GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI Rogue Blog and anything else we think might be of interest.

This week: a phishing scheme aimed at American Airlines Frequent Flyer customers, eight rogue security products on the GFI Rogue Blog and a phishing page disguised as a British post office site.

Tom Kelchner

Post Office phish offers “£125 bonus” to potential victims

While the humble post office will let you send a letter, weigh a parcel and buy the odd newspaper, I’m fairly certain they don’t give away free money.

Mine never has, anyway.

With that in mind, I found the following collection of folders and files rather interesting:

files and stuff

There are what appear to be HMRC phish pages asking for credit card info to receive a “482.84 refund”, an unfinished United Airlines page asking for credit card info to receive a “$250 bonus” and a Post Office page.

In case you were wondering, it isn’t offering free newspapers.

phishy fun at the post office

As you can see, there’s a “£125 bonus” up for grabs, and all you have to do to get your hands on the “Post Office Bonus” is enter your full name, date of birth and…

money, please

…your payment information. It seems whoever made this couldn’t be bothered using their own images for the most part, as the “Verified by Visa / MasterCard” graphic is hotlinked from the website of popular retailer Argos.

hotlinked images

Here are some more examples of Argos image pilfering, all of which seem to involve – you’ve guessed it – tax rebate scams. I don’t think the real Post Office website uses images grabbed from Argos and I doubt the HMRC does this either, so right click / view image location may come in handy when faced with an unfamiliar website.
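An automated version of the “view image location” check described above, as an added example that is not part of the original post: it lists the images on a page whose registered domain differs from the page’s own. The sample page and every domain in it are constructed, and the eTLD+1 logic is a deliberate simplification.

```python
# Added example (not from the original post): automate the "view image
# location" check by listing <img> sources whose registered domain differs
# from the page's own. The sample page, URLs and domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _ImgCollector(HTMLParser):
    # Collect the src attribute of every <img> tag.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def registered_domain(host):
    """Crude eTLD+1: keeps three labels for 'co.uk'-style suffixes (assumption)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def hotlinked_images(page_url, html):
    """Return absolute image URLs whose registered domain differs from the page's."""
    parser = _ImgCollector()
    parser.feed(html)
    page_domain = registered_domain(urlsplit(page_url).hostname or "")
    flagged = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname
        if host and registered_domain(host) != page_domain:
            flagged.append(absolute)
    return flagged

# Constructed sample: a fake "bonus" form whose card-scheme logo is hotlinked.
SAMPLE_URL = "http://post-office-bonus.example/claim.php"
SAMPLE_HTML = (
    '<html><body><img src="/img/header.png">'
    '<form><input name="card"></form>'
    '<img src="http://www.retailer.example.co.uk/images/verified_by_visa.gif">'
    "</body></html>"
)

if __name__ == "__main__":
    for url in hotlinked_images(SAMPLE_URL, SAMPLE_HTML):
        print("hotlinked:", url)
```

A hit is a prompt to look closer, not proof of phishing: legitimate sites use CDNs, so compare the flagged host against what the real brand actually uses.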

Of course, the best solution is not to go entering payment details on random URLs in the first place – but free money is always tempting. I’d be happy with the free newspaper…

Christopher Boyd

Patch Tuesday (Microsoft and Adobe) coming next week


Microsoft

Microsoft has posted advance notification of what we can expect on February Patch Tuesday next week:

There will be 12 security bulletins. Three are considered critical and nine important. They will cover updates and fixes in Windows, Internet Explorer and Microsoft Office.

Adobe

Adobe has posted a security advisory saying it will fix critical vulnerabilities on Tuesday with updates for:
— Adobe Reader X (10.0) (Windows and Macintosh),
— Adobe Reader 9.4.1 and earlier (Windows, Macintosh and UNIX),
— Adobe Acrobat X (10.0) (Windows and Macintosh), and
— Adobe Acrobat 9.4.1 and earlier (Windows and Macintosh).

An update for UNIX versions will be available by the week of February 28, Adobe said.

Tom Kelchner

Can Google weed out the content farms?

Google is trying to figure out a tweak for its search algorithm that will stop junk web sites — “content farms” — from achieving high search rankings, according to a great article in Technology Review.

In the Review, Tom Simonite wrote: “Speaking this week at Farsight 2011, a one-day event in San Francisco on the future of search, the firm’s (Google’s) principal search engineer, Matt Cutts, said that Google is considering tweaks to the algorithms that guide its search results. It’s also considering more radical tactics, such as letting users blacklist certain sites from the results they see.”

This is going to be a very big issue. Marketing departments and the people who design and maintain their web sites center their efforts on search engine optimization. High ranks in Google search results are worth money – a load of money since advertisers pay by the click. We’ve all seen worthless sites that have learned to game the search algorithm and deliver junk content. Some are so bad they’re almost a form of click fraud. It is possible to go through dozens of these in the course of a search before you find a site that actually gives you some significant information on the topic you’re searching for.

I suspect it isn’t going to be an easy “tweak” to make. The crappy sites will continue to tweak their content to evade the changes so they continue to make money on the clicks.

Tom Kelchner

Taco tries, fails to give your PC food poisoning

Today, it’s all about the taco.

Not those nice things wrapped in tortilla – another kind of taco, served up from an evil fast food joint of doom.

And by “evil fast food joint”, I mean “slightly rubbish website asking you to install things”.

Taco site of doom

It is, of course, one of those fake Java install websites that pop up from time to time – complete with (fake) Softpedia 100% clean notice. I think the last time I saw one of these was back in April of last year.

This one does exactly the same thing – pops up a prompt asking the user to hit “Run” on a Java notification. When that happens, a rather generic Trojan named after one of my favourite nibbles swings into action.

Say hello to the Taco:

It's taco time

Insanely high detection levels ensure this particular Taco won’t be causing any PC indigestion. However, good advice never goes out of fashion:

This looks slightly suspicious

Hey look, it’s being served up from Fileave.com, a host for random files that anybody can upload. Looking legit so far. I particularly like the “NOT VERIFIED” next to Microsoft. Hitting the “More information” box should set those final alarm bells ringing:

Caught, can I get a witness

Yeah…you know what? I think I’ll skip the taco and buy some oranges instead.

I’ll finish this one off with some cut and paste action from an earlier writeup:

* ALWAYS be cautious when presented with an unknown application. Don’t just run it; go Google it first and see if anyone else even mentions it.

* In the same spirit, be very wary of unsigned applications on random websites you’ve never heard of.

* Anyone can grab an award badge from a website and claim they’re the “Best thing ever”.

Don’t eat out tonight.

Christopher Boyd

Experiment over: Egypt is back on line

A number of Internet monitoring systems have detected that Internet traffic is again flowing in Egypt:

The folks at Opera reported this morning that their Opera Mini servers were again seeing traffic from Egypt.

Google’s transparency report shows traffic back up.

And James Cowie reported on the renysys.com blog that “All major Egyptian ISPs appear to have readvertised routes to their domestic customer networks in the global routing table…” He said major sites were again reachable there with the exception of some universities. Renysys.com was one of the first sources to report the initial outage.

Some issues this outage has raised:
— What kind of planning can individuals and enterprises do to be ready for similar outages in the future?

— Is there a net neutrality issue here that has some practical solution?

— Is the dial-up modem going to have a second life?

We can be sure that the effects of this five-day, countrywide outage are going to be seriously studied. Question number one: what was the economic loss?

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we think might be of interest.

This week: Christopher Boyd turned up a phishing scheme aimed at customers of British Telecommunications (BT) and scams that use the new Black Ops map pack as bait. Patrick Jordan analyzed the new Antivirus.Net rogue security product.

Tom Kelchner

BT phish wants a peek at your bank details

I’ve heard reports of various bt(dot)com phishes doing the rounds over the last couple of weeks, but arrived at the scene of the crime too late to grab some screenshots and ring the “unclean, unclean” bell.

Thankfully Christmas has come (very) early, as here we have one such phishy character to poke with a stick. I imagine this is being promoted via emails, but I don’t have one of those to hand so we’ll have to make do with a website example for the time being.

phishy

As you can see, the site looks pretty convincing and asks the user to “Log in to the personal area”. Phishes tend to say “thanks for coming along, now get out” once you’ve entered your login details – however, this one has bigger things on the horizon.

Like a gold plated yacht.

card dets, please

Credit card / bank account information is the name of the game, along with some other bits and pieces including mother’s maiden name and date of birth. Clicking through takes the user to the following screen:

scammed

I don’t know about you, but I tend to think the “billing department” mentioned above will probably be sailing around the Atlantic in their aforementioned gold plated yachts instead of confirming the information sent their way.

We’ve had the above phish taken down, but I doubt we’ve seen the last of this one. Please be wary of emails / websites claiming to be from BT that ask you to fill in all of your payment details – nothing good will come of it (unless you’re the one in the yacht).

Christopher Boyd