Fake US Anti-Spam Law Used in Latest Phishing Campaign
Phishers posing as banks are redirecting victims to a fake website then requesting logon credentials in order to compromise bank accounts.
Read more…
Tag Archives: phishing
Spearphishing scams hope you’ll take the bait
Yesterday on our blog, avast! Virus Lab researcher Jaromir Horejsi, explained a banking Trojan called Tinba. The cybercrooks behind Tinba use a social engineering technique called spearfishing to target its victims. You have probably heard about email scams that use phishing. This classic technique uses authentic-looking emails to lure the victims to fake websites, then […]
Image Stock Spam Reemerges
Image stock spam, which can affect share prices and cause financial loss, has become more prominent in the last week.
Read more…
E-card Spam Claims to Help Users Get Rich Quick
The scam uses websites that pose as legitimate companies to trick people.
Read more…
.club gTLD Used in Hit-and-Run Spam Attacks
Spammers have been abusing generic top-level domains, released by the Internet Corporation for Assigned Names and Numbers earlier this year, in hit-and-run spam attacks.
Read more…
Phishing for Apple IDs: Keep an Eye Out for Suspicious Emails
Following reports of Apple IDs being compromised and devices being held for ransom in Australia and New Zealand, Apple issued a statement to ZDNet proclaiming that their iCloud infrastructure had not been breached. They went on to warn users to “change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.” Symantec would like to advise owners of Apple devices to keep an eye out for emails attempting to phish for Apple ID login credentials.
Going Phishing for Apple IDs
While there have been no confirmed reports as to how these Apple IDs were compromised, one possible explanation is phishing scams. Due to all the media attention this event has received, Symantec is cautioning users to be skeptical of emails claiming to be from Apple. This event presents scammers with more credibility when attempting to phish for Apple IDs, especially now that many users are concerned about the safety and security of their Apple IDs and devices.
What does an Apple ID phishing email look like?
Figure 1. Example of an Apple ID phishing email from early May
There are a number of different Apple ID phishing emails that have been in circulation in recent months. The emails adopt some of the following subject lines:
- Please update your Apple account now
- Apple – Your Account Is Not Confirmed
- Please Verify Account Information For Your Apple ID
- please verify the email address associated with your Apple ID
These subjects are used to trick users into opening emails, improving the odds that they may click on the links within them.
What does an Apple ID phishing page look like?
If a user clicks on a link within the phishing email, they are directed to a Web page that on the surface looks like the real My Apple ID page. However, if users check the address bar, they will see a suspicious URL for a website that is not secure (HTTPS), which should raise suspicion.
Figure 2. Example of an Apple ID phishing Web page
Once the attacker harvests the Apple ID login and password, they direct users to a second phishing page that asks for financial and personal information, such as credit card number, date of birth, and a security question.
Figure 3. Apple ID phishing page requests financial details
Once this information has been submitted, the user is directed back to the real Apple.com. However, their Apple ID along with their personal and financial details have now been compromised.
Localized phishing for Apple IDs
In addition to the English language phishing sites, we have also observed instances of Apple ID phishing sites localized for targets in other countries.
Figure 4. Apple ID phishing page localized for China
Figure 5. Apple ID phishing page localized for Italy
In addition to these localized versions, we found some Apple ID phishing sites that require a target to select his or her country to make sure they are served the correct, localized phishing page.
Figure 6. Apple ID phishing page asks users to select localized version
These countries include the United Kingdom, the United States, Canada, Italy, Germany and Other, which is just another English version of the phishing page.
Ways to Prevent Apple ID Phishing
- Watch out for suspicious emails. If you receive an email claiming that your Apple ID has been disabled or that you need to update your information, do not click on the link within the message. Open up a browser tab and browse to apple.com instead.
- Pay attention to the address bar. If you happen to click on a link in an email, look closely at the URL in your address bar. If the URL looks suspicious, like the examples shown in this blog, do not type in your Apple ID and password. In modern browsers, look for the green lock symbol and “Apple Inc.” to confirm you are on the real Apple website.
- Enable two step verification for your Apple ID. With two step verification enabled, if your Apple ID is phished, an attacker cannot log in to your account without obtaining physical access to your cellphone or other trusted devices.
