My notification mail from Hilton HHonors

• Pay careful attention to emails your receive in the coming months, perhaps years.
• Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
• Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
• Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
• To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

 
And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.
 

Spam email from Zeus bot

The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have “logged in” though, the supposed “MySpace Update Tool” is waiting to trick the unwary into installing their very own variant of the ZeuS agent. We detect this as TSPY_ZBOT.SMP, the Smart Protection Network also blocks the email spam and web addresses associated with this campaign.

Download page for the ZeuS agent

“Does not create suspicion on the presence if you it do not want. Here is available in view of that like to do many authors spyware: an unloading firewalls, antiviruses, an interdiction for their updating, blocking Ctrl+Alt+Del etc.Separate file of a configuration that allows to protect itself from loss botnet in cases of inaccessibility of the preferred server. Plus additional (reserve) files of a configuration to which the bot will address when the basic file of a configuration will not be accessible. This system guarantees a survival of yours botnet in 90 % cases.

Interception of POST-data + interception of the pressed keys (including inserted data from a clipboard).

Transparent URL-redirect (on fake-sites etc.) with the task of the elementary conditions of a redirect (for example: only at GET or POST inquiry, at presence or absence of certain data in POST-inquiry).

Transparent HTTP (S) contents substitution (the Web-inject which allows to substitute not only HTML pages, but also any other type of data). Substitution is set by means of instructions of masks of substitution.

Adjusted TAN-grabber for any countries.

The IDEAL DECISION FOR VIRTUAL KEYBOARDS: After calling on necessary URL, there is a reception of a screenshot in the field of the screen where the left button of the mouse has been pressed.

Reception of certificates from storehouse “MY” (certificates with a mark “not exported” are not exported correctly) and its clearing. After it any imported certificate will be saved on a server.

Interception of a login/password of reports POP3 and FTP in independence of port and its record to logs only at successful authorisation.

Change local DNS, removal/addition of file recording %system32 %\drivers\etc\hosts, i.e. comparison of the specified domain with specified IP for WinSocket.

Reception of a screenshot from the computer of a victim in real time, the computer should is out of NAT.

Reception of commands from a server part and report sending back about successful performance. (Now start of a local/removed file, immediate updating of a file of a configuration, OS destruction).

Socks4-server.

HTTP (S) a PROXY-server.“

My favourite part of this particular readme though has to be this:

“Record just visited pages at the first start on the computer. It is useful at installation through sploits if you buy loadings from suspicious service, it is possible to learn that is loaded more in parallel.“

Basically as a budding cybercriminal it’s tough to find partners you can trust. So if the person you paid to load your bot up on their boobytrapped web page decides they will send their own little package to your victims as well, you’ll know about it.

This particular vendor is offering a fully installed, configured and supported ZeuS installation; control panel, agent builder and injection scripts  for just $320 (USD).

Email harvesting or affiliate advertising associated web pages are springing up intent on monetising this with false promises. The first I noticed was doing the rounds on Twitter, promising users a Google Wave invite “within the hour” if they would just surrender their twitter username and email address. As you can see, about 50% of the relevant page content was made up of affiliate-based advertising. This iste had a particulalry tricksy domain name too, lending it credibility, www.google.com-wave.info making it of course a part of the com-wave.info domain, not an official Google page.

Fake Google Wave on Twitter

“Now we need to take some details from you so that someone with an invite can send you one! We promise to only share your details with people who claim to have invites“

Google Wave Invitation System

Needless to say, I still haven’t received my Google Wave invitation, from either of these sources.

My advice? Wait until a friend sends you an invitiaton. If you don’t have any friends using Google Wave, why would you want an invitaiton, after all it’s about communication and collaboration isn’t it?

So far details from Yahoo!, Hotmail, Gmail, AOL, Earthlink and Comcast among others have been posted online. The data has been simple lists of matched username and password pairs and did not appear to have been cleaned up or de-duped.

What is surprising is not really the amount of accounts affected, although current media reports may lead you to think otherwise. It is only the fact that so many were exposed publicly that is surprising. There is a thriving underground market in stolen email account credentials and the numbers of accounts for sale on any given day easily number over the 30,000 or so that have been exposed in this latest story. These accounts are valuable to scammers as emails coming from people you know and have in your address books are far more likely to be trusted and far less likely to end up in a spam folder. In what may or may not be a concidence, here is some spam I received from an email account belonging to a friend of mine just one day after this story broke.

Anyway, I thought I would go and have a quick look at just how much that account data was actually worth, I think you’ll be surprised. Using the current prices of one single vendor who has multiple tens of thousands of stolen accounts for sale, we can estimate the value of 10,000 hotmail account credentials at a measly $90 (US Dollars), that is of course applying the 10% discount that the vendor is offering for purchases of over 10k accounts.

Prices as at 7th October 2009

This is not a “massive phishing campaign” it is simply the ugly backside of online crime sticking out of the water for a second as they dive back into murkier depths.

