Archive for June, 2011

Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers

Tax forum spam

The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first. They come from a generic-looking name and use the recipient’s email ID as the subject.

Tax Forum Spam

The text itself is very well written, as well it should be: it is an almost exact cut and paste of an IRS announcement from 2004. To be precise, IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message. Although the visible text says irs.gov, the link actually points to a set of malicious domains with vaguely official-sounding names. In this case it’s irsgovnews.com (warning: do not visit that domain in your Web browser!).
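A defender-side check for the mismatch described above, added here as an example rather than code from the original post: it parses the anchors out of an HTML email body and flags any link whose visible text names one domain while its href resolves to another. The sample email body is constructed for the demo (irsgovnews.com is the domain the post names; nothing is fetched), and the two-label "registered domain" approximation is an assumption that keeps the example self-contained.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that "claims" a destination: a bare domain or a full URL.
_URL_LIKE = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


def host_of(value):
    """Hostname of a URL, or of bare text such as 'www.irs.gov'; '' when none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname. Assumption: good enough for this demo
    (no public-suffix list is consulted, so 'example.co.uk' would collapse to 'co.uk')."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html):
    """Return [(visible_text, actual_host)] for anchors whose visible text looks like a
    URL or domain but whose href lands on a different registered domain."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not _URL_LIKE.fullmatch(text):
            continue  # plain words like 'Click here' make no claim about a domain
        shown, real = host_of(text), host_of(href)
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append((text, real))
    return findings


# Constructed sample body modelled on the post; only irsgovnews.com comes from the post.
SAMPLE_EMAIL_HTML = """
<p>For the full announcement see
<a href="http://irsgovnews.com/newsroom/">http://www.irs.gov/newsroom/</a>
or visit <a href="https://www.irs.gov/">www.irs.gov</a>.
<a href="http://irsgovnews.com/">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for text, host in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text {text!r} actually goes to {host}")
```

Run against the sample, only the first anchor is reported: its text claims irs.gov but the href host is irsgovnews.com. A mail gateway rule built on this idea should also normalise punycode and look-alike Unicode before comparing, which the demo leaves out.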

The job of these domains is to send JavaScript to your browser to accomplish two things. First, it displays a pop-up message saying that your browser cannot reach the site.

Fake alert

…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the JavaScript directs the browser off to another domain that hosts the Blackhole exploit kit. This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic

Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Facebook suggestions fuel fake profile business

Friday, June 24th, 2011

by Nidhi Shah, Security Researcher

Have you ever encountered people selling designer shoes on Facebook for prices that are too good to be true? Check out these links if you have not (here, here, and here…). The interesting thing about these links is that the profile owner is almost always a hot chick with lots of male friends and regular posts about expensive shoes for sale. The order links mentioned on the shoe photo go to many different domains which ultimately lead to one store, kicksbay.com.

Designer shoe leading to fake profile and fake store

The above three are just an example.  We searched Facebook for similar shoe products and found it smothered with such links.

http://www.facebook.com/photo.php?fbid=126073080809309&set=p.126073080809309&type=1

http://www.facebook.com/photo.php?fbid=126073527475931&set=p.126073527475931&type=1

http://www.facebook.com/photo.php?fbid=126159517467316&set=p.126159517467316&type=1

http://www.facebook.com/photo.php?fbid=126217434128151&set=p.126217434128151&type=1

http://www.facebook.com/photo.php?fbid=126300230786487&set=p.126300230786487&type=1

http://www.facebook.com/photo.php?fbid=126408794109113&set=p.126408794109113&type=1

http://www.facebook.com/photo.php?fbid=126460707436911&set=p.126460707436911&type=1

http://www.facebook.com/photo.php?fbid=126460854103563&set=p.126460854103563&type=1

http://www.facebook.com/photo.php?fbid=126804947401822&set=p.126804947401822&type=1

http://www.facebook.com/photo.php?fbid=126940920719740&set=p.126940920719740&type=1

http://www.facebook.com/photo.php?fbid=127046007377110&set=p.127046007377110&type=1

http://www.facebook.com/photo.php?fbid=127894873957922&set=p.127894873957922&type=1

http://www.facebook.com/photo.php?fbid=128218357259011&set=p.128218357259011&type=1

http://www.facebook.com/photo.php?fbid=128361313909783&set=p.128361313909783&type=1

http://www.facebook.com/photo.php?fbid=129208183824889&set=p.129208183824889&type=1

http://www.facebook.com/photo.php?fbid=129476437132948&set=p.129476437132948&type=1

http://www.facebook.com/photo.php?fbid=129489630463165&set=p.129489630463165&type=1

http://www.facebook.com/photo.php?fbid=129981733747345&set=p.129981733747345&type=1

http://www.facebook.com/photo.php?fbid=130090707069591&set=p.130090707069591&type=1

http://www.facebook.com/photo.php?fbid=130204773726573&set=p.130204773726573&type=1

http://www.facebook.com/photo.php?fbid=131154313629317&set=p.131154313629317&type=1

http://www.facebook.com/photo.php?fbid=133529226726132&set=p.133529226726132&type=1

Most of these profiles are similar enough in execution to raise suspicion. Each one of them points to a site that leads you to either kicksbay.com or a similar site.

How many kicksbay.com copycat sites are out there? Well, here is just a snapshot:

one-sweet-pair.info
only-authentic.info
only-designer-goods.info
only-heels.info
only-jordans.info
only-louisvuitton.info
only-lv-heels.info
only-nike.info
pair-time.info
player-jordans.info
player-nike.info
player-pair.info
postjordan.info
postnike.info
postshoes.info
power-time.info
priceless-heels.info
rare-jordans.info
rarejordans.info
reallygoodjordandeal.info
right-jordans.info
right-kicks.info
right-nike.info
rightnike.info
runjordan.info
runnike.info
save-heels.info
sell-jordans.info
sell-nike.info
share-jordans.info
share-nike.info
share-pairs.info
share-sole.info
star-effect.info
star-feel.info
star-hoops.info
star-pairs.info
star-skills.info
thejordan.info
wholesale-jordans.info
wholesale-nike.info
wholesale-pairs.info

Clearly these profiles are fake and the shoes they are selling are fake, and real people are getting scammed by it.

So why is this scam so widespread and successful? How are fake profiles able to acquire thousands of real people as friends to whom they can market these shoes?

This is where Facebook’s “people you may know” suggestion comes into play. We all know that Facebook will suggest a list of people who went to the same school, worked for the same employer, lived in the same area or are friends of friends. What about people with whom you do not have any such common ground?

As a test, on one of my profiles I had information about a school that I went to. So far all the suggestions were for profiles from the same school and the same class. However, on one of the fake profiles I encountered an ad for the “Miss Internet” Facebook app. As soon as I added that app to my account, all of my friend suggestions were for profiles similar to the fake profiles we encountered in the shoe scam: girls with suggestive photos and wall postings. None of them had anything in common with my profile except that they might be related to the “Miss Internet” app in some way (as a user or liker).

Why is Facebook suggesting that? My hypothesis is that everything in the Facebook world is identified as an object with an ID. That means you, the area you live in, the employer you work for and the school you went to are objects, and so are the apps you use, the photos you upload and the websites you like. If two people have any common object ID, they can be friends!

Huge amounts of Federal Reserve spam delivering Zeus password stealer

Tuesday, June 21st, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam

Much like last week’s Chase Paymentech spam campaign, these notices are of particular interest to financial professionals. Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning

While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Fake Chase Bank invite delivers password stealer

Friday, June 17th, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Chase Paymentech logo

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done. The only suspicious element is that the From: address is not Chase Bank, an unusual failure given how easy it is to fake the From: field in an email.

Chase Paymentech spam

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Word document

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Trojan.Zeus network traffic

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Spammers dangle Windows 8 as bait

Friday, June 10th, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Version 8 of Microsoft Windows is under active development and is tentatively scheduled to be released sometime in 2012.   Screen shots have already leaked to the internet, and some opportunistic spammers are already using the promise of a Windows 8 download to lure unsuspecting users into swallowing a malware payload.


The spam itself is short and simple.  Spammers often make tell-tale spelling and grammar goofs, so keeping the text short is a good way to reduce mistakes.

Windows 8 Spam

Even though it’s only two sentences, they’ve still managed to introduce a stray question mark in the name. If that doesn’t make you suspicious, a quick check of the link destination should.

Revealing the details of the spam link

The double extension of .gif.exe is used to make the file appear to be a .gif file on Windows systems that are not configured to display program extensions.
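The double-extension trick above, and the .pdf.exe variant in the Federal Reserve post, come down to one filename check a mail filter can make before a user ever sees the file. The following is an added example, not code from the original posts: it shows what Windows displays when extensions are hidden, and flags names that pair a document or image extension with an executable one. The extension sets and all sample names except 8final.gif.exe are constructed for the demo.

```python
# Constructed subsets for this demo: extensions Windows runs as programs, and
# extensions a recipient expects to open harmlessly (documents, images).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "gif", "jpg", "jpeg", "png", "txt"}


def basename_of(url_or_path):
    """Last path component of a URL or file path, without any query string."""
    return url_or_path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def as_shown_with_extensions_hidden(name):
    """What Explorer displays when 'Hide extensions for known file types' is on:
    the final extension is dropped, so '8final.gif.exe' appears as '8final.gif'."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def classify_attachment_name(name):
    """Return a reason string when a name pairs a decoy extension with an executable
    one, otherwise None. Padding spaces before the real extension
    ('invoice.doc    .exe') are stripped so they cannot hide the pairing."""
    parts = [p.strip().lower() for p in basename_of(name).split(".")]
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTENSIONS and decoy in DECOY_EXTENSIONS:
        return f"{real} executable disguised as {decoy}"
    return None


def scan_names(names):
    """Return [(name, reason)] for every flagged name, preserving input order."""
    flagged = []
    for name in names:
        reason = classify_attachment_name(name)
        if reason:
            flagged.append((name, reason))
    return flagged


# Constructed sample set: 8final.gif.exe is the name from the post, the rest are invented.
SAMPLE_NAMES = [
    "Federal_Reserve_Wire_Notice.pdf.exe",
    "http://example.invalid/downloads/8final.gif.exe",
    "quarterly_report.pdf",
    "photo.jpg",
    "invoice.doc    .exe",
]

if __name__ == "__main__":
    for name, reason in scan_names(SAMPLE_NAMES):
        shown = as_shown_with_extensions_hidden(basename_of(name))
        print(f"{name}: {reason} (a user with hidden extensions sees {shown!r})")
```

Three of the five sample names are flagged; archive names such as `backup.tar.gz` are not, because the final extension is not executable. The check is deliberately about the name only: a filter should still inspect the file's actual header, since a name with a single .exe extension is just as executable.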

Even if the type of file is partly obscured by the filename there shouldn’t be any confusion once you click on the link.  Windows asks you if you are sure you want to run this software.

Are you sure you want to do this?

Of course, you don’t typically run a program in order to “get more details” about some topic.   At this point what you want to do is to press “Don’t Run” and back away.

But let’s suppose your defenses were down and your overwhelming curiosity about Windows 8 had you pushing that “Run” button. Here’s what happens:

Running 8final.gif.exe

The program opens up a spiffy Windows graphic.   That’s it.  Those are your details.

Except not quite.  The program is a variant of Trojan.Zapchast.   After it opens the graphic it gets to work installing an Internet Relay Chat client – mIRC, along with special scripts that turn the client into a backdoor.

This Zapchast isn’t all that sneaky, though. If you look at the screen shot above you’ll see a blank spot in the notification bar, just to the left of the speaker icon. Hovering over it reveals an “mIRC Daemon Tools” tooltip. You can actually open it and watch the bot-herder at work.

A glimpse of the backdoor in action

This IRC controlled backdoor is set to start whenever the computer is started.   It monitors the channel (in this case, #drones) for messages that it interprets as commands and then carries them out.   Once infected, the host computer can be directed to download and run other malware, search for personal information, send spam – in short, your computer belongs to the bot-herder.
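Because the backdoor speaks plain IRC, its channel traffic is easy to spot on the wire once the protocol lines are parsed. The following is an added example, not code from the original post or from the malware: a small RFC 1459 line parser plus a scan that reports when a workstation joins a watched channel (the post names #drones) or exchanges messages in it. The sample capture is constructed, including the nick, the controller hostname and the message text; only the channel name comes from the post.

```python
from dataclasses import dataclass, field


@dataclass
class IrcMessage:
    prefix: str            # sender, e.g. 'nick!user@host', or '' for client-originated lines
    command: str           # JOIN, PRIVMSG, PING, ...
    params: list = field(default_factory=list)


def parse_irc_line(line):
    """Parse one ':prefix COMMAND p1 p2 :trailing' line into an IrcMessage.
    Returns None for blank lines."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def find_backdoor_indicators(lines, watch_channels):
    """Scan captured IRC text from a workstation and return (line_no, reason) for
    JOINs to a watched channel and for any message delivered into one."""
    watched = {c.lower() for c in watch_channels}
    hits = []
    for no, raw in enumerate(lines, start=1):
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        if msg.command == "JOIN" and msg.params:
            for chan in msg.params[0].split(","):      # JOIN may list several channels
                if chan.lower() in watched:
                    hits.append((no, f"client joined watched channel {chan}"))
        elif (msg.command == "PRIVMSG" and len(msg.params) >= 2
              and msg.params[0].lower() in watched):
            sender = msg.prefix.split("!", 1)[0] or "client"
            hits.append((no, f"message in {msg.params[0]} from {sender}: {msg.params[1]!r}"))
    return hits


# Constructed sample capture (not real traffic); only the channel name is from the post.
SAMPLE_CAPTURE = [
    "NICK workstation42",
    "USER user 0 * :user",
    "JOIN #drones",
    ":herder!ops@controller.invalid PRIVMSG #drones :!status",
    "PRIVMSG #drones :online",
    "PING :server.invalid",
]

if __name__ == "__main__":
    for no, reason in find_backdoor_indicators(SAMPLE_CAPTURE, ["#drones"]):
        print(f"line {no}: {reason}")
```

On the sample, lines 3, 4 and 5 are reported and the registration and PING lines are not. In practice the stronger signal is simpler still: a workstation that opens any IRC session at all, to a host it has never talked to, started at boot, is worth a look regardless of channel name.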

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Visualizing Bad Tweets

Saturday, June 4th, 2011

by Daniel Peck, Research Scientist

This afternoon I spent a bit of time putting together slides for my presentation at AppSec Europe next week on measuring and monitoring malicious (and we’ll throw spam in that bucket too) activity on social networks, primarily Twitter and Facebook. I wanted a quick way to show the common threads that go into “bad” tweets, and word cloud came to the rescue.  Visualized below are the major threads we’ve seen through mining the Twitter data over the last month.  This is everything that was categorized as either adult, porn, spam/fraud, or malware distribution.  No surprise that phrases related to the assassination of Osama Bin Laden dominate the dataset.

It’s a little messier than it should be as I have only removed the common English words from this dataset, so the more common Spanish words show up.  On the to-do list. For now, I thought you would enjoy.

Google (does not) Announce Google Pharmacy

Thursday, June 2nd, 2011

by Dave Michmerhuizen and Luis Chapetti – Security Researchers

The spam honeypots at Barracuda Labs have detected new spam that takes social engineering – and chutzpah – to new heights.

Google Pharmacy Email

While Google announces new products and services regularly, the skeptical email recipient will determine that this announcement fails to make the grade.

We do give the spammers an A for their eye-catching addition of Viagra and Cialis to the Google logo.

However, we mark them down with a D for their fractured English (“pharmaceutical interfaces”) and a resounding F both for their choice of a domain in Russia and for landing on a run-of-the-mill rogue Canadian Pharmacy website, as shown here:

Canadian Pharmacy website

Spammers have long traded on the cachet of the Google name when sending out lottery spam, but presenting Google as a purveyor of Viagra is a whole new level of impersonation.  It has to be especially galling to Google because the company has recently been accused of knowingly accepting advertisements from rogue online pharmacies.  For their part, Google recently went to court to sue some of those same advertisers.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.