Tag Archives: phishing

Million Dollar Twitter Contest Hijacked by Scammers

Scammers are taking advantage of recent Super Bowl social buzz in a scheme which target entrants of an Esurance contest. The company premiered a commercial following Super Bowl, where they offered US$1.5 million dollars to one lucky Twitter user who used the hashtag #EsuranceSave30.  Following this, Symantec Security Response has observed a number of fake Esurance Twitter accounts being created to leverage the attention generated by this contest.

Many of these Twitter accounts used variations of Esurance’s brand name and logo to convince users they are affiliated with the company. These accounts include the following Twitter handles:

  • EsuranceWinBig
  • EsuranceGW
  • Essurance
  • Esurrance
  • Esurnace
  • Esuranc

There are also other accounts that use logos and imagery making them look like they belong to Esurance, but their names have nothing to do with the brand. An example is an account named @HelpfulTips, whereby the “l” in Help is the capitalized letter “i”.

This account, created in December 2012, has racked up thousands of followers but performed an “account pivot” during the contest–it changed its avatar, bio and header image, and claimed to be part of the Esurance giveaway. The account added thousands of Twitter followers and received more than 40,000 retweets for a tweet related to the contest overnight.

figure1_15.png
Figure 1: Twitter account which claims to be associated with the Esurance giveaway

Earlier this afternoon, it performed yet another account pivot–after gaining enough followers from the Esurance tweets, it reverted back to a LifeHacks account.

figure2_14.png
Figure 2: Fake Esurance account pivots back after gaining thousands of followers

Many accounts of such nature focus on gaining retweets and followers, but Symantec has identified further abuse. For example, one of the fake Esurance accounts has asked its followers to donate money to increase their chances of winning the contest:

figure3_9.png
Figure 3. Twitter account asks for donations to increase their chances of winning the contest

This campaign was shut down quickly, but already  received US$261 in donations by then.

These accounts could also be used to send phishing links to followers, asking them to login to Twitter to earn more entries in the contest.

Why are these accounts being created in the first place? By riding on the popularity of the contest and the hashtag, some of these accounts have gained anywhere between 1,000 to 100,000 followers. After that, the owners of these accounts are able to sell these fake accounts to individuals who are looking for accounts with real Twitter followers instead of fake ones. This can then be used for affiliate spam.

As more brands use Twitter for marketing purposes, Symantec advises users to look for and follow updates and contest rules from Twitter accounts that are “verified” and/or officially associated with the brand.  In this case, Esurance has provided a set of official rules and frequently asked questions on their website.

If you suspect an account is attempting to mislead users on Twitter, you can report the account to Twitter.

To learn more about social media scams, follow Symantec Security Response team on @threatintel and read our blogs on previous Twitter scams:

Estafadores Cibernéticos Inician Campañas Relacionadas con el Mundial de Brasil 2014

Estamos iniciando el año en que se jugará el Mundial de futbol y es natural que en los siguientes meses veamos varias campañas relacionadas con este evento. Habrá mucho marketing y promociones asociadas con el entusiasmo y el interés que genera el  evento. Entre todo el marketing y correos electrónicos promocionales legítimos, podríamos recibir correos con premios prometedores como entradas gratuitas o notificaciones de la lotería diciéndonos que hemos  ganado un automóvil, por ejemplo.

Si piensa que suena demasiado bueno para ser verdad podría estar en lo cierto.

Los estafadores trataran de aprovecharse del entusiasmo vinculado con la Copa Mundial que se llevará a cabo en Brasil en junio y las consecuencias de que los usuarios sean víctimas de un fraude podrían ser graves. Los estafadores no solo pueden vaciar una cuenta bancaria sino que también podrían llenar de malware nuestra computadora. Esto puede implicar el robo de datos personales al descargar un Troyano o comprometer nuestro equipo y hacerlo parte de un Botnet.

En los últimos días, Symantec ha detectado varios correos fraudulentos relacionados con el Mundial de futbol, a continuación los detalles.

El primer ejemplo de fraude que Symantec identificó es un correo electrónico similar al que mostramos a continuación, el cual contiene un vínculo a un código malicioso:

Versión en portugués:

De: Parabens Voce foi o ganhador de um Par de ingressos atendimento.promo5885631@Domain.com

Asunto: Copa do Mundo FIFA 2014

fifa-1.png

Figura 1. Traducción del encabezado del correo electrónico con código malicioso (malware)

fifa-2.png

Figura 2. Ataque de código malicioso relacionado con el Mundial de la FIFA

fifa-3.png

Figura 3. Traducción del contenido del correo electrónico con malware

Se invita al usuario a hacer clic en la liga para imprimir el boleto al partido.

