Internet Domain Registry

Monday, 16 May 2011

ACH Spammer switches to Shortened URLs

Posted on 06:41 by Unknown
For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domains in place for a campaign that we have been calling "NACHA Spam".

In this campaign, which we first wrote about in November 2009 (see: Newest Zeus: NACHA Electronic Payments), the criminals send emails claiming that an Automated Clearing House (ACH) payment has failed. It is thought that this may be a way of screening recipients: only people who deal with money transfers regularly would recognize NACHA as the body with authority over ACH payments.

In more recent versions of the campaign, including the one we wrote about in March 2011 (see: More ACH Spam from NACHA), we have seen dozens or even hundreds of newly created domain names used to host the malicious content.

Here's a sample of the email body:

The ACH transfer (ID: 1514969569958), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Rejected transaction
Transaction ID: 1514969569958
Reason for rejection See details in the report below
Transaction Report report_1514969569958.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association

This morning's most popular subjects:

count | subject
-------+--------------------------
159 | ACH payment canceled
144 | ACH transfer rejected
143 | ACH payment rejected
143 | Rejected ACH payment
137 | Rejected ACH transaction
137 | ACH Transfer canceled
135 | Rejected ACH transfer
131 | Your ACH transfer
131 | ACH transaction canceled
130 | Your ACH transaction
(10 rows)

count | sender_email
-------+-------------
135 | risk@nacha.org
134 | alerts@nacha.org
134 | risk_manager@nacha.org
133 | alert@nacha.org
133 | admin@nacha.org
129 | transactions@nacha.org
124 | ach@nacha.org
122 | payment@nacha.org
120 | transfers@nacha.org
117 | payments@nacha.org
109 | info@nacha.org
(11 rows)

The "new" feature of today's spam campaign is that the criminals have begun using URL shortening services to do their redirection. Although this is new for the current campaign, we've seen it before. We wrote a technical report on the subject last fall called URL Shorteners Used by Online Drug Dealers.

So far this morning, we've observed 34 different URL shortening services in play on this campaign:

count | machine
-------+-----------------
116 | 2mb.eu
93 | p1nk.me
92 | 80p.eu
92 | mzan.si
90 | linkr.fr
88 | redir.ec
84 | 2.gp
80 | udanax.org
79 | ks.gs
71 | whir.li
71 | qr.net
70 | TinyBP.com
68 | spedr.com
68 | urlzip.fr
66 | tiny.ly
60 | shortn.me
48 | mx.vc
16 | urli.nl
11 | snipurl.com
6 | shrt.st
3 | gd.is
3 | virg10.com
2 | rurls.ru
2 | zipurl.fr
2 | lu2su.net
1 | nutshellurl.com
1 | surl.hu
1 | icy.tsd.to
1 | squeerl.net
1 | 3cm.kz
1 | tuit.in
1 | tqb.qlnk.net
1 | mi13.tk
1 | minu.me
(34 rows)

Some of these are

A full list of the more than 1,000 shortened URLs we've seen follows. Remember, these are MALICIOUS URLs. Don't go there if you aren't trained to deal with this kind of stuff.

count | machine | path
-------+-----------------+--------------
5 | spedr.com | /4y7SQSmS
5 | redir.ec | /tYvk
4 | snipurl.com | /27vmxz
4 | redir.ec | /EcPZ
4 | TinyBP.com | /15kcx
4 | 2mb.eu | /TUQBY8
4 | udanax.org | /ZPLf
3 | 2mb.eu | /W8Li1F
3 | mzan.si | /GwQm
3 | qr.net | /b4e0
3 | linkr.fr | /rLao
3 | tiny.ly | /dPnJ
3 | TinyBP.com | /53wi
3 | whir.li | /3z7g
3 | spedr.com | /G9mJzD3W
3 | 2mb.eu | /T2mMP3
3 | linkr.fr | /Jw7M
3 | udanax.org | /ZP0F
3 | urlzip.fr | /W0T
3 | 80p.eu | /ip
3 | virg10.com | /6t6
3 | qr.net | /b4ev
3 | 2mb.eu | /fKVGJX
3 | mzan.si | /N56x
3 | shortn.me | /igWl
...
(1080 rows)

(List truncated in the interest of space; the full list of shortened URLs is in the file ACH.shortened.urls.txt.)

While we haven't followed every link, all that we have followed so far redirected to a fake forum page on mnuyspe.co.be (193.105.121.158) where "drive-by" exploits are attempted.
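
The subject/sender tallies and the per-shortener counts above come out of a spam database. The following is an added example, not code from the original post or from the UAB Spam Data Mine: it produces the same two aggregations from raw messages instead, flagging mail that claims to come from nacha.org or carries a double-extension attachment like report_1514969569958.pdf.exe, pulling the URLs out of the flagged mail and counting hits per known shortener host. The four messages in it are constructed samples, and the shortener set is a subset of the 34 hosts listed above.

```python
"""Triage a mail feed for the ACH/NACHA campaign's tells and tally the shorteners.

Added example: not code from the original post or from the UAB Spam Data Mine.
It reproduces the two aggregations the post shows as database output, but
from raw messages: subject and sender counts for mail claiming to come from
nacha.org, and hits per URL-shortener host for the links in that mail. It also
flags the "report_<id>.pdf.exe" double-extension attachment. The four messages
below are constructed samples; the shortener set is a subset of the post's table.
"""
import email
import email.utils
import re
from collections import Counter
from email import policy
from urllib.parse import urlsplit

IMPERSONATED_DOMAIN = "nacha.org"
KNOWN_SHORTENERS = {  # subset of the 34 hosts in the post's table
    "2mb.eu", "p1nk.me", "80p.eu", "mzan.si", "linkr.fr", "redir.ec", "2.gp",
    "udanax.org", "ks.gs", "whir.li", "qr.net", "tinybp.com", "spedr.com",
    "urlzip.fr", "tiny.ly", "shortn.me", "mx.vc", "snipurl.com",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A document extension followed by an executable one. Windows hides the last
# extension by default, so the victim sees "report_1514969569958.pdf".
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|xls|jpg|txt)\.(exe|scr|pif|com|bat)$",
                           re.IGNORECASE)

SAMPLE_MESSAGES = [  # constructed for this example
    "From: risk@nacha.org\nSubject: ACH payment canceled\n\n"
    "The ACH transfer (ID: 1514969569958) was canceled.\n"
    "Transaction Report: http://2mb.eu/TUQBY8\n",
    "From: alerts@nacha.org\nSubject: ACH transfer rejected\n\n"
    "See details in the report: http://redir.ec/tYvk\n",
    "From: ach@nacha.org\nSubject: Rejected ACH payment\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Transaction Report attached, or see http://2mb.eu/W8Li1F\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="report_1514969569958.pdf.exe"\n\n'
    "MZ...\n--b1--\n",
    "From: newsletter@example.org\nSubject: Weekly digest\n\n"
    "Read more at http://www.example.org/digest\n",
]


def sender_address(msg):
    return email.utils.parseaddr(str(msg.get("From", "")))[1].lower()


def plain_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain"
                     and not part.get_filename())


def shortener_hosts(text):
    """Hosts of every URL in text that belong to a known shortener."""
    hosts = ((urlsplit(u).hostname or "").lower() for u in URL_RE.findall(text))
    return [h for h in hosts if h in KNOWN_SHORTENERS]


def triage(raw_messages):
    """Return subject/sender/shortener Counters plus a record per flagged mail."""
    subjects, senders, shorteners, flagged = Counter(), Counter(), Counter(), []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        sender = sender_address(msg)
        # The post's tell is the claimed From: domain; Authentication-Results
        # (SPF/DKIM) would strengthen this but are not checked here.
        impersonates = sender.endswith("@" + IMPERSONATED_DOMAIN)
        double_ext = [n for n in (p.get_filename() for p in msg.walk())
                      if n and DOUBLE_EXT_RE.search(n)]
        if not (impersonates or double_ext):
            continue
        hosts = shortener_hosts(plain_text(msg))
        subjects[str(msg.get("Subject", ""))] += 1
        senders[sender] += 1
        shorteners.update(hosts)
        flagged.append({"from": sender, "shorteners": hosts,
                        "double_ext": double_ext})
    return {"subjects": subjects, "senders": senders,
            "shorteners": shorteners, "flagged": flagged}


def table(counter, label):
    """Render a Counter in the 'count | column' layout the post uses."""
    rows = ["count | %s" % label, "------+------"]
    rows += ["%5d | %s" % (n, key) for key, n in counter.most_common()]
    return "\n".join(rows)


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGES)
    for name in ("subjects", "senders", "shorteners"):
        print(table(result[name], name), "\n")
    print("double-extension lures:",
          [r["double_ext"] for r in result["flagged"] if r["double_ext"]])
```

Run it with no arguments to see the three tables for the sample messages. In a real feed the shortener set would be fed from observations like the table above; the double-extension check is the more durable signal, since the shorteners in use change from campaign to campaign while the lure format has not.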

Wednesday, 4 May 2011

Help stop the Osama bin Laden Videos on Facebook

Posted on 18:15 by Unknown
If you have teenage friends, or friends with poor security practices, you will probably notice that your wall has recently filled up with invitations to watch a video of Osama bin Laden being killed.

The behavior of this particular scam is to cause a link to be posted BY YOU on all of your friends' walls. (There is another popular one going around -- "See Who Viewed Your Profile" -- that behaves in the same way.) Facebook confirms that there is no app that can do that, and encourages us to use the "REPORT" feature when we see it.

If you click the link, many geeky "redirections" (described at the end of the article) happen before you end up on a page offering a "Watch Video" button.

The danger starts if you click "Watch Video". DON'T DO IT!

While it would be interesting to explore the Cross Site Scripting vulnerability that allows this to happen, the more important thing to share is "what should a FaceBook user who sees this activity do about this offending post on their wall?"

Whenever you see something objectionable on your wall, the thing to do is REPORT IT!

Hover your mouse over a message on your wall, and a grey "X" will appear at the top right of the message.

When you click the "X" by the top right corner of the wall post, you are presented with a drop-down menu. We're going to choose the bottom item -- "Report As Abuse".



Since the post is not "about me", we go to the lower section and choose "Spam or scam".

When we click "OK" we get an option to block the user. Since this is an innocent mistake by our friend, we don't want to "block" the friend, so just check the bottom box that says "Report to Facebook." If our friend is the sort of helpless, clueless individual who clicks on everything they see, eventually we would want to block this friend.

We get a nice "Thank you" from our friends at Facebook Security! These reports really help the team: they use them to prioritize what needs to be addressed. If many reports are received for the same link, or about the same user, those things get addressed more quickly. Different types of reports go to different sub-groups, so just because they are busy fighting something like today's scam doesn't mean that they ignore cyber-bullying.

Facebook WANTS YOU to report things that bother you. That's how they keep a clean neighborhood.

Help them help you. REPORT SCAMS!

Then take a moment more and send your friend a friendly message letting them know what's going on. They might want to let the rest of their friends know.

Facebook security has several recommendations, including a couple that I honestly wouldn't have thought of. (I'll put those first.)

  1. Unlike the page which tricked you into showing fake video and report them immediately to Facebook. -- in addition to posting the message to your friends' walls, this tricky Facebook worm causes you to "Like" its page. The more "Likes" a page has, the more people are convinced it's real, so it is helpful to go "UNLIKE" the page. (if you've liked it, it will be a choice on the left side menu.)

  2. If a friend is posting suspicious messages to your wall, they may have malicious software on their computer, or may have clicked something bad themselves. Facebook Help says the best thing to do is tell your friend to contact Facebook Help.

  3. If YOU are the one posting the message, this Facebook Help post is for you: Wall posts were sent from my account, and I didn’t send them. It has helpful hints about anti-virus, not clicking on spam, and how to reset your password.

  4. Have up-to-date anti-virus software

  5. Keep an eye for messages that often feature misspellings, poor grammar and nonstandard English. If it doesn't look like a message your friend would type, REPORT IT! It may be related to malware or a malicious app that is using your friend's account!

  6. Do not open spam mails, including clicking links contained within those messages.

  7. Don’t copy and paste any scripts in your Facebook profile. Several scams have worked by encouraging you to paste something odd in your profile. Some of those scripts install apps, grant permissions, or make you do things you wouldn't want to do!

  8. If you’re using Chrome, make sure you don’t paste any scripts in your browser bar, as the browser tries to preload anything you type in the ‘awesome’ bar.

Geek Alert!

Here's an example stream of what happens if you click one of these links ...
In this case, the link passes through several rounds of redirection, which we can see by doing a "wget" of the destination URL. A "301 Moved Permanently" response carries no page content of its own; it just tells your browser to move on to another web address.

In the top example, the destination URL is tinyurl.com/3b8uayr

wget http://tinyurl.com/3b8uayr
Resolving tinyurl.com... 64.62.243.89, 64.62.243.90
Connecting to tinyurl.com|64.62.243.89|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://zamakoko.mo.tl/ [following]
--19:51:27-- http://zamakoko.mo.tl/
=> `index.html'
Resolving zamakoko.mo.tl... 174.122.44.67
Connecting to zamakoko.mo.tl|174.122.44.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://on.fb.me/jM9tNF [following]
--19:51:47-- http://on.fb.me/jM9tNF
=> `jM9tNF'
Resolving on.fb.me... 168.143.174.97
Connecting to on.fb.me|168.143.174.97|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.facebook.com/pages/0sama-tape/121566207922629 [following]
--19:51:59-- http://www.facebook.com/pages/0sama-tape/121566207922629
=> `121566207922629'
Resolving www.facebook.com... 69.63.189.16
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.facebook.com/common/browser.php [following]
--19:52:05-- http://www.facebook.com/common/browser.php
=> `browser.php'
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 11,771 --.--K/s
19:52:24 (1.40 MB/s) - `browser.php' saved [11771]

Which leaves us sitting on Facebook's /common/browser.php page. That last 302 is most likely Facebook bouncing the unrecognized wget client to its unsupported-browser page; a real browser would land on the 0sama-tape page itself.
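
The same chain traced programmatically, as an added example that is not code from the original post. It automates what the wget run does by hand, following each 301/302 Location header and recording every hop, with three changes that matter when the link is hostile: it sends HEAD requests only, so no page body (and no exploit kit content) is downloaded; it caps the hop count and detects loops, so a shortener that bounces forever cannot hang the tool; and it sends a browser-like User-Agent (an arbitrary choice, assumed here) so the destination does not divert the tracer the way Facebook diverted wget. The fetcher is injectable; the SIMULATED_CHAIN table reproduces the hosts and statuses from the wget output so the logic can be exercised offline without contacting anything (the last Location is written in relative form to show the urljoin handling).

```python
"""Trace a redirect chain hop by hop, without fetching or rendering any page.

Added example: not code from the original post. It automates what the wget run
above does by hand, following each 301/302 Location header and recording every
hop, with three changes that matter when the link is hostile: HEAD requests
only, so no page body (and no exploit) is downloaded; a hop cap and loop check,
so a shortener that bounces forever cannot hang the tracer; and a browser-like
User-Agent (an arbitrary choice) so the destination does not divert the tool to
an "unsupported browser" page the way Facebook diverted wget. The fetcher is
injectable; SIMULATED_CHAIN reproduces the hosts and statuses from the wget
output so the logic can run offline without contacting anything.
"""
import http.client
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"


def http_head(url, timeout=10):
    """One HEAD request; returns (status, Location header or None)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("refusing non-http(s) URL: %r" % (url,))
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path,
                     headers={"Host": parts.netloc, "User-Agent": USER_AGENT})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_chain(url, fetch=http_head, max_hops=10):
    """Return [(status, url), ...] for every hop, final landing URL included."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:
            raise RuntimeError("redirect loop at %s" % url)
        seen.add(url)
        status, location = fetch(url)
        hops.append((status, url))
        if status not in REDIRECT_STATUSES or not location:
            return hops
        # Location may be relative (RFC 7231 allows it); resolve it against
        # the URL that issued the redirect.
        url = urljoin(url, location)
    raise RuntimeError("gave up after %d hops" % max_hops)


# Offline stand-in for http_head: the hosts and statuses from the wget output.
SIMULATED_CHAIN = {
    "http://tinyurl.com/3b8uayr": (301, "http://zamakoko.mo.tl/"),
    "http://zamakoko.mo.tl/": (301, "http://on.fb.me/jM9tNF"),
    "http://on.fb.me/jM9tNF":
        (301, "http://www.facebook.com/pages/0sama-tape/121566207922629"),
    "http://www.facebook.com/pages/0sama-tape/121566207922629":
        (302, "/common/browser.php"),  # relative form, to exercise urljoin
    "http://www.facebook.com/common/browser.php": (200, None),
}


def simulated_fetch(url):
    return SIMULATED_CHAIN[url]


def format_chain(hops):
    """One line per hop, in the order a browser would visit them."""
    return "\n".join("%3d  %s" % hop for hop in hops)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live trace of the URL given on the command line
        print(format_chain(follow_chain(sys.argv[1])))
    else:                  # no argument: replay the post's chain offline
        print(format_chain(follow_chain("http://tinyurl.com/3b8uayr",
                                        fetch=simulated_fetch)))
```

Run with no arguments to replay the chain offline, or pass a URL to trace it live. Do the live trace from an isolated host: even a HEAD request tells the shortener operator that the link was clicked, and some sites return different Locations to different User-Agents, so the chain you record may not be the one a victim's browser sees.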
