Author Archives: Hacker Medic

Fake Browser Update Site Installs Malware (Japanese edition)

In the first week of 2014, Symantec observed a website that uses a classic social engineering technique to coerce victims into installing malware. The domain is http://newyear[REMOVED]fix.com, registered on December 30, 2013. According to Symantec's research, 94% of the attacks appear to target users in the United Kingdom, and the attacks are delivered through advertising networks and free video streaming and media sites.

The attackers try to deceive victims using the following tricks:

  • The URL contains words such as "new year" and "fix".
  • A plausible-looking template (from Google, Microsoft, Mozilla, etc.) explains that an urgent update is required for the system to work properly.
  • Depending on the browser type, the user is redirected to a Chrome, Firefox, or Internet Explorer web page. The redirect destination is a fake site, but it looks just like the real thing.
  • A JavaScript loop is used to make the victim give up and stay on the site. To close the browser, the [Yes/No] option has to be clicked 100 times.

This kind of social engineering attack is distinctive but not new. It plays on users' anxiety about having to install urgent updates. Although the domain was only registered at the end of last year, the holiday season was already coming to an end by then, so the attacker appears to have come up with this scheme at the very last minute.

The website is hosted in Ukraine and uses a dual hybrid web server set up with Apache and Nginx. Of the two, it is Nginx that identifies the victim's browser and performs the redirect.

Users are shown a Google Chrome, Mozilla Firefox, or Microsoft Internet Explorer template based on the browser they are using (Figures 1 to 3).

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4. Button driven by a JavaScript loop; it cannot be closed without 100 clicks

At the time of writing, the Internet Explorer version of the web page no longer works. The Chrome download page serves Chromeupdate.exe, and the Firefox download page serves Firefoxupdate.exe.

Symantec detects both samples as Trojan.Shylock. Symantec provides the following IPS signature for this attack:

Web Attack: Gongda Exploit Kit Website

To protect against this type of threat, Symantec recommends the following:

  • Keep antivirus definitions, operating systems, and software up to date.
  • Do not carelessly click links sent by email, messaging services, or social networks, however enticing they may be.
  • Download files only from trusted, legitimate sources.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

New Year, New Apartment, Same Old Scams


The New Year has started and many people are still holding to their resolutions. Besides the usual suspects of exercising more and quitting smoking, some might have planned on finding a new apartment. Unfortunately, this also means a rise in prepaid rental ad scams. So be cautious while you’re searching for a new home.

The prepaid rental scam advertisements can be encountered on nearly any platform and in most countries. The ads often look very professional; some are even copies of real ads from legitimate sources. We have seen them on established apartment rental sites, online notice boards, B&B agency sites, and even in the classified ads section of newspapers. The website owners try their best to spot false advertisements and delete them as fast as possible, but there is always a chance that there is a new ad that hasn’t been removed yet.

The scam is pretty simple. Once the victim shows interest in the apartment, the alleged landlord informs the victim that he is currently traveling and will not be able to show the apartment in person, but will send the keys after a security deposit has been made. This is a classical advance payment scam. The money is often requested through services other than regular bank wire transfers. After the victim sends the money, the scammer disappears with the deposit and is never heard from again. The key to the apartment is never sent, and the apartment may never have existed. Some scammers, however, have gone to the effort of sending the victim a real key that does not fit the apartment. The attacker may do this to buy time to erase his tracks before the victim realizes the key does not work.

Some scammers also use the false pretense of a background check to gather personal information or passport photos of the victim, which can then be used to steal the victim’s identity.

Similar scams can happen in the other direction as well, often with rentals for vacation apartments. In those cases, the scammer pretends to be an interested renter instead of the landlord. Once all the details have been agreed on, the scammer will ask for the bank details in order to proceed with the wire transfer. The trick is that the scammer will transfer more money than the agreed sum to the landlord. This money does not come from the scammer’s bank account, but is instead stolen from an online banking account that has been hijacked by a financial Trojan. After the transfer has been credited, the landlord is contacted and asked to send the excess money back to the now allegedly traveling scammer through other means. A few days later, the landlord will be informed by the bank that the money was stolen and he will have to pay it back, since he served as a money mule.

So no matter if you are renting or leasing, you should always be vigilant and try to follow a few rules even if it can be difficult to verify the details.

  • Don’t pay any money in advance if you haven’t seen the apartment or met your contact.
  • If you can’t see the apartment or meet your contact, use a trusted escrow service.
  • Be cautious when sending money to a different address or through unusual financial services.
  • Do not rush the transaction or feel pressured. If the other party is too eager to sell, something might be wrong.
  • Money from a false transaction should only be sent back to the original account that it came from.
  • Search online for the email address or the advertisement text. Others may have already reported it as a scam.

Fake Browser Update Site Installs Malware

In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http://newyear[REMOVED]fix.com was registered on December 30, 2013. Based on our research, 94 percent of attacks appear to be targeting users based in the United Kingdom through advertising networks and free movie streaming and media sites.

The attackers attempt to trick victims using the following techniques:

  • A URL containing the words “new year” and “fix”
  • A professional looking template (from Google, Microsoft or Mozilla) telling the victim that a critical update is necessary for their system to function properly
  • Redirecting the user, based on their browser type, to a fake but convincing Chrome, Firefox, or Internet Explorer Web page.
  • Using a JavaScript loop to force the victim to give up and stay on site – users have to click on the “Yes/No” option 100 times in order to close the browser.

This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down.

The website, which is hosted in the Ukraine, uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect.

The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates, shown in Figures 1 to 3, based on the type of browser they are using.

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4. JavaScript loop button which requires 100 clicks to close

At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe.

Both of these samples are detected by Symantec as Trojan.Shylock. Symantec also has the following IPS coverage in place for this attack:

Web Attack: Fake Software Update Website

To stay protected against this type of threat, Symantec recommends that users:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Exercise caution when clicking on enticing links sent through emails, messaging services, or on social networks.
  • Only download files from trusted and legitimate sources.
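As an added example (not Symantec's code or anything from the post), the following Python flags the three observable signs the post describes when run over constructed proxy log lines: a host containing the lure words, a download of Chromeupdate.exe or Firefoxupdate.exe, and a redirect whose target changes with the browser family, which is the behaviour attributed to Nginx above. The log line layout and the User-Agent strings are assumptions; the domain is kept redacted exactly as the post gives it.

```python
# Added example (not Symantec's code): flag, in constructed proxy log lines,
# the three signs the post describes. Assumed line layout:
# client host method path status redirect_location user_agent
import re
from collections import defaultdict

UA_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/31.0.1650.63 Safari/537.36")
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
UA_IE = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

# Constructed lines; the host is the post's redacted domain, kept redacted.
SAMPLE_LOG = "\n".join([
    # the lure site: one landing path, a different redirect per browser family
    f"10.0.0.5 newyear[REMOVED]fix.com GET / 302 /chrome.html {UA_CHROME}",
    f"10.0.0.6 newyear[REMOVED]fix.com GET / 302 /firefox.html {UA_FIREFOX}",
    f"10.0.0.7 newyear[REMOVED]fix.com GET / 302 /ie.html {UA_IE}",
    f"10.0.0.5 newyear[REMOVED]fix.com GET /Chromeupdate.exe 200 - {UA_CHROME}",
    f"10.0.0.6 newyear[REMOVED]fix.com GET /Firefoxupdate.exe 200 - {UA_FIREFOX}",
    # a benign site that sends every browser to the same place
    f"10.0.0.9 www.example.com GET /download 302 /download/win {UA_CHROME}",
    f"10.0.0.9 www.example.com GET /download 302 /download/win {UA_FIREFOX}",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (.*)$")
LURE_WORDS = ("newyear", "fix")  # words the post says appear in the URL
PAYLOADS = {"chromeupdate.exe", "firefoxupdate.exe"}  # files the fake pages serve


def browser_family(ua):
    # Same coarse split the lure's Nginx had to make to pick a template.
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua:
        return "chrome"
    if "MSIE " in ua or "Trident/" in ua:
        return "ie"
    return "other"


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    client, host, _method, path, status, location, ua = m.groups()
    return {"client": client, "host": host, "path": path,
            "status": int(status), "location": location, "ua": ua}


def find_indicators(log_text):
    """Return sorted (indicator, where) pairs; each fires at most once per place."""
    findings = set()
    redirects = defaultdict(lambda: defaultdict(set))  # (host, path) -> family -> targets
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        host = rec["host"].lower()
        if all(word in host for word in LURE_WORDS):
            findings.add(("lure_domain", rec["host"]))
        if rec["path"].rsplit("/", 1)[-1].lower() in PAYLOADS:
            findings.add(("fake_update_payload", rec["host"] + rec["path"]))
        if 300 <= rec["status"] < 400 and rec["location"] != "-":
            redirects[(rec["host"], rec["path"])][browser_family(rec["ua"])].add(rec["location"])
    # A redirect whose target changes with the browser family, not only with the URL,
    # is the server-side behaviour the post attributes to Nginx.
    for (host, path), by_family in redirects.items():
        if len(by_family) > 1 and len(set().union(*by_family.values())) > 1:
            findings.add(("browser_dependent_redirect", host + path))
    return sorted(findings)
```

The benign site in the sample redirects every browser to the same place and is not flagged, which is the distinction a detection on the redirect alone needs to make.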

Android Tapsnake Mobile Scareware: Ads Push Antivirus (Japanese edition)

Recently, a series of mobile ads has been observed that tries to scare users into believing that their device is infected with a threat called "Trojan: MobileOS/Tapsnake".

image1_20.png

Figure 1. Fake warnings announcing a Tapsnake infection

This malware infection warning is fake. Tapsnake is a relatively old threat targeting Android (Symantec blogged about it in 2010 and detects it as Android.Tapsnake); its name merely happens to be used in these ads to make them look more credible. Symantec visited a site serving these ads with a brand-new Android device. The device was in its factory-installed state with nothing else added, yet the warning was still displayed. The threat does not target iOS devices, but Apple iPhone users have also reported seeing the Tapsnake warning.

image2_11.png

Figure 2. Scareware tactics aimed at Android users

Warnings of this kind are usually associated with scareware, which originally targeted PCs. When you visit a scareware website, you are shown a warning that your computer or device is infected with malware. Some of these scareware sites also offer free downloads of fake antivirus software.

All of this is a ploy to get users to download an app.

image3_11.png

Figure 3. Offer of a fake antivirus app for Android

Do not install apps from anywhere other than trusted app stores. Also, trust only well-known security software, such as Norton Mobile Security, which is available on the Google Play app store. For general tips on keeping smartphones and tablets safe, see the Mobile Security website (in English).

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Android Tapsnake Mobile Scareware: Ads Push Antivirus

Recently we have observed a series of mobile ads intended to scare users into believing that their device is infected with a threat called “Trojan: MobileOS/Tapsnake”.
 

image1_20.png

Figure 1. Fake Tapsnake infection warnings
 

The malware alert is fake. Tapsnake is an older Android threat (we blogged about it in 2010 and detect it as Android.Tapsnake) that just happens to be mentioned in these ads to make them appear more authentic. We visited a site serving these ads using a brand new Android device with a fresh install and nothing on it and still received this alert. Users of Apple’s iPhone have also reported seeing Tapsnake alerts, despite the fact that the threat doesn’t target iOS devices.
 

image2_11.png

Figure 2. Scareware tactics target Android users
 

This type of warning is commonly associated with scareware, which originated on PCs. When users visit scareware websites, they are shown a warning that claims their computer or device is infected with malware. These scareware sites may then offer free downloads of fake antivirus software.

This is all a trick designed to convince the user to download an application.
 

image3_11.png

Figure 3. Android Antivirus app offer
 

Symantec Security Response advises users not to install applications outside of trusted app stores. Instead, users should only trust well-known and reputable security software, such as Norton Mobile Security available on the Google Play app store. For general safety tips for smartphones and tablets, visit the Symantec Mobile Security website.
