DHS is going after money mules

Vietnamese college students in Minnesota are subjects in $1.25 million online scams

The Minneapolis Star Tribune is reporting that a U.S. Department of Homeland Security investigation of money mules (Operation eMule) has led to two Vietnamese students at Winona State University. Investigators said the pair had used stolen identities to set up 180 eBay and 360 PayPal accounts that were allegedly used to defraud merchants out of more than $1.25 million.

The two, Tram Vo and Khoi Van, are in the U.S. on F1 visas, according to a request for a search warrant filed by DHS investigators Dec. 29 in federal court in St. Paul. Neither man has been charged with a crime.

Companies that were victims of the thefts included eBay, PayPal, Amazon, Apple, Dell and Verizon Wireless, investigators said.

According to the papers filed in the case, investigators from the National Cyber Crimes Center (part of U.S. Immigration and Customs Enforcement) and the Department of Homeland Security Investigations are working on the case. They said in the court papers that the money was wired to accounts in Canada and Vietnam.

It has been no surprise to me that it has taken most of a decade for law enforcement agencies to get up to speed in their Internet crime investigations. If you’ve ever sat through a trial in which a chain of evidence was presented by the prosecution and cross-examined by the defense, you can appreciate the enormity of the learning curve that law enforcement has faced.

In these cyber-crime investigations, the chain isn’t a matter of defendants’ links to physical items, but rather a trail of recorded computer connections and money transfers. Thieves’ use of proxy servers makes those trails pretty faint.

Tom Kelchner

Rogues in 2010: number of variants stable, new “utility” look appears


GFI Labs documented 167 rogue security products in 2010 – exactly the same number as in 2009.


Number of rogues by year

Year    Total
2005    26
2006    44
2007    95
2008    162
2009    167
2010    167

Total   661

According to GFI Labs statistics, the number of rogue security products appearing annually has been stable for the last three years. After the count rose from 26 in 2005 to 162 in 2008, it has stayed roughly flat: 167 in both 2009 and 2010.

New “utility” look appears in 2010

Late in 2010, researchers at GFI Labs noticed that at least one group of rogue writers had started a new deceptive tactic: creating graphic interfaces that impersonated utility software — such as hard drive defragmentation applications — instead of anti-virus products.

UltraDefragger — the new “utility” look


The UltraDefragger rogue appeared mid-November and was quickly followed by a number of clones.

FakeAV-Defrag family history:

11/15/2010    Ultra Defragger
11/16/2010    ScanDisk-Defragger
11/30/2010    WinHDD
12/9/2010     HDDPlus
12/12/2010    HDDRescue
12/12/2010    HDDRepair
12/13/2010    HDDDiagnostic

We blogged about the new look about the middle of December.

From 2005 to 2007, the rogue creators had static web sites to distribute their clones. Internet enforcement wasn’t up to speed, so the rogue sites were taken down less frequently than they are today, and the rogue distributors weren’t pushed to create as many clones.

The number of rogues increased in 2008 largely because the rogue creators needed to evade stepped-up detection by anti-virus companies, according to researcher Patrick Jordan.

The pace continued into 2009. In that year, the FakeSmoke family of rogues saw a new clone distributed almost every 24 hours, Jordan said. The FakeSmoke family of rogues began in October 2008 with WiniGuard,



SpySheriff: longest surviving rogue

Rogue distributors usually create their malicious software and server infrastructure, then clone their malcode frequently in order to escape detection by legitimate anti-virus products. They count on making money in the days (or hours) before the new rogue clones are detected.

The longest-surviving rogue was SpySheriff. It lasted from July 2005 until its site was finally suspended in August 2008. SpySheriff and its 31 clones included:

7/6/2005    SpySheriff
8/6/2005    SpyTrooper
1/30/2006    PestTrap
8/16/2006    DiaRemover
10/3/2006    PestCapture
12/18/2006    MalwareAlarm
12/18/2006    MrAntiSpy
12/18/2006    SpyMarshal
5/22/2007    DrAntispy
7/16/2007    MagicAntiSpy
7/16/2007    SpyShredder
9/12/2007    SpywareNo
3/16/2006    BraveSentry
8/13/2007    LiveProtect
11/30/2007    DrProtection
11/30/2007    GuardCenter
11/30/2007    LiveAntiSpy
11/30/2007    OnlineGuard
12/6/2007    LiveProtection
12/21/2007    Immunizr
11/28/2008    Extra Antivir

