• ‘Preferred Seat Order’ leads to malware infection. Patrons of American Airlines (AA) were targetted by online criminals via a surge of spam claiming to be “preferred seat order” email notifications.  Image and text links on the message body, once clicked, led users to Blackhole-Zbot system infections.

  click to enlarge

  This isn’t the first time spammers banked on AA to get clicks to infection sites. Unfortunately, we don’t expect this to be the last.

• US Airways online reservation spam makes a comeback. Similar to the AA campaign above, this spam also disguised itself as a notification email. At the time of discovery and writing, we found that users who click links on its message body were directed to pages where a Blackhole exploit code is housed.

  click to enlarge

  Last known variant of this spam was spotted and documented two months ago.

The GFI Labs Team

• You Know It’s Awkward When…you receive an email notification that claims to originate from LinkedIn, saying you have an event invitation from one of your employees; however, (1) you don’t own a company and (2) you don’t have people under you that you can call “employees.” Furthermore, isn’t LinkedIn Events the latest thing-of-the-past?

  click to enlarge

  Better steer clear from this spam if you don’t want your system to be prodded by exploits.

  Details of this email can be found here.

• “Deb Walden” Gives Chase to User Information.

  click to enlarge

  Online banking clients, be warned: a spam campaign using the names of Chase Bank and its EVP is in the wild. It advises you, the recipient, to verify your online account via an attached file due to “multiple error attempts to access your account online.” For details about this mail, refer here.

  Now before rushing to open the attachment so you can quickly regain full access of your account, first of all, please calm down. Receiving a spam like this is no real indication of any attempt to breach your account, especially if the email lacks any markings of legitimacy from its company of origin. Also, never open nor attempt to share the attached file as it calls back to a phishing site.

• Fake Transaction, Fake Termination. It appears that, out of nowhere, American Express OPEN has aborted a transaction you don’t remember carrying out. The purported email then advises you to check out the detailed version of the notice to find out how this termination occurred.

  click to enlarge

  The detailed notice, however, and all the links on the message body, lead only to a page where a Blackhole Exploit Kit is hosted. If your system is found to be vulnerable, do expect to be alerted by your AV of an attempted Cridex infection. That is, of course, if you have an updated AV installed.

  Spam details here.

• This Fake Verizon Mail Looks the Part but Fails to Deliver.

  click to enlarge

  For one thing, the text in the message body where it’s supposed to communicate the purpose of why the email was sent doesn’t make much sense. Confirmation for what? I should visit my Verizon account page because…?

  What matters here is that recipients should not click any of the malicious links in the message body as they lead to serious system infections.

  More about this campaign here.

The GFI Labs Team

click to enlarge

Once users download and open the attached HTM file, they are redirected to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability.

You can find details of the spam email in this GFI Software Tumblr blog entry.

The GFI Labs Team

Matthew and Robert, two of our researchers in the AV Labs, discovered this upon digging deeper into spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate. Complete email details of these spam have documented in our GFI Software Tumblr site.

The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites.

One of the URLs that the Pony downloader calls back to is a domain served on the IP address 74(dot)91(dot)117(dot)49, which is found to host other malicious files like the Blackhole Exploit Kit 2.0, Medfos (a Trojan downloader that hijacks search results), the Simda rootkit, the WinWeb Security rogue AV, and ZeuS.

The following compromised domains are found to be hosted on the above IP:

• 13(dot)carnovirious(dot)net
• 13(dot)blumotorada(dot)net
• 13(dot)lomerdaster(dot)net
• 13(dot)jonemnominik(dot)net
• 13(dot)zabakarvester(dot)net 

Below is a sample screenshot of one of the compromised sites hosting the fake Google Chrome update:

click to enlarge

And here is a sample screenshot of the malicious IP hosting a fake Adobe Flash Player update:

click to enlarge

When it comes to updating software installed in your systems, it is still best to visit their official websites. Free update checkers, such as the FileHippo program, can also assist users in managing software that needs updating in real-time.

Related posts:

• ADP Spam Campaigns are in the Wild
• This Spam Gives Recipients a Second Chance
• News of Brazil’s Former President’s Death Leads to Malware
• Fake Flash Player Fun

Jovi Umawing (Thanks to Matthew and Robert)

Immediately after the vulnerability is found, Oracle has released its patch. Despite this speedy response from the company, many security experts have already began advising users to just forget the patch and disable Java in their browsers.

Perhaps some users have already made the move of disabling Java entirely, or perhaps some users have opted still to apply the patch. If you belong in the former group, latter group, let this be our reminder to you: Please make sure that you’re downloading the patch straight from the Oracle website and nowhere else because it’s highly likely that what you may be installing onto your system is malware.

The GFI Labs Team

• Fake BBB Complaints Spam Can Unsettle Businesses. This spam lets recipients know that the Better Business Bureau, or BBB, has purportedly received a “complaint of uneasiness” from one of recipient’s clients. Details are deliberately not disclosed in the email body but points to a link recipients can refer to for details. The link does not lead to any details that may shed light on the matter at hand, however; instead, recipients are redirected to a URL where a Blackhole Exploit Kit awaits.

  click to enlarge

  A previous sample of this spam is found to contain a link where an information stealer can be downloaded onto systems.

