• You Know It’s Awkward When…you receive an email notification that claims to originate from LinkedIn, saying you have an event invitation from one of your employees; however, (1) you don’t own a company and (2) you don’t have people under you that you can call “employees.” Furthermore, isn’t LinkedIn Events the latest thing-of-the-past?

  click to enlarge

  Better steer clear from this spam if you don’t want your system to be prodded by exploits.

  Details of this email can be found here.

• “Deb Walden” Gives Chase to User Information.

  click to enlarge

  Online banking clients, be warned: a spam campaign using the names of Chase Bank and its EVP is in the wild. It advises you, the recipient, to verify your online account via an attached file due to “multiple error attempts to access your account online.” For details about this mail, refer here.

  Now before rushing to open the attachment so you can quickly regain full access of your account, first of all, please calm down. Receiving a spam like this is no real indication of any attempt to breach your account, especially if the email lacks any markings of legitimacy from its company of origin. Also, never open nor attempt to share the attached file as it calls back to a phishing site.

• Fake Transaction, Fake Termination. It appears that, out of nowhere, American Express OPEN has aborted a transaction you don’t remember carrying out. The purported email then advises you to check out the detailed version of the notice to find out how this termination occurred.

  click to enlarge

  The detailed notice, however, and all the links on the message body, lead only to a page where a Blackhole Exploit Kit is hosted. If your system is found to be vulnerable, do expect to be alerted by your AV of an attempted Cridex infection. That is, of course, if you have an updated AV installed.

  Spam details here.

• This Fake Verizon Mail Looks the Part but Fails to Deliver.

  click to enlarge

  For one thing, the text in the message body where it’s supposed to communicate the purpose of why the email was sent doesn’t make much sense. Confirmation for what? I should visit my Verizon account page because…?

  What matters here is that recipients should not click any of the malicious links in the message body as they lead to serious system infections.

  More about this campaign here.

The GFI Labs Team

click to enlarge

Once users download and open the attached HTM file, they are redirected to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability.

You can find details of the spam email in this GFI Software Tumblr blog entry.

The GFI Labs Team

• Fake BBB Complaints Spam Can Unsettle Businesses. This spam lets recipients know that the Better Business Bureau, or BBB, has purportedly received a “complaint of uneasiness” from one of recipient’s clients. Details are deliberately not disclosed in the email body but points to a link recipients can refer to for details. The link does not lead to any details that may shed light on the matter at hand, however; instead, recipients are redirected to a URL where a Blackhole Exploit Kit awaits.

  click to enlarge

  A previous sample of this spam is found to contain a link where an information stealer can be downloaded onto systems.

• Fake EFTPS Spam is Equal Parts Unsettling for Businesses and Workers. If there is probably one thing payroll processors do not want to hear, it’s payroll issues. Receiving a notice from the Electronic Federal Tax Payment System, or EFTPS, that a supposed payroll batch has been declined may cause more than just dissatisfied employees: details and contact links in the email body of this spam lead to a Cridex system infection.

  click to enlarge

• Spammers Lead FedMail ACH Spam Recipients to Cridex.

  click to enlarge

  A hint of urgency in this fake Federal Reserve System email, considering it pretends to originate from the central banking system of the United States, may allow someone to click the link without thinking because, well, it’s “only” an announcement. But when it comes to fooling people via email, one has to understand that the more inconspicuous it might appear or sound on the outside, the more one has to be careful in dealing with it. This spam is no different and must be handled with caution.

Users are advised to mark the above email threats as spam if they’re found in their inbox and then/or simply delete them.

The GFI Labs Team

The malicious spam, this time, poses a question then gives a less-than-stellar answer to it, something criminals are counting on that recipients may simply accept and believe. Well, we better not take their word for it.

Here’s what the email looks like:

click to enlarge

From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend

I’d like to add you to my professional network on LinkedIn.

[Allow button] View invitation from {redacted}

WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?

{redacted} connections could be useful to you

After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:

click to enlarge

This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.

click to enlarge

Like we’ve said before, when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites.

Related posts:

• Fake LinkedIn Mails Lead To Cridex
• New Phishing Campaign Targets LinkedIn Users with Fake Reminders
• Zeus LinkedIn mails still out for delivery

Jovi Umawing (Thanks to the GFI Labs team)

• “Mailbox Upgrade” Email is a Phish. If you’re using Microsoft Outlook or Outlook Express, I’m sure you’re familiar with this kind of email landing in our inboxes, especially if IT has set a limit of how much your inbox can carry.

  click to enlarge

  First off, let me point out two things: one, 20GB of email space is too huge to be believable, and IT normally sets the limit of 2GB; two, IT does not tell their email users to validate anything. What they normally advise is to delete emails or move them to another location to free up space. Users who click the link on the mail is led to a phishing page. Reference here.

