Sunday, February 21, 2010

Phishers target accounts

A new phishing campaign came out about two hours ago, this time targeting bloggers who use Google's "Blogger" and "blogspot" services.

The emails are pretty straightforward:

Subject: Your Blogger Account

Dear Blogger account owner,
To update your Blogger account please click the following link:

Thank you for using Blogger.

This is a post-only mailing. Replies to this message are not monitored or answered.

The web pages are of course not actually Blogger's, but are phishing sites on ".kr" domains, which the Avalanche/Zeus group has favored lately.

Updated: 22FEB2010 @ 9AM Central time

These are the sites we've seen spammed so far this morning . . .

The phishing site itself looks like this:

We've seen about 350 copies of this phishing campaign so far, but again, it's only just started up. Look for more URLs to follow.

What the Bad Guys Know: We'll Click on ANYTHING!

For years the bad guys have been working to perfect their social engineering schemes. By "social engineering" we mean that in most situations the biggest security risk at a computer has nothing to do with technology and everything to do with the human at the keyboard. The bad guys have made a science of sending malicious links and malware attachments to people and working out what message it takes to make the human at the keyboard do what they want.

What message does it take to make you open an attachment to your email? A few that the bad guys have found to work reliably are to tell you that it's information about an undelivered package (such as the UPS, DHL, USPS and FedEx scams we've seen), or a message saying your email account will be deleted unless you confirm you still want it. For years an obvious one has been to prey on male insecurity about sexual prowess, promising that clicking their link will lead to a larger penis which will make the women you know beg you for sex every night!

But recently the bad guys have figured out that it really doesn't matter what they put in the email if they only need a few people to buy their product or follow their link. The current round of Zeus spam has no meaningful subject and contains no text at all, only a link.

And people are clicking on it like mad to infect themselves! What mystery! I think I'll click and see what it is!

The top email subjects right now are:

Subject: FW:
Subject: Fw:
Subject: Re:FW:
Subject: Re:
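Both lures in this post share traits a mail filter can score without looking at the landing page: the Blogger phish puts a brand name in front of a throwaway ".kr" domain, and the Zeus spam has an empty "Re:"/"FW:" subject and a body that is nothing but a URL. The following triage script is an added example, not code from the original post or from UAB; the sample messages are constructed, "abc123.example.kr" is a placeholder domain, and the two-reason threshold and the brand list are my own choices.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages for this example; none is a real capture from the
# campaign. "abc123.example.kr" is a placeholder, not a real phishing domain.
SAMPLES = [
    # 1. the link-only Zeus lure: empty forward/reply subject, body is just a URL
    "From: someone@example.com\nTo: victim@example.org\nSubject: Re:FW:\n\n"
    "http://login.abc123.example.kr/index.php\n",
    # 2. an ordinary forward: a link plus real text, non-empty subject
    "From: colleague@example.org\nTo: victim@example.org\nSubject: FW: budget spreadsheet\n\n"
    "Hi, forwarding the spreadsheet we discussed. Notes are at\n"
    "http://intranet.example.org/budget\n",
    # 3. the Blogger-style lure: brand name as a subdomain of a throwaway domain
    "From: noreply@example.net\nTo: victim@example.org\nSubject: Your Blogger Account\n\n"
    "Dear Blogger account owner,\n"
    "To update your Blogger account please click the following link:\n"
    "http://blogger.abc123.example.kr/update\n"
    "Thank you for using Blogger.\n",
]

# One or more chained "Re:"/"FW:"/"Fwd:" tokens and nothing else.
EMPTY_FORWARD_SUBJECT = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Brands the post says are being impersonated; extend for your own environment.
BRANDS = {"blogger", "blogspot"}


def body_text(msg):
    """Return the text of the preferred body part, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def brand_as_subdomain(host):
    """True if a brand name appears as a label left of the registered domain.
    Simplification (assumption): the registered domain is the last two labels,
    which is wrong for second-level ccTLD registries such as .co.kr."""
    labels = host.lower().split(".")
    return any(label in BRANDS for label in labels[:-2])


def triage(raw):
    """Score one raw RFC 822 message; two or more reasons marks it suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = body_text(msg)
    urls = URL_RE.findall(body)
    leftover = URL_RE.sub("", body).strip()          # body with the URLs removed
    hosts = [urlparse(u).hostname or "" for u in urls]

    reasons = []
    if EMPTY_FORWARD_SUBJECT.match(subject):
        reasons.append("empty forward/reply subject")
    if urls and not leftover:
        reasons.append("body is link-only")
    # A .kr link alone is weak evidence (plenty of legitimate Korean sites); it
    # only counts together with another signal.
    if any(h.endswith(".kr") for h in hosts):
        reasons.append("link on .kr domain")
    if any(brand_as_subdomain(h) for h in hosts):
        reasons.append("brand name used as a subdomain label")

    return {
        "subject": subject,
        "urls": urls,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['subject']!r:30} {result['reasons']}")
```

The point of requiring two independent reasons is that each one on its own has an innocent explanation (people do send empty "FW:" mails, and Korean domains are not malicious by nature); it is the combination the campaign exhibits that is rare in legitimate traffic.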

Many different domain names, currently all ".kr" domains, are being used, with one of the following hostnames prefixed to the domain name:


There are multiple ways to get infected here. When you visit the website, which looks like this:

you are invited to update your Macromedia Flash Player by downloading the file "update.exe". That file is a Zeus bot installer. The VirusTotal report shows that it's currently detected by 25 of 41 anti-virus products, most calling it some form of Zeus or Zbot.

The other route to infection is the IFRAME hidden on the page. Before congratulating yourself on being too smart to click on the Macromedia update file, realize that just by visiting the website you have exposed yourself to this iframe:


That iframe in turn loads two more iframes: one forces you to open a malicious PDF file, named "xd/pdf.pdf", and the other calls a further iframe, "xd/sNode.php".

sNode.php runs some logic to work out which browser you are running and attempts browser-specific drive-by infections, defaulting to dropping a Flash file, "nowTrue.swf", if it can't find a browser exploit that would work against you.
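The chain above (landing page, hidden iframe, two child iframes, PDF and Flash payloads) is exactly what an analyst wants to map before detonating anything in a VM. The script below walks a captured page the way a browser would, following every iframe, and records which frames are hidden and what leaf payloads they reach. It is an added example, not code from the original post; the pages live in an in-memory dictionary so it runs offline, the hostname is a placeholder, and "xd/in.html" is a hypothetical name for the first-level iframe target, which the post does not name. The other file names (update.exe, xd/pdf.pdf, xd/sNode.php, nowTrue.swf) are the ones the post reports.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

BASE = "http://flash.abc123.example.kr/"   # placeholder host, not a real site

# Constructed stand-in for the landing site so the walk runs offline.
# "xd/in.html" is a hypothetical name; the post does not name the first iframe.
SITE = {
    BASE: (
        "<html><body>\n"
        "<h1>Macromedia Flash Player update required</h1>\n"
        '<p>Please <a href="update.exe">download the update</a> to continue.</p>\n'
        '<iframe src="xd/in.html" width="0" height="0" frameborder="0"></iframe>\n'
        "</body></html>"
    ),
    BASE + "xd/in.html": (
        "<html><body>\n"
        '<iframe src="pdf.pdf" style="visibility:hidden;width:1px;height:1px"></iframe>\n'
        '<iframe src="sNode.php" width="1" height="1"></iframe>\n'
        "</body></html>"
    ),
    BASE + "xd/pdf.pdf": "%PDF-1.4 (constructed placeholder, not the real file)",
    BASE + "xd/sNode.php": (
        "<html><body><object data='nowTrue.swf' "
        "type='application/x-shockwave-flash'></object></body></html>"
    ),
}


def is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are the classic drive-by pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [(attrs.get("width") or "").strip(), (attrs.get("height") or "").strip()]
    tiny = any(d in ("0", "1", "0px", "1px") for d in dims)
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or "width:0" in style or "width:1px" in style)


class FrameParser(HTMLParser):
    """Collects iframes, anchor hrefs and object/embed sources from one page."""

    def __init__(self):
        super().__init__()
        self.iframes, self.links, self.objects = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # HTMLParser lowercases tag/attr names
        if tag == "iframe" and a.get("src"):
            self.iframes.append((a["src"], is_hidden(a)))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("object", "embed"):
            src = a.get("data") or a.get("src")
            if src:
                self.objects.append(src)


def walk(url, fetch=SITE.get, depth=0, seen=None, findings=None):
    """Follow iframes recursively; return a flat list of findings in visit order."""
    seen = set() if seen is None else seen
    findings = [] if findings is None else findings
    if url in seen or depth > 5:             # loop and depth guard
        return findings
    seen.add(url)
    content = fetch(url)
    if content is None:
        findings.append({"url": url, "depth": depth, "kind": "unresolved", "hidden": None})
        return findings
    if not content.lstrip().startswith("<"):
        # Non-HTML leaf (the PDF here): record as a payload and stop descending.
        findings.append({"url": url, "depth": depth, "kind": "payload", "hidden": None})
        return findings
    p = FrameParser()
    p.feed(content)
    for href in p.links:
        full = urljoin(url, href)
        if full.lower().endswith(".exe"):    # the "click to update" lure
            findings.append({"url": full, "depth": depth, "kind": "exe-link", "hidden": False})
    for src in p.objects:                    # the Flash drop from sNode.php
        findings.append({"url": urljoin(url, src), "depth": depth, "kind": "object", "hidden": False})
    for src, hidden in p.iframes:
        full = urljoin(url, src)
        findings.append({"url": full, "depth": depth, "kind": "iframe", "hidden": hidden})
        walk(full, fetch, depth + 1, seen, findings)
    return findings


if __name__ == "__main__":
    for f in walk(BASE):
        marker = " (hidden)" if f["hidden"] else ""
        print(f"{'  ' * f['depth']}{f['kind']:10} {f['url']}{marker}")
```

To use it against a real capture, replace the `fetch` argument with a function that returns page bodies saved from a sandboxed browser session (or from a proxy log); the walker never makes network connections itself, which is the behaviour you want when the leaf nodes are exploit files.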

This seems to be their current toolkit:

nowTrue.swf is recognized by 24 of 41 anti-virus products as malicious code, most calling it a "SWF Dropper" of some sort, according to this VirusTotal report.

pdf.pdf, which was updated yesterday, is detected by only 11 of 41 anti-virus products as malicious code. Here's its VirusTotal report.

Later today I'll self-infect a VM and try to get some screenshots of the action.

All of the websites distributing this malware are fast-flux hosted on the Avalanche botnet. In the lists below, I used my personal spam collection for the 18th and 19th. For the 20th and 21st (early AM only), the list is from the UAB Spam Data Mine, where we received just about 10,000 copies of this email yesterday, with more than 7,000 of our unique email addresses receiving copies.

Websites from 18FEB2010:

Websites from 19FEB2010:

Websites from 20FEB2010:

Websites from 21FEB2010: