Tag Archives: Endpoint Protection (AntiVirus)

Com aproximidade da Copa do Mundo da FIFA 2014 é natural que muitas campanhas de marketing e promoções relacionadas a este evento global sejam veiculadas para aproveitar o entusiamo deste momento. Porém, entre todos os e-mails e mensagens legítimas, muitos golpes online também já comecaram a ocorrer, com promessas de entradas grátis para os jogos e até um carro ao vencedor de um sorteio.

Os fraudadores e golpistas digitais já iniciam seus ataques e exploram o tema ligado à Copa do Mundo da FIFA no Brasil. As ramificações para o usuário ser uma vítima pode ter consequências de longo alcance. Não só o internauta pode ter sua conta bancária esvaziada pelos fraudadores, mas também infectar seu computador com ameaças, como malware. O que poderia acontecer, por exemplo, após a instalação dessa ameaça é o golpista roubar dados e informações pessoais do proprietário da máquina por meio do download de um Trojan, ou comprometer o computador e torná-lo parte de um Botnet.

A Symantec identificou vários emails maliciosos sobre a Copa do Mundo da FIFA. Na primeira amostra o golpe contém um link para um malware.

Figura 1 – E-mail contendo malware relacionado à Copa do Mundo FIFA 2014

Após o clique, o usuário é direcionado a uma URL maliciosa, que faz o download do eTicket.rar (que abriga o eTicket.exe – Figura 2). Ao ser executado, o arquivo desencadeia o trojan Infostealer.Bancos, que instala o thanks.exe no diretório /Programas/Startup. 

Este arquivo, que irá tentar escapar de medidas de segurança, rouba informações financeiras e confidenciais, registra os dados colhidos e os envia para um criminoso remoto. Também foi descoberto que o malware foi personalizado para atingir instituições financeiras brasileiras.

Figura 2 – Imagem da tela após clicar no hiperlink com malware

Outro exemplo de ataque é uma suposta fraude que utiliza a marca CIELO como chamariz para uma promoção falsa, que leva a uma página de phishing.

Figura 3 – Email de phishing relacionado à Copa do Mundo FIFA 2014

Ao clicar no botão da promoção, a página de phishing

 http://conteudo.casavilaverde.com/logs/copa2014/index.php?%email% é redirecionada para <http://cielobrasil2014l.fulba.com/copa,fuleco.dll/BR.FIFA=2,0,1,4/f&ulec0&id/sele,ca.o&id=br/home.html> e solicita o nome, data de nascimento e CPF do usuário.

Figura 4 – A URL abre uma página da web falsa solicitando dados pessoais

Após fornecer essas informações, uma nova página (Figura 5) é aberta, que solicita os dados bancários do usuário.

Figura 5 – URL solicita os dados de serviços bancários

Em uma análise mais aprofundada, a Symantec descobriu que o domínio conteúdo.casavilaverde.com foi hackeado e abre como na Figura 6.

Figura 6 – Domínio da URL hackeado

Há, também, um golpe nigeriano, que traz um anexo que parece estar relacionado a um sorteio patrocinado por grandes marcas (Figura 7). Para parecer legítimo, esse e-mail contém um aviso, mas, por não conter imagens ou URLs e por ter apenas um documento do Word anexo, esse golpe parece ser mais simples do que os demais.

Figura 7 – Exemplo de golpe nigeriano relacionado à Copa do Mundo FIFA 2014

Eventos globais desse porte podem ser muito lucrativos para os golpistas devido ao aumento do número de interessados no assunto. Até a Copa do Mundo, diversas tentativas para atrair usuários e adquirir informações sensíveis e confidenciais irão ocorrer. Os e-mails de Spam, por exemplo, pode ser personalizados para diferentes países e regiões. Para evitar ser vítima desses golpes, a Symantec aponta as seguintes práticas de segurança online:

• Não compartilhe informações pessoais e confidenciais.
• Esteja atento ao clicar em qualquer link suspeito ou responder a qualquer oferta, especialmente as que parecem muito atrativas.
• Certifique-se de usar fontes autorizadas para fazer transações e procurar dados relacionados à Copa do Mundo.
• Utilize software de segurança original e atualizado em seus equipamentos conectados à Internet, como o  Norton Internet Security.

Contributor: Sean Butler

As it’s the start of a Football World Cup year it’s only natural that we will see many campaigns in relation to this global event. There will be many marketing and promotional campaigns taking advantage of the hype and excitement surrounding this event. Amongst all of the legitimate marketing and promotion emails, you may also receive emails promising anything from free match tickets, to competitions and lottery prizes stating that you have won a car.

Sound too good to be true? Well, you would be right in thinking that!

