A new malicious spam campaign is exploiting the rumors surrounding the health of former Cuban leader, Fidel Castro. The emails show a photo of Castro allegedly lying in a coffin as part of a fake breaking news alert. The emails ask the recipient to click on a link leading to a video reporting on the death, but instead it leads to a malicious domain that tries to download a Trojan onto the visitor’s computer.

The rumors about Castro’s health have been flying for several years so it’s not surprising the criminals behind this campaign chose to exploit them.

“Fidel Castro’s health situation has become more complicated and is the reason why President Hugo Chavez decided not to go back to Cuba to continue to receive chemotherapy and instead decided to go to Hospital Militar Carlos Arvelo in Caracas for his fourth dose of chemo,” said a Venezuelan newspaper.

The malware the spam is distributing has been identified as Troj/DwnLdr-JGW), a downloader that retrieves and installs another piece of malware (Troj/Agent-SYF) onto the visitor’s computer. Troj/Agent-SYF gives the criminals control over the infected system, steals personal info, and may execute browser hijacks in order to perpetuate click fraud.

Spammers have been exploiting headlines, public figures and popular trends for years. They especially favor the fake “breaking news” alert which urges recipients to click on a link to watch a video that promises exclusive footage. If they do so, they are taken to a site that tells them they need to install a codec or software update before they can view it, which is how the malware is distributed.

Recently on Twitter there was a flurry of tweets about Castro’s death, making it apparent that this campaign, which appears to be targeting Spanish speaking people, is reaching many of them. Let’s hope they didn’t fall for it and get infected!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Malicious Spam Campaign Exploits Castro’s Health Rumors

Apple’s iTunes store, situated behind the company’s walled ecosystem, has been a tough nut to crack for cyber miscreants, although it has had problems with them from time to time. The other site, LinkedIn, an online community oriented toward networking for professionals, has done a good job of guarding its members’ accounts from Internet low lifes.

A key point of vulnerability for both services, though, is email. On occasion, the services communicate with their members through ordinary email. That gives electronic grifters an opportunity to gouge subscribers with a minimum of ingenuity.

For example, anyone who has ever bought anything at the iTunes store expects to receive a receipt from it after making a purchase. So the arrival of an email containing a receipt becomes so routine that it wouldn’t raise any red flags in a recipient’s mind.

Black Hats are aware of that and in their recent escapade exploited it. They sent phishing spam to a pool of users. Since iTunes has 160 million members, odds were good that a significant number of the guppies in the pool would be iTunes users. The spam resembled a receipt from the iTunes store. To catch the recipient’s attention, the purchase total on the receipt was some outrageous number. If you’re used to purchasing a song or two at a time at 99 cents or an app under $10, then a receipt for $100 for merchandise is going to attract your notice as quickly as the Rockettes dancing on your lawn.

All too conveniently, the receipt contained a link to click to remedy any problems that recipients have with charges levied on them by the store. When the concerned iTunes store user clicks on the link, they’re asked to download an Adobe player file. The file, of course, is fake. It installs malware on the target’s computer then sends their browser to one of more than 100 black websites in the .info domain where  a particularly vicious Trojan named after the lord of the Greek gods, Zeus, is activated.

Among members of the security community, Zeus is considered one of the most lucrative malware programs ever created by cyber thieves. In a typical Zeus adventure, after the badware steals a victim’s banking  information, it’s used to withdraw money from the victim’s accounts through a nation’s automated money transfer system. The money is usually sent to bank accounts set up by “money mules.” The mules take a cut of the filched cash sent to the account and ship the rest to the ringleaders of the operation who are usually located overseas.

Recently, a large global Zeus operation was taken down by a multinational law enforcement task force. According to authorities, the gangsters clipped $70 million from their victims and had another $150 million in the pipeline before they were busted. Much of that money was stolen from small businesses or non-profit organizations that had to absorb the losses into their bottom lines.

Although the latest blow against Zeus produced significant results, it’s doubtful its impact will be long-lasting, according to one analyst at the technology research firm, Gartner.

          “[T]he arrests will not stop ACH and wire fraud,” opines Gartner analyst Avivah Litan. “It just slows down the ability for the fraudsters to use Zeus to commit it.”

“There are many other attack vectors that enable the crooks to get into online bank accounts and money transfers that don’t use Zeus,” she continues. “For example, there’s a relatively new piece of malware called Spyeye. It’s a landmark infection that doesn’t require administrative privileges on the PC and operates as a relatively quick hit-and-run type of attack.”

Be that as it may, law enforcement agencies appear to be getting a handle on Zeus networks once they’re uncovered. In the iTunes case, the Zeus websites were blacklisted in a matter of days.

The iTunes scam was similar to one apparently launched from Russia against LinkedIn members in the prior week.

