<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; spyware</title>
	<atom:link href="http://www.allspammedup.com/tag/spyware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Phishers target iTunes, LinkedIn users</title>
		<link>http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/</link>
		<comments>http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/#comments</comments>
		<pubDate>Tue, 12 Oct 2010 12:17:05 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[iTunes]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3140</guid>
		<description><![CDATA[In recent weeks, two typically secure Internet sites have been exploited successfully by phishers. Apple&#8217;s iTunes store, situated behind the company&#8217;s walled ecosystem, has been a tough nut to crack for cyber miscreants, although it has had problems with them &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/">Phishers target iTunes, LinkedIn users</a></p>
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/10/phishing.jpg"><img class="alignright size-thumbnail wp-image-3150" src="http://www.allspammedup.com/wp-content/uploads/2010/10/phishing-150x150.jpg" alt="" width="150" height="150" /></a>In recent weeks, two typically secure Internet sites have been exploited successfully by phishers.</p>
<p>Apple&#8217;s iTunes store, situated behind the company&#8217;s walled ecosystem, has been a tough nut to crack for cyber miscreants, although it has had problems with them from time to time. The other site, LinkedIn, an online community oriented toward networking for professionals, has done a good job of guarding its members&#8217; accounts from Internet low lifes.</p>
<p>A key point of vulnerability for both services, though, is email. On occasion, the services communicate with their members through ordinary email. That gives electronic grifters an opportunity to gouge subscribers with a minimum of ingenuity.</p>
<p>For example, anyone who has ever bought anything at the iTunes store expects to receive a receipt from it after making a purchase. So the arrival of an email containing a receipt becomes so routine that it wouldn&#8217;t raise any red flags in a recipient&#8217;s mind.</p>
<p>Black Hats are aware of that and in their recent escapade exploited it. They sent phishing spam to a pool of users. Since iTunes has 160 million members, odds were good that a significant number of the guppies in the pool would be iTunes users. The spam resembled a receipt from the iTunes store. To catch the recipient&#8217;s attention, the purchase total on the receipt was some outrageous number. If you&#8217;re used to purchasing a song or two at a time at 99 cents or an app under $10, then a receipt for $100 for merchandise is going to attract your notice as quickly as the Rockettes dancing on your lawn.</p>
<p><span id="more-3140"></span>All too conveniently, the receipt contained a link to click to remedy any problems that recipients have with charges levied on them by the store. When the concerned iTunes store user clicks on the link, they&#8217;re asked to download an Adobe player file. The file, of course, is fake. It installs malware on the target&#8217;s computer, then sends their browser to one of more than 100 black websites in the .info domain, where a particularly vicious Trojan named after the lord of the Greek gods, Zeus, is activated.</p>
<p>Among members of the security community, Zeus is considered one of the most lucrative malware programs ever created by cyber thieves. In a typical Zeus adventure, after the badware steals a victim&#8217;s banking information, that information is used to withdraw money from the victim&#8217;s accounts through a nation&#8217;s automated money transfer system. The money is usually sent to bank accounts set up by &#8220;money mules.&#8221; The mules take a cut of the filched cash sent to the account and ship the rest to the ringleaders of the operation, who are usually located overseas.</p>
<p>Recently, a large global Zeus operation was taken down by a multinational law enforcement task force. According to authorities, the gangsters clipped $70 million from their victims and had another $150 million in the pipeline before they were busted. Much of that money was stolen from small businesses or non-profit organizations that had to absorb the losses into their bottom lines.</p>
<p>Although the latest blow against Zeus produced significant results, it&#8217;s doubtful its impact will be long-lasting, according to one analyst at the technology research firm, Gartner.</p>
<blockquote><p>          &#8220;[T]he arrests will not stop ACH and wire fraud,&#8221; opines Gartner analyst Avivah Litan. &#8220;It just slows down the ability for the fraudsters to use Zeus to commit it.&#8221;</p>
<p>&#8220;There are many other attack vectors that enable the crooks to get into online bank accounts and money transfers that don’t use Zeus,&#8221; she continues. &#8220;For example, there’s a relatively new piece of malware called Spyeye. It’s a landmark infection that doesn’t require administrative privileges on the PC and operates as a relatively quick hit-and-run type of attack.&#8221;</p></blockquote>
<p>Be that as it may, law enforcement agencies appear to be getting a handle on Zeus networks once they&#8217;re uncovered. In the iTunes case, the Zeus websites were blacklisted in a matter of days.</p>
<p>The iTunes scam was similar to one apparently launched from Russia against LinkedIn members in the prior week.</p>
