
Symantec Intelligence

Nick Johnston | 02 Aug 2011 | 0 comments

by Francisco Pardo and Nick Johnston

Spammers are never idle when it comes to finding new ways to bypass mail filters; after all, this is crucial to a spammer's success.

Recently we've seen a low, but steady, number of spam messages in which spammers replace characters in URLs (which point to spam sites) with Unicode characters that look similar or identical. This is yet another way of obfuscating URLs in an attempt to make them more difficult to analyse. To understand how this technique works, a bit of knowledge of the Unicode standard is helpful. As well as specifying a large repertoire of characters, Unicode also provides normalisation rules for converting similar and/or equivalent characters to a single form. For example, under various Unicode normalisation forms, an encircled number is considered equivalent to the corresponding ordinary number. This latest spammer obfuscation technique relies on the HTML rendering engine in mail clients (or web...

Ken Bechtel | 01 Aug 2011 | 2 comments

In the past few days, many people in the anti-malware community seem to be discussing user education again. Based on these discussions, I felt it was a good time to update an older work and re-release it, in the hope that it helps educate our user community.

Ten Rules of Common Sense Anti-Virus

  1. Buy anti-virus software and keep it up to date. If you fail to keep it up to date, you might as well not have anything at all.
  2. Just because you trust a person with your house key doesn't mean they practice safe computing. If you don't know why they are sending you a file, don't double-click on the attachment; ask why it was sent. Beware of sensational headline news links on social networks. A healthy dose of paranoia will save you time, energy and frustration.
  3. Recordable CDs and removable hard drives are cheap; your data's not. With a CD...
Nick Johnston | 13 Jul 2011 | 0 comments

By Nicholas Johnston

As we've covered extensively on the MessageLabs Intelligence blog, 419 or advance fee fraud scammers are skilled at using current events in their scams. In the past we've seen scams relating to earthquakes in Japan and Haiti, and scams relating to the recent unrest in Egypt and Libya.

We recently saw a 419 scam claiming to be from Christine Lagarde, the newly-appointed director of the IMF (International Monetary Fund). The scam follows the usual 419 or advance fee fraud pattern. The scammer claims to be Christine Lagarde, who is releasing all "intercepted consignments" in celebration of her appointment. The catch (or "Rule and Obligation", as the mail puts it) is that to get one of these mysterious consignments, you have to pay a fee of $45 to the IMF in Benin. Of course, this $45 will simply be the first of many increasingly inventive fees and charges that the scammer demands.

The message was sent through a...

Paul Wood | 10 Jul 2011 | 0 comments

As with many exciting trends we observe in the technology industry - designed as a force for good, to enable, enhance and empower - there are criminals on the other side of the fence looking to hijack, undermine and exploit the new capabilities for their own nefarious purposes. The subject of today's post - VoIP telephony - is an excellent example of how even a genuinely transformative technology can quickly lose its innocence. Sunday 10th July represents the five-year anniversary of a new word in the security commentator's vocabulary, as the first 'vish' - a phish using VoIP telephony - was reported by a number of concerned consumers. Vishing uses techniques that are essentially similar to phishing, the act of acquiring sensitive information via electronic communication whilst posing as a trusted entity. A vish takes place over the telephone, using caller ID spoofing, and tricks a user into...

Paul Wood | 04 Jul 2011 | 0 comments

Today – Monday 4th July – is notable not just because it is Independence Day in the US, but also because it marks another important anniversary for the technology industry in particular. Fifteen years ago, on 4th July 1996, entrepreneurs Sabeer Bhatia and Jack Smith officially launched the first free web-based email system Hotmail, choosing the day deliberately to symbolise freedom from ISP-based email. In 1997, Microsoft acquired Hotmail for an estimated $400m and turned it into the world’s largest web-based email service with over 350 million users operating in 36 different languages.

The mass adoption of Hotmail, and subsequently rival web-based email tools such as Gmail and Yahoo! Mail, is significant for a couple of reasons. Firstly, over a number of years it has successfully transformed email from a largely professional, ‘grown up’ tool, into a free, mainstream, consumer-friendly way of communicating, accessible to, and enthusiastically...

Nick Johnston | 01 Jul 2011 | 0 comments

We've seen spammers abusing URL shortening services on a huge scale for quite some time, which was also reported in depth as part of the May 2011 MessageLabs Intelligence Report [http://www.symanteccloud.com/mlireport/MLI_2011_05_May_FINAL-en.pdf]. The explosion in popularity of micro-blogging services and social networking status updates has seen a huge increase in the number of URL shortening sites. The simple and semi-anonymous nature of these sites allows spammers to easily create thousands of links, which they then include in their spam in an attempt to evade URL-based spam blocking.

Recently we saw a large malware attack using URL shortening services. The attack abused at least five different URL shortening sites. The message purported to be from an inter-bank funds transfer service and claimed that a funds transfer had been cancelled. To find out why the transfer was...

Paul Wood | 28 Jun 2011 | 2 comments

Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.

Since the shutdown of the Rustock botnet in March, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.

The overall impact has been that spam now accounts for 72.9% of email in June, returning to the same level as in April earlier this year. In June, 76.6% of this spam was being sent from botnets, compared with 83.1% in March. This marks a return to the same level of output as at the end of 2010...

Sean Butler | 22 Jun 2011 | 0 comments

Today I came across a phishing mail tied to the Wimbledon Tennis Championships currently taking place. The scammer informs the potential victim that they have won two tickets to this year's Wimbledon Championships, and all they need to do is log in to their online banking account and complete the required fields. Of course, in reality there are no free tickets to Wimbledon, and the recipient will end up being a victim of fraud in which the scammer empties their bank account.

A quick glance at the email confirms its suspicious nature, due to the poor grammar in the body of the mail. Even the subject contains a grammatical error: "Your way to Wimbledon , claim your tickets now!" The mail displays a link to a well-known worldwide banking corporation, but the link hidden behind this in the source of the mail shows that the...

Nick Johnston | 25 May 2011 | 0 comments

Domain parking services allow registration of Internet domain names without using them for services like email or hosting a website. This is often done to reserve the domain name for future use, to prevent (or carry out) cybersquatting, or to earn money via advertising hosted on an automatically-generated web site on the domain.

We recently noticed a large domain parking service being abused by spammers on a massive scale. Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice. The only minor restriction is that URLs have to be base64-encoded: in other words, a redirect URL of "http://symantec.com" must be specified as "aHR0cDovL3N5bWFudGVjLmNvbQ==".

This type of abuse is particularly interesting, as it's important to note that spammers have not compromised the service directly: they are simply taking advantage...

Paul Wood | 27 Apr 2011 | 0 comments

Posted on behalf of Martin Lee, Senior Software Engineer, Symantec.cloud


Targeted attacks are bespoke pieces of malware that are sent to email addresses that appear to have been specially selected by the attacker. In this way they differ from the rest of email malware, which is sent in large numbers without apparent regard to the recipient. Non-targeted attacks thus appear to be designed to infect as many computers as possible, whereas targeted attacks appear to be designed to attack the computers of specifically targeted individuals, presumably either to extract information that is valuable to the attacker or to act as a launching pad for further attacks within an organisation.

The targeted malware itself often exploits zero-day or the most recent vulnerabilities. The low copy-numbers in which this malware is sent and its sophistication mean that it is often not detected by traditional anti-virus techniques and...