Guard your corporate network with incisive analysis of the state of online threats by Sam Masiello, Director of the MX Logic Threat Center. The MX Logic ThreatBlog covers a wide range of topics including spam filtering, viruses, worms, and corporate network security. MX Logic is a leading provider of email and web security services in North America.
REMINDER: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog. Please continue to follow me there.
In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette. The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":
If the recipient follows the link to the monopoly2009.com web site, they are greeted with a fairly well-made page advertising the Monopoly "game": a brief history of the game, some fun facts, and several download links dispersed throughout the page.
Nothing is installed just by visiting the page. The user has to download and run the monopoly.exe executable the site offers, and that executable is only the first stage. This is a fairly common pattern now: the file the web site delivers is a small downloader, and once it runs it quietly contacts another server and fetches the second stage, the piece that turns the machine into a spam-sending zombie touting Canadian Pharmacy products. Splitting the infection this way lets the operators swap the payload without touching the bait file on the lure site.
As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now. Don't be fooled. This is merely a counter of how many people have visited the page thus far.
Another celebrity death. Another recycled scareware tactic attempting to lure users into downloading malware by telling them that their PC is infected with a virus. We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year. Now the attention of cyber criminals has turned to Monday's death of Patrick Swayze as the soup du jour for malware distribution.
Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed will lead users to a site that looks like this:
This tactic, presenting a window that looks very much like a legitimate Windows dialog, has been used many times before in various forms. The Windows Explorer-like screen also geolocates the visitor's IP address and displays their country and city, to make the user believe that their data is actively under attack. Popups with phrases like "Scan procedures finished. 34 Potential aggressive items was found!" and "Your computer remains infected by threats! They might lead to data loss and file structure damage, and needed to be heal as soon as possible. Return to Total Security and download it secure to your PC" try to convince users that the only way to protect themselves is to download the bogus security software. Nothing on the page has actually scanned anything; the "results" are the same for every visitor.
Clearly scareware is something cyber criminals have latched onto as a popular method of malware distribution, as it continues to be a recurring and evolving theme. Conficker/Downadup largely popularized scareware with its success (although it wasn't the first to use it), and now others are riding on that popularity and repurposing it for their own scams.
Fridays usually get people excited since it's the countdown to the weekend, but this week we're excited because some stellar guests will be participating in the SecurityBuzz podcast.
As you may recall, last week Robert Scoble's WordPress blog, Scobleizer, was hacked. We've asked Scoble and Rob La Gesse, director of customer development at Rackspace, to join us to discuss corporate blogs, the security issues they face, how to prevent them, and so on.
The podcast will be posted Friday afternoon so stay tuned. In the meantime, let us know if you have any questions you’d like for us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter - @smasiello.
New Malware Campaign Spoofs the IRS
Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS. We are currently observing traffic averaging about 90,000 messages per hour using this tactic.
The email appears to come from no-reply@irs.gov (a From: address is trivially forged and says nothing about where the message really originated) and tries to convince the recipient that they misreported their income and that the IRS is giving them a chance to correct it.
The email provides a link to view a "recent tax statement" online. The link itself does not infect the user's machine; it sends them to a web site that delivers the malicious code.
Clicking any of the links on that page prompts the user to download an application called tax_statement.exe. As of the time of this posting, AV detection for this new variant is low.
Please remember that the IRS does not initiate contact with taxpayers by email and will not conduct official business with you that way. Any email purporting to do so is a scam and should be deleted immediately.
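A quick triage heuristic for lures like the Monopoly invite above and this IRS message, as an added example (it is not MX Logic's filter or anything from the original post). It checks the two traits the campaigns share: links whose host does not belong to the domain the From: header claims, and links that deliver an executable such as tax_statement.exe or monopoly.exe. The messages it runs on are constructed, tax-review.example.net is an invented landing host, and the rule that irs.gov never initiates contact by email is taken from the post and encoded as a small policy list:

```python
"""Triage heuristic for lure e-mails of the kind described above.

Added example, not MX Logic's filter.  Two traits both campaigns share are
flagged: a link host outside the domain the sender claims, and a link path
ending in an executable.  All sample messages are constructed;
tax-review.example.net is an invented landing host.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# File types a "view your statement" or "play now" link should never deliver.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Policy assumption drawn from the post: the IRS does not contact people by e-mail.
NEVER_EMAILS = {"irs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower().rstrip(".") if match else ""


def body_text(msg: Message) -> str:
    """Decoded text/plain and text/html parts joined together."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def same_site(host: str, claimed: str) -> bool:
    """True when host is the claimed domain or a subdomain of it."""
    return host == claimed or host.endswith("." + claimed)


def assess_links(urls, claimed: str) -> list:
    """Findings for a list of URLs measured against the domain the sender claims."""
    findings = []
    if claimed in NEVER_EMAILS:
        findings.append(f"sender claims {claimed}, which does not contact users by e-mail")
    for url in urls:
        parsed = urlparse(url.rstrip(".,;:)"))  # drop sentence punctuation glued to the URL
        host = (parsed.hostname or "").lower()
        if claimed and host and not same_site(host, claimed):
            findings.append(f"link host {host} is not part of claimed sender domain {claimed}")
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"link delivers executable {parsed.path.rsplit('/', 1)[-1]}")
    return findings


def triage_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and score its links against the From: domain."""
    msg = message_from_string(raw)
    claimed = sender_domain(msg)
    findings = assess_links(URL_RE.findall(body_text(msg)), claimed)
    return {"sender_domain": claimed, "findings": findings, "suspicious": bool(findings)}


# Constructed lures modelled on the two campaigns described in the posts above.
IRS_LURE = """\
From: Internal Revenue Service <no-reply@irs.gov>
To: victim@example.com
Subject: Notice of underreported income
Content-Type: text/plain; charset=utf-8

Our records indicate you misreported your income. Review your recent
tax statement online: http://tax-review.example.net/statement/view
"""

MONOPOLY_LURE = """\
From: Tom <tom@example.org>
To: victim@example.com
Subject: Tom has invited you to play Monopoly
Content-Type: text/plain; charset=utf-8

Play online together: http://www.monopoly2009.com/play
"""

# Constructed legitimate newsletter whose links stay on the sender's own site.
NEWSLETTER = """\
From: News <news@example.com>
To: victim@example.com
Subject: Weekly digest
Content-Type: text/plain; charset=utf-8

This week's stories: https://www.example.com/digest/2009-09-14
"""

if __name__ == "__main__":
    for name, raw in (("irs", IRS_LURE), ("monopoly", MONOPOLY_LURE), ("newsletter", NEWSLETTER)):
        print(name, triage_message(raw))
    # The landing page's own download link, had it appeared in the mail body.
    print(assess_links(["http://www.monopoly2009.com/monopoly.exe"], "monopoly2009.com"))
```

This is triage, not a verdict: legitimate newsletters routinely link through tracking hosts on other domains, so the mismatch rule produces false positives and belongs in a scoring pipeline rather than a hard block. It also only compares links against the address the message claims; pair it with SPF/DKIM results on the actual envelope, since the From: header in the IRS campaign is forged outright.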