Spyware Sucks

Ok, that’s funny

sandi — Thu, 25 Apr 2013 02:58:48 GMT

Note, laughing at this does not indicate support for, or approval of, the act of punching a cat in the face (or any animal, or human, for that matter)

Just like the Boston explosion spam…

sandi — Thu, 18 Apr 2013 23:26:39 GMT

Now the lowlifes are focusing on the Texas explosion.

First, the email

Yes there is a video, but there is also something else… – an iframe that loads content from another site…

They try to be tricky, displaying a message on the web page “Unexpected error. Please, try again later”.

But as you can see, there was no error, Status code 200 is a “success” code.

MalwareBytes breaks Windows computers

sandi — Thu, 18 Apr 2013 02:39:49 GMT

Cite: http://blog.malwarebytes.org/news/2013/04/yesterdays-database-update-issue/

Fix advice: http://forums.malwarebytes.org/index.php?showtopic=125138

If I’m reading the advice properly, the “fix” is basically to transfer all files in the Malwarebytes “Quarantine” folder to their original locations. Doesn’t this mean that *real* bad files already in the Quarantine folder could potentially also be restored?

And, here come the Boston bombing spam

sandi — Wed, 17 Apr 2013 05:32:18 GMT

You don’t want to go there…

Screenshot of sample email

Network traffic at URL – there is Youtube content, but that’s not all – check out the other content being pulled from techpourri.com, and the highlighted EXE

Antivirus tests make it clear that something is not right with that exe, which during tests was seen to use an old MSN Butterfly logo – if I recall correctly they stopped using that logo back in late 2009.

So let’s just take a quick look at what the installer does:

(Note: tmp.exe is later deleted)

More info about the java changes

sandi — Wed, 17 Apr 2013 01:10:10 GMT

Cite:
http://blogs.technet.com/b/mmpc/archive/2013/04/16/how-to-protect-your-computer-against-dangerous-java-applets.aspx

Java changes .. worth being aware of

sandi — Wed, 17 Apr 2013 00:48:58 GMT

ISC has a nice write up:

http://isc.sans.edu/diary/Java+7+Update+21+is+available+-+Watch+for+Behaviour+Changes+/15620

Note that the warning screens are not “click thru” (that is, you need to enable a check box before acknowledging the alert). A small, but important, layer of protection.

FTC Approves Final Order Settling Charges Against Software and Rent-to-Own Companies Accused of Computer Spying

sandi — Tue, 16 Apr 2013 00:45:49 GMT

“Following a public comment period, the Federal Trade Commission has approved nine final orders settling charges that seven rent-to-own companies and a software design firm and its two principals spied on consumers using computers that consumers rented from them. The companies used software to take screenshots of confidential and personal information, log customers’ computer keystrokes, and in some cases take webcam pictures of people in their own homes, all without the customers’ knowledge.”

Cite: http://www.ftc.gov/opa/2013/04/designerware.shtm

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC. “The FTC orders today will put an end to their cyber spying.”

“There is no justification for spying on customers. These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Lisa Madigan.”

Cite: http://www.ftc.gov/opa/2012/09/designerware.shtm

“As of August 2011, approximately 1,617 rent-to-own stores in the United States, Canada, and Australia have licensed PC Rental Agent. PC Rental Agent has been installed on approximately 420,000 computers worldwide.”

Cite: http://www.ftc.gov/os/caselist/1123151/designerware/120925designerwarecmpt.pdf

Back in October 2012, a news report revealed that a Geelong business called “Rentasaur” said it will continue to install the software on its users’ computers, despite a crackdown in the US on companies that used it:
http://www.smh.com.au/it-pro/security-it/spyware-installed-on-australian-rental-laptops-20121003-26yfd.html

Umm, what?

sandi — Mon, 08 Apr 2013 09:30:51 GMT

Are you sure about that Trillian???

sandi — Wed, 03 Apr 2013 09:16:42 GMT

Was Trillian even around 43 years ago???

American Express hacked

sandi — Sun, 31 Mar 2013 02:24:19 GMT

Oh dear… Cite: https://twitter.com/dimitribest/status/318164212721545216

And… fake BBC emails

sandi — Thu, 21 Mar 2013 09:40:26 GMT

Fake Facebook emails…

sandi — Thu, 21 Mar 2013 09:26:08 GMT

Fake LinkedIn emails… again…

sandi — Thu, 21 Mar 2013 09:25:30 GMT

Fake CNN email

sandi — Tue, 19 Mar 2013 02:37:10 GMT

As always, hover over a hyperlink and you can see the email is fake.

