<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PandaLabs Blog</title>
	<atom:link href="http://pandalabs.pandasecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://pandalabs.pandasecurity.com</link>
	<description>Everything you need to know about Internet threats</description>
	<lastBuildDate>Tue, 31 Jan 2012 09:04:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>PandaLabs Annual Report &#8211; 2011</title>
		<link>http://pandalabs.pandasecurity.com/pandalabs-annual-report-2011/</link>
		<comments>http://pandalabs.pandasecurity.com/pandalabs-annual-report-2011/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 09:04:16 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cyber Protest]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[PandaLabs]]></category>
		<category><![CDATA[Security Reports]]></category>
		<category><![CDATA[annual report]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3442</guid>
		<description><![CDATA[Today we are publishing the PandaLabs report, where you can enjoy an overview of the main figures and security news from the last 12 months. You will see how malware creation hit a new record high in 2011 with 26 million samples, that Trojans continue to be [...]]]></description>
			<content:encoded><![CDATA[<p>Today we are publishing the PandaLabs report, where you can enjoy an overview of the main figures and security news from the last 12 months. You will see how malware creation hit a new record high in 2011 with 26 million samples and that Trojans continue to be the most pervasive malware threat, and you will find some nice stories about cybercrime and cyberwar, as well as some other information about social networks.</p>
<p>I really hope you enjoy it. You can download the report <a href="http://press.pandasecurity.com/press-room/reports/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/pandalabs-annual-report-2011/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Katy Perry and Russell Brand baits to spread a new Facebook worm</title>
		<link>http://pandalabs.pandasecurity.com/katy-perry-and-russell-brand-baits-to-spread-a-new-facebook-worm/</link>
		<comments>http://pandalabs.pandasecurity.com/katy-perry-and-russell-brand-baits-to-spread-a-new-facebook-worm/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 15:39:03 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3435</guid>
		<description><![CDATA[Once again, user curiosity becomes cyber-criminals’ best ally. Scammers exploit people’s interest in celebrities to infect users. We have recently detected a new Facebook scam that uses a fake video of singer Katy Perry and ex-husband actor Russell Brand to trick users. If the user clicks the link, they are taken to a fake Facebook [...]]]></description>
			<content:encoded><![CDATA[<p>Once again, user curiosity becomes cyber-criminals’ best ally. Scammers exploit people’s interest in celebrities to infect users. We have recently detected a new Facebook scam that uses a fake video of singer Katy Perry and ex-husband actor Russell Brand to trick users.</p>
<p><img class="aligncenter size-full wp-image-1515" title="kate1" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate1.jpg" alt="" width="405" height="168" /></p>
<p>If the user clicks the link, they are taken to a fake Facebook page where they are invited to download a plug-in to watch the video.</p>
<p><img class="aligncenter size-full wp-image-1516" title="kate perry" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate-perry.png" alt="" width="636" height="525" /></p>
<p>The page indicates that over 4,000 people have already clicked the “Like” button, which is used by the scammers to trick victims into believing that the video is legitimate.</p>
<p>If the user tries to play the video, the worm will act differently depending on the browser used. If you use Firefox or Chrome, the worm installs a browser plug-in and uses it to post the scam to the victims’ friends’ pages. On Internet Explorer, the worm displays an age verification page to access an application called “X-Ray Scanner”.</p>
<p><img class="aligncenter size-full wp-image-1517" title="kate3" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate3.jpg" alt="" width="506" height="229" /></p>
<p>Then, before the user can take any other action, the browser takes them to a typical scam site where they are asked to enter their phone number. However, if they do so, they will start receiving unwanted premium rate text messages.</p>
<p><img class="aligncenter size-full wp-image-1518" title="kate4" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate4.jpg" alt="" width="698" height="384" /></p>
<p>Here are some tips on how to avoid falling victim to this type of scam:</p>
<p>-	Be wary of websites offering sensational videos or unusual stories.<br />
-	Before you click on a link sent by one of your contacts, make sure it has been intentionally sent by your friend and it is not the result of a massive scam like this one.<br />
-	Don’t accept friend requests from people you don’t know. This will help keep your privacy safe.<br />
