Archive for August, 2010

3 resumes you don’t want to open

Friday, August 27th, 2010

If you’re in any kind of business there’s a good chance you have to deal with resumes on a daily basis, especially if you’re a manager or Human Resources professional.  While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have been increasingly presenting malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn’t.

The Barracuda Labs spam monitoring center has detected a recent increase in the amount of this fake resume spam from multiple sources.  While the messages are similar, the threats they carry are all different.  Here are three cautionary examples…





HTML attachment

One common feature of these fake resumes is that the spammer keeps the message short and sweet, hoping you’ll open the attachment to see if this is that one resume you’ve been waiting for.

Of course, in this case better grammar would help make the sale. This particular message contains an HTML attachment, something our honeypots have seen a great deal of in the past week. HTML attachments are less likely to be filtered by email scanning software that might otherwise reject binary attachments by default, and even end users who are conditioned not to open and run programs might look at an HTML file and think that it is harmless.

Except that this HTML is anything but harmless.

The attachment is 100% obfuscated malicious JavaScript. Opening it in a browser (which is the default action when clicked) raises an alert and sends you off to a bogus antivirus site.

Don’t open suspicious HTML attachments.   Email the sender and ask for the information in a different format, such as a Word document or text file.



RTF attachment

Since the Rich Text Format (RTF) is handled by Windows WordPad and Microsoft Word, you wouldn’t necessarily be surprised to get an email with a resume in that format.

However, it is possible to completely embed an executable program within an RTF document, and that’s what we have here.

When first opened, the filename of this embedded object only partly displays. Still, clicking on it does display a security warning that should make you think twice. After all, a resume doesn’t normally need to be “Run”.

If you do click run, nothing seems to happen.   However, if you’re watching your internet traffic you’ll see the telltale signs of a Zeus Trojan infection.

A Zeus trojan will quietly examine your internet traffic looking for usernames and passwords, and then send them back to criminals who use them to take over online accounts.  Many cases of online banking fraud involve passwords stolen by this malware family.





ZIP attachment

The last example has the most convincing message text, and the file name of the attachment includes a person’s name, making it look less threatening.

But once you’ve opened the .zip attachment the alarm bells should be ringing.

A careful check of the properties of the file inside shows it is an executable, and clicking on it would run it.  As we said above, resumes do not normally need to be “Run”.   Doing so just installs a fake antimalware named SecurityTool onto your computer.





If you or your colleagues handle resumes, be careful of unsolicited or unanticipated resume emails.  Examine any resume attachments carefully before opening them, and as we repeatedly stress, never press the “Run” button unless you are certain that is appropriate – it rarely is.
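The checks the three examples call for can be automated before an attachment reaches a reader. The following triage sketch is an added example, not Barracuda Labs code; the function name, the extension list, the 0.8 script-ratio threshold and the sample bytes are assumptions constructed for illustration.

```python
import io
import re
import zipfile

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def triage_attachment(name: str, data: bytes) -> list[str]:
    """Heuristic findings for the three lure types described above."""
    findings = []
    if data[:4] == b"PK\x03\x04":  # ZIP: look at what is inside, not its name
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                head = zf.open(info).read(2)  # "MZ" marks a Windows executable
                if head == b"MZ" or info.filename.lower().endswith(EXEC_EXT):
                    findings.append(f"zip member is executable: {info.filename}")
    elif data[:5] == b"{\\rtf":  # RTF: \objdata holds an embedded object as hex
        for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
            hexed = re.sub(rb"\s", b"", m.group(1))
            blob = bytes.fromhex(hexed[: len(hexed) // 2 * 2].decode())
            # "MZ" anywhere in the blob is a loose signal, not proof
            kind = "with MZ header" if b"MZ" in blob else "of unknown type"
            findings.append(f"rtf embeds an object {kind}")
    elif name.lower().endswith((".htm", ".html")):
        scripts = re.findall(rb"<script\b.*?</script>", data, re.I | re.S)
        ratio = sum(map(len, scripts)) / max(len(data), 1)
        if ratio > 0.8:  # threshold is an assumption; a resume is mostly text
            findings.append(f"html is {ratio:.0%} script")
        if re.search(rb"\b(eval|unescape)\s*\(", data):
            findings.append("html calls eval/unescape")
    return findings

def _zip_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jane_Doe_Resume.exe", b"MZ\x90\x00 constructed stub")
    return buf.getvalue()

# Constructed sample attachments (harmless bytes, not taken from the campaigns)
SAMPLES = {
    "resume.html": b"<script>eval(unescape('%61%6c%65%72%74'))</script>",
    "resume.rtf": b"{\\rtf1 Resume {\\object\\objemb{\\*\\objdata 4d5a9000}}}",
    "resume.zip": _zip_sample(),
    "resume.txt": b"Plain text resume",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage_attachment(name, data) or "no findings")
```

An empty result means only that none of these three patterns matched, not that the file is safe to open.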

Barracuda Spam & Virus Firewall customers are protected from these attacks.



Dave Michmerhuizen – Barracuda Labs


Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.


The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

At first glance and on a quick scan, it could appear to be your legitimate contract (hopefully, of course, users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.


Kanye’s First Week on Twitter: An Infographic Review pt. 2

Thursday, August 12th, 2010

By Barracuda Labs

In his first week on Twitter from July 28 to August 4, Kanye West sent 190 tweets. By the end of that first week, he reached 431,104 followers. We calculated the total amount of time that people spent reading @kanyewest tweets in one week. We estimated that each tweet took 3 seconds to read. We calculated how many people were following him at the time each tweet was sent. In total, 2,551,812 man minutes were spent reading @kanyewest tweets in one week. We then looked at what else could be done with that much time.

If one person had 2,551,812 minutes, here is what he could do:


Kanye’s First Week on Twitter: An Infographic Review

Tuesday, August 10th, 2010

By Barracuda Labs

For the past year, we have released analysis on user behavior and malicious activity on Twitter. Just last week, Barracuda Labs released our 2010 Midyear Security Report that focuses on The Dark Side of Twitter and Search Engine Malware. On the same day, Kanye West joined Twitter. In March we explored the effect of celebrities joining Twitter in what we called the Twitter Red Carpet Era. We showed that during that six-month period, more than half of the top 100 users joined Twitter, causing a spike in overall usage and a subsequent spike in the Twitter Crime Rate (the number of accounts created and later suspended by Twitter because of suspicious or malicious use).

Kanye joined Twitter with a splash. First of all, he visited the Twitter offices that morning, but what’s more interesting is the rate at which he attracted followers. Since we have access to this data and machines constantly analyzing it, we decided to have a little fun. This week, Barracuda Labs will present a series of infographics that illustrate Kanye’s first week on Twitter.

Today, we show the first view. The first question that we wanted to answer was what kind of people are attracted to follow Kanye?  For example, do they follow other musicians or other types of people? We looked into several notable users to examine the overlap between Kanye’s followers and their followers.

BarracudaLabs.com - Kanye West Twitter Followers

Let’s review:

Taylor Swift: Taylor Swift and Kanye shared a moment on stage at last year’s MTV Awards when he interrupted her speech. He has since apologized to her and she accepted. Their followers seem to have followed suit, as a substantial number of people follow both Kanye West and Taylor Swift. In fact, 20% of Kanye’s followers also follow Taylor Swift. By the way, Taylor Swift joined Twitter 20 months ago during the Red Carpet Era and has since attracted 3.8 million followers.

Amber Rose: Amber Rose and Kanye West dated for several years, frequently an item at photoshoots and fashion shows. They recently moved on; however, their followers still appreciate both of them. In Kanye’s first week, more than half of Amber’s followers already follow Kanye. Further, Kanye has seven times more followers than Amber, who joined two months ago.

Power: Kanye’s new song is called “Power” but let’s compare him to the most powerful person on Earth: the President of the United States. Kanye was a vocal supporter of Obama during his campaign. More than 190,000 of Obama’s followers already follow Kanye, showing that over one-third of Kanye’s followers also follow the President.

Perhaps Kanye’s followers are into political leaders of all parties. How about Newt Gingrich? Fewer than 5,000 of Newt Gingrich’s followers have decided to follow Kanye. This means that less than 1% of Kanye’s followers also follow Newt.

Stay tuned for more analysis on Kanye’s first week on Twitter – and on the overall Red Carpet effect. We think you’ll find the next few days very interesting… and possibly worth a Retweet of your own.

Meanwhile, follow us on Twitter at @barracudalabs for ongoing updates!
