Tag Archives: Security Response

A Phone Call, a Phish, and a Remote Access Trojan

In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim will receive a phone call from the attac…

When Web Servers Serve Evil

      No Comments on When Web Servers Serve Evil

In the last few months, we have witnessed a rise in the number of cases of modified Web servers that inject malicious redirections into every website that it hosts. One example was the malicious Apache module (Linux.Chapro and Trojan.Apmod) that we blo…

Fake Promotional Offers Targeting UEFA Champions League 2013

The 58th season of the UEFA Champions League is coming to an end with the final being played on May 25 at Wembley Stadium in London. Nowadays, cybercriminals are gaining a lot of interest in football, at least inasmuch as how to exploit interest in foo…

Escrow Scams Searching New Avenues

Contributor:  Binny Kuriakose
People dream big when buying expensive items like a car or a property. When those dreams are seen with very affordable price tags it certainly attracts everybody’s interest. There are lots of websites available …

OpUSA begins today, is your organization ready?

Following on from recent concerted campaigns by Anonymous against Israel on April 7 and Facebook on April 5, the latest target for the online hacktivist collective is the USA and American online interests. Today, hackers and script kiddies of various a…

Spammers Continue to Exploit Mother’s Day

Mother’s Day is celebrated in many countries on May 12 and it’s a day for children, regardless of age, to express their love to their mother by giving her a gift. Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically redirects the recipient to a website containing a bogus Mother’s Day offer upon completion of a fake survey.

mothers 1.png

Figure 1: Survey spam targeting Mother’s Day

Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the bogus offer.

mothers 2.png

Figure 2: Fake survey

 

mothers 3.png

Figure 3: Bogus Web page asking for personal information

We recently blogged about the persistence of spam with .pw URLs and not surprisingly a lot of the Mother’s Day spam messages contain .pw top-level domain (TLD) URLs. The following are some examples of the From header using .pw URLs that we have identified to date:

  • From: Mother’s Day Gifts <Check@[REMOVED].pw>
  • From: “Early Bird Mother’s Day Flowers” <postmaster@[REMOVED].pw>
  • From: “Early Bird Mother’s Day Bouquets” <noreply@[REMOVED].pw>
  • From: “Mother’s Day Bouquets” <MothersDayBouquets@[REMOVED].pw>
  • From: “Mom” <Mom@[REMOVED].pw>

 

mothers 4.png

Figure 4: Another dodgy website related to Mother’s Day

Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.

mothers 5.png

Figure 5: Volume of Mother’s Day spam

The following are some of the Subject lines observed for these spam attacks:

  • Subject: Don’t Forget Mother’s Day – $19.99 Chocolate, Dipped Strawberries
  • Subject: Stunning Personalized Gifts for Mother’s Day
  • Subject: Top Personalized Mother’s Day Gifts
  • Subject: Make Mother’s Day Special With A Personalized Gift
  • Subject: Mother’s Day Car Deal (Half Off Every Make And Model)
  • Subject: Regarding Mothers Day
  • Subject: Celebrate Mom with a $19.99 bouquet.
  • Subject: Mother’s Day Replica’s Women’s Accessories
  • Subject: Mother’s Day Secret Formula.

Symantec advises our readers to use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats.

Have a safe and happy Mother’s Day!

New Internet Explorer 8 Zero-Day Used in Watering Hole Attack

Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Exp…

Google Glass and Tomorrow’s Security Concerns

If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that is reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50 word essay using the hashtag, #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.

Along with the admiration of a device that appears to do everything, comes controversy.  The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, in which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on EBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.

Recently, James Freeman, a security researcher from the United States blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the press and Google scrambling after he posted a picture showing that he had rooted the device. Freeman wasn’t part of the Glass Explorer beta test, he simply had the privilege of purchasing the device as an attendee of Google I/O in 2012. His main motivation in purchasing Google Glass was device customization.  In order to make customize the device, he had to “jailbreak” or “root” it.

The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:

“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.

The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB “On-The-Go” cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could “try on” your Glass, and install malicious software in the process.”

Although the vulnerability in Google Glass allows for anyone with malicious intent to install malware to their heart’s desires, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security wise, if you can have physical access to a device, it is not completely secure. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.

Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.

In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. For example, privacy risks such as being recorded inconspicuously wherever you are and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface—the list of security concerns might be endless.

.pw URLs in Spam Keep Showing Up

Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
 

pw TLD blog update.png

Figure 1. .pw TLD spam message increase
 

Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. 

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. The top 25 subject lines from .pw URL spam from May 1, 2013 were:

  • Subject: For all the moms in your life on Mother’s Day.
  • Subject: Tax Relief Notification
  • Subject: Remove IRS Tax Penalties
  • Subject: Save on the most beautiful bouquets for Mom
  • Subject: Reusable K Cup for Keurig or single-brew coffee maker
  • Subject: Garden Today says, “By far the easiest hose to use”
  • Subject: HOME: Amazingly Strong water hose you can fit anywhere.
  • Subject: The LAST water hose you’ll ever need
  • Subject: No Hassle Pricing on Ford Vehicles
  • Subject: Own a NEW Ford for the Summer
  • Subject: May 1st Ford Clearance Event
  • Subject: Lasik- Safe, Easy, and Affordable
  • Subject: Safe, Easy, and Affordable Lasik
  • Subject: We work with the Biggest and Best Brands in Fashion
  • Subject: Whos the hottest? Post . Vote . Win
  • Subject: Are You and Your Business seen at a global scale?
  • Subject: Power your entire House, Pool and more with Solar Energy
  • Subject: Most EFFECTIVE way to treat Hypertension
  • Subject: Solar power slashes your electric bill in half
  • Subject: Global Business Registry for Networking Professionals
  • Subject: Finally, an EFFECTIVE fat shredding solution
  • Subject: Register with other professionals
  • Subject: Easiest Way To Lower Blood Pressure
  • Subject: Secret To Lowering Blood Pressure Naturally
  • Subject: Refinance Today, Save Tomorrow

In addition to creating anti-spam filters as needed, Symantec has been in contact with Directi and working with the registrar to report and take down the .pw domains associated with spam. Symantec believes that collaborating with the registrar is a more progressive and holistic approach to solving this problem.

The Hexadecimal URL Obfuscation Resurgence

For that past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, he…