SMS messages attempting to lure Android device owners to download an app that supposedly allows the camera on the device to see through clothes are circulating in Japan. This type of spam is usually sent by the malware authors themselves, but in this c…
寄稿: Vivek Krishnamurthi
チェルトナムフェスティバルは、英国で人気の高い障害競馬の祭典です。ナショナルハントフェスティバルとも呼ばれ、毎年 3 月に開催されます。この開催時期は聖パトリックの日とも近く、今年は 3 月 15 日まで続きました。祭典の期間には多くの賭け金が動きますが、その点はスパマーにもよく知られているらしく、ギャンブルを利用したオンラインスパムの増加が現在確認されています。
あるスパムサンプルでは、無料で賭けに参加する手順が説明されていました。メッセージに記載されたリンクを開くとフォームのページにリダイレクトされ、そこで登録すると 50 ポンド相当の賭け金をもらえることになっています。
このスパムメールで確認されたヘッダー情報は、以下のとおりです。
図 1. チェルトナムフェスティバルを利用したギャンブルスパム
登録すると、個人情報がスパマーの手に握られてしまいます。インターネットバンキングに関する情報まで入力してしまうと、事態はさらに深刻です。このようなサイトで賭けに誘われたら、くれぐれもご用心ください。実際には、登録してしまったら 50 ポンドの賭け金では済まないことになります。
迷惑メールや心当たりのない電子メールの扱いにはご注意ください。シマンテックでは、チェルトナムフェスティバルを悪用するスパムの監視を続けるとともに、聖パトリックの日についても同様の警戒態勢をとっています。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
聖パトリックの日は、アイルランドの文化と宗教にとって重要な祝日であり、3 月 17 日に世界各地で祝われますが、特にアイルランド人のコミュニティや組織にとっては大きな意味を持っています。最近、聖パトリックの日に関連するスパムメッセージが、Symantec Probe Network に多数届いていることが確認されています。確認されたスパムサンプルの多くは、車の在庫一掃セールをはじめとして、お買い得商品を宣伝するものです。
興味深いのは、この祝日の名前を、大容量ファイルの送受信に利用できる有名サイトと関連付けて騙そうとするスパムメールが確認されていることです。リンクをクリックすると、悪質なコードをダウンロードする Web ページにリダイレクトされます。このページでは、狙われやすい脆弱性がいくつか悪用されています。これらのスパム活動の主な目的は、電子メールの件名や本文で聖パトリックの日を利用してユーザーを誘うことにあります。「Patrick[RANDOM NUMBERS](パトリック[ランダムな数])」といった件名が一例ですが、このような手口には注意して、リンクはクリックしないようにしてください。
図 1. 聖パトリックの日を狙った悪質なスパムメール
スパムからリンクする Web サイトでは、聖パトリックの日にちなんだ在庫一掃セールが宣伝されています。
図 2. 聖パトリックの日を狙った広告スパム
在庫一掃の特別価格を見ようとして[Get Prices](価格を見る)ボタンをクリックすると、次の Web ページにリダイレクトされ、価格を比較するために車種を選択するよう求められます。
図 3. 車種ごとの価格を比較する在庫一掃 Web サイト
型式と車種を選ぶと、さらに別の Web ページにリダイレクトされ、今度は住所や電子メールアドレス、支払方法などの個人情報を入力する画面が表示されます。これは明らかに個人情報を盗み出そうとする手口であり、注意が必要です。
図 4. ユーザーの個人情報を要求するページ
聖パトリックの日を狙った在庫一掃セールのスパムで、これまでに確認された件名の例を以下に示します。
次に示すスパムメールのサンプルは、偽の広告でユーザーを煽って商品を購入させようとしています。URL をクリックすると、医薬品販売を騙る偽の Web サイトにリダイレクトされます。
図 5. 偽の医薬品販売 Web サイト
迷惑メールや心当たりのない電子メールの扱いにはご注意ください。シマンテックでは、最新の脅威に関する最新の情報をお届けできるよう、24 時間 365 日態勢でスパムの監視を続けています。
安心して聖パトリックの日をお楽しみください。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Contributor: Vivek Krishnamurthi
The Cheltenham Festival, also known as the National Hunt Meeting, is a popular horse racing event that occurs every year in March in the United Kingdom. The festival usually coincides with Saint Patrick’s Day. This year, the festival is currently in progress and will end on March 15. A large amount of gambling takes place during the Cheltenham Festival, a fact that spammers seem to be well aware of as we are presently observing an increase in online gambling spam.
One particular sample of spam included instructions on how to register a free bet. The link provided in the message directs the user to a form where they can sign up and get a free bet worth up to £50.
Some of the email header information found in this spam campaign includes the following:
Figure. Cheltenham Festival gambling spam
Once the user registers, their personal details are in the hands of the spammers. This situation can be even more alarming if the user shares their banking details. Beware of any fake betting offers from such sites; the reality is you are partaking in much more than a free bet of £50.
Symantec also advises our readers to be cautious when handling any unsolicited or unexpected emails. We are keeping a close eye on spam related to the Cheltenham Festival event, and another upcoming festival—Saint Patrick’s Day.
St. Patrick’s Day is a global celebration of Irish culture and a religious holiday on March 17, and it is very special to Irish communities and organizations. Recently, we have observed numerous St. Patrick’s Day related spam messages flowing into the Symantec Probe Network. Many of the spam samples observed are encouraging users to take advantage of clearance sales of cars as well as other product offers.
