Sophos

Archive for the ‘Spam’ Category

Twitter spam explosion

Starting early this morning, we have seen a major uptick in the use of Twitter links inside spam messages. Here are a few different variants of them. Most of the spam refers to online med sites although a few campaigns tout making lots of money:

Following the links will lead a user to arrive at “making-money-with-Google” or Online Pharmacy sites:

The Twitter accounts themselves appear to be legitimate and do not look to be bot-registered. They contain normal-looking tweets from the previous days and months. We’re still looking into how the accounts are being compromised. Certain malware, such as Koobface, steals Twitter credentials. There is also the possibility of the accounts’ credentials being compromised through phishing.

As for regular users, it’s important now more than ever to scrutinize the links you receive through Twitter. Today these links point to spam sites. Tomorrow these links could be pointing to malware.


Katya, My Queen-To-Be

Do you think she’s hot? Her name’s Katya and she is the latest entry on my long list of “girlfriend-wannabes” / “potential one-night-stands”. If my mum were to find out about her, she would definitely give me a hard backhand on the head for keeping such a great girl as Katya waiting.

Katya wrote me a really sweet email. However, I am appalled by her English. Let me share snippets of her declaration of love for me :)

1.   The agency of acquaintances has a contact to other agencies of acquaintances in other countries and I have received yours e-mail, therefore now I write to you.

I must get hold of her agencies of acquaintances, as they do have acquaintances who are pretty young things!

2.   I very much like walks on fresh air, I very much love the nature.

She can walk on air! I’m impressed n_n

3.   I like the sea and it is pleasant to float, in the summer I like to float and sunbathe.

Floating is easy. Dead people float too.

4.   I trust in family and love, and I search for the person to the one whom I will give all heat of my heart and with that whom I will be always together,

I feel for you too girlfriend!

5.   My person, clever also has strong spirit, he is kind and magnanimous and generous, he will be do something for me, and will know, that I will be do something for him.

Yup! I do fit her checklist :D

On that I will finish my blog entry. Katya, “if I have interested you then write to me.” :)


Alert! Conflicker detected! … or is it?

Today we have spotted a batch of messages arriving in our spam systems titled “Conflicker.B Infection Alert”. The message goes like this:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The fact that the so-called antispyware program comes attached with the email is a good indication that something is not looking right.

When the attached program was executed, it did not start a “free system scan” as claimed; instead it simply copied itself into other folders on the system and set itself up to be started automatically on Windows startup.

Not surprisingly, the attached file is detected by Sophos as Mal/FakeAV-AX and the email message has also been blocked.

This is another example of social engineering tricks employed by malware authors to capitalize on fears of the user to entice them into running malicious software.

As always when dealing with email, think twice before running whatever came as an attachment.


Phish… it’s what’s for dinner

I’ve been watching the latest phishing attack happening on Twitter for the last week or so. It seems to be one major campaign that keeps changing the DM (direct message) text every couple of hours. It’s been messages like

“woah… you’re on this
“LOL..Nice look
“This thing has your pic

The links go to videos.twitter. and videos.blog.. Sophos customers using the WS1000 are safe, as we have been blocking the domains. Interestingly, we’re now seeing new URL shorteners being used, such as wapurl.co.uk and others. It seems the malware authors are tired of bit.ly and 3.ly blocking their stuff, or perhaps it is because third-party applications such as TweetDeck won’t preview those links but will happily open them.

I had someone ask the question “Why phish for Twitter credentials?” We saw this type of attack on Facebook. Lots of phishing messages, links, and posts were posted to capture credentials. Then later on we saw the malware attachments spammed out to the email addresses associated with the compromised accounts and when the malware was run, it became part of a botnet to send yet more spam. Taking this history, we are wondering if this will take a similar turn and start sending out malicious emails purporting to be from Twitter saying “Update your account/password” or “Updated Terms of Service, please open.”

Another reason for the phishing attacks would be to expand the “attack surface”. More and more people are tweeting from their iPhones, Androids, Blackberries, Palms and other smart phones. This means a whole new vector to be exploited, since again, most third party Twitter apps do not preview the shortened URL.

We have to say it again: PLEASE be careful out there. Just because a message came from a friend/follower doesn’t mean it’s completely trustworthy. Check the link with an expander service such as LongURL, use NoScript and URL expander plugins, and keep your security software and OS up to date. Otherwise, your machine is likely to be “dinner”.


Fake Facebook e-mail “Subject: updated account agreement”

It has been a busy week so far for the writers of e-mail exploits and this Friday morning they continue to try to trick the public into installing their malware. The latest threat to fall into the Sophos spam traps purports to come from Facebook and requests the user to update their account agreement by unzipping and executing an attached file called agreement.exe.

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Of course we all know that it is pure folly to unzip and run an unknown executable attached to an e-mail; however, the implied threat of finding their access to Facebook restricted by ‘the deadline’, whenever that may be, is obviously severe enough to panic a number of Facebook users into falling for this trick.

