Threat Lab

Coming on the heels of similar fraud schemes that targeted victims using the names of such familiar institutions as the FDIC, IRS, and HMRC, scammers are trying to get people to infect their own computer using a different organization’s name—one that is probably unfamiliar to most people. NACHA is a not-for-profit association that “oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system.” In other words, they write the rules for the organizations that run the pipes through which money flows between banks and businesses–the circulatory system of the financial world.

In fact, more than 15,000 banks passed 18 billion electronic transactions through the ACH in 2008 alone. ACH is a linchpin in the world’s financial system. But as a rule-making body, NACHA also typically acts behind the scenes, which is why most people who don’t work in the financial services industry probably have never heard of them.

That said, when the world’s largest clearinghouse for transfers of funds between banks supposedly sends you an email like this one, you probably would perk up and pay attention:

The email’s dire warning: “The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association.”

But it’s a scam, as you probably already guessed.

read more…

In a move sure to raise the ire of Sesame Street fans everywhere, the black hat SEO gangs that have been manipulating Google results for the better part of the year have seized on a new target from which they’ve launched their current salvo of rogue antivirus guano. That’s right, the lovable, giant jaundiced avian friend to child and adult alike is being used to hijack searches and rope unsuspecting users into a vortex of popups and fake scans.

They have besmirched Big Bird. And on his birthday, of all days. Have the rogue AV purveyors no shame?

Actually, they’ve just once again demonstrated that they, too, can take advantage of Google Trends, which rates the ‘hotness’ of searches for “Big Bird’s Birthday” today as “Volcanic.” It’s not surprising, really. Big Bird’s legs replaced the “L” in the Google logo this morning (in honor of the 40th anniversary of the popular character’s first Sesame Street appearance). So of course, people are clicking away at those feathered gams, trying to find out why they’re there.

The fake alerts touting the equally fake Internet Antivirus Pro warns users, through a series of browser popup alerts, that (like a fine strip of beef destined for the jerky factory) “your computer…need to be cured as soon as possible.”

The same advice we’ve given in the past prevails. Parents, also take note that you shouldn’t necessarily click — or let your kid(s) click — any old link that purports to lead to something child-friendly. The first link we saw appeared as the seventh search result on the first page of Google results. Many more appeared lower down. The text beneath the malicious result link read, in part, “Make your child s big day extra special with a personalized birthday banner!”

read more…

Yet another new phishing campaign targeting users of Facebook struck over the Halloween holiday weekend. After scammers began filling inboxes last week with bogus “Facebook update” attachments, this weekend we saw a different group at work. Employing URLs with random domain names registered under the .eu top-level domain, the campaign looks similar to messages distributed in a recent series of phishing campaigns that attempt to convince the user that the mail comes from a legitimate source, such as the FDIC, IRS, HMRC (the UK’s tax authority), your IT department, or any of several well-known banks.

The email messages, which use a forged From: address that makes the message appear to originate from the legitimate facebookmail.com domain, and were timed for just after Facebook’s highly publicized changes to its homepage had just gone live, clearly indicate that the phishers were going for the jugular. When you follow the link, you’re presented with a login dialog identical to that used by Facebook. Once you enter your password into that form, you’re presented with a page titled “Account Update” where you’re prompted to download and execute something called the Facebook Update Tool.

The messages read, in part:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.

…followed by the typical tease to “click here” and a link-that-doesn’t-lead-where-you-think-it-will. The URLs in the message begin with “www.facebook.com” but that’s part of the ruse: The full URL is www.facebook.com.(some random letters).eu followed by a query string that includes a long string of numbers and the recipient’s email address (see example).

In the past, links formatted in precisely the same way led directly to pages hosting versions of the Trojan-Backdoor-Progdav (aka Zbot) keylogger. That’s also true in this case. So the bad guys don’t just want your Facebook password. They want all of your passwords.

We’ve seen a lot of this style of phishing campaign just in the past few weeks and if history serves as a guide, the small number of links in the spam messages we received over the weekend will likely be followed by dozens more versions, each with a distinct URL. Facebook users would be well advised to refrain from following the links in the message; If you suspect that you’ve inadvertently fallen victim to this dirty trick, change your Facebook password immediately — from another computer.

It was a particularly busy weekend for spammers, especially the creepy, evil ones who are trying to steal information (as opposed to the merely scungy pill vendors and their ilk). Webroot’s Threat Research team has recently seen a glut of phishing messages which, like most, purport to come from banks and ask you to update your account information. But unlike most phishing messages, which contain a link to a Web site, these phishing messages include an attached HTML file which, in essence, puts the phishing page right on your hard drive.

