Spam email from Zeus bot

The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have “logged in” though, the supposed “MySpace Update Tool” is waiting to trick the unwary into installing their very own variant of the ZeuS agent. We detect this as TSPY_ZBOT.SMP, the Smart Protection Network also blocks the email spam and web addresses associated with this campaign.

Download page for the ZeuS agent

“Does not create suspicion on the presence if you it do not want. Here is available in view of that like to do many authors spyware: an unloading firewalls, antiviruses, an interdiction for their updating, blocking Ctrl+Alt+Del etc.Separate file of a configuration that allows to protect itself from loss botnet in cases of inaccessibility of the preferred server. Plus additional (reserve) files of a configuration to which the bot will address when the basic file of a configuration will not be accessible. This system guarantees a survival of yours botnet in 90 % cases.

Interception of POST-data + interception of the pressed keys (including inserted data from a clipboard).

Transparent URL-redirect (on fake-sites etc.) with the task of the elementary conditions of a redirect (for example: only at GET or POST inquiry, at presence or absence of certain data in POST-inquiry).

Transparent HTTP (S) contents substitution (the Web-inject which allows to substitute not only HTML pages, but also any other type of data). Substitution is set by means of instructions of masks of substitution.

Adjusted TAN-grabber for any countries.

The IDEAL DECISION FOR VIRTUAL KEYBOARDS: After calling on necessary URL, there is a reception of a screenshot in the field of the screen where the left button of the mouse has been pressed.

Reception of certificates from storehouse “MY” (certificates with a mark “not exported” are not exported correctly) and its clearing. After it any imported certificate will be saved on a server.

Interception of a login/password of reports POP3 and FTP in independence of port and its record to logs only at successful authorisation.

Change local DNS, removal/addition of file recording %system32 %\drivers\etc\hosts, i.e. comparison of the specified domain with specified IP for WinSocket.

Reception of a screenshot from the computer of a victim in real time, the computer should is out of NAT.

Reception of commands from a server part and report sending back about successful performance. (Now start of a local/removed file, immediate updating of a file of a configuration, OS destruction).

Socks4-server.

HTTP (S) a PROXY-server.“

My favourite part of this particular readme though has to be this:

“Record just visited pages at the first start on the computer. It is useful at installation through sploits if you buy loadings from suspicious service, it is possible to learn that is loaded more in parallel.“

Basically as a budding cybercriminal it’s tough to find partners you can trust. So if the person you paid to load your bot up on their boobytrapped web page decides they will send their own little package to your victims as well, you’ll know about it.

This particular vendor is offering a fully installed, configured and supported ZeuS installation; control panel, agent builder and injection scripts  for just $320 (USD).

Email harvesting or affiliate advertising associated web pages are springing up intent on monetising this with false promises. The first I noticed was doing the rounds on Twitter, promising users a Google Wave invite “within the hour” if they would just surrender their twitter username and email address. As you can see, about 50% of the relevant page content was made up of affiliate-based advertising. This iste had a particulalry tricksy domain name too, lending it credibility, www.google.com-wave.info making it of course a part of the com-wave.info domain, not an official Google page.

Fake Google Wave on Twitter

“Now we need to take some details from you so that someone with an invite can send you one! We promise to only share your details with people who claim to have invites“

Google Wave Invitation System

Needless to say, I still haven’t received my Google Wave invitation, from either of these sources.

My advice? Wait until a friend sends you an invitiaton. If you don’t have any friends using Google Wave, why would you want an invitaiton, after all it’s about communication and collaboration isn’t it?

So far details from Yahoo!, Hotmail, Gmail, AOL, Earthlink and Comcast among others have been posted online. The data has been simple lists of matched username and password pairs and did not appear to have been cleaned up or de-duped.

What is surprising is not really the amount of accounts affected, although current media reports may lead you to think otherwise. It is only the fact that so many were exposed publicly that is surprising. There is a thriving underground market in stolen email account credentials and the numbers of accounts for sale on any given day easily number over the 30,000 or so that have been exposed in this latest story. These accounts are valuable to scammers as emails coming from people you know and have in your address books are far more likely to be trusted and far less likely to end up in a spam folder. In what may or may not be a concidence, here is some spam I received from an email account belonging to a friend of mine just one day after this story broke.

Anyway, I thought I would go and have a quick look at just how much that account data was actually worth, I think you’ll be surprised. Using the current prices of one single vendor who has multiple tens of thousands of stolen accounts for sale, we can estimate the value of 10,000 hotmail account credentials at a measly $90 (US Dollars), that is of course applying the 10% discount that the vendor is offering for purchases of over 10k accounts.

Prices as at 7th October 2009

This is not a “massive phishing campaign” it is simply the ugly backside of online crime sticking out of the water for a second as they dive back into murkier depths.

If you have an email account and you are in the slightest bit unsure of things, why not go and change your password, after all, you do that regularly anyway don’t you?

