Who’s the quickest? Only one way to find out…

Earlier this morning I happened to notice a redirect page used in a meds spam campaign that just happened to also be compromised with a malicious script. You can see the META tag redirect that will instruct the browser to immediately load the page on the target site. And immediately below it, the obfuscated JavaScript injected into the page. Deobfuscating this script, we can see its payload is also redirection, this time to a malware site. ...

December 17, 2009 · 1 min · 175 words · Omid Farhang
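
The double hop described in that entry (a META refresh to the spam target, plus an injected script that unpacks into a second redirect) can be pulled out of a saved page mechanically. The following is an added example, not code from the original post: it runs over a constructed sample page with placeholder hostnames, not the real redirect page, and it assumes the injected script was packed with JavaScript's escape()/unescape() (the post does not say which obfuscator was used, so that is an assumption).

```python
"""Added example (not from the original post): extract both redirect targets
from a page that carries a META refresh and an unescape()-obfuscated script.
The sample page and hostnames below are constructed for this example."""
import re
from html import unescape as html_unescape

# Constructed sample modelled on the pattern described in the post; not a real capture.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://pharmacy.example/landing.php?aff=42">
</head><body>
<script>document.write(unescape('%3Cscript%3Ewindow.location%3D%22http%3A%2F%2Fmalware.example%2Fin.php%22%3C%2Fscript%3E'));</script>
</body></html>"""

META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
UNESCAPE_CALL = re.compile(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)
LOCATION_SET = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
                          re.IGNORECASE)


def js_unescape(s: str) -> str:
    """Emulate JavaScript's unescape(): %uXXXX first, then %XX (urllib.unquote lacks %uXXXX)."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def meta_refresh_target(page: str):
    """Return the URL named by a META refresh tag, or None if there is none."""
    m = META_REFRESH.search(page)
    if not m:
        return None
    content = html_unescape(m.group(1))       # e.g. "0;url=http://..."
    parts = content.split(";", 1)
    if len(parts) < 2:
        return None                            # a bare delay with no URL reloads the same page
    url = parts[1].strip()
    if url.lower().startswith("url="):         # the "url=" prefix is case-insensitive and optional
        url = url[4:].strip()
    return url.strip("'\" ")


def decode_unescape_layers(page: str, max_depth: int = 5):
    """Decode every unescape('...') argument, re-scanning the output for nested layers."""
    layers, current = [], page
    for _ in range(max_depth):
        packed = UNESCAPE_CALL.findall(current)
        if not packed:
            break
        current = "\n".join(js_unescape(s) for s in packed)
        layers.append(current)
    return layers


def script_redirect_targets(page: str):
    """Collect location= assignments from the raw page and every decoded unescape() layer."""
    targets = set(LOCATION_SET.findall(page))
    for layer in decode_unescape_layers(page):
        targets.update(LOCATION_SET.findall(layer))
    return sorted(targets)


def analyse(page: str):
    """Summarise both hops: the visible META refresh and any hidden script redirect."""
    return {"meta_refresh": meta_refresh_target(page),
            "script_redirects": script_redirect_targets(page)}


if __name__ == "__main__":
    for hop, target in analyse(SAMPLE_PAGE).items():
        print(hop, target)
```

Note that the two hops end up at different hosts, which is exactly the tell in the post: the META refresh is the spammer's intended destination, while the script redirect belongs to whoever compromised the redirector. A page whose decoded script points somewhere other than the META target deserves a closer look.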

Merry Christmas, Idiot

It’s not a huge surprise that we are seeing some malware spam runs where the malicious attachment attempts to portray itself as a Christmas Greeting of some sort. Here’s an example from today (md5: C670165AE6DFA8318F0EA795B1D3AD55). This one is actually a Zapchast (IRC bot variant). The “Christmas Card” requires its own “special version” of Flash to be installed — flashplayer2009.exe — which is the malware itself. Once ready, it will display this friendly message written in Universal Gibberish. ...

December 17, 2009 · 1 min · 89 words · Omid Farhang

Like clockwork: the next member of the WiniGuard rogue family appears

I blogged about the three generations of the WiniGuard family of rogue security products that began in October of 2008. Friday, the 50th rogue in that line appeared. Analyst Patrick Jordan noted that there appeared to be a newly named clone added to the “genealogy” about every 48 hours. He’s been right. Monday they found GuardPCS and today they found TheDefender. Its associated web site was registered Dec. 4. ...

December 16, 2009 · 1 min · 162 words · Omid Farhang

10 million people will you computers are perfectly safe

New rogue borrows massively from AV company sites. Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25. It seems they also have recruited the entire management team from the AVG anti-virus company as well. Right! Compare the names on the Smart Systems Technologies rogue page. http://sysadscanner.com/about.php ...

December 15, 2009 · 1 min · 93 words · Omid Farhang

Never judge a book by its cover nor a Web site by its pages

Case in point: findproper[dot]org. These are the types of sites that are used to download from third-party affiliate sites. If the setup.exe had run, it would have installed the AntiMalware rogue. For more information Click Here.

December 15, 2009 · 1 min · 37 words · Omid Farhang

“OH” “OH” “OH”, Santa Delivering FakeAV Presents

Following on from the latest Captcha techniques used by the W32/Koobface worm, it seems that the malware authors have turned to Santa for help to deliver its nasty surprise which awaits Facebook users. The infection drops other trojans such as FakeAlert and leaves the user renderless. It all begins with a post on a user’s Facebook Wall. If the user clicks on the link, they are presented with a fake video player with a Christmas greeting as shown below ...

December 14, 2009 · 1 min · 208 words · Omid Farhang

Tiger still hot stuff

Despite talk of Tiger Woods’ sponsors “limiting his role” in their advertising campaigns, he is still very much hot stuff when it comes to search engine queries, which means he’s still a viable target for the malware writers. We can see that Tiger Woods related searches are still being poisoned with malicious results using Search Engine Optimisation techniques: This leads to the familiar: ...

December 14, 2009 · 1 min · 73 words · Omid Farhang

Rebranded rogue claims to be McAfee Secure certified

Internet Security 2010 is a rebranded clone of Advanced Virus Remover, a rogue security product. It’s one of your run-of-the-mill rogues, using run-of-the-mill scare tactics, except its payment screen contains a static graphic that imitates the McAfee Secure certification. A real “McAfee Secure” certification is a DAILY certification; it contains the date, and its logo should look like this: ...

December 11, 2009 · 1 min · 143 words · Omid Farhang

Google Work At Home Scam

Lately, a Google work at home scam has been plastering its way throughout the Internet. The scam site is designed to look like a convincing newspaper article and is currently circulating heavily through social networks (hacked and spam accounts) and ad networks. Example of the scam wall post on Facebook from a hacked account: The scam site: ...

December 10, 2009 · 2 min · 230 words · Omid Farhang

Microsoft Hack

Basically, the rogue antispy was directing the victim to a genuine Microsoft address, but was modifying the HTML on the fly as it came back from the real Microsoft page. It made it read that Microsoft was recommending that the victim should buy the rogue. That’s a pretty good trick that will catch a lot of folks, and it reminded us of another one that we frequently see. It works like this… The victim attempts to reach Microsoft, or receives a link like http://go.microsoft.com/?linkid=9480113, and if you go there on a normal computer, you see a page like this (click to enlarge)… ...

December 10, 2009 · 2 min · 245 words · Omid Farhang