• A fake website created by simply ripping content off the original site and pasting them on the spurious one

• A bait which engages potentially attractive terms like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to “, etc. to attract victims

• Scare mongering by using words like “Account has been suspended”, “Computer found to be infected”, “Severe action will taken” etc.

• Create a YouTube video

Yes, you read that right!! Phishers now go to the depths of creating videos explaining to the potential victim how to execute the phish. Call it a “how-to-guide” to give your secrets away, if you’d like.

The site under discussion http://fbshirts.[Blocked], apart from having all the usual elements of a phish also has a video on YouTube instructing users how to give away their Facebook “mobile email address”. This is a personalized email address used to post status updates straight to your profile.

Users who’ve fallen victim to this scam will have a spam message posted on their facebook wall like the one below:

One would like to think that no one would fall victim for such a scam. But the number of hits that this video has received, (80,432 and counting) paints a bleak picture. See image below:

Our usual sentiments about keeping one’s security solutions up-to-date and being vary of giving one’s personal information to unknown sites apply.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Here is the email in question:

• The source of this email (highlighted green) is ‘rbi.org.in’ which is not suspicious but is probably spoofed.
• It informs us to ignore any warning (highlighted red) that the email client might give us. This is suspicious.
• The attachment (highlighted cyan) has a double extension. This is clearly suspicious.

There is even a tail-piece of advice to ‘Beware of Phishing’ to make the user feel good about the message. After all, no thief warns you about impending thievery, right? Wrong!

Once you download and open the attachment you are directed to the following page:

This looks like a normal RBI page. But a closer look at the address reveals for a fact that this not an RBI page. It is a login page but it is not secure, and there is no ‘https’ authentication. This is a cleverly constructed page. Only the ‘Login ID’ and the ‘Password’ fields are custom made. The rest is ‘borrowed’ from the actual RBI site, therefore clicking on any of the menu items would still take you to the valid RBI page.

Let us check what is inside the attachment:

This URL has quite a number of sub-domains (grayed out for security reasons), none of which is even remotely related to the RBI. This is highly suspicious. Double-clicking on the attachment would take you to the page shown above which masquerades as a  bona fide RBI site.

Let us start filling in the form with some fake details:

Once you fill in the details and click next you will be taken to the following page wherein you’ll be asked to fill in your transaction password and mobile number:

Once you click submit it throws a message that the registration is successful. But there was no actual password registration done during the entire exercise. The mail states an additional password is to be created, which was never done here. Whenever a new password is created any valid system would ask you to confirm your password, which was not the case here. Hence this is a clear attempt to phish out confidential details.

The network captures of the above exercises show the password and user names being sent over the Internet as plain text messages:

Never would your bank send your banking credentials as plain text. They are always sent over a secure connection in an encrypted format.

At the time of writing the attack domain was still live. To avoid being a victim of such social engineering attacks, the solution to a large extent still rests with the user, even though URL filtering and phishing heuristics do thwart many of these attempts at phishing. Please read through one of the earlier entries to find out how to recognize and stay away from phishing scams – ‘Teach a Man to Anti-Phish’

Kaarthik R.M
K7 TCL

Yesterday, however, as blogged by my colleague in the Anti-Virus community, the campaign unexpectedly changed insofar as several grammatical and spelling mistakes made their way into the standard fake message “from DHL”:

It is true that on several occasions in the past cybercriminals have been found wanting where communication in English is concerned. However, the latest message with all the errors breaks with the trend seen over the past couple of years. Previous versions of the social engineered message body were largely error free, at least ostensibly, and therefore rather convincing … well, probably only to the uninitiated. In fact the executable file within the ZIP archive in the current campaign even has an Adobe PDF icon.

Given the discrepancy between the old and the new versions of this campaign, one wonders whether there has been a change of helmsman coordinating these attacks who attaches less importance to quality control. On the other hand it is possible that the spelling mistakes have been deliberately introduced to evade targeted spam rules based on standard text patterns. After all the only reason that the bot executable is sent within a ZIP attachment is to circumvent heuristic rules at the gateway which may quarantine emails containing raw executables.

In any case it is important to stay informed about this particular campaign to reduce instances of PEBCAK (Problem Exists Between Chair And Keyboard), and to ensure that your Anti-Virus software is kept up-to-date. K7 products detect the latest bredolab executable as Trojan (0021b05e1).

Samir Mody
Senior Manager, K7TCL

Although we’ve not seen too many actual attacks from this, it’s been widely reported in the media, perhaps as it’s quite a novelty these days to see a worm spreading in this way.

It spreads itself as an executable in email, but disguises itself as a PDF file, when executed it attempts to download some other malicious files on the victim machine, and drops some files in an attempt to let the worm spread via autorun.

K7 Total Security detects this worm as  ”Emailworm (0019e4ae1)” (yeah, it’s that uninteresting!)

Full information is here:

http://viruslab.k7computing.com/index.php?option=com_k7virus&view=showvirus&Itemid=1&id=818

If you’re interested in more, Dan Goodin has written a short piece about the worm on The Register http://www.theregister.co.uk/2010/09/10/email_worm_spreading/

Andrew Lee
CTO K7 Computing

In a whitepaper, entitled “What’s in a name?”, researchers claim that security systems in place to protect online accounts are inherently flawed, claiming that many passwords can often be guessed with just the simplest knowledge about the account holder.

The report specifically highlights “security questions” used to verify users who have forgotten passwords or login credentials, a system used by some of the world’s biggest online names including eBay, Google and Yahoo.

“Despite their ubiquity, personal knowledge questions have received relatively little attention from the security community until recently,” the paper said.

“User studies have demonstrated the ability of friends, family and acquaintances to guess answers correctly, while other research has found that some questions used have a tiny set of possible answers.

“Many common questions have also been shown to have answers readily available in public databases or online social networks.”

The researchers looked at the type of security questions asked using data from a range of online service providers, including banks and financial institutions, as well as webmail services such as Hotmail, Gmail and Yahoo Mail.

One in three asked for a person’s name, and one in five asked for a place name. The researchers said that, when faced with these questions and given three guesses, an attacker can compromise roughly one in 80 accounts. This was increased when names were used as security keys, given the popularity of certain names in particular parts of the world, such as Smith in the Western world or Kim in Korea.

“Given names are a matter of fashion and vary in several interesting dimensions. In the countries studied, female names seem to provide slightly higher resistance to guessing than male names,” said the paper.

“The diversity of forenames has been increasing slowly but steadily over the past six decades in the US. Curiously, pet names are slightly harder to guess than human names.”