Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware

Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware

Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails.

Using ‘Notification of payment received‘ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC.

More details:

(more…)

Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails

Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails

Over the past 24 hours, cybercriminals have spamvertised millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.

Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit.

More details:

(more…)

Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware

Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware

British users, beware!

Cybercriminals are currently mass mailing millions of emails impersonating the Royal Mail Service in an attempt to trick users into executing the malicious attachment found in the email. Once they do so, the malware opens a backdoor on the targeted hosts allowing cybercriminals to take complete control over the infected PC.

More details:

(more…)

Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit

Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit

Over the last couple of hours, cybercriminals have started spamvertising millions of emails pretending to be coming from HP ScanJet scanner, in an attempt to trick end and and corporate users into downloading and viewing the malicious .html attachment.

Upon viewing, the document loads the invisible iFrame script, ultimately redirecting the user to a landing URL courtesy of the Black Hole web malware exploitation kit.

More details:

(more…)

Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit

Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit

Remember the IRS (Internal Revenue Service) themed malicious campaign profiled at Webroot’s Threat Blog earlier this month?

Over the past 24 hours, the cybercriminals behind the campaign resumed mass mailing of the same IRS email template, exposing millions of users to the threats posed by the social engineering driven campaign.

More details:

(more…)

Beware of Fake Adobe Flash Apps

Beware of Fake Adobe Flash Apps

By Joe McManus

Last week Adobe announced that they would no longer be supporting Flash for Android. Adobe will be removing Flash from the Android Marketplace and users should be wary of fake Flash apps for their Android Devices.  Now to be fair to Adobe, they are not taking flash away from the Android platform but are focusing on the Adobe AIR cross platform runtime environment http://www.adobe.com/products/air.html. The reason Adobe is switching to AIR is to allow app developers to write one program for use on iOS and Android devices.

Let’s look at some of the fake Flash apps for Android that we have seen and what they do. This is just a small sampling; there are too many to highlight them all.

This first app we’ll look at is one of hundreds of premium SMS Trojans being distributed on third party markets that are fake installers for legitimate applications. What they really do is charge for what may or may not be a download of an already free app. The scam works when the user agrees to their ‘Terms’ and the app will send out three SMS messages containing SMS short codes that come with a fee. These messages go to a premium service setup by the malware author and will appear as charges on you phone bill. The charges vary depending on the user’s location but range around $8-12.

This has appeared many times as Flash Player 11, Flash Payer 10, FlashPlayer, etc. Webroot detects them as Android.FakeInst and has been tracking these type of fake installer for over a year; here, here and here.

Our next example is another scam of sorts. It doesn’t charge for anything but will install a bunch of aggressive advertising SDKs that are known to create ad-related notifications, shortcuts and bookmarks. This app requests 24 Android OS and device-specific permissions when, at most, it would need the INTERNET and WRITE_EXTERNAL_STORAGE permissions. The additional 22 permissions are for the ad SDKs. Webroot detects one of the ad SDKs bundled with the app as a Potentially Unwanted Application (PUA) and labels it  Android.Ads.Plankton.B.

Although it does download Adobe Flash for Android after agreeing to their License Agreement it does come with the cost of a bunch of other non-flash related stuff.

This final example is for an app that claims to be Flash Player but really installs an Adobe Flash Icon, that merely opens a browser window full of advertisements. These types of apps are annoying and really are meant to drive web traffic to sites so the developer can receive pay-per-click revenue, and in this case they deceive the customer into thinking they’re getting a known productive app. Like the previous example, this app isn’t malicious, but it’s more deceptive and doesn’t deliver on what it claims, for that Webroot detects Android.DreamStepFlash as a PUA.

Malicious and untrustworthy apps come in many different flavors, and as you can see, Adobe Flash is one that is used to lure unsuspecting users to install. Adobe will continue to release security updates for Adobe Flash and suggests you uninstall if your device is able to upgrade to Android 4.1.

Remember, always choose your apps wisely and download from a trusted source. Check reviews, research the developer and verify permissions requested before downloading.

Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

Think you’ve received an online greeting card from 123greetings.com? Think twice!

Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit.

What’s so special about this campaign? Can we connect it to previously spamvertised campaigns profiled at Webroot’s Threat Blog? Let’s find out.

More details:

(more…)

French Android Users Hit again by SMS Trojan

French Android Users Hit again by SMS Trojan

Earlier this year, the SMS Trojan Foncy was discovered targeting French-speaking Android Users. Now, we’ve come across a new Trojan targeting them using a similar SMS scam.  The app pretends to be an app called BlackMart Alpha, which is already a little shady since it’s used to download apps that may otherwise cost money. This app is not found on Google Play and is not malicious in itself, but the fact that you can’t get it in the Google Play store makes it a prefect target for malware developers to make fake versions of it. Webroot detects this Trojan as Android.SMS.FakeB-Mart.  It works by sending premium SMS messages to two different numbers (81211 and 81038), which have both been involved with scams that add a hefty Euro charge to the victim’s phone bill. In one case, someone was scammed out of €89.85 , or $110.49. Once the malicious app is installed, it looks like the legitimate BlackMart Alpha app, but doesn’t completely load. A pop-up box opens stating that it’s loading with a increasing percentage. This tricks the user into thinking the app is loading while it’s really sending premium SMS messages in the background.

The app deletes any incoming SMS messages from 81211 to hide any confirmation SMS messages.

Being tricked by this fake blackmarket app when trying to download pirated apps could end up being a lot more expensive than just paying for the app from a trusted app market. Another lesson to always install apps from trusted markets.

IRS themed spam campaign leads to Black Hole exploit kit

IRS themed spam campaign leads to Black Hole exploit kit

Recently, cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick tax payers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a Black Hole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit.

More details:

(more…)

Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware

Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware

Cybercriminals have launched yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill.

Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts.

More details:

(more…)

Millions of spamvertised emails lead to W32/Casonline

Millions of spamvertised emails lead to W32/Casonline

Thanks to a mature monetization model introduced by vendors of bogus online gambling software, cybercriminals continue mass mailing millions of emails in an attempt to earn revenue for each and every new installation of the promoted software.

In this post, I’ll profile several prolific spam campaigns attempting to trick users into visiting a bogus web site, and downloading a copy of the potentially unwanted application (PUA) most commonly known as W32/Casonline.

More details:

(more…)