Archive for the ‘Phishing’ Category


New Google AdWords Phish In-the-wild

By Rodel Mendrez • October 4th, 2011 • Phishing


For those of you who have a Google AdWords account, be wary of a new Google AdWords spam campaign we have seen in-the-wild earlier this week. The spam email may use the following subject lines:

Google AdWords: You have a new alert.

Google Team: You have a new alert

Here is an example of the spam email posing as a notification email from Google AdWords.


As you can see in the sample email, the link that appears to point to your AdWords account looks dodgy. But if that obvious sign didn't stop you from clicking the link, you would have been redirected to a Google AdWords phishing webpage.

After entering a username and password, the webpage sends these credentials to the cyber-criminal’s webserver.

The HTTP POST request sent when the user enters their Google account credentials: it delivers the username and password to the phisher's web server.

Of course, once you enter your Google account credentials in the phishing page this will NOT just compromise your Google AdWords account but all your Google services like GMail or Google+ will be affected as well. When you receive these sorts of notification emails, always double check the URL before you click on them – if it looks suspicious, it probably is.


Phishing Scam in an HTML Attachment

By Rodel Mendrez • March 15th, 2011 • Phishing

In a traditional phishing scam, a phisher usually sets up a website with a fake login form imitating a legitimate online service such as a bank, social networking website, auction site or payment processing service. To lure in users, the phisher spams a link to the website through email or instant messaging. Unfortunately for the phishers, modern browsers like Mozilla Firefox and Google Chrome have become quite good at detecting phishing, immediately warning users when a potential phishing site is being opened.

Mozilla Firefox and Google Chrome warning users of a phishing site.

Phishers, however, have found a way to circumvent this anti-phishing protection by attaching an HTML file to the spam email. This avoids the HTTP GET request to a phishing site, and so avoids the browser's block. For example, take a look at these spam samples:

Multiple samples of a phishing spam campaign with an HTML attachment.

The HTML attachment, stored locally, successfully opens in the browser without the user being warned.

Sample of a phishing HTML form targeting PayPal users. The HTML file is saved in a local directory.

When the victims enter their information and click the "Agree and Submit" button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate web server (in one case, Fritolay.com).

Usually, the stolen information is sent to a PHP script on a hacked web server. (Note: we notified Fritolay of the offending PHP file and have observed that it has now been removed.)

The phisher's PHP script then redirects the browser to PayPal's homepage after the stolen information has been submitted. While the POST request sends the information to the phisher's remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity. Months-old phishing campaigns of this kind remain undetected, so the tactic appears to be quite effective. Logically, one would expect the browser to be able to check the URL when it sends the POST request. So what makes this type of phishing tactic harder to detect from the browser's perspective? Here are a couple of reasons:

1. Few of the PHP URLs are reported as abuse. Average users cannot report the URL because no phishing URL is visible to them, unless they are technical enough to view the HTML source code.

2. The URLs are hard to verify as phishing sites.  The URL alone without the accompanying HTML form would be hard to verify as a phish site because the PHP script runs on the server and no visible HTML is displayed after clicking the submit button, other than redirecting the browser elsewhere to the target brand’s homepage.

We have seen an increase in these types of phishing spam campaigns over the last few months. Last month we blogged about a clever phishing campaign targeting Bank of America online users that uses this same phishing tactic. So be wary of HTML attachments included in an email.  If the email seems suspicious, avoid opening the HTML attachment. And if you do happen to open it, be particularly leery of any HTML form requiring you to enter sensitive information.
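As an added defender-side example for this post and the Google AdWords post above (not code from the original articles), here is a standard-library Python scanner that flags both indicators in an HTML body or attachment: a form carrying a password field whose action posts to a remote host, and a link whose visible text names one host while its href points at another. The host names in the comments are placeholders, not campaign data.

```python
"""Flag two phishing indicators in an HTML e-mail body or attachment: a
password form posting to a remote host, and a link whose visible text names
one host while its href points at another (e.g. text "adwords.google.com",
href "lookalike.example"). Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a URL or a bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(text: str) -> str:
    """Lower-cased host of a URL-looking string, else '' (bare hosts allowed)."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    return urlparse(text if "://" in text else "http://" + text).netloc.lower()


class PhishIndicators(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                        # (indicator, detail) tuples
        self._form_action, self._form_has_password = None, False
        self._a_href, self._a_text = None, []     # state of the <a> being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # valueless attributes -> ""
        if tag == "form":
            self._form_action, self._form_has_password = a.get("action", ""), False
        elif tag == "input" and a.get("type", "").lower() == "password":
            self._form_has_password = True
        elif tag == "a":
            self._a_href, self._a_text = a.get("href", ""), []

    def handle_data(self, data):
        if self._a_href is not None:
            self._a_text.append(data)

    def handle_endtag(self, tag):
        if tag == "form":
            remote = urlparse(self._form_action or "").netloc.lower()
            if self._form_has_password and remote:   # credentials leave the page
                self.findings.append(("password_form_posts_to", remote))
            self._form_action = None
        elif tag == "a" and self._a_href is not None:
            shown, real = host_of("".join(self._a_text)), host_of(self._a_href)
            if shown and real and shown != real:
                self.findings.append(("link_text_host_mismatch", f"{shown} -> {real}"))
            self._a_href = None


def scan_html(html: str) -> list:
    p = PhishIndicators()
    p.feed(html); p.close()
    return p.findings
```

Run it over each text/html part and each .htm/.html attachment of a suspect message; a hit on either indicator is a reason to quarantine the message rather than deliver it.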


‘Just applied for my own @facebook.com email account’ Phish Spreading

By Anonymous • March 11th, 2011 • Phishing

There is a new scam making the rounds on Facebook today. This particular scam surrounds Facebook's recently revamped Messaging product, which now gives Facebook users the opportunity to own an @facebook.com e-mail address. In the past, there were scams surrounding the launch of this product, which followed in the footsteps of similar Facebook scams: requiring Facebook users to authorize a rogue application, fill out a survey to earn the scammers referral money, and at the end, redirecting users to http://facebook.com/about/messages

Today’s scam is different – users are now being phished for their Facebook login credentials:

Facebook E-Mail Scam Wall Post

New Facebook Phishing Campaign Spreading


Back to School; Time to Go Phishing

By David Broome • February 23rd, 2011 • Phishing

As university students prepare to go back to their studies this year, their email accounts and personal information are ripe for the picking.

Today we observed phishing emails being sent to tertiary students warning that their passwords have expired, or, in a separate email, that their password will expire within 2 weeks. Both of these emails provide a convenient link to a website that promises to remedy the situation.

The link in the above message points to hxxp://[redacted].cz.cc. The cz.cc domain is a free hosting service that the phishers are using to host their forms.


RapidShare.com – The Phishing Begins

By Yaniv Miron • February 20th, 2011 • Phishing

A few weeks ago, M86 Security Labs discovered how to create a phishing page on RapidShare.com. As most of you probably know, RapidShare is one of the largest file sharing websites, with thousands of users worldwide.

While trying to download a file from RapidShare.com we encountered an error message indicating that the servers were busy.

We decided to test the error message and found that there is an improper input validation vulnerability in the “downloaderror” field.

Below is the original error message from RapidShare:

RapidShare.com Error message – Too many users downloading…

In the following screen, we see a fake phishing message that offers users the opportunity to buy a premium account for RapidShare:

RapidShare.com Fake Error message

A closer look:

For further information, see this demo link:

http://rapidshare.com/#!downloaderror|3|623624|test.avi|723|Too%20many%20users%20downloading%20from%20this%20server%20right%20now.%20Please%20call%201-800-555-fake-premium%20or%20email%20your%20Credit%20Card%20to%20fake@premiumfake.com%20to%20get%20a%20premium%20account%20for%20only%209.95$%20a%20month%20!!!

In addition, we can control all of the “downloaderror” fields. For example, the file folder (623624), the file name (test.avi), and of course the error message.

This type of improper input validation can help malicious attackers create phishing pages within RapidShare.com. A user that receives an email or a link to the malicious phishing page could unknowingly give away credit card information to the malicious attacker either by email or by a phone call.
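A defender-side illustration of the validation that was missing, added here and not RapidShare's own code: it assumes the five-field fragment layout visible in the demo link (code|folder|filename|size|message) and a hypothetical allowlist of messages keyed by error code, so that nothing supplied in the fragment is ever echoed back to the user.

```python
"""Validate a "#!downloaderror|..." URL fragment before anything from it is
rendered. Assumes the five-field layout shown in the demo link
(code|folder|filename|size|message); every field is attacker-controlled."""
import re

# Hypothetical allowlist: the page shows only these fixed messages, chosen by
# error code, so the free-text message carried in the fragment is discarded.
ERROR_MESSAGES = {
    3: "Too many users downloading from this server right now. Please try again later.",
}
# File names: a conservative character set, and never "." or ".." alone.
SAFE_FILENAME = re.compile(r"^(?!\.+$)[A-Za-z0-9._-]{1,255}$")


class InvalidFragment(ValueError):
    """Raised when the fragment does not match the expected schema."""


def parse_download_error(fragment: str) -> dict:
    """Return validated fields, raising InvalidFragment on anything off-schema."""
    if not fragment.startswith("#!downloaderror|"):
        raise InvalidFragment("not a downloaderror fragment")
    parts = fragment[2:].split("|")             # drop the leading "#!"
    if len(parts) < 5:
        raise InvalidFragment("too few fields")
    _, code, folder, filename, size = parts[:5]  # parts[5:] (message) is ignored
    if not (code.isdecimal() and folder.isdecimal() and size.isdecimal()):
        raise InvalidFragment("numeric field is not numeric")
    if not SAFE_FILENAME.match(filename):
        raise InvalidFragment("unsafe file name")
    if int(code) not in ERROR_MESSAGES:
        raise InvalidFragment(f"unknown error code {code}")
    return {"code": int(code), "folder": int(folder), "filename": filename,
            "size": int(size), "message": ERROR_MESSAGES[int(code)]}


def is_valid_download_error(fragment: str) -> bool:
    """Accept/reject wrapper for callers that do not need the parsed fields."""
    try:
        parse_download_error(fragment)
        return True
    except InvalidFragment:
        return False
```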

We contacted RapidShare.com regarding this subject and received a response from the RapidShare Abuse team assuring us that they have fixed the issue.


Malicious Advertisement (or The Ad that stole the Site)

By Anonymous • November 15th, 2007 • Cybercrime, Malware, Phishing

Spyware Sucks published a post about a site hijacked by a malicious advertisement. Once loaded, this advertisement redirects the browser (through 3 other domains) to “malware-scan.com”, a notorious fake anti-malware program.

Once redirected to the site, the browser window is minimized and a new window opens, showing what seems to be a sophisticated online scan. This is, of course, more scaM than scaN, enticing the user to download malicious software. Keeping in mind that this attack is not targeted at computer experts but at ordinary users reveals its danger: the well-formatted site shows convincing graphics, misleading the user into thinking that his machine is infected. Furthermore, the site continuously opens windows asking the user to approve the installation and won't stop until you kill the browser, in the hope that the user will download the file just to get rid of the annoying messages.

Another issue is the loss for the original site from which the ad was served. This could have been even more problematic if for instance the malicious advertisement was redirecting the browser to a phishing site mimicking the original site…

Site owners, choose your Ad provider wisely!

Posted by Golan Yosef


Phishing for Jobs

By Anonymous • August 23rd, 2006 • Cybercrime, Phishing

Ever noticed random job offers spammed to your inbox? They seem to offer easy money, and minimal work. These ‘offers’ usually have the following characteristics:

• They want you to use a bank account.
• They involve transfers of money in and out of the account.
• You are paid a commission on the amount transferred.

Here is an excerpt from a recent job offer:

Job Offer

Sound suspicious? You would be right to think so. The offers are from criminals seeking to use your account to launder their ill-gotten gains. The scam aims to convert stolen personal and financial data into cash, and is often quite elaborate with real looking companies and websites. While the email phishers grab the limelight for stealing your personal data, these guys are in the background putting the stolen IDs to use.

There seem to be distinct commonalities between certain phishing and 'job offer' spam, suggesting that the same people are behind both. The Marshal TRACE team has analyzed job offer spam and discovered several unique traits of message content and style that are shared with phishing spam.

If you sign up to one of these schemes, you’ll become an unwitting collaborator in handling stolen money and goods – a “mule”. Mules help to keep goods flowing through a distribution system, and they insulate the real criminals from the police by making it harder to track financial transactions.

Users should ignore and delete suspicious email job offers. If you get involved in such schemes you may find yourself in trouble with the police.


Man-in-Middle Phishing Attack

By Anonymous • July 14th, 2006 • Cybercrime, Phishing

A first ever case of using a “man in the middle” attack against an online bank was reported recently by Security Fix.

The attack targeted Citibank Citibusiness service and was designed to spoof the token key hardware device used by the bank’s customers. Citibusiness requires customers to use a token in addition to their user name and password. The small hardware device generates an additional password that changes every minute or so.

The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. The "man in the middle" is the phishing site, which submits the data provided by the user to the actual site. If that site generates an error, so does the phishing site, making it look more real. Enter an invalid password, and you get an invalid logon page.

The security industry has long predicted this type of man-in-the-middle attack; it seemed only a matter of time.
