MalwareTeks Blog » Scams


 27 Dec 2008 @ 5:24 PM 

*** DISCLAIMER ***

MalwareTeks is not affiliated with finallyfast.com, ascentive.com, or any of the products offered on the aforementioned sites.

MalwareTeks does not recommend the use of any product listed on the aforementioned websites and recommends that you immediately uninstall any product(s) downloaded and installed from the aforementioned sites.

*** DISCLAIMER ***

Chances are you have probably seen this commercial on TV. I nearly spit my coffee all over the keyboard of my brand new desktop when I heard the commercial, as it aired on the living room TV, the other day.

What others have to say about Spyware Striker Pro, just one product marketed by Ascentive:

StopBadware.org:

We find that Spyware Striker Pro is badware because it does not disclose the fact that it installs additional “Performance Center” software which is registered to run automatically at startup, and fails to remove this software when Spyware Striker Pro is uninstalled.

We currently recommend that users do not install Spyware Striker Pro, unless users are comfortable with the behaviors we have identified or until the application is updated to be consistent with the recommendations in this alert.

The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites:

ridiculous false positives; outrageous license terms; trial version uses outdated defs

MalwareBytes.org RogueNET:

Threat Level: Medium

Detection Statistics:
This object is 0.41% of all objects detected.
32,038 instances detected worldwide.

Description:
Spyware Striker Pro is a rogue antispyware utility that uses false positives to lure the user into buying the product. The creator of this software is not a trustful company. It also uses deceptive advertising on its website.

EMSI Software a-squared Malware-Info:

Name: Adware.Win32.Spyware Striker

Risklevel: Elevated Risk

SpywareSignatures:

Malware Name: Spyware Striker
Malware Type: Adware
Company Name: Ascentive
Company URL: http://www.ascentive.com/
Threat Level: Elevated Risk

McAfee SiteAdvisor: finallyfast.com

McAfee SiteAdvisor: ascentive.com

*** MalwareTeks Assessment ***

Threat Name: Spyware Striker Pro
Threat Type: Rogue Security Application
Threat Level: Elevated
Threat Description: Elevated threats typically install without adequate notice and consent, and may make unwanted changes to your system. Elevated threats may install additional advertising-related components, such as toolbars and/or search bars, or alter the Winsock Layered Service Provider chain. Such alterations may block or redirect your web searches, and can negatively impact your computer’s performance and stability. Elevated threats may also collect, transmit, and share potentially sensitive data without adequate notice and consent.

Symptoms:

  • Ridiculously high false positives
  • False positives work as goad to purchase
  • Outrageous licensing terms
  • Trial version uses outdated signatures

Complain to:
Malware Complaints: http://www.malwarecomplaints.info/

US Residents:
FTC Bureau of Consumer Protection: https://www.ftccomplaintassistant.gov/
FCC Consumer Complaints: http://esupport.fcc.gov/complaints.htm

Categories: Rogue Applications
Posted By: ShadowPuterDude
Last Edit: 27 Dec 2008 @ 05 24 PM


The volume of Internet junk mail plummets drastically when McColo Corp., a California-based hosting company, has its access to the Internet cut off by Internet providers.

Experts claim that McColo Corp., based in San Jose, California, was responsible for coordinating roughly 75% of all spam sent daily. On Tuesday, November 11th, e-mail security firm IronPort saw a drop of almost 2/3 of overall spam volume. While they were investigating what they thought might be a technical problem, it was discovered that a major spam network, McColo Corp., was shut down.

Related Stories
Major Source of Online Scams and Spams Knocked Offline
Host of Internet Spam Groups is Cut Off
Spam Volumes Drop by Two-Thirds After Firm Goes Offline

Categories: Internet
Posted By: ShadowPuterDude
Last Edit: 12 Nov 2008 @ 04 17 PM


By Dan Goodin in San Francisco
26 Mar 2008 00:56

Washington state cracks down

The alleged supplier of some of the net’s most hated malware titles has been sued by Washington state’s attorney general.

Ron Cooke, the owner of Scottsdale, Arizona-based Messenger Solutions, stands accused of violating Washington’s Computer Spyware Act and Consumer Protection Act for marketing programs that went under names including WinAntiVirus Pro 2007, System Doctor, WinAntiSpyware and Messenger Blocker.

According to a complaint filed Tuesday in Washington state court, the company caused some people surfing the net to receive a torrent of pop-ups that advertised porn links and other sketchy sites. The messages were sent through Windows Messenger Service, a feature in Windows that allows network administrators to send notices to users. (The service has been turned off by default since Microsoft pushed out Service Pack 2 for Windows XP, but evidently plenty of people still have it turned on for one reason or another.) [Read Entire Article at the Register]

Categories: Spyware
Posted By: ShadowPuterDude
Last Edit: 25 Mar 2008 @ 09 22 PM


The Department of Justice has recently become aware of fraudulent spam e-mail messages claiming to be from DOJ. Based upon complaints from the public, it is believed that the fraudulent messages are addressed “Dear Citizen.” The messages are believed to assert that the recipients or their businesses have been the subject of complaints filed with DOJ and also forwarded to the Internal Revenue Service. In addition, such email messages may provide a case number, and state that the complaint was “filled [sic] by Mr. Henry Stewart.” A DOJ logo may appear at the top of the email message or in an attached file. Finally, the message may include an attachment that supposedly contains a copy of the complaint and contact information for Mr. Stewart.

THESE EMAIL MESSAGES ARE A HOAX. DO NOT RESPOND.

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at www.ic3.gov.

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html

Reference: http://www.usdoj.gov/opa/pr/2007/June/07_crm_465.html

Categories: Uncategorized
Posted By: ShadowPuterDude
Last Edit: 30 Jun 2007 @ 07 43 PM

 05 May 2007 @ 9:28 AM 

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical - it’s really just another classic social-engineering attack. What makes it interesting is that the author…

Categories: Uncategorized
Posted By: ShadowPuterDude
Last Edit: 05 May 2007 @ 09 30 AM


Virginia Tech Tragedy May Spawn Phishing Sites

added April 17, 2007

In recent years, US-CERT has received reports of an increased number of phishing sites set up in the wake of tragedies and natural disasters. US-CERT reminds users to remain cautious when receiving unsolicited email that could be a potential phishing attempt.

Phishing emails may appear as requests for donations from a charitable organization asking the users to click on a link that will then take them to a fraudulent web site that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

  • Do not follow unsolicited web links received in email messages.
  • Contact your financial institution immediately if you believe your account and/or financial information has been compromised.
  • Verify the legitimacy of the email by contacting the company directly through a trusted contact number.
  • Visit the Anti-Phishing Working Group for more information on known phishing attacks.

For additional information regarding phishing, US-CERT recommends reading the following documents:

  1. Technical Trends in Phishing Attacks
  2. Recognizing and Avoiding Email Scams
  3. Avoiding Social Engineering and Phishing Attacks

Produced by US-CERT, a government organization.

Categories: Uncategorized
Posted By: ShadowPuterDude
Last Edit: 18 Apr 2007 @ 09 01 PM

 14 Jan 2007 @ 7:29 PM 

Here we have another in a long line of scams centered around MySpace. This time it is how to create a digital picture for your MySpace account without the use of a digital camera or scanner. This new technology uses your computer monitor. Oh boy, not that old joke, resurfacing as a scam.

Instantly develop a new MySpace picture without a digital camera or scanner!

A new camera technology has been released that can actually use your computer monitor to take a picture of you and your surroundings. This technology “dot-dithers” your screen to act as a camera receptacle. The beta website captures your image just as if you had the computer connected to a video cam.

Try it out!

Select the type of screen you are currently using…

LCD Monitor (thin flatscreen)
Traditional monitor (bulky)
Television
Laptop
None of the above
Not sure

Continue to Free Beta Site

ScreenShot #1
Camera Form

Cool, NOT!!! This all starts when you receive a Group Invite on MySpace from someone you absolutely don’t know, inviting you to join a group with a pretty vague name. Pretty typical fare for this type of scam. So, you’re just a little bit curious and click on the profile pic to take a peek. Bad move!!!

ScreenShot #2
MySpace Group

Just to satisfy your curiosity, here are the 2 images that make up the page. Yes, you can click on the Click Here image; it links to the animated gif on my server.

clickhere.gif
landscape.jpg

The Click Here image scrolls across the page; and you can click on either the background or the animated gif and be taken to the page (ScreenShot #1).

Group Details:
Group Name: Very very cool
Founded: Jan 14, 2007
Location: Las Vegas, Nevada - US
Members: 15

OK, so you clicked on the image and are taken to the comment form, and decided you don’t want to answer anything and hit the back button on the browser. So, you go back to the site that got you here, right? No, this is where you wind up.

Screenshot #3
Ringtone Page

Not exactly what you had in mind. Clicking the browser’s back button will get you caught in a vicious circle between the Comment form and this page. You’re getting pretty pissed after a few tries at backing out, aren’t you?

Examining the Page Source, it’s a straightforward redirect, with a countdown script. It says the offer expires in 300 seconds, and you can watch it count all the way down to 1 second and stop; it never actually counts down to 0.

Scrolling down the page reveals the company that is running this promotion “Top Quality Ringtones”, which is really Funmobile 8383 Limited; operating out of Shatin, Hong Kong. Viewing the bottom of the web page reveals the Terms and Conditions and links to the Privacy Policy, Contact information and opt out information.

Screenshot #4
Ringtone Page - Bottom

I don’t know about you, but I have no intention of giving these people my personal information and having my account charged $5.99 weekly or $9.99 monthly, depending on the cell phone provider. Who knows where my personal information will wind up. I do know that my cell phone inbox will fill up with Spam text messages, as well as my email inbox. Thanks, but no thanks.

Let’s move on to the really interesting stuff. I want to check out this new “dot-dithering” technology that can make my Monitor a camera. I just can’t contain myself. I’m always checking out new technology and finding ways of adopting it to enhance the user’s viewing experience (Sarcasm folks). So, let’s pick a monitor type and click through to the next page.

Screenshot #5
Camera Beta- Page 1
Screenshot #6
Camera Beta- Page 2

Trying to back out of this page using the browser’s back button will get you the Ringtones promotional page. Same stupid behavior.

OK, let’s take the picture. Make sure you look at the “twinkling” spot in the lens.

Screenshot #7
Camera Beta- Page 3

Yep, backing out of this page will get you the Ringtones promotional page.

Time to pick up my photo. By the way, I have been examining the page source for all the pages. To this point there have been no malicious scripts or “drive-by” install attempts on any of the pages.

Time to pick-up my photo. Wonder how it will turn out?

Screenshot #8
Camera Beta- Render Page
Screenshot #9
Camera Beta- Render Page pt2

They claim this is not a Phishing Scam

Please note, this is NOT a “phishing” page.

From examining the page source, it doesn’t appear that the email and password data is actually submitted anywhere. At least not from what I could tell. My advice is to err on the side of caution and not submit any personal data, including your MySpace login and password, on this site.

Notice the Terms of Use/Privacy Policy at the bottom of the page:

Terms of Use / Privacy Policy:

By filling out this form, you authorize us to spread the word about this funny site. You will enjoy your friends’ reactions and you will receive all of the credit. This is a harmless e-Card site looking to spread the laughter!

We do not share your private information with any third parties. We do not “SPAM” people with commercial messages nor do we collect any information to be used outside the scope of this free tell-a-friends promotion! This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here.

This page is not affiliated with or operated by MySpace(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may do a combination of the following based on your friends’ interest.
1. Temporarily access your MySpace account for the following purpose(s).
2. Post “magic camera” bulletins in the appropriate section.
3. Invite your friends to a “magic camera” group.
4. Invite your friends to a “magic camera” event.
5. Comment your “top” friends once about this “magic camera.”
6. Send one batch of “magic camera” messages on your behalf.
7. Create a small floating profile overlay (very cool!).
8. Introduce new entertaining sites.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

H’m they say it’s harmless and they are not “Phishing”; yet they ask for your MySpace Account info. This appears to actually be a phishing attempt, a poorly implemented phishing scam.

So, what does happen when I click the button labeled “Send To Friends”?

Screenshot #10
Rewards Page

Wow, I get a reward. I wonder what I get. Let’s find out. I type the word rewards into my browser navigation bar; hit enter. Here comes my reward.

Screenshot #3
Ringtone Page

Yep, same old tired Ringtone promotional page. Looks like they really want me to buy some ringtones. Filling in that page and submitting your information will get you what seems like an endless stream of promotional pages. If you like your Cellphone and email inboxes filling up with Spam; and someone other than you accessing your MySpace account; be my guest, fill in all those forms with your personal and sensitive information. As for me, no thanks not happening.

So, just how did I come across this site? Well, on Digg http://digg.com/security/Down_Pour_Net_The_latest_Myspace_password_scamh_wowh, I read the blog http://down-pour.net/wpblog/2007/01/14/the-latest-myspace-password-scam-wow/, and read Ivan’s rather intense profanity-filled tirade on his MySpace Blog WARNING: EXPLICIT LANGUAGE http://blog.myspace.com/ivanthepig. Dude, get a grip.

Both claim that this site/scam will inundate your computer with spyware. I found no evidence that this is the case. I found no malicious scripts, no “drive by” install attempts, no downloads. Nothing, nada, zilch, zip. No Spyware, Viruses, Trojans. No malware whatsoever.

What I did find is a scam site. A site that is designed to harvest email addresses, cell phone numbers, and what looks like a “phishing” attempt to obtain your MySpace account information.

Categories: Uncategorized
Posted By: ShadowPuterDude
Last Edit: 17 Jan 2007 @ 09 02 AM
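
The page-source checks described in the post above (timed redirects, countdown scripts, and where a login form actually sends its data) can be scripted. The following is an added example, not part of the original post and not the scam site's markup; the sample page, host names and the `triage` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SCRIPT_HINTS = ("location", "history", "setTimeout")  # navigation and timer calls
# Constructed sample page (not the scam site's markup); all hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="300;url=http://ringtones.example/offer">
<script>var left = 300; function tick() { if (left > 1) left--; setTimeout(tick, 1000); }</script>
</head><body>
<form method="post"><input name="email"><input type="password" name="pass"></form>
<form action="http://collector.example/save"><input type="password" name="pw"></form></body></html>"""

class PageTriage(HTMLParser):
    """Collect redirects, navigation scripts and password forms from page source."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host, []
        self._form, self._script = None, None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "script":
            self._script = []                      # start buffering script text
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form["password"] = True
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text, self._script = "".join(self._script), None
            hits = [h for h in SCRIPT_HINTS if h in text]
            if hits:
                self.findings.append(("script-nav", ",".join(hits)))
        elif tag == "form" and self._form:
            form, self._form = self._form, None
            if form["password"]:
                self.findings.append(("password-form", self._target(form["action"])))
    def _target(self, action):
        """Classify where the browser would send the credentials."""
        if not action:
            return "no-action"   # posts back to the page URL unless a script intervenes
        host = urlparse(action).hostname
        return "same-site" if host in (None, self.page_host) else "off-site:" + host

def triage(html, page_url):
    """Return (kind, detail) findings for one page, in document order."""
    parser = PageTriage(urlparse(page_url).hostname)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PAGE, "http://camera.example/render"):
        print(f"{kind:14} {detail}")
```

A `no-action` result only says the markup names no destination; a script on the page can still read the fields and send them elsewhere, so any `script-nav` hit still needs reading by hand.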