Fraudsters will be looking to exploit the enthusiasm that comes with the FIFA World Cup, which will be taking place in Brazil this June. The ramifications of you being scammed could be very serious indeed. Not only could you become a victim of fraud by having your bank account emptied by these fraudsters, you could also end up with malware on your computer. This malware could do anything from stealing your personal details by downloading a Trojan, to compromising your computer and making it part of a botnet.

Symantec has already spotted several FIFA World Cup related scam emails. The first scam sample Symantec discovered, relating to the FIFA World Cup, is an email that contains a link to malware.

The email has the following headers:

From: Parabens Voce foi o ganhador de um Par de ingressos atendimento.promo5885631@Domain.com

Subject: Copa do Mundo FIFA 2014

This email header can be translated as:

From: Congratulation you were the winner of a pair of tickets atendimento.promo5885631@Domain.com

From: FIFA World Cup 2014

Figure 1. Malware attack email related to FIFA World Cup

This email can be translated as:

You are the winner of a pair of tickets to the FIFA World cup 2014 Brazil!

Print your e-Ticket copy and collect the ticket from the ticket center in your city

Print Ticket

Check out the address of the ticket center in your city here

The recipient is enticed to click the on the link and print the match tickets. However, the link leads to a malicious URL that downloads the file eTicket.rar, which contains an executable file named eTicket.exe.

Figure 2. Clicking on the link leads to malicious download

Next, a file named thanks.exe (Infostealer.Bancos) is dropped in the following location so that it runs every time Windows starts:

Programs/Startup/thanks.exe

The Trojan will continue to run in the background and try to evade security measures, steal confidential financial information, log the stolen data, and send it to a remote attacker at a later time. We have also discovered that the malware is customized to target Brazilian financial institutions.

Symantec customers would have been protected against this attack because our ‘Link following’ technology, which checks all Web pages referenced within an email for viruses and other threats, correctly identified the malware at the end of the URL. Detection was then created so that future emails containing different links to this malware will be treated as though they are infected and then quarantined.

Another scam involves a fraudulent CIELO Brazil promotion. CIELO is a Brazilian credit and debit card operator.

Figure 3. Phishing email related to FIFA World Cup 2014

This email can be translated as:

Congratulations, you have been chosen to take part in the Cielo Cup 2014.

To promote World Cup 2014, you must register to compete for prizes worth 20 thousand Reais,

Tickets, accommodation in exclusive places during the 2014 world cup and you could also win a Fiat Doblo 0 Km. (Sic)

Don’t waste time! PURCHASE Register right now at no extra cost and avail the benefits of our promotion.

Join this Mega Promotion and compete for these Super Prizes.

Click here to unlock your promo code

If the recipient clicks the “Click Here” button, they are redirected to the following URL:

http://cielobrasil2014l.fulba.com/[REMOVED]/BR.FIFA=2,0,1,4/f&ulec0&id/sele,ca.o&id=br/home.html

The webpage asks for a username, date of birth, and a Brazilian tax registration number (CPF).

Figure 4. Spoofed Web page asking for personal credentials

On providing the required information, the user is sent to the page shown in Figure 5, which asks for the user’s banking credentials.

Figure 5. Spoofed Web page asking for banking credentials

On further analysis, we found that the domain conteudo.casavilaverde.com used in the phishing scam had been hacked.

Figure 6. Hacked domain used in phishing scam

Finally, the third example is a Nigerian scam.

Figure 7. Nigerian FIFA World Cup scam email

The email contains an attachment that claims to be about a lotto sponsored by major brands. The scam ultimately asks the recipient for personal information. The email also contains a notice to try and look legitimate, but this looks amateurish in comparison to the other examples referenced in this blog. There are no images or URLs contained within the email and the fact that it only contains an attached Word document would make anyone suspicious.

Symantec’s advanced monitoring systems were able to identify the above scam emails and protect our customers from receiving them.

While the first two example emails are composed in Portuguese and aimed at people in Brazil, they can easily be customized for different regions, countries, and languages. Considering the influence football has across the globe, such spam mail could potentially trick many people.

Global events can be very lucrative for scammers as they have the potential to scam more victims by appealing to peoples’ interest and curiosity. As a consequence, Symantec expects such scams to increase as we get closer to the 2014 World Cup.

Symantec advises users to be on their guard and to adhere to the following security best practices:

• Exercise caution when receiving unsolicited, unexpected, or suspicious emails
• Avoid clicking on links in unsolicited, unexpected, or suspicious emails
• Avoid opening attachments in unsolicited, unexpected, or suspicious emails
• Keep security software up-to-date
• Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Don’t be caught offside when it comes to special offers, especially ones that look too good to be true!