Use of .avi & .mp3 Extension Leads to Pharmacy Spam

Symantec has observed a new spam tactic that targets YouTube by using .avi and .mp3 extensions in URLs and placing a random YouTube link in the email content. This spam threat also targets the pharmaceutical industry, as we have previously observed in this blog: Pharma Spammers Brandjack YouTube.
 
In this new spam threat, users will be redirected to a fake pharmacy website when they click on the links. The following URLs were seen in spam samples using .avi and .mp3 extensions examined by Symantec:
 
http://www.[REMOVED].com/Fox.avi
http://www.[REMOVED].com/Yamamoto.avi
http://www.[REMOVED].vn/Larue.avi 
http://www.[REMOVED].com/McAlear.avi
http://www.[REMOVED].ru/87342.mp3
http://www.[REMOVED].ru/327182.mp3
http://www.[REMOVED].fr/472738.mp3
http://www.[REMOVED].com/165137.mp3
 
Figure 1: Spam email using .avi extension

Figure 2: Spam email using .mp3 extension

Figure 3: Fake online pharmacy website
 
Below are some of the email subjects used in this latest spam campaign:
  • Subject: Here Comes the Sun 1969
  • Subject: Soldier of Love (Lay Down Your Arms) 1963
  • Subject: For No One 1966
  • Subject: Misery 1963
  • Subject: Lucy in the Sky with Diamonds 1967
  • Subject: From Me to You 1963
  • Subject: Look! I found this!

The fake pharmacy domain was found to be registered in Europe, with its servers located in Ukraine. The spam attacks use such file extensions in a YouTube link to bypass spam filters and also to fool users, who would expect the links to open a video or audio file of the corresponding type.
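As an added example (not Symantec's code), a small Python filter that pulls URLs out of a message body, flags those whose path ends in .avi or .mp3, and escalates when a sandbox fetch of the URL answered with HTML rather than media, which is what a redirect to a fake pharmacy page produces. The sample body and its domains are constructed placeholders, and the content types are passed in by the caller so the check runs offline.

```python
import re
from urllib.parse import urlparse

# Extensions the campaign described above used to disguise redirector links.
MEDIA_EXTENSIONS = (".avi", ".mp3")

# Constructed sample email body (not a real spam sample); domains are placeholders.
SAMPLE_BODY = """Hi, check out this video of the song!
http://www.youtube.com/watch?v=PLACEHOLDER
http://www.example-shop.com/Fox.avi
Also https://files.example.net/327182.mp3 and http://www.example.org/notes.txt
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def looks_like_media_lure(url):
    """True when the URL path ends in one of the abused media extensions."""
    path = urlparse(url).path.lower()
    return path.endswith(MEDIA_EXTENSIONS)


def flag_media_lures(body, observed_content_types=None):
    """Flag media-extension URLs; mark those that were served as HTML.

    observed_content_types maps URL -> Content-Type header seen when the URL
    was fetched in a sandbox (supplied by the caller, so nothing is fetched
    here). A redirector to a pharmacy page answers an .mp3 request with
    text/html, which a genuine audio file never would.
    """
    observed_content_types = observed_content_types or {}
    findings = []
    for url in extract_urls(body):
        if not looks_like_media_lure(url):
            continue
        ctype = observed_content_types.get(url, "").split(";")[0].strip().lower()
        findings.append({
            "url": url,
            "content_type": ctype or "unknown",
            "html_served": ctype.startswith("text/html"),
        })
    return findings
```

The plain YouTube link is left alone; only the disguised .avi/.mp3 links are reported, and a text/html answer turns a suspicious link into a confirmed redirector.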
 
Symantec advises consumers to be cautious with unsolicited or unexpected emails and to update their antispam signatures regularly to prevent personal information from being compromised. We are closely monitoring these spam attacks to ensure that users are aware of the latest threats.

 

Would You Like Some Fish with That Phishing Site?

Phishers are known for making their phishing sites look exactly like the sites they are spoofing. We have seen plenty of examples of the detail they employ, like using JavaScript to include the current date in their static pages. In recent times, Symantec has seen an increase in generic email phishing. Unlike normal phishing, where the messages usually have a specific target in mind (bank customers or social network users, for instance), the generic email phishing technique is slightly different: the phishers will target any email address, and who the recipient is does not matter.
 
These generic phishing messages usually claim that the recipient's mailbox size has been exceeded, and direct them to urgently "re-validate" their mailbox to prevent disruption to their email. Symantec recently identified a generic email phishing website which, at first glance, appeared normal. It looked fairly amateurish—demonstrating phishers' poor design skills when they don't have a professional site to rip off—but the site was strikingly unusual for one reason: it had a fish pattern background.
 
Figure. Generic phishing website with fish pattern background.
 
We are not sure exactly why phishers decided to use this particular background. Was it a random, unfortunate mistake? An inside joke among fellow phishers? Or perhaps a brazen but not-so-subtle hint to experienced users that it was actually a phishing site? Perhaps—since the site is partially in Italian—the phishers were unaware of the similarity between "phish" and "fish"?
 
To protect yourself from phishing scams, be wary of messages claiming that your account has been restricted or somehow needs to be updated. Keep your security software up to date. Symantec.cloud and Symantec Messaging Gateway customers are protected from these threats.

Flash-Based Fake Antivirus Software: Windows Risk Minimizer

Fake antivirus software or "scareware" is nothing new, but these applications continue to get more sophisticated. We recently discovered a relatively new fake antivirus application called Windows Risk Minimizer.

The fake antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then redirected users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours.

When opening the fake antivirus site, the user is greeted with a JavaScript alert message in which the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that the user's machine is infected.

When OK is clicked, a fake scan is carried out.

The page uses Flash, making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it reveals a huge list of file names embedded within it. The Flash movie simply picks some of these at random and claims they are infected, with equally random virus names.

Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected.

Like many fake antivirus sites, when trying to close the window or tab, the user is greeted with an alarmist message warning of dire consequences unless the infection is removed.

When clicking Remove All in the Windows Security Alert window, the user is prompted to download a malicious executable file that contains Windows Risk Minimizer software. When opened, the following professional-looking screen is displayed:

Again, unsurprisingly, the fake antivirus software identifies several infections.

When this window is closed, the malware repeatedly harasses the user with pop-up warnings and balloon messages in the notification area. All of these messages are designed to convince the user that an infection exists on the computer and that they should purchase the (useless) software.

One message falsely claims the Google Chrome Web browser is infected. Clicking Prevent attack opens a payment window.

Another message claims illegal BitTorrent usage has been detected and refers to the controversial US SOPA (Stop Online Piracy Act) legislation. In this case, there is no Prevent attack button; instead there is a Get anonymous connection button, which also opens a payment window.

The final type of alarmist message observed when analyzing this fake antivirus software claimed that some kind of identity theft was in progress.

All of these different types of alert make it seem as though there is a serious infection, so it is easy to understand why many users may be unwittingly tricked into purchasing useless software.

At $99.90, apparently including support (see below), this useless software is not cheap.

We also recently spotted some different fake antivirus software where JavaScript code on the page appeared to vent the author's rage against two makers of legitimate antivirus software, including an offensive message about a particular antivirus application. It is easy to understand why a malware author might be unhappy about antivirus software, but including offensive messages like this simply makes it easier to block their malware.

To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up to date with all security patches.

Symantec.cloud customers are protected from these threats through advanced link analysis. Protection is also included in Symantec's security products.