Archive for November, 2006

e-Gold Phish

November 16, 2006

We have received some emails with a notification about unusual activity on our account, telling us that we need to verify our identity. Of course, a convenient link is provided to check our credentials. If we check where the link really points, we can see the difference:

REAL LINK: https://www.e-gold.com/acct/login.html -> 209.200.169.10 -> Melbourne, FL (USA)

FAKE LINK: https://www.e-gold.com/acct/login.html -> xxx.xxx.xxx.xxx -> South Korea


Of course, once you follow the link you land on a fake e-Gold login page, which looks very much like the real one. After typing in your personal data you are redirected to the real e-Gold site, so that you do not notice what has happened.
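As an added example in the spirit of the comparison above (not code from the original post), a small Python check that parses an HTML mail body and flags anchors whose visible text is a URL on one host while the href actually points to another. The mail body and the 203.0.113.7 address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body in the style of the e-Gold phish:
# the visible link text is the genuine login URL, but the href goes elsewhere.
SAMPLE_EMAIL = """
<p>Unusual activity was detected on your account. Please verify your identity:</p>
<a href="http://203.0.113.7/acct/login.html">https://www.e-gold.com/acct/login.html</a>
<p>Or visit <a href="https://www.e-gold.com/help.html">our help page</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").lower()

def find_deceptive_links(html):
    """Return (visible_text, href) pairs for anchors whose visible text is itself
    a URL whose host differs from the host the href really points to."""
    parser = _LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        if text.lower().startswith(("http://", "https://")):
            if _host(text) and _host(text) != _host(href):
                deceptive.append((text, href))
    return deceptive
```

Run find_deceptive_links() over the body of a suspicious mail; on the sample it reports the e-gold URL shown as the real address but pointing at the placeholder IP.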

So, be careful!

Greetings from Orlando (II)

November 16, 2006

Loads of interesting cases, ideas, etc. are going on over here. The APWG meeting is over and tomorrow the e-Crime Researchers Summit will start. We are looking forward to seeing what the academics have to say about phishing and all the malware related to it.

Spam as a financial tool (IV)

November 15, 2006

We keep receiving new samples of yesterday's stock scam.

This new wave acknowledges a slight drop in the price, but assures readers that this is about to change and that the stock will yield a 300% return today.


Unfortunately, today is the 15th and the latest price is $1. We did see a lot of movement on Monday and Tuesday, though.

You can follow the ups and downs at this link:

http://finance.yahoo.com/q/bc?s=WEXE.PK&t=5d

Have a nice day!

Greetings from Orlando

November 15, 2006

This week the Anti-Phishing Working Group (APWG) is holding a general meeting along with the e-Crime Researchers Summit. I have presented a paper giving an overview of phishing in Spain, which has received good feedback. Some more papers have been presented, providing very interesting data and particular cases. The best thing about this event is the wide variety of representatives meeting here: corporate, academic, law enforcement, etc., all willing to cooperate in fighting phishing and phishing-related malware. If you want to know how things go during the week, stay tuned.

Spam as a financial tool (III)

November 14, 2006

Today we have come across a new wave of stocks-related spam.

The goal, as usual, is to convince users to buy stock in a company, in this particular case "West Excelsior Enterprise Inc.".

The attack consists of a huge amount of spam sent in a short time. To increase the success rate, they are using lots of messages with slight differences to evade spam filters. Some of these changes include different text bodies, background colors, subjects or sender fields. The message also includes an animated GIF instead of a static image.


We have checked the stock price, and it has risen more than 50% since the attack started on Friday. It is possible that the author bought the stock at low prices during the previous days in order to sell it to unsuspecting users who see the price rising and feel confident that it is a good deal.

I am afraid that we are going to get used to attacks of this type.

We will keep you informed.

Trojan subscription

November 14, 2006

Yesterday we came across a new variant of an old family, which has been visiting us on a monthly basis since February 2006.

The Briz family currently consists of 17 different variants, distributed as follows:
– February: A.
– March: B, C.
– April: D, E, F, G, H. We suppose this was a mini-battle, with the developers trying to push out new variants and us trying to detect them. In the end we won this one, but the war still continued…
– May: I.
– June: J, K, L.
– July: M.
– August: N, O.
– September: Nothing. Maybe they decided to take a break, perhaps some holidays?…
– October: R.
– November: S.

So it seems that this is not going to stop, probably because it is in fact working well for their owners.

Although it is not very widespread, we have found variants still active all around the globe:
– Japan.
– The Netherlands.
– Spain.
– USA.
– China.
– Taiwan.
– Brazil.

It seems to be quite persistent, as some variants first detected in April are still active at the moment.

OK, but what does it really do? You can find all the information following this link:

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=137177

Bye bye

A different kind of Spam

November 9, 2006

We have come across a spam message claiming to warn of a wave of attacks against Spanish banks that would take place today (November 9th).


However, the link does not take you to the site it promises (what a surprise!!). As can be seen at the bottom of the image, it leads to a page covering economic and political subjects. The page itself seems to be harmless; it is just another way of attracting visitors.

Regarding the message, apart from the remarkably awful Spanish it is written in, we would like to thank the sender(s) for the kind warning. If it weren't for it, I could have had all my bank operations compromised…

Spamta/Stration/Warezov strike back

November 7, 2006

The creator(s) of these codes (whichever name suits you best) seem to be rather bored again. At least that is the impression we get from the latest wave of over 20 different samples seen in the last few hours. As on previous occasions, they seem to have been spammed out, but their own activity does not seem too intense so far. We will "stay tuned"…

Phantom file formats

November 6, 2006

One of the many tricks employed by hackers in order to entice users into running malware voluntarily is to change the icon of a malicious executable file, so that it passes itself off as a text file, a JPG picture, or… a Word document.

But this is the first time we have seen the following technique.

The show starts with an EXE file called document.exe, which has the same icon as a Word document. However, if you open it in a hexadecimal editor and inspect its contents, its true nature is clear. The MZ string at the start identifies it as an executable file:

Once it is executed, Word opens and displays some gibberish characters. At the same time, however, the executable is carrying out its pernicious actions and installing a DLL in the Windows system directory.

But… watch closely, because here comes the tricky part. Once the so-called Word document has been opened, its extension changes to DOC. If we run the hexadecimal editor once again, we are shown the following screen:

Magic!

We also have a video showing the complete process. Keep an eye on the Word icon on the Desktop, you’ll see how both the extension and the icon itself change.

By the way, we currently detect this file as Bck/PcClient.DS.
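As an added example that is not from the original post, a Python check that classifies files by their leading bytes rather than by name or icon, and that spots the swap described above when two listings of the same directory are compared. It flags the related double-extension and mismatched-extension cases; document.exe on its own passes the byte check, because the spoofed icon lives in the PE resource section, which this snippet does not parse. The file names and byte contents are constructed samples, not bytes from the real sample.

```python
import os

# Magic numbers: every Windows PE executable starts with "MZ"; a Word .doc file
# is an OLE2 compound document, which starts with D0 CF 11 E0 A1 B1 1A E1.
MAGIC = {b"MZ": "pe-executable",
         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-document"}
DOCUMENT_EXTS = {".doc", ".rtf", ".txt", ".jpg", ".pdf"}

def classify(data):
    """File type implied by the leading bytes, ignoring name and icon."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_file(name, data):
    """Reasons a file should be treated as a disguised executable."""
    reasons = []
    root, ext = os.path.splitext(name.lower())
    if classify(data) == "pe-executable":
        if ext in DOCUMENT_EXTS:
            reasons.append("executable bytes behind a document extension")
        if os.path.splitext(root)[1] in DOCUMENT_EXTS:
            reasons.append("double extension hides the .exe")
    return reasons

def self_replacements(before, after):
    """Executables that vanished between two listings and now exist only as a
    document with the same stem: the document.exe -> document.doc swap."""
    swapped = []
    for name, data in before.items():
        root = os.path.splitext(name)[0]
        if classify(data) != "pe-executable" or name in after:
            continue
        for new_name, new_data in after.items():
            if (os.path.splitext(new_name)[0] == root
                    and classify(new_data) == "ole2-document"):
                swapped.append((name, new_name))
    return swapped

# Constructed directory snapshots: a padded PE stub, a double-extension file,
# and the OLE2 header of the .doc that appears once the trojan has run.
BEFORE = {"document.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
          "invoice.doc.exe": b"MZ" + b"\x00" * 30}
AFTER = {"document.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
         "invoice.doc.exe": BEFORE["invoice.doc.exe"]}
```

Comparing BEFORE and AFTER with self_replacements() reports the document.exe to document.doc swap, while check_file() catches invoice.doc.exe by its double extension.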