Category Archives: Phishing Trojans

Trojan software designed to steal login credentials, either by keylogging or by retrieving saved credentials from the victim’s Registry, browser cache and elsewhere.

Phishing Scheme Targets E-Payment Rule-Maker, NACHA

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20091112_nacha_logoComing on the heels of similar fraud schemes that targeted victims using the names of such familiar institutions as the FDIC, IRS, and HMRC, scammers are trying to get people to infect their own computer using a different organization’s name—one that is probably unfamiliar to most people. NACHA is a not-for-profit association that “oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system.” In other words, they write the rules for the organizations that run the pipes through which money flows between banks and businesses–the circulatory system of the financial world.

In fact, more than 15,000 banks passed 18 billion electronic transactions through the ACH in 2008 alone. ACH is a linchpin in the world’s financial system. But as a rule-making body, NACHA also typically acts behind the scenes, which is why most people who don’t work in the financial services industry probably have never heard of them.

That said, when the world’s largest clearinghouse for transfers of funds between banks supposedly sends you an email like this one, you probably would perk up and pay attention:

20091112_nacha_email

The email’s dire warning: “The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association.”

But it’s a scam, as you probably already guessed.

Continue reading

Lazy Phishers Just Email the Phishing Web Page to You, Now

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20091026_bofa_phish_withatt_cropIt was a particularly busy weekend for spammers, especially the creepy, evil ones who are trying to steal information (as opposed to the merely scungy pill vendors and their ilk). Webroot’s Threat Research team has recently seen a glut of phishing messages which, like most, purport to come from banks and ask you to update your account information. But unlike most phishing messages, which contain a link to a Web site, these phishing messages include an attached HTML file which, in essence, puts the phishing page right on your hard drive.

When launched, the HTML file renders a sparse but effective phishing form in the browser. The pages warn the victim that “This account has been temporarily suspended for security reasons” and ask the victim to “confirm that you are the rightful owner of this account” — by providing the “bank” with a wide range of personally identifiable information they should already have, and never would ask you to provide through a Web-based form in the circumstances described in the message.

20091026_bofa_phish_form_clean_cropThese pages also pull graphics from the banks’ Web sites–activity that, when it comes from a phishing site hosted on a server not belonging to the targeted bank, typically alerts the banks to phishy behavior. Because the graphics are loaded only once, from the desktop of the targeted victim, the banks can’t put a stop to it before it’s too late.

Continue reading

IRS Tax “Warning” Fraud Crosses the Pond, Targets the UK

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20091013_hmrc_phish_page_cropFor several months, we’ve been seeing spam and phishing Web sites which purport to be IRS notifications of delinquent non-payment of income taxes. Who can blame the fraudsters — almost no three letter agency of the US government inspires more dread and fear than good old Internal Revenue.

In the UK, the counterpart to the IRS is called Her Majesty’s Revenue & Customs (or HMRC), even though it is the British government, and not the Queen’s Coldstream Guards, who dutifully stick a fork in the populace to pay up. The income tax filing deadline in the UK (for people who file using paper returns), October 31, is fast approaching. And a stern warning from the Taxman is no laughing matter, no matter where you live. So it was inevitable that we’d see this successful phishing routine repeated elsewhere (and, probably, again as we get closer to the UK’s electronic tax filing deadline, at the end of January).

The phish attempt begins with an email message warning users that they are about to incur penalties for “Unreported/Underreported Income.” In fact, the wording of both the spam email and the phish page are virtually identical on both the IRS and HMRC versions. The email links to a formal-looking Web page, which contains the officious message “Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement.

Of course, the linked file isn’t a tax statement. It’s a malicious executable, just under 90KB in size, named tax-statement.exe. We classify the files as Trojan-Backdoor-Progdav (other vendors call this spy Zbot), a general-purpose smash-and-grab Trojan designed to give the malware’s distributor total control over the infected machine, mainly for the purpose of aiding identity theft.

Continue reading

Shields Up During National Cyber Security Awareness Month

Posted on by

By Mike Kronenberg

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

October is National Cyber Awareness Month

Be suspicious. About email swindles, bogus security products and online scams. I’m not kidding around. You need to pay attention and be diligent, because cyberthreats are lurking everywhere.

What got me thinking about this was President Obama’s proclamation of October as National Cyber Security Awareness Month. He said that all users — not just those in government — have to practice safe computing. The President is taking this seriously. At the start of the month he authorized the Department of Homeland Security to hire 1,000 cyber security specialists over the next three years. The goal for these professionals is to analyze risks, figure out our vulnerabilities and devise cyber-incident response strategies.

