
Brittany Murphy SEO

  • Post author: Omid Farhang
  • Post published: December 21, 2009
  • Reading Time: 1 min
  • Word Count: 92 words

Just a quick note – the sudden death of Hollywood celebrity Brittany Murphy last Sunday (BBC report here) has prompted a spike in searches on the subject – and of course, an SEO attack. Users who click on a poisoned search result link will be redirected to a website that will display a scare message trying to panic users into downloading rogue AV software: Screenshots of the rogue AV: ...


ProtectPCs

  • Post author: Omid Farhang
  • Post published: December 21, 2009
  • Reading Time: 1 min
  • Word Count: 89 words

ProtectPC’s is a nasty rogue antivirus program, or phony security software, used to scam people out of their money. If your PC is infected with ProtectPC’s you should remove it immediately. ProtectPC’s poses a serious security risk for all PC users. Symptoms of a ProtectPC’s infection can include:

  • Web browser redirecting spontaneously
  • System scans that result in reports showing multiple infections
  • Pop-ups and system alerts stating the PC is infected
  • Programs being shut down or unable to open

Click Here to learn how to remove this kind of malware. ...


Malware Defense

  • Post author: Omid Farhang
  • Post published: December 21, 2009
  • Reading Time: 1 min
  • Word Count: 95 words

Malware Defense is a rogue security program, designed to look like legitimate security software. If Malware Defense has been installed on your PC, more than likely you did not intentionally download it; it just appeared one day. Malware Defense usually infects a computer system with help from malicious advertising or a trojan found on a shady website. Malware Defense usually infects unsuspecting users’ PCs without permission. Malware Defense is a scam. Do not buy this software; it should be removed from infected computers immediately. ...


There's No Such Thing as a Free Movie

  • Post author: Omid Farhang
  • Post published: December 19, 2009
  • Reading Time: 2 min
  • Word Count: 269 words

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar “play video/need codec” screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates. ...


Data Doctor 2010 will make you sick

  • Post author: Omid Farhang
  • Post published: December 19, 2009
  • Reading Time: 1 min
  • Word Count: 166 words

Data Doctor 2010 is an encryption trojan that comes via our old “friends” iframedollars. It encrypts the files on your hard drive very rapidly if you’re unfortunate enough to be victimized by it. It arrives through drive-by downloads from malicious web sites. It’s also packaged with other malware. The victim receives a message that the system is shutting down due to “Unrecognized disk driver command.” The system is then rebooted to safe mode and a message is displayed: “Windows has recovered from a serious error. Some files can be corrupted. Disk checking is strongly recommended.” ...


The most phished brands of 2009

  • Post author: Omid Farhang
  • Post published: December 19, 2009
  • Reading Time: 1 min
  • Word Count: 122 words

For almost all of 2009, the battle for first place among phishing targets was between eBay and Chase Bank. Most of the time, Chase Bank was at the top of the most phished brands. In December, the situation changed: PayPal is now the most phished brand (32205 unique URLs), followed at a distance by Chase Bank (25901 unique URLs) and eBay (18738 unique URLs). ...


Microsoft privacy portal a target of rogue security software

  • Post author: Omid Farhang
  • Post published: December 19, 2009
  • Reading Time: 2 min
  • Word Count: 249 words

Earlier in 2009, the Microsoft privacy homepage became the target of rogue security software developers looking to make a fast buck. The developers of the rogue security application known as “Privacy Center” even went so far as to include a link to Microsoft to trick users into thinking the rogue is a Microsoft product. Trojan:Win32/PrivacyCenter is a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. ...


Spam for the visually impaired

  • Post author: Omid Farhang
  • Post published: December 17, 2009
  • Reading Time: 2 min
  • Word Count: 253 words

Starting at ~3:20pm GMT today, Canadian Pharmacy spammers began using attached MP3 files as the call-to-action for their latest campaign. The message had no subject, no “text” body content, just an attached “audio/mpeg” file with a random lowercase file name. Upon playing the attached MP3 file, you find out why I called it the “call-to-action”. A robotic-sounding woman’s voice reads off the URL they would like recipients to browse to (letter by letter), with porn-like moaning as background noise. I guess they are going for the often-used spam tactic of tying ED pills (Viagra, Cialis, etc.) to porn star-like performance in bed. ...


Who’s the quickest? Only one way to find out


  • Post author: Omid Farhang
  • Post published: December 17, 2009
  • Reading Time: 1 min
  • Word Count: 175 words

Earlier this morning I happened to notice a redirect page used in a meds spam campaign that just happened to also be compromised with a malicious script. You can see the META tag redirect that will instruct the browser to immediately load the page on the target site. And immediately below it, the obfuscated JavaScript injected into the page. Deobfuscating this script, we can see its payload is also redirection, this time to a malware site. ...



Merry Christmas, Idiot

  • Post author: Omid Farhang
  • Post published: December 17, 2009
  • Reading Time: 1 min
  • Word Count: 89 words

It’s not a huge surprise that we are seeing some malware spam runs where the malicious attachment attempts to portray itself as a Christmas Greeting of some sort. Here’s an example from today (md5: C670165AE6DFA8318F0EA795B1D3AD55). This one is actually a Zapchast (IRC bot variant). The “Christmas Card” requires its own “special version” of Flash to be installed — flashplayer2009.exe — which is the malware itself. Once ready, it will display this friendly message written in Universal Gibberish. ...
