Thursday, April 30, 2009

Facebook Phishing (again)

Today, if you're a user of Facebook, you may have received a message in your inbox from an apparent user with the subject "Look at this!". The message simply contains the domain name fbstarter[dot]com. If you have automatic notifications set up in your Facebook account, which most people do due to default settings, you also received this email in the form of a notification in your email inbox, and that's exactly how we are seeing them here at AppRiver. We're not seeing a ton of them, but enough to be a nuisance, around 2 per minute currently, though the volume is likely somewhat higher in users' Facebook inboxes than in email inboxes because of these notification settings. The domain fbstarter[dot]com was just registered today to a man called Boris Soroka. The registrar, ALANTRON BLTD., is located in Latvia, but the contact information for the domain points to Moscow. Currently the domain doesn't have any content, though I concur with other experts that sometime soon, likely by the end of the day, this domain will begin to host Facebook phishing sites. Make sure you're paying close attention, and never click on links in emails from people you don't recognize. You should avoid opening them at all if possible.
Facebook has been a very popular target as of late for all sorts of malware and spam campaigns due to its fairly recent rise to the top of the social networks. Its use of Web 2.0 third-party applications and advertisements, along with its growing popularity, makes it a fertile target for malfeasance. Be careful, and be aware.

Monday, April 27, 2009

That Didn't Take Long

Spammers and malware authors are notorious for latching on to breaking news stories and using them in their campaigns, and they're pretty quick about it. As I was listening to the news this morning, it seemed like every other story was about swine flu. So, I thought I'd take a peek into our filters to see if they were using this theme yet in hopes of piquing your interest and getting you to visit their websites, and of course they were.

Other subject lines included things like:
US swine flu fears
Salma Hayek caught swine flu!
Will swine flu attack USA?
Administration declares health emergency in swine flu outbreak
Madonna caught swine flu!
US swine flu statistics


All of the emails were similar with a one-line body and a link to one of many .cn domains. All of the links I tried were already broken, but I believe they were once pointed towards pharmaceutical sites.

Wednesday, April 22, 2009

IRS Phishing Scheme Targeting Non-Resident Aliens

This year has been full of the normal IRS style phishing emails. Most of these promise you a nice believable return quickly and easily via email. That is, after providing every piece of sensitive information you have to a website that mirrors an actual IRS website through the use of convincing graphics. Every year there is usually at least one new, and somewhat creative technique that is attempted surrounding April 15th or "tax day" for U.S. citizens.
This year's comes nearly a week and a half past the deadline for tax filing and targets non-resident aliens. A non-resident alien, for those who don't know (I was a little shaky on the definition myself), is someone who is not a permanent resident of the United States but is in the States legally and is taxed on resources from U.S. sources.
The email arrives in the normal quasi-official-looking manner, claiming to be from the IRS and addressed to Sir/Madam. That's clue number two; the first was the fact that you received an email from the IRS at all. They don't communicate in this manner, especially for official business; they've always stuck with snail mail, and apparently plan on keeping it that way according to their website.
Even though they don't use your actual name, nor do they know your gender, the email goes on to say that "Our records indicate that you are a non-resident alien. As a result, you are exempted from United States of America Tax reporting and withholdings on interest paid on your account and other financial dealing to protect your exemption from tax on your account and other financial benefit in rectifying your exemption status."
At this point some people may recognize it as a hoax and delete it; others may be drawn in by the fact that they're already late in filing, and this email tells them that they're exempt anyway, thus turning what may have been anxiety and nervousness over possible penalties into a brief sigh of relief. For those that this bait reels in, there are more official-looking documents attached posing as Form W-8BEN, which is in fact the official Department of the Treasury "Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding"; however, this version goes for broke, asking for every piece of information the scammer could possibly think of, including nationality, birthplace, passport numbers, mother's maiden name, spouse's name, spouse's birthdate, addresses, social security numbers, you name it! The document is intended to be faxed upon completion to a phone number whose area code points towards Seattle, WA. It has been busy every time I've tried it; hopefully someone is flooding it to prevent victims from being able to connect, at least I hope that's what's going on. Click on any of the pictures to enlarge them.

Thursday, April 16, 2009

If You Can't Trust, You Can't Be Trusted

The Waledac botnet is offering up some fodder for the paranoia-laden this week with a fake service that would supposedly allow you to intercept and view anyone's SMS messages via a web browser. That way you could catch your cheating significant other, or just make yourself look and feel like a complete ass. The emails arrive in the exact same Storm-esque fashion as they always have (btw, I'm still confused as to why we had to change its name to Waledac, but I digress): one-liner bodies with a link to the malicious site, and one-liner subjects such as:
Do you want to read her SMS?
Do you trust her?
Do you want to test your partner?
Your girlfriend is cheating on you!
Keep a spy eye on your Girlfriend's mobile
Read other people's SMS without any program
The world's most advanced sms reading program

Once at the site you are treated to the picture above along with the text:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then! It's so easy! You don't need to install it at the mobile phone of your partner. Just download the program and you will able to read all SMS when you are online. Be aware of everything! This is an extremely new service!
and of course you are treated to a link that downloads the malicious executable. The file name varies among trial.exe, sms.exe, smsreader.exe, freetrial.exe, and smstrap.exe. There is one difference here: this time I have yet to find any hidden iframes, which have also become a staple of the Storm, er, Waledac campaigns. These iframes would be used to automatically start the malicious download without the victim even having to click on the supplied link.
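For anyone reviewing a captured landing page from a campaign like this, here is an added example (not from the original post) of the check I would run for the hidden-iframe trick described above: it flags iframes that are sized or styled to be invisible, or whose source is an executable. The sample HTML, URLs and file names are constructed for the example and use the reserved `.invalid` domain.

```python
from html.parser import HTMLParser
import re

# Constructed sample page, loosely modelled on the campaign described above.
# Hosts and file names are made up; example.invalid never resolves.
SAMPLE_HTML = """<html><body>
<p>Do you want to test your partner or just to read somebody's SMS?</p>
<a href="http://example.invalid/download/sms.exe">Download free trial</a>
<iframe src="http://example.invalid/load/smstrap.exe" width="0" height="0"></iframe>
<iframe src="http://example.invalid/ad" style="display:none; visibility:hidden"></iframe>
<iframe src="http://example.invalid/visible" width="300" height="200"></iframe>
</body></html>"""

# Source paths ending in a Windows executable extension (optionally with a query string).
EXE_RE = re.compile(r"\.(exe|scr|pif|com)(\?|$)", re.IGNORECASE)

def _is_hidden(attrs):
    """Heuristics for an iframe meant to be invisible to the visitor."""
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") or h in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every suspicious <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # html.parser gives None for bare attributes
        src = a.get("src", "")
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if EXE_RE.search(src):
            reasons.append("executable-src")
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html):
    """Return a list of (src, reasons) for iframes worth a closer look."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML):
        print(src, reasons)
```

The visible 300x200 frame in the sample is deliberately left unflagged, so a hit means size, style or target looked wrong, not merely that an iframe exists.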

Thursday, April 9, 2009

Fake Microsoft Email Alert Delivers Malware

Emails claiming to be a security warning from Microsoft have been blasted out for days. They appear to be from “Microsoft Windows Security Team” (or some variation) and inform you that “your network is showing signs of being infected” with the ever-popular Conficker worm. There are also multiple variations of the subject line, such as: Infection Alert (Incident#: Randomized), Conficker Infection Alert (Incident#: Randomized), Security Breach (Incident#: Randomized), Microsoft Alert (Incident#: Randomized), Microsoft Alert (Case#: Randomized).
Here is an example of the message:
Once you click on the link you are redirected to a fake website as follows:

Following the given instructions you are prompted to download the file setup.exe:

This type of campaign has been seen in the past, but I expect this version to achieve higher infection rates due to the recent media-heightened interest surrounding the Conficker worm. This is a great example of the latest improvements in social engineering tactics: using current news topics to gain the reader's trust and attention. AppRiver is currently blocking all known versions of this message.

Wednesday, April 8, 2009

Foreign Spies Hack US Power Grid

According to a report by the Wall Street Journal today, foreign spies have successfully hacked into the United States power grid and left behind malware. The intruders have likely been "breaking into" the system for the past couple of years in an effort to learn how the internal systems work. U.S. intelligence officials, not the utility companies themselves, detected many of the compromises, which did not do any damage. The officials cautioned that there was no immediate threat but that if there was a war, the hackers may try to "turn on" the malware left behind.
The responsible parties are believed to be from Russia and China, but officials from these countries have denied any involvement. The utilization of botnets and the ability of attackers to cover their tracks make it pretty much impossible to know for sure. Here's a link to the WSJ article.

Friday, April 3, 2009

Two Senators Attempt to “Can” Mobile Spam

Only a few days after introducing two new bills that would seek an increase in network security for the nation's businesses and create a National Cybersecurity Advisor to the White House, another piece of legislation is being introduced. Yesterday Senators Olympia Snowe (Rep) of Maine (co-author of the aforementioned bills) and Bill Nelson (Dem) of Florida introduced legislation seeking to limit unsolicited text messages on mobile devices.

The m-Spam Act of 2009 would utilize a Do-Not-Call registry, a list of subscribers who have indicated that they do not wish to receive unsolicited calls. This bill would tighten current restrictions and would prohibit any unsolicited commercial text messages from being sent to a number on the Do-Not-Call list. The Senators cited numbers from 2007, when US users received 1.1 billion spam text messages, up 38% from 800 million in 2006. I have yet to find any numbers for 2008, but the growth estimates all project that around 1.5 billion mobile spam messages were received in 2008.

On Thursday, Snowe stated, “Mobile spam invades both a consumer’s cell phone and monthly bill.”

"There is also increasing concern that mobile spam will become more than just an annoyance," she said, citing the danger of "viruses and malicious spyware."

"This significant and looming threat must be addressed in order to protect consumers and vital wireless services," Snowe said.

Senators Snowe and Nelson also cited the potential for unwanted costs to the consumer, since many people pay on a per-text-message basis.

Mobile spam is still nowhere near the levels of email-based spam, as it is estimated to make up less than 1% of total messages, but it does pose a major threat going forward. Not only will we continue to see more unsolicited messages to mobile devices, but along with that, an increased prevalence of mobile malware. It is great that our elected officials are making strides in the right direction, and I expect this legislation will, at the very least, provide some much-needed additional legal recourse that will aid in the prosecution of mobile spammers, but only when and if they are ever identified. While I do hope for the best, I do not really expect this bill to affect the proliferation of the mobile spam/malware threat.

Thursday, April 2, 2009

Quick and Easy Conficker Infection Tester

Perusing the web this morning, I came across what has to be the simplest means of testing your computer to see if it has been infected by Conficker. It's dubbed the Conficker eye test because it uses a set of six images to determine trouble. The images are lined up as seen below, with the bottom three being just a few random images that are used as controls, and the top three being security company logos that are loaded by the page directly from the vendors' sites.
Conficker, ever since variant "B", has blocked access to most security vendor sites, so the worm will also block access for this page as it attempts to display the security vendors' logos. A chart on the site can also help discern which variant you may have, or whether it's an error not related to Conficker.
It's also good to note that this is not the first time that malware has blocked access to security sites, so if you're unable to view any of the top three pics, it could also be a virus that's been around for a while and not necessarily Conficker, so make sure you double-check these results. Oh yeah, here's the test at JoeStewart[dot]Org.
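The same control-versus-vendor reasoning can be run from a script instead of a browser. The following is an added example, not the eye test's own code: it resolves three vendor hostnames and three neutral control hostnames and interprets the pattern the way the test's chart does, including the caveat above that a block is not proof of Conficker specifically. The hostnames are placeholders (assumption: substitute real vendor and control hosts), and `fake_resolver` exists only so the logic can be exercised offline.

```python
import socket

# Placeholder hostnames (assumption); replace with real security-vendor and
# neutral control hosts before using this against a live machine.
VENDOR_HOSTS = ["vendor-a.example", "vendor-b.example", "vendor-c.example"]
CONTROL_HOSTS = ["control-a.example", "control-b.example", "control-c.example"]

def resolve_all(hosts, resolver=socket.gethostbyname):
    """Return {host: True/False} according to whether the lookup succeeds."""
    results = {}
    for host in hosts:
        try:
            resolver(host)
            results[host] = True
        except OSError:          # socket.gaierror is a subclass of OSError
            results[host] = False
    return results

def classify(vendor_ok, control_ok):
    """Interpret the reachability pattern the way the eye test's chart does."""
    if not any(control_ok.values()):
        return "no-network"      # controls fail too: connectivity problem, no verdict
    if not any(vendor_ok.values()):
        # Only vendor hosts fail: consistent with Conficker B/C, but other
        # malware has blocked vendor sites too, so confirm with a scanner.
        return "vendor-blocked"
    if not all(vendor_ok.values()):
        return "partial-block"   # a subset fails: vendor outage or different malware
    return "clean"

def run_eye_test(resolver=socket.gethostbyname):
    """Run the six lookups and return one of the four classifications."""
    return classify(resolve_all(VENDOR_HOSTS, resolver),
                    resolve_all(CONTROL_HOSTS, resolver))

def fake_resolver(blocked):
    """Simulated resolver for offline demonstration: fails for hosts in `blocked`."""
    def resolve(host):
        if host in blocked:
            raise OSError("lookup blocked")
        return "192.0.2.1"       # constructed documentation address
    return resolve

if __name__ == "__main__":
    print(run_eye_test(fake_resolver(set(VENDOR_HOSTS))))   # vendor-blocked
```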