Pero, la liga lleva a un URL malicioso que descarga un archivo adjunto llamado eTicket.rar y  que contiene el programa ejecutable: eTicket.exe, como se muestra en la imagen a continuación.

fifa-4.png

Figura 4. Imagen del archivo adjunto (malware) que se descarga al hacer clic en la liga

Al ejecutarlo, se instala el archivo thanks.exe en el directorio de Programas/Inicio y se activa un Troyano en constante evolución Infostealer.Bancos y ese archivo continuará funcionando en segundo plano sin que el usuario lo note. Luego, tratará de evadir las medidas de seguridad, robar información financiera confidencial, registrar los datos recolectados y finalmente los enviará al atacante remoto. También hemos descubierto que el malware está dirigido especialmente para las  instituciones financieras brasileras.

Los clientes de Symantec están protegidos contra este ataque gracias a la tecnología de “Seguimiento de vínculo” (‘Link following’), que revisa todas las páginas de Internet referidas en un correo electrónico en busca de virus u otras amenazas, lo que permite identificar el malware en el URL incluido en el mensaje. A partir de esto, se creó la detección para que en el futuro los correos que contuvieran diferentes ligas a este malware, sean reconocidos como infectados y puestos en cuarentena.

Otro ejemplo de engaños en Internet relacionados con este tema es una supuesta promoción de la marca CIELO en Brasil. CIELO es un operador de tarjetas de crédito y débito en Brasil.

fifa-5.png

Figura 5. Phishing por correo electrónico relacionado con el Mundial 2014

El mensaje traducido es el siguiente:

fifa-6.png

Figura 6. Traducción del contenido del contenido del correo de phishing

Al dar clic en la liga dentro del correo con el siguiente URL:

<http://conteudo.casavilaverde.com/logs/copa2014/index.php?%email%>

Se redirige al usuario a:
 
http://cielobrasil2014l.fulba.com/copa,fuleco.dll/BR.FIFA=2,0,1,4/f&ulec0&id/sele,ca.o&id=br/home.html
  
Entonces la página de Internet solicita al usuario ingresar su nombre, fecha de nacimiento y el número de identificación fiscal de Brasil (Cpf).

fifa-7.png

Figura 7. El URL del phishing abre la página de Internet alterada y solicita datos personales.

Al proporcionar la información, el usuario es dirigido a la página que mostramos abajo que solicita los datos bancarios de los usuarios.

fifa-8.png

Figura 8. La página de Internet alterada solicita datos bancarios.

En un análisis más profundo encontramos que el dominio conteudo.casavilaverde.com está hackeado y se muestra como:
 

fifa-9.png

Figura 9. El dominio del URL en el correo está hackeado

Finalmente, el tercer ejemplo detectado por Symantec es una nueva versión de estafa nigeriana con los siguientes encabezados:

De: “FIFA 2014 World Cup Award”<globalpromotions@ @[domain].ru>

Asunto: Window Live Games 2014 FIFA World Cup

fifa-10.png

Figura 10. Adjunto del ejemplo de fraude nigeriano relacionado con el Mundial

El correo incluye un archivo adjunto que supuestamente es un premio patrocinado por grandes marcas y para obtenerlo se solicita al usuario información personal. El correo también contiene una nota que trata de parecer legítima pero inmediatamente se advierte que es algo amateur en comparación con los otros dos ejemplos mencionados. No hay imágenes ni URL en este correo y el hecho de que contenga un adjunto Word hace que resulte sospechoso.

Los sistemas de monitoreo avanzados de Symantec pudieron identificar los tres ejemplos de estafas electrónicas presentadas en este blog protegiendo así a nuestros clientes.

Mientras que los primeros dos correos están redactados en portugués dirigidos a personas en Brasil, los correos no deseados pueden personalizarse fácilmente por regiones, países e idiomas, teniendo en cuenta el interés que existe actualmente en el futbol.

Los eventos mundiales pueden ser muy lucrativos para los estafadores ya que tienen el potencial de estafar a más cantidad de personas debido al interés sobre dichos eventos. Como consecuencia, Symantec espera que la cantidad de correos fraudulentos se incremente a medida que se acerca la fecha del evento.

