GFI LABS Blog: A blog about activities, products and ideas at GFI, one of the leading developers of security software to protect against spyware, spam and other threats.<br />
<br />
<b>Moving House</b> (2012-01-13)<br />
Yes, we are :)
<br />
<div class="separator" style="clear: both; text-align: center;">
<a alt="Click to visit the new GFI Labs Blog" href="http://www.gfi.com/blog/labs/" title="Click to visit the new GFI Labs Blog"><span id="goog_160560414"></span><span id="goog_160560418"></span><span id="goog_160560422"></span><span id="goog_160560430"></span><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWc6c7nsSM-jDORPg8hkI-zsK_oEavrj7RBu8BX6ubo0QvsCNeDkr0gdVBvbpvdUPiW7sWgj5mBmN36oAbsNP2w4VduRJDsrDZi6kohY7BtthDilcjppb0QE333iKLBlsEk06B/s320/NewGFILabsBlog_screen.png" width="320" /><span id="goog_160560431"></span></a><br /><i>Click the image to visit the new GFI Labs Blog</i></div>
<br />
An inevitable move, this. After all, <a href="http://www.gfi.com/blog/gfi-software-acquires-sunbelt-software/">Sunbelt Software has been part of GFI Software</a> for more than a year now.<br />
<br />
This didn't happen overnight, though. We tip our hats to our colleagues in Malta who worked hard to put up our new home and brought the Labs under one domain. At the very least, you, dear Reader, are now spared the confusion of whether to call this website the "Sunbelt Blog" or the "GFI Blog" ;)<br />
<br />
What you're reading here now is our 4,100th published post; it is also our last. We're just glad that our "Goodbye!" is short-lived.<br />
<br />
Moving to a new home is just the start of better changes that are about to take place. To continue receiving the latest research and noteworthy information security news from us, we urge you to update your RSS to point to the <a href="http://feeds.feedburner.com/GFILabs">new GFI Labs Blog feed</a>.<br />
<br />
Cheers to all of our avid readers! Chris and I will see you on the other side :)<br />
<br />
Jovi Umawing<br />
<br />
<b>Phishers Use US-CERT Email Address as Bait</b> (2012-01-12)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_u9DgL5S2Wxy0VvH7an38P0YYeaq0io-TELtknrcyMwT4UdzxaltX1eUEmOuKQNzHE8JvT5LhVQPq1gEsrZklpLaM-6YLW7F_MUHNoUEqdDBeqSR4Df1Zuqj0ssDlqzBnupbi/s1600/us-cert_logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_u9DgL5S2Wxy0VvH7an38P0YYeaq0io-TELtknrcyMwT4UdzxaltX1eUEmOuKQNzHE8JvT5LhVQPq1gEsrZklpLaM-6YLW7F_MUHNoUEqdDBeqSR4Df1Zuqj0ssDlqzBnupbi/s400/us-cert_logo.jpg" width="400" /></a></div>
The <b><a href="http://en.wikipedia.org/wiki/United_States_Computer_Emergency_Readiness_Team">United States Computer Emergency Readiness Team</a></b> (better known as <a href="http://www.us-cert.gov/" style="font-weight: bold;">US-CERT</a>) is the latest bait phishers are using to get users to install malware on their systems.<br />
<br />
US-CERT is a highly esteemed and trusted body of security professionals who tackle cybersecurity issues in the United States. They also work with security vendors to address vulnerability issues. Given that reputation, it is possible that some private organizations, as well as federal, state, and local governments, have already fallen prey to this campaign, since these appear to be its targets.<br />
<br />
From the <a href="http://www.us-cert.gov/current/index.html#phishing_campaign_using_spoofed_us">US-CERT website</a>: <i>"Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are also being used.<br /><br />
"The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX" with the "X" containing an incident report number that varies.<br /><br />
"The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the <b>Zeus/Zbot</b> Trojan known as <b>Ice-IX</b>."</i><br />
<br />
The complete report is found <a href="http://www.us-cert.gov/current/index.html#phishing_campaign_using_spoofed_us">here</a>.<br />
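A defender-side triage check for the lure quoted above, as an added example that is not part of the original post or the US-CERT notice: it parses a constructed message built to resemble the reported one (harmless text stands in for the executable), flags the subject pattern, the claimed us-cert.gov sender, and any executable or double-extension member inside a zip attachment, without extracting anything.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Executable extensions that have no business inside a "report" archive.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Subject format quoted in the US-CERT notice; the digits vary per message.
SUBJECT_RE = re.compile(r"^Phishing incident report call number:\s*PH\d+", re.I)


def double_extension(name):
    """True for names like 'Reports.eml.exe': a benign-looking extension
    followed by an executable one (the classic disguise used by this lure)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[-1] in EXEC_EXTS


def archive_findings(zip_bytes):
    """List suspicious member names inside a zip attachment (directory only,
    no member is extracted or executed)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            ext = "." + base.lower().rsplit(".", 1)[-1] if "." in base else ""
            if ext in EXEC_EXTS:
                kind = "double-extension executable" if double_extension(base) else "executable"
                findings.append(f"{kind}: {info.filename}")
    return findings


def triage(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches US-CERT phishing campaign pattern")
    if "us-cert.gov" in msg.get("From", "").lower():
        # A From: header proves nothing; authenticity must come from SPF/DKIM/DMARC.
        findings.append("sender claims us-cert.gov; verify with SPF/DKIM/DMARC, not the header")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            try:
                findings.extend(archive_findings(part.get_payload(decode=True)))
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip attachment: {name}")
    return findings


def build_sample():
    """Constructed sample mimicking the reported lure; the 'executable' is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", "placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "SOC@US-CERT.GOV"          # spoofed address named in the notice
    msg["To"] = "victim@example.org"          # constructed recipient
    msg["Subject"] = "Phishing incident report call number: PH0000001234567"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="US-CERT Operation Center Report 1234567.zip")
    return bytes(msg)


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```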
<br />
Jovi Umawing<br />
<br />
<b>StalkTrak App gets Naked, Famous.</b> (2012-01-11)<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/WkWpx6bi0a8" width="500"></iframe><br />
<br />
"No way" indeed.<br />
<br />
<a href="https://en.wikipedia.org/wiki/The_Naked_and_Famous">The Naked and Famous</a> were displaying the following Tweet on their <a href="https://twitter.com/#!/tnaf">feed</a> earlier:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-znAoKv23BFs/Tw5U7GOmFsI/AAAAAAAAB0E/5845ShUayKw/s1600/TNAF_img1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="http://4.bp.blogspot.com/-znAoKv23BFs/Tw5U7GOmFsI/AAAAAAAAB0E/5845ShUayKw/s400/TNAF_img1.jpg" width="400" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
Visiting hampaw(dot)ru takes the end-user to tivvitter(dot)com/twitter_stalk-trak_app_user, where they are presented with an application install page for something called "StalkTrak":<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia98c77q7-A-X2ZkviyNTyT4FhAM7MZJmh3N8QFycuRZd1TypB61Jee6gltByAgBlQRZ97cSulcoYYdGq3oYrLwpr1ZllQ6jANu42eaEUULGFCdAvMZYpIPNCnkR-LIgpnbyEhQQ/s1600/TNAF_img2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia98c77q7-A-X2ZkviyNTyT4FhAM7MZJmh3N8QFycuRZd1TypB61Jee6gltByAgBlQRZ97cSulcoYYdGq3oYrLwpr1ZllQ6jANu42eaEUULGFCdAvMZYpIPNCnkR-LIgpnbyEhQQ/s320/TNAF_img2.jpg" width="297" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-jLxfJsWYiM4/Tw5kc1Q75zI/AAAAAAAAB0M/1AprDvBpKm4/s1600/TNAF_img_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://4.bp.blogspot.com/-jLxfJsWYiM4/Tw5kc1Q75zI/AAAAAAAAB0M/1AprDvBpKm4/s320/TNAF_img_2.jpg" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
The end-user can only progress to the next page if they enter both a username and a password - continuing past this screen will result in links to "StalkTrak" being sent to their followers.<br />
<br />
Stalking apps are an old and tired scam dating back to the Myspace days, but unfortunately we continue to fall for them. Please steer clear of the above URL, and think twice before allowing any applications involving "Stalking" to access your Twitter account. You can always clean up your Twitter account <a href="https://twitter.com/settings/applications">here</a> by revoking access to unwanted applications.<br />
<br />
Christopher Boyd (Thanks to Jovi Umawing for assistance)<br />
<br />
<b>GFI's Take on What Online Crime Will be Like in 2012</b> (2012-01-11)<br />
In a recent release of GFI Software's VIPRE report, GFI Labs revealed that cybercriminals will keep recycling their tactics this new year. The modifications to these tactics will be slight and will depend largely on the kind of targets the criminals are aiming at. To quote Senior Threat Researcher Christopher Boyd: "Most cyber-attacks at any given time rely on old techniques deployed with a new disguise. The reason we see them again and again is quite simply because they work, and we anticipate 2012 to bring many fresh takes on old scams."<br />
<br />
You can read more about this report <a href="http://www.gfi.com/page/107684/gfi-software-warns-2012-will-be-rife-with-familiar-cybercrime-tricks">here</a>.<br />
<br />
Jovi Umawing<br />
<br />
<b>Bogus Video Game Crack Leads to Rootkit</b> (2012-01-11)<br />
Matthew, one of our malware researchers at the AV Labs, came upon a <b><i>MediaFire</i></b> link on a <i><b>YouTube</b></i> account that purports to direct users to a site where a crack code for the video game <b><i><a href="http://en.wikipedia.org/wiki/Pro_Evolution_Soccer_2012">Pro Evolution Soccer 2012 (PES 2012)</a></i></b> (otherwise known as <b><i>World Soccer: Winning Eleven 2012</i></b>) can be downloaded.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgROApC7bx0d7aEFz7iVYFhRgJSFv7YlpDey6Ugu37fb4FQnxEeB8DnU5X0r5YMdajkui_d1dB_Si2OmsAd8bQzolUVn_nWpr4WFAt78WWNeETXkveX-kupifPZs9NrjjVhJLam/s1600/YT_ZeroAccess_img01.jpeg" imageanchor="1"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgROApC7bx0d7aEFz7iVYFhRgJSFv7YlpDey6Ugu37fb4FQnxEeB8DnU5X0r5YMdajkui_d1dB_Si2OmsAd8bQzolUVn_nWpr4WFAt78WWNeETXkveX-kupifPZs9NrjjVhJLam/s320/YT_ZeroAccess_img01.jpeg" width="320" /></a></div>
<div style="text-align: center;">
<i>click to enlarge</i></div>
<br />
Of course, one doesn't need to go hunting for a <b><i>YouTube</i></b> page for the URL. Here it is: <i>http://www(dot)mediafire(dot)com/?i1o0fsa9t5gvpld</i>.<br />
<br />
Users visiting the page can readily download and extract the compressed file <i>Pro Evolution Soccer 2012 Keygen</i>. In it are three files: an HTML file, a text file, and another compressed file, which contains the key generator application. The text file doesn't actually contain the password it claims to have. Instead, it contains a shortened URL users must visit to get the password from.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuP8lUlu-P1rOc5MS4NllNanDiMGPZSw1ryvTXQsJdp5ULBZnYsElUKf07MDT0hnNOt3jGX6hMJyj6tGVQ3niF_s_b3beKg8t_qKTBgHCk5Pp7d6g7KuKNgXqcT6yrw1BOFFIw/s1600/YT_ZeroAccess_img02.jpeg" imageanchor="1"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuP8lUlu-P1rOc5MS4NllNanDiMGPZSw1ryvTXQsJdp5ULBZnYsElUKf07MDT0hnNOt3jGX6hMJyj6tGVQ3niF_s_b3beKg8t_qKTBgHCk5Pp7d6g7KuKNgXqcT6yrw1BOFFIw/s320/YT_ZeroAccess_img02.jpeg" width="320" /></a></div>
<div style="text-align: center;">
<i>click to enlarge</i></div>
<i>http://tinyurl(dot)com/64ad4m</i> is actually <i>http://lnkgt(dot)com/7RM</i>, a survey page that users must answer before their password is given to them.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPx_cxu82U4hWMqqj6_HtvmxmJtQYb8oQHyLvivBVXFCqGnmmzLD2oRxbIKJHfsdwwXDDmpq-RrD7rHr7JA9YeJHYs7XoMxHFwZCPwwEf-9yNDCykGacHT3fPKSMrmbOwou-YQ/s1600/YT_ZeroAccess_img03.jpeg" imageanchor="1"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPx_cxu82U4hWMqqj6_HtvmxmJtQYb8oQHyLvivBVXFCqGnmmzLD2oRxbIKJHfsdwwXDDmpq-RrD7rHr7JA9YeJHYs7XoMxHFwZCPwwEf-9yNDCykGacHT3fPKSMrmbOwou-YQ/s320/YT_ZeroAccess_img03.jpeg" width="320" /></a></div>
<div style="text-align: center;">
<i>click to enlarge</i></div>
<br />
Unfortunately, after users fill in the survey and get the password needed to run the keygen, they inevitably end up installing malware on their systems. Not just any malware; it's a rootkit: <b><i>ZeroAccess</i></b>, a sophisticated rootkit known for overwriting critical OS files. Luckily, almost all AV vendors detect this one. <a href="http://www.virustotal.com/file-scan/report.html?id=46ee3ee0ecba97d29506a16c5b624235e2fbfae4ee2557d6754f1b03840dfc9e-1326121487">Take a look</a>.<br />
<br />
Do note that the <i>MediaFire</i> URL is also mentioned on other website platforms that allow the embedding of video clips (such as the one below).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2JVHJ-8t5w_2Lj9sO8a_fRUhtCN5Zvax-MFEsU2-ru7rHiDrvYJUKffFZruYZH5onRfwZb9y2HcGpqT_5fy8DCxtSxXGfqJrJF6UtvPTMCBWsAXVtdToA2isyozCmIlO0eHzg/s1600/YT_ZeroAccess_img04.jpeg" imageanchor="1"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2JVHJ-8t5w_2Lj9sO8a_fRUhtCN5Zvax-MFEsU2-ru7rHiDrvYJUKffFZruYZH5onRfwZb9y2HcGpqT_5fy8DCxtSxXGfqJrJF6UtvPTMCBWsAXVtdToA2isyozCmIlO0eHzg/s320/YT_ZeroAccess_img04.jpeg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
<br />
The more the URL is out there, the more likely someone can and will install the rootkit onto their systems. Stay safe, everyone!
<br />
<br />
Jovi Umawing (Thanks, Matthew)<br />
<br />
<b>2011: The Year that was for Facebook and Online Threats</b> (2012-01-04)<br />
<b>CommTouch</b>, an Internet security service provider, has recently released their <b>Internet Threats Trend Report</b> for 2011. In this report, they highlight and analyze the various threats on <b><i>Facebook</i></b> that plagued users over the past year, such as social engineering ploys and the common methods of attack used. They also identify three ways criminals profit from targeting <i>Facebook</i> users and what those gains are used for. CommTouch provided an infographic (below) to present their analysis in a more coherent format.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQCRuQjcYizyrcuMk_juOiAJxog27PYvK26jqizcTuI9ZpkGJYk1ze1B6WzqeQ-E9OrbTSaZfPRFpA0nX2EamDumB1Hymlk_app65KO3MC5gKtpviNa79OcYa2ayAL0nBtn6bz/s1600/Infographic-Facebook-attack-trends-in-2011.jpg" imageanchor="1"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQCRuQjcYizyrcuMk_juOiAJxog27PYvK26jqizcTuI9ZpkGJYk1ze1B6WzqeQ-E9OrbTSaZfPRFpA0nX2EamDumB1Hymlk_app65KO3MC5gKtpviNa79OcYa2ayAL0nBtn6bz/s320/Infographic-Facebook-attack-trends-in-2011.jpg" width="106" /></a><br /><i>click to enlarge</i></div>
<br />
The 19-page Internet Threats Trend Report covers malware and spam trends in Q4 of 2011. It also ranks the website categories most likely to house malware if compromised; sites tagged as <i>Pornography</i> are at #3. Below are other notable findings in summary:<br />
<ul>
<li>India, Vietnam, and Pakistan were the top three countries with the most zombie computers.</li>
<li>Phishers mostly targeted sites that were related to <i>Games</i> and <i>Gaming.</i></li>
<li>In Q4, spammers used fake <i>@gmail.com</i> email addresses to trick users into responding to their spam messages.</li>
</ul>
The report can be downloaded <a href="http://www.commtouch.com/download/2244">here</a>.<br />
<br />
Jovi Umawing<br />
<br />
<b>Team Meat Spun Right Round</b> (2012-01-01)<br />
<i>"It's fine, trust me. I've done this stuff for a while now."</i> <a href="https://twitter.com/#!/SuperMeatBoy/status/150072842627710976">Famous last words</a>.<br />
<br />
Team Meat, developers of <a href="https://en.wikipedia.org/wiki/Super_Meat_Boy">Super Meat Boy</a>, had a bit of an issue this past week when their Super Meat World database was compromised. This resulted in the game being broken, and all user created levels being deleted.<br />
<br />
They were notified by a person in <a href="http://forums.somethingawful.com/showthread.php?noseen=0&threadid=2803713&pagenumber=258">this thread</a> on Twitter that access to their database was wide open, but the responses from the official Meat Boy account seemed to be a bit of a <a href="http://i.imgur.com/eCYSF.png">brush off</a> in the eyes of some watching the drama unfold. Before you could say "This is going to go horribly wrong", it all went horribly wrong and login details were posted across various forums.<br />
<br />
The Post-it notes summary of events can be found <a href="http://forums.steampowered.com/forums/showpost.php?p=27911192&postcount=8">here</a>; a thread on the official forums lies <a href="http://supermeatboy.com/forum/index.php/topic,2259.msg28861.html#msg28861">this way</a>, and if you'd rather take in the full horror of an entire game being put through the wood chipper then check out this <a href="http://img820.imageshack.us/img820/1641/itsfinetrustme.png">blow by blow account</a>. The game is now back up and running, but we have what may be the final game developer of 2011 to join the "Whoops, we were hacked" company of Sony, Square Enix, Steam, Nintendo, SEGA, Bethesda, EA, Codemasters, Epic and others.<br />
<br />
Let's see if the trend continues in 2012, assuming the Mayans don't get us all first...<br />
<br />
Christopher Boyd<br />
<br />
<b>Steam: All your coal are belong to us</b> (2011-12-30)<br />
The rather awesome <a href="https://en.wikipedia.org/wiki/Steam_(software)">Steam</a> gaming platform has a festive competition running at the moment: perform certain tasks in a selection of games drawn each day (or sign up for a few non-gaming activities such as joining a forum, or linking your Steam and Facebook accounts) and receive a free random gift. I have to admit, I'm not doing very well so far.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-_CXHhmeZoDc/Tv2M68nC6zI/AAAAAAAABzY/ezcWNms4MYY/s1600/steamcoal1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="http://2.bp.blogspot.com/-_CXHhmeZoDc/Tv2M68nC6zI/AAAAAAAABzY/ezcWNms4MYY/s320/steamcoal1.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
That gift could be a redeemable coupon for a free game, a discount or...a lump of coal. All is not lost should you be handed a lump of coal - collect seven, and you can craft it into another randomly selected discount or free game.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-jaEw1jiF3KI/Tv2OXrKNQlI/AAAAAAAABzk/dFNKLOBsr6s/s1600/steamcoal2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-jaEw1jiF3KI/Tv2OXrKNQlI/AAAAAAAABzk/dFNKLOBsr6s/s320/steamcoal2.gif" width="262" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
This is, of course, where it all goes horribly wrong.<br />
<br />
<b>1)</b> Gamers are exploiting the various "Indie Bundle" packs that go on sale periodically. This particular gaming bundle is a "pay what you want" affair, typically stuffed full of great games and additional offers should you pay a little extra (we still need to <a href="https://paperghost.posterous.com/the-humble-indie-bundle-some-interesting-stat">have that talk</a>, Windows users). The latest <a href="http://www.joystiq.com/2011/12/25/humble-indie-bundle-4-earns-2-million/">Humble Indie Bundle</a> went live not so long ago, and in a mad dash to create as much coal as possible to increase their chances of free games on Steam, gamers were <a href="http://www.joystiq.com/2011/12/22/humble-indie-bundle-4-abused-by-scrooge-like-steam-scamming/">paying the base amount</a> for Indie Bundles, redeemable against Steam accounts.<br />
<br />
From <a href="http://www.platformnation.com/2011/12/21/humble-indie-bundle-4-adds-precautions-in-response-to-steam-exploiting/">Platform Nation</a>: <i>"For just 1 penny you can nab yourself a Steam redeemable key, and make your account valid for entry in the Epic Giveaway and the freebie prizes. That means you can create 100 accounts for just $1"</i><br />
<br />
Whoops. They must have really gone to town on that one, given that the mass purchasing caused the price of the bundle to drop by more than 25 cents.<br />
<br />
Greedy gamers have also been targeting the "IndieGala Bundle" which gives a separate Steam account for each game - effectively five duplicate accounts for the lowest potential price of a penny. Once you've got your hands on all those wonderful discount coupons and free games, you can potentially gift them to your "main" account and sit upon a throne of murkily acquired titles.<br />
<br />
<b>2)</b> With shades of <a href="http://www.theregister.co.uk/2010/02/21/xbox_hacking_phishing_analysis/">Xbox achievement tampering</a>, people are distributing save files / text files to unlock Steam game achievements needed to win coal / coupons. Here's an <a href="http://www.cheapassgamer.com/forums/showpost.php?p=9250871&postcount=11022">example</a> of someone loading up a file not belonging to them, nabbing the required achievement in <a href="http://arstechnica.com/gaming/news/2011/09/the-binding-of-isaac-takes-on-religion-in-a-randomly-generated-zelda-styled-roguelike.ars">Binding of Isaac</a> and getting their hands on a free game. That's kind of dreadful, and by "kind of" I mean "completely".<br />
<br />
<b>3)</b> Gamers are firing up a Steam achievements modding tool, to ensure they nab as much coal as possible.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-O6-TNR_kJug/Tv2SKUVFOZI/AAAAAAAABz8/oegIj-CFfKM/s1600/steamcoal4.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="http://3.bp.blogspot.com/-O6-TNR_kJug/Tv2SKUVFOZI/AAAAAAAABz8/oegIj-CFfKM/s320/steamcoal4.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
Here's someone who clearly went on an "unlock all the things" <a href="http://i.imgur.com/F4ojd.jpg">rampage</a>. As you can imagine, these antics are <a href="http://forums.steampowered.com/forums/showthread.php?t=2354508">not proving popular</a> with non cheating gamers.<br />
<br />
Coal farming isn't going unpunished, and Valve are starting to clamp down on anyone seen to be farming and / or exploiting. You may well be seeing many more examples like the below on forums posted up by vaguely annoyed gamers who want their accounts reactivated:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-3yQWk78Djq0/Tv2O_lAhkLI/AAAAAAAABzw/SL7wB-67CAg/s1600/steamcoal3.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="69" src="http://3.bp.blogspot.com/-3yQWk78Djq0/Tv2O_lAhkLI/AAAAAAAABzw/SL7wB-67CAg/s320/steamcoal3.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
If Valve catch you being naughty this festive season, they won't even leave you with coal. Top that, Santa...<br />
<br />
Christopher Boyd<br />
<br />
<b>Hobbits and surveys: not a good combination</b> (2011-12-22)<br />
It's not long since <a href="http://www.bbc.co.uk/news/entertainment-arts-16281896">The Hobbit trailer</a> made a lot of people very excited, and already we're seeing fake claims of "watch this movie online" leading to surveys.<br />
<br />
For example:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-EDCPukHuqN4/TvLSQrfIvII/AAAAAAAABzA/W0uXJe73dLc/s1600/hobbitfilm1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="http://4.bp.blogspot.com/-EDCPukHuqN4/TvLSQrfIvII/AAAAAAAABzA/W0uXJe73dLc/s320/hobbitfilm1.png" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-1wU6iqoFhzg/TvLSSg38ItI/AAAAAAAABzI/Ci28tcAy8jk/s1600/hobbitfilm2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://1.bp.blogspot.com/-1wU6iqoFhzg/TvLSSg38ItI/AAAAAAAABzI/Ci28tcAy8jk/s320/hobbitfilm2.png" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
You know the drill - fill in the survey to "view the content", then fail to be impressed by the total lack of content on offer. You'll either see nothing at all, or websites asking you to sign up to monthly fees. Don't fall for it!<br />
<br />
Christopher Boyd (Thanks Robert)<br />
<br />
<b>Phishers are Back to Target Chase Clients</b> (2011-12-20)<br />
Robert Stetson, one of our malware researchers at the AV Labs, found a new phishing scam in the wild.<br />
<br />
The scam arrives as an email that directs users to the URL, <i>data-server(dot)host(dot)org/email/protect/chase/</i>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0jQK1RVkT5KTvcO_CYZ7zPhYY-2Sk5sFurzmWU23f11L1CBikPMhP6zKp9iXmA-3WknRzCBuV9p04bm27qa4jX-uKQNZxr0B7Gr2IZnPKp2ltCDdLiRe1w_6HGmeGCbrcL-r0/s1600/12202011_chase-phish_img1.jpg" imageanchor="1"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0jQK1RVkT5KTvcO_CYZ7zPhYY-2Sk5sFurzmWU23f11L1CBikPMhP6zKp9iXmA-3WknRzCBuV9p04bm27qa4jX-uKQNZxr0B7Gr2IZnPKp2ltCDdLiRe1w_6HGmeGCbrcL-r0/s320/12202011_chase-phish_img1.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
After <b><i>Chase</i></b> clients enter their credentials into the fields of the page posing as the legitimate bank site and click <i>Log on</i>, they are directed to another screen asking for their email address and its password.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-CFYD8taSZSJFJXywhbEvTCXldyp-IAQeclgEJvFCmMBu2GFH1EIhN1LvpkhnmTEARSLgc5L7bE-GlCzZGpFYEAuizSfaH_mew-9Qwj3BlZx5klxkou7G05kPwce1KrEbs13Q/s1600/12202011_chase-phish_img2.jpg" imageanchor="1"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-CFYD8taSZSJFJXywhbEvTCXldyp-IAQeclgEJvFCmMBu2GFH1EIhN1LvpkhnmTEARSLgc5L7bE-GlCzZGpFYEAuizSfaH_mew-9Qwj3BlZx5klxkou7G05kPwce1KrEbs13Q/s320/12202011_chase-phish_img2.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhACnLnStfU0Y8DB7Yk6vrHDsc6sIH0zbjwRUMppIkGfX1oqJwxMt6eUPc0f2GlivOPIkaS26YM-GWAHb2XLzYNK3FjCkSGTVU7E4i1mkvTLpyYbKD265kGm9_KnyqzzCzFwt4E/s1600/12202011_chase-phish_img3.jpg" imageanchor="1"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhACnLnStfU0Y8DB7Yk6vrHDsc6sIH0zbjwRUMppIkGfX1oqJwxMt6eUPc0f2GlivOPIkaS26YM-GWAHb2XLzYNK3FjCkSGTVU7E4i1mkvTLpyYbKD265kGm9_KnyqzzCzFwt4E/s320/12202011_chase-phish_img3.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
<br />
<i>Chase</i> clients, please be duly warned about this. For everyone else, please delete from your inbox doubtful mails that purport to come from banks (including yours). If you received an email from your bank about your account, confirm with them via customer service. You know what they say: better safe than sorry.<br />
<br />
Jovi Umawing (Thanks to Robert)<br />
<br />
<b>"Curious Who's Stalking You?" - Yes, we've heard it before</b> (2011-12-16)<br />
This social media "stalking" thing, to the best of my knowledge, all began on <i><b>MySpace</b></i>. We've seen it emerge on <b><i>Twitter</i></b>, too: our friends at Sophos <a href="http://nakedsecurity.sophos.com/2011/08/12/twitter-finally-released-a-stalkers-app-no-its-a-phishing-scam/">wrote about</a> a so-called "app" that <i>Twitter</i> had purportedly released to track a user's stalkers. Only this time, no such app is involved at all.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsByaiJO_-agV08JC3F6OzARPh8qthFdmeMXCDTmYqKXWO8AClzWkLWu7lx7b1KIsKytdzFQDMe7jq3VxOpKET9zR4ZXZFu4LQ16h_iNGCnHH44w3_0KTB8DessT403PrmFXnI/s1600/twit_spam_img1.jpg" imageanchor="1"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsByaiJO_-agV08JC3F6OzARPh8qthFdmeMXCDTmYqKXWO8AClzWkLWu7lx7b1KIsKytdzFQDMe7jq3VxOpKET9zR4ZXZFu4LQ16h_iNGCnHH44w3_0KTB8DessT403PrmFXnI/s320/twit_spam_img1.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
We've seen the tweet above pointing users to the URL <i>canbin(dot)ru</i>, a domain created just late last month. Once users click it, they are redirected to <i>twvitter(dot)com/user_login-sessions/?timed_out=1</i>. It's a phishing page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyirXMBsZMtedrocYS4bzG15ZE88eobcnKX8XjZzEuHIQzGBJC4aJpSHptO3YajpxoVzrCwgfjDcggjb4JeXJ1WYUAz-NZ1IMwNAwuJxoveTv_KYoUCK7XTr_THXZ1wAJr1SuV/s1600/twit_spam_img2.jpg" imageanchor="1"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyirXMBsZMtedrocYS4bzG15ZE88eobcnKX8XjZzEuHIQzGBJC4aJpSHptO3YajpxoVzrCwgfjDcggjb4JeXJ1WYUAz-NZ1IMwNAwuJxoveTv_KYoUCK7XTr_THXZ1wAJr1SuV/s320/twit_spam_img2.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
There are two things worth noting here: (1) the URL, which clearly tries to play tricks on our eyes (much like <a href="http://blog.trendmicro.com/updating-vvindows/">this</a> one), and (2) the purported <i>Twitter</i> session that has timed out. Naturally, someone who is logged on to <i>Twitter</i> and sees the message will wonder for a second, and then unknowingly key in their user name and password anyway. Perhaps the only "error" we can see in this attack is that the site attempts to access the actual <i>Twitter</i> site the same way a real third-party app or site would, to make everything seem legit. However, <i>Twitter</i> requires tokens from such apps and sites. Since this is a bogus page, it has no token; thus, it can't successfully redirect users to their actual accounts as it was supposed to.<br />
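A defender-side check for the eye-trick domains this post and the StalkTrak post describe (twvitter, tivvitter, the "vvindows" case linked above), as an added example that is not part of the original posts: it defangs a URL, collapses character pairs that read alike, and measures edit distance against a constructed list of protected brand domains so a mail or proxy filter can flag the lookalike before a user types a password into it.

```python
import unicodedata

# Brands to protect, compared on the registrable domain only (constructed list).
PROTECTED = {"twitter.com", "windows.com", "chase.com"}

# Character sequences that look alike in common fonts (assumed, not exhaustive).
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def defang_to_host(url):
    """Turn 'twvitter(dot)com/path' or 'http://x[.]y/z' into a bare host name."""
    host = url.strip().replace("(dot)", ".").replace("[.]", ".")
    host = host.split("://", 1)[-1].split("/", 1)[0].split("@")[-1].split(":")[0]
    return host.lower().rstrip(".")


def registrable(host):
    """Last two labels; good enough for the .com/.ru cases seen in these posts."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def skeleton(label):
    """Collapse confusable sequences so 'vvindows' and 'windows' compare equal."""
    s = unicodedata.normalize("NFKC", label)
    s = "".join(c for c in s if not unicodedata.combining(c))
    for seq, rep in CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def levenshtein(a, b):
    """Plain edit distance; inputs are short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'legitimate', 'lookalike of X', 'typosquat of X' or 'unrelated'."""
    host = registrable(defang_to_host(url))
    if host in PROTECTED:
        return "legitimate"
    name = host.rpartition(".")[0]
    for brand in PROTECTED:
        bname = brand.rpartition(".")[0]
        if skeleton(name) == skeleton(bname):
            return f"lookalike of {brand}"        # visually identical after collapsing
        if levenshtein(skeleton(name), skeleton(bname)) <= 1:
            return f"typosquat of {brand}"        # one character off
    return "unrelated"


if __name__ == "__main__":
    for sample in ("twvitter(dot)com/user_login-sessions/?timed_out=1",
                   "tivvitter(dot)com/twitter_stalk-trak_app_user",
                   "vvindows(dot)com", "canbin(dot)ru",
                   "https://twitter.com/settings/applications"):
        print(f"{sample:55} -> {classify(sample)}")
```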
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTqePodNIL6V9gYM-X_VCEiAMHMSNJF0V1ZOiaL__5GENwgvLkmRm-ps5C-hSDk2TueY2Xy3fDkYVvTC2gCYWQe4lYMnpKIrAYNxhWI-NmUWxr_CODAEDbn20xPIiIyQvEUS9o/s1600/twit_spam_img3.jpg" imageanchor="1"><img border="0" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTqePodNIL6V9gYM-X_VCEiAMHMSNJF0V1ZOiaL__5GENwgvLkmRm-ps5C-hSDk2TueY2Xy3fDkYVvTC2gCYWQe4lYMnpKIrAYNxhWI-NmUWxr_CODAEDbn20xPIiIyQvEUS9o/s320/twit_spam_img3.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>click to enlarge</i></div>
We implore you, Dear Reader, to exercise caution when clicking links in tweets. Better still, use your judgment on whether you'd believe a supposedly interesting tweet at all before considering visiting the URL that goes with it. More often than not, scam tweets are designed to sound this way precisely to make Internet users click them. Please don't be fooled.
<br />
<br />
Just like the "Girl Killed Herself" scam that made the rounds on <i>Twitter</i> not so long ago, this, too, will probably go down in history as a classic attack involving two social networking giants. This is <i>not</i> comforting news. As long as users continue to fall for scams, they will just keep coming.<br />
<br />
Jovi Umawing (Thanks to Chris for spotting this)<br />
<br />
<b>Protecting Against DDoS is Probably THE Best Holiday Gift to Give Your Company</b> (2011-12-14)<br />
<br />
For those of us who rely on the Internet for news updates, <b>Distributed Denial of Service (DDoS)</b> attacks have become familiar. Anonymous being in the headlines continuously for months has made this kind of online crime conspicuous, even ushering it unexpectedly into the mainstream.<br />
<br />
DDoS attacks have been used not just by the aforementioned group but also by other groups and individuals for various reasons: making a stand for what they believe in, showing support for the beliefs of others, or doing it "just because". We can't deny that the names of companies that fell prey to DDoS attacks were huge and spanned many industries, but one cannot rule out the very likely possibility of small- and medium-sized businesses being targeted as well.<br />
<br />
Those whose businesses have an online presence are aware and worried, and if possible, they want to be protected from DDoS attacks. So how can this be done? InfoWorld published an article that tells business people just that. You can check it out <a href="http://podcasts.infoworld.com/d/security/how-deny-ddos-attacks-181523?_kip_ipx=1110830460-1323850097">here</a>.<br />
<br />
Jovi Umawing<br />
<br />
<b>Adblock Fuss</b> (2011-12-13)<br />
<br />
I'm a big fan of Adblock Plus - it's a great add-on if you don't want to be hit over the head with any number of spinning, flashing adverts torn straight from the pages of Dante.<br />
<br />
However, an interesting change has been made to the program with the release of 2.0 and some users are up in arms about it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-1rEta-ToYb8/TueXanvh1TI/AAAAAAAAByw/YsPR5tMdT2U/s1600/adblckpls1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="http://1.bp.blogspot.com/-1rEta-ToYb8/TueXanvh1TI/AAAAAAAAByw/YsPR5tMdT2U/s320/adblckpls1.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
<i>"Adblock Plus has also been configured to allow non-intrusive advertising. You can change this selection at any time in the filter preferences."</i><br />
<br />
Blasphemy? Madness? Sparta? Who knows, but we now have a situation where <a href="https://adblockplus.org/forum/viewtopic.php?f=1&t=8872">users aren't happy</a> about the opt-in-by-default setting, or indeed about approving adverts in general, no matter how limited the scope. There's a page on the Adblock Plus site that outlines <a href="https://adblockplus.org/en/acceptable-ads">some of the reasons</a> for this change:<br />
<br />
<i>"You can allow some of the advertising that is considered not annoying. By doing this you support websites that rely on advertising but choose to do it in a non-intrusive way...In the long term the web will become a better place for everybody, not only Adblock Plus users. Without this feature we run the danger that increasing Adblock Plus usage will make small websites unsustainable."</i><br />
<br />
As for why this is set live by default:<br />
<br />
<i>"If we ask users to enable this feature then most of them won't do it — simply because they never change any settings unless absolutely necessary. However, advertisers will only be interested in switching to better ways of advertising if the majority of Adblock Plus users has this feature enabled."</i><br />
<br />
I'm not entirely convinced that advertisers so fond of flashy, spinning adverts from the back of beyond will tone their adverts down just because of this move - and hey, let's not forget that adverts meeting the requirements to be potentially given the green light ("static ads, text only, no attention grabbing images") can be <a href="http://sunbeltblog.blogspot.com/2011/12/more-bad-ads-in-bing-yahoo-search.html">just as dangerous</a> if not more so than the flashy horrors still on the blocklist.<br />
<br />
One good thing that may come out of this move is a possible reduction in infections. No really, hear me out. I know a lot of people who have told me they never installed Adblock Plus or similar programs because their income was primarily driven by dedicated communities, and they wanted to put something back into those communities by not blocking their (static) advertisements. For example, a professional comic artist or writer is supported by their community; as a thank you, they won't block the adverts on the sites belonging to their fans or webcomic rings.<br />
<br />
As a result, quite a few of them were hit by drive by installs and exploits while browsing the web with no ad blockers in place.<br />
<br />
If the Adblock Plus team do a good job of this, it might actually encourage more people to now try the program and let a few (hopefully harmless) adverts through while using their new found installs to block malicious adverts elsewhere with a clean conscience.<br />
<br />
That can only be a good thing. However, much will depend on their examination of the approved advert networks, their advertising methods, the kind of links those advertisers allow (and how they react to the bad apples that slip through the net) and whether or not the userbase approves of the opt in by default setup.<br />
<br />
We'll have to wait and see how this one plays out...<br />
<br />
Christopher Boyd<br />
<br />
<b>Blackhole Exploit Hones in on Amazon Users</b> (2011-12-13)<br />
<br />
Last week, our friends at ThreatPost <a href="http://threatpost.com/en_us/blogs/carberp-and-black-hole-exploit-kit-wreaking-havoc-120511">posted</a> about the ever-growing number of websites hosting <b>Black Hole Exploit Kits</b>. The Black Hole exploit kit takes advantage of unpatched Windows operating systems. It also targets other software that can be installed on Windows, such as <b><i>Java</i></b> and <b style="font-style: italic;">Adobe Reader</b>, of which there is <i>a lot</i>. Since the kits are already available on the black market (for free), we can only expect more infections and more news surrounding this particular kit.<br />
<br />
And, oh: <i><b>Facebook</b></i> users <a href="http://labs.m86security.com/2011/12/cutwail-spam-campaigns-lure-users-to-blackhole-exploit-kit/">should watch their backs</a>, too.<br />
<br />
Our malware researchers at the AV Labs, Robert and Matthew, have seen something in the wild that might spoil the holiday spirit a bit. It began as an email message supposedly from <i>Amazon</i> with the subject <i>"Your Amazon.com order of Omron WXH-108F Fat Loss... has shipped"</i>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXZ3I2d7Wvhl30uDilNsWtaZA0dN8oim1MX3jrg44naY4-cO2bgsAxsRBGjTYUwuw3-fJiZs2HhsXOln1VHxsUB7qI3ez0k1771-46YdH2oR_aAuOyg4dXC9qOCJStMMD3kuS6/s1600/Amazon-blackhole_img1.jpg" imageanchor="1"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXZ3I2d7Wvhl30uDilNsWtaZA0dN8oim1MX3jrg44naY4-cO2bgsAxsRBGjTYUwuw3-fJiZs2HhsXOln1VHxsUB7qI3ez0k1771-46YdH2oR_aAuOyg4dXC9qOCJStMMD3kuS6/s320/Amazon-blackhole_img1.jpg" width="320" /></a></div>
<div style="text-align: center;">
<i>click to enlarge</i></div>
<br />
Clicking any of the links in the email body directs users to <i>jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html</i>, a likely compromised site, which then redirects to <i>ageoloft(dot)info/main(dot)php?page=525447c096f8efbf</i>, a known Black Hole Exploit Kit host.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVmzofdX68R1jPdOOrmwPhc0eKpEIwtqSZCk1aD_wS3CLjegCACvkJ7jhV8iwTDP-O7EVwjHEAgL63f8pvFn7oinbTmV8ddSODSx9xkwBLaWbNmESPNe6A7YO_X7a_dOiJVfNl/s1600/Amazon-blackhole_img2.jpg" imageanchor="1"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVmzofdX68R1jPdOOrmwPhc0eKpEIwtqSZCk1aD_wS3CLjegCACvkJ7jhV8iwTDP-O7EVwjHEAgL63f8pvFn7oinbTmV8ddSODSx9xkwBLaWbNmESPNe6A7YO_X7a_dOiJVfNl/s320/Amazon-blackhole_img2.jpg" width="320" /></a></div>
<div style="text-align: center;">
<i>click to enlarge</i></div>
<br />
The <i>ageoloft(dot)info</i> page then automatically downloads a .PDF file (the exploit) onto the visiting system. This exploits <i>Adobe Reader</i> to run malicious executable files on the system. Furthermore, a worm, which GFI Software detects as <b>Win32.Malware!Drop</b>, is downloaded as well.<br />
<br />
We detect the exploit page as <b>Trojan.JS.Obfuscator.w (v)</b>; the PDF file that is part of the kit, <b>Exploit.PDF-JS.Gen (v)</b>.<br />
<br />
With the number of Internet users shopping online using services such as <i>Amazon</i> and <i><b>eBay</b></i>, it pays to be cautious fourfold, especially at this time of the year. Criminals know when and how users—<i>you</i>—spend their time there.<br />
<br />
Jovi Umawing (Thanks to Robert and Matthew)<br />
<br />
<b>More bad ads in Bing, Yahoo search</b> (2011-12-09)<br />
<br />
Another round of <a href="http://threatpost.com/en_us/blogs/researchers-find-ads-bing-yahoo-leading-malware-downloads-091611">bad ads in Bing</a> and Yahoo search is making an unwelcome return. Bing has fake Firefox adverts:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-3nQ_YCuOsO8/TuI4Ko2wg2I/AAAAAAAAByA/zXEPbSzJPCM/s1600/mrebngdec1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="http://1.bp.blogspot.com/-3nQ_YCuOsO8/TuI4Ko2wg2I/AAAAAAAAByA/zXEPbSzJPCM/s320/mrebngdec1.png" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-wN8OJdSNJHo/TuI4MBZIxCI/AAAAAAAAByE/CAkNTq6RmQM/s1600/mrebngdec11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="http://1.bp.blogspot.com/-wN8OJdSNJHo/TuI4MBZIxCI/AAAAAAAAByE/CAkNTq6RmQM/s320/mrebngdec11.png" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
Yahoo has fake Adobe Flash adverts instead, located at gripwise(dot)com(dot)au/player/:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ORZTuA1WWUM/TuI4M-qiOJI/AAAAAAAAByM/GHkAA4kU_t4/s1600/mrebngdec2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="http://4.bp.blogspot.com/-ORZTuA1WWUM/TuI4M-qiOJI/AAAAAAAAByM/GHkAA4kU_t4/s320/mrebngdec2.png" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-vKEJFwKDT-Y/TuI4Nk5fEZI/AAAAAAAAByU/VsMMkzsBgQE/s1600/mrebngdec22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="http://3.bp.blogspot.com/-vKEJFwKDT-Y/TuI4Nk5fEZI/AAAAAAAAByU/VsMMkzsBgQE/s320/mrebngdec22.png" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
As you can see from the below screenshot, the Gripwise URL where this is located appears to have been compromised:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-e43x82Yig_w/TuI4Ohs_kTI/AAAAAAAAByc/Sc1RofKFdQ8/s1600/mrebngdec3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="http://4.bp.blogspot.com/-e43x82Yig_w/TuI4Ohs_kTI/AAAAAAAAByc/Sc1RofKFdQ8/s320/mrebngdec3.png" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
Both sites will give you the <a href="http://malwareprotectioncenter.com/2011/11/06/privacy-protection-rogue-of-the-malware-protection-family/">Privacy Protection rogue</a>, and the domain used for the fake Firefox download (ipropertyoffice(dot)com) has active exploits, so please steer clear. VirusTotal scores weigh in at <a href="http://www.virustotal.com/file-scan/report.html?id=f96fd4c0f0a04f21a789adf1c825fa66433f766d2943e5b0e27f2082ef3e5756-1323448417">17/43</a>, and we detect it as Win32.Malware!Drop.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-6PLfIrhNXRY/TuI4PgCWvkI/AAAAAAAAByo/P62kE_4m4Zw/s1600/mrebngdec4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="http://4.bp.blogspot.com/-6PLfIrhNXRY/TuI4PgCWvkI/AAAAAAAAByo/P62kE_4m4Zw/s320/mrebngdec4.png" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
At the time of writing, Microsoft have been notified and have said the adverts have been pulled. All the same, be very careful when clicking on sponsored adverts for common downloads such as Firefox, Flash and others. As we've seen time and time again, scammers are all too eager to push malicious files on unsuspecting users.<br />
<br />
Christopher Boyd (Thanks Matthew)<br />
<br />
<b>Holiday Horrors: food stamps, phish and PDFs</b> (2011-12-07)<br />
<br />
Our monthly Top Ten threat detection report for November is now available, along with information on some of the scams we've seen these past few weeks, including emails tempting users with <a href="http://sunbeltblog.blogspot.com/2011/11/pdf-malware-is-back-in-season.html">infected PDF files</a>, <a href="http://sunbeltblog.blogspot.com/2011/11/snap-scam-will-make-you-snap.html">food stamp shenanigans</a> involving mobile phone services, and phishing emails containing <a href="http://sunbeltblog.blogspot.com/2011/11/phish-for-thanksgiving.html">HTML form attachments</a>, some of which are <a href="http://sunbeltblog.blogspot.com/2011/12/for-your-protection-your-barclays.html">still doing the rounds</a>.<br />
<br />
The Top Ten can be viewed <a href="http://www.gfi.com/page/103544/cybercriminals-kick-off-holiday-season-by-spreading-malware-and-phishing-attacks">here</a>.<br />
<br />
<b>"For your protection, your Barclays account has been suspended..."</b> (2011-12-07)<br />
<br />
If you see an email arrive in your mailbox with the above title, feel free to discard it - nothing good will come of it, unless your idea of "good" is "filling in all of your personal information into a fake banking webpage, then sending it to a scammer."<br />
<br />
The missive is sent from a free Yahoo email address, and works along the same line as <a href="http://sunbeltblog.blogspot.com/2011/11/phish-for-thanksgiving.html">these scam mails</a> from a few weeks ago.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCsKbq3n6FEao9kaXniPkE5etk9dOQnQT0dmUo_1VhNdcLM9pPNU880xv4fDRXk-2hsFOA0P5YYE2LqvziaQaaLlbw4gla8MkcBjMgZsmEAwCqvW4UX_I7Hk-5GlmV_1JyrRgQAA/s1600/fakebclays000.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCsKbq3n6FEao9kaXniPkE5etk9dOQnQT0dmUo_1VhNdcLM9pPNU880xv4fDRXk-2hsFOA0P5YYE2LqvziaQaaLlbw4gla8MkcBjMgZsmEAwCqvW4UX_I7Hk-5GlmV_1JyrRgQAA/s320/fakebclays000.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
They claim your account has been suspended due to a large number of incorrect login attempts, and reactivation is a case of filling in the attached form before the 9th of December - otherwise your account will be disabled. With a fake time limit imposed on the customer, they open up the attached HTML form and see that it asks for an awful lot of information. Name, membership number, passcode, date of birth, mother's maiden name, address...<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCUmHYgB1BMsUVJoaBp3AVP8Hef4Qynr1NTeIYge36e5Lm3vq0TXCV3O9_FA0Si6zbFnW-zE0IwyXpCNmuM_Fh6pLVL-_w-58TpAmltUpqLKJxj2p7Sc6xaQQRzm1Za87OHOgDdQ/s1600/fakebclays1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCUmHYgB1BMsUVJoaBp3AVP8Hef4Qynr1NTeIYge36e5Lm3vq0TXCV3O9_FA0Si6zbFnW-zE0IwyXpCNmuM_Fh6pLVL-_w-58TpAmltUpqLKJxj2p7Sc6xaQQRzm1Za87OHOgDdQ/s320/fakebclays1.gif" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
Of course it gets worse. Before you know it, our panicked bank customer is filling in their sort code, account number, telephone banking password and the three digit security code from the back of their card.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Rm9VlyGNKZ8/Tt9H8VXw-XI/AAAAAAAABx4/bXx83hhYSP4/s1600/fakebclays2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="http://3.bp.blogspot.com/-Rm9VlyGNKZ8/Tt9H8VXw-XI/AAAAAAAABx4/bXx83hhYSP4/s320/fakebclays2.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
Once all of this is done, hitting the "Next" button submits the data to the scammer then redirects to the Barclays website. Please avoid mails such as the above and keep your money where it belongs - your bank will never email you asking for account information (and they certainly won't email you from a free webmail account!)<br />
<br />
Christopher Boyd<br />
<br />
<b>"Steam Birthday" crashed by party poopers</b> (2011-12-05)<br />
<br />
Here's a rather amateur phish targeting <a href="http://en.wikipedia.org/wiki/Steam_(software)">Steam</a> users, located at steambirthday(dot)com. No birthday prizes for guessing what this scam is all about:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-QkFUPec38xw/Ttys414-wpI/AAAAAAAABxA/sujka4Iyb_c/s1600/steambday1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="http://4.bp.blogspot.com/-QkFUPec38xw/Ttys414-wpI/AAAAAAAABxA/sujka4Iyb_c/s320/steambday1.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
You know you're dealing with a special kind of phish when the opening ramble begins with "Steam is 3 years old: the Steam project started in 2003" and "In a really short time our servers became more and more and today there are more than a thousand meters of them".<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-qW_qoCHJDy8/TtyxRJMXG_I/AAAAAAAABxI/LZZzockJkHA/s1600/steambday2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qW_qoCHJDy8/TtyxRJMXG_I/AAAAAAAABxI/LZZzockJkHA/s1600/steambday2.gif" /></a></div><br />
According to the website, Valve - the creators of Steam - are giving away "1000 Gold accounts, which will allow you to play all 72 games for free" (Steam actually has 1,400+ titles available for download). Hitting the gold coloured "Upgrade now" button takes the end-user to a brilliantly convincing phish page. Or, to be more accurate, it takes them to missing images and screwed up HTML code:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-YJHLcbsOMVM/TtyzDRBxnnI/AAAAAAAABxQ/RBXOmLzwdP0/s1600/steambday3.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="http://3.bp.blogspot.com/-YJHLcbsOMVM/TtyzDRBxnnI/AAAAAAAABxQ/RBXOmLzwdP0/s320/steambday3.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
The site is already flagged in Chrome as a phish page, and hopefully IE and others will follow suit soon. For now, let's hold off on the birthday celebrations.<br />
<br />
Christopher Boyd<br />
<br />
<b>New Facebook Worm in the Wild</b> (2011-11-29)<br />
<br />
Our friends at <a href="http://www.csis.dk/en/csis/about/">CSIS</a>, a Danish security company, have spotted a <b>worm</b> spreading within the <b><i>Facebook</i></b> platform. In a <a href="http://www.csis.dk/da/csis/news/3387/">recent news article</a> penned by Peter Kruse, the worm is described as "a classic" in terms of how it infects Internet users: it uses stolen credentials to log in to <i>Facebook</i> accounts and then spams contacts. The message is said to contain a link to a file purporting to be an image (a screenshot of the file shows a .JPG extension), but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including <b>ZeuS</b>, a popular Trojan spyware capable of stealing user information from infected systems.<br />
<br />
The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment such as <i>Oracle VM VirtualBox</i> or <i>VMware</i>.<br />
<br />
Please keep in mind that securing your information, including your social network credentials, is a must. Never blindly click links in messages sent by online contacts. Make sure they actually sent the message to you before doing anything with it; otherwise, it is best to simply delete it from your inbox.<br />
<br />
Jovi Umawing<br />
<br />
<b>FakeScanti Rogue Hijacks HOSTS Files</b> (2011-11-28)<br />
<br />
Patrick, our resident rogue AV expert from the AV Labs, has his eyes set on one particular family: <b>FakeScanti</b>. This rogue family first appeared in the first quarter of 2010, and it has been on the radar ever since.<br />
<br />
Enter <a href="http://malwareprotectioncenter.com/2011/11/18/av-protection-2011-rogue-of-the-fakescanti-family/"><b><i>AV Protection 2011</i></b></a>.<br />
<br />
This particular rogue is the latest variant in a handful of noteworthy rogues within the FakeScanti family. What's interesting about it is that it modifies the infected system's <a href="http://en.wikipedia.org/wiki/Hosts_(file)">HOSTS file</a> upon execution, a capability more commonly seen in backdoors and worms. <i>AV Protection 2011</i> redirects users to <i>46(dot)4(dot)179(dot)109</i>, a malicious IP address in Germany where <i><a href="http://malwareprotectioncenter.com/2011/11/10/av-security-2012-rogue-of-the-fakescanti-family/"><b>AV Secure 2012</b></a></i>, another FakeScanti variant, is housed. It does this whenever users enter <i>google.com</i>, <i>yahoo.com</i>, <i>bing.com</i>, or <i>facebook.com</i> in the browser address bar.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgusfmpLrjBLsDYFTIktqq0nFQObwIfmceu2FrRbJseP2UKKWzQTjoGpipVekY9X2ly0U0ZAAUp9a_amQqnJk3OPOmIWJdtHCtb_DRZYvShBMVS4XtEX0DLxiF-TjR3JCGAekb0/s1600/avsecure2012.png" imageanchor="1"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgusfmpLrjBLsDYFTIktqq0nFQObwIfmceu2FrRbJseP2UKKWzQTjoGpipVekY9X2ly0U0ZAAUp9a_amQqnJk3OPOmIWJdtHCtb_DRZYvShBMVS4XtEX0DLxiF-TjR3JCGAekb0/s320/avsecure2012.png" width="320" /></a></div>
<div style="text-align: center;">
<i>click to enlarge</i></div>
<br />
Internet users can encounter this rogue if they are led to pages via search engine optimization (SEO) techniques or via a spammed link which, once visited, downloads a Blackhole exploit kit with which this rogue AV is bundled. We detect <i>AV Protection 2011</i> as <b>Trojan.Win32.FakeAV.IS (v)</b>. We can also <a href="http://www.virustotal.com/file-scan/report.html?id=3ebee67bbaf2f84f696ad0085554304c0aaac1fbcc036ace405630e289929b49-1321583947">detect</a> and clean the modified HOSTS file.<br />
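As an added example (not code from the post or from GFI's own tooling), the Python script below checks a HOSTS file for the kind of redirect described above: well-known domains pinned to a non-loopback address. The sample HOSTS text is constructed for the example; the IP address and the four domains are the ones named in the post.

```python
"""Scan a Windows HOSTS file for entries that hijack well-known domains.

Added example, not part of the GFI Labs post. It detects the behaviour the
post describes: a rogue appends HOSTS entries so that google.com, yahoo.com,
bing.com and facebook.com resolve to a remote IP instead of the real sites.
The sample HOSTS text below is constructed for this example; the address
46.4.179.109 and the four domains are the ones named in the post.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Domains the post says the rogue redirects; extend for your environment.
WATCHED_DOMAINS = {"google.com", "yahoo.com", "bing.com", "facebook.com"}

# Constructed sample: a normal HOSTS header plus the kind of lines a
# FakeScanti-style rogue appends. Comments and blank lines must be ignored.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# lines below appended by the rogue (constructed for this example)
46.4.179.109    google.com www.google.com
46.4.179.109    yahoo.com  www.yahoo.com   # trailing comment
46.4.179.109    bing.com
46.4.179.109    facebook.com www.facebook.com
0.0.0.0         ads.example.net            # a harmless ad-blocking entry
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS-format text.

    Handles '#' comments (whole-line and trailing), tabs/spaces, blank lines
    and multiple hostnames per line. Lines whose first token is not a valid
    IP address are skipped rather than raising.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue
        for host in tokens[1:]:
            pairs.append((ip, host.lower().rstrip(".")))
    return pairs


def _is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> Dict[str, List[str]]:
    """Map each remote IP to the watched hostnames the HOSTS file pins to it.

    Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets are treated
    as benign: they are what legitimate localhost and ad-blocking entries use.
    Anything else for a watched domain sends the user to a machine they did
    not choose, which is exactly what the rogue in the post does.
    """
    hijacks: Dict[str, List[str]] = {}
    for ip, host in parse_hosts(text):
        if not _is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        hijacks.setdefault(ip, []).append(host)
    return hijacks


def read_system_hosts(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> str:
    """Read the live HOSTS file (default path is the Windows location)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_system_hosts() for a real check.
    for ip, hosts in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks: {', '.join(hosts)}")
```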
<br />
As you may recall, this isn't the first time HOSTS files have been hijacked by criminals to dupe users. In <a href="http://sunbeltblog.blogspot.com/2006/01/anatomy-of-malicious-host-file-hijack.html">this</a> particular case, phishers modified the HOSTS file to direct users to fake pages of popular banks, such as Bank of America and Citibank, whenever they keyed in the legitimate bank URLs in the address bar.<br />
<br />
Users are advised to be wary of clicking links in emails. If you didn't contact the party that sent such mails, it's always best not to bother with them and to delete them from your inbox. <a href="http://sunbeltblog.blogspot.com/2011/11/with-rogue-av-its-more-than-game-of.html">Be careful with how you do searches online</a> as well, since the criminals behind rogue AV are still banking on the old yet very effective SEO technique.<br />
<br />
Jovi Umawing (Thanks to Patrick)<br />
<br />
<b>"Così fan tutte"</b> (2011-11-28)<br />
<br />
A company that makes installers distributing the software of third parties recently contacted us to query a detection. As it turns out, their installer was not the problem - they were partnering with a company whose toolbar continues to have a history of misleading and deceptive installs.<br />
<br />
The interesting part of all this was the discussion over how the programs caught the attention of the end-user in the first place. Here, it was big green download buttons on download sites that looked (for all intents and purposes) like the button the end-user should click on to begin their desired download. Instead, it would take them to vaguely named installer files. Examples of said buttons:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-3SOYmiApB0Q/TtOptqQcjLI/AAAAAAAABwQ/kAJ4zPSnDN0/s1600/cosipost1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://2.bp.blogspot.com/-3SOYmiApB0Q/TtOptqQcjLI/AAAAAAAABwQ/kAJ4zPSnDN0/s320/cosipost1.gif" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/--Nl5ErhRHf0/TtOpuLqqnoI/AAAAAAAABwU/FhVXjwBDAfw/s1600/cosipost2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="http://1.bp.blogspot.com/--Nl5ErhRHf0/TtOpuLqqnoI/AAAAAAAABwU/FhVXjwBDAfw/s320/cosipost2.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
In response, the basic argument set forth was "We want to be clean, but it's so difficult when everybody else is doing whatever they can to snag an install over a company attempting to play by the rules". On the surface of it, this would seem to be the case - pre-ticked checkboxes, dubious installers and poor notification inside the programs we download are bad enough, but poor choice of advert placement (and adverts that themselves look like Facebook notification prompts and other elements that would fool a regular web user) muddy the waters still further.<br />
<br />
You can see these on everything from search engines to garden variety adverts on any number of websites you care to mention, and as social networks continue to grow in influence so too do 2.0 themed adverts continue to vie for your attention.<br />
<br />
Disappointingly, the bulk of the case set forth boils down to "everyone else is doing it". Here are some of the examples they sent over:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-HfEKm6QZm6s/TtOqLIPCOmI/AAAAAAAABwg/IrGQ-r3Fz4s/s1600/cosipost4.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="http://4.bp.blogspot.com/-HfEKm6QZm6s/TtOqLIPCOmI/AAAAAAAABwg/IrGQ-r3Fz4s/s320/cosipost4.gif" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
Above you can see a rather large green tick and a "Download now" button which completely overwhelm the simple text link that happens to be the one the end-user is looking for.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-AE6Sc1DKSHo/TtOqMZnGZLI/AAAAAAAABwo/q8jNUqrgUmA/s1600/cosipost3.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="http://3.bp.blogspot.com/-AE6Sc1DKSHo/TtOqMZnGZLI/AAAAAAAABwo/q8jNUqrgUmA/s320/cosipost3.gif" width="320" /></a></div><div style="text-align: center;"> Click to Enlarge</div><br />
The above example has a rather prominent (and unrelated) download banner at the top and another download link off to the right - personally I don't feel this has as strong a case as the first example, although three green download buttons on the same page is always going to cause confusion for somebody.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-M_39L38bhdg/TtOqNDGW45I/AAAAAAAABww/WEXar-PiIcU/s1600/cosipost5.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="http://4.bp.blogspot.com/-M_39L38bhdg/TtOqNDGW45I/AAAAAAAABww/WEXar-PiIcU/s320/cosipost5.gif" width="320" /></a></div><div style="text-align: center;">Click to Enlarge</div><br />
Above, we can see the actual download button fairly dwarfed by a larger one off to the right. Much like the other two, you can bet this has resulted in a number of "Wait, what?" style downloads.<br />
<br />
None of this is new, of course - you can easily jump back to 2008 or earlier and see the same sort of thing taking place on <a href="http://blog.spywareguide.com/images/gview6.html">Facebook application installer pages</a>. It's worthwhile advising relatives you suspect will wander into these setups to be on their guard, because as far as many companies out there installing Adware and other products are concerned it's a case of <a href="http://wiki.answers.com/Q/What_is_'Cosi_fan_tutte'_in_English">Così fan tutte</a>.<br />
<br />
Christopher Boyd (Thanks Eric)<br />
<br />
<b>"Rogue browsers will make a comeback on the mobile platform."</b> (posted 2011-11-24)<br />
<br />
We've seen it here first: <a href="http://sunbeltblog.blogspot.com/2011/10/yapbrowser-has-returned.html"><b><i>YapBrowser</i></b> has risen after being declared dead five years ago</a>—and this discovery was made by Chris Boyd himself just a day before he presented at <b>VB 2011</b> on <b>rogue browsers</b>, of which <i>YapBrowser</i> is one.<br />
<br />
If you missed the conference or Chris's presentation, <a href="http://www.net-security.org/article.php?id=1653">this podcast</a> hosted by our friends at Help Net Security contains a comprehensive lightning talk from Chris about rogue browsers: their history, their numerous payloads, and the possibility of them plaguing smartphones.<br />
<br />
Not long ago, our friends at Trend Micro <a href="http://blog.trendmicro.com/malware-found-disguised-as-opera-mini/">spotted</a> the first rogue browser for <b><i>Windows Mobile</i></b>, <b><i>Symbian OS</i></b>, and <b><i>Android</i></b> phones, disguised as <b><i>Opera Mini</i></b>, a popular Web browser for mobile phones. This could be the start of a new trend. What we're sure of is that fake browsers are still out there, even if under the radar and on different platforms.<br />
<br />
Jovi Umawing<br />
<br />
<b>Phish for Thanksgiving?</b> (posted 2011-11-23)<br />
<br />
Over the previous few days, our research team here at GFI has noticed an uptick in bank phishes winding up in a few of our spam traps. This particular scam is unusual in that it comes with an HTML file attachment which leads to a form that attempts to steal from the unsuspecting victim all kinds of identifying information, from the standard PIN and password to their driver’s license number and even a (fake) description of the last transaction made on the account.<div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIO-NSUXBvjFCVonqcTUjlyhfbhIXopnA1lk_IQhs3JcScrUnItJYhKbdhd2fcz_9xDQiw9jKt4Ahu3a_-PMby_0sH8C1vh6cCD1k_CBPqoe0xs6qBg80U4PeSC2RPHMziWIgNag/s1600/SunTrust_Phish_11_23_2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 248px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIO-NSUXBvjFCVonqcTUjlyhfbhIXopnA1lk_IQhs3JcScrUnItJYhKbdhd2fcz_9xDQiw9jKt4Ahu3a_-PMby_0sH8C1vh6cCD1k_CBPqoe0xs6qBg80U4PeSC2RPHMziWIgNag/s400/SunTrust_Phish_11_23_2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5678370298618942770" /></a><br />As of this posting, we have seen e-mails targeting Bank of America and SunTrust customers, and surely more will follow.</div><div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKmFNqcCqhwEZERRz-jvjnpqfN2K2dHZ5zVhYGtUtfzuoSrm9k_i9K6ZhdBvfAMEfs8KkRxRp_Gq1ueJgcmwIOBbg3wFoQZTDlvjugZkAD3F5HAiJOXiiTD5kl2MCN87f2L4ju8Q/s1600/BOA_Phish_11_22_3.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 354px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKmFNqcCqhwEZERRz-jvjnpqfN2K2dHZ5zVhYGtUtfzuoSrm9k_i9K6ZhdBvfAMEfs8KkRxRp_Gq1ueJgcmwIOBbg3wFoQZTDlvjugZkAD3F5HAiJOXiiTD5kl2MCN87f2L4ju8Q/s400/BOA_Phish_11_22_3.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5678374648097063778" /></a><br />As always, please be wary of e-mails from financial institutions asking for identifying information. When in doubt, call the official phone number listed on the back of your credit card or the known customer service line for your bank.<br /><br />So, while "fish" was likely a <a href="http://en.wikipedia.org/wiki/Thanksgiving_dinner#Historical_menus">staple eaten</a> during the days of the pilgrims, we here in the lab are going to stick to good ol' turkey this year.<br /><br />Stay safe,<br /><br />Robert Stetson<br />Malware Research Team</div><br />
<br />
<b>VIPRE Black Friday Special</b> (posted 2011-11-22)<br />
<br />
<p style="font-family: Georgia, 'Bitstream Charter', serif; font-size: 13px; margin-bottom: 24px; line-height: 18px; text-align: -webkit-auto; ">Here at GFI, we’re dedicated to providing quality antivirus software at exceptional values, and this Black Friday is no exception. 
Our <span style="color: #0000ff;"><span style="text-decoration: underline;"><a href="http://www.vipreantivirus.com/promos/black-friday/" style="color: rgb(0, 102, 204); ">Black Friday Sale</a> </span></span>features the biggest discounts of 2011 – up to 75% off.</p><p style="font-family: Georgia, 'Bitstream Charter', serif; font-size: 13px; margin-bottom: 24px; line-height: 18px; text-align: -webkit-auto; "><strong style="font-weight: bold; ">Black Friday Sale</strong></p><p style="font-family: Georgia, 'Bitstream Charter', serif; font-size: 13px; margin-bottom: 24px; line-height: 18px; text-align: -webkit-auto; ">VIPRE Antivirus 2012 <span style="text-decoration: line-through;">for $39.95</span> <span style="color: #ff0000;"><strong style="font-weight: bold; "><span class="Apple-style-span" >NOW $9.95!</span><br /></strong></span>VIPRE Internet Security 2012 <span style="text-decoration: line-through;">for $49.95</span> <span style="color: #ff0000;"><strong style="font-weight: bold; "><span class="Apple-style-span" >NOW $19.95!</span></strong></span></p><p style="font-family: Georgia, 'Bitstream Charter', serif; font-size: 13px; margin-bottom: 24px; line-height: 18px; text-align: -webkit-auto; ">With prices this low, you can give the gift of PC security to Grandma, your sister, even that crazy uncle. Is Santa bringing a new laptop this year? Make sure he installs VIPRE on it first! It defends against viruses, worms, spyware, Trojans, rootkits and other Internet threats without slowing down your new (or old) PCs. 
The VIPRE 2012 editions feature the latest threat definitions and are easier to install and use than ever before.</p><p style="font-family: Georgia, 'Bitstream Charter', serif; font-size: 13px; margin-bottom: 24px; line-height: 18px; text-align: -webkit-auto; ">This weekend’s VIPRE <span style="color: #0000ff;"><span style="text-decoration: underline;"><a href="http://www.vipreantivirus.com/promos/black-friday/" style="color: rgb(0, 102, 204); ">Black Friday Sale</a></span></span> makes it easy and affordable to keep your family safe online this holiday season (and in years to come). So take advantage of the lowest prices of 2011 while the deals last.</p><a href="http://www.blogger.com/profile/06824519055198949802">Rogue Antispyware</a><br />
<br />
<b>From porn stars to strippers: careful with name games</b> (posted 2011-11-22)<br />
<br />
Way back in 2009, Sophos covered a bit of viral "fun" on Twitter where users of that service revealed their "porn star name" - comprised of your <a href="http://nakedsecurity.sophos.com/2009/05/12/reveal-porn-star-twitter/">"first pet" and your "first street"</a>.<br />
<br />
Well, <a href="http://paperghost.tumblr.com/post/13155247988/atraeathing-yukidama-goddessofcheese">look what's back</a> in marginally altered form and racking up 8,000+ reblogs on Tumblr:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-RbPk4DPJRyM/TsuRN5PVqWI/AAAAAAAABuo/j760h93jr_M/s1600/strippernamewhoops.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="http://3.bp.blogspot.com/-RbPk4DPJRyM/TsuRN5PVqWI/AAAAAAAABuo/j760h93jr_M/s400/strippernamewhoops.gif" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;">Click to Enlarge</div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: left;">Or, you know, don't. Stop and think how many services still ask for your pet's name and street name for things such as password reset questions. Then pause to consider that an email address you use may be public-facing and have just such a question bolted onto it.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">You may want to keep your clothes on and stick to the day job at that point...</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">Christopher Boyd</div>