When launched, the HTML file renders a sparse but effective phishing form in the browser. The pages warn the victim that “This account has been temporarily suspended for security reasons” and ask the victim to “confirm that you are the rightful owner of this account” — by providing the “bank” with a wide range of personally identifiable information they should already have, and never would ask you to provide through a Web-based form in the circumstances described in the message.

These pages also pull graphics from the banks’ Web sites–activity that, when it comes from a phishing site hosted on a server not belonging to the targeted bank, typically alerts the banks to phishy behavior. Because the graphics are loaded only once, from the desktop of the targeted victim, the banks can’t put a stop to it before it’s too late.

read more…

Hot on the heels of the spam campaigns involving emails which purport to come from the IRS, HMRC, and from your IT department comes another round of fake “notification” spam emails — this time, warning users to download and install a patch for the Outlook and Outlook Express email clients.

Like the previous rounds, the file a victim is prompted to download and (hopefully, won’t) install is the prolific, widely-disseminated keylogger we call Progdav (aka “Zbot”). The faux Web page which hosts the malicious file is dressed up to look like a Microsoft Update page, titled “Update for Microsoft Outlook / Outlook Express (KB910737).” In an attempt to legitimize the payload, the page states “This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.”

Uh huh. Highest levels like a fox!

The “update” file/Trojan installer is named officexp-KB910737-FullFile-ENU.exe and comes in at just under 100KB, which puts it in the welterweight class of Stupid Malware Trickery. A cursory glance at the Microsoft Knowledge Base Web site reveals the hardly-surprising fact that, no, there is no Knowledge Base article 910737.

read more…

Word came down from our Threat Research team this morning about a new spam campaign that uses upstart Bing search engine’s own redirection mechanism to bypass spam filters and send undesirable links over email. On top of that, the spammers are also abusing MySpace’s lnk.ms link shrinking system to further obfuscate the destination that the spammed link points to.

When you view an RSS feed in Bing (such as their news feed, for example)  all the clickable links in the feed use Bing’s internal redirection mechanism, so before you end up on the news story you want to read, your browser first connects to http://www.bing.com/news/rssclick.aspx?redir= followed by the full URL of the site you intend to visit.

The thing is, anyone can plug anything into the end of that URL, and it’ll redirect to that site. For instance, you could come back to the front page of this blog. Of course, there’s nothing in place to prevent a criminal from redirecting users to something worse, like a drive-by download or phishing page. But in this case, recipients who click the link end up bounced through MySpace’s link shrinker, and finally into a site selling a “work at home making money from Google” pyramid scheme.

Purveyors of rogue security products continue to bulk up their arsenal of stupid tricks, all of which are designed to induce either fear or frustration in victims. Increasingly, certain distributions of rogue antivirus include a payload that blocks the infected computer from receiving antivirus updates. That part isn’t new; Many Trojan installers drop a Hosts file onto the infected machine which effectively prevents the computer from reaching any Web site listed in the file. But malicious Hosts files are easy to identify and remove, because they’re always in the same location (C:Windowssystem32driversetc), and the minute you delete a malicious Hosts file, the computer can connect to the previously-blocked Website.

This new dirty trick employs components of a commercial software firewall development kit, called WinpkFilter, the Windows Packet Filter Kit, from NT Kernel Resources. WinpkFilter isn’t inherently evil or even necessarily undesirable. It’s a set of tools that other developers can license to create small network filtering applications. But in this case, the malware author uses these tools to block access to the Web sites used by at least half a dozen antivirus vendors. We’re calling this malware Trojan-Netfilter; Some of the affected vendors call it either Liften or Interrupdate.

read more…

For several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three letter agency of the US government inspires more dread and fear than good old Internal Revenue.

In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).

The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.”

Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the files as Trojan-Backdoor-Progdav (other vendors call this spy Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.

read more…

As we’ve discussed so many times in the past, search terms that include the names of celebrities make good targets for malware authors, and search terms that include the name of dead celebrities make great targets for malware authors. Now there’s a new corollary to this postulate: Search terms that include the names of dead celebrities who release new material make fantastic targets for the bottom-feeders of the malware-distribution world.

So, as you’re out there searching for the brand new Michael Jackson track, please be aware that the bad guys are using this opportunity to foist malware onto your machine. The screenshot at left is just one example of what you’ll see when you accidentally click a search result link pointing to a malicious page. The “video” pops up a warning that tells you to download and run the “movie_hd_plugin_update.40014.exe” in order to see…I don’t know, something interesting? Probably more interesting than you would like. I think by now we should all burn into our memories this precise screenshot, with its misspelled “Raiting 8/10” text near the bottom, as an obvious fake that has been repeatedly employed by distributors of rogue security products. Beware!