Como medida preventiva para los usuarios recomendamos no compartir información personal o confidencial. Debido al riesgo de pérdida financiera y de información confidencial en juego, Symantec aconseja a los usuarios estar alerta y seguir los siguientes consejos de seguridad:

  • Ser precavido al recibir correos no solicitados, inesperados o sospechosos
  • Evitar dar clic en ligas incluidas en correos sospechosos, no solicitados o inesperados
  • Evitar abrir archivos adjuntos en correos no solicitados
  • Mantener actualizado el software de seguridad
  • Actualizar las firmas antispam de forma periódica.

Symantec constantemente monitorea los ataques de spam para asegurarse de informar a los usuarios con información sobre las más recientes amenazas.

¡Que no te tomen fuera de lugar cuando se trata de ofertas y promociones, especialmente aquellas que parecen muy buenas para ser verdad!

 

Os fraudadores e golpistas digitais iniciam suas campanhas para a Copa do Mundo da FIFA 2014

Com aproximidade da Copa do Mundo da FIFA 2014 é natural que muitas campanhas de marketing e promoções relacionadas a este evento global sejam veiculadas para aproveitar o entusiamo deste momento. Porém, entre todos os e-mails e mensagens legítimas, muitos golpes online também já comecaram a ocorrer, com promessas de entradas grátis para os jogos e até um carro ao vencedor de um sorteio.

Os fraudadores e golpistas digitais já iniciam seus ataques e exploram o tema ligado à Copa do Mundo da FIFA no Brasil. As ramificações para o usuário ser uma vítima pode ter consequências de longo alcance. Não só o internauta pode ter sua conta bancária esvaziada pelos fraudadores, mas também infectar seu computador com ameaças, como malware. O que poderia acontecer, por exemplo, após a instalação dessa ameaça é o golpista roubar dados e informações pessoais do proprietário da máquina por meio do download de um Trojan, ou comprometer o computador e torná-lo parte de um Botnet.

A Symantec identificou vários emails maliciosos sobre a Copa do Mundo da FIFA. Na primeira amostra o golpe contém um link para um malware.

World Cup 2014 1 edit.png

Figura 1 – E-mail contendo malware relacionado à Copa do Mundo FIFA 2014

Após o clique, o usuário é direcionado a uma URL maliciosa, que faz o download do eTicket.rar (que abriga o eTicket.exe – Figura 2). Ao ser executado, o arquivo desencadeia o trojan Infostealer.Bancos, que instala o thanks.exe no diretório /Programas/Startup. 

Este arquivo, que irá tentar escapar de medidas de segurança, rouba informações financeiras e confidenciais, registra os dados colhidos e os envia para um criminoso remoto. Também foi descoberto que o malware foi personalizado para atingir instituições financeiras brasileiras.

World Cup 2014 2 edit.png

Figura 2 – Imagem da tela após clicar no hiperlink com malware

Outro exemplo de ataque é uma suposta fraude que utiliza a marca CIELO como chamariz para uma promoção falsa, que leva a uma página de phishing.

World Cup 2014 3 edit_0.png

Figura 3 – Email de phishing relacionado à Copa do Mundo FIFA 2014

Ao clicar no botão da promoção, a página de phishing

 http://conteudo.casavilaverde.com/logs/copa2014/index.php?%email% é redirecionada para <http://cielobrasil2014l.fulba.com/copa,fuleco.dll/BR.FIFA=2,0,1,4/f&ulec0&id/sele,ca.o&id=br/home.html> e solicita o nome, data de nascimento e CPF do usuário.

World Cup 2014 4 edit.png

Figura 4 – A URL abre uma página da web falsa solicitando dados pessoais

Após fornecer essas informações, uma nova página (Figura 5) é aberta, que solicita os dados bancários do usuário.

World Cup 2014 5.png

Figura 5 – URL solicita os dados de serviços bancários

Em uma análise mais aprofundada, a Symantec descobriu que o domínio conteúdo.casavilaverde.com foi hackeado e abre como na Figura 6.

World Cup 2014 6 edit.png

Figura 6 – Domínio da URL hackeado

Há, também, um golpe nigeriano, que traz um anexo que parece estar relacionado a um sorteio patrocinado por grandes marcas (Figura 7). Para parecer legítimo, esse e-mail contém um aviso, mas, por não conter imagens ou URLs e por ter apenas um documento do Word anexo, esse golpe parece ser mais simples do que os demais.

