Symantec – Spam and Phishing Landscape: January 2010

Notable highlights this month include the shift of the regions of message origin, and changes in the average size of spam messages. In recent months, APJ and South America have been taking the spam share away from the traditional leaders of North America and EMEA. However, North America and EMEA together sent 57 percent of spam messages in December 2009, compared with 50 percent in November 2009. With respect to the average size of the messages, the 2kb – 5kb message size category increased by seven percent, while the 5kb – 10kb message size category decreased by six percent in December 2009. With respect to all spam categories, health and product spam have increased and now account for 52 percent of all spam messages. Click here to download the January 2010 State of Spam Report, which highlights the following trends: ...

January 16, 2010 · 2 min · 272 words · Omid Farhang

Open season on tax-payers

As any reader of this blog knows, cybercriminals can steal your money not just by putting malware on your machine, but by phishing attacks too. Phishing attacks don’t just target online banking and e-payment systems, but almost any site which asks the user to input sensitive data. Sites run by national government agencies are a prime example as they often demand a wealth of personal information which goes far beyond a simple user name or account number + PIN. While filling in a tax return online might seem like a great way to save time and paper, it gives cybercriminals a great opportunity to scoop all your details at once – data which could then be used to steal your identity and/or commit further crimes in your name. ...

January 12, 2010 · 2 min · 286 words · Omid Farhang

PCProtectar

PCProtectar is the latest rogue security software infecting PCs across the interwebs. PCProtectar uses false security warnings and system scan results to trick people into buying the software. If your PC has been infected with PCProtectar, don’t fall for the scam. Do not buy this software; it is completely useless and an infection in itself. PCProtectar is a potentially dangerous infection that may cause programs to stop working and web browsers to not open, making it impossible to access the internet. PCProtectar should be removed from infected computer systems immediately. ...

January 6, 2010 · 1 min · 104 words · Omid Farhang

How to rescue files encrypted by Data Doctor 2010?

We have a tool available to do just that. Click Here.

How to use dd2010_decrypter.exe to do batch processing:

1. Place the encrypted files in a directory (e.g. c:\encrypted_files\).
2. Copy dd2010_decrypter.exe into another directory and, FROM THAT DIRECTORY, run the following command:

    for %f in ("c:\encrypted_files\*.*") do dd2010_decrypter.exe %f %f.decrypted

All files in the encrypted_files folder will be processed, and the new decrypted files will have the same name but their extension will be “.decrypted”. ...

January 6, 2010 · 1 min · 106 words · Omid Farhang

Identifying Malicious Blogspot pages used by Koobface

Koobface is still going strong despite not making the headlines so much anymore. Well, the Koobface gang took the time to send a Christmas card and wish security researchers a happy new year. Very nice of them… For a couple of days now I’ve been looking at their infection method and trying to see any interesting patterns. The bad guys use bogus blogspot.com blog pages to redirect users to the actual Koobface malware. The redirection consists of several attempts to connect to compromised PCs, through their IP address. Below is a Fiddler log showing those attempted connections (in red are failed connections). Once a host has successfully responded, the users are redirected to a fake page prompting them to install a video codec. ...

January 6, 2010 · 2 min · 312 words · Omid Farhang

Damn Funny Instant Message—NOT!

I recently received a suspicious Gmail chat message from a friend (shown below). I was immediately suspicious about the message because this friend has never used chat to talk with me previously, and also he appeared to be offline and the content of the message was similar to messages that other instant messaging worms use. I expected that when I clicked on the link I would be asked to download an executable thinly disguised as a photo (for example, coolpic.jpg.exe) like W32.Scrimge.E or that some drive-by exploits would be used on the page such as the ones Koobface uses. Instead I was brought to the following page that asked me to log in to my choice of MSN, Yahoo, Gtalk, or AIM accounts to view the “private album.” ...

January 6, 2010 · 3 min · 567 words · Omid Farhang

Gaming Trojans: “because that’s where the money is.”

The massive growth of gold farming – the exchange of real money for virtual goods – might result in an increase in gaming Trojans and other malware aimed at gamers in the future. A well-respected researcher has described the incredible growth of “gold farming,” a significant industry and source of employment in China and other parts of Asia. He estimates there are 400,000 people working for gold farming companies. They spend as much as 12 hours per day playing online games in order to accumulate virtual goods which can be sold to some of the 50 million online game players worldwide for real cash. ...

January 6, 2010 · 2 min · 330 words · Omid Farhang

PcsProtector

The creators of WiniGuard rogue security software have released their first clone of 2010. This new rogue is called PcsProtector.

January 6, 2010 · 1 min · 20 words · Omid Farhang

Glike NOT

This is an interesting sample, caught by our honeypots. The file comes as a zip archive from qtpom{removed}.tripod.com/codec.zip, which once extracted looks like this: It is almost undetected. Virus Total report here. Truth be told, no blatant sign of malware activity is noticed at first until this: What the heck? This is not my Google home page. And what are those tabs up there: “Pharmacy”, “Casino”? ...

January 6, 2010 · 1 min · 141 words · Omid Farhang

Antivirus PC 2009

Antivirus PC 2009 is the latest rogue security software to hit the internet. Antivirus PC 2009 is a complete scam designed to harass PC users into buying the corrupt software. Antivirus PC 2009 will try to trick people into thinking that their PC is infected with malware and recommends purchasing or registering the software to remove the malware. Antivirus PC 2009 will show false scan results that report numerous infections. Antivirus PC 2009 will also display annoying popups and system alerts that state the PC is infected, under attack or not protected with antivirus software and recommend buying Antivirus PC 2009. Antivirus PC 2009 will also prevent other programs from opening, even the web browser, making it impossible to use the internet and rendering the PC nearly useless. ...

January 6, 2010 · 1 min · 148 words · Omid Farhang