Saturday, October 31, 2009

Facebook Safety & Million Member Facebook Groups

Two of my friends today invited me to join "Million User" facebook groups. Not that it matters really, but the two groups were:

PETITION FOR FACEBOOK TO INSTALL A DISLIKE BUTTON...NEED 1,000,000 MEMBERS ASAP..INVITE EVERYONE YOU KNOW TO JOIN

and

If 1,000,001 people join, Facebook will re-install the old News Feed!


The first group, IN SIX DAYS, has grown from 1 user to 401,200 users! Some of you are cheering saying, YES! Now Facebook will be FORCED to have a "Dislike" button!

The second group now has 719,000 users! HINT: Despite the topic, Facebook is not going to re-install the old News Feed.

Would you like to see the secret truth about why people create "million user groups"?

Enter the seedy world of the online advertiser. Not the Madison Avenue advertising companies, but the punks who sit at home and devise ways to advertise their wares through spam, SEO (search engine optimization), and social network spam. They are making more money than you, and filling our lives with virtual junkmail, and in many cases, malware.

Note that what they are doing below is probably NOT illegal. Slimy, yes. Illegal? No. Although it may violate Facebook rules, that's an issue for Facebook, not the police.

Here's an example post from a forum on a "Black Hat" website. The forum is in a group called:

Black Hat Forum > Black Hat SEO > Social Networking Sites > FaceBook

The user "almir" is a typical user there. After each of his messages to his shady advertising friends, he signs with his own advertisement -- claiming that he controls a Facebook Group with 550,000 members, and he'll post your message to his group for $800. Almir says that between his groups, he has about 2 million people he can post to on Facebook. At his peak he was making about $250 per day from his ads, and he says on a good day, he could make $600. Lets see. 365 * 250 = $91,250 per year. Not bad money for making up reasons that a million people should join your group.

Another user there, "LeDave", claims he controls more than 100 Facebook groups, and the ads that he posts there generate between 6,000 and 7,000 clicks per day to "ClickBank". (ClickBank is an affiliate advertising site where you get paid every time someone follows your link. Following the links makes money for the guy controlling the Facebook group. If the users BUY things, you get a commission.) LeDave claims he was the creator of the "1,000,000 members against the new facebook layout" group. He claims he grew that group to more than 3 million users! Why? So he could make money selling links to his members!

One of the other members has a group with 1.5 million users. He offers to help newbie advertisers "get launched" by recommending their group to his users for the low low price of $100 per recommendation.

(this information from the thread . . .

http://www.blackhatworld.com/blackhat-seo/facebook/130560-facebook-groups-finally-getting-makeover-hard-make-viral-group-again.html

)

So, remember that the next time you join a "million member group", what you are really doing is helping these advertisers make it easier to spam you with their ads. While it may seem a great "social cause", its not. Nobody cares if 1 million people join the group. Except the guy getting paid for it.

Here are a few other "of course, we should join that!" million member groups:

I bet I can find 1,000,000 people who hate cancer
Members: 1,609,864 members

I bet I can still find 1,000,000 people who dislike George Bush!
Members: 968,146 members

1,000,000 Hamish and Andy Fans by 01/01/10
Members: 731,824 members

1,000,000 AGAINST THE NEW FACEBOOK LOOK!!!
Members: 713,565 members

"WE HAVE TO SAVE FACEBOOK" PETITION - 1,000,000 PEOPLE NEEDED!!!!!
Members: 466,648 members

I Bet I Can Find 1,000,000 People Who Just Want Peace
Members: 379,282 members

Not saying that all those groups are advertising driven. Just suggesting that its a serious possibility.

Yes, I like Facebook! (But not all the Apps)



Are you surprised? Yes, I'm a Cybercrime Investigations guy who likes Facebook. I give a "Privacy & Security" lecture to our CIS 105 class each term at the University where I warn of the dangers of Social Network Sites, but when used properly, I love Facebook (for play) and LinkedIn (for work).

In my lectures I warn of things like having your privacy settings set too broadly - sharing your information with the whole world - and things like installing Applications without understanding who wrote them or what their Terms of Service are.

Facebook has been getting better with setting rules for their developers, but its still important to know what access and rights developers have to your personal information when you use their apps. My general rule is that if I don't know the developer, I don't install the app. For instance, I play PopCap games in Facebook. I've used their apps for years, I've worked with their tech support, and I trust them to do the right thing. I have no idea who wrote the Facebook Application "How Long Will You Survive When Zombies Rule the World", but 1,461,000 Facebook users have trusted them to do the right thing with their personal data. To install the app in Facebook (as with every app) I am cautioned:

By proceeding, you are allowing How long will you survive when zombies over run the world? to access your information and you are agreeing to the Facebook Terms of Use in your use of How long will you survive when zombies over run the world?


I'm not so trusting with strangers. (No offense, Zombie dudes. Random example from things I was invited to install today.)

Those "Terms of Use" link you to the "About Platform" page, which reminds you that when you install an application, you are giving the developer of that application permission to access such things as:

your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, your relationship status, your dating interests, your relationship interests, your network affiliations, your education history, your work history, your course information, copies of photos in your photo albums, metadata associated with your photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your in-box, the total number of "pokes" you have sent and/or received, the total number of wall posts on your Wall, a list of user IDs mapped to your friends, your social timeline, notifications that you have received from other applications, and events associated with your profile.



If you want to know more about Applications on Facebook, here are the new policies that Application Developers have to agree to follow -- Facebook: Developer Principles and Policies.

Tips for Facebook Users, From Facebook


I know the guys at Facebook and have been very pleased with how pro-active they are with responding to security issues, and with warning their users. If you haven't seen these steps, you should definitely check them out.

Facebook: Protecting Account Security

Facebook: Privacy Settings and Fundamentals

There are lots of other great tips from Facebook. I would encourage users (and parents of children who use Facebook) to visit their Help Center to learn more.

Wednesday, October 28, 2009

FACEBOOK PHISH! Users Beware!

The FDIC spam campaign that we reported on yesterday in our story Fake FDIC Spam Campaign Spreads Zeus has already moved on to its next attack. Now its trying to steal your Facebook passwords in what appears at first glance to be a "traditional" phishing attack. (Please see the end of this article for an update on how this "phish" actually is another Zeus malware infection vector.)



The UAB Spam Data Mine has already received more than 250 copies of the new phishing email this morning, which claims:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.

Before you are able to use the new login system, you will be required to update your account.

Click (here) to update your account online now.

If you have any questions, reference our New User Guide

Thanks,
The Facebook Team


The email is fake, of course, and so are the websites they point to. So far we've identified 31 unique domain names registered by the criminal for use in this Facebook account.

The website looks like this:



UAB Malware Analyst Brian Tanner took the new Facebook Phish for a drive through the lab, and confirmed that this is NOT JUST A PHISH - in fact it might not be a traditional phish at all. Its actually a Zeus Bot installer, pointing at the same command & control site as yesterday's FDIC version of Zeus:



Clicking on the prompted "UpdateTool.exe" is the infection vector for Zeus. According to the VirusTotal Report for this malware, only 8 of 41 AV products are currently labelling this executable as malware.

File size: 105472 bytes
MD5 : 1198d2ddf09061fbfb70de423cde059f

Update 29OCT09 AM


Spam for this campaign is still coming fast and furious to the UAB Spam Data Mine. More than 200 fresh copies were received already this morning.

File size: 105984 bytes
MD5...: 6aad88ba4805b2daa4fc6106a5376065

A
VirusTotal report
for the current version is showing 9 of 41 detections.

Update - 01NOV2009


From October 27th until November 1st, we've seen 242 different domain names used by this campaign. Here are the ones that are currently live at this point in time (5:25 PM) --

www.facebook.com.heratsb.eu
www.facebook.com.heratsd.eu
www.facebook.com.heratsf.eu
www.facebook.com.heratsg.eu
www.facebook.com.heratsh.eu
www.facebook.com.heratsk.eu
www.facebook.com.heratsl.eu
www.facebook.com.heratsm.eu
www.facebook.com.heratsn.eu
www.facebook.com.heratso.eu
www.facebook.com.heratsq.eu
www.facebook.com.heratsr.eu
www.facebook.com.heratss.eu
www.facebook.com.heratst.eu
www.facebook.com.heratsy.eu
www.facebook.com.lllujiob.eu
www.facebook.com.lllujioc.eu
www.facebook.com.lllujiod.eu
www.facebook.com.lllujiof.eu
www.facebook.com.lllujiog.eu
www.facebook.com.lllujioh.eu
www.facebook.com.lllujioi.eu
www.facebook.com.lllujioj.eu
www.facebook.com.lllujion.eu
www.facebook.com.lllujiot.eu
www.facebook.com.lllujiov.eu
www.facebook.com.lllujiox.eu
www.facebook.com.lllujioy.eu
www.facebook.com.lllujioz.eu
www.facebook.com.ttteraa.eu
www.facebook.com.ttterab.eu
www.facebook.com.ttterac.eu
www.facebook.com.ttterad.eu
www.facebook.com.ttterae.eu
www.facebook.com.ttteraf.eu
www.facebook.com.ttterag.eu
www.facebook.com.ttteran.eu
www.facebook.com.ttteraq.eu
www.facebook.com.ttterav.eu
www.facebook.com.ttterax.eu
www.facebook.com.ttteraz.eu

Here is the full list . . .

