Archive for February, 2012

Steve Jobs’ birthday doesn’t go unnoticed by spammers

Friday, February 24th, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Steve Jobs Will spam


Happy Birthday, Steve!

As expected, Steve Jobs’ birthday did not go unnoticed by spammers. Nigerian 419 spammers are using his name to troll for victims with this email.

Steve Jobs themed 419 spam

(click for larger image)


While this may not seem like an appropriate way to celebrate, it is fairly rare for a Western personality to feature in classic 419 spam. Celebrity references are far more common in social network scams. Recently, only Ben Bernanke and Osama Bin Laden have been invoked by spammers hoping to stand out from the usual cast of dead princes and oil executives.

Of course there is no inheritance; there is no money at all. 419 spam (named after Section 419 of the Nigerian Criminal Code, the article covering fraud) promises a large sum of money but then asks for a series of smaller ‘fees’ before that money can be delivered. The fees are the whole point: the victim keeps paying as long as the promised payout stays just out of reach.

The Barracuda Networks spam traps have detected thousands of these messages relayed from a mail server in Chile and we are actively blocking them.


Keylogger poses as Facebook and Microsoft, steals login credentials

Thursday, February 16th, 2012


by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Most computer users have a haunting fear that somehow malware will find a way to sneak onto their PCs when they are not looking. The truth is that while this does sometimes happen, the most common types of malware rely on trickery to invade and infect your computer.

An excellent example of this fell into our spam traps recently: a spam that pretended to be from Facebook (an easy thing to fake, actually), hiding its payload behind an official-looking graphic from Microsoft.

Facebook Silverlight spam

In this case the image is an HTML link that supposedly offers Microsoft Silverlight. Examine the destination of that link and you’ll see that the real payload is a .PIF file served from an IP address in Malaysia. PIF (Program Information File) is one of the extensions Windows treats as executable, so an .exe renamed to .PIF runs when it is opened; the executable actually sent here is Trojan.Win32.Jorik. It can’t sneak onto your computer and install itself, though; it needs your help to do that.
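The tell in this message is the mismatch between what the victim sees (a Microsoft/Silverlight graphic) and where the link actually goes (a bare IP address serving a Windows executable). The following mail-body check, an added example rather than Barracuda’s own filtering code, pulls every link out of an HTML body and reports those three signals. The sample message, the 203.0.113.45 address and the file name are constructed placeholders, not the real campaign’s indicators.

```python
"""Flag email links whose visible lure (a Microsoft/Silverlight graphic)
points at a bare-IP host serving a Windows executable such as a .PIF."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will execute once the user presses "Run" on the
# download prompt.  PIF is the one used by the spam described above.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi"}

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collects (href, lure) pairs, where lure is the link text or the
    alt/src of an image inside the anchor, i.e. what the victim sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, lure text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._current = [attrs["href"], ""]
        elif tag == "img" and self._current is not None:
            self._current[1] += attrs.get("alt") or attrs.get("src") or ""

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, lure = self._current
            self.links.append((href, " ".join(lure.split())))
            self._current = None


def analyze_link(href, lure):
    """Return the reasons this link looks like a disguised executable download."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        reasons.append("executable download: " + path.rsplit("/", 1)[-1])
    if IPV4_HOST.match(host):
        reasons.append("bare IP host: " + host)
    # Brand named in the lure but absent from the host the link goes to.
    brands = [b for b in ("microsoft", "silverlight", "facebook") if b in lure.lower()]
    if brands and not any(b in host.lower() for b in brands):
        reasons.append("lure names %s but host is %s" % ("/".join(brands), host or "?"))
    return reasons


def suspicious_links(html):
    """Parse an HTML mail body; return [(href, lure, reasons)] for links worth blocking."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, lure in parser.links:
        reasons = analyze_link(href, lure)
        if reasons:
            findings.append((href, lure, reasons))
    return findings


# Constructed sample body modelled on the spam above.  The address is from the
# 203.0.113.0/24 documentation range; path and file name are placeholders.
SAMPLE_MAIL = """
<html><body>
<p>Your friend tagged you in a video. Install the player to watch it.</p>
<a href="http://203.0.113.45/download/silverlight_setup.pif">
  <img src="silverlight.gif" alt="Microsoft Silverlight - Install Now">
</a>
<p><a href="https://www.facebook.com/help/">Facebook Help Center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, lure, reasons in suspicious_links(SAMPLE_MAIL):
        print(href, "<-", repr(lure))
        for reason in reasons:
            print("   ", reason)
```

Only the Silverlight link is reported; the genuine Facebook help link names a brand that matches its host and downloads nothing executable. A gateway would normally rewrite or strip such links rather than merely report them, but the three signals are the same.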

Clicking on the Silverlight graphic does warn you that you’re about to run a program. This is why the Microsoft graphic is a clever addition to the ruse – you think you should be running a Microsoft program, and it’s doing exactly what you expect.

Warning about running the spam payload

The problem, of course, comes once you’ve pressed ‘Run’ and find out there is no Facebook and no Silverlight; there is only malware. Trojan.Win32.Jorik is actually a keylogger. It begins monitoring your Web browsing, writing every keystroke and Web page title into a disk file.

The keylogger can capture almost anything you do on the Web. This is of particular concern when visiting secure sites whose credentials you definitely want kept private. Note that HTTPS does not help here: it protects the data in transit, but the keylogger records keystrokes on the endpoint before the browser ever encrypts them, so the padlock in the address bar is no defense, as demonstrated below:

Wells Fargo HTTPS login page

Wells Fargo HTTPS login page (click for larger image)

Facebook login page

Facebook login page (click for larger image)

Gmail HTTPS login page

Gmail HTTPS login page (click for larger image)


We entered FakeUsername and FakePassword on all three sites. The results were easily found in the disk file that the keylogger maintains.

Keylogger file contents

Keylogger file contents (click for larger image)

Ultimately this disk file is sent back to a command and control server, hidden behind a no-ip.com dynamic DNS hostname and most likely also in Malaysia.

Network communications to command and control server

Network traffic to Command & Control (click for larger image)
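Dynamic DNS lets the operator move the command and control server between addresses while the hostname stays fixed, so the hostname itself is the durable indicator. The following check, an added example and not Barracuda’s detection logic, scans a constructed outbound connection log for traffic to dynamic-DNS domains and totals the bytes each client sent to them. The log format is an assumption made for the example, the domain list is an illustrative subset (several of these are operated by No-IP), and since the post does not state which protocol the keylogger uses to upload its log, the check is protocol-agnostic.

```python
"""Spot a host sending data to dynamic-DNS destinations, the kind of hostname
a keylogger's command-and-control server hides behind."""
import re
from collections import defaultdict

# Illustrative subset of dynamic-DNS parent domains (several are operated by
# No-IP).  A production list is larger and maintained from threat intelligence.
DYNAMIC_DNS_SUFFIXES = (
    "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org", "zapto.org",
    "ddns.net", "sytes.net", "serveftp.com", "myftp.org", "redirectme.net",
)

# Constructed connection-log format (an assumption for this example, not any
# product's real format): "date time client_ip dest_host dest_port bytes_out".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+) (?P<port>\d+) (?P<bytes_out>\d+)$"
)


def is_dynamic_dns(host):
    """True when host is a dynamic-DNS parent domain or a name registered under one.
    Matching on '.' + suffix avoids false hits such as 'evil-no-ip.org'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_dyndns_connections(lines):
    """Return {client_ip: [(ts, host, port, bytes_out), ...]} for every outbound
    connection to a dynamic-DNS host.  Malformed lines are skipped, not fatal."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue
        if is_dynamic_dns(m["host"]):
            hits[m["client"]].append(
                (m["ts"], m["host"], int(m["port"]), int(m["bytes_out"]))
            )
    return dict(hits)


def summarize(hits):
    """Per client: (total bytes sent to dynamic-DNS hosts, sorted distinct hosts).
    A large total from a workstation is the exfiltration signal to chase first."""
    return {
        client: (sum(b for _, _, _, b in rows), sorted({h for _, h, _, _ in rows}))
        for client, rows in hits.items()
    }


# Constructed sample log: one workstation repeatedly uploading to a no-ip.org
# name, one making a small connection to a hopto.org name, plus normal traffic
# and a malformed line.
SAMPLE_LOG = """\
2012-02-16 09:14:02 10.1.2.33 www.wellsfargo.com 443 1843
2012-02-16 09:14:40 10.1.2.33 mail.google.com 443 2210
2012-02-16 09:15:07 10.1.2.33 victimlogs.no-ip.org 80 48212
2012-02-16 09:20:07 10.1.2.33 victimlogs.no-ip.org 80 51004
2012-02-16 09:21:11 10.1.2.57 www.facebook.com 443 980
2012-02-16 09:22:00 10.1.2.57 update.hopto.org 8080 120
not a log line
"""

if __name__ == "__main__":
    hits = find_dyndns_connections(SAMPLE_LOG.splitlines())
    for client, (total, hosts) in summarize(hits).items():
        print("%s sent %d bytes to %s" % (client, total, ", ".join(hosts)))
```

Dynamic DNS has plenty of legitimate users, so a hit is a lead for triage rather than a verdict; the repeated, sizeable uploads from 10.1.2.33 are what distinguish a keylogger phoning home from someone reaching their home server.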


The bottom line, as we always say at Barracuda Labs, is to maintain a healthy skepticism about anything that appears in email. The easiest way into your computer is to persuade you to push that ‘Run’ button, and spammers and malware distributors are constantly looking for ways to convince you to do just that. Be vigilant; don’t be a victim.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.


Attackers Use Fake Friends to Blend into Facebook

Thursday, February 2nd, 2012

FOR IMMEDIATE RELEASE

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles

View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for its IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of “spreading spam through misleading and deceptive tactics”. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to peddle their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.

“Also, researchers have shown how friending malicious accounts can lead to account takeover using Facebook’s trusted friend account recovery,” Judge continued. “We have analyzed thousands of fake accounts to determine features and patterns that distinguish them from real users, and created a feature-based heuristic engine to distinguish real users from fake profiles.”

The study analyzes data collected from Barracuda Profile Protector, a free tool that analyzes and blocks malicious activity on Facebook and Twitter, along with public data collected from streams and network crawling to demonstrate how users typically operate. The study illustrates how attacks on Facebook are structured to exploit the “friendship” concept and trust of widely-used applications. A variety of machine learning techniques are used to analyze shared URLs, profile images, profile information, and connections with other users to reveal associations, weak and strong, between malicious users.

Resources:
•    Download the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.
•    View the Barracuda Labs security research portal at http://barracudalabs.com.
•    Install Profile Protector at http://ProfileProtector.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs

About Barracuda Labs
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs’ threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit www.barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

###
