Thursday, November 12, 2009

Newest Zeus = NACHA: The Electronic Payments Association

This morning I was meeting with some graduate students in the UAB Computer Forensics program to discuss what projects we would be running in the lab. When the topic of Zeus came up, we observed that we had seen no new spam on the IRS Zeus Campaign in the past 2.5 hours, which probably meant the bad guy was about to change his "look".

Sure enough, I came back from my morning meetings to find 150 copies of the newest Zeus distribution campaign. The new campaign pretends to be the National Automated Clearing House Association (NACHA), which is the group that manages the relationships between participating financial institutions. During the 3rd Quarter of 2009, they report that they brokered 3.77 billion transactions worth more than $7.3 trillion. I was observing this morning that the criminals know more about our financial networks than the average banking consumer who probably doesn't understand what NACHA is or how the organization works. When I shared this thought with Brian Krebs today, he commented "I assure you that the comptrollers of the companies being targeted by these criminals know who NACHA is!" (Krebs is the author of the Washington Post's Security Fix column, and a leader in researching this family of attacks.)

In this case, the spam subject lines are:

Please review the transaction report
Rejected ACH transaction
Rejected ACH transaction, please review the transaction report
Unauthorized ACH transaction
Unauthorized ACH Transaction Report
Your ACH transaction was rejected
Your ACH transaction was rejected by The Electronic Payments Association

Sender names used in the spam, all with the email support@nacha.org, included:

ACH Network
Automated Clearing House (ACH)
Electronic Payments Association
NACHA
nacha.org
National Automated Clearing House Association

The email message itself reads:

Dear bank account holder,

The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report


------------------------------------------------------------------

Copyright ©2009 by NACHA - The Electronic Payments Association



The website to which you are directed looks like this:



The Transaction Report is described on the website as a "self-extracting, pdf format" file, but is of course really a zbot infector.

The current version of the file is:
File size: 123392 bytes
MD5: f8150d384940a3ddd24fa5333be0162b

A full Virus Total report is also available, showing 16 of 41 AV companies detecting this version of the malware.

The websites that we are seeing so far on this attack are . . .

Wednesday, November 11, 2009

The $9 Million World-Wide Bank Robbery

On November 7th and 8th, 2008 a group of Russian and Estonian hackers raised the balances on several ATM "prepaid payroll cards" belonging to RBS WorldPay, headquartered in Atlanta, Georgia. The hackers also modified the business logic regarding the limits on how much money could be withdrawn from a single account via ATM machines. At the pre-arranged time, a world-wide ATM spree began, with hackers using duplicates of 44 payroll cards to make withdrawals from 2,100 ATM machines in at least 280 cities around the world, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada.

When the adrenaline rush cleared, the gang had stolen Nine Million Dollars in twelve hours, and the hackers hit RBS WorldPay seeking to destroy all copies of the records of these withdrawals. The "cashiers", the people who actually used the ATM cards, were allowed to keep between 30% and 50% of the funds they withdrew, sending the rest back to the ring-leaders via Webmoney and Western Union.

The question being asked by EVERYONE was "HOW IS THAT POSSIBLE?!?!?!" For instance, look at the comments on this Boing Boing article: Flashmob of ATM crooks scores $9 million. At that time the news was that "less than 100" cards were used in 30 minutes in 49 cities. Everyone was saying "That's like $90,000 per payroll card? Who has that kind of money on a payroll card?" or "Can you imagine trying to take 3,500 $20 bills out of an ATM?" Keep reading, because those questions are answered below.

On November 10th, 2009, just about one year later, Special Agent in Charge Greg Jones of the Atlanta FBI issued a press release entitled International Effort Defeats Major Hacking Ring: Elaborate Scheme Stole over $9.4 Million from Credit Card Processor.

VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova, along with an unidentified individual, have been indicted by a federal grand jury on charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft. IGOR GRUDIJEV, 31, RONALD TSOI, 31, EVELIN TSOI, 20, and MIHHAIL JEVGENOV, 33, each of Tallinn, Estonia, have been indicted by a federal grand jury on charges of access device fraud.


Congratulations to all the great investigators involved in this, from the FBI investigators, the RBS investigations team, and all the locals who got called to pull ATM video all around the world. Well done!

Singled out for praise in the press release were the Estonian Central Criminal Police and the Netherlands Police Agency. The Hong Kong Police worked closely with the FBI to separately charge the criminals who used ATM's based in Hong Kong as part of this scheme.

RBS WorldPay is headquartered in Atlanta, and is owned by Citizens Financial Group, which is itself owned by the Royal Bank of Scotland. Although prepaid debit cards from RBS WorldPay are issued by RBS Citizens of North America, Palm Desert National Bank, The Bankcorp, Inc, and First Bank of Delaware, in this case 42 of the 44 cards used in the scheme were from Palm Desert National Bank.

Let's look at the individuals involved.

SERGEI TŠURIKOV, 25, of Tallinn, Estonia performed reconnaissance and found a path of entry into the RBS WorldPay computer network. With the help of unnamed hackers, he found a vulnerability that gave a working path into the network. TŠURIKOV then introduced these hackers to VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia, who was the one to actually mastermind the hack, supported by OLEG COVELIN, 28, of Chişinău, Moldova, and an unknown hacker referred to in the indictment as "HACKER 3". TŠURIKOV also managed an existing ring of "cashiers" - criminals who brazenly take the risk of withdrawing money using counterfeit ATM cards, and then dutifully wire part of their proceeds back to the smarter criminals who don't take such risks themselves.

The key activity that let them get started was to reverse engineer the encryption of the PINs used by the RBS WorldPay computer network. Drawing on PLESHCHUK's superior hacking capabilities, TŠURIKOV, HACKER 3, and others are then said to have raised the limits on certain of the prepaid payroll cards. PLESHCHUK and TŠURIKOV were logged in to the RBS WorldPay computer network actively observing the world-wide withdrawals taking place on the cards they had distributed for use in this scam. When each card was done, they issued commands in the RBS network to lock that card.

HACKER 3 was primarily responsible for running the network of cashiers and coordinating the simultaneous world-wide withdrawal of what would end up being $9 Million. He was also the funds manager who received the funds from the cashiers and distributed the shares to the other members of the conspiracy.

OLEG COVELIN, 28, of Chişinău, Moldova is the hacker who first found the vulnerability in the RBS WorldPay system, and who shared it with TŠURIKOV so that it could be exploited. COVELIN received stripe data and PINs from the hackers, which he distributed to his own cashier network to participate in the ATM withdrawal spree.

From November 4th until November 8th, the 44 cards that would be used in the attack were created and distributed to the "lead cashiers", who in turn spread the cards to their cashiers, both in the United States and around the world.

To test their scheme, the hackers, PLESHCHUK, TŠURIKOV, and HACKER 3, modified one card distributed to COVELIN and raised the available balance on that account number.

Then on November 8th, the three hackers did the same for the remainder of the cards, and the ATM Blitz was on. Cashiers hit the 2,100 ATM terminals in at least 280 cities. At the agreed upon time limit, PLESHCHUK and TŠURIKOV tried to begin their clean-up, deleting data in Atlanta, Georgia from St. Petersburg, Russia and Tallinn, Estonia, attempting to cover their tracks and conceal their unauthorized access and fraud.

The indictment contains "xxxxx"ed out versions of the actual commands issued by PLESHCHUK, such as:

UPDATE Card
SET
ATMxxxxxLimit = 500000, POSxxxxLimit = 500000, ATMxxxxxx=500000, ATMxxxxLimit2=500000 where xxxxPAN IN ('xxxxxxxxxxxx1627')

or

delete from xxxxLogs where xxxxLogID>2400000 and xxxxPAN in ('xxxxxxxxxxxx4809', 'xxxxxxxxxxxx3926', 'xxxxxxxxxxxx1041', 'xxxxxxxxxxxx5815', 'xxxxxxxxxxxx4912', 'xxxxxxxxxxxx9488', 'xxxxxxxxxxxx2840', 'xxxxxxxxxxxx3890')

delete from xxxxTransaction where xxxxxxxxID>820000000 and xxxxPAN in ('xxxxxxxxxxxx4809', 'xxxxxxxxxxxx3926', 'xxxxxxxxxxxx1041', 'xxxxxxxxxxxx5815', 'xxxxxxxxxxxx4912', 'xxxxxxxxxxxx9488', 'xxxxxxxxxxxx2840', 'xxxxxxxxxxxx3890')

Commands issued by TŠURIKOV are also listed in the indictment such as:

select xxxxxxxxxxxID, xxxxxxxxDateTime, xxxxxxxxAmount, xxxxxxxName, xxxxxMerchxxx, xxxxAddr, xxxxCity, xxxxState, xxxZip, xxxxCounty from xxxxxxxxxxxTransaction where xxxPAN = 'xxxxxxxxxxxx0336' and xxxxxxxxxxxxID > 82300000


Some of the specific counts include:

COUNT ONE: Conspiracy to Commit Wire Fraud 18 USC § 1349.

COUNTS TWO THROUGH TEN: Wire Fraud 18 USC §§ 1343

COUNT ELEVEN: Conspiracy to Commit Computer Fraud (see below)

COUNT TWELVE: Computer Intrusion Causing Damage 18 USC §§ 1030(a)(5)(A), 1030(b), 1030(c)(4)(B)

COUNT THIRTEEN: Computer Intrusion Obtaining Information 18 USC § 1349, 18 USC §§ 1030(a)(2), 1030(c)(2)(B)(i), 1030(c)(2)(B)(ii), 1030(c)(2)(B)(iii)

COUNT FOURTEEN: Computer Intrusion Furthering Fraud 18 USC §§ 1030(a)(4), 1030(c)(3)(A)

COUNT FIFTEEN: Aggravated Identity Theft 18 USC §§ 1028A(a)(1), 1028A(b), 1028A(c)(5)

COUNT SIXTEEN: Access Device Fraud 18 USC §§ 1029(a)(5), 1029(c)(1)(A)(ii)

Count Sixteen is where the other parties come into play. These are the guys doing the cashing.

SERGEI TŠURIKOV gave card numbers and PIN codes to IGOR GRUDIJEV, who then gave the information to RONALD TSOI, EVELIN TSOI, and MIHHAIL JEVGENOV, all of Estonia, who withdrew funds worth US$289,000 from ATMs in Tallinn, Estonia.



The charges are much cooler than that really - they use this language that I love, because it makes it so clear and easy to find in our laws EXACTLY what they were being charged with. As you read below, just picture bad guys going to jail, and smile with me:

knowingly and willfully conspire to: (a) knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, causing loss aggregating at least $5,000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer, in violation of 18 USC §§ 1030 (a)(5)(A) and 1030(b); (b) intentionally access a computer without authorization, and thereby obtain information contained in a financial record of a financial institution, and of a card issuer as defined in 15 USC § 1602(n), and from a protected computer, and the offense being committed for purposes of commercial advantage and private financial gain, and in furtherance of a criminal and tortious act in violation of the Constitution and the laws of the United States, specifically, conspiracy to commit wire fraud in violation of 18 USC § 1349 and wire fraud in violation of 18 USC § 1343, and the value of the information obtained exceeding $5,000, in violation of 18 USC § 1030(a)(2); and (c) access a protected computer without authorization and by means of such conduct further the intended fraud and obtain value, specifically, prepaid payroll card number and PIN codes, and withdrawals from such prepaid payroll card accounts exceeding US$9 million, in violation of 18 USC § 1030(a)(4), all in violation of 18 USC § 371.

Tuesday, November 10, 2009

Zeus / Zbot Malware moves Back to IRS

After a vigorous day of spamming a Fake Myspace Update Tool, the criminals behind this campaign have refocused their efforts back to the Internal Revenue Service.

This time around the spam is almost identical to that which we saw from September 11th until October 17th. We wrote about this a couple of times in articles such as IRS Version of Zeus Continues and A Weekend of Old News, both of which listed many websites previously used by the criminal.

The websites seen so far this morning by the UAB Spam Data Mine have included:


A fresh website image from this morning.

The current version of the malware is:

File size: 83160 bytes
MD5: 7b4d6fc7369501229b4d7ca6734c228c

VirusTotal is pretty back-logged at the moment. I'll check back for a detection report later in the day and share the results here.

Monday, November 09, 2009

Zeus Malware Moves to Myspace

Beginning about 90 minutes ago, the Zeus malware, also known as Zbot, began a new spam distribution campaign to infect more victims. The newest campaign follows the model of last week's Facebook UpdateTool, only now targeting MySpace users.

This update is pretty much in "Breaking News" mode at the moment; we haven't yet run the malware through the lab for a full analysis, but here's what we can tell you so far:

1. There are 30 recently created domains being used as targets in the spam messages. Here are the host names we've seen so far in spam messages:

2. Spam messages are using a variety of subject lines, including:

message id #5332015152732 (note: each message has a random id #)
MySpace Account update
Please update your MySpace account
Update your MySpace account
You are required to update your MySpace account
Your MySpace account

3. The text of the email messages contains:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

http://accounts.myspace.com.iiolii.me.uk/msp/index.php?fuseaction=update&code=(random)&email=(email address)

If you're unable to click on the link above, copy and paste it into your browser's address bar.

-------------------------

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you've received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.


4. The websites look like this:



5. Logging in takes you to a page that looks like this:



6. The malware is NOT being distributed from these sites. The malware link actually points to a domain created this morning called:

myspace-files.com

which was registered through "Answerable.com", using PrivacyProtection.

We tried to give Answerable a call, but the crappy VOIP forwarding service they are using to connect to their technical support left me with an agent crackling and saying "I'm sorry, I can't understand you." On the third try, I got a very helpful woman in India who referred me to "support.publicdomainregistry.com" to file a report with their abuse desk. We've requested that the domain be terminated.

A VirusTotal report shows that while most of the AV products do not yet detect this malware (14 of 41 can detect it), those which do label it either as Zbot or Bifrost.

File size: 108544 bytes
MD5: 9014141626efee1175ebee3135f3accf

First Update: 10:20 AM


The malware is now back on the same server as advertised by the spam. Seems something happened to their old malware domain. (evil grin). The new path is:

/msp/updatetool.exe

A fresh VirusTotal report shows that the malware has changed in both size and signature. Detection is still 14 of 41, but it's a different 14.

File size: 105472 bytes
MD5: 4c7693219eaa304e38f5f989a8346e51

Second Update: 4:20 PM



There have been sixty-nine unique domains seen in this campaign so far today. The currently live domains at this timestamp are:


These have been reported to the Fox Interactive Media and MySpace abuse teams for termination.

Saturday, October 31, 2009

Facebook Safety & Million Member Facebook Groups

Two of my friends today invited me to join "Million User" facebook groups. Not that it matters really, but the two groups were:

PETITION FOR FACEBOOK TO INSTALL A DISLIKE BUTTON...NEED 1,000,000 MEMBERS ASAP..INVITE EVERYONE YOU KNOW TO JOIN

and

If 1,000,001 people join, Facebook will re-install the old News Feed!


The first group, IN SIX DAYS, has grown from 1 user to 401,200 users! Some of you are cheering saying, YES! Now Facebook will be FORCED to have a "Dislike" button!

The second group now has 719,000 users! HINT: Despite the topic, Facebook is not going to re-install the old News Feed.

Would you like to see the secret truth about why people create "million user groups"?

Enter the seedy world of the online advertiser. Not the Madison Avenue advertising companies, but the punks who sit at home and devise ways to advertise their wares through spam, SEO (search engine optimization), and social network spam. They are making more money than you, and filling our lives with virtual junkmail, and in many cases, malware.

Note that what they are doing below is probably NOT illegal. Slimy, yes. Illegal? No. Although it may violate Facebook rules, that's an issue for Facebook, not the police.

Here's an example post from a forum on a "Black Hat" website. The forum is in a group called:

Black Hat Forum > Black Hat SEO > Social Networking Sites > FaceBook

The user "almir" is a typical user there. After each of his messages to his shady advertising friends, he signs with his own advertisement -- claiming that he controls a Facebook Group with 550,000 members, and he'll post your message to his group for $800. Almir says that between his groups, he has about 2 million people he can post to on Facebook. At his peak he was making about $250 per day from his ads, and he says on a good day, he could make $600. Let's see. 365 * 250 = $91,250 per year. Not bad money for making up reasons that a million people should join your group.

Another user there, "LeDave", claims he controls more than 100 Facebook groups, and the ads that he posts there generate between 6,000 and 7,000 clicks per day to "ClickBank". (ClickBank is an affiliate advertising site where you get paid every time someone follows your link. Following the links makes money for the guy controlling the Facebook group. If the users BUY things, you get a commission.) LeDave claims he was the creator of the "1,000,000 members against the new facebook layout" group. He claims he grew that group to more than 3 million users! Why? So he could make money selling links to his members!

One of the other members has a group with 1.5 million users. He offers to help newbie advertisers "get launched" by recommending their group to his users for the low low price of $100 per recommendation.

(This information is from the thread: http://www.blackhatworld.com/blackhat-seo/facebook/130560-facebook-groups-finally-getting-makeover-hard-make-viral-group-again.html)

So, remember that the next time you join a "million member group", what you are really doing is helping these advertisers make it easier to spam you with their ads. While it may seem a great "social cause", it's not. Nobody cares if 1 million people join the group. Except the guy getting paid for it.

Here are a few other "of course, we should join that!" million member groups:

I bet I can find 1,000,000 people who hate cancer
Members: 1,609,864 members

I bet I can still find 1,000,000 people who dislike George Bush!
Members: 968,146 members

1,000,000 Hamish and Andy Fans by 01/01/10
Members: 731,824 members

1,000,000 AGAINST THE NEW FACEBOOK LOOK!!!
Members: 713,565 members

"WE HAVE TO SAVE FACEBOOK" PETITION - 1,000,000 PEOPLE NEEDED!!!!!
Members: 466,648 members

I Bet I Can Find 1,000,000 People Who Just Want Peace
Members: 379,282 members

Not saying that all those groups are advertising driven. Just suggesting that it's a serious possibility.

Yes, I like Facebook! (But not all the Apps)



Are you surprised? Yes, I'm a Cybercrime Investigations guy who likes Facebook. I give a "Privacy & Security" lecture to our CIS 105 class each term at the University where I warn of the dangers of Social Network Sites, but when used properly, I love Facebook (for play) and LinkedIn (for work).

In my lectures I warn of things like having your privacy settings set too broadly - sharing your information with the whole world - and things like installing Applications without understanding who wrote them or what their Terms of Service are.

Facebook has been getting better with setting rules for their developers, but it's still important to know what access and rights developers have to your personal information when you use their apps. My general rule is that if I don't know the developer, I don't install the app. For instance, I play PopCap games in Facebook. I've used their apps for years, I've worked with their tech support, and I trust them to do the right thing. I have no idea who wrote the Facebook Application "How Long Will You Survive When Zombies Rule the World", but 1,461,000 Facebook users have trusted them to do the right thing with their personal data. To install the app in Facebook (as with every app) I am cautioned:

By proceeding, you are allowing How long will you survive when zombies over run the world? to access your information and you are agreeing to the Facebook Terms of Use in your use of How long will you survive when zombies over run the world?


I'm not so trusting with strangers. (No offense, Zombie dudes. Random example from things I was invited to install today.)

Those "Terms of Use" link you to the "About Platform" page, which reminds you that when you install an application, you are giving the developer of that application permission to access such things as:

your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, your relationship status, your dating interests, your relationship interests, your network affiliations, your education history, your work history, your course information, copies of photos in your photo albums, metadata associated with your photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your in-box, the total number of "pokes" you have sent and/or received, the total number of wall posts on your Wall, a list of user IDs mapped to your friends, your social timeline, notifications that you have received from other applications, and events associated with your profile.



If you want to know more about Applications on Facebook, here are the new policies that Application Developers have to agree to follow -- Facebook: Developer Principles and Policies.

Tips for Facebook Users, From Facebook


I know the guys at Facebook and have been very pleased with how pro-active they are with responding to security issues, and with warning their users. If you haven't seen these steps, you should definitely check them out.

Facebook: Protecting Account Security

Facebook: Privacy Settings and Fundamentals

There are lots of other great tips from Facebook. I would encourage users (and parents of children who use Facebook) to visit their Help Center to learn more.

Wednesday, October 28, 2009

FACEBOOK PHISH! Users Beware!

The FDIC spam campaign that we reported on yesterday in our story Fake FDIC Spam Campaign Spreads Zeus has already moved on to its next attack. Now it's trying to steal your Facebook passwords in what appears at first glance to be a "traditional" phishing attack. (Please see the end of this article for an update on how this "phish" actually is another Zeus malware infection vector.)



The UAB Spam Data Mine has already received more than 250 copies of the new phishing email this morning, which claims:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.

Before you are able to use the new login system, you will be required to update your account.

Click (here) to update your account online now.

If you have any questions, reference our New User Guide

Thanks,
The Facebook Team


The email is fake, of course, and so are the websites they point to. So far we've identified 31 unique domain names registered by the criminal for use in this Facebook attack.

The website looks like this:



UAB Malware Analyst Brian Tanner took the new Facebook Phish for a drive through the lab, and confirmed that this is NOT JUST A PHISH - in fact it might not be a traditional phish at all. It's actually a Zeus Bot installer, pointing at the same command & control site as yesterday's FDIC version of Zeus:



Clicking on the prompted "UpdateTool.exe" is the infection vector for Zeus. According to the VirusTotal Report for this malware, only 8 of 41 AV products are currently labelling this executable as malware.

File size: 105472 bytes
MD5: 1198d2ddf09061fbfb70de423cde059f

Update 29OCT09 AM


Spam for this campaign is still coming fast and furious to the UAB Spam Data Mine. More than 200 fresh copies were received already this morning.

File size: 105984 bytes
MD5: 6aad88ba4805b2daa4fc6106a5376065

A VirusTotal report for the current version is showing 9 of 41 detections.

Update - 01NOV2009


From October 27th until November 1st, we've seen 242 different domain names used by this campaign. Here are the ones that are currently live at this point in time (5:25 PM) --

Here is the full list . . .


Tuesday, October 27, 2009

Fake FDIC spam campaign spreads Zeus malware

The UAB Spam Data Mine is continuing to experience high volumes of spam claiming to be from the Federal Deposit Insurance Corporation. FDIC.gov spam is using two email subjects:

FDIC has officially named your bank a failed bank
you need to check your Bank Deposit Insurance Coverage

The email messages claim to be from the email address consumeralerts@fdic.gov, which is a real email address used by the FDIC, but obviously being forged by the malware distributors in this situation.

Here's an example email:



You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:

* Visit FDIC website: http://www.fdic.gov/bankinsured/failed/personalfile/holder.php?email=youremail@yourdomain.com&id=233388521333599678361293755617839671

* Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

Federal Deposit Insurance Corporation


The website to which you are directed looks like this:



The website offers a copy of "your personal FDIC Insurance file" to see whether your coverage has been impacted. The website seems to offer this file as either an Adobe PDF file or a Microsoft Word file. In reality, the first is named "pdf.exe" and the second is named "word.exe", and both are the same file - a 105,472 byte executable.

A VirusTotal report indicates that currently 9 anti-virus products label this version of the malware; we expect the criminals to change the binary regularly:

File size: 105472 bytes
MD5: f4007a6af6dc841cd2961a8b3d2fbb8e

The detections declare it to be Zeus Bot, and UAB Malware Analyst Brian Tanner examined the malware in the lab and confirmed the same, identifying the location of the command & control server and sharing that information with appropriate law enforcement officials.


So far UAB researchers have identified 93 unique domains registered and used by the criminals for this campaign:


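Both campaigns on this page build their hostnames the same way: a well-known name (www.facebook.com, www.fdic.gov) is placed in the leading labels of a throwaway registrable domain such as tygerah.co.uk or ttteraz.eu. The following is an added example, not the UAB lab's own tooling: it derives the registrable domain of each hostname found in a few constructed proxy log lines and flags hosts that spell out a protected brand while actually belonging to some other domain. The public-suffix subset, the brand list and the log format are assumptions.

```python
import re

# Constructed subset of the Public Suffix List: the multi-label suffixes that
# occur in the campaign's domain lists. A real deployment loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "me.uk", "org.uk"}

# Brands whose hostnames the campaigns copy into the leading labels.
PROTECTED_DOMAINS = {"facebook.com", "fdic.gov"}

def registrable_domain(hostname):
    """eTLD+1 of a hostname: www.fdic.gov.tygerah.co.uk -> tygerah.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def impersonated_brand(hostname):
    """Return the protected domain spelled out as a contiguous run of labels in
    a hostname whose registrable domain is something else; None otherwise."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in PROTECTED_DOMAINS:
        return None                     # genuinely under the brand's own domain
    labels = host.split(".")
    for brand in sorted(PROTECTED_DOMAINS):
        blabels = brand.split(".")
        n = len(blabels)
        if any(labels[i:i + n] == blabels for i in range(len(labels) - n + 1)):
            return brand
    return None

# Constructed proxy log lines in an assumed "time client method url status" form.
SAMPLE_LOG = """\
2009-10-27T14:03:11 10.0.0.5 GET http://www.fdic.gov.tygerah.co.uk/ 200
2009-10-27T14:03:40 10.0.0.5 GET https://www.fdic.gov/deposit/ 200
2009-11-01T17:25:02 10.0.0.9 GET http://www.facebook.com.ttteraz.eu/ 200
2009-11-01T17:26:10 10.0.0.9 GET https://login.facebook.com/ 200
"""

URL_HOST = re.compile(r"https?://([^/\s:]+)")

def flag_log(text):
    """(hostname, impersonated brand) for every URL host that borrows a brand."""
    hits = []
    for m in URL_HOST.finditer(text):
        brand = impersonated_brand(m.group(1))
        if brand:
            hits.append((m.group(1), brand))
    return hits
```

The check deliberately keys on the registrable domain rather than on string prefixes, so a genuine host such as login.facebook.com is never flagged while any of the 242 Facebook or 93 FDIC look-alikes is.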
Of these, 38 domains are currently live:




UPDATE! - 27OCT09 4PM in Alabama:

The FDIC's Sandra L. Thompson, Director of the Division of Supervision and Consumer Protection, has provided an update on this emerging threat on the FDIC website:

http://www.fdic.gov/news/news/SpecialAlert/2009/sa09183.html

We're currently down to 16 "live" sites that we've seen in this afternoon's FDIC spam:
