Fraudsters and Scammers Kick Off Their Campaigns for the 2014 FIFA World Cup

Contributor: Sean Butler

As it’s the start of a Football World Cup year it’s only natural that we will see many campaigns in relation to this global event. There will be many marketing and promotional campaigns taking advantage of the hype and excitement surrounding this event. Amongst all of the legitimate marketing and promotion emails, you may also receive emails promising anything from free match tickets, to competitions and lottery prizes stating that you have won a car.

Sound too good to be true? Well, you would be right in thinking that!

Fraudsters will be looking to exploit the enthusiasm that comes with the FIFA World Cup, which will be taking place in Brazil this June. The ramifications of you being scammed could be very serious indeed. Not only could you become a victim of fraud by having your bank account emptied by these fraudsters, you could also end up with malware on your computer. This malware could do anything from stealing your personal details by downloading a Trojan, to compromising your computer and making it part of a botnet.

Symantec has already spotted several FIFA World Cup related scam emails. The first scam sample Symantec discovered, relating to the FIFA World Cup, is an email that contains a link to malware.

The email has the following headers:

From: Parabens Voce foi o ganhador de um Par de ingressos atendimento.promo5885631@Domain.com

Subject: Copa do Mundo FIFA 2014

This email header can be translated as:

From: Congratulation you were the winner of a pair of tickets atendimento.promo5885631@Domain.com

From: FIFA World Cup 2014

World Cup 2014 1 edit.png

Figure 1. Malware attack email related to FIFA World Cup

This email can be translated as:

You are the winner of a pair of tickets to the FIFA World cup 2014 Brazil!

Print your e-Ticket copy and collect the ticket from the ticket center in your city

Print Ticket

Check out the address of the ticket center in your city here

The recipient is enticed to click the on the link and print the match tickets. However, the link leads to a malicious URL that downloads the file eTicket.rar, which contains an executable file named eTicket.exe.

World Cup 2014 2 edit.png

Figure 2. Clicking on the link leads to malicious download

Next, a file named thanks.exe (Infostealer.Bancos) is dropped in the following location so that it runs every time Windows starts:

Programs/Startup/thanks.exe

The Trojan will continue to run in the background and try to evade security measures, steal confidential financial information, log the stolen data, and send it to a remote attacker at a later time. We have also discovered that the malware is customized to target Brazilian financial institutions.

Symantec customers would have been protected against this attack because our ‘Link following’ technology, which checks all Web pages referenced within an email for viruses and other threats, correctly identified the malware at the end of the URL. Detection was then created so that future emails containing different links to this malware will be treated as though they are infected and then quarantined.

Another scam involves a fraudulent CIELO Brazil promotion. CIELO is a Brazilian credit and debit card operator.

World Cup 2014 3 edit_0.png

Figure 3. Phishing email related to FIFA World Cup 2014

This email can be translated as:

Congratulations, you have been chosen to take part in the Cielo Cup 2014.

To promote World Cup 2014, you must register to compete for prizes worth 20 thousand Reais,

Tickets, accommodation in exclusive places during the 2014 world cup and you could also win a Fiat Doblo 0 Km. (Sic)

Don’t waste time! PURCHASE Register right now at no extra cost and avail the benefits of our promotion.

Join this Mega Promotion and compete for these Super Prizes.

Click here to unlock your promo code

If the recipient clicks the “Click Here” button, they are redirected to the following URL:

http://cielobrasil2014l.fulba.com/[REMOVED]/BR.FIFA=2,0,1,4/f&ulec0&id/sele,ca.o&id=br/home.html

The webpage asks for a username, date of birth, and a Brazilian tax registration number (CPF).

World Cup 2014 4 edit.png

Figure 4. Spoofed Web page asking for personal credentials

On providing the required information, the user is sent to the page shown in Figure 5, which asks for the user’s banking credentials.

