Category Archives: spam

Skype worm spreading fast

Ransom by redtype

It’s Monday morning and the bleary-eyed start of a new week. Criminals are taking advantage of our post-weekend lassitude by starting a Skype-based campaign aimed at spreading malicious software.

Many users have reported receiving messages from friends in their Skype contact lists. So far, socially-engineered messages have been seen in both English and (Bavarian-accented (seems my German accent recognition is way off; “Moin” is north German, thanks guys)) German, saying either:

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username”

(roughly: “hi, hard to believe what lovely photos of you there are on your profile”)

Regardless of the language used, the link is the same, although of course this can easily be modified. The shortened URL eventually redirects to a download on hotfile.com which pulls down an archive named “Skype_todaysdate.zip” containing a single executable file of the same name. We detect this initial downloader as TROJ_DLOADER.IF.

The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN. On installation, this worm may initiate large-scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants will also steal username and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, Netflix and many others. They can interfere with DNS resolution, insert iframes into web pages, perform three different kinds of DDoS attack, act as a proxy server, and download and install further malware at the botmaster’s initiation. These are only some of the capabilities of this pernicious worm; in the 24 hours since discovery, Trend Micro have blocked more than 2800 associated files.

Some infections will subsequently install a ransomware variant that locks the user out of their machine, informing them that their files have been encrypted and will be deleted unless the unfortunate victim surrenders a $200 “fine” within 48 hours.

 

This malware is still under investigation and TrendLabs have posted initial findings here. In the meantime, please remember not to click on unexpected links, no matter how bleary-eyed you may be.


Dropbox Breach leaves unanswered questions

Salt by SoraZG used under creative commons

On the 18th July, Dropbox announced that they had begun investigating claims from users of their service of receiving spam to email addresses that had been associated only with Dropbox accounts. Two weeks later, it seems the mystery has been solved.

Dropbox have stated that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts”. One of these improperly accessed accounts happened to belong to a Dropbox employee account “containing a project document with user email addresses”, which is what they believe led to the spam.

For me there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a “project document”; why? Shouldn’t they be using dummy data? This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised. It is not specified which services they refer to, but again, why?

Secondly, Dropbox chose to inform their customers of the breach with an email notification containing a link to reset their password. This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a web site to enter any kind of credentials. To compound matters, according to user reports there was no notification of the attack and the required password resets on the home page, which would have helped lend credibility to the password reset mail they sent out. In an ideal world, an affected organisation could send out an email notification, but instead of a password reset link it should direct users to browse to the corporate home page and follow the information there.

Finally, Dropbox have stated that, as a result of the intrusion, some user passwords have been reset (“In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)”). The question that arises from that is: how do Dropbox know if a given user password is “commonly used”? Are they storing passwords in the clear? Are they storing passwords using an unsalted hash (as LinkedIn were)? Are they using a common salt for every user and a hashing algorithm designed for speed rather than security? If any of these are true, then their password database is vulnerable to a rainbow table attack, which is not very confidence-inspiring news. Ideally, user passwords should be stored with a unique salt for every user, using an algorithm that allows a “work factor” to be introduced into the hashing process, such as Blowfish. This drastically increases the time taken to crack individual passwords, and because the work factor is variable, it can be raised to keep up with advances in processing power. Increase the work factor and the hash gets slower. The effect is negligible on an individual calculation, but mass calculation of rainbow tables becomes impractical.

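The contrast the paragraph draws, as an added Python example that is not from the original post: an unsalted fast hash falls to a precomputed lookup table, while a per-user random salt plus a tunable work factor defeats precomputation. PBKDF2-HMAC-SHA256 stands in here for a bcrypt-style work-factor scheme, and the common-password list is constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed list standing in for a "commonly used passwords" dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "dropbox", "letmein"]

def unsalted_sha1(password):
    """Fast, unsalted hash: identical passwords give identical hashes for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precomputed hash -> plaintext table (a plain lookup table; rainbow tables trade
    storage for time). With no per-user salt, one table cracks every user on the list."""
    return {unsalted_sha1(p): p for p in candidates}

def crack_unsalted(stored_hash, table):
    return table.get(stored_hash)

def hash_password(password, work_factor, salt=None):
    """Per-user random salt plus a tunable iteration count (2**work_factor), so the
    same password yields a different hash for every user and the cost is adjustable."""
    salt = salt or secrets.token_bytes(16)
    iterations = 2 ** work_factor
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "work_factor": work_factor, "hash": digest.hex()}

def verify_password(password, record):
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), 2 ** record["work_factor"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def time_work_factor(work_factor, trials=3):
    """Seconds per hash at a given work factor; each +1 roughly doubles the cost."""
    start = time.perf_counter()
    for _ in range(trials):
        hash_password("correct horse", work_factor)
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'password' cracked as:", crack_unsalted(unsalted_sha1("password"), table))
    a = hash_password("password", 10)
    b = hash_password("password", 10)
    print("same password, different salted hashes:", a["hash"] != b["hash"])
    for wf in (10, 12, 14):
        print(f"work factor {wf}: {time_work_factor(wf) * 1000:.1f} ms per hash")
```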
It’s great to hear that Dropbox are implementing two-factor authentication for their users, along with the other security enhancements they are announcing, but this news and the way it was handled still leave many questions unanswered.

Aside from that, Dropbox users should now have their guard up for a Dropbox-themed phishing campaign or two; criminals will surely abuse this situation. It’s another object lesson in why using secure, unique password generators for your multiple online accounts is a good thing. If you can’t trust your service providers, then you must take responsibility for your own security.


Phishing for Apples in the Cloud

Apple customers in the UK and Australia are being targeted in a convincing-looking phishing scam with a cloudy twist.

Criminals are sending out targeted emails promising a “Discount Card” as a “reward to long-term customers”. This non-existent card supposedly offers £100 or $100 of credit at any Apple store, for the low-low price of just £9. As you can see below, the email contains enough location- and currency-specific information to make it more credible.

Phishing mail out to steal your personal info

Of course the card does not exist and will never be delivered. Instead of a link to a phishing site, the mail contains an HTML attachment, again convincing-looking and using Apple style sheets. The criminals ask for a slew of personal and financial information including name, address, driver’s licence number, date of birth, credit card number, expiry date, security code and sort code. Quite enough for some serious financial fraud.

Submit!

Instead of this stolen information being directly uploaded to a criminal or compromised server, the big blue Submit button POSTs the data to a server in Amazon’s EC2 cloud, as shown below with dummy data. Once the data has been successfully sent to the criminal server, the browser is redirected to the official Apple web site.

Captured traffic from the phishing attack

This cleverly crafted and targeted attack may well be enough to fool the unwary, and its abuse of commercial cloud infrastructure will make it much more likely to overcome URL-blocking security mechanisms.

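One defensive check for the kind of attachment described above, as an added Python example that is not part of the original post: parse an HTML attachment, collect each form’s submit target and field names, and flag forms that ask for card, licence or sort-code details while submitting off-brand, especially to an amazonaws.com host. The sample attachment, field keyword list and hostname are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keywords matching the data the post says the form asked for (constructed list).
SENSITIVE_FIELDS = ("card", "ccnum", "cvv", "cvc", "security", "sortcode", "sort_code",
                    "licence", "license", "dob", "birth", "expiry", "password")

class FormAuditor(HTMLParser):
    """Collects every <form> action and the names of the fields it would submit."""
    def __init__(self):
        super().__init__()
        self.forms = []  # list of {"action": str, "fields": [str]}
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            name = attrs.get("name") or attrs.get("id") or ""
            if (attrs.get("type") or "").lower() not in ("submit", "hidden", "button"):
                self.forms[-1]["fields"].append(name)

def audit_attachment(html_text, claimed_brand_domains):
    """Flag forms that collect sensitive data yet submit to a host outside the brand's
    domains (e.g. a cloud-hosted drop server). Returns one finding per suspect form."""
    parser = FormAuditor()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        off_brand = host and not any(host == d or host.endswith("." + d)
                                     for d in claimed_brand_domains)
        sensitive = [f for f in form["fields"]
                     if any(k in f.lower() for k in SENSITIVE_FIELDS)]
        if off_brand and sensitive:
            findings.append({"action_host": host, "sensitive_fields": sensitive,
                             "cloud_hosted": host.endswith("amazonaws.com")})
    return findings

# Constructed sample: brand-styled attachment whose form posts to an EC2-style hostname
# (203.0.113.5 is a documentation/TEST-NET address, not a real server).
SAMPLE_ATTACHMENT = """
<html><body>
<form method="post" action="http://ec2-203-0-113-5.compute-1.amazonaws.com/collect.php">
  <input name="fullname"><input name="ccnum"><input name="expiry">
  <input name="cvv"><input name="sort_code"><input name="licence_no">
  <input type="submit" value="Submit">
</form></body></html>"""
if __name__ == "__main__":
    for f in audit_attachment(SAMPLE_ATTACHMENT, ["apple.com"]):
        print("suspect form:", f)
```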
I have informed Amazon of this abuse of their services, but in the meantime remember, there’s no such thing as an “Apple Discount Card”.

Never respond to unsolicited email, never open files attached to unsolicited email and never enter personal data on anything other than an SSL-encrypted web site (one where the address starts with “https://”). If you do receive an email making you an offer you can’t refuse, do not follow links in the mail, but contact the vendor directly, either by typing in their web address or using the good old telephone.