www.facebook.com.edilokqf.eu
www.facebook.com.edilokqi.eu
www.facebook.com.edilokqm.eu
www.facebook.com.edilokqn.eu
www.facebook.com.edilokqr.eu
www.facebook.com.edilokqs.eu
www.facebook.com.edilokqu.eu
www.facebook.com.edilokqv.eu
www.facebook.com.edilokqw.eu
www.facebook.com.edilokqx.eu
www.facebook.com.eiye1ua.eu
www.facebook.com.eiye1uc.eu
www.facebook.com.eiye1ue.eu
www.facebook.com.eiye1uf.eu
www.facebook.com.eiye1ug.eu
www.facebook.com.eiye1ur.eu
www.facebook.com.eiye1us.eu
www.facebook.com.eiye1ut.eu
www.facebook.com.eiye1uv.eu
www.facebook.com.fasazab.eu
www.facebook.com.fasazad.eu
www.facebook.com.fasazae.eu
www.facebook.com.fasazaf.eu
www.facebook.com.fasazag.eu
www.facebook.com.fasazam.eu
www.facebook.com.fasazan.eu
www.facebook.com.fasazav.eu
www.facebook.com.heratsb.eu
www.facebook.com.heratsd.eu
www.facebook.com.heratsf.eu
www.facebook.com.heratsg.eu
www.facebook.com.heratsh.eu
www.facebook.com.heratsk.eu
www.facebook.com.heratsl.eu
www.facebook.com.heratsm.eu
www.facebook.com.heratsn.eu
www.facebook.com.heratso.eu
www.facebook.com.heratsq.eu
www.facebook.com.heratsr.eu
www.facebook.com.heratss.eu
www.facebook.com.heratst.eu
www.facebook.com.heratsy.eu
www.facebook.com.herrazzb.eu
www.facebook.com.herrazzd.eu
www.facebook.com.herrazzf.eu
www.facebook.com.herrazzg.eu
www.facebook.com.herrazzh.eu
www.facebook.com.herrazzj.eu
www.facebook.com.herrazzk.eu
www.facebook.com.herrazzo.eu
www.facebook.com.herrazzr.eu
www.facebook.com.herrazzt.eu
www.facebook.com.herrazzu.eu
www.facebook.com.herrazzv.eu
www.facebook.com.herrazzy.eu
www.facebook.com.ibbaswza.eu
www.facebook.com.ibbaswzd.eu
www.facebook.com.ibbaswze.eu
www.facebook.com.ibbaswzf.eu
www.facebook.com.ibbaswzr.eu
www.facebook.com.iokasqzc.eu
www.facebook.com.iokasqze.eu
www.facebook.com.iokasqzh.eu
www.facebook.com.iokasqzr.eu
www.facebook.com.iokasqzt.eu
www.facebook.com.iokasqzy.eu
www.facebook.com.ioooliob.eu
www.facebook.com.iooolioc.eu
www.facebook.com.iooolioe.eu
www.facebook.com.ioooliog.eu
www.facebook.com.iooolioq.eu
www.facebook.com.iooolior.eu
www.facebook.com.iooolios.eu
www.facebook.com.ioooliot.eu
www.facebook.com.ioooliov.eu
www.facebook.com.ioooliow.eu
www.facebook.com.ioooliox.eu
www.facebook.com.iooolioy.eu
www.facebook.com.lef1asza.eu
www.facebook.com.lefassza.eu
www.facebook.com.lefaszab.eu
www.facebook.com.lefaszac.eu
www.facebook.com.lefaszad.eu
www.facebook.com.lefaszak.eu
www.facebook.com.lefaszam.eu
www.facebook.com.lefaszan.eu
www.facebook.com.lefaszav.eu
www.facebook.com.lefaszax.eu
www.facebook.com.lefaszxa.eu
www.facebook.com.lefawsza.eu
www.facebook.com.lllujiob.eu
www.facebook.com.lllujioc.eu
www.facebook.com.lllujiod.eu
www.facebook.com.lllujiof.eu
www.facebook.com.lllujiog.eu
www.facebook.com.lllujioh.eu
www.facebook.com.lllujioi.eu
www.facebook.com.lllujioj.eu
www.facebook.com.lllujion.eu
www.facebook.com.lllujiot.eu
www.facebook.com.lllujiov.eu
www.facebook.com.lllujiox.eu
www.facebook.com.lllujioy.eu
www.facebook.com.lllujioz.eu
www.facebook.com.mibbbad.co.uk
www.facebook.com.mibbbad.me.uk
www.facebook.com.mibbbad.org.uk
www.facebook.com.mibbbah.co.uk
www.facebook.com.mibbbah.me.uk
www.facebook.com.mibbbah.org.uk
www.facebook.com.mibbbal.co.uk
www.facebook.com.mibbbal.me.uk
www.facebook.com.oooeasec.eu
www.facebook.com.oooeasef.eu
www.facebook.com.oooeaseg.eu
www.facebook.com.poresawa.eu
www.facebook.com.poresawd.eu
www.facebook.com.poresawe.eu
www.facebook.com.poresawg.eu
www.facebook.com.poresawj.eu
www.facebook.com.poresawo.eu
www.facebook.com.poresawq.eu
www.facebook.com.poresaws.eu
www.facebook.com.poresawt.eu
www.facebook.com.poresawu.eu
www.facebook.com.poresawv.eu
www.facebook.com.poresawx.eu
www.facebook.com.qqqqasc.eu
www.facebook.com.qqqqasd.eu
www.facebook.com.qqqqasf.eu
www.facebook.com.qqqqasg.eu
www.facebook.com.qqqqash.eu
www.facebook.com.qqqqasj.eu
www.facebook.com.qqqqask.eu
www.facebook.com.qqqqasl.eu
www.facebook.com.qqqqaso.eu
www.facebook.com.qqqqasr.eu
www.facebook.com.qqqqasy.eu
www.facebook.com.saaasaj.eu
www.facebook.com.saaasak.eu
www.facebook.com.saaasam.eu
www.facebook.com.saaasav.eu
www.facebook.com.saaasay.eu
www.facebook.com.saxzask.co.uk
www.facebook.com.saxzask.me.uk
www.facebook.com.saxzask.org.uk
www.facebook.com.saxzasl.co.uk
www.facebook.com.saxzasl.me.uk
www.facebook.com.saxzasl.org.uk
www.facebook.com.saxzasv.co.uk
www.facebook.com.saxzasv.me.uk
www.facebook.com.saxzasv.org.uk
www.facebook.com.saxzasy.co.uk
www.facebook.com.sazzawe.co.uk
www.facebook.com.sazzawe.eu
www.facebook.com.sazzawe.me.uk
www.facebook.com.sazzawf.co.uk
www.facebook.com.sazzawf.eu
www.facebook.com.sazzawf.me.uk
www.facebook.com.sazzawk.co.uk
www.facebook.com.sazzawk.eu
www.facebook.com.sazzawk.me.uk
www.facebook.com.sazzawl.co.uk
www.facebook.com.sazzawl.eu
www.facebook.com.sazzawl.me.uk
www.facebook.com.sazzawy.co.uk
www.facebook.com.sazzawy.eu
www.facebook.com.sazzawy.me.uk
www.facebook.com.ttteraa.eu
www.facebook.com.ttterab.eu
www.facebook.com.ttterac.eu
www.facebook.com.ttterad.eu
www.facebook.com.ttterae.eu
www.facebook.com.ttteraf.eu
www.facebook.com.ttterag.eu
www.facebook.com.ttteran.eu
www.facebook.com.ttteraq.eu
www.facebook.com.ttterav.eu
www.facebook.com.ttterax.eu
www.facebook.com.ttteraz.eu
www.facebook.com.ujtqwaq1.co.uk
www.facebook.com.ujtqwaq1.eu
www.facebook.com.ujtqwaq1.me.uk
www.facebook.com.ujtqwaq1.org.uk
www.facebook.com.ujtqwaqb.co.uk
www.facebook.com.ujtqwaqb.eu
www.facebook.com.ujtqwaqb.me.uk
www.facebook.com.ujtqwaqb.org.uk
www.facebook.com.ujtqwaqk.co.uk
www.facebook.com.ujtqwaqk.eu
www.facebook.com.ujtqwaqk.me.uk
www.facebook.com.ujtqwaqk.org.uk
www.facebook.com.ujtqwaqm.co.uk
www.facebook.com.ujtqwaqm.eu
www.facebook.com.ujtqwaqm.org.uk
www.facebook.com.ujtqwaqo.co.uk
www.facebook.com.ujtqwaqo.eu
www.facebook.com.ujtqwaqo.me.uk
www.facebook.com.ujtqwaqo.org.uk
www.facebook.com.xxxasqwa.eu
www.facebook.com.xxxasqwe.eu
www.facebook.com.xxxasqwi.eu
www.facebook.com.xxxasqwk.eu
www.facebook.com.xxxasqwl.eu
www.facebook.com.xxxasqwo.eu
www.facebook.com.xxxasqwp.eu
www.facebook.com.xxxasqwr.eu
www.facebook.com.xxxasqwt.eu
www.facebook.com.xxxasqwu.eu
www.facebook.com.xxxasqwy.eu
www.facebook.com.xxxasqwz.eu
www.facebook.com.yhheaszb.eu
www.facebook.com.yhheaszc.eu
www.facebook.com.yhheasze.eu
www.facebook.com.yhheaszf.eu
www.facebook.com.yhheaszh.eu
www.facebook.com.yhheaszi.eu
www.facebook.com.yhheaszq.eu
www.facebook.com.yhheaszu.eu
www.facebook.com.yhheaszv.eu
www.facebook.com.yhheaszy.eu
www.facebook.com.yy1azsva.eu
www.facebook.com.yy1azsvc.eu
www.facebook.com.yy1azsvq.eu
www.facebook.com.yy1azsvz.eu
www.facebook.com.yyy1asvf.eu
www.facebook.com.yyy1azsy.eu
www.facebook.com.yyy1azvg.eu
www.facebook.com.yyy1zsve.eu
www.facebook.com.yyyaszai.eu
www.facebook.com.yyyaszal.eu
www.facebook.com.yyyaszao.eu
www.facebook.com.yyyaszap.eu
www.facebook.com.yyyaszaq.eu
www.facebook.com.yyyaszar.eu
www.facebook.com.yyyaszau.eu
www.facebook.com.yyyaszay.eu
www.facebook.com.yyyazsvd.eu
www.facebook.com.zaaaasaa.eu
www.facebook.com.zaaaasag.eu
www.facebook.com.zaaaasaq.eu
www.facebook.com.zaaaasaz.eu

Tuesday, October 27, 2009

Fake FDIC spam campaign spreads Zeus malware

The UAB Spam Data Mine is continuing to experience high volumes of spam claiming to be from the Federal Deposit Insurance Corporation. FDIC.gov spam is using two email subjects:

FDIC has officially named your bank a failed bank
you need to check your Bank Deposit Insurance Coverage

The email messages claim to be from the email address consumeralerts@fdic.gov, which is a real email address used by the FDIC, but obviously being forged by the malware distributors in this situation.

Here's an example email:



You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:

* Visit FDIC website: http://www.fdic.gov/bankinsured/failed/personalfile/holder.php?email=youremail@yourdomain.com&id=233388521333599678361293755617839671

* Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

Federal Deposit Insurance Corporation


The website to which you are directed looks like this:



The website offers a copy of "your personal FDIC Insuranace file" to see whether your coverage has been impacted. The website seems to offer this file as either an Adobe PDF file or a Microsoft Word file. In reality, the first is named "pdf.exe" and the second is named "word.exe", which are both the same file - a 105,472 byte executable file.

A VirusTotal report indicates that currently 9 anti-virus products are able to label this version of the malware, which we expect will be changed regularly by the criminals:

File size: 105472 bytes
MD5 : f4007a6af6dc841cd2961a8b3d2fbb8e

The detections declare it to be Zeus Bot, and UAB Malware Analyst Brian Tanner examined the malware in the lab and confirmed the same, identifying the location of the command & control server and sharing that information with appropriate law enforcement officials.


So far UAB researchers have identified 93 unique domains registered and used by the criminals for this campaign:

www.fdic.gov.h1erfae.eu
www.fdic.gov.h1erfai.eu
www.fdic.gov.h1erfaj.eu
www.fdic.gov.h1erfaq.eu
www.fdic.gov.h1erfar.eu
www.fdic.gov.h1erfat.eu
www.fdic.gov.h1erfau.eu
www.fdic.gov.h1erfaw.eu
www.fdic.gov.h1erfay.eu
www.fdic.gov.milki1a.co.uk
www.fdic.gov.milki1a.me.uk
www.fdic.gov.milki1e.me.uk
www.fdic.gov.milki1i.co.uk
www.fdic.gov.milki1l.co.uk
www.fdic.gov.milki1l.me.uk
www.fdic.gov.milki1y.me.uk
www.fdic.gov.nyuh1awa.eu
www.fdic.gov.nyuh1awb.eu
www.fdic.gov.nyuh1awc.eu
www.fdic.gov.nyuh1awd.eu
www.fdic.gov.nyuh1awe.eu
www.fdic.gov.nyuh1awf.eu
www.fdic.gov.nyuh1awg.eu
www.fdic.gov.nyuh1awh.eu
www.fdic.gov.nyuh1awm.eu
www.fdic.gov.nyuh1awn.eu
www.fdic.gov.nyuh1aws.eu
www.fdic.gov.nyuh1awt.eu
www.fdic.gov.nyuh1awv.eu
www.fdic.gov.nyuh1awx.eu
www.fdic.gov.nyuh1awz.eu
www.fdic.gov.ookilfd.eu
www.fdic.gov.ookilfe.eu
www.fdic.gov.ookilff.eu
www.fdic.gov.ookilfg.eu
www.fdic.gov.ookilfh.eu
www.fdic.gov.ookilfj.eu
www.fdic.gov.ookilfk.eu
www.fdic.gov.ookilfs.eu
www.fdic.gov.ookilfv.eu
www.fdic.gov.ookilfx.eu
www.fdic.gov.pouikib.eu
www.fdic.gov.pouikic.eu
www.fdic.gov.pouikie.eu
www.fdic.gov.pouikig.eu
www.fdic.gov.pouikiq.eu
www.fdic.gov.pouikir.eu
www.fdic.gov.pouikis.eu
www.fdic.gov.pouikit.eu
www.fdic.gov.pouikiv.eu
www.fdic.gov.pouikiw.eu
www.fdic.gov.pouikix.eu
www.fdic.gov.pouikiy.eu
www.fdic.gov.tt1qwa1.co.uk
www.fdic.gov.tt1qwa1.eu
www.fdic.gov.tt1qwa1.me.uk
www.fdic.gov.tt1qwae.eu
www.fdic.gov.tt1qwae.me.uk
www.fdic.gov.tt1qwaq.co.uk
www.fdic.gov.tt1qwaq.eu
www.fdic.gov.tt1qwaq.me.uk
www.fdic.gov.tt1qwar.co.uk
www.fdic.gov.tt1qwar.eu
www.fdic.gov.tt1qwar.me.uk
www.fdic.gov.tt1qwat.co.uk
www.fdic.gov.tt1qwat.eu
www.fdic.gov.tt1qwat.me.uk
www.fdic.gov.tygerah.co.uk
www.fdic.gov.tygerah.eu
www.fdic.gov.tygerah.me.uk
www.fdic.gov.tygerak.co.uk
www.fdic.gov.tygerak.eu
www.fdic.gov.tygerak.me.uk
www.fdic.gov.tygerat.co.uk
www.fdic.gov.tygerat.eu
www.fdic.gov.tygerat.me.uk
www.fdic.gov.tygeraw.co.uk
www.fdic.gov.tygeraw.eu
www.fdic.gov.tygeraw.me.uk
www.fdic.gov.tygeraz.co.uk
www.fdic.gov.tygeraz.eu
www.fdic.gov.tygeraz.me.uk
www.fdic.gov.yh1qab.co.uk
www.fdic.gov.yh1qab.eu
www.fdic.gov.yh1qab.me.uk
www.fdic.gov.yh1qak.co.uk
www.fdic.gov.yh1qak.eu
www.fdic.gov.yh1qal.co.uk
www.fdic.gov.yh1qal.eu
www.fdic.gov.yh1qal.me.uk
www.fdic.gov.yh1qao.co.uk
www.fdic.gov.yh1qaz.co.uk
www.fdic.gov.yh1qaz.eu

