Archive for the ‘Internet Security Tips’ Category

Attackers Use Fake Friends to Blend into Facebook

Thursday, February 2nd, 2012

FOR IMMEDIATE RELEASE

Attackers Use Fake Friends to Blend into Facebook

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles

View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of “spreading spam through misleading and deceptive tactics”. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to carry out their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.

“Also, researchers have shown how friending malicious accounts can lead to account takeover using Facebook’s trusted friend account recovery,” Judge continued. “We have analyzed thousands of fake accounts to determine features and patterns that distinguish them from real users, and created a feature-based heuristic engine to distinguish real users from fake profiles.”

The study analyzes data collected from Barracuda Profile Protector, a free tool that analyzes and blocks malicious activity on Facebook and Twitter, along with public data collected from streams and network crawling to demonstrate how users typically operate. The study illustrates how attacks on Facebook are structured to exploit the “friendship” concept and trust of widely-used applications. A variety of machine learning techniques are used to analyze shared URLs, profile images, profile information, and connections with other users to reveal associations, weak and strong, between malicious users.

Resources:
•    Download the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.
•    View the Barracuda Labs security research portal at http://barracudalabs.com.
•    Install Profile Protector at http://ProfileProtector.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs

About Barracuda Labs
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs’ threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit www.barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

###


The more connected the more vulnerable

Tuesday, December 13th, 2011

by Daniel Peck, Research Scientist

The Facebook data team released some interesting data a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems like more than 90% of people on the network are separated by only four degrees, meaning that any person A has a friend that knows a friend of person B.

Interesting in and of itself this shows how social networking is used to connect to people with whom you have very little in common, perhaps enjoying similar music, enjoying the same food, or like the same apps/games on Facebook.  Something like mini ad-hoc Farmville Fan Clubs.  And that is neat, the more connected we are to one another then maybe the more we’ll understand each other.

That said, this amount of connectedness has a price in the realm of trust, especially with regards to anomaly detection and behavioral classification. The network doesn’t distinguish the levels of trust/friendship that we have in the real world.  This is likely a necessary level of abstraction, and we don’t have a leaderboard of friends’ trust levels, but you have an internal model that allows you to weigh “truths” differently based on whether they came from a long-time friend versus someone you met because you attended a one-day class together. Software can’t know these levels, at least not without an unreasonable level of training from the user, so for the purposes of behavioral classification it has to use more derived variables, like connectedness, on the social graph.  As this collapses, these variables become less valuable, and may introduce false levels of trust within your real circle of friends.  We’ve seen this become increasingly popular with spammers working through fake accounts.  Usually the steps go something like this:

  1. An account is created with a profile listing that they went to “Generic State U”
  2. A few friend requests are sent to others within the “Generic State U” ad-hoc group and with a relatively high level of certainty a few will accept.
  3. The spammer then has a foothold into that person’s network, and each “friend” request they send out has more legitimacy
  4. Your real friends are wishing these fake accounts “happy birthday” and commenting on their latest picture uploads, and occasionally having malware spreading links dropped into their feed.

This level of trust via degree connectedness leads to a sort of herd vulnerability. Each malicious account that gains a foothold on the network means all users of the network are much more vulnerable. The extra few seconds that you take to verify a friend connection, even if you aren’t worried about privacy issues or spam yourself, helps protect less savvy users and keeps some of the easiest computations for behavioral analysis effective and the network as a whole a bit less dangerous for the weaker members.


Seven Annoying Attacks That Facebook Misses

Wednesday, November 16th, 2011

This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results that showed that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and statistics. We applaud the efforts; however, more is needed. When you are trying to grow a social network as well as increase advertising revenue, security becomes not only a lower priority but sometimes a conflict of interest.

Facebook claims that only 0.5% of users experience spam on any given day. That is still 4 million people out of the 400 million users that log in on any given day. We suspect that measurement only counts spam that Facebook catches, which is clearly not 100% of the spam. While working on Profile Protector and other web security intelligence, we regularly come across examples of spam and attacks that repeatedly use similar approaches that are detectable. We compiled this list of seven annoying attacks that Facebook misses.

1) Fake Product Pages:

Knock-off luxury goods have always been popular scams.  You might think you are buying your mother a nice new purse for a great price.  If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best.  Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints.  Once they finally are shut down there are already 8 duplicate pages running the same scam. Clearly there are some brands that just are not using hundreds of photo albums on Facebook as their advertising platform, for example Christian Louboutin, Louis Vuitton, Air Jordan and Beats By Dre.

2) Manipulated Accounts Recommendations:

On social networks, those with less honorable motives have figured out how to game the recommendation system and use it to their advantage. This is very similar to how attackers have used search engine optimization to promote their malware. Friends are recommended in a variety of ways, but an easily exploited example is through shared apps.  Spammer accounts sign up for the same popular apps that real users do, and before too long they are showing up in your list of recommended friends, which snowballs nicely into giving them a foothold into the recommended list for each of your friends.

3) Affiliate Spam:

Affiliate spam is a bigger and bigger part of the typical user’s incoming stream. Usually relying on the images of established and trusted brands, these scams tend to be very successful and take little work for those who run them.  The hook is usually a free gift card or in some cases something as extravagant as a new iPad. They encourage or require the user to share it out to all their friends and say something like “I love Olive Garden” before being redirected to a never-ending series of offers in the form of premium text messaging, video rental and recurring subscriptions of all kinds that the user is required to sign up for to get the supposed “free” gift card.  A run featuring a Starbucks gift card was successful enough that Starbucks corporate had to comment letting users know it was not legitimate.

4) Photo Tagging For Spam:

The Facebook infographic referenced above mentions “Photo DNA”, but it is likely that this is little more than a database of hashes related to explicit and exploitative images.  Photo tagging for spamming is one of the most popular methods of spamming through the network, but it doesn’t seem to be getting much attention.  With each image uploaded a spammer can tag as many as 50 other accounts in a photo, and have as many as 200 photos in an album.  With everyone on Facebook having a maximum of 5,000 friends, each photo can reach a quarter million people.  This leads to a fairly nice multiplier for bytes uploaded vs. users reached, especially on a network that people spend as much time on as Facebook.  Some basic image analysis will tell you if there are really 40 people in the picture or if it is just a pair of Hello Kitty heels.

5) Fake Apps

Fake apps, malicious apps, misleading apps, whatever you want to call them, Facebook is overflowing with them.  New examples show up daily, often focusing on giving users features that they wish Facebook would provide.  After all, don’t we all want to know if that old flame still looks us up every few days? Or don’t we all wait for the launch of a ‘dislike’ button?  It is a big network and these are going to exist from time to time anywhere, but it is becoming more like the shareware sites of the late 90s, where most of the programs were of low quality and a relatively high percentage of them posed a risk.  Usually they are in the information gathering and spamming business, but we have found examples that link to malicious binaries.

6) Stolen Pictures

There is not really a set of sextuplets each with the same bikini picture as their personal profile picture. Those are fake accounts. The photo album that has the same two images, one of the front view of a bikini and the other of the back view of a different bikini, repeated 15 times each is not a real user. Certainly there are some images that will be common to multiple people, such as a team logo or a newly released album cover. However, the fake accounts typically use images of a salacious nature.  Sex sells, and these profiles do very well at gathering followers around a fake identity, only to occasionally slip an advertisement into the stream.  Of course there is always the possibility that we’ve stumbled upon a set of identical sextuplets that would be very happy to reconnect…

7) Anomalous Behavior

Finally, Facebook and social networks in general should focus on some form of anomaly detection.  We’ve all seen examples of that friend who you never really talk to, and probably weren’t that interested in “friending” anyway, posting on your wall or messaging your account encouraging you to get a free iPad or a trip on Southwest Airlines, etc.  Similar problems have been appropriately mitigated elsewhere in messaging, but social networks have a long way to go.  In many ways we’re seeing the same problems that the security community has been dealing with for more than a decade. Instead of SMTP and a distributed network, more and more messaging is pushed over HTTP and closed networks that give the receiver little that they can do in the way of securing themselves. Looking for behavior that is an outlier to the normal pattern is a well understood approach in other areas of network and messaging security. If someone that never uses chat is suddenly chatting with dozens of people and forwarding the same link, then there is a high likelihood of suspicious activity.
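As an added example (not Facebook’s or Barracuda’s code), here is the outlier rule just described, an account that never uses chat suddenly sending the same link to dozens of people, implemented in Python over constructed chat records. The account names, messages, URL and thresholds are all made up for illustration.

```python
"""Flag chat accounts whose fan-out spikes far above their own baseline while
pushing one identical link to many people.  Added example, not a real product."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class ChatEvent:
    day: int          # day index within the observation window
    sender: str
    recipient: str
    text: str


# Constructed sample (not real data): chatty_c talks to 15 friends every day,
# quiet_q sends two messages in a month and then blasts one link to 12 people
# on day 30, newsy_n shares a link with only 3 friends on day 30.
SAMPLE_EVENTS: list[ChatEvent] = (
    [ChatEvent(d, "chatty_c", f"friend{i}", f"lunch on day {d}?")
     for d in range(1, 31) for i in range(15)]
    + [ChatEvent(3, "quiet_q", "friend0", "hey, long time no see"),
       ChatEvent(17, "quiet_q", "friend4", "happy birthday!")]
    + [ChatEvent(30, "quiet_q", f"friend{i}", "free iPad!! http://example.test/gift-card")
       for i in range(12)]
    + [ChatEvent(30, "newsy_n", f"friend{i}", "good read: http://example.test/article")
       for i in range(3)]
)


def chat_anomalies(events: list[ChatEvent], baseline_days: int = 30,
                   min_recipients: int = 10, spike_factor: float = 5.0) -> dict[str, str]:
    """Return {sender: reason} for accounts whose chat fan-out on the most recent
    day is far above their own baseline AND who pushed one identical URL to at
    least ``min_recipients`` people that day.  Both conditions are required so a
    genuinely sociable account is not flagged just for being busy."""
    last_day = max(e.day for e in events)
    recipients_by_day: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    link_reach: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for e in events:
        recipients_by_day[e.sender][e.day].add(e.recipient)
        if e.day == last_day:
            for url in URL_RE.findall(e.text):
                link_reach[e.sender][url].add(e.recipient)

    flagged: dict[str, str] = {}
    for sender, days in recipients_by_day.items():
        # Baseline = mean distinct recipients per day over the history window,
        # floored at 1 so a silent account is not compared against zero.
        history = sum(len(r) for d, r in days.items() if d < last_day)
        baseline = max(1.0, history / baseline_days)
        today = len(days.get(last_day, set()))
        if today < spike_factor * baseline:
            continue
        for url, reached in link_reach[sender].items():
            if len(reached) >= min_recipients:
                flagged[sender] = (f"{today} recipients today vs baseline {baseline:.1f}/day; "
                                   f"same link {url} sent to {len(reached)} people")
                break
    return flagged


if __name__ == "__main__":
    for account, reason in chat_anomalies(SAMPLE_EVENTS).items():
        print(f"SUSPICIOUS {account}: {reason}")
```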


Spammers exploit confusion over DigiNotar certificate forgeries

Thursday, September 15th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers


Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well known web domains including Google, Yahoo and Mozilla.

The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.

Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada tries to convince them that their SSL certificate has expired.

Spam impersonating Royal Bank


While it may look like garden-variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.

Network traffic of exploit attacks


Ever since the blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these which attempt to force malware onto users computers.  All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.


How a LinkedIn notice could empty your bank account

Saturday, August 27th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

Banks

We see a lot of spam at Barracuda Labs.  Sometimes they’re as simple and straightforward as a Viagra ad, but just as often they can be as serious and as devastating as an urban mugging.  We’ve been watching one of those muggings play out over the past few days, and it has reminded us that spam is nothing to take lightly.

Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages.

Linkedin spam

As convincing as they may be, these emails have nothing to do with LinkedIn.  The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content.

LinkedIn spam


Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.

But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.

Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.

Below is what the behind-the-scenes network traffic looked like.

Network traffic of exploits


This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3).  Eventually these exploits result in the download of Trojan.Jorik (4).

Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).

After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file.

Update with phishing HTML


These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS.  The list above shows the services that the Trojan is being configured to monitor.  There is more configuration that is not shown in this graphic – pages of HTML code snippets to be injected into login pages. When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask.

Having your online banking credentials stolen is serious stuff, especially if the credentials belong to an organization or business with a hefty bank balance.  Consider the most recent story from Brian Krebs about the Cyber Theft of $217,000 from a nonprofit in Nebraska.


With so much spam circulating through email servers worldwide, it is easy to become insensitive to the very real danger that truly malicious spam poses.  Never let down your guard, and never ever follow links in emails even if they appear official-looking. As you can see from this example, one click can be all it takes.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


Google+ Gets a “+1″ for Browser Security

Thursday, July 21st, 2011

by Ray Kelly, Manager of Client Side Technologies


Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  This happened to Facebook the more popular it grew, and it still is a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option.  This protects users’ traffic from getting sniffed and their sessions from being hijacked.  It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send the cookie over a secure (SSL) connection.  So if the browser happens to request a page from the site that is not over SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents MIME-sniffing based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to render the page inside a frame only when the framing page comes from the same origin as the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This enables the browser’s built-in filter for reflected cross-site scripting (XSS) attacks.  If the browser sees a potential reflected attack, mode=block prevents the page from rendering in the browser.  Instead, you will see something similar to this, depending on the browser:

What about Facebook?
While these preventions are by no means groundbreaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

           Secure Cookie   Nosniff   XSS Protection   X-Frame      HttpOnly Cookie   SSL
Google+    Yes             Yes       Yes              Sameorigin   Yes               Yes
Facebook   No              No        No               Deny         Yes               Optional and not default
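To make the comparison concrete, here is an added Python example (not code from the original post, nor from Google or Facebook) that parses the two raw responses quoted above, reads the cookie attributes and the X-* headers, and reports the same differences as the table. The SSL column is left out on purpose: whether a site is served only over SSL is a transport property that a single response’s headers cannot show.

```python
"""Audit the browser-security headers of a raw HTTP response.

Added example: the two responses below are transcribed from the post;
the audit logic is an illustration, not Barracuda's or Google's own tool.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed inputs: the header blocks as quoted in the post (bodies omitted).
GOOGLE_PLUS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
"""

FACEBOOK_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Return {lower-cased name: [values]} for the header block of a raw response.

    The status line is skipped and parsing stops at the first blank line, so any
    body after the headers is ignored.  Repeated headers (several Set-Cookie
    lines, for instance) are kept as separate values.
    """
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attributes(set_cookie: str) -> set[str]:
    """Lower-cased attribute names of a Set-Cookie value (secure, httponly, path...)."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]  # [0] is name=value
    return {p.split("=", 1)[0].strip().lower() for p in parts if p}


@dataclass
class HeaderAudit:
    secure_cookies: bool     # every Set-Cookie carries Secure
    httponly_cookies: bool   # every Set-Cookie carries HttpOnly
    nosniff: bool            # X-Content-Type-Options: nosniff present
    xss_filter: bool         # X-XSS-Protection enabled (value starts with "1")
    frame_options: str       # X-Frame-Options value, or "missing"
    findings: list[str] = field(default_factory=list)


def audit_response(raw: str) -> HeaderAudit:
    h = parse_headers(raw)
    cookies = [cookie_attributes(c) for c in h.get("set-cookie", [])]
    # all() over an empty list is True: with no cookies there is nothing to leak.
    secure = all("secure" in c for c in cookies)
    httponly = all("httponly" in c for c in cookies)
    nosniff = any(v.lower() == "nosniff" for v in h.get("x-content-type-options", []))
    # "0" explicitly disables the filter, so only a leading "1" counts as enabled.
    xss = any(v.startswith("1") for v in h.get("x-xss-protection", []))
    frame = h["x-frame-options"][0].upper() if "x-frame-options" in h else "missing"

    audit = HeaderAudit(secure, httponly, nosniff, xss, frame)
    if not secure:
        audit.findings.append("Set-Cookie without Secure: cookie can travel over plain HTTP")
    if not httponly:
        audit.findings.append("Set-Cookie without HttpOnly: cookie readable by page script")
    if not nosniff:
        audit.findings.append("X-Content-Type-Options missing: browser may sniff the content type")
    if not xss:
        audit.findings.append("X-XSS-Protection not enabled: reflected XSS filter is off")
    if frame == "missing":
        audit.findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    return audit


if __name__ == "__main__":
    for site, raw in (("Google+", GOOGLE_PLUS_RESPONSE), ("Facebook", FACEBOOK_RESPONSE)):
        r = audit_response(raw)
        print(f"{site}: secure={r.secure_cookies} httponly={r.httponly_cookies} "
              f"nosniff={r.nosniff} xss={r.xss_filter} frame={r.frame_options}")
        for finding in r.findings:
            print("  -", finding)
```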

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm


Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of them.  What does this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities?  Absolutely not.  Is it a good start?  Yes, it is. And further, it is good to see an app make its debut with security in mind.  It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.


Fake Google+ invites used to harvest Facebook profiles

Wednesday, July 13th, 2011

by David Michmerhuizen – Security Researcher

A common denominator of Facebook scams is that they offer you something you can’t resist.  Whether it be free Farmville coins, a ‘Dislike’ button, or just a girl in a short plaid skirt, if it’s desirable then you’ll eventually see it offered on Facebook as part of a scam.

And so it is with the latest must-have digital tchotchke, an invitation to the new social networking offering from Google, Google+.  Since Google’s new project is aimed squarely at Facebook you would hardly expect to see such invitations offered on Facebook, but that’s where they’re showing up.

Google Plus invite in Facebook news feed


Clicking on one of these news feed items brings up an actual Facebook application page.  These app pages are being taken down by Facebook and scammers are creating new ones, as seen here:

Facebook fake Google plus invite application


The reason for selecting an application for this scam is that applications can, if allowed, access otherwise private information from your Facebook profile.  That’s just what this app does.  Clicking on any of these links takes you to a page where the application requests permission to access your Facebook data, and it really does ask for quite a bit.

Permissions request


This appears to be the entire point of this scam – email and account data harvesting.  The only other thing the application does is to spread to your friends.   First you are asked to ‘Like’ the app, which will cause it to appear in your friends’ news feeds.

"Like" step


Then, just in case items from you don’t appear in your friends’ news feeds, there is one more step: you are asked to explicitly send “invites” to your friends.

Fake "invite" step


Instead of actually sending invites, you’re sending Facebook requests that will appear in the notification queue of each friend you select.

Once you are past this point you wind up on the Google+ home page, and when you try to log in – surprise – you haven’t been invited.


As always, we at Barracuda Networks recommend that you approach any wall post that appears in your news feed with great caution.   If they seem to be too good to be true, double-check with the person whose name appears on the post.  Additionally,  Barracuda Web Filters give IT departments the ability to selectively block Facebook within the organization.


Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers


Tax forum spam


The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Having already targeted their emails at credit point-of-sale users and wire transfer users, they have now crafted spam to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic looking name and use the email-id of the recipient as the subject.

Tax Forum Spam


The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com (warning: do not visit that domain in your Web browser!)

The job of these domains is to send Javascript to your browser to accomplish two things.  First it displays a pop-up message saying that your browser cannot reach the site.

Fake alert


…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the Javascript directs the browser off to another domain that hosts the Blackhole exploit kit.  This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic


Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Huge amounts of Federal Reserve spam delivering Zeus password stealer

Tuesday, June 21st, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam


Much like last week’s Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning


While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic


It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Spammers Offer iPhone 5, Deliver Malware

Monday, May 23rd, 2011

by Dave Michmerhuizen – Security Researcher


The iPhone 5 isn’t due to be released until fall, or even Christmas, but the spam honeypots at Barracuda Labs are already detecting malicious messages targeting anxious Apple acolytes.

Fake Phone


The image of a beautiful see-through phone is actually a concept photo that is over two years old.

All of the links in the email lead to a copy of Trojan.Zapchast, an IRC-controlled backdoor.

Fake iPhone spam


Naturally the apple.com from: address is spoofed.

If you do click on one of the links and run the offered executable, another old iPhone concept photo is displayed in order to distract you from the installation of the backdoor.

Photo distracts you from backdoor installation



In this case, if you’re curious about iPhone products, visit the Apple iPhone pages at http://www.apple.com/iphone. And never click on links in emails, especially from unknown sources.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.