Second generation

6/3/2008    System AntiVirus 2008 (Sav)
6/3/2008    Vista AntiVirus 2008 (Vav)
6/3/2008    Windows AntiVirus 2008 (Wav)
6/9/2008    Ultimate AntiVirus 2008 (Uav)
6/18/2008    Advanced Antivirus 2008 (AAV)
7/30/2008    Antivirus Master (AVM)
8/22/2008    Power Antivirus (PWA)
8/26/2008    Spyware Preventer (SPP)
9/11/2008    Micro Antivirus 2009 (MicroAV)
10/28/2008    AntiVirus Sentry (AVS)
11/3/2008    Ultra Antivirus 2009 (UltraAV)

Thanks Patrick

Tom Kelchner

Free Microsoft points on Facebook, honest


Here we have what appears to be a scam on Facebook.

It’s a popular one too, with 70,706 people smacking the “Like” button as if their lives (and free points) depended on it.

Of course, popularity doesn’t mean it works. Here are some satisfied customers, and by “satisfied” I mean “absolutely furious”:

Whoops.

Shall we take a look? The site where all the action takes place is xbox360pointsonline(dot)blogspot(dot)com.


Yes, “follow the steps” and get your 4,000 Xbox Live points. You can probably guess where this one is going.


As you can see from the happy customers above, nobody actually seems to be getting their free points. Meanwhile, lots of profiles start to fill up with this as the Like / Share rampage continues:

Given that the average price of 4,000 Microsoft points is about £35, it’s unlikely that Random Survey Man is going to be making enough money to scatter those points around like confetti.

Do yourself a favour and pass this one by.

Christopher Boyd

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we find that might be of interest.

This week we blogged about the next version of the Storm Worm, fake YouTube ads for the movie Tron, a golden oldie Nigerian 419 scam and two rogues, ProtectShield and Spyware Protection.

Tom Kelchner

419 advance fee fraud golden oldie still making the rounds

A number of us here at GFI received a Nigerian 419 scam email over the weekend. A little investigation shows these fraudulent spam emails, purporting to be from Maryam Abacha, have been circulating at least since 2005.

From: Maryam Abacha [mailto:maria_abach@_____.com]
Sent: Sunday, January 02, 2011 7:38 PM
Subject: Very Urgent Reply.

Hi,

My name is Maryam Abacha the widow of Sani Abacha, de facto President of Nigeria from 1993 to 1998.

Following the sudden death of my husband I have been thrown into a state of utter confusion, frustration and hopelessness by the present civilian administration.

I have been subjected to physical and psychological torture by the security agents in the country.

You must have heard over the media reports on the recovery of various huge sums of money deposited by my husband in different security firms abroad.

I am looking for a reliable and trustworthy individual that would receive the sum of $15.5 Million Dollars which I have secretly deposited with a security company abroad.

I will give you 20% of the total sum and how to receive the funds on my behalf as soon as I hear from you.

I got your contact through my personal research, and out of desperation decided to reach you through this medium.

Best Regards

Mariam Abacha.

The Freeman Institute seems to have taken a special interest in the 419 scams that use the Abacha story.

Thanks Patrick

Tom Kelchner

TRON and gone: fakeouts galore

It’s a bit depressing to hear anyone in their twenties or younger say “What’s a Tron”, although the recent film may help out a bit where that’s concerned. Regardless, hunting for some TRON action on the internet may end in frustration, surveys and installs aplenty.

For example, hd-movies(dot)biz gives us a fairly standard “Fake advert on Youtube / hit you with a survey” scam:


What an awesome set of questions. Anyway, next up we have freemoviehub(dot)net imploring us to “get our Gucci on”:


It’d be nice if someone made a New Year’s resolution to never, ever pop a survey for anything for the rest of eternity, but somehow I can’t see that happening. Perhaps your choice of beverage isn’t the new-fangled TRON film with light cycles that trace a curved path, a bland lead actor or Olivia Wilde sporting the best Ladytron haircut ever. Maybe you’re one of these young’ns who stumbled across TRON Guy and wondered where he got his inspiration from.

You might not want to bother.

Moviepoint(dot)org/tron:


Clicking the player underneath the banner splash takes you to browserdl(dot)com/xvid_dl/ which wants you to install a program before savouring the delights of hearing someone say “Greetings, program”:


Needless to say, there isn’t any TRON action going down once the end-user has installed ClickPotato, ShopperReports, QuestBrowser and blinkx Beat. I’m now going to cross my fingers and hope end-users won’t fall for movie fakeouts like the above as we stumble into 2011, while also wondering why a Daft Punk music video looks more like TRON than the actual sequel.

End of line…

Christopher Boyd