-	Always keep your computer’s operating system and Web browsers up to date, and make sure you have an up-to-date antivirus solution installed.</p>
<p>If, however, you suspect you have fallen into the trap:</p>
<p>-	Check your browser plug-ins and remove any suspicious ones.<br />
-	Check the applications that have permission to access your Facebook account, and delete those you don’t know.<br />
-	Change your Facebook account password. If you use the same credentials to sign in to other services as well, change them too. It is always better to take all necessary precautions.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/katy-perry-and-russell-brand-baits-to-spread-a-new-facebook-worm/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Sex, lies and Twitter</title>
		<link>http://pandalabs.pandasecurity.com/sex-lies-and-twitter/</link>
		<comments>http://pandalabs.pandasecurity.com/sex-lies-and-twitter/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 12:20:42 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[lies]]></category>
		<category><![CDATA[Sex]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3418</guid>
		<description><![CDATA[Last week we got a new follower on Twitter, Alena Edwards: No tweets so far; the only information about &#8220;her&#8221; is the message in her profile, where she&#8217;s looking for funny guys and gives us a link. It is probably a spammer who, instead of tweeting links, just put the spam link in the profile [...]]]></description>
			<content:encoded><![CDATA[<p>Last week we got a new follower on Twitter, Alena Edwards:</p>
<p><img class="aligncenter size-full wp-image-3419" title="spamtwitter" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter.png" alt="" width="704" height="181" /></p>
<p>No tweets so far; the only information about &#8220;her&#8221; is the message in her profile, where she&#8217;s looking for funny guys and gives us a link. It is probably a spammer who, instead of tweeting links, just put the spam link in the profile description. So let&#8217;s see what happens when we go there:</p>
<p><img class="aligncenter size-full wp-image-3421" title="postspamtwitter1" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/postspamtwitter1.png" alt="" width="709" height="433" /></p>
<p>It looks like the typical dating site, maybe not for regular relationships but for more spicy moments&#8230; The number of hot girls who are alone and looking for some friends is awesome <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> Take a look at some of the pictures I could see there:</p>
<p><img class="aligncenter size-full wp-image-3423" title="spamtwitter2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter2.png" alt="" width="711" height="449" /></p>
<p>After checking that there were no exploits, etc., I tried to get some more info about that domain, and this is what I got:</p>
<p><img class="aligncenter size-full wp-image-3422" title="registrar" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/registrar.png" alt="" width="364" height="311" /></p>
<p>So the site was created the day before Alena started following us. Then I created an email address to register on the site, filling in all the fields. Once I did, I was registered, not for the domain I was on but for a new one, called XXXBlackBook. I was told I was going to receive an email from them to activate my account, so I went to check my inbox and I had the message:</p>
<p><img class="aligncenter size-full wp-image-3424" title="mail" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/mail.png" alt="" width="694" height="206" /></p>
<p>Once I did it I could access the site as a regular member. On the same website you have an inbox where other members can send you messages, and within a few minutes I got a new one:</p>
<p><img class="aligncenter size-full wp-image-3426" title="spamtwittermessage" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwittermessage.png" alt="" width="648" height="195" /></p>
<p>To continue my research, I clicked on the message to take a look at it, but sadly I got this:</p>
<p><a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter3.png"><img class="aligncenter size-full wp-image-3420" title="spamtwitter3" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter3.png" alt="" width="675" height="617" /></a></p>
<p>So you can get messages but to read them you have to upgrade to a silver or gold account&#8230; and it is not cheap:</p>
<p><img class="aligncenter size-full wp-image-3427" title="spamtwittermessage2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwittermessage2.png" alt="" width="670" height="583" /></p>
<p>When I took out my credit card my wife came into the room and I had to stop the research <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/sex-lies-and-twitter/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Megaupload and the cybercrime fight</title>
		<link>http://pandalabs.pandasecurity.com/megaupload-and-the-cybercrime-fight/</link>
		<comments>http://pandalabs.pandasecurity.com/megaupload-and-the-cybercrime-fight/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 07:58:47 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cyber Protest]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Hacktivists]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Department of Justice]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Megaupload]]></category>
