
Blog Archives

May 16, 2012

Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites


This article is about cybercriminals taking email exploit attacks to a new level. Tonight, I processed an email scam (to SpamCop) that claimed to come from a service known as 'Bill Me Later' - detailing an online payment I was supposed to have made over the phone. Except, my name is not Dr. Mary Olsen, MD!

The message, which was carbon copied (CC) to dozens of other recipients (whose email addresses were viewable in plain text), started off with the following totally fake text:

"Thank you for making a payment over the phone! We've received your Bill Me Later® payment of $60.12 and have applied it to your account."

The scam goes on to list various account numbers and (fake) payment details. It was also loaded with images and clickable links (20) to view many details, including:

Manage your account, Make a payment, View statements, Account Summary, Home, Make a Payment, About Bill Me Later, Offer, Directory, View Statements, Merchant Sign Up, Store, View Account, Summary, FAQs, Register Account
and 4 image links.

What is astoundingly different about this scam is not just the unusually high number of links leading to an exploit kit, but the fact that they all led to different domains. Normally, I see one or two domains used in hostile link scams. Twenty different compromised domain links is a new record for me.

Each one of these 20 links (see the compromised website list) leads to a different website, into a sub-directory (folder) whose name is 8 mixed-case alphanumeric characters, followed by /index.html. Here is one sample URL (deactivated for your safety): h**p://webprof.ro/Tv2YU8u6/index.html

This article has extended content.
Continue reading "Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites" »

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.


May 13, 2012

My spam analysis for May 6 - 13, 2012

After taking a month off from publishing my spam statistics, I am resuming it today. I have been watching spam trends during my quiet month and found that the volume of spam is increasing. This, after a year of declining spam volumes.

I have added up all my incoming email and counted those classified as spam, and found that in the last week, my percentage of spam has been almost 40%. During the same period last year, it measured just 30%. This is a 10 percentage-point increase.

I measure the amounts and types of spam with MailWasher Pro (2012), which compiles very good statistics for its users. If you don't already know about this program, it is a spam filter and email classifier, which sits between your email servers and your email client. It receives either POP3 or IMAP email from your mail servers and applies any filter or blacklist rules you define. I write and publish spam filters for MailWasher Pro and most of them are so reliable that I set them to automatically delete known spam. In case the filters are in error, I am able to restore the wrongly deleted messages from the MailWasher Recycle Bin.

While the volume and percentage of spam has increased over the last 7 days, an interesting development occurred: there was no spam with either malware links or attachments! In the previous weeks there were many such hostile messages, spoofing all manner of known websites and banks. Make no mistake, the malware scams will resume soon. Stay alert, especially if you have Java, Flash, or Adobe Reader installed on your computers or smart phones/tablets.

I always advise my readers to hover over links before clicking on them. Doing this causes the actual URL (web address) to be displayed in the status bar at the bottom of your browser (Web-mail) or email client (desktop email program). This gives the savvy user a chance to see whether a link claiming to lead to Intuit actually goes to a website that has nothing to do with intuit.com, or facebook.com, paypal.com, linkedin.com, etc.

On the other hand, clicking (without hovering first to check it out) on a poisoned link takes you to a compromised website, which uses JavaScript and iframes to redirect you to a Russian malware server, where your computer is attacked for any vulnerable software. If you have any exploitable, unpatched software installed, your computer may be taken over by criminals and drafted into a spam and attack botnet, and have malware installed which steals money from your financial accounts, or extorts money from you to fix non-existent problems.
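The checks done by hand in the May 16 Bill Me Later post above (every link to a different domain, each path an 8-character mixed-case folder followed by /index.html) and the hover-before-you-click advice here can be scripted against a saved message. The Python below is an added example, not code from this blog or from MailWasher. Its sample message body is constructed: apart from the one webprof.ro URL quoted in the May 16 post, the domains in it (example-shop.net, 198.51.100.7, and billmelater.com as the claimed sender) are placeholders.

```python
"""Triage the links in an HTML email: off-brand domains, exploit-kit landing
paths, and link text that names one site while the href points at another.
Added example; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Landing-page pattern from the May 16 post: /<8 mixed-case alphanumerics>/index.html
LANDING_PATH = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
# A domain name written into the visible link text, e.g. "www.paypal.com"
TEXT_DOMAIN = re.compile(r"\b([a-z0-9-]+\.(?:com|net|org|ro|ua))\b")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); IP literals are returned unchanged."""
    host = (host or "").lower()
    if not host or re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.split(".")[-2:])


def triage_links(html, claimed_sender_domain):
    """Return the distinct domains behind landing-page links plus every suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    expected = registered_domain(claimed_sender_domain)
    landing_domains, suspicious = set(), []
    for href, text in collector.links:
        parts = urlsplit(href)
        actual = registered_domain(parts.hostname)
        reasons = []
        if actual and actual != expected:
            reasons.append("link domain differs from the claimed sender")
        if LANDING_PATH.match(parts.path):
            reasons.append("exploit-kit landing path")
            landing_domains.add(actual)
        m = TEXT_DOMAIN.search(text.lower())
        if m and actual and registered_domain(m.group(1)) != actual:
            reasons.append(f"text says {m.group(1)} but href goes to {parts.hostname}")
        if reasons:
            suspicious.append({"href": href, "text": text, "reasons": reasons})
    return {"landing_domains": sorted(landing_domains), "suspicious": suspicious}


# Constructed sample: the webprof.ro URL is the defanged sample from the May 16
# post; every other host here is a placeholder.
SAMPLE_EMAIL = """
<p>Thank you for making a payment over the phone! We've received your payment.</p>
<a href="http://webprof.ro/Tv2YU8u6/index.html">Manage your account</a>
<a href="http://example-shop.net/Ab3dEf9k/index.html">View statements</a>
<a href="http://example-shop.net/Ab3dEf9k/index.html">Make a payment</a>
<a href="http://198.51.100.7/Zz9yXx8w/index.html">www.billmelater.com</a>
<a href="http://billmelater.com/help">FAQs</a>
"""

if __name__ == "__main__":
    report = triage_links(SAMPLE_EMAIL, "billmelater.com")
    print("distinct landing domains:", report["landing_domains"])
    for link in report["suspicious"]:
        print(link["href"], "<-", repr(link["text"]), "|", "; ".join(link["reasons"]))
```

Run it and the five links come back as three distinct landing domains and four suspicious links; the only clean link is the FAQs one, which actually goes to the claimed sender's domain. The eTLD+1 logic is deliberately crude (last two labels), so for real mail use a public-suffix list.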

Let's move on to the spam analysis for the week...

This article has extended content.
Continue reading "My spam analysis for May 6 - 13, 2012" »


May 7, 2012

Really lame and blatant Nigerian 419 scam

Today, I received an email containing a Nigerian 419 scam that, while laughable for its horrible spelling and punctuation, makes an up-front demand for payment. Normally, these scams hide the fact that victims are asked to pay in advance before the (fake) hundreds of thousands of dollars will be released to the beneficiary (victim).

Let's take a look at this scam from a curiosity point of view.

First of all, the sender has covered his tracks by using compromised email relaying PCs in a botnet. Two computers were used, both belonging to US residents. One belongs to an organization named "Secured Private Network" - which is obviously not so well secured! The second relay occurred via an open relay in a mail server belonging to CrystalTech Web Hosting.

The return path was interesting. It used a (possibly spoofed) account on a Ukrainian domain: terence_m@e-mail.ua. However, the From address shows test@milkom.net, which is obviously spoofed.
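Tracing the relay hops and comparing the Return-Path with the From header, as done above, can be scripted against a saved message. The Python below is an added example, not code from this blog or from the SpamCop report. Its sample headers are constructed (RFC 5737 documentation addresses, made-up host names and a made-up queue id); only the two sender addresses quoted in the text above are real.

```python
"""Walk a message's Received: chain back to the originating host and compare
the envelope sender (Return-Path) with the From: header.
Added example; the message below is constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# "from <host> (<helo-name> [<ip>]) by <host> ..." as most MTAs write it
HOP = re.compile(r"from\s+(?P<from>[^\s;]+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (NAT) space; an origin here means a PC behind a home/office router."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def received_chain(raw_message):
    """Return hops oldest-first. Each MTA prepends its own Received: header, so
    the top header is the newest and the chain is read from the bottom up."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        ip = IPV4.search(flat)
        addr = ip.group(1) if ip else None
        hops.append({"from": m.group("from"), "ip": addr, "by": m.group("by"),
                     "private": bool(addr) and is_rfc1918(addr)})
    return hops


def sender_mismatch(raw_message):
    """Envelope sender vs. header From: different domains are a spoofing tell."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    rp_domain = return_path.rpartition("@")[2].lower()
    from_domain = header_from.rpartition("@")[2].lower()
    return {"return_path": return_path, "from": header_from,
            "mismatch": rp_domain != from_domain}


# Constructed sample: documentation IPs and made-up hosts. Only the two sender
# addresses come from the post above.
SAMPLE_MESSAGE = """\
Return-Path: <terence_m@e-mail.ua>
Received: from mail.hosting.example (mail.hosting.example [203.0.113.5])
\tby mx.recipient.example with ESMTP id 4fa7c2; Mon, 7 May 2012 09:12:01 -0400
Received: from [192.0.2.44] (cpe-192-0-2-44.isp.example [192.0.2.44])
\tby mail.hosting.example with SMTP; Mon, 7 May 2012 13:11:40 +0000
Received: from [10.0.0.2] (unknown [10.0.0.2])
\tby cpe-192-0-2-44.isp.example; Mon, 7 May 2012 13:11:38 +0000
From: Ambassador Terence McCauley <test@milkom.net>
To: undisclosed-recipients:;
Subject: ATTENTION BENEFICIARY

(body omitted)
"""

if __name__ == "__main__":
    for n, hop in enumerate(received_chain(SAMPLE_MESSAGE), 1):
        flag = "  (private address)" if hop["private"] else ""
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']}{flag}")
    print(sender_mismatch(SAMPLE_MESSAGE))
```

The hop list reads oldest-first. A private address in the first hop is consistent with a home PC behind a NAT router handing the message to a relay, the second hop shows a hosting mail server accepting mail from a residential address (the open-relay situation the post describes), and the Return-Path domain differing from the From domain is the spoofing tell.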

The message body claims to be from the "United states ambassador to nigeria
Ambassador terence mccauley" - yet it is filled with incorrect grammar, bad spelling and wrong capitalization. I have to believe that any school kid in the USA knows that titles, countries and personal names always have the first letter capitalized.

The scammer claims to have plans to be: "coming to your country for an official meeting and i will be bringing your funds of ($500,000:00) FIVE HUNDRED THOUSAND UNITED STATES DOLLARS {bank draft} along with me." He goes on to demand an up-front payment of a $250 "processing fee": "the cost of registering it is $250 USD the fee must be paid in the next 48 hours via western union."

Finally, to add insult to injury, the scam contains this outrageous statement:


Please, if you know you will not or can not send the requested $250 USD, please, dont bother replying this mail.

You can read the full text of this 419 scam on my SpamCop report

It is the up-front, advance-fee demand that gave these scams the name "419 scam": section 419 of the Nigerian Criminal Code is the provision against obtaining property by false pretences, which is exactly what advance-fee fraud is. Yet Nigerian scammers go to Internet cafes every day and mail out thousands of such scams to people in all parts of the world, but especially English-speaking people in North America, the United Kingdom and the lands down under.

Never reply to a Nigerian scammer and never give them your phone number! There is no 500 Gs waiting for you, and you are not the beneficiary of anybody who died and left millions in a Nigerian bank. They will bleed you out of all your money with new fees and bribes and never send you the promised funds (because they do not exist). This has happened over and over to greedy people who fall for such scams. W.C. Fields once said "Never wisen up a chump or give a sucker an even break." That is exactly how Nigerian 419 scammers behave. They target the elderly as well as business owners and town clerks.


May 6, 2012

How to prevent unauthorized people or vehicles from intercepting your wireless data

Lately, much ado has been made about the Google Street View vehicles doing more than photographing houses and businesses. Apparently, the Google vans have also been intercepting and storing wireless data from *unsecured* wireless routers, as they drive along the streets of our great nation.

Does this worry you? It should if you are one of the people operating an unsecured wireless router. Not because of what Google was doing with this openly transmitted data, but because if a Google van can read your unencrypted data, so can a neighbor's hacker kid, or somebody with bad intentions driving down your street, looking for wireless connections to piggyback on, or data to steal (a.k.a. war-driving).

Here is what the FCC determined about Google Street View vans intercepting wireless data as they drove down streets:


The FCC has been investigating, and recently fined Google $25,000 for the incident. In its report, the FCC concludes, "For more than two years, Google's Street View cars collected names, addresses, telephone numbers, URLs, passwords, e-mail, text messages, medical records, video and audio files, and other information from Internet users in the United States."

In its findings, the FCC did not conclude that Google's wireless data collection was illegal, because the information the company gleaned was not encrypted. The $25,000 fine against Google was actually for obstructing the investigation: Google stonewalled, delaying searches of employee records that would establish why this happened and what was done with the purloined data. It turned out to be an experiment by what Google referred to as a rogue employee.

So, how can you make sure that something like this doesn't happen to your wireless connections? Secure your wireless routers, or hotspots! Here's how...

This article has extended content.
Continue reading "How to prevent unauthorized people or vehicles from intercepting your wireless data" »


April 23, 2012

New social engineering tricks used in email malware scams

It appears that no matter how many cyber criminals get busted, or botnet command and control servers are taken offline, there is always another scam waiting to take their place. So it is in the case of email scams leading to malware attack kits.

The words and phrases in the subjects and message bodies used by scammers over the last few years have been morphing. We still see some of the old topics being used; recycled is a better word. But new subjects and message bodies are being developed by clever copy writers who are employed by malware distributors. I want to share some of the recent social engineering topics and hook lines that I have seen in spam/scam emails that are detected by MailWasher Pro and subsequently reported to SpamCop.

The most recent scam is one I don't recall ever seeing before. It seems to target business owners who might hire accounting firms to take care of their books and taxes. It is a very clever scam, leading to a huge exploit kit containing over 18,000 bytes of JavaScript code. Included are over two dozen script tags, most of which probe your browser and computer for exploitable plug-ins, like Java, Flash, Adobe Reader and Internet Explorer's ActiveX. If the victim's browser has any of the vulnerable versions of these plug-ins installed, silent exploits take place, resulting in the PC becoming a zombie in a spam and attack botnet. Victims are also treated to a free installation of a bank account stealing Trojan and maybe even a free scan from a fake anti-virus scanner that demands money to remove the fake detections and the barrage of warnings it fires at you.

Here then are the subjects and message contents of some email scams I analyzed today.

This article has extended content.
Continue reading "New social engineering tricks used in email malware scams" »


April 14, 2012

End of support for Windows XP w/Service Pack 3 on April 8, 2014

Beginning on April 10, 2012, Microsoft posted a notice on various Knowledge Base articles for Windows XP, and on its lifecycle fact sheet, that all support for Windows XP will terminate on April 8, 2014. Effective that day there will be no further updates, upgrades, or patches issued for any computer running Windows XP. Right now, one must have XP with Service Pack 3 in order to receive any patches from Windows Update.

On the same date, all support and patches for Microsoft Office 2003 will also come to an end.

Windows XP has enjoyed a long life since its retail release on October 25, 2001. It has been the most popular version of Windows since Windows 95, which was released with parties and huge fanfare on August 24, 1995. XP has received three service packs since 2002, ending with SP3, which was issued on April 21, 2008. Windows XP market share peaked at 76.1% in January 2007. But with the introduction of Windows 7 there has been a steady decline in the number of XP users online. As of today, the market share for XP is only about 29%.

If you are reading this from an XP computer you need to begin planning to upgrade before all support for your aged operating system ends on April 8, 2014. Since there won't be anymore patches, you will be left unprotected by Microsoft against any vulnerabilities that may be discovered running in the wild after that date. History teaches us that as soon as support is dropped for one of the versions of Windows, cyber criminals ramp up their attacks to try to draft as many of the unpatched machines as possible into spam and DDoS attack botnets.

Another fact we have seen play out is that security software vendors begin to drop support for any version of Windows that has been end-of-lifed by Microsoft. So, people hanging onto XP after April 2014 will not only be left out in the cold by MS, but will soon see an end of support from anti-malware companies as well. Without virus and malware protection or Windows Updates, those computers will become cannon fodder for exploit kit writers.

I have already upgraded to Windows 7 and love it! My XP desktop computer is only turned on once a month, on Patch Tuesdays, to download any available Windows Updates. That machine is only here as a backup unit in case my main Win 7 computer hard drive crashes. It would only be used until I could restore a saved Acronis image of the operating system to the new hard drive. I save a complete image of the hard drive once a week, but backup my documents and libraries every night.

If you have programs that are only written for Windows XP, without newer versions that work under Windows 7, even in Compatibility Mode, you should consider buying a copy of Windows 7 Professional (the Ultimate and Enterprise editions qualify as well). It allows you to download a free, fully licensed copy of XP Pro with SP3, which you install into a virtual machine that runs inside Windows 7 as an application. You can run any Windows XP based program inside that window, as though you had booted into XP. Of course, it takes away a gig of your RAM to run XP in the virtual machine, but be happy if it runs at all.

Note: XP Mode originally required a CPU with hardware virtualization (Intel VT-x or AMD-V) enabled in the BIOS. A March 2010 update to Windows Virtual PC removed that requirement, although hardware virtualization still improves the virtual machine's performance. Learn more about the hardware requirements for running XP as a Virtual Machine in this article.


April 13, 2012

Apple releases third patch for Java exploits, plus Flashback removal tool

I, among many other security bloggers, have recently posted articles regarding Java vulnerabilities and patches and how crimeware exploit kits target Java before any other commonly installed software. In fact, I published an article last night, April 12, 2012 about security patches that have been released so far this year, in which I mentioned that Apple had lagged way behind in patching the version of Java used on Mac computers.

Well, it may have taken Apple 2 months to issue "a" patch, but they enjoyed doing that so much that they have now released their third patch in 7 days! Yes Mac owners, you have three critical patches to download and apply, including the latest one issued late yesterday (April 12, 2012).

You see, Apple has a policy of discontinuing support for certain third party software for various reasons. They decided about a year ago to drop support for Adobe Flash. Not too long ago they also decided to drop support for Oracle Java and removed it from the list of applications that are installed or updated by Apple Software Updates.

This decision to stop deploying Java with Apple/Mac updates was a tactical error in my opinion. It was well intentioned, but short sighted. Java exploits are absolutely the number one infection vector used by perpetrators of the ZeuS Trojan and various botnet installers. Java is cross-platform, and was described by its original maker, Sun Microsystems, as "write once, run anywhere" technology. Java is not a scripting language: it is compiled to bytecode that runs on the Java Virtual Machine, and the browser-side mini-programs known as applets are distributed as .JAR files containing the compiled classes and their supporting files.

Run Anywhere includes Mac OS computers, as well as smartphones, tablets, ATMs, on and on. Even though the user base for Mac computers is relatively small, compared to Windows, they have now become targets of Java exploit kits, due to the erroneous attitude of many Mac users that they are immune to malware sneak attacks. This has been proven to be wrong thinking.

This article has extended content.
Continue reading "Apple releases third patch for Java exploits, plus Flashback removal tool" »


April 12, 2012

Security threats and program patches for 1st quarter of 2012

We are barely a third of a month into the second quarter of 2012, and already this year has brought a lot of security vulnerabilities, threats attacking them, and program patches released by major software companies. These patches include Windows Updates, Mac (Apple) updates, Adobe Flash, AIR and Reader, Oracle's Java Virtual Machine, the Internet Explorer, Firefox, Safari and Chrome browsers, RealPlayer and iTunes.

All of the software updated by these companies, over the past three months has suffered from highly critical security vulnerabilities, many of which are now being actively exploited by cyber crime gangs who publish exploit attack kits. Java exploits are almost always the first types of exploits targeted by crimeware kits, like the Russian Blackhole kit.

Some of you may be wondering how these exploits are delivered to your computer in the first place. The most common method of luring potential victims to scripted exploit kits is via cleverly crafted, hostile email spam messages. These hostile spam messages differ from standard commercial spam in that they aren't trying to sell you counterfeit pills, watches, or pirated software. Rather, they use well constructed come-ons to con or panic recipients into either opening attached files containing Trojans or JavaScript code that redirects your browser to a malware server, or clicking on obscured links to compromised websites.

After one clicks such a link, the scripts on the compromised landing page usually redirect you through other compromised websites and scripts, until you ultimately arrive at a distant server owned by cyber criminals, often in Eastern Europe. These servers use domains registered in places like Russia and Ukraine to launch exploit kit attacks on your web browser and its add-ons and plug-ins, with Java plug-ins leading the pack. Adobe Reader (PDF files) and Flash are major secondary targets, followed by iTunes and QuickTime, Microsoft Word and just about any popular software that can be used to gain access to the operating system.
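A first-pass static triage of a landing page like the one described here, and of the 18,000-byte, two-dozen-script-tag kit page in the April 23 post, can be done offline on the saved HTML without ever executing the scripts. The Python below is an added example, not code from this blog; the marker lists are my own assumptions about what such pages contain, the score weights are illustrative, and both sample pages are constructed.

```python
"""Static triage of a suspected exploit-kit landing page.
Added example, not code from this blog. Scores the traits the April 23 and
April 12 posts describe: many <script> tags, a large volume of inline
JavaScript, plug-in probing, self-decoding code, and hidden iframes or
redirects. The two sample pages below are constructed."""
from html.parser import HTMLParser

# Strings a kit's landing page uses to fingerprint the browser and its plug-ins (assumed list)
PROBE_MARKERS = ("navigator.plugins", "navigator.javaEnabled", "PluginDetect",
                 "ShockwaveFlash", "AcroPDF", "deployJava", "ActiveXObject")
# Typical obfuscation / self-decoding constructs (assumed list)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# Script-driven redirection to the next hop (assumed list)
REDIRECT_MARKERS = ("location.href", "location.replace(", "window.location")


class PageScanner(HTMLParser):
    """Collect script volume, hidden iframes and meta refreshes from raw HTML."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.inline_js = []
        self.hidden_iframes = []
        self.meta_refresh = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.script_tags += 1
            self._in_script = True
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src", ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here in CDATA mode
            self.inline_js.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def triage_page(html):
    """Return indicator counts plus a simple score and verdict."""
    scanner = PageScanner()
    scanner.feed(html)
    js = "".join(scanner.inline_js)

    def found(markers):
        return sorted(m for m in markers if m in js)

    report = {
        "script_tags": scanner.script_tags,
        "inline_js_bytes": len(js.encode("utf-8")),
        "plugin_probes": found(PROBE_MARKERS),
        "obfuscation": found(OBFUSCATION_MARKERS),
        "redirects": found(REDIRECT_MARKERS) + [f"meta refresh: {c}" for c in scanner.meta_refresh],
        "hidden_iframes": scanner.hidden_iframes,
    }
    # Illustrative weights, not tuned on real kit traffic
    score = 0
    score += 2 if report["script_tags"] >= 10 else 0          # "over 2 dozen script tags"
    score += 2 if report["inline_js_bytes"] >= 10_000 else 0  # "over 18,000 bytes of JavaScript"
    score += min(len(report["plugin_probes"]), 3)
    score += min(len(report["obfuscation"]), 3)
    score += 3 * len(report["hidden_iframes"])
    score += 2 if report["redirects"] else 0
    report["score"] = score
    report["verdict"] = "likely exploit-kit landing page" if score >= 6 else "no strong indicators"
    return report


# Constructed samples: a kit-like page and a benign one
KIT_LIKE_PAGE = """<html><head><title>Loading...</title></head><body>
<script>var p = navigator.plugins; var jv = PluginDetect.getVersion("Java");</script>
<script>try { new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); } catch (e) {}</script>
<script>document.write(unescape("%3Cdiv%3E"));</script>
<script>eval(String.fromCharCode(118, 97, 114, 32, 120, 61, 49));</script>
<iframe src="http://malware-server.example/main.php" width="0" height="0"></iframe>
<iframe src="http://second-hop.example/go" style="display: none"></iframe>
</body></html>"""
BENIGN_PAGE = '<html><body><script src="/app.js"></script><p>Hello</p></body></html>'

if __name__ == "__main__":
    for name, page in (("kit-like", KIT_LIKE_PAGE), ("benign", BENIGN_PAGE)):
        r = triage_page(page)
        print(name, r["score"], r["verdict"], r["plugin_probes"], r["hidden_iframes"])
```

The score is arbitrary; what matters is the set of indicators a practitioner looks for on a saved landing page (script volume, plug-in fingerprinting, self-decoding code, zero-size or display:none iframes, meta refresh) before deciding whether to hand the page to a sandbox.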

This is why reputable software companies release security updates on a more or less regular basis. Microsoft releases Windows Updates almost every month, on the second Tuesday of the month, and Adobe schedules its patches for the same Tuesday. This has become known as Patch Tuesday. Make a note of it: if you have a Windows computer running XP with Service Pack 3, Vista, Windows 7, or Windows Server 2003 or newer, set Automatic Updates to check for updates at least every Tuesday, at the equivalent of 2 PM Eastern time in your time zone. Accept all updates rated Important or Critical. Reboot after all updates are installed and log back into an administrator-level account so that any post-install processing completes, before logging into a less privileged account.

Note: There have now been four Patch Tuesdays so far in 2012, with the most recent being April 10, 2012. If you have not run Windows Updates this week, do so now. Two very serious vulnerabilities were patched this week. One is for Internet Explorer and the other for Microsoft Word. Exploits are now in the wild for both vulnerabilities.

This article has extended content.
Continue reading "Security threats and program patches for 1st quarter of 2012" »


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.