Fake journalist account asks for flood donations on Twitter

Scammers are attempting to cash in on a recent flood in Cagayan. Bernadette Sembrano, a well known journalist in the Philippines, is being impersonated by individuals looking to make a little money out of the misfortune of others.

The fake: (screenshot of the impersonating account asking for money)

The real thing: (screenshot of the genuine account)
Interestingly, this isn’t the first time the fake account (located at @bsembrano) has asked for money. A quick snap from Google cache confirms this:

(screenshot from Google cache: an earlier request for money)

While the above smart money account could be theoretically genuine, there’s no information to confirm this from the Twitter page and one wonders why such an account is pretending to be a well known journalist in the first place. It goes without saying, but always check the legitimacy of an account randomly asking for money. The account has 191 followers, which is potentially a lot of victims eager to hand over their money. We’ve notified Twitter of the rogue account and hopefully they’ll look into it shortly.

Christopher Boyd

Check if a friend has deleted you on Facebook (sure)

Insecurity sells

Internet scams seem to aim at our most primordial instincts. Some of the noteworthy lures have been:

— Sex. How many “sex videos” can all the celebrities in the world really make?
— Fear of losing one’s health: thus there are thousands of “Canadian” pharmacy sites (in China) pushing all kinds of questionable medications.
— Making fast wealth: which brought us those 419 scams that seem to contribute significantly to Nigeria’s annual gross domestic product.

And now there’s a new one: the fear that one of your friends on Facebook no longer likes you.

Above is the Facebook post that will take you to this app:

(Click on graphic to enlarge)

[Side note (see red box in graphic): How insecure do you have to be to sign up for Facebook just to find out if a friend has deleted you? If you don’t have a Facebook account you don’t HAVE any Facebook friends yet! OR, who besides Bernard Madoff is so unpopular that people unfriend them on Facebook before they set up an account?]

Unless you’ve been living deep in the forest with only a dial-up Internet connection for the last five years, you’ve probably seen this before. The app must “protect” its content, so it requires you to play a game or “Save $$$ on Auto Insurance.” That isn’t exactly a computer security authentication scheme that’s on the test for Certified Information Systems Security Professionals.

To make this short: they collect your name, email address and cell-phone number, then try to sell you a subscription to get a quiz and two clues for $9.99 (billed to your cell phone) each month.

So if you’re really insecure about your Facebook friends, it’s going to cost you. And even if you don’t subscribe, just going this far results in your Facebook account being used to spread ads to all your friends about this loony service.

Which will give them more than ample grounds to unfriend you.

Tom Kelchner

Kirstie Allsopp’s Twitter account compromised, attacks Sir Alan Sugar

There were some very peculiar goings on in Twitter land today, as the account of Kirstie Allsopp seemed to be taking potshots at Sir Alan Sugar:

(screenshot of the tweet posted from the hijacked account)

The only problem? She didn’t post that message, despite a bit of confusion and the fact that the pair of them had a very public argument recently.

(screenshot: Allsopp denies posting the message)

It seems like it might be an easy thing to work out: so far, the compromiser is apparently making all of their posts from an iPhone.

(screenshot of the earlier hijack of the account)

Not so long ago, her account was hijacked and started sending out iPad spam. Methinks this time around she’ll be lucky not to get a “You’re fired” from Sir Alan…

Christopher Boyd

It’s time to get very serious about Java updates

“…an unprecedented wave of Java exploitation” – Holly Stewart, Microsoft.

Bottom line: many Java exploits go after vulnerabilities that have been patched. Since Java runs on a wide variety of platforms, this makes it a very serious vector. You should stay alert for the automatic Java updates. You also can check the Java site (see link below).

The background hum of news about the increase in malware that uses Java vulnerabilities has now increased to a roar.

Today Daniel Wesemann wrote a very readable blog post on the SANS site about Java weaknesses.

Wesemann pointed to an October piece on Microsoft’s Malware Protection Center by Holly Stewart in which she writes: “What I discovered was that some of our exploit ‘malware’ families were telling a scary story – an unprecedented wave of Java exploitation.”

Wesemann described the method used by the recent “bpac” family of exploits. The Java vulnerability it uses was patched in July, he points out.

“The infection usually happens as follows:

(1) User surfs to website that has been injected with the exploit
(2) Exploit pack triggers – it comes as an obfuscated JavaScript that downloads an (Java) Applet and a PDF
(3) The applet contains an exploit, here for CVE-2010-0840
(4) The applet is invoked with a parameter that tells it where to find the EXE
(5) If the exploit is successful, the EXE is downloaded and run”

And what is downloaded can be anything, like a back door that can steal your bank login information or turn your machine into a spam-pumping bot.

For beginners: Java is a compiled programming language created by Sun Microsystems (now owned by Oracle) that can be used to create applications that will run on a virtual operating system or in your browser. You may have heard of JavaScript. That is different. That is a scripting language that is put in the HTML code of web pages to run in your browser.

Here is Oracle’s description of the two:

What is JavaScript and how is it different from Java Technology?

The JavaScript programming language, developed by Netscape, Inc., is not part of the Java platform.

JavaScript, does not create applets or standalone applications. In its most common form today, JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.

Listed are key differences between Java and JavaScript.

* Java is an object oriented programming (OOP) language while JavaScript is an OOP scripting language.
* Java creates applications that run in a virtual machine or browser while JavaScript code is run on a browser only.
* Java code needs to be compiled while JavaScript code is all in text.
* They require different plug-ins.

How to check to see if your machine needs updates

To test your machine to see if the latest version of Java is installed, go to this test link with your browser: http://www.java.com/en/download/help/testvm.xml

If your Java installation is out of date, you will see something like this:

If you have the current version, you will see something like this:

Tom Kelchner

Patch Tuesday

On Patch Tuesday this month, Microsoft released three security bulletins:

MS10-087 — Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (critical — remote code execution)

MS10-088 — Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (important — remote code execution)

MS10-089 — Vulnerabilities in Forefront Unified Access Gateway Could Allow Elevation of Privilege (important — elevation of privilege)

Bulletins here.

Tom Kelchner

Modern crime: teen burglar left machine logged into Myspace

Break in, smoke some pot, play on Myspace

The South Florida Sun Sentinel (Miami and Dade County) is reporting that sheriff’s deputies in the Florida Keys arrested an 18-year-old man after they were called to the scene of a break-in and found a computer logged into the suspect’s Myspace account.

The Monroe County Sheriff’s Office said deputies arrested Robert Rupp, 18, of Big Coppitt Key, near the scene of the break-in and charged him with burglary, possession of burglary tools and theft.

The deputies said they were summoned by a caretaker who noticed someone inside the house on Sugarloaf Key. They found an open window, empty food and beverage containers, marijuana and a bedroom computer turned on and logged into Rupp’s Myspace account.

Story here.

Tom Kelchner

Surveys: here to stay

You can guarantee that every time a new product comes out, someone will be offering a “free” version of it in return for filling in a survey.

Yes, we’re all thoroughly sick of surveys. What caught my eye more than the entirely predictable “cracks” for Call of Duty Black Ops was a link sitting in most of the videos I saw:

(screenshot of the fake crack videos)

“How to download”. Clicking that took me to scdownloads(dot)za(dot)pl, which actually gives the end-user step by step instructions on how to access files stored on “fill in a survey to download” sites such as Sharecash. Multiple languages, too!

(screenshot of the “How to download” page)

(screenshot of the step by step survey instructions)

I’ve no idea who created that website, but obviously individuals are so worried end-users won’t generate money for them that they’re resorting to giving us “The idiot’s guide” treatment. And that particular website isn’t limited to promotion in random fake crack videos, either – you’ll find it being linked to from all manner of offers, “freebies” and pilfered content:

(screenshot of the many pages linking to the tutorial)

Windows 7 mobile downloads, PS3 jailbreaks, MTV videos, shop hacks, Sony Vegas movie studio keygens…you name it, someone is doing their level best to have you fill in a survey with as little confusion as possible. I’m not entirely sure how “fill this in” could be confusing, but to give you an idea of the way that site is being linked to (and how popular links to surveys are on video sharing portals):

(screenshot of the YouTube search results)

YouTube is telling me it has about 15,000+ links to the tutorial page, and there are fifty pages of links from the last day.

(screenshot: fifty pages of results)

That’s fifty pages of links to surveys, garbage downloads and – of course – a wonderful tutorial ensuring end-users make the most out of getting nothing in return for signing personal information away.

Surveys: most definitely here to stay.

Christopher Boyd

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Topics this week: FakeVimes rogue showing up in various places, Internet gaming scams, a loaded rogue download site and Hotmail phishing.

Tom Kelchner

Win two free tickets to American Football’s Big Game

GFI Software is holding a sweepstakes to give away two free tickets to American Football’s Big Game Feb. 6, 2011, in Arlington, TX.

To enter

The free trial and sweepstakes are open until December 31, 2010 to verifiable IT purchasing influencers 21 years or older who work in a business that employs 25 or more employees within the 48 contiguous United States and the District of Columbia. After downloading VIPRE Antivirus Business and completing a short survey, users will be entered for a chance to win the two tickets. To download VIPRE and enter the sweepstakes and for full rules and restrictions, please visit www.VipreTestDrive.com and follow these easy steps:

• Download VIPRE Antivirus Business by December 31 and test drive it for free
• Complete a quick survey
• Be entered for a chance to win two tickets to the Big Game

VIPRE Antivirus Business combines high-performance antivirus and antispyware into a single agent to provide comprehensive endpoint malware protection with low system resource usage. This combination of technologies brings high-performance endpoint protection with anti-malware software that doesn’t slow down users’ PCs, is low on system resources, and makes it easy to protect enterprise networks. For more information about VIPRE, visit: http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/

GFI news release here.

Site is loaded with scam AV product pages

Last week we blogged about a site that was advertised in spam email that appeared to be either selling rogue security products or else was selling AVG’s FREE antivirus product (“AV scam: is it a rogue or is it AVG’s free edition for sale?”).

A friend at AVG investigated just a bit more and responded:

“LOL look at this:

http://officialversion.ru/antivirus/1/
http://officialversion.ru/antivirus/2/
http://officialversion.ru/antivirus/3/
http://officialversion.ru/antivirus/4/
http://officialversion.ru/antivirus/5/
http://officialversion.ru/antivirus/6/
http://officialversion.ru/antivirus/7/
http://officialversion.ru/antivirus/8/”

The eight professional-looking pages (three are nearly identical) on the site all have generic names with all the design elements that are associated with the advertising of real security products: Symantec’s distinctive yellow colors, the shields and use of the year in the name. They’re probably landing pages for a spam email campaign. (Click on any of the graphics to enlarge them.)

As we said in last week’s blog piece, we didn’t put in a real credit card number to see what a purchase actually got you. Given what we’ve seen, you really don’t want to go any further.

Thanks Bruce.

Tom Kelchner

Patch Tuesday next week

Microsoft has issued a security bulletin advance notification for the November Patch Tuesday next week.

Three bulletins will be issued, fixing two remote code execution vulnerabilities in Microsoft Office and one fixing an elevation of privilege issue in Microsoft Forefront Unified Access Gateway.

Microsoft Security Bulletin Advance Notification for November 2010 here.

Tom Kelchner

Banload Trojans pose as .txt files

It seems there are a couple of trojans doing the rounds that are using a (semi) cunning disguise:

(screenshot of the disguised files)

isn’t going to be new to you but I guarantee you’ll have a relative who hasn’t heard of that one before. It’s always worth a mention to a less computer savvy individual! This is (of course) a case where the executable has been renamed to look like it’s a .txt file, when in reality the file is play.txt.exe. Should the end-user download and double click one of the infection files, they’ll have infected themselves.

told a number of websites hosting these files have been taken down in the last hour or two, but I imagine they’ll be back soon enough.

Better go warn granny…

Christopher Boyd

/ Update – to be clear, these files are executables using the double extension trick, where an attacker renames an executable like so:  filename.txt.exe. The file is still an executable, however the creator is hoping the end-user will only see the .txt extension. I’m also having some problems updating this post – as you can see, half the text is missing and refuses to go back in. I haven’t had a Blogger.com glitch for some time, but they come for everyone eventually…
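As an added illustration (not code from the original post), here is a small Python check that flags the double extension trick described above and shows what a user sees when Explorer hides known extensions; the extension lists are an assumed, representative subset, and the check also covers the variant where spaces pad the real extension out of view.

```python
import re

# Extensions Windows runs on double-click (an assumed, representative subset
# for this example, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}

# Harmless-looking extensions an attacker places in front of the real one.
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".mp3", ".avi", ".htm"}

# Types Explorer treats as "known" for this demo (assumption for visible_name).
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_double_extension_disguise(path):
    """True when the real (last) extension is executable and the extension
    just before it is a decoy, e.g. play.txt.exe or video.avi.scr.
    Whitespace around each part is ignored, so 'play.txt        .exe'
    (padding that pushes the real extension out of view) is caught too."""
    parts = [p.strip() for p in _basename(path).lower().split(".")]
    if len(parts) < 3:
        return False  # a single extension hides nothing
    real_ext = "." + parts[-1]
    decoy_ext = "." + parts[-2]
    return real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS


def visible_name(path, hide_known_extensions=True):
    """Approximate what Explorer displays. With the default 'Hide extensions
    for known file types' setting the final known extension is dropped, so
    play.txt.exe is shown as play.txt; unknown extensions stay visible."""
    name = _basename(path)
    if hide_known_extensions and "." in name:
        stem, ext = name.rsplit(".", 1)
        if "." + ext.strip().lower() in KNOWN_EXTS:
            return stem
    return name


def scan_names(names):
    """Return the subset of names that use the double extension disguise."""
    return [n for n in names if is_double_extension_disguise(n)]


if __name__ == "__main__":
    # Constructed sample download listing for the demo.
    sample = ["play.txt.exe", "readme.txt", "setup.exe",
              "holiday.jpg.scr", "archive.tar.gz", "play.txt        .exe"]
    for name in sample:
        flag = "DISGUISED" if is_double_extension_disguise(name) else "ok"
        print(f"{flag:9} shown as {visible_name(name)!r:28} real name {name!r}")
```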

AV scam: is it a rogue or is it AVG’s free edition for sale?

Alert reader Laurie (my boss actually) forwarded a copy of an email she received from a friend. It said the sender was “…pleased to announce the newest version of Antivirus 2010 for Windows.”

There was a link to click, of course.

(Click graphic to enlarge)

Something called “Antivirus 2010” for sale in November is very odd for three reasons:

1) It’s nearly 2011 and legitimate AV companies are putting out their 2011 versions.
2) There was a rogue security product last year called “Antivirus 2010.” (VIPRE detection: FraudTool.Win32.Antivirus2010 (v))
3) Although a lot of companies make a product named Anti-Virus 2010, they usually put their name in front of it, such as “Kaspersky Anti-Virus 2010” or “Norton AntiVirus 2010.”

The Antivirus 2010 rogue graphic interface from 2009:

(Click graphic to enlarge)

We checked out the URL (officialversion.ru) in the email, putting in our name and “promotion code” (actually any number will do), went past the “member login page” that made some mentions of the very legitimate AVG anti-virus company, and went on to a credit card payment page. The REAL AVG company (fourth largest AV vendor in the world) offers “AVG Anti-Virus Free Edition 2011” in addition to security software that users purchase.

We noticed the logo on the page mimicked the colors of the AVG logo:

The prices:
— $2.49 per month.
— A two-year “Full Access & Support” choice for $17.49 per month
— Three year “VIP” access for $11.67 per year.
— (optional add on) Firewall for $14.88 – marked down from $39.95
— (optional) Antivirus Pro Version Updates for $8.95.

(Click graphic to enlarge)

We didn’t make a purchase, so we don’t really know what’s behind the “pay now” button; however, you can be sure it isn’t anything good.

We can pretty well conclude that the scam email is offering:

— A rogue security product
— AVG’s Anti-Virus Free Edition, except they charge you before they redirect your browser to AVG’s site for download.
— Something else called “Antivirus 2010” that has no visible presence on the Web.

AVG’s real page is here: http://free.avg.com/us-en/homepage

Thanks Laurie. Thanks Doug. Thanks Patrick.

Tom Kelchner

Flexing your DDoS muscles

(screenshot of the DDoS calculator)

Ever wondered how much of a smackdown your Botnet is dishing out? This program lets the budding script kiddie enter some basic information about their Botnet, then hit the calculate button to see how they’re doing.

(screenshot of the calculator’s options)

How does it work? (screenshot of the program’s own explanation)

“…takes the number of bytes in a typical packet, divides it then multiplies that number against how many victims you have & number of sockets you’re using. This program is considered accurate”.

What it certainly does not do is take into account lost packets, or the connection of the infected users – a dialup PC isn’t going to be as handy in a fight as a dedicated T1 line, for example. One of the stranger things we’ve seen pop up this week.

Christopher Boyd

FakeVimes rogue is lurking behind that Facebook message

“This is video ffrom yourd alst party”

(click graphic to enlarge)

Alert reader Wendy received a link to a dangerous-looking video link through her Facebook private messages that turned out to be malicious. Her Facebook friend, however, hadn’t been suspicious enough.


(click graphic to enlarge)

Clicking on the icon to run the video presented a download – an executable file. It just doesn’t get any more suspicious than that.

It was one of the rogues from the FakeVimes family. To see descriptions of the latest in that family, check out the GFI Rogue Blog here.

Thanks Wendy. Thanks Matthew.

Tom Kelchner

Fallout: Scam Vegas

The Fallout series of games have always been a particular favourite of mine, and numerous scams have popped up in relation to them through the years. For example, here’s one that promised you Fallout 3 in return for a Zango install.

The promise:
(screenshot of the Fallout 3 offer)

The reality:
(screenshot of what was actually delivered)

Not so much “Amazing game set in a 3D world” as it is “dodgy copy of a half finished tech demo that was never released. Also, a bit rubbish”.

Anyway. Fallout: New Vegas has arrived, and our old friend “Cut and paste Blogspot site promises game crack in return for filling in a survey” has risen from the grave once more. Following the same pattern as the Halo Reach and DC Universe Online scams, you get a website claiming to be “Official” enticing the end-user with a completely useless crack program.

(screenshot of the fake “official” site)

You know the drill: click the “download” button, and fill in one of these wonderful surveys:

(screenshot of the survey list)

After many warnings that I need to enter valid details or be banned forever (oh, the humanity) I decided to check out one of the links. The Bieber link seemed like the one a child would probably click on – this is what I got:

(screenshot of the Bieber quiz with its timer)

A bunch of questions, complete with timer counting down. I’m always suspicious of timers on offers, because they’re often used as a hook to get the end-user to do something (“Fill this in quick, we only have six billion of product X left!”) This one is slightly different, because once the timer hits zero this pops up:

(screenshot of the subscription pop-up)

It’s almost like the survey questions are utterly irrelevant, isn’t it, kids. By the way, it’s £4.50 a week. Enjoy!

The domain being used for this is falloutnewvegasgame(dot)blogspot.com. We’ve reported it to Google, and hopefully it’ll be sitting in a post apocalyptic landfill shortly.

As the rather appropriate tagline from Fallout goes, “War. War never changes”.

Neither do scammers…

Christopher Boyd

Holiday rogues available in searches for “free cards to print”

SEO poisoning leaves FakeVimes online scanner scam in your stocking

Holiday shoppers searching for free greeting cards to print might discover that the rogue security software distributors have already begun using search engine optimization poisoning for terms with seasonal themes:

To avoid poisoned links in a search engine you should beware of:

— sites that appear a number of times in the list of search engine hits, all showing the same phrases
— URLs that are made up of random, meaningless alphanumeric characters. An example would be: /2LitmlZM/

The “free cards to print” hits re-direct to the FakeVimes Online Scanner Scam. Here they use a threat name “Troajn.awF” that was an actual threat at one time, although they misspelled it.

Thanks Patrick.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Topics this week: The new Antivirus Solution 2010 rogue, SEO poisoning of searches for “pumpkin” or “Jack-O-Lantern stencils,” SEO poisoning of searches for “Vanessa Hudgens No Clothes,” a functional menu in the ThinkPoint rogue and MobileMe phishing.

Tom Kelchner

“My name is FBI Brad…”

Every now and again, a 419 scam mail comes through that fairly boggles the mind.

This is one such mail.

This is to let you know about scam If you know you have  been scam before, this is an help agent to you. This is to let you know that all of you who had lost money to scammers in Africa and USA, i want to let you know that there is a quick opportunity for you all. Mostly lottery. my name is FBI brad I assure you that i will do all i can to get it back to you in 3 days okay About your lost money…. an opportunity to get your money back to you.

Wait – the gimmick here is that I’ve already been scammed by a 419 mail, but with the aid of “FBI Brad” I can reclaim my money with the aid of some random lottery?

Oh, sign me up.

I believe you know what scam means. We are  global scam fighter in CA 93535. we have all the global scam computer to trace all scammer name and location okay to cut this short..if you had sent money to africa you have a chance to take 1 of them to court because 1 of them had been caught. if you lost money or win deaf lottery contact us quick reply back to this email on [removed].


I’m sure we all wish we had a “global scam computer” to hunt down the bad guys, but in this case all we need is a little common sense. Although a ludicrous attempt at web shenanigans, it still leaves a nasty taste in the mouth due to the fact it plays on the fears of victims who have already lost money to scammers. Unfortunately, it’s a very real possibility that someone desperate enough could stand to lose out twice over.

Don’t let this happen to you!

Christopher Boyd