
Archive for the ‘Email’ Category

Depths Phishermen Go To Catch a Phish

Monday, October 3rd, 2011

It is common knowledge that phishers (the authors of a phish) attempt to steal sensitive information such as passwords and credit card details by masquerading as a trustworthy entity. Some key elements of a phish are:

  • A fake website, created by simply ripping content off the original site and pasting it onto the spurious one

  • A bait that uses attractive terms like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to”, etc. to draw in victims

  • Scaremongering with phrases like “Account has been suspended”, “Computer found to be infected”, “Severe action will be taken”, etc.

  • A YouTube video

Yes, you read that right!! Phishers now go to the depths of creating videos that walk the potential victim through the steps of the phish. Call it a “how-to guide” for giving your secrets away, if you’d like.

The site under discussion, http://fbshirts.[Blocked], apart from having all the usual elements of a phish, also links to a YouTube video instructing users how to give away their Facebook “mobile email address”. This is a personalised, secret email address used to post status updates straight to your profile; anything sent to it appears on your wall, so whoever learns it can post as you.

Users who have fallen victim to this scam will find a spam message posted on their Facebook wall like the one below:

One would like to think that no one would fall victim to such a scam, but the number of hits this video has received (80,432 and counting) paints a bleak picture. See the image below:

Our usual sentiments about keeping one’s security solution up to date and being wary of giving one’s personal information to unknown sites apply.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Of One Time Passwords and Empty Bank Accounts!

Thursday, June 9th, 2011

Recently we received an email from the RBI (Reserve Bank of India), or so it claims to be, regarding ‘One Time Password’ registration. It ended up in the spam folder. Let us see why.

Here is the email in question:

  • The source of this email (highlighted green) is ‘rbi.org.in’. That looks legitimate on its face but is almost certainly spoofed: the From: header is trivially forged, and a matching sender domain proves nothing unless the message also passes SPF or DKIM checks.
  • It tells us to ignore any warning (highlighted red) that the email client might give us. This is suspicious.
  • The attachment (highlighted cyan) has a double extension. This is clearly suspicious.

There is even a tail-piece of advice to ‘Beware of Phishing’ to make the user feel good about the message. After all, no thief warns you about impending thievery, right? Wrong!

Once you download and open the attachment you are directed to the following page:

This looks like a normal RBI page. But a closer look at the address reveals for a fact that this is not an RBI page. It is a login page, yet it is served over plain http, with no TLS certificate to tie it to the RBI. It is also a cleverly constructed page. Only the ‘Login ID’ and ‘Password’ fields are custom made; the rest is ‘borrowed’ from the actual RBI site, so clicking on any of the menu items would still take you to the valid RBI page.

Let us check what is inside the attachment:

This URL has quite a number of sub-domains (grayed out for security reasons), none of which is even remotely related to the RBI. This is highly suspicious. Double-clicking on the attachment would take you to the page shown above, which masquerades as a bona fide RBI site.

Let us start filling in the form with some fake details:

Once you fill in the details and click next you will be taken to the following page wherein you’ll be asked to fill in your transaction password and mobile number:

Once you click submit it throws a message that the registration is successful. But no actual password registration was done during the entire exercise. The mail states that an additional password is to be created, which never happens here. Whenever a new password is created, any valid system would ask you to confirm it, which was not the case here. Hence this is a clear attempt to phish out confidential details.

The network captures of the above exercise show the user name and password being sent over the Internet in plain text:

Your bank would never send your banking credentials as plain text. They are always submitted over a secure (https) connection, encrypted in transit.
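The indicators called out above (a sender domain that matches the brand but is not authenticated, body text telling the reader to ignore client warnings, a double-extension attachment, and a login link whose host carries a pile of unrelated sub-domains and uses plain http) can be turned into a simple triage script. The following is an added example, not code from K7 or from the post; the sample messages, the `Authentication-Results` text and every hostname in them are constructed for illustration, and the two-label suffix list is a stand-in for the Public Suffix List a real tool would use.

```python
"""Heuristic triage of a suspected phishing email.

Added example modelled on the RBI 'One Time Password' lure described in the
post; not K7 code.  The messages below are constructed, not the real phish.
"""
import re
from urllib.parse import urlparse

# Attachment names like 'form.html.exe' or 'statement.pdf.scr'.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|html?|jpe?g|txt)\.(exe|scr|com|bat|pif|vbs|js)$", re.I)
# Body text asking the reader to dismiss the mail client's own warnings.
IGNORE_WARNING = re.compile(r"\b(ignore|disregard)\b.{0,40}\bwarnings?\b", re.I | re.S)
# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"org.in", "co.in", "net.in", "gov.in", "co.uk"}

def registered_domain(host):
    """Return the registrable domain of a host, e.g. 'a.b.rbi.org.in' -> 'rbi.org.in'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def score_message(msg, trusted_domain):
    """Return a list of (tag, detail) findings for a parsed message dict.

    msg keys: 'from' (bare address), 'auth_results' (Authentication-Results
    header text), 'body', 'attachments' (filenames), 'urls'.
    """
    findings = []
    sender_domain = registered_domain(msg["from"].rsplit("@", 1)[-1])
    authenticated = "spf=pass" in msg["auth_results"] or "dkim=pass" in msg["auth_results"]
    if sender_domain == trusted_domain and not authenticated:
        # The From: header matches the brand but nothing vouches for it: spoofed.
        findings.append(("sender-auth", f"claims {trusted_domain} but SPF/DKIM did not pass"))
    elif sender_domain != trusted_domain:
        findings.append(("sender-domain", f"sent from {sender_domain}, not {trusted_domain}"))
    if IGNORE_WARNING.search(msg["body"]):
        findings.append(("ignore-warning", "body tells the reader to ignore client warnings"))
    for name in msg["attachments"]:
        if DOUBLE_EXT.search(name):
            findings.append(("double-extension", name))
    for url in msg["urls"]:
        parts = urlparse(url)
        host = parts.hostname or ""
        if registered_domain(host) != trusted_domain:
            findings.append(("link-domain", f"{url} is owned by {registered_domain(host)}"))
        if parts.scheme == "http":
            findings.append(("plain-http", url))
        if host.count(".") >= 4:  # five or more labels: brand names buried in sub-domains
            findings.append(("deep-subdomain", host))
    return findings

# Constructed sample resembling the lure: brand in From:, SPF fails, 'ignore
# any warning' text, double-extension attachment, http link on a foreign host.
SAMPLE_PHISH = {
    "from": "alerts@rbi.org.in",
    "auth_results": "mx.example; spf=fail smtp.mailfrom=rbi.org.in",
    "body": "Please ignore any warning shown by your email client. Beware of phishing.",
    "attachments": ["OTP_Registration.html.exe"],
    "urls": ["http://rbi.org.in.secure-login.example.net/otp/index.htm"],
}
# Constructed sample of a clean message from the same brand.
SAMPLE_LEGIT = {
    "from": "alerts@rbi.org.in",
    "auth_results": "mx.example; spf=pass smtp.mailfrom=rbi.org.in; dkim=pass",
    "body": "Your monthly statement is available in your account.",
    "attachments": [],
    "urls": ["https://www.rbi.org.in/"],
}

if __name__ == "__main__":
    for tag, detail in score_message(SAMPLE_PHISH, "rbi.org.in"):
        print(f"{tag:16} {detail}")
```

The point of the `sender-auth` branch is the one the post makes about ‘rbi.org.in’: a brand-matching From: address is not evidence of anything, so the script only trusts it when the receiving server's SPF or DKIM verdict says pass. The `link-domain` check is what catches the deep sub-domain trick, because the registrable domain of `rbi.org.in.secure-login.example.net` is `example.net`, however many familiar labels are stacked in front of it.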

At the time of writing the attack domain was still live. To avoid being a victim of such social engineering attacks, the solution to a large extent still rests with the user, even though URL filtering and phishing heuristics do thwart many of these attempts at phishing. Please read through one of our earlier entries to find out how to recognise and stay away from phishing scams: ‘Teach a Man to Anti-Phish’.

Kaarthik R.M
K7 TCL

Has Bred Fallen on the Buttered Side?

Wednesday, March 9th, 2011

Bredolab is a family of Russian botnets which are frequently spammed out purporting to be from reputed organisations such as DHL or UPS. The messages have ZIP archive attachments containing the malicious bot executable. This particular spam campaign has been alive for the best part of the last couple of years with little change, which implies that it is still efficacious. Why “fix something that ain’t broke”?

Yesterday, however, as blogged by my colleague in the Anti-Virus community, the campaign unexpectedly changed insofar as several grammatical and spelling mistakes made their way into the standard fake message “from DHL”:

It is true that on several occasions in the past cybercriminals have been found wanting where communication in English is concerned. However, the latest message with all its errors breaks with the trend seen over the past couple of years. Previous versions of the socially engineered message body were largely error free, at least ostensibly, and therefore rather convincing … well, probably only to the uninitiated. In fact the executable file within the ZIP archive in the current campaign even has an Adobe PDF icon.

Given the discrepancy between the old and the new versions of this campaign, one wonders whether there has been a change of helmsman coordinating these attacks who attaches less importance to quality control. On the other hand it is possible that the spelling mistakes have been deliberately introduced to evade targeted spam rules based on standard text patterns. After all the only reason that the bot executable is sent within a ZIP attachment is to circumvent heuristic rules at the gateway which may quarantine emails containing raw executables.

In any case it is important to stay informed about this particular campaign to reduce instances of PEBCAK (Problem Exists Between Chair And Keyboard), and to ensure that your Anti-Virus software is kept up-to-date. K7 products detect the latest bredolab executable as Trojan (0021b05e1).

Samir Mody
Senior Manager, K7TCL

Old style Email Worm spreading rapidly

Saturday, September 11th, 2010

In something of a blast from the past, an email borne worm has been sighted spreading around the internet.

Although we’ve not seen too many actual attacks from this, it’s been widely reported in the media, perhaps as it’s quite a novelty these days to see a worm spreading in this way.

It spreads itself as an executable attached to email but disguised as a PDF file. When executed, it attempts to download further malicious files onto the victim machine, and drops some files in an attempt to let the worm spread via autorun.

K7 Total Security detects this worm as “Emailworm (0019e4ae1)” (yeah, it’s that uninteresting!)
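Both this worm and the Bredolab campaign in the entry above rely on the same trick: a Windows executable dressed up as a PDF, either sent bare or wrapped in a ZIP so that a gateway rule looking for raw executables never sees it. The check that defeats both is to look at what the bytes are rather than what the name claims. The following is an added example, not K7's product code or anything from either post; the attachments it scans are constructed in memory (a stub with a PE ‘MZ’ header standing in for the real bot), and the file names are made up.

```python
"""Find executables hiding in mail attachments, including inside ZIP archives.

Added example, not K7 code.  A PE file starts with the two bytes 'MZ'; a ZIP
local file header starts with 'PK\x03\x04'.  Decisions are made on those
magic bytes, not on the file name or icon the attacker chose.
"""
import io
import zipfile

PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"

def find_executables(attachments):
    """attachments: iterable of (filename, bytes).

    Returns a list of (path, reason) for every executable found, descending
    one level into ZIP archives.  Encrypted or corrupt members are reported
    rather than silently skipped, since 'could not inspect' is itself a signal.
    """
    hits = []
    for name, data in attachments:
        if data[:2] == PE_MAGIC:
            hits.append((name, "PE executable by magic bytes"))
        elif data[:4] == ZIP_MAGIC:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    path = f"{name}:{info.filename}"
                    try:
                        with archive.open(info) as member:
                            head = member.read(2)
                    except (RuntimeError, zipfile.BadZipFile) as exc:
                        hits.append((path, f"could not inspect member: {exc}"))
                        continue
                    if head == PE_MAGIC:
                        hits.append((path, "PE executable inside ZIP by magic bytes"))
    return hits

def build_sample_attachments():
    """Constructed samples, not real malware.

    A stub 'PE' (DOS header bytes only) is packed into a ZIP under a
    DHL-style double-extension name (the Bredolab pattern), sent bare under a
    .pdf name (the worm pattern), and accompanied by a harmless text note.
    """
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("DHL_Notification.pdf.exe", fake_pe)
        archive.writestr("readme.txt", "Please see the attached document.")
    return [
        ("DHL_Notification.zip", buf.getvalue()),
        ("Invoice.pdf", fake_pe),
        ("note.txt", b"Nothing to see here."),
    ]

if __name__ == "__main__":
    for path, reason in find_executables(build_sample_attachments()):
        print(f"{path}: {reason}")
```

Because the test is on content, renaming the executable to `.pdf`, giving it an Adobe icon, or zipping it makes no difference; the `.pdf.exe` name in the sample is only there to show what the mail client would display. Nested archives and password-protected ZIPs (a later evolution of these campaigns) would need recursion and a policy for uninspectable content, which is why unreadable members are reported rather than dropped.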

Full information is here:

http://viruslab.k7computing.com/index.php?option=com_k7virus&view=showvirus&Itemid=1&id=818

If you’re interested in more, Dan Goodin has written a short piece about the worm on The Register http://www.theregister.co.uk/2010/09/10/email_worm_spreading/

Andrew Lee
CTO K7 Computing


Password security questions “flawed” claims research

Tuesday, March 9th, 2010

Password reminder questions are posing a risk to internet users, according to research from Edinburgh and Cambridge universities.