Beware “Wrong Hotel Charge” Spam Scam

A very malicious spam campaign has been detected and reported by the good folks at M86 Security Labs.  The attack consists of emails appearing to come from reception desk managers at various hotels, targeting Visa users.  The emails exhibit subject lines such as “Hotel Sutton Place made wrong transaction” and “Wrong transaction from your credit card in Four Seasons Resort Scottsdale” and contain a rather long explanation in very bad English, claiming that the hotel has charged your credit card for over $1,000 by mistake.

To summarize, the email generally says, “Please see the attached form.  You need to fill it in and contact your bank for the return of funds,” and offers an attachment named (XXX represents a random three digit number).  The unzipped file is Refund-Form.exe which is outfitted with the icon for an Excel file in order to encourage opening (executing) it.  Once executed, the malware downloads another executable from a Russian domain which is a fake AV application named “Security Protection”.

An HTTP request is sent to, requesting a module called ‘grabbers’ from load.php.  A file called update.dat is retrieved, which is actually an encrypted Windows .dll file.  Once decrypted it acts as a password stealer looking for stored passwords and targeting a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers.

Roughly one day after all of this malicious activity takes place, another HTTP request is sent, retrieving another fake AV called “Personal Shield Pro.”
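The lure above relies on a zip attachment whose only payload is an executable dressed up with a spreadsheet icon.  A mail gateway or help desk can catch that before anyone double-clicks it by looking at what the archive members actually are rather than what their icon or name suggests.  The following is an added example written for this post, not code from M86 or from the campaign; the archive it inspects is constructed in memory (a few bytes beginning with the PE/DOS “MZ” magic stand in for the real Refund-Form.exe), and the file names other than Refund-Form.exe are invented for illustration.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked (assumption: this
# list is a reasonable gateway default, not something the post specifies).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}


def build_sample_zip(include_malicious: bool = True) -> bytes:
    """Constructed sample archive; the 'executables' are a few dummy bytes, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Please see the attached form.")
        if include_malicious:
            # The post's Refund-Form.exe: PE magic 'MZ' followed by a DOS stub-sized filler.
            zf.writestr("Refund-Form.exe", b"MZ" + b"\x90" * 62 + b"constructed fake PE body")
            # A double-extension variant (hypothetical name): looks like a spreadsheet, is a PE file.
            zf.writestr("invoice.xls.exe", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


def triage_zip_attachment(data: bytes) -> list:
    """Return one finding per suspicious member: name, size and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if head == b"MZ":
                # Content check: catches renamed executables even when the extension looks benign.
                reasons.append("PE/DOS magic 'MZ' in content")
            if lower.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension")
            if reasons:
                findings.append({"member": name, "size": info.file_size, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: any flagged member means the whole attachment is held."""
    return bool(triage_zip_attachment(data))


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
```

The content check matters more than the extension check: an attacker picks the name, but a Windows executable still has to start with the “MZ” header to run, so flagging on the bytes survives renaming and icon tricks.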

Facebook Fake AV Malware Again

On the topic of social media and Facebook in particular, a very complex and effective fake Anti-Virus campaign is targeting Facebook users.  Like most of the cruft that targets Facebook users, it starts with contact by a Facebook friend using the social network’s chat feature.  “Hi. How are you? It is you on the video? Want to see?” asks the “friend” offering a link to a YouTube page.  Intrigued, the target follows the link, and sees that the video, with the target’s name in the title, has apparently been commented on both positively and negatively by a bunch of their Facebook friends.

Of course, the target cannot view the video because they appear to be “missing an Adobe Flash Player update”, according to a message written over the blank space where the video is supposed to be displayed.   The file offered for download is Trojan.FakeAV.LVT.   This little miscreant copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware. It then adds a registry key in %SYSTEM% and the malicious code is either added to the list of authorized applications for the software firewall, or it disables the firewall altogether.  Finally it disables all notifications generated by the firewall, the update module, and whatever antivirus it finds installed on the PC, according to BitDefender.
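The two file-system artifacts BitDefender describes are easy to check for on a suspect machine, and a quick check is a sensible first triage step before deciding whether the box needs the bare-metal treatment discussed further down.  The script below is an added example written for this post, not BitDefender’s or the malware author’s code.  It looks only for the two indicators named above (%windir%\services32.exe and an svchost.exe inside a %windir%\update.X directory); the only assumption beyond the post is that a legitimate svchost.exe lives under %windir%\System32, so a copy directly under an update.* directory is out of place.  The demo tree it builds is constructed with empty files so the example runs on any OS.

```python
import os
import tempfile


def find_fakeav_artifacts(windir: str) -> list:
    """Return the paths of the Trojan.FakeAV.LVT drop locations that exist under windir."""
    hits = []
    candidate = os.path.join(windir, "services32.exe")  # first drop location from the post
    if os.path.isfile(candidate):
        hits.append(candidate)
    try:
        entries = os.listdir(windir)
    except OSError:
        return hits
    for entry in entries:
        full = os.path.join(windir, entry)
        # %windir%\update.X where X is the malware version; the directory is hidden,
        # but os.listdir returns hidden entries on Windows, so no special handling is needed.
        if entry.lower().startswith("update.") and os.path.isdir(full):
            svchost = os.path.join(full, "svchost.exe")
            if os.path.isfile(svchost):
                hits.append(svchost)
    return sorted(hits)


def build_demo_windir(infected: bool = True) -> str:
    """Constructed stand-in for %windir% (empty files only); used when not run on a real Windows host."""
    root = tempfile.mkdtemp(prefix="demo_windir_")
    os.makedirs(os.path.join(root, "System32"))
    open(os.path.join(root, "System32", "svchost.exe"), "wb").close()  # legitimate location
    if infected:
        open(os.path.join(root, "services32.exe"), "wb").close()
        os.makedirs(os.path.join(root, "update.3"))  # hypothetical version number 3
        open(os.path.join(root, "update.3", "svchost.exe"), "wb").close()
    return root


if __name__ == "__main__":
    # On a real Windows host WINDIR is set; elsewhere fall back to the constructed tree.
    windir = os.environ.get("WINDIR") or build_demo_windir()
    hits = find_fakeav_artifacts(windir)
    print("suspicious files:" if hits else "no known artifacts found under", *([windir] if not hits else hits))
```

A clean result from this check proves nothing about a machine that has already shown the symptoms; it only tells you whether this particular variant left its known footprint, which is why the recommendation below is still to rebuild.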

This malware makes the effort to detect which legitimate AV solution the user has installed, and displays customized warning messages that mimic what the legitimate solution would present.  So clever, and so deviant.  Someone deserves a beating.  Of course it “scans and finds” a virus on the system, and asks the user to reboot so that it can clean up the mess.  Unfortunately, the reboot triggers the system to boot into safe mode, allowing the malware to uninstall the legitimate AV solution, and then the system is rebooted into normal mode.  The system is now completely vulnerable, and a downloader component launches to quietly download additional malware from an array of URLs.

The malware agent contains a list of IPs of other infected systems which will be used for exchanging malware, creating a fully-fledged malware distribution system with peer-to-peer update capabilities.  These IP lists are updated regularly so infected systems are always in contact, and constantly exchanging malicious code.

Once a system is compromised by such a vicious malware agent, it should never be fully trusted again.  If you are the unlucky recipient of this insidious and devastating attack, my recommendation to you is to back up ONLY your most important data to SACRIFICIAL MEDIA, and to nuke the system to bare metal.  Because your AV was compromised and the malware causes reboots and loadpoints to be activated, there is no telling what the additional payloads may have done.  Assume the worst: rootkits, password captures, and keystroke logging.  Reformat your hard drives, including the Master Boot Records (MBR), and do the same for any removable media that you have used on that system.  Media that can’t be sanitized should simply be destroyed.  Otherwise you are taking chances that malware will still exist on your computer, and be able to load before your Operating System and any defensive software that you install.  That means you might as well not install it at all.

Now you know why I’m not real fond of malware or its authors.  Stay thirsty my friends…

T&T Supermarkets Breached – 58k Records Exposed

CTV is reporting that the website of Canada’s largest Asian supermarket chain has been hacked.  BC-based T&T Supermarket Inc., with three locations in Toronto, has advised the public of “unauthorized and illegal intrusions” on its website in a press release.  The breaches occurred June 6, 7, 11, and from June 14 to 17.  The personal information of up to 58,000 customers in its database may have been compromised, and the personal computers of some customers could have been exposed to malware.

The compromised data includes usernames, passwords, first and last names, ages, genders, email and street addresses, cell and other phone/fax numbers.  Information submitted to T&T by job applicants may also have been accessed.  Those who visited the site between June 6th and 17th to place product orders for in-store pick up or apply for jobs may have been redirected to a non-T&T website hosting Fake A-V, instructing them to click a button on the screen to start a malware scan, which could have activated a malware download.

T&T has 20 stores in British Columbia, Alberta and Ontario.  Loblaw Companies Ltd. bought the chain for $225 million in July 2009.  T&T is urging anyone who receives communications purporting to be from T&T not to provide any personal information under any circumstances.  T&T will be contacting customers that may have been affected, but will NOT request personal data, especially sensitive information like credit card numbers.  The company has temporarily suspended its website, retained security experts to conduct a complete investigation, and expects to improve its information security based on their recommendations.

If you believe that you may have been affected, run a reliable commercial anti-virus product on all of your systems, and change any usernames or passwords for unrelated services or accounts elsewhere. All customers are also encouraged to have a heightened awareness of email, telephone and postal scams where personal information is being requested.  Affected individuals can email or call 1-855-926-2342 for assistance.

-=[BUSTED]=- Two Scareware Rings Taken Down

InformationWeek reports that the FBI has disrupted two scareware (fake anti-virus) crime rings, as part of “Operation Trident Tribunal.”  The FBI obtained warrants to seize 22 PCs and servers located across the United States that were used to support the scammers’ operations.  They also worked with law enforcement agencies in France, Germany, Latvia, Lithuania, Netherlands, Sweden, and the United Kingdom to seize an additional 25 PCs and servers.  It would appear the seizure of several servers hosted by DigitalOne in data center space it leased in Reston, Va. may have impacted some unrelated sites.

The first group bagged at least $72 million over a three-year period by tricking one million people into buying the scareware for up to $129 per copy.  The second criminal operation resulted in the arrest of 2 people in Latvia, each charged with two counts of wire fraud, one count of conspiracy to commit wire fraud, and computer fraud.  The pair were apparently running a “malvertising” scam by creating a phony advertising agency, and purchasing advertising space on the Minneapolis Star Tribune website.  Newspaper staff vetted the digital advertisement before posting it to the site.

The defendants altered the advertisement code to infect website visitors with malware that launched scareware applications on their PCs.  The scareware froze PCs until the user paid to purchase fake AV software.  Those that didn’t pay found that all information, data, and files stored on the computer became inaccessible.  As part of this scam, the two Latvians allegedly netted $2 million.

These scams may sound lucrative, but it is good to hear that arrests are being made.  Watch for an increase in arrests as the FBI and other Law Enforcement Organizations get a handle on the scope and scale of this type of activity and trace it back to the nest.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, Policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized, popping up like mushrooms, where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid and enterprise-encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks?

Beware “MS-Update” Fake AV

Sophos is reporting that Fake AV distributors are ramping up efforts to deploy their malicious wares by closely imitating the Microsoft Update site in a bid to take advantage of the monthly patch cycle.  Be very wary of any alerts that pop up in your web browser.  You should only trust security alerts in your browser if you initiated a check with Microsoft, Adobe, Sophos or any other vendor for updates to their software.

In this particular attack, victims are being told to install the fake updates urgently, with attackers claiming that “This installation is essential for the normal work of your system. Critical update is needed.”  Here is a message enticing users to download the Fake AV and infect their machine, errors and all:

“After the download, this tool is run only once checking your whole system for infection. It removes any infection found, any specific, prevalent malicious programs such as Blaster, Sasser and Mydoom. When an infection is found this tool displays a status report with the next computer start. This tool is necessary for you computer to make your system being protected from hi-jacking and its download is crucial if you value your personal data and your privacy.”

Victims tricked into downloading this Fake AV will end up infecting their computers with a potential array of malicious programs.

Sophos 2011 Security Threat Report

Sophos’ threat experts see 30,000 new malicious URLs each day.

70% of these sites are legitimate websites that have been compromised.

Their 2011 Security Threat Report has been released detailing the battle against malware.

It describes the significant threats of 2010, what to watch for in 2011, and more importantly, what you need to do to get ahead of the threats.

  • One of the more persistent threats of the year was fake anti-virus, also commonly known as “scareware” or “rogueware.”  In this widespread practice, software is introduced into a victim’s computer system, through an interface closely resembling—and in some cases directly impersonating—genuine security solutions.  Criminals are using this ploy to drain bank accounts and completely take over identities.
  • The search engine is our gateway to the web, and crooks are skilled at manipulating search results from the popular engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.  These pages host security risks and browser exploits just waiting to infect users who are directed to these sites.  There’s also the abuse of legitimate search engine optimization (SEO) techniques.  Legitimate SEO techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as “SEO poisoning”.  With SEO poisoning, search engine results are poisoned to drive user traffic to the rogue site.  Google reported that up to 1.3% of their search results are infected.  You’re directed to a bad page through a poisoned search.  Once a victim is lured to the desired webpage, they’re redirected to a rogue or compromised site.  On these sites, criminals infect users’ machines with malware or push fake goods and services while attempting to steal personal information.
  • Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.  Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites.  Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base, with a diverse and steadily growing range of attacks throughout 2010.  One of the more common types of attack hitting Facebook users is “clickjacking.”  These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.  Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.
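Clickjacking only works if the attacker’s page can load your page inside an invisible frame, so the fix belongs to the site being framed, not to the user: tell browsers who may embed you.  Here is an added example written for this post, not code from the Sophos report, showing how to evaluate a response’s headers for the two standard controls (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and how to harden a weak header set.  The header sets in it are constructed; the precedence rule it encodes (frame-ancestors wins over X-Frame-Options when both are present) is browser behaviour, not something from the report.

```python
# Constructed header sets for the demo; a real check would read them from the HTTP response.
WEAK_HEADERS = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
SAFE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}, preserving directive order."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_allowed_by_third_party(headers: dict) -> bool:
    """True when an origin you do not control could frame the page (clickjacking risk)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        # frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
        allowed = {src.strip("'").lower() for src in ancestors}
        # Only 'none' and 'self' keep third parties out; '*', scheme sources or host
        # sources let someone else embed the page.
        return not allowed <= {"none", "self"}
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


def harden_headers(headers: dict) -> dict:
    """Return a copy with both anti-framing controls set to their strictest values."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("x-frame-options", "content-security-policy")}
    existing = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), "")
    csp = parse_csp(existing)
    csp["frame-ancestors"] = ["'none'"]  # keep any other directives, replace only this one
    out["Content-Security-Policy"] = "; ".join(
        name + (" " + " ".join(sources) if sources else "") for name, sources in csp.items())
    out["X-Frame-Options"] = "DENY"  # fallback for older browsers without CSP 2 support
    return out


if __name__ == "__main__":
    print("weak set framable:", framing_allowed_by_third_party(WEAK_HEADERS))
    print("hardened set:", harden_headers(WEAK_HEADERS))
```

If the page legitimately needs to be embedded by your own site, 'self' (or SAMEORIGIN) is the right setting instead of 'none'; listing a specific partner origin in frame-ancestors is acceptable too, and the checker above reports that case as framable because the decision then rests on trusting that partner.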

Other areas that are assessed and reported on are passwords, and spam.  It’s a good report, well worth the read.