Month: March 2011

Taken was indeed an excellent film; no doubt Liam Neeson spends most of his time blowing up half of Europe in Unknown, too.

In fact, here he is now looking for all the World like he’s about to lay the smackdown on another collection of hapless European criminals:

Yeah, people are going to die.

Unfortunately, death-dealing might have to be put on hold. Clicking on any of the numerous links promoting showings of Unknown via see-it-free(dot)com on Twitter (or any of the other movies referenced, for that matter) won’t give you cinematic views of Liam Neeson punching the Eiffel Tower while half of Paris burns.

In fact, clicking the “Buy this poster” link won’t even give you a cool poster (it takes you to a Giant Chinchilla plastic exercise ball on Amazon. Who knew).

What you will end up with, is bingo surveys.

AND LOTS OF ‘EM.

“I wonder if a total lack of content will be your reward for filling in yet another useless survey”, I hear you cry.

You could say that:

It seems Liam has already killed everyone in sight and had his movie taken down for good measure. While that’s certainly an admirable trait, it doesn’t help anybody who filled in an offer for free iPads / bingo games / celebrity surveys / horoscopes or anything else that tends to pop up on these information hungry content gateways.

Remember: he might not have money, but what he does have is a particular set of surveys; surveys acquired over a long career. Surveys that make him a nightmare for people like you…

Christopher Boyd

Thanks to Matthew for sending this one over.

There’s a nasty round of Facebook app pages dabbling in Javascript shenanigans to spam Acai Berry diet pages on your profile walls. Simply visiting these pages while logged in is enough to post some spam, most of the pages involved promising (surprise, surprise) a video to watch:

Click to Enlarge

If you try to navigate away from the above app page, a message will pop up claiming you’re about to “corrupt the Flash install”. Total nonsense, but it’s just enough to result in something like the below being posted to your profile:

Click to Enlarge

“I am living proof that this works”, claims the “facebook sponsored weight loss product”. No sign of anyone yelling “Beefcake, Beefcake” but let’s dispense with the South Park references and see where the spam link leads to:

Click to Enlarge

Oh look, a fake news site touting logos from various news sources. Needless to say, you don’t want to be handing over any money for the above. Though the code in the below screenshot may look like a load of tech related jibber-jabber, you can still see many pieces of text used for the various spam messages:

Spam messages will also be sent out in both wall postings and facebook chat that look like this:

“Hey, What the hell are you doing in this video? Is this dancing or what?? Bahahah”

You can see that in the above screenshot, too (look near the bottom of the code). If you don’t want to strain your eyes, here it is in action:

There appears to be one main domain for this, franebook(dot)com (although it’s currently serving up 404 errors) and many of the related application pages also appear to have been taken down by facebook. apps(dot)facebook(dot)com/bergamoleyra/ and apps(dot)facebook(dot)com/hellenismkpmga/ are both giving “page not found” messages, although there seems to be a number of app pages still live and redirecting to the Acai berry spam sites.

As always, be careful what you’re clicking on in facebook – random messages promising junk will usually give you just that (and perhaps a little more besides).

Christopher Boyd

A friend sent me this link, which is an interesting spin on the old “HMRC tax refund” scam – a fake HMRC claiming your bank wants to issue a refund instead.

Click to Enlarge

As you can see below, they have a large selection of banks to choose from (in keeping with more common phish attacks):

Click to Enlarge

Everybody from NatWest and HSBC to Santander and Halifax are in there. Most of the bank specific pages all ask for the same kind of personal information, but if one of the banks asks for something unique to them (such as a banking PIN or other security feature) the phishers have taken care to include those too. If your bank isn’t included, no problem: they have a generic “catch-all” page for you to sign up to years of identity theft and a couple of days worth of “Who bought all this stuff on iTunes”?

Here’s a sample of the information asked for on the Barclays page:

Click to Enlarge

Deep breath: name, address, phone number, email (and email password!), national insurance number, information related to your parents, how long you’ve lived at your address, employment status / income, your full card details (of course) and everything related to your online banking account.

I think “Ouch” is the word we’re looking for.

HMRC do not issue tax refunds by email, they most certainly do not have websites where banks want to issue you with refunds, and they also know how to spell “being” (take another look at that second screenshot).

Avoid like the plague.

Christopher Boyd

Changing some code in Firefox to make it store passwords without notification isn’t a particularly new trick; indeed, code to do just that has been around since at least 2009. What’s interesting is the appearance of malicious files automating the process – back in October, Webroot uncovered a file that used this technique to collect logins, while using added functionality to send the stolen details back to base.

Here’s a timely reminder to always be wary of public terminals, because we have another executable that forces Firefox to store logins locally while removing any notifications to the end-user:

Hitting the “Enable” button alters “nsLoginManagerPrompter.js”, replacing some bits of code and adding others like the Trojan-PWS-Nslog file from October did. At this point, the unwary user will log in without any “Do you want Firefox to remember this password” prompt and go about their merry business. The moment they leave, all the attacker has to do is access the same PC, go into Tools / Options / Saved Passwords and retrieve whatever has been stored there from the list of sites, usernames and passwords.

Unlike Trojan-PWS-Nslog, the executable we tested doesn’t appear to send the logins elsewhere – it’s a local threat only, which is better than nothing I suppose. If a public terminal seems a little insecure or you didn’t see a “save this password” prompt from Firefox, it might be a good idea to check if your logins have been stored. In all likelihood, they probably just have the “save passwords” feature disabled but better safe than sorry.

Detection rates on Virustotal at the moment are quite low – 8/43 – and we detect this as Backdoor.Win32.FFGrab.A.

Thanks to Adam Thomas and Francesco for additional research.

Christopher Boyd

A question from a security mailing list: “Is this some sort of phish”?

———- Forwarded message ———-
From: Adobe Incorporated
Date: 1 March 2011 01:33
Subject: Adobe Acrobat Reader latest version released ! Upgrade Available Now
To: —-

Dear —–,

Adobe is pleased to announce that a new version of Acrobat PDF Reader was released today with new features, options and improvements.

official-adobe-download(dot)org

What’s new in this version :

* Read, search, and share PDF files.
* Convert to PDF.
* Export and edit PDF files
* Add rich media to PDF files
* Combine files from multiple applications
* Increase productivity and process consistency
* Streamline document reviews
* Collect data with fillable PDF forms
* Protect PDF files and content
* Comply with PDF and accessibility standards

To get more and upgrade to this version, go to  :

official-adobe-download(dot)org

Start downloading the update right now and let us know what you think about it. We’re working on making Adobe Acrobat Reader better all the time !

Talk soon, The people at Adobe       

Copyright © 2011 Adobe Systems Incorporated. All rights reserved.

While this isn’t a phish in the sense that they aren’t asking for login details, they are trying to get some money by making it look like you need to pay to download Adobe Acrobat Reader (you don’t). This kind of thing has been around for a while, and is also popular where Skype is concerned too.

Steer clear.

Christopher Boyd