Black Ops Map Pack Scam

Bits and pieces of popular culture will always be a target for scams, and we’ve already seen more than our fair share of Black Ops shenanigans: fake keygens / cracks back in November, and a curious tale from January of how gamers broke into a radiology server to play some rounds while apparently failing to touch the mass of personal info sitting on the compromised box.

February is almost upon us, and that means a new target enters the crosshairs: the Black Ops map pack downloadable content is available for all ($15 / £10 to you, guv’nor, with a nifty YouTube preview to make you wave your wallet), and this means scammers are out in force.

fake programs ahoy

more fake programs

Amazingly, this is also a fake program

There's a theme developing here...

As with almost every scam these days, they just want to pop a survey and make some affiliate cash. At best, a dummy file is hiding behind the survey; at worst, you’ll end up with a nasty infection stomping up and down on your hard drive.

Survey time. Hooray.

Survey popping scams seem to be as popular as ever, which probably means a good chunk of people are still filling the things in then wondering why “dubiouswormthing.exe” causes their hard drive to melt.

Don’t be one of those melty hard drive people.

Christopher Boyd

FTC nails 2008 “scareware” distributors for $8 mill


The companies: Innovative Marketing, Inc. and ByteHosting Internet Services

The rogues: Winfixer, Drive Cleaner and Antivirus XP

Two men will pay $8.2 million to settle a U.S. Federal Trade Commission action that charged them with using deceptive advertising to sell consumers rogue security products in 2008. The money will be used to reimburse customers who were defrauded, the FTC said.

Marc D’Souza and his father, Maurice D’Souza, are among seven people connected with Innovative Marketing, Inc. and ByteHosting Internet Services, LLC, which operated out of offices in a number of countries under a variety of aliases.

The FTC said in a news release: “In December 2008, at the request of the FTC, a U.S. district court ordered a halt to the massive scheme. According to the FTC’s complaint, the defendants falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The FTC alleged that the defendants conned more than one million consumers into buying their software products such as Winfixer, Drive Cleaner and Antivirus XP to remove the malware the bogus scans had supposedly detected.”

Eric Howes, GFI Labs Spyware Research Manager said: “The FTC is to be applauded for taking down what was one of the more prolific and abusive ‘scareware’ operations of the past few years. Although the $8.2 million settlement is likely the best the FTC could have gotten under the circumstances, one has to wonder how it compares with what the defendants actually made from their deceptive practices and products. And, sadly, most of the same deceptive tactics employed by Innovative Marketing and its partners are still being used by others to push worthless rogue security products on frightened and confused internet users.”

Antivirus 2008 was another rogue gem from Innovative Marketing (thanks, Patrick Jordan).

Antivirus 2008 graphic interface


Tom Kelchner

Egypt’s government turns off Internet

An experiment in non-communication?

In what some observers are calling a first, the government of Egypt has shut down the country’s four Internet service providers, blacking out nearly all net access in the country in the face of widespread protests.

According to the Aljazeera news organization, which specializes in news of the Arabic world, protesters have been mobbing city streets and throwing rocks and some gasoline bombs in Alexandria and Cairo for four days. The crowds of mostly young people have been calling for an end to the rule of Hosni Mubarak, who has been in power for 30 years. Protests also have been reported in the cities of Suez, Mansoura and Sharqiya.

James Cowie on the renesys.com blog asked the central question: “What happens when you disconnect a modern economy and 80,000,000 people from the Internet? What will happen tomorrow, on the streets and in the credit markets? This has never happened before, and the unknowns are piling up.”

He said the exception to the Internet blackout was the Noor Group, whose 83 routes were still up with inbound transit from Telecom Italia. That keeps the Egyptian stock exchange (www.egyptse.com) reachable.

Cowie said that Tunisia blocked certain Internet routes and Iran limited traffic to slow communication when those two countries were faced with large scale protests recently. Neither imposed a complete blackout, however.

Tom Kelchner

Update from Twitter, 4 p.m. (EST):

I’m not sure what to think about this but it sounds serious:

Rogue presents browser hijacking


Sure, I’ll buy Antivirus.Net.FakeSpyPro rogue.

Yesterday on the GFI Rogue Blog we reported finding the Antivirus.Net rogue security product (FakeSpyPro family).



Today, researcher Patrick Jordan came across the browser hijacking mechanism that the rogue installs to trick a victim into making a purchase. After the “scan” is performed, this is the only page that a browser user will see:


The fractured English (“There might be an active spyware running on your computer”) is one giveaway that this isn’t genuine.

Thanks Patrick.

Tom K

Year-end malware stats from AV-Test

Andreas Marx at AV-Test has shared some more information which highlights the significance of the malware problem.

The numbers are staggering — AV-Test processed an average of 54k samples per day in 2010, up from an average of 33k in 2009 — and up from 426 samples per day just a decade ago.

Stats below, source data here  (xls), all courtesy of AV-Test.

[AV-Test charts 1 through 7]

Alex Eckelberry

Data Privacy Day 2011

“… an international celebration of the dignity of the individual expressed through personal information.”

Data Privacy Day will be marked Friday in the U.S. and 27 countries in Europe. It’s a day for education and awareness events “… to promote understanding of privacy best practices and rights. Educational events focus on informing teens about the importance of protecting the privacy of their personal information online, on social network sites and other internet activities.”

Data Privacy Day is a division of The Privacy Projects, which is described on the web site as “a nonprofit think tank and research organization dedicated to facilitating the role of consumer privacy and data protection in regulatory controls, technological innovation and consumer protection…”

$10 off VIPRE Home and Premium: $19.95.

In an effort to raise awareness of the increased dangers online and to help consumers protect themselves from digital identity risks, GFI is offering limited-time pricing incentives on its high-performance VIPRE Antivirus Home product line to those seeking to safeguard their personal information and protect their PCs.

On January 28, 2011 (Data Privacy Day), GFI Software will offer a $10 discount on VIPRE Antivirus Home and VIPRE Antivirus Premium, bringing the entry level price point to $19.95. Visit: http://virpreantivirus.com to take advantage of this special pricing, which is only available on Friday, January 28, 2011 until 11:59pm EST.

Tom Kelchner

Looking for cell phone tones (or porn)? Beware.

Our researcher Patrick Jordan has found a group of web sites that uses an ever-changing array of redirects to deliver a .pdf exploit. VIPRE detects it as Exploit.PDF-JS.Gen (v), which is ranked 19th in our VIPRE ThreatNet detections at the moment.

One of the main sites in the group of malicious PPCSearch sites, celltonesfinder.com, presents visitors with a link to toshtube.net, which is used to redirect them to a (changing) group of sites that serve the malcode.


The malicious .pdf file has been in VIPRE detections for some time:



The PPCSearch sites include:

bestrxfinder.com
celltonesfinder.com
daofinder.com
fastfinder10.com
gamesearchnetwork.com
homefinder10.com
jokerfeed10.com
megasearch10.com
nextfreefinder.info
searchforpills.com
superfinder10.com
top10feedsearches.com
topcasinofeed.com
topdaocasino.com
topdaodating.com
topdaodrugs.com
topdaofinance.com
topdaofinder.com
topdaogames.com
topdaoimage.com
topdaoringtones.com
topdaotravel.com
topfindersup.com
topseachresults.com
toptripsfinder.com
ultrasearch10.com
youfindmore.com
yourdatingnetwork.com
yourlivesearch10.com
yourpillsfinder.com

Today’s sites used to distribute the PDF exploit:

nijade.info/shop/jmclhpgmcmjn.pdf
bestefa.info
gogrefa.info
zealhu.info
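As an added example (not code from the post or from GFI), here is the kind of static triage that a generic PDF-JS detection like the one above boils down to: undo the #xx escapes in PDF names, inflate FlateDecode streams (including object streams that hide whole dictionaries), and flag a script object that is paired with an automatic trigger such as /OpenAction or /AA. The sample PDF is constructed inside the block; it is not the jmclhpgmcmjn.pdf served by the sites listed, and it contains no exploit, only a harmless app.alert.

```python
"""Static triage of a PDF for auto-running JavaScript, the pattern behind
generic "PDF-JS" signatures. Added example; the PDF is constructed here."""
import re
import zlib

# Script carriers, plus the triggers that run them without a click
# (/OpenAction on open, /AA additional actions on page/field events).
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia"}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_RE = re.compile(rb"/[A-Za-z0-9_.]+")


def decode_pdf_names(data):
    """Undo #xx escapes in PDF names: /#4Aava#53cript is the same name as
    /JavaScript, a cheap way to dodge naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def split_streams(data):
    """Return the document with stream bodies removed, plus the bodies."""
    bodies = [m.group(1) for m in STREAM_RE.finditer(data)]
    skeleton = STREAM_RE.sub(b"stream\nendstream", data)
    return skeleton, bodies


def inflate(body):
    """Streams are usually /FlateDecode; fall back to the raw bytes otherwise."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body


def scan_pdf(data):
    """Count suspicious names in the object skeleton and inside every
    (decompressed) stream, so dictionaries tucked into an object stream
    are seen too."""
    skeleton, bodies = split_streams(data)
    counts = {}
    for view in [skeleton] + [inflate(b) for b in bodies]:
        for raw in NAME_RE.findall(decode_pdf_names(view)):
            name = raw.decode("latin-1")
            if name in SUSPICIOUS_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts


def is_suspicious(counts):
    """Script plus an automatic trigger is the combination worth escalating;
    JavaScript on its own turns up in plenty of benign forms."""
    has_script = "/JS" in counts or "/JavaScript" in counts
    has_trigger = any(t in counts for t in ("/OpenAction", "/AA", "/Launch"))
    return has_script and has_trigger


def build_sample_pdf():
    """Constructed sample: a JavaScript /OpenAction with an escaped name, and a
    second script action hidden inside a FlateDecode'd object stream."""
    hidden = b"6 0 << /S /JavaScript /JS (app.alert('also hidden')) >>"
    deflated = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 6 0 R >> >> endobj\n"
            b"4 0 obj << /S /#4Aava#53cript /JS (app.alert('hi')) >> endobj\n"
            b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Length "
            + str(len(deflated)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + deflated + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    found = scan_pdf(build_sample_pdf())
    print(found, "-> suspicious" if is_suspicious(found) else "-> not flagged")
```

Run it against a real sample by reading the file bytes and passing them to scan_pdf; the counts alone are a triage signal, not a verdict, and a hit on /OpenAction plus /JS is the point at which the file deserves a look in a sandbox rather than a reader.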

Thanks Patrick.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI- Rogue Blog and anything else we think might be of interest.

This week we blogged about a phony offer on Facebook that led to a Trojan disguised as a photo; the FBI’s Internet Crime Complaint Center notice about criminals using job applications for spear phishing; Twitter “free iPhone” spam, possibly from hacked accounts, that led to “sweepstakes” and “survey” sites; and two rogues: WindowsUtilityTool and WindowsScan.

Tom Kelchner

Phony Facebook Photos lead to malware

This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content.

Typically, the scam involves sending messages to Facebook users from compromised accounts similar to this one:

rogue app link
For those of you with images switched off (and that probably isn’t good where my writeups are concerned, as I tend to stuff each one with a million of the things), the message reads: “Foto 😀 apps(dot)facebook(dot)com/photobf/index(dot)php”.

Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more “Foto” related spam and the whole process begins again.

Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications. Either way, regardless of how the link is delivered the end-user will find themselves on a page containing nothing but a tantalising message regarding their photo hunt.

Click here to download nasty things

Yes, unfortunately the photo the end-user is trying to view “has been moved”. Never fear, clicking the “View Photo” button will reveal a photograph. Right?

Actually, no. The end-user is asked to download a file claiming to be an image.

Uh oh...

Well, that seems suspicious. I wonder what happens if we ask Windows to stop hiding default file extensions…

Don't hide those extensions

Spot the difference

You know, I think we rumbled their cunning plan. Infections spamming out malicious links aren’t anything new (in fact, the filename used here pops up at least as far back as 2009!) but people will still fall for it, so it pays to be on your guard.

So far, postings on the web indicate the following app pages were involved (all of which are now deactivated):

apps(dot)facebook(dot)com/bestfunnypicever
apps(dot)facebook(dot)com/costumphotos
apps(dot)facebook(dot)com/photobf
apps(dot)facebook(dot)com/hahahahahahh

The good news is that many of the compromised websites hosting the infection file are being taken offline, Facebook are shutting down rogue application pages quickly and the VirusTotal score is coming along nicely with a 32/43 detection rate – we detect this one as Trojan.Win32.Generic.pak!cobra.

Let’s hope decent detection rates along with a growing awareness that random photo viewing requests may not be what they seem will put this one out to pasture for good.

Christopher Boyd

Facebook scam: Free cellphone recharge

This seems to be circulating through the Facebook pages of people with Indian names. Clicking on the numerous Facebook “like” mechanisms would of course spread this thing pretty quickly.

The whois information for the connected web site shows it was set up last week with a service provider in Delhi.



Sharing it and “liking” all the buttons on the page results in lots of stuff being sent to your friends, such as:

Which, of course, they can share (spam) with their friends:

The collection includes one of those “who’s spying on you?” scams.

And a great toolbar for “Bible enthusiasts”, installed by a Trojan:

Tom Kelchner

Feel free to nominate VIPRE or VIPRE Enterprise


If you are enthusiastic about VIPRE, you might consider nominating it in About.com’s 2011 Readers’ Choice Awards.


The awards will highlight the best products, features and services in categories including technology, hobbies and parenting. About.com will accept nominations from Jan. 13 to Feb. 4 at 11:59 p.m. (Eastern). Nominees will be named Feb. 11 and winners will be announced March 15.

About.com gives no prizes, “…just the bragging rights that come with getting recognized by the readers of one of the biggest networks on the web,” they said.

Tom Kelchner

Potty humor: Google TISP service (beta)


Our rogue researcher (and that’s “rogue” in all senses of the word) Patrick Jordan found this over the weekend. We’re not sure how.

Somebody — hopefully with legitimate site access — appears to be having some fun with some potty humor:



It has a discussion forum too:
 

Thanks Patrick

Tom Kelchner

Update:

We just discovered that this was a Google April Fools Day joke some years ago. They apparently have a history of jokes like this.

Malware being sent in job applications

Spear phishing aimed at HR

The Internet Crime Complaint Center (IC3) is reporting that businesses have received Bredolab variants in email attachments masquerading as job applications.

“Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release.

They also said: “The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.”

It’s called “spear phishing”: malicious code sent specifically to someone in a company who would be expecting that type of email (job applications as attachments, in this case).

One giveaway that you have received something like this is an email attachment with an “.exe” extension when you were expecting a document format.
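Both the “photo” that is really an .exe (the Facebook scam above) and a job application that arrives as an .exe come down to the same check: look at the extension Windows will actually act on, not the one Explorer shows when “Hide extensions for known file types” is on. The following is an added example, not code from either post; the filenames are constructed (the campaign’s real filename is not reproduced), and the attachment_allowed rule with its expected-extension set is an assumption about how an HR mailbox filter might be written. It also covers two related tricks the posts do not mention: a run of spaces that pushes the real extension out of view, and the Unicode right-to-left override that makes a name render backwards.

```python
"""Judge a filename the way Windows treats it, not the way Explorer shows it.
Added example; sample names are constructed."""
import re

# Extensions that execute (or launch a script host) on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "lnk", "cpl", "ps1"}
# Extensions a victim expects from a photo or a job application.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx",
              "rtf", "txt", "xls", "xlsx", "zip"}
# Unicode bidi controls: U+202E (RLO) makes "resume\u202efdp.exe" display as
# "resumeexe.pdf" while the real extension stays .exe.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def real_extension(name):
    """Windows picks the handler from the text after the LAST dot, nothing else."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def displayed_name(name):
    """Approximation of Explorer with extensions hidden (the default):
    the final extension is simply not shown."""
    return name.rsplit(".", 1)[0] if "." in name else name


def analyse_filename(name):
    """Return the real extension, what the user sees, and why it looks wrong."""
    flags = []
    ext = real_extension(name)
    shown = displayed_name(name)
    if any(ch in BIDI_CONTROLS for ch in name):
        flags.append("bidi-override")
    if ext in EXECUTABLE_EXTS:
        flags.append("executable")
        # A decoy extension left visible once the real one is hidden, allowing
        # for a run of spaces used to push ".exe" out of a narrow column.
        decoy = re.search(r"\.([A-Za-z0-9]+)\s*$", shown)
        if decoy and decoy.group(1).lower() in DECOY_EXTS:
            flags.append("double-extension")
        if shown != shown.rstrip():
            flags.append("padded-name")
    return {"name": name, "real_ext": ext, "shown_as": shown, "flags": flags}


def attachment_allowed(name, expected_exts):
    """Assumed gateway rule for the HR mailbox case: judge the attachment by
    its real extension against what that mailbox expects, and reject
    anything that raised a flag."""
    report = analyse_filename(name)
    return report["real_ext"] in expected_exts and not report["flags"]


if __name__ == "__main__":
    for sample in ("IMG_00123.jpg.exe", "photo.jpg          .exe",
                   "resume\u202efdp.exe", "holiday.jpg"):
        print(analyse_filename(sample))
```

The same logic applies to a download prompt in the browser: what the dialog shows is the displayed name, and the real extension is what decides whether a double-click opens a picture viewer or runs a program.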

Tom Kelchner

Bit.ly is filtering “free iPhone” Twitter spam URLs

URL-shortening site Bit.ly appears to be effectively filtering the links in what remains of the “free iPhone” spam surge on Twitter. Also, the number of spammed Tweets is far lower today than yesterday when we found a rate of over 1,300 per hour.

It is not known why the thousands of Twitter accounts are sending out the spam, but we found at least one Twitter user yesterday complaining about his account or machine being hacked.

 


Those who received the Tweets and followed the links were taken to pages on Adserve (dot) rewards-confirmation (dot) com or progressiveemail (dot) com that offered a “Free Apple iPhone 4G.” However, “testing & participation required.”

 
Visitors were then required to take a survey.

And then go through 20 screens of offers for subscription services.

And then see more screens of offers.

Subscribing to the required nine of them would probably cost you much more than an iPhone.



Although there was no evidence of malware on the vast number of pages, the process does require you to enter your name, address and phone numbers.

Tom Kelchner

Tsunami of “free iPhone” Tweets continues

A wave of Twitter posts advertising a “free iPhone” continues today at the rate of about 1,300 Tweets per hour. They lead to sites that require visitors to purchase any of a variety of subscription services in order to get the “gift.”

At least one Twitter user seemed to believe that his account had been hacked.

The vast spam run pumps out Tweets with URLs shortened by the Bit.ly shortening site that lead to sites including:

— Sweepstakes (dot) com
— BiggestGiftRewards (dot) com
— Rewards-Confirmation (dot) com
— FreeBrandProducts (dot) com



Trying to navigate away from the pages results in a pop-up window asking if you are “sure” you want to move away from the page. Clicking “OK” merely takes you to another page (Sweepstakes, above).



The rules of the game also include:

“By clicking Continue, I have read and agree to Sweepstakes.com’s Official Rules, Privacy Policy and Terms & Conditions which includes providing my signature expressly requesting a return phone call from Sweepstakes.com and SMS texts (std msg rates may apply).”

The huge spam run could be the work of affiliates. Clicks on the sites are being monitored:



A check of the Twitter accounts some of the spam was sent from shows that some appear to have been used only to send spam (including some in December). Other accounts appear to have sent normal chatter with the “free iPhone” spam sent as well.
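One way to turn that observation into a repeatable check, as an added example rather than anything the authors ran: group tweets by where their shortened link lands (not by the bait text, which changes), bucket the campaign by hour to get a rate like the 1,300-per-hour figure above, and separate accounts that only ever spam from accounts that mix the spam with normal chatter, the ones more likely to be compromised rather than throwaway. The tweets, account names and short-link targets in the block are constructed; resolving real short links would need HEAD requests or the shortener’s expand API, which this offline example replaces with a fixed map.

```python
"""Split a batch of tweets into a spam run and sort the sending accounts.
Added example; all tweets and link targets below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

SHORT_URL_RE = re.compile(r"https?://bit\.ly/\S+")

# Constructed sample. Fields: UTC timestamp, account, tweet text (tab-separated).
SAMPLE_TWEETS = """\
2011-01-26T14:02:11Z\tjane_doe\tcoffee then meetings, ugh
2011-01-26T14:05:40Z\tjane_doe\tI just won a free iphone http://bit.ly/cons1a
2011-01-26T14:06:02Z\tprizebot77\tI just won a free iphone http://bit.ly/cons1a
2011-01-26T14:06:30Z\tprizebot77\tFree Apple iPhone 4G! http://bit.ly/cons2b
2011-01-26T14:07:55Z\tbob_r\tpatching servers tonight
2011-01-26T14:09:10Z\tbob_r\tI just won a free iphone and ipad http://bit.ly/cons2b
2011-01-26T14:33:00Z\twinner_x_99\tFree Apple iPhone 4G! http://bit.ly/cons1a
2011-01-26T14:41:19Z\tjane_doe\tback from lunch
2011-01-26T15:02:44Z\tprizebot77\tI just won a free iphone http://bit.ly/cons1a
"""

# Constructed: where each short link landed. In practice, fill this by
# following redirects or using the shortener's expand API.
LANDING = {
    "http://bit.ly/cons1a": "rewards-confirmation.com",
    "http://bit.ly/cons2b": "sweepstakes.com",
}
CAMPAIGN_DOMAINS = {"rewards-confirmation.com", "sweepstakes.com"}


def parse_tweets(text):
    rows = []
    for line in text.splitlines():
        ts, user, body = line.split("\t", 2)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, body))
    return rows


def is_campaign_tweet(body):
    """Judge by the landing domain, not the bait text: the wording varies,
    the affiliate destinations do not."""
    return any(LANDING.get(url) in CAMPAIGN_DOMAINS
               for url in SHORT_URL_RE.findall(body))


def tweets_per_hour(rows):
    """Campaign volume bucketed by hour, the figure quoted in the posts."""
    buckets = defaultdict(int)
    for ts, _, body in rows:
        if is_campaign_tweet(body):
            buckets[ts.strftime("%Y-%m-%dT%H")] += 1
    return dict(buckets)


def classify_accounts(rows):
    """spam-only: every tweet is campaign traffic (a throwaway account).
    mixed: campaign tweets among ordinary ones (a likely hijacked user).
    clean: no campaign traffic at all."""
    counts = defaultdict(lambda: [0, 0])
    for _, user, body in rows:
        counts[user][0 if is_campaign_tweet(body) else 1] += 1
    verdict = {}
    for user, (spam, other) in counts.items():
        if spam == 0:
            verdict[user] = "clean"
        elif other == 0:
            verdict[user] = "spam-only"
        else:
            verdict[user] = "mixed"
    return verdict


if __name__ == "__main__":
    rows = parse_tweets(SAMPLE_TWEETS)
    print(tweets_per_hour(rows))
    print(classify_accounts(rows))
```

The “mixed” bucket is where the abuse team should look first: those users need a password reset and an application-permission review, while the spam-only accounts can simply be suspended.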

At least one Twitter user appeared to know that his account had been hacked:


Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI- Rogue Blog and anything else we think might be of interest.

This week we blogged about Twitter spam, Facebook scams, a pay-for-Skype scam, a two-for-one scam that downloaded the WindowsSystemOptimizator rogue and 2GCash, an FDIC phishing warning and the Bamital file infector.

Tom Kelchner

Q.: When is a file download site not a download site?

A.: When it’s a toolbar installer

The any-load.com site, and there are about a dozen more like it out there, presents itself as a peer-to-peer network with almost 120 million files for your downloading pleasure. It doesn’t really do that though.

We took it for a spin looking for some tunes by Bruno Mars:



Our first hint that all was not as it appeared was that VIPRE blocked the downloader.



So we turned off VIPRE to check the rest of the any-load.com schtick. Notice that the “quick download” radio button is selected on the download screen by default:


When we clicked the “advanced download” radio button, it gave us a list of what the site was really up to: installing the WebBlog toolbar.


In whatever browser you’re running apparently:

 


Oh, and the file we downloaded? It’s an mp3 file, all right, but there’s nothing in it.



The license agreement is a gem of doublespeak too:

“3. The MultiLoad Technologies.
    1. Downloading and Updates.
    MultiLoad downloads only those files that are both authorized by you for download (specifically or by category or subscription).”

Thanks Patrick.

Tom Kelchner

Huge malicious twitter run blocked


Alert reader Janne sent us a tip on this one.

Apparently there was a huge surge of Twitter spam this morning (“I just won a free iphone and ipad”) that contained a shortened URL to a malicious site. Those who clicked on it retweeted the message. It looked like a LOT of Twitter users fell for it.



Bit.ly has blocked the shortened URL, and the destination site itself has also been blocked.

Whois shows it was registered in Singapore by a Mr. “Repeated Monotony.”

 
Thanks Janne.

Tom Kelchner

Runescape phisher asks for new hires

The site I’m going to write about today has apparently already been shut down for abuse, but the content seems good fodder for a “cut and paste” campaign so let’s take a look at the smouldering corpse anyway.

Runescape is the name of the game, and tricking people into thinking they could be part of a “Runescape player moderator” group made to “celebrate the Summer” is the scam at hand (you can see their first mistake there, then). The redirection URL used for this one is (was) freerunescapemod(dot)tk.

Everything is based around distracting the end-user with a few meaningless checkboxes and a survey to establish if they’re worthy of taking the reins:

opening ramble

survey

It all sounds very impressive: “I have never been muted for advertising”, “I have reported at least 5 spammers”, “I have never been banned for scamming” and so on. All meaningless, of course.

fake login

The fake login looks very nice, but regardless of what you type the next thing you’ll see onscreen is this:

You've logged in, except you haven't

Yes, my “login was successful” even though I typed complete nonsense into the form. After a few moments, everything appears to be coming up Milhouse:

“Your Player Moderator Application has been successfully submitted.

Our staff will review it and notify you if you are accepted through message centre.”

As you’re no doubt aware, anything “coming up Milhouse” should be taken with a grain of salt. In this case, about ten sackfuls of the stuff.

One humorous note to close on – I’m not sure how many victims this scam hoped to pull in, because instead of setting the redirection URL to send victims directly to the survey, they did this:

Whoops

“Ultimate Mod Phisher”? Looks like the scammers were having a Milhouse moment too. There seem to be a couple of these sites out there (most notably runescapemoderator2011(dot)tk, which is also currently offline) asking for player mods, so don’t be taken in by random Jagex recruitment campaigns.

Christopher Boyd

Latest FB scam: see your “total profile views”

Today alert reader Matthew drew our attention to this one. It’s yet one more of the Facebook application scams: “My total Facebook views are…” It’s pretty good social engineering. Who wouldn’t want to know how many people have viewed their Facebook profile?


If you search for it on Openbook, it’s obvious that this is a hard-coded number in the message that is being spammed out. The choices are:

3187
4353
5714
6126
8578
9821


And, of course it wants to spam itself out from your account:



It’s another affiliate scam leading to the same tired list of offers. Judging by the grammar, it’s obviously from someone who is not a native speaker of English.



There is more than one of these running.



In this one, we checked the source code and found a URL that showed you what was behind the “verification” screen. So, if you signed up for one of the services advertised and spent some money, this is what you would get:



Looking in the source code you can figure out how they arrived at the 384 figure: a little piece of JavaScript provides you with a random number less than 7,000.



Thanks Matthew.

Tom Kelchner