• Fake EFTPS Spam is Equal Parts Unsettling for Businesses and Workers. If there is probably one thing payroll processors do not want to hear, it’s payroll issues. Receiving a notice from the Electronic Federal Tax Payment System, or EFTPS, that a supposed payroll batch has been declined may cause more than just dissatisfied employees: details and contact links in the email body of this spam lead to a Cridex system infection.

  click to enlarge

• Spammers Lead FedMail ACH Spam Recipients to Cridex.

  click to enlarge

  A hint of urgency in this fake Federal Reserve System email, considering it pretends to originate from the central banking system of the United States, may allow someone to click the link without thinking because, well, it’s “only” an announcement. But when it comes to fooling people via email, one has to understand that the more inconspicuous it might appear or sound on the outside, the more one has to be careful in dealing with it. This spam is no different and must be handled with caution.

Users are advised to mark the above email threats as spam if they’re found in their inbox and then/or simply delete them.

The GFI Labs Team

There are things better left unsaid, and the above is probably floating around near the top somewhere. A scam from a few months ago – fake Chrome update websites leading to Malware – has returned and is currently turning heads.

Click to Enlarge

The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”.

If you attempt to download the file while using Chrome, the following prompt appears quicker than Christopher Nolan can make a movie about it:

GOOD ADVICE, CHROME.

The file itself has been around for a while, being seen on around 14 or so websites since around October and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made is to a site by the Malware is related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog (scroll down to the “data it tries to collect and steal”).

Put simply, you don’t want this anywhere near your computer and users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page. VIPRE Antivirus detects this threat as Trojan.Win32.Cleaman.aj (v).

The malicious spam, this time, poses a question then gives a less-than-stellar answer to it, something criminals are counting on that recipients may simply accept and believe. Well, we better not take their word for it.

Here’s what the email looks like:

click to enlarge

From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend

I’d like to add you to my professional network on LinkedIn.

[Allow button] View invitation from {redacted}

WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?

{redacted} connections could be useful to you

After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:

click to enlarge

This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.

click to enlarge

Like we’ve said before, when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites.

Related posts:

• Fake LinkedIn Mails Lead To Cridex
• New Phishing Campaign Targets LinkedIn Users with Fake Reminders
• Zeus LinkedIn mails still out for delivery

Jovi Umawing (Thanks to the GFI Labs team)

• “Mailbox Upgrade” Email is a Phish. If you’re using Microsoft Outlook or Outlook Express, I’m sure you’re familiar with this kind of email landing in our inboxes, especially if IT has set a limit of how much your inbox can carry.

  click to enlarge

  First off, let me point out two things: one, 20GB of email space is too huge to be believable, and IT normally sets the limit of 2GB; two, IT does not tell their email users to validate anything. What they normally advise is to delete emails or move them to another location to free up space. Users who click the link on the mail is led to a phishing page. Reference here.

• Unsolicited “Adobe CS4 License” Leads to Malware.

  click to enlarge

  I wish there won’t be takers for any outdated Adobe CS4 license any time soon, much less a bogus one.  This leads to a Blackhole-Cridex system infection. Details here.

• Spammers Target Citibank Clients. Citibank credit card users are recently targeted by this spam circulating in the wild, claiming to be their Citi Credit Card statement. Users who click any of the links, unfortunately, may suddenly find their systems infected with the Zbot/ZeuS banking Trojan. More here.

  click to enlarge

If you come across any of these spam emails, it’s best to simply delete them from your inbox.

Stay safe!

Jovi Umawing

Below are our noteworthy email threats for the week of December three to seven:

• Phishers Target Wells Fargo Clients. Emails from banks claiming that they are unable to verify their client details (“Regarding what? Didn’t say, of course.”) and then pointing them to a URL where they can confirm their details online should be treated with disdain and must be banished into the the fiery pits of the Trash folder, never to be seen again. More here.

  click to enlarge

• A Short and Sweet Message from the Department of Investigations can perhaps make anyone’s blood freeze for a second or two due to intimidation. But recipients of this spam must snap out of it quick since the vagueness of the message should set off something in their heads.

  click to enlarge

  Clicking the link on the message body allows users to download Cridex. Details here.

• Amazon eBook Spam in the Wild. It’s back and it’s persistent. Spammers behind this malicious spam haven’t given up on this type of social engineering just yet. Users who click any of the links on the message body may also be infected with Cridex. Check this out here.

  click to enlarge

• Spam Pretends to Come from AICPA. The American Institute of CPAs won’t be happy about the fact that another slew of spam carrying its name is again making rounds in the Web. An earlier variant of this spam, which is found in February of this year, is known to have Blackhole exploit kits and rootkits in tow. This variant, however, has Cridex. Details here.

  click to enlarge

We have also highlighted the following spam we found last week that you may also want to check out:

• Fake PayPal Emails: Windows 8 and Vintage Photo Collections
• Spam gets Socl
• Fake delivery notification gets confused, has nice lie down

Stay safe!

Jovi Umawing