Harry Potter Not So Magical for Spammers

dominic_cook

A bit of good news: it appears spammers have failed to capitalise on the worldwide release of the blockbuster movie “Harry Potter and the Half-Blood Prince” on 15 July.  Symantec Security Response is detecting very few spam messages on this topic, a hopeful sign that consumers are starting to wise up to spammers' blatant mass-mailing techniques.

The only recent Harry Potter-related spam detected arrived as either Nigerian scams or health-type spam.  The lack of spam around such a globally prolific news topic could mean cybercriminals now recognise that consumers are savvy enough to no longer fall for their obvious techniques, particularly those driven by large-scale news events.  Whilst this is a positive step in consumer awareness, cybercriminals will undoubtedly modify their techniques to ensure they are less visible and a lot more covert.

To date, there are two scam messages consumers should be aware of in relation to Harry Potter, as opposed to the huge volume of spam messages created around Michael Jackson’s death.  One scam message is disguised as an online lottery winning notification. In this fictitious lottery, the name “Potter” is misspelled as “Porter.”  Interestingly, the scammer used J. K. Rowling, the author of the Harry Potter fantasy novel series, as the name of the online lottery.

Below is an example of the scam email along with the headers:

In the health spam examples, the various subject lines use phrases such as “Harry Potter ebook.”  The email body is formatted like a legitimate newsletter, but all of the URLs it contains lead to an online pharmacy website.

Here’s to hoping this is the start of the decline in news generated spam!

Belinda Lim

Save Ink… Save Money

Guy Bunker

In a novel attempt to help everyone save money, SPRANQ has created ‘Ecofont’, a font with holes in it, so it uses less ink! Using less ink (up to about 20%) saves you money – pretty cool, and a great example of some lateral thinking. Of course, if you didn’t print anything out at all you could save even more, but we do print stuff out – so why not save ink and use Ecofont. (And in case you were wondering, at normal point sizes it looks just fine on a laser printer.)

Guy Bunker

Web browsers hold cybercrime victims to ransom!

dominic_cook

Ransom attacks, where cybercriminals lock victims out of their computers to extract payment, are already a commonly used cybercrime technique.   Symantec Security Response has recently detected a new evolution of the ransom threat with the discovery of Trojan.Ransompage – a nuisance tactic deployed by rogue anti-virus programs in an attempt to extract a ransom from victims.

Once infected with the Trojan, the victim’s browser displays a persistent advertisement on every web page the victim visits; the ad stays in place as the victim scrolls and covers part of the original page, as shown below:

The ad is written in Russian and states that, to remove it, the victim must send a premium-rate text message to the number provided, after which they will receive a removal code.  The premise is that the victim will become so frustrated or embarrassed by the ad that they succumb to the pressure and send an SMS to the premium-rate number, from which the cybercriminals make money.

More information can be found at http://www.symantec.com/connect/blogs/browsers-and-ransoms

Consumer advice:

  • Switching web browsers is unfortunately not a workaround for this piece of malware: the author has deliberately targeted Internet Explorer, Firefox and Opera.
  • Maintain an up-to-date browser and operating system
  • Make sure your web browser and other applications are fully patched
  • Make sure your antivirus and firewall software are running and up-to-date with the latest definition sets

Dominic Cook

A Strange Way To Look At DR..

darren_thomson

It is interesting how some companies define an acceptable disaster recovery strategy. I met with a bank in Saudi Arabia recently who explained to me that they need to implement a complete DR plan in the next 4 months (!) from scratch. When I asked them to describe what needed to be implemented (i.e. their business goals), it turned out that “acceptable DR” to them was basically making sure that their critical data was in at least two places at all times.

Servers? Applications? People? “Nope, we don’t need to worry about any of that right now.”

Quite how this type of solution is going to help in the event of a disaster remains a mystery. Governance from on high only has a positive effect if it is well thought out in the first place!

Darren Thomson

Late Online?

Guy Bunker

There’s a great article in this month's E&T magazine from the IET on the need to manage your online presence after you have died. OK, so you won’t be able to do it yourself, so you need to figure out who will.

In essence, the advice is to keep a record of username and password information for your online presence, including accounts which have access to your credit card information, for example accounts with eBay, PayPal and Amazon, along with any subscriptions for web hosting and the like.  This information is then stored somewhere safe, or a copy left somewhere obvious (just like a Will), so that someone can take the appropriate action when you die. As for ‘safe’… well, if you store it electronically, remember to encrypt it – and store the name of the file (or access to a password database application) with your Will or directly with an Executor.

It’s always tough to think about these sorts of things – just as it is when you make a Will. However, there is no time like the present to plan for the future… now, which sites have my credit card details… hmmmm.

Guy Bunker, CEng IET

Web browsers attacked AGAIN …. and this time mostly on Asian sites

dominic_cook

Symantec Security Response has identified another two web browser attacks, one on Microsoft Internet Explorer and the other on Firefox. Two weeks ago we reported the Microsoft Video Streaming ActiveX control vulnerability, which is exploited mostly through the older but still widely used Internet Explorer 6 and 7. Just as that first vulnerability died down, a new one surfaced which is not caused by the browser itself but is once again triggered through it. The exploit occurs when a user visits a malicious web site hosting JavaScript code that uses the Microsoft Office Web Components; code on the site can cause vulnerable computers to execute the exploit, which may lead to a full compromise of the user’s computer. According to reports, attacks have been taking place mostly from Asian web sites. Symantec detects this attack as Bloodhound.Exploit.263.

And it’s not just Microsoft Internet Explorer that cybercriminals are exploiting; Firefox has also been hit. Just a few days ago we saw reports of a new unpatched vulnerability affecting the most recent version (3.5) of the Firefox browser. Exploitation of this vulnerability can lead to remote code execution and the subsequent “owning” of the user’s computer. The exploit works quite well and has the potential to cause problems for the general web-surfing public, but there is a quick and easy workaround, described here; its drawback is impaired JavaScript performance, a price worth paying for safety’s sake. In response, Symantec has created detection for malware using this vulnerability as Bloodhound.Exploit.264.

More information can be found at http://www.symantec.com/connect/blogs/life-s-not-easy-when-you-re-web-browser

Consumer Tips:

  • Maintain an up-to-date browser and operating system
  • Make sure your web browser and other applications are fully patched
  • Make sure your antivirus and firewall software are running and up to date with the latest definition sets

Dominic Cook

Koobface continues to mutate in the search for dollars

dominic_cook

We have detected yet another variant of the Koobface worm. This variant, detected as W32.Koobface.C, installs the misleading application detected as AntiVirus2008 and propagates on Twitter. The worm itself is not new, having been discovered in August 2008, but it has returned to spread via Twitter.

Symantec Security Response’s analysis of this attack has confirmed that this new version of Koobface contains functionality to search for users who have Twitter accounts.

If Koobface finds a suitable user (by searching for Twitter cookies), it contacts a command and control server, which sends down a version of Koobface able to log into Twitter and post a tweet to the victim’s account. We also believe it looks for cookies for other social networking sites. When a user clicks the link in the tweet, they are redirected to a fake video web site which asks them to download a codec to watch the video. This “codec” is a copy of W32.Koobface.A, which in turn downloads the misleading application detected as AntiVirus2008.

So, at the end of the day, the people peddling this attack are trying to make money from it. What you can do to protect yourself is be careful what you click on: we advise Twitter users to avoid clicking URLs in tweets, especially if the tweet advertises a home video. Additionally, arm yourself with strong, up-to-date security software to catch and prevent malware from downloading.

Con Mallon
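The Koobface chain described in the post above (a link in a tweet, a fake video page, a “codec” that is really an executable) is detectable in web proxy logs without any signature for the binary itself. The following Python is an added example, not code from Symantec or from the post: it parses a constructed, hypothetical log format (ISO timestamp, client IP, URL, Referer, Content-Type) and flags any client that leaves a social-network site for a third-party page and, within a short window, receives an executable from that same page when the page or file name is themed as a video or codec. The host names (`.invalid`), IPs and the `detect_codec_lures`/`parse_log` function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    referer: str       # "-" when the browser sent no Referer
    content_type: str


# Constructed log format (hypothetical, not any real proxy's):
# ISO time, client IP, URL, Referer, Content-Type, space separated.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

SOCIAL_HOSTS = {"twitter.com", "www.twitter.com", "facebook.com", "www.facebook.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
LURE_WORDS = ("codec", "video", "player", "flash")


def parse_log(lines):
    """Parse constructed proxy lines into Request objects, skipping malformed ones."""
    requests = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, url, referer, ctype = m.groups()
        requests.append(Request(datetime.fromisoformat(ts), client, url, referer, ctype))
    return requests


def _host(url: str) -> str:
    # "-" (no Referer) parses to no hostname and so never matches anything.
    return (urlparse(url).hostname or "").lower()


def detect_codec_lures(requests, window=timedelta(minutes=5)):
    """Flag, per client, the chain: social-network Referer -> off-site landing page
    -> executable download referred by that landing page, where the page URL or
    file name is themed as a video/codec.  Returns one alert dict per chain."""
    alerts = []
    by_client = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, landing in enumerate(reqs):
            # Step 1: the user followed a link out of a social network.
            if _host(landing.referer) not in SOCIAL_HOSTS or _host(landing.url) in SOCIAL_HOSTS:
                continue
            # Step 2: shortly afterwards that site handed back an executable.
            for later in reqs[i + 1:]:
                if later.ts - landing.ts > window:
                    break
                is_exe = (later.content_type.lower() in EXECUTABLE_TYPES
                          or later.url.lower().endswith(".exe"))
                from_landing = _host(later.referer) == _host(landing.url)
                themed = any(w in (landing.url + later.url).lower() for w in LURE_WORDS)
                if is_exe and from_landing and themed:
                    alerts.append({"client": client, "tweet_link": landing.url,
                                   "download": later.url,
                                   "seconds": (later.ts - landing.ts).seconds})
                    break
    return alerts


# Constructed sample log: 10.0.0.5 follows the lure chain; 10.0.0.9 follows a
# tweet to a news site and fetches a PDF, which must not fire.
SAMPLE_LOG = """
2009-07-15T10:00:00 10.0.0.5 http://twitter.com/home - text/html
2009-07-15T10:00:04 10.0.0.5 http://funny-clips.invalid/watch?v=home-video http://twitter.com/home text/html
2009-07-15T10:00:09 10.0.0.5 http://funny-clips.invalid/get/flash_codec_setup.exe http://funny-clips.invalid/watch?v=home-video application/x-msdownload
2009-07-15T10:01:00 10.0.0.9 http://twitter.com/home - text/html
2009-07-15T10:01:03 10.0.0.9 http://news-site.invalid/story/123 http://twitter.com/home text/html
2009-07-15T10:01:08 10.0.0.9 http://news-site.invalid/files/report.pdf http://news-site.invalid/story/123 application/pdf
""".strip().splitlines()


def demo_alerts():
    """Run the detector over the constructed sample; expect one alert, for 10.0.0.5."""
    return detect_codec_lures(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The rule keys on behaviour (referral chain plus an executable served by the landing page) rather than on any particular domain, so it survives the domain rotation that a worm of this kind relies on; tune `LURE_WORDS` and the window to local traffic, and expect to whitelist legitimate software-download sites that users reach from social links.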

Government DDoS botnet W32.Dozer continues to spread

dominic_cook

Symantec Security Response is continuing to monitor a distributed denial of service (DDoS) attack impacting multiple U.S. and South Korean government, financial and media web sites. A portion of the attack is being carried out by a piece of malware Symantec has identified as W32.Dozer and by variants of the MyDoom worm, which appear to be infecting computers globally.

We discovered a new element to the W32.Dozer threat on July 10.  The threat contains code that instructs infected systems to erase critical content on the hard drive.  When the infected system’s internal clock reaches July 10, 2009, the code tries to find and delete all files with the following extensions:

.accdb, .alz, .asp, .aspx, .c, .cpp, .db, .dbf, .doc, .docm, .docx, .eml, .gho, .gul, .hna, .hwp, .java, .jsp, .kwp, .mdb, .pas, .pdf, .php, .ppt, .pptx, .pst, .rar, .rtf, .txt, .wpd, .wpx, .wri, .xls, .xlsx, .xml, .zip

These file extensions are typically associated with office, business and development applications.

In addition to deleting data files, the code modifies the Master Boot Record so that the system is rendered inoperable when it is rebooted.

W32.Dozer began spreading on July 4, creating a distributed denial of service attack against government, financial and media sites in the U.S. and South Korea.  W32.Dozer is predominantly distributed as an email attachment.  Once a user opens the attachment, the threat downloads a package onto the system that contains the following:

  • Trojan.Dozer, which takes over the computer for the botnet
  • A list of host sites, which tells the botnet which sites to attack
  • The MyDoom worm, currently believed to be used for its mass-mailing capabilities to redistribute W32.Dozer

Initially, it was reported that the attack leveraged more than 50,000 computers. The growth of the botnet has slowed significantly as users have updated their systems to protect against the threat.  The attached heat map shows the spread of W32.Dozer so far: unsurprisingly, most activity has been in South Korea (red) and the US (green), but other areas of activity include Canada, China and Australia. Areas experiencing less activity are dark blue.

To help stop this DDoS, Symantec encourages all computer users to update their security software with the latest definitions, keep their computer systems clean and continue to use general best practices for staying safe online. For additional information on this attack, please visit the Symantec Security Response Blog.

Con Mallon
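The wiper behaviour described in the W32.Dozer post above (a date-triggered deletion of files by extension, followed by an overwritten Master Boot Record) suggests two quick triage checks a responder can run on a suspect host or image: how much data would be in scope if the trigger fires, and whether a captured MBR sector is still intact. The Python below is an added example, not Symantec's code or anything from the post. It uses the extension list and trigger date exactly as given there; the function names, the constructed 512-byte sample sectors and the throwaway demo directory are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import date
from pathlib import Path
from typing import Optional

# File extensions the post says the July 10 payload deletes (the list's duplicate ".cpp" dropped).
AT_RISK_EXTENSIONS = frozenset({
    ".accdb", ".alz", ".asp", ".aspx", ".c", ".cpp", ".db", ".dbf", ".doc",
    ".docm", ".docx", ".eml", ".gho", ".gul", ".hna", ".hwp", ".java", ".jsp",
    ".kwp", ".mdb", ".pas", ".pdf", ".php", ".ppt", ".pptx", ".pst", ".rar",
    ".rtf", ".txt", ".wpd", ".wpx", ".wri", ".xls", ".xlsx", ".xml", ".zip",
})

TRIGGER_DATE = date(2009, 7, 10)   # wiper trigger date given in the post
MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # last two bytes of a conventional MBR


def trigger_reached(today: date) -> bool:
    """True once the host clock has reached the date on which the wiper fires."""
    return today >= TRIGGER_DATE


def find_at_risk_files(root: str) -> list:
    """Walk `root` and return sorted paths whose extension is on the wiper's list.

    The comparison is case-insensitive because Windows file systems are.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in AT_RISK_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Sanity-check a captured 512-byte MBR image.

    Reports whether the 0x55AA boot signature is intact and, if a known-good
    SHA-256 is supplied, whether the sector still matches it.  An MBR overwritten
    in the way the post describes fails one or both checks.
    """
    digest = hashlib.sha256(mbr).hexdigest()
    return {
        "length_ok": len(mbr) == MBR_SIZE,
        "boot_signature_ok": len(mbr) == MBR_SIZE and mbr[-2:] == BOOT_SIGNATURE,
        "sha256": digest,
        "matches_baseline": baseline_sha256 is None or digest == baseline_sha256,
    }


# Constructed sample sectors (not real disk contents): 440 bytes of boot code,
# a 4-byte disk signature, 2 reserved bytes, a 64-byte partition table and the
# boot signature; plus a copy with the signature zeroed as a wiper would leave it.
GOOD_MBR = bytes(440) + b"\x12\x34\x56\x78" + b"\x00\x00" + bytes(64) + BOOT_SIGNATURE
WIPED_MBR = GOOD_MBR[:510] + b"\x00\x00"
GOOD_MBR_SHA256 = hashlib.sha256(GOOD_MBR).hexdigest()


def build_demo_tree() -> str:
    """Create a throwaway directory of constructed files; two are on the wiper's list."""
    root = tempfile.mkdtemp(prefix="dozer-demo-")
    for name in ("quarterly.docx", "NOTES.TXT", "holiday.jpg"):
        Path(root, name).write_bytes(b"sample")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("trigger reached on 2009-07-10:", trigger_reached(date(2009, 7, 10)))
    print("files the wiper would delete:",
          [os.path.basename(p) for p in find_at_risk_files(root)])
    print("intact MBR:", check_mbr(GOOD_MBR, GOOD_MBR_SHA256))
    print("wiped MBR:", check_mbr(WIPED_MBR, GOOD_MBR_SHA256))
```

On a real case the 512 bytes would come from the first sector of the disk image and the baseline hash from a golden image or an earlier backup; the file walk is most useful before the trigger date, to prioritise what to back up off the host.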

Spammers continue to capitalise on Jackson interest

dominic_cook

As the world mourns the loss of a musical hero, spammers are jumping on the bandwagon and using it as a tactic to distribute spam. Since his death on June 25, several spam and malware campaigns have taken shape. The spam subject lines used have been as creative and emotive as ever, with the likes of ‘Jackson is still alive: proof’ and ‘Jackson ordered to close Neverland’.  As the media interest surrounding MJ’s life and death continues, we are likely to see plenty more Michael Jackson-related spam traffic hitting the web.

Image spam made an unwelcome return last month. Spammers manipulate images by using geometric shapes and figures in the background and mutate images to include cartoon visual comparisons of the male anatomy along with the advertised website.

The State of Spam Report also includes the following highlights:

  • 4th of July holiday brings fireworks and more spam campaigns
  • The origin of spam from different regions
  • Mass-mailing worm in fake Twitter account invite

In addition, the July 2009 State of Phishing Report highlights the following trends:

  • A 21 percent increase from the previous month in all phishing attacks
  • A 9 percent increase in the total number of phishing URLs generated using phishing toolkits. However, when compared against all phishing attacks the proportion of phishing URLs using toolkits actually reduced to 38 percent. This decrease can be partially attributed to a significant increase in the total number of phishing URLs utilising free Web-hosting services.
  • More than 143 Web hosting services were used, which accounted for 10 percent of all phishing attacks; a staggering increase of 96 percent from the previous month
  • A 21 percent increase in non-English phishing sites
  • A new phishing tactic used in an attack targeting the Australian Taxation Office

Dominic Cook

Who Are You? Part 2…

Guy Bunker

So the new head of MI6 has been caught on a Social Networking site – just being himself. What’s wrong with that you may well ask… well, apparently it’s all to do with national security. Whether it is, or not, I leave to you but there is a lesson in here for all of us. I have written before on pictures on Social Networking sites causing security issues - but this is really about privacy and not putting too much personal data on the net which can be used to your detriment.

So, yet again, this is a time to review what is out there and whether you want it to be. Not just what you, or your spouse, have published – but what friends have as well. Your on-line reputation is up to you – others can influence it, but you need to keep an eye on it. What you post today could affect you tomorrow, or next year, or in ten years’ time.

(By the way… if you do find something you are not happy about – then it could be tough to get rid of, but it has to be worth a try…)

Guy Bunker
