Thursday, February 27, 2014

2013 FTC Consumer Sentinel Report - Identity Theft By U.S. City

Each year the Federal Trade Commission publishes a detailed report on the Fraud and Identity Theft complaints they received during the previous year, not just at the FTC, but throughout their Consumer Sentinel Network.

Some of the leading members of that network include the Better Business Bureau and the FBI's Internet Crime and Complaint Center (IC3.gov).

You can review the entire 2013 Consumer Sentinel Network Data Book on your own if you want to look up more about your state.

Just like last year, fraud that began by telephone/telemarketing was the top category, but 33% of all Fraud complaints started with an email!

Complaints by category were:

14% - Identity Theft
10% - Debt Collection Fraud
7% - Banks and Lenders
6% - Imposter Scams
6% - Telephone and Mobile Service Scams
4% - Prizes, Sweepstakes and Lottery Scams
4% - Auto-related Fraud
3% - Shop-at-home and Catalog Sales fraud
3% - Television and Electronic Media fraud
2% - Advanced Payment for Credit Services fraud

In the Fraud categories, over 1 million complaints were filed including $1.6 billion in fraud, where the median reported amount paid was $400. (Only 61% of those alleging fraud stated a loss amount.)

Within the category of Identity Theft, the top categories were:

34% - government documents/benefits fraud
17% - Credit Card Fraud
14% - Phone/Utilities Fraud
8% - Bank Fraud
6% - Employment-related Fraud
4% - Loan Fraud

In 2012, there were 369,145 Identity Theft Complaints registered by Consumer Sentinel.
In 2013, there were 290,056 Identity Theft Complaints.

That's a 21.5% reduction in Identity Theft Complaints! Does this indicate that Identity Theft improved from 2012 to 2013? Or does it indicate that Identity Theft has become so commonplace that people don't get irate and call the Better Business Bureau or the FTC when it occurs?

Wire Transfer Tops the Fraud Losses List

American consumers are just DESPERATE to throw their money away in Wire Transfers. Even though every wire transfer place I've visited in the last two years has big warning signs about the various forms of fraud involving sending your money away in a wire transfer, it continues to be the top way in which fraudsters separate their victims from their money.

Year | Complaints | Money Wired Out
2011 | 115,901 | $438,343,577
2012 | 109,138 | $456,541,454
2013 | 104,984 | $507,713,984

Western Union and MoneyGram both have warning pages to help protect consumers! Follow their advice to not lose the average $4836 that more than 100,000 complained about last year!

Western Union has Eight Tips at their Knowledge Center:

  1. Never send money to people you haven't met in-person
  2. Never send money to pay for taxes or fees on lottery or prize winnings
  3. Never use a test question as an additional security measure to protect your transaction
  4. Never provide your banking information to people you don't know
  5. Never send money in advance to obtain a loan or credit card
  6. Never send money for an emergency situation without verifying that it's a real emergency. (Gee - like a London Traveler Scam?)
  7. Never send funds from a check in your account until it officially clears - which can take weeks
  8. Never send a money transfer for an online purchase

MoneyGram has a great page called The 11 Most Common Wire Transfer Frauds, which includes:

  1. The Vehicle Purchase Scam
  2. The Fake Loan Scam
  3. The Lottery or Sweepstakes Scam
  4. The Internet Romance Scam
  5. The Mystery Shopper Scam
  6. The Charity Scam
  7. The Relative in Need Scam
  8. The Internet Purchase Scam
  9. The Newspaper Ads Scam
  10. The Check or Money Order Scam
  11. The Elder Abuse Scam
They even have a nice Dodge the Scams Game to help you get it down pat!

Green Dot MoneyPak

In the most significant change in fraud payment behavior, this year 28% of fraud losses occurred via Prepaid cards, which was almost exclusively Green Dot Money cards. Two years ago this category of fraud losses didn't even exist! From 2012 to 2013 the number of victims went up 500% and the amount of money lost went up 600%!!

Year | Complaints | Prepaid Card Fraud Losses
2011 | 10 | $9,054
2012 | 16,914 | $6,946,619
2013 | 84,671 | $42,858,396

(image from DotFab.com, click to visit)

How much of this fraud was due to the CryptoLocker and PoliceLock Ransomware? We can't be sure, but this is a PROFOUND shift in fraud loss behavior and a great deal of it is certain to be based on those two malware campaigns. We blogged about CryptoLocker using Greendot late in the year in our story Tracking CryptoLocker with Malcovery and IID, but the FBI's Donna Gregory reported on the malware as far back as this August 2012 FBI Ransomware Story where she said "We’re getting inundated with complaints!" referring to the complaints coming in to the FBI's IC3.gov complaint form, which is one source of Consumer Sentinel Data.

2013 - Top Cities for Identity Theft

Last year, 16 of the top 25 Identity Theft Metropolitan areas were in Florida. This year it has fallen to 13.

13 of top 25 in Florida (16 in 2012)
4 of top 25 in California (0 in 2012)
3 of top 25 in Georgia (6 in 2012)
1 each in Alabama, Arkansas, Michigan, Tennessee, and West Virginia

Rank | Metro/Micropolitan Area | Per 100,000
1 | Miami-Fort Lauderdale-West Palm Beach, FL | 340.4
2 | Columbus, GA-AL | 214.7
3 | Naples-Immokalee-Marco Island, FL | 214
4 | Jonesboro, AR | 190.9
5 | Tallahassee, FL | 179.4
6 | Cape Coral-Fort Myers, FL | 174.9
7 | Atlanta-Sandy Springs-Roswell, GA | 170.7
8 | Port St. Lucie, FL | 163.9
9 | Beckley, WV | 160.9
10 | Tampa-St. Petersburg-Clearwater, FL | 155.5
11 | Orlando-Kissimmee-Sanford, FL | 149.6
12 | Detroit-Warren-Dearborn, MI | 142.9
13 | Lakeland-Winter Haven, FL | 140.2
14 | Stockton-Lodi, CA | 133.1
15 | Montgomery, AL | 132.2
16 | Vallejo-Fairfield, CA | 128.2
17 | Jacksonville, FL | 125.7
18 | Memphis, TN-MS-AR | 125.5
19 | Valdosta, GA | 125.4
20 | Ocala, FL | 125
21 | Gainesville, FL | 122.6
22 | Sebastian-Vero Beach, FL | 122.4
23 | Los Angeles-Long Beach-Anaheim, CA | 119.1
24 | Deltona-Daytona Beach-Ormond Beach, FL | 118.9
25 | Fresno, CA | 118.2
26 | Albany, GA | 117.6
27 | San Francisco-Oakland-Hayward, CA | 116.8
28 | North Port-Sarasota-Bradenton, FL | 116.6
29 | Bakersfield, CA | 116.5
30 | Macon, GA | 116.2
31 | Riverside-San Bernardino-Ontario, CA | 115.2
32 | Savannah, GA | 115.1
33 | Punta Gorda, FL | 115
34 | Dallas-Fort Worth-Arlington, TX | 114.8
35 | Crestview-Fort Walton Beach-Destin, FL | 112.4
36 | Palm Bay-Melbourne-Titusville, FL | 111.3
37 | Flint, MI | 109.7
38 | Lynchburg, VA | 108.1
39 | Jackson, MS | 107.4
40 | Washington-Arlington-Alexandria, DC-VA-MD-WV | 106.3
41 | Homosassa Springs, FL | 105.5
42 | Niles-Benton Harbor, MI | 105.2
43 | Houston-The Woodlands-Sugar Land, TX | 104.7
44 | Fayetteville, NC | 102.9
45 | Sacramento--Roseville--Arden-Arcade, CA | 101.3
46 | Modesto, CA | 101.1
47 | Phoenix-Mesa-Scottsdale, AZ | 101.1
48 | Las Vegas-Henderson-Paradise, NV | 100.8
49 | Chicago-Naperville-Elgin, IL-IN-WI | 100.4
50 | Killeen-Temple, TX | 99.4
51 | Auburn-Opelika, AL | 98.4
52 | New York-Newark-Jersey City, NY-NJ-PA | 97.7
53 | San Jose-Sunnyvale-Santa Clara, CA | 96.4
54 | Reno, NV | 96.1
55 | Philadelphia-Camden-Wilmington, PA-NJ-DE-MD | 95.5
56 | Chico, CA | 95.5
57 | Napa, CA | 94.5
58 | Pueblo, CO | 94.3
59 | Baltimore-Columbia-Towson, MD | 93.4
60 | San Diego-Carlsbad, CA | 93.4
61 | Milwaukee-Waukesha-West Allis, WI | 92.8
62 | Madera, CA | 92.8
63 | Rocky Mount, NC | 92.5
64 | Laredo, TX | 92.3
65 | Beaumont-Port Arthur, TX | 92
66 | Denver-Aurora-Lakewood, CO | 92
67 | Cleveland-Elyria, OH | 91.7
68 | Santa Cruz-Watsonville, CA | 89.6
69 | Brownsville-Harlingen, TX | 89.4
70 | Goldsboro, NC | 88.9
71 | Mobile, AL | 88.6
72 | Merced, CA | 88.4
73 | Santa Maria-Santa Barbara, CA | 88.2
74 | Ann Arbor, MI | 88.2
75 | Tucson, AZ | 87.9
76 | Augusta-Richmond County, GA-SC | 87.8
77 | Atlantic City-Hammonton, NJ | 87.4
78 | Redding, CA | 86.9
79 | Greenville-Anderson-Mauldin, SC | 86.6
80 | Athens-Clarke County, GA | 86.2
81 | McAllen-Edinburg-Mission, TX | 85.6
82 | Corpus Christi, TX | 85.5
83 | Baton Rouge, LA | 85.4
84 | Sierra Vista-Douglas, AZ | 85.3
85 | Austin-Round Rock, TX | 85.2
86 | Florence, SC | 85.1
87 | Albuquerque, NM | 85
88 | Boulder, CO | 84.9
89 | Pensacola-Ferry Pass-Brent, FL | 84.9
90 | Colorado Springs, CO | 84
91 | California-Lexington Park, MD | 83.7
92 | Dalton, GA | 83.7
93 | Hattiesburg, MS | 83.3
94 | San Antonio-New Braunfels, TX | 83.2
95 | Warner Robins, GA | 83
96 | Oxnard-Thousand Oaks-Ventura, CA | 82.8
97 | Trenton, NJ | 82.7
98 | Houma-Thibodaux, LA | 82.6
99 | Dover, DE | 82.6
100 | St. Louis, MO-IL | 82.1

Alabama Identity Theft: 2012 compared to 2013

Forgive me, dear reader, for focusing on my own state just this once . . .

In 2012, Alabama's top cities for Identity Theft, and their Per Capita complaints received, were:

#15 - Columbus, GA/AL (205.9 per 100,000)
#16 - Montgomery, AL (203.7 per 100,000)
#42 - Auburn-Opelika, AL (124.1 per 100,000)
#62 - Birmingham-Hoover, AL (111 per 100,000)
#91 - Enterprise-Ozark, AL (97.8 per 100,000)
#97 - Huntsville, AL (95.5 per 100,000)
#100 - Mobile, AL (93.5 per 100,000)
#118 - Anniston-Oxford, AL (90.2 per 100,000)
#125 - Tuscaloosa, AL (88.4 per 100,000)
#132 - Dothan, AL (87.2 per 100,000)
#145 - Gadsden, AL (84.3 per 100,000)
#195 - Decatur, AL (72.8 per 100,000)
#198 - Daphne-Fairhope-Foley, AL (72.4 per 100,000)
#303 - Florence-Muscle Shoals, AL (56.4 per 100,000)

How does that compare to 2013's numbers?

The Columbus, Georgia/Alabama Metro area rose 13 places in the national rank to be the second worst city in America for Identity Theft.
Montgomery, Alabama had a very slight rise in rank (from #16 to #15); although the number of complaints per capita fell, it is still one of the worst cities in America for Identity Theft.
Mobile, Alabama rose in rank by 29 places, moving from #100 to #71.

All other cities in Alabama FELL in their national rank for Identity Theft -- but one must ask, as above, is that because crime is declining, or is apathy increasing? Have we become so desensitized to Identity Theft that we no longer feel the need to complain?

#2 +13 - Columbus, GA-AL (214.7 per 100,000) = +8.8 per 100,000
#15 +1 - Montgomery, AL (132.2) = -71.5 per 100,000
#51 -9 - Auburn-Opelika, AL (98.4) = -25.7 per 100,000
#71 +29 - Mobile, AL (88.6) = -4.9 per 100,000
#117 -55 - Birmingham-Hoover, AL (77.7) = -33.3 per 100,000
#131 +1 - Dothan, AL (74.8) = -12.4 per 100,000
#152 -55 - Huntsville, AL (68.5) = -27 per 100,000
#167 -42! - Tuscaloosa, AL (65.2) = -23.2 per 100,000
#226 -81! - Gadsden, AL (57.5)
#234 -116! - Anniston-Oxford-Jacksonville, AL(56.5)
#268 -70! - Daphne-Fairhope-Foley, AL (52.1)
#316 -121! - Decatur, AL (44.2)
#357 -54! - Florence-MuscleShoals, AL (36.7)

Do YOU Know How to File an Identity Theft, Fraud, or Phishing Complaint?

If someone scammed you out of your money or stole your identity, that is a CRIME! What should you do? CALL THE POLICE!

But there are some other guidelines as well.

The Federal Trade Commission has two web pages that help you understand what to do if you have been the victim of identity theft:

FTC: What to do if you have been a victim of Identity Theft
FTC: How to file an Identity Theft Complaint with the FTC

FTC: March 2-8 is National Consumer Protection Week - tips and videos you can share with your friends are on this site!

You STILL want to call your local Police to let them know about the crimes against you. If someone stole YOUR identity or scammed you, they are likely targeting others as well! Besides your local law enforcement, it would be helpful if you could take the time to share what happened to you with the FBI Internet Crime & Complaint Center (ic3.gov). This unique center in West Virginia gathers hundreds of thousands of cybercrime complaints per year into a database that can be accessed by law enforcement across the country. Perhaps you will only be another drop in the bucket, but you MAY provide the missing link that ties many smaller losses together into a major investigation!

For PHISHING EMAILS, be sure to report that phish to Malcovery's PhishIQ system! By sending us the address of that suspicious or fake bank website, our automated systems will preserve forensic evidence about the phishing website and work on linking it to other websites that may have been created by the same criminal!

Appendix: The rest of the list (Top Identity Theft Cities by Rank)

Rank | Metro/Micropolitan Area | Per 100,000
101 | New Orleans-Metairie, LA | 82
102 | Charlotte-Concord-Gastonia, NC-SC | 81.7
103 | Prescott, AZ | 81.5
104 | Santa Fe, NM | 81.2
105 | Tyler, TX | 80.6
106 | Virginia Beach-Norfolk-Newport News, VA-NC | 80.4
107 | Monroe, MI | 80.3
108 | Little Rock-North Little Rock-Conway, AR | 80.2
109 | Gainesville, GA | 80.1
110 | Hammond, LA | 80.1
111 | Bridgeport-Stamford-Norwalk, CT | 80.1
112 | Lake Havasu City-Kingman, AZ | 78.9
113 | Seattle-Tacoma-Bellevue, WA | 78.4
114 | Oklahoma City, OK | 77.9
115 | Columbia, SC | 77.8
116 | Vineland-Bridgeton, NJ | 77.8
117 | Birmingham-Hoover, AL | 77.7
118 | El Paso, TX | 77.4
119 | Muskegon, MI | 77.2
120 | New Haven-Milford, CT | 77.2
121 | Midland, TX | 76.9
122 | Burlington, NC | 76.8
123 | Spokane-Spokane Valley, WA | 76.7
124 | Odessa, TX | 76.6
125 | Hilton Head Island-Bluffton-Beaufort, SC | 75.9
126 | Indianapolis-Carmel-Anderson, IN | 75.3
127 | Yakima, WA | 75.2
128 | Concord, NH | 75.1
129 | San Luis Obispo-Paso Robles-Arroyo Grande, CA | 74.9
130 | Reading, PA | 74.9
131 | Dothan, AL | 74.8
132 | Brunswick, GA | 74.8
133 | Lumberton, NC | 74.5
134 | Allentown-Bethlehem-Easton, PA-NJ | 74.3
135 | Wichita, KS | 74.2
136 | Charleston-North Charleston, SC | 73.7
137 | Richmond, VA | 73.1
138 | Akron, OH | 72.4
139 | Kansas City, MO-KS | 71.9
140 | Racine, WI | 71.6
141 | Rockford, IL | 71.5
142 | Scranton--Wilkes-Barre--Hazleton, PA | 71.5
143 | Santa Rosa, CA | 70.9
144 | Topeka, KS | 70.6
145 | Dayton, OH | 70.4
146 | Spartanburg, SC | 69.9
147 | Salinas, CA | 69.9
148 | Shreveport-Bossier City, LA | 69.8
149 | Show Low, AZ | 69.8
150 | Yuba City, CA | 69.5
151 | Panama City, FL | 68.8
152 | Huntsville, AL | 68.5
153 | Fort Collins, CO | 68.4
154 | Raleigh, NC | 68.4
155 | Portland-Vancouver-Hillsboro, OR-WA | 68.1
156 | Durham-Chapel Hill, NC | 67.8
157 | Charleston, WV | 67.4
158 | Greeley, CO | 66.8
159 | Medford, OR | 66.4
160 | Yuma, AZ | 66.4
161 | Gulfport-Biloxi-Pascagoula, MS | 66.4
162 | Wilmington, NC | 66.3
163 | Springfield, MA | 65.8
164 | Columbus, OH | 65.7
165 | New Bern, NC | 65.5
166 | Boston-Cambridge-Newton, MA-NH | 65.4
167 | Tuscaloosa, AL | 65.2
168 | Flagstaff, AZ | 64.7
169 | Lawton, OK | 64.5
170 | Saginaw, MI | 64.4
171 | Hartford-West Hartford-East Hartford, CT | 64.4
172 | Minneapolis-St. Paul-Bloomington, MN-WI | 64.2
173 | Wausau, WI | 64.1
174 | Duluth, MN-WI | 64
175 | Amarillo, TX | 63.9
176 | Olympia-Tumwater, WA | 63.8
177 | Youngstown-Warren-Boardman, OH-PA | 63.8
178 | Asheville, NC | 63.8
179 | Toledo, OH | 63.8
180 | Bremerton-Silverdale, WA | 63.7
181 | Kankakee, IL | 63.5
182 | Chattanooga, TN-GA | 63.4
183 | Madison, WI | 63.4
184 | Bend-Redmond, OR | 63.4
185 | Greensboro-High Point, NC | 63.1
186 | Greenville, NC | 63
187 | Rochester, NY | 62.7
188 | Myrtle Beach-Conway-North Myrtle Beach, SC-NC | 62.6
189 | Pittsfield, MA | 62.5
190 | Battle Creek, MI | 62.4
191 | Visalia-Porterville, CA | 62.4
192 | East Stroudsburg, PA | 62.4
193 | Kingsport-Bristol-Bristol, TN-VA | 62.3
194 | Winston-Salem, NC | 62.3
195 | Sherman-Denison, TX | 62
196 | Nashville-Davidson--Murfreesboro--Franklin, TN | 61.9
197 | El Centro, CA | 61.9
198 | Jacksonville, NC | 61.9
199 | Alexandria, LA | 61.7
200 | Fort Wayne, IN | 61.3
201 | Kalamazoo-Portage, MI | 61.2
202 | South Bend-Mishawaka, IN-MI | 61.1
203 | Tulsa, OK | 60.8
204 | Sumter, SC | 60.5
205 | Las Cruces, NM | 60.2
206 | Ashtabula, OH | 60.1
207 | York-Hanover, PA | 60
208 | Albany, OR | 60
209 | Champaign-Urbana, IL | 59.9
210 | Cincinnati, OH-KY-IN | 59.6
211 | Boise City, ID | 59.5
212 | Missoula, MT | 59.5
213 | Wooster, OH | 59.4
214 | Dunn, NC | 59.3
215 | Salisbury, MD-DE | 59.1
216 | Omaha-Council Bluffs, NE-IA | 59.1
217 | Eureka-Arcata-Fortuna, CA | 58.7
218 | Elizabethtown-Fort Knox, KY | 58.6
219 | Anchorage, AK | 58.3
220 | Elkhart-Goshen, IN | 58.2
221 | Jackson, MI | 58
222 | Hagerstown-Martinsburg, MD-WV | 58
223 | Pittsburgh, PA | 58
224 | Pine Bluff, AR | 57.9
225 | Providence-Warwick, RI-MA | 57.8
226 | Gadsden, AL | 57.5
227 | Lafayette, LA | 57.4
228 | Iowa City, IA | 57
229 | Barnstable Town, MA | 57
230 | Waco, TX | 57
231 | Springfield, MO | 56.8
232 | Springfield, IL | 56.6
233 | Worcester, MA-CT | 56.6
234 | Anniston-Oxford-Jacksonville, AL | 56.5
235 | Kingston, NY | 56.4
236 | College Station-Bryan, TX | 56.4
237 | Lubbock, TX | 56.4
238 | Hanford-Corcoran, CA | 56.2
239 | Cleveland, TN | 56.1
240 | Monroe, LA | 56.1
241 | Longview, TX | 56
242 | Salt Lake City, UT | 55.9
243 | Canton-Massillon, OH | 55.9
244 | Louisville/Jefferson County, KY-IN | 55.8
245 | Lexington-Fayette, KY | 55.5
246 | Lima, OH | 55.5
247 | Lansing-East Lansing, MI | 55.4
248 | Peoria, IL | 55.1
249 | Decatur, IL | 55.1
250 | Erie, PA | 54.9
251 | Clarksville, TN-KY | 54.9
252 | Grand Rapids-Wyoming, MI | 54.8
253 | Bloomington, IL | 54.8
254 | Weirton-Steubenville, WV-OH | 54.6
255 | Kennewick-Richland, WA | 54.5
256 | Roanoke, VA | 54.1
257 | Buffalo-Cheektowaga-Niagara Falls, NY | 54.1
258 | Des Moines-West Des Moines, IA | 54.1
259 | Lebanon, PA | 53.9
260 | Williamsport, PA | 53.4
261 | Harrisburg-Carlisle, PA | 53.3
262 | Bellingham, WA | 53.2
263 | Fort Smith, AR-OK | 53.1
264 | Norwich-New London, CT | 52.9
265 | Albany-Schenectady-Troy, NY | 52.8
266 | Morristown, TN | 52.7
267 | Winchester, VA-WV | 52.2
268 | Daphne-Fairhope-Foley, AL | 52.1
269 | Bay City, MI | 52
270 | Longview, WA | 51.8
271 | Salem, OR | 51.4
272 | Lawrence, KS | 51.4
273 | Meridian, MS | 51.2
274 | St. Joseph, MO-KS | 51
275 | Texarkana, TX-AR | 50.9
276 | Wichita Falls, TX | 50.9
277 | London, KY | 50.6
278 | Ogden-Clearfield, UT | 50.1
279 | Hickory-Lenoir-Morganton, NC | 50.1
280 | Billings, MT | 49.7
281 | Lincoln, NE | 49.6
282 | Manchester-Nashua, NH | 49.4
283 | Coeur d'Alene, ID | 49.1
284 | Charlottesville, VA | 48.9
285 | Mount Vernon-Anacortes, WA | 48.8
286 | Jefferson City, MO | 48.7
287 | Jackson, TN | 48.5
288 | Michigan City-La Porte, IN | 48.4
289 | Syracuse, NY | 48.3
290 | Chambersburg-Waynesboro, PA | 48.1
291 | Cookeville, TN (Micropolitan) | 48.1
292 | Lafayette-West Lafayette, IN | 48.1
293 | Janesville-Beloit, WI | 48
294 | Logan, UT-ID | 47.8
295 | Evansville, IN-KY | 47.8
296 | Bluefield, WV-VA | 47.5
297 | Knoxville, TN | 47.3
298 | Whitewater-Elkhorn, WI | 47
299 | Rochester, MN | 46.9
300 | Torrington, CT | 46.9
301 | Sheboygan, WI | 46.8
302 | Claremont-Lebanon, NH-VT | 46.7
303 | Davenport-Moline-Rock Island, IA-IL | 46.6
304 | Lake Charles, LA | 46.6
305 | Lancaster, PA | 46.6
306 | Pottsville, PA (Micropolitan) | 46.5
307 | Johnson City, TN | 46.3
308 | Danville, VA | 46
309 | Carbondale-Marion, IL | 45.8
310 | Tupelo, MS | 45.5
311 | Springfield, OH | 44.8
312 | Provo-Orem, UT | 44.8
313 | Roseburg, OR | 44.6
314 | Joplin, MO | 44.4
315 | Fayetteville-Springdale-Rogers, AR-MO | 44.3
316 | Decatur, AL | 44.2
317 | Abilene, TX | 44.2
318 | Huntington-Ashland, WV-KY-OH | 44.1
319 | Morgantown, WV | 43.9
320 | Sioux City, IA-NE-SD | 43.9
321 | Johnstown, PA | 43.8
322 | Cedar Rapids, IA | 43.8
323 | Eugene, OR | 43.8
324 | Grand Junction, CO | 43.6
325 | Salem, OH | 43.6
326 | Mansfield, OH | 43.4
327 | Blacksburg-Christiansburg-Radford, VA | 43.2
328 | Jamestown-Dunkirk-Fredonia, NY | 43
329 | Portland-South Portland, ME | 42.8
330 | Idaho Falls, ID | 42.8
331 | Kahului-Wailuku-Lahaina, HI | 42.6
332 | Cumberland, MD-WV | 42.6
333 | Fond du Lac, WI | 42.3
334 | Wheeling, WV-OH | 41.9
335 | Glens Falls, NY | 41.9
336 | Wenatchee, WA | 41.5
337 | Gettysburg, PA | 41.4
338 | Traverse City, MI | 41.2
339 | La Crosse-Onalaska, WI-MN | 41.1
340 | Sioux Falls, SD | 40.7
341 | Columbia, MO | 40.6
342 | Watertown-Fort Drum, NY | 40.4
343 | San Angelo, TX | 40.2
344 | Rapid City, SD | 40.1
345 | Owensboro, KY | 40.1
346 | St. George, UT | 39.1
347 | Binghamton, NY | 38.9
348 | Tullahoma-Manchester, TN | 38.9
349 | Bloomington, IN | 38.9
350 | Green Bay, WI | 38.9
351 | Terre Haute, IN | 38.9
352 | Urban Honolulu, HI | 38.8
353 | Utica-Rome, NY | 38.7
354 | Ithaca, NY | 38.4
355 | Muncie, IN | 38.2
356 | Burlington-South Burlington, VT | 37.9
357 | Florence-Muscle Shoals, AL | 36.7
358 | Eau Claire, WI | 36.6
359 | Ottawa-Peru, IL | 36.2
360 | Bowling Green, KY | 35.9
361 | Holland, MI | 35.9
362 | Appleton, WI | 35.9
363 | Hilo, HI | 35.7
364 | Lewiston-Auburn, ME | 34.4
365 | Oshkosh-Neenah, WI | 33.5
366 | Staunton-Waynesboro, VA | 32.9
367 | Waterloo-Cedar Falls, IA | 32.8
368 | Ogdensburg-Massena, NY | 32.2
369 | Fargo, ND-MN | 32.1
370 | St. Cloud, MN | 31.7
371 | Bangor, ME | 31.2
372 | Farmington, NM | 30.8
373 | Altoona, PA | 30.7
374 | Harrisonburg, VA | 29.5
375 | State College, PA | 29.2
376 | Augusta-Waterville, ME | 28.7
377 | Bismarck, ND | 27.9

Monday, February 24, 2014

WhatsApp Spam: a malware distribution scam

On February 19, 2014, Facebook announced the purchase of WhatsApp for $4 billion in cash and 183,865,778 shares of Facebook stock ($12 Billion in current value) plus an additional $3 billion in shares to the founders that will vest over four years, for a total purchase price of $19 Billion. Within 24 hours, spammers were using WhatsApp lures to attract traffic to counterfeit pharmaceutical websites! Journalists in the United States were scurrying trying to figure out what WhatsApp even is, let alone why it should be worth $19 Billion.

Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research, which was headlined Messenger Wars: How Facebook lost its lead and which talked about the top social messaging apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still led in the US, and WeChat clearly dominates China, WhatsApp was the leading app in Brazil (72%), South Africa (68%), and Indonesia (43%).

But those of us who keep track of spam and email-based threats have been hearing about WhatsApp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.

According to Malcovery Security's Brendan Griffin, WhatsApp was being used as a malware lure since at least September 19, 2013. I asked Brendan to give me a list of days when a WhatsApp spam/malware campaign made Malcovery's "Today's Top Threats" list. This campaign has been solidly in the top ten on:

SEPTEMBER 19, 23, 24, 25, 26
OCTOBER 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
NOVEMBER 14
JANUARY 9, 13, 15, 20, 28

As Steve Ragan mentioned in his ComputerWorld article on November 8, 2013, WhatsApp was one of our Top Five Imitated Brands for the delivery of malware via spam for the quarter. (See ComputerWorld - Senior executives blamed for a majority of undisclosed security incidents.) Curiously, when I asked Brendan about the email I saw THIS WEEK imitating WhatsApp he said that was an example of spammers using the WhatsApp notoriety to drive traffic to counterfeit pharmaceutical websites!

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware

We've seen tremendous variety in both the malware being delivered and in the method of delivery over the course of so many spam runs. The first day we made note of the WhatsApp malware, September 19, 2013, we observed 52 different websites being advertised in the emails. Each of these websites had a file called "info.php" that was being called with a very long unique "message" parameter, such as:

/info.php?message=47lvQ31P1Nip+SkTsbYeAVNH+2aJDFeJ9djfprCHGa4=
(a couple of digits have been tweaked for privacy)

Websites used for malware delivery, September 19, 2013:


Visiting the link from any of those websites resulted in code on the server resolving your IP address and creating a custom malware name based on your geographic location. For example, when we visited from Birmingham, Alabama IP addresses, we received a file called "VoiceMail_Birmingham_(205)4581400.zip" - 205 is the area code for Birmingham, Alabama, so both the city name and the telephone number provided were intended to enhance the believability that this was a "real" VoiceMail message that we should open and listen to!

At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)

This malware delivery mechanism, with the geographically labeled secondary malware, is a signature of the ASPROX => Kuluoz malware. Kuluoz, which is also known as DoFoil, is delivered as the second phase of a malware delivery scheme that begins by having computers that are part of the ASProx botnet send spam. This is the same campaign that delivered Walmart/BestBuy/CostCo delivery messages around the Christmas holiday, and that delivered Courthouse, Eviction, and Energy bill spam. In the more recent VirusTotal report, AntiVir, DrWeb, and Microsoft label this sample as Kuluoz, while Agnitum, CAT-QuickHeal, Kaspersky, NANO-Antivirus, VBA32, and VIPRE call it DoFoil. Zortob is another popular label seen for this malware, and Symantec calls it "FakeAVLock" while Ikarus and Sophos call it Weelsof. Weelsof is a Ransomware family, and this label, as well as the FakeAV label, is likely due to tertiary malware. When secondary malware "drops" (a term that just means that ADDITIONAL malware is downloaded from the Internet after the initial infection), it is common for AntiVirus vendors to apply the label for the "ultimate intention" to all of the malware samples seen in that particular infection chain.

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz's role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis which was submitted as Mr. Bar's Dissertation for his Masters of Science in Computer Science.

At the time of Shaked Bar's paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar's paper is well worth reading as he explains how C&C traffic is XOR'ed with the byte 0x2B to test the ability of the bot to send spam as well as other potential uses. Mr. Bar documents more fully the possible tertiary malware including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.

Malcovery Security analysts also called attention in our September 19, 2013 report to the fact that the WhatsApp spam, when visited from an Android device, detected the OS and dropped a file called "WhatsApp.apk". .apk files are Android's "application package file" format, which is used to distribute and install Android apps. Examination of the .APK file confirmed that this was fake antivirus for your Android phone, containing descriptions of each supposedly detected malware in both English and Russian, as exhibited by this snip from the .APK file:

The URLs used to drop the infection shifted constantly. For example, these are the URLs from September 24th, each using "app.php" instead of "info.php":


And these were the sites for September 25th:


WhatsApp Spam Used by Cutwail Botnet to deliver Upatre => Zeus Malware

More recently, the WhatsApp malware has been used by an entirely different spam sending malware team. This group, which favors the Cutwail spam botnet, uses spam messages to deliver a malware family known as UPATRE. UPATRE is a tiny malware file that is repacked constantly to ensure deliverability and that has little malicious behavior itself. The only function of UPATRE is to drop additional malware. In this case, the malware is attached as a .zip file that, when executed by the recipient in order to "play their missed message" will cause Zeus to be downloaded as the secondary malware.

Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus to allow safe passage through any blocking and detecting methods. This model of downloading an undetectable version that is then decoded into a fully functional Zeus malware by the Upatre module was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security. In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

zubayen . com / up / wav.enc
or from inspireplus . org . uk / images / banners / wav.enc
(spaces added for your safety)

WhatsApp Spam Delivering Canadian Health & Care Mall links?

As WhatsApp reaches the pinnacle of awareness among American spam recipients, it is only natural that the pharmaceutical spammers would get in on the game. On February 20, 2014, the spammers sent out "Missed Voice Message" spam with a huge number of random URLs belonging to compromised webservers. Each of the compromised webservers (usually ones whose FTP userids and passwords the spammer harvested in previous malware runs) has a newly created .php or .pl file that contains an encoded redirector to a pharmaceutical website.

On February 20th, the advertised spam all redirected to one of more than fifty compromised webservers, each of which then redirected to a Canada Health & Care Mall website. The advertised URLs have a simple Javascript obfuscation to try to hide the true destination, such as this page:

gjhqv1="\x30";qnnt2="\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x64\x69\x65\x74\x70\x68\x61\x72\x6D\x61\x63\x79\x2E\x63\x6F\x6D";setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x71\x6E\x6E\x74\x32\x3B",gjhqv1);

When interpreted as Javascript, the second assignment sets "qnnt2" to "http://thedietpharmacy.com" (every "\x" pair is just a hex-escaped character), and the "setTimeout" portion runs the decoded code "window.top.location.href=qnnt2;" after a delay of "gjhqv1" milliseconds, which is "0". In other words, the browser is sent to thedietpharmacy.com immediately.
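As an added example (not code from the original post), here is a static decoder for the redirector above that recovers the destination without running the script; its regexes assume this specific pattern of hex-escaped string variables plus one setTimeout call.

```javascript
// Added example (not code from the original post): statically decode the kind of
// hex-escaped JavaScript redirector quoted above and recover where it sends the
// browser, without evaluating the script. The parsing rules are assumptions about
// this one obfuscation pattern (string variables plus a single setTimeout call).

// The snippet quoted in the post; String.raw keeps the \x escapes as literal text.
const SAMPLE_REDIRECTOR = String.raw`gjhqv1="\x30";qnnt2="\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x64\x69\x65\x74\x70\x68\x61\x72\x6D\x61\x63\x79\x2E\x63\x6F\x6D";setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x71\x6E\x6E\x74\x32\x3B",gjhqv1);`;

// Replace \xNN and \uNNNN escapes with the characters they encode.
function decodeEscapes(text) {
  return text
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Collect every `name="..."` assignment in the script, decoding each string value.
function collectStringVars(src) {
  const vars = {};
  const assignment = /([A-Za-z_$][\w$]*)\s*=\s*"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = assignment.exec(src)) !== null) vars[m[1]] = decodeEscapes(m[2]);
  return vars;
}

// Resolve a token that is a quoted string, a numeric literal or a known variable name.
function resolveToken(token, vars) {
  const quoted = token.match(/^"((?:[^"\\]|\\.)*)"$/);
  if (quoted) return decodeEscapes(quoted[1]);
  if (/^\d+$/.test(token)) return token;
  return Object.prototype.hasOwnProperty.call(vars, token) ? vars[token] : null;
}

// Returns { target, delayMs, timerCode, vars } for a setTimeout-based redirector,
// or null when the script does not follow that pattern.
function analyzeRedirector(src) {
  const vars = collectStringVars(src);
  // setTimeout(<string or variable>, <number or variable>)
  const timer = src.match(
    /setTimeout\(\s*("(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*)\s*,\s*("(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*|\d+)\s*\)/
  );
  if (!timer) return null;
  const timerCode = resolveToken(timer[1], vars);
  const delay = resolveToken(timer[2], vars);
  if (timerCode === null || delay === null) return null;
  // The decoded timer body is expected to look like `window.top.location.href=<var>;`
  const nav = timerCode.match(
    /(?:window\.)?(?:top\.|parent\.|self\.)?location(?:\.href)?\s*=\s*("(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*)/
  );
  if (!nav) return null;
  const target = resolveToken(nav[1], vars);
  if (target === null) return null;
  return { target, delayMs: parseInt(delay, 10), timerCode, vars };
}

// Stand-alone run: prints the recovered destination and delay of the quoted sample.
console.log(analyzeRedirector(SAMPLE_REDIRECTOR));
```

The same decoder applied to the other redirector files collected on February 20th would yield the four destination domains listed below without loading any of them.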

Reviewing 50 URLs of this type, with names such as "reactivates.php" or "bombarding.pl" or "gaelicizes.php", there were only four redirections:

canadavasomax.com
lossdietpharmacy.com
thedietpharmacy.com
wellnessasaletraining.com

each of which looked like this:

Monday, February 17, 2014

Interac Phishers try their hand at IRS

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of the (activate 1940 horror movie narrator voice) The POWER OF CROSS BRAND INTELLIGENCE (/activate). Here's what the website looked like:


Phish from: bursafotograf.com / profiles / interac / RP.do.htm

In this phish, the "big idea" is that you can escalate your IRS Tax Refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your Userid and Password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700.)

Things get quite fascinating though when we hide the graphics:

Why would an IRS phish have ALT TEXT for four of the largest Canadian banks? By looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish: First, the website Title is "INTERAC e-Transfer" ...

INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else simply by using either their email address or cell phone text messaging service. A Transaction code is texted/emailed from the payer to the recipient, allowing the recipient to log in to the Interac service and choose what account, and what bank, they would like to receive the funds into.

The phish has some Javascript at the top that includes variables like "var provinceList = new Array ("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");" and a pull-down menu with options "Select Institution", "Select Province or Territory" and "Select Credit Union."

As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as:

href = chasecustomerprofile
img src = chasecustomerprofile/css/images/chaseNew.gif .... but with "alt=CIBC"

href = navy/index.htm
img src = imgs/nfculogo.png  .... but with "alt=President's Choice Financial"

href = suntrust
img src = imgs/suntrust.png  .... but with "alt = RBC Royal Bank"

etc . . . 

Phishing Cross-Brand Intelligence

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system.

Here is a phish that was seen on June 21, 2013 on the website freevalwritings.com / wp / interacsessions / RP.do.htm

And another first seen on May 28, 2013 on the website anglaisacote.com / interac / RP.do.htm (note the common path on both of these, "interac/RP.do.htm", which matches the current IRS phish; RP.do.htm is used on the REAL Interac website).

Phishing & Spam Cross-Brand Intelligence

An interesting thing differentiates phishing emails from standard spam: while normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal money from Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually "130.13.122.25 / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website "ernursusleme.com / Connections / irsonlinedeposit /" which then forwarded the visitors to "bursafotograf.com / profiles / interac / RP.do.htm" which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on 130.13.122.25.

We found two sets of spam messages that advertised URLs on that host in our spam collection. One batch from January 8, 2014 and the other batch from January 28th and January 29th, 2014.

The January 28th and January 29th emails claimed to be from "From: USAA (USAA.Web.Services@customer.usaa.com)" with an email subject of "New Insurance Document Online".

Two of the emails were sent from 122.3.92.116 (Philippines) and one email was sent from 70.166.118.54 (Cox). What other emails were sent from those IP addresses?

Here are the emails from 122.3.92.116

Date | Subject | From Name | From Email
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 14, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 16, 2013 | Confirmation - personal information update | USAA | USAA.Web.Services@ customermail.usaa.com
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 23, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 30, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 5, 2014 | Notification of Limited Account Access | PayPal | PayPal@ abuse.epayments.com
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | TD Canada Trust | notify@ payments.interac.ca

And here are the emails from 70.166.118.54

Date | Subject | From Name | From Email
Jan 29, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@customermail.usaa.com
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 9, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com

The Power of Cross-Brand Intelligence

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!
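The two-hop pivot described in this post (advertised phish host, then the IPs that sent it, then everything else those IPs sent), as an added example that is not Malcovery's code. The message records are constructed from the tables above; the .invalid hosts and the brand keyword tagging are my own assumptions:

```python
from collections import Counter, defaultdict

# Constructed records modelled on the Spam Data Mine tables in this post, one
# tuple per message: (date, sender_ip, from_header, subject, advertised_host).
# 130.13.122.25, 122.3.92.116 and 70.166.118.54 are the addresses named in the
# post; the .invalid hosts are placeholders for the other campaigns' URLs.
MESSAGES = [
    ("2014-01-28", "122.3.92.116", "USAA <USAA.Web.Services@customermail.usaa.com>",
     "New Insurance Document Online", "130.13.122.25"),
    ("2014-01-29", "70.166.118.54", "USAA <USAA.Web.Services@customermail.usaa.com>",
     "New Insurance Document Online", "130.13.122.25"),
    ("2013-12-18", "122.3.92.116", "notify@payments.interac.ca",
     "INTERAC e-Transfer Received", "interac-phish.invalid"),
    ("2014-01-19", "122.3.92.116", "PayPal <paypal.feedback@email.com>",
     "Your dispute has been ended 01/20/2014: Get your money back", "paypal-phish.invalid"),
    ("2014-02-03", "70.166.118.54", "notify@payments.interac.ca",
     "INTERAC e-Transfer Received", "interac-phish.invalid"),
    ("2014-02-11", "70.166.118.54", "Wells Fargo Online <alerts@notify.wellsfargo.com>",
     "Wells Fargo ATM/Debit Card Expires Soon", "wf-phish.invalid"),
    ("2014-01-15", "198.51.100.7", "deals@newsletter.invalid",
     "Weekly deals", "shop.invalid"),  # unrelated bulk mail; must not get linked
]

# Substring of the From header -> brand being impersonated (analyst's tagging).
BRAND_KEYWORDS = {"usaa": "USAA", "paypal": "PayPal",
                  "interac": "Interac", "wellsfargo": "Wells Fargo"}


def brand_of(from_header):
    header = from_header.lower()
    for key, label in BRAND_KEYWORDS.items():
        if key in header:
            return label
    return "unknown"


def senders_advertising(messages, host):
    """Hop 1: every sending IP whose mail advertised a URL on the phish host."""
    return {ip for _, ip, _, _, adv in messages if adv == host}


def brands_from_senders(messages, sender_ips):
    """Hop 2: for each of those IPs, count the brands its other mail impersonated."""
    per_ip = defaultdict(Counter)
    for _, ip, frm, _, _ in messages:
        if ip in sender_ips:
            per_ip[ip][brand_of(frm)] += 1
    return per_ip


def cross_brand_pivot(messages, phish_host):
    """Link one phish host to every brand worked by the same sending machines."""
    ips = senders_advertising(messages, phish_host)
    per_ip = brands_from_senders(messages, ips)
    linked = sorted({b for counts in per_ip.values() for b in counts})
    return ips, per_ip, linked


if __name__ == "__main__":
    ips, per_ip, linked = cross_brand_pivot(MESSAGES, "130.13.122.25")
    for ip in sorted(ips):
        print(ip, dict(per_ip[ip]))
    print("brands linked:", linked)  # ['Interac', 'PayPal', 'USAA', 'Wells Fargo']
```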

Saturday, February 08, 2014

Highest Malware Spam Rate since April 2013

Since 2006, my lab at UAB, part of The Center for Information Assurance and Joint Forensics Research, has been gathering spam and finding creative ways to analyze it to find new threats. Last December we licensed that technology to form Malcovery Security, which has picked up the reins on the work of finding and reporting on new malicious threats in spam. Between the groups, we've evaluated nearly a billion spam messages, so when one of my analysts says they are seeing something "new" I pretty much listen to them.

This week they said "spam-delivered Malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding!

The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/Mastercard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!

Date | Messages reviewed | Count | Email Subject
Feb 5 | 1,066,187 | 171,186 | Bank of America Alert: Online Banking Security Measures
Feb 6 | 1,176,667 | 303,646 | ATTN: Important notification for a Visa / MasterCard holder!
Feb 7 | 1,113,739 | 267,445 | Some important information is missing

Those numbers indicate that for the last three days this single malware distributor was accounting for 16%, 25.8%, and 24% of all the spam we reviewed! How does that compare to normal? The previous day, February 4th, we considered the "Photos" malware campaign to be heavily spammed when it reached 5% of total spam volume for the day.

Microsoft's Security Intelligence Report (volume 15) showed spam message breakdown for the first half of 2013 like this:

Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon Bombing, broke all the records for the heaviest spam campaign distributing malware, as we wrote about in Boston Marathon Explosion Spam Leads to Malware. Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution about "Breaking News" emails ...

Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event. When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link. It’s also much easier to prevent them from suspecting that something is wrong with the message.

Here are some more details about the spam messages that were seen in the past three days:


Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped: (http is changed to hYYp and spaces added to URLs for your protection)


The IP addresses that would be most critical to block to protect your network would be these. Most of these addresses are on a Cloud hosting service in Russia, "clodo.ru", some on the ASN - St. Petersburg, Russia (clodo.ru) - AS48172 OVERSUN and others on AS56534 PIRIX-INET-AS PIRIX, ltd.

The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash = b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that URL as of this timestamp, which is showing greatly improved detection over my original run. ESET, Kaspersky, and Microsoft are all agreeing this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.

Spamming Computers analysis

How often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days. ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5. ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6. ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.

ss5ip ∩ ss6ip = 22,500 shared IPs
ss6ip ∩ ss7ip = 25,405 shared IPs
ss5ip ∩ ss7ip = 18,261 shared IPs
16,255 IPs were seen in all three campaigns.

107,987 unique IPs were seen if we combine all three campaigns.

Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were 86.64.142.28 (France, 158 messages) and 200.123.8.123 (Peru, 142 messages).

I geo-coded those IP addresses that sent more than 10 emails to us, which was a total of 21,955 IP addresses from 141 countries. A very unusual number of IP addresses, more than 45%, are from Spanish-speaking countries. At some point this botnet probably enlarged itself through Spanish-language spam- or website-based malware.

 ES  3052 - Spain
 AR  2148 - Argentina
 US  1841 - United States
 CO  1387 - Colombia
 MX  1374 - Mexico
 IT  1263 - Italy
 DE  1025 - Germany
 PE   915 - Peru
 RO   876 - Romania
 BR   833 - Brazil
 GB   666 - Great Britain
 CL   634 - Chile
 FR   537 - France
 IL   489 - Israel
 CA   379 - Canada
 PL   342 - Poland
 TR   325 - Turkey
 BG   267 - Bulgaria
 PT   259 - Portugal
 GR   238 - Greece
 VE   238 - Venezuela
 AT   183 - Austria
 RS   180 - Republic of Serbia
 EC   131 - Ecuador
 CH   118 - Switzerland
 IN   116 - India
 CZ   104 - Czech Republic
 PA   104 - Panama
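The sending-computer analysis above (per-day sender sets, their intersections and union, messages per IP, and the country tally of IPs above the 10-message threshold), as an added example that is not the lab's own tooling. The sender log and the IP-to-country table are constructed stand-ins, and the overlap function is written for any number of campaign days rather than just the three in the post:

```python
from collections import Counter
from itertools import combinations
from statistics import mean, median

# Constructed stand-in for the sender logs behind ss5ip/ss6ip/ss7ip: one
# sender_ip entry per message received on that campaign day. The real lists
# held tens of thousands of IPs; these documentation addresses are made up so
# the same computations can be followed by hand.
CAMPAIGNS = {
    "Feb 5": ["203.0.113.1"] * 12 + ["203.0.113.2"] * 3 + ["198.51.100.9"],
    "Feb 6": ["203.0.113.1"] * 15 + ["203.0.113.2"] * 4 + ["192.0.2.44"] * 11,
    "Feb 7": ["203.0.113.1"] * 9 + ["192.0.2.44"] * 2 + ["198.51.100.9"],
}
# Constructed IP -> country table standing in for the geo-coding step.
GEO = {"203.0.113.1": "ES", "203.0.113.2": "AR",
       "192.0.2.44": "US", "198.51.100.9": "RO"}
SPANISH_SPEAKING = {"ES", "AR", "CO", "MX", "PE", "CL", "VE", "EC", "PA"}


def make_log(campaigns=CAMPAIGNS):
    return [(day, ip) for day, ips in campaigns.items() for ip in ips]


def ips_by_day(log):
    """The per-day sender sets (the post's ss5ip, ss6ip, ss7ip)."""
    days = {}
    for day, ip in log:
        days.setdefault(day, set()).add(ip)
    return days


def overlap_report(days):
    """Pairwise intersections, IPs seen every day, and the combined unique count."""
    pairs = {f"{a} & {b}": len(days[a] & days[b]) for a, b in combinations(days, 2)}
    every_day = len(set.intersection(*days.values()))
    unique = len(set.union(*days.values()))
    return pairs, every_day, unique


def sender_stats(log, min_messages=10):
    """Mean/median messages per IP, top talkers, the heavy senders above the
    threshold, and their country tally (the post geo-coded those sending > 10)."""
    per_ip = Counter(ip for _, ip in log)
    counts = list(per_ip.values())
    heavy = {ip for ip, n in per_ip.items() if n > min_messages}
    countries = Counter(GEO.get(ip, "??") for ip in heavy)
    return mean(counts), median(counts), per_ip.most_common(2), heavy, countries


def spanish_share(countries):
    """Fraction of geo-coded heavy senders located in Spanish-speaking countries."""
    total = sum(countries.values())
    return sum(n for c, n in countries.items() if c in SPANISH_SPEAKING) / total


if __name__ == "__main__":
    log = make_log()
    print(overlap_report(ips_by_day(log)))   # ({'Feb 5 & Feb 6': 2, ...}, 1, 4)
    avg, med, top, heavy, countries = sender_stats(log)
    print(avg, med, top, sorted(heavy), dict(countries))
    print(f"{spanish_share(countries):.0%} of heavy senders are in Spanish-speaking countries")
```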

Sunday, February 02, 2014

GameOver Zeus now uses Encryption to bypass Perimeter Security
