“Anonymous asked: have you made $$$ with tumblrtasks(.)com yet?? my bff just raked in 3k last month its crazy”

Visiting the link takes you to an advert landing page linked to an affiliate ID. The banner across the top claims that “You asked for the monetization of your blogs and we listened. While we await the finalization of contracts regarding the placement of ads on your blogs, we invite you to make money in the meantime by following these steps:

1. Fill out the form
2. Pay the $9.95 trial fee
3. Start earning money today”

Click to Enlarge

Of course, adverts on Tumblr are a topical subject at the moment so it’s no wonder that someone would attempt to cash in on this particular angle. As before, it’s just an attempt to make some money from unsuspecting Tumblr users. Ignore the spam, and be mindful of the fact that this one will probably be back in an all new form sooner rather than later…

Christopher Boyd

Steve (not his real name), like many of today’s teens and social networking butterfly, maintains a personal Tumblr account and updates it on a daily basis. One morning, he received a Tumblr notification email in his inbox saying that a fellow user with the handle of machohutcho started following him. He checked out his new follower’s Tumblr page and it looked something like this:

click to enlarge

Upon seeing the latest posts on that tumblelog, Steve immediately blocked it and put up a post for his followers, warning them about that account.

Some of us may not be as intuitive as Steve and proceed to following back machohutcho‘s supposedly new tumblelog. But if we take the time to look closer, hovering the mouse pointer over the wild-atrocisity(dot)tumblr(dot)com URL actually directs users to  bit(dot)ly/x9FANj. Its long URL is 88(dot)80(dot)0(dot)10/gayporn/randum.html, which then redirects to 88(dot)80(dot)0(dot)10/login, a fake login page:

click to enlarge

If you, dear Reader, are also into Tumblr and normally do not log out of your account, do note that the interface used by the scammers behind this fake page is an old one. Tumblr is now using a different login interface—and it is, by default, a secure page.

Filling in the Email address and Password fields then hitting the Log In button results to your credentials being stolen and a PHP code being executed on the server side. I reckon the individual/group behind this phish can change the URL at will, but as of this writing, this code simply directs users to a specific and seemingly legitimate tumblelog every time.

Taking a deeper look at 88(dot)80(dot)0(dot)10 reveals more than its location (Sweden!). AS33837 (PRQ), the autonomous system number (ASN) associated with this IP, is found to be associated with other phishing efforts and several nasty malware. Google has a simple and comprehensive advisory page about this PRQ network that you might want to read here.

  
click to enlarge

Screenshot 1 above may not mean much, but what is depicted in Screenshot 2 might be used a potential lure to users to enter their credentials into the fake login page with the promise of purported clips containing some Tumblr employees displaying lascivious behavior.

Be careful when visiting tumblelogs while surfing within Tumblr. Before clicking links from anyone, make sure that the URL displayed on the page is also the URL reflected at the bottom left-hand side of your Web browser. This is an easy and practical way of knowing where the URL will actually take you.

Also, steer clear of spammy profiles. To keep your Tumblr stream spam/scam free, please take the initiative to block suspicious accounts and, like Steve, tell your friends about them.

Jovi Umawing

Today we’re looking at a fake BBC URL which drops the end-user onto a “work from home and earn $10,000+ a month” fake news site, but not before it’s attempted to load up the PC with malware via a rather nasty collection of exploits. The URL in question is bbcmoneynews(dot)com:

Click to Enlarge

How does this website hate thee? Let me count the ways.

The site contains:

1 ) An encrypted Blackhole exploit kit, which we detect as Exploit.JS.Blacole.cd

2)  A malicious Java applet, which we detect as Trojan.Java.Generic

The Blackhole exploit kit exploits known vulnerabilities to download and execute malicious files, checking for installed applications that may be vulnerable to exploits targeting them (in this case, Flash and Adobe Acrobat).