World Cup 2014 7.png

Figura 7 – Exemplo de golpe nigeriano relacionado à Copa do Mundo FIFA 2014

Eventos globais desse porte podem ser muito lucrativos para os golpistas devido ao aumento do número de interessados no assunto. Até a Copa do Mundo, diversas tentativas para atrair usuários e adquirir informações sensíveis e confidenciais irão ocorrer. Os e-mails de Spam, por exemplo, pode ser personalizados para diferentes países e regiões. Para evitar ser vítima desses golpes, a Symantec aponta as seguintes práticas de segurança online:

  • Não compartilhe informações pessoais e confidenciais.
  • Esteja atento ao clicar em qualquer link suspeito ou responder a qualquer oferta, especialmente as que parecem muito atrativas.
  • Certifique-se de usar fontes autorizadas para fazer transações e procurar dados relacionados à Copa do Mundo.
  • Utilize software de segurança original e atualizado em seus equipamentos conectados à Internet, como o  Norton Internet Security.

Fraudsters and Scammers Kick Off Their Campaigns for the 2014 FIFA World Cup

Contributor: Sean Butler

As it’s the start of a Football World Cup year it’s only natural that we will see many campaigns in relation to this global event. There will be many marketing and promotional campaigns taking advantage of the hype and excitement surrounding this event. Amongst all of the legitimate marketing and promotion emails, you may also receive emails promising anything from free match tickets, to competitions and lottery prizes stating that you have won a car.

Sound too good to be true? Well, you would be right in thinking that!

Fraudsters will be looking to exploit the enthusiasm that comes with the FIFA World Cup, which will be taking place in Brazil this June. The ramifications of you being scammed could be very serious indeed. Not only could you become a victim of fraud by having your bank account emptied by these fraudsters, you could also end up with malware on your computer. This malware could do anything from stealing your personal details by downloading a Trojan, to compromising your computer and making it part of a botnet.

Symantec has already spotted several FIFA World Cup related scam emails. The first scam sample Symantec discovered, relating to the FIFA World Cup, is an email that contains a link to malware.

The email has the following headers:

From: Parabens Voce foi o ganhador de um Par de ingressos atendimento.promo5885631@Domain.com

Subject: Copa do Mundo FIFA 2014

This email header can be translated as:

From: Congratulation you were the winner of a pair of tickets atendimento.promo5885631@Domain.com

From: FIFA World Cup 2014

World Cup 2014 1 edit.png

Figure 1. Malware attack email related to FIFA World Cup

This email can be translated as:

You are the winner of a pair of tickets to the FIFA World cup 2014 Brazil!

Print your e-Ticket copy and collect the ticket from the ticket center in your city

Print Ticket

Check out the address of the ticket center in your city here

The recipient is enticed to click the on the link and print the match tickets. However, the link leads to a malicious URL that downloads the file eTicket.rar, which contains an executable file named eTicket.exe.

World Cup 2014 2 edit.png

Figure 2. Clicking on the link leads to malicious download

Next, a file named thanks.exe (Infostealer.Bancos) is dropped in the following location so that it runs every time Windows starts:

Programs/Startup/thanks.exe

The Trojan will continue to run in the background and try to evade security measures, steal confidential financial information, log the stolen data, and send it to a remote attacker at a later time. We have also discovered that the malware is customized to target Brazilian financial institutions.

Symantec customers would have been protected against this attack because our ‘Link following’ technology, which checks all Web pages referenced within an email for viruses and other threats, correctly identified the malware at the end of the URL. Detection was then created so that future emails containing different links to this malware will be treated as though they are infected and then quarantined.

Another scam involves a fraudulent CIELO Brazil promotion. CIELO is a Brazilian credit and debit card operator.

World Cup 2014 3 edit_0.png

Figure 3. Phishing email related to FIFA World Cup 2014

This email can be translated as:

Congratulations, you have been chosen to take part in the Cielo Cup 2014.

To promote World Cup 2014, you must register to compete for prizes worth 20 thousand Reais,

Tickets, accommodation in exclusive places during the 2014 world cup and you could also win a Fiat Doblo 0 Km. (Sic)

Don’t waste time! PURCHASE Register right now at no extra cost and avail the benefits of our promotion.

Join this Mega Promotion and compete for these Super Prizes.