		<category><![CDATA[RIAA]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3408</guid>
		<description><![CDATA[As most of you already know, yesterday Megaupload was closed by the FBI, accused of &#8220;copyright infringement&#8221;. You can read the FBI&#8217;s press release here where the details of the case are explained, and you can see how each accused person in this case could face 50 years of jail time. We should be concerned, as the [...]]]></description>
			<content:encoded><![CDATA[<p>As most of you already know, yesterday Megaupload was closed by the FBI, accused of &#8220;copyright infringement&#8221;. You can read the FBI&#8217;s press release <a title="FBI Press Release" href="http://www.fbi.gov/news/pressrel/press-releases/justice-department-charges-leaders-of-megaupload-with-widespread-online-copyright-infringement" target="_blank">here</a> where the details of the case are explained, and you can see how each accused person in this case could face 50 years of jail time.</p>
<p>We should be concerned, as the next step could be to close Google or Bing. At the end of the day we all use them to find the stuff we want, and I have many times seen results in those search engines with Megaupload links. And what next? Will they close the Internet?</p>
<p>Anonymous has of course reacted and has started DDoS attacks against a number of different websites; among the targets we can find the Department of Justice, the RIAA, and Universal Music. Again, the best thing Anonymous is able to come up with is to launch DDoS attacks. They could try to give information to the people, etc., but that is boring for them; it is way more fun to break the law.</p>
<p>Going back to the press release, you can also read this:</p>
<blockquote><p>This case is part of efforts being undertaken by the  Department of  Justice Task Force on Intellectual Property (IP Task  Force) to stop the  theft of intellectual property.</p></blockquote>
<p>Meanwhile, in the real world, thousands of millions of dollars are stolen every year by cybercriminals (real money, taken from users&#8217; credit cards and bank accounts). But as long as there is no theft of intellectual property, that&#8217;s ok. Wait a moment, is that OK? <strong>Maybe some priorities should be adjusted</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/megaupload-and-the-cybercrime-fight/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The Rise of the Ransomware</title>
		<link>http://pandalabs.pandasecurity.com/the-rise-of-the-ransomware/</link>
		<comments>http://pandalabs.pandasecurity.com/the-rise-of-the-ransomware/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 11:18:03 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Rogueware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[Ransomware]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3389</guid>
		<description><![CDATA[In recent months we have seen an increase in ransomware attacks. While the first ones we saw were posing as Microsoft to threaten the user because a pirated version of Windows had been detected, warning that they would contact the local law enforcement agencies if you didn&#8217;t pay the fine, the new ones [...]]]></description>
			<content:encoded><![CDATA[<p>In recent months we have seen an increase in ransomware attacks. While the first ones we saw were <a title="Ransomware Microsoft" href="http://pandalabs.pandasecurity.com/ransomware-posing-as-microsoft/" target="_self">posing as Microsoft</a> to threaten the user because a pirated version of Windows had been detected, warning that they would contact the local law enforcement agencies if you didn&#8217;t pay the fine, the new ones are posing as the very same law enforcement agencies.</p>
<p>While we are used to seeing this kind of fake message in English, in this case the attacks are localized: we have seen English, German, Spanish or Dutch (among others), depending on the targeted country. All of the attacks target European countries, so it looks like all of them are related and the same cybercriminal gang could be behind them.</p>
<p>The latest one appeared a couple of days ago, this time targeting Spain. The file uses the following <em>Internet meme</em> as its icon:</p>
<p><img class="aligncenter size-full wp-image-3393" title="meme" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/meme.jpg" alt="" width="233" height="216" /></p>
<p>Once infected, this is what you will see on your desktop:</p>
<p><img class="aligncenter size-full wp-image-3397" title="malware_policia" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/malware_policia1.jpg" alt="" width="710" height="515" /></p>
<p>The message says that access to illegal material (such as child pornography and spam about terrorism) has been detected from that computer, and that the computer will be locked to prevent such use. To solve that you have to pay a fine of €100.</p>