This sample exploits the following vulnerabilities:

1) CVE-2006-0003 – IE6 COM CreateObject Code Execution is used to download and execute the following:

i. a Zbot trojan, which we detect as Trojan.Win32.Zbot.bxh
ii. Sirefef, which we detect as Trojan.Win32.Generic.pak!cobra
iii. The Fareit Trojan, which we detect as Trojan.Win32.Zbot.bxh

2) It deploys an SWF file which exploits the following vulnerability:

CVE-2011-0611 – Adobe Flash Player Memory Corruption, which we detect as Trojan.SWF.Generic

3) Depending on the version of Adobe Acrobat installed in the system, it deploys the following PDF files:

i. For version 7 and below, 91973.pdf – CVE-2008-2992 – Adobe Reader util.printf – currently detected as Exploit.PDF-JS.Gen (v)
ii. For version 8 and 9, bc2e7.pdf – CVE-2009-0927 – Adobe Reader Collab GetIcon which we detect as Trojan.PDF.Generic

Ouch. And after all of that, you still have the redirect to the spam site to deal with.

Click to Enlarge

There are a number of different work from home URLs you can expect to be sent to and they all have comments closed (right after everybody said the work from home pack worked, which is of course handy for the site owner) while claiming that the “offer ends tomorrow”. This is a rather nasty pack of malware, and it’s quite possible we may see more of these work from home sites dabbling in exploits – not a comforting thought when you can open up any random forum / website and have a halfway decent chance of seeing a “work from home, earn big money” advert.

Stay patched, stay safe and if you really want to work from home then your accountant is a safer bet than the websites listed above.

Christopher Boyd (Thanks to James, Adam and Mark)

Click to Enlarge

Click to Enlarge

You’ll notice the Me Gusta face, a Keep Calm and Carry On poster reference and even some Underpants Gnomes action in the text underneath the image. As before, the plan seems to revolve around affiliate sign-ups. Keep calm and don’t bother.

Christopher Boyd (Thanks to Jovi for finding this one)

Well, i got my account hacked today, lost all my stuff. Whoever did had the nerve to delete my characters also BlackJackieChan, Timecop both on joker server. Both were lost along with the progress and items, and what is G1 gonna do? Nothing. they cant find whos doing it, lots of people have got their stuff stolen only they were lucky to keep there characters.

However, it seems they can “do something”, in the form of investigating – then rumbling – the person behind the account compromise.

Ok, after a little investigation I have got to the bottom of this. Your best friend in APB:R “beef43302″ logged into your account on Wed (16th 5th), he has not logged into any other account bar his own. AKA: Not an account hacker.

He was in your account for ten minutes.

The admin then links to a screenshot of some of the items the “friend” sent to themselves, and continues:

After sending all the items he then deleted all your characters to cover up the paper trail. As you can see that completely erases our logs, making it impossible for us to follow what has happened.

It gets better:

Your friend logs back into his own account to claim his prizes and when you re-appear (with new toons) he consoles you for your loss, offers to give you a little cash and a sweet ride to get you back on your feet. Begs you not to leave APB:R because you are his only friend, it’s brilliant OSCAR nomination inc!

Seeing as this is a relatively unique case we shall let you decide the fate of beef43302.

As you can imagine, Mr Beef is promptly hit with the banhammer – and then, amazingly, turns up in the thread to dig increasingly large “I didn’t do it” holes in the ground from this page onward. Pretty funny, however there is a serious side to this one in the form of account sharing.

So yes, as expected the “hacked” account wasn’t hacked, I suggest you keep confidential account information to yourself in the future, and change your password now. Even though this was entirely your own fault, and you incorrectly accuse us of incompetence, we shall roll your characters back to before the incident.

The “victim” here is lucky, as many instances of videogame account sharing can result in banhammers for everybody – especially when shenanigans have taken place. Keep your logins to yourself and don’t be tempted to share them with your online pals, unless you like taking the express elevator all the way down to “Where did all of my stuff just go?”

