Thursday, February 26, 2009

Another Password Stealer hides as Bank of America video malware

One of our top spam campaigns today at the UAB Spam Data Mine is the newest Snifula/Gozi password stealing trojan, this time disguised as a Bank of America malware.

I'll go ahead and give you the text of their warning, because this is just hilarious on a website THAT INTENDS TO PLANT A KEYLOGGER ON YOUR COMPUTER!

Changes to the Online Security Policy !

Bank of America would like to make you, a valued customer of Bank of America, aware of a form of online fraud - keylogging - that could adversely affect your business and your employees. Keylogging, a process used to steal confidential information such as names, account numbers, and other personal information, is fast becoming one of the most prevalent online threats used by data thieves and fraudsters.

What you can do
We strongly encourage you to take steps today to lower the chance of a keylogger or any other form of malware being installed on your personal computer or your business machines. Here are guidelines to assist you.

1. Install 128-bit logging protection software on all computers: Download now
Installation is quick and simple - download BofAsetup.exe - double click downloaded file - finish installation.

This will reduce the risk of internal fraud, while at the same time making it more difficult for outside programs to find both of your company's user names and passwords...

The email, which we've seen several hundred times so far, will contain a link to one of the following websites:

Faithful readers will already know that these will have all been created today, using the Chinese registrar Its almost not worth looking up, the pattern is so predictable. But, lest we be accused of not being thorough, we did. Yeah, its There are always five domains, all sharing the same nameserver, in this case,

The spam message itself has used FIFTY different subject lines:

Adopt Best Practices Online - Bank of America
Always "Log-off" Internet Banking first then close your browser - Bank of America
Always remember to Log-Off Internet Banking - Bank of America
Avoid accessing your online banking information at Internet or Cyber cafes - Bank of America
Bank of America, and/or Banc of America security # apply updates
Bank of America, and/or Banc of America security # Ensure that your operating system has all latest patches and updates installed.
Bank of America, and/or Banc of America security # Ensure that your operating system updated.
Bank of America, and/or Banc of America security # latest patches and updates installation.
Bank of America, and/or Banc of America Security alert
Bank of America, and/or Banc of America security measures
Bank of America, and/or Banc of America security measures 2008
Bank of America, and/or Banc of America security measures 2008 you can take to protect your company
Bank of America, and/or Banc of America security measures you can take to protect your company
Bank of America, N.A. (BANA) and/or Banc of America also provides extensive information regarding identity theft prevention
Bank of America, N.A. (BANA) and/or Banc of America has developed a Fraud Prevention Checklist
Bank of America, N.A. (BANA) and/or Banc of America has developed a new 128 bit sofware
Bank of America, N.A. (BANA) and/or Banc of America has developed an update for log in page
Bank of America, N.A. (BANA) and/or Banc of America has developed new anti-Fraud feature
Bank of America, N.A. (BANA) and/or Banc of America has developed new free protection tool
Bank of America, N.A. (BANA) and/or Banc of America has developed serious protection
Bank of America, N.A. (BANA) and/or Banc of America has developed special file protection
Bank of America, N.A. (BANA) and/or Banc of America is committed to providing you with a convenient, safe and secure online banking
Bank of America, N.A. (BANA) and/or Banc of America News - security development
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use 128 bit file
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use fraud prevention procedures
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use security update
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use updated browser
Bank of America, N.A. (BANA) and/or Banc of America recommend to review your account security
Bank of America, N.A. (BANA) and/or Banc of America would like to announce latest update
Bank of America, N.A. (BANA) and/or Banc of America would like to inform you lates development
Bank of America, N.A. (BANA) and/or Banc of America would like to inform you news
Bank of America, N.A. (BANA) and/or Banc of America would like to inform you security updates
Bank of America, N.A. (BANA) and/or Banc of America would like to open new security features
Bank of America, N.A. (BANA) and/or Banc of America would like to stop fraud practice
Check your computer manufacturer's (hardware/operating system) Web site for "patches"
Do not share your Internet Banking User name and Password with anyone - Bank of America
Don't share access to your computer with strangers - Bank of America
Financial data confidential at all times - Bank of America
Install Firewall software on your home and networked computers - Bank of America
Learn about computer infections and be aware of the latest computer viruses - Bank of America
Memorize your Password and Bill Pay Security Key and never write it down or reveal it to anyone - Bank of America
Only provide information that you initiate through an application - Bank of America
Our systems and security procedures- Bank of America
Protect them and change your Passwords on a regular basis - every 60 days - Bank of America
Protect Your Computer - Bank of America
Protected from unauthorized use - Bank of America
The security of your information is paramount- Bank of America
This will help prevent others from being able to view your online banking information - Bank of America
Use a combination of both letters and numbers - Bank of America.
Your Log-In Information - Bank of America
Your Password to your online account information - Bank of America

The faithful readers will also already know that these websites are all "Fast Flux hosted", and that they use the same Fast Flux network as the ASProx phishing spam.

