Insight into fake AV SEO

  • Post author: Omid Farhang
  • Post published: February 26, 2010
  • Reading Time: 2 min
  • Word Count: 419 words

In this post I want to highlight how SEO attacks work: pages that use server-side kits to fool search engine bots into ranking them highly are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, links to these pages appear high up in the search engine results. In the example below, the malicious SEO page was the 2nd item in the search results (highlighted in blue). When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below). There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org to the .in site (purple). Finally, the user will be redirected to the fake AV distribution site (red). This is where the user receives the usual visual trickery, in order to fool them into installing the rogue application. ...

Do I Know You?

  • Post author: Omid Farhang
  • Post published: February 26, 2010
  • Reading Time: 2 min
  • Word Count: 247 words

Imagine that you’re sitting at home catching up on your email backlog. In comes an email from your ISP, FooBarBazCo (some creativity required here, I know). The email seems to be from Technical Support – ‘From: FooBarBazCo.com Team’ – and states that you need to update your email settings as a result of a recent security upgrade. Can you trust it? Today we observed an increase in spam messages containing links to a particular malicious URL. The messages masquerade as having come from mail administrators, with the ‘from’ address spoofed so that they appear to have come from the same network domain as the address to which the mails are sent (the ‘from’ and ‘to’ addresses are actually identical, although this will not be visible in most email programs). ...

Scammers Offering Tax Refunds

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 2 min
  • Word Count: 295 words

Fraudsters never seem to rest. They have now turned their attention towards phishing using the Indian Income Tax Department’s name and branding. It is the season of tax returns in India and it is well known that people will file their income tax returns for the end of the fiscal year in India. Hence, phishers have chosen the right time to phish the market since most users will not be aware of these attacks. ...

Apple iPhone Warranty Scam

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 2 min
  • Word Count: 422 words

Symantec has recently observed phishing scams targeting Apple iPhones in order to gain serial numbers, IMEI, model, and capacity, etc. What is an IMEI? An IMEI (international mobile equipment identity) is a 15-digit unique number used by GSM networks to identify valid devices. Every GSM, WCDMA, or iDEN mobile phone (and even the odd satellite phone) has an IMEI. It can be found under the battery of the device or by typing *#06# on the mobile. If your phone or device is lost or stolen you can report it to your service provider, providing the IMEI number. The service provider can then blacklist the IMEI number, rendering the device unusable in that country. ...

Exploit for zero-day vuln in Firefox is for sale

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 1 min
  • Word Count: 179 words

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available though, since he’s put it in a module to the automated exploitation system he sells (reportedly at a considerable price). Legerov has not provided information on the vulnerability to Mozilla. The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.” ...

Antivirus NOT

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 1 min
  • Word Count: 60 words

“Dammed thieves. Stole our logo. I suppose we should be flattered, though.” — A.E.

Old rogue, new package: AntivirusProtectionCenter

av2009.exe : crc6:7f3d73762762 crc8:003091628c68decc md5:d71d1e303ab963fdae76936ba52a05b7
AMC.exe : crc6:1d6922972762 crc8:003005cfbb91b729 md5:e5555754fd758fc2be1374796f9433e2

Hash’s different from their PersonalAntiMalware added 2/16/2010

opener_.exe : crc6:8ee75c08081d crc8:00dc55e5aaa82efa md5:5bb290cd1eb419ca98ca1f31273f7219

“It’s the same gang that had the code saying ‘hello Sunbelt software’ They are watching us.” — P.J.

Phishing the Brands of Online Auction Marketing Tools

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 2 min
  • Word Count: 324 words

The popularity of online auctions paves the way for the development of online auction marketing tools. These tools are software applications that are intended to facilitate the sellers’ side of popular online auction websites. Some of the tools that help sellers in auctions are: image hosting to display galleries of their products, listing of best bidders in a single template, automatic inventory systems to notify sellers when stocks are low, etc. With the help of these tools, online auctions are easier and less time-consuming. ...

Tiger’s play too rough on Valentines Day

  • Post author: Omid Farhang
  • Post published: February 14, 2010
  • Reading Time: 1 min
  • Word Count: 175 words

While most sane people around the world are enjoying a romantic Valentine’s Day today, we at SophosLabs remain vigilant on the front line of the war against malware. This year, Valentines Day coincides with the Chinese New Year as well as the start of the Winter Olympics in Vancouver, and many malware attacks have centred around SEO poisoning of these and other topical search terms. The Chinese New Year of the Tiger is proving a popular target, especially as this ties in with any Tiger Woods related searches: ...

Unusual Valentine’s Gift Unwraps FakeAV

  • Post author: Omid Farhang
  • Post published: February 14, 2010
  • Reading Time: 1 min
  • Word Count: 117 words

While everyone is searching the web for the unusual gift on Valentine’s Day, cybercriminals take this opportunity to propagate Rogue Antivirus. I have searched for the keywords “unusual-valentines-day-gifts”, which gives the following results: Clicking the highlighted link above will lead to a fake message such as “Alert! Your system is exposed to risk of virus attack. It’s highly recommended to check your PC immediately. Press OK to start the scan right now”. ...

Warning over sexy instant message called ‘Fembot’

  • Post author: Omid Farhang
  • Post published: February 13, 2010
  • Reading Time: 2 min
  • Word Count: 243 words

(BBC) Lonely internet users are being warned about Fembot, a piece of malicious software that poses as a flirtatious woman looking to chat on instant messaging services. Victims are persuaded to give out personal information that could be used for fraud or identity theft, according to security experts. Fembot was first spotted in 2007 but hasn’t been seen much since then. However, there are signs she may be back on the scene in time for Valentine’s Day. ...