<blockquote><p>          &#8220;In the past few days, we’ve noticed an increase in phishing emails doing the rounds using the LinkedIn name,&#8221; the service&#8217;s Principal Product Manager Vincente Silveira wrote in a blog on October 1. &#8220;As you can imagine, we are working round the clock with leading email service providers to combat this problem,&#8221; he added.</p></blockquote>
<p>He recommended the following tips for protecting yourself against phishing attacks.</p>
<ul>
<li>Please use caution when clicking or opening emails, seemingly from sites you trust.</li>
<li>Spammers try to mimic legitimate emails, but they often make mistakes like typos or include information that’s not relevant to you. Be suspicious of emails that include names you don’t recognize.</li>
<li>Keep in mind that a site like LinkedIn would never ask you to open an email attachment or install a software update.</li>
<li>These spurious emails can infect your computer with a virus or spyware. To protect yourself, make sure you have anti-virus and anti-spyware software installed and it is up-to-date.</li>
<li>Before clicking on a link in an email, place your cursor over the link to verify that it leads to the appropriate site.</li>
<li>When in doubt, open a new browser window and go directly to LinkedIn.com to check your inbox and verify the connection request or message.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/10/phishers-target-itunes-linkedin-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spyware linked to Google ads</title>
		<link>http://www.allspammedup.com/2010/01/spyware-linked-to-google-ads/</link>
		<comments>http://www.allspammedup.com/2010/01/spyware-linked-to-google-ads/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 16:29:32 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[InfoSpace]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[WhenU]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2046</guid>
		<description><![CDATA[Google has been called on the carpet by a prominent spyware fighter for contributing to the bottom line of Internet snoopsters. &#8220;By paying spyware vendors to show advertisements, Google both enlarges and prolongs the spyware problem,&#8221; Harvard Business School &#8230;
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2049" class="wp-caption alignright" style="width: 310px"><img class="size-full wp-image-2049" src="http://www.allspammedup.com/wp-content/uploads/2010/01/continental.png" alt="WhenU covers Continental with its own Google ads -- charging ad fees for traffic Continental would otherwise receive for free." width="300" height="225" /><p class="wp-caption-text">WhenU covers Continental with its own Google ads -- charging ad fees for traffic Continental would otherwise receive for free.</p></div>
<p>Google has been called on the carpet by a prominent spyware fighter for contributing to the bottom line of Internet snoopsters.</p>
<blockquote><p>&#8220;By paying spyware vendors to show advertisements, Google both enlarges and prolongs the spyware problem,&#8221; Harvard Business School Assistant Professor Ben Edelman recently wrote on <a target="_blank" href="http://www.benedelman.org/news/010510-1.html">his Web site</a>.</p>
<p>&#8220;In particular,&#8221; he continued, &#8220;Google&#8217;s funding supports software that users struggle to remove from their computers. Google&#8217;s payments make it more profitable for vendors to sneak such software onto users&#8217; computers in the first place.&#8221;</p></blockquote>
<p>Edelman&#8217;s criticism of Google is largely based on the search king&#8217;s relationship with two firms: InfoSpace and WhenU. InfoSpace, among other things, distributes Google pay-per-click advertising. It uses subcontractors, like WhenU, to assist in circulating those ads.</p>
<p>According to Edelman, WhenU, through its spyware, collects cash from Google through some questionable ad practices. Here&#8217;s the problem.</p>
<p>When an advertiser buys a pay-per-click ad, it pays when a consumer clicks on the ad and goes to the advertiser&#8217;s site. If the consumer makes a purchase, the value of that ad increases and that added value is taken into account when the ad is renewed.</p>
<p><span id="more-2046"></span>What spyware makers will do, through software planted on a user&#8217;s computer, is pop up a window containing Google ads after a consumer arrives at a site through a pay-per-click ad. Moreover, among the Google ads in the window is one for the site behind the pop-up. The advertiser ends up paying for both ads, although only one&#8211;the original pay-per-click ad&#8211;delivered a customer to the site.</p>
<p>The problem is compounded when the pop-up appears over a page where a click has been converted into a purchase. &#8220;[W]hen advertisers evaluate the PPC [Pay Per Click] traffic they bought, they overvalue this &#8216;conversion inflation&#8217; traffic&#8211;leading advertisers to overbid and overpay,&#8221; Edelman explained.</p>
<p>He cited an example of a WhenU pop-up at the Web site for Continental Airlines. When he landed on the site, a pop-up appeared that contained a prominently placed Google ad for the air carrier. Not only that, but the ad in the pop-up suggested that clicking on it would lead to lower fares at the &#8220;official&#8221; Continental site. &#8220;In fact both suggestions are inaccurate, but a reasonable user would naturally reach these conclusions based on the wording of the advertisement and the context of its appearance,&#8221; he maintained.</p>
