Thursday, October 29, 2009

Who Says No One Uses MySpace Anymore?


So as not to leave any hard feelings, Zeus runs what appears to be an impromptu malware campaign pretending to be from MySpace this time. I say "impromptu" because if this truly is an offering from Zeus it lacks the good-looking graphics that normally accompany its offerings. To me this looks more like a Bredo campaign, complete with the .zip attachment that comes right in the email. Zeus normally hosts its malware in the cloud and rarely brings it right to your inbox doorstep. I have yet to analyze it to give my personal findings; however, 9 other AV companies are detecting the sample as Zbot, so I'll go with that for now. It's not the first time Zeus has done a slimmed-down plain text campaign, but it has been a good while.

Wednesday, October 28, 2009

Zeus Botnet Targets Facebook

This morning a rather aggressive one-two punch started coming into our filters, and it is currently still very active, attempting to deliver Facebook phishing emails at a rate of about 1000 messages per minute per domain used, with about 30 domains being utilized. That's 30,000 messages per minute from this botnet, or 500 per second. On top of that we've already seen about 1.65 million messages from this campaign. As we've come to expect from Zbot, the phishing email is well crafted and could easily trick the unsuspecting recipient into falling for its ruse. The graphics are well done and all look like something you would see from Facebook. The email informs users that Facebook is updating their log-in system to, of course, make things more secure, and it urges people to click on the update button in the email. First of all, this alone should be all anyone needs to see, considering that Facebook, your bank, or anyone else doesn't need every one of their users' participation in order to update their product.
After the unfortunate victim clicks on the link, they are taken to a false Facebook log-on screen where their user name is kindly filled in for them; they only need to supply their password. But this isn't where the attack ends. Not content with having stolen your Facebook account, the Zbot crew wants more. After "logging in", victims are taken to a page that takes it one step further and actually offers what it touts as an "Update Tool", specifically updatetool.exe. So after claiming a new Facebook account, they're also going to infect the victims' PCs with the Zeus trojan. This trojan is known for targeting banking accounts and other financial and personal data on its targets.
Stay away from these emails; Zeus or Zbot spares no effort in making its attacks appear genuine. It is very important for you to protect yourself by being vigilant. Know that threats are out there, and they are indiscriminate. If you don't personally know the sender, I'd avoid clicking any links in emails, especially when the term "your account" appears anywhere in the email.


UPDATE: When this phishing email is received on a smart phone with a Facebook application installed it appears as an actual Facebook notification complete with Facebook icon. It will be received in your inbox as well as under the Facebook "Notification section" in the application itself.

Tuesday, October 27, 2009

Zeus Trojan Strikes Again

What appears to be an alert from the FDIC is really the latest installment of the Zbot banking trojan. The message claims to have come from the FDIC to inform you that your bank has failed and the FDIC has taken control of its assets. These messages come with such subjects as you need to check your “Bank Deposit Insurance Coverage” or “FDIC has officially named your bank a failed bank”. You are then directed to a link that would allegedly allow you to check your deposit insurance coverage. This link takes you to a page that purports to contain your “personal insurance file” in your choice of a PDF or Word document; the only catch is that they are both executable files, named pdf.exe and word.exe. The fake FDIC websites that contain the payload are being hosted on a variety of .eu domains. Here is an example of the message and landing page:



Contained in both of these links is your very own fresh new copy of the Zbot trojan. This has become a very prolific infection in recent months. Also known as Zeus, this piece of malware is a key-logging trojan designed to steal your logins and, more importantly, your banking credentials. These guys are well known for their social engineering tactics, having most recently brought us some fake “IRS Alerts” and “mailbox related server upgrades”. This is a common technique in malware distribution: provide an air of fear and couple it with a relevant news headline to lend legitimacy. All of our Hosted Exchange and spam filtering customers are currently protected from all known variants.

Monday, October 26, 2009

Facebook Themed Malware

Not too long ago we began to see a virus campaign shuffling through posing as Facebook notifications. The email states "Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in the attached document. Thanks, The Facebook Team". This wasn't from Facebook, but instead from the Bredo botnet attempting to expand its numbers. The past couple of months' virus activity has really been ruled by two major botnets, Bredo and Zeus, and both of them have been relentless. Zeus focuses mainly on phishing and banking trojans and arrives posing as a money-related institution such as a bank, both foreign and domestic, or a government agency such as the IRS or HMRC. Zeus emails are colorful and mimic the organization they're impersonating, complete with logos and graphics. Bredo tends to stick with plain text emails pretending to be FedEx, DHL, or, as in this case, Facebook.

Thursday, October 22, 2009

One Account to Rule Them All

Today we've been seeing a newcomer on the phishing scene. This one is attempting to steal the accounts of a service that I was not yet aware of; that's because this service is UK based and I am not. This phishing attack is going after One Account accounts. This is apparently a service that helps you pay down your mortgage by combining your savings account, mortgage, and your income in one account. I didn't read enough to tell you exactly how it works because it was making me sleepy, but I can tell you how this phishing campaign works:
First, an email campaign began early this morning touting a new updated version of the banking software. This came complete with a link to the malicious websites, of which there were relatively few in this case. Once at the website you are prompted for your account log-in info.
After giving up this information, the false site tries for a little more, asking for your name, address and email address. On a side note, none of these fields bothers checking for proper formatting; it just accepts whatever info you put in and continues. On a side side note, my new email address is "fdhgdhgdt".
After entering this information a dialog box pops up thanking you for your information and telling you that you will now be logged out?? Strange, that's usually the opposite of what I'm going for when I log in to something, but ok. Next it redirects you to the actual One Account site, where you get to log in all over again to see that your account is now empty. If it's in regards to your livelihood, your life savings, your identity, or anything else important to you, and it arrives in an email from a stranger, throw it away; it's fraudulent. Your bank will never contact you via email to make account changes; maybe you'll get a monthly newsletter or factoid from them, but that is it. I'm almost at the point of saying ignore it all unless you were expecting it, which may be a little above and beyond, but not by much.

Wednesday, October 14, 2009

This Isn't It!

Attention Michael Jackson fans, as you may know, MJ, following in Tupac's footsteps, released a brand new single, even after his death a couple of months ago. The single entitled "This is It" was released online at his website michaeljackson.com at midnight on the 12th. Well just a day or so later, we began seeing fake CNN breaking news reports hitting our filters.
The email came in with the subject "CNN Breaking News" and a brief story of how the single had been partially leaked on YouTube the day before its release. The "Breaking News" also contained a large link where you could "Listen Online Now". Once the link was clicked you were taken to a webpage that would simply try to get you to download malware that pretended to be the song. The file was titled Michael_Jackson-The_brand_new_song.hta. The file itself would load an .html page with the CNN logo and the YouTube video in question; however, behind the scenes the malware would secretly begin installing a backdoor into your PC.

Say No to OWA Security Upgrade

Today we began seeing a large malware campaign from the Storm Worm. Yes, I said it, the Storm Worm. We haven't really seen much from this variant lately, unless you count its rebirth under the Waledac moniker, but not everybody does. I do believe these are written by the same team, however. I was under the impression that the old version had been ditched for the new, but I guess they've swept the dust off and given it another go.
This campaign is very similar to one we saw two days ago from the same worm, with subtle differences in the body of the email that delivers the link to the malicious payload. On Monday, the emails pretended to be from your domain's engineering team informing you of "Server Upgrades" that were taking place and provided you with a link to expedite the process. Today's attack utilizes tokens to personalize the email so that it appears to be coming from within your own domain. This time, apparently, our technical support team made some security changes in "my" mailbox and I need to click the provided link to apply them. If they want changes made, I think they should just apply them themselves, heck, they've got the uber admin passwords already, but ok whatever, I'll bite: "click".
Next I find myself on a webpage that mimics an Outlook Web Access sign-on page, once again personalized to appear to be specifically for my domain, though I will say it looks slightly odd. Instead of the normal log-in and password fields, there is a link to download the file settings-file.exe. Once it is executed, the host computer is infected with Nuwar.
The Storm Worm is a mass mailing worm that harvests email addresses and mails itself to every address it finds. Once a PC is infected it becomes part of the botnet, and detection and sterilization becomes very difficult. Avoid these.
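As an added example (not code from the original blog), a small Python triage check for the indicators the campaigns on this page share: a sender in the recipient's own domain whose first mail hop is external (the token-personalized OWA lure above), a link that points straight at an executable (settings-file.exe, pdf.exe, word.exe, tax-statement.exe, the .hta file), and the lure wording. The sample messages and the example.com/example.net hosts are constructed, and the "internal mail enters from an internal host" rule is an assumption about the receiving site.

```python
import email
import re
from email import policy

# Indicators from the campaigns above: executable links and mail "from your own domain".
EXEC_LINK = re.compile(r'https?://[^\s"<>]+\.(?:exe|hta|scr|zip)\b', re.I)
LURES = ("your account", "security changes", "server upgrade", "update tool")

def addr_domain(value):
    """Lower-cased domain of the first address in a header value."""
    m = re.search(r'@([\w.-]+)', value or '')
    return m.group(1).lower() if m else ''

def first_hop_host(msg):
    """Host named in the earliest Received header (the last one listed)."""
    hops = msg.get_all('Received') or []
    m = re.search(r'from\s+(\S+)', hops[-1]) if hops else None
    return m.group(1).lower() if m else ''

def triage(raw):
    """Return the indicator tags found in one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    from_dom, to_dom = addr_domain(msg['From']), addr_domain(msg['To'])
    # Assumption: genuine internal mail enters from a host inside our own domain.
    if from_dom == to_dom and not first_hop_host(msg).endswith('.' + to_dom):
        hits.append('spoofed-internal-sender')
    part = msg.get_body(preferencelist=('plain', 'html'))
    body = part.get_content() if part else ''
    if EXEC_LINK.search(body):
        hits.append('executable-link')
    if any(p in body.lower() for p in LURES):
        hits.append('lure-phrase')
    return hits

# Constructed sample modelled on the OWA "security changes" lure, not a real capture.
SAMPLE_STORM = """\
Received: from bulk-relay.example.net by mx.example.com
From: support@example.com
To: alice@example.com

Our technical support team made security changes in your mailbox.
Apply them here: http://owa-update.example.org/settings-file.exe
"""
# Constructed benign message: enters from inside the domain, no executable link.
SAMPLE_LEGIT = """\
Received: from app01.example.com by mx.example.com
From: newsletter@example.com
To: alice@example.com

Read this month's newsletter at https://www.example.com/news
"""
```

Run `triage(SAMPLE_STORM)` and `triage(SAMPLE_LEGIT)` to see the lure flagged on all three counts and the newsletter pass clean.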

Tuesday, October 13, 2009

Underreported Taxes: The British Invasion

Back on September 9th we began seeing an IRS-themed malware-distributing email campaign that played on people’s innate fear of everything IRS. Messages with the subject line "Notice of Underreported Income" were coming in mass quantities. Most often when we see a campaign invoking the IRS it is a phishing message that tries to trick you into giving out your personal financial information. This one was different, as it was attempting to deliver a malicious payload to the unsuspecting user. A more detailed account of this IRS malware campaign can be found here in my colleague's September blog entry. The IRS malware campaign continued for over one month, until yesterday, when it changed. Here is an example of one of the landing pages from the IRS campaign.

Yesterday, we began seeing the very same campaign shift its strategy and point its attack at our friends “across the pond”. The new variant of these messages targets Her Majesty’s loyal subjects via the HMRC. They use the exact same technique to the “T” as far as the message goes, simply replacing the IRS with the HMRC. The landing pages of course look exactly like the page would if it actually existed on the HMRC website. If you follow their instructions and click the link provided, you are prompted to run an executable file aptly named “tax-statement.exe”. This file contains [Trojan-Spy.Win32.Zbot.gen], an infection that carries a very high threat level. This infection will not only attempt to log and steal all of your personal information (logins, passwords, credit card info, mail server access codes, etc.), but it does not stop there. It also opens gateways for other malware to make its way onto your machine, most commonly reported being rogue anti-virus programs (scareware). This piece of malware has also proved very tricky to remove. Here is an example of the current message and landing page:


Friday, October 9, 2009

Operation Phish Phry

In a first-time collaboration, Egyptian and US authorities worked together to indict 100 suspects in a major international phishing ring. All of the defendants have been charged with bank fraud, aggravated identity theft, conspiracy to commit computer fraud (specifically unauthorized access to protected computers in connection with fraudulent bank transfers), and domestic and international money laundering. If convicted they could face a maximum of 20 years in a federal penitentiary. According to the indictment, the Egyptian attackers stole bank account information and related personal information from an unknown number of victims and then hacked into accounts at two separate banks. The names of these banks have not been released. The American co-conspirators would then work to collect and transfer funds from victims' accounts, all of which were also American, to fraudulent accounts from which the money was to be distributed. The Egyptians involved would have their share of the take wired to them.