
Security Response

Mathew Maniyara | 14 Dec 2012 23:10:35 GMT

Contributor: Avdhoot Patil

Fake social media applications in phishing sites are not uncommon. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. In December 2012, a phishing site (spoofing Facebook) claimed to have an application to secure Facebook accounts from being hacked. The phishing site was hosted on a free Web-hosting site.

The phishing site required users to enter their Facebook login credentials to gain access to the fake security app. In addition to their Facebook login credentials, users must enter a confirmation code generated by clicking a button. Phishers likely believe asking users to enter a confirmation code and stating that it is certified while displaying a fake Facebook stock certificate will make this fake app page seem more authentic. Still, it is hard to understand how a sample stock certificate has any relevance to security on Facebook.

...

Anand Muralidharan | 13 Dec 2012 17:17:33 GMT

Contributor: Samir Patil

In the last few months, we have seen an increase in the volume of malicious spam. The majority of these new spam emails contain links to the Blackhole Exploit Kit.

Earlier this year Symantec reported on malicious spam during tax season that led to the Blackhole Exploit Kit. Similar attacks targeting well-known businesses occurred throughout 2012, affecting major brands in various service industries such as payroll, fax, and social media.

The emails claim to be contacting the recipient in regards to account transactions, pending notifications, company complaint reports, etc.

The main purpose of these spam campaigns is to lure recipients into clicking on links contained in the emails. These links then lead to malicious code being downloaded, which exploits common vulnerabilities.

Note: Read...

Candid Wueest | 11 Dec 2012 17:10:35 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 12 vulnerabilities. Ten of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the December releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms12-Dec

The following is a breakdown of the issues...

Joji Hamada | 10 Dec 2012 18:56:23 GMT

Recently, I wrote a blog describing the current status of Android malware thriving in Japan and much of the focus was on one particular family: Android.Enesoluty. I don’t know whether the authors of Android.Enesoluty read the blog or came across a news article discussing the content of it, but a few days later the app sites distributing the malware contained a user agreement. This was most likely done in an attempt to make the apps legal and ultimately avoid an arrest and prosecution as the Japanese authorities increase their pursuit of Android malware creators.

Until recently, the app pages hosting Android.Enesoluty only contained false descriptions of the apps, fake download counts, fake reviews, and links that download the apps. They did not have anything with regard to a user...

Mathew Maniyara | 07 Dec 2012 00:17:56 GMT

Contributor: Avdhoot Patil

Social media is a common target for phishers for the purposes of identity theft. Phishers are now seeking financial gain from social networking phishing sites. In November 2012, phishing sites spoofed a popular social networking site and asked for financial information as a requirement to improve user security. The phishing sites were hosted on free web hosting sites.

The phishing site stated that the social networking site had made some improvements in security and required users to verify their identity by completing a security check. After the “Continue” button was clicked, users were asked to enter their personal details.

The personal details required included the user's:

  • First name
  • Last name
  • Email address
  • Password
  • Country
  • Gender
  • Birthday

The phishing pages that followed asked for users’ webmail address with their...

Mathew Maniyara | 05 Dec 2012 23:52:35 GMT

Contributor: Avdhoot Patil

Several phishing attacks using football have been observed during 2012. Phishers have shown their interest in football clubs, football celebrities, and the 2014 FIFA World Cup. In November 2012, the trend continued with phishers spoofing the 2014 FIFA World Cup in Brazilian Portuguese on a free web hosting site.

In one example, a phishing site prompted users to sign up for a daily offer to win prizes worth hundreds of dollars, including trips to the World Cup. The phishing page featured the World Cup mascot Fuleco on the right hand side. While signing up for the offer, the user is asked to select from three Brazilian electronic payment brands. After the brand is selected, the phishing site requests the user’s confidential information.

The information required includes the user's:

  • Card number
  • Electronic signature
  • Card holder name
  • Password
  • Email address...

Symantec Security Response | 04 Dec 2012 02:12:57 GMT

Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?

While other vendors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking...

Joji Hamada | 03 Dec 2012 23:52:47 GMT

2012 will be remembered as the year in which Android malware spread widely in Japan and may also be known as the year when some of the developers of the malware escaped punishment for performing the malicious activities.

On October 30, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android.Dougalek. Their goal was to collect personal information stored on Android devices. Coincidentally, the Kyoto Prefectural Police also arrested two men on the same day, and then two more at a later date, for the development and distribution of Android.Ackposts, which was also used to steal personal information. Symantec welcomes this news and applauds the police for their efforts.

Symantec was able to assist the Tokyo...

Symantec Security Response | 01 Dec 2012 01:19:03 GMT

Whether a Montague or a Capulet, it never mattered to Juliet, as she made the case in Shakespeare's “Romeo and Juliet” when she says one of her most famous lines, “What’s in a name? That which we call a rose by any other name would smell as sweet.”

Earlier this week, we wrote about the increase in detections of a threat named W32.Changeup. Other vendors have written about it as well. However, each security vendor’s naming conventions are different. For Symantec, we named the threat W32.Changeup when we first discovered it.

Sampling of vendor detection names for W32.Changeup:

  • Microsoft: Worm:Win32/Vobfus.MD
  • McAfee: W32/Autorun.worm.aaeh
  • Trend Micro: WORM_VOBFUS
  • Sophos: W32/VBNA-X
  • Kaspersky: Worm....

Lionel Payet | 30 Nov 2012 16:38:00 GMT

Comparing variants of the same malware family can sometimes uncover interesting results. Trojan.Ransomlock, the highly profitable and prevalent malware, is one of those cases. This threat was originally spotted in Russia in 2009 but since then has been highly active in the wider world, particularly in the past few months.

An in-depth analysis of this month's AV detection stats for the Trojan.Ransomlock family of threats reveals two top variants: Trojan.Ransomlock.T and Trojan.Ransomlock.G.

Figure 1. Trojan....