<p>What&#8217;s more, he contended that the WhenU pop-up violates Federal Trade Commission rules that sponsored search results be clearly labeled as such. He confessed, however, that the sponsorship message might appear on a computer with a larger display. (His display was 800-by-600 pixels.) Nevertheless, the FTC rules make no exceptions based on screen size, he added.</p>
<p>Edelman, who has been following the activities of InfoSpace and its subaltern WhenU for almost a year, called on Google to clean up its act. It could start that process by cutting loose from InfoSpace, he proposed. Not only does InfoSpace <a target="_blank" href="http://seattletimes.nwsource.com/news/business/infospace/">have a track record</a> of improper placement of Google ads, he complained, but &#8220;Google does not need a distributor whose business model entails farming out ad placements to subdistributors.&#8221;</p>
<blockquote><p>          &#8220;If InfoSpace&#8217;s subdistributors seek to distribute Google ads, and to be paid for doing so, let them apply directly to Google and undergo Google&#8217;s ordinary quality control and oversight,&#8221; he recommended. &#8220;Inserting InfoSpace as an additional intermediary serves only to lessen accountability.&#8221;</p></blockquote>
<p>He had another suggestion that would cause a howl of protest in the boardrooms of most companies.</p>
<blockquote><p>          &#8220;Google also needs to pay restitution to affected advertisers,&#8221; he said. &#8220;Every time Google charges an advertiser for a click that comes from InfoSpace, Google relies on InfoSpace&#8217;s promise that the click was legitimate, genuine, and lawfully obtained,&#8221; he reasoned. &#8220;But there is ample reason to doubt these promises.&#8221;</p>
<p>&#8220;Google,&#8221; he continued, &#8220;should refund advertisers for corresponding charges&#8211;for all InfoSpace traffic if Google cannot reliably determine which InfoSpace traffic is legitimate. These refunds should apply immediately and across-the-board&#8211;not just to advertisers who know how to complain or who manage to assemble exceptional documentation of the infraction.&#8221;</p></blockquote>
<p>As extreme as Edelman&#8217;s recommendations may seem to some, their underlying premise remains sound. As long as malicious software makers can profit from their malevolent activity, they will continue to conduct it. The fact that some of these players can operate under a thin veneer of legitimacy only emboldens their more nefarious brethren.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/01/spyware-linked-to-google-ads/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Behind the Curtain of an Affiliate Marketing Spam Email</title>
		<link>http://www.allspammedup.com/2009/09/behind-the-curtain-of-an-affiliate-marketing-spam-email/</link>
		<comments>http://www.allspammedup.com/2009/09/behind-the-curtain-of-an-affiliate-marketing-spam-email/#comments</comments>
		<pubDate>Fri, 18 Sep 2009 10:00:18 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Affiliate Marketing]]></category>
		<category><![CDATA[Email Marketing]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1514</guid>
		<description><![CDATA[From time to time a customer, friend or family member will ask me about spam.  The conversation will follow a fairly predictable path from &#8220;Why do I get so much spam?&#8221; all the way to &#8220;How do these spammers make &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1521" src="http://www.allspammedup.com/wp-content/uploads/2009/09/1115856_21981908.jpg" alt="1115856_21981908" width="250" height="251" />From time to time a customer, friend or family member will ask me about spam.  The conversation will follow a fairly predictable path from &#8220;Why do I get so much spam?&#8221; all the way to &#8220;How do these spammers make money anyway?&#8221;  It is a big question with lots of different answers so usually I will just walk them through one specific example of a spam technique and how it can result in profit for the spammer.</p>
<p>Today I was forwarded some spam by a customer wondering whether it was legitimate or not and so came across one excellent example of how a spammer can profit from their malicious endeavors.</p>
<h2>Slipping Through the Defenses</h2>
<p>The first step towards profit for a spammer is email delivery.  With many businesses and home users protected by anti-spam systems, a spammer needs to either blast out so much junk email that they eventually find an unprotected email address, or they need to craft their email such that it passes through a spam filter undetected.</p>
<p>In this case the latter was true, which actually raised the perception of authenticity to the end user who was not used to very many spam emails reaching their inbox at all.  The quality of the writing also caused it to slip through the recipient&#8217;s own mental defenses, convincing them that it was legitimate and that they should follow the actions it suggested.</p>
<p>This spam email contained a link to an affiliate landing page for a piece of utility software.  The domain name included a well known brand name for this particular type of software.  Everyone uses this software, or something like it, so an email announcing a new version of it would appear relevant to most people.</p>
<h2>The Affiliate Landing Page</h2>
<p>For those who are new to the topic, affiliate marketing is basically a system whereby marketers will promote various products or services in return for a commission on a per-sale or per-lead basis.  Affiliate marketing systems are not necessarily scams; affiliate marketing is a thriving and legitimate business online, and many household names on the web have affiliate programs in place.</p>
