Archive for the ‘phishing’ Category

« Older Entries

Attackers Use Fake Friends to Blend into Facebook

Thursday, February 2nd, 2012

FOR IMMEDIATE RELEASE

Attackers Use Fake Friends to Blend into Facebook

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles

View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of “spreading spam through misleading and deceptive tactics”. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to carry out their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.

“Also, researchers have shown how friending malicious accounts can lead to account takeover using Facebook’s trusted friend account recovery,” Judge continued. “We have analyzed thousands of fake accounts to determine features and patterns that distinguish them from real users, and created a feature-based heuristic engine to distinguish real users from fake profiles.”

The study analyzes data collected from Barracuda Profile Protector, a free tool that analyzes and blocks malicious activity on Facebook and Twitter, along with public data collected from streams and network crawling to demonstrate how users typically operate. The study illustrates how attacks on Facebook are structured to exploit the “friendship” concept and trust of widely-used applications. A variety of machine learning techniques are used to analyze shared URLs, profile images, profile information, and connections with other users to reveal associations, weak and strong, between malicious users.

Resources:
•    Download the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.
•    View the Barracuda Labs security research portal at http://barracudalabs.com.
•    Install Profile Protector at http://ProfileProtector.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs

About Barracuda Labs
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs’ threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit www.barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

###

Share

Posted in Internet Security Tips, phishing, Research, Security, Social Networking, Statistics, Web Security | No Comments »

Human Rights Group Used to Spy on Activists

Thursday, December 22nd, 2011

By Paul Royal, Research Consultant

Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.

Share

Tags: , , , ,
Posted in Current Events, phishing, Research, Security, Uncategorized, Web Security | 1 Comment »

Personal Safety: Two Rules For Dealing With Spam

Tuesday, December 6th, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers


The Barracuda Labs spam traps recently received a burst of phishing emails targeting Bank of America customers. These particularly well-crafted messages underscore two important rules when dealing with spam.

Rule # 1Never click on a link in an email, no matter how authentic it might appear.

Rule # 2:  If a dialog asks you if you want to RUN something, don’t.

Many people think they can effectively spot spam by looking for the tell-tale clues such as poor grammar or misspellings. Modern spam campaigns render this approach ineffective.

Take a look at this very convincing email…

Bank of America spam

(click for full-size image)

There is nothing in this email that initially seems suspicious – except that the email offers a link to an “online statement”, which is actually a malware executable.

This involves rule number one – never click on a link, even if it might appear to be legitimate, indeed even if it is legitimate.  Such links are so frequently malicious that trying to determine which are and which are not is simply too risky.  It is much safer to directly visit the website of the institution within your web browser.

In the most simple cases, clicking on a malicious link downloads the malware executable and attempts to run it.  Before running it, Windows will prompt you and ask you if you really want to run the file, like so…

Windows Warning

(click for full size image)

 

This triggers rule number two – never select Run when this dialog is presented.  No reputable, unsolicited, email will contain, or link, to something that needs to be run on your local computer; even if the email is from a trusted or known organization.

What can happen if you ignore these two rules?

In this case, you would have downloaded and executed a bank password stealer.   One of the first things this Trojan horse does is update itself with a list of banking sites that it should monitor for transmitted usernames and passwords.

Password Stealer update

(click for full size image)

Once this step is complete the Trojan checks-in with a command and control server in Russia, updating it with any banking credentials it finds.

Trojan Traffic

(click for full size image)

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Share

Posted in Email Security, phishing, Spam | No Comments »

Barracuda Labs Releases 2011 Social Networking Security and Privacy Study

Wednesday, October 12th, 2011

By: Barracuda Labs

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

Campbell, Calif. (Oct. 12, 2011) Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

  • LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

  • Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

  • One in five people has been negatively affected by information that was exposed on a social network.

2011 Social Networking Security & Privacy Study – Resources:

 

About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.

About Barracuda Networks

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

Share

Posted in ID Theft, phishing, Research, Security, Social Networking, Spam, Statistics | No Comments »

Spammers exploit Steve Jobs death

Friday, October 7th, 2011

By Dave Michmerhuizen – Security Researcher

Apple Chairman Steve Jobs passed away on October 5, 2011. We all share in the sadness of losing such a technology leader, visionary and innovator. Steve impacted our lives in a multitude of positive ways, through his spirit, his creativity and the word-class products he brought to market. Apple’s offerings are both mainstream tools and sources of joy – solving problems and brightening lives everyday, all over the world.  We wish for peace for Steve Jobs and his family.