If you have an email account and you are in the slightest bit unsure of things, why not go and change your password, after all, you do that regularly anyway don’t you?

If you want some free tools to help protect you in the future, then have a rummage around here http://free.antivirus.com/prevention-tools/

SMiShing reports date back to around 2006 when this threat started to become noticeable. Spoofed or otherwise faked SMS messages are used as bait to lure victims to responding via SMS to premium rate services, visiting a malicious website or calling a telephone number. The SMS messages are not malicious in themselves but often require the recipients attention for something which must be completed immediately or urgently,”confirming” or “activating” account or credit card details, cancelling non-existent subscriptions or confirming imaginary purchases.

The threat from SMiShing sometimes works in conjunction with Vishing (voice phishing) when the recipient is required to call a telephone number, or with more traditional Phishing when the recipient is directed to visit a particular website, SMiShing messages have also been known to direct recipients to malicious websites designed to infect them.

“Someone posted your full personal and banking information at insert-bad-url-here website you must remove it now”

 

“Notice – this is an automated message from insert-bank-name-here, your ATM card has been suspended. To reactivate call urgent at +##-####-####”

 

In the case of Vishing, if the victim calls the number, an automated system (IVR), or occasionally a real person, will prompt them for things like credit card number, CVV code (the number on the back of your credit card), expiry date or bank account details and even card PIN numbers. Criminals will also often seek to elicit personal information such as date of birth, personal identification numbers (SSN, National ID etc.). Click here for an audio capture of such a system.

If the phishing threat is web-based the stolen information can be more extensive and include items which are more difficult to enter on a telephone keypad, such as mother’s maiden name and email address. These items are then used to create faked credit cards or sold on as ID packs for others to do the carding.

Concurrently we are also seeing a rise in speculative outbound vishing calls. These kinds of calls exploit the trust that people have in the traditional and the familiar telephone system. Advances in technology, specifically  the use of the internet to make and take telephone calls (VoIP) has really simplified the process of spoofing or faking your caller ID and making the scammer much more difficult to trace and to block. This threat has grown established to the extent where telephone based cybercrime-as-a-service outfits are already in business.

Vishing calls arrive with a spoofed caller telephone number and often come from outside the country of residence of the victim. An example is detailed in an earlier blog here.

If you receive a communication that you were not expecting, whether it be by telephone, email, SMS or carrier pigeon, and that communication is asking you to give up sensitive information, *do not respond*. Do not reply to the email or SMS, do not talk to the person on the end of the telephone or click on any links provided to you. Instead, note the name of the company the communication is supposedly from and contact them directly to find out if they indeed have something they wish to tell you. Contrary to some advice I have seen, I would not advise immediate deletion of the SMS or mail as the contents of it may be helpful to the organisation that is being impersonated.

If you need SMS anti-spam technology, then look no further (it’s in the Pro version of the consumer product too)…

Financial institutions suffer considerable losses year on year to this criminal endeavour and are increasingly deploying technology to help combat this fraud. One technique that is becoming more widespread (at last) is two-factor authentication. Banks provide their customers with hardware or software tokens that generate one-time codes to be used whenever money is being transferred. One of the oldest forms of this is a “code card” or “code sheet” this kind of technology has been in use in some European companies such as France and Germany (for Minitel and BTX banking ) even before the Internet and is still in use today.

Allied Irish Bank (AIB) started providing one time code cards to their customers back in 2005, making them early adopters in English speaking European terms. So it’s no surprise that phishing mails are also evolving to try to overcome these obstacles.

This afternoon I received an email supposedly from AIB informing me that my code card was about to expire

AIB phishing email

This piqued my curiosity so I took a quick look at the attachment, only to be amazed at the bare-faced cheek (as my mum would say) of the phishers. Not only are they asking for my registration code, Personal Access Code and home phone number, but also all 100 of my code card digits!

Phishing mail input form

Source code from phishing form

Facebook notifications page

UPDATE 3: 19th August Rogue app number six just showed up and is unsurprisingly called “Inbox (1)”

UPDATE 2: 19th August:A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)” again they behave in the same manner as the others.

UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below, today started sending out notifications  that lead to yet another rogue app.

Using an already compromised account, I loaded up the app page for the malicious app “Posts” today, it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” App page, it also sent out new messages, the link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”

“Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.

I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation.

________________________________________________________________________________________

Original post follows:

I have been continuing to look into the Facebook phishing/rogue application story that I blogged about yesterday, because it wasn’t at all clear to me how the application “sex sex sex and more sex!!!” was generating those messages pointing to the malicious web site.

My research has turned up two further Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing.

When a victim logs in in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of malicious application name”, (yesterday the bogus app was called Posts, today it is called Stream).

Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.

 The application then goes on to send spam to all your contacts, without asking for permission of course…

The notifications sent to friends all point back to the fucabook phishingsite. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.

How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.

So like I said yesterday, always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use

Trend Microhas informed Facebook of these findings.