Wednesday, October 31, 2007

Federal Trade Commission Fraud





Be aware that there is a fraudulent email going around pretending to be from the FTC. It is addressed to a specific individual, whose name appears several times throughout the email, as does, in the cases I've seen, that recipient's place of business. It poses as a complaint made by a Mr. George Hanson against your company that you failed to resolve, and that has therefore been escalated to the Federal Trade Commission. Wow, you must've really upset this guy! It contains what is supposed to be a copy of the complaint in .doc format, but in actuality that is a link to download a keylogging trojan designed to steal passwords, screen names, and whatever other information you feed into it.
The spoofing of governmental agencies is nothing new. This year alone we have seen fake complaints from the Better Business Bureau, the IRS, and a previous FTC forgery. Always be wary of a somewhat threatening email from any agency when you are unaware of the circumstances behind it. If you have any questions, check with the agency directly, using contact details you look up yourself rather than any supplied in the email.

Monday, October 29, 2007

Quick, Get Your Exploits In!


As I mentioned in my last post, the .pdf file got a little ugly last week, when a mailto: exploit was discovered and mailed out en masse to unsuspecting Adobe Acrobat users. Well, now the copycat hackers are all over it, with a new version seen this morning using the same exploit to back into your Windows system32 directory, fire up your cmd.exe prompt, and download malicious software onto your machine. These are downloading from a different host IP, one that reportedly was shut down pretty quickly. However, if you hadn't patched your Adobe Acrobat before this one came in, they were sending out enough to hit a good cross section of people while the IP was active, so you may have had a good opportunity to enjoy this one too. We've been blocking this one for around eight hours and have caught nearly one million samples, so you get the idea.
This follows the pattern that always seems to come after a good zero-day exploit, and it is what lets such an exploit stay useful in the wild for a year or more. People don't patch as often as they should, and hackers know this and are very happy to take advantage of it.

Tuesday, October 23, 2007

.Pdf Files Take a Turn to the Dark Side


We had gotten used to the idea of the .pdf file being used to deliver your spam since June, but yesterday the .pdf began to carry a special payload. Once opened, the file makes use of an exploit in Acrobat that immediately downloads a trojan named ldr.exe onto your computer.
The files were thought to be originally targeted at businesses, but have since been seen in the wild, arriving with subject lines and attachment names such as "Bill", "Invoice", "Statement", or the like.
Adobe released a patch yesterday to fix this, and I recommend you go there now and patch it up.

http://www.adobe.com/support/downloads/detail.jsp?ftpID=3796

Otherwise, maybe you'd enjoy a different .pdf reader with less exposure. I enjoy Foxit.

http://www.foxitsoftware.com/pdf/rd_intro.php

Monday, October 22, 2007

Are You Funding the Turks' Invasion of Iraq?



This morning my department came across an interesting bit of hacktivism. The site was hacked by someone calling themselves "Serious Error", and featured a video hosted by YouTube showing a collage of military exercises and activities, proudly displaying the flag of Turkey in many of its scenes. An obvious display of support for Turkey's incursion into northern Iraq to confront the Kurdish rebel group the PKK, or Kurdistan Workers' Party.
The PKK has been blamed for many attacks against the Turks, most recently a suicide bombing in Ankara and a landmine attack on troops.
The interesting part of this hacked website is that it also contains a PayPal phishing site. Perhaps they're using it to help fund their cause with your money. Perhaps they're just thieves that want to express themselves.

Thursday, October 18, 2007

.Mp3 Spam Has Arrived!



Last night brought the birth of audio spam in the very popular .Mp3 file format. I'd have to say that the spammers are stretching it with this one. The .Mp3 file is an extremely poor-quality audio recording of a female voice with what seems to be an English accent, announcing the praises of the latest pump-and-dump stock scam.
The email arrives with a subject line of Re:, Fwd:, the name of the particular .Mp3 file attached, or nothing at all. The body of the email is blank, save for the .Mp3 attachment.
The file is harmless at present.

Wednesday, October 17, 2007

The Latest, and Not So Greatest in P2P Networks

That's right, are you ready for the latest in sweet file sharing technology? It's even easier than one might think. Simply click on the link supplied in this well-prosed introductory email, and [insert onomatopoeia here], even without your knowledge the file krakin.exe will be downloaded and installed onto your computer, and you will become part of Storm Worm's latest peer-to-peer network offering.

The subject lines include:

here if you need help call me
here ya go
ok last time I am emailing this
check it out
here is the music you wanted
Krackin
re: krackin is released
this is the link
you have go tot get this

with the email bodies reading:

You have got to check this out. The new Krackin sharing network is now

Dude this is the hottest new sharing network. Krackin rocks.

Ok, last time I am sending you this linkman. LOL write it down or
soothing. This is krackin.


Check out the new Krackin network for free. Click here to download it
now

Check it out man. This thing just hit the net last week. I can see over
2 million users on already.

New Sharing network goes live. Check out Krackin here.

Check out Krackin, It.s the hottest new sharing network on the planet.

Yo, down load krackin here then add me as a friend. My user is
freakman011

Man I have been downloading non stop for two days. Check out this new
software called Krackin. It rocks!



The only real difference I've heard about is the way in which the computers on this network communicate, perhaps an experimental addition to the worm's architecture adding 40-byte key encryption over the P2P communications.

Monday, October 15, 2007

I'm In UR Emailz Giving You Worms

I knew I should have blogged about this Friday when I first saw it, but I thought the Vladuz story was a little more interesting. Oh well, now I'm on the bandwagon.
Storm's latest ploy is another ecard, often calling itself Kitty Kards [sic] or Cards. There are several different subject lines, such as:

"Someone is thinking of you! Open your ecard!"
"Have you seen this hilarious greeting?"
"Someone Just sent you an ecard!"
"You have one new ecard waiting!"
"This greeting's for you!"

The body text of the message contains text such as:

"You have been sent the Laughing Kitty kard
"Click here to view your laughing kitty card online."
"Preview your Kitty card online. It is so funny!"

The links are IP addresses that point you to a site featuring two kitties that are just so gosh darn adorable. Meanwhile, as is always the case, Storm downloads itself in a file called SuperLaugh.exe. It's not really that funny.
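As an added example (not code from the original posts), here is a Python scorer that applies the lure traits this post and the Krackin post above describe to raw email messages: a subject line from the quoted lists, a link whose host is a bare IP address rather than a hostname, and a link that fetches an .exe. The three messages at the bottom are constructed for the demo using documentation IP ranges and example.com addresses; they are not the actual spam.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Added example, not code from the original blog. Subjects are the ones the
# two posts quote; the messages below are constructed, not captured spam.

LURE_SUBJECTS = {
    "here if you need help call me", "here ya go", "ok last time i am emailing this",
    "check it out", "here is the music you wanted", "krackin",
    "re: krackin is released", "this is the link", "you have go tot get this",
    "someone is thinking of you! open your ecard!",
    "have you seen this hilarious greeting?", "someone just sent you an ecard!",
    "you have one new ecard waiting!", "this greeting's for you!",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EXE_RE = re.compile(r"\.(exe|scr|pif|bat|cmd)$", re.I)


def text_bodies(msg):
    # Walk every MIME part and yield the decoded text/plain and text/html bodies.
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part.get_content()


def extract_urls(msg):
    urls = []
    for body in text_bodies(msg):
        for u in URL_RE.findall(body):
            urls.append(u.rstrip(".,;)"))  # drop sentence punctuation glued to the link
    return urls


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    reasons = []
    if subject.lower() in LURE_SUBJECTS:
        reasons.append("known lure subject")
    urls = extract_urls(msg)
    for u in urls:
        parts = urlsplit(u)
        if parts.hostname and is_bare_ip(parts.hostname):
            reasons.append("link host is a bare IP: " + u)
        if EXE_RE.search(parts.path):
            reasons.append("link fetches an executable: " + u)
    # Two independent traits is enough to call it; one alone only earns a flag.
    verdict = "likely lure" if len(reasons) >= 2 else ("suspicious" if reasons else "clean")
    return {"subject": subject, "urls": urls, "reasons": reasons, "verdict": verdict}


# --- constructed sample messages -----------------------------------------
KITTY_MSG = b"""From: ecards@example.net
To: victim@example.com
Subject: Someone Just sent you an ecard!
Content-Type: text/plain

You have been sent the Laughing Kitty kard.
Click here to view your laughing kitty card online: http://192.0.2.44/
"""

KRACKIN_MSG = b"""From: buddy@example.net
To: victim@example.com
Subject: here ya go
Content-Type: text/plain

Dude this is the hottest new sharing network. Krackin rocks.
http://198.51.100.7/krakin.exe
"""

BENIGN_MSG = b"""From: accounts@example.org
To: victim@example.com
Subject: Re: October statement
Content-Type: text/plain

Your statement is ready at https://www.example.org/statements/october.pdf.
"""

if __name__ == "__main__":
    for raw in (KITTY_MSG, KRACKIN_MSG, BENIGN_MSG):
        print(score_message(raw))
```

The subject list is the weakest signal, since the spammers rotate wording every few days; the bare-IP link is the durable one, because a botnet-hosted landing page has no domain to point at. Feed score_message the bytes of each message at the gateway and quarantine anything that comes back "likely lure".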

Friday, October 12, 2007

Vladuz, at it Again.


Vladuz, a self-proclaimed and very proud Romanian hacker, claims to have "at will" access to eBay's infrastructure, and seems to prove it every so often by entering eBay's forums to make "pink" postings, those with customer-service-representative-level clearance, taunting eBay and its security. After a few snide remarks, he enjoys posting lists of customer account information right in the forum for everyone to see, as proof of his conquests.
This past Friday he struck again in the same manner, this time posting in the "eBay Trust and Security" forum, where users of eBay discuss security-related questions with one another and a room moderator. He began by hacking into an eBay server, temporarily suspending accounts for a large portion of eBay users. eBay officials claim that he was kicked out of this server before any permanent damage was done. They also claim that this server was an externally visible server and didn't contain the goods that Vladuz claims to have stolen from their internal servers. Regardless, shortly after the server heist he made his appearance in the forum posing as a moderator, posting his taunts and more customer information. It has been believed since his first appearance that the information he had stolen was in fact acquired through elaborate phishing campaigns and not directly from eBay servers; however, this is now part of what has turned into an exciting war of jeers versus defensive statements between Vladuz and eBay security officials. eBay maintains that the hacker has far less access than he claims. Let's hope.
Meanwhile, international authorities have teamed up with officials in Romania in an attempt to locate this criminal.
Here is a somewhat small screenshot of Vladuz posting a taunt to an eBay security official named Durzy back in February.

Wednesday, October 10, 2007

Authorities Stepping It Up?


Whether the authorities are making an extra effort nowadays or the bad guys of the internet are getting sloppy, it has been (to quote a McAfee headline) a bad month for malware authors.
Three significant arrests have been made recently. The first was of the author of Downloader-AAP, a trojan which was spread by the unsuspecting victims themselves through a mass spamming campaign posing, among other things, as an IKEA billing confirmation notice in German, with a link that led to the download of the trojan. Once in, the downloader secured its position and downloaded a keylogger meant to steal account information.
The second arrest was of the author of the many variants of the Fujacks worm. Unlike trojans, worms are self-replicating and self-spreading; this one was no different, and spread via network shares and P2P shares. Once in, it also had keylogging ability and allowed remote access to your computer. An interesting note on this case is that the author, Li Jun of China, has already been offered several high-paying jobs available upon his release, including CTO of a China-based networking company located in Hangzhou. His attorneys are using this offer letter as proof of his worth to society, claiming that he now feels badly about his actions. I'm sure I'd feel pretty badly about my actions after I was arrested for them too!
The third arrest, on the 1st of October, was of Greg King, a 21-year-old California resident, who was responsible for the DDoS attacks against the anti-fraud site CastleCops, which takes it upon itself to report known phishing sites and provide constant fraud advisories. It's possible that he was also responsible for the attacks on other anti-fraud sites that occurred at the same time as the CastleCops attacks, such as those on 419eater.com and 419fraud.com, which specialize in awareness and scambaiting of 419-style Nigerian scams.
King was the botmaster of a network of 7,000 zombie computers, which he used to attack these sites by flooding them with traffic, overloading their networks and forcing them offline.

Thursday, October 4, 2007

If It's Too Good to Be True...

The old adage remains strong today. I believe it goes: if something seems too good to be true, it probably is. When you're dealing with the internet, I dare say it always is.
I'm talking about the "Make thousands from home in only 2-8 hours a week", "Work from home", and other internet home-based job "opportunities". Let's discuss the two major varieties of these work-from-home schemes. First we'll talk about the most recent to make the headlines, with the arrest of 77 individuals connected with international fake check scams.
Fake Check Scam
The scheme goes something like this. First off, you receive an email of the 419 variety with some clever story of how you will be 'processing' checks for their clients, usually due to some international commerce issue; often they can be pretty elaborate, but they all end in a similar fashion. You deposit the checks in your bank account, keep your processing fee, and send the remainder to the scammer. A week or two later, the bank discovers the check is a fake, and you're liable for the entire amount. You're out a few grand, and the scammer gets that much richer. Several reports state that the average loss for people that fall for these scams is between $3,000 and $4,000.
Another variety of the fake check scam targets people selling things online: the scammer tells you that someone in the U.S. owes them money and will be sending you a check for more than the amount you're asking. You deposit it, take your share, and send the remainder on once more. Sometimes they'll "accidentally" overpay you and ask for the overpayment back.
There are several varieties of the fake check scheme; read up on a few tips from fraud.org here.
Money Mule
This technique is a little older, but is still going strong today. It's the money mule scam. It also operates in the "Work from home, make thousands doing nothing!" style, but with this one you're usually helping steal from other people. You essentially end up running a forwarding service through your bank account, or for packages that show up on your doorstep. You'll earn a percentage for each item you forward, whether it be a simple money transfer or a package you send on to another address, which is often in another country. The problem is that these items are initially acquired with phished accounts and stolen credit card numbers, or with money pulled directly out of someone's bank account. You are acting as a human proxy to obfuscate the path the stolen items are taking, and to provide a physical address to which the initial shipment of goods, direct from the seller, can be delivered. This puts you first in line when the FBI comes looking for the culprits. Regardless of your ignorance, you are involved in a crime ring, and you could be doing some jail time.
The internet continues to be a scary place for the unwary, so hang on to your street smarts, or net smarts, stay on your toes, and of course, remember-"If it's too good to be true...".

Monday, October 1, 2007

A Massage from the Dalai Lama?

Burma has been a rough place to be for the pro-democracy monks this past week and a half. Now today, as all of them have been driven indoors and thousands arrested, a spam campaign has surfaced taking advantage of people's interest and concern.
An email has been circulating claiming to be from the Office of the Dalai Lama in response to the situation in Burma, or Myanmar as it is called by the current military regime.

Dear Friends & Colleagues, Please find enclosed a massage from His Holiness the Dalai Lama in support of the recent pro-democracy demonstrations taking place in Burma. This is for your information and can be distributed as you see fit.

Best wishes.

Tenzin Taklha
Joint Secretary
Office of His Holiness the Dalai Lama

This email carries a malicious attachment in the form of a Word document that exploits a vulnerability in Microsoft Word itself to drop a Trojan onto your computer. It also contains a link to the Dalai Lama's official website. A somewhat keen eye will also catch the misspelling of the word 'message' in the email body, which tips one off to its invalidity.
Given that the government in Burma has all but completely cut off cell phone and internet connections to the rest of the world, the public around the globe is anxious to hear news about what's going on and can easily be tricked by this email. It is another underhanded social engineering attempt to spread a new Trojan Horse meant to give total control of your computer to its authors.
As always, never open any attachment in an email which was unsolicited.