Click here to unlock your promo code

If the recipient clicks the “Click Here” button, they are redirected to the following URL:

http://cielobrasil2014l.fulba.com/[REMOVED]/BR.FIFA=2,0,1,4/f&ulec0&id/sele,ca.o&id=br/home.html

The webpage asks for a username, date of birth, and a Brazilian tax registration number (CPF).

World Cup 2014 4 edit.png

Figure 4. Spoofed Web page asking for personal credentials

On providing the required information, the user is sent to the page shown in Figure 5, which asks for the user’s banking credentials.

World Cup 2014 5.png

Figure 5. Spoofed Web page asking for banking credentials

On further analysis, we found that the domain conteudo.casavilaverde.com used in the phishing scam had been hacked.

World Cup 2014 6 edit.png

Figure 6. Hacked domain used in phishing scam

Finally, the third example is a Nigerian scam.

World Cup 2014 7.png

Figure 7. Nigerian FIFA World Cup scam email

The email contains an attachment that claims to be about a lotto sponsored by major brands. The scam ultimately asks the recipient for personal information. The email also contains a notice to try and look legitimate, but this looks amateurish in comparison to the other examples referenced in this blog. There are no images or URLs contained within the email and the fact that it only contains an attached Word document would make anyone suspicious.

Symantec’s advanced monitoring systems were able to identify the above scam emails and protect our customers from receiving them.

While the first two example emails are composed in Portuguese and aimed at people in Brazil, they can easily be customized for different regions, countries, and languages. Considering the influence football has across the globe, such spam mail could potentially trick many people.

Global events can be very lucrative for scammers as they have the potential to scam more victims by appealing to peoples’ interest and curiosity. As a consequence, Symantec expects such scams to increase as we get closer to the 2014 World Cup.

Symantec advises users to be on their guard and to adhere to the following security best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Don’t be caught offside when it comes to special offers, especially ones that look too good to be true!

????: ????????????

      No Comments on ????: ????????????
中国では今、新年を迎える準備に沸いています。今年は 1 月 31 日の新月から午年が始まります。世界中で 10 億を超える人々が旧暦の新年を祝うことになり、今年の祝賀行事はこれまで以上に華やかなものになるでしょう。
 
中国の新年は春節とも呼ばれ、この日は感謝祭のように皆が集まり、お祝いの最中にプレゼントの交換が行われます。友人や家族、同僚のほか取引先ともプレゼントを交換して、親愛、敬意、忠義の気持ちを表します。事業主が顧客に贈り物をしたり、お店が日頃の感謝を込めてプレゼントやディスカウントを提供することもよくあります。しか、スパマーもこの慣習を十分すぎるほど熟知しています。
 
スパマーや詐欺師は特別な機会に便乗し、贈り物という素晴らしい習慣を悪用してスパムを送りつけてきます。彼らは友人や事業主の振りをして、プレゼントやディスカウントを謳う電子メールを送り、無防備な人々の気を引こうとします。
 
シマンテックは、有名企業を装って中国の新年を悪用したスパムを確認しています。このスパムメッセージは受信者の博愛心に訴えかけ、愛する人へのプレゼントとして、その企業の商品を勧めています。
 
サンプル
translated.png
図 1. スパムメッセージの件名
 
翻訳
件名: [企業名] から皆様へ、あけましておめでとうございます。
 
 
email_0.png
図 2. 午年にちなんだ中国語のスパムメールのプレビュー
 
翻訳
ご挨拶
 
巳年の終わりも近づき、午年がすぐそこまで来ています。いよいよ新年が始まり、何もかもが新たにスタートを切ります。新年を迎えるにあたり、[商品名] より心からの敬意と感謝を込めて、お客様とご家族にお祝い申し上げます。皆様のご健康とご多幸をお祈りいたします。
 
今後ともご愛顧のほどお願いいたします。皆様にとって素晴らしい新年になりますように!
 
