January 29, 2014

New Phishing scam targeting American Express card holders


Email malware and phishing scams are nothing new and most will appear for a while, then disappear, then reappear some time later. So it is with a new scam targeting American Express card holders on January 29, 2014.

Earlier today, my spam protection program, MailWasher Pro, auto-deleted a message that was a phishing scam against American Express card holders. Here are the pertinent details to watch out for, lest you fall for this scam.

Subject: American Express Security Notification
From (spoofed): "American Express" <[email protected]>
Return-path: <[email protected]>
Date: Wed, 29 Jan 2014 17:23:53 +0000
Some normally hidden email headers:
Received: from [94.197.44.27] (port=53006 helo=94.197.44.27.threembb.co.uk)
Received: from 94.197.44.27 (account [email protected] HELO otpfh.ifxkmqeu.com)
X-Mailer: The Bat! (v3.51.10) Home

The message body in plain text reads as follows.



American Express Security Notification

Dear Customer,

As you may already know we ask our customers to update the contact details associated with American Express card account.

A recent review of your account determined that you need to confirm the information associated with your American Express account.

As the Primary Contact, you must verify your account activity before you can continue using your card, and upon verification, we will remove any restrictions placed on your account.

We encourage you to use the following link and confirm your account details as soon as possible:

https://www.americanexpress.com/[Links to h**p://dychovka.eu/dissents/index.html]

Note: Failure to update your account may result in account limitations or even account closure.

We appreciate your prompt attention to this important matter.

Thank you,

Amber Justice

Level III Security Officer

American Express

© 2014 American Express Company. All rights reserved.
AMEX Account Security



Note: (I deactivated the hostile link for your safety)

Here are some pertinent details about this scam.

First, the message did not come from AmericanExpress.com, or "aexp", at all. Everything in the headers to that effect is fake, spoofed data. This particular scam email came from a mobile broadband service customer in Great Britain, at the IP address 94.197.44.27 (hostname 94.197.44.27.threembb.co.uk).

In fact, I see the "return-path" set to "fraud@aexp" in almost every other malware and phishing scam email over the past year. Even scams claiming to come from a bank, or department store are composed using the same spam template. Most of them also have set "X-Mailer: The Bat!" which is a favorite email program in Europe, especially in Russia, where it was created.

Let's see how the scam in this email works. Note that I have deactivated the dangerous links for your protection, by changing http to h**p.

There is one clickable link presented, spoofing americanexpress.com but actually going to an exploited server at h**p://dychovka.eu/dissents/index.html, which is located in Czechoslovakia. The index.html page at that URL has just the text "Connecting to server..." followed by nothing but three automatic JavaScript includes, like this one: h**p://Holidaymatrix.com/bushel/maricela.js. Anybody arriving at that location with a typical web browser that has JavaScript enabled by default will have those .js files loaded into their browser and executed automatically. Each of the .js files contains a single line of JavaScript that uses "document.location" to redirect the browser to yet another location. That location is where the phishing scam is hosted.

All of this happens in the blink of an eye. If the payload were a malware exploit attack, it would be launched as soon as you arrived at the final destination. In this case, the payload is a webpage using code and images stolen from the American Express website. The phish is a form that tells you that you must fill in the required details and submit it or lose your credit card rights. All lies!

The Phishing page is titled: "American Express Credit Cards, Rewards, Travel and Business Services" in the Titlebar. Down the page is a form, prefaced with the text: "Please submit your login credentials to start the identification procedure." The submission is posted to a page named: "/americanexpress/work.php" where your stolen credentials are stored until the criminals behind this scam gather them up.
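As an added illustration (not code from this post), the following Python traces a chain of the kind just described statically: it parses the `<script src>` includes and the `document.location` assignments out of already-captured page bodies instead of letting a browser execute them, then reports the action URL of the credential form on the final page. The page contents are constructed; only the dychovka.eu and Holidaymatrix.com URLs come from the post, and realestate.example, second.example and third.example are made-up hosts.

```python
import re
from urllib.parse import urljoin

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
JS_REDIRECT_RE = re.compile(r'(?:document|window)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
FORM_ACTION_RE = re.compile(r'<form[^>]+action=["\']([^"\']+)["\']', re.I)
PASSWORD_RE = re.compile(r'<input[^>]+type=["\']password', re.I)

# Constructed stand-in for captured responses, modelled on the chain described above:
# only the dychovka.eu and holidaymatrix.com URLs come from the post, the rest are made up.
PAGES = {
    "http://dychovka.eu/dissents/index.html":
        'Connecting to server...'
        '<script src="http://holidaymatrix.com/bushel/maricela.js"></script>'
        '<script src="http://second.example/inc.js"></script>'
        '<script src="http://third.example/inc.js"></script>',
    "http://holidaymatrix.com/bushel/maricela.js":
        'document.location = "http://realestate.example/americanexpress/";',
    "http://second.example/inc.js":
        'window.location.href = "http://realestate.example/americanexpress/";',
    "http://third.example/inc.js": "// this one does not redirect",
    "http://realestate.example/americanexpress/":
        '<title>American Express Credit Cards, Rewards, Travel and Business Services</title>'
        '<form action="/americanexpress/work.php" method="post">'
        '<input name="userid"><input type="password" name="pwd"></form>',
}

def trace(start, fetch, max_hops=10):
    """Follow <script src> includes and JS location redirects from `start` without
    running any JavaScript; `fetch(url)` returns a body or None (here a dict lookup)."""
    chain = [start]
    for _ in range(max_hops):
        page = chain[-1]
        body = fetch(page) or ""
        sources = [body] + [fetch(urljoin(page, s)) or "" for s in SCRIPT_SRC_RE.findall(body)]
        # Included scripts run in the page's context, so targets resolve against the page URL.
        redirects = [urljoin(page, t) for src in sources for t in JS_REDIRECT_RE.findall(src)]
        if not redirects:
            return chain
        if redirects[0] in chain:
            raise ValueError(f"redirect loop back to {redirects[0]}")
        chain.append(redirects[0])
    raise ValueError(f"more than {max_hops} hops from {start}")

def credential_form(url, body):
    """Absolute action URL of a form in `body` that asks for a password, else None."""
    action = FORM_ACTION_RE.search(body)
    return urljoin(url, action.group(1)) if action and PASSWORD_RE.search(body) else None
```

With real captures, `fetch` would be a lookup into bodies you saved from a sandboxed fetch; the tracer never executes the scripts it reads.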

I have already notified the hosting company responsible for the actual Phishing scam. The owner of the website is an innocent real estate company in Charlotte, North Carolina. They actually own 5 websites that are infected with this or other malicious scams.

No matter what domain this particular scam is hosted on, the folder containing the Phishing page will be inside a folder named: "/americanexpress/." The next time they run this phish, the folder name may change, or not. If you manage a web site or sites, now is a good time to check for folders which you did not create, containing files you know nothing about. Your web site could have been compromised, just like the one in this example was.

What you can do to protect your computer against this type of scam.

If you are using Firefox as your default browser, install the NoScript add-on and learn how to use it. It blocks JavaScript, Java, Flash and other forms of active scripting by default, unless you specifically allow a web site to use them. If you aren't using Firefox, try it and install the NoScript add-on ASAP.

If you must use another browser, make sure you have a robust security program installed on the computer. I use Trend Micro Internet Security which contains a component that automatically blocks access to infected web pages, like those I listed above.



January 21, 2014

Beware of an email scam spoofing faxes from Ring Central


Today's article is about a long established email scam that claims to deliver a fax or faxes inside an attached file. Last year, the majority of these scams pretended to come from eFax, which is a well established fax to email provider. However, the current batch are now spoofing RingCentral as the sender.

The emails that are spoofing RingCentral all have a similar construction to this recent spam message:


From: "Ralph Brock" <[email protected]>
Subject: New Fax Message on 01/15/2013

Body (plain) text:

You Have a New Fax Message
From: (607) 009-4357
Received: Wednesday, January 15, 2014 at 11:34 AM
Pages: 4
To view this message, please open the attachment.
Thank you for using RingCentral.


In this case the attached file was simply named "fax.zip" which contained a .exe Trojan installer.

Messages like this are mostly targeting businesses, many of whom do business using fax exchanges. The goal in these instances is to install information stealing malware onto networked computers. The opportunity for cyber thieves is tremendous if they can get a key person to open such a file and allow it to be installed onto her or his office computer. Company secrets as well as bank accounts are stolen this way every day.

While businesses are the primary target, home users are also exploited by the banking or extortion Trojans often incorporated into the downloaded packages. You see, the first step in the infection is to install a downloader that works in the background. You don't normally see what it is doing until it is too late. Once the downloader is installed it assesses the computer for not only its hardware, but also the user privileges, other accounts, and whether it is part of a network.

This report is sent back to the cyber criminals who are behind that particular spam run. The nature of the system report can alter the next delivery to be more useful based on whether it is a home user or a networked business system. A home user with just one PC connected to a cable modem might be targeted with something like the CryptoLocker ransomware that encrypts valuable file types and demands a payment in Bitcoins, or WebMoney to decrypt them. Or, sometimes fake anti-virus may be installed and a scan will lie about finding all manner of threats that can only be removed at a cost.

In virtually every case of these malware attachment infections, a remote access Trojan (a.k.a. RAT) component is installed, often incorporating what is called a "rootkit" or "bootkit." This component receives instructions and transmits requested data back to the servers controlled by the criminals running the operation. The infected computer then becomes part of a remote controlled network of compromised computers, which is known as a "botnet."

Computers in a botnet are said to be "botted." They are used as zombies that may lie in wait for instructions, acting normally for all appearances. But, when the "Mothership" controller sends a command to those computers, they wake up and do the bidding of the Bot Master. That bidding may be to turn a botted computer into a spam machine, or may order it to join an online attack against a business, personal, or Government website. Often, botted computers are rented out to host spam web pages, or to host malicious code that exploits the computers of innocent people who are tricked into clicking on poisoned links in email or instant messenger messages, or on compromised Facebook and Twitter accounts.

What you can do to avoid becoming another victim of this scam.

Home users who do not normally use online fax services and are not expecting any faxes should assume that anything using language and file names similar to my sample is malicious and delete it. Look at the sender's name and, more importantly, his email address. While these are spoofed, a lot of them are using Russian domains (e.g. st-bank.ru). If the recipient lives in the good old USA and does not operate an online business, why would somebody with a .RU (Russia) domain email account be sending you a fax?

Still, the weakest link in computer security often lies between the keyboard and the chair. So, make sure you have an up-to-date anti-virus or anti-malware program installed, updated automatically and functional. I personally use and recommend Trend Micro Internet Security. If you can't afford to pay for commercial security programs, AVG, Avira and Avast offer free versions, with somewhat limited features compared to their paid versions.

Business owners cannot afford to not have paid-for anti-malware protection, especially one that scans incoming POP3 and MS Exchange email for threats. If your documents, payrolls, invoices and customer records aren't valuable enough to justify paying a small fee per computer to protect them against intruders and malware, are you really in business? Do you actually think that your bank will refund the money stolen by a banking Trojan from a business account? Think again. That protection is usually limited to personal accounts. Business accounts aren't usually reimbursed unless the bank is able to recover the stolen funds from the banks where it was sent, which in the case of Money Mules, could be dozens of banks.

Stay safe people. Email scams are picking up right now!



January 13, 2014

Beware of funeral notice email scam leading to malware


Today I received an unusual email sent to one of my most rarely used accounts. In what turned out to be a malicious scam, the subject was: "Passing of your friend." That subject is certainly written to get your attention! The following was in the body text.

The Amos Family

Funeral Announcement
Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service that will be held on Monday, January 13, 2014 at the Ocker Funeral Home, Arkansas.

Please find more detailed information about the memorial service here.

Sincerely,
Funeral Home Secretary,
Mateo
Little


The word "here" contains a link to a website in the Netherlands (youtubeforum.nl). The destination URL, which you can read on a PC by hovering over the link without clicking any buttons, is buried two folders under the root, in an aliased location named "/Funeral." Landing on that URL initiates the download of a file named "FuneralProcession.zip", which if opened contains a malicious file named "FuneralProcession.exe."

Anybody who is tricked into downloading that zip file and opening its executable will have a Trojan installed on their PC. I guess I am the first to report this, as zero of 51 security scanners have looked at this file as of this posting. You can check the results on VirusTotal as the file gets analyzed, here.

In the meantime, if you receive an email like this one, know that it is a scam and delete it. Check the sender field to see if it corresponds to the name of the family or funeral home. In the case of the scam I received, the sender was listed as: "The Amos Family" <[email protected]>. Domains ending in .by are in Belarus, which is located in Eastern Europe, in the former Soviet Union. BY domains are registered to residents or citizens of that country. This email claimed to come from people having a funeral in Arkansas, which is thousands of miles away, on another continent.

The Amos Family name and email account are a forgery. When I traced the location of the sending computer (shown in the normally hidden headers), it too was located in Belarus, at 178.124.156.68, which is in Minsk, BY.

So, even without an anti-virus program scanning your email, one can see that the sender's email domain and the link URL have no correlation to the funeral notice location.

Stay safe this Winter. Scammers have been ramping up their efforts to infect as many PCs as possible with Trojan downloaders, which in turn download and install bank account stealing malware and other nasties. They will keep changing the subject lines to attract attention and trick you into clicking before thinking. No matter what version of Windows you are using, make sure it is equipped with up-to-date anti-virus and anti-malware programs, just in case you are tricked into clicking on a malicious link.
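Added example, not part of either post: a small Python checker for the header and link mismatches described in the American Express post above and in this funeral notice (Return-Path domain versus From domain, the originating IP in the Received header, link text showing a host the href does not go to, and link hosts unrelated to the sender's domain). The two sample messages are constructed to mirror the posts; the From addresses notice@americanexpress.com and office@amosfamily.by and the link paths are made up, while the link hosts and the Received IP are the ones the posts cite.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed samples modelled on the two scams (From addresses and paths are made up).
AMEX_SAMPLE = """\
Return-Path: <fraud@aexp.com>
Received: from [94.197.44.27] (port=53006 helo=94.197.44.27.threembb.co.uk)
From: "American Express" <notice@americanexpress.com>
Content-Type: text/html

<p>Confirm here: <a href="http://dychovka.eu/dissents/index.html">https://www.americanexpress.com/</a></p>
"""
FUNERAL_SAMPLE = """\
From: "The Amos Family" <office@amosfamily.by>
Content-Type: text/html

<p>More detailed information <a href="http://youtubeforum.nl/x/y/Funeral/">here</a>.</p>
"""
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RECEIVED_IP_RE = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def domain_of(header_value):  # domain of the address in a From/Return-Path header ('' if none)
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def host_of(url_or_text):  # hostname of a URL; bare 'www.example.com/' link text is accepted too
    return (urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text).hostname or "").lower()

def analyze(raw_message):
    """Return the header/link inconsistencies found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings, sender, return_path = [], domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if return_path and return_path != sender:
        findings.append(f"Return-Path domain {return_path} differs from From domain {sender}")
    # Received headers are prepended in transit, so the last one is nearest the sender.
    for hdr in reversed(msg.get_all("Received") or []):
        if m := RECEIVED_IP_RE.search(str(hdr)):
            findings.append(f"originating IP {m.group(1)}: compare its location with the claimed sender")
            break
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        target, shown = host_of(href), host_of(re.sub(r"<[^>]+>", "", text).strip())
        if "." in shown and shown != target:  # link text displays a host it does not go to
            findings.append(f"link text shows {shown} but points to {target}")
        if target and target != sender and not target.endswith("." + sender):
            findings.append(f"link host {target} is unrelated to sender domain {sender}")
    return findings
```

A message from a legitimate sender whose links point back to the sender's own domain produces no findings, so the checks can run as a filter over a mailbox export.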




About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.