Posts filed under 'Spam'
April 17th, 2008 by Macky Cruz (Technical Communications)
In this recently reported targeted attack on CEOs of various companies (also known as “whale phishing,” due to the size and stature of the affluent targets), a bogus subpoena request attempts to trick recipients into clicking a link in the spammed email messages. The link purports to give users access to the related court documents in a bogus subpoena action.

If victims do click on the malicious link in the email, they arrive at a Web site pretending to host the information (shown above), where they are then prompted to download and install a browser plug-in in order to view the files.
The malicious “browser plug-in” (named Acrobat.exe in this instance) is actually TROJ_AGENT.AMAL.
The attack seems to work due to various social engineering techniques, each of which is not necessarily new.
The United States District Court has posted an advisory regarding these bogus subpoena requests, and so has the Internet Crime Complaint Center (IC3).
Anyone receiving such a request is thus advised to treat this solicitation with extreme caution. If there is reason to believe that the email is valid, consult the matter with your lawyer. Do not click on links in unsolicited email. Period.
Additional input from Paul Ferguson, Advanced Threats Research
April 10th, 2008 by Jake Soriano (Technical Communications)
With all of the fanfare Senator Barack Obama has been receiving — the race for the U.S. Democratic presidential nomination is becoming ever closer — it was only a matter of time until spammers and cyber criminals began to employ his popularity to leverage their malicious activities.
A new spam run that TrendLabs Content Security has recently come across features spammed email messages that entice readers to click a link, which supposedly has a video of Obama’s confessions regarding his “transsexual affairs.” The links lead to the download of the file Barack_Obama-videostream.v182.exe, which Trend Micro detects as BKDR_AGENT.ABTQ.
The upcoming U.S. elections have been targeted by spammers before.
Senator Hillary Clinton, Obama’s main rival in the Democratic presidential nomination race, also became the subject of spamming activities last February, while another candidate, Congressman Ron Paul, had been featured in 2008 U.S. election spam’s first salvo back in November. The two early spam runs, however, sounded in favor of the presidential hopefuls (despite installing malware onto systems). On the other hand, Barack Obama does not seem to have the spammers’ support in this spam run, which alludes to scandalous affairs in an effort to socially-engineer users to peruse salacious content.

Trend Micro users are already protected from this threat, as TrendLabs Content Security already blocks the emails.
April 10th, 2008 by Macky Cruz (Technical Communications)
Although it has existed for quite a while, a recent example of “backscatter spam” is depicted below from earlier this month:

In the above example, notice that the quoted text (and the associated attachment) is a portion of the original spammed email message.
Backscatter is a term coined to refer to the intended effect of sending spam using forged sender addresses. Spammers who send email messages with forged sender addresses in the From field are in fact counting on certain types of mail transfer agent (MTA) programs that return the entire text or message to the forged sender (as in Message Sending Failure messages or bounced email notifications) instead of truncating the messages. MTAs that are configured like this inadvertently cause a spam run of their own, because they “send back” messages to users who never sent these messages in the first place.
Similar to malware attacks that reuse old exploits, this recycled technique is just as effective as it was when it first appeared, as long as the conditions that allow it still persist. Mail server administrators should therefore be aware of this to avoid contributing additional volume to the already burgeoning problem of bulk mail.
Trend Micro spam filters are, of course, able to detect backscatter, and effectively deal with it.
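A mail administrator who wants to spot backscatter arriving at their own domain can check whether the original message quoted inside a bounce was ever actually sent by their MTA. The following is an added example (not code from the original post or from Trend Micro): it parses a delivery-status notification, pulls the Message-ID out of the quoted or attached original, and compares it against a set of Message-IDs the local server is known to have generated. The set `SENT_MESSAGE_IDS`, the domain `example.com`, and both sample bounces are constructed for this example; in practice the set would be populated from the outbound mail log.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed: Message-IDs our outbound MTA actually assigned. In a real
# deployment these come from the outbound mail log (hypothetical source).
SENT_MESSAGE_IDS = {"<20080402.1234.abc@mail.example.com>"}

# Matches a Message-ID header line quoted verbatim inside a text bounce body.
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)


def quoted_message_ids(bounce_text):
    """Return the Message-IDs of the original message quoted in a bounce.

    Handles both styles of DSN: an attached message/rfc822 part (the
    original with its headers intact) and a plain-text bounce that pastes
    the original headers into the body.
    """
    msg = message_from_string(bounce_text, policy=default)
    ids = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)  # the attached original message
            if inner.get("Message-ID"):
                ids.add(str(inner["Message-ID"]).strip())
        elif ctype.startswith("text/"):
            ids.update(m.strip() for m in MSGID_RE.findall(part.get_content()))
    return ids


def classify_bounce(bounce_text, sent_ids=SENT_MESSAGE_IDS):
    """Classify a bounce as 'legitimate', 'backscatter' or 'unknown'.

    A bounce whose quoted original carries a Message-ID we never generated
    is backscatter: the spammer forged our address as the sender and the
    remote MTA accepted the mail, then bounced it to us.
    """
    ids = quoted_message_ids(bounce_text)
    if not ids:
        return "unknown"  # nothing quoted, so nothing to verify against
    if ids & sent_ids:
        return "legitimate"
    return "backscatter"


# Constructed sample 1: plain-text bounce quoting a spam we never sent.
BACKSCATTER_SAMPLE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.other-example.net>
To: <alice@example.com>
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

This is the mail system at host mx.other-example.net.
The message could not be delivered to: bob@other-example.net

------ This is a copy of the message, including all the headers. ------
From: alice@example.com
To: bob@other-example.net
Message-ID: <spam-9981@bulkmailer.invalid>
Subject: Cheap watches

Buy now.
"""

# Constructed sample 2: multipart/report bounce of a message we really sent.
LEGIT_SAMPLE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.other-example.net>
To: <alice@example.com>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered to: bob@other-example.net
--B1
Content-Type: message/rfc822

From: alice@example.com
To: bob@other-example.net
Message-ID: <20080402.1234.abc@mail.example.com>
Subject: Meeting

See you at 3.
--B1--
"""

if __name__ == "__main__":
    print("sample 1:", classify_bounce(BACKSCATTER_SAMPLE))  # backscatter
    print("sample 2:", classify_bounce(LEGIT_SAMPLE))        # legitimate
```

The same check is what a receiving MTA should perform in the other direction: rejecting mail for unknown recipients during the SMTP transaction, rather than accepting it and bouncing afterwards, means no bounce is ever generated toward a forged sender in the first place.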
April 8th, 2008 by Jake Soriano (Technical Communications)
What is that old cliché about publicity now? The essence seems to be that all publicity, whether positive or negative, is good — good for celebrities but a different thing altogether for Web users, as gossip could lead them to malware.
TrendLabs reported two months ago of a malware operation that took advantage of Yahoo!’s redirection services and pointed users to malicious Web sites. The social engineering technique was the center of gossip during the time: Britney Spears.
The trend does not seem to have waned, as even now celebrities are still being used to lure users to malicious sites, where malware is downloaded onto their systems. The following is a screenshot of a spammed email message with a malicious link that would look irresistible to those interested in celebrity gossip:

Britney Spears this time was replaced with another media hound: Nicole Richie. The subject of the spammed mail promises users a pornographic video supposedly featuring Richie. The observant would notice, however, that the details in the email mention another celebrity: Penelope Cruz. While Cruz is not really in the same league as Britney and Nicole, the supposed graphic content of the “video” in the email would still make her effective bait for those who might want to “see and find out.”
Users who click the link are redirected to this Web page:

A video would seem to be downloading here but this screen in fact just defers user discovery of malware infection. Trend Micro is still analyzing the malware involved in this spamming activity. Users are still advised not to let curiosity get the best of them.
April 6th, 2008 by Jake Soriano (Technical Communications)
Recycling an old social engineering technique and using two different attack methods, a new spam run emerges as a threat to Web users before Microsoft’s Patch Tuesday. And not because it exploits soon-to-be named vulnerabilities.
What this spamming operation takes advantage of is the anticipation itself for the release of patches by Microsoft. A sample email message looks like this:
