April 23, 2012

New social engineering tricks used in email malware scams

It appears that no matter how many cyber criminals get busted, or botnet command and control servers are taken offline, there is always another scam waiting to take their place. So it is in the case of email scams leading to malware attack kits.

The words and phrases in the subjects and message bodies used by scammers over the last few years have been morphing. We still see some of the old topics being used; recycled is a better word. But new subjects and message bodies are being developed by clever copywriters who are employed by malware distributors. I want to share some of the recent social engineering topics and hook lines that I have seen in spam/scam emails that are detected by MailWasher Pro and subsequently reported to SpamCop.

The most recent scam is one I don't recall ever seeing before. It seems to target business owners who might hire accounting firms to take care of their books and taxes. It is a very clever scam, leading to a huge exploit kit landing page containing over 18,000 bytes of JavaScript. Included are over two dozen script tags, most of which probe your browser and computer for exploitable plug-ins, like Java, Flash, Adobe Reader and Internet Explorer's ActiveX controls. If the victim's browser has any of the vulnerable versions of these plug-ins installed, silent exploits take place, resulting in the PC becoming a zombie in a spam and attack botnet. The victim is also treated to a free installation of a bank account stealing Trojan and maybe even a free scan from a fake anti-virus scanner that demands money to remove the fake detections and the barrage of warnings it fires at you.

Here then are the subjects and message contents of some email scams I analyzed today.

Scam #1:

Received: from [86.98.158.206] (helo=bba81994.alshamil.net.ae)
Date: Tue, 24 Apr 2012 05:31:55 +0400
From: "Adonia Fitzgerald"
Subject: Are you tired of severe taxes?

We can help you optimize your accounting so that your expenditures on taxes reduce by two times minimum. Our professional employees will attach best efforts so that no legal expert could find a fault. Furthermore, we undertake to submit your paperwork to the Tax Service. Due to our broad experience in this field and large turnover, we have our own contacts in this institution which makes it easier for us to submit statements and brings their review to naught. Please, find attached the list of our services and the price list.We will be glad to cooperate with you! <a href="h**p://cyclosgazelec-lr.fr/ZD7NERn1/index.html?2YK1JF1=MD514XFTP1&GJT=IM137AHQ&WWK87AD=ZOFW5MD1LKCXYO4&JYPQJ18=C7I058V8WM35P6GO8FFH5&VFQKC=GPK0888WYHLWHC9KM69S4MCL0&FGL=VO3VR841&D18FL=RB9UK2KXPP&">our services.doc 726kb</a> Best regards Adonia Fitzgerald Fingerprint: c3e1de1d-4b650000

I have deactivated the link above, for your safety. Trust me when I tell you that the link led to a compromised website, into which a folder named ZD7NERn1 was injected, along with a single file in that folder, named index.html. The contents of that index file consisted of two JavaScript "includes," both of which contained the same JavaScript code to redirect the victim's browser to another intermediate server, which passes the request to the actual malware server hosting the exploit kit.

Scam #2:

Received: from [189.31.234.75] (helo=brasiltelecom.net.br)
Date: Mon, 23 Apr 2012 11:50:59 -0300
From: "American Express"
Subject: Fraud Protection Alert

Fraud Protection Alert Fraud Protection Alert.Cardholder, For your security, we regularly monitor accounts for possible fraudulent activity. Please review the attempted charge below which occurred within minutes of the timestamp of this message.

Transaction Date: 04/23/12
Merchant: TIGERDIRECT
Amount: 5153.88 Currency: USD
Case Number: 13680

Please verify these attempted charges using our <a href="h**p://mikroteksoft.com/akAYd6dn/index.html">Secure Online Chat</a> or please log in to <a href="h**p://mikroteksoft.com/akAYd6dn/index.html">www.americanexpress.com/case/</a> to dispute it.

If we've already spoken to you about this matter, please disregard this message. No further action is required.Thank you for your Cardmembership. Sincerely, American Express Account Security Fraud Prevention Network For your security:
...snip...


This scam leads to the same exploit kit as the previous one.

As an email recipient, you can protect your computer from being exploited by such attack kits by combining user smarts with computer security programs. Do not allow the weakest link to reside between the keyboard and chair! Smarten up, Trainee! Learn how to spot fake links in email or website messages. The simplest way to do this is by hovering your pointer, without clicking, over any link in an email that has you concerned. All email clients (desktop email programs, or browser based email readers) have a means of showing or hiding what is known as a "Status Bar." Use your email client's View options to display a Status Bar. If you do email with your main web browser, it will either have a View option for a Status Bar, or will automatically display one when you hover over any link.

Once you figure out how to see the Status Bar, hovering over links will reveal the actual URL (usually a domain name or IP address) to which the coding points. If you see links such as the above examples, while the visible link text says something else (e.g. "our services.doc" or "www.americanexpress.com"), do not click on the link! Keep in mind that the Status Bar only shows the first hop; the scripts on that page can still bounce you onward to the real exploit server, as happened with the tax scam above.

All email clients and browser based email systems will have some way of displaying the complete incoming "headers." Each mail server that handles a message adds a Received line, and the one added by your own mail server records the IP address that actually connected to it, along with the name that machine announced in its HELO greeting. Note the headers in my second example. The Received line shows that the message was sent from 189.31.234.75, announcing itself as brasiltelecom.net.br (Brazil). The HELO name is self-declared and can say anything, but the IP address is what the receiving server saw, and that one belongs to a Brazilian home telecom service. It would make no sense for the US based American Express company to use a home telecom service in Brazil to send important announcements to their customers. They own their own servers and email systems, located in the good old US of A! That's where Internet Street Smarts comes into play. A mismatch like this is a strong hint rather than absolute proof, since some companies do send through outside mailing services, so weigh it together with where the links point. Learn to display and review your incoming email headers! Find your email display options and activate the one to show the complete headers.
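The two checks described above, link text that names one domain while the href points to another, and a Received line whose HELO name has nothing to do with the From: domain, can be automated. The following is an added example written for this page, not code from the original post or from MailWasher. The sample message is constructed to resemble the American Express scam quoted above; the sender address and the HTML markup around the links are assumptions for the demo.

```python
"""Added example (not code from the original post): automate the two checks
described above, deceptive link text and a suspicious origin header, against a
constructed e-mail modelled on the spoofed American Express message."""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The Received/From/Subject lines mirror the scam quoted
# above; the sender address and the HTML markup are assumptions for the demo.
SAMPLE_EMAIL = """\
Received: from [189.31.234.75] (helo=brasiltelecom.net.br)
From: "American Express" <alerts@americanexpress.com>
Subject: Fraud Protection Alert
Content-Type: text/html

<p>Please verify these attempted charges using our
<a href="http://mikroteksoft.com/akAYd6dn/index.html">Secure Online Chat</a>
or please log in to
<a href="http://mikroteksoft.com/akAYd6dn/index.html">www.americanexpress.com/case/</a>
to dispute it.</p>
"""

# Exim-style Received line: "from [ip] (helo=name)". The helo name is whatever
# the connecting machine announced; the IP is what the receiving server saw.
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*\(helo=(?P<helo>[^)\s]+)\)", re.I)
# Something that looks like a host name inside visible link text.
HOSTLIKE_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host (www.americanexpress.com -> americanexpress.com).
    Crude on ccTLDs like .co.uk; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def deceptive_links(html):
    """Links whose visible text names a different domain than the href points to.
    Text such as 'click here' names no domain and is not judged: hover anyway."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = HOSTLIKE_RE.search(text)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append((text, href))
    return findings


def origin_check(msg):
    """Compare the From: domain with the HELO name recorded by the receiving server.
    A mismatch is a hint, not proof: some companies relay through outside mailers."""
    received = msg.get_all("Received") or []
    match = RECEIVED_RE.search(str(received[0])) if received else None
    if not match:
        return None
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    helo = match.group("helo").lower()
    return {
        "ip": match.group("ip"),
        "helo": helo,
        "from_domain": from_domain,
        "mismatch": not (helo == from_domain or helo.endswith("." + from_domain)),
    }


def analyze(raw):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw)
    return {"deceptive_links": deceptive_links(msg.get_payload()),
            "origin": origin_check(msg)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, value)
```

On the sample, the "Secure Online Chat" link is not flagged (its text names no domain), while the link whose text reads www.americanexpress.com/case/ is reported with its real mikroteksoft.com target, and the origin check reports the Brazilian HELO against the americanexpress.com sender. Only the topmost Received line is used, because that is the one your own server wrote; lines below it were supplied by the sender and can be forged outright.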

In closing, I use and recommend MailWasher Pro to detect and delete spam and scams, before they are downloaded to my Windows Live Mail desktop email client. Some scams contain active scripting which could be triggered by opening a rigged email message in your reader. MailWasher protects you from this by displaying the contents in safe, plain text. I also write custom spam filters for use with MailWasher Pro. Feel free to use them with your paid copy of MailWasher Pro. I update the filters every week, and sometimes on a daily basis.

One final thought: You must keep a legitimate anti-malware program operating and updated on all of your computers! This includes Macs, which were recently targeted by the Java exploiting Flashback Trojan, which is still infecting over 600,000 Mac computers. I use and recommend Trend Micro security programs. They all come with the Trend Smart Protection Network, which blocks access to infected pages and malware servers.


April 14, 2012

End of support for Windows XP w/Service Pack 3 on April 8, 2014

On April 10, 2012, Microsoft began posting a notice on various knowledge base articles for Windows XP, and on their lifecycle fact sheet, that all support for Windows XP will end on April 8, 2014. Effective that day there will be no further updates, upgrades, or patches issued for any computer running Windows XP. Right now, one must have XP with Service Pack 3 in order to receive any patches from Windows Update.

On the same date, all support and patches for Microsoft Office 2003 will also come to an end.

Windows XP has enjoyed a long life since its official release to retail date of October 25, 2001. It has been the most popular version of Windows since Windows 95 was released with parties and huge fanfare on August 24, 1995. XP has received three service pack upgrades since 2002, ending with SP 3, which was issued on April 21, 2008. Windows XP market share peaked at 76.1% in January 2007. But, with the introduction of Windows 7, there has been a steady decline in the number of XP users online. As of today, the market share for XP is only about 29%.

If you are reading this from an XP computer you need to begin planning to upgrade before all support for your aged operating system ends on April 8, 2014. Since there won't be any more patches, you will be left unprotected by Microsoft against any vulnerabilities that are discovered and exploited in the wild after that date. History teaches us that as soon as support is dropped for one of the versions of Windows, cyber criminals ramp up their attacks to try to draft as many of the unpatched machines as possible into spam and DDoS attack botnets.

Another fact we have seen play out is that security software vendors begin to drop support for any version of Windows that has been end-of-lifed by Microsoft. So, people hanging onto XP after April 2014 will not only be left out in the cold by MS, but will soon see an end of support from anti-malware companies as well. Without virus and malware protection or Windows Updates, those computers will become cannon fodder for exploit kit writers.

I have already upgraded to Windows 7 and love it! My XP desktop computer is only turned on once a month, on Patch Tuesdays, to download any available Windows Updates. That machine is only here as a backup unit in case my main Win 7 computer hard drive crashes. It would only be used until I could restore a saved Acronis image of the operating system to the new hard drive. I save a complete image of the hard drive once a week, but backup my documents and libraries every night.

If you have programs that are only written for Windows XP, without newer versions that work under Windows 7, even in Compatibility Mode, you should consider buying a copy of Windows 7 Professional. It allows you to download a free, fully licensed copy of XP Pro, with SP 3, which you install into a virtual machine that runs inside Windows 7, as an application. You can run any Windows XP based program inside that Window, as though you had booted into XP. Of course, it takes away a gig of your RAM to run XP in the virtual machine, but, be happy if it runs at all.

Note: XP Mode in Windows 7 Professional was originally restricted to computers whose CPU supports hardware virtualization (Intel VT-x or AMD-V) with it enabled in the BIOS. Microsoft later released an update to Windows Virtual PC that removes that requirement, though the virtual machine runs noticeably better with hardware virtualization turned on. Learn more about the hardware requirements for running XP as a Virtual Machine in this article.


April 13, 2012

Apple releases third patch for Java exploits, plus Flashback removal tool

I, among many other security bloggers, have recently posted articles regarding Java vulnerabilities and patches and how crimeware exploit kits target Java before any other commonly installed software. In fact, I published an article last night, April 12, 2012 about security patches that have been released so far this year, in which I mentioned that Apple had lagged way behind in patching the version of Java used on Mac computers.

Well, it may have taken Apple 2 months to issue "a" patch, but they enjoyed doing that so much that they have now released their third patch in 7 days! Yes Mac owners, you have three critical patches to download and apply, including the latest one issued late yesterday (April 12, 2012).

You see, Apple has a policy of discontinuing support for certain third party software for various reasons. A while back they stopped bundling Adobe Flash Player with new Macs. Not too long ago they also deprecated their own build of Oracle's Java: OS X Lion no longer ships with Java preinstalled, and Java was removed from the list of applications that are installed by Apple Software Update, although Apple still produces the Java patches for Macs that do have it. That is why the fixes discussed below come from Apple rather than from Oracle.

This decision to stop deploying Java with Apple/Mac updates was a tactical error in my opinion. It was well intentioned, but short sighted. Java exploits are absolutely the number one infection vector used by perpetrators of the ZeuS Trojan and various botnet installers. Java is cross-platform, and was described by its original maker, Sun Microsystems, as "write once, run anywhere" technology. Java is not a scripting language; source code is compiled to bytecode that the Java Virtual Machine runs, and in the browser it arrives as mini-programs known as applets, packaged with their supporting files in .JAR files.

Run Anywhere includes Mac OS computers, as well as smartphones, tablets, ATMs, on and on. Even though the user base for Mac computers is relatively small, compared to Windows, they have now become targets of Java exploit kits, due to the erroneous attitude of many Mac users that they are immune to malware sneak attacks. This has been proven to be wrong thinking.

Enter the Flashback backdoor botnet installer for Macs

It was not too complicated for the authors of the Flashback backdoor Trojan to update their exploit kit to detect if the computer being attacked was a Mac. If yes, the machine is probed to see if a vulnerable version of Java is installed (whether or not the owner uses Java or is even aware of it), then whether certain security programs are also installed. If Java is installed but one of those particular anti-malware programs is present too, the Trojan installer bails out and deletes itself, knowing it has no chance of success.

Due to the "viruses don't infect us" attitude of many Mac owners who also had Java installed and were lured to compromised websites, or served malicious advertisements on legitimate websites, over 600,000 of them were infected with the Flashback backdoor, which drafts the computer into the Flashback botnet. The Trojan also steals login credentials and other personal information from those computers.

Here is how a CNET security blogger described the new Mac Flashback infection routine:


Simply visiting a malicious Web site containing Flashback on an OS X system with Java installed will result in one of two installation routes. The malware will request an administrator password, and if one is supplied, it will install its package of code into the Applications folder. If a password is not offered, the malware will install to the user accounts where it can run in a more global manner.

Once installed, Flashback will inject code into Web browsers and other applications like Skype to harvest passwords and other information from those programs' users.

Apple has finally responded to this threat that has affected so many of its trusting Mac OS X users. The third update, issued on April 12, 2012, includes a removal tool for the Flashback Trojan itself. The previous updates included the latest version of Java, for those computers that had a previous version installed, as well as a code patch that will make it much more difficult for silent infections to occur in user space.

Mac users still need to be aware that malware is targeting them and even if this one is being dealt with, others are certain to come along, exploiting a yet-to-be-discovered weakness in the operating system. Then, there is always social trickery that fools people into supplying their administrator password for a malware Trojan, disguised as some desirable utility program.

Finally, only Macs running OS X Lion (10.7) or Snow Leopard (10.6) are patched by the Apple Java updates. If your Mac runs Leopard (10.5) or earlier, you remain totally vulnerable to the Flashback Trojan if you have Java installed and it is not at least patched version Java 1.6.0_31. Your only protections are to disable Java from running in your browsers, or uninstall it completely from your computer.

There are many anti-virus programs available for Mac computers, including Smart Surfing for Mac from Trend Micro, which detects, blocks and removes Mac viruses and content stealing Trojans.


April 12, 2012

Security threats and program patches for 1st quarter of 2012

We are less than two weeks into the second quarter of 2012 and we have already had a lot of security vulnerabilities, threats attacking them and program patches released by major software companies. These patches include Windows Updates, Mac (Apple) Updates, Adobe Flash, AIR and Reader, Oracle's Java Virtual Machine, the Internet Explorer, Firefox, Safari and Chrome browsers, RealPlayer and iTunes.

All of the software updated by these companies, over the past three months has suffered from highly critical security vulnerabilities, many of which are now being actively exploited by cyber crime gangs who publish exploit attack kits. Java exploits are almost always the first types of exploits targeted by crimeware kits, like the Russian Blackhole kit.

Some of you may be wondering how these exploits are delivered to your computer in the first place. The most common method of luring potential victims to scripted exploit kits is via cleverly crafted, hostile spam messages. These hostile spam messages differ from standard commercial spam in that they aren't trying to sell you counterfeit pills, watches, or pirated software. Rather, they use well constructed come-ons to con or panic recipients into either opening attached files containing Trojans or JavaScript code that redirects your browser to a malware server, or clicking on obscured links to compromised websites.

After one clicks upon such a link, the scripts on the compromised landing page usually redirect you to other compromised websites and scripts, until you ultimately arrive at a distant server owned by cyber criminals, often in Eastern Europe. These servers use domains registered in places like Russia and Ukraine to launch exploit kit attacks on your web browser and its add-ons and plug-ins, with the Java plug-in leading the pack. Adobe Reader (PDF files) and Flash are major secondary targets, followed by iTunes and QuickTime, Microsoft Word and just about any popular software that can be used to gain access to the operating system.

This is why reputable software companies release security updates on a more or less regular basis. Microsoft releases Windows Updates almost every month, on the second Tuesday of the month, which has become known as Patch Tuesday. Adobe now schedules its regular quarterly security updates for the same Tuesday, though it still issues out-of-band fixes when a flaw is being actively exploited. Make a note of this and if you have a Windows computer running XP with Service Pack 3, or Vista, or Windows 7, or Windows Server 2003 or newer, set Automatic Updates to check for updates at least every Tuesday, at the equivalent of 2 PM Eastern time for your time zone. Accept all updates rated Important or Critical. Reboot after all updates are installed and log back into an administrator level account so that any post-reboot processing completes, before logging into a less privileged account.

Note: There have now been four Patch Tuesdays so far in 2012, with the most recent being April 10, 2012. If you have not run Windows Updates this week, do so now. Two very serious vulnerabilities were patched this week. One is for Internet Explorer and the other for Microsoft Word. Exploits are now in the wild for both vulnerabilities.

What types of subjects are being used in hostile spam messages?

Hostile spam emails frequently pretend to be invoices from well known online businesses, like Intuit, NewEgg, Amazon, etc, or as account activity alerts spoofing PayPal, or your bank, NACHA, ACH, BBB, or fake Wire Transfer and transaction cancelled/pending notices, or fake Facebook Friend Requests, or spoofed LinkedIn updates. This week has seen a lot of fake Wire Transfer Transaction scams, several fake Facebook Friend Requests, a few fake Intuit invoices and a bunch of money mule scams disguised as Work At Home schemes.

The payload delivered by most of these email scams is the Zeus bank account stealing Trojan, plus a botnet backdoor remote control installer. Others download fake anti-virus alerts to your computer, holding it hostage until you either pay to "activate" the fake virus remover, or hire a computer troubleshooter to remove the infection, or disinfect it yourself. Some malware even encrypts all of your files until you pay a ransom to crooks in Ukraine.

Most of this misery can be avoided by keeping up with when updates and patches are released for your operating system, plus any third party software that runs in a web browser as a plug-in, add-on or extension, or which opens another application when you click on a link in a web page (e.g. Adobe Reader for PDF files, Quicktime, iTunes, etc.). This used to be a monumental task, as until recently most companies producing such software and apps required users to manually check for updates.

Some 3rd party software, like old versions of Java issued by Sun (before they were acquired by Oracle), didn't even remove previously installed versions when you installed a newer one, for fear of breaking some feature being used by those versions. This "feature" caught the attention of the code writers employed by Russian malware companies. They began writing attack scripts that targeted the old, vulnerable versions of Java left sitting in their default installation locations on the hard disk.

Nowadays, most reputable software companies include an automatic update checking module when you update to a current version. Adobe Flash is the latest to join the big dogs with automatic updates. Still, every one of these applications makes the user decide what type of automatic updates they want to receive. This ranges from fully automatic, to notify only. I prefer fully automatic updates, downloaded and installed. Let me know that an update occurred and tell me if it needs to close my browser or restart Windows, or Mac computers. Show me that the update is digitally signed by the actual company, then finish the patching. My work can be saved and reopened after the computer reboots, or the browser closes and opens again.

Above all, make sure that if you have Java installed, you use the Java icon in Control Panel to set the automatic update checker for every day, at a time when the computer is normally on. Oracle's scheduled Java patches arrive only quarterly, but out-of-band fixes do happen, so I have it check every single day. Next, if you have Adobe Reader (and/or Acrobat) installed, first go to Adobe.com and download the latest secure version. Then, open Reader, click on the "Edit" menu item, mouse down to "Preferences" and click on that. At the bottom of Preferences click on Updater. Select the top option: Automatically install updates and apply it. Close the preferences.

The latest version of Adobe Flash now offers automatic updating. I strongly recommend that you accept this option! Go through any other common third party software, like iTunes, Quicktime, Safari, or anything from Apple (like the Mac OS) and find an option to automatically check for and apply updates. You won't be sorry.

Sometimes, even when a third party software producer issues an update to plug a security vulnerability, other companies that use a custom version of that program may lag behind in issuing their updates. This applies to Google Chrome browsers and, most irritatingly, to Mac computers. In February 2012, Oracle released their most recent patched version of Java. It took Apple until last week to issue a patch for only the most recent versions of OS X. They left 600,000 loyal Mac users out in the cold, as they became infected with the Flashback Trojan. Apple has yet to issue a remover for this Trojan, which installed with or without user passwords. Fortunately, some security firms have stepped up and offer their own Mac Flashback Trojan removers. Ars Technica published a list of some of them this week.

I use two online scanning services to check computers for missing patches and updates to popular browser plug-ins and the operating system you use. One is Secunia's Online Software Inspector, which uses, of all things, Java to poll for what is installed and whether an update is available, and the other is Qualys BrowserCheck, which inspects your browser plug-ins to see if they are current or need updating. I prefer Qualys BrowserCheck because it doesn't use Java at all, yet checks for it. Both provide links to the legitimate companies' download pages for the out-dated software they detect.


April 6, 2012

Fake Facebook Friend Requests with huge links lead to malware exploit kit

There is an ongoing spam campaign that I have been following since August 24 2011, pretending to be Facebook Friend Requests. However, all of the links contained in these scams lead to compromised websites, where your browser is attacked by criminal exploit kits, like the "Blackhole" or the "Nuclear" exploit kits.

If you are a member of Facebook and receive Friend Requests from senders with odd sounding names, you need to do something proactive before clicking on any links in those emails. You need to hover your mouse pointer over all buttons, images and text links, without pressing any mouse buttons (do not click!). Then, with your pointer over these links, look down at the "Status Bar" on the browser, or message window, or preview pane in the email client you are using, and look carefully at the URL being displayed.

The links and buttons in the Facebook Friend Request scams look like any other Facebook request, with a few exceptions. The photo of the alleged requester is missing, showing an outline of a shadowy head. When you hover over the picture, or name, or the Confirm Request buttons, or the Unsubscribe link, all of the links will be obviously fake, leading to anything other than facebook.com. Furthermore, for the last couple of months, the links are unbelievably huge, occupying multiple lines of code. Herein lies the weakness in the scam.

Most of the scams spoofing Facebook Friend Requests also lack the line under the person's name showing their statistics, e.g. 37 friends · 29 photos · 13 Wall posts. A real Friend Request contains these stats.


Making sense of what appears senseless
I am going to impart some WIZdom to you to bring you up to speed on the nature of the hostile links in the current (April 2012) fake email Facebook Friend Requests.

A real Facebook Friend Request always shows facebook.com in the first portion of the URL, just before the first single forward slash. Here is an altered example of an authentic "See All Requests" button link:

http://www.facebook.com/n/?reqs.php&mid=5c61e5akjdfhg7G5af367fd4722Gca22faG2&bcode=7p7rlcv0318MU&n_m=email-prefix%40email-suffix.com&type=1

Below, is an actual hostile link, extracted from a fake friend request, with the primary link codes replaced with asterisks (h**p) for your safety (this domain is still infected as of this posting):

h**p://torontoweddingphotographers.net/blog/index-include.htm?NA7=67W5O91L6NRW9KNO406DBNEB&G7F=98X0O929MQE303XCB8ETVA71&6F6=BXQ58NDOHTAAIMT&43O95=2VA7V50NDLL1UT0K&3547=JX6J2JL4EQ&

Compare just the leading portion of each URL, up to the first question mark:
Real: http://www.facebook.com/n/?reqs.php&
Fake: h**p://torontoweddingphotographers.net/blog/index-include.htm?

It is obvious when you read the actual URL to which the links and buttons lead which one goes to Facebook.com and which one goes to somewhere completely different. The second giveaway is the file named before any of the long character strings. The authentic Facebook link names reqs.php, a .php file, which is active server content. The faked URL uses a .htm file, which is a flat HTML file.

Next, compare what follows those two different files. In the actual Facebook link, the query string begins right after the /n/ directory, and the first character following the file name (reqs.php) is the & symbol. In the faked URL, the file name is immediately followed by a ? symbol. In URLspeak, the question mark introduces a "query string." I have traced a lot of these URLs in scam emails and can tell you for a certainty that all of the ones spoofing Facebook requests, using a .htm file followed by a question mark (...htm?...), carry totally fake query strings. They do nothing on the destination server, because the .htm files on the compromised sites are just flat files, containing only HTML code and JavaScript exploit attacks, and a web server does not process a query string for a flat file. (A script on the page could still read it, but that is not why it is there.) The strings are octopus ink, meant to fool the unwary, and they also make every link in the campaign unique, which helps it slip past URL blacklists and spam filters keyed on exact links.

So, if you hover over a link in a Facebook Friend Request and see a huge readout that first of all does not have facebook.com/ and which has a file with a .htm extension, followed by a ? and a long string of characters, it is a hostile link. Do not click on these links!
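The rules above (the host must be facebook.com itself, a flat .htm file should not be carrying a query string, and the query string should not be a pile of random tokens) are easy to turn into a checker. This is an added example for this page, not code from the original post or from Facebook; it runs the checks against the two URLs quoted above, restoring the h**p defanging used on this page before parsing, and also catches two lookalike tricks the post does not show: a facebook.com prefix in front of another domain, and a user@host prefix that makes the real host easy to miss.

```python
"""Added example (not code from the original post): apply the friend-request
link rules above to the two URLs quoted in this post. The defanged 'h**p'
prefix used on this page is restored before parsing."""
import re
from urllib.parse import parse_qsl, urlparse

# Both URLs are the ones quoted above, reproduced as printed there.
REAL_REQUEST = ("http://www.facebook.com/n/?reqs.php&mid=5c61e5akjdfhg7G5af367fd4722Gca22faG2"
                "&bcode=7p7rlcv0318MU&n_m=email-prefix%40email-suffix.com&type=1")
FAKE_REQUEST = ("h**p://torontoweddingphotographers.net/blog/index-include.htm?"
                "NA7=67W5O91L6NRW9KNO406DBNEB&G7F=98X0O929MQE303XCB8ETVA71&6F6=BXQ58NDOHTAAIMT"
                "&43O95=2VA7V50NDLL1UT0K&3547=JX6J2JL4EQ&")

RANDOM_TOKEN = re.compile(r"^[A-Z0-9]{3,}$")   # NA7=67W5O9... style name or value


def refang(url):
    """Undo the h**p / hxxp defanging used when quoting hostile links."""
    return re.sub(r"^h(?:\*\*|xx)p(s?)://", r"http\1://", url, flags=re.I)


def is_facebook_host(host):
    # Exact or subdomain match only: facebook.com.evil.example must not pass.
    return host == "facebook.com" or host.endswith(".facebook.com")


def classify_request_link(url):
    """Return ('facebook' | 'hostile', reasons) for a link from a friend-request mail."""
    parts = urlparse(refang(url))
    host = (parts.hostname or "").lower()   # hostname drops any user@ prefix trick
    reasons = []
    if not is_facebook_host(host):
        reasons.append(f"host '{host}' is not facebook.com")
    if parts.path.lower().endswith((".htm", ".html")) and parts.query:
        reasons.append(f"static file '{parts.path.rsplit('/', 1)[-1]}' carries a "
                       f"{len(parts.query)}-character query string")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) >= 3 and all(RANDOM_TOKEN.match(k) and RANDOM_TOKEN.match(v)
                                for k, v in params):
        reasons.append(f"{len(params)} random-looking parameters")
    return ("hostile" if reasons else "facebook"), reasons


if __name__ == "__main__":
    for link in (REAL_REQUEST, FAKE_REQUEST):
        print(classify_request_link(link))
```

The real request passes on the host test alone; its query string is not judged random because it contains readable names like reqs.php and type=1. The fake one trips all three rules. The host test is deliberately strict: facebook.com.evil.example and www.facebook.com@evil.example both resolve to the attacker's host, and urlparse reports that host, not the decoy.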

In the case of the message I analyzed tonight, at the destination domain, there were a series of 5 different JavaScript exploit scripts, each targeting different commonly installed and equally commonly out-dated browser plug-ins, beginning with Java. Chances are fairly high that if the washin' don't get ya, the rinsin' will! Java is the number one exploited browser plug-in, for several years running. Try to make sure that if you have Java installed on your computer, that you have set it up for automatically checking for and downloading updates.

If you don't even know you have Java installed, find out by going to http://www.java.com and use the link labeled: "Do I have Java?" It will scan your PC and tell you if Java is installed and if so, which version is currently active on your computer. If Java is installed and it is not the latest version, it is definitely vulnerable to exploitation by these scripted attack kits. Either download the current patched version, or uninstall any versions of Java you find on your computer.

If you have clicked on such a link, you probably saw a line of text in your browser's title bar stating words like: "Please wait till page loads" - which masks the attacks being carried out against your browser and its plug-ins. You need to update your anti-malware protection and scan for threats you may have acquired. That may not be enough though, as some of the bad guys install a bootkit or rootkit that is very difficult to remove. You might need professional help to remove some of these infections. Many install the Zeus or SpyEye banking Trojans, along with botnet executables that use your computer as a spam and attack zombie.

Trend Micro, Kaspersky, Symantec and other security websites provide free online malware scanners. If a Trojan has disabled your anti-virus program, those scans may be all you have before you need to reinstall the operating system, or restore it to a previous state (system restore, or a saved backup image). It's better to have excellent, commercial security installed, up-to-date and protecting you in real time, than to risk getting infected due to free security software not being updated as often as the malware is updated and repacked.

I use and recommend Trend Micro Internet security, along with Malwarebytes Anti-Malware.

Stay safe online. Avoid clicking on links before you hover and read the URL in a Status Bar. Spoofed URLs are everywhere and most lead to malware exploit kits. If you have unpatched software installed that can be accessed through your browser, your computer will almost certainly become infected. Your best defense is to operate with a limited account (a Limited user in XP, or a Standard user in Vista and Windows 7), rather than as a Power User or administrator.


April 5, 2012

Fake change of email address notice from American Express is Malware

Right now, the first week of April, 2012, there is a spam run hitting our inboxes spoofing American Express, with fake change of email address notices. These messages are convincing, having stolen images from the actual American Express website.

Here is an excerpt from one which I received a couple of minutes ago:


From: "American Express"
Subject: Confirmation of email address change

Thanks for updating your email address

We changed your e-mail address in our files to {spoofed or harvested email account}. If the new e-mail address is not correct or you did not request this change, please click here... {spoofed link leads to malware}


If you, or someone you know, were unlucky enough to click on one of these links, that PC will have been attacked by a browser exploit kit. You, or they, need to run a full scan for malware with updated definitions in the installed security program. If you have not rebooted the computer since you clicked on the hostile link, run System Restore on your Windows computer back to a previous time or day.

If you lack any installed computer security, here are some options for you to try:


About the exploit kits

These attack kits are mostly made in Russia and all target vulnerabilities in Java, which used to belong to Sun Corp but is now owned by Oracle. Don't confuse Java and JavaScript; they are horses of a different color. JavaScript is interpreted code that runs in your browser to provide interactive features. Java is compiled code that runs on any device with a Java runtime (over 3 billion devices, according to Oracle!). While JavaScript is used on hostile websites to probe your browser for vulnerabilities, the actual payload it delivers is usually a Java applet, or .JAR file. If you have an exploitable version of Java, chances are strong that your computer will become botted and have a bank account stealing Trojan installed by the hostile Java applet.

Do I have Java?

You really need to know the answer to this, no matter what operating system your computers run on. This is serious sh_t. Go to Java.com and click on the link labeled "Do I have Java." If you do have Java installed, the version will be displayed on the results page. If it is not the current version, you are exploitable and should either download the latest version and uninstall all previous versions, or just uninstall all versions of Java and be done with it. Fewer and fewer pages require Java to function. It is most often used in online games. Unless you must use Java, the safest course is to not have any version of it installed at all!

In Windows, you can uninstall Java via the Windows Control Panel, using the Add/Remove Programs or the Programs and Features icon. Mac owners must download the patched version from Apple, using the built-in Apple software updater.

The latest version of Java is Java 6 update 31.
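A scripted version of the "Do I have Java?" check, added here as an example and not code from this page or from Oracle: it parses the banner that `java -version` prints and compares it with the release named above. It assumes the pre-Java 9 "1.x.0_uu" banner format; the version numbers are the ones stated on this page.

```python
import re
import subprocess

# Latest release named on this page (April 2012): Java 6 update 31.
# Update these numbers when checking against a newer release.
LATEST = (6, 31)

# Pre-Java 9 banner format, e.g. 'java version "1.6.0_31"'; java prints it to stderr
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if no banner is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(banner, latest=LATEST):
    """Classify a banner as 'absent', 'current' or 'outdated' relative to `latest`.
    A newer major release (e.g. 1.7.0_03) compares as current."""
    version = parse_java_version(banner)
    if version is None:
        return "absent"
    return "current" if version >= latest else "outdated"


def installed_java_banner():
    """Run `java -version` on this machine; empty string when no java is on the PATH."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return result.stderr + result.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    print(parse_java_version(banner), assess(banner))
```

This only sees the Java on the PATH; older installations left behind in Add/Remove Programs, which the text above says to uninstall, must still be checked there.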


Trend Micro Titanium security products on sale at 30% off, through April 2012

I am an affiliate for Trend Micro home security products. I am also a current Trend Micro customer, so I can speak from experience. I have tried a lot of both free and commercial computer security programs and I highly recommend the current offerings from Trend. Right now, through April 30, 2012, the most popular home security programs from Trend Micro are on sale, through my affiliate links, at 30% off.

This discount is an affiliate offer, not offered to the general public arriving at their website via normal methods. No coupon codes are needed to get the discounts. I never cared for those codes anyway. Too much room for typos.

Here is a breakdown of the programs being discounted, along with their list and discounted prices.

Trend Micro Maximum Internet Security for 2012
This includes the whole ball of wax. All of the protections offered by the other Trend Titanium programs, plus additional protections against phishing and man in the middle attacks, computer and identity theft, both at home and when you're on the road using a wireless connection at a hotel, motel, coffee shop or fast food restaurant. It even includes a security app for Android Smartphones. Also included is Smart Surfing for Mac.

Regular price: $79.95 Sale price: $55.95. Learn more or Buy it now

Read the details about this program and find my yellow highlighted discount links on my Trend Micro web page.

Trend Micro Titanium Internet Security 2012
This is the most popular security program from Trend Micro, best suited to computer towers that stay in one location. Some of the key features are Enhanced Behavior Monitoring/Proactive Intrusion Blocking, Antivirus Security, Spyware Protection, Detect and Block Image Spam, Personal Firewall, Fraud Defense, Data Theft Protection, Wireless Network Monitoring, Network Control, and, coolest of all, you get all this protection for up to 3 home or mobile computers with just one license fee.

Regular price: $69.95 Sale price: $48.95. Learn more or Buy it now

Read the details about this program and find my yellow highlighted discount links on my Trend Micro web page.

Trend Micro Titanium™ Antivirus Plus Anti-Spyware
Trend Micro Titanium Antivirus + is very light on computer resources, because it uses a set of fairly small on-disk definitions that are loaded at startup, covering the most prevalent known threats. Additional real-time threat protection comes from Trend's in-the-cloud security technology, which is constantly updated as new malware is identified and definitions are written.

Regular price: $39.95 Sale price: $27.95. Learn more or Buy it now

Subscribers to any of these Titanium programs are protected against hostile and compromised web pages by the Trend Micro Web Threat technology, which blocks access to bad websites before they can exploit your computer.

This 30% off sale ends on April 30, 2011. If you were waiting for a great discount before buying commercial security for your computers, now is the time you've been waiting for! Furthermore, because we are already into the current model year and subscriptions run 365 days, you would be entitled to a free upgrade to version 2013 of the same program.

I know this because I purchased a one year subscription to Trend Micro 2011 and received a free upgrade to version 2012. I'll be renewing it for another year next month. Having tried many other security programs I see no reason to change. Trend Micro does what it's supposed to do, without slowing me down or annoying me with a lot of pop-ups, like some other security programs did. The web threat protection blocks dangerous web pages from loading, preventing their exploit kits from attacking my defenses.

Read the rest of the details and find my highlighted discount links on my Trend Micro web page.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.