[企業名]
2014 年 1 月
 
このスパムメールの件名には、会社を代表して顧客への挨拶が書かれています。本文には、祝賀の雰囲気を盛り上げるような楽しい画像のプレビューが含まれています。このメッセージを読んだ人が贈り物を買う際に同社の商品を選ぶことを狙って、企業名を記憶させようとしています。
 
シマンテックでは過去にも、中国の新年にちなんだ各種のスパムを確認してきました。中でも最も目立つのが、偽のプレゼントやディスカウントを謳ったスパムです。もう 1 つ重大なスパムに分類されるのが詐欺メールです。たとえば、借金を完済して良い新年を迎えられると思い込ませる、ローンや仕事を案内する偽の電子メールなどが挙げられます。このようなスパムメールはすべて、世界中に広がる中国人社会の強い伝統と価値観につけ込んだものです。
 
中国の新年のお祝いは 1 月 31 日に始まり、元宵節を祝う満月の日まで 15 日間続きます。この元宵節の際にも、同様のスパムが増えるものと予測されます。
 
新年のお祝いは、スパマーがユーザーを標的にする恰好の機会です。スパマーの罠に引っ掛からないためにも、新年にちなんだ迷惑メールは開かないようにしてください。
 
午年が皆様にとって最高の年になりますよう、お祈り申し上げます。
 
 
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

‘Xin Nian Kuai Le’: Spammers Say Happy New Year

China is gearing up to usher in the Year of the Horse, which begins with the new moon on January 31 this year. With more than a billion people worldwide preparing to celebrate the new year for the lunar calendar, the celebration this year promises more color than ever before.
 
Chinese New Year, also known as the spring festival, is a day for reunion and thanksgiving, where exchanging gifts is at the heart of the celebration. Friends, family, colleagues and even businesses exchange gifts to show love, respect and loyalty. Business owners often send gifts to their customers and shops offer gifts and discounts to show their gratitude. However, spammers are all too aware of this practice.
 
The spammers and fraudsters are known to capitalize on special occasions and exploit the noble gesture of giving gifts in order to send out spam. They are known to pose as friends and business owners and send emails promising gifts and financial offers to attract unsuspecting victims. 
 
We’ve observed spam that exploits Chinese New Year by pretending to be from a reputed company. The spam message appeals to the recipient’s benevolence, asking them to give the company’s products as gifts to loved ones.
 
Sample
translated.png
Figure 1. The subject of the spam message
 
Translation
Subject: [COMPANY NAME] wish users, a happy new year.
 
 
email_0.png
Figure 2. Preview of the Chinese spam email related to the Year of the Horse
 
Translation
Greeting all customers,
 
As the year of the golden snake is coming to an end, year of lucky horse right at our door steps! It’s the beginning of a new year, everything is a new start! As we are about to approach the new year, [PRODUCT NAME] would like to send our greeting to you and your family with utmost respect and well wishes! We wish you a happy and healthy new year!
 
Thanks for your continuous support to the company. We wish you a great Year of the Horse. Happy New Year!
 
[COMPANY NAME]
2014 January
 
The spam sample in discussion has the subject line greeting the customers on behalf of the company. The body contains an image preview which looks cheerful to spread the holiday feeling. The message tries to make the name of the company linger in the minds of the readers so that they may consider its products while gift shopping.
 
In previous years, Symantec had observed a variety of Chinese New Year spam. The most prominent among them promoted fake gift offers and discounts. Scams formed another significant spam category, which included loan offers and job offers, making people think they can pay off any debt they may have and get a good start in the new year. All these spam emails were devised to exploit the strong traditions and values of the Chinese community worldwide.
 
The Chinese New Year festivities commence on January 31 and will continue for 15 days until the full moon, when Lantern Festival is celebrated. We can expect more spam of a similar nature during this  time.
 
The New Year festival is a good opportunity for the spammers to target users. The best practice to avoid falling into the spammers’ traps is to be wary of opening unsolicited new year themed emails.
 
We wish you all the very best in the Year of the Horse!

??????? .zip ?????

      No Comments on ??????? .zip ?????
スパマーは、長らく途絶えていた古い手法を再び使い始めています。.zip ファイルを添付し、ユーザーを欺いて圧縮形式のマルウェアを実行させるという手口です。以下のグラフは、.zip ファイルが添付されたスパムメッセージが、シマンテックの Global Intelligence Network(GIN)で過去 90 日間にわたって検出された件数を示しています。
 
figure1_6.png
図 1. .zip が添付されたスパムメッセージの過去 90 日間にわたる検出件数
 
1 月 7 日を見ると、シマンテックの GIN に届いた .zip 添付スパムのうち 99.81% が、「BankDocs-」の後に 10 桁の 16 進数が続く形式のファイル名でした。
 
figure2_7.png
図 2. 「BankDocs-」で始まるファイル名の .zip が添付された電子メール
 
翌 1 月 8 日になると、99.34% が、「Invoice-E_」の後に 10 桁の 16 進数が続くファイル名になりました。
 
figure3_3.png
図 3. 「Invoice-E_」で始まるファイル名の .zip ファイルが添付された電子メール
 
さらに翌 1 月 9 日には、98.94% が、「Early2013TaxReturnReport_」の後に 10 桁の 16 進数が続くファイル名になります。
 
figure4_2.png          
図 4. 「Early2013TaxReturnReport_」で始まるファイル名の .zip ファイルが添付された電子メール
 
