Beware Spam With HTML Attachments

by

When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well. But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! […]

Continue Reading »

Blog Comment Spam Points to Drive-By Site

by

I just want to take a moment to thank the malware author who posted a spam comment to the Webroot Threat Blog blog the other day. You guys make my job so easy. The spam comment, which reads Hello. I the beginner. I wish to show to you,scandal story and links to a drive-by download site, is a tremendous help to our researchers, who are always on the lookout for new threats. Of course, the malware distributor could have employed a more effective hook to convince someone to click a link than the one he used. The link claims to […]

Continue Reading »

Ransomware App Asks Victims to Pay a Phone Bill

by

Ransomware is nothing new, but a Ukrainian ransomware Trojan that came over the transom last week demonstrated that the concept of “payment” can extend to services other than banking or finance. In this case, the Trojan (which we and several other AV companies call Trojan-Ransom-Krotten) thoroughly locks down the infected system then demands payment—in the form of credit paid to the Ukrainian mobile phone provider Kyivstar, which the victim then has to transfer to the malware distributor’s account. Yes, Alice, the hacker wants you to pay his cellphone bill. Once the ransomware has taken hold on a victim’s computer, it […]

Continue Reading »

WoW Expansion Beta Likely to Spawn Phishers, Scams

by

Blizzard’s announcement today that they will begin a closed beta-test for the latest expansion pack is likely to generate a lot of excitement among that particularly low breed of online criminals who steal the fruits of other people’s entertainment when they commandeer passwords for other players. While it’s hard to believe that most players of online games aren’t aware of the profusion of phishing sites attempting to steal logins, the problem clearly isn’t going away, so the warnings remain the same: Keep a close eye on your browser’s Address Bar, and make sure you’re really logging into Blizzard’s Web site, […]

Continue Reading »

Chinese Phishers Get On the Fake Codec Bandwagon

by

Malware distributors in China have started pushing the same kinds of fake codec scams on unsuspecting Chinese Web surfers that criminals elsewhere in the world have mastered. I’m not sure how I feel about this. On the one hand, I feel sorry for the Chinese victims, most of whom are probably blissfully unaware of the dangers they now face on the Web. On the other, perhaps this will finally serve as a wake up call to Chinese authorities that they need to do something about homegrown Sino-cybercrime. In the course of investigating some odd-looking URLs (including one which uses the […]

Continue Reading »

“OMG! Vuvuzela banned!” Tweets Infect Followers

by

Malware authors must have a soft spot in their hearts for the long-maligned South African vuvuzela, because once again, the  most annoying noisemaker in World Cup history is driving people to Web sites which push infections down to their computers. This time, people are retweeting the malicious links attached to a message that reads “OMG! Vuvuzela banned!” along with the hashtags #worldcup and #vuvuzelabanned. At last check in Google, references to the malicious links number over 16,000. The tweets use a variety of different link shortening services (including bit.ly, tinyurl.com, is.gd, and dr.tl) to mask the fact that their destination […]

Continue Reading »

Keylogger Poses as Document from Spain’s Central Bank

by

An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents. A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible. The page, designed to mimic closely the appearance of the […]

Continue Reading »

More World Cup Shenanigans: “Anti-Vuvuzela Filter”

by

Someone called my attention today to a Web site selling something called an Anti-Vuvuzela Filter that costs €2.95 to download. Only, it’s a complete fraud. For the twelve other people in the world who haven’t been watching the World Cup matches in South Africa, the Vuvuzela is a South African horn that makes an obnoxious buzzing sound when played. The noise is said to be so irritating that fans have been watching the matches on television with the sound muted so they don’t have to hear the incessant wasp-like drone of Vuvuzela-toting fans inside the stadium. If you haven’t experienced […]

Continue Reading »

Rube Goldberg Trojan Works Hard for the Hijack

by

Money drives the motivation for most cybercrime, but it’s been a while since we’ve seen a criminal try to earn their money by driving traffic to a Web site, rather than just taking your cyberwallet. Some anonymous Trojan creator has taken a bold new approach towards a malware work ethic with his or her new browser hijacker Trojan: It creates an entirely new file suffix, and handling instructions within Windows, so that the new (.nak) file suffix integrates seamlessly into the operating system. The Trojan then replaces just the file suffix on any Shortcut that points to either the IE […]

Continue Reading »

Facebook “Photo Album” Spam Drops Trojans

by

A spammed link campaign that spread through Facebook rapidly over the weekend delivered a malicious payload designed to take control of the Facebook account of any infected user, steal passwords, and hijack clicks in the victim’s browser. The messages appear as links sent by a friend, accompanied by the brain-damaged text “You? I find it on Google.” Clicking the link directs recipients to a page on online-photo-albums.org which, at the time, pointed to malware hosted on a server (now offline) based in Bosnia and Herzegovina. This installer drops no fewer than six payloads, including the “clickjacker” Trojan-Bamital, which redirects the […]

Continue Reading »