So, for example, the IP address, Shaw Communications in Calgary, is hosting our current video malware, but has also been seen hosting malware (which is Snifula/Gozi), such as domains such as, , as well as the current "Net Teller" phishing campaign on domains like,,,,, and -- the "Comerica" phishing on domains such as,,,,,

Of course there are hundreds of other hacked home computers which are also hosting these domains. The five that currently come back when I make a query are:

And, lest I miss the chance to remind you, YOUR ANTI-VIRUS SOFTWARE WILL NOT PROTECT YOU. The current detection of this malware is THREE of 39 products can identify this virus:

Don't rely on your Anti-Virus software, rely on being a smart Internet user.

Good luck!

Wednesday, February 25, 2009

Money Tight? Watch out for Coupon Offers from CyberCriminals

While investigating the Waledac malware, UAB malware analysts Brian Tanner and Thom Savage discovered a new scam targeting those who may be feeling the economic pinch.

Over Valentine's Day weekend, the UAB Spam Data Mine had revealed dozens of websites spreading a fake Valentine's Day ecard as a way of tricking users to visit websites which would infect their computer with the Waledac virus.

When revisiting the same domains, Tanner and Savage, who study in the UAB Computer Forensics program, found that they now contained a Coupon website instead of a Valentine's Day e-Card.

Based on the new evidence, the students logged in to the UAB Spam Data Mine looking for new coupon scams, and quickly identified emails, with URLs such as:

The website includes a geo-location code, so that the page seems to offer coupons localized for where your computer is located. In our case, the pages offered coupons for "Birmingham, United States" on a page that looked like this:

A quick Google search found that "" is a real company, based in Cummings, Georgia, run by Amy Bergin. (We've left her a voicemail to offer our assistance). Her website looks like this:

Some of the many domain names used in the current coupon scam malware are:

The malware name changes with nearly every visit, however we have seen it named:


Some of the other email subjects we received were:

All sales on one site
Useful information, Look at it!
You'll thank me
You can find such coupons and sales only here! Up to 90% off!
You will be appreciated
A good way to save money is to use these coupons

Like the Valentine's Day e-card malware last week, this malware is HUGE. More than 438 KB - or more than 10 times larger than much of the malware we see.

The current version gives this report from VirusTotal:

9 of 39 anti-virus products detecting. Notably neither AVG, McAfee, Symantec, or TrendMicro know that this is a virus at this time.

Friday, February 13, 2009

Javeline Spins an Identity Theft Survey

Kevin Poulsen at Wired Debunked Javeline's Identity Theft Report already, but I can't help myself from lending an outraged voice to the matter.

I'm not sure if I've ever seen such a blatant spinning of the facts to meet the desires of a research sponsor. Read this statement from Javelin's report, which was funded by Wells Fargo and Intersections, Inc., an online identity protection company:

Despite the hefty blame - largely perpetuated by the media - placed on the Internet and cyber-crime, online identity theft methods (phishing, hacking and malware) only accounted for 11% of fraud cases in 2008.

How did they reach that absolutely amazing and so absolutely inaccurate statement?

Let's look at the methodology. First, they did a survey of 4,784 people. Among them they found roughly 10% who called themselves a victim of identity fraud. 487 people.

Next they asked those 487 people if they knew where their fraud originated? 157 people said they did, and the other 330 people said they did not. Then they asked those 157 people how it occurred, and 11% of them said it had occurred "online" while another 11% said it had occurred via a "data breach".

According to the Pie Chart javeline then presents 43% of identity fraud victims had their wallet stolen while 19% had their data stolen during a transaction, and 13% of them had their data stolen through "friendly" identity theft - such as a family member using their knowledge of you to take out a loan using your credit.

What is their recommendation then?

Preventing theft of your information doesn't require spending money on security products or even a whole lot of effort. Practicing safe habits in your day-to-day activities can go far in reducing your risk of becoming a victim. Covering the keypad as you enter your PIN at the ATM, keeping sensitive documents in a locked drawer at home, or shredding old financial statements -- these are all considered basic precautionary measures that are easy and work to your benefit.