Of these, 38 domains are currently live:

www.fdic.gov.h1erfau.eu
www.fdic.gov.ookilfd.eu
www.fdic.gov.ookilfe.eu
www.fdic.gov.ookilff.eu
www.fdic.gov.ookilfg.eu
www.fdic.gov.ookilfh.eu
www.fdic.gov.ookilfj.eu
www.fdic.gov.ookilfk.eu
www.fdic.gov.ookilfs.eu
www.fdic.gov.ookilfv.eu
www.fdic.gov.ookilfx.eu
www.fdic.gov.pouikib.eu
www.fdic.gov.pouikic.eu
www.fdic.gov.pouikie.eu
www.fdic.gov.pouikig.eu
www.fdic.gov.pouikiq.eu
www.fdic.gov.pouikir.eu
www.fdic.gov.pouikis.eu
www.fdic.gov.pouikit.eu
www.fdic.gov.pouikiv.eu
www.fdic.gov.pouikiw.eu
www.fdic.gov.pouikix.eu
www.fdic.gov.pouikiy.eu
www.fdic.gov.tygerah.co.uk
www.fdic.gov.tygerah.eu
www.fdic.gov.tygerah.me.uk
www.fdic.gov.tygerak.co.uk
www.fdic.gov.tygerak.eu
www.fdic.gov.tygerak.me.uk
www.fdic.gov.tygerat.co.uk
www.fdic.gov.tygerat.eu
www.fdic.gov.tygerat.me.uk
www.fdic.gov.tygeraw.co.uk
www.fdic.gov.tygeraw.eu
www.fdic.gov.tygeraw.me.uk
www.fdic.gov.tygeraz.co.uk
www.fdic.gov.tygeraz.eu
www.fdic.gov.tygeraz.me.uk



UPDATE!

- 27OCT09 4PM in Alabama:

The FDIC's Sandra L. Thompson, Director of the Division of Supervision and Consumer Protection has provided an update to this emerging threat on their website:

http://www.fdic.gov/news/news/SpecialAlert/2009/sa09183.html

We're currently down to 16 "live" sites that we've seen in this afternoon's FDIC spam:

www.fdic.gov.ookilfh.eu
www.fdic.gov.ookilfj.eu
www.fdic.gov.ookilfs.eu
www.fdic.gov.pouikib.eu
www.fdic.gov.pouikic.eu
www.fdic.gov.pouikie.eu
www.fdic.gov.pouikig.eu
www.fdic.gov.pouikiq.eu
www.fdic.gov.pouikir.eu
www.fdic.gov.pouikis.eu
www.fdic.gov.pouikit.eu
www.fdic.gov.pouikiv.eu
www.fdic.gov.pouikiw.eu
www.fdic.gov.pouikix.eu
www.fdic.gov.pouikiy.eu
www.fdic.gov.pouikif.eu

Thursday, October 22, 2009

FBI and SOCA make a media splash at RSA Europe

I'm returned, sleep-deprived and jet-lagged, from back-to-back conferences in the Seattle area. First there was the Microsoft-hosted Digital Crimes Consortium, which combined three prior conferences - Law Enforcement Tech, Digital PhishNet, and the Botnet conference, into one. With some 400 attendees from more forty different countries, many great international law enforcement collaborations will come from that event. Microsoft was a fantastic host, as always, and the law enforcement folks got a special "badges only" day at the beginning of the conference to learn about new tools from Microsoft to help in the fight against cybercrime.

Next was the Anti-Phishing Working Group / IEEE eCrime Researchers Summit, where UAB students Brad Wardman and Gaurang Shukla and I presented a paper on analyzing phishing URLs to reveal underlying website vulnerabilities being exploited by cyber criminals. Many great papers were presented by academics from around the world, and encouraged by some great corporate and law enforcement participants to continue this growing area of research. The APWG staff, and Randal Vaughn from Baylor, and the whole gang from Internet Identity put together a great conference! Friends from Citibank, Google, PhishLabs, SilverTail, eBay, Affilias, SupportIntelligence, Cyveillance and others shared great industry perspectives to help inform the academics of their pain points that could benefit from research, as well as sharing research of their own. I was especially excited to learn of some fellow dataminers at University of Ballarat, Australia, and to see what they are doing with phishing email detection, but there was a great crowd of researchers presenting from Mississippi State, Texas State, Carnegie Mellon, University College Dublin, University of Konstanz, and University of Buffalo. You'll be able to read all the papers in the near future through the IEEE Proceedings.

But I have to say, despite the jet-lag, I really wish I was at RSA Europe right now. The big news today was a presentation by FBI Supervisory Special Agent Keith Mularski and Andy Auld from the Serious and Organised Crime Agency (SOCA).

I'm tired, so I'm going to let the media tell the story . . . please read the articles below and accept my apologies for not writing my own.

Some of the articles had to take the mud-slinging side of the story:

"Russian Police and Internet Registry Accused of Aiding Cybercrime" (eweek Europe)

"SOCA: Russian Cyber Gang Bribed Police" (ZD Net)

Still, the important points did make it through the hype machine:

"FBI and SOCA need help" (Computer Weekly)

where Keith Mularski says "A partnership with the IT Security industry is important" and Andy Auld, head of intelligence and e-crime at SOCA says "The US, UK, Germany, Netherlands, and Australia have all joined forces to form a taskforce to tackling this international problem."

"FBI and SOCA Seek Help From Security Teams" (V3)

Some saw it as painting a gloomy future:

"Experts See Forecast Worsen for Cybercrime" (PC World)


While others painted it in a more sensational positive light:

"FBI and SOCA plot cybercrime smackdown: White hats get proactive on e-crime" (The Register)

I've worked with both guys in the past, and I know how I'm interpreting the presentation: We've got a big problem we are facing, and only through global cooperation by law enforcement AND industry can we solve it. That's the same messages we heard at Digital Crimes and the same message we heard at APWG eCrimes, but unlike the past, the current round of conferences wasn't just talk. It was presentation after presentation of how the cooperation is actually working!

I have to give one shout-out while I'm blogging. It was great to make a new Russian friend, Pavel, who came all the way to Tacoma to share the message that there are plenty of "good guys" in Russia. Thanks for making the trip, Pavel!

Wednesday, October 21, 2009

Phishing For Love: Banking Insiders

This week in the Eastern District of Pennsylvania, an indictment was unsealed against Miguel Bell, Christopher Russell, Michael Merin, Kareem Russell, and Tamika Brown for their actions in stealing more than $1 Million from Citizens Bank, PNC Bank, Wachovia Bank, M&T Bank, Provident Bank, and SunTrust Bank. Michael Levy, US Attorney in that district, brought the charges.

This entire article is a summation of the charges from the extremely detailed sixty-one page indictment.

The five were charged with the following violations:

18 U.S.C. § 371 - conspiracy to commit bank fraud and aggravated identity theft
18 U.S.C. § 1344 - bank fraud -8 counts
18 U.S.C. § 1028A - aggravated identity theft - 34 counts
18 U.S.C. § 2 - aiding and abetting

The charges resulted from activities between September 1, 2005 and November 30, 2008.

Miguel Bell



Miguel Bell is accused of being the ringleader in the scheme, which consisted of stealing identifying information and account numbers, and then having "check runners" pose as the bank customers and cash fraudulent checks from the accounts belonging to those whose identities they were using.

Bell developed his information feed by pursuing romantic relationships with bank employees and one insurance company employee, and after gaining their trust, compelling them to provide bank information, customer account numbers, and personal identifying information including names, addresses, dates of birth, social security numbers, and driver's license numbers. Bell's love interests also rented cars which he provided to the check runners in order to cash out the accounts.

Bell also required Michael Merin, Rashin Owens, and David Tunnell to recruit bank employees to provide the same information he was getting from his love interests.

Bell verified high account balances by calling the banks' automated banking telephone services.

Bell provided his check runners with fraudulent driver's licenses and to have them photographed, and also provided them with fake checks and "cheat sheets" to help them memorize their new identity. On many occasions he provided transportation and maintained cell phone contact with the check runners while they went into the banks.

Bell took the largest share of all the proceeds, and was in charge of distributing funds to others. Check runners were recruited, used for a day, and paid at the end of the day.

Christopher Russell


The indictment describes Christopher Russell as "the right hand man". Among his roles in the scheme he verified bank balances and recruited check runners, often in exchange for illegal drugs or money for illegal drugs. He accompanied check runners to be photographed for their fraudulent driver's licenses. He provided the identity cheat sheets and fraudulent checks to the check runners, and instructed them on their tasks to perform. He often provided transportation and maintained cell phone contact with the check runners. He would often receive the payout from the check runner, and then pass most of the funds to Miguel Bell for further distribution, and paid the check runners.

Kareem Russell


Kareem is described as a "middle man" in the scheme. He primarily recruited runners, and provided all the same activites as Christopher Russell, including recruiting check runners, providing them with drugs or money for drugs, escorted runners to be photographed for fraudulent drivers licenses, and provided transporation, passed funds to Miguel, and paid his check runners from the proceedings.

Michael Merin


Merin was also called a "middle man", but concentrated on recruiting bank employees in addition to some check runners. Among those recruited:

- Jon Steffon of Citizens Bank (charged elsewhere)
- Kern Haynes of Citizens Bank (charged elsewhere)
- Marcus Nabried of Citizens Bank (charged elsewhere)

Tamika Brown


Tamika Brown was partnered with Christopher Russell and accompanied him in transporting his runners for photography and for fraudulent transactions. She also was in charge of providing the runners with clothes to wear for their photographs and fraud, and for arranging the rental of cars to be used in transporting the check runners.

Recruiting


PNC Bank Employee Tiffany Brodie was in contact with Miguel Bell from at least September 1, 2005 until June 30, 2006, and provided at least four bank accounts and associated personal information to Bell from her customers at PNC Bank.

Tiffany's information allowed check runner James Kennedy to steal $13,050 by pretending to be one of these customers. She also rented cars for Miguel.