<p>The worst thing for the user is that it actually blocks the computer, so it is not easy to remove. To do it, restart the computer in safe mode and run a scan with an <a href="http://www.cloudantivirus.com" target="_blank">antivirus solution</a> that is able to detect it.</p>
<p>These are different examples we have seen in the last months:</p>
<div id="attachment_3398" class="wp-caption aligncenter" style="width: 520px"><a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-UK2.jpg"><img class="size-full wp-image-3398" title="UK" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-UK2.jpg" alt="" width="510" height="327" /></a><p class="wp-caption-text">English</p></div>
<div id="attachment_3399" class="wp-caption aligncenter" style="width: 510px"><a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Italiana2.jpg"><img class="size-full wp-image-3399" title="Poli Italiana2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Italiana2.jpg" alt="" width="500" height="378" /></a><p class="wp-caption-text">Italian</p></div>
<div id="attachment_3400" class="wp-caption aligncenter" style="width: 529px"><img class="size-full wp-image-3400" title="Poli Dutch" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Dutch.jpg" alt="" width="519" height="363" /><p class="wp-caption-text">Dutch</p></div>
<div id="attachment_3401" class="wp-caption aligncenter" style="width: 528px"><img class="size-full wp-image-3401" title="Poli alemana" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-alemana.png" alt="" width="518" height="415" /><p class="wp-caption-text">German</p></div>
<div id="attachment_3402" class="wp-caption aligncenter" style="width: 528px"><img class="size-full wp-image-3402" title="Poli Spa" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Spa.jpg" alt="" width="518" height="348" /><p class="wp-caption-text">Spanish</p></div>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/the-rise-of-the-ransomware/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>2012 Security Trends</title>
		<link>http://pandalabs.pandasecurity.com/2012-security-trends/</link>
		<comments>http://pandalabs.pandasecurity.com/2012-security-trends/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 12:26:02 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[PandaLabs]]></category>
		<category><![CDATA[Security Reports]]></category>
		<category><![CDATA[2012]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[trends]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3384</guid>
		<description><![CDATA[2011 is coming to an end, so now it&#8217;s time to try to see what we have to expect for the next 12 months: Social networks: Social engineering techniques exploiting users’ weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential elections will be [...]]]></description>
			<content:encoded><![CDATA[<p>2011 is coming to an end, so now it&#8217;s time to try to see what we have to expect for the next 12 months:</p>
<ul>
<li><strong>Social networks</strong>: Social engineering techniques exploiting users’ weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential elections will be used as a bait. Cybercriminals will continue to target social media sites to steal personal data.</li>
</ul>
<ul>
<li><strong>Malware increase</strong>: In the past few years, the number of malware threats has grown exponentially, and everything seems to indicate that the trend will continue in 2012. In fact, malware is the weapon used by cybercriminals to carry out their attacks.</li>
</ul>
<ul>
<li><strong>Trojans</strong>: they are cyber-crooks’ weapon of choice for their attacks, as shown by the fact that three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users’ computers and steal their information.</li>
</ul>
<ul>
<li><strong>Cyberwar</strong>: or maybe it is more accurate to say cyberespionage. 2011 has been the year with the most intrusions ever aimed at companies and government agencies. From New Zealand to Canada, from Japan to the European Parliament, there have been countless attacks aimed at stealing secret or classified information. We live in a world where all the information is in digital form, so modern-day spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access the best-kept secrets of organizations without ever leaving their living-rooms. In 2012 we will see even more of these kinds of attacks.</li>
</ul>
<ul>
<li><strong>Mac malware</strong>: As the market share of Mac users continues to grow, the number of threats will grow. Fortunately enough, it seems that Mac users are now more aware that Mac is not immune to malware attacks and they are increasingly using antivirus programs, hindering cyber-crooks. The number of malware specimens for Mac will continue to grow in 2012, although much less than for PCs.</li>
</ul>
<ul>