Unfortunately while many are mourning, others are trying to take advantage of them. Only 24 hours after Jobs’ death spammers began sending insensitive emails claiming otherwise.

Steve Jobs spams

Spams like these capitalize on their shock value. The senders hope that you will be curious just long enough to let down your guard and click on the link.

By now we should all know that these links lead to no good.  Merely clicking on the link in one of these emails leads to a compromised website which redirects the browser multiple times, in some cases finally delivering it to a host serving up the BlackHole exploit kit.

Barracuda Labs is seeing more and more instances of spam linking to servers hosting these exploit kits.   They are increasingly popular with malware distributors because a link has been clicked no further user interaction is required to install their payload.

It saddens us to see these  emails in our honeypots.   Don’t let the amoral scum who send these things take advantage of you. If you see them, delete them right away.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Posted in Current Events, Email Security, phishing, Spam, Web Security | No Comments »

Spammers exploit confusion over DigiNotar certificate forgeries

Thursday, September 15th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

 

Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well known web domains including Google, Yahoo and Mozilla.

The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.

Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada tries to convince them that their SSL certificate has expired.

Spam impersonating Royal Bank

(Click for larger image)

While it may look like  garden variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.

Network traffic of exploit attacks

(Click for larger image)

 

Ever since the blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these which attempt to force malware onto users computers.  All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.

Share

Posted in Email Security, ID Theft, Internet Security Tips, phishing, Security, Spam | No Comments »

How a LinkedIn notice could empty your bank account

Saturday, August 27th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

Banks

We see a lot of spam at Barracuda Labs.  Sometimes they’re as simple and straightforward as a Viagra ad, but just as often they can be as serious and as devastating as an urban mugging.  We’ve been watching one of those muggings play out over the past few days, and it has reminded us that spam is nothing to take lightly.

Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages.

Linkedin spam

As convincing as they may be these emails have nothing to do with LinkedIn.  The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content

LinkedIn spam

 

Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.

But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.

Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.

Below is what the behind-the-scenes network traffic looked like.

Network traffic of exploits

(Click for larger image)

This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3).  Eventually these exploits result in the download of Trojan.Jorik (4).

Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).

After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file.

Update with phishing HTML

(Click for larger image)

 

These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS.  The list above shows the services that the Trojan is being configured to monitor.  There is more configuration that is not shown in this graphic – pages of HTML code snippets to be injected into login pages. When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask.

Having your online banking credentials stolen is serious stuff, especially if the credentials belong to an organization or business with a hefty bank balance.  Consider the most recent story from Brian Krebs about the Cyber Theft of $217,000 from a nonprofit in Nebraska.

 

With so much spam circulating through email servers worldwide, it is easy to become insensitive to the very real danger that  truly malicious spam poses.  Never let down your guard, and never ever follow links in emails even if they appear to be official looking. As you can see from this example, one click can be all it takes.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Share

Posted in Email Security, Internet Security Tips, phishing, Spam, Web Security | No Comments »

Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers

 

Tax forum spam

 

The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic looking name and use the email-id of the recipient as the subject.

Tax Forum Spam

Tax Forum Spam

The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com  (warning: do not visit that domain in your Web browser!)

The job of these domains is to send Javascript to your browser to accomplish two things.  First it displays a pop-up message saying that your browser cannot reach the site.

Fake alert

 

…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the Javascript directs the browser off to another domain that hosts the Blackhole exploit kit.  This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic

Exploit and Zeus network traffic

Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Tags: , , , , ,
Posted in Email Security, Internet Security Tips, phishing, Security, Spam | No Comments »

Huge amounts of Federal Reserve spam delivering Zeus password stealer

Tuesday, June 21st, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam

Fake wire transfer spam

Much like last weeks Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning

Windows security warning

While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic

Zeus network traffic

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

 

Share

Tags: , , , , , ,
Posted in Email Security, ID Theft, Internet Security Tips, phishing, Security, Spam | No Comments »

Fake Chase Bank invite delivers password stealer

Friday, June 17th, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Chase Paymentech logo

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done.  The only suspicious element is that the From: address is not Chase bank, an unusual failure given how easy it is to fake the From: field in an email.

Chase Paymentech spam
Fake Chase Paymentech email

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Word document
Word document

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Trojan.Zeus network traffic
Trojan.Zeus network traffic

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Tags: , , , , ,
Posted in Email Security, ID Theft, phishing, Security, Spam | No Comments »

« Older Entries