そして 1 月 10 日には、98.84% が「[ブランド名は編集済み]_December_2013_」の後に 10 桁の 16 進数が続くファイル名でした。
 
figure5_0.png
図 5. 「[ブランド名は編集済み]_December_2013_」で始まるファイル名の .zip ファイルが添付された電子メール
 
これらの例は、ファイル名と MD5こそ異なっていますが、すべて同じマルウェアが仕掛けられており、シマンテックはこれを Trojan.Zbot として検出します。Trojan.Zbot は、侵入先のコンピュータから機密情報を盗み出すことを主な目的としたトロイの木馬です。
 
1 月 10 日以降、スパム量は通常レベルに戻っているので、大規模な攻撃は今のところ沈静化しているようですが、スパマーがまた大きな攻撃活動を仕掛けるのは時間の問題でしょう。ウイルス対策ソフトウェアは常に最新の状態に保ち、不明な送信者から届いた添付ファイルは開かないようにしてください。
 
 
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

???????????????????????

      No Comments on ???????????????????????

詐欺師がインターネットユーザーの気の緩みを狙うのは、特に驚くことでもありません。

シマンテックは、ホリデーシーズン後の数日間にわたって、新たにマルウェアが増加していることを確認しました。休暇が終わると、重要なメッセージを見逃していないかどうかを確かめるために、多くのユーザーがツールや電子メールを確認します。スパマーはそこを狙って、ユーザーが電子メール中の悪質なリンクをクリックすることに期待を掛けているのです。

今回の一連の攻撃では、スパマーはユーザーが緊急性の高い電子メールを開いて返信しようとするところを狙っています。実際にそうすると、マルウェアがユーザーのコンピュータに感染し、機密データが盗み出されてしまいます。

私自身も先週、有名なオンラインストアから送信されたように偽装した配達不能通知を受け取りました。休暇で留守にしていた間に、いくつか荷物を届けることができなかったという内容です。

最初は、何も注文していないのになぜこのような通知が届いたのかいぶかり、ひょっとしたら思いがけないプレゼントなのかもしれないと考えました。しかし、電子メール中のリンクをクリックする前にステータスバーを確認したところ、そのリンクは詐称されたもので、さらに電子メールで使われている言葉遣いや文法上の誤り(図 1 を参照)を見て、疑惑は確信に変わりました。

figure1_10.png

図 1. 文法上の誤りと悪質なリンクが含まれたスパムメール

同様に、スパマーが別の有名ブランドに偽装し、請求書に見せかけて悪質なリンクを埋め込んでいる電子メールも受け取りました。幸い、正規のブランドで使われているテンプレートとは違いがあり、偽装した電子メールのヘッダーはまったく無関係のものでした。さらに調べてみると、埋め込まれているリンクにはマルウェアが仕掛けられていました。図 2 に示すように、スパムには乗っ取られた URL が使われています。
 
figure2_9.png
図 2. 配達不能通知に見せかけた別のスパムメール

さらには、見ず知らずの人の葬儀に招待する電子メールも受け取ったことがあります。私はまず、その家族を知っていたか、または大学時代の友人だった、あるいは近所に住んでいたかどうか確認し始めましたが、そのうち電子メール中のリンクが悪質なものであることに気が付きました。

figure3_5.png
図 3. 葬儀を案内するスパムメール

こうしたスパムメールに対して、ユーザーは 2 つの方向からアプローチする必要があります。警戒しながら電子メールをふるいに掛けることと、詐欺師の間違いを見抜けるようになることです。

こういったスパムメールでは、文法上の誤りや、文構造の不備が多く、ある小売業者に偽装しておきながら電子メールヘッダーはその競合他社になっているといった偽装戦術の失敗も見受けられます。乗っ取られたドメインと URL を順々に使い回す手口も使われますが、それが偽装したブランドや企業と無関係という場合もあります。

