3 resumes you don’t want to open

August 27, 2010

If you’re in any kind of business there’s a good chance you have to deal with resumes on a daily basis, especially if you’re a manager or Human Resources professional.  While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have been increasingly presenting malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn’t.

The Barracuda Labs spam monitoring center has detected a recent increase in the amount of this fake resume spam from multiple sources. While the messages are similar, the threats they carry are all different. Here are three cautionary examples.

HTML attachment

One common feature of these fake resumes is that the spammer keeps the message short and sweet, hoping you’ll open the attachment to see if this is the one resume you’ve been waiting for.

Of course, in this case better grammar would help make the sale. This particular message contains an HTML attachment, something our honeypots have seen a great deal of in the past week. HTML attachments are less likely to be filtered by email scanning software that might otherwise reject binary attachments by default, and even end users who are conditioned not to open and run programs might look at an HTML file and think it harmless.

Except that this HTML is anything but harmless.

The attachment is 100% obfuscated malicious JavaScript. Opening it in a browser (which is the default action when it is clicked) raises an alert and sends you off to a bogus antivirus site.

Don’t open suspicious HTML attachments. Email the sender and ask for the information in a different format, such as a Word document or text file.

RTF attachment

Since the Rich Text Format (RTF) is handled by Windows WordPad and Microsoft Word, you wouldn’t necessarily be surprised to get an email with a resume in that format.

However, it is possible to completely embed an executable program within an RTF document, and that’s what we have here.

When the document is first opened, the filename of this embedded object is only partly displayed. Still, clicking on it does bring up a security warning that should make you think twice. After all, a resume doesn’t normally need to be “Run”.

If you do click Run, nothing seems to happen. However, if you’re watching your internet traffic you’ll see the telltale signs of a Zeus Trojan infection.

A Zeus Trojan quietly examines your internet traffic looking for usernames and passwords, and then sends them back to criminals who use them to take over online accounts. Many cases of online banking fraud involve passwords stolen by this malware family.

ZIP attachment

The last example has the most convincing message text, and the file name of the attachment includes a person’s name, making it look less threatening.

But once you’ve opened the .zip attachment the alarm bells should be ringing.

A careful check of the properties of the file inside shows that it is an executable, and clicking on it would run it. As we said above, resumes do not normally need to be “Run”. Doing so just installs a fake anti-malware program named SecurityTool onto your computer.

If you or your colleagues handle resumes, be careful of unsolicited or unanticipated resume emails. Examine any resume attachments carefully before opening them, and, as we repeatedly stress, never press the “Run” button unless you are certain that is appropriate – it rarely is.

Barracuda Spam & Virus Firewall customers are protected from these attacks.

Dave Michmerhuizen – Barracuda Labs

Wedding Bells Ringing in Malware

August 18, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal. In particular, it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

At first glance, it could pass for your legitimate contract (hopefully the user will notice that the venue is not one they have been considering!). If the attachment is opened, it does not appear to do anything at all; nothing displays. However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.


Kanye’s First Week on Twitter: An Infographic Review pt. 2

August 12, 2010

By BarracudaLabs

In his first week on Twitter, from July 28 to August 4, Kanye West sent 190 tweets. By the end of that first week he had reached 431,104 followers. We calculated the total amount of time that people spent reading @kanyewest tweets in one week: we estimated that each tweet took 3 seconds to read, and we counted how many people were following him at the time each tweet was sent. In total, 2,551,812 minutes were spent reading @kanyewest tweets in one week. We then looked at what else could be done with that much time.

If one person had 2,551,812 minutes, here is what he could do:


Kanye’s First Week on Twitter: An Infographic Review

August 10, 2010

By Barracuda Labs

For the past year, we have released analysis on user behavior and malicious activity on Twitter. Just last week, Barracuda Labs released our 2010 Midyear Security Report that focuses on The Dark Side of Twitter and Search Engine Malware. On the same day, Kanye West joined Twitter. In March we explored the effect of celebrities joining Twitter in what we called the Twitter Red Carpet Era. We showed that during that six-month period, more than half of the top 100 users joined Twitter, causing a spike in overall usage and a subsequent spike in the Twitter Crime Rate (the number of accounts created and later suspended by Twitter because of suspicious or malicious use).

Kanye joined Twitter with a splash. First of all, he visited the Twitter offices that morning, but what’s more interesting is the rate at which he attracted followers. Since we have access to this data and machines constantly analyzing it, we decided to have a little fun. This week, Barracuda Labs will present a series of infographics that illustrate Kanye’s first week on Twitter.

Today, we show the first view. The first question that we wanted to answer was what kind of people are attracted to follow Kanye?  For example, do they follow other musicians or other types of people? We looked into several notable users to examine the overlap between Kanye’s followers and their followers.

BarracudaLabs.com - Kanye West Twitter Followers

Let’s review:

Taylor Swift: Taylor Swift and Kanye shared a moment on stage at last year’s MTV Awards when he interrupted her speech. He has since apologized to her and she accepted. Their followers seem to have followed suit, as a substantial number of people follow both Kanye West and Taylor Swift. In fact, 20% of Kanye’s followers also follow Taylor Swift. By the way, Taylor Swift joined Twitter 20 months ago during the Red Carpet Era and has since attracted 3.8 million followers.

Amber Rose: Amber Rose and Kanye West dated for several years, frequently appearing together at photo shoots and fashion shows. They recently moved on; however, their followers still appreciate both of them. In Kanye’s first week, more than half of Amber’s followers already follow Kanye. Further, Kanye has seven times more followers than Amber, who joined two months ago.

Power: Kanye’s new song is called “Power”, but let’s compare him to the most powerful person on Earth: the President of the United States. Kanye was a vocal supporter of Obama during his campaign. More than 190,000 of Obama’s followers already follow Kanye, showing that over one-third of Kanye’s followers also follow the President.

Perhaps Kanye’s followers are into political leaders of all parties. How about Newt Gingrich? Less than 5,000 of Newt Gingrich’s followers have decided to follow Kanye. This means that less than 1% of Kanye’s followers also follow Newt.

Stay tuned for more analysis on Kanye’s first week on Twitter – and on the overall Red Carpet effect. We think you’ll find the next few days very interesting… and possibly worth a Retweet of your own.

Meanwhile, follow us on Twitter at @barracudalabs for ongoing updates!


Barracuda Labs 2010 Midyear Security Report

July 28, 2010

Today Barracuda Labs released our 2010 Midyear Security Report, revealing data in two key areas: search engine malware, and Twitter use and crime rate.

Our study shows that attackers are devoting serious effort to getting in front of the billions of eyeballs that use search engines every day and the millions of users connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report from the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google accounts for 69 percent of the malware found; Yahoo! for 18 percent; Bing for 12 percent; and Twitter for one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

Continuing the studies whose data we released in June 2009 and again in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas, including True Twitter Users¹, Twitter Crime Rate², and Tweet Number³. Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following fewer than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.
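
The three metrics defined in the footnotes are straightforward to compute from an account snapshot, and doing so makes the definitions concrete. The following is an added example written for this page, not code from the report or from Barracuda Labs; the Account fields and the sample records are constructed, and averaging Tweet Number over the account’s lifetime up to a snapshot date is an assumption (the report does not say which period it averages over).

```python
"""Computing True Twitter User, Twitter Crime Rate and Tweet Number as the
report's footnotes define them. Example code for this page, not the report's;
records and field names are constructed / assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    created: date      # account creation date
    followers: int
    following: int
    tweets: int        # lifetime tweet count at the snapshot
    suspended: bool    # later suspended by Twitter for malicious/suspicious use
    observed: date     # date of the snapshot the counts come from (assumption)


def is_true_twitter_user(a: Account) -> bool:
    """Footnote 1: >= 10 followers, follows >= 10 people, tweeted >= 10 times."""
    return a.followers >= 10 and a.following >= 10 and a.tweets >= 10


def tweet_number(a: Account) -> float:
    """Footnote 3: average tweets per day, here over the account's lifetime."""
    days = max((a.observed - a.created).days, 1)
    return a.tweets / days


def crime_rate_by_month(accounts: list[Account]) -> dict[tuple[int, int], float]:
    """Footnote 2: per creation month, percentage of accounts later suspended."""
    created = defaultdict(int)
    suspended = defaultdict(int)
    for a in accounts:
        month = (a.created.year, a.created.month)
        created[month] += 1
        suspended[month] += a.suspended
    return {m: 100.0 * suspended[m] / created[m] for m in sorted(created)}


def summarize(accounts: list[Account]) -> dict:
    """Headline figures in the form the report uses (percentages of accounts)."""
    def pct(count: int) -> float:
        return 100.0 * count / len(accounts)

    return {
        "true_user_pct": pct(sum(is_true_twitter_user(a) for a in accounts)),
        "never_tweeted_pct": pct(sum(a.tweets == 0 for a in accounts)),
        "under_one_per_day_pct": pct(sum(tweet_number(a) < 1 for a in accounts)),
        "five_plus_per_day_pct": pct(sum(tweet_number(a) >= 5 for a in accounts)),
        "crime_rate": crime_rate_by_month(accounts),
    }


# Constructed sample snapshot: eight accounts created over two months.
SNAPSHOT = date(2010, 6, 30)
SAMPLE = [
    Account("a", date(2010, 1, 1), 120, 80, 900, False, SNAPSHOT),   # true user, 5 tweets/day
    Account("b", date(2010, 1, 15), 3, 400, 0, False, SNAPSHOT),     # never tweeted
    Account("c", date(2010, 1, 20), 0, 2000, 50, True, SNAPSHOT),    # suspended
    Account("d", date(2010, 2, 1), 15, 12, 10, False, SNAPSHOT),     # true user, just over the bar
    Account("e", date(2010, 2, 10), 9, 10, 10, False, SNAPSHOT),     # not a true user: 9 followers
    Account("f", date(2010, 2, 11), 1, 1, 0, True, SNAPSHOT),        # suspended
    Account("g", date(2010, 2, 12), 1, 1, 0, True, SNAPSHOT),        # suspended
    Account("h", date(2010, 2, 13), 40, 30, 300, False, SNAPSHOT),   # true user
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

With the constructed records, January's cohort has one suspension in three accounts (33.3%) and February's two in five (40%); three of the eight accounts qualify as True Twitter Users.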


Think You Want a New Social Security Number?

July 23, 2010

by Barracuda Labs

This week, we have seen a surge in the number of spams like the one below, promising a new Social Security Number (SSN) to victims of Identity Theft.

Most people would take one look at this spam and hit the delete button, but it is worth taking a moment to understand what’s being offered.

The scam behind the spam

If you are a citizen of the United States, your SSN is a de facto personal identification number.  With your name, your SSN and a few other bits of personal information, an identity thief can ruin your credit and turn your life into a nightmare.

Since a stolen SSN is at the center of the nightmare, this scam attempts to convince identity fraud victims that a new SSN will take care of their problems and that for a fee, the company – Get New SSN – will help.  Calling the number in the spam connects you to a slick sounding recording and then a human operator who takes your personal information.

What really happens is that the victim of these scams is given a Federal Employer Identification Number (FEIN), which looks just like an SSN but serves a completely different purpose. The victim uses this FEIN as if it were an SSN without realizing that they are committing fraud. What’s more, by using the FEIN in place of their real SSN, they are doing permanent harm to their Social Security record, since income earned when using an FEIN is not eligible for Social Security reporting.

The Social Security Administration issues new numbers only in the event of severe identity theft, and even then only rarely, and all Social Security services are offered at no cost.

As you would expect of a scam, these spams contain no valid reply information.  Not only do the scammers send out email spam, they post spam to unprotected online forums as well.  This is done automatically by ‘bots’ which are indiscriminate in their targets.  Below is an example of the “New SSN” posted to a Japanese blog:

The email mentioned in these forum spams, getnewssn@gmx.com, is hosted at a free German email service. Not quite what one would expect from a company offering to help with an American government agency.

Barracuda Spam & Virus Firewalls block these spam messages.


New Spam Pretends to be Xerox Scanner Output

July 16, 2010

by Barracuda Labs

Barracuda Labs spam monitoring systems have picked up a massive new spam campaign whose messages pretend to be output files from a popular Xerox office copier.

Hundreds of thousands of these messages are circulating around the globe, titled “Scan from a Xerox WorkCentre Pro” and containing a single .zip file attachment tagged with a random number that helps them avoid detection by anti-spam technology. In fact, VirusTotal puts detection rates at around 19.5%, as referenced by TechHerald staff today.

The message format closely mimics the one used by a real Xerox WorkCentre Pro, except for one detail – Xerox scanners do not email their outputs using the .zip format. The WorkCentre Pro from Xerox typically scans documents to PDF, email or FTP accounts.

The message text claims that the attachment is a zipped .doc file, and the .zip file itself hides the true extension of the file contained within.  It is not until you go to open the file that you see its true nature.  It is an executable and it is not scanner output – it is a variant of Trojan Oficla.

Choosing Run (which you should not do) seems to do nothing at all – the Trojan runs but does not display any decoy image. Rather, it simply installs itself and gets to work in the background downloading other malware.

Samples executed at Barracuda Labs quickly start up a Spambot which sends out more copies of the same message.

As always, never trust unexpected emails, and in particular, never press the “Run” button unless you are 100% certain of what you are doing. Word documents are “opened”; they are never “run”. And, of course, always keep the security software on your system updated. If this message lands in your inbox, please delete it and spread the word to your friends and colleagues.
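
The three resume attachments described above (HTML carrying obfuscated script, RTF with an embedded object, and a ZIP whose member is really an executable) and the zipped “.doc” in this Xerox campaign share a small set of observable traits, and a mail gateway or an analyst can check for them before anyone clicks. Below is an added example of such a triage pass in Python, written for this page and not Barracuda’s code; the heuristics, the sample message and its three attachments are all constructed for illustration (the script inside the sample HTML is a harmless stand-in that only assigns a variable, and the “executable” in the ZIP is two header bytes followed by zeros).

```python
"""Attachment triage for the patterns in the fake-resume and fake-scan spam:
HTML with obfuscated script, RTF embedding an object, ZIP hiding an executable.
Example code for this page, not Barracuda's; heuristics and samples constructed."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute on a double-click.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Extensions a resume or a scan legitimately arrives in.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "rtf", "txt", "jpg", "png"}


def inspect_html(data: bytes) -> list[str]:
    """Flag HTML that carries script, especially the eval/unescape idiom."""
    text = data.decode("latin-1")
    findings = []
    if re.search(r"<script\b", text, re.I):
        findings.append("HTML contains <script>")
        if re.search(r"\b(eval|unescape|String\.fromCharCode)\s*\(", text):
            findings.append("script uses eval/unescape/fromCharCode (obfuscation idiom)")
        if len(re.findall(r"%[0-9a-fA-F]{2}", text)) >= 8:
            findings.append("long run of %xx escapes in script")
    return findings


def inspect_rtf(data: bytes) -> list[str]:
    """Flag RTF control words that embed an OLE object (a packaged file)."""
    text = data.decode("latin-1")
    if re.search(r"\\objemb\b|\\objdata\b", text):
        return ["RTF embeds an OLE object (\\objemb / \\objdata)"]
    return []


def inspect_filename(name: str) -> list[str]:
    """Flag executable and double extensions such as 'resume.doc.exe'."""
    parts = name.lower().split(".")
    findings = []
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{parts[-1]}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension .{parts[-2]}.{parts[-1]} hides the real type")
    return findings


def inspect_zip(data: bytes) -> list[str]:
    """Look inside the archive: member names and the first bytes of each member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings += [f"{info.filename}: {f}" for f in inspect_filename(info.filename)]
            with zf.open(info) as member:
                if member.read(2) == b"MZ":  # DOS/PE executable signature
                    findings.append(f"{info.filename}: content is a Windows PE executable")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Return {attachment filename: findings} for every attachment in the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.lower().rsplit(".", 1)[-1]
        findings = inspect_filename(name)
        # Dispatch on content, not just the declared name.
        if ext in {"htm", "html"} or data.lstrip()[:1] == b"<":
            findings += inspect_html(data)
        elif data.startswith(b"{\\rtf"):
            findings += inspect_rtf(data)
        elif data.startswith(b"PK\x03\x04"):
            findings += inspect_zip(data)
        elif data.startswith(b"MZ"):
            findings.append("content is a Windows PE executable")
        report[name] = findings
    return report


def build_sample_message() -> bytes:
    """Constructed sample: one message carrying all three attachment types."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.net"
    msg["To"] = "hr@example.com"
    msg["Subject"] = "Resume"
    msg.set_content("Please see my attached resume.")
    # Harmless stand-in for obfuscated script: the escapes decode to 'var x=1;x;'.
    msg.add_attachment(
        "<html><script>eval(unescape('%76%61%72%20%78%3d%31%3b%78%3b'));</script></html>",
        subtype="html", filename="resume.html")
    rtf = b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata 01050000020000000d000000}}}"
    msg.add_attachment(rtf, maintype="application", subtype="rtf", filename="resume.rtf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_John_Doe.doc.exe", b"MZ" + b"\x00" * 62)  # fake header only
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Resume_John_Doe.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()).items():
        print(name, "->", findings or ["no findings"])
```

The ZIP branch is the one that matters for this campaign: the archive name itself looks innocent, so the check has to open it, read each member’s first bytes, and compare the member’s real type with the extension the name advertises.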

Barracuda Spam & Virus Firewall customers are protected from this attack.


Watch Out for Fake Adobe Flash Updates

July 7, 2010

by Barracuda Labs

Barracuda Labs has found compromised sites in the wild which present unwary visitors with an official-looking Adobe Flash update page. Even though this page looks convincing, downloading this ‘update’ only provides the user with a nasty piece of malware that McAfee currently classifies as Downloader-CEW.f.

We recommend getting Adobe Flash updates directly from the source – http://get.adobe.com/flashplayer.

How it happens

Performing a quick search for a breaking news topic, such as LeBron James opening his own Twitter account, starts the process. Searching for “LeBron James Twitter” places the highlighted (malicious) result at rank 62.

Google Results for trend topic "LeBron James Twitter"

Clicking on the highlighted result sends the user directly to the fake upgrade page. Note that the actual domain is registered in the Cocos Islands. Also note that the dialog offers Adobe Flash Player 11, while (at this writing) the current version of Flash is 10.1.

Fake Adobe Flash Update Dialog

Another sign that this dialog box is bad news is that none of the buttons close the dialog. Clicking either “Cancel” or “Details” produces a prompt imploring the user to click “Ok” (which is not one of the button names). Only “Continue” offers the user a path forward, to a Windows Security Warning dialog.

If the user does run the file, it will download a background clicker that uses the Internet connection to generate fake Internet traffic.  While this activity goes on unseen, additional scamware and spyware programs are downloaded, as seen below.

PC infected with malware

The unsuspecting user can be compromised in no time, which is why it is recommended to get Adobe Flash updates directly from the source.

Barracuda Web Filter and Barracuda Purewire Web Security Service customers are protected from these attacks.


New Spam Poses as Spam Fighting Email

June 30, 2010

by Barracuda Labs

This week a new sort of spam started showing up in the Barracuda Labs Spam Honeypots – fake sender verification emails such as the one below:

Sender Verification emails ask users to verify that they sent a particular email to someone, usually by responding with another email, or as in this case, by clicking on an embedded link.

Under normal circumstances, these emails come from an email server that has been enhanced with sender verification software as a spam-fighting measure. While this software is not as common as it once was, these systems are still used by some businesses and ISPs.

However, the example above merely pretends to be one of these verification emails and is not from an email server at all.  Instead, it is cleverly constructed spam whose included link can take the recipient to suspicious Websites, or even offer up executable malware.

This spam appears plausible and easily can trick the unwary email user.

Close examination does reveal several tell-tale signs that this email is suspicious. For starters, the name of the person supposedly emailed is missing. Second, the domain that the email purports to come from is the same domain as that of the user, which makes no sense, since the user should not need to verify himself to his own mail server.

Indeed, one aspect of this campaign is that each spam is carefully tailored to reference the email domain of the recipient, most likely because that domain is one the recipient knows and trusts.

The message is sent only in HTML format, and the link has varied over time. In some cases, it redirects to Canadian Pharmacy Viagra sites.  In others, the link presents the user with a Windows .EXE to run, which is a variant of the rapidly spreading TDSS rootkit.

While it is easy enough to hover over the link and see that it does not go back to the organization shown as having sent the email, many users will not question the name of the domain in the verification link.

Barracuda Spam & Virus Firewalls block these emails.  We suggest users take note and warn other email users of this new social engineering tactic.  These emails do not fight spam; they ARE spam.
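
Two of the tells described above are mechanical enough to check automatically: a “verification” request whose From domain is the recipient’s own domain, and a verification link whose host is not under the claimed sender’s domain (plus the HTML-only format the post notes). The following is an added example written for this page, not Barracuda’s code; both sample messages are constructed, and the keyword list used to recognise a verification-style message is an assumption.

```python
"""Checks for the fake 'sender verification' spam pattern: claims to come from
the recipient's own domain, HTML-only, and a link that leaves the claimed
sender's domain. Example code for this page, not Barracuda's; samples constructed."""
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words that make a message read as a verification challenge (assumed list).
VERIFICATION_WORDS = ("verify", "verification", "confirm")


class LinkCollector(HTMLParser):
    """Collects href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def check_verification_mail(raw: bytes) -> list[str]:
    """Return findings for a verification-style message; [] if nothing matched."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    to_domain = domain_of(msg["To"])

    html_part = msg.get_body(preferencelist=("html",))
    text_part = msg.get_body(preferencelist=("plain",))
    collector = LinkCollector()
    if html_part is not None:
        collector.feed(html_part.get_content())
    visible = (msg["Subject"] or "") + " " + "".join(collector.text)
    if not any(word in visible.lower() for word in VERIFICATION_WORDS):
        return []  # not a verification-style message; these checks do not apply

    findings = []
    if from_domain and from_domain == to_domain:
        findings.append(f"verification request claims to come from the recipient's own domain {from_domain}")
    if html_part is not None and text_part is None:
        findings.append("message is HTML-only")
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if not host_belongs_to(host, from_domain):
            findings.append(f"verification link goes to {host or href!r}, not to {from_domain}")
    return findings


# Constructed sample shaped like the spam: From and To share a domain, the body
# is HTML-only, and the link points off-domain.
FAKE_VERIFICATION = b"""\
From: Mail Delivery System <postmaster@example.com>
To: alice@example.com
Subject: Sender verification required
Content-Type: text/html; charset="us-ascii"

<html><body><p>You sent a message to a protected mailbox. Please
<a href="http://mail-verify.example.net/confirm?id=1">click here</a> to verify
that you sent it.</p></body></html>
"""

# Constructed sample shaped like a genuine challenge from the other party's server.
REAL_VERIFICATION = b"""\
From: Sender Verification <verify@mail.example.org>
To: alice@example.com
Subject: Please confirm your message to bob@example.org
Content-Type: text/plain; charset="us-ascii"

Confirm by visiting http://verify.example.org/c/42
"""

if __name__ == "__main__":
    print("fake:", check_verification_mail(FAKE_VERIFICATION))
    print("real:", check_verification_mail(REAL_VERIFICATION))
```

The link comparison is deliberately strict about subdomains: `mail.example.com` belongs to `example.com`, but `example.com.evil.test` does not, which is the difference a quick hover over the link often fails to convey.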


Eminem still isn’t dead

June 24, 2010

by Barracuda Labs

Eminem still isn’t dead… at least not as of June 2010. Barracuda Labs honeypots have received thousands of copies of a new spam that is trying to take advantage of a venerable hoax that rap artist Eminem has died in a car crash, this time supposedly according to CBS News.

Eminem Dead hoax email

The entire poorly written story is contained in an image that links to a file, outlined in red above. Victims are led to believe they are clicking on a CBS story, but the link actually downloads EminemDead.exe. Running this file installs a backdoor on the victim’s computer which, according to VirusTotal results, has very low detection rates.

This once again underscores the importance of never running anything distributed in an email unless the source is known.

Barracuda Spam & Virus Firewalls intercept these emails, and Barracuda Web Filters block the payload.
