Computers

Fake IRS notification e-mails have been in circulation on the Internet over the past few weeks. We've monitored the situation closely and have observed 30 active domain names currently spreading the Zeus trojan affiliated with the spam campaign, as well as 300 links used in the attack over the past month. The e-mail arrives as a notice of unreported income and directs the victim to click on a link (E.g. www.irs.gov.malwaredomain.com).  When clicked, the victim arrives at website designed to look like an official IRS page.    



The website attempts to legitimize itself by referencing the receivers name in the Taxpayer ID field and in the download link. Once the malware is accessed, the zeus trojan is silently installed on the victim’s computer and begins to intercept communication with banking sites in order to facilitate financial fraud.

Every day cyber criminals are exploiting search engines to display high ranking malicious search results. Targeting hot topics allows for cyber criminals to improve infection rates for their money making Rogueware (pdf) schemes. Below is an example of the attack we observed today.  

 Most targeted search terms:

• Dallas Cowboys
• NFL
• School
• Emmy Awards
• Autumn Equinox (Mabon)
• Atlanta
• News

..The full list of targeted keywords can be downloaded here: BlackhatSEO3.txt

Rogueware: Adware/PCDefender



Tag cloud of targeted terms:

The Ukrainian Facebook scam we blogged about on Friday has similar campaigns for MySpace, ICQ, and Vkontakte. All of the scam sites are identical in design and require the payment of $100 except for the Vkontakte scam site. Vkontakte is a Russian clone of Facebook and the scam offers to hack Vkontakte profiles for 1500 rubles, which is about $50 USD.

MySpace

ICQ

Vkontakte

What's strange here is that the Ukrainian scam crew responsible for these scam sites are making a run at conning Russians, which is a tactic we don't see very often in the labs. 

Yesterday I came across (thanks Sean-Paul!) the following site, which really attracted my attention:

As you can see, it is an online service which promises to hack any Facebook account just for 100 bucks (!). My first thought about this was "ok, just another scam", but I wanted to see how far they could go with this. The first thing they request you is to register in their site, which I did. The next step to hack an account was to provide them with the ID of the Facebook account you wanted to hack; first I created a temporary Facebook account for this test, and then went back to "hack" it.

Obtaining the ID is something trivial, and with that ID anyone can obtain the Facebook username, but that's something that people is not familiar with, so at the end it gives extra credibility to this "service". Once you enter the ID and click on the "Hack it" button, you are given the owner of the Facebook account (the username) and now you have the option to "Start Facebook hacking!":

As you can see, it says it takes some minutes, and in fact it is true. Once it finishes, you will see this:

I clicked on save, but as you haven't paid yet, you are not allowed to view the passwords:

Below you have the payment screen. Once you send the money via Western Union (haven't you ever asked yourself why most of the cybercriminals are using WU services?), you have to fill in the details. Of course, you have to send the money to Ukraine...

Once you send the information, you are told that it will appear in your balance. Of course it won't, as this is all about taking the money from users. And at the end, as the user wanted to hack an account, he won't call the police.

In the website there is a FAQ place, where they say they've been doing business for more than 4 years, and provide a link to a Webmoney account that is in fact 4 years old. But taking a look at this facebook hacking web site, we found out that it's been registered by someone from Moscow a couple of days ago.

Using search engines to browse the Internet these days is a dangerous endeavor. Cyber criminals are keen on gaming search engine algorithms and are able to quickly divert innocent news seekers to malicious websites.  Today, WIRED reported that cyber criminals were targeting a highly anticipated Dan Brown novel, but the target and scope is much deeper than that.  Literally every current relevant news topic is actively targeted each day, including highly publicized speeches given by President Obama this week.

Clicking the following link in a Google search result will point us to a malicious Rogueware campaign page:   

Malware Info: Adware/SmartVirusEliminator

 Investigating the attack shows us a bigger picture of the targeted keywords:

Most commonly targeted keywords:

• Obama Speech
• GM group enterprises
• Apple
• Beatles
• America
• White House
• Jon Gosselin
• Live Interview
• School Season
  The full list of targeted keywords can be downloaded here: BlackhatSEO2.txt

Over the past six months that PandaLabs has closely tracked the evolution of Blackhat SEO attacks, we’ve seen these targeted campaigns be executed by cybercriminals with increasing levels of speed and sophistication.  Today, Blackhat SEO is truly a mainstream tactic used by cyber criminals.  Targeting real-time news events is a serious problem not only for search engines, but for all parties involved in malware mitigation.  In shifting to the "real-time web," the entire IT security community must also recognize the need for real-time Malware protection and this is precisely why the move to cloud-based antivirus technology is necessary.