Security Response Blog

Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.

  • Whitewashed Spam – How Antispam Laws Are Helping Spammers
    Updated: Samir_Patil 23 May 2013 23:14:57 GMT

    Contributor: Binny Kuriakose

    Anonymity disguised as freedom of expression and a lack of clear-cut laws make cyberspace murky from a security point of view. Countries are waking up and realizing that there is a need for laws which enable authorities to catch and punish cyberspace miscreants; however, these miscreants are very crafty. Spammers are known to use ingenious methods to peddle spam and lately they have even begun using antispam laws themselves in an effort to spearhead spam attacks. This blog is not about analyzing the effectiveness of antispam laws; it is about how spammers are quoting the laws in emails in order to make the spam look legitimate. There are some “grey area” emails, which fall somewhere between spam and legitimate mail, and sometimes there can be something very inconspicuous in the mail that can tip the balance in the mind of a recipient. Quoting antispam law in the body of the email and claiming that the email...
  • Downloader.Liftoh Cousin to W32.Phopifas?
    Updated: Rodrigo Calvo 23 May 2013 21:07:41 GMT

    Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing. A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish instead of English. The threat is similar to W32.Phopifas, which we wrote about in our blog from October 2012. The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware: the victim receives a message from someone who seems to be on their contact list...
  • Rise in URL Spam
    Created: Samir_Patil 23 May 2013 12:03:44 GMT

    Symantec is observing an increase in spam containing URLs. On May 16, URL spam volume increased by 12% from 84% to 96%, and since then the URL spam volume has fluctuated between 95% and 99%. That means 95% of the spam messages delivered during this period have one or more URLs in them.

    Figure 1. URL spam message volume

    During this period, .ru was the most used top-level domain (TLD). As illustrated in Figure 2, it is interesting to note a drop in .ru spam and a simultaneous rise in .com and .pw spam. Over 73% of the URL spam contained the .ru, .com, or .pw TLDs.

    Figure 2. Top 3 TLDs distribution (last seven days)
    ...
  • Phishers’ New Fake Social Media Apps
    Created: Mathew Maniyara 23 May 2013 06:03:47 GMT

    Phishers are trying everything they can to improve their chances of harvesting user credentials. They are known for experimenting with different fake social media applications in a desperate move to lure users. Recently, we found a few examples of some new fake apps. In the first example, the phishing site used an image of a girl along with the Facebook Like button. After clicking the button, users are prompted for their Facebook login credentials in order to “like” the photo. After the credentials are entered, the phishing site acknowledges the login and asks users to click another Like button. The button is placed beside a fake number indicating the number of likes already gained. The phishing site was hosted on servers based in Amsterdam, Netherlands.

    Figure 1. Facebook Like button...
  • Spammers Targeting Oklahoma Tornado Victims
    Updated: Anand Muralidharan 23 May 2013 04:11:25 GMT

    Natural disasters, like tornadoes and earthquakes, are quite common in the United States of America. Unfortunately, the Oklahoma City suburb of Moore experienced a violent tornado on Monday, May 20, that sadly resulted in dozens of casualties. Spammers take advantage of natural disasters with luring scams, and Symantec Security Response has started to observe spam messages related to this tornado flowing into the Symantec Probe Networks. The top word combinations used in message headlines include:
      • Tornado – hits – Oklahoma
      • Massive – Tornado
      • Huge – Tornado
      • Tornado – survivors

    Figure 1: Oklahoma City tornado spam campaign

    These headers have been observed in the spam attack:...
  • Why Email is a Key to Your Castle
    Updated: Candid Wueest 21 May 2013 20:22:58 GMT

    Having control over an email account can be a lot of power, even though most people would probably say they do not care if someone else is reading their private emails. But it’s not always about reading those private emails. Of course there have been quite a few attacks where secrets were revealed by snooping through emails of hacked accounts. The reasons vary from jealous spouses searching for proof of an assumed affair to something as serious as corporate espionage, in which certain parties are seeking essential information about a critical deal. Other attackers may use the compromised account to send social engineering messages to all contacts stored in the email account, posing as the person whose account has been hacked. Nowadays an email account is much more than just sending and receiving emails. Many free service providers like Microsoft or Google have various additional services attached to email accounts. Having access to these accounts means having access to such things...
  • Spammers Make Memorial Day Memorable
    Created: Anand Muralidharan 20 May 2013 19:02:16 GMT

    Memorial Day is celebrated on May 27 and it is a day for memorializing the men and women who have died in military service for the United States. It is a common practice for cybercriminals to take advantage of events and holidays. This year, various spam messages related to Memorial Day have begun flowing into the Symantec Probe Network. We have observed that most of the spam samples encourage users to take advantage of clearance sales on cars and trucks. Clicking the URL will automatically redirect the user to a website containing some bogus offer.

    Figure 1: Memorial Day financial spam

    A variety of subject lines have been observed related to the clearance sale spam attacks for Memorial Day:
    Subject: Memorial Day Auto...
  • Operation Hangover: Q&A on Attacks
    Updated: Symantec Security Response 20 May 2013 16:57:37 GMT

    Today Norman and the Shadowserver Foundation released a joint detailed report dubbed Operation Hangover, which relates to a recently released ESET blog about a targeted cyber/espionage attack that appears to be originating from India. Symantec released a brief blog around this incident last week and this Q&A will provide additional information relevant to Symantec around this group.

    Q: Do Symantec and Norton products protect against threats used by this group?
    Yes. Symantec confirms protection for attacks associated with Operation Hangover through our antivirus and IPS signatures, as well as STAR malware protection technologies...
  • Symantec Protection for Trojan.FakeSafe
    Updated: Symantec Security Response 17 May 2013 16:52:49 GMT

    Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). If exploitation is successful, the malicious documents drop the following files:
      • smcs.exe
      • SafeExt.dll
      • SafeExt.org
      • SafeCredential.DAT

    SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT...
  • Symantec Protection for Targeted Attacks in South Asia
    Updated: Symantec Security Response 17 May 2013 16:48:35 GMT

    ESET recently blogged about a targeted cyber/espionage attack that appears to be originating from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), it appears that attackers are focusing on targets located in Pakistan, specifically government agencies.

    Figure. Telemetry data focused on South Asia

    The identified infection vector of this campaign is spear phishing emails with malicious files attached. We’ve observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code...