Syrian Unrest Spurs Phishing Spell

Contributor: Avdhoot Patil

Phishers are known for incorporating current events into their phishing sites and never leaving any stone unturned. They are now capitalizing on the civil war in Syria. In December 2012, a phishing site spoofing a popular social networking site claimed to have a torture video of a prisoner in the Syrian prison, State Security Branch Khatib. Phishers compromised a legitimate domain based in the United Arab Emirates to host the phishing site. The phishing pages were in Arabic.

The title of the phishing site translated to “Liberal torture in the State Security Branch Khatib”. The site warned that the video contained scenes of violence and asked users for their permission before proceeding. Once permission had been granted, users were prompted to enter their login credentials, allegedly to confirm that they were over 18 years of age. After the credentials had been entered, the same phishing page simply reloaded; no video was ever shown, which is itself a sign that the credentials went to the attacker rather than to the spoofed site. Users who fell victim would have handed the phishers their login credentials for use in identity theft.

Figure 1. Video permission request

Figure 2. Login credentials prompt

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information, and check that the domain is actually the one you expect: the padlock only means the connection is encrypted, not that the site is genuine, and this campaign ran on a compromised legitimate domain
  • Keep your security software (such as Norton Internet Security 2012) up to date, since it protects you from online phishing
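As an added example (not part of the original post), here is a small Python check for the pattern this campaign used: a login form for one brand served from, and posting to, a domain the brand does not own. The HTML and all hostnames below are constructed placeholders, and the registrable-domain helper is a deliberate simplification of what a real tool would do with the public suffix list.

```python
# Added example, not from the original post: flag a credential form that is
# served from, or posts to, a domain other than the brand it imitates.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the described page: an age "confirmation"
# that asks for social-network credentials, hosted on a domain the brand
# does not own. All names are placeholders.
BRAND_DOMAIN = "social-network.example"            # the brand being imitated
SAMPLE_PAGE_URL = "http://www.compromised-site.example/video/index.php"
SAMPLE_HTML = """
<html><head><title>Liberal torture in the State Security Branch Khatib</title></head>
<body>
<p>This video contains scenes of violence. Log in to confirm you are over 18.</p>
<form method="post" action="login.php">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Log In">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                          # attribute values may be None
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Last two labels of a hostname. Enough for the placeholders here; a real
    tool should consult the public suffix list (e.g. co.uk has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def credential_forms(html, page_url):
    """Return (absolute action URL, named fields) for each form with a password field."""
    parser = _FormCollector()
    parser.feed(html)
    found = []
    for form in parser.forms:
        types = [t for t, _ in form["inputs"]]
        if "password" in types:
            # A relative action resolves against the page URL, so the form
            # posts to whatever host is actually serving the page.
            action = urljoin(page_url, form["action"] or page_url)
            found.append((action, [n for _, n in form["inputs"] if n]))
    return found


def phishing_indicators(html, page_url, brand_domain):
    """Return human-readable indicators; an empty list means nothing was flagged."""
    indicators = []
    page_host = urlsplit(page_url).hostname or ""
    if registrable_domain(page_host) != brand_domain:
        indicators.append(f"page served from {page_host}, not {brand_domain}")
    for action, _fields in credential_forms(html, page_url):
        parts = urlsplit(action)
        action_host = parts.hostname or ""
        if registrable_domain(action_host) != brand_domain:
            indicators.append(f"password form posts to {action_host}, not {brand_domain}")
        if parts.scheme != "https":
            indicators.append(f"password form posts over {parts.scheme}, not https")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_HTML, SAMPLE_PAGE_URL, BRAND_DOMAIN):
        print("FLAG:", line)
```

The https check is the weakest of the three: a compromised legitimate domain can carry a perfectly valid certificate, so a padlock alone says nothing about who receives the credentials. The host comparison is the check that would have caught this page.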

Trojan.Stabuniq Found on Financial Institution Servers

Contributor: Alan Neville

Almost a year ago we added detection for a low-prevalence Trojan found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home users' computers and computers at security firms. For easier identification and tracking we recently renamed this threat Trojan.Stabuniq.

Figure 1. Trojan.Stabuniq distribution by type

Approximately half of the unique IP addresses found with Trojan.Stabuniq belong to home users. Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the threat). A staggering 39 percent, however, belong to financial institutions. These institutions had their outer perimeter breached: the Trojan has been found on mail servers, firewalls, proxy servers, and gateways.

Trojan.Stabuniq has relied upon a combination of spam email and Web exploit kits to compromise computers. Over the past year, this threat has only been found in small numbers and has not been widespread, suggesting the authors may have been targeting specific people and entities. The approximate location of unique IP addresses where the Trojan has been found converges on the eastern half of the United States:

Figure 2. Trojan.Stabuniq geographic distribution by unique IP address

The Trojan collects information from the compromised computer and then sends it to a command-and-control (C&C) server. Additional technical details are available.

Overall, this Trojan has not infected many machines in the past year, is localized to the United States, and—given that close to 40 percent of its targets are financial institutions—at this stage we believe the malware authors may simply be gathering information.