Symantec Intelligence
Paul Wood | 25 Feb 2011 | 0 comments

Posted on behalf of Jo Hurcombe AV Operations Engineer, Symantec.cloud

Today, I identified a new targeted attack that, for the first time, makes reference to a discussion on the economic stakes in Libya's current crisis.

The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, with the sender claiming to agree with points raised in the attached document, as seen in the example given below.

Example of targeted email

The first example of this targeted attack was intercepted by Symantec.cloud on February 24, 2011 at 12:52 GMT. These attacks were targeted in nature: in total, 27 individuals were targeted within six organizations. The emails were sent from four separate domains. All of the organizations targeted are involved in...

Paul Wood | 24 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

As 419 or advance fee fraud scammers have demonstrated in recent days and weeks, they are particularly adept at using current events to their advantage. We've covered how scammers have also used Egypt's recent revolution to try to get money from their victims.

I recently identified a 419 scam message trying to take advantage of the unrest in Libya. It seems that as countries around the world scramble to evacuate their citizens from the deteriorating situation in the country, 419 scammers are also rushing to send out messages to capitalise on the unrest and publicity.

The scam message claims to be written by someone connected to Libya's Senussi crown (overthrown by Muammar al-Gaddafi in his 1969 coup d'état). The scam follows a fairly...

Paul Wood | 21 Feb 2011 | 0 comments

Posted on behalf of Sean Butler, Senior Malware Operations Engineer, Symantec.cloud

I recently saw a typical 419 scam mail which was different in one aspect, in that the email was written in Welsh. Whilst we have seen 419 scam mails constructed in many different languages, such as German and French, for example, this was the first time we have come across one of these scam mails written in Welsh.

419 scam mails, or advance-fee fraud scam mails, usually promise large amounts of money but demand upfront fees or payments first. Potential victims hand over money to the scammers believing it covers those fees, but they never receive the promised large sum.

The content of the mail is typical of a 419 scam mail. In it, the scammer, posing as the widow of a Kuwaiti ambassador to the Ivory Coast, has $2.5 million in a trust fund. They then want their potential victim to...

Paul Wood | 17 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

It has only been a few days since the resignation of Egypt's long-standing president, Hosni Mubarak, who resigned after intense political pressure following days of widespread protest across the country. As we've seen in the past, 419 or advance-fee fraud scammers (who typically promise large amounts of money, but demand upfront fees or payments first) are quick to react to current events. For example, in the aftermath of Haiti's devastating earthquake in January 2010, 419 scammers impersonated the Red Cross, requesting donations.

We recently saw a German language 419 scam claiming to be from the former Egyptian president's lawyer:

The scammer claimed that he needed the recipient's help to retrieve $2.5m of the president's funds, frozen in a Belgian...

Paul Wood | 15 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

MessageLabs Intelligence recently tracked a new pharmaceutical spam campaign promoting a supposedly "Google-accredited" online pharmacy. This is obvious brand hijacking: Google does not host or approve any pharmacy sites. We contacted Google about this, and a spokesperson responded with, "Google has a track record of fighting similar types of scams, and we also recommend that users carefully review online offers that look too good to be true before entering any of their information: http://googleblog.blogspot.com/2009/12/fighting-fraud-online-taking-google.html".

The spam message contains text promoting a drug for preventing hair loss, and a link to a blog the spammer has set up on a popular free blogging site, shown in the screenshot below:...

Paul Wood | 10 Feb 2011 | 0 comments

Q. What’s the only computer virus to ever appear in an episode of Friends?

A. The Anna Kournikova virus (celebrating its tenth birthday on February 11, 2011)

10 years ago, on 11 February 2001, the Anna Kournikova virus swept the internet, tricking email users everywhere into opening a mail message that appeared to contain a picture of the famous Russian tennis beauty. Instead of providing the image promised, the virus plundered the user’s email inbox, accessed their address book, and sent itself to every contact in it. The virus wreaked such havoc that our analysts at the time commented that it was "spreading twice as fast as the Love Bug", the notorious ILOVEYOU virus we identified before anybody else back in 2000.

The Anna Kournikova virus - or Vbs.SST@mm to use its full Symantec virus name -...

Paul Wood | 03 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

As we extensively covered on the MessageLabs Intelligence blog last year, the 2010 FIFA World Cup in South Africa, enjoyed by millions of soccer fans, was also used by both 419/advance fee fraud scammers and malware authors to lure unsuspecting victims into handing over money or installing malware.

Last December we saw two scams which claimed the recipient had won a lottery supposedly connected with the 2014 World Cup, to be hosted in Brazil. We were surprised to see scams promoting an event so far in the future, so we were especially surprised to recently see a scam promoting the 2022 World Cup in Qatar. Evidently scammers are not concerned by the fact that the tournament is over ten years away, with the tournaments in Brazil and Russia still to come before it.

The scam itself is fairly normal. The mail contains very little content in the body; it simply encourages recipients to open the...

MarissaVicario | 20 Jan 2011 | 1 comment

Posted on behalf of Martin Lee, Senior Software Engineer, Symantec.cloud

Occasionally, MessageLabs Intelligence is lucky enough to find an email thread contained within a malicious email that allows us to examine the conversation leading up to the attack. This particular email exchange between the attackers and the intended target allows us to understand the social engineering that leads to an attack.

The initial contact is from an individual claiming to be a journalist from a well-known American newspaper, sent to a media contact for a large professional services company.

Despite the name given in the email, the language used does not appear to be that of a native English speaker. The name used in the header 'From' address is non-English and does not correspond with the name used in the email signature. These are surprising lapses...

MarissaVicario | 10 Jan 2011 | 5 comments

Posted on behalf of Mathew Nisbet, Malware Analyst, Symantec Hosted Services and Matt Sergeant, Senior Anti-Spam Technologist, Symantec Hosted Services

On December 25, 2010, Rustock, the largest of the spam botnets, went quiet. Why this happened we don't know, but what we do know is that global spam levels dropped massively as a result. MessageLabs Intelligence analysts did not expect this respite to last, and sadly we were right.

Since around 00:00 (UTC) on January 10, Rustock has resumed activity, and appears set to continue where it left off on December 25 as the biggest source of global spam.

As Rustock has now returned, the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on...

Paul Wood | 04 Jan 2011 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Over the 2010 Christmas holiday, the level of spam in circulation dropped drastically. For example, at the time of writing, the amount of spam hitting our spam honeypots is the lowest it has been since McColo, the rogue ISP, was shut down in November 2008. As can be seen from the global spam level estimates in figure 1 below, the amount of spam worldwide has dropped dramatically since 25th December 2010.

Figure 1 - Global spam volumes

The main cause of this drop is a huge reduction in output from the Rustock botnet, by far the most dominant spam botnet of 2010. Since 25th December, Rustock seems to have all but shut down, with the amount of spam coming from it consistently accounting for below 0.5% of all spam worldwide. Further contributing to the massive reduction in spam levels...