CA Community

Mule Recruiting? A funny name hiding criminal issues

Published: February 09 2010, 01:35 PM | no comments
by Rossano Ferraris

Cybercrime takes many forms, and one of them is the so-called “mule recruiting” problem. Mule recruiting is the process of enlisting “money mules”: people who transfer money, or reship high-value goods, that were fraudulently obtained in one country (usually over the internet) to another country.

A “money mule” or “money transfer agent” is needed to launder the funds obtained through phishing and trojan scams. Once recruited by the fraudsters, the mule receives the stolen funds into his or her own bank account, withdraws the money and sends it overseas through a wire transfer service, keeping a commission.

Money mules are recruited through a variety of channels: spam emails, adverts on genuine recruitment web sites, approaches to people whose CVs are available online, instant messaging and newspaper adverts. The jobs advertised are generally work-at-home positions.

In the course of the last several months we have seen many spam emails in which fraudsters try to convince recipients to become “money mules” in furtherance of the fraudsters' criminal goals.

Some examples:

Figure 1 - Part A

Figure 1 - Part B

Figure 2

The emails above show how fraudsters use persuasion to get an innocent recipient (quite possibly someone who has recently lost her job) to respond: they offer a lot of money to people who may be facing hard economic times.
The number of emails like these increased during 2009, most likely because of the economic crisis, which has made it easier for fraudsters to exploit others.

Mule Liability

In many cases the mules cooperating in a fraud scheme are themselves innocent victims who were simply looking to make some extra money. That does not change the fact that they are acting illegally and will be held accountable for their actions. Most of the time law enforcement will approach them for information rather than arrest them, since they evidently did not realize they were committing a crime.
In Italy, for example, a money mule risks severe penalties depending on the case: from 4 to 12 years of imprisonment and/or fines of 1,000 to 15,000 Euros.

How do you avoid the scam?

The CA ISBU Research Team advises all users (both corporate and consumer) to ignore and delete emails with the characteristics described above. Remove them immediately and, if possible, report them to CA ISBU and/or to law enforcement agencies.

We expect to see new forms of work-at-home scams, and other “jobs” that require people to act as mules and collaborate in fraudulent operations.
Fraudsters keep inventing new and sophisticated social engineering techniques, but the resulting fraud is always the same, so … look out!


By: Rossano Ferraris
Rossano Ferraris is based in Italy and is the functional lead of the Internet Security Intelligence team, within CA’s Internet Security Business Unit (CA ISBU). His main objectives are to identify emerging and prevalent threats in order to provide strategic security responses to the internet security and...

Bredolab’s ICS Monitoring Spam Campaign

Published: February 08 2010, 08:42 PM | no comments
by Mary Grace Gabriel

Many people nowadays depend heavily on the Internet, and malware authors have been taking advantage of this to target unsuspecting users. One social engineering technique that has been used repeatedly is to threaten recipients with suspension of their internet access unless they stop illegally downloading copyrighted material, in other words to accuse them of piracy.

CA ISBU came across an active spam email campaign carrying malware as a file attachment, as seen in [Figure 1]. The same spam campaign was already seen a few months ago, but with a different malware attachment.

[Figure 1 – Fake ICS Monitoring Team Spam Email]


Distinctive Spam Email Characteristics

The email contains the Subject: Your internet access is going to get suspended

The email contains the Body:

--------------------------------------------------------------------------------------------------------

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

--------------------------------------------------------------------------------------------------------

File Attachment: report.zip

report.zip contains report.exe, which CA proactively detects as Win32/Bredolab.C!generic.

If report.exe is executed, it connects to 195.88.190.36 to download and execute a variant of Win32/SecurityTool, a fake antivirus.

The following message box and GUI are then displayed:

[Figure 2 – Win32/SecurityTool GUI]

For more information about Win32/SecurityTool, please visit the following URL:

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=80835

It also connects to 83.133.122.160 to download a variant of Win32/Waledac.

For more information about Win32/Waledac, please visit the following URL:

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=77741

Again, we advise users to be wary of these kinds of emails, to avoid executing attachments from unsolicited emails, and to ensure that their CA security products are updated with the latest signatures.


By: Mary Grace Gabriel
Mary Grace Gabriel is a Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Mary's career in computer security started at Trend Micro as an Anti-virus Engineer, and she also worked as Senior Malware Analyst at Anchiva Systems. She...

New Video Add-on with Nasty Malware

Published: February 08 2010, 08:17 PM | no comments
by Zarestel Ferrer

A codec or “video add-on” has long been one of the most common disguises used by prevalent malware downloaders. They may arrive in spam emails with catchy subject lines, or be downloaded by other malware.

One of the most active schemes we have seen recently is the “New Video Add-on” lure used by downloaders. One of its distribution vectors is spam email enticing recipients to click a malicious URL. Example subject lines:

  • A joke
  • Funny cards
  • Funny moments from live TV news
  • Funny video tubes
  • Have You Seen
  • My wedding video
  • Short joke for You
  • The Home of Drunk Celebs
  • Top 10 funniest video anecdotes
  • Very funny animal
  • Very funny kids

[Figure 1 – Spam Emails with Catchy Subjects]

The malicious URL is passed through URL-shortening services to hide the final destination and get past mail scanners.

Once the user reaches the real malicious URL, one of the following web pages is shown, tricking the user into downloading the malware file. The downloaded file is named with the pattern “New-Video-Addon.<random 5 digits>.exe”.

[Figure 2 – Different designs of a browser video player]

This trick has been used by a great deal of malware over the past years, and it remains an effective way to distribute malware.

CA detects the downloader as a variant of Win32/FakeCodec.
The malware it downloads varies; below are the most common families you can expect if you are victimized:

  1. Win32/Gamepass - a family of trojans that steals login credentials and in-game information for various Massively Multiplayer Online Role Playing Games (MMORPG).
  2. Win32/Dowgent - a family of trojans that attempts to download and execute additional malware onto the computer.
  3. Win32/SecurityTool – a family of fake antivirus programs.

To be on the safe side, avoid clicking URLs in unsolicited emails and keep your security software’s signature database up to date.
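As an added example (not code from the original post or from CA ISBU), the following Python script applies the indicators described above as a simple mail-triage rule: a subject line from the list, a link that passes through a URL-shortening service, and a downloaded filename matching the “New-Video-Addon.<5 digits>.exe” pattern. The subject lines and the filename pattern come from the post; the list of shortener hosts and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Subject lines listed in the post for the "New Video Add-on" campaign.
VIDEO_ADDON_SUBJECTS = {
    "a joke", "funny cards", "funny moments from live tv news",
    "funny video tubes", "have you seen", "my wedding video",
    "short joke for you", "the home of drunk celebs",
    "top 10 funniest video anecdotes", "very funny animal", "very funny kids",
}

# Hosts of URL-shortening services. This list is an assumption for the
# example; in practice it would come from a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl", "ow.ly", "cli.gs"}

# Dropper filename format quoted in the post: New-Video-Addon.<random 5 numbers>.exe
DROPPER_NAME = re.compile(r"^New-Video-Addon\.\d{5}\.exe$", re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> list:
    """Return every http(s) URL found in a plain-text mail body."""
    return URL_RE.findall(body)


def is_shortened(url: str) -> bool:
    """True if the URL's host is a known URL-shortening service."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def is_dropper_name(filename: str) -> bool:
    """True if a downloaded filename matches the campaign's naming scheme."""
    return DROPPER_NAME.match(filename) is not None


def triage(subject: str, body: str) -> list:
    """Return the reasons a message looks like the New Video Add-on lure.

    An empty list means no indicator fired. Both indicators together are a
    strong match; a shortened link alone is only weak evidence and should be
    combined with other signals before quarantining."""
    reasons = []
    if subject.strip().lower() in VIDEO_ADDON_SUBJECTS:
        reasons.append("subject matches a known campaign subject line")
    shortened = [u for u in extract_urls(body) if is_shortened(u)]
    if shortened:
        reasons.append("link goes through a URL shortener: " + ", ".join(shortened))
    return reasons


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        ("My wedding video", "hey, have a look :) http://bit.ly/a1b2c3"),
        ("Q1 planning", "Agenda is at http://intranet.example.com/agenda.html"),
    ]
    for subj, body in samples:
        print(repr(subj), "->", triage(subj, body) or "clean")
    print("dropper name match:", is_dropper_name("New-Video-Addon.48213.exe"))
```

The filename check is meant for the proxy or endpoint side, where the file actually lands; the subject and shortener checks run at the mail gateway. Neither check resolves the short link, so the rule stays offline and cannot be used by the attacker to burn the redirector.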


By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...

Bredolab’s Recycled Spam Campaign

Published: February 06 2010, 04:33 AM | no comments
by Mary Grace Gabriel

There have been several rounds of spam this week. Even though these spam campaigns are recycled, they are still an effective way of luring victims into executing the malware.

Fake Microsoft Outlook Update

In October 2009 we blogged about Win32/Zbot’s spam campaign built around a fake “Microsoft Outlook Update”. CA ISBU has since received spam showing that this campaign has been recycled by Win32/Bredolab; the only difference is that this time the email carries the malware as a file attachment, as seen in [Figure 1].

[Figure 1 – Fake Microsoft Outlook Update Spam Email]

Distinctive Spam Email Characteristics

The email contains the Subject: Update for Microsoft Outlook / Outlook Express (KB910721)

The email contains the Body:

--------------------------------------------------------------------------------------------------------
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express
--------------------------------------------------------------------------------------------------------


File Attachment: officexp-KB910721-FullFile-ENU.zip


Fake Ecard Greetings

This is an old spam campaign, but with Valentine’s Day approaching it is an effective way of luring victims into executing the malware.

[Figure 2 – Fake E-card Greetings Spam Email]

Distinctive Spam Email Characteristics

The email contains the Subject: You’ve received a postcard

The email contains the Body:

--------------------------------------------------------------------------------------------------------
Good day.

Your family member has sent you an ecard from 123greetings.com.

Send free ecards from 123greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days.

If you wish to keep the ecard longer, you may save it on your computer or take a
print.

To view your ecard, open zip attached file.
--------------------------------------------------------------------------------------------------------


File Attachment: ecard.zip


Fake “Girlfriend” Spam Campaign

Another spam campaign tied to Valentine’s Day.

Are you a single man without a date this Valentine’s Day? Do not fall into this trap: this spam targets single men hoping to find a girlfriend.

[Figure 3 – Fake Girl Friend Spam Campaign Email]

Distinctive Spam Email Characteristics

The email contains the Subject: Do you like to find a girlfriend like me ?

The email contains the Body:

--------------------------------------------------------------------------------------------------------
Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.
--------------------------------------------------------------------------------------------------------


File Attachment: myphoto.zip

CA proactively detects the malicious file attachments as Win32/Bredolab variants.
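Several of the lures above share one mechanism: a zip archive whose only member is an executable disguised as something harmless (report.zip in the ICS Monitoring post; officexp-KB910721-FullFile-ENU.zip, ecard.zip and myphoto.zip here). As an added example, not code from the original posts or from CA, the Python below opens such an attachment in memory and flags members that carry an executable extension, a double extension, or a PE (“MZ”) header regardless of extension. The attachment names come from the posts; the sample archives are constructed inside the script, and the extension list is an assumption.

```python
import io
import zipfile

# Extensions Windows will execute directly; the list is an assumption for the example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Attachment names used by the Bredolab campaigns described in the posts above.
KNOWN_LURE_ATTACHMENTS = {
    "report.zip",                          # fake ICS Monitoring report
    "officexp-kb910721-fullfile-enu.zip",  # fake Outlook update
    "ecard.zip",                           # fake 123greetings ecard
    "myphoto.zip",                         # fake "girlfriend" photos
}


def member_findings(name: str, head: bytes) -> list:
    """Findings for one archive member, given its name and its first bytes."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension {ext}")
        if len(parts) > 2:          # e.g. myphoto.jpg.exe
            findings.append(f"{name}: double extension hides the real type")
    if head[:2] == b"MZ":           # DOS/PE header; catches renamed executables too
        findings.append(f"{name}: MZ header, file is a Windows executable")
    return findings


def inspect_zip_attachment(filename: str, blob: bytes) -> list:
    """Inspect a zip attachment without extracting it to disk.

    Returns a list of human-readable findings; an empty list means nothing
    suspicious was seen."""
    findings = []
    if filename.lower() in KNOWN_LURE_ATTACHMENTS:
        findings.append(f"{filename}: attachment name seen in known Bredolab lures")
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings + [f"{filename}: not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:   # read only the magic, not the whole member
                head = fh.read(2)
            findings.extend(member_findings(info.filename, head))
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a two-byte MZ stub stands in for the real dropper.
    fake_pe = b"MZ" + b"\x90" * 62
    samples = {
        "myphoto.zip": build_zip({"myphoto.jpg.exe": fake_pe}),
        "report.zip": build_zip({"report.exe": fake_pe}),
        "minutes.zip": build_zip({"minutes.txt": b"nothing to see here\n"}),
    }
    for name, blob in samples.items():
        print(name, "->", inspect_zip_attachment(name, blob) or "clean")
```

Reading only the first two bytes of each member keeps the check cheap and avoids inflating a zip bomb; a gateway rule would typically quarantine on any MZ or executable-extension finding rather than wait for a signature.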

Again, we advise users to be wary of these kinds of emails, to avoid executing attachments from unsolicited emails, and to ensure that their CA security products are updated with the latest signatures.


By: Mary Grace Gabriel
Mary Grace Gabriel is a Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Mary's career in computer security started at Trend Micro as an Anti-virus Engineer, and she also worked as Senior Malware Analyst at Anchiva Systems. She...

Taking advantage of Apple iPad “Hot” Trending Topics

Published: January 28 2010, 07:49 AM | no comments
by Methusela Cebrian Ferrer

Apple has unveiled its latest innovation, the iPad, a highly anticipated announcement after months of rumors and speculation. As expected, within hours discussions, impressions and sarcasm roared across the internet. [read “Apple’s iPad Event Broke the Internets”]

[Figure 01 - Example Blackhat SEO scraper site. A scraper site is a website that displays harvested content from other websites for the purpose of monetizing it. The content is usually updated by bots.]

The Apple iPad immediately became a “hot” trending topic on Twitter and Google, and guess what? Blackhat SEO scraper sites were at once observed in the search engine results, luring users and hoping to cash in, just a click away.

[Figure 02 - Mac users are redirected to ZML{dot}com] 

These scraper sites sell traffic to fellow cybercriminals. When the user clicks the URL and follows it to the website, the browser sends its User-Agent header to the server, which uses it to identify whether you are running Mac OS X or Windows.

In this case (and as observed recently), Mac users arriving from the blackhat SEO traffic are redirected to ZML.com. The main objective of this website is to obtain your credit card details by enticing you to pay a 99-cent membership activation fee to download 10 pirated movies. Recent user reports confirm that this website makes fraudulent charges to your credit card.

An “OEM software” scam is also targeting Mac users.

[Figure 03 - Mac users are redirected to Google look-a-like website]

Besides going after your credit card, some of the traffic is sent to a typo-squatted website. This technique aims to capture more user traffic and serve manipulated results.

If there is nothing specific for Mac users, a rogue security alert will hijack your Safari browser, especially if you are running Windows.

[Figure 04 - Example rogue security alert message]

Cybercriminals take advantage of every opportunity. So stay informed and stay safe!

By: Methusela Cebrian Ferrer
Methusela “Meths” Cebrian Ferrer joined CA ISBU in mid 2008 as Senior Researcher leading Internet Security Intelligence initiative. Her focus is proactive research, identifying emerging and prevalent threats to provide strategic security response through product solutions, internal & external awareness...
