Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with phishing
Showing posts in English
Anand Muralidharan | 25 Feb 2013 20:01:22 GMT

February is a short month, but not too short for spam events to make an impact. Valentine's Day and its associated threats has passed, so now it is time for International Women's Day—celebrated on March 8 every year. This is a great occasion to express love, respect, and kindness toward women and spammers will always attempt to take advantage of these events. The following is a spam campaign we have observed targeting International Women’s Day with a fake product promotion.

Often, spam originating from Russia will attack targets using online marketing promotions with odd phone numbers. Here, spammers targeted users by providing fake offers for great gifts for Valentine’s and International Women’s Day and also some peculiar phone numbers are provided for ordering a gift certificate.

The following is an example of the Russian spam observed by...

Anand Muralidharan | 08 Feb 2013 15:59:49 GMT

Most people are eagerly waiting for Valentine's Day. The day is an opportunity to spread affection and excitement amongst loved ones by exchanging gifts. Last year we observed prominent spam attacks using Valentine’s Day as bait. Messages promoted unbelievably discounted jewelry, dinning opportunities, and expensive gifts.

This year, various Valentine’s Day spam messages have started flowing through Symantec’s Probe Network. The top word combinations used in spam messages include the following:

  • Find-Your-Valentine
  • eCards-for-Valentine
  • Valentine’s-Day-Flowers

The e-card spam message, shown in Figure 1, arrives with a malicious attachment called ValentineCard4you.zip. After opening the attachment, malware is downloaded on to the user's computer. Symantec detects the attachment as...

Mayur Kulkarni | 08 Feb 2013 15:50:31 GMT

Phishers love to arouse curiosity and/or fear in the user’s mind and this stimulus can compel people to set aside all caution as well as  any safety measures they might have in place to avoid such scams.

In a recent spam sample seen in our probe network, we observed that by taking advantage of human curiosity, users can easily be duped into disclosing sensitive information to unknown persons. In order to ensure awareness of this campaign, and others like it, we will discuss this phishing scam in more detail.

In a slight variation to the telegraphic transfer spam attack seen in the past, we see that the message has a HTML attachment, instead of an archived executable file. As shown in Figure 1, users are advised to confirm a pending transaction with their bank and also told that there is a copy of a bank slip attached.

Figure 1. ...

Joji Hamada | 07 Feb 2013 23:32:52 GMT

Last week, Twitter announced that the details of around 250,000 of its users may have been compromised before it discovered and stopped an attack on their network. There is not much you can do when attackers go straight to the service provider to try to steal your data; however, it is also common for attackers to approach the end-user in order to obtain account details. Phishing is a popular tactic used to steal account details this way. When thinking of phishing attacks, people usually think of bank account or credit card details as the type of information that is stolen but social network account details are also a popular commodity for attackers.

Attackers see phishing on social network sites as an easy way to trick users into giving their credentials away. So let me take this opportunity to go over one particular attack that has been taking place on Twitter over the last few months and show you...

Mathew Maniyara | 04 Feb 2013 18:27:27 GMT

Contributor: Avdhoot Patil

Recently, cybercriminals have been focusing on the conflict in Syria to incorporate current events in their cyber warfare. In December 2012, phishers mimicked the website of a well-known organization in the gulf with the motive of stealing a user's email login credentials. The phishing site asked users to support the Syrian opposition by casting their vote against the Syrian regime. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, United States.

The phishing site asked users if they wanted to criminalize the Syrian regime for the murder of innocent people. As seen in the image below, options were provided to agree or disagree. If the agree option was selected, the phishing site prompted users to select their email service provider, from a list of four popular providers, and then login in order to cast their vote.
 

...

Anand Muralidharan | 29 Jan 2013 13:00:20 GMT

Symantec Security Response has observed that spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well an executable file. Symantec detects this threat as Trojan Horse.

Further analysis of the malicious file shows that the threat creates the following file:

%SystemDrive%\ProgramData\ift.txt

It also alters the registry entries for Internet Explorer.

The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an...

Mathew Maniyara | 15 Jan 2013 23:52:15 GMT

Contributor: Ayub Khan

Phishers consider special occasions as an opportunity to strike at end users and Christmas has always been a favorite for phishers to introduce new phishing baits. For this past Christmas, phishers created a phishing site pretending to be a popular payment system based in the USA. Phishers used a typosquatting domain hosted on servers based in the Netherlands.

The phishing site began by stating that the user was chosen as the winner of a $400 cash prize. Users were told that ten winners were given the prize every year for Christmas. To receive the prize, visitors were prompted to enter the verification code they received by email. There is poor language used in the phishing site, evident from the misspelled “recieve” in the message.
 

...

Mathew Maniyara | 20 Dec 2012 23:17:48 GMT

Contributor: Avdhoot Patil

Phishers are known for incorporating current events into their phishing sites and never leaving any stone unturned. They are now capitalizing on the civil war in Syria. In December 2012, a phishing site spoofing a popular social networking site claimed to have a torture video of a prisoner in the Syrian prison, State Security Branch Khatib. Phishers compromised a legitimate domain based in the United Arab Emirates to host the phishing site. The phishing pages were in Arabic.

The title of the phishing site translated to “Liberal torture in the State Security Branch Khatib”. The site warned that the video contained scenes of violence and asked users for their permission before proceeding. After permission had been granted, users were prompted to enter their login credentials. The login credentials were allegedly required to confirm that the user was over 18 years of age. After the login credentials had been entered, the...

Mathew Maniyara | 19 Dec 2012 18:35:45 GMT

Fake applications offered by phishing sites continue to appear. In December 2012, a fake app was seen that was titled, “Facebook 2013 demo”. Social networking users in India were most likely targeted in this phishing attack because the phishing URL consisted of certain words in Hindi. The phishing site was hosted on a free Web-hosting site.

The phishing site spoofed the login page of Facebook and the page contents were altered to promote the fake application. A message in the phishing page stated that users could use their existing Facebook accounts to access the application and that they did not need to create a new account. Of course, such a message was added to the phishing page because phishers wanted users to enter their primary login credentials. Towards the right hand side of the phishing page there were instructions on how to access the application. The poorly worded phishing page explained the instructions in three steps, along with a note. The first two...

Mathew Maniyara | 14 Dec 2012 23:10:35 GMT

Contributor: Avdhoot Patil

Fake social media applications in phishing sites are not uncommon. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. In December 2012, a phishing site (spoofing Facebook) claimed to have an application to secure Facebook accounts from being hacked. The phishing site was hosted on a free Web-hosting site.

The phishing site required users to enter their Facebook login credentials to gain access to the fake security app. In addition to their Facebook login credentials, users must enter a confirmation code generated by clicking a button. Phishers likely believe asking users to enter a confirmation code and stating that it is certified while displaying a fake Facebook stock certificate will make this fake app page seem more authentic. Still, it is hard to understand how a sample stock certificate has any relevance to security on Facebook.
 

...