Tuesday, July 28, 2009

MMS Phishing Attack Targeting Texas Residents

Just a few moments ago, the analysts here at AppRiver began noticing a phishing campaign that uses MMS (multimedia messaging service), which allows images and other multimedia to be sent to your cell phone. The messages are being sent from infected email servers and are strictly targeting Houston and Dallas/Fort Worth area codes. It just so happens that the bank being used in the scam, Sterling Bank, is based in Houston as well.
This qualifies as a targeted attack, and it quite possibly points to the location of the attacker, because the landing sites for the MMS messages are phishing for debit card information such as the card number, expiration date and PIN, meaning that a successful phish could result in fraudulent ATM withdrawals. Since this bank is local to Texas, it may set off alarms if the attackers begin making dozens or even hundreds of withdrawals from an area too far from home base. Here are a few images from the attack in the order they arrive.

Monday, July 27, 2009

Trying to Clean up Yahoo!

Following immediately on the heels of this past week's abuse of free cloud services such as Yahoo Groups, Google Groups, etc., we walked in to work this morning to find a fairly typical IRS tax refund phishing scheme coming through. It made its way into inboxes in an email such as the one below, stating that after their calculations they realized that you were owed a refund of $314.79, and all you had to do was fill out the attached form. The form itself arrived as an .htm page lightly formatted to look like a .pdf, with the file name payment_form.pdf.htm. It had all of the usual fields to fill out such as your name, address, credit card number, CVV number, date of birth, mother's maiden name, etc., you know, all of the stuff that the IRS never ever asks for. The code also had validation that would not accept data if someone tried to enter all 1's in the credit card field, for example. It also included code to reject the same entry in an ATM field, which wasn't even included in the form this go around. This shows that this code is being recycled rather than tailored cleanly to each campaign, or perhaps it was sold in a phishing kit where the purchaser simply didn't know much about the code or how it worked and was just given simple directions on how to get it up and running. Still, these types of errors and redundancies are often seen throughout the criminal cyber world.
After all of the pertinent information was entered into the form and the "Submit" button was clicked, your information would be posted to a remote site by the name of xfilez.biz. More specifically, it was posted to a php page at the site called lus.php. I began to get a little curious when the xfilez page contained analytics javascript references that were located on Yahoo servers. The scripts themselves were located at yimg.com and webhosting.yahoo.com, both Yahoo sites. Could it be that, in addition to hosting spam redirects on the groups pages, Yahoo was also hosting phishing scripts on its very own servers? So I did a lookup on the domain itself, and sure enough:
These were indeed hosted on Yahoo's very own servers. It wasn't looking too good for our buddies at Yahoo!: spam galore, and now phishing attacks too, eek. I will say that as of around 3 pm CST the site was taken down, which is a pretty good response time for them, considering the spam redirects that reside on Yahoo Groups are still very much active even after at least 7 days, which is when Troy and I began following them. Perhaps they don't feel spam is worth hurried attention, or there are just way too many of them to be able to find them all. Regardless, it's a good thing the phishing scripts were taken down quickly, and it would be a great thing if Yahoo! as well as the other major hosting providers actively continued to find and remove these criminal sites and make it harder for them to appear.

Thursday, July 23, 2009

Spammers Abusing Free File Storage

Once again spammers are blasting out a massive spam campaign that takes advantage of free file storage services. This time they are abusing groups.yahoo.com, livejournal.com and groups.google.com. Through the use of an automated account creation process, which possesses some captcha-breaking ability, spammers are hosting their spam images/links on these websites. The vast majority of these messages are using groups.yahoo.com. Using these in an email spam campaign allows the spammer to piggyback on the good reputation of Yahoo and the like, thus avoiding blacklisting. The hosted image or link simply acts as a redirect to push traffic to their intended destination. To add insult to injury, many of these messages are being sent out via Hotmail accounts that were presumably created in the same manner as the hosted links. Through these means spammers can avoid the use of botnets for spam distribution. The availability and ease of abuse of these services continues to keep such “cloud based” spamming operations a viable enterprise.

Here are a few of the messages and the destinations of the URLs:

URL takes you here:

Example 2:

URL takes you here:

Friday, July 17, 2009

TechCrunch Goes Public on Twitter With Way More Than 140 Characters.

I'm officially on the bandwagon and going on record to talk about the recent Twitter happenings. If you haven't heard, it goes a little something like this: a couple of months ago a hacker was able to make his way into a Twitter employee's Yahoo account by guessing the user's security question, and just before that another Twitter employee's administrator account password was hacked because they had used the simple dictionary word "happiness". This was followed with blog posts about the conquest, along with screenshots like the one below showing administrator access to such celebrity accounts as Aplusk (aka Ashton Kutcher), Barack Obama, Britney Spears, et al. All of this led to a media lashing about Twitter's inability, or lack of concern, regarding network security. On a side note, in reality this is very common, weak passwords and easily avoidable security flaws that is, but unfortunately for Twitter, they got caught. Let that be a lesson to all of you; as a matter of fact, I'm going to go change my passwords for the third time today.
Sooooo, anyhoo, all of this was just blowing over when earlier this week the online tech news site TechCrunch announced that the same hacker ended up with a little more than he had originally let on. They told the world that this hacker, Hacker Croll as he calls himself, sent the online magazine 310 documents and screenshots that he had lifted from the company's email and cloud locales such as Google Docs (this user also used the same password across several sites, oops). For around a week TechCrunch was prepping its readers about the fact that they had this info, and they seemed to struggle with it, like giddy little school girls that wanted to spill the beans. Well, yesterday they did, posting 37 private Twitter documents. These were mostly notes from meetings and company plans. A lot of them were meeting notes about deals that are currently on the table, certainly some things you wouldn't want someone you were trying to hash out a deal with knowing. I'm not going to repost any of them or link to the article; if you want to know you'll have to head over there unaided. I personally feel that this was an incredibly low, unethical move on the part of TechCrunch. I mean, come on, the proper thing to do in this industry, as anyone knows, when you happen across such information, whether it be a vulnerability in a website or software, or access to private company documents, is to contact the affected party and give them the opportunity to make things right. Even though there are hundreds of documents that they did not release due to their private nature, this was still too much in my opinion, and I'm going to now refer to TechCrunch as the TMZ of tech news. Shame on you TechCrunch; ethics, perhaps you've heard of 'em?!

Thursday, July 16, 2009

App Spam

Today's spam scam of the day is brought to you by a company called Theappsmarketer, by way of another "marketer" called Future-Click. Or at least it was made to appear that way, by pasting a Future-Click logo, address and removal information at the bottom of the email. Upon further investigation, the Future-Click website appears to be a "computer consulting firm", though their page is pretty weak for a professional company, so who knows?! Another unsubscribe link points to yet another domain, mmgunsc.com, that was registered by a company called UnsubCentral Inc. just a couple of months ago. Likely this unsubscribe link functions more like a valid-email verifier.

The scam itself is just another get-rich-quick-from-home scheme that's sure to get them the riches that the hapless victims were looking for. This one touts a huge "glitch" in smart phone technology. The glitch they're referring to is the ability for a third party to develop and sell apps, or phone applications. It's true the concept is really hot right now and likely won't go away anytime soon, but this and the other facts about the industry that their site feeds you are only fuel for the scam's fire. So, to make things short, the company offers you a portal through which to sell their apps (I'm assuming it's their apps, though it's never really discussed). For every app sold, you keep 75%. They even give you a little chart to demonstrate how much money you'll make. There may be a slight problem with their figures though. According to the chart you will receive $35 for just one sale, which would make the app you're pushing just about $50. Seems a little extreme considering most iPhone apps cost about 99 cents, save for the occasional $3.99, or maybe $10 tops. Anyway, know it's out there, and avoid it. I just find it interesting (at times) when the scammers adapt the same old gimmicks to the changing landscape. They can actually be pretty good at it sometimes.

Tuesday, July 14, 2009

Bogus Tax Refund Phish

Yesterday we began seeing a new IRS phishing attempt hitting our filters. It uses the familiar method of exclaiming that the IRS has determined through some magical “calculation of your fiscal activity” that you are eligible for a tax refund. The message instructs you to complete your tax refund using a “tax refund number” that has been provided for you. These messages have slowed significantly since their peak yesterday morning but are still trickling in, and of course we are blocking all known variants. Here is an image of one of these messages:

The email comes with an .HTM attachment containing a form that, when submitted, uses the domain jackus.biz to record the information and instantly redirect you to the actual IRS website. This redirect is a common method of making victims believe that it was the IRS all along. There are some obvious flaws that may stand out to the would-be victim, aside from the fact that you are being asked to fill out a form in response to an unsolicited email sent to you by the IRS (something the IRS will not do). First there is the amount of the refund [$284.23], as the IRS does not deal in fractions of a dollar. Then they ask you for your card number along with your four-digit ATM PIN (also unlikely, since the IRS prefers to use checking account and routing numbers). The piece I find most amusing is the security warning that is included in the message; it reads: "Note: For security reasons, we recommend that you close your browser after you have finished accessing your refund status." Pictured below are images of the attached form and some of the more interesting bits of code contained therein:

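As an added example (not code from the original post), here is a small Python scanner for the kind of .htm form attachment described in this entry and in the Yahoo! entry above: it parses the form, finds where it posts, and flags forms that post off-domain while collecting card or PIN data. The domain jackus.biz and the $284.23 amount are from the post; the markup, the form.php path and the field names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the refund form: the domain and amount are
# from the post, the path, markup and field names are assumed.
SAMPLE_HTM = """<html><body><h2>Your refund: $284.23</h2>
<form method="post" action="http://jackus.biz/form.php">
  Name <input name="fullname">
  Card number <input name="cardnumber">
  ATM PIN <input name="atmpin" type="password">
  <input type="submit" value="Submit">
</form></body></html>"""

# Field names a tax refund form would never legitimately ask for
SENSITIVE = re.compile(r"card|pin|cvv|ssn|maiden|routing|passw", re.I)

class FormScanner(HTMLParser):
    """Collect each form's action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "fields": [str, ...]}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def scan_attachment(html, claimed_domain):
    """Return one finding per form that posts to a host other than the domain
    the message claims to come from while asking for card/PIN style data."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        host = urlparse(form["action"]).hostname or ""
        sensitive = [n for n in form["fields"] if SENSITIVE.search(n)]
        if host and host != claimed_domain and sensitive:
            findings.append({"post_host": host, "sensitive_fields": sensitive})
    return findings

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_HTM, "irs.gov"))
```
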
Thursday, July 9, 2009

Shortening the Link: A Follow-Up

As a follow up to what Troy began talking about here on the blog, as well as being quoted in SC Magazine, I wanted to delve a little deeper into one of the larger campaigns currently running that is utilizing these URL shortening services.
In fact the largest one out there is a familiar face. Currently this campaign is arriving at nearly 10,000 pieces per minute, with around 18 million pieces caught in our filters as of this writing. This certainly is a large one, and it begins as a plain text email promising a financial way out of the current recession. In one form it gives a link to a news article, supposedly from "The Business News", and in the other it's "proof" from a concerned friend. Either way, these emails then utilize the URL shortening services to provide a unique hyperlink to the web-based story. As Troy had also stated, these links, obfuscated by means of the shortening services, make it nearly impossible to block these spam emails based on the links themselves. In this way, the spammers can keep the landing site on fewer servers and simply mask the redirection to them, thereby decreasing their workload and their need for unique web addresses.
Once the link is followed you arrive at a webpage that appears to be a news story entitled "Jobs: Is Working Online At Home The Next Gold Rush?". Well, that certainly sounds compelling. The fact that the page is arranged in the same manner as other reputable news sites also gives it an air of legitimacy. Another feature that helps with the legitimacy aspect is the use of Geo-IP location to customize the story and site so they appear local and more accessible to the reader. If you remember, I blogged about a similar spam campaign that utilized Geo-IP location back in May, and as it turns out, this is from the same group. The emails are also delivered by the same botnet, Waledac. The story is about a woman named Mary Steadman who just so happens to be from the same town as the one you're currently accessing the story from, thanks to a little javascript code that's looking at your IP address. This is seen several times throughout the story, including in the title of the publication, which is the [insert your state name here] Catholic Business Edition. The story goes on to tell you how Mary gets rich quick using Easy Google Profit to post links on various websites. I'm guessing the links you're posting will likely aid them later through some sort of search engine optimization. As far as actually getting paid for it, I'm not so sure.
At the bottom of the story there is a slew of supposed reader comments, some singing the praises of the work-from-home system and some slightly skeptical, undoubtedly to keep up the realism. A look at the source code shows that these comments are written right into the page and use avatars stolen from the comment sections of various reputable websites, including the New York Times.
The site also includes what appear to be several work-from-home advertisements, which turn out to be but a single link that, once clicked, takes you to the page you might recognize from its first appearance in May, the Google Riches sign-up page, where they take your information as well as an up-front $3.58, though that may not be all, considering they want your credit card information to process that $3.58. The landing page is slightly different, but all in all the same.

Wednesday, July 8, 2009

Shortening The Link


URL shortening essentially exchanges an original URL for a shorter version. When the short URL is clicked, the shortening website looks up the longer URL and redirects the user to the actual destination. One of the dangers associated with URL shortening is that users are blinded to the actual URL they are about to visit by clicking on an unknown link, which may lead to a malware download, a phishing site, or other spam-related material. Since the proliferation of Twitter (where shortened links are commonplace) caution seems to have gone by the wayside; oftentimes a lot of trust is given by even the most savvy users, who will click on shortened URLs without hesitation. Scammers capitalize on this fact, and also shorten their URLs to bypass spam filters (because the actual domain is not sent via email, the malicious link is more likely to evade some filters). Currently, there are high volumes of spam utilizing many different URL shortening services. Finally, and worth noting, shortening services are typically free, do not check the link, and do not utilize any captcha technology to prevent abuse. Such ease of access lets cybercriminals point the automation spammers already have at these services and abuse them efficiently.
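The filter-side counter to the evasion just described (and to the campaign in the July 9 follow-up above), as an added example that is not code from the original post: expand the short link at filtering time by following Location redirects without fetching the page, then make the block/allow decision on the final destination rather than on the shortened link. The redirect table, hostnames and blocklist entry below are constructed stand-ins for the HEAD responses a real shortener would return, so the block runs offline; a loop or an over-long chain is treated as suspicious rather than allowed.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for the 301/302 Location headers a
# shortener would return (assumed; no real shortener is queried).
REDIRECTS = {
    "http://short.example/a1b2": "http://short.example/z9y8",
    "http://short.example/z9y8": "http://news-landing.example/story?geo=1",
}
BLOCKED_DOMAINS = {"news-landing.example"}   # constructed blocklist entry

def lookup_location(url):
    """Stand-in for a HEAD request: return the Location header, or None."""
    return REDIRECTS.get(url)

def expand_url(url, lookup=lookup_location, max_hops=5):
    """Follow the redirect chain without rendering any page.
    Returns (final_url, chain, reason) with reason in final/loop/hop_limit."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:                      # no redirect: real destination
            return chain[-1], chain, "final"
        if nxt in seen:                      # redirect loop
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "hop_limit"     # chain too long to trust

def verdict(url, blocked=BLOCKED_DOMAINS, lookup=lookup_location):
    """Decide on the expanded destination, not on the shortened link."""
    final, _chain, reason = expand_url(url, lookup)
    if reason != "final":
        return "suspicious"
    host = urlparse(final).hostname or ""
    return "block" if host in blocked else "allow"

if __name__ == "__main__":
    print(expand_url("http://short.example/a1b2"))
    print(verdict("http://short.example/a1b2"))
```
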