Archive for February 6th, 2008
February 6th, 2008 by Jake Soriano (Technical Communications)
Trend Micro has spotted another spam run that once again uses the United States Internal Revenue Service (IRS) as a lure to phish for sensitive information from its victims.
The following is a sample email message that promises a $93.60 tax refund to the recipient:

The spammed email message, which naturally carries the IRS seal in its banner, asks recipients to submit a tax refund request by filling out a form. Probably in an effort to buy time before victims grow suspicious, the message warns recipients of the “tax refund” offer that processing their requests may take six to nine days.
The form, as the message says, is reached by clicking a link in the message. That link leads to the following page, which at first glance may look like a genuine document from the IRS:

A suspicious eye, however, would immediately notice how sensitive the requested information is: Social Security and credit card numbers, as well as ATM personal identification numbers. No legitimate refund process needs an ATM PIN.
Malware authors have used the IRS as a lure before; one of the more notable cases was the set of bogus IRS sites that Trend Micro researchers discovered last January, which contained links to malicious .EXE files.
This social engineering technique is likely to pay off for spammers and phishers, especially now that it is tax season. Users are advised not to click links in unsolicited messages, and to reach the IRS only through an address they have typed themselves. Sensitive information should never be disclosed to unknown or untrusted sources.
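The advice above comes down to one check a user (or a mail gateway) can apply mechanically: does each link in the message actually point at the organisation it claims to come from? The following script is an added example, not code from the original post or from Trend Micro. The message body is constructed; the hosts irs.gov.refund-form.example and 198.51.100.7 are placeholders (a reserved test domain and a documentation address), and only irs.gov is the real domain. It extracts every anchor from the HTML, rejects targets that are raw IP addresses or that are not under the expected domain (so that a lookalike such as irs.gov.refund-form.example does not pass), and flags links whose visible text names a different host than the one they really go to.

```python
"""Flag suspicious links in an HTML e-mail that claims to come from a given
organisation.  Added example; the sample message below is constructed and the
hosts in it are placeholders, not the ones used in the real spam run."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: every link claims to lead to irs.gov, but only the
# first one actually does.
SAMPLE_EMAIL = """
<html><body>
<p>After the last annual calculations we determined that you are eligible
to receive a tax refund of $93.60.</p>
<p>Click <a href="https://www.irs.gov/">here</a> to read more.</p>
<p>Submit your request: <a href="http://irs.gov.refund-form.example/refund.php">
https://www.irs.gov/refund</a></p>
<p><a href="http://198.51.100.7/irs/index.php">www.irs.gov</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domain):
    """True only if host is domain itself or a subdomain of it.
    'irs.gov.refund-form.example' and 'fakeirs.gov' must NOT match 'irs.gov'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(href, text, expected_domain):
    """Return a list of reasons the link is suspicious (empty = looks fine)."""
    reasons = []
    host = urlparse(href).hostname or ""
    try:
        ipaddress.ip_address(host)
        reasons.append("target is a raw IP address")
    except ValueError:
        pass
    if not host_belongs_to(host, expected_domain):
        reasons.append(f"target host {host!r} is not under {expected_domain}")
    # Visible text that looks like a URL or host but disagrees with the real
    # target is the classic "the link says one thing and goes somewhere else".
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in shown and shown != host:
        reasons.append(f"link text shows {shown!r} but points to {host!r}")
    return reasons


def audit_email(html, expected_domain="irs.gov"):
    """Map each href in the message to its list of suspicion reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    return {href: classify_link(href, text, expected_domain)
            for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons) or "OK")
```

The suffix check in host_belongs_to is the part people get wrong: a naive "contains irs.gov" test would wave the lookalike domain through, while requiring either an exact match or a leading dot does not.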
February 6th, 2008 by Dianne Lagrimas (Technical Communications)
Yahoo! Music Jukebox may dish out malware instead of hits, after the discovery of exploits for ActiveX vulnerabilities in the media player. The Register identifies Elazar Broad as the researcher who discovered the targeted vulnerabilities: two unpatched flaws in the player’s ActiveX controls which, when successfully exploited, cause a buffer overflow that may allow an attacker to run arbitrary code on the affected system. Broad posted proof-of-concept (POC) code on a public Web site; a day later, malware authors pounced on the POC, modified it, and voilà, a new exploit was making its rounds on the Web.
It seems that malware authors are having a grand time exploiting applications through their ActiveX controls, which a malicious Web page loaded in Internet Explorer can instantiate once the control is installed. Just hours ago, we reported that malicious URLs are exploiting the Chinese gaming platform Lianzong; add to that the zero-day ActiveX flaws affecting Facebook and MySpace. Interestingly, the exploits for the flaws in both Yahoo! Music Jukebox and the Chinese gaming application are detected by Trend Micro as EXPL_EXECOD.A, which suggests that malware authors are adapting one body of exploit code to target specific applications. It may seem like a stretch, but it is safe to say that this tactic broadens the target “audience” of the exploit.
As of this writing, Yahoo! has not issued a patch for the ActiveX vulnerabilities. Until one is available, the usual mitigation is to stop Internet Explorer from instantiating the affected control (by setting the kill bit for its CLSID) or to remove the vulnerable version. Trend Micro customers are also protected: the exploit and the malicious URLs are detected proactively by the Web Threat Protection technology in Trend Micro products.
February 6th, 2008 by Robert McArdle (Threats Analyst)
For generations, kids all over the world have enjoyed Spot The Difference puzzles, but who says we adults can’t join in the fun? Can you spot the difference between the real banking login page and the phishing attack below?


Not very easy, is it? Let’s look at the source code and see what differences appear there. Well, to be honest, there are very few differences, and most are simply a case of rewriting the paths of images and links from the real site so that they still resolve correctly on the phishing site. In the picture below, the red highlight is the real site and the yellow is the phishing site:

The truth is that the source code is almost identical; in both cases the login form is submitted to the page itself. On the real bank’s site, this authenticates the user and logs them in. On the phishing site, well, let’s just say they are most likely not going to use your details to send you free money.
The only real difference noticeable to the user is the URL in the browser’s address bar, and even this is very difficult to spot unless you are really looking for it.

Where does this threat come from? It is currently being spammed around by a certain well-known botnet (it starts with “S” and ends with “torm”), specifically targeting Australian email addresses. The page itself appears to have been put together by someone outside the usual Storm group, who is most likely renting a section of the network to distribute it. Luckily, Trend Micro automatically protects our customers by blocking the URL with our Web Reputation Services.
One last thing: remember when I said there were virtually no differences between the two page sources? Well, I lied a little. Check this out (again, red = real, yellow = fake):

When you access the real banking page, a piece of PHP script reads your IP address and stores it in a hidden form field on the page, so the bank can track which IPs people are logging in from. The top IP address is my own, from when I accessed the site. The bottom one, however, is the attacker’s, from when they downloaded the real page to create their phishing site. They obviously never bothered to remove this incriminating evidence (or just did not notice it) before putting up the page. However, the IP traces back to an ordinary ISP in Argentina, whose users most likely receive a new IP every time they connect to the network, so the chances of finding the culprits are unfortunately slim.
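The comparison described in this post (near-identical markup, a form that posts to itself, rewritten absolute paths, and a hidden field that still holds the IP the phisher had when he saved the real page) can be automated once both pages have been saved to disk. The script below is an added example, not code from the original post or from Trend Micro. Both pages in it are constructed stand-ins: the host bank.example is a reserved placeholder name and the two addresses are from the RFC 5737 documentation ranges, chosen only to mirror the situation the post shows. It diffs the two sources line by line, checks whether the form action was left untouched, lists every src/href that was rewritten to an absolute URL, and pulls out any hidden input whose value parses as an IP address.

```python
"""Compare a saved copy of a real login page with a suspected phishing copy.
Added example; both pages below are constructed (placeholder host, RFC 5737
documentation IP addresses) and are not the bank pages from the original post."""
import difflib
import ipaddress
from html.parser import HTMLParser

REAL_PAGE = """<html><head><title>Internet Banking Login</title>
<link rel="stylesheet" href="/css/login.css"></head><body>
<img src="/images/logo.gif" alt="Bank">
<form method="post" action="/login.php">
<input type="hidden" name="client_ip" value="198.51.100.23">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>
<a href="/help/security.html">Security tips</a></body></html>
"""

# The phisher saved the real page (with his own IP baked into the hidden field)
# and rewrote relative paths so images and links keep working from the copy.
PHISH_PAGE = """<html><head><title>Internet Banking Login</title>
<link rel="stylesheet" href="http://bank.example/css/login.css"></head><body>
<img src="http://bank.example/images/logo.gif" alt="Bank">
<form method="post" action="/login.php">
<input type="hidden" name="client_ip" value="203.0.113.77">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>
<a href="http://bank.example/help/security.html">Security tips</a></body></html>
"""


class _FormScanner(HTMLParser):
    """Pull out form actions, hidden inputs, and every src/href reference."""

    def __init__(self):
        super().__init__()
        self.actions, self.hidden, self.refs = [], {}, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")
        for key in ("src", "href"):
            if key in a:
                self.refs.append(a[key])


def scan(html):
    s = _FormScanner()
    s.feed(html)
    return s


def hidden_ip_fields(html):
    """Hidden inputs whose value parses as an IP address: the incriminating
    leftover the post describes when a page is copied from a live site."""
    out = {}
    for name, value in scan(html).hidden.items():
        try:
            ipaddress.ip_address(value)
            out[name] = value
        except ValueError:
            pass
    return out


def compare_pages(real, phish):
    """Summarise how the phishing copy differs from the real page."""
    r, p = scan(real), scan(phish)
    changed = [line for line in difflib.unified_diff(
        real.splitlines(), phish.splitlines(), lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    rewritten = [ref for ref in p.refs if ref not in r.refs]
    return {
        "changed_lines": changed,
        "same_form_action": r.actions == p.actions,
        "rewritten_refs": rewritten,
        "hidden_ip_real": hidden_ip_fields(real),
        "hidden_ip_phish": hidden_ip_fields(phish),
    }


if __name__ == "__main__":
    report = compare_pages(REAL_PAGE, PHISH_PAGE)
    print(f"{len(report['changed_lines'])} diff lines; form action unchanged: "
          f"{report['same_form_action']}")
    for ref in report["rewritten_refs"]:
        print("rewritten reference:", ref)
    print("hidden IP in real page  :", report["hidden_ip_real"])
    print("hidden IP in phish page :", report["hidden_ip_phish"])
```

The hidden-field check is the one worth keeping around: any value that parses as an IP address in a page you did not generate yourself is either a tracking artefact of the original site or, as here, a trace of whoever copied it.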