Christopher Boyd

Click to Enlarge

The spam message reads as follows: “Lol half of your followers are on tumblrdatinggame(.)com”

Visiting the URL will result in a dating website totally unrelated to the awesome prospect of “Tumblr dating” being served up under a banner that will either make you laugh or fly into a rage depending on your love for all things meme.

Click to Enlarge

Whoever came up with this one urges end-users to “make an account in the area below then activate it via email”, add “tumblrdatinggame” to profiles then “hook up with Tumblr users in your area”. Taking a look behind the scenes, we can see that the “magic” takes place thanks to the following code coming from eliefreviews(dot)com/images/fling/real(dot)php:

Click to Enlarge

You’ll notice an affiliate ID, along with a reference to acotrk(dot)com (which leads to a site “specializing in dating, download and more CPA offers”). As the end-user is taken to an Adult Friend Finder splash page every time the Tumblr Dating Site is opened, it seems likely this is an attempt to make some affiliate cash every time somebody signs up.

Tumblr continues to be an attractive proposition for those wanting to make a little money or just cause some trouble, and you can bet we’ll be seeing more wallet-swelling brainwaves being cooked up in the near future.

Christopher Boyd

Click to Enlarge

I have a bit of a thing for Mass Effect 2, and I especially have a bit of a thing for orange UI on spaceships. Wouldn’t it be awesome if I could combine the two with a custom Rainmeter skin?

Click to Enlarge

My favourite desktop on the Citadel.

Imagine my surprise, then, to find this popping up on deviantART earlier today:

Click to Enlarge

“One of my first skins i’ve done . Mass Effect will always be a great game ! download if you agree !”

A random deviantART user claiming this is their skin (when it clearly isn’t), the comments are disabled meaning nobody can warn of potential shenanigans and the file in the zip is an .exe instead of a Rainmeter file (.rmskin)?

Click to Enlarge

Hello there, walking definition of “How about no“. For reference, a legitimate Rainmeter skin file would look less like a .exe and more like this:

Click to Enlarge

Incidentally, unticking “hide extensions for known file types” in Windows Folder Options would reveal the fake file as a standard .exe, an extention that would be missing if the option were ticked.

A quick scan of deviantART reveals multiple uploads from spammy looking users, most of whom have comments disabled, have uploaded executables and (in some cases) claim to have created a skin when someone else is claiming to be the creator on the exact same page:

Click to Enlarge

Click to Enlarge

Even Chuck Norris is in on the action, with a “full setup” executable that raises a few red flags along with other executable files provided by the uploader.

Click to Enlarge

While you’re trying to tie the above into some sort of Chuck Norris joke, I should point out that some of the recently uploaded files (and there are quite a few pages of them since the spamming apparently started in the last three or four hours) have been removed and currently look like this:

Click to Enlarge

Strangely, while the files are being removed, the accounts are still live which means continued uploads. The rogue accounts aren’t too difficult to spot – they typically have skins identical to other spammy users, have comments disabled and their profiles contain somewhere between 4 and 6 downloads. Everything you can think of is a potential target, from awesome orange tinted videogames (ahem) and Karate guys who were soundly thrashed by Bruce Lee to “Girls of Otaku“, pictures of cute pink hearts and the inside of Iron Man’s helmet.

Click to Enlarge

I guess this means his boosters will cut out and he’ll end up as the flattest member of the Avengers but whatever.

I can’t stress how many pieces of dubious malware are being uploaded right now and fans of Rainmeter should be extremely careful – we’re going through the files and taking a look, but the spamming could go on for a while until deviantART and Rainmeter manage to shut this spamrun down for good (and these spamruns seem to keep rising from the grave). In the meantime:

1) Stick to trusted sources of Rainmeter skins, and pay attention to comments posted at all times.

2) If comments are disabled, steer clear.

3) If the user is new, if they only have a few uploads, if those uploads look like uploads from other new users: continue to steer clear.