          “In the past few days, we’ve noticed an increase in phishing emails doing the rounds using the LinkedIn name,” the service’s Principal Product Manager Vincente Silveira wrote in a blog on October 1. “As you can imagine, we are working round the clock with leading email service providers to combat this problem,” he added.

He recommended the following tips for protecting yourself against phishing attacks.

• Please use caution when clicking or opening emails, seemingly from sites you trust.
• Spammers try to mimic legitimate emails, but they often make mistakes like typos or include information that’s not relevant to you. Be suspicious of emails that include names you don’t recognize.
• Keep in mind that a site like LinkedIn would never ask you to open an email attachment or install a software update.
• These spurious emails can infect your computer with a virus or spyware. To protect yourself, make sure you have anti-virus and anti-spyware software installed and it is up-to-date.
• Before clicking on a link in an email, place your cursor over the link to verify that they lead to the appropriate site.
• When in doubt, open a new browser window and go directly to LinkedIn.com to check your inbox and verify the connection request or message.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phishers target iTunes, LinkedIn users

          “Virus scanning has to extend beyond the PC to all types of removable storage”, Jason Holloway, Northern European sales manager with SanDisk said .”Better still, employees should only be able to use authorised flash drives that include on-board antivirus scanning. This ensures that users cant turn off, disable or work around the protection, and would stop these infections from spreading.”

Conficker has spread like wildfire across the net and has infected over 7 million computers. It was first spotted in 2008. Experts still aren’t sure what its purpose is since its botnet is seldom used.

A year ago Manchester council’s computers were attacked by Conficker, forcing the town to write off parking tickets and spend over $1 million pounds to fix the infection. It’s not yet known if the Manchester police will have to overlook any violations or void any arrests because of their infection.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Conficker Worm Cripples Police Department

          “System Defender – Kernel Error 0xC00000005

This problem is unambigously cause by malicious contents in IP packers in transport layer from website: www.offroad-lm.szm.sk. To bee patient, Windows Defender scan your hard drive(s) for bugs caused by system incompatible code. To recovery of system press OK button. Wait to successfull end of scanning. Inform about this administrator on www.szm.sk and incriminated web site.”

Once that appears, the system is doomed. The next time the user restarts the computer they will be greeted with the heart stopping error “FATAL: No bootable medium found.” This is because the virus overwrites the Master Boot Record, which permanently damages the drive. What makes this virus even more dangerous is that until the message pops up it’s nearly impossible to know the system is infected.

Win32.Worm.Zimuse A and B distribute themselves in very different ways. The first variant embeds itself on legit sites, possibly by poisoning an ad network, and pretends to be an IQ test. The second spreads via exchangeable media like USB flash drives. Experts think it was a malicious prank intended only for fans of a Slovakian motorcycle gang but it has gone far beyond that, destroying data wherever it lands. This could be especially devastating if it hit a critical government or business network.

It is extremely important to make sure your data is backed up safely and to be more cautious than ever about sharing storage media and clicking on links. All IQ tests should be avoided, and web surfing should be confined to familiar sites. If you aren’t sure if your system’s anti-virus programs are up to date, contact your IT department.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Vicious, Data Destroying Virus Discovered

Worm turns ugly for iPhone.

The first smartphone malware began innocently enough. A Dutch cracker discovers a way to penetrate modified, or “jailbroken,” iPhones using their default root password “alpine.” “You want to protect this phone from more attacks?” he asks his victims. “Pay me five Euros, and I’ll tell you how to do it.”

Not to be outshone by the Dutch, an Australian writes a virus, ikee, that makes its presence known by changing the background on the mobile to a photo of Rick Astley, who became a one-shot wonder in 1987 with the hit song “Never Gonna Give You Up,” and displaying the message “ikee is never going to give you up.”

More important, though, was that ikee could replicate itself. Once it infects an iPhone, it begins searching for other jailbroken devices on a mobile network that use alpine as their root password and infects them. In other words, it’s a good old fashioned ego-centric virus–annoying but not very harmful and designed to spread the name of its creator, ikee.

But as White Hats discovered this week, those initial efforts were just a prelude to a nastier variant of the ikee worm. Like its predecessor, it takes advantage of modified iPhones with the SSH protocol turned on and unchanged default passwords. This variant, however, is designed to  steal banking information from the phone.

What’s more, it has botnet characteristics. It connects to a Web-based command and control server located in Lithuania, effectively turning infected phones into zombies that will do the bidding of the crackers without the knowledge of the mopho’s owner.

In addition, while the original ikee worm was limited in its scope. It wasn’t reported outside of Australia. The latest iteration of the malware targets a wider range of IP addresses. They include the Netherlands, Portugal, Australia, Austria and Hungary.

The new variant, dubbed by one security firm as the “Duh” worm, also changes the root password on a jailbroken iPhone. Once that password is changed, a mobile bandit can access the phone without the owner’s knowledge. What’s more, if an owner discovers his or her phone has been compromised, initially he or she could do little about it. That’s because he or she needed to know the root password to change the root password. That was impossible since the password of an infected phone was known only to the person who infected it.