Really? Didn't you just say my three highest risks are having my wallet stolen, a transaction (which I would think of as a clerk or waiter stealing my credit card data) or a family member stealing my data? How does covering the ATM, and shredding old financial statements help with that? In fact NONE of the methods reported involved stealing my trash!

But let's get back to the big fallacy of the report -- the elephant in the room that Javelin chooses not to talk about.


I can answer that one for you. It was stolen through Data breaches, Malware, Phishing, and Online. It was stolen by the waitress with the skimmer in her apron pocket, and it was stolen by the gas pump that silently reads your credit card data and sends it to the criminal. It was stolen by the website that you bought your kids Christmas present from, that used an insecure shopping cart and gave all its credit card and order data to criminals. It was stolen in the TJX Breach where more than 90 million credit cards were picked up, and it was stolen by the keylogger that is STILL on your computer that you can't find because no antivirus product can detect it.

According to Microsoft's Security Intelligence Report 5, which we coverend in this blog November 11th -- more than 11 million American computers had malicious trojans, backdoors, spyware, or password stealers on them in the first half of 2008!

Some security researchers are reporting that just ONE banking trojan -- Torpig -- stole the bank accounts of More than 300,000 people!. Since Torpig is almost impossible for the average computer user to detect and remove thanks to the "Mebroot" root kit, those people would all be examples of the folks who had no idea how their data was stolen.

WAKE UP, Javelin! Just because people notice their wallet is missing and don't notice the keylogger on their computer does not mean that there is not a risk online!

Although I'm sure your online identity protection survey sponsor had a big smile on their face as they handed you the check for your unbiased report.

Thursday, February 12, 2009

New Trend: Stimulus Scammers

With news of the President's Stimulus package dominating the media, it was only a matter of time before one of our long-time scammers decided to prey on the American public that way. Today we'll look at three "Stimulus Check" spam messages and show you how they are linked to a long-lived scam campaign.

Its been almost exactly a year since the Federal Trade Commission charged Member Source Media for deceptive advertising by email. In that case, A $200,000 Fine was levied against them for email advertisements claiming you could get "free" products and then requiring the consumer to jump through the hoops of completing multiple "offers" and likely never receiving any payment at all. You can read all the details of the case in the 18 page judgement for Civil Penalties and Permanent Injunctive Relief.

As you'll see below, the current case looks exactly like the previous one, which also included offers such as "Claim your $500 Target Gift Card Now". The current scammers seem to prefer WalMart and IKEA gift cards, but the sentiment is the same.

Here are three sets of Email, Web Entry Page, Personal Data Page . . . in each case the domain in the spam does not match the ultimate page to which you are rerouted.

While that certainly looks like they are asking where you want to send your stimulus check, they in fact have no intention of sending you any money.

Again, doesn't it look like they intend for you to receive a check? Be sure not to give them ANY of your personal information!

In whichever of these scams you choose to look at, the bottom line comes down to this. In order to receive any payment whatsoever, you have to complete their "rewards participation programs".

This isn't about getting a Stimulus check at all, and has nothing at all to do with the government. We can prove this to ourselves by looking at some of the other scams these hucksters offer.

For instance, if I choose "config=5421" on, I'm being promised a $1,000 Visa Gift Card.
5420 = Free Pair of Fit Flops
5419 = Free Samsung Washer & Dryer
5418 = North Face Denali Jacket FREE!

So what's the scam?

Now that they have your email address, mailing address, telephone number, and in this case, estimated household income, its time for them to reveal their hand.

To get your check, you have to complete "2 Silver Offers, 2 Gold Offers, and 6 Platinum Offers" from their partners, all within the next 60 days, *AND* you have to personally recruit someone else who *ALSO* has to complete all the offers within 60 days. If you fail to complete all your offers, OR you fail to recruit a friend who completes all the offers, you don't get your check.

Some of the offers include . . .

Trying a Credit Reporting Service
Trying a Make-up Sample Kit
Trying Acai Berry Slim MD
Signing up for NetFlix
Signing up to learn about Government Grant Money
Signing up to learn how to make money on eBay
Signing up for Wrinkle Cream
Signing up for Silkies Hosiery
Taking a Video Professor computer lesson
Signing up for a Disney Movie Club
Trying the Cosmetique 5-Piece Sistina Collection
Signing up for a Disney Movie Library
Ordering Business Cards
Signing up to Learn a Language with OnLingo
Joining the Crafter's Book Club

and on, and on, and on . . .

