Symantec Intelligence
Paul Wood | 17 Mar 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Data Analyst, Symantec.cloud


Brian Krebs posted on KrebsonSecurity a report about the Rustock botnet apparently going quiet yesterday, and spam from the botnet ceasing. I can confirm that at around 15:30 UTC on 16 March, spam identified as coming from the botnet known as Rustock stopped, as shown below:

The spike in the chart above is actually normal behaviour for Rustock, as can be seen from this next chart, covering a longer time period:

For the last year or so, Rustock has been the dominant source of spam in the world, and by the end of 2010 it accounted for as much as 47.5% of all spam. At its peak it...

Paul Wood | 28 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud


Internationalized Domain Names (IDN) allow domain names to include Arabic, Chinese, Russian, Latin (with diacritics) and many other characters, such as 寿司 and 한글. It has been possible to include these characters in some domains for several years, but until last year, top-level domains (like .ru for Russia) were not internationalized like this. Several top-level domains now have internationalized versions, for example .рф for Russia.
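An IDN reaches the DNS (and a URL shortener's redirect target) in its ASCII "xn--" form, so a filter that wants to see what the user sees has to decode it, and a domain whose single label mixes writing systems (Latin letters with a Cyrillic look-alike) deserves a second look. The following is an added example, not code from Symantec.cloud or from the original post; it relies only on Python's built-in idna codec (IDNA 2003 rules) and unicodedata, and the sample hostnames, including the one hiding a Cyrillic "а", are constructed for illustration.

```python
import unicodedata

def to_ascii(host: str) -> str:
    """Unicode hostname -> IDNA/punycode form, label by label.
    Plain ASCII labels pass through unchanged."""
    return host.encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """IDNA form -> the characters a user would see. Accepts Unicode input too,
    because it normalises to the xn-- form first and then decodes."""
    return to_ascii(host).encode("ascii").decode("idna")

def label_scripts(label: str) -> set:
    """Writing systems used in one label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, CJK, HANGUL, ...).
    Digits and '-' carry no script and are ignored."""
    scripts = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split()[0] if name else "UNKNOWN")
    return scripts

def is_mixed_script(host: str) -> bool:
    """True if any single label mixes writing systems, a classic homograph tell.
    A Cyrillic TLD under a Latin second-level label is NOT flagged, because the
    mixing happens across labels, not inside one."""
    return any(len(label_scripts(label)) > 1 for label in to_unicode(host).split("."))

def describe(host: str) -> dict:
    """Summary a mail filter could log for each link target it sees."""
    ascii_form = to_ascii(host)
    unicode_form = to_unicode(host)
    scripts = set()
    for label in unicode_form.split("."):
        scripts |= label_scripts(label)
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": ascii_form.lower() != unicode_form.lower(),
        "scripts": sorted(scripts),
        "mixed_script": is_mixed_script(host),
    }

# Constructed sample hosts (not taken from the spam in the post): a .рф domain,
# a plain ASCII domain, and a Latin label hiding one Cyrillic 'а' (U+0430).
SAMPLES = ["example.рф", "example.com", "ex\u0430mple.com"]

def scan(hosts=SAMPLES) -> dict:
    return {h: describe(h) for h in hosts}

if __name__ == "__main__":
    for host, info in scan().items():
        print(host, info)
```

Feed the function the hostname you obtain after following the shortener's redirect, not the shortener itself; the shortener's own domain is plain ASCII and tells you nothing about where the link ends up.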

I recently saw some German pharmacy spam (targeted at Germany, Austria and Switzerland). The spam itself is fairly normal. It promotes erectile dysfunction drugs, and includes links to a popular URL shortening site:

Figure 1 – example of spam email using URL shortening service redirecting to IDN domain


Most of the spam is in...

Paul Wood | 25 Feb 2011 | 0 comments

Posted on behalf of Jo Hurcombe AV Operations Engineer, Symantec.cloud


Today, I identified a new targeted attack that for the first time makes reference to a discussion on the economic stakes in Libya's current crisis.

The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, with the sender claiming to agree with points raised in the attached document, as seen in the example given below.

Example of targeted email


The first example of this targeted attack was intercepted by Symantec.cloud on February 24, 2011 at 12:52 GMT. These attacks were targeted in nature: in total, 27 individuals were targeted within six organizations, and the emails were sent from four separate domains. All of the organizations targeted are involved in...

Paul Wood | 24 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud


As 419 or advance fee fraud scammers have demonstrated in recent days and weeks, they are particularly adept at using current events to their advantage. We've covered how scammers have also used Egypt's recent revolution to try to get money from their victims.

I recently identified a 419 scam message trying to take advantage of the unrest in Libya. It seems that as countries around the world scramble to evacuate their citizens from the deteriorating situation in the country, 419 scammers are also rushing to send out messages to capitalise on the unrest and publicity.

The scam message claims to be written by someone connected to Libya's Senussi crown (overthrown by Muammar al-Gaddafi in his 1969 coup d'état). The scam follows a fairly...

Paul Wood | 21 Feb 2011 | 0 comments

Posted on behalf of Sean Butler, Senior Malware Operations Engineer, Symantec.cloud


I recently saw a typical 419 scam mail which was different in one aspect, in that the email was written in Welsh.  Whilst we have seen 419 scam mails constructed in many different languages such as German and French, for example, this was the first time we have come across one of these scam mails written in Welsh.

419 scam mails, or advance-fee fraud scam mails, usually promise large amounts of money but demand upfront fees or payments first. Potential victims hand money over to the scammers believing it covers those fees, but they never receive the promised large sum.

The content of the mail is typical of a 419 scam mail. In it, the scammer, posing as the widow of a Kuwaiti ambassador to the Ivory Coast, claims to have $2.5 million in a trust fund. They then want their potential victim to...

Paul Wood | 17 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud


It has only been a few days since the resignation of Egypt's long-standing president, Hosni Mubarak, who resigned after intense political pressure following days of widespread protest across the country. As we've seen in the past, 419 or advance-fee fraud scammers (who typically promise large amounts of money, but demand upfront fees or payments first) are quick to react to current events. For example, in the aftermath of Haiti's devastating earthquake in January 2010, 419 scammers impersonated the Red Cross, requesting donations.

We recently saw a German language 419 scam claiming to be from the former Egyptian president's lawyer:


The scammer claimed that he needed the recipient's help to retrieve $2.5m of the president's funds, frozen in a Belgian...

Paul Wood | 15 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud


MessageLabs Intelligence recently tracked a new pharmaceutical spam campaign promoting a supposedly "Google-accredited" online pharmacy. This is obvious brand hijacking: Google does not host or approve any pharmacy sites. We contacted Google about this, and a spokesperson responded with, "Google has a track record of fighting similar types of scams, and we also recommend that users carefully review online offers that look too good to be true before entering any of their information: http://googleblog.blogspot.com/2009/12/fighting-fraud-online-taking-google.html".

The spam message contains text promoting a drug for preventing hair loss, and a link to a blog the spammer has set up on a popular free blogging site, shown in the screenshot below:...

Paul Wood | 10 Feb 2011 | 0 comments

Q. What’s the only computer virus to ever appear in an episode of Friends?

A. The Anna Kournikova virus (celebrating its tenth birthday on February 11, 2011)

10 years ago, on 11 February 2001, the Anna Kournikova virus swept the internet, tricking email users everywhere into opening a mail message that appeared to contain a picture of the famous Russian tennis beauty. Instead of providing the image promised, the virus plundered the user’s email inbox, accessed their address book, and sent itself to every contact in it. The virus wreaked such havoc that our analysts at the time commented that it was "spreading twice as fast as the Love Bug", the notorious ILOVEYOU virus we identified before anybody else back in 2000.

The Anna Kournikova virus - or Vbs.SST@mm to use its full Symantec virus name -...

Paul Wood | 03 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud


As we extensively covered on the MessageLabs Intelligence blog last year, the 2010 soccer FIFA World Cup in South Africa, enjoyed by millions, was also used by both 419/advance fee fraud scammers and malware authors to lure unsuspecting victims into handing over money or installing malware.

Last December we saw two scams which claimed the recipient had won a lottery supposedly connected with the 2014 World Cup, to be hosted in Brazil. We were surprised to see scams promoting an event so far in the future, so we were especially surprised to recently see a scam promoting the 2022 World Cup in Qatar. Evidently scammers are not concerned by the fact that the tournament is over ten years away, with tournaments in Brazil and Russia still to come before it.

The scam itself is fairly normal. The mail contains very little content in the body; it simply encourages recipients to open the...

MarissaVicario | 20 Jan 2011 | 1 comment

Posted on behalf of Martin Lee, Senior Software Engineer, Symantec.cloud

Occasionally, MessageLabs Intelligence is lucky enough to find an email thread contained within a malicious email that allows us to examine the conversation leading up to the attack. This particular email exchange between the attacker and the intended target allows us to understand the social engineering that leads to an attack.

The initial contact is from an individual claiming to be a journalist from a well-known American newspaper, sent to a media contact for a large professional services company.

Despite the name given in the email, the language used does not appear to be that of a native English speaker. The name used in the header 'From' address is non-English and does not correspond with the name used in the email signature. These are surprising lapses...
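The mismatch between the display name in the From header and the name the message is signed with is a cheap, mechanical check, and it is one an analyst can run over a whole mailbox rather than spotting by eye. The following is an added example, not code from Symantec.cloud or from the original post: it uses only Python's standard email package, assumes a single-part text/plain message (a real filter would walk the MIME parts), treats the last few non-empty body lines as the signature block, and runs over two constructed sample messages whose names and addresses are invented for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def signature_lines(body: str, max_lines: int = 6) -> list:
    """Last non-empty lines of a plain-text body, where a signature normally sits."""
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    return lines[-max_lines:]

def name_tokens(name: str) -> set:
    """Words of a personal name worth matching; initials and punctuation are dropped."""
    return {t.strip(".,").lower() for t in name.split() if len(t.strip(".,")) > 1}

def check_sender_consistency(raw: str) -> dict:
    """Compare the From display name with the name found in the signature block.
    Matching is on whole words, so 'Wei' does not match inside 'interview'."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    # Single-part text/plain is assumed here (constructed samples below).
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    signature = signature_lines(body)
    sig_words = {w.strip(".,;:").lower() for w in " ".join(signature).split()}
    tokens = name_tokens(display_name)
    matched = sorted(tokens & sig_words)
    return {
        "from_name": display_name,
        "address": address,
        "signature": signature,
        "matched_tokens": matched,
        # Only a mismatch when we had a display name to compare at all.
        "mismatch": bool(tokens) and not matched,
    }

# Constructed sample: the From display name and the signature disagree.
SAMPLE_MISMATCH = """From: Wei Zhang <wei.zhang@example.net>
To: press@example.org
Subject: Interview request
Content-Type: text/plain; charset=utf-8

Hello,

I am a journalist with a major newspaper and would like to interview your
chief executive. The questions are in the attached document.

Best regards,
John Smith
Senior Correspondent
"""

# Constructed sample: same body, but the display name matches the signature.
SAMPLE_OK = SAMPLE_MISMATCH.replace("Wei Zhang <wei.zhang@example.net>",
                                    "John Smith <john.smith@example.net>")

if __name__ == "__main__":
    for sample in (SAMPLE_MISMATCH, SAMPLE_OK):
        print(check_sender_consistency(sample))
```

A mismatch on its own is not proof of anything (people do sign with nicknames or maiden names), so treat the result as one weak signal to combine with others from the same message, such as a reply-to address on a different domain or an attachment the conversation does not justify.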