Video Screencast Help
Search Video Help Close Back
to help

Symantec Intelligence

Showing posts in English
Phishing with Wimbledon tickets
Sean Butler | 22 Jun 2011 | 0 comments

Today I came across a phishing mail that is tied to the current Wimbledon Tennis Championships that are taking place.   The scammer informs their potential victim that they have won two tickets to this year’s Wimbledon Championships, and all they need to do is login to their online banking account and complete the required fields.  Of course in reality there is no free tickets to Wimbledon and the recipient will end up being a victim of fraud where the scammer will empty their bank account.

A quick glance at the email confirms the suspicious nature of this due to the poor grammar in the body of the mail.  Even the subject contains a grammatical error – “Your way to Wimbledon , claim your tickets now!”  The mail displays a link to a well known worldwide banking corporation, but the link hidden behind this in the source of the mail shows that the...

Read more
Spammers abusing major domain parking service
Nick Johnston | 25 May 2011 | 0 comments

Domain parking services allow registration of Internet domain names without using them for services like email or hosting a website. This is often done to reserve the domain name for future use, to prevent (or carry out) cybersquatting or earn money via advertising hosted on an automatically-generated web site on the domain.

We recently noticed a large domain parking service being abused by spammers on a massive scale. Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice. The only minor restriction is that URLs have to be base64-encoded: in other words, a redirect URL of "http://symantec.com" must be specified as "aHR0cDovL3N5bWFudGVjLmNvbQ==".

This type of abuse is particularly interesting, as it's important to note that spammers have not compromised the service directly: they are simply taking advantage...

Read more
Are You At Risk From Targeted Attacks? Lifting the Lid on Who Was Being Targeted in 2010
Paul Wood | 27 Apr 2011 | 0 comments

Posted on behalf of Martin Lee, Senior Software Engineer, Symantec.cloud

 

Targeted attacks are bespoke pieces of malware that are sent to email addresses that appear to have been specially selected by the attacker.  In this way they differ from the rest of email malware that are sent in large numbers without apparent regard to the recipient. In this way non-targeted attacks appear to be designed to infect as many computers as possible, whereas targeted attacks appear to be designed to attack the computers of specifically targeted individuals presumably either to extract information that is valuable to the attacker or to act as a launching pad for further attacks within an organisation.

The targeted malware itself often exploits ‘0’ day or the most recent vulnerabilities. The low copy-numbers in which these malwares are sent and their sophistication means that they are often not detected by traditional anti-virus techniques and...

Read more
Rise in ZIP File Attachments in Spam Emails Lead to Bredolab Malware
Paul Wood | 15 Apr 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Analyst, Symantec.cloud

On the 16th of March Rustock, the largest of the spamming botnets, was taken down. As you would expect,  global spam levels started to drop, as can be seen when you look at the number of mails being delivered  to one of our spamtraps.

However, on the 26th March we saw a large increase in the amount of data traffic hitting our spamtraps,  despite the number of actual emails continuing to decline.

Investigation revealed that the reason for this was that the Cutwail botnet had started sending much  more emails with zip file attachments than normal, meaning the average size of each mail was much  higher than normal. The chart below shows that there have been a couple of spikes in early March, which  may have...

Read more
The PDF Exploit: Same Crime, Different Face
Paul Wood | 06 Apr 2011 | 0 comments

Posted on behalf of Jason Zhang and Joseph Rabaiotti, Malware Research Analysts, Symantec.cloud

 

Portable document format (PDF) is one of the most commonly used file formats with which to exchange electronic documents across platforms and applications. Because of its popularity, it has been heavily used in both targeted and non-targeted attacks, as reported by MessageLabs Intelligence Monthly Report (PDF) in February 2011 and a blog post in January 2011. According to the report, PDFs now account for a larger proportion of document-based targeted attacks; in 2009 approximately 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010.

In 2011, we have seen no sign of...

Read more
Stay Safe Online During Tax Time
MarissaVicario | 04 Apr 2011 | 0 comments
 

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec.cloud

Every year tax season is usually exploited by those who seek to make a profit preying on people's trust. Throughout the year MessageLabs Intelligence commonly sees phishing attacks, but there is always an increase around March, as the financial year draws to a close and tax season kicks into full swing.

The chart above shows tax-related phishing as a proportion of all malicious mail (not general spam)

As on can see, there was an increase in traffic in mid February, but even that is less than half of the volume of tax related scams seen throughout March.

Most of the scams that we are seeing are purporting to be from the UK's tax office, "Her Madjesty's Revenue and Customs...

Read more
Happy 5th Birthday, Twitter!
Paul Wood | 22 Mar 2011 | 0 comments

On 21 March 2006, Jack Dorsey sent the first ever Twitter message or ‘tweet’ with five simple words “just setting up my twttr”.  Five years later, 140 million tweets are sent in a host of different languages every day via the micro-blogging service which boasts over 200 million registered users worldwide and is valued at an estimated $7.7 billion following an auction of shares in March 2011.

Although Twitter’s 100 million messages a day may seem paltry compared to the roughly 66 billion email messages sent each day on average in March 2011 before the Rustock botnet was disrupted; (52 billion of which were spam). The prolific growth of micro-blogging platforms...

Read more
Has The Rustock Botnet Ceased Spamming?
Paul Wood | 18 Mar 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Data Analyst, Symantec.cloud

 

Brian Krebs posted on KrebsonSecurity a report about the Rustock botnet apparently going quiet yesterday, and spam from the botnet ceasing. I can confirm that at around 15:30 UTC, on 16 March, spam identified as coming from the botnet known as Rustock ceased sending spam, as shown below:

In the chart above, the spike on this chart is actually normal behaviour for Rustock, as can be seen from this next chart, covering a longer time period:

For the last year or so, Rustock has been the dominant source of spam in the world, by the end of 2010, accounting for as much as 47.5% of all spam. At it’s peak it was responsible...

Read more
Spammers taking advantage of IDN with URL shortening services
Paul Wood | 28 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

 

Internationalized Domain Names (IDN) allow domain names to include Arabic, Chinese, Russian, Latin (with diacritics) and many other characters like 寿司and 한글. It has been possible to include these characters in some domains for several years, but until last year, top-level domains (like .ru for Russia) were not internationalized like this. Several top-level domains now have internationalized versions, for example .рф for Russia.

I recently saw some German pharmacy spam (targeted at Germany, Austria and Switzerland). The spam itself is fairly normal. It promotes erectile dysfunction drugs, and includes links to a popular URL shortening site:

Figure 1 – example of spam email using URL shortening service redirecting to IDN domain

 

Most of the spam is in...

Read more
New Targeted Attack Exploiting Libyan Crisis
Paul Wood | 25 Feb 2011 | 0 comments

Posted on behalf of Jo Hurcombe AV Operations Engineer, Symantec.cloud

 

 

Today, I identified a new targeted attack that for the first time makes reference to a discussion on the economic stakes in Libya’s current Crisis.

The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, with the sender claiming to agree with points raised in the attached document, as seen in the example given below.

Example of targeted email

 

The first example of this targeted attack was intercepted by Symantec.cloud on February 24, 2011 at 12:52 GMT. These attacks were targeted in nature and in total 27 individuals were targeted within six organizations. The emails were sent from four separate domains. All of the organizations targeted are involved in...

Read more