Archive for the ‘phishing’ Category

« Older Entries
Newer Entries »

Spammers exploit confusion over DigiNotar certificate forgeries

Thursday, September 15th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

 

Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well known web domains including Google, Yahoo and Mozilla.

The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.

Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada tries to convince them that their SSL certificate has expired.

Spam impersonating Royal Bank

(Click for larger image)

While it may look like  garden variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.

Network traffic of exploit attacks

(Click for larger image)

 

Ever since the blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these which attempt to force malware onto users computers.  All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.

Share

Posted in Email Security, ID Theft, Internet Security Tips, phishing, Security, Spam | No Comments »

How a LinkedIn notice could empty your bank account

Saturday, August 27th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

Banks

We see a lot of spam at Barracuda Labs.  Sometimes they’re as simple and straightforward as a Viagra ad, but just as often they can be as serious and as devastating as an urban mugging.  We’ve been watching one of those muggings play out over the past few days, and it has reminded us that spam is nothing to take lightly.

Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages.

Linkedin spam

As convincing as they may be these emails have nothing to do with LinkedIn.  The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content

LinkedIn spam

 

Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.

But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.

Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.

Below is what the behind-the-scenes network traffic looked like.

Network traffic of exploits

(Click for larger image)

This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3).  Eventually these exploits result in the download of Trojan.Jorik (4).

Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).

After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file.

Update with phishing HTML

(Click for larger image)

 

These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS.  The list above shows the services that the Trojan is being configured to monitor.  There is more configuration that is not shown in this graphic – pages of HTML code snippets to be injected into login pages. When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask.

Having your online banking credentials stolen is serious stuff, especially if the credentials belong to an organization or business with a hefty bank balance.  Consider the most recent story from Brian Krebs about the Cyber Theft of $217,000 from a nonprofit in Nebraska.

 

With so much spam circulating through email servers worldwide, it is easy to become insensitive to the very real danger that  truly malicious spam poses.  Never let down your guard, and never ever follow links in emails even if they appear to be official looking. As you can see from this example, one click can be all it takes.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Share

Posted in Email Security, Internet Security Tips, phishing, Spam, Web Security | No Comments »

Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers

 

Tax forum spam

 

The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic looking name and use the email-id of the recipient as the subject.

Tax Forum Spam

Tax Forum Spam

The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com  (warning: do not visit that domain in your Web browser!)

The job of these domains is to send Javascript to your browser to accomplish two things.  First it displays a pop-up message saying that your browser cannot reach the site.

Fake alert

 

…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the Javascript directs the browser off to another domain that hosts the Blackhole exploit kit.  This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic

Exploit and Zeus network traffic

Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Tags: , , , , ,
Posted in Email Security, Internet Security Tips, phishing, Security, Spam | No Comments »

Huge amounts of Federal Reserve spam delivering Zeus password stealer

Tuesday, June 21st, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam

Fake wire transfer spam

Much like last weeks Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning

Windows security warning

While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic

Zeus network traffic

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

 

Share

Tags: , , , , , ,
Posted in Email Security, ID Theft, Internet Security Tips, phishing, Security, Spam | No Comments »

Fake Chase Bank invite delivers password stealer

Friday, June 17th, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Chase Paymentech logo

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done.  The only suspicious element is that the From: address is not Chase bank, an unusual failure given how easy it is to fake the From: field in an email.

Chase Paymentech spam
Fake Chase Paymentech email

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Word document
Word document

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Trojan.Zeus network traffic
Trojan.Zeus network traffic

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Tags: , , , , ,
Posted in Email Security, ID Theft, phishing, Security, Spam | No Comments »

Spammers Offer iPhone 5, Deliver Malware

Monday, May 23rd, 2011

by Dave Michmerhuizen – Security Researcher

 

The iPhone 5 isn’t due to be released until fall, or even Christmas, but the spam honeypots at Barracuda Labs are already detecting malicious messages targeting anxious Apple acolytes.