Sophisticated Google Drive Phishing Scam Returns
Google Drive phishing page served over SSL from the legitimate Google Drive service itself.
Read more…
Spammers Quick to Take Advantage of Second Posthumous Michael Jackson Album
May 13, 2014 witnessed the release of another posthumous compilation album of Michael Jackson recordings, named Xscape. This reworked collection of Jackson tracks was highly anticipated by music lovers, ever since its announcement in March, 2014. News of the album release has once again made Michael Jackson a hot topic and, unsurprisingly, spammers have been quick to exploit this.
This spam campaign uses a very simple email which is crafted to appear like personal mail. It uses Michael Jackson’s name and some of his song titles to create intriguing subject lines. The body of the email contains a link along with a generic comment. A name is used to sign the email message, as seen in Figure 1, in an effort to give the impression that an acquaintance has sent you an email with a link to the new Jackson album. The URL in the body of the email redirects to a fake pharmacy domain which promises cheap medicines without prescription.
The following are subject lines seen in this spam campaign:
- Subject: $ Planet Earth (Michael Jackson poem) $
- Subject: * List of songs recorded by Michael Jackson *
- Subject: * List of unreleased Michael Jackson songs *
- Subject: [ Hold My Hand (Michael Jackson and Akon song) ]
Figure 1. Example of Michael Jackson spam email
We expect more spam exploiting this news in the coming days and believe the possibility of such emails being phishing attempts or containing malware to be very strong.
Users are advised to adhere to the following best practices:
- Do not open emails from unknown senders
- Do not click on links in suspicious emails
- Never enter personal information on suspicious websites, as they may have been created for phishing purposes
- Keep your security software up-to-date to stay protected from phishing attacks and malware
What Spam Would Mom Like This Year?
On May 11, 2014, many countries will celebrate Mother’s Day. Plenty of online articles have been giving gifts ideas and advice for making the day special for mom. Companies have also been sending a huge number of promotional emails with a special message about Mother’s Day. Unsurprisingly, spammers have been exploiting this occasion to send out a fresh batch of spam.
Symantec started observing Mother’s Day spam from early April and we have seen a steady increase in the volume of messages ever since. Previous Mother’s Day spam emails often stuck to certain categories. Spam emails offering flower deliveries, jewelry, personalized messages, coupons, and other gifts for mothers were the most common. Survey and product replica spam were also observed in the past.
The following are the major Mother’s Day themed spam campaigns seen this year.
Flowers for Mother
A beautiful bunch of flowers is something any mother will love and spammers use this theme more than any other. From last month, we have seen numerous emails promising flower deliveries by Mother’s Day. Most of these emails included links that redirected to fraudulent websites and some of the links redirected through multiple domains just to increase the traffic.
Figure 1. Preview of a spam email for ordering flowers
The email headers for this category are as follows.
Subject: $19.99 for Flowers and a Vase for Mother’s Day
From: [brand] <Online@[domain]>
Subject: [brand]: $19.99-Flowers for-Mom &-Vase!
From: “[brand] Special” <[brand]Special@[domain]>
Subject: Hi, 50% off Flowers for Mom
From: Fresh Flowers <[brand]@[domain]>
Personalized jewelry for Mom
Beautiful jewelry, particularly rings and pendants with a personalized inscription, is another theme that is a hit around Mother’s Day. Spammers also claim to offer personalized cards or notes along with the product. Like most spam, these emails will usually have links to other sites.
Figure 2. Preview of a spam email selling personalized rings for Mother’s Day
The email header for jewelry-themed spam messages are as follows.
Subject: Give Mom Something Unique This Year
From: Mothers Rings <rings@[domain]>
Product replica spam
This category is not too different from others, except that these spam emails advertise websites selling fake watches, jewelry, and other expensive goods. We observed these emails earlier this year and we continued to see them today. In these campaigns, the spammers give users deadlines for placing orders for the products.
Figure 3. Preview of replica spam related to Mother’s Day
Email headers seen with this spam campaign are as follows.
Subject: Why so soon?
