Security Response Blog

Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.

    Updated: Symantec Security Response 17 May 2013 16:52:49 GMT

    Symantec Protection for Trojan.FakeSafe

    Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). If exploitation is successful, the malicious documents drop the following files: smcs.exe, SafeExt.dll, SafeExt.org, and SafeCredential.DAT. SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT...
    Updated: Symantec Security Response 17 May 2013 16:48:35 GMT

    Symantec Protection for Targeted Attacks in South Asia

    ESET recently blogged about a targeted cyber-espionage attack that appears to be originating from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), it appears that attackers are focusing on targets located in Pakistan, specifically government agencies.

    Figure. Telemetry data focused on South Asia

    The identified infection vector of this campaign is spear phishing emails with malicious files attached. We’ve observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code...
    Created: Ben Nahorney 16 May 2013 13:15:01 GMT

    Spam Campaigns Take to Tumblr

    As the urban legend goes, the bank robber Willie Sutton was asked why he robbed banks. “Because that’s where the money is,” he is attributed as saying. While Sutton has long since distanced himself from the statement, the concept resonates with many people, to the extent that it’s been used to describe principles in accounting and even medicine.

    This principle also holds true in the world of Internet security. In the latest version of the Internet Security Threat Report we discussed the major trends in the spam world, where the percent of spam email continues to decline while more and more social networks are being targeted. Given the growth of social networking in recent years as a means to communicate, this...
    Created: Joji Hamada 16 May 2013 10:07:30 GMT

    Japanese One-Click Fraud on Google Play Leads to Data Stealing App

    Since the beginning of the year, a Japanese one-click fraud campaign has continued to wreak havoc on Google Play. The scammers have published approximately 700 apps in total since the end of January. The apps are published on a daily basis and the scammers have invested around US$4,000 in order to pay the US$25 developer fee to publish apps on Google Play.

    Figure 1. Total number of developers and apps developed

    Dealing with the fraudulent apps has really become a game of cat and mouse. Once the apps are removed from Google Play, the scammers simply publish more under new developer accounts. These are again removed shortly afterwards, but the scammers simply continue to publish more. Most of the apps are removed on the date of publication,...
    Created: Mathew Maniyara 16 May 2013 02:10:31 GMT

    Phishers Offer Rita Ora’s Video

    Contributor: Avdhoot Patil

    Celebrity scandals are always popular and phishers are keen on incorporating them into their phishing sites. Recently, we observed a phishing site featuring British singer and actress Rita Ora. The phishing site was hosted on a free Web hosting site.

    The phishing site prompted for Facebook login credentials and called the video a “social plugin”. The phishing page contained an image of a fake YouTube video of Rita in the background. The title of the video in question described it as an adult video of Rita Ora. A recent event involving an accidental exposure of Rita prompted phishers to devise this bait. The phishing site gave the impression that users could view the video shown in the background once login credentials were entered. In reality, after login credentials are entered,...
    Updated: Anand Muralidharan 15 May 2013 18:01:13 GMT

    Increase in Pump and Dump Stock Spam

    In the last few weeks we have observed a drastic increase in “penny stock” spam emails. In 2011 Symantec published a blog entitled Global Debt Crises News Drives Pump-and-Dump Stock Scams, which also dealt with this type of spam. Penny stocks, also known as cent stocks, are shares in small companies that trade at low prices, often as low as a few cents per share. Penny stocks are a very popular topic used by spammers. The spam emails advertise the cheap shares and state that the company is on the verge of becoming very successful and that the value of the shares will rise significantly. The emails make out that the company is more valuable than it actually is and imply that it has just created some major product or is on the verge of a breakthrough and that the share value is tipped to rise dramatically. The aim is to increase sales of the stock,...
    Updated: Symantec Security Response 14 May 2013 19:02:31 GMT

    Microsoft Patch Tuesday – May 2013

    Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing 10 bulletins covering a total of 33 vulnerabilities. Eleven of this month's issues are rated ‘Critical’. As always, customers are advised to follow these security best practices: Install vendor patches as soon as they are available. Run all software with the least privileges required while still maintaining functionality. Avoid handling files from unknown or questionable sources. Never visit sites of unknown or questionable integrity. Block external access at the network perimeter to all key systems unless specific access is required. Microsoft's summary of the May releases can be found here: http://technet.microsoft.com/en-us/security/bulletin/ms13-May

    The following is a breakdown of the issues...
    Updated: Symantec Security Response 15 May 2013 08:40:44 GMT

    A Phone Call, a Phish, and a Remote Access Trojan

    In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim will receive a phone call from the attacker who impersonates an employee or business associate of the organization. The caller spoke in French and asked the victim to process an invoice that they were to receive in an email. Here is an example of an email that was received during one of the attacks. The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT).

    Figure 1. Spear phishing attack email

    There...
    Updated: Candid Wueest 13 May 2013 17:51:23 GMT

    When Web Servers Serve Evil

    In the last few months, we have witnessed a rise in the number of cases of modified Web servers that inject malicious redirections into every website that they host. One example was the malicious Apache module (Linux.Chapro and Trojan.Apmod) that we blogged about recently. A newer example is Linux.Cdorked, about which our friends at ESET also wrote. With Linux.Cdorked, instead of adding a malicious Apache module to the configuration list, the attackers replaced the main httpd binary file...
    Created: Anand Muralidharan 10 May 2013 07:40:10 GMT

    Fake Promotional Offers Targeting UEFA Champions League 2013

    The 58th season of the UEFA Champions League is coming to an end with the final being played on May 25 at Wembley Stadium in London. Nowadays, cybercriminals are taking a lot of interest in football, at least in how to exploit interest in football to their advantage, and Symantec has recently blogged about cybercriminals continuing to show interest in football. Spammers are exploiting the latest sporting event by sending spam with fake ticket offers through email. Below is an Italian spam campaign we have observed targeting the UEFA Champions League with a fake ticket offer promotion. The spam can be identified by the following headers: Subject: Scopri come puoi vincere i biglietti per la Finale UEFA Champions League...