Big Brother Brasil Bait is Back

In 2010, Symantec reported phishing sites that were spoofing a popular social networking brand. The phishing sites claimed to have a Web application with which end users could watch “Big Brother Brasil” online. This phishing attack was launched during the 10th season of the television show that was on air from January to March of 2010. On January 11, 2011, the 11th season of the show began and phishers are back again with the same bait to try their luck at harvesting user credentials. The latest phishing site was hosted on a free webhosting domain.


 
On certain legitimate Web sites, live video feeds of the show are available around the clock from multiple cameras in the Big Brother house. Some of these videos are suitable only for adult viewing. On the other hand, no live video feeds are available on the phishing site and the claim of having such a Web application is only a ploy to lure end users. The message in the displayed image of the phishing site was in Portuguese and translates to “In ***** [Brand name removed] Big Brother Brazil is live. Attention: Login to the side and check”. If users fall victim to the bait by entering their login credentials, phishers will have succeeded in stealing their information for identity theft.

In the past few months, phishers have tried to improve their chances of tempting end users by increasing the appeal of their baits. It has been observed that pornography or adult content made up the majority of the baits used. Here, though pornography was not involved in the phishing site, the strategy of phishers was to give users the hope of viewing adult videos of the participant celebrities in the television show.

Internet users are advised to follow best practices to avoid phishing attacks, such as:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up screen.
• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

------------------

Note: My thanks to the co-author of this blog, Avdhoot Patil.

Scammers Seek Support for Serrana Flood Victims

In January 2011, floods caused severe calamity in several towns in the mountainous region of Brazil known as the Serrana region, in the state of Rio de Janeiro. Scammers, as usual, are on their toes to take advantage of the opportunity to send scam messages that request fake donations.

Scammers used a domain name to carry out the phishing scam. The domain name consisted of words in Brazilian Portuguese which translate to “donations for the tragedy in Friburgo”; Friburgo is a municipality located in the affected region. The domain used Brazil's country-code Top Level Domain (TLD). Although the TLD was Brazilian, the domain was hosted on servers based in Dallas, USA. The content of the phishing Web page was in Brazilian Portuguese and translates to:

 “The images show districts affected by the tragedy. The number of cities that reported casualties has risen to five, after heavy rains in the Serrana region caused devastating floods. The municipalities and fire department have confirmed a total of 600 deaths. Rio De Janeiro is in need of your help. We donate food and water to those people who have lost their homes. Please help by donating a little money. You may pay with your credit card or directly from your bank account. On behalf of all the homeless, we are grateful for your help.”  

Below the message were logos of popular banks and credit card services of Brazil. Below the logos was a set of hyperlinks that prompted end users to pay their donations by clicking on a link. Each hyperlink was for a specific donation amount in dollars. The amounts specified were $5, $10, $15, $30, and $50. Upon clicking the links, end users were redirected to a phishing site that spoofed the corresponding brand. At the bottom of the page, a message stated that end users may also pay donations in other amounts by contacting a particular email address of the same domain name. The phishing sites of the brands asked for the user’s login credentials. After the login credentials were entered, the phishing site redirected users to the legitimate Web site.

In this way, scammers were targeting several brands by means of a single phishing scam. If end users fall victim to the phishing site, scammers will have succeeded in stealing their credentials for financial gain.

Internet users are advised to follow best practices to avoid phishing attacks, such as:

· Do not click on suspicious links in email messages.

· Avoid giving any personal information when answering an email.

· Never enter personal information in a pop-up screen.

· Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

 

Thank you to the co-author of this blog, Ravish Bagul.

Holidays are Over for Spammers

In this blog about spam volume, we discussed the virtual shutdown of three botnets including Rustock that caused the global spam volume to plummet around Christmas day. MessageLabs has indicated in their blog that those botnets have restarted, although they are sending less volume than pre-shutdown levels at the moment.

As seen in the chart below, we are indeed seeing a spike up in volume as of January 10. We will be keeping a close eye on this over the next few days to see if the increase holds up. For now, it looks like holidays are indeed over for spammers.

We saw a drop in the use of the ‘.ru’ domain URLs in spam messages around December 25.  When the spam volume spiked up on January 10, we saw a corresponding jump in the use of ‘.ru’ domain URLs in spam.  This data suggests that the new wave of spam mostly consisted of ‘.ru’ domain URL spam messages.

Some of the best practices users should follow are:

· Do not open unknown email attachments. These attachments could infect your computer.

· Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.

· Do not fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).

· Do not buy products or services from spam messages.

 

Please visit the State of Spam & Phishing homepage for the latest news on the spam threat landscape.

It’s Aishwarya Rai’s Turn to Be Popular with Phishers

Phishers have used several types of bait in social networking scams in the hopes of improving their chances of harvesting user credentials. Some of the bait included offers of free mobile phone airtime, tickets to sports matches, pornography, hacking software downloads, and so on. In several instances, an image of the fake offer was displayed to give the impression that the user could obtain the benefits upon logging in to the phishing site. Such phishing Web sites typically use a template, where the image and the text are changed. Celebrities’ photographs are often displayed in an attempt to attract end users.

In this particular phishing site, the displayed image was of the popular Indian actress Aishwarya Rai. Symantec had earlier reported a similar phishing Web site that used another actress, Katrina Kaif, as the bait. As in the earlier example, the phishing Web site had its content altered to help it look like an adult version of a social networking site. Again, it is important to bear in mind that the legitimate social networking site being spoofed is not involved with any form of pornography or adult sex chat service. Though pornography is a common bait in social networking scams, it’s not common to see Indian actresses being used. Clearly, phishers are choosing celebrities who have a large fan following, as they perceive that a large audience will mean more duped users.

The phishing site was hosted on a free Web-hosting site. Upon entering the login credentials, the user is redirected back to the legitimate Web site. If users fall victim to the phishing site, phishers will have succeeded in stealing their credentials for identity theft. The phishing URL contained certain keywords that gave the impression that the content was linked to pornography. Below is the phishing URL:

hxxp://www.sexhotchat.******.com/Index.html [Domain name removed]

Internet users are advised to follow best practices to avoid phishing attacks, such as:

  • Do not click on suspicious links in email messages.
  • Avoid giving any personal information when answering an email.
  • Never enter personal information in a pop-up screen.
  • Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Thanks to the co-author of the blog, Ashish Diwakar.