<li><strong>Mobile malware</strong>: Over ten years ago, antivirus companies started making dire predictions of a mobile malware epidemic. Years later, as the situation was not as apocalyptic as predicted, they started claiming that the installation of antivirus software on mobile phones had prevented the catastrophe. Well, they were wrong again. If having an antivirus solution were enough to solve all types of malware problems, the world would be a happier place. Unfortunately though, both users and security vendors alike are in the hands of cyber-crooks, who are the ones who decide which platform to target. In this context, last year PandaLabs predicted a surge in cyber attacks on mobile phones, and the fact that Android has become the number one mobile target for cyber-crooks in 2011 confirms that prediction. In 2012 there will be new attacks on Android, but it will not be on a massive scale. New mobile payment methods –via NFC for example– could become the next big target for Trojans but, as always, this will largely depend on their popularity.</li>
</ul>
<ul>
<li><strong>Malware for tablets</strong>: The fact that tablets share the same operating system as smartphones means that they will be soon targeted by the same malware as those platforms. In addition, tablets might draw a special interest from cyber-crooks as people are using them for an increasing number of activities and they are more likely to store sensitive data than, say, a smartphone.</li>
</ul>
<ul>
<li><strong>Cybercriminals targeting small to medium-sized companies</strong>: Why do cybercriminals target online banking customers instead of directly attacking banking institutions to steal money? The answer to this question has to do with the cost-benefit ratio of the attack: Financial entities are usually very well protected, and the chance of launching a successful attack is remote and very costly. However, attacking their customers to steal their identity and impersonate them is much simpler. The security of small to medium-sized companies is not that strong, and this makes them very attractive for cyberthieves, who can steal data from hundreds or thousands of users in one go. On many occasions, small to medium-sized companies do not have dedicated security teams, which makes them much more vulnerable.</li>
</ul>
<ul>
<li><strong>Windows 8</strong>: The next version of Microsoft’s popular operating system is scheduled for November 2012, so even though it is not supposed to have much of an impact on the malware landscape in the coming year, it will surely offer cyber-crooks new opportunities to create malicious software. Windows 8 will allow users to develop applications for virtually any device (PCs, tablets and smartphones) running Windows 8, so it will be possible to develop malicious applications like those for Android. This, in any event, will probably not take place until 2013.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/2012-security-trends/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Could targeted attacks be avoided?</title>
		<link>http://pandalabs.pandasecurity.com/could-targeted-attacks-be-avoided/</link>
		<comments>http://pandalabs.pandasecurity.com/could-targeted-attacks-be-avoided/#comments</comments>
		<pubDate>Fri, 02 Dec 2011 11:37:47 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Vulnerabilities & Exploits]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[targeted attack]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3374</guid>
		<description><![CDATA[This could be a long blog post, but I&#8217;ll try to make it short. However, for those of you that are lazy, here you can read the answer to the question, and the ones interested in the whole story (I will make it short, I promise) just follow the * mark: NO (*) (*): One [...]]]></description>
			<content:encoded><![CDATA[<p>This could be a long blog post, but I&#8217;ll try to make it short. However, for those of you that are lazy, here you can read the answer to the question, and the ones interested in the whole story (I will make it short, I promise) just follow the * mark:</p>
<p><strong>NO</strong> <strong>(*)</strong></p>
<p><strong>(*)</strong>: One of the characteristics of a targeted attack is that the attacker has previously studied the victim (who is a specific person or organization). This attacker will study the victim: which systems he is running, where the most valuable information is located, what defenses are in place, etc. And not only that: the person(s) will also be investigated, including which fields they work in, what hobbies they have, etc. This is why it is almost impossible to avoid these kinds of attacks. However, this is not a reason to lower our defenses, and that&#8217;s something that really puzzles me: taking a look at some of the major attacks we have seen in recent years, many of them were possible because there were servers with no antivirus protection, with an outdated operating system, etc. In a single word: <strong>negligence</strong>.</p>
<p>However, this is not always the case. If we take a look at the 2 most important attacks that have happened during 2011 (the RSA incident and the Duqu case) we will see that both attacks were really sophisticated, and that the way to start the intrusion was a mix of social engineering and some kind of software vulnerability. I would like to point out that in both cases users received a document, and once it was opened the document dropped and ran a file in the system, and from that moment on the system was compromised. Of course, these kinds of attacks can be done using known or unknown vulnerabilities, and you could argue that a user has no way to detect that a document is malformed in that way, and that the antivirus won&#8217;t detect a single thing as it will be new and the attacker has previously checked that the malware pieces involved were not detected: fair enough, I do agree with that.</p>
