Targeted Attack Exploits Ichitaro Vulnerability

JustSystems, developer of the Japanese word processor software called Ichitaro, recently announced a vulnerability—Multiple Ichitaro Products CVE-2013-3644 Remote Code Execution Vulnerability (CVE-2013-3644)—that has been exploited by attackers in the wild. Symantec has seen the exploitation being used in targeted attacks since May, but it has been limited to users in Japan and the volume of attacks has been minimal.

The attacker can leverage this vulnerability by sending a specially crafted attachment as part of a spear phishing campaign. When a user opens the malicious Ichitaro document file, arbitrary code is executed causing malware to be dropped onto the computer. Symantec detects the malicious document files as Trojan.Tarodrop.M. Files dropped by the exploit depend on the specific attack but are generally detected as Trojans, such as Backdoor.Specfix.

We continue to monitor this threat to improve coverage and will provide any relevant updates when possible. Symantec strongly advises users to update their antivirus definitions regularly and ensure the latest Ichitaro patch is installed.


Social Network Scam Targets NBA Finals

For sports fans, the most exciting time of the year is the post season. It is when the underdogs have a chance to topple the better teams in the league, or last year's champions are trying to win it again. Depending on the sport, these events can draw a lot of viewers, whether it is a single event or a seven game series. So, its no surprise there are sites that claim to offer fans the ability to watch these events online.

Right now, we are in the midst of the NBA finals pitting some of the finest players in the league against each other in their quest to win it all. The series was just tied 2-2 before Game 5 on Sunday. On that day, some Facebook users may have seen pages offering a free live stream of the game.


Figure 1. Free live NBA Finals stream posted on Facebook

Facebook users may also see posts about NBA Finals live streams linking to a page hosted on Tumblr.


Figure 2. Free live NBA Finals stream page on Tumblr

When a user selects “YES I AGREE” on the Tumblr page they are redirected back to Facebook and asked to install an NBAFinals Facebook application.


Figure 3. Scam NBAFinals Facebook app, permissions request

This Facebook application requests access to your profile, friends list, and email address. If a user grants permission, the application will request more permissions.


Figure 4. Scam NBAFinals Facebook app requests additional permissions

In addition to posting to your friends on your behalf, the scam Facebook application requests more permissions that do not make any sense for an application to have in order to enjoy free live streaming, such as access to manage your Facebook pages.

Even worse, after the application installs, users are redirected to another Tumblr site and asked to spread the scam on Facebook before proceeding.


Figure 5. Scam NBA Finals site asks users to share on Facebook


Figure 6. NBA Finals scam spreads on Facebook

For the user, after all this, there is no live stream presented. Instead, users will see a video player that doesn’t work. Clicks on the video player redirects users to a plugin install page that earns the scammers money through affiliate links.


Figure 7. NBA Finals scam page contains no live stream

There are some references in the final page to other sites that claim to offer live streams of the game. These pages are not official however, and these types of streaming sites are prohibited.

For the scammers, getting the user to install their Facebook application keeps the scam going because the application posts messages to your timeline on your behalf.


Figure 8. Scam NBAFinals app timeline post on Facebook

In cooperation with Symantec, Tumblr has removed the sites associated with this scam and we have reported the application to Facebook.

Users should be aware which applications they install on Facebook, especially when looking for special features or access to websites that offer live sport streams. If it seems suspicious, most likely it is.

Oracle Java SE Critical Patch Update Announcement – June 2013

Original release date: June 18, 2013

Oracle has released a June 2013 Critical Patch Update for Oracle Java SE. This Critical Patch Update is a collection of patches for multiple security vulnerabilities in Oracle Java SE. The update contains 40 new security vulnerability fixes, including a patch for Oracle JavaDoc frame injection vulnerability VU#225657. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

The following versions of Oracle Java SE are affected:

  • JDK and JRE 7 Update 21 and earlier
  • JDK and JRE 6 Update 45 and earlier
  • JDK and JRE 5.0 Update 45 and earlier
  • JavaFX 2.2.21 and earlier

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.

This product is provided subject to this Notification and this Privacy & Use policy.

Hospitality Spam Takes a New Ride

Hospitality is the friendly bonding between the guest and host, especially efforts to make the guest feel comfortable. Spammers exploit hospitality events, and the bond between guest and host, with fake promotional offers. We are currently observing an increase in spam messages which exploit hospitality offered by major events, festivals, and concerts. The spam messages invite users to watch the events at entertaining venues happening in different places. Hospitality spam tries to entice users with bogus offers such as the following:

  • Luxury items
  • Fine dining
  • Champagne
  • VIP parking
  • VIP hostess service
  • Gambling
  • Q&A with sports celebrities
  • Large plasma screens


Figure 1. British Grand Prix hospitality spam


Figure 2. Ashes Series hospitality spam

A variety of subject lines have been observed in the hospitality spam attacks, such as the following:

  • Subject: VIP HOY Show hospitality
  • Subject: Unique opportunity to present a trophy at top event
  • Subject: Ringside dining action at HOY 2013
  • Subject: Exclusive Equine ringside action
  • Subject: Champagne journey to bitter grudge match
  • Subject: Looking for an evening of champion sport?
  • Subject: A unique moment to talk with the legendary Murray
  • Subject: 2013 Festival of Speed
  • Subject: Exclusive Race Day Hospitality with Murray Walker
  • Subject: A unique moment to talk with the legendary Murray

The "From" address associated with these hospitality spam emails include the following:

The main motive of these spam campaigns is to lure recipients by providing fake promotional offers and asking users to reply with questions about the event to the spam domain which is only registered for a year and hosted in the United Kingdom.

Symantec advises our readers to use caution when receiving unsolicited or unexpected emails. We are closely monitoring these spam attacks to ensure that users are kept up to date with information on the latest threats.