From: Paige (Mother’s Day deadline) <Paige@[domain]>
Lose weight by Mother’s Day
We believe that Mother’s Day-themed weight loss medication spam is a spinoff from an ongoing weight loss spam campaign, which has been the largest spam category by volume over the last couple of weeks. These emails include links which redirects to fake news sites offering information about new weight loss products.
Subject: Drop 10LB by Mothers Day
From: Rid 20 Pounds 2 Weeks <Sophia@[domain]>
Portuguese promo spam
We have seen a Portuguese spam campaign sending a large volume of messages promoting products related to Mother’s Day. This spam campaign uses the name of an online site which sells personalized products.
This spam campaign included links redirecting to a fraudulent website, along with a bogus opt-out option.
Figure 4. Preview of Portuguese promotional spam exploiting Mother’s Day
Here is the email header for this spam campaign.
Subject: Dia das Mães! Ajudaremos você com o presente.
From: “[brand]OnLine” <envio@painel1.[domain]>
Translation:
Subject: Mother’s Day! We’ll help you with this.
Symantec has observed a high volume of Mother’s Day themed hit-and-run spam recently. Most of these emails included links to a .us top level domain (TLD) which, on further analysis, were found to be registered quite recently. The theme of the domain names show that they were created for a Mother’s Day spam campaign. The domain names followed patterns such as flower-1promo-mothersday and mothersdayflower-special.
Symantec antispam filters successfully blocked these spam mails, but as always, we advise our readers not to respond to any of these emails. Remember, take your time to search for a Mother’s Day gift and don’t just click on links found in these spam mails. Symantec wishes all of our customers a happy Mother’s Day.
Heartbleed ????????????????
寄稿: Binny Kuriakose
シマンテックは最近、Heartbleed 脆弱性に便乗したフィッシングメールを確認しました。このフィッシング攻撃は、米軍関係の保険サービスを装って Heartbleed 脆弱性に関するメッセージを送信し、情報を収集しようとします。
Heartbleed は最近発見されたセキュリティ脆弱性で、OpenSSL のバージョン1.0.1 から 1.0.1f に影響します。この脆弱性は OpenSSL 1.0.1g で修正済みです。脆弱性の詳細や対処方法については、シマンテックのセキュリティアドバイザリーを参照してください。
スパマーやフィッシング攻撃者は、最新のニュースや話題を利用してペイロードを偽装します。フィッシングメールでは多くの場合、セキュリティに関する懸念につけ込んで、ソーシャルエンジニアリングの手口を本物らしく見せようとします。電子メールに仕込まれたペイロードによって、受信者が機密情報を漏らすように仕向けるのです。
今回の場合、次のような電子メールが送られてきます。
図 1. Heartbleed 脆弱性に便乗したフィッシングメール
この例には、興味深い特徴がいくつかあります。
- X-Mailer ヘッダーを見ると、送信者が使っている電子メールクライアントが非常に古いもの(Microsoft Outlook Express 6.00.2600.0000)だと分かります。多くのユーザーが依然として古い電子メールクライアントを使っていますが、最新のオンラインビジネスでそのような電子メールクライアントを使ってセキュリティに関する通知を送信することはほぼありません。
- 「has initiate」という文法上の誤りがあります。攻撃者は、最新の話題をいち早く悪用して新しいフィッシング攻撃を実行しようと焦るため、文法の間違いを犯しがちです。また、送信者の母国語が英語ではないことも珍しくありません。
- さらに、このフィッシングメールは有名な米軍関係の保険サービスからのセキュリティ警告と称しているにもかかわらず、掲載されている「ログイン」リンクをクリックすると、実際には危殆化したトルコの製造業社のサイトにアクセスします。
以上は、フィッシングメールの判断基準のすべてではありませんが、フィッシング攻撃にありがちな間違いや矛盾を示しています。
Heartbleed に関するアドバイザリーで詳しく説明しているように、個人情報の提供や更新を要求する電子メールには警戒するようにしてください。また、そのようなメッセージに含まれるパスワードリセットやソフトウェア更新のリンクは、決してクリックしないでください。個人情報の更新や変更が必要な場合は、該当する Web サイトに直接アクセスして実行することをお勧めします。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。