World Cup 2014 5.png

Figure 5. Spoofed Web page asking for banking credentials

On further analysis, we found that the domain conteudo.casavilaverde.com used in the phishing scam had been hacked.

World Cup 2014 6 edit.png

Figure 6. Hacked domain used in phishing scam

Finally, the third example is a Nigerian scam.

World Cup 2014 7.png

Figure 7. Nigerian FIFA World Cup scam email

The email contains an attachment that claims to be about a lotto sponsored by major brands. The scam ultimately asks the recipient for personal information. The email also contains a notice to try and look legitimate, but this looks amateurish in comparison to the other examples referenced in this blog. There are no images or URLs contained within the email and the fact that it only contains an attached Word document would make anyone suspicious.

Symantec’s advanced monitoring systems were able to identify the above scam emails and protect our customers from receiving them.

While the first two example emails are composed in Portuguese and aimed at people in Brazil, they can easily be customized for different regions, countries, and languages. Considering the influence football has across the globe, such spam mail could potentially trick many people.

Global events can be very lucrative for scammers as they have the potential to scam more victims by appealing to peoples’ interest and curiosity. As a consequence, Symantec expects such scams to increase as we get closer to the 2014 World Cup.

Symantec advises users to be on their guard and to adhere to the following security best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Don’t be caught offside when it comes to special offers, especially ones that look too good to be true!

AVAST Privacy IQ quiz: answers

      No Comments on AVAST Privacy IQ quiz: answers

AVAST Privacy IQ Quiz has finished.  Before we will officially announce the winners, please check how you should answer and learn why! Do privacy policies guarantee that your information will be kept private? Correct answer: No A typical privacy policy includes information about the types of data the company collects and how it analyzes, discloses […]

Demystifying Point of Sale Malware and Attacks

POS_concept.jpg

Cybercriminals have an insatiable thirst for credit card data. There are multiple ways to steal this information on-line, but Point of Sales are the most tempting target. An estimated 60% of purchases at retailers’ Point of Sale (POS) are paid for using a credit or debit card. Given that large retailers may process thousands of transactions daily though their POS, it stands to reason that POS terminals have come into the crosshairs of cybercriminals seeking large volumes of credit card data.

There are numerous internet forums openly selling credit and debit card data in various formats. The most common is “CVV2” where the seller provides the credit card number, along with the additional CVV2 security code which is typically on the back of the card. This data is enough to facilitate online purchases. However some sellers also offer the more lucrative “Track 2” data. This is shorthand for the data saved on a card’s magnetic strip. This data is more lucrative as it allows criminals to clone cards, meaning they can be used in brick-and-mortar stores or even ATMs if the PIN is available. The value of the data is reflected in the online sale price and these prices vary widely. CVV2 data is sold for as little as $0.1 to $5 per card while Track 2 data may cost up to $100 per card.

 

Fig1_6.png

Figure. Credit card data for sale on Internet forums

So how do criminals get this data? Skimming is one of the more popular methods. This involves installing additional hardware onto the POS terminal which is then used to read track 2 data from cards. However as it requires physical access to the POS, and expensive additional equipment, it’s difficult for criminals to carry this out on a large scale. To address this problem criminals have turned to software solutions in the form of POS malware. By targeting major retailers with this malware criminals can accrue data for millions of cards in a single campaign.

POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods. Criminals first exploited this security gap in 2005 when a campaign orchestrated by Albert Gonzalez lead to the theft of data for 170 million cards.

Since then a market has grown in the supply and sale of malware, which reads Track 2 data from the memory of the POS terminal. Most POS systems are Windows-based, making it relatively easy to create malware to run on them. This malware is known as memory-scraping malware as it looks in memory for data, which matches the pattern of the Track 2 data. Once it finds this data in memory, which occurs as soon as a card is swiped, it saves it in a file on the POS, which the attacker can later retrieve. The most well-known piece of POS malware is BlackPOS which is sold on cybercrime forums. Symantec detects this malware as Infostealer.Reedum.B.

