spam « The Barracuda Labs Internet Security Blog

Posts Tagged ‘spam’

Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down. The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

: Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal. In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all. Nothing displays. However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords. The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

Tags: Anti-Spam, Email Security, Internet Security, Rogue AV, Security, spam
Posted in Email Security, Security, phishing | No Comments »

Think You Want a New Social Security Number?

Friday, July 23rd, 2010

by Barracuda Labs

This week, we have seen a surge in the number of spams like the one below, promising a new Social Security Number (SSN) to victims of Identity Theft.

Most people would take one look at this spam and hit the delete button, but it is worth taking a moment to understand what’s being offered.

The scam behind the spam

If you are a citizen of the United States, your SSN is a de facto personal identification number. With your name, your SSN and a few other bits of personal information, an identity thief can ruin your credit and turn your life into a nightmare.

Since a stolen SSN is at the center of the nightmare, this scam attempts to convince identity fraud victims that a new SSN will take care of their problems and that for a fee, the company – Get New SSN – will help. Calling the number in the spam connects you to a slick sounding recording and then a human operator who takes your personal information.

What really happens is that the victim of these scams is given a Federal Employer Identification Number (FEIN), which looks just like a SSN but serves a completely different purpose. The victim uses this FEIN as if it were a SSN without realizing that they are committing fraud. What’s more, by using the FEIN in place of their real SSN, they are doing permanent harm to their Social Security record since income earned when using an FEIN is not eligible for Social Security reporting.

The Social Security Administration issues new numbers only in the event of severe identity theft, and even then only rarely, and all Social Security services are offered at no cost.

As you would expect of a scam, these spams contain no valid reply information. Not only do the scammers send out email spam, they post spam to unprotected online forums as well. This is done automatically by ‘bots’ which are indiscriminate in their targets. Below is an example of the “New SSN” posted to a Japanese blog:

The email mentioned in these forum spams, getnewssn@gmx.com, is hosted at a free German email service. Not quite what one would expect from a company offering to help with an American government agency.

Barracuda Spam & Virus Firewalls block these spam messages.

Tags: Anti-Spam, Email Security, ID Theft, phishing, spam
Posted in Uncategorized | No Comments »

Who can you trust?

Thursday, May 20th, 2010

by Barracuda Labs

In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.

A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they come from at any time.

In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded from her. (Names and domains in the message have been changed.)

The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable actually is a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe already has reported this spam campaign here:

http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html

What’s particularly interesting is just above the forwarded message. The information about the sender of the email – Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com – is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear to be normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that it really was sent directly to Jane and then she is forwarding it along. Except that she isn’t.

The ‘From’ field of the email has been spoofed (i.e., faked), something spammers easily can do. Instead, examination of the internal email headers reveals that the entire message was sent from a compromised computer in West Virginia.

It is common for spam to be sent with faked ‘From’ data; however, this case takes that even a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.

Barracuda Spam Firewalls block these emails.

Below are various screenshots of the targeted attack in action.