Interestingly, in one spam campaign, we observed a malicious spam email that tries to trick users by using the name of the event in conjunction with a popular site that allows users to send and receive large files. By clicking on the link, the user is redirected to a Web page that downloads some malicious code, which exploits several common vulnerabilities. The main motive of these spam campaigns is to lure recipients by taking advantage of the St. Patrick’s day holiday in the subject line and body of the email, such as: “Patrick[RANDOM NUMBERS]”. In such cases, users should be careful and avoid clicking on the links.
Figure1. Malicious spam email taking advantage of St. Patrick’s Day
The spam may lead to a website declaring a clearance sale on St. Patrick’s day.
Figure2. Financial spam targeting St. Patrick’s Day
When the user clicks on the “Get Prices Button” for the clearance prices of cars, they get redirected to another Web page that asks them to select the type of car model for a price comparison.
Figure3. Clearance website to compare the prices of car models
After entering the make and model of the car, the user gets redirected to another Web page asking for their personal details, including their address, email address, and payment details. Users should be wary of such information-stealing attempts by spammers.
Figure4. Asking the user for their personal information
Below are some of the subject lines that we have observed regarding the clearance sale spam attacks for St. Patrick’s Day:
The following example is from a spam email that encourages users to take advantage of bogus offers and purchase products. By clicking the URL, the user is re-directed to a fake pharmaceuticals website.
Figure5. Spam website selling fake pharmaceutical products
Symantec advises our readers to be cautious when handling unsolicited or unexpected emails. We at Symantec are monitoring spam attacks 24×7 to ensure that readers are kept up-to-date with information on the latest threats.
Have a great St. Patrick’s Day!
Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 20 vulnerabilities. Twelve of this month’s issues are rated ’Critical’.
As always, customers are advised to follow these security best practices:
Microsoft’s summary of the March releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Mar
The following is a breakdown of the issues being addressed this month:
MS13-021 Cumulative Security Update for Internet Explorer
Internet Explorer OnResize Use After Free Vulnerability (CVE-2013-0087) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer saveHistory Use After Free Vulnerability (CVE-2013-0088) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability (CVE-2013-0089) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer CCaret Use After Free Vulnerability (CVE-2013-0090) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer CElement Use After Free Vulnerability (CVE-2013-0091) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer GetMarkupPtr Use After Free Vulnerability (CVE-2013-0092) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer onBeforeCopy Use After Free Vulnerability (CVE-2013-0093) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer removeChild Use After Free Vulnerability (CVE-2013-0094) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer CTreeNode Use After Free Vulnerability (CVE-2013-1288) MS Rating: Critical
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS13-022 Critical Vulnerability in Silverlight Could Allow Remote Code Execution
Silverlight Double Deference Vulnerability (CVE-2013-0074) MS Rating: Critical
A remote code execution vulnerability exists in Microsoft Silverlight that can allow a specially crafted Silverlight application to access memory in an unsafe manner. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the current user. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS13-023 Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution
Visio Viewer Tree Object Type Confusion Vulnerability (CVE-2013-0079) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Visio Viewer handles memory when rendering specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
MS13-024 Vulnerabilities in SharePoint Could Allow Elevation of Privilege
Callback Function Vulnerability (CVE-2013-0080) MS Rating: Important
An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could allow an attacker to elevate their access to the server after obtaining sensitive system data.
SharePoint XSS Vulnerability (CVE-2013-0083) MS Rating: Critical
An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could potentially issue SharePoint commands in the context of an administrative user on the site.
SharePoint Directory Traversal Vulnerability (CVE-2013-0084) MS Rating: Important
An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could allow an attacker to elevate their access to the server after obtaining sensitive system data.
Buffer Overflow Vulnerability (CVE-2013-0085) MS Rating: Moderate
A denial of service vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could cause the W3WP process on an affected version of SharePoint Server to terminate, causing the SharePoint site, and any other sites running under that process, to become unavailable until the process is restarted.
MS13-025 Vulnerability in Microsoft OneNote Could Allow Information Disclosure
Buffer Size Validation Vulnerability (CVE-2013-0086) MS Rating: Important
An information disclosure vulnerability exists in the way that Microsoft OneNote allocates memory from parsing a specially crafted OneNote (.ONE) file.
MS13-026 Vulnerability in Office Outlook for Mac Could Allow Information Disclosure
Unintended Content Loading Vulnerability (CVE- 2013-0095) MS Rating: Important
An information disclosure vulnerability exists in the way that Microsoft Outlook for Mac 2008 and Microsoft Outlook for Mac 2011 load specific content tags in an HTML5 email message.
MS13-027 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
Windows USB Descriptor Vulnerability (CVE-2013-1285) MS Rating: Important
An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.
Windows USB Descriptor Vulnerability (CVE-2013-1287) MS Rating: Important
An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.
Windows USB Descriptor Vulnerability (CVE-2013-1286) MS Rating: Important
An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.
More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
Rumors of Venezuelan President Hugo Chavez’s death were rampant on the news and Internet over the past month, and last Tuesday, the Venezuelan Vice President confirmed that Chavez died after a two year battle with cancer. Chavez’s death has…
Contributor: Avdhoot Patil
Phishers have already made their mark in Southeast Asia by targeting Indonesians. For the past couple of years, celebrities have been their key interest in the region. Aura Kasih and Ahmad Dhani are good examples. In March 20…
Symantec recently received information on a new Java zero-day, Oracle Java Runtime Environment CVE-2013-1493 Remote Code Execution Vulnerability (CVE-2013-1493). The final payload in the attack consisted of a DLL file, detected by Symantec as Tro…
Over the last few years, many reports, white papers, and blogs have been released detailing targeted attacks. For example, some attacks employ sophisticated infection methods, such as watering hole attacks, and some rely on exploit code hidden in docum…