Armed with POS malware, the next challenge for attackers is to get the malware onto the POS terminals. POS terminals are not typically connected to the Internet but will have some connectivity to the corporate network. Attackers will therefore attempt to infiltrate the corporate network first. They may do this by exploiting weaknesses in external facing systems, such as using an SQL injection on a Web server, or finding a periphery device that still uses the default manufacturer password. Once in the network, they will use various hacking tools to gain access to the network segment hosting the POS systems. After the POS malware is installed, attackers will take steps to make sure their activity goes unnoticed. These steps could include scrubbing log files or tampering with security software, which all ensures that the attack can persist and gather as much data as possible. For an in-depth look at how these attacks work see our whitepaper: Attacks on Point of Sales Systems

Unfortunately, card data theft of this nature is likely to continue in the near term. Stolen card data has a limited shelf-life. Credit card companies are quick to spot anomalous spending patterns, as are observant card owners. This means that criminals need a steady supply of “fresh” card numbers.

The good news is that retailers will learn lessons from these recent attacks and take steps to prevent the re-occurrence of this type of attack. Payment technology will also change. Many US retailers are now expediting the transition to EMV, or “chip and pin” payment technologies. Chip and Pin cards are much more difficult to clone, making them less attractive to attackers. And of course new payment models may take over. Smart-phones may become the new credit cards as mobile, or NFC, payment technology becomes more widely adopted.

There’s no doubt that cybercriminals will respond to these changes. But as retailers adopt newer technologies and security companies continue to monitor the attackers, large-scale POS thefts will become more difficult and certainly less profitable.

For more details on how POS attacks are carried out and how to protect against them, see our whitepaper: Attacks on Point of Sales Systems

NFL ?????????????????? Twitter ??????

      No Comments on NFL ?????????????????? Twitter ??????

先週、デンバーブロンコスとシアトルシーホークスのファンが第 48 回スーパーボウルの予想に関するツイートをしていたところ、Twitter ボットから何度もスパムが送られてくるという被害が相次ぎました。また、ポップスターのマイリー・サイラスのファンも、対象となるキーワードを使った同じスパム活動に狙われました。

シマンテックでは去年の夏、BET アワードや、ジャスティン・ビーバー、ワンダイレクション、リアーナのファンを標的とした同様の活動に関するブログを公開しました。最新の活動でも基本的な手口は同じですが、いくつかの改良が加えられています。

この詐欺ではまず Twitter サービス上にスパムボットを仕込んで、ユーザーがつぶやく特定のキーワードを監視します。キーワードになり得るのは、「スーパーボウル」、「ブロンコス」、「シーホークス」や、個々の選手名(デンバーブロンコスのクォーターバック「ペイトン・マニング」、シアトルシーホークスのコーナーバック「リチャード・シャーマン」など)です。マイリー・サイラスの場合は、彼女のフルネームやファーストネームを挙げただけで、スパムボットから返答を受け取る可能性があります。

この返答は、写真が添付されたツイートで、個人に宛てたメッセージに見せるために対象ユーザーの Twitter ユーザー名が表示されています。

NFL Miley Cyrus 1.png

図 1. NFL やマイリー・サイラスに関する賞品当選を謳った、Twitter スパムボットによる写真付きのリプライ

このようなスパムボットは、リンクをツイートすることも、Twitter プロフィールの自己紹介セクションにリンクを含めることもありません。その代わりに、ユーザーにツイートされた画像内にある URL を手動で入力するよう促します。これは、スパム対策フィルタが詐欺師のアカウントを検知しないようにする巧妙な方法です。

NFL Miley Cyrus 2.png

図 2. ユーザーに Twitter ユーザー名を確認するよう促す詐欺サイト

上図のどちらのサイトも同じテンプレートに従っています。これらのサイトはまず、賞品当選の資格を確認するためにユーザー名のチェックが必要だとして、ユーザーの Twitter ユーザー名を要求します。その後、ユーザーのフルネーム、住所、電子メールアドレス、電話番号などの個人情報を要求します。