Fake Phone

Fake Phone

The image of a beautiful see-through phone is actually a concept photo that is over two years old.

All of the links in the email lead to a copy of Trojan.Zapchast, an IRC-controlled backdoor.

Fake iPhone spam

Fake iPhone spam

Naturally the apple.com from: address is spoofed.

If you do click on one of the links and run the offered executable, another old iPhone concept photo is displayed in order to distract you from the installation of the backdoor.

Photo distracts you from backdoor installation

Photo distracts you from backdoor installation

 

In this case, if you’re curious about iPhone products, visit the Apple iPhone pages at http://www.apple.com/iphone. And never click on links in emails, especially from unknown sources.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

 

Share

Tags: , , ,
Posted in Email Security, Internet Security Tips, phishing, Security, Spam, Uncategorized | No Comments »

Osama Bin Laden Death Picture Spam on the Rise

Wednesday, May 4th, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

The spam honeypots at Barracuda Labs have detected the first of what we suspect will be a wave of spam that takes advantage of the curiosity surrounding the death of Osama Bin Laden.  Not so long ago spam emails would have been the first to exploit such a current event.   However, as we posted recently, Facebook now has that distinction.

The spam offers up some pretty gruesome photos:

Spam

Spam

The Portuguese text reveals that these spams target residents of Brazil.  A rough translation says that the photos visible in the email are not real, (they are indeed fake) but that real photographs are available from the attached link.

Following the attached link leads the user to malware, not photos, as shown here:

Malware, not photos

Malware, not photos

This should certainly ring all sorts of alarm bells.  Users do not “Run” photos; however, this file is a version of Trojan.Banload, downloader which installs additional malware. As shown below, it downloads another file, a variant of Trojan.PWS.Banker, that settles onto the user’s PC and intercepts online banking usernames and passwords.

Malware traffic

Malware traffic

Once the banking Trojan is successfully installed, a message is sent back to the malware authors:

 

There are similar families of malware optimized for stealing online banking credentials from American and European computer users, and appealing social engineering strategies for delivering them, Osama Bin Laden’s death being only one of many.   Do not open or run email attachments.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

 

 

 

 

 

Share

Posted in Email Security, phishing, Security, Uncategorized | No Comments »

Paypal account statement emails: Do as we say, not as we do.

Thursday, April 28th, 2011

by Dave Michmerhuizen and Denis Kieft – security researchers

Barracuda Labs researchers have recently seen emails from PayPal Inc. that initally seem to be phish but ultimately appear to be a security fail by a company that surely should know better.

It is a well-accepted email security best practice to never click on links in emails.  Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on emails.  As you would expect, PayPal does so on their website.

Warning on PayPal website

Warning on PayPal website

 

Consider that warning and then take a look at this email from Paypal, via servers at responsys.net, a software service that allows marketers to manage email campaigns…

PayPal "enhanced account statement" email

PayPal "enhanced account statement" email

The email contains ELEVEN hyperlinks, all pointing to an email response servelet which records your click and then transfers the browser to the PayPal login screen.   “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails.   Although PayPal has declined to comment on the email,  close examination shows no malicious content.    Instead, this appears to be a case of a Marketing department in need of a little security education.

It’s unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years.  An email from a bank or online service should be considered suspect by default.   PayPal’s own advice is the safest advice, always open your web browser and type in the URL you intend to visit – never click on a link embedded in an email.

Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue.   Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective.   When PayPal sends out their own emails containing links they confound customers who have been long been told not to click on those very links.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.

Share

Posted in Email Security, ID Theft, Internet Security Tips, phishing, Uncategorized | 1 Comment »

IRS spam arrives just in time for April 18 tax deadline

Monday, April 18th, 2011

by Dave Michmerhuizen & Luis Chapetti – security researchers

Just in time for the U.S. tax filing deadline, the Barracuda Labs spam honeypots have detected a surge in spam intended to scare harried tax filers into letting down their guard.

