MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 24 February 2009

Discount Coupons from Hell...

We all like a bargain, right?

How many of you out there use coupons to get discounts on things you buy, or plan to buy?

Do you use the paper coupons that you get from flyers, papers, magazines and brochures, or do you use the electronic coupon codes instead?

Whichever you do use, I'm sure that you all love the feeling that you've saved some of your hard-earned money by using them. Of course, the cynics amongst us would say it is just social engineering to get us to buy a particular brand, or even buy something we didn't really plan to buy, or in some cases even need.......So whilst I'm on this topic, I was intrigued when I received the following email yesterday:

Here's a screenshot of one of the emails that I've received:



Oh goody I thought, coupons! ;-)

I clicked on the link and this is where I ended up:



Now that's interesting, how have they managed to show me offers for a town near where I live?

A quick look at the page source shows that they are using GeoIP [geographic resolution of the IP address used to request the page, in other words my router's public IP address].

So, if you are in say Manchester, UK you would be shown ones allegedly tailored for that area, likewise if you are in, say, San Diego, US or Munich, Germany or even Sydney, Australia.

More digging shows that the page is also laced with exploit code, to catch the un-patched and infect their systems [using a hidden IFRAME].

So, what happens when I click on the 'Click Here' icon on the page?

Ah, I get offered an executable file [list.exe], not a PDF or any real coupons at all, but a Windows binary file that I suspect is actually malware, probably a new variant of Waledac. So let's refresh the page and see if anything changes.

Yes, the filename offered changes: after the page reload it became saleslist.exe! More page reloads show that it is using a number of different names in rotation. So, I scanned the files [both of them] and they are identical in size and MD5 hash, which means they are identical internally.
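Two of the checks described above (spotting the hidden IFRAME in the page source, and confirming that the rotating filenames all hide the same binary) are easy to automate. The following is an added example, not code from the original post: it runs a small HTML parser over a constructed page modelled on the post's description (the real page is not reproduced here) and clusters constructed sample downloads by size and MD5 so that rotating names collapse to one entry per distinct file. The hostnames, paths and file contents are all made up for the example.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser

# Constructed landing page, modelled on the post's description (not the real page):
# a visible "Click Here" link that serves an .exe, one ordinary ad IFRAME, and two
# IFRAMEs hidden by the classic tricks (0x0 size, and a display:none container).
SAMPLE_HTML = """
<html><body>
<h1>Coupons for your area</h1>
<a href="/download.php?f=list.exe"><img src="click_here.gif" alt="Click Here"></a>
<iframe src="http://exploit.example/in.cgi" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<div style="display: none"><iframe src="http://exploit.example/b.php" width="1" height="1"></iframe></div>
</body></html>
"""

EXE_RE = re.compile(r"\.(exe|scr|pif|com|bat)\b", re.IGNORECASE)


class LandingPageScanner(HTMLParser):
    """Collects hidden IFRAMEs (tiny or inside a hidden ancestor) and links to executables."""

    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, hidden) for every open element
        self.hidden_iframes = []  # src of IFRAMEs judged hidden
        self.visible_iframes = []
        self.exe_links = []       # hrefs that point at an executable

    @staticmethod
    def _tiny(value):
        # width/height of 0 or 1 px is invisible to the user but still loads
        try:
            return int(str(value).lower().rstrip("px")) <= 1
        except (ValueError, TypeError):
            return False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        own_hidden = "display:none" in style or "visibility:hidden" in style
        inherited = any(h for _, h in self._stack)
        if tag == "iframe":
            tiny = self._tiny(a.get("width")) or self._tiny(a.get("height"))
            bucket = self.hidden_iframes if (own_hidden or inherited or tiny) else self.visible_iframes
            bucket.append(a.get("src", ""))
        if tag == "a" and EXE_RE.search(a.get("href", "")):
            self.exe_links.append(a["href"])
        self._stack.append((tag, own_hidden or inherited))

    def handle_endtag(self, tag):
        # pop back to the matching open tag; unclosed void elements fall out with it
        while self._stack:
            t, _ = self._stack.pop()
            if t == tag:
                break


def scan_page(html):
    """Return the hidden IFRAME sources, visible IFRAME sources and executable links."""
    p = LandingPageScanner()
    p.feed(html)
    p.close()
    return {"hidden_iframes": p.hidden_iframes,
            "visible_iframes": p.visible_iframes,
            "exe_links": p.exe_links}


def cluster_by_content(samples):
    """Group (filename, bytes) pairs by (size, MD5): different names, one binary."""
    groups = defaultdict(list)
    for name, data in samples:
        key = (len(data), hashlib.md5(data).hexdigest())
        groups[key].append(name)
    return dict(groups)


# Constructed stand-ins for the downloads: three rotating names serving the same
# "day one" blob, plus the same names serving a different "day two" blob.
DAY1 = b"MZ" + b"\x90" * 64 + b"constructed-sample-day1"
DAY2 = b"MZ" + b"\x90" * 64 + b"constructed-sample-day2"
SAMPLES = [("list.exe", DAY1), ("saleslist.exe", DAY1), ("coupons.exe", DAY1),
           ("list.exe", DAY2), ("saleslist.exe", DAY2)]

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML))
    for (size, md5), names in cluster_by_content(SAMPLES).items():
        print(size, md5, names)
```

The size-plus-hash key is what the post's manual comparison amounts to; running it daily over fresh downloads shows immediately when a new variant has been seeded even though the offered filenames have not changed.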

At the time of posting this blog entry the detection of the offered files was rather poor, with only 9 out of 32 tested scanners identifying that this is a malicious file. Most of the ones that did detect it were using heuristic or generic detection, which means this is indeed a new variant.

So it seems that once more the bad guys and girls are trying new social engineering techniques to get us to infect our systems and effectively press-gang them into the botnet army they control. These are the same group of cyber-criminals responsible for the Valentine's Day fake e-card development kit that I blogged about recently.

Here are some useful links if you want to know more about Waledac [please bear in mind that the descriptions used may not be valid for this new variant]:


Don't let your guard down just because you think you are getting a good deal, some free coupons, free iPod, laptop, or whatever.......Just remember there is no such thing as a free lunch, someone has to pay for it, either directly or indirectly, don't let it be you...

UPDATE:
As I was finishing off this blog entry, I re-checked the site and found that the files offered still use the same list of names [15 so far], but the file size and MD5 hash value are now different to yesterday's. Seems they are seeding new variants each day.....so, be on your guard!


Monday, 20 October 2008

Walmart Survey Worth $150 US Dollars...

I received an e-mail yesterday asking me to take part in a survey that Walmart were apparently carrying out to gauge customer satisfaction. A screenshot of the e-mail I received appears below:



So, even though I am not and never have been a Walmart customer, let me see where we go if I click on the link provided, as if I were a Walmart customer. This is where I ended up:



Looks like a very typical web based survey, so what happens when I fill in the details and then click on the proceed button at the foot of the survey page? This is where I ended up next:



OK, so they want some more personal details now; they already have my phone number and e-mail address. Now they want my credit card number, its expiry date and.......my CVV and ATM PIN.....hmmmmm; can anyone smell something 'phishy' yet? ;-)

Yes, this is a phishing scam, squarely targeted at Walmart customers who will be fooled into believing that they will receive 150 US Dollars for filling out the survey and supplying their credit card details. In a few days they will get a surprise, but not the pleasant one they were expecting. Instead of having money credited to their account, they will have lost money through bogus purchases. It may even be worse: their account could be cleared out via ATM withdrawals, or even overdrawn, leaving them with a large bill to pay [unless their bank covers phishing scams and related things]. In the worst case scenario the personal details they gave could be used for identity theft, so that loans or mortgages could be set up using the stolen details, leaving the victim with the bills and the resulting damage to their credit rating.