<p>The landing page for this affiliate was very professionally designed and would lead most people to believe they were on the official website for the software in question.  Only a small disclaimer at the bottom of the page says otherwise, &#8220;<em>This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software</em>&#8221;.</p>
<p><span id="more-1514"></span>As with all sales pages, this one contains a simple &#8220;Download Now&#8221; call to action.  If the user has already been tricked into visiting the website from the spam email, then this call to action would likely be successful and result in a click.</p>
<h2>How the Spammer Makes Money</h2>
<p>Having tricked the email recipient into visiting the website, and then clicking the &#8220;Download Now&#8221; link, the spammer can begin to make his money.  This particular spammer has three ways to make money out of this one single spam email, thanks to the way the website is set up.</p>
<p>Firstly, the website collects name and email address details as step 1 of the download process.  Every software company in the world is doing this these days, so most people are conditioned to giving up this information for free downloads.  Cleverly the spammer keeps this part of the form separate from what comes in step 2.</p>
<p>Even though the spammer reached the victim via email to begin with, that doesn&#8217;t mean this information is not worth money to them.  Spammers often target large lists of unverified email addresses with very low success rates.  By collecting email addresses via a web form, the spammer builds a much more reliable mailing list to target with further spam emails, or to on-sell to other spammers (either of which makes them money).</p>
<p>Brazenly the website &#8220;fails&#8221; the first email address submission and requests it again.  At worst the spammer gets the same details entered again, but the best case scenario for them is the person tries a different email address of theirs thereby giving up two real addresses to the spammer.</p>
<p>In step 2 the website offers a membership subscription to the visitor.  The membership is for access to some vaguely defined technical support services, how-to guides, and lists of &#8220;useful&#8221; software.  Such content is easy to produce for a very low cost, so any signups that they receive are profitable.  The content itself is often based on further affiliate programs, earning them more commissions for any other software they can convince you to download and purchase.</p>
<p>As an added bonus the spammer also offers a download of an &#8220;internet accelerator&#8221;, which usually means some spyware or a browser toolbar that will pop up advertising on the victim&#8217;s computer and generate revenue for the spammer through clicks.</p>
<p>Whether or not the victim signs up for a membership during step 2 is irrelevant.  The email sent to the address they provided in step 1 contains a download link for the software originally promoted in the spam email.  This link includes the spammer&#8217;s affiliate code so that they are credited with the commission when the trial software expires and the victim potentially goes ahead with purchasing it.  Regular people will reach for the credit card to get rid of the nag screens that frequently pop up on their screen.</p>
<h2>An All Too Successful Business Model</h2>
<p>By now most friends will be stunned by the apparent complexity of the spammer&#8217;s business model, but really it is quite simple.  The spammer buys or builds an email list, chooses some software to promote, and uses various tactics to try and ensure that they either receive verified email addresses to target with more spam or they receive affiliate commissions for any software that is purchased as a result of their spam.  For the icing on the cake they also throw in the membership scheme and the &#8220;internet accelerator&#8221; download offer to try and maximize their success rate.</p>
<p>A simple affiliate marketing scam that all starts with a spam email.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/09/behind-the-curtain-of-an-affiliate-marketing-spam-email/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>FTC Shuts Down Malware Vendor</title>
		<link>http://www.allspammedup.com/2008/11/ftc-shuts-down-malware-vendor/</link>
		<comments>http://www.allspammedup.com/2008/11/ftc-shuts-down-malware-vendor/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 13:32:44 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=186</guid>
		<description><![CDATA[The FTC has shut down a known malware and spyware vendor. On Monday a U.S. District Court handed down a temporary restraining order forcing CyberSpy Software to cease selling its RemoteSpy program, which is a keylogger. The company was also ordered &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2008/11/untitled1.jpg"><img class="alignright size-medium wp-image-188" style="float: right;" title="FTC stops malware operations" src="http://www.allspammedup.com/wp-content/uploads/2008/11/untitled1-400x400.jpg" alt="FTC stops malware operations" width="149" height="149" /></a>The FTC has shut down a known malware and spyware vendor. On Monday a U.S. District Court handed down a temporary restraining order forcing CyberSpy Software to cease selling its RemoteSpy program, which is a keylogger. The company was also ordered to shut down its website.</p>
