Archive for the ‘security’ Category.

Spam on Twitter = Twam?

I’ve no idea how many of you out there in blog-land use Twitter, but I’d guess quite a few of you do?

As a relatively new Twitter user, I’ve not seen much of the problems that Twitter has experienced over the last year, including account hacking, phishing, 419 scams, worms and other malcode problems. One area that seems (at least to me) to have been rather quiet has been spam via Twitter.

Until the last week or so, I’ve never received any. I’d be interested to know how many of you out there in blog-land who use Twitter have seen similar things to what I’m about to discuss.

I don’t think there is a specific name for Twitter spam, so I’ve coined one: Twam.

I’m sure the more creative of you out there can come up with something better?

Let’s have a look at a couple of examples I’ve seen in the last week or so:

1. The Vote For Me Twam
I received the following notification and when I checked out the profile for that user all their tweets were requests to vote for them in some beauty pageant.

As you can see, at the time I was sent this they had a fair few followers and were following (Twamming) lots of other Twitter users. When I checked this particular account again this morning, it was still active and still only begging for you to vote for her, at 60p per text no less! The number of followers now stands at 343 and she is following (Twamming) 1,986 other Twitter users.

2. The Porn Advertising Twam
I received the following notification just this morning and when I checked out the profile for that user they only have one tweet, with a link to a porn site! So they seem to be using Twitter to advertise their porn site.

Shortly after receiving the above notification, I received another using the same name, but from a different Twitter account. Their feed was exactly the same as the first one I received just 30 minutes earlier.

When I just checked both of these accounts (before publishing this) that were advertising a porn website they have now been closed by Twitter.

Needless to say I have blocked these Twitter accounts, as I don’t want to see what they offer and I don’t want to give them any credibility by being seen as being followed by them.

I wonder if this is the start of a major spam (twam) attack on this social networking site? I wouldn’t be surprised, as this fate has already befallen Facebook, Myspace and many other similar sites.

For those of you who are interested in following me on Twitter (no not you spammers/twammers) you can easily find me via my name or my Twitter account which is talkytoaster.

If you spot anything interesting feel free to send me a Tweet or a Direct message.

Take care and happy Tweeting.

FREE GALA BINGO E-MAIL LOTTERY PROMO

The 419 scammers have decided to use Gala, a UK bingo and online gaming company, as their latest brand to impersonate; they do this to try and get you to swallow their scam as real.

Here are a couple of screenshots showing one copy of the e-mails I’ve seen so far today:

The use of a “trusted” brand name is to try and make it more believable, so that you will be willing to actually contact them to try and get the alleged winnings.

However, you’ll end up being put on a suckers list, receiving even more of these scams, even via the postal service and over the phone too. Not only that, you will also be asked to pay some administrative or legal fees to release the money to you… there is no money, you haven’t won anything except the chance to be less gullible in the future.

If you want to find out more about these scams and how they work you can find other postings on the subject on this blog, and also on my published papers and articles page here: http://momusings.com/papers

If you get an email claiming that you’ve won something in a competition you never entered be very skeptical. If you want to know if it is real or not then please feel free to contact me.

Gala do appear to have a lottery game, but it is online at their website; they don’t do an e-mail lottery at all… you have been warned ;-)

Look here Kido, stop trying to Conficker my computer…

Yes, I know I haven’t posted for ages, but I’ve been kind of busy helping customers with outbreaks, ethical hacking, application testing and computer forensics. I have also been busy writing an article for a magazine (more on that in a moment) and writing abstracts for the 2009 Virus Bulletin conference; one of which was accepted, I’ll blog about that when I have more time.

OK, enough of the lame excuses from me.

So, back to the article…

Over the last few months one particular malware family has been hyped out of all proportion and unless you’ve been living under a rock or had no access to a computer since the end of November you must already know which malware family I’m writing about?

At the beginning of March this year, after spending a significant amount of time dealing with the most virulent variant at that time, the B variant (or variants), I was asked to write an article for a magazine on Conficker, which I duly did.

It was submitted, and I’d made it clear that there was no way that my employer would willingly waive its copyright. So, what do I get asked to sign?

So, to cut a long story short, it was agreed that the article would not be published by the magazine after all, but I could publish it on my blog, etc. as long as my employer’s copyright of the material was mentioned.

The upshot of this is my article on the evolution and functionality of Conficker. Please bear in mind that this was completed on the 9th of March 2009, weeks before every man and his cerberus had decided they ought to write such an article.

I hope that you find it useful, enlightening and maybe entertaining too?

The article entitled “Have you been Confickered” can be found here: http://momusings.com/papers/Have-You-Been-Confickered-v1.01.pdf

As usual all feedback is most welcome.

Discount Coupons from Hell…

We all like a bargain, right?

How many of you out there use coupons to get discounts on things you buy, or plan to buy?

Do you use the paper coupons that you get from flyers, papers, magazines and brochures, or do you use the electronic coupon codes instead?

Whichever you do use, I’m sure that you all love the feeling that you’ve saved some of your hard-earned money by using them? Of course the cynics amongst us would say it is just social engineering to get us to buy a particular brand, or even buy something we didn’t really plan to buy, or in some cases even need… So whilst I’m on this topic, I was intrigued when I received the following e-mail yesterday:

Here’s a screenshot of one of the e-mails that I’ve received:

Oh goody I thought, coupons! ;-)

I clicked on the link and this is where I ended up:

Now that’s interesting, how have they managed to show me offers for a town near where I live?

A quick look at the page source shows that they are using GeoIP [geographic resolution of the IP address used to request the page, in other words my router’s public IP address].

So, if you are in say Manchester, UK you would be shown ones allegedly tailored for that area, likewise if you are in, say, San Diego, US or Munich, Germany or even Sydney, Australia.

More digging shows that the page is also laced with exploit code, to catch the unpatched and infect their systems [using a hidden IFRAME].

So, what happens when I click on the ‘Click Here’ icon on the page?

Ah, I get offered an executable file [list.exe], not a PDF or any real coupons at all, but a Windows binary file that I suspect is actually malware, probably a new variant of Waledac. So let’s refresh the page and see if anything changes?

Yes, the filename offered changes, after the page reload it became: saleslist.exe! More page reloads show that it is using a number of different names in rotation. So, I scanned the files [both of them] and they are identical in size and MD5 hash, this means they are identical internally.

At the time of posting this blog entry the detection of the offered files was rather poor, with only 9 out of 32 tested scanners identifying that this is a malicious file. Most of the ones that did detect it were using heuristic or generic detection, which means this is indeed a new variant.

So it seems that once more the bad guys and girls are trying new social engineering techniques to try and get us to infect our systems and effectively press-gang our systems into the botnet army they control. These are the same group of cyber-criminals responsible for the Valentine’s Day fake e-card development kit that I blogged about recently.

Here are some useful links if you want to know more about Waledac [please bear in mind that the descriptions used may not be valid for this new variant]:

Don’t let your guard down just because you think you are getting a good deal, some free coupons, a free iPod, laptop, or whatever… Just remember there is no such thing as a free lunch, someone has to pay for it, either directly or indirectly; don’t let it be you…

UPDATE:
As I was finishing off this blog entry, I re-checked the site, and found that the files offered still use the same list of names [15 so far], but the filesize and MD5 hash value are now different to yesterday’s. Seems they are seeding new variants each day… so, be on your guard!

Another Valentine’s Day…

…Another Chance to Get Infected!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentine’s Day on Saturday?

It seems that the bad guys and girls are back playing cupid again and couldn’t resist the opportunity to try and get you to infect your computer, yet again using the guise of a Valentine’s e-card. The latest wave of these started yesterday:

Here’s a screenshot of one of the e-mails that I’ve received:

If you are foolish enough to click on the link in the email, you’ll end up on a page that looks like the one below, at least for now it does:

Very nice of them to offer you a tool to make your own Valentine’s Day greetings? Of course, in reality it is just an infected file used to recruit your PC into the botnet army of the author of this malcode.

When I first started to see these Valentine’s Day e-mails, late last week [a test run maybe?], the landing page looked like this instead:

However you spend the day, whatever you do for the ‘love-of-your-life’, don’t become part of the collateral damage of the annual ‘Valentine’s Day [Malware] Massacre’.

If I see any more ‘bogus’ Valentine’s Day e-mails, I’ll try and post details here when I can. Also, if you see any that I haven’t yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered files [at least two distinct unique files (MD5 hash value)] was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is offering different file names, although the actual file is internally identical in many cases, as mentioned above.

If I get any further useful data or news then I’ll try and post it here.

Oh, and don’t forget the risk of getting an infection isn’t just for Valentine’s Day, it is for every day of the year, so don’t let your guard down… stay safe!

McDonald’s Survey

I’d like to start this post with an apology [yes, again] as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won’t be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here’s a new one I’ve not seen before; the following e-mail arrived in my ‘Phish’ inbox late last night [screenshot below]:

That’s nice, if I answer just seven questions in a simple survey I will get £25… I smell a phish, so what do we see when I click on the link?

Hmmmmm… looks pretty good, quite believable wouldn’t you say?

So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the survey and then click on submit. This is where I’m taken to next:

Aha… Just as I suspected, this is a phish, as it wants personal data and my credit card data, including the CVV, so that the promised £25 can be credited to my card, yeah right. So, let me enter in some more bogus data and click on the Submit button again.

I particularly like the mis-use of the MasterCard SecureCode, VeriSign and Verified by Visa logos, just trying to make you feel secure, how reassuring, eh?

The final page [shown above] informs me that my data has been entered correctly [yeah right!] and that I should see my £25 credit payment on my credit card within 3-5 business days. More like my credit card will be misused or sold on to others to misuse within 3-5 business days! Oh, and then I get taken to the real McDonald’s UK website, nice ;-)

So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I’ve seen one targeting McDonald’s in the UK.

So, if you are a McDonald’s customer, or think that you’d like £25 for free, be on your guard, as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details….

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!

Financial In-Fidelity, Yours For 72.5 Million US Dollars!

Here’s an offer I received via e-mail that seems to be the answer to most people’s prayers; a large pile of money just for helping someone move some money. Of course in reality it isn’t as simple as that, but I’m getting ahead of myself.

Here’s a screenshot of the e-mail in full:

It says it was sent by Tim McCarron of Fidelity Investments here in the UK. He is a fund manager for them. It seems that Tim, allegedly, has acquired over 145 Million US Dollars from his employers without their knowledge. Moreover he wants my help to move the funds, and for my trouble he will give me 50 percent; very generous. That is over 72.5 Million US Dollars…..tempting, isn’t it? ;-)

All he wants from me are some personal details, some proof of identity, such as a copy of my driver’s licence or passport, and a bank account number to use for the transaction.

To prove that he really exists, Tim has even included a link to some details about himself and his performance which is available on the Fidelity Investments website. How thoughtful!

Here’s a screenshot of the webpage in the first link:

See, there’s Tim’s name and various other details about him and the funds he manages. Yes, this is the real Fidelity Investments website.

Let’s look into this in more detail.

OK, the e-mail reply address seems odd, it is timmacarron@superposta.com (seems Tim can’t even spell his surname correctly) but the From: address header in the e-mail tells me his e-mail address is tmcarron@ymail.com… hmmm, I’m confused. I know he is trying to cover his tracks, but why use two free webmail addresses?

So, what does this tell me?

Well for one this email is not from the real Tim McCarron, or from anyone at Fidelity Investments. Furthermore, there is NO MONEY; sorry to disappoint you.

If it was real, then the person responsible would have committed fraud; as they have stolen money from their employers and potentially customers too. Furthermore, if you took part in this, if it was real, you would also be committing fraud as well as money laundering….lucky there is no money then, eh? ;-)

Yes, this is yet another 419 scam [aka the Nigerian scam, also known as Advance-Fee Fraud]. If you were foolish enough to reply to the e-mail you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called “suckers list” and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such a tempting offer, remember the old adage “if something seems too good to be true, it probably is… too good to be true”. Also, think very carefully before you click on any links or contact anyone mentioned in these e-mails; at the very least you could end up on a phishing site, you could lose some of your money, or worse, as there have been cases of beatings and even murders linked to these scams.

Oh, and just in case you were wondering, the links in the email were included by the scammer to try and give extra credence to their outlandish financial proposal.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Oh yes, and the personal details you supply them will almost certainly be used for identity theft and/or in another 419 scam, using your personal details and proofs to attempt to make it more believable.
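The header oddity spotted above, a Reply-To: on one free webmail domain while the From: is on another and neither matches the organisation the sender claims to work for, is easy to check mechanically. The following is an added example (not code from the original post); the message is constructed to mirror the one described, the free-webmail list is a constructed sample, and fidelity-example.invalid is a placeholder for the claimed organisation’s real domain, which the post does not give.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed message modelled on the one described in the post: the display
# name claims Fidelity, From: is one free webmail provider, Reply-To: another.
RAW_419 = b"""From: "Tim McCarron" <tmcarron@ymail.com>
Reply-To: timmacarron@superposta.com
To: victim@example.invalid
Subject: URGENT AND CONFIDENTIAL BUSINESS PROPOSAL

I am a fund manager with Fidelity Investments and require your assistance ...
"""

# Constructed sample list; a real deployment would maintain and extend its own.
FREE_WEBMAIL = {"ymail.com", "yahoo.com", "gmail.com", "hotmail.com", "superposta.com"}


def header_domain(msg, name):
    """Lower-cased domain of the first address in header `name`, or None if absent."""
    _, addr = parseaddr(str(msg.get(name, "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def assess(raw_bytes, claimed_org_domain):
    """Return the From/Reply-To domains plus the 419-style findings they trigger.

    claimed_org_domain is the domain the sender's story implies (a placeholder
    here, since the post does not give the real organisation's domain)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    findings = []
    # Replies silently routed to a different mailbox than the one shown as sender.
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append("reply_to_domain_differs_from_from")
    # A "fund manager" writing from a free webmail account, at either end.
    if from_dom in FREE_WEBMAIL:
        findings.append("from_is_free_webmail")
    if reply_dom in FREE_WEBMAIL:
        findings.append("reply_to_is_free_webmail")
    # Neither address belongs to the organisation the message claims to represent.
    if claimed_org_domain not in (from_dom, reply_dom):
        findings.append("no_header_matches_claimed_organisation")
    return {"from": from_dom, "reply_to": reply_dom, "findings": findings}
```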

Amazon Marketplace Listing Canceled…

How many of you out there use Amazon’s Marketplace to sell items?

Well, if you do then this posting should be of some interest and I’d also be interested in how many of you have received similar emails to the one shown in the screenshot below:

Looks like a typical notification from Amazon that your item listed on Amazon Marketplace has been canceled; for those that use this Amazon service this usually happens when your item listing has expired, and is quite normal.

So, let me see where I end up when I click on the link contained in the e-mail; screenshot below:


Is this Amazon.co.uk? Looks genuine, doesn’t it? Would you sign in via this page, or not?

For the moment, let us assume [quite rightly] that I’m suspicious of this page, let me have a look at the source HTML for the page above; I’m especially interested in the FORM section (the bit that deals with the login credentials; your e-mail address and Amazon.co.uk password). Here’s a screenshot of the related part of the HTML source for that function:

Hmmm…..notice anything odd?

Surely the real Amazon.co.uk doesn’t use a generic mailto CGI script [in this case a PERL script] to handle login routines, does it?

No, of course it doesn’t; the code in the screenshot above sends your now stolen Amazon.co.uk login details to the bad guys and girls via e-mail using the mailto.pl script hosted on http://www-cgi.paonline. It then goes on to send you to the real Amazon.co.uk page, sneaky huh?
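The check described above, reading the FORM section and asking where the credentials actually go, can be automated. The following is an added example, not code from the original post: it parses a constructed look-alike sign-in page (placeholder hostnames, not the real phishing host) and flags any password-bearing form whose action points outside the brand’s own registrable domain, along with the hidden fields a generic form-mailer uses to choose the recipient address and the post-submit redirect.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a sign-in page dressed up as Amazon.co.uk whose FORM posts the
# credentials to a generic form-mailer CGI on an unrelated host (placeholder hostnames).
PHISH_PAGE = """<html><body>
<form method="post" action="http://cgi.thirdparty-host.invalid/cgi-bin/mailto.pl">
  <input type="hidden" name="recipient" value="drop@thirdparty-host.invalid">
  <input type="hidden" name="redirect" value="https://www.amazon.co.uk/">
  <input type="text" name="email">
  <input type="password" name="password">
</form></body></html>"""

# Constructed sample: a sign-in form that posts back to the brand's own domain.
LEGIT_PAGE = """<form method="post" action="https://www.amazon.co.uk/ap/signin">
  <input type="text" name="email"><input type="password" name="password">
</form>"""


class FormCollector(HTMLParser):
    """Record each <form>'s action, its password fields and its hidden fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "passwords": [], "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "").lower()
            if kind == "password":
                self._current["passwords"].append(a.get("name", ""))
            elif kind == "hidden":
                self._current["hidden"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels, three under co.uk-style suffixes); real tooling
    would use the public suffix list, but this is enough for the illustration."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def credential_leaks(page_html, page_url, expected_domain):
    """One finding per password-bearing form whose action resolves to a host outside
    the brand's registrable domain, with the hidden fields that steer a form-mailer."""
    parser = FormCollector()
    parser.feed(page_html)
    findings = []
    for form in parser.forms:
        if not form["passwords"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))  # resolve relative actions
        host = target.hostname or ""
        if registrable_domain(host) != expected_domain:
            findings.append({"action_host": host, "script": target.path,
                             "fields": form["passwords"], "hidden": form["hidden"]})
    return findings
```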

So, this is another phishing scam; in this case they want to steal your Amazon login credentials, so that they can steal any personal details, including any stored credit-card data, or maybe they just want to buy things using your account and have them sent to a drop-box to then be turned into cash. Such as ordering themselves a new MP3 player, phone, some CDs or DVDs or whatever, leaving you to pick up the bill and deal with the resulting mess.

Of course this type of attack is not just limited to Amazon; it would in theory work with any e-commerce site, so be careful out there, especially where you have sites that store your credit-card details, as in most cases this is what the bad guys and girls are after. If they can’t get that then they will just buy things from the site using your stored card data instead.

Yet again, as with other recent examples I’ve blogged about, it shows that phishers are not just interested in getting your bank details; they are just as happy to get e-commerce site credentials, game login credentials (such as WoW) or webmail account details (how many of you store e-mails which contain personal or financial details?), amongst many others. Furthermore, do you use the same password for more than a single site? If you do then you are making it easier for the bad guys and girls to compromise your other accounts wherever they may be.

Walmart Survey Worth $150 US Dollars…

I received an e-mail yesterday asking me to take part in a survey that Walmart were apparently carrying out to gauge customer satisfaction. A screenshot of the e-mail I received appears below:

So, even though I am not and never have been a Walmart customer, let me see where we go if I click on the link provided, as if I were a Walmart customer. This is where I ended up:

Looks like a very typical web based survey, so what happens when I fill in the details and then click on the proceed button at the foot of the survey page? This is where I ended up next:

OK, so they want some more personal details now; they already have my phone number and e-mail address. Now they want my credit card number, its expiry date and… my CVV and ATM PIN… hmmmmm; can anyone smell something ‘phishy’ yet? ;-)

Yes, this is a phishing scam, squarely targeted at Walmart customers who will be fooled into believing that they will receive 150 US Dollars for filling out the survey and supplying their credit card details. In a few days they will get a surprise, but not the pleasant one they were expecting. Instead of having money credited to their account, they will have lost money through bogus purchases. It may even be worse: their account could be cleared out via ATM withdrawals, or even overdrawn, leaving them with a large bill to pay [unless their bank covers phishing scams and related things]. In the worst case scenario the personal details they gave could be used for identity theft so that loans or mortgages could be set up using the stolen details, leaving the victim with the bills and the resulting damage to their credit rating.