Apparently the penalty of a $200,000 fine from the FTC is not enough of a threat to prevent this new group of scammers from continuing where Chris Sommer and friends left off last year.

If anyone in the FTC's Bureau of Consumer Protection would like many samples of such emails, just let me know. The UAB Spam Data Mine would be happy to provide!

We have many examples even just this year of
$500 Disney Gift Card
Victoria's Secret Gift Card
$1000 Wal-Mart Gift Cards
$1000 North Face Gift Card

Here are some of the "offers" you have to fulfill from "" if you want to get your Free Jet Blue Airline Tickets:
Example Offers

If you don't like Jet Blue you can get Free SouthWest Tickets instead.

Of course there are still plenty of Free Laptops, like this one:
or this one:
from Simple Free Rewards
or get His and Hers Laptops

And we've still get SamSung Washers & Dryers.

Wednesday, February 11, 2009

February 2009 Black Tuesday Report - Critical Exchange Server Patch

We interrupt our regularly scheduled Valentine's Day Spam Countdown for an important message about Microsoft Black Tuesday. Yesterday's patches contain a special one for Exchange Server administrators.

The Patch, labeled MS09-003, addresses a vulnerability in "Transport Neutral Encapsulation", or TNEF attachments. These are the ones that non-Exchange users frequently see as a "winmail.dat" file. Basically, its possible for an attacker to create a Rich Text Format file (.RTF) or an X.400 attachment, and send it using TNEF in such a way that when your Exchange Server processes the message, it can corrupt memory on the server, allowing the attacker to remotely execute "arbitrary commands".

It is at least provable in theory that an email message can be crafted then, to execute any command it wants to on your Exchange Server.

The National Vulnerability Database labels this CVE-2009-0098 and gives this Overview:

Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability."

A second related bug allows an embedded MAPI command to be used to cause the Microsoft Exchange System Attendant service and other services that use EMSMDB32 to stop responding to messages, which would pretty much hang Exchange.

That sound pretty much like a Must Patch Now situation. Exploit code has not been seen in the wild yet, and Microsoft's Exploitability Index prediction is that "Inconsistent Exploit Code is Likely" with the most probable result leading to "Denial of Service". The "Remote Execution of Arbitrary Code" sounds like it would be much more challenging to pull off.

Bogdan Materna of VoIPShield Systems is thanked by Microsoft for reporting the underlying issue that lead to MS09-003.

The other big one this month is the standard Internet Explorer Security Roll-up patch. This one is MS09-002 and has two new ways for website authors to add code to their web pages to give them the ability to execute arbitrary code on your windows computer with the same rights as the logged in user.

The first vulnerability is called an "Uninitialized Memory Corruption Vulnerability" and deals with the security context for deleted items.

The second vulnerability is called a "CSS Memory Corruption Vulnerability" and is an attack based on how IE handles Cascading Style Sheets.

The recommended work-around is the same as it always has been for Internet Explorer. Create a "Trusted Sites" zone in your IE settings, and only allow programs to use ActiveX or Active Scripting if they are in your Trusted sites zone!

A special caution is given about surfing the web as Administrator as well . . .

"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

This latter set of vulnerabilities was shared with Microsoft by Tipping Point and the Zero Day Initiative. Sam Thomas, who works with both, is credited with the CSS Memory Corruption.

We'll be back with more Valentine's Day Spam from the UAB Spam Data Mine tomorrow.

Monday, February 09, 2009

Traveler Scams: Email Phishers Newest Scam

Last Friday I had a phone call that sounded like an opportunity to look at a new scam from end-to-end. A retired school teacher in the Birmingham, Alabama area had received an email from a friend, claiming that she was stranded in London, and needed funds urgently to get home. The friend promised to repay the funds as soon as she arrived home safely.

The school teacher wondered if I was interested in the email from a computer forensics perspective. I asked her if her friend used Yahoo or Hotmail, because these are the main targets I've seen in Traveler Scams so far. She also told me that she had sent an email to her friend asking if she had really sent the strange email.

I told her that unfortunately her friend would not be able to reply, because she was almost certainly not in control of her email box. I laid out the normal course of a Traveler Scam for my new friend and asked her if she had a telephone number for her supposed traveler to see how many of our facts we could confirm.

In a normal Traveler Scam here is the layout:

Step One: The Traveler receives an email claiming that unless they reply to the email with their own email password their account will be closed. This is why we categorize this attack as an Email Phish. Someone sends an email, claiming to be a person in authority over your account, and claiming that unless you reply with a password something bad will happen.