If you want some free tools to help protect you in the future, then have a rummage around here http://free.antivirus.com/prevention-tools/

SMiShing reports date back to around 2006 when this threat started to become noticeable. Spoofed or otherwise faked SMS messages are used as bait to lure victims to responding via SMS to premium rate services, visiting a malicious website or calling a telephone number. The SMS messages are not malicious in themselves but often require the recipients attention for something which must be completed immediately or urgently,”confirming” or “activating” account or credit card details, cancelling non-existent subscriptions or confirming imaginary purchases.

The threat from SMiShing sometimes works in conjunction with Vishing (voice phishing) when the recipient is required to call a telephone number, or with more traditional Phishing when the recipient is directed to visit a particular website, SMiShing messages have also been known to direct recipients to malicious websites designed to infect them.

“Someone posted your full personal and banking information at insert-bad-url-here website you must remove it now”

 

“Notice – this is an automated message from insert-bank-name-here, your ATM card has been suspended. To reactivate call urgent at +##-####-####”

 

In the case of Vishing, if the victim calls the number, an automated system (IVR), or occasionally a real person, will prompt them for things like credit card number, CVV code (the number on the back of your credit card), expiry date or bank account details and even card PIN numbers. Criminals will also often seek to elicit personal information such as date of birth, personal identification numbers (SSN, National ID etc.). Click here for an audio capture of such a system.

If the phishing threat is web-based the stolen information can be more extensive and include items which are more difficult to enter on a telephone keypad, such as mother’s maiden name and email address. These items are then used to create faked credit cards or sold on as ID packs for others to do the carding.

Concurrently we are also seeing a rise in speculative outbound vishing calls. These kinds of calls exploit the trust that people have in the traditional and the familiar telephone system. Advances in technology, specifically  the use of the internet to make and take telephone calls (VoIP) has really simplified the process of spoofing or faking your caller ID and making the scammer much more difficult to trace and to block. This threat has grown established to the extent where telephone based cybercrime-as-a-service outfits are already in business.

Vishing calls arrive with a spoofed caller telephone number and often come from outside the country of residence of the victim. An example is detailed in an earlier blog here.

If you receive a communication that you were not expecting, whether it be by telephone, email, SMS or carrier pigeon, and that communication is asking you to give up sensitive information, *do not respond*. Do not reply to the email or SMS, do not talk to the person on the end of the telephone or click on any links provided to you. Instead, note the name of the company the communication is supposedly from and contact them directly to find out if they indeed have something they wish to tell you. Contrary to some advice I have seen, I would not advise immediate deletion of the SMS or mail as the contents of it may be helpful to the organisation that is being impersonated.

If you need SMS anti-spam technology, then look no further (it’s in the Pro version of the consumer product too)…

Financial institutions suffer considerable losses year on year to this criminal endeavour and are increasingly deploying technology to help combat this fraud. One technique that is becoming more widespread (at last) is two-factor authentication. Banks provide their customers with hardware or software tokens that generate one-time codes to be used whenever money is being transferred. One of the oldest forms of this is a “code card” or “code sheet” this kind of technology has been in use in some European companies such as France and Germany (for Minitel and BTX banking ) even before the Internet and is still in use today.

Allied Irish Bank (AIB) started providing one time code cards to their customers back in 2005, making them early adopters in English speaking European terms. So it’s no surprise that phishing mails are also evolving to try to overcome these obstacles.

This afternoon I received an email supposedly from AIB informing me that my code card was about to expire

AIB phishing email

This piqued my curiosity so I took a quick look at the attachment, only to be amazed at the bare-faced cheek (as my mum would say) of the phishers. Not only are they asking for my registration code, Personal Access Code and home phone number, but also all 100 of my code card digits!

Phishing mail input form

Source code from phishing form

Facebook notifications page

UPDATE 3: 19th August Rogue app number six just showed up and is unsurprisingly called “Inbox (1)”

UPDATE 2: 19th August:A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)” again they behave in the same manner as the others.

UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below, today started sending out notifications  that lead to yet another rogue app.

Using an already compromised account, I loaded up the app page for the malicious app “Posts” today, it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” App page, it also sent out new messages, the link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”

“Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.

I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation.

________________________________________________________________________________________

Original post follows:

I have been continuing to look into the Facebook phishing/rogue application story that I blogged about yesterday, because it wasn’t at all clear to me how the application “sex sex sex and more sex!!!” was generating those messages pointing to the malicious web site.

My research has turned up two further Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing.

When a victim logs in in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of malicious application name”, (yesterday the bogus app was called Posts, today it is called Stream).

Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.

 The application then goes on to send spam to all your contacts, without asking for permission of course…

The notifications sent to friends all point back to the fucabook phishingsite. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.

How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.

So like I said yesterday, always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use

Trend Microhas informed Facebook of these findings.

A rogue Facebook application appears to be sending notifications that lead users to a credential harvesting site.

