Archive for the ‘Spam’ Category

Personal Safety: Two Rules For Dealing With Spam

Tuesday, December 6th, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers


The Barracuda Labs spam traps recently received a burst of phishing emails targeting Bank of America customers. These particularly well-crafted messages underscore two important rules when dealing with spam.

Rule #1: Never click on a link in an email, no matter how authentic it might appear.

Rule #2: If a dialog asks you if you want to RUN something, don’t.

Many people think they can effectively spot spam by looking for the tell-tale clues such as poor grammar or misspellings. Modern spam campaigns render this approach ineffective.

Take a look at this very convincing email…

[Image: Bank of America spam]

There is nothing in this email that initially seems suspicious – except that the email offers a link to an “online statement”, which is actually a malware executable.

This involves rule number one – never click on a link, even if it might appear to be legitimate, indeed even if it is legitimate.  Such links are so frequently malicious that trying to determine which are and which are not is simply too risky.  It is much safer to directly visit the website of the institution within your web browser.

In the most simple cases, clicking on a malicious link downloads the malware executable and attempts to run it.  Before running it, Windows will prompt you and ask you if you really want to run the file, like so…

[Image: Windows Warning]

This triggers rule number two – never select Run when this dialog is presented.  No reputable unsolicited email will contain, or link to, something that needs to be run on your local computer, even if the email is from a trusted or known organization.

What can happen if you ignore these two rules?

In this case, you would have downloaded and executed a bank password stealer.  One of the first things this Trojan horse does is update itself with a list of banking sites that it should monitor for transmitted usernames and passwords.

[Image: Password Stealer update]

Once this step is complete the Trojan checks in with a command and control server in Russia, updating it with any banking credentials it finds.

[Image: Trojan Traffic]

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


Seven Annoying Attacks That Facebook Misses

Wednesday, November 16th, 2011

This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results that showed that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and statistics. We applaud the efforts; however, more is needed. When you are trying to grow a social network as well as increase advertising revenue, security becomes not only a lower priority but sometimes a conflict of interest.

Facebook claims that only 0.5% of users experience spam on any given day. That is still 4 million people out of the 400 million users that log in on any given day. We suspect that measurement only counts spam that Facebook catches, which is clearly not 100% of the spam. While working on Profile Protector and other web security intelligence, we regularly come across examples of spam and attacks that repeatedly use similar approaches that are detectable. We compiled this list of seven annoying attacks that Facebook misses.

1) Fake Product Pages:

Knock-off luxury goods have always been popular scams.  You might think you are buying your mother a nice new purse for a great price.  If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best.  Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints.  Once they finally are shut down there are already 8 duplicate pages running the same scam. Clearly there are some brands that are not running hundreds of photo albums on Facebook as their advertising platform, for example Christian Louboutin, Louis Vuitton, Air Jordan and Beats By Dre.


2) Manipulated Account Recommendations:

On social networks those with less good motives have figured out how to game the recommendation system and use it to their advantage. This is very similar to how attackers have used search engine optimization to promote their malware. Friends are recommended in a variety of ways, but an easily exploited example is through shared apps.  Spammer accounts sign up for the same popular apps that real users do and before too long they are showing up in your list of recommended friends, which snowballs nicely into giving them a foothold into the recommended list for each of your friends.


3) Affiliate Spam:

Affiliate spam is a bigger and bigger part of the typical user’s incoming stream. Usually relying on the images of established and trusted brands, these scams tend to be very successful and take little work for those who run them.  The hook is usually a free gift card or in some cases something as extravagant as a new iPad. They encourage or require the user to share it out to all their friends and say something like “I love Olive Garden” before being redirected to a never-ending series of offers in the form of premium text messaging, video rental and recurring subscriptions of all kinds that the user is required to sign up for to get the supposed “free” gift card.  A run featuring a Starbucks gift card was successful enough that Starbucks corporate had to comment letting users know it was not legitimate.


4) Photo Tagging For Spam:

The Facebook infographic referenced above mentions “Photo DNA” but it is likely that this is little more than a database of hashes related to explicit and exploitative images.  Photo tagging for spamming is one of the most popular methods of spamming through the network but it doesn’t seem to be getting much attention.  With each image uploaded a spammer can tag as many as 50 other accounts in a photo, and have as many as 200 photos in an album.  With everyone in Facebook having a maximum of 5,000 friends each photo can reach a quarter million people.  This leads to a fairly nice multiplier for bytes uploaded vs users reached, especially on a network that people spend as much time on as Facebook.  Some basic image analysis will tell you if there are really 40 people in the picture or if it is just a pair of Hello Kitty heels.


5) Fake Apps:

Fake apps, malicious apps, misleading apps, whatever you want to call them, Facebook is overflowing with them.  New examples show up daily, often focusing on giving users features that they wish Facebook would provide.  After all, don’t we all want to know if that old flame still looks us up every few days? Or don’t we all wait for the launch of a ‘dislike’ button?  It is a big network and these are going to exist from time to time anywhere, but it is becoming more like the shareware sites of the late 90s where most of the programs were of low quality and a relatively high percentage of them posed a risk.  Usually they are in the information gathering and spamming business, but we have found examples that link to malicious binaries.


6) Stolen Pictures:

There is not really a set of sextuplets each with the same bikini picture as their personal profile picture. Those are fake accounts. The photo album that has the same two images, one the front view of a bikini and the other the back view of a different bikini, repeated 15 times each does not belong to a real user. Certainly there are some images that will be common to multiple people, such as a team logo or a newly released album cover. However, the fake accounts typically use images of a salacious nature.  Sex sells, and these profiles do very well at gathering followers around a fake identity, only to occasionally slip an advertisement into the stream.  Of course there is always the possibility that we’ve stumbled upon a set of identical sextuplets that would be very happy to reconnect…


7) Anomalous Behavior:

Finally, Facebook and social networks in general should focus on some form of anomaly detection.  We’ve all seen examples of that friend who you never really talk to, and probably weren’t that interested in “friending” anyway, posting on your wall or messaging your account encouraging you to get a free iPad or a trip on Southwest Airlines, etc.  Similar problems have been appropriately mitigated elsewhere in messaging but social networks have a long way to go.  In many ways we’re seeing the same problems that the security community has been dealing with for more than a decade. Instead of SMTP and a distributed network, more and more messaging is pushed over HTTP and closed networks that leave the receiver with little they can do to secure themselves. Looking for behavior that is an outlier to the normal pattern is a well understood approach in other areas of network and messaging security. If someone that never uses chat is suddenly chatting with dozens of people and forwarding the same link, then there is a high likelihood of suspicious activity.
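The last sentence describes exactly the kind of signal a simple per-user baseline can catch. The block below is an added illustration, not code from the original post or from Barracuda Labs: it builds a constructed chat log (alice chats daily without links, carol shares one article with two friends, bob has never chatted and then sends one link to eight people in ten minutes) and flags senders whose recent volume is far above their own history and whose messages fan the same URL out to many distinct recipients. The thresholds, the event tuple layout and the `now` timestamp are assumptions chosen for the sample data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")
NOW = datetime(2011, 11, 16, 12, 0)  # constructed "current time" for the sample log


def make_events(now=NOW):
    """Constructed chat log as (timestamp, sender, recipient, text). Not real data."""
    events = []
    # alice chats a few times a day with the same people and never shares links
    for day in range(1, 8):
        for i in range(3):
            events.append((now - timedelta(days=day, hours=i), "alice", f"friend{i}", "lunch?"))
    # carol rarely chats; today she sends one article to two friends (normal sharing)
    events.append((now - timedelta(days=3), "carol", "dan", "see you tomorrow"))
    for rcpt in ("dan", "erin"):
        events.append((now - timedelta(minutes=20), "carol", rcpt,
                       "read this http://news.example/article"))
    # bob has never used chat, then pushes one link to eight people in ten minutes
    for i in range(8):
        events.append((now - timedelta(minutes=i), "bob", f"friend{i}",
                       "free iPad!! http://win.example/ipad"))
    return events


def find_burst_outliers(events, now, window=timedelta(hours=1), history_days=7,
                        min_burst=5, burst_factor=10, min_recipients=5):
    """Flag senders whose activity in the last `window` is both far above their
    own baseline and consists of the same URL fanned out to many recipients.

    Returns {sender: details} for every flagged sender."""
    cutoff = now - window
    history_start = now - timedelta(days=history_days)
    history_count = Counter()          # messages per sender in the baseline period
    recent = defaultdict(list)         # (recipient, text) per sender in the window
    for ts, sender, rcpt, text in events:
        if cutoff <= ts <= now:
            recent[sender].append((rcpt, text))
        elif history_start <= ts < cutoff:
            history_count[sender] += 1

    flagged = {}
    for sender, msgs in recent.items():
        # personal baseline: this sender's average messages per hour over the history
        baseline_per_hour = history_count[sender] / (history_days * 24)
        threshold = max(min_burst, burst_factor * baseline_per_hour)
        if len(msgs) < threshold:
            continue
        # fan-out of each URL: how many distinct people received the same link
        fanout = defaultdict(set)
        for rcpt, text in msgs:
            for url in URL_RE.findall(text):
                fanout[url].add(rcpt)
        if not fanout:
            continue
        url, rcpts = max(fanout.items(), key=lambda kv: len(kv[1]))
        if len(rcpts) >= min_recipients:
            flagged[sender] = {
                "messages": len(msgs),
                "baseline_per_hour": baseline_per_hour,
                "url": url,
                "recipients": len(rcpts),
            }
    return flagged


if __name__ == "__main__":
    for sender, info in find_burst_outliers(make_events(), NOW).items():
        print(f"{sender}: {info['messages']} msgs in 1h (baseline {info['baseline_per_hour']:.3f}/h), "
              f"{info['url']} sent to {info['recipients']} people")
```

Both conditions have to hold before a sender is flagged: the volume test alone would catch carol on a quiet day, and the fan-out test alone would catch a legitimately popular link, but a dormant account that suddenly pushes one URL to a crowd trips both.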


Muammar Gaddafi – 419 spam’s new favorite subject

Friday, October 21st, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

When you are engaged in direct marketing, your first order of business is to get the attention of your customer.  This is just as true for Nigerian 419 spammers as it is for everyone else, and widespread news coverage of the recent death of Muammar Gaddafi is a gift for the Lads from Lagos.

The spam monitors at Barracuda Labs have been detecting a steady stream of these spams, where the family of a dead African prince has been hastily replaced by the son of the dead Libyan dictator.

[Image: Gaddafi-themed spam]

Of course, by now, we hope that all email users recognize this sort of spam as an attempt to perpetrate Advance Fee Fraud. The spammers pump any respondent for personal financial information and then string them along with promises of millions of dollars once a few paltry ‘fees’ are paid in advance – thus the name, Advance Fee Fraud.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


Barracuda Labs Releases 2011 Social Networking Security and Privacy Study

Wednesday, October 12th, 2011

By: Barracuda Labs

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

Campbell, Calif. (Oct. 12, 2011) Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

  • LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

  • Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

  • One in five people has been negatively affected by information that was exposed on a social network.

2011 Social Networking Security & Privacy Study – Resources:


About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.

About Barracuda Networks

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.


Spammers exploit Steve Jobs death

Friday, October 7th, 2011

By Dave Michmerhuizen – Security Researcher

Apple Chairman Steve Jobs passed away on October 5, 2011. We all share in the sadness of losing such a technology leader, visionary and innovator. Steve impacted our lives in a multitude of positive ways, through his spirit, his creativity and the world-class products he brought to market. Apple’s offerings are both mainstream tools and sources of joy – solving problems and brightening lives every day, all over the world.  We wish for peace for Steve Jobs and his family.

Unfortunately, while many are mourning, others are trying to take advantage of them. Only 24 hours after Jobs’ death, spammers began sending insensitive emails claiming otherwise.

[Image: Steve Jobs spams]

Spams like these capitalize on their shock value. The senders hope that you will be curious just long enough to let down your guard and click on the link.

By now we should all know that these links lead to no good.  Merely clicking on the link in one of these emails leads to a compromised website which redirects the browser multiple times, in some cases finally delivering it to a host serving up the BlackHole exploit kit.

Barracuda Labs is seeing more and more instances of spam linking to servers hosting these exploit kits.  They are increasingly popular with malware distributors because once a link has been clicked, no further user interaction is required to install their payload.

It saddens us to see these emails in our honeypots.  Don’t let the amoral scum who send these things take advantage of you. If you see them, delete them right away.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Spammers exploit confusion over DigiNotar certificate forgeries

Thursday, September 15th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well-known web domains including Google, Yahoo and Mozilla.

The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.

Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada, tries to convince them that their SSL certificate has expired.

[Image: Spam impersonating Royal Bank]

While it may look like garden-variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begins which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.

[Image: Network traffic of exploit attacks]

Ever since the Blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these, which attempt to force malware onto users’ computers.  All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.


How a LinkedIn notice could empty your bank account

Saturday, August 27th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

[Image: Banks]

We see a lot of spam at Barracuda Labs.  Sometimes they’re as simple and straightforward as a Viagra ad, but just as often they can be as serious and as devastating as an urban mugging.  We’ve been watching one of those muggings play out over the past few days, and it has reminded us that spam is nothing to take lightly.

Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages.

[Image: LinkedIn spam]

As convincing as they may be, these emails have nothing to do with LinkedIn.  The From address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content.

[Image: LinkedIn spam]

Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.

But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.

Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.

Below is what the behind-the-scenes network traffic looked like.

[Image: Network traffic of exploits]

This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3).  Eventually these exploits result in the download of Trojan.Jorik (4).

Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).

After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file.

[Image: Update with phishing HTML]

These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS.  The list above shows the services that the Trojan is being configured to monitor.  There is more configuration that is not shown in this graphic – pages of HTML code snippets to be injected into login pages. When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask.

Having your online banking credentials stolen is serious stuff, especially if the credentials belong to an organization or business with a hefty bank balance.  Consider the most recent story from Brian Krebs about the Cyber Theft of $217,000 from a nonprofit in Nebraska.


With so much spam circulating through email servers worldwide, it is easy to become insensitive to the very real danger that truly malicious spam poses.  Never let down your guard, and never ever follow links in emails even if they appear official-looking. As you can see from this example, one click can be all it takes.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Do you ever worry about police impersonations?

Thursday, August 18th, 2011

by Shawn Anderson – Security Researcher

Have you ever driven down the road with a police vehicle right behind you? Do your nerves heighten and your stomach drop? This happens to a lot of people, and when the flashing lights turn on there is one thing to do. Pull over, right? The pure adrenaline rush from thinking, “What did I do wrong?” masks the paranoia of whether or not the person is really a police officer.

What would happen if you received an email from the police department stating that you were in violation of the law? Would your stomach drop and your nerves kick in as though the police vehicle just turned on its lights behind you? Would you stop to think whether the email is legit or not? Unfortunately, impersonating the police can be very effective for spammers who are trying to persuade recipients to click on a link or open an attachment. Forcing the recipients to consider their possible guilt can distract them from questioning the legitimacy of the email itself.

At Barracuda Networks, we are witnessing a large spam outbreak with malicious attachments that impersonates (spoofs) the New York State Police. The email states that the recipient was in violation of the law, and contains a description of the traffic violation. It also claims to contain the actual ticket as an attachment with instructions to open it, print it and send it to ‘Town Court’ in some small town somewhere in New York State.

The attachment is actually malware, a variant of Trojan.Downloader. If run, it downloads Trojan.Fakealert which further compromises the computer.

Emails like these teach a very important lesson. Many malicious spam messages go to great lengths to appear to be sent from some official government agency or other large organization. Unfortunately the contents of email messages are very easy to fake. The sad truth is that you should never assume that an email message is legitimate. Instead, if an email raises concerns you should verify the contents by phone or postal mail, and never run emailed attachments like the one in the message above.

Tips for configuring your spam firewall to block this attack:

Currently, the malicious spam is spoofing the “From” address domain of “nyc.gov”. Since “nyc.gov” has a hard-fail SPF record set up in its DNS TXT record, most conventional filters will block these spoofed messages. Enabling SPF on your spam filter will help block these spoofed emails.

It is common, however, that these types of malicious outbreaks will rotate their sender domains, and it is likely that they’ll spoof other state domains. SPF records are not always set up or set up properly in DNS for domains that are commonly spoofed, so relying solely on the SPF filter is not recommended. Other content scanning techniques are required to block these attacks as they rotate sender domains. Customers using the Barracuda Spam & Virus Firewall should make sure their Energize Updates are up to date and that they are on the latest version to help block these types of malicious emails.
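To make the two points above concrete (a hard-fail record lets a filter reject the spoof outright, while a domain with no record or a soft-fail record gives SPF nothing to decide on), here is an added example that is not from the original post or from Barracuda: a minimal SPF evaluator in the spirit of RFC 7208 that handles the ip4, ip6, include and all mechanisms and maps the result to a filter action. The records in FAKE_DNS_TXT are constructed placeholders, not the real TXT records of nyc.gov or any other domain, and the filter policy in filter_decision is an assumed one for illustration.

```python
import ipaddress

# Constructed SPF records keyed by domain. Illustrative values only, not the
# real DNS TXT records of nyc.gov or any other domain.
FAKE_DNS_TXT = {
    "nyc.gov": "v=spf1 ip4:198.51.100.0/24 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:203.0.113.10 ~all",
    "softfail.example.org": "v=spf1 ip4:192.0.2.0/24 ~all",
    # "nospf.example" deliberately has no record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` against the connecting `sender_ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4, ip6, include and all are implemented; a full checker also
    resolves a, mx, exists, ptr and macros.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms, which also stops include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # an IPv4 address is never "in" an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            # include matches only when the referenced domain's record yields pass
            matched = evaluate_spf(argument, sender_ip, dns, depth + 1) == "pass"
        else:
            continue                          # a, mx, exists, ptr: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # no term matched and no trailing "all"


def filter_decision(mail_from_domain, sender_ip, dns=FAKE_DNS_TXT):
    """Assumed filter policy: reject on hard fail, accept on pass, otherwise
    fall through to content scanning because SPF alone cannot decide."""
    result = evaluate_spf(mail_from_domain, sender_ip, dns)
    if result == "fail":
        return "reject"
    if result == "pass":
        return "accept"
    return "content-scan"   # softfail, neutral, none, permerror


if __name__ == "__main__":
    for domain, ip in [("nyc.gov", "198.51.100.7"), ("nyc.gov", "192.0.2.99"),
                       ("softfail.example.org", "10.0.0.1"), ("nospf.example", "10.0.0.1")]:
        print(f"{domain:22} from {ip:15} -> {evaluate_spf(domain, ip):8} -> {filter_decision(domain, ip)}")
```

The two non-matching cases are the ones the paragraph above warns about: the soft-fail and no-record domains both land in "content-scan", which is why a filter that leans only on SPF stops helping as soon as the campaign rotates to a sender domain without a proper record.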


Spam Legitimacy Through URL Redirection

Tuesday, August 9th, 2011

by Daniel Peck, Research Scientist

Usually relegated to little more than page filler on vulnerability assessment reports, open URL redirection is a vulnerability that doesn’t usually affect the site owner, but can be leveraged to add a sense of false legitimacy to spam and phishing links going through it. This is nothing new in the world of spam, but we haven’t seen a lot of it in social network spam until recently. What usually is easy for moderately savvy users to detect becomes much more difficult when shared through a Facebook link, which as we’ve seen before is trivial for malicious types to create with “likejacking” when an unsuspecting user visits their page.

In this particular case the spammer is leveraging an open redirect on news.bbc.co.uk, a site that most users would see as trustworthy, to redirect to a site that is far from legitimate.  So far it seems to be used only to push users towards the typical affiliate spam that we often see with social network scams, but similar approaches could be very successful in a more malicious context.  While it does not solve the redirection issue, one way to avoid the viral spread of these scams is to log out of social media sites like Facebook when you aren’t using them, as you will then be prompted to log in if the page tries to post to your account. For savvier users, browser add-ons such as ShareMeNot and NoScript can be used to block access to Facebook resources from sites other than Facebook. From a developer perspective, to make sure that your sites aren’t being used to add false trust to spam campaigns, redirects should be validated and limited as much as possible through a list of whitelisted URLs that are allowed to be redirected to, or an intermediary page advising the user of the redirection. For more information on the type of vulnerability itself and mitigations, check out this great post from Google’s Webmaster Central Blog.
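The two developer-side mitigations in the paragraph above (a whitelist of permitted destinations and an interstitial page for everything else) can be combined in a single decision function. The block below is an added example, not code from the original post or from the BBC: it parses a user-supplied redirect parameter, returns "redirect" for same-site paths and whitelisted hosts, "interstitial" for any other well-formed http(s) URL, and "deny" for values that should never reach a Location header. The hostnames in ALLOWED_HOSTS are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed whitelist of hosts this site will redirect to without an
# interstitial. Placeholder names, not anyone's real configuration.
ALLOWED_HOSTS = {"news.example.co.uk", "www.example.co.uk"}


def redirect_policy(raw, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Decide what to do with a user-supplied redirect parameter.

    Returns (action, target) where action is one of:
      "redirect"     - same-site path or whitelisted host: follow it directly
      "interstitial" - well-formed external http(s) URL: show a warning page first
      "deny"         - malformed or dangerous value: send the user to `default`
    """
    # Control characters (CR/LF above all) would let the value break out of the
    # Location header, so refuse them before any parsing happens.
    if not raw or any(ord(c) < 0x20 for c in raw):
        return ("deny", default)
    raw = raw.strip()
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return ("deny", default)              # javascript:, data:, file:, ...

    if not parts.netloc:
        # Treat as a same-site relative path. Require exactly one leading "/"
        # ("//host" is protocol-relative) and no backslashes, which some
        # browsers normalise to "/" and thereby turn "/\host" into "//host".
        if raw.startswith("/") and not raw.startswith("//") and "\\" not in raw:
            return ("redirect", raw)
        return ("deny", default)

    host = parts.hostname   # lower-cased; port and userinfo ("trusted@evil") stripped
    if not host:
        return ("deny", default)
    # Rebuild the URL from the parsed pieces so nothing we did not inspect survives
    # (userinfo and fragment are dropped, the scheme defaults to https).
    target = urlunsplit((scheme or "https", host, parts.path or "/", parts.query, ""))
    if host in allowed_hosts:
        return ("redirect", target)
    return ("interstitial", target)


if __name__ == "__main__":
    for value in ["/account?tab=1", "https://NEWS.example.co.uk:443/story?id=7",
                  "//evil.example/phish", "http://news.example.co.uk@evil.example/",
                  "javascript:alert(1)", "/\\evil.example"]:
        print(f"{value!r:45} -> {redirect_policy(value)}")
```

Note that the interstitial case hands back the rebuilt URL rather than the raw parameter, so the warning page shows the user the host they will really land on (evil.example in the userinfo example, not the trusted name that appeared before the @).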


Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers

[Image: Tax forum spam]

The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic looking name and use the email ID of the recipient as the subject.

[Image: Tax Forum Spam]

The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com  (warning: do not visit that domain in your Web browser!)

The job of these domains is to send JavaScript to your browser to accomplish two things.  First it displays a pop-up message saying that your browser cannot reach the site.

[Image: Fake alert]

…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the JavaScript directs the browser off to another domain that hosts the Blackhole exploit kit.  This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

[Image: Exploit and Zeus network traffic]

Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.
