Matthew and Robert, two of our researchers in the AV Labs, discovered this upon digging deeper into spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate. Complete email details of these spam have documented in our GFI Software Tumblr site.

The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites.

One of the URLs that the Pony downloader calls back to is a domain served on the IP address 74(dot)91(dot)117(dot)49, which is found to host other malicious files like the Blackhole Exploit Kit 2.0, Medfos (a Trojan downloader that hijacks search results), the Simda rootkit, the WinWeb Security rogue AV, and ZeuS.

The following compromised domains are found to be hosted on the above IP:

• 13(dot)carnovirious(dot)net
• 13(dot)blumotorada(dot)net
• 13(dot)lomerdaster(dot)net
• 13(dot)jonemnominik(dot)net
• 13(dot)zabakarvester(dot)net 

Below is a sample screenshot of one of the compromised sites hosting the fake Google Chrome update:

click to enlarge

And here is a sample screenshot of the malicious IP hosting a fake Adobe Flash Player update:

click to enlarge

When it comes to updating software installed in your systems, it is still best to visit their official websites. Free update checkers, such as the FileHippo program, can also assist users in managing software that needs updating in real-time.

Related posts:

• ADP Spam Campaigns are in the Wild
• This Spam Gives Recipients a Second Chance
• News of Brazil’s Former President’s Death Leads to Malware
• Fake Flash Player Fun

Jovi Umawing (Thanks to Matthew and Robert)

There are things better left unsaid, and the above is probably floating around near the top somewhere. A scam from a few months ago – fake Chrome update websites leading to Malware – has returned and is currently turning heads.

Click to Enlarge

The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”.

If you attempt to download the file while using Chrome, the following prompt appears quicker than Christopher Nolan can make a movie about it:

GOOD ADVICE, CHROME.

The file itself has been around for a while, being seen on around 14 or so websites since around October and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made is to a site by the Malware is related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog (scroll down to the “data it tries to collect and steal”).

Put simply, you don’t want this anywhere near your computer and users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page. VIPRE Antivirus detects this threat as Trojan.Win32.Cleaman.aj (v).

The malicious spam, this time, poses a question then gives a less-than-stellar answer to it, something criminals are counting on that recipients may simply accept and believe. Well, we better not take their word for it.

Here’s what the email looks like:

click to enlarge

From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend

I’d like to add you to my professional network on LinkedIn.

[Allow button] View invitation from {redacted}

WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?

{redacted} connections could be useful to you

After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:

click to enlarge

This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.

click to enlarge

Like we’ve said before, when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites.

Related posts:

• Fake LinkedIn Mails Lead To Cridex
• New Phishing Campaign Targets LinkedIn Users with Fake Reminders
• Zeus LinkedIn mails still out for delivery

Jovi Umawing (Thanks to the GFI Labs team)

• “Mailbox Upgrade” Email is a Phish. If you’re using Microsoft Outlook or Outlook Express, I’m sure you’re familiar with this kind of email landing in our inboxes, especially if IT has set a limit of how much your inbox can carry.

  click to enlarge

  First off, let me point out two things: one, 20GB of email space is too huge to be believable, and IT normally sets the limit of 2GB; two, IT does not tell their email users to validate anything. What they normally advise is to delete emails or move them to another location to free up space. Users who click the link on the mail is led to a phishing page. Reference here.

• Unsolicited “Adobe CS4 License” Leads to Malware.

  click to enlarge

  I wish there won’t be takers for any outdated Adobe CS4 license any time soon, much less a bogus one.  This leads to a Blackhole-Cridex system infection. Details here.

• Spammers Target Citibank Clients. Citibank credit card users are recently targeted by this spam circulating in the wild, claiming to be their Citi Credit Card statement. Users who click any of the links, unfortunately, may suddenly find their systems infected with the Zbot/ZeuS banking Trojan. More here.

  click to enlarge

If you come across any of these spam emails, it’s best to simply delete them from your inbox.

Stay safe!

Jovi Umawing

We’re starting off this roundup with a quick recap of what has transpired this week.

First off, the US Elections last November 6: As expected, election-related threats have continued to make rounds that day. We won’t be surprised if we continue to see some of them remain in the wild days after winners have been declared, so let’s keep an eye out for that.

This week in the security industry, we have reports of hits and misses, with a security hole found in Google Compare being the latest on the list. Le Reg has the exclusive story on that.

Brian Krebs of Krebs on Security has reported on a zero-day exploit for the latest Adobe Reader being sold for $50,000 in the cybercriminal underground.

Lastly, our friends at F-Secure have released a Q3 2012 report on the ever increasing threats targeting Android smartphone users despite Google’s effort of improving its current security policies.