<p>The program records every keystroke on the infected computer, takes screenshots of the screen and records the addresses of every site visited. It also records all documents opened and logs conversations from a variety of IM programs including MSN Messenger, AIM, Skype, and Yahoo! Messenger. This information is transmitted to CyberSpy’s website, where their customers log in to retrieve it. The program also comes with instructions on how to disguise the software and send it via email to their unsuspecting victims. Installation is as simple as clicking on an image. From the FTC’s complaint:</p>
<blockquote><p>          The defendants violated the FTC Act by engaging in the unfair advertising and selling of software that could be: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information. The FTC complaint also alleges that the defendants unfairly collected and stored the personal information gathered by their spyware on their own servers and disclosed it to their clients. The complaint further alleges that the defendants provided their clients with the means and instrumentalities to unfairly deploy and install keylogger spyware and to deceive consumer victims into downloading the spyware.</p>
<p><span id="more-186"></span></p></blockquote>
<p>Fortunately, most anti-virus and anti-spyware programs do detect the presence of RemoteSpy. Experts say the shutdown isn’t likely to do much to stem the flow of malware in spam. The cyber crooks will simply find another company to do business with, and sadly, they have plenty to choose from.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/11/ftc-shuts-down-malware-vendor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing Emails Exploit Browser Weaknesses</title>
		<link>http://www.allspammedup.com/2008/10/phishing-emails-exploit-browser-weaknesses/</link>
		<comments>http://www.allspammedup.com/2008/10/phishing-emails-exploit-browser-weaknesses/#comments</comments>
		<pubDate>Tue, 07 Oct 2008 11:18:38 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing emails]]></category>
		<category><![CDATA[scripting attacks]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=131</guid>
		<description><![CDATA[Most web browsers are supposed to protect people by implementing security zones. These safe zones use different security settings of a web browser, which can vary based on the location of the web page being viewed. Phishing emails can lure &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Most web browsers are supposed to protect people by implementing security zones. These safe zones use different security settings of a web browser, which can vary based on the location of the web page being viewed. Phishing emails can lure users to a malicious code web site.  These sites attempt to install spyware, malware or both onto the unknowing person’s computer. These web sites rely on weaknesses in web browsers, which will allow installation and execution of harmful programs on a computer.  These web browser vulnerabilities allow overriding settings, even when these sites are located in a security zone that is not trusted and normally would not allow those actions.</p>
<p><span id="more-131"></span></p>
<p>Here are a couple of weak spots, as identified by the CERT Coordination Center:</p>
<p><strong>1. Outlook Express HTML protocol handler does not properly validate location of alternate data</strong><br />
This is a cross-domain vulnerability where a specifically formatted URL invoking the InfoTech Storage (ITS) format protocol handlers could cause Internet Explorer to load an HTML document located within a Microsoft HTML Help (CHM) file. This HTML document would then be rendered in the Local Machine Zone. This HTML document could contain a script, ActiveX object, or IFRAME element to download and execute malicious code. We have observed this vulnerability used extensively in attempts to install malware.</p>
<p><strong>2. Mozilla may execute JavaScript with elevated privileges when defined in site icon tag</strong><br />
This cross-domain vulnerability in the Mozilla suite of web browsers allows scripts within the LINK tag to run unprompted with the privilege of the user running the web browser. We have observed this vulnerability used in an attempt to install malware.</p>
<p><strong>3. Cross-Site Scripting Attacks</strong><br />
Cross-site scripting (XSS) attacks can occur in programs on web sites that accept user input. If the program does not properly sanitize the input data, the vulnerable program may process input or even execute code that the original program was not intended to do.  For example, a phisher could construct a URL that uses a vulnerable program on a legitimate commerce site. This URL would also contain (probably obfuscated) code, such as JavaScript, that could target account credentials. There have been reports that this type of attack was used in a phishing scam against a bank.</p>
<p>A more common XSS attack that has been used in phishing involves the exploitation of vulnerable URL redirector programs. URL redirectors are often used by web sites to perform custom processing based on attributes such as web browser or authentication status or even just to display a message when clicking on a link to an external site. There have been multiple incidents of commerce sites using URL redirectors that allowed a user to input any external URL they wanted to. Thus phishers were able to send phishing emails with URLs that used the vulnerable redirectors on the legitimate sites to trick people into visiting phishing sites.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/10/phishing-emails-exploit-browser-weaknesses/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

