Monthly Archives: August 2009

The WoW Catphishers are Biting

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

cataclysm_youtube_link2_cropThe body’s barely cold from last week’s BlizzCon, but the script kiddies who write phishing kits have been hard at work putting their best foot forward, crafting account-stealing code that targets gullible WoW players who want an early peek at the just-announced Cataclysm expansion. These Catphish pages, linked off of YouTube video postings that offer promises of early, exclusive access to the expansion, lift graphics and design characteristics directly from the pages hosted by Blizzard, the publisher of the WoW franchise.

Unfortunately for the script kiddies making and hosting the pages, they’re making some of the most boneheaded mistakes imaginable.

Take, for example, this page. The creator of this page was so eager to get his l33t phishing site posted on his favorite message board, he forgot to take a close look at what he was including with his phish kit. It includes not only log files containing links to the live site where he’s hosting this phishing scam, but also to a site where he’s hosting another phishing scam intended to steal a promotional code given to WoW fanatics as a bonus after they paid to watch BlizzCon streamed live to their computer.

Continue reading

How Phishers Target WoW Players

Posted on by

By Andrew Brandt, Curtis Fechner, and Grayson Milbourne

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

orc_80_flash_cropYesterday, at the opening of our BlizzCon coverage, we showed you just how commonly phishers target WoW players by posting innocuous-looking links in message board or forums frequented by players. Today, we’ve produced a really short video that shows exactly how someone infects their computer with a phishing Trojan.

As you can see in the video (even through the “censorship”), the page the victim eventually ends up on emulates the appearance of a Flash-video-based porn site. Every single link on the page links to the malware installer, which means that no matter where on the page the victim clicks, he or she is presented with a download dialog box. Check it out.

This simple social engineering trick, so commonly used of late by Koobface to fool social network users, still manages to convince people to execute the malware installer in order to view the video.

We’d all like to take a moment to give one simple piece of advice: If you follow a link and end up on a site you clearly weren’t intending to go to, stop. Don’t download any executable files—and absolutely don’t run any executable files if you happen to download them. If you have to, hit the Alt-F4 keyboard combination to kill the browser right there, but just don’t run anything else.

Misled gamers who download and run the flash “installer” won’t see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials. These infections are often fairly simple in their configuration, though as with all malware there are much more complex versions that can steal the passwords for multiple games.

The installer executable simply drops a DLL file onto the victim’s hard drive, typically to the System32 or another Windows subdirectory. That file performs the keystroke logging, then sends that data to the phisher behind the scam. The installer also modifies the Registry so the DLL loads with every startup.

Keyloggers aren’t the only threats targeting online games. Others include spam phishing-type posts on the public forums for individual guilds, malicious URLs communicated through the in-game chat channels, and even exploits against security weaknesses in Web sites and message boards frequented by members of the WoW playing community.

Continue reading

BlizzCon, Gamers, WoW Trojans, Oh My

Posted on by

By Curtis Fechner and Grayson Milbourne

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090820_wow_ret11k_cropTomorrow morning, Blizzard Entertainment (the publisher of the wildly popular World of Warcraft franchise) will kick off another BlizzCon to show off their latest projects and directly interact with their fanbase. World of Warcraft will likely take center stage at the convention, which has become the venue of choice for Blizzard to unveil their newest expansion pack for the enormously popular online role-playing game.

Here at Webroot we have our fair share of past and present WoW players. So we’re quite tuned in to the malware that plagues WoW and other online games. As the gaming market continues to grow at an amazing rate, so does the real-money value of (and the virtual currency stored in)  game accounts  used in association with those games.

Earlier this summer we shared with our readers the top ways that threats get introduced into online games and the best ways to avoid them. With Blizzcon just hours away, and the WoW servers ramping up for the surge in imminent logons to follow, we thought we’d revisit the issue to ramp up security awareness by sharing some of the more atrocious malware variants we’ve seen hitting the WoW gaming community.

Continue reading

Koobface: Not Just for Facebook, Anymore

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

smalltweet_obsThe latest generation of Koobface targets its particularly effective brand of social engineering at more social networks than ever. As the worm has evolved, we’ve seen it grow to encompass a pantheon of services, targeting more than just the widely publicized Facebook, MySpace, and Twitter, but a host of other Web sites where people meet and (apparently) post links of funny videos for one another to watch.

To illustrate how pervasive the worm has become at propagation, we put together the video below. (And no, you don’t need to download some random codec to watch it, just Flash.) If you’ve got two minutes, check it out, but to get the best view, maximize the video window first (click the little “X” next to “vimeo” in the lower-right corner):

For our test, several members of Webroot’s Threat Research team created profiles on the social networks Koobface attempts to infiltrate, logged into those accounts on test computers, then executed the worm’s main installer application.

The worm checks to see which sites among the ones it targets that you’ve logged in to, and downloads specific payloads for each social networking site it targets. That makes sense: Each of those social networks has its own distinct user interface, which the payload targeting that site interacts with. But the sites all have one thing in common: They all permit members to send one another messages containing hotlinked URLs. And that’s what Koobface is best at: Propagating itself by sending links. Nothing surprised us more than finding that we could actually watch the worm interacting with the interface, filling in forms and clicking buttons, as we stared at the screen. Continue reading

Rogues Impersonate Google, Firefox Security Alerts

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090807_warningIn the past week, we’ve begun to see new fakealerts — those disturbingly effective, entirely bogus “virus warning” messages — that appear to impersonate the appearance and text of legitimate warning dialogs you might see while surfing with the Firefox browser, or searching Google. The dialog, in a stern, red dialog box on a gray background, reads “Warning! Visiting this site may harm your computer!” — a dialog that appears to be designed to evoke the look of a Google’s Safe Browsing advisory as displayed in Firefox.

Cast as a kind of split between a warning message and a clickwrap agreement, the text of the dialog box reads “This web site probably contains malicious software program, which can cause damage to your computer or perform actions without your permission. Your computer may be infected after visiting such web site. We recommend you to install (or activate) antivirus security software.”

At the bottom of the dialog box, two buttons, labeled “Continue Unprotected” and “Get security software” are preceded by the sentence “I do realize that visiting this site can cause harm to my computer.” I’d give them points for honesty, but I’d rather not give them points for anything.

Nothing happens when you click the “Continue Unprotected” button, and I’ll give you one guess what happens next when you click the “Get security software” button.

Continue reading

Steam Users Targeted by Phishers

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090804-steam-picA phishing campaign that started around the beginning of the year, targeting gamers who use Valve Software’s Steam network, continues unabated but with a twist: The phishers have registered dozens of domain names, such as trial-steam.tk or steamcommunity###.tk (where the ### can be a two or three digit number), which are used to host the phishing pages. The pages appear to be a “Steam Community” login page which looks identical to Valve’s Steam Community Web site.

There are a few ways you can quickly identify whether you’re on the right page, or a fake. For one, the real Steam Community page is a secure HTTP page, so you should see the “https” in the address bar, and the lock icon in the corner of the browser window. By clicking on this icon, you can view the valid security certificate information, which clearly shows that the site is owned by Valve.

Another way you can tell that you’re on the correct Steam login page is to try using the “Select your preferred language” dropdown at the top of the window to change to any language other than English. If you’re on Steam’s page, the language will change; If you’re on the phisher’s page, it simply refreshes and remains set to English, no matter which language you pick. Also, the real Steam page features a cartoony graphic of “players” chatting amongst themselves which changes periodically. The phishers’ pages always have the same static graphic, shown above.

Read on for some additional details.

Continue reading