Saturday, February 26, 2011

Windows Live Phishing


This morning I received an email claiming that the database and email account center for Windows Live would be upgraded. They need to delete all unused account and to make sure that yours won't be deleted, you have to notify the Windows Live team.


Email subject: Account Alert!!
Windows Live Team Alert Confirmation


You need to reply with your User name, Password, Date of Birth and Country or Territory. In reality this is a typical phishing campaign for retrieving your login details.


In the last 2 paragraphs it also states:

"YOUR DETAILS WILL NOT BE SHARED"
-> this is to comfort you so you know that your credentials are safe
and
"Warning!!! Account owner that fails to verify his/her account after two weeks of receiving this warning will lose his or her account permanently."
-> This is your typical scare tactic; if you don't do as instructed, your email account will be deleted.



Conclusion

In reality, Windows Live will not send you any emails instructing you to send your password to them so they can verify it is still active. Also, they won't delete your account without a valid reason.

Never reply to these kinds of messages, delete the email and you're good to go.

Tuesday, February 15, 2011

Facebook rogue applications still lurking around


Recently I made a post on Malware Disasters about rogue applications on Facebook.

Here's a small excerpt:

For quite some time now there are rogue applications trying to convince you that you are able to check whoever viewed your profile. There are a lot of different names for this rogue application, some but not all include:


  • creep exterminators
  • catch them being creepy
  • creepy profile peekers
  • privacy bros
  • we catch stalkers


Profile Creeps application



You can read the full article here:
http://malwaredisasters.blogspot.com/2011/02/facebook-rogue-applications-still.html



Conclusion

Conclusion is quite simple: never trust an application on Facebook that promises things that look too good to be true. When things look too good to be true, they probably are ;) .

Always be careful when allowing applications access to your data and/or wall.

Wednesday, February 9, 2011

United Parcel Service notification #82929

Today I received an email with the subject "United Parcel Service notification #82929"

Apparently my order was sent to my home address and now they are sending me an email with additional information. How kind of them :) .



You can supposedly find more information in attachment


The text is mostly the same, here's a small variant:
Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.



There is a file attached called "USPS_Document.zip" Other variants may be: "UPS_Document.zip", "UPS.zip", "UPS-tracking.zip", and so on. In the ZIP archive you will find a file called UPS_Document:


UPS_Document.exe


What stands out here is that the file is no PDF file, as you might think, but is in fact a malicious executable.


UPS_Document.exe
Result: 38/41 (92.7%)
MD5: 047bcd79fa681442b37bdf9b56c2257f


UPS.exe


Result: 17/43 (39.5%)
MD5: a668f20228e37a12bc033f5e2c014007
VirusTotal
ThreatExpert



Other subjects of this email might be:
- United Parcel Service notification #[random number]
- UPS Delivery Problem #[random number]
- UPS notification #[random number]
- United Parcel Service
- Post Express Service. Track your parcel! NR[random number]
- Post Express Information. You need to get a parcel NR [random number]
- UPS ticket #[random number]



Conclusion

You should never trust an email which has:

- only a URL included in the message
- an attachment that you need to open to view 'information'
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- No subject or strange subjects ( eg.: "0 enjoy yourself" )

Never reply to this kind of email, simply delete it and don't look back ;) .

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virusscanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Additionally, if you have executed the file, and believe you are infected, you can follow this guide to remove the malware:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial

Feel free to add any comments if you have any problems or questions.

Tuesday, February 8, 2011

"m28sx" worm: back in business ?


You might remember my previous post about a new Twitter worm called "m28sx" that spreads a fake antivirus (aka rogueware) called Security Shield:

Today I got an email with the subject "HELLoo" and only a link in it. The link ended with m28sx.html.


Different redirects starting at the compromised website


There are 3 redirects before you eventually land on the fake scanner page:

Messagebox alerting you of infections on your system



Fake scan message showing numerous infections



The following file is dropped:

pack.exe
Result: 7/43 (16.3%)
MD5: b7fcca77d20fb5ac43792ad56f6fc75e

The payload is a rogueware called 'Security Shield'.

When executing the dropped file (pack.exe) :

A warning that Security Shield was installed successfully



Security Shield rogueware finding (non-existant) infections



Conclusion

Always be careful when clicking on a URL that you do not recognize or is shortened so you cannot see the real URL. In this case, a website was compromised and the "m28sx.html" was placed. Actually, be careful with ANY URL ;) .

If you do happen to land on one of these rogueware pages presenting you a fake scan of your disks, open Task Manager and end your browser's process.

As an extra note: this one might re-surface again on Twitter, so be on the lookout these days for links that end with "m28sx".


Saturday, February 5, 2011

Scam tactic still active

In a previous post I already warned you about New scam/phishing tactics .

Recently I received a similar email, telling me my Google Earth boarding pass is ready.
Apparently the same guys are back trying their tactic once again.

The subject of the email was
Google Earth Enhancement: Your Boarding Pass is Ready


Email from 'The Earth Team'


Banner urging you to download the 2011 version


The domain where you can 'buy' Google Earth is listed below. Note it might still be active, so be careful with the link(s).

hxxp://earth-online-locations.com
Result: 1/17 (6 %)
Domain Hash: 080a81b600bddf891a7b473e5958ab9f


Conclusion

Basically the same as in my previous post. Simply delete the email and don't look back.

If you really want to download Google Earth, you can download it directly (and for free) from http://www.google.com/earth/index.html