Monday, January 26, 2009

Micro-Spamming

They're invading all possible outlets nowadays. Who? The spammers, of course. Pretty soon they're probably going to branch away from the digital medium and just start breaking into my house at night and leaving annoying flyers on my nightstand, and maybe some post-it notes with Cyrillic gibberish on them stuck to my television and glasses, and maybe my bathroom mirror. The newest spamming trend involves the newly uber-popular microblogging site Twitter. The spammers are taking advantage of the fact that most people who use Twitter allow others to follow their tweets without having to approve them. They then use a program called TwitterTornado, which creates a large number of Twitter IDs and also follows a large number of legitimate Twitter IDs. These new accounts then begin spamming direct messages to the legitimate users, using a text file supplied to TwitterTornado.
Here's a quote directly from the TwitterTornado site:
"Using the “Tweet Tornado” software will allow you to quickly create unlimited twitter accounts and quickly follow thousands of people who are interested in any topic you want. Within minutes of starting the software many people will choose to follow you and visit any website you ask them to. The software does everything for you so you can leave the computer during your Tweet Tornado campaign! Just turn it on, setup your campaign (takes a few minutes) and hit the “OK” button, that’s it!"
It is suggested that Twitter users change their default settings to require approving new followers to help to avoid this new annoyance.
If you'd like to follow my fairly infrequent tweets I'll be here --> @phreadphread

Friday, January 23, 2009

Fake Classmates[dot]com Invites


A new wave of fake Classmates[dot]com emails has just begun to circulate. These emails invite you to join your old fellow classmates at a class reunion on the 31st of January, and provide you with a link to "Proceed to view details>>>". This link takes you to one of several URLs where you're shown a fake video of what appears to be blurry people celebrating. Kind of interesting that they already have the video of the reunion when it hasn't happened yet, but I digress. If you click on the video to view it, or even if you don't and just wait a few seconds, you will be prompted to download the file ADMedia_Player.exe. Not good. They don't even try to "warn" you that you need a special Classmates codec to view the video or anything; they simply try to hand you the malicious executable. The executable lacks a little consistency as well: when you mouse over the icon the description displays "Adobe inc" and "Company: adobes player", yet the icon is that of a Windows Media file or .wma. When executed, the trojan attempts to download more malicious files from a remote host.
This actually appears to be the second wave of the day. The first began around 5:45 a.m. CST this morning, and we have seen about 100k pieces of mail from that campaign. The second wave began at around 10:42 a.m. CST and we've seen nearly 50k from this one so far. All in all, around 150,000 pieces of mail that have apparently been sent out completely randomly, possibly with random email address generators, as around 99.2% of them are addressed to invalid users.
The domains used were all registered today, and will likely be abandoned tomorrow. The domains are:

I Will iWork for Malware

The popular news around the blogosphere this morning is the new Mac trojan that's being distributed on a certain popular BitTorrent site. The malware is disguised as a full working version of iWork '09, Apple's desktop productivity suite. In reality the file is a trojan named OSX.Iservice. The fake software does contain parts of the actual free trial version that Apple is offering on their website, so as you go through the installation process it may seem legit. The trojan drops its payload under the name iworkservices.pkg and copies itself to two other places on your hard drive as it opens a backdoor and attempts to communicate via ports 59201 and 1024, awaiting commands from remote servers. After that your computer is open to the malware authors' whim. I would assume keylogging software will soon follow, maybe a Mac botnet, how fun would that be?!

Wednesday, January 21, 2009

Shot Through the Heartland


While most of you were busy watching America swear in its new president yesterday, Heartland Payment Systems decided that it was a good day to announce that their systems had been infected with malicious software and it resulted in what may be one of the biggest data breaches we've ever seen. Heartland is responsible for processing credit card payments for many different businesses including restaurants and retailers among others. They process approximately 100 million credit card transactions per month for 175,000 different merchants.
The company claims it likely became infected sometime in 2008, which obviously could be anywhere from 1 month (1 million transactions) to 13 months (13 million transactions). They were quick to report exactly what type of data was not breached and that included:
"No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms."
That seems to leave only the cardholder's name, credit card number and expiration date; certainly everyone can see where that would be bad enough. This information could be enough on its own, but data thieves often have more than one collection which they can cross reference to assemble a more complete chunk of information. In the underground economy, when cyberthieves sell complete sets of info including card numbers, names, expiration dates, addresses, and phone numbers, they are referred to as "fulls" and garner a larger price tag than, say, credit card numbers alone.
Heartland was quoted as saying "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
The odds make it unlikely that any one person will be targeted as a result of this breach, but it would certainly be advised to watch your statements. Especially if you think you may have made a credit card purchase from one of their affiliates such as:
Arizona Restaurant Association
California Restaurant Association
Colorado Hotel & Lodging Association
Florida Restaurant & Lodging Association
Kansas Restaurant & Hospitality Association
Nevada Restaurant Association
New Hampshire Lodging & Restaurant Association
New Jersey Restaurant Association
Oklahoma Restaurant Association
Hospitality Association of South Carolina
Washington Restaurant Association
Wisconsin Restaurant Association
Here is a link to Heartland Payment Systems' official statement.

Monday, January 19, 2009

Fake Headlines: Barack Leaves the USA!

On the eve of Barack Obama’s inauguration as 44th President of the United States, cybercriminals bring us one ridiculously sensational breaking news story. Today’s social engineering tactic is an attempt to lead us to believe that Barack Obama has changed his mind about his Presidential nomination. Like many different malware campaigns of the past, these messages arrive via email but contain a link to a “News” web site. The email with the link is accompanied by a few different text variations.

Most headlines read:
Barack Obama doesn't want to be our next president
Barack Obama left USA without president
Barack Obama has refused to be President

The message will contain a link to one of the many different web pages that they are attempting to direct you to. The messages are all signed with a different and seemingly randomly generated name. The link takes you to a remarkably good looking page with further details of this breaking story. Any link you click on this page prompts you to download either usa.exe or barackblog.exe. Both files are believed to contain the same Trojan. Here is a look at the webpage they are using to deliver the payload:





Thursday, January 15, 2009

What's This Email All Aboot?

As the 2009 tax season gets under way, scammers are attempting to prey on the hopes and expectations of many individuals who are looking forward to receiving their tax refund. Last week we began seeing a phishing scam that targeted taxpayers in the UK. This morning a different version emerged. This phishing scam targets Canadian taxpayers. The scam begins with emails originating from Russian IPs. The email informs you that, based on an annual calculation of your fiscal activity, you are now eligible to receive a tax refund. Coincidentally, everyone who receives the great news is eligible for the same refund of 386.00. Here is the message:

If you follow the link in the message you are directed to a well disguised "login" page. The graphics and page headers match those of the actual Canada Revenue Agency, making this phishing page look very similar to the real thing. While the page looks to be legitimate, if you take a closer look at the URL you will find that the phishing page is actually being hosted (likely unknowingly) on a domain that is based in Taiwan. The host domain belongs to a company that specializes in the sale of computer accessories. On this page you are solicited to give your social insurance number, your date of birth, the amount of the refund and your full name. If you have come this far then I am sure you will not think twice when you go to the next page and are asked for your credit card details along with other useful snippets of your personal information such as your mother’s maiden name.


I have yet to receive official confirmation from the CRA but I would be willing to bet that they do not send out unsolicited emails and especially would never ask you to follow a link in such email to login. One thing is for sure, as tax season comes into full swing we expect to see many more variations of these tax refund themed phishing scams.

Wednesday, January 14, 2009

New Bot on the Block

Yes indeed, there is a new botnet working the digital streets, and its name is Xarvester. Ever since the big McColo shutdown, which temporarily took down the world's 5 biggest botnets, Xarvester has begun to inch towards the front. It is currently in third place in the largest spamming category, responsible for replica watch and pharmaceutical spam.
According to Marshal, Xarvester shares many similarities in functionality with what was the largest botnet pre-McColo, Srizbi. Xarvester even has a couple of McColo IPs hardcoded in its code. Other similarities include its means of communication, which is HTTP but not over the standard port 80; the bots don't handle their own DNS queries; and even their spamming configuration files are very similar, containing everything that's needed, including the payload, to carry out (very) large spam campaigns. The bot even communicates back to the C&C with results from the campaign, such as whether the delivery was successful, whether the bot was blacklisted or filtered, or whether there were connection issues, among others. Marshal goes on to explain that it's likely that the botherders for Srizbi and Xarvester were the same group, which may have figured it easier to abandon Srizbi after the McColo shutdown and concentrate on Xarvester. If this isn't the case I would assume that the similarities are signs of underground outsourcing, where the author of the botnet's code was the same person and simply sold his wares to the different groups.
Watch out for this one, as it's sharing the top spot with its partners in crime Rustock and the aptly named Mega-D.

Tuesday, January 13, 2009

Spammers Piggyback Legitimate Newsletters

Over the past week or so here at AppRiver, my associates and I have seen spammers evolve into using another new technique. This time they appear to be taking legitimate graphics and formats of newsletters from people like Men's Health, Omaha Steaks, Microsoft, and Food Network, and appending their own links and graphical links to Canadian pharmacies inside them. My assumption behind the reasoning of this is that they are either trying to hide in the professional look of these newsletters, and pretend to be part of it, or perhaps they're trying to sneak past filtering with hopes that something in these original newsletters has been previously whitelisted for recipients that want them. It's more likely that they're simply trying to wear a little camouflage. Here are a couple of examples: One from Men's Health that we're seeing today, not as flashy as the first couple from Omaha Steaks and Food Network, but it still roughly follows the newsletter protocol with a fake unsubscribe link at the bottom. The picture of the pills as well as the "Unsubscribe" hyperlink both link to the spammer's site.
In the apparently failed Microsoft Newsletter, all that was visible in the spam messages was this footer. All of these hyperlinks also led to the spammer's pharmaceutical pages.
All of these were blocked by AppRiver filters before they had a chance to make it to inboxes, which is good, as we're seeing numbers in the millions for today's campaign alone. Here's a better looking one that came through today (the 14th).

Friday, January 9, 2009

CNN Targeted Once Again

Yesterday morning we began to see a massive malware campaign reminiscent of one that rolled through in August of last year spoofing CNN headlines. The difference here is that while the ones that came through last year used headlines such as "Fla. man dials 911, complains his sub has no sauce" or "World's hottest water found", the attacks yesterday combined a professional looking web page with headlines relevant to the current conflict in Gaza. This type of social engineering could prove to be very effective, as the bait emails were blasted out just before people arrived at work and were waiting for them in their inboxes posing as legitimate news. "They certainly look convincing, a lot of people probably wouldn't have even given them a second guess." I said in a recent blog posting on Digital Degenerate. Oh, sorry, I've done a couple of interviews today, and I'm thinking in quotations. Here's a link to one in the USA Today. Here is a list of subject lines used in the campaign, as well as the email body itself.

Ground War in Gaza - Atlantic Review

Israel At 'War to the Bitter End,' Strikes Key Hamas ...

Israel–Gaza Strip barrier

Gaza Groups Report on War

The Arab Israeli Conflict: The Palestine War Hamas Goads Israel Into War Israeli war strategy. IDF in urban combat.

Israel Assaults Hamas In Gaza

Crisis In Gaza

Israeli War: The Zero Hour in French israel war

Israel's Fight

Israel Braces For Gaza Retaliation

Israel Assaults Hamas In Gaza

Hamas launching rocket war after Gaza evacuation

Israel brings Gaza airstrikes to the Web

Reminders of War in Gaza - CNN In what became known as Israel's War of Independence

frontline: israel's next war?

Israel Puts War Footage


Body of Every Email

Israel offers short respite from strikes.

Israel will halt its bombardment of Gaza for three hours every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.

The images broadcast here were graphic and striking.

The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.

Proceed to view details:

http://edition.cnn.2009.mixed.world-6l0mhqn1i.xxxxxxxx.xxx/israel-gaza.htm?/efsonline/VIDEO=kyt0k0ggsgm5a3z (<---replaced with X's, these sites are still live)
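
The fake Classmates invites described above and this CNN campaign rely on the same hostname trick: the brand name appears somewhere in the hostname while the registrable domain belongs to the attacker. Here is an added example (my own, not code from any of the campaigns, tools or companies discussed) that flags such links in an email body; the brand allowlist, the small suffix table and the Classmates-style sample hostname are constructed assumptions, and the "xxx" suffix is included only because this post's sample URL uses it as a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains the brand
# really uses. A real deployment would load this from its own inventory.
BRAND_DOMAINS = {
    "cnn": {"cnn.com"},
    "classmates": {"classmates.com"},
}

# Tiny public-suffix table for the example. Use the real Public Suffix
# List in production. "xxx" is here only because the blog post's sample
# URL uses it as a placeholder TLD.
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk", "xxx"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. news.bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-label suffix first, then a one-label one
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brand_spoof(url: str):
    """Return (brand, registrable_domain) if the hostname mentions a brand
    but its registrable domain is not one that brand owns; else None.

    Substring matching is deliberately loose (it is what catches hosts
    like "videoupdate<brand>.com"), so expect some noise in practice.
    """
    if "://" not in url:          # bare "host/path" links parse wrongly
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and reg not in owned:
            return brand, reg
    return None


def scan_body(text: str):
    """Return [(url, brand, registrable_domain)] for each spoofed link."""
    hits = []
    for url in URL_RE.findall(text):
        found = brand_spoof(url)
        if found:
            hits.append((url, *found))
    return hits


# Constructed sample body: the CNN link quoted in this post (attacker's
# domain already replaced with X's), a link on CNN's real registrable
# domain (path made up), and a made-up host in the style of the fake
# Classmates invites.
SAMPLE_BODY = """Proceed to view details:
http://edition.cnn.2009.mixed.world-6l0mhqn1i.xxxxxxxx.xxx/israel-gaza.htm?/efsonline/VIDEO=kyt0k0ggsgm5a3z
Real coverage: https://edition.cnn.com/2009/WORLD/index.html
Proceed to view details>>> http://reunion-video-classmates.example.net/view
"""

if __name__ == "__main__":
    for url, brand, reg in scan_body(SAMPLE_BODY):
        print(f"spoof of {brand}: registrable domain {reg} in {url}")
```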

Wednesday, January 7, 2009

UK Taxpayers Targeted

As British citizens prepare to file their taxes, cybercriminals are attempting to lead unknowing taxpayers to a very realistic phishing page that is nearly identical to the real UK revenue and customs website.

“The site looks identical to HMRC.gov.uk using the same graphics, fonts and styling, and is being used to gather web users' names, addresses and credit card details.”

Individuals are being led to the phishing site by a spam email, reminding people of the impending tax deadline on January 31. The message contains a link to the fake HMRC page. Once the criminals have obtained all the information that they are trying to gain, the individual is redirected to the real HMRC.gov.uk website. This helps to disguise the information theft that just occurred, leaving most people completely unaware of what just happened.

It is not known exactly how many people have fallen victim to this scam. A spokesman for the HMRC said that all users should be wary of such "phishing" scams, and that the HMRC never sends out unsolicited emails.

As US citizens begin receiving their W2’s and related tax forms, you can rest assured that there will be more scams like this one. In years past we have seen plenty of IRS related “tax refund” type scams. In light of the trend in recent years towards more and more information theft, we can expect to see plenty of these in 2009.

Tuesday, January 6, 2009

UK Police Get the Green Light to Hack Home PCs

In a relatively scary piece of news, it would seem that after a decision by the European Union's council of ministers, a new plan was adopted that allows police all across Britain the right to routinely hack into personal PCs and collect any data that they deem evidential without any need for a warrant. Are you kidding me?!
Obviously, this move has angered many civil liberties groups, who describe it as "a sinister extension of the surveillance state which drives a coach and horses through privacy laws."
The act is called "remote searching", and it allows authorities who may be hundreds of miles (or kilometers, as the case may be) away to covertly examine any online computer, whether it be a home PC or your office machine, according to David Leppard of the Times Online. Read his write-up here to get some real detail.
Technically they're only allowed to do this if they know that what they find will result in a minimum jail time of 3 years for the person in question, but how is anyone to know if they don't legally have to tell anyone they're doing it? Unless of course everyone gets paranoid enough to watch log files all day long like a system administrator in hopes of catching the police wrongly scanning their computer, not likely.
I personally believe this is a blatant disregard for personal privacy! I don't discount the fact that this can, and is a powerful means of catching criminals in this day and age, but they should certainly have to have proof and at least a warrant in order to "legally" take it to this level. What do you think?

Rick Sanchez Tweets in Sick

You may be aware by now of the phishing campaign that has recently targeted Twitter. If not, this past week Twitter, a micro-blogging site that uses short posts of 140 characters or less for networks of friends to keep one another posted and up to date on each other's daily activities, was targeted by a campaign that attempted to steal log-in information for Twitter accounts. It really started to generate some press when several big name celebrities appeared to have been victims of these phishing attacks. Some of those celebrities included Rick Sanchez, an anchor at CNN, Britney Spears, Fox News, and president-elect Barack Obama. As it turns out, it was reported today that these were actually the work of a single hacker, and not the recent phishing attacks that they say are now under control. According to a blog post by the Twitter staff:

"The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure."
In addition to taking these tools offline, Twitter goes on to say that their staff will have a busy week resetting a bunch of passwords in addition to everything else just to be on the safe side.