However, security experts have been able to reverse the tables on the crackers and with a program called John the Ripper, identify the password they’ve been using in the latest version of ikee. It’s “ohshit.” By logging into an infected iPhone with that root password, an owner can change it to something unknown to the cracker.

In addition to changing the password, an owner should kill the files associated with the malware. The path to those files is /private/var/mobile/home. The files are inst, cydia.tgz, duh, sshd and syslog. Owners are also advised to check the passwords for all user accounts, as the malicious software will change the password for any account that uses the word alpine.

Apple has come under criticism for choosing a root password that violates some basic security best practices. It’s a dictionary word and lots of people know what it is. On the other hand, the latest uproar over compromised iPhones doesn’t affect most users because they haven’t modified their handsets to run unauthorized programs. That may also be the reason that Apple has refused to work with White Hats in developing anti-virus software to counter the problem. From the company’s point of view, it has created a secure product. It’s rogue users who are providing the feeding ground for this round of cracker attacks.

Although iPhones represent only 10 percent of the mobile phone market, they tend to be used by higher level executives within organizations because of their status value. While status seekers aren’t likely to hack his or her iPhone and open it up to something like ikee, the prospect isn’t something that system administrators can ignore. Because iPhones aren’t able to report any kind of status information, security experts warn, they present a threat to the enterprise. If an infected phone gains access to a company’s MS Exchange, WiFi or VPN environment, it could put all a business’s confidential information at risk.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Virus variant turns iPhone into zombie

It’s not yet known who’s responsible for this latest wave of malicious spam, but experts are warning people to be very cautious. Only 13 out of 41 virus scanners caught the virus, meaning that having an up to date virus program may not be enough to protect you. Obviously if you or your company hasn’t inquired about a car for sale on Craigslist you should immediately delete any such messages.

This is only one of several new viruses discovered recently, including one that targets AutoCAD software, and experts say the amount of malware found on the net is only going to rise.

          “Criminals see a better bottom line with more files,” security researcher Sean-Paul Correll said, adding that there are more viruses because the malware writers have automated the creation of virus variants. They are releasing polymorphic engines to distribute a massive number of unique samples… They hope to subvert antivirus lab technology by releasing a large number of samples.”

This has led some virus researchers to proclaim that virus signatures, which are currently the best way to classify threats, will soon be useless. If that happens researchers will have to come up with new ways to find and fight threats.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Malicious Spam Exploits Craigslist

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.”  Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.

As recently as April 17, 2009 ZDNet reports the Waledec botnet is on the move again.  For waledec to be effective, cyber criminals are relying on the rotation of different “Subject” themes and the email user’s ignorance of its existence.   That is a hint to educate your email users ASAP.

Some typical Waledec spam email subjects being used:

• Can your love life be re-ignited?
• Are you sure in your partner’s faithfulness?
• Now, It’s possible to read other people’s SMS
• We will tech you to be the master of making love art
• Just type the phone number and read SMS
• Do you want to test your partner?
• Have more fun and pleasure in your intimate life
• Now, you can read any SMS messages from any mobile phones
• Keep a spy eye on your Girlfriend’s mobile
• What’s Your Hall of Shame
• Are you ready to know the truth?

The actual Waledec message body is something like “Get Your Free 30-Day Trial! Do you want to test your partner or just to read somebody’s SMS? This program is exactly what you need then! It’s so easy! You don’t need to install it at the mobile phone of your partner. Just download the program and you will able to read all SMS when you are online. Be aware of everything! This is an extremely new service!”.

Any other unknown conficker children you want to share with us?  Let us know with a comment.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Meet Waledec, Conficker’s Child

Recently several readers contacted the News Sentinel to report they were victims of a scheme who had received emails from friends or associates claiming to be stranded overseas and asking for money.

The name and email accounts used were supposedly from known friends of victims. The accounts were used by scammers who sent the “stranded overseas” appeal to make the victims think friends they knew were really stranded and had no money.

Stacie Bohanan, spokeswoman for the Knoxville office of the FBI, said the broken into email accounts were infected by a virus and not “hacked” by an imposter targeting a specific individual. Bohanan said the FBI has been investigating this case.

Jason Pack, special agent with the FBI’s national press office, said the scam is “cyclical” and often runs through various communities as it picks up the contacts shared by local email accounts .

The emails, which appear to come from a friend or associate stranded overseas, are written in a chatty, familiar style and closed with the name of the person whose email account was hijacked.

Victims of the scam need to report it to U.S. government’s The Internet Crime Complaint Center, online at www.ic3.gov .

Bohanan warned that a similar virus claims your credit card account may have been compromised and directs readers to phone the company.

“Do not call that number,” Bohanan said. To check with your credit card company, call only the number listed on the back of your card, she added.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Virus Cracks Open Email Scam