By Mike Kronenberg

Be suspicious. About email swindles, bogus security products and online scams. I’m not kidding around. You need to pay attention and be diligent, because cyberthreats are lurking everywhere.

What got me thinking about this was President Obama’s proclamation of October as National Cyber Security Awareness Month. He said that all users — not just those in government — have to practice safe computing. The President is taking this seriously. At the start of the month he authorized the Department of Homeland Security to hire 1,000 cyber security specialists over the next three years. The goal for these professionals is to analyze risks, figure out our vulnerabilities and devise cyber-incident response strategies.

The President sounds right on target. For one thing, every unprotected PC (and those without up-to-date security software) is potentially open to attack. If your system is infected with, say, a back-door Trojan, a hacker can grab your passwords, credit card and other account numbers, and increase your risk of identity theft. On top of that, on a national scale, your infected PC can turn into a virtual, brain-dead zombie (what an image!), propagating malicous cyberattacks, and contributing to the damage of the digital infrastructure.

If you’re reading this blog, no doubt you know the obvious ways to bolster your protection: Keep your AV and AS tools updated, double-check that your firewall’s working, check for OS patches, and make sure your wireless router’s WPA is enabled. And with the focus on awareness, you might take a minute and help a novice computer user fortify his or her defenses.

But aside from the usual security tactics, I implement other safeguards on my PC at home and on the family notebook. Read on for a few you can try.

read more…

Search engines appear to be no longer in control of the search results they display at any given moment. That’s bad news not only for the search giants, but for anyone who relies on their results.

How can that be? After all, it’s the search engines’ own servers that are supposed to deliver relevant results based on their super-secret sauce algorithms. But black hat, or rogue, search engine optimization (SEO for short) has ruined the trustworthiness of virtually any search.

Just a few years ago, companies began to spring up making outrageous promises about how they can get a client’s Web site ranked closer to the top of certain search results. Then the purveyors of various worms, fake alerts, and rogue antivirus products got involved, because they quickly discovered that it’s easier to convince someone to infect their own computer by clicking a search result link than to discover and implement an elaborate network vulnerability.

After all, according to our latest research, about one out of every five of surveyed Web surfers implicitly trust whatever a search engine delivers as the first page of search results every time they search.

So, all year long, we’ve seen rogue SEO tricks used to promote malicious search results. Many of those links foist various fake antivirus programs onto unsuspecting Web surfers’ computers. The effect is almost instantaneous, as if it was automated: A breaking news story hits the Internet, and within moments, the rogues have turned their attention to pushing bad links based off of whatever keywords the story-of-the-moment might entail. That’s not really unexpected; Google Trends, for instance, makes it incredibly easy for black hat SEOs to target whatever’s hot. Searches for news as diverse as Indonesian earthquakes, elections in Iran, and the untimely deaths of various celebrities served equally well to deliver victims to the rogues.

Now, even the Internet meme of the moment appears to drive victims to malicious Web pages. One of our researchers pointed out a funny screenshot that was making its way through Digg, the social link-sharing site. The screenshot showed some of Google’s suggested search results that appear when you type “Google will” into the search field. Among the auto-completions were “Google will not search for Chuck Norris,” “Google will eat itself,” and “Google will you marry me?”
read more…

A new Trojan quietly circulating in the wild uses components from a commercial optical character recognition (OCR) application to decode captchas, those jumbled-text images meant to help a website discern human activity from automated bots.

The OCR-using captcha breaking tool is just one component of the Trojan. Its main purpose appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns originating in the US, and it uses the OCR-cracking software in order to read the captchas and submit the form entries, on pages where the website presents a captcha to the user.

And this is not just any captcha-cracka, but a Swiss Army Knife of sorts. The maker of the “Advanced Captcha Recognition Engine” tool, based in China, claims that the tool is capable of bypassing more than 30 different captcha systems, including those used by Yahoo, MSN, and some of the largest portal sites and banks in China.

The captcha decoding tool itself is a kludge, marrying some bespoke files and components expropriated from an older version of a commercial optical character recognition (OCR) suite called TOCR. The UK-based company that makes the TOCR software, Transym Computer Services, also licenses its components to third parties, though it’s not clear they knowingly have a relationship with the Chinese captcha cracker maker, nor were they aware that parts of their engine was repurposed for sale to Chinese malfeasants. The files appear to have been stolen or pirated, and used without Transym’s knowledge.

read more…