Google docs phishing

A hazard of cloud-based services is reputation hijacking: using the cover of a legitimate cloud service to do bad things. For example, you can’t block the domain “google.com”, because it has legitimate purposes. So a network administrator is left in a difficult quandary.

As an example, Google Docs (specifically, Spreadsheets) is a playpen for phishers. We have found a very large number of phishing sites built on Spreadsheets, most of them aimed at stealing credentials.

These phishing sites all use the ability of Google Spreadsheets to create forms. Google Forms have wonderful legitimate uses, such as letting teachers collect data from students, but the ease of creating one makes for a dangerous situation.

Since all of these forms carry the “formkey” parameter in their URL, finding them is trivial with a simple Google search for that parameter.
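The formkey parameter is also a handle for the network administrator who can’t block google.com outright: rather than blocking, log and flag the requests that carry it. The following is an added example, not code from the post. It scans proxy log lines (constructed for the example, in an assumed “timestamp client method url status” format) for Google-hosted URLs carrying formkey and separates viewing a form from submitting one, since the POST is the moment whatever the victim typed leaves the network. The host names and the formResponse path are assumptions about the Google Forms URLs of the time.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines for the example (not real traffic).
# Format assumed here: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2011-03-01T09:12:01Z 10.1.2.3 GET https://docs.google.com/document/d/abc123/edit 200
2011-03-01T09:12:07Z 10.1.2.3 GET https://spreadsheets.google.com/viewform?formkey=dEhEaXhZc0pXVk1Pc3MxZjY3bUJCWkE6MQ 200
2011-03-01T09:12:30Z 10.1.2.3 POST https://spreadsheets.google.com/formResponse?formkey=dEhEaXhZc0pXVk1Pc3MxZjY3bUJCWkE6MQ 200
2011-03-01T09:13:02Z 10.1.2.9 GET https://www.google.com/search?q=lunch 200
2011-03-01T09:14:11Z 10.1.2.9 GET https://evil.example/login?formkey=deadbeef 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$"
)

# Hosts that served Google Forms at the time of the post; an assumption for the example.
GOOGLE_FORM_HOSTS = {"spreadsheets.google.com", "docs.google.com"}


def classify_form_request(method, url):
    """Return 'submit', 'view' or None for one request.

    Only Google-hosted URLs carrying the formkey parameter count: a formkey on
    some other host is not a Google Form and is a different problem.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_FORM_HOSTS:
        return None
    if "formkey" not in parse_qs(parts.query):
        return None
    # A POST (or the formResponse endpoint) is the moment typed data leaves the network.
    if method == "POST" or parts.path.endswith("/formResponse"):
        return "submit"
    return "view"


def find_form_events(log_text):
    """Parse the log and return (client, kind, formkey) for each Google Form hit."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        kind = classify_form_request(m["method"], m["url"])
        if kind is None:
            continue
        formkey = parse_qs(urlsplit(m["url"]).query)["formkey"][0]
        events.append((m["client"], kind, formkey))
    return events


def clients_that_submitted(events):
    """Clients that posted data into a form: the ones to follow up on first."""
    return sorted({client for client, kind, _ in events if kind == "submit"})


if __name__ == "__main__":
    evs = find_form_events(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("submitted:", clients_that_submitted(evs))
```

The full URL of an HTTPS request is only visible to the proxy if it performs TLS inspection; without that, all you get is the hostname, which is exactly the thing you can’t block. Note that the formkey on evil.example is deliberately ignored: the point is Google-hosted forms, not the parameter name.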

Schools are a particular target, but it’s not limited to that area.

One area where this is especially popular is Indonesia, where these phishing forms are set up to steal credentials for various games. Gemscool (an Indonesian gaming site) is a particular target, notably for its Point Blank (PB) and Lost Saga games.

If it only takes a simple Google search to find these, one wonders why they aren’t being policed more aggressively. This is trivial stuff to find.

Alex Eckelberry
(With thanks to Sonny Discini)

Some Spam to Avoid…

I thought it might be useful to give examples of some of the spam we’re seeing drop into mailboxes instead of the nearest supernova. Without further ado…

1) “Facebook Survey Gift Invite”.

“You’ve been invited to participate in our short Facebook survey”, they say. Considerably shorter than they expected:

Let’s not and say we did.

2) An interesting attempt at sending users to a Paypal phish:

“Unfortunately, your recent transaction was declined because your PayPal account is currently restricted. PayPal may restrict accounts for a variety of reasons to prevent fraud and verify the identity of users.”

Yes, they want to play on your fears of having a restricted PayPal account to send you to a phish page located at zurl(dot)biz/www(dot)paypal(dot)com. Avoid.

3) World of Warcraft phish mails. The site in the example below is currently offline, but it’s a pretty standard (and popular) template.

“You’re trying to sell your account which is breaking the EULA, confirm you’re the original owner by visiting this link…”

As you’ve likely guessed, this is the last thing you should be doing.

That concludes our spam roundup. Stay safe…

Christopher Boyd

Earth Hour Section of WWF’s Philippine Site Defaced

WWF Philippines’ site is hacked by some Madoka (it’s an anime) fan. I don’t know whether to laugh or cry.

The above was the actual tweet, from a chain of retweets that reached my stream and got us (Chris and me) looking into this. This is the screenshot we captured:

The Earth Hour section seems back to normal now.

GMANews.TV has given us an interesting angle to chew on. According to them, the individual behind the WWF and Bureau of Customs Web page facelifts is one and the same, given the reference to the keyword “mahou shoujo”, a term for a sub-genre of Japanese anime and manga, found in both attacks. We can neither confirm nor deny this, but it is a good point to keep in mind.

You can read more about this story on this GMANews.TV Web page.

Other grueling stories of defacements in the GFILabs Blog:

Jovi Umawing

Thousands of Tumblr Logins Stolen in Phishing Attack

The past few days have seen a rather aggressive phishing attack targeting users of the popular microblogging service Tumblr. What started off as a strange (if rather basic) “click the link to see an advert” scam has become a phishing problem so bad that Tumblr now has a comprehensive dedicated autoreply for emails sent to its support team:

How does it work?

It’s a simple enough attack, luring Tumblr users with the promise of “hidden” pornographic content that requires entering login credentials to view. “This page contains adult content. Please revalidate your credentials”:

The pages involved all belong to regular Tumblr users who were compromised earlier. Once hijacked, their pages are converted into fake logins and then pushed out into the world by following regular Tumblr accounts. The phisher hopes those accounts will visit the fake login, enter their details and keep the cycle going.

What sites are involved?

A handful of domains have revealed themselves to be at the heart of this scam, domains which we’ve previously written about.

tumblriq(dot)com
tumblrlogin(dot)com
tumblrsecurity(dot)com

Tumblriq(dot)com was registered on the 15th of June to someone called “Jack Alimae”, and the other two domains were registered on the 25th to “Mike Alexander”. However, both sets of registrations use the same address, which suggests fake data was used somewhere down the line.

Tumblriq(dot)com started out on the 23rd of June serving up various adverts to users who clicked on compromised Tumblr accounts promoting a “Tumblr IQ Society”.

Not long after, the additional domains appeared and the full-scale phish invasion took things up a level, with compromised accounts serving a mixture of Tumblr-hosted text and credential submission forms hosted on free webhosting accounts. While many of the compromised Tumblr accounts wanted you to log in on the same page, many more redirected end users to the tumblrlogin(dot)com website.

If ever a scam page had a name that implied you should do the exact opposite of what it suggested, it would be that one. The problem has become so pervasive that regular Tumblr users are setting up dedicated anti-phishing sites to warn others. One of those sites pointed us to one of the dropzones used for the stolen logins, and the problem does indeed seem to be out of control at this point.

The data we saw ran to 8,200 lines of text across 304 pages of Microsoft Word; even allowing for the inevitable duplicates and fake entries, that’s quite the goldmine of pilfered login credentials.

There have been other data drops, but the scammers keep moving them around. We have of course notified Tumblr in relation to the hijacked accounts.

Why Tumblr?

What does somebody want with that many Tumblr logins? We can only guess. The stolen accounts could be used in some form of advert-affiliate money-making scam, or we could see lots of pages with survey popups pasted over them. There is also the very real possibility that the Tumblr accounts are simply a way to test whether those users log into other services with the same credentials; at that point, everything from email accounts to internet banking sites could be fair game.

At time of writing, none of the three .com domains resolves, although whack-a-mole has been going on with these sites for a few days now. They could well return at some point (indeed, one of the free-webhost phish pages is still alive despite countless reports to the host), and Tumblr users would do well to school themselves in the art of spotting phishing scams, and fast. These issues make the recent messaging spam run on Tumblr look like a very small drop in the ocean.

Christopher Boyd and Jovi Umawing

(Thanks to Steven Burn for takedown assistance and Antiphishing on Tumblr for their work in tracking the scammers).

More Phishy Tumblr Fun

Hey look, I have a new follower on Tumblr!

I can’t wait to see all their lolcats, spinny gifs and pictures of Batman. Let’s click the link and see what they have for me this ti-

…oh.

As you can see, their Tumblr account fires me off to a site called tumblrlogin(dot)com. You really don’t want to be logging in there, as the site is another “Login to see adult content” phishing scam.

It’s worth noting that the user account in question was perfectly normal not so long ago:

Don’t go onto the site and enter your credentials, or you could end up losing your account. Things could get very bad, very quickly if you use the same login details elsewhere.

Christopher Boyd

Steer clear of Tumblr hosted phish pages

If you’re a Tumblr user, be very wary of Tumblr user pages asking you to “Login to see Adult Content”. It’s a scam, and these pages are stealing your credentials.

“This page contains adult content. Please revalidate your credentials” is what the scam page will say, along with a login box pasted across the middle of the screen.

The big clue that you shouldn’t be logging in is where the login form lives: on a Tumblr user blog, randomusernamehere(dot)tumblr(dot)com for example, rather than on Tumblr’s own login page. You should ONLY ever log in on Tumblr(dot)com itself; anything else could give you a very bad hair day. A snapshot of some traffic once you enter your login details and hit the “scam me now, please” button:

Note tumblr(dot)p4o(dot)net, which shows up in that traffic. The site currently says “This Account may have reached its limit, is suspended or this domain no longer exists.” However, there seem to be quite a lot of these doing the rounds at the moment, so there’s a good chance live ones are still out there. Watch who you’re handing your login credentials to…
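The rule in the post (only log in on Tumblr’s own site) can be turned into a check. The following is an added example, not code from the post or from Tumblr: given the page a login form sits on and the form’s action attribute, it resolves where the credentials will actually be posted and judges both hosts. The list of legitimate hosts and the sample page/action pairs are constructed for the example; tumblr(dot)p4o(dot)net is the host seen in the traffic above, the paths are made up.

```python
from urllib.parse import urlsplit, urljoin

# Hosts on which entering Tumblr credentials is legitimate. Assumed for the example.
LEGIT_LOGIN_HOSTS = {"tumblr.com", "www.tumblr.com"}


def host_of(url):
    """Hostname of a URL, lower-cased, without a trailing dot.

    urlsplit discards any user:pass@ prefix, so "https://www.tumblr.com@evil.example/"
    correctly comes back as evil.example rather than www.tumblr.com.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_host(host):
    """Bucket a host: Tumblr itself, a user blog, a lookalike, or unrelated."""
    if host in LEGIT_LOGIN_HOSTS:
        return "tumblr"
    if host.endswith(".tumblr.com"):
        return "user-blog"   # randomusernamehere.tumblr.com: someone's blog, not the login page
    if "tumblr" in host:
        return "lookalike"   # tumblrlogin.com, tumblr.p4o.net, tumblr.com.evil.example
    return "other"


def credential_destination(page_url, form_action):
    """Where will a login form on page_url send what is typed into it?

    Returns (verdict, resolved_action_url). Only a form on Tumblr's own host
    that also posts back to Tumblr's own host is accepted.
    """
    target = urljoin(page_url, form_action)  # relative actions resolve against the page
    page_kind = classify_host(host_of(page_url))
    target_kind = classify_host(host_of(target))
    if page_kind == "tumblr" and target_kind == "tumblr":
        return "ok", target
    return f"phish-suspect: form on {page_kind} host posts to {target_kind} host", target


# Constructed page/action pairs for the example; the paths are made up.
SAMPLES = [
    ("https://www.tumblr.com/login", "/login"),
    ("http://randomusernamehere.tumblr.com/", "http://tumblr.p4o.net/submit"),
    ("http://tumblrlogin.com/", "post"),
    ("https://www.tumblr.com@evil.example/", "/login"),
]

if __name__ == "__main__":
    for page, action in SAMPLES:
        verdict, target = credential_destination(page, action)
        print(f"{page} -> {target}: {verdict}")
```

The second sample is the case in the screenshot: a form on a user blog posting to a lookalike host. The last sample shows why the check must use the parsed hostname and not a substring match on the URL: the real host there is evil.example.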

Christopher Boyd (thanks to Threat Researcher Jovi Umawing for finding this)

FBI brings down the hammer on scareware

$74 million in total losses? Yep, that’s how the scareware guys roll these days. Fortunately, law enforcement are getting to grips with these scams and have seized computers, servers and bank accounts as part of something called Operation Trident Tribunal. The FBI press release gives a great overview with a surprising amount of detail.

Congratulations on the bust – hopefully we’ll see a lot more of these as the year goes on…

Christopher Boyd

Steer clear of The Tumblr IQ Society

Hot on the heels of recent action taken by Tumblr to combat spammers, Tumblr users are currently a little annoyed by a curious spam run called “The Tumblr IQ Society”. Spam accounts are popping up all over the place with no actual Tumblr blog to speak of; their homepage is merely a collection of images stitched together to look like this:

Should you follow one of these users, this is what you’ll see in your dashboard:

Nice! Clicking the text link or the “start the quiz” button on the spamblogs takes you to tumblriq(dot)com, which appears to be a fairly standard ad serving website. Most of the time you’ll see an IQ test asking you for mobile phone numbers and subscriptions ($9.99 to $19.99 per month for this? I think you failed the test):

We’ve also been taken to a splash for the Cupid(dot)com dating site and generic iPhone offers. One Tumblr user ended up on a “Michael Jackson secret vault” – unfortunately our testing has so far been lacking in moonwalks.

Some users have also reported phishing and “script overlays” that hijack your own Tumblr and overlay it with the IQ test. However, all we’ve seen are generic adverts asking for money, and our test Tumblr is (so far) IQ-quiz free.

It seems Tumblr are aware of the problem:

“…they do know about the influx of spam regarding this, and that they have locked all accounts where this is coming from. He also says they are working on ways to stop future spamming attacks like this.”

At time of writing, there are still accounts out there asking you to join the “Tumblr IQ Society”, so there’s clearly still a bit of work to do. If you see any of these spamblogs floating around, report them to Tumblr Support – a guaranteed way to pass the Tumblr IQ Test.

Christopher Boyd

Froggy fun with Open Source Software

Here’s a site promising free open source software.

The site is called “FREEze Frog”, located – as you’ve probably guessed – at Freezefrog(dot)com. All sorts of awesome open source programs are available to download, like OpenOffice, 7Zip, Pidgin and more. As the site says, “No signups, no memberships and no tricks. Just point, click, and download the software you want…best of all, they’re all free.”

Free, with a side dish of “additional installs.”

Have at it, OpenOffice!

Wait, Appbundler on the what now?

Oh. To install this “sponsored version” of OpenOffice, you need to agree to the FREEze Frog offer engine and some (or all) of the following: ShopperReports, QuestScan and blinkx Beat. The site is brought to you by Pinball Corporation, the artist formerly known as Zango. I don’t think you get any added functionality in OpenOffice in return for installing this stuff, so you may be better off going to the official OpenOffice site and downloading it minus the freebies.

7Zip also came with bundled software; however, downloads for VLC Media Player and Pidgin timed out, so we can’t say for sure whether they also bundle. Seeing as we’re at it anyway, here are the official Pidgin, VLC and 7Zip websites.

Christopher Boyd (Thanks Matthew)

PokeTron

I have no idea what a shiny Rayquaza is, but apparently they’re quite hard to obtain in certain Pokemon titles. It seems hunting for Action Replay cheats to get one in Pokemon HeartGold could pop some rogue AV onto your desktop quicker than the time it takes Bill Cosby to say “Pokemon?! Pokemon with the Poke and the man and the thing with the guy comes out of the thing”.

Always wanted to quote that. Anyway: just a short heads up that looking for variations on the phrase “what’s the action replay code for a shiny Rayquaza in Pokemon Heart Gold” (hey, it must mean something to somebody) could well lead you into a world of rogue AV like this:

Some other searches to be wary of are those involving a “tron quorra tattoo”. If you don’t remember, Quorra is the one that looked a bit like Dora the Explorer. There are a lot of links floating around like this:

All the sites we checked were currently offline, or displaying “bandwidth exceeded” messages. However, there could well be more of these and it’s unlikely they’ve all been derezzed so be careful.

Christopher Boyd (Thanks Wendy)

A Tumbldown in Spam Links

“Questions cannot contain links?! – I tried to send a link to someone and Tumblr told me this. SINCE WHEN?!”

Since now, apparently. Tumblr has a feature where you can ask the blog owner a question on, well, anything you like. Depending on settings, the people asking the questions can be registered users or anonymous (something that Tumblr discourages you from doing in the options menu, as the potential for trolling, spam and abuse is high).

Check out Google for the phrase “questions cannot contain links Tumblr”:

People aren’t happy – you can no longer post links in questions to blog owners, and this also means you can’t post images in replies. Responding with animated gifs and static images is an established method of communication on regular Tumblr blog posts, and this hasn’t gone down too well with the userbase.

Why would Tumblr do this?

Well, it seems to be a response to one (or several) recent heavy duty spam attacks. For example, I turned on Anonymous questions on my own blog not so long ago, just to see what came through.

This is what came through.

Oh my, a random crush confession from a total stranger on the Internet! Posted anonymously! And there’s two of them!

People wouldn’t be silly enough to click this, right?

Right?

…oh. The link has been flying around both email and IM, with Tumblr taking the top “our website is under attack” spot.

Here’s a nice pie chart thing courtesy of Bit.ly:

Some 6,000 users from the US have clicked, the Philippines is in second place with just over 1,000, and Canada is battling it out with the UK for third place.

With regards Tumblr itself, this is where people are clicking it from:

This does, of course, mean that 300+ users are pretty much this guy:

Whoops.

There were a few of these links doing the rounds, the main one leading to a (now deleted) spam post on a forum. According to users there were Viagra spam links in circulation, but we can’t confirm this. Either way, it’s a large serving of spam which (presumably) has convinced Tumblr to wheel out the following “feature”:

While this may seem like a decent enough solution, getting around the link blocking is ludicrously simple, and all this may end up doing is restricting legitimate users while the spammers take all of ten seconds to work around the block.
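The post doesn’t say how Tumblr’s filter works, so the example below assumes the simplest kind: a pattern match on http:// and www. It is an added example, not Tumblr’s code or the post’s. It shows how such a filter is beaten by spelling a link with spaces, (dot) or [.], and what a filter has to do to catch those (normalise the common tricks first, then look for domain-like tokens ending in a known TLD). The TLD list and the sample messages are constructed for the example.

```python
import re
import unicodedata


def naive_link_filter(text):
    """Assumed simplistic filter: allows the message unless it contains an obvious link."""
    return not re.search(r"https?://|www\.", text, re.IGNORECASE)


# Common ways of writing a URL so that a pattern match on "http://" or "www." misses it.
# Order matters: "(dot)" becomes "." before the surrounding spaces are collapsed.
OBFUSCATIONS = [
    (r"\[\s*dot\s*\]|\(\s*dot\s*\)|\{\s*dot\s*\}|\s+dot\s+", "."),  # example (dot) com
    (r"\[\s*\.\s*\]|\(\s*\.\s*\)|\{\s*\.\s*\}", "."),               # example[.]com
    (r"hxxp(s?)", r"http\1"),                                       # hxxp://, the defanging convention
    (r"\s*\.\s*", "."),                                             # example . com
]

# Illustrative TLD list; a real filter would use the full public list.
TLDS = {"com", "net", "org", "info", "biz", "ly", "co", "nl"}
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*)\.([a-z]{2,})\b")


def normalize(text):
    """Fold the obfuscations above into plain dotted form; used only for detection, never for display."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = re.sub(r"[\u200b\u200c\u200d\ufeff]", "", text)  # zero-width characters hidden in words
    for pattern, replacement in OBFUSCATIONS:
        text = re.sub(pattern, replacement, text)
    return text


def find_links(text):
    """Return the domain-like tokens (with a known TLD) found after normalisation."""
    return [m.group(0) for m in DOMAIN_RE.finditer(normalize(text)) if m.group(2) in TLDS]


def robust_link_filter(text):
    """Allow the message only if no link survives normalisation."""
    return not find_links(text)


# Constructed messages: the first three are the spam pattern from the post, the last is ordinary chat.
SAMPLES = [
    "I have a crush on you, see who at bit . ly / abc123",
    "look at example (dot) com/crush",
    "hxxp://evil[.]biz",
    "hope you're well. see you soon",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{msg!r}: naive allows={naive_link_filter(msg)} robust allows={robust_link_filter(msg)} "
              f"links={find_links(msg)}")
```

The trade-off is the one the post points at: the stricter the normalisation, the more ordinary text trips it (collapsing “well. see” into “well.see” is harmless only because “see” is not a TLD), so a filter like this buys time rather than ending the arms race.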

It’ll be interesting to see how long this feature remains active…

Christopher Boyd

You…shall not…Multipass!

In this blog post: your favourite “get out of trouble” card now gets you into trouble.

What a concept!

Anyone familiar with The Fifth Element knows the Multipass is the quickest way to wriggle out of a tight spot – however, someone didn’t give the Rogue AV and useless offer guys the heads up.

A search for “multipass” in Google returns some image results alongside the text results, and the very first image (shown above) bounces you to a Rogue AV website:

Continuing with the install gives the user XP Internet Security 2012, which loves nothing better than covering your screen with popup boxes. It’s like 2007 all over again.

The VirusTotal score for this one is currently 9/42, and we catch it as Trojan.Win32.Generic.pak!cobra.

Other Multipass searches bring strange and unexpected surprises too.

Your view of the all important Multipass is almost ruined by a popup telling you that you’re “the H8 winner” (couldn’t make it up really, could you). At this point, you end up with a lovely collection of offers to ignore completely.

The attempt at inducing panic with a “countdown claim clock” is always appreciated, but let’s take a look at the iPad offer. I can only assume the question is for time travelers stuck in the past or the incurably stupid:

My. That is a brain bender.

Christopher Boyd (Thanks to Jovi for additional research)

Reblog to get a free zoo animal

Remember that “fake cancellation message that gets reblogged to infinity and beyond” on Tumblr from a few weeks ago? It seems to have returned, and in a particularly glorious form:

There will be no free giraffes.

As with the last fake message doing the rounds, this one links to a Tumblr Japan disaster donation post. Clearly people are too caught up in the excitement of naming their new giraffe to care.

As with the last scam / joke / jolly rotten wheeze, Tumblr only lets you comment if you reblog and add your message to the steadily growing pile. And as with last time, everybody is too busy mashing the Reblog button to bother reading about how this is yet another fakeout.

If you go back a few steps in the notes, you can see that this was actually another example of “Your blog will be killed until dead” spam, and some humorous individual changed it to “free giraffe” along the way. The first spamrun ended up with about 137,000 notes comprised of reblogs, comments and the odd person yelling that it was a fake.

It’ll be interesting to see how far this one goes (with or without the giraffe, but hopefully with) before someone at Tumblr pulls the plug – we’re currently at 60,000 notes and counting.

I now eagerly await the Tumblr staff dropping a giraffe off outside my house, preferably by helicopter because that’ll seriously impress the neighbours.

Christopher Boyd

FakeRean Comes of Age, Turns Hard-core

Avid readers of this blog can attest that we’ve been writing about FakeRean for, oh, quite a number of months now. In case you missed out on those posts or you no longer remember them, I have for you here a short list of what we’ve written about this rogue AV family so far:

FakeRean was first documented by Microsoft a couple of years ago. Like all rogue AV families, it displays fake scan results to users in an effort to dupe them into coughing up cash to register the software and supposedly clean their systems. This family also alters the infected system’s registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack the file association for executable (.EXE) files, so that it is launched, and reappears, every time any application is run.
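The .EXE association hijack is something you can check for directly in the registry. The following is an added example, not code from the post or from any vendor tool. It reads the .exe ProgID and that ProgID’s shell\open\command from the merged HKEY_CLASSES_ROOT view and from the per-user HKCU\Software\Classes override, and flags anything that differs from the stock values; those stock values (“exefile” and "%1" %*) are the assumption it rests on. The registry-reading functions only run on Windows; the assessment logic is plain Python and runs anywhere.

```python
import sys

# Stock Windows values, assumed for this example:
#   HKCR\.exe                        (Default) = "exefile"
#   HKCR\exefile\shell\open\command  (Default) = "%1" %*
EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'


def assess_exe_association(progid, open_command, per_user=False):
    """Judge one hive's .exe association. Returns a list of findings (empty = looks clean).

    progid       -- default value of <root>\\.exe, or None if the key is absent
    open_command -- default value of <root>\\<progid>\\shell\\open\\command, or None
    per_user     -- True when reading HKCU\\Software\\Classes, where the key is
                    normally absent, so its mere presence is worth reporting
    """
    findings = []
    if progid is None and open_command is None:
        # Nothing in this hive: normal for HKCU, alarming for the merged HKCR view.
        return [] if per_user else ["no .exe association found"]
    if per_user:
        findings.append("per-user .exe override present under HKCU\\Software\\Classes")
    if progid is None:
        findings.append("shell\\open\\command exists but .exe has no ProgID")
    elif progid.lower() != EXPECTED_PROGID:
        # A hijack can repoint .exe at a ProgID of its own instead of editing exefile.
        findings.append(f".exe mapped to unexpected ProgID {progid!r}")
    if open_command is None:
        findings.append("no shell\\open\\command for the .exe ProgID")
    elif open_command.strip() != EXPECTED_COMMAND:
        # Anything other than "%1" %* means some other program runs before every .exe.
        findings.append(f"open command rewritten: {open_command.strip()!r}")
    return findings


def read_exe_association(hive, root):
    """Windows only: return (progid, open_command) from one registry hive."""
    import winreg

    def default_value(path):
        try:
            with winreg.OpenKey(hive, path) as key:
                return winreg.QueryValue(key, None)  # the unnamed (Default) value
        except OSError:
            return None

    prefix = root + "\\" if root else ""
    progid = default_value(prefix + ".exe")
    command = default_value(prefix + progid + r"\shell\open\command") if progid else None
    return progid, command


def scan_local_machine():
    """Windows only: assess the effective (HKCR) and per-user (HKCU) .exe associations."""
    import winreg
    report = {}
    progid, cmd = read_exe_association(winreg.HKEY_CLASSES_ROOT, "")
    report["HKCR"] = assess_exe_association(progid, cmd)
    progid, cmd = read_exe_association(winreg.HKEY_CURRENT_USER, r"Software\Classes")
    report["HKCU"] = assess_exe_association(progid, cmd, per_user=True)
    return report


if __name__ == "__main__":
    if sys.platform != "win32":
        # Constructed values standing in for a hijacked machine, so the logic can be seen off-Windows.
        print(assess_exe_association("ah", '"C:\\Users\\victim\\AppData\\Local\\xyz.exe" -a "%1" %*'))
    else:
        for hive, findings in scan_local_machine().items():
            print(hive, findings or "clean")
```

Check HKCU as well as HKCR: a per-user Software\Classes\.exe entry takes precedence in the merged view for that user, needs no administrator rights to write, and is exactly where a rogue running as the logged-in user can reach.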

Our intrepid rogue AV hunter, Patrick Jordan, spotted new ways in which FakeRean is currently being distributed online, and by the looks of things the bad guys behind it have not only cast a wider net but also gone, erm, hard-core. Case in point:

The above page is found on SourceForge.net, a prominent repository of open-source software, as a user profile page. Of course, it doesn’t matter whether you’re 18 or not: whichever button you click, you get a free but malicious file to download and run on your system. That file is a PDF exploit which, once it runs, drops and installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen (v).

A simple search shows how widespread the problem is on that domain.

This SourceForge profile URL, along with some 100+ other Web page URLs, is listed on imonline(dot)nl(slash)ukabefijac.

Some of Jordan’s finds among these Web pages involve prominent domain names, which include (but are not limited to) the following:

  • Twitter
  • Flickr
  • Yahoo!
  • Scribd
  • TED
  • Formspring
  • Posterous
  • Box.Net

All URLs redirect via seoholding(dot)com. Fortunately, VIPRE users are already protected from this domain if they are accidentally diverted to it.

We advise Internet users to be careful when clicking image and text links online. Be extra careful, if not steer clear altogether, when visiting online profiles that look suspicious, whatever site hosts them.

Jovi Umawing (Thanks to Patrick for finding this and Chris for the assist)