NFL Miley Cyrus 3.png

図 3. アンケートに参加してモバイルアプリをダウンロードするようユーザーに促す

ユーザーが先に進もうとすると、架空のスポンサーから、賞品を手に入れるには「特別キャンペーン」を完了しなければならないというメッセージが表示されます。これはアンケートへの誘導であることが一般的ですが、この詐欺はモバイルベースなので、モバイルアプリをインストールするようユーザーに促します。そしてインストールが行われるたびに、アフィリエイトプログラムを通して詐欺師に報酬が入る仕組みになっています。詐欺師たちがこぞってユーザーにスパムを送り付けるのはこのためです。

ここ数年、ソーシャルネットワークサービスの人気上昇に伴い、大勢のユーザーが大きなイベントや有名人について語るようになりました。このような機会はマーケティングにも利用されますが、スパマーや詐欺師の標的にもなりやすいものです。次はどのイベントや有名人が標的になるか、非常に気になるところです。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Oversharers: The NSA Loves Your Openness and the Data You Share via Apps

“It has become second nature to connect various apps like Instagram, SocialCam, Angry Birds, CityVille, and Spotify to your Facebook ID. You just click ‘agree’ without even really knowing what you are agreeing to. What you don’t realize is that social apps linked to your Facebook profile can pretty much track your and your friends’ […]

AVAST polls its U.S. community of users and more than 45,000 come through with their Sunday prediction

It’s cold in New Jersey but football fever is HOT with only two days before the Big Game and showdown between the two championship teams. Who will win? AVAST has joined in the football hysteria by leveraging its vast number of users across the U.S. to help us determine a winner. Denver or Seattle? We […]

How to use avast! Mobile Security: Privacy Advisor

At AVAST we work hard to improve your security and privacy. Mobile malware is increasing. If you aren’t yet convinced that this is an issue, please read the latest blog from the avast! Virus Lab, How are you doing Mr. Android? Nowadays, besides the traditional way to get money – sending premium SMS – the […]

????: ????????????

      No Comments on ????: ????????????
中国では今、新年を迎える準備に沸いています。今年は 1 月 31 日の新月から午年が始まります。世界中で 10 億を超える人々が旧暦の新年を祝うことになり、今年の祝賀行事はこれまで以上に華やかなものになるでしょう。
 
中国の新年は春節とも呼ばれ、この日は感謝祭のように皆が集まり、お祝いの最中にプレゼントの交換が行われます。友人や家族、同僚のほか取引先ともプレゼントを交換して、親愛、敬意、忠義の気持ちを表します。事業主が顧客に贈り物をしたり、お店が日頃の感謝を込めてプレゼントやディスカウントを提供することもよくあります。しか、スパマーもこの慣習を十分すぎるほど熟知しています。
 
スパマーや詐欺師は特別な機会に便乗し、贈り物という素晴らしい習慣を悪用してスパムを送りつけてきます。彼らは友人や事業主の振りをして、プレゼントやディスカウントを謳う電子メールを送り、無防備な人々の気を引こうとします。
 
シマンテックは、有名企業を装って中国の新年を悪用したスパムを確認しています。このスパムメッセージは受信者の博愛心に訴えかけ、愛する人へのプレゼントとして、その企業の商品を勧めています。
 
サンプル
translated.png
図 1. スパムメッセージの件名
 
翻訳
件名: [企業名] から皆様へ、あけましておめでとうございます。
 
 
email_0.png
図 2. 午年にちなんだ中国語のスパムメールのプレビュー
 
翻訳
ご挨拶
 
巳年の終わりも近づき、午年がすぐそこまで来ています。いよいよ新年が始まり、何もかもが新たにスタートを切ります。新年を迎えるにあたり、[商品名] より心からの敬意と感謝を込めて、お客様とご家族にお祝い申し上げます。皆様のご健康とご多幸をお祈りいたします。
 
今後ともご愛顧のほどお願いいたします。皆様にとって素晴らしい新年になりますように!
 