The President sounds right on target. For one thing, every unprotected PC (and those without up-to-date security software) is potentially open to attack. If your system is infected with, say, a back-door Trojan, a hacker can grab your passwords, credit card and other account numbers, and increase your risk of identity theft. On top of that, on a national scale, your infected PC can turn into a virtual, brain-dead zombie (what an image!), propagating malicous cyberattacks, and contributing to the damage of the digital infrastructure.

If you’re reading this blog, no doubt you know the obvious ways to bolster your protection: Keep your AV and AS tools updated, double-check that your firewall’s working, check for OS patches, and make sure your wireless router’s WPA is enabled. And with the focus on awareness, you might take a minute and help a novice computer user fortify his or her defenses.

But aside from the usual security tactics, I implement other safeguards on my PC at home and on the family notebook. Read on for a few you can try.

Continue reading

Trojan Decodes Captchas Using Stolen Commercial Tools

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20091002_lanci_captchas_cropA new Trojan quietly circulating in the wild uses components from a commercial optical character recognition (OCR) application to decode captchas, those jumbled-text images meant to help a website discern human activity from automated bots.

The OCR-using captcha breaking tool is just one component of the Trojan. Its main purpose appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns originating in the US, and it uses the OCR-cracking software in order to read the captchas and submit the form entries, on pages where the website presents a captcha to the user.

And this is not just any captcha-cracka, but a Swiss Army Knife of sorts. The maker of the “Advanced Captcha Recognition Engine” tool, based in China, claims that the tool is capable of bypassing more than 30 different captcha systems, including those used by Yahoo, MSN, and some of the largest portal sites and banks in China.

20091002_lanci_tocrprop_cropThe captcha decoding tool itself is a kludge, marrying some bespoke files and components expropriated from an older version of a commercial optical character recognition (OCR) suite called TOCR. The UK-based company that makes the TOCR software, Transym Computer Services, also licenses its components to third parties, though it’s not clear they knowingly have a relationship with the Chinese captcha cracker maker, nor were they aware that parts of their engine was repurposed for sale to Chinese malfeasants. The files appear to have been stolen or pirated, and used without Transym’s knowledge.

Continue reading

One Click, and the Exploit Kit’s Got You

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090918_liberty_effectiveness_cropAfter all the brouhaha surrounding the NYTimes.com website hosting ads which spawned rogue antivirus Fakealerts last weekend, I spent a considerable amount of time looking at so-called exploit kits this week. These are packages, made up of custom made Web pages (typically coded in the PHP scripting language), which perform a linchpin activity for malware distributors. Namely, they deliver the infection to the victim, using the most effective methods, based on parameters which help identify particular vulnerabilities in the victim’s browser, operating system, or applications.

There’s no indication that an exploit kit was used by the attackers in the NYTimes.com incident, but it easily could have gone that way. All an exploit kit needs in order to begin the process of foisting an infection is for a potential victim to visit its specially crafted Web page. The end result is what we call a drive-by download.

According to reports, the code injected into the Times website’s ad calls simply spawned another browser window, which in turn displayed fake alert and virus scan results messages. It wasn’t even a website hack; the site’s ad sales department were fooled into accepting a paid advertisement containing the code.

This time, that browser window was used to trick the site’s visitors into executing, and eventually buying, the rogue product. It could have been far worse.

After spending a day investigating a relatively new package, which calls itself (with a total lack of irony) the Liberty Exploit System, it’s easy to see how something like what was done on the Times website could have led news enthusiasts down a much deeper, scarier rabbit hole.

Continue reading

‘Koobfox’ variant digs for Firefox cookies

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

koobfox_stringsA new variant of the Koobface worm started striking out this week, with a twist: Where the older Koobface would steal and use the cookies saved by Internet Explorer which store social network logins in order to spread its infectious messages in the victim’s name, this new variant is pulling down a tool designed to steal credentials saved by Firefox (in the form of cookies and stored passwords). Users of the Firefox browser were, until now, able to thwart the pernicious spy’s ability to hijack a victim’s social network accounts, because the two browsers store their cookies in different locations, and in different formats.

We got wind of the new variant as we saw the characteristic links spreading through various networks yesterday. In our early tests, the worm exhibited similiar skill at spreading over multiple networks: In addition to Facebook, the MySpace, Hi5, Friendster, Tagged and Netlog accounts we use for testing its behavior were used to spread malicious links, posted either to the victim’s “wall” or status, or as messages sent to all of the account-holder’s friends.

