New Year, New Apartment, Same Old Scams

      No Comments on New Year, New Apartment, Same Old Scams

The New Year has started and many people are still holding to their resolutions. Besides the usual suspects of exercising more and quitting smoking, some might have planned on finding a new apartment. Unfortunately, this also means a rise in prepaid rental ad scams. So be cautious while you’re searching for a new home.

The prepaid rental scam advertisements can be encountered on nearly any platform and in most countries. The ads often look very professional; some are even copies of real ads from legitimate sources. We have seen them on established apartment rental sites, online notice boards, B&B agency sites, and even in the classified ads section of newspapers. The website owners try their best to spot false advertisements and delete them as fast as possible, but there is always a chance that there is a new ad that hasn’t been removed yet.

The scam is pretty simple. Once the victim shows interest in the apartment the alleged landlord informs the victim that he is currently traveling and will not be able to show the apartment in person, but will send the keys after a security deposit has been made. This is a classical advance payment scam. The money is often requested through services other than regular bank wire transfers. After the victim sends the money, the scammer disappears with the deposit and is never heard from again. The key to the apartment is never sent, and the apartment may never have actually existed. Although some scammers made the effort of sending a real key that didn’t work on the apartment to the victim. The attacker may do this to buy some time to erase his tracks until the victim realizes the key does not work on the apartment.  

Some scammers also use the false pretense of a background check to gather personal information or passport photos of the victim, which can then be used to steal the victim’s identity.

Similar scams can happen in the other direction as well, often with rentals for vacation apartments. In those cases, the scammer pretends to be an interested renter instead of the landlord. Once all the details have been agreed on, the scammer will ask for the bank details in order to proceed with the wire transfer. The trick is that the scammer will transfer more money than the agreed sum to the landlord. This money does not come from the scammer’s bank account, but is instead stolen from an online banking account that has been hijacked by a financial Trojan. After the transfer has been credited, the landlord is contacted and asked to send the excess money back to the now allegedly traveling scammer through other means. A few days later, the landlord will be informed by the bank that the money was stolen and he will have to pay it back, since he served as a money mule.

So no matter if you are renting or leasing, you should always be vigilant and try to follow a few rules even if it can be difficult to verify the details.

  • Don’t pay any money in advance if you haven’t seen the apartment or met your contact.
  • If you can’t see the apartment or meet your contact, use a trusted escrow service.
  • Be cautious when sending money to a different address or through unusual financial services.
  • Do not rush the transaction or feel pressured. If the other party is too eager to sell, something might be wrong.
  • Money from a false transaction should only be sent back to the original account that it came from.
  • Search online for the email address or the advertisement text. Others may have already reported it as a scam.

New Year, New Apartment, Same Old Scams

      No Comments on New Year, New Apartment, Same Old Scams

The New Year has started and many people are still holding to their resolutions. Besides the usual suspects of exercising more and quitting smoking, some might have planned on finding a new apartment. Unfortunately, this also means a rise in prepaid rental ad scams. So be cautious while you’re searching for a new home.

The prepaid rental scam advertisements can be encountered on nearly any platform and in most countries. The ads often look very professional; some are even copies of real ads from legitimate sources. We have seen them on established apartment rental sites, online notice boards, B&B agency sites, and even in the classified ads section of newspapers. The website owners try their best to spot false advertisements and delete them as fast as possible, but there is always a chance that there is a new ad that hasn’t been removed yet.

The scam is pretty simple. Once the victim shows interest in the apartment the alleged landlord informs the victim that he is currently traveling and will not be able to show the apartment in person, but will send the keys after a security deposit has been made. This is a classical advance payment scam. The money is often requested through services other than regular bank wire transfers. After the victim sends the money, the scammer disappears with the deposit and is never heard from again. The key to the apartment is never sent, and the apartment may never have actually existed. Although some scammers made the effort of sending a real key that didn’t work on the apartment to the victim. The attacker may do this to buy some time to erase his tracks until the victim realizes the key does not work on the apartment.  

Some scammers also use the false pretense of a background check to gather personal information or passport photos of the victim, which can then be used to steal the victim’s identity.

Similar scams can happen in the other direction as well, often with rentals for vacation apartments. In those cases, the scammer pretends to be an interested renter instead of the landlord. Once all the details have been agreed on, the scammer will ask for the bank details in order to proceed with the wire transfer. The trick is that the scammer will transfer more money than the agreed sum to the landlord. This money does not come from the scammer’s bank account, but is instead stolen from an online banking account that has been hijacked by a financial Trojan. After the transfer has been credited, the landlord is contacted and asked to send the excess money back to the now allegedly traveling scammer through other means. A few days later, the landlord will be informed by the bank that the money was stolen and he will have to pay it back, since he served as a money mule.

So no matter if you are renting or leasing, you should always be vigilant and try to follow a few rules even if it can be difficult to verify the details.

  • Don’t pay any money in advance if you haven’t seen the apartment or met your contact.
  • If you can’t see the apartment or meet your contact, use a trusted escrow service.
  • Be cautious when sending money to a different address or through unusual financial services.
  • Do not rush the transaction or feel pressured. If the other party is too eager to sell, something might be wrong.
  • Money from a false transaction should only be sent back to the original account that it came from.
  • Search online for the email address or the advertisement text. Others may have already reported it as a scam.