4) If you do happen to download a zip, open it up and find an executable instead of a .rmskin….well, insert something about steering clear right here.

I think we can all agree an awesome orange desktop is much better than the one that says “Reformatting”, so think twice before grabbing that hot looking skin or you may end up with problems a few steps above “I can’t get this world clock to show Jakarta” on your to-do list.

Christopher Boyd (Thanks to Jovi Umawing for additional information)

Case in point: Youtube, Spamblogs, dubious crack / keygen sites and even Pinterest are filling up with Diablo spam as fever builds over the somewhat problematic launch issues.

Click to Enlarge

Some of the above links lead to unrelated flash games, spam linkdumps, “online key purchasing” websites, a “donation experiment” where installs of the software offered enters the user into a prize draw giveaway, Youtube videos and even something that claims to be a guide to becoming a top of the line Diablo 3 player:

Click to Enlarge

The video is particularly entertaining, given that the guide creator talks about the game as if he’s been playing it forever – no mean feat considering that A) the launch is today and B) the beta gave “a partial look at the first act on normal difficulty“.

Elsewhere, we have Youtube and Surveys:

Click to Enlarge

Click to Enlarge

Of course, this leads to the usual “sign up to lots of offers and refer friends” deal we’ve seen so much of recently.

Click to Enlarge

Of course, hunting for free downloads on search engines will also potentially result in rocks fall, everybody dies. As issues with simply playing the game threaten to linger, it’s possible scammers out there will ramp up the promise of “free” or “working” versions of the game so please be wary and use common sense where getting your fix of Diablo 3 is concerned.

Or just play Guild Wars.

Christopher Boyd

 
Computer view (click to enlarge)

Smartphone view (click to enlarge)

Such Tweets are equally accessible to computer (desktop, laptop, and tablet) and smartphone users. There is no doubt, however, that smartphone users on Android are particularly targeted by these spam. Let me elaborate.

Once users click either good(dash)graft(dot)tk/swig.ph or POSY(dash)PUSY(dot)TK, they are then directed to the Russian Web page, googleapi17(dot)ru/l(dot)php?l=os&ampr=5519&ampa=29#.

Computer view (click to enlarge)

Smartphone view (click to enlarge)

Users who accessed and used this purported scanner are then given the option to download and install a file, which vary depending on whether the target is a PC or a phone. Computer users will be able to download VirusScanner.jar, smartphone users will be able to download VirusScanner.apk. Outcomes are different, too. On the one hand, the .jar file yields an error when executed. On the other hand, the .apk file, which is actually a rogue AV app, is successfully installed. From the screenshot below, notice that it uses the logo of Kaspersky.

  
click to enlarge

Note that the criminals behind these Twitter spam runs may change the destination of the .tk URLs. As of this writing, it leads to this particular rogue AV variant. GFI VIPRE Mobile Security detects it as Trojan.Android.Generic.a.

This isn’t the first time that we encounter applications for Android purporting to be free virus scanners. As such, we encourage you, dear Reader, to only use legitimate AV scanners for your smartphone, and there are a lot of them available in the market right now. We also implore that you avoid clicking or even visiting sites with the .tk extension being spammed on Twitter or on other social networking sites as majority of the domains there were found to be run by spammers and scammers.

Stay safe!

Related posts:

• Spam Leads to Exploits and Fake AV on Twitter

Jovi Umawing (Thanks to Matthew for finding this)

In the recently released VIPRE® Report, GFI Labs provides samples of threats one may find while on Twitter. Apart from spam, Twitter can also serve links leading to Blackhole exploit kits, and then lead users to a site that house rogue AV software.

“With countless studies being released which point to the regularity with which users are visiting their favorite social networking sites, it should come as no surprise that cybercriminals see these sites as prime targets for their attacks as they look to reach as many people as possible,” Boyd added.

To read more, please visit this page:

• GFI Labs Observes Cybercriminals Targeting Users of Major Social Networking Sites in April

Jovi Umawing