Spyware Sucks

Catching up on some worrisome domains

sandi — Sat, 15 Jun 2013 02:27:13 GMT

Malvertizing hasn’t gone away – it’s just not in the press as often… keep an eye out for these latest domains, and please treat with extreme caution.

fxpromocode.com

turiserv.com (sharing IP with findsovil.com, humeserv.com, orgitom.com, petohost.com, tovohost.com, vodistat.com)

doxastat.com (previously at 94.242.221.30, shared IP with turiserv.com etc)

flemboyant.com (Registrar: Center of Ukranian Internet Names)

thebestofferyou.com

ezmovetucson.com

Fake Squirrel Mail emails

sandi — Thu, 23 May 2013 23:18:53 GMT

Text of email:

“Dear E-Mail User
Due to the package compromise of 1.4.11,1.4.12 and 1.4.13, we are forced to release 1.4.15 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.
So upgrade to Squirrel Mail Development Team by click Squirrel Mail Login SquirrelMail 1.4.15 Released
We STRONGLY advise all users of 1.4.11, 1.4.12 and 1.4.13 upgrade immediately.”

The page, when I looked at it anyway, didn’t contain any exploits. It's a simple email address/password harvest (of course very valuable to spammers). Of course, you should still stay away from the page. It’s behavior could change at any moment (or even change depending on your IP address, or browser used, or time of date or who knows what…)

Ok, that’s funny

sandi — Thu, 25 Apr 2013 02:58:48 GMT

Note, laughing at this does not indicate support for, or approval of, the act of punching a cat in the face (or any animal, or human, for that matter)

Just like the Boston explosion spam…

sandi — Thu, 18 Apr 2013 23:26:39 GMT

Now the lowlifes are focusing on the Texas explosion.

First, the email

Yes there is a video, but there is also something else… – an iframe that loads content from another site…

They try to be tricky, displaying a message on the web page “Unexpected error. Please, try again later”.

But as you can see, there was no error, Status code 200 is a “success” code.

MalwareBytes breaks Windows computers

sandi — Thu, 18 Apr 2013 02:39:49 GMT

Cite: http://blog.malwarebytes.org/news/2013/04/yesterdays-database-update-issue/

Fix advice: http://forums.malwarebytes.org/index.php?showtopic=125138

If I’m reading the advice properly, the “fix” is basically to transfer all files in the Malwarebytes “Quarantine” folder to their original locations. Doesn’t this mean that *real* bad files already in the Quarantine folder could potentially also be restored?

And, here come the Boston bombing spam

sandi — Wed, 17 Apr 2013 05:32:18 GMT

You don’t want to go there…

Screenshot of sample email

Network traffic at URL – there is Youtube content, but that’s not all – check out the other content being pulled from techpourri.com, and the highlighted EXE

Antivirus tests make it clear that something is not right with that exe, which during tests was seen to use an old MSN Butterfly logo – if I recall correctly they stopped using that logo back in late 2009.

So let’s just take a quick look at what the installer does:

(Note: tmp.exe is later deleted)

More info about the java changes

sandi — Wed, 17 Apr 2013 01:10:10 GMT

Cite:
http://blogs.technet.com/b/mmpc/archive/2013/04/16/how-to-protect-your-computer-against-dangerous-java-applets.aspx

Java changes .. worth being aware of

sandi — Wed, 17 Apr 2013 00:48:58 GMT

ISC has a nice write up:

http://isc.sans.edu/diary/Java+7+Update+21+is+available+-+Watch+for+Behaviour+Changes+/15620

Note that the warning screens are not “click thru” (that is, you need to enable a check box before acknowledging the alert). A small, but important, layer of protection.

FTC Approves Final Order Settling Charges Against Software and Rent-to-Own Companies Accused of Computer Spying

sandi — Tue, 16 Apr 2013 00:45:49 GMT

“Following a public comment period, the Federal Trade Commission has approved nine final orders settling charges that seven rent-to-own companies and a software design firm and its two principals spied on consumers using computers that consumers rented from them. The companies used software to take screenshots of confidential and personal information, log customers’ computer keystrokes, and in some cases take webcam pictures of people in their own homes, all without the customers’ knowledge.”