Fake Browser Update Site Installs Malware

      No Comments on Fake Browser Update Site Installs Malware

In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http://newyear[REMOVED]fix.com, was registered on December 30, 2013. Based on our research, 94 percent of  attacks appear to be targeting users based in the United Kingdom through  advertising networks and free movie streaming and media sites.

The attackers attempt to trick victims using the following techniques:

  • A URL containing the words “new year” and “fix”
  • A professional looking template (from Google, Microsoft or Mozilla) telling the victim that a critical update is necessary for their system to function properly
  • Redirecting the user, based on their browser type, to a fake but convincing Chrome, Firefox, or Internet Explorer Web page.
  • Using a JavaScript loop to force the victim to give up and stay on site – users have to click on the “Yes/No” option 100 times in order to close the browser.

This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down.

The website, which is hosted in the Ukraine, uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect.

The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates, shown in Figures 1 to 3, based on the type of browser they are using.

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4. JavaScript loop button which requires 100 clicks to close

At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe.

Both of these samples are detected by Symantec as Trojan.Shylock. Symantec also has the following IPS coverage in place for this attack:

Web Attack: Fake Software Update Website

To stay protected against this type of threat, Symantec recommends that users:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Exercise caution when clicking on enticing links sent through emails, messaging services, or on social networks.
  • Only download files from trusted and legitimate sources.

Fake Browser Update Site Installs Malware

      No Comments on Fake Browser Update Site Installs Malware

In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http://newyear[REMOVED]fix.com, was registered on December 30, 2013. Based on our research, 94 percent of  attacks appear to be targeting users based in the United Kingdom through  advertising networks and free movie streaming and media sites.

The attackers attempt to trick victims using the following techniques:

  • A URL containing the words “new year” and “fix”
  • A professional looking template (from Google, Microsoft or Mozilla) telling the victim that a critical update is necessary for their system to function properly
  • Redirecting the user, based on their browser type, to a fake but convincing Chrome, Firefox, or Internet Explorer Web page.
  • Using a JavaScript loop to force the victim to give up and stay on site – users have to click on the “Yes/No” option 100 times in order to close the browser.

This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down.

The website, which is hosted in the Ukraine, uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect.

The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates, shown in Figures 1 to 3, based on the type of browser they are using.

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4. JavaScript loop button which requires 100 clicks to close

At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe.

Both of these samples are detected by Symantec as Trojan.Shylock. Symantec also has the following IPS coverage in place for this attack:

Web Attack: Fake Software Update Website

To stay protected against this type of threat, Symantec recommends that users:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Exercise caution when clicking on enticing links sent through emails, messaging services, or on social networks.
  • Only download files from trusted and legitimate sources.

Comparison of Adware in Windows and OS X: Linkular and Genieo

      No Comments on Comparison of Adware in Windows and OS X: Linkular and Genieo

By definition, Adware is a program bundle which renders advertisements in order to generate revenue for its author. In a more strict sense, e.g. for security solutions, it means an application/installer whose nature lies somewhere between a potentially unwanted application and proper malware, like Trojans or Spyware. It might use more or less aggressive methods, […]

Mobile malware a real threat in 2014

      No Comments on Mobile malware a real threat in 2014

Security industry experts from around the world must have been looking in the same crystal ball to make their predictions for the new year, because everyone agreed that mobile exploits and malware would drive growth for the industry in 2014. Mobile attacks will include malicious software that steals data from legitimate apps, spyware, ransomware and […]

AVAST response to open letter from Bits of Freedom

      No Comments on AVAST response to open letter from Bits of Freedom

Recently an open letter from Bits of Freedom, a group comprised of 24 digital rights organizations and academics, including the Electronic Frontier Foundation (EFF) in the US and Netzpolitik.org in Germany, was sent to security software vendors. AVAST did not receive the letter “officially,” although our company was listed among the vendors. The purpose of […]

AVAST (teddy) has conquered Brazil!

      No Comments on AVAST (teddy) has conquered Brazil!

Brazil is the only Portuguese speaking country in both South and Latin America. It is also fifth biggest country in the world, according to its geographical size and in terms of population. Brazilians represent a fascinating ethnic and cultural fusion, influenced by indigenous, European, African, and Asian cultures. With the upcoming World Cup in 2014 […]

Smartphones need protection in the Middle East and Africa

      No Comments on Smartphones need protection in the Middle East and Africa

The mobile landscape in the Middle East and North African (MENA) regions are changing at a phenomenal speed. Nearly 526 million people in the region will have a mobile handset this year with only the Asia-Pacific region having more mobile users – both significantly more than in North America or Western Europe. Smartphones are the […]

avast! Free Antivirus is the most popular download of 2013

      No Comments on avast! Free Antivirus is the most popular download of 2013

During the launch of avast! 2014 in October, CEO Vincent Steckler told a group of international journalists, “On all the download sites around the world, this year, through the end of September, we have 143 million downloads. That’s the most downloaded product – period.” After a few more months, the highest profile download site, CNET’s […]