In the realm of email threats, our researchers in the AV Labs have found some spam and phishing mail samples that we have highlighted below:

1. Malicious New York Division of Unemployment Assistance (DUA) clam spam. The criminals urge the recipient to provide some necessary information for the processing of the said claim. The link on the email body, however, leads to the download of a ZeuS/Zbot variant, a common information stealer. Details here.
2. Malicious airline ticket spam. Recipients of this fake email supposedly from Delta Airlines may find themselves opening a malicious attachment that poses as a plane ticket. Watch out! It’s a rogue AV file. Details here.
3. Malicious iTunes receipt spam. Are you using iTunes? Please be wary, dear Reader, that a new receipt spam making rounds is targeting users. All links on the message body lead to a Blackhole exploit kit. Details here.
4. Malicious spam claiming to be failed deliveries. We have received a handful of those this week, from wire transfers to postal packages. A sample of the former leads users to a Blackhole/Cridex infection and a sample of the latter to a rogue AV infection. Details here and here.

In case you missed it, we have also written about a USAA phishing spam that generally targets military personnel—both active and retired—and their families.

Not every email that ends up in your inbox is safe. It is, therefore, important that we continue to exercise due diligence when handling suspicious emails.

‘Till the next roundup!

Jovi Umawing

This latest find from our researchers in the AV Labs is filed under the “We Found Another Facebook Spam” pile.

Let it be a warning to you, dear Reader, about this mail that purports to originate from Facebook and bears the subject “Verify your account”. It isn’t clear what this verification notice is about unless you read the content of its message body, which says:

click to enlarge

Hi {recipient’s email address},

You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before

Kind regards,
The Facebook Team

(To help clear up the slight confusion in context, “blocked” here may mean that an account has been deactivated, specifically the spam recipient’s; it has nothing to do with blocking search engine from pulling out and displaying the recipient’s Facebook profile if someone does a search of their name, as some sites suggest.)

This is a seemingly potent social engineering tactic to get panicked (if not half-perplexed, half-curious) recipients clicking away. The tactic may probably be not as effective if the recipient normally thinks twice before reacting to such a message.

Clicking any of the links on the email leads users to various URLs that are clearly unrelated to Facebook in any way. We believe that these sites have been compromised, and sure enough, they all redirect users to a very familiar territory:

click to enlarge

Yep, it’s another Blackhole-Zeus-related threat.

Please ignore and delete this Facebook spam if you have it in your inbox.

For real-time email-related findings by our researchers at the Labs, please visit the GFI Software Tumblr page at www.gfisoftware.tumblr.com.

Jovi Umawing (Thanks to the GFI Labs team)

These past few days, our researchers in the AV Labs have been seeing a slew of spam campaigns purporting to have originated from the Automatic Data Processing, Inc., or ADP, a solutions provider to businesses with concerns involving outsourcing and computing services for the auto and heavy equipment industries.

The campaigns, which had been documented in real time, come in a number of varying content and appearance; however, these spam all lead to malware infection. Below are some of the samples we have captured:

click to enlarge

click to enlarge

click to enlarge

Hyperlinks in the spam actually point to URLs that are inherently malicious or probably compromised, which then direct to IP addresses that host a bogus Adobe Flash Player page where users can download an equally bogus software.

click to enlarge

Similar to the Skype voicemail spam we have documented recently, these ADP spam campaigns are also associated with Blackhole-Zeus infections.

When downloading software, make sure that your source domain/page is legitimate. In this case, it is much safer to type in Adobe’s URL on your browser address bar, navigate to the Downloads page, and get the Player from there.

For the latest email threats in the wild, go to our GFI Software Tumblr page at www.gfisoftware.tumblr.com where we post noteworthy, comprehensive, and up-to-date analyses straight from our experts in the AV Labs.

Jovi Umawing (Thanks to the GFI Labs team)

Click to Enlarge

It reads as follows:

Hi there,

You have a new voicemail

Sign in to Skype to listen to the message.

If you no longer want to receive email alerts about new voicemails, unsubscribe now.

Talk soon,
The people at Skype

It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections.  On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts.

Christopher Boyd (Thanks to the GFI Labs for finding this)

US-CERT is a highly esteemed and trusted body of security professionals who tackle cybersecurity issues in the United States. They also work with security vendors to address vulnerability issues. With such impressive credentials, it is possible that some private organizations, including federal, state, and local governments, might have fallen prey to this campaign since they appear to be the targets.

From the US-CERT website: “Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are also being used.

“The subject of the phishing email is: “Phishing incident report call number: PH000000XXXXXXX” with the “X” containing an incident report number that varies.

“The attached zip filed is titled “US-CERT Operation Center Report XXXXXXX.zip”, with “X” indicating a random value or string. The zip attachment contains an executable file with the name “US-CERT Operation CENTER Reports.eml.exe”, which is a variant of the Zeus/Zbot Trojan known as Ice-IX.”

The complete report is found here.

Jovi Umawing

The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare.

Please keep in mind that securing your information, including your social network credentials, is a must. Never unknowingly click links on messages sent over by online contacts. Make sure that they did send messages to you first before doing something; else, it is best if you simply delete them from your message inbox.

Jovi Umawing