Google (does not) Announce Google Pharmacy

June 2, 2011

by Dave Michmerhuizen and Luis Chapetti – Security Researchers

The spam honeypots at Barracuda Labs have detected new spam that takes social engineering – and chutzpah – to new heights.

Google Pharmacy Email

While Google announces new products and services regularly, the skeptical email recipient will determine that this announcement fails to make the grade.

We do give the spammers an A for their eye-catching addition of Viagra and Cialis to the Google logo.

However, we mark them down with a D for their fractured English (“pharmaceutical interfaces”) and a resounding F both for their choice of a domain in Russia and for landing on a run-of-the-mill rogue Canadian Pharmacy website, as shown here:

Canadian Pharmacy website

Spammers have long traded on the cachet of the Google name when sending out lottery spam, but presenting Google as a purveyor of Viagra is a whole new level of impersonation.  It has to be especially galling to Google because the company has recently been accused of knowingly accepting advertisements from rogue online pharmacies.  For their part, Google recently went to court to sue some of those same advertisers.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


You Will Dislike the “Dislike”

May 26, 2011

by Nidhi Shah, research scientist

Many Facebook users have long waited for a Dislike button, and this post is to inform them that their wait is *not* yet over. The latest scam making the rounds on Facebook offers to add a “Dislike Button” to your profile.

However, clicking on the link to Activate or Enable the feature will only lead you to various, and typical, malicious offerings such as likejacking, RogueAV, drive-by downloads or survey scams.

The most interesting thing we noticed with this one is how creative the bad guys are getting about distributing their malicious apps. They are no longer relying solely on a Facebook app to exploit a user’s trust in Facebook, most likely because that route is getting attention and risks being taken down. Instead, they are using other venues that users trust and that also let them distribute code, such as a Firefox add-on or a Chrome extension.

Once installed, such an extension can read and modify the Facebook pages the user views, and any other website he or she browses. One of these plugins inserts rotating ads whenever the victim browses Facebook. That may sound benign, but ad networks have been compromised in the past and used to serve malicious ads, a practice known as malvertising.

The bottom line? As much as we might like to have it, there is no Dislike button just yet. Facebook users, and anyone browsing the Web in general, should be extra careful before granting any app or browser extension access to their browsing machine.


Spammers Offer iPhone 5, Deliver Malware

May 23, 2011

by Dave Michmerhuizen – Security Researcher

The iPhone 5 isn’t due to be released until fall, or even Christmas, but the spam honeypots at Barracuda Labs are already detecting malicious messages targeting anxious Apple acolytes.

Fake Phone

The image of a beautiful see-through phone is actually a concept photo that is over two years old.

All of the links in the email lead to a copy of Trojan.Zapchast, an IRC-controlled backdoor.

Fake iPhone spam

Naturally the apple.com From: address is spoofed; a sender address is trivially forged in SMTP, and nothing about that header proves the message came from Apple.

If you do click on one of the links and run the offered executable, another old iPhone concept photo is displayed in order to distract you from the installation of the backdoor.

Photo distracts you from backdoor installation

If you’re curious about iPhone products, go directly to the Apple iPhone pages at http://www.apple.com/iphone by typing the address yourself. And never click on links in emails, especially from unknown sources.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


Fake AntiVirus Scams Add MacOS Support

May 19, 2011

by Luis Chapetti & Dave Michmerhuizen – Security Researchers

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away.   They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Drive-by download sites now serve up this page if they detect a visitor on Mac OS (typically from the browser’s User-Agent string), while Windows users still see a Windows-style page. The example above is called “Apple Security Center”, but similar templates have been seen under the name MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results. We’ve talked extensively about poisoned search results, and this is another example of otherwise normal Web sites being compromised and made to serve bogus pages that rank well in Google. When one of these links is clicked, the compromised site recognizes that the visitor arrived from Google search results (typically from the HTTP Referer header) and redirects them to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks; the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying. Now that the most common drive-by attack vectors are serving up Mac malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons. Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.


Facebook Videos Now Leading to Fake YouTube CAPTCHAs

May 17, 2011

by David Michmerhuizen – Security Researcher

Facebook survey scams continue to mutate, and the latest development is pretty sneaky. Scammers have built an offsite page that displays a very convincing YouTube CAPTCHA screen, which is completely fake. Like the fake video pages we’ve written about before, this fake CAPTCHA page uses the Facebook Open Graph API to spread to your friends’ walls and then serves up several survey links.

It starts with something unremarkable, a video link on a friend’s wall:

Video post on friend’s wall

The “Dad walks in on daughter” is very familiar to those of us who monitor Facebook scams on a daily basis.  In previous incarnations it would lead to a fake video preview page.  Instead, today it leads to this:

Fake CAPTCHA page

which looks enough like a real CAPTCHA to fool many people. Pressing the ‘submit’ button executes code that posts the malicious video link to all of your friends’ walls.  Once done, the user is sent to some scammy surveys:

Surveys

Barracuda Networks recommends users take particular care when on Facebook.  If friends post links, make sure you trust the destination domain before following the link.  Barracuda Web Filters also allow the selective blocking of Facebook within the organization.


Facebook survey scams reappear as Verify Your Account wall posts

May 12, 2011

by Dave Michmerhuizen – Security Researcher

Facebook survey scammers who had recent success with JavaScript cut and paste pages have changed their approach and turned loose a fast-spreading “Please verify your account” campaign that appears as a wall post from a friend:

Verify your account wall post

Barracuda Labs recently reported on versions of this scam that required you to cut and paste a bit of JavaScript into your URL bar. The attack above uses the same JavaScript but embeds it in a link attached to the wall post.

There is another version, of which we have no sample, that posts an obscene message to your wall and then claims the only way to remove the obscenity is to press a “Remove this app” button that is part of the post.

As in the cut and paste attack, if the link is clicked the JavaScript executes in the context of your logged-in Facebook session and can do anything the Facebook page itself can do: call its APIs and act with your credentials. The attacking JavaScript uses that context to post the same scam to the walls of all of your friends.

The end result is the same as our previous report – a sham survey that attempts to sign you up for some unwanted service or get your cell phone number in order to send premium SMS messages to it.

Eliminating the convoluted cut and paste instructions makes this version of the JavaScript attack much simpler and more convincing and it has been spreading across Facebook like wildfire.   We can only assume that at some point Facebook will sanitize links in wall posts and not allow use of the “javascript:” scheme.   Until then, expect to see waves of these scams using every social engineering attack in the book.

In the meantime, don’t click on links that are part of unusual items posted to your wall – delete them instead.   Visit the Facebook account settings pages to take care of account related issues.

As always, Barracuda Networks recommends you exercise special care when visiting links posted in your social network feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.


Facebook infested with cut and paste Javascript survey scams

May 10, 2011

by Dave Michmerhuizen – Security Researcher

The Social Networking monitors at Barracuda Labs are reporting a virulent outbreak of survey scams on Facebook.  These attacks use a variety of social engineering topics and spread via different Facebook APIs,  but all use the same initial “cut and paste JavaScript” exploit to spread within the Facebook ecosystem.

Screenshots of the lures seen so far: “Osama Death Video”, “500 Facebook Credits”, “Free McDonalds”, “Official Time Spent App”, “See you in 20 Years”, “Dad walks in on daughter”, “Who hacked your Facebook”, and “Who Visited 1.01”.

How it works

All of these pages exploit a poorly understood feature of modern web browsers: the ability to execute JavaScript entered into the URL bar. You can demonstrate this yourself by entering the following in the URL bar of your browser

javascript:alert("Thanks for reading the Barracuda Labs blog!")

and pressing the Enter key.

JavaScript executed in this manner runs in the context of the currently loaded web page, with that page’s origin. If that’s Facebook and you’re logged in, the JavaScript can call every API and use every credential that the authenticated Facebook page can. You can demonstrate that by putting this example in the URL bar

javascript:alert(document.cookie)

The resulting message box displays the cookies (if any) for the currently loaded page that are readable from script. Cookies set with the HttpOnly flag are withheld from document.cookie and will not appear, which is precisely what that flag is for; it does not, however, stop the script from making authenticated requests, because the browser attaches those cookies itself.

These scam pages all try to trick you into copying a bit of JavaScript onto the clipboard and pasting it into the URL box like so

Typical Cut & Paste instructions

It’s no accident that this looks confusing: the scammer doesn’t want you to think too hard about what you’re actually doing. “Just follow the instructions!” is what they say. What this particular snippet does is make the currently loaded web page fetch and run a much larger JavaScript file from elsewhere on the Internet, in this case http://hapenceiver.info/lock.js.

The JavaScript file that is loaded goes right to work spreading the scam to your friends. There are a number of these files in circulation, all of them parameter-driven and so easy to use that would-be scammers don’t even need to know how the script works. Just change the fake message and the scam landing page and they’re good to go, as in this small sample of one script

JavaScript sample

The bulk of the JavaScript spreads the scam virally using various Facebook APIs such as  messages, invitations and posts to friends walls.

At one time these sorts of survey scams were spread via Facebook applications that attempted to trick you into “liking” them. A Facebook application requires scammers to apply for an AppID and to have a server. This “cut and paste JavaScript” approach only needs a cheap domain or even a Facebook page. Either is easy to set up, and with such a lowered bar to entry the scams are showing up everywhere. Prompting users to cut and paste JavaScript isn’t new, but it’s certainly meeting with a lot of success.
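The defence that the “Verify Your Account” post above wishes for is a scheme allow-list on user-supplied links, so that a `javascript:` URL is never emitted as a clickable href. The example below is added here to show what that check has to do; it is not code from Barracuda Labs or from Facebook. The function names, the set of allowed schemes and the sample link values are this example’s own assumptions. The subtlety it demonstrates is normalisation: browsers ignore leading control characters, drop tab/LF/CR anywhere in the string and match the scheme case-insensitively, so a naive `startsWith("javascript:")` check is bypassed by `" JaVaScRiPt:"` or `"java\nscript:"`.

```javascript
// Added example (not Barracuda's or Facebook's code): a scheme allow-list for
// user-supplied link targets, the check a wall-post renderer needs so that a
// "javascript:" URL can never be rendered as a clickable href.  Function names
// and the allowed-scheme set are this example's own choices.
'use strict';

// Schemes a user-supplied link may carry.  Anything else is refused, so other
// executable or pseudo schemes (data:, vbscript:, blob:) fail closed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers are forgiving when they parse a URL's scheme: leading C0 control
// characters and spaces are ignored, ASCII tab/LF/CR are dropped anywhere in
// the string, and the scheme is matched case-insensitively.  The sanitizer
// must apply the same normalisation *before* it looks at the scheme, or
// " JaVaScRiPt:" and "java\nscript:" slip past a naive prefix check.
function normalizeHref(href) {
  return href
    .replace(/[\t\n\r]/g, '')            // tab, LF, CR: removed by URL parsers
    .replace(/^[\u0000-\u0020]+/, '');   // leading controls and space
}

// Returns the lower-cased scheme, or null when the value has no scheme
// (a path-relative or scheme-relative URL).
function extractScheme(href) {
  // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeHref(href));
  return m ? m[1].toLowerCase() : null;
}

// True if the value may be rendered as a clickable link.  Relative URLs are
// allowed because they resolve against the hosting page's own origin.
function isSafeHref(href) {
  if (typeof href !== 'string') return false;
  const scheme = extractScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// What the renderer calls: a cleaned href, or an inert placeholder so the
// post still displays but the link does nothing.
function sanitizeHref(href) {
  return isSafeHref(href) ? normalizeHref(href).trim() : '#';
}

// Constructed samples of link values a wall post might carry (not real posts).
const SAMPLES = [
  'https://www.apple.com/iphone',
  '/photos/123',
  'javascript:alert(document.cookie)',
  'JaVaScRiPt:alert(1)',
  'java\nscript:alert(1)',
  '\u0001 javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeHref(s)));
  }
}
```

Run the check on the decoded attribute value, not on raw HTML: `javascript&#58;alert(1)` in markup decodes to `javascript:alert(1)` by the time the browser reads the attribute, so a sanitizer that inspects the text before entity decoding sees a harmless relative path. Also note that the allow-list is the right shape here; a deny-list of bad schemes has to be updated every time a browser grows a new one.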

What happens

Executing the JavaScript file that the code sample is from will post a message to every one of your friends’ walls, like so

Post on friend’s wall

If a friend clicks through, they see the attack page, hosted on Facebook

Attack page

and if that friend follows the directions, not only do they spam their friends, but they proceed on to a survey page, in this case disguised as a “security check”.

Fake "Security Check"

Following one of these all the way through lands you on the payoff screen.

Cell phone number requested

The “security check” says it wants to send the results to your cell phone. Your cell phone number is really being requested in order to sign you up for a premium SMS service, as disclosed in the small type at the bottom of the page. This is how many Facebook survey scam pages make their money, and why they are so prevalent.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.


Osama Bin Laden Death Picture Spam on the Rise

May 4, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

The spam honeypots at Barracuda Labs have detected the first of what we suspect will be a wave of spam that takes advantage of the curiosity surrounding the death of Osama Bin Laden.  Not so long ago spam emails would have been the first to exploit such a current event.   However, as we posted recently, Facebook now has that distinction.

The spam offers up some pretty gruesome photos:

Spam

The Portuguese text reveals that these spams target residents of Brazil. A rough translation says that the photos visible in the email are not real (they are indeed fake) but that real photographs are available from the attached link.

Following the attached link leads the user to malware, not photos, as shown here:

Malware, not photos

This should certainly ring all sorts of alarm bells. Users do not “Run” photos. This file is a variant of Trojan.Banload, a downloader that installs additional malware. As shown below, it downloads another file, a variant of Trojan.PWS.Banker, which settles onto the user’s PC and intercepts online banking usernames and passwords.

Malware traffic

Once the banking Trojan is successfully installed, a message is sent back to the malware authors:

There are similar families of malware optimized for stealing online banking credentials from American and European computer users, along with appealing social engineering lures for delivering them; Osama Bin Laden’s death is only one of many. Do not open or run email attachments.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


Cyber criminals continue to capitalize on current events – Osama Bin Laden dead!

May 2, 2011

by Nidhi Shah, Security Researcher

Along with the media, homeland security and Al-Qaeda supporters, another group of people got to work immediately after Osama Bin Laden was killed: malware authors. This is not surprising given malware writers’ propensity to take advantage of the day’s current events as a way to reach the largest number of eyeballs and victims.

This news is no different. We noticed multiple campaigns taking advantage of the news within hours of its announcement. One such campaign showed up on Facebook offering a video of the killing:

Wall from account spreading fake videos

Clicking on the link leads the user to a fake blog with a video, which in turn requires the user to “Like” it in order to get to the video. In doing so, the user authorizes the scam to post on his or her wall and fill it up with other “Like” messages that were never intended. “Like” messages are shared automatically via the Facebook news feed to a user’s network, so these messages quickly go viral and spread through trusted channels.

Newsfeed from victim account

There are multiple other campaigns taking advantage of this news, some of them inventing new related headlines to get more attention, like this campaign (again on Facebook):

Wall from another account trying to promote sites with fake headlines

Clicking on that link will lead you to the blog full of such fake headlines.

Blog from fake headline campaign

While this one did not directly lead to any malicious payload, the headlines are clearly fake. That leads us to believe that we may have encountered it while the authors were still preparing their next malicious campaign, or that they are using current events and user curiosity to raise the search engine ranking of these pages.

Our advice to readers is to be cautious while browsing the Web to look for more details related to this event and any other major news in general. We recommend visiting the major news channels directly to get more information rather than click on links in Facebook or Twitter, even if they are seemingly posted by friends or trusted sources.


Paypal account statement emails: Do as we say, not as we do.

April 28, 2011

by Dave Michmerhuizen and Denis Kieft – security researchers

Barracuda Labs researchers have recently seen emails from PayPal Inc. that initially look like phish but ultimately appear to be a security fail by a company that surely should know better.

It is a well-accepted email security best practice to never click on links in emails. Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on links in emails. As you would expect, PayPal does so on their website.

Warning on PayPal website

Consider that warning and then take a look at this email from Paypal, via servers at responsys.net, a software service that allows marketers to manage email campaigns…

PayPal "enhanced account statement" email

The email contains ELEVEN hyperlinks, all pointing to an email response servlet which records your click and then redirects the browser to the PayPal login screen. “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails. Although PayPal has declined to comment on the email, close examination shows no malicious content. Instead, this appears to be a case of a Marketing department in need of a little security education.

It’s unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years.  An email from a bank or online service should be considered suspect by default.   PayPal’s own advice is the safest advice, always open your web browser and type in the URL you intend to visit – never click on a link embedded in an email.

Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue. Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective. When PayPal sends out its own emails containing links, it confounds customers who have long been told not to click on those very links.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.