• Unsolicited “Adobe CS4 License” Leads to Malware.

  click to enlarge

  I wish there won’t be takers for any outdated Adobe CS4 license any time soon, much less a bogus one.  This leads to a Blackhole-Cridex system infection. Details here.

• Spammers Target Citibank Clients. Citibank credit card users are recently targeted by this spam circulating in the wild, claiming to be their Citi Credit Card statement. Users who click any of the links, unfortunately, may suddenly find their systems infected with the Zbot/ZeuS banking Trojan. More here.

  click to enlarge

If you come across any of these spam emails, it’s best to simply delete them from your inbox.

Stay safe!

Jovi Umawing

Below are our noteworthy email threats for the week of December three to seven:

• Phishers Target Wells Fargo Clients. Emails from banks claiming that they are unable to verify their client details (“Regarding what? Didn’t say, of course.”) and then pointing them to a URL where they can confirm their details online should be treated with disdain and must be banished into the the fiery pits of the Trash folder, never to be seen again. More here.

  click to enlarge

• A Short and Sweet Message from the Department of Investigations can perhaps make anyone’s blood freeze for a second or two due to intimidation. But recipients of this spam must snap out of it quick since the vagueness of the message should set off something in their heads.

  click to enlarge

  Clicking the link on the message body allows users to download Cridex. Details here.

• Amazon eBook Spam in the Wild. It’s back and it’s persistent. Spammers behind this malicious spam haven’t given up on this type of social engineering just yet. Users who click any of the links on the message body may also be infected with Cridex. Check this out here.

  click to enlarge

• Spam Pretends to Come from AICPA. The American Institute of CPAs won’t be happy about the fact that another slew of spam carrying its name is again making rounds in the Web. An earlier variant of this spam, which is found in February of this year, is known to have Blackhole exploit kits and rootkits in tow. This variant, however, has Cridex. Details here.

  click to enlarge

We have also highlighted the following spam we found last week that you may also want to check out:

• Fake PayPal Emails: Windows 8 and Vintage Photo Collections
• Spam gets Socl
• Fake delivery notification gets confused, has nice lie down

Stay safe!

Jovi Umawing

It reads:

You have made an Ebay.com purchase.

Hello [removed],

You sent a payment of $564.48 USD to [removed].

Microsoft Windows 8 Pro Anytime Upgrade
Item# 16 $564.48 USD

Click to Enlarge

Clicking the link in the fake PayPal email will take end-users to the usual round of Cridex / Blackhole URLs. On a similar note, there’s an additional email floating around that claims you purchased 84 copies of “Vintage photo collection sexy college girls 1990s or 2000s”.

Click to Enlarge

Last time we saw this one was back in June where the tally was 23, so I guess the book is really popular. As above, Cridex is the name of the game so be sure to only check anything you’ve ordered by logging into your chosen service (and to be fair, you should have a pretty good idea of whether or not you ordered 84 copies of a “sexy college girls” book).

Christopher Boyd

This week’s email threat roundup is a bit longer than usual since we didn’t get to release one during Thanksgiving week.

What we have below are noteworthy spam samples found and documented by our researchers in the AV Labs in our Tumblr page. Most of the samples not highlighted here are either slightly tweaked variants of the previous ones we’ve highlighted before or persistent recurrences of much older spam. No matter how great or small these spam samples have changed, users still end up with the same system infection of information stealers made possible by malware that exploits unpatched software.

Let’s begin:

•  “Provisionally Withheld for Security Reasons”. Or so they say:

  click to enlarge

  This bogus in-the-wild mail hides behind the name of the FDIC, or Federal Deposit Insurance Corporation. If you’re a client, I suggest you think twice before clicking any links, else you’ll find your system infected with a Trojan that steals banking information called Cridex. More here.

• WU Spam Zeroes in on Agents. This spam is designed not to target Western Union clients but those who attend to them.

  click to enlarge

  Anyone curious enough to check out the attached file will most likely have no idea that they are downloading and executing a ZBOT malware. Details here.

• Look Who’s Posting on Facebook.

  click to enlarge

  If you’re not familiar with the previous spam samples we mentioned above, you’ll probably relate more with this one. Facebook normally sends notices to its users via email, provided those users have this feature enabled for their own accounts. If you have an account and you have allowed Facebook to send you email notifications, please be extra careful when handling this spam. Better yet, just access your account and check out what your friends have been posting. You don’t want Cridex on your system now, do you? Details here.

• “You Have One Secure Message”. If reading that has made you go “Ooh!” and click, I’m contacting Houston.

  click to enlarge

  This is similar to the Key Bank spam we also found not long ago. If you, dear Reader, are not careful with this, you might end up housing a ZBOT variant in your system. Learn more about this spam here.