Citizens Bank Employee Trena Smith was in contact with Miguel Bell from at least November 1, 2005 until December 20, 2005. She provided information on thirty-seven Citizens Bank account holders, which resulted in $390,039 being stolen by check runners Ralph Guy, Jennie Hill, Priscilla Torres and others, who presented fake ids claiming to be these customers.

Citizens Bank Employee Jon Steffon was recruited by Michael Merin and provided at least fourteen sets of identity data for his customers to Michael, which were used between May 1, 2006 and July 30, 2006 to steal $100,687 from Citizens Bank via check runners. "On or about" June 10, 2006, Miguel Bell possessed hand-written person information on five Citizens Bank account holders, written by Jon STeffon and given to Merin by Steffon. He also held three false Pennsylvanie driver's licenses and two false Delaware driver's licenses in those names, as well as Citibank MasterCards and fraudulent checks in those names.

Citizens Bank Employees Jamila Hamler, Marcus Nabried, and Tamea Hill provided personal information of twenty-seven account holders to Merin between July 1, 2006 and July 30, 2006. Tamea Hill provided at least four additional identities to Elton Harris and Rashin Owens, who passed the information to Miguel Bell. These identities were passed to James Kennedy and other check runners to accomplish $213,145 in theft.

Citizens Bank Employee Kern Haynes provided sixteen accounts to Michael Merin, who then passed the information to Bell and Christopher Russell. These identities were used by check runner Eileen Comire and others to accomplish at least $98,375 in theft.

Citizens Bank Employee Regina Tolliver provided information on seven Citizens Bank account holders which was used between March 1 and November 30, 2007 by check runners Richard Maden and Eileen Comire to withdraw $181,577 using their false identities.

Citizens Bank Employee Deonda Barnett provided twelve identities used to steal $24,172 using check runner Eileen Comire and another $18,312 using check runner James Howard.

Citizens Bank Employee Clarissa Gavin provided six account holder identities, which were used by check runner Tommy Antone Murray, Eileen Comire, David TUnnell and others to cash out $70,811.

Car Dealership Recruitment



Rashin Owens and David Tunnell recruited Damoon Hosseinzadeh, an employee at the car dealership "New Concepts, Inc." to provide identity information regarding customers of the dealership. These were used to take $37,900 from Commerce Bank with David Tunnell acting as the check runner.

Insurance Company Recruitment


Colonial Penn Insurance Company employee Lisa Bryant Nelso was used to provide bank account information for persons banking at Citizens Bank, Wachovia Bank, M&T Bank, Provident Bank, and SunTrust Bank.

Ten Citizens Bank identities provided by Nelson were used by check runners to cash out $33,833.

Twenty-five Wachovia identities provided by Nelson were used by check runners to cash out $134,935.

Twelve M&T Bank account identities provided by Nelson were used by check runners to cash out $53,085.

One Provident Bank identity provided by Nelson was used to cash out $7,000.

One SunTrust identity provided by Nelson was used to cash out $2,250.

The Check Runners


There were SO MANY Check Runners, including:
Ralph Guy, Jennie Hill, Priscilla Torres, Gregory Grayson, David Tunnell, Richard Maden, Eileen Comire, and James Kennedy. The indictment actually details their involvement, claiming . . .

Ralph Guy did 37 checks on identities from Pennsylvania, Vermont, Ohio, and Michigan stealing or attempting to steal $174,046.

Jennie Hill did 24 checks on identities from Indiana, New Hampshire, Vermont, Ohio, and Michigan stealing or attempting to steadl $104,422.

Priscilla Torres did 2 checks for $9,243 on identities from Pennsylvanie and Delaware. She also was the driver for other check runners on some occasions.

Gregory Grayson did one check for $2,500 on a New Jersey identity.

James Kennedy did four checks vs. PNC Bank and twenty checks vs. Citizens Bank using at least eleven identities to steal $61,600.

Eileen Comire did at least thirty-seven checks imitating at least twenty-seven account holders to steal at least $240,599 from Wachovia Bank, and an additional $186,913 from Citizens Bank using eighty-eight fraudulent checks and twenty-one account holder identities. She also uses twenty-two checks belonging to twelve M&T account holders to steal an additional $58,135 from M & T Bank.

David Tunnell did seven transactions totalling $41,900 from Commerce Bank using two different identities, and six transactions totalling $45,100 from Citizens Bank using three identities.

Richard Maden used five Citizens Bank identities to present twenty-nine fraudulent checks totalling $97,374.

Notice of Forfeiture


These criminals stand to lose all property, real or personal, that constitutes or is derived from proceeds traceable to the commission of such offenses - up to a value of $1,300,000.

Tuesday, October 20, 2009

TowerNet CapitalOne: Avalanche returns after 15 monthsOne

The Avalanche Botnet, which has been spamming phishing pages, and most recently the IRS Zeus campaign, has returned to traditional phishing. The UAB Spam Data Mine has received hundreds of samples today with subjects like this:

Download and install digital certificate
Enhancements: New Release
How to install digital certificate
Install Digital certificate
Install Digital Certificate software
Obtain Digital Certificate
Pick Up and Install Digital Certificate
Please install digital certificate software
Please read this important information concerning your privacy
Please Read: This Document Contains Important Information
This Document Contains Important Information



Advertised websites in this target group include:

towernet.capitalonebank.com.racder1c.net
towernet.capitalonebank.com.racder1x.com
towernet.capitalonebank.com.raeder1f.net
towernet.capitalonebank.com.rarder1g.com
towernet.capitalonebank.com.raxsder1.net
towernet.capitalonebank.com.rzasder1.com
towernet.capitalonebank.com.t1fliil.com
towernet.capitalonebank.com.t1fliil.net
towernet.capitalonebank.com.t1fliil.tc
towernet.capitalonebank.com.yyy1yyrd.co.uk
towernet.capitalonebank.com.yyy1yyre.co.uk
towernet.capitalonebank.com.yyy1yyrf.co.uk
towernet.capitalonebank.com.yyy1yyrg.co.uk
towernet.capitalonebank.com.yyy1yyrj.co.uk
towernet.capitalonebank.com.yyy1yyrk.co.uk
towernet.capitalonebank.com.yyy1yyrl.co.uk
towernet.capitalonebank.com.yyy1yyrm.co.uk
towernet.capitalonebank.com.yyy1yyro.co.uk
towernet.capitalonebank.com.yyy1yyrq.co.uk
towernet.capitalonebank.com.yyy1yyrr.co.uk
towernet.capitalonebank.com.yyy1yyrs.co.uk
towernet.capitalonebank.com.yyy1yyru.co.uk
towernet.capitalonebank.com.yyy1yyrv.co.uk
towernet.capitalonebank.com.yyy1yyrx.co.uk


The October 2009 Email



Dear Capital One TowerNetSM or Treasury Optimizer user,

As part of the new terms and conditions of the Data Access Agreement between your organization and the Capital One, your organization will be given a Digital Certificate.

Because of the private nature of the client data, worldwide access via Web to that data, and the potential for fraud, the system must be certain of user identity and authorization. Capital One online banking services use two security mechanisms:
1. Customer & User Codes and passwords to identify users; and
2. Digital certificates to ensure that the user is access the business services through a valid computer, in a trusted organization.

Each registered user must have the Capital One's digital certificate installed on his or her machine in order to access online banking services.

To pickup and install your Digital Certificate, please visit:

http://towernet.capitalonebank.com/capitaloneid/usersdir/formpage.aspx/index.php?em=mymail@mydomain.com&id=703121513513613724734835496595606706767090

Please do not respond to this message as it is generated automatically.


Thank you for choosing Capital One!

DO NOT REPLY TO THIS MESSAGE
To protect your privacy, this e-mail box is not equipped to handle replies. If you have any questions, please use the secure messaging options available through Online Banking or contact Customer Service at 1-877-442-3764.

This e-mail is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please contact Customer Service at 1-877-442-3764 immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else.

NOTICE ABOUT SERVICING E-MAILS
This e-mail contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

You may receive customer service e-mails even if you have requested not to receive e-mail marketing offers from Capital One.

Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. You can view our privacy policy and contact information at www.capitalone.com. This e-mail relates to financial services offered by the Capital One family of companies, including Capital One Bank (USA), N.A. and Capital One, N.A., members FDIC. ©2009 Capital One.
Capital One is a federally registered service mark. All rights reserved.



The information contained in this e-mail is confidential and/or proprietary
to Capital One and/or its affiliates. The information transmitted herewith
is intended only for use by the individual or entity to which it is
addressed. If the reader of this message is not the intended recipient,
you are hereby notified that any review, retransmission, dissemination,
distribution, copying or other use of, or taking of any action in reliance
upon this information is strictly prohibited. If you have received this
communication in error, please contact the sender and delete the material
from your computer.


A quick check in our spam data mine showed that we had many messages from July 9th to July 23rd, 2008 that looked very similar:

towernet.capitalonebank.com.mj.org.kg
towernet.capitalonebank.com.srv1.com.es
towernet.capitalonebank.com.mem.org.kg
towernet.capitalonebank.com.srv1.com.es
towernet.capitalonebank.com.srv2.com.es
towernet.capitalonebank.com.whymangame.org.es
towernet.capitalonebank.com.simongrog.com.es
towernet.capitalonebank.com.serversid.co.uk




The July 2008 Email



In July of 2008, the spam messages didn't actually take customers to a phishing page, but rather to a "Digital Certificate page". Now we have spam that is claiming to be a Digital Certificate, but actually just seems to be a phish. Some of the Summer of 2008 Digital Certificate domains targeting Capital One included:

dexoim.com
jimmedy.com
jioece.com
jioeres.com
klainey.com
maginele.com
mkeiop.com
niytec.com
nnerdix.com
poemils.com


Note: This is a service message regarding TowerNET Form.

Dear customer:

As part of the new security measures, all Capital One Bank business customers (including all former customers of North Fork bank) are required to complete TowerNET Form (or Treasury Optimizer Form). Please complete the form as soon as possible.

To select your form please click on the following link:

http://towernet.capitalonebank.com/onlineform/IDslcertificatedlls/userdirectory/stack/comdir/userform.aspx?ID=2987123067912365091827359023&refer=23987529

Thank you for being a valued customer.