They really should think twice: by agreeing to install agreement.exe they will install a Trojan.

Sophos detects this threat as Troj/Dloadr-CWS.


From Server/Outlook update to FDIC to facebook phish: now with a twist

In the past few weeks, the authors behind Zbot have been busy. Around October 12 we saw the server upgrade spam with links. Later, on the 14th, we saw the same campaign with the malware attached to similar-looking server upgrade notices. By the 22nd of October, the spam messages were touting Outlook updates.

For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, notice of bank failures would certainly draw a lot of attention and irrational behavior. After all, the thought of hard-earned money being gone forever is going to scare a lot of people. Of course, downloading the “personal FDIC insurance file” would give nothing but grief. The bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to Facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:

The message asks the user to update their Facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they are shown a fake Facebook login page:

Victims who enter their Facebook login get their account details phished, probably for the purpose of spreading more malware. Since this is not a real Facebook page, any random login info would bring you to this next page:

It is on this page that the malware author provides an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as Mal/EncPk-LE.

With the creative social engineering that the Zbot authors have been using, users should be really careful when reading messages, whether in an email or from a social network. Avoiding clicking links directly, manually typing the address to access the site, and not executing downloaded files would do a lot to protect one’s computer.


Look and feel great! Try this pill (Or how to make your wallet lighter?)

Another Twitter direct message (DM) scam was happening today, but apparently this time the hook was to prey on users’ vanity. Several messages were seen with the following text:

“I lost 25lbs using this
“whoa this works. i feel good and look good

“lol it’s amazing. look and feel great with

When a user clicked on the link, it redirected them to this site:

Cleanse your colon for free

All you had to do to get your “free” bottle was fill out your name, address, phone number and email. However, once you submitted that, you then got to a screen asking for your billing information and credit card details. Why do you need to input credit card details for something that’s free? With all that information, the cybercrooks have more than enough info to commit identity theft and fraud on your card. They have your name, address and card info, and you’ve even confirmed that the address you gave is the billing address too.

At the risk of sounding preachy, these pills never work. The only thing that gets “slimmer” is your wallet.


No, it’s not you on there

Twitter users should be especially careful this morning, as there’s a new Twitter phish campaign going on. The message being seen uses a known tactic: it tries to trick the user into believing there’s some content on the internet about them, whether a photo or a video, and tricks them into browsing to the link to find out what it is. Similar tactics have been seen in messages on Facebook and even via email. The message simply states the following.

“hi. this you on here? http://blogger.djh****.com”

The good news is if you do a search on Twitter, you’ll have a hard time finding an example of the original message since there’s an overwhelming number of people tweeting to their friends warning them about this campaign. Slowly but surely, people are learning to be more cautious.


Malicious update for Microsoft Outlook / Outlook Express (KB910721)

This morning, as I trawled the spam queues, a sense of déjà vu descended on me when this subject line caught my eye:

    Update for Microsoft Outlook / Outlook Express (KB910721)

Didn’t I see this a while ago, and didn’t it contain a rather nasty Trojan?

The format of the October version differs slightly in that it includes a link to a website from which you may download the ‘Microsoft/Outlook/Outlook Express Update’ rather than an attached executable.

The details have also been updated:

    Quick Details

    * File Name: officexp-KB910721-FullFile-ENU.exe
    * Version: 1.5
    * Date Published: Wed, 21 Oct 2009 16:05:06 +0100
    * Language: English
    * File Size: 100 KB

Fake Microsoft Outlook security update

Of course this is not a Microsoft security update, but rather simply another attempt by the malware authors to fool you into installing their Trojan. Once again.

The advice from Sophos remains the same. Visit the genuine Microsoft update site in order to obtain your fixes.


Afriglish

I am trilingual! I have realized that I have unconsciously picked up a brand new language. It’s Afriglish. It is a term I have coined myself, although someone else has probably already done so (try using a search engine). It simply means the African blend of English. How did I do it? Purely by reading my scam emails diligently :)

To help everyone pick up or improve their Afriglish, I have a few pointers from scam emails to get everyone started.

1. Installment is spelled install-mental.
But, due to Western Union transfer rules, you will be entitled to $10.000.00 install-mental payment every day till the above mentioned fund is completely paid off.

2. Introduce yourself with an opening that will not take much time
Without taking much of your time, my name is Sir. Ogbonna O. Onovo the Inspector General of Police Force (NPF) of the Federal Republic of Nigeria.

3. Avoid using -ing, e.g. I have a stomachache after all the eats.
Please do let me know immediately you receive it so that we can share the joy after all the suffers at that time.

4. Replace ‘Are you’ with ‘Should you be’
Should you be interested? Please send the following information this emeil address: example@example.kk

5. Reinforce the ‘obvious’.
Attn: Friend, It is obvious that this proposal will come to you as a surprise.

With the above tips, a hot date with your dream mate is imminent. Should she/he be charmed?