Prospective marks receive a Facebook notification that a user has commented on one of their posts, as above. The notifications appear to come from an application called “sex sex sex and more sex!!!” which despite sounding shady and looking a bit of a mess still boasts over 287000 fans.

The hyperlinks in the notification both lead to a malicious website hosted on the fucabook.com domain (note that the user name itself does not link back to a profile). The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials.

Always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use.

The attack site is registered to an Arsen Tumanyan who allegedly resides in Armenia, the domain is registered through GoDaddy and the URL leads to an IP address that resolves to the Amazon Elastic Compute Cloud (EC2) cloud.

The original spam mail (below) purports to come from Her Majesty’s Revenue & Customs, and promises the recipient a tax refund. It comes complete with the correct address of the Tax Credit Office in Preston, UK and a working telephone number for the tax credit helpline.

If the recipient is taken in by the email, an opens the suspiciously named (payment_form.pdf.html) attachment, they will be asked to surrender all the information necessary for credit card fraud, up to and including mother’s maiden name and CVV code (the numeric code printed on the back of the credit card).

Click to enlarge

The web form is based on an American template, which can be seen from the telephone number format, indeed a quick squint at the html code reveals that it is using style sheets imported from www.irs.gov. However the original email was created using Windows charset 1251, which is the character encoding designed to cover the Cyrillic alphabet, I’ll leave you to draw your own conclusions about the origin of the message.

At the time of writing, there is no server responding at this malicious destination. We have informed HMRC of this fraudulent email, for further information from HMRC, please see http://www.hmrc.gov.uk/security/spoofs.htm

Thanks to Rishi for sending me the original sample mail.

I have had my suspicions about QuotesLOL for a little while now, the service describes itself as

“Subscribe above to receive daily quotes on your twitter. These quotes are funny and people will enjoy them! Is your twitter boring? Well these quotes will make your twitter account active and fun :] Login above, Enjoy!”

Click to Enlarge

 

OK, so it’s a service that wants to provide you with some light relief through Twitter by sharing amusing quotations with you, not so malicious you might think. Well, for those of you who are not regular Twitter users, the normal way to offer this kind of service would be to create a Twitter profile like this one, and that way, anyone who chooses to follow your profile will receive your amusing quotes. Not so with QuotesLOL.com.

In order to use QuotesLOL.com you are asked to enter your Twitter login information (yes, the same details you use to log into Twitter) on the QuotesLOL website, once inside, only then are you asked to follow the Twitter account QuotesLOL.

So, what kind of humorous updates do you get if you choose to follow QuotesLOL? Some real side-splitters let me show you…

At no point on the QuotesLOL.com website does it tell you that your Twitter account will, from that point on, be used to post spam and earn money for the people behind QuotesLOL, but that is exactly what happens, here is an example from an account I sacrificed on the altar of Research.

Those Spam links , including the abbreviated one (which is incidentally longer than the real URL), will lead to you a domain called FollowAdd.net which is full of nothing but Google Ads for other spurious websites that promise to increase your follower count, and that is how the not-so-humorous QuotesLOL is making money from you.

 Google describe how to make money from their ads

“With AdSense for content, these ads you display on your site can be either cost-per-click (CPC) or cost-per-thousand-impression (CPM) ads. For CPC ads, you’ll generate earnings when your users click on the ads. For CPM ads, you’ll generate earnings every time the ad appears to a user viewing your site.“ 

 

Bottom line? Do not *ever*give your username and password for anything to anyone other than the site the credentials are originally for.  If you’re thinking of using one of the many third-party services that use the Twitter interface then make sure the address that shows up in the web browser is one that will keep your password safe. Look for http://twitter.com/oauth at the beginning of the address, and if it’s not there, don’t give up your details. For further details, have a look at the column I wrote for MSN How to use Twitter Safely.

Unsuspecting marks receive an email informing them that they are eligible for a refund on their paid up taxes.

The bogus mail contains a link to a very convincing looking phishing web site (see screen shot below) designed to harvest personal and credit card details enough to commit card-not-present fraud or to create an inventory of “fullz” (personal details such as name, address, postcode, etc.) and credit card details for sale on the underground economy.

Click to enlarge

These particular criminals though left the front door of their phishing site more than a little ajar, giving us a glimpse into the numbers of victims affected by this particular scam. You can see from the site statistics below that the site has counted over 200,000 hits in the four months to June, with the majority of those occurring over these first 18 days of June.

Aside from the advice to never surrender personal and financial details in response to unsolicited email, and always to check the URL in the address bar before entering any sensitive information, there is another important point to be made.

The URL to this scam site has been forwarded and shared around online, in a kind of “Wow, look how convincing this scam is” sense, this will be one thing that has contributed to the high hit rate this month.

This is never a good idea and I would urge all of you not to do this, (see, there are reasons why security bloggers tend to partially obscure URLs). It is not uncommon for sites such as this to serve a dual purpose and aside from phishing for information, they could well have been designed to attempt to invisibly infect visitors with data stealing malware. Thankfully in this instance that does not appear to have been the case.