Symantec Protection for Targeted Attacks in South Asia

ESET recently blogged about a targeted cyberespionage attack that appears to originate from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), the attackers are focusing on targets located in Pakistan, specifically government agencies.


Figure 1. Telemetry data focused on South Asia

The identified infection vector of this campaign is spear phishing emails with malicious files attached. We’ve observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

Once exploited, the documents will drop malware that is used to steal information from the targets and send it back to the attackers’ servers.

Symantec products detect the spear phishing Word documents as Trojan.Mdropper and the dropped files as Downloader and Infostealer.

Users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.

To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.

Spam Campaigns Take to Tumblr

As the urban legend goes, the bank robber Willie Sutton was asked why he robbed banks. “Because that’s where the money is,” he is said to have replied. While Sutton himself later disowned the statement, the idea resonates with many people, to the extent that it has been used to describe principles in accounting and even medicine.

This principle also holds true in the world of Internet security. In the latest version of the Internet Security Threat Report we discussed the major trends in the spam world, where the proportion of email that is spam continues to decline while more and more social networks are being targeted. Given the growth of social networking in recent years as a means to communicate, this comes as no surprise—it’s where the users are.

We’ve previously talked about how scammers are not only going after users on the most well-known social networks, as they have for years, but have begun targeting users on other networks, such as Instagram and Pinterest. Another popular social network has recently found itself in the spammers’ crosshairs: the growing popularity of Tumblr, particularly with younger Internet users, has drawn their attention as well.

We’ve come across a spam campaign that is utilizing a feature on Tumblr similar to the type of commenting you might see on blogs or other social networks. Tumblr calls this feature “Ask,” where your followers can ask you questions, which can appear on your Tumblr blog. The feature is disabled by default, but you can enable it in your account settings and even allow anonymous comments. Spammers are attempting to take advantage of this feature to peddle their wares.

“WOW, I just lost a bunch of weight using the OFFICIAL TUMBLR DIET!! Are u using it as well? Check it out at [REMOVED][d0t]com”


Figure 1. Spam message utilizing Tumblr's Ask feature

Clearly, there’s no such thing as an official Tumblr diet. Instead, the URL provided in the spam message leads to a website that mimics a popular health magazine, espousing the benefits of a new diet pill.


Figure 2. Fake health magazine site promoting diet pill

The page is full of information about a “miracle pill,” along with testimonials and offers linking to sites where the user can get some. If the user clicks through, they are brought to an order page. However, the site appears to have a limited supply. Stock is set to run out, coincidentally, the same day the user is visiting the page.


Figure 3. Diet pill order page

The user is asked for a number of personal details, such as name, address, phone number, and email. The site will eventually ask for your credit card details as well.


Figure 4. Diet pill payment page

We don’t know for sure if the site will actually send you genuine diet pills that contain the supposed miracle ingredient, fake pills claiming to have it, or if the site will just make off with your credit card details. Regardless, we do not recommend attempting to purchase goods through offers like this.

This spamming technique is not limited to diet pills either. Other scams, such as the one below, attempt to play at a user’s desire to make money. In this case they don’t even bother to ask a question—skirting the primary purpose of Tumblr’s Ask feature altogether.

"I made $300 yesterday by Internet marketing and I'm looking at at least $450 today. So yeah. You need to do this. I found out about it from this news article on CBS. I'm just excited to share this with you because it actually freakin works! Tumblr won't let me post a link but if you want to read up and start making some money then head over to [REMOVED] [d0t] cоm - Spread this to fellow tumblree's and tumblrette's and lets get out of this recession together!"

The link in this case leads to a fake news page espousing a great way to make money from home, then to a page that asks for the same personal details as the scam above. In this case, besides gathering personal details, it’s possible that the scammers are looking to recruit cybermules—another precarious scam that is best avoided.


Figure 5. Page promoting "make money from home" scheme

What’s disconcerting about this scam is that Ask questions do not appear on Tumblr blogs by default, as traditional comments can. Instead, a user has to make the effort to answer the Ask, at which point both the question and the answer appear on their Tumblr blog. Granted, many users answer these Asks sarcastically, and others with annoyance, recognizing the spam for what it is (we don’t recommend answering at all). What’s perhaps most worrying is that some users go as far as to thank the Anonymous poster for the information, seemingly falling for the ruse. Regardless of how the user responds, the messages remain online, and anyone perusing these Tumblr blogs could feasibly visit the sites mentioned of their own accord.

It’s difficult to determine the number of Asks these spammers are sending out, but we encountered hundreds of instances when looking into the issue. Since Anonymous Asks do not require a Tumblr account to submit, and determining whether a Tumblr blog has the feature enabled is easily scriptable, spammers could send large volumes with little effort.

To its credit, Tumblr has implemented an Ignore feature, where you can block the account, IP, and/or computer sending them. Overall, this spam should be treated in just the same way as any other Ask or comment-related spam: do not answer such submissions, do not visit the URLs provided, and do not give any personal details to less-than-reputable websites.
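Both spam messages quoted above hide their link from Tumblr’s filters by spelling the dot as “[d0t]”, and the second one also swaps a Cyrillic “о” into “cоm”. The following is an added example (not code from the original post or from Tumblr) of how a moderation-side filter could flag such Ask submissions; the domain labels in the sample messages are constructed placeholders, not the spammers’ real sites.

```python
import re
import unicodedata

# Constructed samples modelled on the two Ask messages quoted in the post.
# "exampledomain" is a placeholder; the second sample uses a Cyrillic "о" (U+043E) in "cоm".
CONSTRUCTED_ASKS = [
    "WOW, I just lost a bunch of weight using the OFFICIAL TUMBLR DIET!! "
    "Check it out at exampledomain[d0t]com",
    "Tumblr won't let me post a link but head over to exampledomain [d0t] c\u043em - Spread this",
    "Thanks for the follow! Loved your photo set from the weekend.",
]

# Heuristic: "[d0t]", "(dot)", " dot " and similar stand-ins for a literal "."
OBFUSCATED_DOT = re.compile(
    r"\s*[\[\(\{]\s*d[o0]t\s*[\]\)\}]\s*|\s+d[o0]t\s+", re.IGNORECASE
)
# A domain-like token once the dot is restored: ASCII labels, then a TLD that may
# contain non-ASCII characters so homoglyph TLDs are still captured.
DOMAIN = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.([^\s.,;!?]{2,}))")


def normalize_dots(text):
    """Replace obfuscated dot spellings with a literal '.' so URL checks can see the domain."""
    return OBFUSCATED_DOT.sub(".", text)


def non_ascii_letters(token):
    """Return (char, Unicode name) for every non-ASCII character in a token."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in token if ord(ch) > 127]


def analyze_ask(text):
    """Report restored domains and any confusable characters found in their TLDs."""
    normalized = normalize_dots(text)
    findings = {"obfuscated_dot": normalized != text, "domains": [], "homoglyphs": []}
    for domain, tld in DOMAIN.findall(normalized):
        findings["domains"].append(domain)
        findings["homoglyphs"].extend(non_ascii_letters(tld))
    return findings


def is_suspicious(text):
    """An Ask is flagged if it hides a dot or uses non-ASCII characters in a TLD."""
    findings = analyze_ask(text)
    return findings["obfuscated_dot"] or bool(findings["homoglyphs"])


if __name__ == "__main__":
    for ask in CONSTRUCTED_ASKS:
        print(is_suspicious(ask), analyze_ask(ask))
```

The dot-restoration pattern is a heuristic and will occasionally normalize innocent phrases such as "dot your i's"; treat a hit as a signal for review rather than an automatic block.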

Japanese One-Click Fraud on Google Play Leads to Data Stealing App

Since the beginning of the year, a Japanese one-click fraud campaign has continued to wreak havoc on Google Play. The scammers have published approximately 700 apps in total since the end of January. The apps are published on a daily basis and the scammers have invested around US$4,000 in order to pay the US$25 developer fee to publish apps on Google Play.


Figure 1. Total number of developers and apps developed

Dealing with the fraudulent apps has really become a game of cat and mouse. Once the apps are removed from Google Play, the scammers simply publish more under new developer accounts. These are again removed shortly afterwards, but the scammers simply continue to publish more. Most of the apps are removed on the date of publication, but some, especially those published over weekends, tend to have a longer life and in some cases reach download numbers in the triple digits. The scam attempts to lure users interested in adult videos to a site that tries to trick them into registering for a paid service. Even if only one user falls for the scam and pays, that’s JPY99,800 (around US$1,000 at the current exchange rate) in the pocket for the scammers, which in turn funds even more developer accounts to publish more fraudulent apps.


Figure 2. Developer page of the malware author

Recently, the scammers have come up with a new trick. A typical one-click fraud app uses the WebView class to display Web pages within the app. Normally the adult-related sites leading to click fraud are displayed, but the new round of apps leads to a similar adult-related site that hosts an app which steals personal information, including the Google account, phone number, International Mobile Station Equipment Identity (IMEI), Android ID, and the model details of the device. In effect, the apps on Google Play act as downloaders: the data-stealing app itself must be manually downloaded and installed by the user.


Figure 3. Site hosting the malicious app


Figure 4. Fake Google Play site from which the malicious app is downloaded


Figure 5. Data uploaded from the device

What is disturbing about the recent method used to attract potential victims is that the scammers have expanded their audience by listing random keywords in the description on the app page, whereas in the past only words related to pornography were used. The scammers hope that someone searching for any type of app will come across these apps and be drawn to the icons, which are all adult themed. The titles of the apps are also typically pornographic in nature, but some have random names.


Figure 6. App page for one of the malicious apps


Figure 7. Words listed in the description of one of the apps

We have yet to confirm how the personal information is being used, but it is likely that the victims will be contacted in one form or another by the scammers. Symantec detects the apps discussed in this blog as Android.Oneclickfraud. We recommend installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, please visit our Mobile Security website.