Step Two: The Phisher then logs in to the Travelers account, using their real password. They then CHANGE the password, so that the Traveler can no longer access their email.

Step Three: The Phisher reads all the email in the Traveler's account, looking for people who might be "friends".

Step Four: All of the Traveler's Friends get an email, from the Traveler's normal email address, saying "I'm out of the country suddenly and (something bad has happened) and (I need you to send me money immediately to get home)"

Step Five: Because the email REALLY CAME from the Traveler's REAL EMAIL ADDRESS, the Friends are able to send replies, and receive answers, to convince them that this is a real email.

So, that's the theory. How did it play out in our particular example from last Friday?

Here is the email the Friend received from the Traveler, originating from an address which the Friend regularly uses to correspond with the Traveler:

Sent: Saturday, February 07, 2009 3:45 AM

I am sorry I didn't inform you about my traveling to Europe for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Europe which are Dublin,Scotland and England,I am persently in England,London.

I misplaced my wallet on my way to the hotel where my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $2,800 US Dollars to sort-out my hotel bills and get myself back home.

I will appreciate whatever you can afford to send the money today.i'll pay you back as soon as i return,Let me know if you can assist. please use this information to send the money to me.I wait your quickly respond.

Of course there were many alarms that went off for the Friend. There are clear grammatical mistakes, in addition to the statement that "Dublin" is a "major country in Europe", which set off the alarms. So, what did the Friend do?

She emailed the Traveler to ask if this was really her. After she spoke to me, and then the Traveler, by telephone, she received an additional email reply from the hotmail account:

Sent: Saturday, February 07, 2009 3:45 AM

Please note the Email is legitimate,I am stranded in London now,I will appreciate whatever you can afford,I'll pay you back upon my return. dont deny me this help now, hence this happen to be The Greatest help you can render to me so far as a Friend I will feel honored if you dont ignore this request.

So, what was the experience like for the Traveler?

It was exactly as we had supposed it would be.

The Traveler received an email claiming to be from the Administrator of, telling her that Hotmail was running out of space and was going to have to close any accounts which were not being used. In order to prove that it was really her using the account, she needed to reply to the email and give her name, email address, and password, so that they would know not to close her account.

The next time she tried to log in to Hotmail, she couldn't get in. Her password had been changed.

Note that this scam is NOT an original, but we have been hearing quite a few recent reports of it. A Google search on some of the phrases in the email will show that its been seen as early as May of 2008, with a big surge in September and October of 2008 as well, and that there is also an Asian version, which was seen as early as August 2008.

In this case, we also looked at the original headers on the email from the Traveler, who lives in Atlanta, Georgia. I wasn't too surprised to find that the Traveler's account was being logged into from Nigeria.

X-Originating-IP: []

inetnum: -
netname: DOP1-20070404
descr: Wireless Broadband Internet service ,VSAT
country: NG
address: Direct-on-PC Limited
address: Plot B, Block 1
address: Illupeju Industrial avenue
address: Illupeju
address: Lagos
address: Nigeria
address: NG
phone: +234-1-2701700
fax-no: +234-1-2713554

It seems this scam is surging again . . . perhaps the "Yahoo Boys" have just rediscovered this scam...

I am in hurry writing you this message and am really sorry I didn't inform you about my traveling to Malaysia for a program called "Empowering Youth to Fight Racism, HIV/AIDS, Poverty and Lack of Education. The program is taking place in three major countries in Asia, which are Taiwan, Singapore and Malaysia. It has been a very sad and bad moment for me, the present condition that i found myself is very hard for me to explain.

I am really stranded in Malaysia because I forgot my little bag in the Taxi where my money, passport, documents, cell phone which i have all my contacts and other valuable things were kept on my way to the Hotel am staying, I am facing a hard time here because i have no money on me. I now owe a hotel bill of $1,400 and they wanted me to pay the bill soon or else they will have to seize my bag and hand me over to the Hotel Management. I need this help from you urgently to help me back home, I need you to help me with the hotel bill and i will also need $2,000 to feed and help myself back home. So please can you help me with a sum of $3,400 USD to sort out my problems here?

(the latter email included details on how to send a Western Union payment to their hotel)

Please let me know if you've received a Traveler Scam email. My research team is gathering samples to share with appropriate folks at email providers and law enforcement.

Gary Warner
Director of Research
UAB Computer Forensics