Archive for the ‘scam’ Category

Keep your Facebook friends close and your antivirus closer

November 17th, 2011 No comments

Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative with its social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer, and it has been observed posting very personable updates on friends’ walls in Facebook, riding on the session of a user who is already logged in.

Facebook friend post

The message links to a video on a YouTube-like website, which tells the user to update the browser with a bogus ActiveX object. The malware’s authors went one step further to make the video landing page look as legitimate as possible:

Fake youtube site

This download is actually Backdoor:Win32/Caphaw.A, a sophisticated firewall-bypassing backdoor with a broad feature set. It installs an FTP server, a proxy server, and a keylogger on the computer, and it has built-in remote desktop functionality based on the open-source VNC project. We received a report from a user who found this on his computer and also discovered that money had been transferred out of his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes that entirely plausible: the keylogger harvests the banking credentials, and the VNC component lets the attacker use them from the victim’s own machine.

The backdoor “calls home” to domains such as commonworld<removed>.cc or web<removed> to fetch the text that it posts on the friends’ Facebook walls. Its main module, meanwhile, is hosted on <removed>

Facebook friend wall post

The right thing to do when you spot such a fishy wall post is to warn the friend whose account has been compromised. You can also mark the message as spam to help prevent others from downloading the backdoor; Facebook is quite diligent about filtering these posts once they have been reported.

The presence of this threat on your computer puts your whole online identity at risk, so we recommend that you change the passwords to all of your sensitive accounts – email, online shopping, and online banking, for example. Do this from a clean machine, or only after the malware has been removed, since the keylogger would otherwise capture the new passwords as you type them. And while you’re at it, remind your affected friends to change their Facebook passwords too. Finally, scan your machine with an up-to-date antivirus solution to remove this malware from your computer.

Here are some SHA1s of files detected by our products as Backdoor:Win32/Caphaw.A:

  • c10ad13419ea44ba85cd8e83e2cd7ac8313e91de
  • 54d9f40156cc4a2561252f8ad30b4afdcc5e93b4
  • ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55
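The hashes above are file indicators, and the most direct use of them is a sweep of a suspect machine. The script below is an added example, not MMPC code: it walks a directory tree, computes the SHA-1 of each file in chunks, and reports any file whose digest matches the indicator set. The `demo()` function plants a constructed, harmless file and adds that file’s own hash to the set purely so a run shows what a hit looks like; the three real Caphaw hashes will only match real samples, and the file name `flash_update.exe` is illustrative, not an observed artifact.

```python
import hashlib
import os
import tempfile

# SHA-1 indicators from the post for Backdoor:Win32/Caphaw.A
CAPHAW_SHA1S = {
    "c10ad13419ea44ba85cd8e83e2cd7ac8313e91de",
    "54d9f40156cc4a2561252f8ad30b4afdcc5e93b4",
    "ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=CAPHAW_SHA1S):
    """Walk `root` and return [(path, sha1)] for every file whose SHA-1 is in `iocs`.

    Indicators are compared lowercase (feeds often ship them uppercase).
    Unreadable files (locked, permission denied) are skipped rather than
    aborting the sweep, because a running backdoor may hold its own files open.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, dangling links, etc.
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed demonstration; no real malware is involved.

    Builds a temp tree with one benign file and one planted file, then sweeps
    it twice: with only the real Caphaw hashes (no hit expected) and with the
    planted file's own hash added (exactly one hit expected).
    """
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"nothing to see here")
    planted = os.path.join(root, "flash_update.exe")  # illustrative name only
    with open(planted, "wb") as f:
        f.write(b"constructed stand-in for a dropped file, not a real sample")
    planted_sha1 = sha1_of_file(planted)
    return {
        "planted_path": planted,
        "planted_sha1": planted_sha1,
        "hits_real_iocs_only": sweep(root),
        "hits_with_planted": sweep(root, CAPHAW_SHA1S | {planted_sha1}),
    }


if __name__ == "__main__":
    result = demo()
    for path, sha1 in result["hits_with_planted"]:
        print(f"MATCH {sha1}  {path}")
```

On a Windows box the same check can be done natively with `Get-FileHash -Algorithm SHA1` in PowerShell; the point of the script is the shape of the sweep (chunked hashing, case-normalised indicators, tolerating files the backdoor has locked), not the hashing itself.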

— Mihai Calota, MMPC

Scam emails – the cost of response

April 20th, 2011 No comments

Recently, I received an email in my personal inbox with a subject line “MYSTERY SHOPPER ASSISTANT“ (the message did not filter to my junk folder and was not marked as spam).

Image 1 – “Mystery shopper assistant” spam from “Richard Fletcher”

I’m familiar with the hobby of mystery shopping – a service provided under contract where the contractor discreetly reviews an establishment and observes aspects such as customer service and the cost of goods or services sold. The contractor then reports back to the contracting agency and receives a modest payment, commonly less than $50 plus reimbursement for any item purchased. This email, however, promised $300 per assignment, which set off my inner suspicion alarm.

Image 2 – the lure

Several elements of the message attempted to lend it credibility, for instance by naming companies that employ secret shoppers. The message is a scam, however – readers beware.

The scheme begins when the prospective secret shopper responds to the email. The scammer may then send the target additional instructions, such as which part of the store to review; for instance, Wal-Mart’s “MoneyCenter” service, an in-store counter that lets customers send money electronically to a recipient. The scammer obtains the target’s address and mails a fraudulent cashier’s check with instructions to cash it, keep $300.00 as payment, and send the remainder back to the scammer. This is a classic fake-check fraud: the bank makes the funds available before the counterfeit check is discovered, and when it bounces the person who cashed it is liable for the full amount. By then the scammer has already received real cash at the victim’s expense.

Wal-Mart stores have been used as a conduit by scammers for a few years now, and there is a page on the Wal-Mart site describing the “Mystery Shopper Scam”:

In a section titled “How to protect yourself”, it notes that no legitimate business “will pay in advance and ask you to send back a portion of the money.” The MMPC concurs with this statement – and don’t forget the old adage: if it sounds too good to be true, it probably is.


— Patrick Nolan, MMPC

Categories: scam, spam Tags:

Doctor Who calling–on Skype, with malware

April 15th, 2011 Comments off

Earlier this week, I received a phone call via Skype on my laptop; the caller’s ID was “dralerthelpzc8”, as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and told me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is similar to the scam where a live person calls, purports to be a Microsoft employee and offers to help clean your computer. We want to point out that no Microsoft employee will ever call you unsolicited.)

I found the mystery Skype call odd on two counts: one, I work for a security company that develops antimalware software, and two, my Skype settings were set not to display whether I’m online. Apparently my privacy settings had no effect on whether I received a random call. More on that later.

After checking around various forums about this ‘helpful’ (not!) voice alert, I discovered that many people in the Skype community had received similar calls. There were a lot of references to “scam” and “rogue AV scanners”, so my gut feeling was not far off at all. Some forums included screen shots showing the tell-tale signs that the referenced site did indeed distribute rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) sits in ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site, but the page had already been taken down (the server returned an HTTP 404). A cached copy was available, and it resembled a fake scanner web page:

Image 1 – cached page sos**.com

One forum displayed a screen shot, captured in March, of a system tray balloon that looked vaguely familiar. Below is a copy of the message text:


Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure


This message text was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking on the system tray message redirects the web browser to an online purchasing site (also offline now) where you can enter a credit card number to buy the (presumably rogue) product.

Reviewing the sequence of events, I decided to change my Skype settings to prevent future spam calls of this nature, for instance:

  • select ‘Allow calls from people in my Contact list only’
  • select ‘Show that I have video to people in my Contact list only’
  • select ‘Automatically receive video and screen sharing from people in my Contact list only’
  • select ‘Allow IMs from people in my Contact list only’
  • unselect ‘Allow my online status to be shown on the web’

Image 2 – Skype privacy settings

For more articles on Skype security, visit this link on the Skype product site:

– Dan Nicolescu & Patrick Nolan, MMPC

Categories: guidance, rogue, scam, Skype, spam Tags: