Monday, December 21, 2009

Some updates . . . Visa/Zeus and Google Jobs

On December 12th we covered a new "Visa.com" version of the Zeus distribution spam.
(See story: Ongoing Visa Scam Drops Zeus Zbot.

There are at least forty domains seen in today's spam. Please see the story above for more on the URL pattern, (the machine name may begin with "alerts", "reports", "statements", "transactions", or a "sessionid" with random characters after the "sessionid" version, but here is one sample URL for each domain:

alerts.visa.com.111ttillil.co.uk
alerts.visa.com.11fttillil.co.uk
alerts.visa.com.11tttillil.co.uk
alerts.visa.com.1jfttillil.co.uk
alerts.visa.com.yjfttillil.co.uk
reports.visa.com.dirpote1.be
alerts.visa.com.dirpote2.be
alerts.visa.com.dirpote3.be
alerts.visa.com.dirpote4.be
alerts.visa.com.dirpote5.be
alerts.visa.com.dirpote6.be
alerts.visa.com.dirpote8.be
alerts.visa.com.dttflji.be
alerts.visa.com.itdflji.be
alerts.visa.com.ittdlji.be
alerts.visa.com.ittfdji.be
alerts.visa.com.ittfldi.be
alerts.visa.com.ittfljd.be
alerts.visa.com.ittflji.be
alerts.visa.com.ittfljx.be
alerts.visa.com.ittflxi.be
alerts.visa.com.ittfxji.be
alerts.visa.com.itxflji.be
alerts.visa.com.ityxlji.be
alerts.visa.com.ixtflji.be
alerts.visa.com.xttflji.be
alerts.visa.com.ydtflji.be
alerts.visa.com.11t1jtiil.com
alerts.visa.com.11t1kt1il.com
alerts.visa.com.11t1kt1pl.com
alerts.visa.com.11t1ktiil.com
alerts.visa.com.11tfjtiil.com
alerts.visa.com.i1tfjtiil.com
alerts.visa.com.ictfjtiil.com
alerts.visa.com.ivtfjtiil.com
alerts.visa.com.11t1jtiil.net
alerts.visa.com.11t1ktiil.net
alerts.visa.com.11tfjtiil.net
alerts.visa.com.i1tfjtiil.net
alerts.visa.com.ivtfjtiil.net

Its too early to know for sure what malware this is, because currently only 4 of the 41 anti-virus products at VirusTotal detect it as anything at all. Sunbelt calls it Bredolab, the three others all say only that it is "suspicious". I'll try to run it through our malware VM later today and make a more definite judgement.

VirusTotal Report here

cardstatement.exe
File size: 188928 bytes
MD5 : d61c6195eda54b1009208ba823ccdac4

Google Jobs Update


We warned about a Google Jobs scam back on December 1st (see article: Google Jobs Scam -- Read the Fine Print!!). Google actually sued the scammers who were running that scheme on December 9th (see article: Google v. Pacific WebWorks. Unfortunately the spam, and the scamming, continues unabated.

One example would be the spam messages for this "spaces.live.com" blog:

http://cid-3d8eb92dd2d67dba.spaces.live.com/

which leads to the website "biznews7.org", which forwards to the website "news2010letter.com", which recruits people to join the scam by sharing their credit card number on the site "http://www.safetrialoffers.com/searchsecretsystems/le5/".

On that site, the same scam is still being run by this organization:

Search 4 Profit, LLC.
7614 Arvilla Avenue.
Sun Valley, CA 91352

The Fine Print still reads:

Terms and Disclosures. Billing authorization obtained pursuant to the Uniform Electronic Transaction Act and the Electronic Signatures in Global and National Transactions Act. By submitting this form, I am ordering Search Secret Systems for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy Search Secret Systems, simply do nothing. On the 7th day my credit card will automatically be charged an easy payment of $89.26 once a month for three months. After the three months you will not be billed again. You will then maintain unlimited access to our member site. During your three month program you may cancel anytime by calling 1-877-361-8622 M - F, 8am-8pm MST.




Amazingly, the phone number was answered and a person actually asked how they could help me! When we wrote the first article, the phone rang and rang, but no one ever answered.

Of course, there are still quite a few ways this is illegal, even if they do now answer the phone, including the CAN SPAM violations. The email "from" address is forged and there is no "unsubscribe" link of any sort, nor is there a physical mailing address, despite this being a commercial offer. Here's an example spam message:

Never work in an office again! I've been working for someone else my entire life. A few weeks ago I found out about working for Google online so I decided to check it out. I signed up and read a few articles and tried a few different things and within 6 weeks I was making enough to quit my full time job to work at home! If this sounds like something that interests your, check out URL
http://profiles.yahoo.com/blog/MVO2GFP4W7AEJ42YOXCPAVOTU4
A song, a song, high above the trees




Work for the world's largest employer today lori has Earned $2,069 This December Alone! Check it out here:
http://cid-5ccbbcb19ba7028f.spaces.live.com
O tidings of comfort and joy.


No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!