Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for May of 2009
Showing posts in English
Mayur Kulkarni | 29 May 2009 14:19:30 GMT | 0 comments

Stock markets all over the world are seeing a downturn due to the current economy. The Indian markets were no exception to this trend until the Indian election results were declared. Political experts predicted that there would be a fractured mandate; however, the India Election 2009 resulted in a single party winning a majority of the seats. This means that the Indian population can now expect a stable government. This event set such a positive mood in the Indian stock market that it went up nearly 15 percent within seconds of opening on Monday, May 18, 2009. Taking into account that people may try to invest during this period, spammers are sending messages, discussing profits on investments based on their bogus tips.

These spammers claim to be the only research firm in India that delivers 100 percent accurate results. They also state that more than 5,500 people across India earned profits from their stock tips. They have been delivering a profitability ratio of 85 percent...

Mayur Kulkarni | 28 May 2009 14:07:07 GMT | 0 comments

In our earlier blog on online fraud, we explained how HTML attachments are used in phishing attacks. We also mentioned how the attached files were named in order to mislead users. For example:

Account reset form.pdf.htm
Bank-Account confirmation form.pdf.htm

These filenames may confuse the recipients and trick them into submitting sensitive banking information through the HTML file. Recently

we have come across similar messages that use the same technique, this time for harvesting email addresses. These messages mention the falling sales of a major auto company due to the economic recession. It further states that the government plans to bail them out, but the actual funds have yet to reach the auto company. So, they are offering the sale of 1,000 autos discounted to...

Security Response China | 27 May 2009 05:00:41 GMT | 0 comments

Instant messaging (IM) applications are widely used nowadays, and while more and more people use them, they’ve also become increasingly feature heavy. Besides the original chat function, IM applications have also integrated other useful features such as blogging, photo albums, online games, etc. More functions enhance the user’s Internet surfing experience, help people to share information and thoughts, and even allow users to manage their assets online.

While people are enjoying the convenience brought by advanced technologies and services, hackers are also aiming at the information that people are increasingly putting on the Internet, especially when the information is profitable. Online account information is definitely one of them.

A recent security event is a warning to us all. It was discovered that people’s IM account information is available online by searching keywords such as “[IM USERNAME] password txt filetype:txt.” Hundreds...

Mayur Kulkarni | 26 May 2009 20:34:21 GMT | 0 comments

The latest figures from the World Health Organization (WHO) say that there are at least 170 million diabetic patients worldwide, and that number will double by the year 2030. The chronic nature of diabetes means that these patients constantly need to control their blood sugar level using medicines. Along with medicines, lab tests are necessary to check on the disease that will become part of a patient’s routine life. With the ongoing financial crisis affecting all walks of life, recurring expenditures on medical care can be costly for an individual and his or her family. Obviously these patients will look for discounts or offers to help them through their situation.

Online medical suppliers provide varying discounts or offers, one being a free glucose meter to visitors placing a supply order. Spammers have also read the picture well and are providing the...

Zulfikar Ramzan | 22 May 2009 10:19:12 GMT | 0 comments

While many forms of online mischief require some degree of technical sophistication on the part of the miscreant, we often see forms of attack that are quite simple. One case in point is the phishing attack. In many ways, phishing attacks are at the low end of the totem pole from a technical sophistication standpoint. In fact, ready-made phishing kits can be purchased in the underground economy (though the buyer should beware!), and many aspects of the attack can effectively be outsourced.
For a while, banking and other financial services sites bore the brunt of the phishers’ attention spans. It’s not surprising. Phishing is a financially motivated crime, so to understand the modus operandi of a phisher, all you have to do is follow the money. During the last year and a half or so we have noticed an interesting trend, in that social networking sites have become a much more popular target for phishers.
In some cases, social networking...

Samir_Patil | 21 May 2009 21:52:44 GMT | 0 comments

Spammers habitually exploit the reputations of brands for their benefit. As more and more people become connected through social networking sites, it is no surprise that the trust and reputation earned by these websites is misused by spammers. We are monitoring spam attacks this week that try to take advantage of the burgeoning social networking brand Twitter for two spam campaigns: make money fast (MMF) and dating spam.

In the MMF attack, a URL is provided to order a “Risk-Free Twitter Profit Software” kit. When the user clicks on the URL in the promotional email, he or she is redirected to a Web-form that asks for personal information such as name, email, and address. This is followed by another form asking for your credit card number, expiration date, and security code.

Below are some of the subject lines used in this latest MMF spam:

Subject: Twitter Guru Reveals All On Video
Subject: Use Twitter to make money...

Samir_Patil | 21 May 2009 16:39:08 GMT | 0 comments

Spammers have declared open season on Memorial Day. Observed in the United States on the last Monday of May, Memorial Day memorializes those men and women who lost their lives in American military service. This year, it will celebrated on May 25.

Memorial Day spam made its appearance early last week. These emails mainly contained health-related spam and offers selling Memorial Day flags. Health-related spam has URLs that lead users to open online pharmacy stores. Spam emails linked to Memorial Day flags claim to offer the free home delivery of discounted rate flags. A few other spam samples have injected legitimate news articles related to Memorial Day in the email body as an attempt at obfuscation.

The following are a few of the subject lines used in the Memorial Day spam promotion:

Subject: Memorial day sale, 80% off all...

Vivian Ho | 20 May 2009 19:33:56 GMT | 0 comments

In the last couple of months we’ve seen medical image spam offers resurfacing with regularity. Image spam advertising meds is easy to recognize, with a prominent med promotion image in the body. The subject lines advertise the products’ effectiveness and include noise added in the image attachment to attempt to bypass antispam filters. These are old techniques that are still common in med spam.

Spammers are also developing new tactics to attract visitors. They attempt to play mind tricks on the spam recipients, using warnings that are similar to what might be received from a system admin and personal greetings in subject lines—both attempts to lower recipients’ awareness in order to get their messages read.

We’ve recently observed a round of med spam that is sent in ordinary e-postcard form. In these messages we see that the spammers are using warning-style subject lines in order to try to dupe recipients into thinking they are violating...

John H | 19 May 2009 11:04:40 GMT | 0 comments

The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains.

The drive-by download tries to exploit a number of underlying vulnerabilities...

John H | 15 May 2009 21:56:39 GMT | 0 comments

Symantec Security Response has been monitoring a recent spate of Web-based attacks and drive-by downloads from compromised websites that are infecting end-users’ computers. This latest round of attacks has a payload that maliciously alters Web search engine results on the compromised machines. There have also been some recent blog posts and articles written about compromised websites rendering drive-by downloads, including malware, with obfuscated attacks coming from a malicious Gumblar domain in China. Yes, we have seen a short-term increase in attacks, but the reality is, this is unfortunately just another day on the Web and it reflects what we have seen in our Web Based Attacks: February 2009 whitepaper. For instance, Symantec documented attacks from more than 800,000 unique domains last year.

We have been proactively blocking these latest attacks with our network IPS in...