Faux Cash Prize for Christmas

Contributor: Ayub Khan

Phishers consider special occasions as an opportunity to strike at end users and Christmas has always been a favorite for phishers to introduce new phishing baits. For this past Christmas, phishers created a phishing site pretending to be a popular payment system based in the USA. Phishers used a typosquatting domain hosted on servers based in the Netherlands.
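A typosquatting domain is the one indicator in this campaign a mail gateway or a user can check mechanically. The script below is an added example, not code from the original post: it screens candidate URLs against a protected brand by folding common look-alike substitutions (rn for m, 0 for o, 1 for l) and then measuring edit distance on the registrable label, and separately flags names that merely embed the brand in a longer hostname. The brand `examplepay.com` stands in for the payment brand the post redacts, and every URL in `SAMPLE_URLS` is constructed for illustration; the two-label registrable-domain rule is a simplification a real deployment would replace with the public suffix list.

```python
"""Typosquat screening for URLs found in holiday-themed phishing mail.

Added example, not code from the original post. The protected brand
'examplepay.com' stands in for the redacted payment brand, and every URL in
SAMPLE_URLS is constructed for illustration.
"""
from urllib.parse import urlsplit

BRAND = "examplepay.com"  # constructed stand-in for the impersonated brand

# Character swaps typosquatters lean on; both sides are folded before comparing
# so 'exarnplepay' (r+n for m) collapses onto 'examplepay'.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample input: what a mail gateway might extract from the lure.
SAMPLE_URLS = [
    "https://www.examplepay.com/login",
    "http://exarnplepay.com/verify",
    "http://exmaplepay.com/",
    "http://examplpay.com/",
    "http://examplepay-christmas-prize.net/",
    "http://secure.examplepay.com.evil-host.net/",
    "http://news.example.org/",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1 (a transposition is one typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fold(label: str) -> str:
    """Lower-case a DNS label and collapse look-alike character sequences."""
    s = label.lower()
    for pattern, replacement in FOLDS:
        s = s.replace(pattern, replacement)
    return s


def hostname_of(url: str) -> str:
    """Hostname of a URL, lower-cased, without a trailing dot or leading www."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable_label(host: str) -> str:
    """Label left of the TLD. Assumption: the last two labels form the
    registrable domain (a real deployment would consult the public suffix list)."""
    return host.split(".")[-2] if "." in host else host


def classify(url: str, brand: str = BRAND, max_distance: int = 2):
    """Return (verdict, edit_distance) for a URL against the protected brand."""
    host = hostname_of(url)
    if host == brand or host.endswith("." + brand):
        return "legitimate", 0
    brand_label = brand.split(".")[0]
    label = registrable_label(host)
    distance = osa_distance(fold(label), fold(brand_label))
    if distance <= max_distance:
        return "typosquat", distance          # near miss on the registrable label
    if brand_label in host.split(".") or brand_label in label:
        return "brand-in-hostname", distance  # brand buried inside a longer name
    return "unrelated", distance


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, distance = classify(url)
        print(f"{verdict:18} d={distance:<2} {url}")
```

The distance threshold of 2 is deliberately tight: a looser one starts matching unrelated short labels, while the separate brand-in-hostname rule catches the long "prize" style names that no edit-distance threshold would.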

The phishing site began by stating that the user had been chosen as the winner of a $400 cash prize. Users were told that ten winners were given the prize every year for Christmas. To receive the prize, visitors were prompted to enter the verification code they had received by email. The site's language is poor, as the misspelled “recieve” in the message shows.

Figure 1. Verification code request

On another phishing page, visitors were informed that they had won a prize doubling the balance of their payment system account. The procedure was similar to the preceding one: visitors were required to enter a verification code received by email. A fee of one cent was allegedly deducted to confirm that the account was active. The phishing site claimed that the offer would expire 24 hours after receipt of the email and that the account balance would double once the fee was paid.

Figure 2. Confirmation code request

The same type of phishing bait was used in the form of a contest survey as well. In this scam, the prizes mentioned were $1000 for first place, $500 for second, and $100 for third place. The survey questions on the phishing page were as follows:

  1. You are using [BRAND NAME] at least:
  • Once a day
  • Once a week
  • Once a month
  • Once a year
  2. You think [BRAND NAME] is:
  • Useful
  • Unuseful
  3. If you need to give a mark to our services, you give:
  • 1
  • 2
  • 3
  • 4
  • 5
  4. Have you ever used our Messaging service?
  • Yes
  • No
  5. Your impression (Optional)
  • [TEXT BOX]

After the responses were selected and submitted, the phishing site redirected to a participation acknowledgement page. Users were informed that they would be entered in the survey after paying a verification fee of one cent. The phishing site stated that the contest winners would be announced on a specific date. Users who fell for the site handed the phishers their information, to be used for financial gain.

Figure 3. Contest survey page

Figure 4. Survey participation acknowledgement

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Before entering personal or financial information, check that the website uses HTTPS (look for the padlock, ‘https’, or the green address bar), but treat this as a minimum: the padlock only shows that the connection is encrypted, not that the site is legitimate, so check the domain name itself as well
  • Keep your security software (such as Norton Internet Security) up to date; it helps protect you from phishing sites

Two US power plants infected with malware spread via USB drive

Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team.

Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to the organization's newsletter for October, November, and December of 2012. The authors didn't identify the owners of the facilities and there's no indication the infections resulted in injuries or equipment failures.

The incidents were reported earlier by Threat Post, and they are the latest to underscore the vulnerabilities posed by so-called supervisory control and data acquisition systems that aren't properly secured. SCADA and industrial control systems use computers to flip switches, turn dials, and manipulate other controls inside dams, power-generation plants, and other critical infrastructure. Computer malware that infects those systems can pose a threat by giving remote attackers the ability to sabotage sensitive equipment. Last year, a backdoor in a widely used piece of industrial software allowed hackers to illegally access a New Jersey company's internal heating and air-conditioning system.


Red October relied on Java exploit to infect PCs

Image caption: the PHP script that attackers behind the Red October espionage campaign used to exploit a critical vulnerability in Oracle's Java software framework.

Attackers behind a massive espionage malware campaign that went undetected for five years relied in part on a vulnerability in the widely deployed Java software framework to ensnare their victims, a security researcher said.

The unknown attackers infected computers operated by the Russian Federation, Iran, the US, and at least 36 other countries. They used highly targeted malware to collect what's believed to be hundreds of terabytes of sensitive data, according to researchers from antivirus provider Kaspersky Lab. The success of the covert operation is largely the result of malware and phishing e-mails that were highly customized for each victim.

Now, Aviv Raff, CTO of Israel-based Seculert, said he has uncovered a website used to infect some of the victims of Operation Red October (as the campaign has been dubbed). The website exploited a critical Java vulnerability identified as CVE-2011-3544, allowing the attackers to surreptitiously execute malicious code on visitors' computers. Although Oracle developers patched the bug in October of 2011, the malicious Java archive file was compiled the following February.
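The detail that matters for defenders is the gap between the October 2011 patch and the February 2012 compile date of the malicious archive: the campaign was counting on hosts that had not applied the update. The script below is an added example, not code from the page or from the researchers it quotes; it parses `java -version` banners and reports whether a runtime is still within reach of CVE-2011-3544. The fixed-version thresholds (Java SE 7 Update 1 and 6 Update 29) are taken from Oracle's October 2011 Critical Patch Update and are an assumption of this example, as is treating Java 5 and older installs as unpatched; the sample banner lines are constructed.

```python
"""Flag Java runtimes still within reach of CVE-2011-3544 from `java -version` text.

Added example, not code from the page or from the researchers it quotes. The
fixed-version thresholds (Java SE 7 Update 1 and 6 Update 29) are taken from
Oracle's October 2011 Critical Patch Update and are an assumption of this
example, as is treating Java 5 and older as unpatched; the sample banner
lines are constructed.
"""
import re
import subprocess

# First update in each family that carries the fix (assumed from the Oct 2011 CPU).
FIXED_UPDATE = {6: 29, 7: 1}

# Legacy strings: java version "1.6.0_26"  /  openjdk version "1.7.0_03"  /  "1.7.0"
LEGACY_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')
# Post-JEP-223 strings: openjdk version "11.0.2"
MODERN_RE = re.compile(r'version "(\d+)(?:\.\d+)*')

# Constructed sample output, as `java -version` writes it to stderr.
SAMPLE_BANNERS = [
    'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)',
    'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)',
    'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)',
    'openjdk version "1.7.0_03"\nOpenJDK Runtime Environment',
    'openjdk version "11.0.2" 2019-01-15',
    'bash: java: command not found',
]


def parse_version(output: str):
    """Return (family, update) from java -version output, or None if no banner."""
    m = LEGACY_RE.search(output)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)  # no _NN suffix means GA, update 0
    m = MODERN_RE.search(output)
    if m:
        return int(m.group(1)), 0
    return None


def assess(output: str) -> str:
    """'vulnerable', 'patched' or 'unknown' with respect to CVE-2011-3544."""
    parsed = parse_version(output)
    if parsed is None:
        return "unknown"        # no banner: needs a manual look
    family, update = parsed
    if family < 6:
        return "vulnerable"     # assumption: Java 5 / 1.4.2 installs treated as unpatched
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "patched"        # Java 8 and later shipped after the fix
    return "vulnerable" if update < fixed else "patched"


def assess_local_java() -> str:
    """Run the installed java binary and assess its banner (stderr carries it)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{assess(banner):10} <- {banner.splitlines()[0]}")
    print("local java:", assess_local_java())
```

The banner goes to stderr rather than stdout, which is why `assess_local_java` concatenates both streams; an inventory script that only reads stdout will silently report every host as unknown.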