<p>And what if I tell you that if they had used Panda the attack would have failed? In 2004 we released TruPrevent technologies, with the goal of detecting a portion of brand new malware, the part that was still not detected with signatures. Since then we have included those technologies in our products, and one of them basically prevents a file from being downloaded and executed when a document is opened. Smart, nice, clean&#8230; <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Conclusion: if RSA, or any of the companies attacked by Duqu, had used even the free version of <a href="http://www.cloudantivirus.com" target="_blank">Panda Cloud Antivirus</a> those intrusions wouldn&#8217;t have happened&#8230; <strong>IN THAT WAY</strong>. Anyway, remember the answer to the question (<strong>&#8220;NO&#8221;</strong>). Attackers would have figured out a way to circumvent it, probably trying a different kind of attack, but the harder we make it, the more chances we&#8217;ll have to avoid it.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/could-targeted-attacks-be-avoided/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Fake Cloud AV 2012</title>
		<link>http://pandalabs.pandasecurity.com/fake-cloud-av-2012/</link>
		<comments>http://pandalabs.pandasecurity.com/fake-cloud-av-2012/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 11:59:39 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Rogueware]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3363</guid>
		<description><![CDATA[There is a new friend in the village. Many people thought that the fake antivirus (aka rogueware) business had decreased, and it was true that for a few months rogueware infections were not that prevalent, mainly due to the efforts made by law enforcement with the help of security companies, but it was a matter [...]]]></description>
			<content:encoded><![CDATA[<p>There is a new friend in the village. Many people thought that the fake antivirus (aka rogueware) business had decreased, and it was true that for a few months rogueware infections were not that prevalent, mainly due to the efforts made by law enforcement with the help of security companies, but it was only a matter of time before they came back. In the last few weeks we have seen an increase in infections, and today I want to show you a new one that calls itself &#8220;Cloud AV 2012&#8221;.</p>
<p>Cybercriminals always try to confuse their victims, so they use names similar or identical to those used in real antivirus products. In this case they have taken advantage of the famous <a href="http://www.cloudantivirus.com" target="_blank">Panda Cloud AV</a> to do their trick. Once it is installed on your computer, it will create a link on your desktop to open the program, but you won&#8217;t need to use it, because as soon as it is installed it will open itself and launch a system scan, which will report loads of malware found in your system. Of course that won&#8217;t be true, but they don&#8217;t care:</p>
<p><img class="aligncenter size-full wp-image-3365" title="CloudAV" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2011/11/CloudAV.png" alt="" width="567" height="359" /></p>
<p>What any user would do here is to click on &#8220;Remove threats&#8221;, but once you click on it, a new window will pop up asking you to buy the product:</p>
<p><img class="aligncenter size-full wp-image-3366" title="CloudAV2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2011/11/CloudAV2.png" alt="" width="523" height="276" /></p>
<p>Of course, if you want to buy it you will be redirected to a web form where you can make the payment:</p>
<p><img class="aligncenter size-full wp-image-3367" title="CloudAV4" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2011/11/CloudAV4.png" alt="" width="577" height="363" /></p>
<p>Of course if you give your credit card to pay the 52$, you&#8217;ll get the code to unlock the fake antivirus&#8230; if you don&#8217;t do it, you&#8217;ll get a message every now and then telling you that you are still infected. And what&#8217;s worse, every time you try to run any program on your computer it will tell you that it is infected, so your computer will be useless.</p>
<p>So&#8230; what to do if you are already infected? You should start your  computer in Safe Mode, go to <a title="Panda Cloud Antivirus" href="http://www.cloudantivirus.com" target="_self">www.cloudantivirus.com</a> and install the real  Panda Cloud Antivirus to remove all the malicious files. Easy, isn&#8217;t  it? <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/fake-cloud-av-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hong Kong, AVAR 2011</title>
		<link>http://pandalabs.pandasecurity.com/hong-kong-avar-2011/</link>