[企業名]
2014 年 1 月
 
このスパムメールの件名には、会社を代表して顧客への挨拶が書かれています。本文には、祝賀の雰囲気を盛り上げるような楽しい画像のプレビューが含まれています。このメッセージを読んだ人が贈り物を買う際に同社の商品を選ぶことを狙って、企業名を記憶させようとしています。
 
シマンテックでは過去にも、中国の新年にちなんだ各種のスパムを確認してきました。中でも最も目立つのが、偽のプレゼントやディスカウントを謳ったスパムです。もう 1 つ重大なスパムに分類されるのが詐欺メールです。たとえば、借金を完済して良い新年を迎えられると思い込ませる、ローンや仕事を案内する偽の電子メールなどが挙げられます。このようなスパムメールはすべて、世界中に広がる中国人社会の強い伝統と価値観につけ込んだものです。
 
中国の新年のお祝いは 1 月 31 日に始まり、元宵節を祝う満月の日まで 15 日間続きます。この元宵節の際にも、同様のスパムが増えるものと予測されます。
 
新年のお祝いは、スパマーがユーザーを標的にする恰好の機会です。スパマーの罠に引っ掛からないためにも、新年にちなんだ迷惑メールは開かないようにしてください。
 
午年が皆様にとって最高の年になりますよう、お祈り申し上げます。
 
 
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Fans de la NFL y Miley Cyrus en Twitter son Blanco de Spam Generado por Robots

Previo al Super Bowl XLVIII los aficionados de los Broncos de Denver y Seattle Seahawks han estado tuiteando sobre el juego y Symantec ha identificado que muchos de ellos han recibido diversos mensajes de spam generados por bots de Twitter. Adicionalmente, los fans de la estrella del pop Miley Cyrus también se han visto envueltos en una campaña de spam muy similar que usa palabras clave específicas.

El verano pasado, publicamos un blog sobre una campaña similar que se centró en los BET Awards y los fans de Justin Bieber, una dirección y Rihanna. La campaña en esta ocasión sigue el mismo modelo pero ahora mejorado.

La estafa comienza con los tuiteros, quienes sin saberlo usan en sus mensajes palabras clave específicas que controlan los robots de spam en el servicio. Las palabras clave pueden ser acerca del Super Bowl, los Broncos , Seahawks , o los jugadores individuales en el equipo , como el quarterback Peyton Manning de los Broncos de Denver o el esquinero Richard Sherman de los Seattle Seahawks. En el caso de Miley Cyrus, las menciones de su nombre completo o su primer nombre por sí solo puede recibir una respuesta de los robots de spam .

Los robots identifican los mensajes y responden con un tuit (mensaje) mencionando al usuario y ofreciendo un supuesto premio o boleto para un sorteo y una imagen.

NFL Miley Cyrus 1.png

Figura 1. Ejemplo de spam de Twitter generado por bots que utilizan fotos adjuntas con supuestos premios relacionados con la NFL o Miley Cyrus

Estos robots de spam no tuitean links o incluyen links en la sección de biografía de sus perfiles de Twitter, en lugar de ello esriben manualmente la dirección URL en los mensajes que envían a los usuarios junto con la imagen. Esta es una medida que han adaptado para asegurar que los filtros antispam no identifiquen o bloqueen sus cuentas.

NFL Miley Cyrus 2.png

Figura 2. Los sitios web fraudulentos solicitan a los usuarios a verificar los nombres de usuario de Twitter

Los sitios Web que se mencionan en las fotos siguen el mismo método y cuando el usuario da clic, en la página de inicio solicitan el nombre de Twitter del usuario alegando que lo necesitan para comprobar su identidad y confirmar la elegibilidad para el premio. Después de eso, el sitio solicita la información personal del usuario, como su nombre completo, domicilio,  correo electrónico y número de teléfono.