Using a well-documented hack to access the Firefox cookie file, the payload (appropriately named ff2ie.exe) looks for a copy of the file sqlite3.dll on the victim’s hard drive, then uses the functionality of that file to pull social network cookie information from the Firefox cookie database (as shown in the screenshot, above), and write an Internet Explorer cookie containing all that information. With the IE cookie(s) in place, the rest of the Koobface payloads work as they did before.

The worm continues to query the download server for payloads targeting 10 social networking services, but for an undetermined reason, it only delivered six targeted payloads. We also saw that, instead of downloading the executable payloads directly, the worm downloaded installers, each of which place various payloads in the Windows folder, then self-delete.

Continue reading

The WoW Catphishers are Biting

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

cataclysm_youtube_link2_cropThe body’s barely cold from last week’s BlizzCon, but the script kiddies who write phishing kits have been hard at work putting their best foot forward, crafting account-stealing code that targets gullible WoW players who want an early peek at the just-announced Cataclysm expansion. These Catphish pages, linked off of YouTube video postings that offer promises of early, exclusive access to the expansion, lift graphics and design characteristics directly from the pages hosted by Blizzard, the publisher of the WoW franchise.

Unfortunately for the script kiddies making and hosting the pages, they’re making some of the most boneheaded mistakes imaginable.

Take, for example, this page. The creator of this page was so eager to get his l33t phishing site posted on his favorite message board, he forgot to take a close look at what he was including with his phish kit. It includes not only log files containing links to the live site where he’s hosting this phishing scam, but also to a site where he’s hosting another phishing scam intended to steal a promotional code given to WoW fanatics as a bonus after they paid to watch BlizzCon streamed live to their computer.

Continue reading

How Phishers Target WoW Players

Posted on by

By Andrew Brandt, Curtis Fechner, and Grayson Milbourne

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

orc_80_flash_cropYesterday, at the opening of our BlizzCon coverage, we showed you just how commonly phishers target WoW players by posting innocuous-looking links in message board or forums frequented by players. Today, we’ve produced a really short video that shows exactly how someone infects their computer with a phishing Trojan.

As you can see in the video (even through the “censorship”), the page the victim eventually ends up on emulates the appearance of a Flash-video-based porn site. Every single link on the page links to the malware installer, which means that no matter where on the page the victim clicks, he or she is presented with a download dialog box. Check it out.

This simple social engineering trick, so commonly used of late by Koobface to fool social network users, still manages to convince people to execute the malware installer in order to view the video.

We’d all like to take a moment to give one simple piece of advice: If you follow a link and end up on a site you clearly weren’t intending to go to, stop. Don’t download any executable files—and absolutely don’t run any executable files if you happen to download them. If you have to, hit the Alt-F4 keyboard combination to kill the browser right there, but just don’t run anything else.

Misled gamers who download and run the flash “installer” won’t see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials. These infections are often fairly simple in their configuration, though as with all malware there are much more complex versions that can steal the passwords for multiple games.

The installer executable simply drops a DLL file onto the victim’s hard drive, typically to the System32 or another Windows subdirectory. That file performs the keystroke logging, then sends that data to the phisher behind the scam. The installer also modifies the Registry so the DLL loads with every startup.

Keyloggers aren’t the only threats targeting online games. Others include spam phishing-type posts on the public forums for individual guilds, malicious URLs communicated through the in-game chat channels, and even exploits against security weaknesses in Web sites and message boards frequented by members of the WoW playing community.

Continue reading

BlizzCon, Gamers, WoW Trojans, Oh My

Posted on by

By Curtis Fechner and Grayson Milbourne

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090820_wow_ret11k_cropTomorrow morning, Blizzard Entertainment (the publisher of the wildly popular World of Warcraft franchise) will kick off another BlizzCon to show off their latest projects and directly interact with their fanbase. World of Warcraft will likely take center stage at the convention, which has become the venue of choice for Blizzard to unveil their newest expansion pack for the enormously popular online role-playing game.

Here at Webroot we have our fair share of past and present WoW players. So we’re quite tuned in to the malware that plagues WoW and other online games. As the gaming market continues to grow at an amazing rate, so does the real-money value of (and the virtual currency stored in)  game accounts  used in association with those games.

Earlier this summer we shared with our readers the top ways that threats get introduced into online games and the best ways to avoid them. With Blizzcon just hours away, and the WoW servers ramping up for the surge in imminent logons to follow, we thought we’d revisit the issue to ramp up security awareness by sharing some of the more atrocious malware variants we’ve seen hitting the WoW gaming community.

Continue reading