Facebook Virus That Drains Your Bank Accounts: What You Need to Know

This post was originally published on the Malwarebytes Blog:

News that the Zeus Trojan is back on Facebook has spread across many news sites as fast as the malware itself.

Awareness and education about online dangers are essential, but headlines like “Malware That Drains Your Bank Account Thriving On Facebook” instill fear while at the same time blaming Facebook, something that may not be entirely justified.

Malicious links on social networking sites are nothing new (Twitter and LinkedIn, to name a few). They have been, and continue to be, abused by spammers to peddle fake AV or to redirect to exploit sites distributing all sorts of nasties.

So what exactly is all the fuss about? Let’s have a look at this example reported by the New York Times.



The fraudulent/spammy posts appear to come from either fake Facebook accounts or hijacked ones. The links all seem to follow a similar pattern, where the country-code top-level domain (ccTLD) is “tk”. This ccTLD belongs to Tokelau, a small territory of New Zealand that is regarded as a hotbed for all sorts of online fraud. Suricata/Emerging Threats even has a detection rule for “.tk” domains, “ET CURRENT_EVENTS DNS Query to a .tk domain – Likely Hostile”, which sums up their trustworthiness rather well.

In this particular case, the “.tk” domain seen here is simply used as a redirector to another domain, 2bestmall . com.


Here we have a classic case of counterfeit merchandise where big brand names are advertised at 78% off of MSRP. Visitors who make a purchase have their payment processing done through another intermediary known as billingcheckout . com, which has a rather poor reputation according to Web of Trust (WOT).


The domain name billingcheckout.com was registered through TODAYNIC.com, INC, a Chinese registrar, with unsurprisingly bogus registrant information. Ordering counterfeit goods may not be the smartest of ideas if the parcel is intercepted at customs, and trusting a “company” like this with your credit card is definitely not something you want to do.

As far as the Zeus malware connection, the counterfeit website we identified belongs to an interesting hosting company that has many ties to malware activity:


What’s more, if you dig deeper you will find the link to Zeus (courtesy of abuse.ch):


The Zeus Trojan is a rather notorious piece of malware that became extremely popular and inspired offshoots such as the Citadel Trojan. It sits in the background and waits for the user to log into a sensitive site (such as a banking login screen) so that it can steal the password or even display fake pop-ups requiring the victim to enter additional confidential information.

It’s not the first time, and it won’t be the last, that links posted to Facebook pages and profiles contain or redirect to malware. But does Facebook really sit idle while its users get infected? Not quite: the social media platform has partnered with many security companies, including both Websense and WOT, to offer a safer experience.



I also feel this is a bit of a cheap shot because that same spam can be found elsewhere. This same ad has also appeared on Google’s Blogger, a service that I and many other professionals use to maintain our own blogs:


Facebook happens to be the largest social networking site and as such is one of the most coveted platforms for the bad guys, just like Microsoft’s Windows is for the operating systems.

These kinds of statements made by online news sources on this topic undermine the incredible amount of work and resources spent on fighting cyber-crime, and fail to show the realities security researchers face every day. Cyber-criminals constantly adapt and up their game to defeat every new security measure put in place. Whether they are financially or politically motivated, cyber attacks will always exist.

End-users need to rely on a layered defense approach to best protect themselves. It is nice to know that Facebook and Google continue to try and protect us from browsing malicious sites, but we cannot expect them to block 100% of attacks. As always, good security software and best practices (such as being careful before clicking links) go a long way towards saving you from all the online dangers out there.

Dorkbot worm lurks on Skype and MSN Messenger again

The Dorkbot/Rodpicom worm, which spreads via messaging applications and leads to additional malware infections, is currently doing the rounds on Skype and MSN Messenger, warns Fortinet.

The vicious circle starts with potential victims receiving a direct message from a contact, asking “LOL is this your new profile pic? http://goo.gl/[removed]”. Those who follow the link land on a malicious site and are infected with the worm.
Apart from being able to send out the aforementioned message to further potential victims, the malware is also capable of opening a backdoor into the infected system, downloading more malicious software, spamming, reaching out to its C&C server, downloading a new version of itself, and other malicious activities. The computer is essentially enslaved into a botnet and is ready to do the botnet master’s bidding.
It’s interesting to note that the worm waits until the victim logs into the chat app they use and only then sends out the messages. It is also able to change the language of the message to match the language of the installed Windows operating system, making it more believable that the message was sent by the user.
According to FortiGuard Labs researcher Raul Alvarez, the malware is also equipped with a number of evasive and obfuscation techniques aimed at hiding its existence both from AV software and researchers.

Credit: Net-Security.org

Adult Phishing Scams Haunt Aura Kasih


Symantec: Phishers continue to target Indonesian celebrities with adult scams. Phishing attacks on rock star Ahmad Dhani have already been seen. In July 2012, Symantec observed a phishing site that claimed to have an adult video of Indonesian actress and singer Aura Kasih. The phishing site spoofed a social networking brand and was hosted on a free Web hosting site.

The adult scam came in light of a recent scandal surrounding the singer. An adult video, allegedly of Aura Kasih and pop star Nazril Irham, has been circulating recently in Indonesia over the internet and mobile phones. It is rumored that the video started appearing after Nazril Irham’s laptop was stolen.

Phishers created the phishing site with an image of a video link of Aura Kasih. A message in Indonesian on the image prompted users to log in to view the video. The message also claimed that the video was provided in secret by the social networking site and asked users not to distribute it. A logo of the social networking brand was placed to the left of the image with the caption “Download Video”. After users entered their login credentials they were redirected to an Aura Kasih blog page. The blog page contained several fake links giving the impression that clicking them would lead to adult videos of the singer.

Phishers are constantly monitoring current events to incorporate them into their phishing sites. They perceive that by doing so, the phishing sites look more authentic which improves their chances of harvesting user credentials. If users fall victim to the phishing site, phishers would have successfully stolen their information for identity theft. The strings contained in the phishing URL indicate that the video in question is available after logging in.

The phishing URL is:



Internet users are advised to follow best practices to avoid phishing attacks: https://omidfarhang.com/computer/security/phishing

Fake Facebook Photo Notifications Contain Malware

Mashable: Sophos’s NakedSecurity blog outlined the threat on Wednesday. The company’s SophosLabs intercepted a “spammed-out email campaign” which was designed to spread malware. Sophos provided the following example:


The blog notes that the email address above misspells “Facebook” as “Faceboook.” The link takes the user to a malicious iFrame script, which exposes the user’s computer to malware. However, within four seconds, the user’s browser is directed to a presumably innocent Facebook page like the one below to act as a smokescreen.


The lab recommends checking the “Facebook” email addresses in such emails closely and hovering your mouse over the link, at which point you should see that it doesn’t go to a Facebook page.

Have you been duped by a fake Facebook photo tag message? Let us know in the comments.

Important: Today is your last chance to keep your internet connection


Tomorrow, July 9th, the FBI will shut down the DNS servers that allow computers infected with this malware to use the Internet.

If you want to make sure your internet keeps working, act today and check whether your computer is infected by DNS Changer. Here is a very easy-to-use tool: Tool available for those affected by the DNS-Changer

LinkedIn passwords in circulation

H-Online: Internet forums are currently circulating a list containing over six million password hashes which allegedly originate from LinkedIn. The passwords are being cracked collaboratively, with about 300,000 passwords already published as plaintext.

The list contains bare SHA-1 hashes with no names or email addresses. Even when cracked, the passwords will not easily give access to the corresponding account. However, it is probable that the person who captured the hashes also has the corresponding email addresses. In an initial sampling, The H’s associates at heise Security didn’t find any known LinkedIn passwords in the list, but with over 160 million members that doesn’t mean a lot. The already cracked passwords often contain “linked” or even “linkedin”, for example “lawrencelinkedin”. This suggests that the passwords actually come from the LinkedIn social network. However, this has not yet been confirmed.

The shocking reality is that even passwords such as “parikh093760239”, “a06v1203n08” and “376417miata?” have already been cracked. This is because the hashes were evidently generated without a salt, which makes them easy targets for attacks using rainbow tables: precomputed hash-to-password lookups that can crack even passwords believed to be strong in just a few hours. For a view of what a server administrator needs to do to prevent this, read the article Storing passwords in uncrackable form at The H Security.
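To show why the missing salt matters, the following added example (not code from The H or from LinkedIn) builds a constructed "leak" of unsalted SHA-1 digests, cracks it with a single precomputed lookup table, and then contrasts that with salted, iterated hashing (PBKDF2-HMAC-SHA256, chosen here as one standard option), where the same table is useless because equal passwords no longer produce equal digests. All passwords and the wordlist are made up for the demonstration.

```python
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the storage format described in the article."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample leak: three unsalted digests, no usernames or emails.
LEAKED_UNSALTED = [sha1_hex(p) for p in ("lawrencelinkedin", "summer2012", "kZ9!vQ2p#r")]

# Constructed wordlist standing in for the attacker's dictionary / rainbow table input.
WORDLIST = ["password", "linkedin", "lawrencelinkedin", "summer2012", "letmein"]


def build_lookup_table(candidates):
    """Hash each candidate once. Because there is no salt, this table is reusable
    against every unsalted SHA-1 leak ever published; a rainbow table is a
    space-optimised form of the same precomputation."""
    return {sha1_hex(p): p for p in candidates}


def crack_unsalted(hashes, table):
    """One dictionary lookup per leaked hash; cost does not grow with user count."""
    return {h: table[h] for h in hashes if h in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Salted, iterated hash as recommended storage. A fresh random salt per user
    means two users with the same password get different digests, and the
    iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salt_defeats_precomputation(password: str) -> bool:
    """Store the same password for two users; digests differ, yet both verify."""
    s1, it, d1 = hash_password(password)
    s2, _, d2 = hash_password(password)
    return d1 != d2 and verify_password(password, s1, it, d1) and verify_password(password, s2, it, d2)


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED_UNSALTED, build_lookup_table(WORDLIST))
    print(f"{len(cracked)} of {len(LEAKED_UNSALTED)} unsalted hashes recovered: {sorted(cracked.values())}")
    print("salted storage resists the same table:", salt_defeats_precomputation("summer2012"))
```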

Whatever the case, you cannot rely on your own password to remain uncracked and so, if you have a LinkedIn account, you should change the password as soon as possible. You should also do the same for all other services where you used the same password or password root as on LinkedIn.

Learn more about this and how to change your LinkedIn password: http://techblog.avira.com/2012/06/06/change-your-linkedin-password/en/

Find out how to create a strong password and take care of them: https://omidfarhang.com/computer/security/passwords

Hackers use fake Facebook cancellation emails to deploy malware

H-Online: A new type of phishing strategy, which aims to trick unsuspecting users into installing a trojan by pretending to be an account cancellation request from Facebook, has been discovered by Sophos. The email messages link to a third-party application on the site that will install a Java applet and then prompt the user to update their Flash player, but will actually deliver the trojan malware.

The email messages that are sent out claim to be from Facebook and state: “We are sending you this email to inform you that we have received an account cancellation request from you.” However, Facebook never sends such account cancellation confirmation messages via email. Users who want to cancel their Facebook account can do so by visiting facebook.com/deactivate.php to deactivate their account; they may later delete it after a cool down period has passed.

The malware preys on the fact that many users value their Facebook account highly and do not want it to be deleted. If they follow the link, they get prompted to install a Java applet. If they choose not to do so, the application will keep nagging until the user agrees to the applet being installed. Next, the user will see a message that they need to update Flash Player – this will actually install a trojan onto the system which allows the hackers to take over the machine and integrate it into a botnet. According to Sophos, the most commonly installed trojans are SpyEye-B and Agent-WHZ.

Phishers Offer Fake Storage Upgrades

Symantec Connect: Customers of popular email service providers have been a common target for phishers for identity theft purposes. Phishers are constantly devising new phishing bait strategies in the hope of stealing user email addresses and passwords. In April 2012, Symantec observed phishing pages that mimicked popular email services in an attempt to dupe users with attractive storage plans.

Customers were flooded with fake offers of free additional storage space for services such as email, online photo albums, and documents. In the first example, the phishing site was titled “Welcome to New [BRAND NAME] Quota Verification Page”. According to the bogus offer, the additional storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The phishing page boasted that the free additional storage plan will help customers prevent loss of data and the inability to send and receive emails due to exhausted storage space. It also stated that the plan will auto-renew each year and the customer can choose to cancel at any time by returning to the same page:


To avoid customer suspicion when the bogus offer doesn’t materialize, phishers used a time-buying strategy. They indicated that customers would be contacted 30 days prior to renewal and also that the upgrade process will take effect in a 24-hour time span. After user credentials are entered, the phishing page redirected to a page which confirmed the upgrade was initiated and complete. The phishing page then redirected back to the legitimate service website:


Similar phishing pages were observed spoofing other email services. The phishing site in this second example is titled “Obtain Free Additional Storage”. The same bait was used here as well:


To gain customer trust, the email address field was auto-populated on the fake page and is also concealed in the query string. Looking deep into these scams, it is evident these phishing scams are targeted attacks. By randomizing the email address in the query string of the phishing URL, the same phishing page can be used for targeting multiple users. Below is the URL format:


Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software which protects you from online phishing.

Warning: Fake Biophilia app on Android is malware

Cross-posted from ZDNet: Summary: Cyber criminals have created a fake Biophilia app for Android that is really just malware in disguise. Your first red flag should be that Biophilia is officially available on iOS, but not on Android.


During April alone, we’ve already seen malicious versions of Angry Birds Space and Instagram in the wild. Both are Android apps that are really just malware designed to generate money from unsuspecting users by sending expensive international text messages. Now the same is happening with the popular Biophilia app.

Here’s the official description of the app:

Biophilia is an extraordinary and innovative multimedia exploration of music, nature and technology by the musician Björk. Comprising a suite of original music and interactive, educational artworks and musical artifacts, Biophilia is released as ten in-app experiences that are accessed as you fly through a three-dimensional galaxy that accompanies the album’s theme song Cosmogony. All of the album’s songs are available inside Biophilia as interactive experiences: Crystalline, Virus, Moon, Thunderbolt, Sacrifice, Mutual Core, Hollow, Solstice, and Dark Matter.

Björk recently invited hackers and pirates to port her app from iOS to other platforms, but somehow I don’t think Android malware is what she had in mind. Symantec identified the social engineering scam on third-party Android app download sites and described the malware as follows:

The app itself comes in two parts: the front-end, which has the ability to stream songs, and a background service with the name ‘Market’. Upon examination of the background service (designed to activate every time the phone starts) it appears to belong to the Android.Golddream family of threats. The authors of this family of threats are known to target third-party apps with malicious versions of popular apps, drawing revenue from premium SMS scams.

To reiterate, Biophilia is not available for Android. Some may have managed to port it illegally, but please beware that they may have included malware inside. If you want the official iOS version, get it from the official Apple App Store. Here is the direct link: itunes.apple.com/app/bjork-biophilia/id434122935.

WikiPharmacy? Fake Notifications Spammed Out

Symantec Connect: Symantec is intercepting a resurgence of spam attacks on popular brands. Spam messages that are replicas of the Wikipedia email address confirmation alert are the latest vector. These spam messages pretend to originate from Wikipedia and are selling meds, under the following subject line: “Subject: Wikipedia e-mail address confirmation”.

The spoofed Wikipedia page is a ploy to give legitimacy to the sale of meds online. The embedded URL in the message navigates to a fake online pharmacy site that is dressed up as a Wikipedia Web page. Furthermore, to give the email a legitimate look, the spammer has added the recipient’s IP address in the body of the spam mail. Needless to say this IP does not belong to the user.


Figure 1: Part of the spam message



Figure 2: An example spam message



Figure 3: The corresponding WikiPharmacy Web page


This is another social engineering tactic in which popular brands are exploited for spamming. Symantec anticipates a surge of such attacks as the brand’s popularity increases; it is a trick spammers use from time to time to make their clandestine efforts look legitimate.

Beware of making any purchases from such sites, as they will put the user’s personal and banking information at risk. We recommend that users not click on any URLs in such unsolicited emails.