NFL Miley Cyrus 3.png

Figura 3. Los usuarios son invitados a participar en una encuesta y les piden descargar aplicaciones móviles.

Antes de que un usuario pueda continuar y obtener el supuesto premio, se les dice que los patrocinadores solicitan que complete una “oferta/encuesta especial” con el fin de tener la oportunidad de ganar el premio. Por lo general, esto conduce a una encuesta, pero ya que esta estafa está basada en móviles, a los usuarios se les pide que instalen una aplicación móvil y así les generan ganancias económicas a los estafadores por cada instalación exitosa a través de programas de afiliados. Esto incentiva a los estafadores de spam a ser más agresivos con los usuarios pues entre más usuarios contacten por medio de mensajes de Twitter, más posibilidades tienen de obtener ganancias.

El aumento de la movilidad y la popularidad de los servicios de redes sociales en los últimos años ha animado a los spammers y estafadores para dirigirse a estos grupos de usuarios aprovechando los comentarios sobre los principales acontecimientos y personajes públicos, de forma similar a como lo hacen los fabricantes o vendedores. La pregunta es, ¿qué evento o figura pública será la próxima que utilicen?

Frente este tipo de estafas Symantec recomienda a los usuarios tener cuidado y evitar dar clic en este tipo de ligas, además de seguir las mejores prácticas de seguridad, incluyendo el uso de software en sus dispositivos móviles.

Twitter Spam Bots Target NFL and Miley Cyrus Fans

This week, fans of the Denver Broncos and Seattle Seahawks have been tweeting in anticipation of Super Bowl XLVIII, but many have been subjected to a torrent of spam from Twitter bots. Fans of pop star Miley Cyrus have also been plagued with an identical spam campaign using targeted keywords.

Last summer, we published a blog about a similar campaign that focused on the BET Awards and fans of Justin Bieber, One Direction, and Rihanna. The latest campaign follows the same blueprint with improvements.

The scam starts with Twitter users tweeting specific keywords which are monitored by spam bots on the service. The keywords could be about the Super Bowl, the Broncos, Seahawks, or individual players on the team, such as Denver Broncos quarterback Peyton Manning or Seattle Seahawks cornerback Richard Sherman. In the case of Miley Cyrus, mentions of her full name or her first name alone may receive a response from spam bots.

The response is a tweet with an attached photo that shows the targeted users’ Twitter handle in an effort to personalize the message.

NFL Miley Cyrus 1.png

Figure 1. Twitter spam bot replies using photo attachments that claim to offer prizes related to the NFL or Miley Cyrus

These spam bots do not tweet links or include links in their Twitter profiles’ biography section. Instead, they rely on users to manually type the URL found in the picture that was tweeted to them. This is an adaptive measure to ensure that antispam filters do not flag their accounts.

NFL Miley Cyrus 2.png

Figure 2. Scam websites ask users to verify Twitter usernames

Both of the sites that were mentioned in the photos follow the same template. The sites first request a user’s Twitter username, claiming that they need to check the username to confirm eligibility. After that, the site requests the user’s personal information, such as their full name, home and email address. and phone number.

NFL Miley Cyrus 3.png

Figure 3. Users asked to participate in a survey and download mobile apps

Before a user can proceed, the supposed sponsors claim that the user needs to complete a “special offer” in order to have a chance to win the prize. Typically, this leads to a survey, but since this scam is mobile-based, users are asked to install a mobile application, earning the scam operators money for each successful installation through affiliate programs. This incentivizes the scammers to aggressively spam users.

The rise in popularity of social networking services over the last few years has encouraged spammers and scammers to target these large pools of users discussing major events and public figures, similar to how marketers do. The question is, which event or public figure will be targeted next?