ホリデーシーズン後の憂鬱な気分を乗り越える一方で、電子メールを扱う際には警戒を怠らず、休暇ぼけを詐欺師に悪用されないように注意してください。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

.Zip Attachment Spam Makes a Grand Return

      No Comments on .Zip Attachment Spam Makes a Grand Return
After a long hiatus, spammers are once again using an old trick, where they attach a .zip file to trick the user into executing the compressed malware. The chart below shows the number of spam messages with .zip attachments over the last 90 days in Symantec’s Global Intelligence Network (GIN).
 
figure1_6.png
Figure 1. Spam messages with .zip attachments over the last 90 days
 
On January 7, 99.81 percent of the .zip attachment spam that came into Symantec’s GIN had the file name “BankDocs-”  followed by 10 hexadecimal characters.
 
figure2_7.png
Figure 2. Email with “BankDocs-” .zip attachment
 
On January 8, 99.34 percent of the .zip attachment spam seen in Symantec’s GIN had a file name “Invoice-E_” followed by 10 hexadecimal characters.
 
figure3_3.png
Figure 3. Email with “Invoice-E_” .zip attachment
 
On January 9, 98.94 percent of the .zip attachment spam seen in Symantec’s GIN had a file name “Early2013TaxReturnReport_” followed by 10 hexadecimal characters.
 
figure4_2.png          
Figure 4. Email with “Early2013TaxReturnReport_” .zip attachment
 
On January 10, 98.84 percent of the .zip attachment spam seen in Symantec’s GIN had a file name “[BRAND NAME REDACTED]_December_2013_” followed by 10 hexadecimal characters.
 
figure5_0.png
Figure 5. Email with “[BRAND NAME REDACTED]_December_2013_” .zip attachment
 
While these examples have different file names and MD5s, they all carry the same malware, identified by Symantec as Trojan.Zbot. This Trojan has primarily been designed to steal confidential information from the compromised computer. 
 
It appears that the large attack has subsided for now, as the spam volume returned to normal levels after January 10, but it is just a matter of time before spammers organize another large campaign. Users should keep their antivirus software up-to-date and should not open attachments from unknown sources.

Scammers Exploit Vacation Hangover with Malware Attacks

It is not surprising to see scammers exploiting the laxity of Internet users.

Symantec has observed another malware wave over the past few days following the holiday season, as many users check their utility and official emails post-vacation to see if they missed out important ones. This is where spammers take their chances that users will click on malicious links in their emails.

In this wave of attacks, spammers are taking advantage of users’ urgency to open a link and respond to the email instantaneously. When this happens, the malware infects users’ computers and extracts confidential data.

Last week, I too, received some delivery failure notification emails that claim to be from well-known stores with an online presence, stating that I missed out a couple of parcels while I was away on vacation.

At first, I wondered how it happened since I did not place any orders, and the thought that they might be surprise gifts also crossed my mind.

However, just before clicking the link, I checked the status bar only to find that the link had been spoofed. This raised my level of suspicion, which was further confirmed by the language and grammatical errors used in the email, as shown in the following figure:

figure1_10.png

Figure 1: A spam email with grammatical errors and a malicious link

Similarly, there was an email in which the spammer masquerades another well-known brand, making the message appear to be a statement, while embedding a malicious link.

Fortunately, there was a goof-up between the template used by the brand and the email headers which belonged to another email, with no association between both. Upon further inspection, it was found that the embedded link contained a malware.

The spam run also used a hijacked URL as shown in the following figure:
 
figure2_9.png
Figure 2. Another spam email on delivery failure

I bumped into another email which invited me to attend the funeral of someone I did not know. I began to check if I knew the family by any chance, or if it was a college friend, or a neighbor, but then discovered that the link in the email was malicious.

figure3_5.png
Figure 3: A spam email on a funeral notice

Such spam emails require users to adopt a two pronged approach–to be on guard while sieving through emails, and be able to see through the mistakes made by scammers.

Some of which could be a coercion to click on a link immediately, but they are full of grammatical errors, faulty sentence structures, tactical errors of spoofing one retail operator and associating the email headers with a competitor. Another tactic employed in such spams is the use of hijacked domains and URLs which are rotated and recycled over time, but have no association with the brands or entity.

While you are overcoming your post-holiday blues, Symantec recommends that you exercise diligence when dealing with your emails, and not let scammers exploit your vacation hangover.