Sincerely,

Online Banking Team

0x4685 create tmp QH3M X1Z end F1W6 XJKV exe XVRO. start: 0x6, 0x5609, 0x4 97925705631835442299918536989 0x67430426, 0x206, 0x3, 0x392 0x67, 0x988 0x2, 0x23, 0x01703069, 0x1, 0x4856 YTU: 0x0763, 0x43816681, 0x5182, 0x831, 0x99970266 IW8D: 0x6947, 0x4267, 0x07, 0x01751563, 0x9651, 0x373, 0x44043375, 0x5, 0x342, 0x5, 0x6101, 0x99, 0x0223, 0x58, 0x199 GJY: 0x1992, 0x78, 0x5, 0x348, 0x56, 0x409, 0x4538, 0x9683, 0x89015643, 0x44, 0x746, 0x03185899, 0x9, 0x3

end: 0x8, 0x2234, 0x8, 0x436, 0x07, 0x53322197, 0x2873, 0x41, 0x114, 0x6, 0x87, 0x7065, 0x74627088 media: 0x5 api: 0x264, 0x871, 0x9589 OT5 2IUL 0x7916, 0x2898, 0x320, 0x67922853, 0x0113, 0x4701, 0x7559, 0x8186, 0x5, 0x5639, 0x74679667, 0x4 920911942973 0x595 BDLA WH2. 0x4673, 0x16778534, 0x0, 0x9845, 0x423 QV1: 0x20765394, 0x9, 0x22851093, 0x0, 0x3, 0x53759855, 0x726, 0x8, 0x66030524 0x96413662, 0x7, 0x5

serv: 0x139, 0x5, 0x710, 0x871, 0x054, 0x6709, 0x037, 0x2, 0x6621, 0x02753076, 0x18651692, 0x5760, 0x881, 0x6691 0x43852370, 0x7292, 0x7, 0x0, 0x9 6U4: 0x25193089, 0x84976848, 0x6, 0x944, 0x350, 0x94990755, 0x3528, 0x51 YXO: 0x36, 0x50, 0x774, 0x64, 0x40539047, 0x89 578, file. 0x96291281, 0x24, 0x907, 0x0123, 0x3, 0x50, 0x0007, 0x1, 0x38693923, 0x5745, 0x39770877 4XFD: 0x50, 0x5, 0x76148701, 0x500, 0x77686479, 0x7463, 0x73962606, 0x51 0x24, 0x01601735, 0x3, 0x82, 0x54, 0x03, 0x2175, 0x57, 0x61 hex X5I9 exe 9AI api start. dec: 0x97, 0x0, 0x615, 0x3, 0x80455440, 0x25, 0x1, 0x61, 0x6, 0x69, 0x14, 0x61152270, 0x18, 0x33 9629819832066915873

45514408333619487641751706301863961 cvs: 0x85, 0x896, 0x95342281, 0x04 stack: 0x53, 0x71382978, 0x708, 0x0, 0x1, 0x9, 0x338, 0x265 D4HL: 0x61307749, 0x865, 0x647, 0x2002, 0x2, 0x1, 0x87, 0x22, 0x0561, 0x4, 0x31, 0x08


We actually ALSO saw this as "Rock Phish" back in April 2006 -

http://session421087.towernet.capitalonebank.com.kigrt.jp/customerservice/formpage
http://session6152365674.towernet.capitalonebank.com.kigrt.jp/customerservice/

Monday, October 19, 2009

Zipped Malware Attachments in Spam: Here comes Conflicker!

This morning I had a couple tweets from our friends at Arbor Networks. (I actually don't know who tweets their feed, but I always picture it as coming from my friend Jose Nazario...)

The first one said:

malcode being spammed as attachment in emails with subject line "Conflicker.B Infection Alert", claims to be from MSFT (follow: http://twitter.com/arbornetworks)

I checked the UAB Spam Data Mine, and saw that we were also seeing the same spam.


Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


A couple interesting spam features - first, although the "Sender name" on the spam is "Microsoft Windows Agent", the email actually is setup to use the recipient's own email address as the "From" email. This is a fairly common spammer trick - who blocks email from themselves?

The second interesting feature is that the email contains an attachment named "install.zip". We have been receiving spam for several days claiming to be a Microsoft Outlook update using "install.zip" as the name of the upgrade we should be installing:


You have (5) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.


That email was also "from yourself", using the name "support". The subject for that email was primarily:

Microsoft Outlook Notification for the (your email here)

We received our last Microsoft Outlook Notification email at 1:13 AM.

The very first Conflicker email arrived at 12:50 AM, and started coming in a steady stream by 1:05 AM.

I thought it would be interesting to show what Percentage of all the spam we receive at the UAB Spam Data Mine was a "Zipped Malware Attachment". MOST of these were named "install.zip", and contained "fake antivirus" updates, however some have been Zeus or Zbot infectors.


Zipped Malware has ranged from 2.5% to 6.8% of total spam during past two weeks

(Click for full-sized image)

One of the most interesting days represented by this graph was on October 14th, when we began to receive the spam labelled "new settings" in the graph above:


Dear user of the garsdomain.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox garsmail@garsdomain.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, garsdomain.com Technical Support.


The subject line on these emails was:

A new settings file for the (youremailhere) has just been released

The malware file size was 13063 bytes with MD5 = 8e84d473b6d2e0fa62e4021b09ea94b5.

At the same time, we had a huge number of nearly identical spam messages which instead of having the attachment, pointed to an Avalanche fast flux website and claimed to be a new Microsoft Outlook Web Application update, as we described in our October 14th blog entry: Targeted URLs in spam . . .OWA Settings update.

Other emails represented on this graph are given below:

Subject: Your internet access is going to get suspended

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team


Subject: Western Union transfer is available for withdrawl

Dear customer.

The amount of money transfer: 1037 USD.
Money is available to withdrawl.

You may find the Money Transfer Control Number (MTCN) and receiver's details in document attached to this email.

Western Union.
Customer Service.


Subject: UPS Delivery Problem Number 2321 (random number)

Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.


Subject: DHL Tracking Number 3YMH6JJY (Random tracking number)

Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.


Thank you for attention.
DHL Express Services.


Subject: Thank you for setting the order No.475456 (always that number)

Dear Customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.


Subject: You've received a postcard

Good day.

Your family member has sent you an ecard from 123greetings.com.

Send free ecards from 123greetings.com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days.
If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, open zip attached file.


Of course, no one should ever open a ".zip" file received as an email attachment, but be especially careful of this campaign!

Sunday, October 18, 2009

Hacked Newspaper loads Google News with malware sites

Certain news searches on the Google News site today were pointing users to some troubling websites which seemed to be hosted by the "Chipley Bugle". Having never heard of the Chipley Bugle, I first confirmed that it was a real newspaper from a few sources, including a visit to archive.org's Wayboack Machine, which confirms that the paper has been online since at least 2000.

This is the first time that I've seen a real newspaper used to feed malware-oriented news stories to Google News.

A search for News stories where the source was "chipley_bugle" starts out with normal stories for a small town paper, such as:

BBB reports great turnout
and
Chipola Little Indians program for grades 1-8

It falls apart pretty quickly after that. The next several hundred entries, all posted about 18 hours ago, are for "news stories" with pornographic names of all varieties, and incoherent news stories, such as:

www.privatevoyeur.com
Chipley Bugle - 18 hours ago
At this top benzi knows how to progress hr the ravaged significat and female-to-female time she exists in age to have an boyfriend.

or

www.egotastic.com
Chipley Bugle - 18 hours ago
Naked inmates must be reflected websites, critized producers , and began www.egotastic.com. Janice makes him a late law, flossing him ...

You can verify this behavior by going to Google News and searching for "source:chipley_bugle", although I would recommend not following any of the links!



Many of the "news stories", such as the one above, use the names of real porn websites. If the website is followed, it displays a webpage such as this one, which appears from the URL to actually be on the Chipley Bugle website!



The graphics are actually being called by the Chipley Bugle's website from "imageshack.us", but the webpage is being loaded by what looks to be some content injected into the newspapers content-management system.

A "real" news story for the Chipley Bugle uses a URL like this one:

http://www.chipleybugle.com/index.php?option=com_content&view=article&id=2464:fwc-fills-top-law-enforcement-position&catid=3:local-news&Itemid=23

All of the fake news stories that lead to porn sites use URLs like this one:

http://chipleybugle.com/graduation2009/sponsors/?option=com_content&view=article&id=2415:breast-cancer-awareness-symposium&catid=10:events&Itemid=98

Regardless of whether you say "Enter" or "Exit", the web page forwards thevisitor away from the newspaper site to very hard core porn site calling itself "PornTube". All of the images there lead to the following malware, by claiming a new Adobe Player is needed to view the movie:

The malware has these characteristics:

File name: adobeflashplayerv10.0.32.18.exe
File size: 17920 bytes
MD5 : 5f49907a0e20b4ddebc6c31bde9eb6f1

Its currently only detected by 8 of 41 anti-virus products at VirusTotal, however several anti-virus products will still protect from this type of attack by blocking the malicious website on which the malware is hosted:

davaidavai.cn

which is hosted in the Ukraine on the IP address 80.91.176.190.

This IP address is well-known as a malware infection site, hosting such domains as:

kon4a.org
allsearchweb.org
turbosoftware.org
tubeololo.org
trailerfobia.cn
videopublicclub.cn
xratedtube.cn
xvideostube.cn
go-xtube.cn
hugextube.cn
xmoviesarchive.cn
pumpingstorm.cn
prodaemdeshevo.cn
showallwebs.cn
exclusiveprices.cn
weblmovies.cn
go-xmovies.cn
klikaemnavidos.cn
archieprodaet.cn
ourbestsearch.info
allvideoz.info

again, avoid these webpages as they all lead to malware!

The newest web domain was created toay by a user using the email:

scaryscream@gmail.com

The registrar was one frequented by Ukrainian criminals regularly, the Chinese registrar: 广东时代互联科技有限公司 (also known as "now.cn").



Other in the group used other emails and registrars, such as:

ricm512@yahoo.com who used OnlineNIC
or
exshit@yandex.ru who used Directi Internet Solutions
or
win32parit.b@gmail.com who also used 广东时代互联科技有限公司

Wednesday, October 14, 2009

Targeted URLs in spam . . .OWA Settings update

All of our trap domains are seeing a new spam campaign today where the website being spammed actually SEEMS to be the email recipient's own domain.

The webpage claims to be a new Microsoft Outlook Web Access update.

Sample email:


Dear user of the mydomain.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (mymail@mydomain.com) settings were changed. In order to apply the new set of settings click on the following link:

http://mydomains.com/owa/service_directory/settings.php?email=mymail@mydomain.com&from=mydomain.com&fromname=mymail

Best regards, mydomain.com Technical Support


The email subjects which have been used have been:

A new settings for for the mymail@mydomain.com mailbox has just been released
For the owner of the mymail@mydomain.com mailbox
The settings for the mymail@mydomain.com mailbox were changed

In this entire post, remember that where "mymail@mydomain.com" will be replaced by the actual email recipient's userid and domain name.

The websites look like this:



Of course the link is a new version of the Zeus / Zbot trojan.

http://mydomain.com.bertdffe.co.uk/owa/service_directory/settings.php
http://mydomain.com.bertdffe.eu/owa/service_directory/settings.php
http://mydomain.com.bertdffm.co.uk/owa/service_directory/settings.php
http://mydomain.com.bertdffm.eu/owa/service_directory/settings.php
http://mydomain.com.bertdffo.eu/owa/service_directory/settings.php
http://mydomain.com.bertdffw.co.uk/owa/service_directory/settings.php
http://mydomain.com.bertdffw.eu/owa/service_directory/settings.php
http://mydomain.com.nerrasssb.eu/owa/service_directory/settings.php
http://mydomain.com.nerrassso.eu/owa/service_directory/settings.php
http://mydomain.com.nerrasssp.co.uk/owa/service_directory/settings.php
http://mydomain.com.nerrasssp.eu/owa/service_directory/settings.php
http://mydomain.com.nerrassst.co.uk/owa/service_directory/settings.php
http://mydomain.com.nerrassst.eu/owa/service_directory/settings.php
http://mydomain.com.nerrasssu.co.uk/owa/service_directory/settings.php
http://mydomain.com.nerrasssu.eu/owa/service_directory/settings.php
http://mydomain.com.nerrasssw.co.uk/owa/service_directory/settings.php
http://mydomain.com.nerrasssw.eu/owa/service_directory/settings.php
http://mydomain.com.nerrasssx.co.uk/owa/service_directory/settings.php
http://mydomain.com.nerrasssx.eu/owa/service_directory/settings.php
http://mydomain.com.nerrasssy.co.uk/owa/service_directory/settings.php
http://mydomain.com.nerrasssy.eu/owa/service_directory/settings.php
http://mydomain.com.oikkkkua.co.uk/owa/service_directory/settings.php
http://mydomain.com.oikkkkua.eu/owa/service_directory/settings.php
http://mydomain.com.oikkkkuf.co.uk/owa/service_directory/settings.php
http://mydomain.com.oikkkkuf.eu/owa/service_directory/settings.php
http://mydomain.com.oikkkkuh.co.uk/owa/service_directory/settings.php
http://mydomain.com.oikkkkuh.eu/owa/service_directory/settings.php
http://mydomain.com.oikkkkuy.co.uk/owa/service_directory/settings.php
http://mydomain.com.oikkkkuy.eu/owa/service_directory/settings.php
http://mydomain.com.polikka.eu/owa/service_directory/settings.php
http://mydomain.com.polikki.co.uk/owa/service_directory/settings.php
http://mydomain.com.polikki.eu/owa/service_directory/settings.php
http://mydomain.com.polikko.co.uk/owa/service_directory/settings.php
http://mydomain.com.polikko.eu/owa/service_directory/settings.php
http://mydomain.com.polikkp.co.uk/owa/service_directory/settings.php
http://mydomain.com.polikkp.eu/owa/service_directory/settings.php
http://mydomain.com.wsasdec.eu/owa/service_directory/settings.php
http://mydomain.com.wsasdep.co.uk/owa/service_directory/settings.php
http://mydomain.com.wsasdep.eu/owa/service_directory/settings.php
http://mydomain.com.wsasder.co.uk/owa/service_directory/settings.php
http://mydomain.com.wsasder.eu/owa/service_directory/settings.php
http://mydomain.com.wsasdev.co.uk/owa/service_directory/settings.php
http://mydomain.com.wsasdev.eu/owa/service_directory/settings.php
http://mydomain.com.wsasdez.co.uk/owa/service_directory/settings.php

IRS Zeus via Geocities

After a couple days with no "IRS Zeus" spam, the flow of spam messages has restarted. The new spam messages are exactly like the ones we've been seeing since September 9th, with one very significant difference:


Subject: Notice of Underreported Income


Taxpayer ID: e0cdd8db-00000684284766US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: e0cdd8db-00000684284766US

Internal Revenue Service


Two changes are that my email address is no longer part of the "taxpayer id", nor is it part of the URL to which the spam directs me.