• Spammers Bank on Southwest Airlines. This probably would have been a good idea; however, avid readers of the GFI Labs blog will likely be more wary of anything related to Southwest Airlines spam. Why? Because we have already exposed more believable and highly effective fake spam (on Facebook, no doubt!) banking on it before (1)(2).

  click to enlarge

  More here.

• eFax Malware. Little do we realize that many businesses and individuals still rely on using the fax on top of the usual email. It is, therefore, no surprise to see spammers targeting this unique group of users.

  click to enlarge

  Email recipients who open the attachment will be infected with ZBOT. Details here.

• Another Unclaimed Parcel. This time, spammers are using FedEx to lure unwary recipients. Here’s what the spam look like:

  click to enlarge

  Clicking the Get Postal Receipt link leads users to websites that host a fake AV similar to this fake UPS spam. Details here.

We’re now in the last month of the year. As such, we must expect an increase in email-related threats with themes that revolve around Christmas, New Year and other concepts that are less festive at this time of year, such as the Mayan Apocalypse.

‘Till the next roundup!

Jovi Umawing

Without further ado, here is the roundup of email threats for November 12 to 16.

• “Congratulations! You and {random name} are now connected!”

  click to enlarge

  This is a spam that purports to have originated from LinkedIn. Once users click any of the links on the message body, they are directed to a website that exposes them to a Blackhole-Cridex infection. Details here.

• State of PayPal Account Modification.

  click to enlarge

  Same as the previous spam, this also leads to a Blackhole-Cridex system infection. Email details here.

• Suspicious Cancellation of American Express Transaction.

  click to enlarge

  This spam targets American Express users, informing them that their money transfer has been aborted for undisclosed reasons. Recipients who click any of the links find themselves infected with Cridex, provided the Blackhole exploit kit has found an unpatched software on their system. Details here.

• Fake Verizon Email are Making Rounds Again.

  click to enlarge

  If you’r a Verizon user, look here. If you click the URL to manage your account, you’ll be infected with Zbot, a popular information stealer.

• Bogus AmEx Spam Encourages You to Check You Fiscal Transaction Statement.

  click to enlarge

  Of course, one can easily fall for this tactic if they see the slick looking email above; however, extra caution is advised. The links on the email lead to websites where the Blackhole exploit can take advantage of vulnerable software on your system. More here.

• DHL Failed to Deliver Your Parcel. Or so It Says.

  click to enlarge

  Recipients of this spam are enticed to download a postal receipt that they can use to claim an “undelivered parcel.” This, however, leads to the download of a fake AV instead. Details here.

By familiarizing yourself with the social lures and tactics used by cyber criminals who employ emails to catch their prey, you are more than likely to avoid them and, in turn, warn others about what these threats are. Prevention, after all, is as important (if not more) than remediation.

Stay informed!

Jovi Umawing

We’re starting off this roundup with a quick recap of what has transpired this week.

First off, the US Elections last November 6: As expected, election-related threats have continued to make rounds that day. We won’t be surprised if we continue to see some of them remain in the wild days after winners have been declared, so let’s keep an eye out for that.

This week in the security industry, we have reports of hits and misses, with a security hole found in Google Compare being the latest on the list. Le Reg has the exclusive story on that.

Brian Krebs of Krebs on Security has reported on a zero-day exploit for the latest Adobe Reader being sold for $50,000 in the cybercriminal underground.

Lastly, our friends at F-Secure have released a Q3 2012 report on the ever increasing threats targeting Android smartphone users despite Google’s effort of improving its current security policies.

In the realm of email threats, our researchers in the AV Labs have found some spam and phishing mail samples that we have highlighted below:

1. Malicious New York Division of Unemployment Assistance (DUA) clam spam. The criminals urge the recipient to provide some necessary information for the processing of the said claim. The link on the email body, however, leads to the download of a ZeuS/Zbot variant, a common information stealer. Details here.
2. Malicious airline ticket spam. Recipients of this fake email supposedly from Delta Airlines may find themselves opening a malicious attachment that poses as a plane ticket. Watch out! It’s a rogue AV file. Details here.
3. Malicious iTunes receipt spam. Are you using iTunes? Please be wary, dear Reader, that a new receipt spam making rounds is targeting users. All links on the message body lead to a Blackhole exploit kit. Details here.
4. Malicious spam claiming to be failed deliveries. We have received a handful of those this week, from wire transfers to postal packages. A sample of the former leads users to a Blackhole/Cridex infection and a sample of the latter to a rogue AV infection. Details here and here.

In case you missed it, we have also written about a USAA phishing spam that generally targets military personnel—both active and retired—and their families.

Not every email that ends up in your inbox is safe. It is, therefore, important that we continue to exercise due diligence when handling suspicious emails.

‘Till the next roundup!

Jovi Umawing