Tuesday, April 24, 2012

You HAVE to check this picture

In today's post, we'll be highlighting an older trick that's being used again by spammers and malware authors.

I received the following mail:


"Excuse me,I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??."


Some other example mails with a similar subject and content:
RE:Check the attachment you have to react somehow to this picture
Hello ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :)))) .

RE:You HAVE to check this photo in attachment man
Hi there ,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.

There are a few more, but I'll stop there. In all cases, you HAVE to check the picture in the attachment; how else can you be sure it's not you in an embarrassing photo ;-) ?

Attached is a file called IMG9837.dat. In fact, an executable with the exact same name is embedded in it:


An Adobe icon is used to trick the user
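The trick above works because the recipient trusts the extension and the icon rather than the file contents. The following is an added example (not code from the original post) of how a mail gateway or a cautious user can check attachments for exactly this: a Windows PE image hiding behind a harmless-looking extension, either as the attachment itself or inside a ZIP. The file bytes are constructed stubs, not the real sample.

```python
"""Flag e-mail attachments that are disguised Windows executables (added example,
not code from the original post). The IMG9837.dat trick is reproduced with
constructed stub files; no bytes below come from the real sample."""
import io
import os
import struct
import zipfile

PE_SIGNATURE = b"PE\x00\x00"
HARMLESS_EXTS = {".dat", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}  # not expected to run

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE

def _members(filename: str, data: bytes):
    """Yield the attachment itself and, if it is a ZIP archive, every file inside it."""
    yield filename, data
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield f"{filename}/{info.filename}", zf.read(info)

def find_disguised_executables(attachments):
    """Names whose extension looks harmless but whose bytes are a PE image."""
    flagged = []
    for filename, data in attachments:
        for name, blob in _members(filename, data):
            if os.path.splitext(name)[1].lower() in HARMLESS_EXTS and is_pe_image(blob):
                flagged.append(name)
    return flagged

def make_pe_stub() -> bytes:
    """Constructed minimal PE-shaped blob: headers only, not a runnable program."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> offset of the PE header
    return bytes(header) + PE_SIGNATURE + b"\x4c\x01"  # Machine = i386

def make_zip(member_name: str, blob: bytes) -> bytes:
    buf = io.BytesIO()  # constructed ZIP wrapping one member (the "embedded" case)
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, blob)
    return buf.getvalue()

SAMPLE_ATTACHMENTS = [  # constructed: disguised PE, real-looking JPEG, PE inside a ZIP
    ("IMG9837.dat", make_pe_stub()),
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    ("pictures.zip", make_zip("IMG9837.dat", make_pe_stub())),
]
```

Calling find_disguised_executables(SAMPLE_ATTACHMENTS) returns both the bare IMG9837.dat and the copy inside pictures.zip, while the JPEG passes; an attachment that honestly calls itself .exe is left to the usual executable policy.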


When executed, this file phones home, or calls back (the term used for malware that connects to a remote address either to receive instructions or to download additional malware), to the following IP: 92.246.166.131


Scan report by IPVoid - http://ipvoid.com/scan/92.246.166.131


In this case, the malware downloads an additional executable called fas.exe. Let's review some more information about both files:


IMG9837.exe
Result: 26/42
MD5: bc3f1b422b01781ad23bd33340ece671
VirusTotal Report
ThreatExpert Report
Anubis Report


fas.exe
Result: 3/41
MD5: 6ffb6ce20915dfb7f723d46fcea87b3f
VirusTotal Report
ThreatExpert Report
Anubis Report


In this case, fas.exe loads one of the known fake defragmenter rogues, for example:


System Defragmenter. This rogueware also hides your Desktop and Start Menu
(picture: bleepingcomputer.com)




Prevention

- Be wary when receiving such emails, even if it's from someone you know.
- Don't open attachments from unknown senders - ever.



Disinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating that you are infected and need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer to rid yourself of this malware:

BleepingComputer's Virus Removal


Conclusion

Pretty simple. Never open any emails from unknown senders, and certainly not attachments.

Keep your antivirus and operating system up-to-date, as well as your applications (for example Adobe and Java)!

Follow the steps above should you have been hit by this spam campaign/rogueware.

Wednesday, April 11, 2012

Hacked Hotmail accounts... and the consequences

It's a trend I'm seeing more and more, even with some of my relatives:

Their Hotmail account gets hacked, and from then on it is used by scammers or malware authors to spread their malicious content.

In almost all cases, you'll receive an email with (No Subject) whose only content is a link pointing to some website. But wait: it seems that all those websites have WordPress (probably an outdated version) installed.

When you click the link, you will be redirected to either a scam/phishing page or scareware/rogueware.
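The pattern described here (no subject, body consisting of nothing but one link, sent from a known contact) is easy to recognise mechanically. The following is an added example, not code from the original post, of a small triage filter for such mails; the messages, sender addresses and URLs are constructed placeholders.

```python
"""Pick out the '(No Subject)' single-link mails that hijacked webmail accounts send.
Added example, not code from the original post; the messages, addresses and
URLs below are constructed placeholders."""
import email
import re
from email import policy

# The whole text body must be one bare http(s) URL and nothing else.
BARE_URL_RE = re.compile(r"\A\s*https?://\S+\s*\Z", re.IGNORECASE)

def is_bare_link_mail(raw: str) -> bool:
    """True when the mail has no subject (or '(No Subject)') and its body is only a URL."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    if subject and subject.lower() != "(no subject)":
        return False
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and BARE_URL_RE.match(body.get_content()) is not None

def suspicious_senders(mails):
    """Count bare-link mails per sender; repeated hits point at a hijacked account."""
    counts = {}
    for raw in mails:
        if is_bare_link_mail(raw):
            sender = str(email.message_from_string(raw, policy=policy.default).get("From", "?"))
            counts[sender] = counts.get(sender, 0) + 1
    return counts

SAMPLE_MAILS = [  # constructed samples: two hijacked-account mails, two legitimate ones
    "From: friend@example.com\nTo: me@example.com\n\nhttp://compromised-blog.example/wp-content/x.php\n",
    "From: friend@example.com\nTo: me@example.com\nSubject: (No Subject)\n\nhttps://another-site.example/\n",
    "From: colleague@example.com\nTo: me@example.com\nSubject: Lunch?\n\nStill on? http://menu.example/\n",
    "From: friend@example.com\nTo: me@example.com\n\nHey, look at http://menu.example/ when you can\n",
]
```

A sender who shows up in suspicious_senders(SAMPLE_MAILS) more than once is a good candidate for the "notify them their account has been hacked" advice further down.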

Either way, you'll first get the following message:


Message you receive when clicking on the link

So let's take a closer look at the two scenarios you get on your plate:

Scenario #1 - scam


Scam page

In scenario number one, you'll be presented with an awesome News page, where you can read several testimonials of how great working from home is.

It also has some fascinating news stories on how to make lots of money by simply sitting at home in comfort. This includes reader comments on the articles; of course, all of it is fake.

If you click on any of the links on this website, you'll be ultimately redirected to - hxxp://internetprofitpacket.com

Administrative Contact:
WhoisGuard
WhoisGuard Protected
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US


UrlQuery Result:
Suspicious
http://urlquery.net/report.php?id=40849

URLvoid Result:
1/25 (4.00%)
http://www.urlvoid.com/scan/internetprofitpacket.com/


Ultimately you land on the following page:


Landing page where you'll need to pay

After paying a small price, you'll get lifetime access to the Internet Profit Package! What an honor!

Obviously, you'll get scammed and your credit card details might get stolen.


Scenario #2 - scareware

As in scenario #1, you'll get the nice message that you got here thanks to your friend.


Seems like you're infected ... right ?

You'll then be presented with a pop-up indicating that critical process activity has been found and a scan will be launched... (I think we all know this one by now):


Fake Explorer window indicating numerous infections

If you click on any button, a file named setup.exe will be downloaded.

In this case, the file was downloaded from:
hxxp://fail-safetylow.info/bb61f9bcec711d56/29/setup.exe

This site and several other rogueware pages are hosted on the IP:
64.120.207.107


Several other rogueware sites are hosted on this IP


We'll now see some more details about the downloaded file:

setup.exe
Result: 5/40
MD5: 8b0c16a50c0bca1eb0b45bd411eb30e5
VirusTotal Report
ThreatExpert Report
Anubis Report

This file drops another executable:

Protector-hfpt.exe
Result: 5/42
MD5: f04cb906356f19a1dbf68c62f162c4e7
VirusTotal Report
Anubis Report


The payload is a rogueware called "Windows Antibreaking System" :


Windows Antibreaking System setup screen



Windows Antibreaking System main screen


Prevention

- Most important of all: use a strong password! You can verify your current password, or create a new one and check its strength, on the following website: http://www.passwordmeter.com

- Second important rule: don't use the same password for each and every website!

- Be wary when receiving such a mail, even if it's from someone you know.

- Use browser extensions to check the reputation of a website or URL before you visit it. Useful add-ons are for example WOT or NoScript.

- Keep your antivirus and browser, as well as your browser add-ons, up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process (the *32 suffix is what Task Manager shows for a 32-bit browser on 64-bit Windows):
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore.exe or iexplore.exe *32


Disinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating that you are infected and need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer to rid yourself of this malware:

BleepingComputer's Virus Removal


Also, if you know the sender personally, notify him/her that they've been hacked and they need to change their password. If you don't know the sender, immediately remove the email.

In Hotmail, you even have a useful option if you know the sender. Open the email, select Mark as and click on My friend's been hacked!


Help your friend by stating (s)he's been hacked


If you happen to have a WordPress website, be sure to update it regularly, as well as any WordPress plugins you may have installed. This page will aid you in the matter: Hardening WordPress



Conclusion

Don't fall for either of these; in both cases you'll lose a lot of money!

Follow the above prevention tips to decrease the chance of your computer becoming infected.

Tuesday, April 10, 2012

Free Riot codes scam



Below you can find a list of confirmed phishing and scam websites. In the conclusion (at the end of this post) you'll find some prevention tips and what to do if your account has been hacked.



Facebook. A social networking place. For some a dream come true, for others a true nightmare. Guess in which category phishers, scammers and malware authors reside?

In today's post we will be highlighting a scam specifically focusing on players of the game League of Legends, an action real-time strategy game developed and published by Riot Games.

The scam page on Facebook in question is:
hxxp://www.facebook.com/pages/Free-Riot-codes/141669939249958

Currently, it already has over 41,000 likes:


More and more people are liking the page, thus might be getting scammed



On YouTube, as well as on Google+ and Twitter, it is -for now- pretty calm: only a few videos and tweets promote this scam:


On Twitter, Google+ and YouTube they are also promoting their website, but not as heavily as on Facebook


Example websites where you can get "free" Riot Points or "free" Riot codes are (ALL FAKE!):


You can +1 it, share it on Facebook, tweet it... share the scam with everyone you like ;-).

The site discussed in this blog post is hxxp://freeriotcodes.com. All you have to do to get your Riot Points for free is to follow these 3 easy steps:

Step 1 - Share it on Facebook
Step 2 - Post the following message once on your wall and 5 times on a Different Game Page on Facebook:
WOW! I just got my League of Legends Riot Code for free! So excited! Thanks hxxp://freeriotcodes.com !
Step 3 - Click "Like and Confirm"

Step 2 in the process - posting on Facebook. In this specific scam, nothing is posted to your wall automatically; you actually have to share it yourself


That's it, 3 simple steps and then you'll be able to download your Riot Points or codes free of charge!

... But wait, there's a timer on the page indicating you'll have to wait before the next giveaway:



Somehow, I got lucky and, through one of the other websites, I was able to visit the download page and acquire my points!

However, ultimately I have to complete a survey to finally download my Riot Points, and I get redirected to several other scams along the way. You can win a smartphone, the new iPad, an iPhone, trendy boots, a MacBook....

In some cases only your phone number is sufficient, in others you'll have to fill in complete information like your full address, email address ...

Some examples of dubious file sharing websites, which also show a pop-up driven by some JavaScript (another survey scam):


There's also a Pastebin link with all the above scam/phishing sites for League of Legends here: League of Legends scam & phishing URLs



Conclusion