Cite: http://www.ftc.gov/opa/2013/04/designerware.shtm

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC. “The FTC orders today will put an end to their cyber spying.”

“There is no justification for spying on customers. These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Lisa Madigan.”

Cite: http://www.ftc.gov/opa/2012/09/designerware.shtm

“As of August 2011, approximately 1,617 rent-to-own stores in the United States, Canada, and Australia have licensed PC Rental Agent. PC Rental Agent has been installed on approximately 420,000 computers worldwide.”

Cite: http://www.ftc.gov/os/caselist/1123151/designerware/120925designerwarecmpt.pdf

Back in October 2012, a news report revealed that a Geelong business called “Rentasaur” said it will continue to install the software on its users’ computers, despite a crackdown in the US on companies that used it:
http://www.smh.com.au/it-pro/security-it/spyware-installed-on-australian-rental-laptops-20121003-26yfd.html

Umm, what?

sandi — Mon, 08 Apr 2013 09:30:51 GMT

Are you sure about that Trillian???

sandi — Wed, 03 Apr 2013 09:16:42 GMT

Was Trillian even around 43 years ago???

American Express hacked

sandi — Sun, 31 Mar 2013 02:24:19 GMT

Oh dear… Cite: https://twitter.com/dimitribest/status/318164212721545216

And… fake BBC emails

sandi — Thu, 21 Mar 2013 09:40:26 GMT

Fake Facebook emails…

sandi — Thu, 21 Mar 2013 09:26:08 GMT

Fake LinkedIn emails… again…

sandi — Thu, 21 Mar 2013 09:25:30 GMT

Fake CNN email

sandi — Tue, 19 Mar 2013 02:37:10 GMT

As always, hover over a hyperlink and you can see the email is fake.

This email has an interesting behaviour that I do not remember having seen before. Check out what you see if you hover over a Red X that traditionally indicates that a picture has not been downloaded. Just goes to show that blocking the download of “pictures” (historically used to stop email senders from tracking when their emails have been opened) can be a very good thing for other reasons.

Here is the text of the fake message:

“* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:

Click the following to access the sent link:

New pope tries to shake off the past - CNN.com*


Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.

*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here”

Oh, that’s interesting–a multi language fake Western Union email…

sandi — Wed, 13 Mar 2013 09:20:24 GMT

Of course, you don’t want to open that attachment. The text of the message is:

“Dear Agent
Ref. 13 March 2013
Please find enclosed your settlement report for the date indicated above. Please pay the amount due today.
If you have any query, please contact your local Settlement Executive.
Thank you for your co-operation.
Regards
Please do not reply to this unnatended e-mail address
---------------
Cher Agent
Veuillez trouver ci-joint votre rapport de règlement pour la date indiquée ci-dessus. Veuillez nous remettre le montant du aujourdhui.
Si vous avez besoin de renseignements supplémentaires, appelez votre Administrateur local.
Merci de votre co-opération.
Bien à vous
--------------------------------------------
Apreciable Agente,
Ref. 13 March 2013
Sírvase encontrar adjunto su reporte de cierre de la fecha arriba indicada.
Favor de contactar a su representante de cuentas para cualquier pregunta adicional.
Saludos
© 2001-2013 Western Union Holdings, Inc.”

Fake Adobe CS4 License email

sandi — Fri, 08 Mar 2013 04:22:42 GMT

As you can tell by hovering over the hyperlink, the email is obviously fake. The text of the email is:

Welcome,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated

Fake “Bank of America” emails

sandi — Thu, 07 Mar 2013 00:54:42 GMT

As always, if you hover your mouse button over the hyperlinks, it becomes clear that the email is a fake…

Fake “ADP TotalSource Payroll Invoice” spam emails

sandi — Thu, 07 Mar 2013 00:52:18 GMT

You don’t want to open that attachment… really… email text below:

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.

Year:	13
Week No:	08
Payroll No:	1

Please open attached file to view and check following payrol

This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your

MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.