This email has an interesting behaviour that I do not remember having seen before. Check out what you see if you hover over a Red X that traditionally indicates that a picture has not been downloaded. Just goes to show that blocking the download of “pictures” (historically used to stop email senders from tracking when their emails have been opened) can be a very good thing for other reasons.

Here is the text of the fake message:

“* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:

Click the following to access the sent link:

New pope tries to shake off the past - CNN.com*


Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.

*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here”

Oh, that’s interesting–a multi language fake Western Union email…

sandi — Wed, 13 Mar 2013 09:20:24 GMT

Of course, you don’t want to open that attachment. The text of the message is:

“Dear Agent
Ref. 13 March 2013
Please find enclosed your settlement report for the date indicated above. Please pay the amount due today.
If you have any query, please contact your local Settlement Executive.
Thank you for your co-operation.
Regards
Please do not reply to this unnatended e-mail address
---------------
Cher Agent
Veuillez trouver ci-joint votre rapport de règlement pour la date indiquée ci-dessus. Veuillez nous remettre le montant du aujourdhui.
Si vous avez besoin de renseignements supplémentaires, appelez votre Administrateur local.
Merci de votre co-opération.
Bien à vous
--------------------------------------------
Apreciable Agente,
Ref. 13 March 2013
Sírvase encontrar adjunto su reporte de cierre de la fecha arriba indicada.
Favor de contactar a su representante de cuentas para cualquier pregunta adicional.
Saludos
© 2001-2013 Western Union Holdings, Inc.”

Fake Adobe CS4 License email

sandi — Fri, 08 Mar 2013 04:22:42 GMT

As you can tell by hovering over the hyperlink, the email is obviously fake. The text of the email is:

Welcome,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated

Fake “Bank of America” emails

sandi — Thu, 07 Mar 2013 00:54:42 GMT

As always, if you hover your mouse button over the hyperlinks, it becomes clear that the email is a fake…

Fake “ADP TotalSource Payroll Invoice” spam emails

sandi — Thu, 07 Mar 2013 00:52:18 GMT

You don’t want to open that attachment… really… email text below:

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.

Year:	13
Week No:	08
Payroll No:	1

Please open attached file to view and check following payrol

This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your

MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.

Domain alerts…

sandi — Fri, 01 Mar 2013 10:12:47 GMT

Looks like latimes.com has had some issues in recent days… spotted when taking a look at safe browsing information for ads.zitaholdings.com

And huffingtonpost.com

And nbc.com

And msn.com

Anyway, here’s some domains that has been seen in association with infection / malvertizing incidents in recent times…

Wexistat.com
Created 26 February 2013
ICANN Registrar: Internet.BS Corp
Registrant: Thomas Fine, nikas.fak@yandex.ru

adtmc.com
Created 19 February 2013
ICANN Registrar: INTERNET.BS CORP
Registrant: Private WHOIS

esstat.com
Created 1 February 2013
ICANN Registrar: INTERNET.BS CORP
Registrant: Private WHOIS

cpsstat.com
Created 1 February 2013
ICANN Registrar: INTERNET.BS CORP
Registrant: Private WHOIS

azestat.com
Created 1 February 2013
ICANN Registrar: INTERNET.BS CORP
Registrant: Private WHOIS

icestats.net
Created 30 January 2013
ICANN Registrar: EVOPLUS LTD
Registrant: Private WHOIS

Shares IP with mantrads.net, pertaxmedia.com and repassmedia.com, all of which should be treated with extreme caution.

bleatstats.com
Created 1 February 2013
ICANN Registrar: INTERNET.BS CORP
Registrant:

vw-advert.com (wish I had a screenshot of this one; am wondering if it spoofed the VW car company – probably did)
Created 28 January 2013
ICANN Registrar: EVOPLUS LET
Registrant: Private WHOIS

ic-adserver.com
Created 30 January 2013
ICANN Registrar: EVOPLUS LTD
Registrant: Private WHOIS

mantrads.com
Created 16 January 2013
ICANN Registrar: GODADDY.COM, LLC
Registrant: “Self” (jasenward@gmail.com)

4pinteractive.com
Created 30 January 2013
ICANN Registrar: EVOPLUS LTD
Registrant: Private WHOIS

Shares IP address with drtsc.com, eh4xors.tk, kollyxvid.net and porsche-ads.com (that last one is especially interesting)

porsche-ads.com
Created 15 January 2013
ICANN Registrar: EVOPLUS LTD
Registrant: Private WHOIS

Fake AT&T emails

sandi — Wed, 20 Feb 2013 22:51:31 GMT

As always, you can immediately see that the email is a fake by hovering over hyperlinks.