When I followed the link in the most recent spam message, I "eventually" end up on the website:

http://www.irs.gov.nerrasssb.co.uk/fraud_application/directory/statement.php?tid=target-00000169290787US

however, that URL is *NOT* what is present in the email message!

http://geocities.com/AnnabelleRichardson78/yredaxubu.htm
http://geocities.com/AshleyWyatt42/ohulociqam.htm
http://geocities.com/AustinHobbs20/nulaxubumul.htm
http://geocities.com/AveryGoodwin43/ihociqamy.htm
http://geocities.com/bcwowpuyne/yredaxubu.htm
http://geocities.com/BillSantos33/nulaxubumu.htm
http://geocities.com/BriannaHensley06/yredax.htm
http://geocities.com/DamienMorris57/apegapyzap.htm
http://geocities.com/ddfsteyxbext/alynahej.htm
http://geocities.com/DevinSnyder65/ikahejov.htm
http://geocities.com/EdwinRandall53/nulaxubumul.htm
http://geocities.com/EltonLawson02/uwalajahe.htm
http://geocities.com/foayoqetpxe/nulaxu.htm
http://geocities.com/FreddyCampbell36/ohuloc.htm
http://geocities.com/hshybmbcg/alynah.htm
http://geocities.com/KirbyRaymond27/ociqam.htm
http://geocities.com/kktpxdqnhb/ulociqamy.htm
http://geocities.com/kmbxpkrkpe/byhegap.htm
http://geocities.com/ktywgegrcudf/byhegapy.htm
http://geocities.com/LiliaMathews67/yredaxubu.htm
http://geocities.com/MarionHudson45/nulaxu.htm
http://geocities.com/MasonSalinas48/rociqamynah.htm
http://geocities.com/MiguelPatterson69/ohuloci.htm
http://geocities.com/MilesFlowers05/alynah.htm
http://geocities.com/msxpytqms/apegapyz.htm
http://geocities.com/MurrayWaters50/byhegapy.htm
http://geocities.com/nmxtumdrfrff/alynah.htm
http://geocities.com/npxqrwxww/apegapyz.htm
http://geocities.com/ocaxbasohmgo36/hiqamyna.htm
http://geocities.com/rhauwqyee/nulaxubumul.htm
http://geocities.com/RobinWhitley59/byhegapy.htm
http://geocities.com/RussChandler61/yredax.htm
http://geocities.com/sfgesqfhrtrx/yredaxubu.htm
http://geocities.com/ShirleyTrevino49/bumulociqa.htm
http://geocities.com/TanyaWeber50/nulaxubumu.htm
http://geocities.com/TiffanyKirby11/yredaxubumu.htm
http://geocities.com/TyreeOsborne93/byhegapyz.htm
http://geocities.com/ufxesabsq/apegap.htm
http://geocities.com/WadeJoyce45/mulociqam.htm
http://geocities.com/yoqrawycf/yredaxubumu.htm
http://geocities.com/zgdgesbnw/ynahejoveke.htm
http://geocities.comgeoffreyPowell47/yredaxubum.htm

Of course none of these URLs actually is the final destination.

The current malware is

File size: 89600 bytes
MD5...: d62e9d994d587e94e04ad3f75ff14f69

you can see a VirusTotal report which shows a 6 of 41 detection rate. Only six anti-virus products out of 41 currently know that this is malware.

Sunday, October 11, 2009

A weekend of Old News

Adobe



I'm not sure whose idea it was that we should be able to execute Javascript inside a PDF or Flash file, but we continue to see this exploited. Let's review:

In February 2009, Kevin Haley from Symantec warned that the Adobe PDF reader had an unpatched bug that was being exploited in the wild.
Adobe acknowledged this in a February 19th security advisory.

In April 2009, Computerworld shared a warning from David Lenoe of Adobe urging people to disable Javascript, saying "All currently supported shipping versions of Adobe Reader and Acrobat, 9.1, 8.1.4, and 7.1.1 and earlier, are vulnerable to this issue.

In May 2009, SANS Internet Storm Center warned that the current version of Adobe Flash Player (9.0.124.0) was vulnerable to a similar exploit.

In July 2009, SANS advised of "YA0D" or "Yet Another 0-Day" in Adobe Flash Player.

And finally we get to this week . . . on October 8th, Adobe again released a security advisory, which could be paraphrased as: "hey! if you run our program, you may get owned. We'll patch it next week," advising that a patch would be released on October 13th.

You know, rather than warning us every sixty days that its dangerous to run Javascript in their programs, perhaps Adobe would consider turning it off by default?

IRS Zeus / Zbot continues


Another day, another million dollars stolen by the Russians. This weekend the fake IRS websites are continuing to be a top spam category with more than 56 new websites pretending to be the Internal Revenue Service.

The current malware is still undetected by most anti-virus products, and as always, it changes on an almost daily basis. The current version was first seen Saturday morning, and only 4 of 41 anti-virus products detected that version. Its now up to 12 of 41 according to this current VirusTotal Report for MD5 fb9580be8bcdca37cc377e365365d4de which is 90,112 bytes in size.

Here are the websites we've seen spammed over the past few days according to the UAB Spam Data Mine:

Those spammed on October 9th . . .

www.irs.gov.beffaxsde.eu
www.irs.gov.bezfalsdo.eu
www.irs.gov.bezfazsda.eu
www.irs.gov.brtferho.eu
www.irs.gov.brtferhx.eu
www.irs.gov.brtferhy.eu
www.irs.gov.byugggb.com
www.irs.gov.byugggb.net
www.irs.gov.byugggk.com
www.irs.gov.byugggk.net
www.irs.gov.byugggl.com
www.irs.gov.byugggl.net
www.irs.gov.byugggm.com
www.irs.gov.byugggm.net
www.irs.gov.byugggr.com
www.irs.gov.byugggr.net
www.irs.gov.byugggu.com
www.irs.gov.byugggu.net
www.irs.gov.feraaaz.eu
www.irs.gov.feraaze.eu
www.irs.gov.gerfas1k.com
www.irs.gov.gerz1der.cn
www.irs.gov.gerz1der.com
www.irs.gov.gerz1der.net
www.irs.gov.gerzfdek.cn
www.irs.gov.gerzfdek.com
www.irs.gov.gerzfdek.net
www.irs.gov.linners.cz
www.irs.gov.oiiiterqa.cn
www.irs.gov.oiiiterqa.com
www.irs.gov.oiiiterqa.eu
www.irs.gov.oiiiterqq.cn
www.irs.gov.oiiiterqq.com
www.irs.gov.oiiiterqr.cn
www.irs.gov.oiiiterqr.com
www.irs.gov.oiiiterqw.eu
www.irs.gov.oiiiterqz.cn
www.irs.gov.oiiiterqz.com
www.irs.gov.oiiiterqz.eu
www.irs.gov.oyicoemqu.eu
www.irs.gov.oyicoerqz.eu
www.irs.gov.oyiioerql.eu
www.irs.gov.qazseek.eu
www.irs.gov.qazseep.eu
www.irs.gov.qazsewe.eu
www.irs.gov.qazsewl.eu
www.irs.gov.qazsewm.cn
www.irs.gov.qazsewx.eu
www.irs.gov.qazskem.eu
www.irs.gov.qazsxek.eu
www.irs.gov.refdree.eu
www.irs.gov.refdref.eu
www.irs.gov.refdrek.eu
www.irs.gov.refdrem.eu
www.irs.gov.yxeeddlrp.eu


Those spammed on October 10th . . .

www.irs.gov.brtferho.eu
www.irs.gov.brtferhv.eu
www.irs.gov.brtferhx.eu
www.irs.gov.brtferhy.eu
www.irs.gov.byugggb.com
www.irs.gov.byugggb.net
www.irs.gov.byugggk.com
www.irs.gov.byugggk.net
www.irs.gov.byugggl.com
www.irs.gov.byugggl.net
www.irs.gov.byugggm.com
www.irs.gov.byugggm.net
www.irs.gov.byugggr.com
www.irs.gov.byugggr.net
www.irs.gov.byugggu.com
www.irs.gov.byugggu.net
www.irs.gov.feraaaz.eu
www.irs.gov.feraaze.eu
www.irs.gov.gerfas1k.com
www.irs.gov.gerz1der.cn
www.irs.gov.gerz1der.com
www.irs.gov.gerz1der.net
www.irs.gov.gerzfdek.cn
www.irs.gov.gerzfdek.com
www.irs.gov.gerzfdek.net
www.irs.gov.linners.cz
www.irs.gov.refdree.eu
www.irs.gov.refdref.eu
www.irs.gov.refdrek.eu
www.irs.gov.refdrem.eu

Those spammed on October 11th . . .

www.irs.gov.brtferho.eu
www.irs.gov.brtferhv.eu
www.irs.gov.brtferhx.eu
www.irs.gov.brtferhy.eu
www.irs.gov.byugggb.com
www.irs.gov.byugggb.net
www.irs.gov.byugggk.com
www.irs.gov.byugggk.net
www.irs.gov.byugggl.com
www.irs.gov.byugggl.net
www.irs.gov.byugggm.com
www.irs.gov.byugggm.net
www.irs.gov.byugggr.com
www.irs.gov.byugggr.net
www.irs.gov.byugggu.com
www.irs.gov.byugggu.net
www.irs.gov.feraaaz.eu
www.irs.gov.feraaze.eu
www.irs.gov.gerz1der.cn
www.irs.gov.gerz1der.com
www.irs.gov.gerz1der.net
www.irs.gov.gerzfdek.cn
www.irs.gov.gerzfdek.com
www.irs.gov.gerzfdek.net
www.irs.gov.linners.cz
www.irs.gov.refdree.eu
www.irs.gov.refdref.eu
www.irs.gov.refdrek.eu
www.irs.gov.refdrem.eu


Comcast raises the bar for ISP Behavior


There is one new news item I wanted to call attention to this weekend. According to Brian Krebs "Security Fix" column in the Washington Post Comcast, the largest residential Internet Service Provider, is beginning a new program to alert home PC users who might be infected with malicious bot software.

Good job, Comcast! If we can get more Internet Service Providers monitoring for malicious software, we could dramatically reduce the number of infected computers. We look forward to hearing how this initiative impacts your customers!