		<comments>http://pandalabs.pandasecurity.com/hong-kong-avar-2011/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 02:07:36 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[PandaLabs]]></category>
		<category><![CDATA[AVAR]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Hong Kong]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3357</guid>
		<description><![CDATA[Greetings from Hong Kong! This week we are enjoying the security conference AVAR, which is taking place in Hong Kong. Some interesting topics are being covered, such as the talk &#8220;Malware in EFI&#8221;, where Intel&#8217;s Igor Muttik showed us how malware could take advantage of the EFI (Extensible Firmware Interface) and the challenges we [...]]]></description>
			<content:encoded><![CDATA[<p>Greetings from Hong Kong! This week we are enjoying the security conference AVAR, which is taking place in Hong Kong. Some interesting topics are being covered, such as the talk &#8220;Malware in EFI&#8221;, where Intel&#8217;s Igor Muttik showed us how <a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2011/11/DSC03429.jpg"><img class="alignleft size-full wp-image-3358" style="margin: 10px;" title="AVAR 2011" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2011/11/DSC03429.jpg" alt="" width="247" height="329" /></a>malware could take advantage of the EFI (Extensible Firmware Interface) and the challenges we could be facing, as well as the countermeasures that can be taken. Another topic that has been around a lot is malware in mobile devices. Even though it is not that prevalent, it is true that it is an emerging threat and it raises some interesting thoughts. Of course the cloud is another topic covered here, but some of the most interesting talks are those about targeted attacks in certain countries in Asia, such as South Korea and Japan. The full program is <a title="AVAR 2011" href="http://www.aavar.org/avar2011/program/" target="_blank">here</a> in case you want to take a look at it.</p>
<p>As some of you may remember, at last year&#8217;s AVAR in Bali I was awarded the &#8220;Wildlist Reporter of the year&#8221; prize, so this year I was the one in charge of giving the prize to the next winner. On Thursday night, after the gala dinner, I went to the stage to announce the next &#8220;Wildlist Reporter of the year&#8221; winner, and that was my good friend Philipp Wolf, Director of Protection Labs at Avira. In the following picture, from left to right, you can see Luis Corrons, Philipp Wolf and Peter Chung (Wildlist Director):</p>
<div id="attachment_3360" class="wp-caption aligncenter" style="width: 558px"><img class="size-full wp-image-3360" title="Wildlist Reporter of the Year" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2011/11/DSC03496.jpg" alt="Wildlist Reporter of the Year" width="548" height="411" /><p class="wp-caption-text">Wildlist Reporter of the Year</p></div>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/hong-kong-avar-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PandaLabs Report  &#8211; Q3 2011</title>
		<link>http://pandalabs.pandasecurity.com/pandalabs-report-q3-2011/</link>
		<comments>http://pandalabs.pandasecurity.com/pandalabs-report-q3-2011/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 08:26:17 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3347</guid>
		<description><![CDATA[The new PandaLabs Report Q3 11 is out. Take a look at what has happened in the computer security field during the last 3 months. Just click on the picture. In this quarter 5 million new malware samples have been created and the record of new Trojans has been broken as it is the preferred category by [...]]]></description>
			<content:encoded><![CDATA[<p>The new PandaLabs Report Q3 11 is out.  Take a look at what has happened in the computer security field during the last 3 months.  Just click on the picture.</p>
<p style="text-align: center;"><a href="http://press.pandasecurity.com/wp-content/uploads/2011/10/PandaLabs-Report-Q3-2011.pdf"><img class="aligncenter" src="http://prensa.pandasecurity.com/wp-content/uploads/2011/10/Cover-PandaLabs-Report-Q3.jpg" alt="" width="329" height="233" /></a></p>
<p>In this quarter 5 million new malware samples have been created and the record of new Trojans has been broken, as it is the category preferred by cybercriminals to carry out their theft of information.</p>
<p>The Anonymous Group, who starred in the second quarter, has continued making the headlines in this period, due to the arrest of some members, theft of data from different web sites and operation PayPal.</p>
<p>The PandaLabs report also includes information about cybercrime, cyberwar, social networks, Mac and cell phones, and an extensive section explaining exploits.</p>
<p>The highlight of this third quarter is the record set in the creation of new Trojan samples. 3 out of 4 new malware samples created by cybercriminals are Trojans, and this is further proof that they are focused on stealing users&#8217; information.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/pandalabs-report-q3-2011/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

