
Spam on Twitter = Twam?

I’ve no idea how many of you out there in blog-land use Twitter, but I’d guess quite a few of you do?

As a relatively new Twitter user, I’ve not seen much of the problems that Twitter has experienced over the last year, including account hacking, phishing, 419 scams, worms and other malcode problems. One area that seems (at least to me) to have been rather quiet has been spam via Twitter.

Until the last week or so, I’ve never received any. I’d be interested to know how many of you out there in blog-land who use Twitter have seen similar things to what I’m about to discuss.

I don’t think there is a specific name for Twitter spam, so I’ve coined one; Twam.

I’m sure the more creative of you out there can come up with something better?

Let’s have a look at a couple of examples I’ve seen in the last week or so:

1. The Vote For Me Twam
I received the following notification and when I checked out the profile for that user all their tweets were requests to vote for them in some beauty pageant.

As you can see, at the time I was sent this they had a fair few followers and were following (Twamming) lots of other Twitter users. When I checked this particular account again this morning, it was still active and still only begging you to vote for her, at 60p per text no less! The number of followers now stands at 343 and she is following (Twamming) 1,986 other Twitter users.

2. The Porn Advertising Twam
I received the following notification just this morning and when I checked out the profile for that user they only have one tweet, with a link to a porn site! So they seem to be using Twitter to advertise their porn site.

Shortly after receiving the above notification, I received another using the same name, but from a different Twitter account. Their feed was exactly the same as the first one I received just 30 minutes earlier.

When I just checked both of these accounts (before publishing this) that were advertising a porn website they have now been closed by Twitter.

Needless to say I have blocked these Twitter accounts, as I don’t want to see what they offer and I don’t want to give them any credibility by being seen as being followed by them.

I wonder if this is the start of a major spam (twam) attack on this social networking site? I wouldn’t be surprised, as this fate has already befallen Facebook, MySpace and many other similar sites.

For those of you who are interested in following me on Twitter (no not you spammers/twammers) you can easily find me via my name or my Twitter account which is talkytoaster.

If you spot anything interesting feel free to send me a Tweet or a Direct message.

Take care and happy Tweeting.

FREE GALA BINGO E-MAIL LOTTERY PROMO

The 419 scammers have decided to use Gala, a UK bingo and online gaming company, as their latest brand to impersonate; they do this to try and get you to swallow their scam as real.

Here are a couple of screenshots showing one copy of the emails I’ve seen so far today:

The use of a “trusted” brand name is to try and make it more believable, so that you will be willing to actually contact them to try and get the alleged winnings.

However, you’ll end up being put on a “suckers list”, receiving even more of these scams, even via the postal service and over the phone too. Not only that, you will also be asked to pay some administrative or legal fees to release the money to you… there is no money; you haven’t won anything except the chance to be less gullible in the future.

If you want to find out more about these scams and how they work you can find other postings on the subject on this blog, and also on my published papers and articles page here: http://momusings.com/papers

If you get an email claiming that you’ve won something in a competition you never entered be very skeptical. If you want to know if it is real or not then please feel free to contact me.

Gala do appear to have a lottery game, but it is online at their website; they don’t do an e-mail lottery at all… you have been warned ;-)

Discount Coupons from Hell…

We all like a bargain, right?

How many of you out there use coupons to get discounts on things you buy, or plan to buy?

Do you use the paper coupons that you get from flyers, papers, magazines and brochures, or do you use the electronic coupon codes instead?

Whichever you do use, I’m sure that you all love the feeling that you’ve saved some of your hard-earned money by using them. Of course the cynics amongst us would say it is just social engineering to get us to buy a particular brand, or even buy something we didn’t really plan to buy, or in some cases even need… So, whilst I’m on this topic, I was intrigued when I received the following email yesterday:

Here’s a screenshot of one of the emails that I’ve received:

Oh goody I thought, coupons! ;-)

I clicked on the link and this is where I ended up:

Now that’s interesting, how have they managed to show me offers for a town near where I live?

A quick look at the page source shows that they are using GeoIP [geographic resolution of the IP address used to request the page, in other words my router’s public IP address].

So, if you are in say Manchester, UK you would be shown ones allegedly tailored for that area, likewise if you are in, say, San Diego, US or Munich, Germany or even Sydney, Australia.

More digging shows that the page is also laced with exploit code, to catch the unpatched and infect their systems [using a hidden IFRAME].
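A hidden IFRAME is easy to miss by eye in a busy page source, so here is a small checker for the pattern described above. This is an added example, not code from the original post; the sample HTML, the function name find_hidden_iframes and hosts such as coupons.example and evil.example are constructed placeholders.

```python
"""Flag IFRAMEs in a page's HTML source that a visitor would never see.

Added example, not code from the original post.  The HTML below is
constructed for illustration; hosts such as coupons.example and
evil.example are placeholders, not the real sites from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that keep an element invisible while it still
# loads (and runs) whatever its src points at.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px"      # pushed far off-screen
    r"|(?:width|height)\s*:\s*0(?:px)?\b",
    re.IGNORECASE,
)


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1 (e.g. '0', '0px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower() if page_host else None
        self.findings = []          # one dict per hidden IFRAME, in page order

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":         # HTMLParser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if "hidden" in a:
            reasons.append("hidden-attr")
        if not reasons:
            return                  # a normal, visible frame
        src = a.get("src", "")
        host = urlparse(src).hostname
        if self.page_host and host and host.lower() != self.page_host:
            reasons.append("third-party:" + host.lower())
        self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host=None):
    """Return a list of {'src', 'reasons'} for each hidden IFRAME in html.

    page_host, if given, adds a 'third-party:<host>' reason when a hidden
    frame pulls content from a different host than the page itself, which
    is worth noting when triaging where the framed content really lives.
    """
    parser = _HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one visible ad frame and three hidden frames.
SAMPLE_HTML = """
<html><body>
<h1>Discount coupons for your area</h1>
<iframe src="http://coupons.example/ads" width="300" height="250"></iframe>
<iframe src="http://evil.example/x.php" width="0" height="0"></iframe>
<iframe src="http://evil.example/y.php" style="display:none"></iframe>
<iframe src="/local.html" style="position:absolute; left:-1000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, page_host="coupons.example"):
        print(f["src"], ", ".join(f["reasons"]))
```

Run it against a saved copy of a suspicious page rather than a live fetch; the checker only reads the source and never follows the frame's src.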

So, what happens when I click on the ‘Click Here‘ icon on the page?

Ah, I get offered an executable file [list.exe], not a PDF or any real coupons at all, a Windows binary that I suspect is actually malware, probably a new variant of Waledac. So let’s refresh the page and see if anything changes?

Yes, the filename offered changes; after the page reload it became saleslist.exe! More page reloads show that it is using a number of different names in rotation. So, I scanned the files [both of them] and they are identical in size and MD5 hash, which means they are identical internally.

At the time of posting this blog entry the detection of the offered files was rather poor, with only 9 out of 32 tested scanners identifying that this is a malicious file. Most of the ones that did detect it were using heuristic or generic detection, which means this is indeed a new variant.

So it seems that once more the bad guys and girls are trying new social engineering techniques to try and get us to infect our systems and effectively press-gang them into the botnet army they control. These are the same group of cyber-criminals responsible for the Valentine’s Day fake e-card development kit that I blogged about recently.

Here are some useful links if you want to know more about Waledac [please bear in mind that the descriptions used may not be valid for this new variant]:

Don’t let your guard down just because you think you are getting a good deal, some free coupons, free iPod, laptop, or whatever…….Just remember there is no such thing as a free lunch, someone has to pay for it, either directly or indirectly, don’t let it be you…

UPDATE:
As I was finishing off this blog entry, I re-checked the site, and found that the files offered still use the same list of names [15 so far], but the file size and MD5 hash value are now different to yesterday’s. Seems they are seeding new variants each day… so, be on your guard!
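The post above makes two observations worth automating when collecting samples from a site like this: several rotating file names handing out byte-identical files, and the same file names handing out new content the next day. The following is an added example, not code from the original post; the byte strings, file names and days are constructed stand-ins, and the function names triage and fingerprint are my own.

```python
"""Sort downloads offered under rotating file names by what they contain.

Added example, not code from the original post.  The byte strings are
constructed stand-ins for the real executables; sample names and days are
illustrative.  MD5 is used because that is what the post compares; for
anything beyond quick de-duplication, record SHA-256 as well.
"""
import hashlib
from collections import defaultdict


def fingerprint(data):
    """(size, md5) of the file body: the same pair here means the same bytes."""
    return (len(data), hashlib.md5(data).hexdigest())


def triage(samples):
    """samples: iterable of (day, filename, bytes).

    Returns a dict with
      'variants': {fingerprint: {'names': set, 'days': set}}
      'aliases' : fingerprints offered under more than one file name
      'reused'  : file names that mapped to more than one fingerprint,
                  i.e. the same name handing out new content on a later day
    """
    variants = defaultdict(lambda: {"names": set(), "days": set()})
    names_to_fp = defaultdict(set)
    for day, name, data in samples:
        fp = fingerprint(data)
        variants[fp]["names"].add(name)
        variants[fp]["days"].add(day)
        names_to_fp[name].add(fp)
    aliases = {fp for fp, v in variants.items() if len(v["names"]) > 1}
    reused = {n for n, fps in names_to_fp.items() if len(fps) > 1}
    return {"variants": dict(variants), "aliases": aliases, "reused": reused}


# Constructed observations: day 1 rotates two names over one file;
# day 2 reuses an old name for a different (new) file.
VARIANT_A = b"MZ" + b"\x90" * 40 + b"constructed-variant-A"
VARIANT_B = b"MZ" + b"\x90" * 40 + b"constructed-variant-B-with-extra"
OBSERVED = [
    ("day1", "list.exe", VARIANT_A),
    ("day1", "saleslist.exe", VARIANT_A),
    ("day2", "list.exe", VARIANT_B),
]

if __name__ == "__main__":
    t = triage(OBSERVED)
    for fp, v in t["variants"].items():
        print(fp, sorted(v["names"]), sorted(v["days"]))
    print("aliases:", t["aliases"])
    print("names reused for new content:", t["reused"])
```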

Another Valentine’s Day…

…Another Chance to Get Infected!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentine’s Day on Saturday?

It seems that the bad guys and girls are back playing cupid and couldn’t resist the opportunity to try and get you to infect your computer, yet again using the guise of a Valentine’s e-card. The latest wave of these started yesterday:

Here’s a screenshot of one of the emails that I’ve received:

If you are foolish enough to click on the link in the email, you’ll end up on a page that looks like the one below, at least for now it does:

Very nice of them to offer you a tool to make your own Valentine’s Day greetings? Of course, in reality it is just an infected file used to recruit your PC into the botnet army of the author of this malcode.

When I first started to see these Valentine’s Day e-mails, late last week [a test run maybe?], the landing page looked like this instead:

However you spend the day, whatever you do for the ‘love-of-your-life‘, don’t become part of the collateral damage of the annual ‘Valentine’s Day [Malware] Massacre‘.

If I see anymore ‘bogus’ Valentine’s Day e-mails, I’ll try and post details here when I can. Also, if you see any that I haven’t yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered files [at least two distinct unique files (MD5 hash value)] was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore, the download is offered under different file names, although the actual file is internally identical in many cases, as mentioned above.

If I get any further useful data or news then I’ll try and post it here.

Oh, and don’t forget the risk of getting an infection isn’t just for Valentine’s Day, it is for every day of the year, so don’t let your guard down… stay safe!

McDonald’s Survey

I’d like to start this post with an apology [yes, again] as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won’t be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here’s a new one I’ve not seen before, the following e-mail arrived in my ‘Phish‘ inbox late last night [screenshot below]:

That’s nice if I answer just seven questions in a simple survey I will get £25…..I smell a phish, so what do we see when I click on the link?

Hmmmmm…..looks pretty good, quite believable wouldn’t you say?

So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the survey and then click on submit. This is where I’m taken to next:

Aha…..Just as I suspected, this is a phish, as it wants personal data and my credit card data, including the CVV so that the promised £25 can be credited to my card, yeah right. So, let me enter in some more bogus data and click on the Submit button again.

I particularly like the misuse of the MasterCard SecureCode, VeriSign and Verified by Visa logos, just trying to make you feel secure, how reassuring, eh?

The final page [shown above] informs me that my data has been entered correctly [yeah right!] and that I should see my £25 credit payment on my credit card within 3-5 business days. More like my credit card will be misused or sold on to others to misuse within 3-5 business days! Oh, and then I get taken to the real McDonald’s UK website, nice ;-)

So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I’ve seen one targeting McDonald’s in the UK.

So, if you are a McDonald’s customer, or think that you’d like £25 for free, be on your guard, as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details….

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!

Financial In-Fidelity, Yours For 72.5 Million US Dollars!

Here’s an offer I received via e-mail that seems to be the answer to most people’s prayers: a large pile of money just for helping someone move some money. Of course in reality it isn’t as simple as that, but I’m getting ahead of myself.

Here’s a screenshot of the e-mail in full:

It says it was sent by Tim McCarron of Fidelity Investments here in the UK. He is a fund manager for them. It seems that Tim, allegedly, has acquired over 145 Million US Dollars from his employers without their knowledge. Moreover he wants my help to move the funds, and for my trouble he will give me 50 percent; very generous. That is over 72.5 Million US Dollars…..tempting, isn’t it? ;-)

All he wants from me are some personal details, some proof of identity, such as a copy of my drivers licence or passport, and a bank account number to use for the transaction.

To prove that he really exists, Tim has even included a link to some details about himself and his performance which is available on the Fidelity Investments website. How thoughtful!

Here’s a screenshot of the webpage in the first link:

See, there’s Tim’s name and various other details about him and the funds he manages. Yes, this is the real Fidelity Investments website.

Let’s look in to this in more detail.

OK, the email reply address seems odd, it is timmacarron@superposta.com (seems Tim can’t even spell his surname correctly) but the From: address header in the email tells me his email address is tmcarron@ymail.com……hmmm, I’m confused. I know he is trying to cover his tracks, but why use two free webmail addresses?

So, what does this tell me?

Well for one this email is not from the real Tim McCarron, or from anyone at Fidelity Investments. Furthermore, there is NO MONEY; sorry to disappoint you.

If it was real, then the person responsible would have committed fraud; as they have stolen money from their employers and potentially customers too. Furthermore, if you took part in this, if it was real, you would also be committing fraud as well as money laundering….lucky there is no money then, eh? ;-)

Yes, this is yet another 419 scam [aka the Nigerian scam, also known as Advance-Fee Fraud]. If you were foolish enough to reply to the email you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called “suckers list” and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such a tempting offer, remember the old adage “if something seems too good to be true, it probably is… too good to be true”. Also, think very carefully before you click on any links or contact anyone mentioned in these emails: at the very least you could end up on a phishing site, you could lose some of your money, or worse, as there have been cases of beatings and even murders linked to these scams.

Oh, and just in case you were wondering, the links in the email were included by the scammer to try and give extra credence to their outlandish financial proposal.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Oh yes, and the personal details you supply them will almost certainly be used for identity theft and/or in another 419 scam, using your personal details and proofs to attempt to make it more believable.

Yahoo Calendar Invites Trouble…

Well, I received a rather interesting invite sent to me via the Yahoo! Calendar service. Have a look at it [screenshot below], what do you think?


Hands up all those that are tempted to respond to this?

OK

Now, hands up all those that are NOT tempted to respond to this?

Hmmm….

So, before I cover this in more detail, let me see what happens when I click on the RSVP to this invitation text, which is a hyperlink. This is where we end up [screenshot below]

This is the real Yahoo! Calendar website, so it isn’t a phishing scam, is it? Is it real, does someone really want to give me a cheque for 1.5 Million US Dollars, or is it some other form of scam?

OK, time to tell you what is going on here, and what the e-mail is all about, and why the sender used Yahoo! Calendar to send it.

The email really was sent via the Yahoo! Calendar service, and clicking on the link contained in the e-mail really does take you to the genuine Yahoo! Calendar site and a real Yahoo! Calendar invite. But why?

The answer to the why is that this gave the e-mail sender a better chance of getting the email, seen in the first screenshot, to the intended recipients; yes, I said recipients, not recipient. Did you notice the “90 undecided” text in the website screenshot? Yes, this invite was sent to 90 intended recipients, not just me. Does this mean that this was sent by someone with over 135 Million US Dollars to give away?

Of course not, this is just a new twist on the old 419 scam [aka the Nigerian scam, also known as Advance-Fee Fraud]. The sender just used the Yahoo! Calendar service to try and increase the chances of his invite [the scam text in the invite] getting past any anti-spam defences that the intended recipients might have in place.

There is no money [sorry!], there never was; if you were foolish enough to contact Mr Luke Yayi, you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called “suckers list” and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such an invite, not only from a calendar service but from any online service, such as news groups, blogs, social-networking sites, feedback forms, mailing lists and so on, think very carefully before you click on any links or contact anyone mentioned in the invite or e-mail body: at the very least you could end up on a phishing site, at worst you could lose money, or worse, as there have been cases of beatings and even murders linked to these scams.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Right, I need to put together another presentation for yet another conference, this time I’m covering penetration testing and ethical hacking.

Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-) ] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don’t mind, but I was actually looking forward to having a more relaxed conference than I usually do, but that’s life!

This posting is a quick review of the conference:

Day 1 – Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by the Keynote address “The AV industry: Quo Vadis?” presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, as well as what the good guys [and girls] are up to.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting, a presentation by Morton Swimmer [who used to work for IBM] entitled:

  • Towards integrated malware defence

It was a good presentation, however as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two-stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream.

The first two presentations after lunch were:

  • Your computer is now stoned (…again!). The rise of MBR rootkit – Kimmo Kasslin, F-Secure
  • When the hammer falls – effects of successful widespread disinfection on malware development and direction – Matt McCormack, Microsoft

The presentation given by Kimmo was especially interesting as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes, there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Applying user-mode memory scanning on Windows NT – Eric Uday Kumar, Authentium
  • Packer visualisation: a fast entropy scanning algorithm that preserves local detail – Li Sun, RMIT University

I decided to sit in on the vendor presentation after the day’s main proceedings; this was given by my good friend David Harley, from ESET.

Later we had the “Welcome drinks reception” which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of ice hockey players, for those that wanted pictures, as well as a bit of fun from Ken Bechtel, whose hat did the rounds; photos were taken of those that ended up wearing it, including me. If you’ve ever met Ken, you’ll know which hat I mean, as he is rarely seen without it.

Day 2 – Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-) "], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector, it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn’t now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

  • The robustness of new email identification standards – Reza Rajabiun, COMDOM Software and York University
  • Coordinated distributions method for tracking botnets sending out spam – Andrey Bakhmutov, Kaspersky Lab
  • Malware forensics: detecting the unknown – Martin Overton, IBM ISS

The presentation given by Andrey was extremely good, some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes “it was like teaching my grandmother how to suck eggs“. In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the world’s best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we’d seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact one of the guys who was running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

  • VB testing – present status, future plans, John Hawes, Virus Bulletin
  • Race to zero with online scanners, Boris Lau, Sophos
  • There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
  • Apple iPhone programming with SDK, Marius van Oers, McAfee

This year these short technical presentations worked rather well, although it was hard for some of the presenters to keep to the 20 minute slot limit; yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

  • The NorTel Mailer: effective open-source spam filtering for enterprises – Chris Lewis, Nortel
  • SCADA security – who is really in control of our control systems? – Peter Allor, IBM


Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

  • The state of anti-malware testing


Later we had the “pre-dinner drinks and the Gala dinner and entertainment”.

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say “we have travelled 3,500 miles for a pub quiz!“. Personally, I enjoyed it, it just needed to be shorter.


Day 3 – Friday 3rd October 2008

The final day of the conference had arrived, I’m still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Understanding and teaching bots and botnets – Randy Abrams, ESET

This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats using robot vacuum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

  • Automatic rules-based binary analysis with IDA Pro and CLIPS – Ryan Hicks, AVG
  • Rebuilding testing for the future – Igor Muttik
  • Samples.malware.org: sample sharing for the next decade? – Richard Ford, Florida Institute of Technology

All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional “Speakers Photo”. As usual, much hilarity was had by all. However, I think I can honestly say that this year’s photo was the quickest ever, as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream. These were the presentations I sat in on:

  • Where do your users want to go today and can you stop them? – Bruce Hughes, AVG
  • The name of the dose: does malware naming still matter? – Pierre-Marc Bureau and David Harley, ESET

Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I’d sit in on the last one on the Technical Stream again. This was:

  • Darwin inside the machines: malware evolution and the consequences for computer security – Peter Ször, Symantec, and Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science

This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion on:

  • Security in banking forum

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some ‘comic’ ones. This year it seemed to be another case of “I’m Spartacus”, as a lot of people seemed to be wearing Ken Bechtel’s hat, including me, and no it wasn’t him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that’s another VB conference covered, I’m already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit….any suggestions?

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world’s best malware researchers. This can be pretty daunting! This will be my 11th Virus Bulletin Conference since the very first I attended and presented at back in 1996.

However, I’ve now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I’m needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you reading this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don’t bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I’ll post a review as soon as I can.

American Airlines Survey

I’d like to start this post with an apology as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won’t be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here’s a new one I’ve not seen before, the following e-mail arrived in my ‘Phish‘ inbox late last night [screenshot below]:

That’s nice if I answer five questions in a simple survey I will get $50…..I smell a phish, so what do we see when I click on the link?

So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the AAdvantage number and password, and then click on go. This is where I’m taken to next:

As you can see, I’m now asked for my Bonus Code and the rest of the page is the alleged survey. So, I’ll fill this in, again using bogus data. Interestingly the Bonus Code is the same in all the copies I’ve received, to multiple e-mail honeypot addresses too. So, now all the data has been entered, let me click on the continue button and see where we go next.

Aha…..Just as I suspected, this is a phish, as it not only asks for personal details, it also wants credit card data, including the CVV and an ATM PIN number too. So, let me enter in some more bogus data and click on the continue button again.

The final page shown informs me that my data has been entered correctly [yeah right!] and that I should see my bonus of $50 on my credit card within 72 hours. More like my credit card will be misused or sold on to others to misuse within 72 hours!

For those of you who like the detail behind the web-page, here is a screenshot of the first page, showing that the actual page is being rendered from two other sites. You may also notice that this phishing site is hosted on Yahoo servers.

Here is a screenshot showing part of the whois record for the phishy domain being used as a front for this scam.

So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I’ve seen one targeting an airline; in fact I’d go as far as saying that this may be a ‘Spear Phishing’ attempt, as it seems to have been sent to a small number of people and in far smaller numbers than the more traditional bank phish I see day in and day out.

So, if you are an American Airlines customer be on your guard as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details….

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!