Posted by Luis Corrons at 18 September 09 09:07
Yesterday I came across (thanks Sean-Paul!) the following site, which really attracted my attention:
As you can see, it is an online service which promises to hack any Facebook account for just 100 bucks (!). My first thought was "ok, just another scam", but I wanted to see how far they would go with this. The first thing they ask is that you register on their site, which I did. The next step to hack an account was to provide them with the ID of the Facebook account you wanted to hack; first I created a temporary Facebook account for this test, and then went back to "hack" it.

Obtaining the ID is trivial, and with that ID anyone can look up the Facebook username, but most people are not familiar with that, so in the end it lends extra credibility to this "service". Once you enter the ID and click on the "Hack it" button, you are shown the owner of the Facebook account (the username) and given the option to "Start Facebook hacking!":

As you can see, it says it takes a few minutes, and it actually does. Once it finishes, you will see this:

I clicked on save, but since you haven't paid yet, you are not allowed to view the passwords:

Below is the payment screen. Once you send the money via Western Union (have you ever asked yourself why most cybercriminals use WU?), you have to fill in the transfer details. Of course, you have to send the money to Ukraine...

Once you send the information, you are told that it will appear in your balance. Of course it won't, as this is all about taking money from users. And in the end, since the user was trying to hack an account, he won't go to the police.
The website has a FAQ section where they say they've been in business for more than 4 years, and they provide a link to a Webmoney account that is indeed 4 years old. But looking at the domain of this Facebook hacking website, we found out that it was registered by someone from Moscow a couple of days ago.
Posted by Sean-Paul Correll at 10 September 09 01:52
Using search engines to browse the Internet these days is a dangerous endeavor. Cyber criminals are keen on gaming search engine algorithms and are able to quickly divert innocent news seekers to malicious websites. Today, WIRED reported that cyber criminals were targeting a highly anticipated Dan Brown novel, but the target and scope are much broader than that. Literally every current relevant news topic is actively targeted each day, including the highly publicized speeches given by President Obama this week.
Clicking the following link in a Google search result will point us to a malicious Rogueware campaign page:

Malware Info: Adware/SmartVirusEliminator
Investigating the attack shows us a bigger picture of the targeted keywords:
Most commonly targeted keywords:
- Obama Speech
- GM group enterprises
- Apple
- Beatles
- America
- White House
- Jon Gosselin
- Live Interview
- School Season
The full list of targeted keywords can be downloaded here: BlackhatSEO2.txt
Over the past six months that PandaLabs has closely tracked the evolution of Blackhat SEO attacks, we’ve seen these targeted campaigns being executed by cybercriminals with increasing speed and sophistication. Today, Blackhat SEO is truly a mainstream tactic used by cyber criminals. Targeting real-time news events is a serious problem not only for search engines, but for all parties involved in malware mitigation. In shifting to the "real-time web," the entire IT security community must also recognize the need for real-time Malware protection, and this is precisely why the move to cloud-based antivirus technology is necessary.
Posted by Sean-Paul Correll at 09 September 09 12:09
Banking Trojans are one of the most prevalent Malware species in the threat landscape today. Malware authors aim to keep infections live and undetected long enough so that they can get what they are really after: money. Financial motivations lead malware developers to craft the stealthiest banking Trojans to steal personal and financial data for further exploitation on the black market. Day after day innocent victims are hacked, with the end result being an emptied-out bank account. This video demonstrates how dangerous and stealthy banking Trojans can be and why we must continue to raise awareness on the issue.

Posted by Sean-Paul Correll at 05 September 09 03:51
Rogueware authors continue to push the limits when tricking innocent users into infecting themselves. In this video example, we demonstrate the audio and visual cues used in a scareware campaign.
Posted by Sean-Paul Correll at 01 September 09 07:29
Update: Learn about the latest BHSEO attack here.
Blackhat SEO (BHSEO) is currently one of the most prevalent distribution methods for Malware on the Internet. It’s also one of the most dangerous methods because of the implicit trust users place in search results. A Forrester research study conducted in 2008 showed that 50 percent of Internet users trust content delivered by search engines. It’s no surprise that cyber criminals have been using malicious search results as a main monetization stream.
The Rogueware campaign we blogged about last week turned into a full-blown BHSEO attack targeting relevant news topics such as the California wildfires, Ted Kennedy’s death, DJ AM’s death, Mega Millions Lottery, Hurricane Danny, UFC 102, and CNN and BBC breaking news, among thousands of search terms and 123,000 links. Upon clicking one of the many malicious links in the top-ranking search results, the victim is put through several redirections and finally taken to a fake scan website designed to infect and extort money.
Fake scan site:

Installer:

File: setup.exe
Size: 72192 bytes
MD5: 2C0625D97A5BC7EC299D33CE8C9A299E
Malware Info: Adware/SmartVirusEliminator

Tag cloud of exploited keywords:
Most exploited keywords:
- BBC News 2009
- CNN News 2009
- Ted Kennedy
- Official Website
- USA News
- Hottest Info/News
- CA/California Fire
- Lottery
- Hurricane
- Halloween
The full list can be downloaded here: BlackhatSEO.txt
You can read more about Rogueware in our most recent report: The Business of Rogueware [pdf]
Posted by Sean-Paul Correll at 27 August 09 11:36
Panda Security has a California-based office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forest that have now burned through at least 30 acres, so naturally we have been keeping an eye on it. To my surprise, I pulled up a Google search for “Angeles Crest Fire” and the result yielded a malicious link above the most relevant sources.
Update: 9/01/08 - The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc
Once clicked, the site loads and checks to make sure the user came from Google. If so, the following script begins the redirection to the Rogueware site:
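The referrer check above is the cloaking trick behind the Blackhat SEO campaigns described in this post and the BHSEO posts above it: search-engine visitors are redirected, while everyone else (including a researcher who fetches the page directly) sees only a harmless keyword-stuffed page. The Python below is an added example, not code from the original post or from PandaLabs; it compares the body a URL returns to a direct request with the body returned when the same request carries a Google Referer header, and flags both server-side cloaking (a redirect served only to search visitors) and the client-side `document.referrer` variant. The sample bodies and the host redirector.example are constructed.

```python
import re

# Constructs that send the browser elsewhere without any user action.
REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0;url=http://...">
    re.compile(r"http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*?url\s*=\s*['\"]?([^'\">\s]+)", re.I),
    # window.location = "..." / location.href = "..." / document.location = "..."
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    # location.replace("...")
    re.compile(r"location\.replace\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I),
]
# A script that tests document.referrer makes a redirect conditional even when
# the server hands the same body to everyone.
REFERRER_CHECK = re.compile(r"document\.referrer", re.I)

def redirect_targets(html):
    """Return the set of URLs the page would automatically redirect to."""
    found = set()
    for pattern in REDIRECT_PATTERNS:
        found.update(m.group(1) for m in pattern.finditer(html))
    return found

def analyse_cloaking(plain_html, referer_html):
    """Compare the body served to a direct request with the body served when the
    request carried a search-engine Referer header.

    server_side: redirect targets present only in the Referer variant.
    client_side: targets present in both, but guarded by a document.referrer test.
    """
    plain, via_search = redirect_targets(plain_html), redirect_targets(referer_html)
    client = sorted(plain & via_search) if REFERRER_CHECK.search(referer_html) else []
    return {"server_side": sorted(via_search - plain), "client_side": client}

def is_cloaked(plain_html, referer_html):
    """True when search-engine visitors are redirected and direct visitors are not."""
    verdict = analyse_cloaking(plain_html, referer_html)
    return bool(verdict["server_side"] or verdict["client_side"])

# Constructed sample bodies for one landing URL (redirector.example is hypothetical).
PLAIN_BODY = "<html><body><h1>Angeles Crest Fire</h1><p>keyword-stuffed filler</p></body></html>"
SERVER_CLOAKED_BODY = ('<html><head><meta http-equiv="refresh" '
                       'content="0;url=http://redirector.example/go.php?q=fire"></head>'
                       "<body><h1>Angeles Crest Fire</h1></body></html>")
CLIENT_CLOAKED_BODY = ('<html><head><script>if (document.referrer.indexOf("google") != -1) '
                       '{ window.location = "http://redirector.example/go.php?q=fire"; }'
                       "</script></head><body><h1>Angeles Crest Fire</h1></body></html>")
```

In practice the two bodies come from two fetches of the same URL, one without a Referer and one with a Referer such as a Google search results URL; a non-empty verdict is the signature of a BHSEO landing page.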

The Rogueware site is designed to display a fake Antivirus scan meant to scare victims into thinking that their computer is infected. If the Malware is downloaded and installed as the site suggests, the user will see a fake Antivirus program pop up on their computer. At that point it becomes very aggressive and difficult to remove.

File: Antivirus-x_x.exe
Size: 172032 bytes
MD5: 0E9BC3499560EEA9261F5883FAE2A10E
Malware Info: Adware/PersonalAntivirus
Rogueware attacks are among the most prevalent attacks on the Internet today. You can see our latest report on them here: The Business of Rogueware (pdf)
5 Steps to Avoid Infection:
- Always have up-to-date Anti-Malware software installed. If you don’t have any, or if your current solution is not removing the Malware, you can download a free trial from us here: http://www.pandasecurity.com/usa/homeusers/downloads/evaluation/
- Don’t rely on search engines to provide valid or safe search results. You can improve your chances of safe browsing by downloading our free Web of Trust browser plugin: http://www.pandasecurity.com/homeusers/downloads/wot/
- Pay close attention to the links you are clicking on. If you don’t recognize the source, you may want to research the domain in a separate search or avoid the link altogether.
- Rogueware attacks rely on Social Engineering (i.e. making you believe you are infected when you are not). Don’t believe it! Simply close the browser window if you see a scan appear all of a sudden. If you cannot close the window with your mouse, you can try ALT+F4 to force-close it.
- Don’t be afraid to ask for help. Call your Antivirus company or a tech-savvy friend if you feel that you are in over your head.
Posted by Luis Corrons at 27 August 09 12:58
Two days ago we wrote about 3 different variants of the same rogueware family that were just changing the name of the "product". The family keeps growing: yesterday we found a new member, called SaveDefense:

The payment gateway remains unchanged too:

Posted by Luis Corrons at 26 August 09 11:26
As you already know if you've read our paper about The Business of Rogueware, this is a very lucrative business. Every day we see thousands of new variants, and a few new families appear trying to infect users and take their money. Three of the new families we've seen this week, called SaveKeep, SaveSoldier and TrustNinja, are in the end the same rogueware, rebranded, which is one of the common strategies they use. Guess how we can tell that the three of them are in fact the same rogueware:



Another clue that this is the same piece of malware is that they use the same payment gateway:

Posted by Luis Corrons at 20 August 09 09:53
Today, we issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008.
PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007.
PandaLabs estimates that approximately three percent of all users have fallen victim to these techniques. The problem with these types of threats, unlike traditional viruses of the past, is that they are designed to go undetected, and therefore users do not realize they have become victims until it is too late. To avoid falling victim to identity theft, we recommend consumers follow these preventive measures:
1. Be aware of any kind of message that requests personal data from you. It is extremely improbable that online banks, payment platforms or social networks will ever send messages (emails, texts, etc.) to users asking for their login credentials, and much less for their credit card details.
2. Whenever you access an online bank, store, etc. always type the address directly in your browser. It is never advisable to enter these sites through links received through any channel or links returned by search engine results.
3. After having written the address in the browser, double check that the URL is really the one you have entered, and that the address has not changed into something unusual when you have clicked 'Enter.'
4. Check that the page contains the corresponding security certificates (these are generally displayed with a 'locked padlock' icon in the browser).
5. Always have a good security solution installed on your computer. This will help detect if you are entering a spoof Web page. It is always good to have a second opinion to ensure that you have not been infected by Trojans or the like. You can get this through any reliable free online application, such as Panda ActiveScan (available at http://www.pandasecurity.com/).
6. Above all, if you have any suspicions don't enter your details and contact the corresponding bank, store or service provider that you are trying to access. Any established organization will have a customer service line you can reach directly.
7. If you are someone that frequently uses online services for shopping, banking, etc., you can also get insurance for your online activity, which will cover you in the case of fraud.
Posted by Sean-Paul Correll at 14 August 09 12:49
The gang behind the Koobface worm has been hard at work releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.
Sample malspam:

After clicking the link, the victims are automatically redirected to a Koobface-controlled server, which then routes them to a fake codec site specifically designed for the social network they came from.
Fake codec site:
The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which then ultimately transforms their machine into a distribution point for the infection to further propagate.

Koobface connection log:

On infection, the Koobface worm immediately attempts to download three additional executable files.

After turning the victim's computer into its next distribution point, it also attempts to monetize the infection by installing "Total Security" Rogueware.
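The chain described in this post (a social-network link, a redirect through a Koobface-controlled server, a fake codec page, the "Flash Player upgrade" executable, then several more executable downloads) leaves a recognisable sequence in a web proxy log. The Python below is an added example, not PandaLabs' code, that flags any client whose Facebook-referred click was answered with an HTTP redirect and was followed within ten minutes by an executable download plus at least three further executable downloads. The log format, hosts and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

SOCIAL_NETWORKS = {"facebook.com", "myspace.com"}      # networks the lure message is posted on
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}

def parse_line(line):
    """Constructed proxy format: time client method url status content-type referer."""
    ts, client, _method, url, status, ctype, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "status": int(status), "ctype": ctype, "referer": referer}

def host(url):
    h = urlparse(url).hostname or ""
    return h[4:] if h.startswith("www.") else h

def is_exe(req):
    return req["ctype"] in EXE_TYPES or urlparse(req["url"]).path.lower().endswith(".exe")

def find_koobface_chains(lines, window=timedelta(minutes=10), min_followups=3):
    """One alert per client that shows the full lure-then-payloads sequence."""
    by_client = defaultdict(list)
    for req in map(parse_line, lines):
        by_client[req["client"]].append(req)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, req in enumerate(reqs):
            # Step 1: a click referred by a social network that is answered with a redirect.
            if host(req["referer"]) not in SOCIAL_NETWORKS or not 300 <= req["status"] < 400:
                continue
            # Step 2: executables fetched inside the window: the "codec" lure first, payloads after.
            exes = [r for r in reqs[i + 1:] if r["ts"] - req["ts"] <= window and is_exe(r)]
            if len(exes) >= 1 + min_followups:
                alerts.append({"client": client, "origin": host(req["referer"]),
                               "lure": exes[0]["url"], "payloads": [r["url"] for r in exes[1:]]})
                break
    return alerts

# Constructed sample log: 10.0.0.5 follows the chain, 10.0.0.9 is a benign Facebook-referred visit.
SAMPLE_LOG = """\
2009-08-14T12:00:01 10.0.0.5 GET http://redir.example/go.php 302 text/html http://www.facebook.com/home.php
2009-08-14T12:00:02 10.0.0.5 GET http://codec.example/video/ 200 text/html http://www.facebook.com/home.php
2009-08-14T12:00:20 10.0.0.5 GET http://codec.example/flash_player_upgrade.exe 200 application/x-msdownload http://codec.example/video/
2009-08-14T12:01:05 10.0.0.5 GET http://dl1.example/a.exe 200 application/octet-stream -
2009-08-14T12:01:06 10.0.0.5 GET http://dl2.example/b.exe 200 application/octet-stream -
2009-08-14T12:01:07 10.0.0.5 GET http://dl3.example/totalsecurity.exe 200 application/octet-stream -
2009-08-14T12:05:00 10.0.0.9 GET http://news.example/ 200 text/html http://www.facebook.com/home.php
2009-08-14T12:06:00 10.0.0.9 GET http://vendor.example/update.exe 200 application/x-msdownload http://vendor.example/
""".splitlines()
```

Calling `find_koobface_chains(SAMPLE_LOG)` reports only 10.0.0.5, with the codec-site executable as the lure and the three later downloads as payloads; the second client's Facebook-referred visit is a direct 200 with a single download and is not flagged.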
