Video Screencast Help
Security Response
Showing posts tagged with phishing
Showing posts in English
Binny Kuriakose | 23 Jul 2014 23:28:53 GMT

Contributor: Mayur Deshpande

Phishing emails masquerading as banking communications are observed in huge quantities every single day. Spammers will often exploit global news and major world events to carry out phishing attacks. Phishing emails often use international and regional news to disguise their phishing content and force the recipients to give up sensitive personal data.

Recently, Canada enacted an anti-spam law which mandates that all companies obtain explicit consent from customers for email correspondence. Spammers exploited this news to send phishing emails pretending to request consent for emails. This phishing attempt shown below goes a step further and fabricates fake news about a similar law in the United States.

Fake US Antispam Law 1 edit.png

Figure. Phishing sample...

Sammy Chu | 26 Jun 2014 19:49:01 GMT

Image spam has been around for a longtime and peaked in January 2007 when Symantec estimated that image spam accounted for nearly 52 percent of all spam. Pump-and-dump image stock spam made up a significant portion of that 52 percent. Image spam has been in hibernation mode for a long time until recently when Symantec detected a significant increase in these attacks from our global Intelligence network.

Between June 20 and June 23, 52.25 percent of spam messages contained an image, compared to just 2.23 percent between June 13 and June 19. As with the last wave of image spam, image stock spam made up a significant portion of image spam messages. 

Image Stock 1 edit.jpg

Figure 1. Significant increase in image spam

Pump-and-dump image stock spam’s main problem stems from how it can cause financial...

Sean Butler | 23 Jun 2014 21:05:36 GMT

On June 19, we came across an interesting e-card spam campaign. E-card spam typically distributes malware; however this campaign simply redirects the user to a “get rich quick” website.

This campaign’s emails are very basic. The messages are sent from a spoofed 123greetings.com email address and contain one sentence and a link.

ecard spam 1.png

Figure 1. E-card spam campaign email

After looking at the header for one of the emails, we saw that the email appears to have been sent from an Amazon IP address. This is most likely an attempt to trick anyone that reads the header into thinking the email is legitimate. However, the IP address actually resolves to a DNS name that is not associated with Amazon.

In the body of the emails, the spammers use URL shorteners to redirect victims to their site...

Sammy Chu | 12 Jun 2014 21:23:05 GMT

The Symantec Global Intelligence network has detected a significant increase in hit-and-run spam attacks (sometimes referred to as ‘snowshoe’ spam attacks) from .club domains in the last 24 hours. Earlier this year the Internet Corporation for Assigned Names and Numbers (ICANN) released a number of generic top-level domains (gTLD), with .club among them. Spammers have taken to abusing gTLDs, and specifically, the .club gTLD to perform hit-and-run spam attacks. Hit-and-run spam attacks quickly cycle through domains and IP addresses with unknown reputation to avoid detection. In this case they are using domains with the .club gTLD because of their lack of reputation.

We have observed the following “From:” header lines in these attacks:

  • From: "CarClearanceLot" <CarClearanceLot@[REMOVED].club>
  • From: "CarSavingsEvents" <CarSavingsEvents@[REMOVED].club>
  • From: "PriceNewCar" <PriceNewCar@[REMOVED].club>
  • From: Gift Cards <...
Satnam Narang | 29 May 2014 17:12:10 GMT

Following reports of Apple IDs being compromised and devices being held for ransom in Australia and New Zealand, Apple issued a statement to ZDNet proclaiming that their iCloud infrastructure had not been breached. They went on to warn users to “change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.” Symantec would like to advise owners of Apple devices to keep an eye out for emails attempting to phish for Apple ID login credentials.

Going phishing for Apple IDs

While there have been no confirmed reports as to how these Apple IDs were compromised, one possible explanation is phishing scams. Due to all the media attention this event has received, Symantec is cautioning...

Nick Johnston | 21 May 2014 18:02:27 GMT

Google Docs and Google Drive were the focus of a sophisticated phishing scam that we looked at two months ago and this technique is being used again. This scam is more effective than the millions of phishing messages we see every day because the Google Drive phishing page is actually served over SSL from the legitimate Google Drive service itself.

Most phishing mitigation focuses on visually inspecting the URL to make sure the connection is secure. And this is good advice, but this does not help prevent against this specific attack.

As in the past, the attacker's phishing message uses the simple subject of "Documents" and contains a URL pointing to a phishing page hosted on the Google Drive file storage and synchronization service:
 

...

Binny Kuriakose | 16 May 2014 15:02:41 GMT

May 13, 2014 witnessed the release of another posthumous compilation album of Michael Jackson recordings, named Xscape. This reworked collection of Jackson tracks was highly anticipated by music lovers, ever since its announcement in March, 2014. News of the album release has once again made Michael Jackson a hot topic and, unsurprisingly, spammers have been quick to exploit this.

This spam campaign uses a very simple email which is crafted to appear like personal mail. It uses Michael Jackson’s name and some of his song titles to create intriguing subject lines. The body of the email contains a link along with a generic comment. A name is used to sign the email message, as seen in Figure 1, in an effort to give the impression that an acquaintance has sent you an email with a link to the new Jackson album. The URL in the body of the email redirects to a fake pharmacy domain which promises cheap medicines without prescription.

The following are subject lines seen in...

Binny Kuriakose | 09 May 2014 02:42:51 GMT

On May 11, 2014, many countries will celebrate Mother’s Day. Plenty of online articles have been giving gifts ideas and advice for making the day special for mom. Companies have also been sending a huge number of promotional emails with a special message about Mother’s Day. Unsurprisingly, spammers have been exploiting this occasion to send out a fresh batch of spam.

Symantec started observing Mother’s Day spam from early April and we have seen a steady increase in the volume of messages ever since. Previous Mother’s Day spam emails often stuck to certain categories. Spam emails offering flower deliveries, jewelry, personalized messages, coupons, and other gifts for mothers were the most common. Survey and product replica spam were also observed in the past.

The following are the major Mother’s Day themed spam campaigns seen this year.

Flowers for Mother
A beautiful bunch of flowers is something any mother will love and spammers use this...

Tsering_Paljor | 23 Apr 2014 13:24:55 GMT

Contributor: Binny Kuriakose

Symantec has recently detected phishing emails related to the Heartbleed Bug. The phisher attempts to gather information by posing as a US military insurance service with a message about the Heartbleed bug.

The Heartbleed bug is a recently discovered security vulnerability affecting OpenSSL versions 1.0.1 to 1.0.1f. This vulnerability was fixed in OpenSSL 1.0.1g. Symantec’s security advisory gives more details on the bug and offers remediation steps.

Spammers and phishers are known to use trending news and popular topics to disguise their payloads. In the case of phishing emails, phishers often cite security concerns to legitimize and disguise their social engineering methods. The payloads of these emails attempt to compel the messages’ recipients into divulging sensitive information.

In this...

Lionel Payet | 23 Apr 2014 08:23:21 GMT

Contributor: Andrea Lelli

Operation Francophoned, first uncovered by Symantec in May 2013, involved organizations receiving direct phone calls and spear phishing emails impersonating a known telecommunication provider in France, all in an effort to install malware and steal information and ultimately money from targets. 

This highly targeted dual-pronged attack has proven to be very persistent in the French speaking world. Keeping a close eye on the Francophoned campaign, Symantec observed a resurgence in October 2013 and, early this year, witnessed some changes to the social engineering attack including the use of new malware.
 

Figure1.png...