Tax time is stressful and many of us are sifting through piles of forms and receipts.  It can be difficult to remember to be skeptical of that official-looking that appears to be from the Internal Revenue Service.   Yet skeptical is what you should be, because the the IRS is a favorite target for spammers and phishers to impersonate.    Lets look at three samples.


The first spam is from a phishing campaign that has been active since at least 2008.  Aimed primarily at immigrants, it presents a dense thicket of poorly written gobbledygook stating that the recipient is not subject to taxes on certain unspecified interest.

Fake non-resident exemption

Fake non-resident exemption

A PDF of form W-4100B2 is attached and you are encouraged to fill it out and fax it to a number provided in the email.  The form asks for practically every piece of sensitive financial information an identity thief could want, including Social Security numbers, debit and credit card numbers with codes and even passport numbers.

However, the fact is that there is no IRS form W-4100B2. The IRS has specifically stated that they “do not request detailed personal information through email.”    Messages like this should be ignored.


The second spam has been used for phishing in the past, but in this year’s incarnation it carries a nasty payload.

"Rejected EFTPS" spam

"Rejected EFTPS" spam

The salutation of “Hello Dear” isn’t very convincing coming from the IRS.  Still, the basic message that an electronic tax payment might be rejected might be enough to cause a harried office worker to open up the attachment.  That would be a big mistake because although clicking on the attachment does not appear to do anything it actually does install Trojan.Zeus in the background.  This Trojan horse runs silently, steals usernames and passwords and in this case sends them to a command and control server in Asia.


The last sample is from a campaign that is noteworthy for how it is carefully targeted to specific individuals.   Usually spam campaigns are scatter shot affairs that send out large numbers of emails addressed to “Dear Sir / Madam”, as our first example showed.   This “rule change notification” was seen using individual email addresses of real people, addressing them by their real name and company name.

Targeted "Rules Change" spam

Targeted "Rules Change" spam

Instead of new tax rules, the attached .zip file contains a Trojan.Downloader which installs a variety of other malware.

Again, the IRS has stated that it “does not initiate taxpayer communications through email,” and “does not request detailed personal information through email.”  If a taxpayer has questions about emails such as these they should check with the IRS using contact information found in their local phone directory or www.irs.gov.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails. The Barracuda Web Filter, and/or the Barracuda Web Filtering Service block the traffic involved in the attacks.

Share

Posted in Email Security, ID Theft, Internet Security Tips, phishing, Uncategorized | No Comments »

New Japan tsunami relief spam impersonates Red Cross

Friday, March 25th, 2011

David Michmerhuizen & Luis Chapetti – Security Researchers, Barracuda Labs

As we wrote last week, scam artists were quick to take advantage of the recent disaster in Japan.

Since then they’ve been hard at work making their appeals even more sophisticated.   Within the last few days the spam traps at Barracuda Labs have detected a very large campaign that carefully impersonates the British Red Cross.

Tsunami relief spam

Tsunami relief spam

There are many small clues in the email that flag it as suspicious.  The use of a free webmail host and the desire for payment via Western Union are two, but what is most damning is that the ‘donate now’ button takes you to a small otherwise unused website rather than to the official Red Cross website.

Tsunami relief scam website

Tsunami relief scam website

This web page is very convincing, but it still isn’t the Red Cross.

Links in emails are very easy to hide or spoof.  Barracuda Networks advises that you not click on such links to go to external sites.  Instead, determine the actual website of the organization you want to visit, whether it be a charity or a bank or even your phone company,  and then enter that website name directly into your web browser.

We have not yet seen similar spam targeting other national Red Cross organizations but these sorts of scams are very easy to set up.   The British Red Cross is aware of the problem.

British Red Cross warning

British Red Cross warning

The British Red Cross does have a website that accepts donations at redcross.org.uk, as does the American Red Cross at www.redcross.org.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall protected from these spam mailings.

Share

Posted in Email Security, Internet Security Tips, phishing | No Comments »

« Older Entries
Newer Entries »