Thursday, October 08, 2009

The FBI's Biggest Domestic Phishing Bust Ever

Yesterday the FBI began performing arrests of more than 100 individuals involved in a phishing investigation announced in the Central District of California courts. The case, known as Operation Phish Phry was the top story on the FBI website yesterday. Robert Mueller announced the case during a speech to the Commonwealth Club of California, where he praised the cooperation with the Secret Service and their Los Angeles Electronic Crimes Task Force, as well as state and local law enforcement. He said this was the first joint cyber investigation with Egypt and that this cooperative effort illustrates "the power of our global partnerships." Mueller also used the speech to praise the 32,000 members of the FBI's InfraGard program, "experts on our critical infrastructure" who help the FBI prevent risks to that infrastructure from becoming a reality.

The official press release from the Los Angeles FBI office says the announcement of the case came from:
Keith B. Bolcar, Acting Assistant Director in Charge, FBI Los Angeles
George S. Cardona, Acting United States Attorney, Los Angeles
and
Kieran Ramsey, FBI Legal Attache in Cairo Egypt
along with Egyptian Law Enforcement Authorities.


The 85 page indictment, which was presented to a Grand Jury back in February was unsealed once the arrests began, and contains a wealth of information. WIRED Magazine's Threat Level blog was the first to have a copy of the indictment.

The basic charges are:
18 USC S 1349: Wire and Bank Fraud Conspiracy
18 USC $ 1344(1): Bank Fraud
18 USC $ 1028A: Aggravated Identity Theft
18 USC $ 371: Computer Fraud Conspiracy
18 USC $ 1030(a)(4): Computer Fraud
18 USC $ 1956(h): Money Laundering Conspiracy

I'm especially happy to see the Aggravated Identity Theft charge, as it provides an automatic and non-negotiable +2 years to each sentence, which guarantees none of these people will get a "slap on the wrist", unless the prosecution fails to show they used the identities of at least ten individuals.

Although the investigation is labelled "Operation Phish Phry" by the FBI, the US-based charges deal with the money-laundering aspects more than the actual phishing. The phishing portions of the scheme seem to have been run by a group of nearly fifty individuals primarily in Egypt, who would transfer bank account credentials to the US-based ring leaders, who would use their network to move the money through mule accounts, out to cash, and eventually to be wired back to Egypt (minus a commission for the US-based players). Mueller mentions that the funds came from "approximately 5,000 American citizens" who were presumably the victims of these phishing attacks.

This was a tiered operation involving three ring leaders, who used sixteen associates to enlist thirty-eight money mules to receive stolen funds and wire them primarily to Egypt. In order to establish that each of the defendants was definitely involved, the indictment lists 335 "Overt Acts", mostly taking the form of giving a date, place, defendant, and an amount of money transmitted from a stated account to another defendant or unindicted co-conspirator.




(click for larger image, created with i2 Analyst's Notebook by Gary Warner)

The three ring-leaders identified in the indictment were:

Kenneth Joseph Lucas of Los Angeles, California
Nichole Michelle Merzi of Oceanside, California
Jonathan Preston Clark

These three operated a ring of middlemen who recruited the actual money mules. The middlemen were:

Jarrod Michael Akers
Kyle Wendell Akers
Wayne Edwards Arbaugh
Demorris Brooks
Antonio Late Colson
Kenneth Crews
Manu T. Fifita
Jennifer Anabelle Lopez Gonzalez
Tinika Sabrina Gunn
Jason Marcellus Jenkins
Sylvia Johnson
Remar Ahmir Lawton
Kyle Brandon Martin
Frankline Anthony Ragsdale
Steven Aaron Saunders
Rynn Spencer
Raquel Raffi Varjabedian
Candace Marie Zie

Lastly, the actual money mules that were indicted:

Ashley A. Ager
Latina Shaneka Black
Michael Dominick Gunn Dacosta Jr.
Virgil Phillip Daniels
Tramond S. Davis
Shontovia D. Debose
Joshua Vincent Fauncher
Krystal Fontenot
Anthony Donnel Fuller
Michael Christopher Grier
Bryanna Harrington
Shawn K. Jordan
Billy Littlejohn Kelly
Reggie B. Logan, Jr.
Ikinasio Lousiale, Jr.
Raymond V. Mancillas
David P. Mullin
Vincent Nguyen
Ario Plogovii
Brandon R. Ross
Alan Elvis St. Pierre
Courtney Monet Sears
Me Arlene Settle
Paula W. Sims
Jamie Smith
Brandon Kyle Thomas
Christopher Uhamaka
James Michael Viorato
Jovon Darnell Weems
David D. Westbrooks
Bridget Deque Wilkins
Marcus Deshaun Williams

The ages of the defendants range from 19 to 44, with only two being older than 31. Kenneth Crews and Demorris Brooks recruited seven money mules from North Carolina, and one or more unindicted recruiters gathered seven additional mules from Nevada, including at least four from Las Vegas.

Overt Acts are broken into sections:

A. Defendants Lucas and Zie:
Zie opens a bank BOA account, communicates with Lucas by telephone five times, withdraws stolen funds that were tranferred to his bank account. He opens two more account, talks to Lucas 54 times by telephone, and withdraws more stolen funds. Opens more accounts, communicates with Lucas 24 times in a single day, withdraws more stolen funds. The first 14 acts are about these two.

F. Defendants Lucas, Crews, and Logan:
Crews text-messages account numbers opened by Logan to Lucas, who causes funds to move from a victim account to Logan's accounts. Logan withdraws the money.

G. Defendants Lucas and Mancillas:
(Unindicted coconspirator) text-messages Lucas with account numbers opened by Mancillas at BOA. Lucas transfers funds from a victim to the Mancillas account, and Mancillas withdraws the funds.

H. Defendants Lucas and Mullin:
(Unindicted coconspirator) text-messages Lucas the account numbers opened by Mullin at Bank of America. Lucas moves funds from a victim account to the Mullin account, and Mullin withdraws the funds.

They do that over and over and over. The first 200 "Overt Acts" listed all involve Lucas as the one who moves the money from the victim's account.

The credentials for the victim accounts were acquired by phishing, but at this time, we don't have enough details to really know WHICH phishing attacks we're dealing with. It should certainly be pointed out that the phishing attacks were NOT NECESSARILY against Bank of America and Wells Fargo. Funds from any bank can be sent to Mule accounts at any bank, as long as they are both part of the ACH network. Hopefully more details will come out as this case progresses.

The later activities in the indictment make it seem that at least one or more of the defendants had their phone tapped or was cooperating with investigators, such as:

On February 17, 2009, defendants Colson, Weems, and Lucas agreed via telephone that defendant Colson would deliver $1,200 to defendant Lucas

Beginning with Overt Act #201 in the indictment (page 54) the activities turn to Wire Transfers, such as:

On January 12, 2007 in Los Angeles County, defendant J. Akers transmitted $1,300 by Western Union to unindicted coconspirator E.A.

The next forty acts involve Jarrod Michael Akers wiring nearly $100,000 to various parties, mostly unnamed in this indictment. Rehmar Amir Lawton also does more than $30,000 in wire transfers in "Overt Acts". Jonathon Preston Clark, Nichole Michelle Merzi, Candace Marie Zie, Demorris Brooks, Jennifer Lopez Gonzalez and others are also involved in the Wires.

One of the key telephone conversations that was part of the indictment is "Overt Act No. 241":

On December 22, 2008, in Los Angeles County, defendants LUCAS and K. AKERS, in a telephone conversation, discussed the scheme to cause unauthorized transfers of funds into bank accounts for the purpose of allowing coconspirators to withdraw the transferred funds, and defendant LUCAS advised defendant K. AKERS to solicit individuals who need money to assist in the scheme.

Wednesday, October 07, 2009

Microsoft "Your e-mail will be blocked" phish

An interesting phishing campaign has resulted in several news stories about stolen passwords. That got me digging in the UAB Spam Data Mine looking for related emails. I didn't find THAT phish, but we did receive a large number of email messages claiming to be sent by Microsoft.com with this seemingly important warning:


Your e-mail will be blocked within 48 hours for spam, if this is mistake please cintact us.
Please click here for detailes.

Thank You.
Spam security Customer Service


The "Click Here" portion of the email was a link to a website containing the domain name:

58342875324752.com

with a randomized "host name" portion of the machine, such as:

http://jicjhfchcf63990210626.58342875324752.com/1.html
http://bcaifegghi22625742876.58342875324752.com/1.html
http://ahgdjifchf33143196196.58342875324752.com/1.html
http://dacjfiefdf06964096947.58342875324752.com/1.html
http://aggjbdbejf52476850184.58342875324752.com/1.html
http://gichjabdga24449952037.58342875324752.com/1.html
http://cdbbeibcce54169406995.58342875324752.com/1.html
http://cgahdjahih39067688421.58342875324752.com/1.html
http://dibgdfdbjc50687902460.58342875324752.com/1.html
http://geghdgfbbd77652789593.58342875324752.com/1.html
http://hbahfdbfhb41867793765.58342875324752.com/1.html
http://ecfafijdic45542087833.58342875324752.com/1.html
http://jfjhbgidfj46950802509.58342875324752.com/1.html
http://chcdgeecgh27341962790.58342875324752.com/1.html

Email subject lines observed during this phishing campaign included:

Alert: Account Deactivation Notice
Important message about your account information
NOTIFICATION OF LIMITED ACCOUNT ACCESS
Online Access Supended
Online Account Locked
Online Security Measures
Re-Confirm Your Online Access.
Your account has been flagged!
Your account has been placed on restricted status
Your Account Suspension
Your Online Account Needs Update

The spam had a unique forgery in the email headers to make them appear to be from Microsoft. In an email header, there is a "Received" line which shows the address from which an email was sent, such as:

Return-Path:
Received: from dsl-189-139-6-108-dyn.prod-infinitum.com.mx (dsl-189-139-6-108-dyn.prod-infinitum.com.mx [189.139.6.108] (may be forged))
by GarsServer.com (8.11.6/8.11.0) with ESMTP id n96Lew069365
for <85qrhskymaucw@GarsDomain.com>; Tue, 6 Oct 2009 21:40:59 GMT
(envelope-from bec713-security@microsoft.com)
Received: from dns749.microsoft.com(dns697.microsoft.com [189.139.6.108]) by 189.139.6.108 with SMTP id 69811070;

In this case, the "Return-Path" line is fake, and has been added by the sender. The second "Received" line is also fake, trying to convince you that the sending IP "189.139.6.108" is actually a Microsoft computer, which it's not!


The End?


Unfortunately, that's as far as this part of the investigation can go. The website had already been terminated, by asking the Registrar to remove the nameserver from active duty, meaning that no computers can reach the website in question.

But is that really the end?

The nameserver for this domain, which has already been terminated, was ns1.bloktrest.net. By setting that as our nameserver, we can see that the site was "fast flux" hosted on many different IP addresses. For instance, resolving the domain currently, according to bloktrest.net, points us to:

211.220.122.249
59.28.65.79
61.82.161.51
84.126.133.91
85.136.101.254
86.101.82.52
89.74.19.174
94.189.175.182
116.65.199.187
118.34.214.178
118.38.110.10
119.196.189.101
121.141.44.120
121.181.5.75

By hard-coding one of these IP addresses to the domain name, we can see that what WOULD have happened if we had visited the site was that we would have loaded an IFRAME from the site:

(DO NOT VISIT!) us-business-shop-2019.com/shop/?0a8f23e34c3fccbdbc459ef0d52b3910

THAT website has been listed since September 3rd at MalwareDomainList as a LuckySploit exploiter.

So, the question is at large - was this a phishing site at all? or merely a way to get people to have LuckySploit take over their computers?

Whois points to Badness



Here is the WHOIS data for 58342875324752.com which was registered October 5, 2009 at TodayNIC.com, an infamous Chinese registrar.

Administrative Contact:
Name: Ferd Derfo
Organization: Ferd Derfo
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 133331
Phone: +7.9357738849
Fax: +7.9357738849
Email: molda3333vimo@safe-mail.net

Here is the WHOIS data for us-business-shop-2019.com which was registered at another infamous Chinese registrar, ONLINENIC.com, on July 21, 2009:

Serpino Berbeto ad6@safe-mail.net +1.2128848801
Serpino Berbeto
403 po box
New York NY US 10037

ns1.dns-diy.net
ns2.dns-diy.net

Do a search on "Serpino Berbeto" and you'll find more than 1,000 ways in which this identity is involved in the creation of domains used for the distribution of malware, and with online fraud domains, including fake Escrow sites, spam, pirated software (easy-software-store.com), Canadian Pharmacy (shop29.net).

The Serpino identity is one of the many "resellers" that cause OnlineNIC and other Chinese registrars to be such widely used havens for cybercriminals.

Serpino is hosting this site, and several other recent malware infection sites he's been behind, on a webblock belonging to "The Bigness Group" in St. Petersburg, Russia.

Serpino's sites on that netblock include:

yournewvideo.info - 195.88.190.29
brberfsdfsdafs.com - 195.88.190.31
lovisiribkabolishajaimalenkaja - 195.88.190.235
us-business-shop-2019.com - 195.88.190.202
fgddfgdgdfg.com - 195.88.190.235

of course other aliases are also hosting malware on this netblock, which seems to be filling the role of the old Russian Business Network, also of St. Petersburg:

Tourino Markes / moldavimo00@safe-mail.net has registered:
vertigoinvasion.com = 195.88.190.240 - associated with both Zeus and the Fragus exploit kit

Kelly Watsen / potenciallio@safe-mail.net has registered:
landingerfor.org = 195.88.190.235 - associated with LuckySploit exploit kit

Fego Fegochev / moldavimo@safe-mail.net has registered:
ppoqass.info = 195.88.190.246 - associated with the LuckySploit exploit kit
bbortixx.info = 195.88.190.246 - also associated with LuckySploit

Passive DNS reveals all sorts of badness. Recommendation? Everyone should block "The Bigness" and their entire network block!

IRS Zeus Again???



I ran the fast flux IP addresses given above through some checks at a Passive DNS Logging system to see if they were "known" IP addresses. Yes. Several of the IP addresses above are part of the same Fast Flux network which is being used for the "Avalanche" botnet, which is currently behind the IRS Zeus net!

So what happens if we hard-code a host entry for the above IP addresses, and tell it that it is one of the recent IRS domains?

That's right. I added this line to my "hosts" file:

211.53.54.227 www.irs.gov.hyu111a.com

and visited:

www.irs.gov.hyu111a.com/fraud_application/directory/statement.php

an IRS domain which has no active nameserver and has not been live for more than a week. It resolved on the IP address used above for the domain 58342875324752.com, and displayed the IRS Zeus infection website, complete with an active link for downloading the current malware.

File size: 95744 bytes
MD5...: fe80e38049ebb5f082adfb3dd9110d51
Click for Virus Total Report, showing that only 7 of 41 anti-virus products currently detect this Zbot / Zeus Bot infector.

Monday, October 05, 2009

A Day in the Life of Spam

Its been quite a while since I did a "Day in the Life of Spam", but with some recent ups and downs in the trends, I thought it would be worth taking a look again.

For this study, I chose one group of trap addresses for the UAB Spam Data Mine, and decided to try to categorize every email received on October 4, 2009. These particular trap accounts received 10,583 spam emails that day. So how did they break out?

5854 emails or 55.3% = Pharmaceutical products
2303 emails or 21.7% = Watches and other counterfeit goods
1044 emails or 9.8% = Malware distribution
512 emails or 4.8% = Illegal software "OEM" software downloads
397 emails or 3.8% = Fake diplomas or instant degrees
69 emails or 0.6% = Work at home scams
66 emails or 0.6% = Russian language emails
30 emails or 0.3% = Casino spam
28 emails or 0.26% = "Giveaways gotchas" (gift cards, plane tickets,
cell phones, laptops that are called "free" but aren't)
28 emails or 0.26% = Chinese/Japanese emails

200 emails or 1.9% = miscellaneous things other than categories above
insurance, credit reports, DISH Network, ink & toner,
language learning, government grants, dating services,
GI bill info, teeth whitening, government auctions,
ab circle, timeshares, florida rental properties,
colo detox, etc.

Digging in deeper, Canadian Pharmacy dominated the pharmacy category, with what
seems to be at least 19 different spam campaigns, all pushing Canadian Pharmacy
affiliated websites. Compared to other affiliate pill programs, they win hands down:

5358 emails = Canadian Pharmacy
260 emails = Maximum Gentleman penis enlargement
107 emails = Canadian Health Care
61 emails = Online Pharmacy
32 emails = My Canadian Pharmacy
16 emails = Canadian Health & Care Mall
12 emails = Canadian Family Pharmacy
8 emails = Acai Berry

The big changes that stand out especially are that the famous "Russian Brides" spam has almost vanished entirely. Gone also is the Acai Berry spam, which was at one point nearly 15% of all of our spam email messages. 419 scams are disappearing as well, with only 7 emails out of the 10,500+ examined for this "Day in the Life" peek.

When we look at the URLs advertised just in those 5,358 Canadian Pharmacy emails, we find 7,056 unique URLs hosted on 348 domains, of which 234 are ".cn" domains:

aobypwto.cn
aohumwto.cn
bavulov.cn
biyahaj.cn
bjelunep.cn
bobobuk.cn
bohetoj.cn
botazux.cn
bsobidar.cn
bsozefew.cn
busegis.cn
buwaneg.cn
cabavov.cn
cedwoyep.cn
cixivic.cn
cmeqoher.cn
cnahehas.cn
cpiliguk.cn
cqolodar.cn
csimigek.cn
cucodag.cn
cujozas.cn
cuyilec.cn
czavoyig.cn
dadodeg.cn
dahonif.cn
darohus.cn
dbixumaq.cn
ddayatot.cn
dejoviw.cn
dhajeqiy.cn
dijajiv.cn
dilonef.cn
disaniv.cn
dnojisud.cn
doboget.cn
docuyiv.cn
dojiqur.cn
dtusukir.cn
dzayowis.cn
dzolufay.cn
fasosup.cn
fceqinaf.cn
fducilox.cn
fehavux.cn
fejunab.cn
fibujes.cn
ficimap.cn
finahoz.cn
fohiyub.cn
fovihag.cn
fpupewat.cn
fsoresok.cn
fxocefew.cn
gakarid.cn
gbukagef.cn
gebosor.cn
ggefalom.cn
girucav.cn
glimesaf.cn
gmogacof.cn
gmonigec.cn
gobahod.cn
gpevehig.cn
gzevohaq.cn
hakobiz.cn
havarul.cn
hbejivix.cn
hgodakej.cn
hkawutet.cn
hocacap.cn
holoyin.cn
huvayov.cn
hxeqotet.cn
hyunohep.cn
jagegop.cn
jimigok.cn
jiquwac.cn
jirohup.cn
jjunopov.cn
jjunopov.cn
jpatoxih.cn
jranoxug.cn
jvafohit.cn
jvoqidev.cn
jxubocot.cn
kepomat.cn
kkamugag.cn
kovupaj.cn
krecahol.cn
kufanuv.cn
kyejixey.cn
lamadul.cn
lbihakag.cn
lbogupey.cn
lemecij.cn
loganuw.cn
lqihedax.cn
ltexujis.cn
lufogay.cn
luladuz.cn
lwofepib.cn
lwofexiv.cn
lxolemaj.cn
lyarazok.cn
lyuvuced.cn
mahalam.cn
mbajihiz.cn
mivutim.cn
mobivis.cn
moqeqez.cn
mtejuxad.cn
muhazec.cn
myibaqum.cn
nagozuc.cn
nahojut.cn
napojox.cn
nhofewih.cn
niduqab.cn
njihivax.cn
nnifikaj.cn
nocigoj.cn
nosadoc.cn
nqewonih.cn
nropemij.cn
pajikub.cn
pawucit.cn
pazoxif.cn
pevular.cn
pirebav.cn
pkipuyom.cn
pqezosem.cn
puhoquj.cn
puwuwug.cn
qahomeh.cn
qdiwoxaq.cn
qelaquk.cn
qfudocik.cn
qivokex.cn
qiyejas.cn
qoconug.cn
qokutuq.cn
qonanih.cn
qoxifuw.cn
qqisuluw.cn
qtufetag.cn
qudehiv.cn
qzonumeg.cn
rasafas.cn
rewelay.cn
rfozinud.cn
rgekepum.cn
rgekepum.cn
rizexez.cn
rjuyunex.cn
rmenisul.cn
rqasesoy.cn
rwobucem.cn
scelamoq.cn
shetepoc.cn
sirepil.cn
sjowemor.cn
socowuv.cn
sodajud.cn
somorez.cn
soqunup.cn
sorufar.cn
sovuzoq.cn
spojoxiq.cn
tatapum.cn
tawamof.cn
tdiceruk.cn
tfenuhah.cn
thidafak.cn
thodurux.cn
tnawulod.cn
tnikixep.cn
tvufisux.cn
vapabog.cn
vibariq.cn
vivuxab.cn
viyezis.cn
vludihum.cn
vobenog.cn
vohuren.cn
vopaguz.cn
voxaziq.cn
vqamiwur.cn
vriyigip.cn
vvobipad.cn
wabifoy.cn
wbakilit.cn
wbohovuh.cn
wgesirok.cn
wicigeh.cn
wiyisuh.cn
wnexejip.cn
wonefaq.cn
worldvld.cn
wovewab.cn
wuqumud.cn
xehevug.cn
xexugan.cn
xifepuj.cn
xipames.cn
xozowoj.cn
xquwavuk.cn
xuyokir.cn
ycaqoped.cn
ycetuvow.cn
yfolobow.cn
ygemuhop.cn
yinicuv.cn
yipenov.cn
ylafarum.cn
yororom.cn
yujacub.cn
yvukudey.cn
yzigawim.cn
zajeqav.cn
zapoyuf.cn
zcixefat.cn
zecemiz.cn
zfumulik.cn
zicorem.cn
zkodibay.cn
zlesanus.cn
zovoliz.cn
zowimij.cn
zrugaviv.cn
zsomiyon.cn
ztokusut.cn
zuguvov.cn
zupabuv.cn

Another 84 are ".com" domains:

12n3.com
150m.com
adabisnis.com
adorewow.com
adsnote.com
aftermelody.com
angerpeople.com
awaredear.com
barracudacentral.com
betterspoke.com
boldcover.com
cefjedhoha.com
chordspend.com
clickboothlnk.com
cncd-tex.com
coatfew.com
codetwo.com
comfyrace.com
confluencehr.com
connectionends.com
couldfloor.com
creamyglass.com
createsend2.com
entervanish.com
expertreason.com
fallsautumn.com
frankoferosscom.com
gate2service.com
giftedstood.com
gisdany.com
google.com
gotmoral.com
groupfinger.com
havebasic.com
hecreamy.com
helpleave.com
hesheet.com
hoawukfue.com
ihrodinpe.com
images-amazon.com
iomega.com
kezlink.com
livejournal.com
magicrange.com
metalartmaster.com
microsoft.com
mightysing.com
miturl.com
nbcmediacenter.com
onbisnis.com
passport.com
periodtwo.com
pharmacyonlineoffernow.com
posesea.com
proudnoble.com
quietcotton.com
qupdumvov.com
razoncollins.com
renownchief.com
restcalm.com
restthere.com
shegentle.com
shrtn.com
sidecatch.com
smooththan.com
soilbear.com
sonbottom.com
spreadtwenty.com
stoodstudy.com
stringmunchy.com
suchpull.com
t35.com
talkjoyful.com
thebraintree.com
tinytwitt.com
trucktingle.com
waitname.com
webmd.com
weightboxtime.com
whiledesire.com
winsportbike.com
yahoo.com (abused in the form of newly created "yahoo groups")
zestquart.com