Tuesday, July 31, 2012

London Olympics Email Scams (updates)

In light of the popularity of the Olympics, and knowing that scammers will come out of the woodwork to take advantage of the event, we are continually monitoring for Olympic scams and maliciousness, no matter how unsophisticated. And so far, unsophisticated has been exactly what we have been seeing.

Here is an example of the standard sort of Olympics "lottery" pitch that we are seeing from the scammers over email:

Scam attachment


Below are a few updates for what we are currently seeing today:


Received: from [216.172.135.113] by web5710.biz.mail.ne1.yahoo.com via HTTP
From: Lottery Draws Notice [websjod@gmail.com]
Reply-To: internetaward166@gmail.com
Subject: View The E-Mail Attachment And Contact Your Claim Agent
Body: KINDLY OPEN THE ATTACHED FILE
Attachment: 2012 London Olympics Lottery Draws Notice.doc
Scammer email to send data: internetaward166@gmail.com

--

Received: from [173.245.64.182] by web180804.mail.gq1.yahoo.com via HTTP
From: London Olympics 2012 [bolympics111@gmail.com]
Reply-To: London Olympics 2012 [lon2012.0lympics@london.com]
Subject: Read the Attached Letter
Body: Read the Attached Letter
Attachment: LONDON OLYMPICS LOTTERY.pdf
Scammer email to send data: lon2012.0lympics@london.com

--

Received: from [209.73.132.40] by web5717.biz.mail.ne1.yahoo.com via HTTP
From: LONDON 2012 OLYMPICS LOTTERY [smithed2012@gmail.com]
Reply-To: 2012lonolympicsgames@london.com
Subject: Congratulation
Body: INTERNATIONAL PROMOTIONS LONDON 2012 OLYMPICS LOTTERY
Attachment: LONDON 2012 OLYMPICS 1-1.doc
Scammer email to send data: 2012lonolympicsgames@london.com

--

Received: from smtpout.telepacific.net ([208.57.218.234])
From: "Very.co.uk"[account@very.co.uk]
Subject: Account Bonus for Olympics 2012
Body: Dear Customer, Here is a notification that your account is due to be credited. Click on My Account below to accept this offer and also get a discount for the Olympics 2012.
Link: hxxp://contabilidadpymes.cl/images/login/en/index.html
This is a phishing page for very.co.uk online shopping site.

Very.co.uk phish page using Olympics as a driver

--

Received: from [67.195.23.211] by web184804.mail.gq1.yahoo.com via HTTP
From: LONDON OLYMPICS 2012 INTERNET LOTTERY ANNIVERSARY [i.olympic2012@london.com]
Reply-To: LONDON OLYMPICS 2012 INTERNET LOTTERY ANNIVERSARY [revgraigjon01@gmail.com]
Subject: You have won from London Olympic 2012
Body: Open the attachment
Attachment: LONDON OLYMPICS 2012.doc
Scammer emails: revgraigjon01@gmail.com, unclaimrevgraig@consultant.com

--

Received: from User ([217.16.182.244]) by redwood-mtg.com
From: "Mrs. Linda Joseph"[webinfo66@yahoo.com]
Subject: London 2012 Olympics Lottery Winner
Return-Path: webinfo66@yahoo.com
Body: basic scam email asking for victim banking info to be returned in order to claim winnings (summarized due to length)
Scammer email: webinfo66@yahoo.it

--

In addition to these, I’ve seen reports of scams using image files (e.g., JPGs) to bypass content inspection checks (a common practice among scammers/spammers), containing the same sort of instructions for victims to send their banking information in order to claim their winnings.

In addition to scams, we have seen everything from gambling sites, online shops, TV/streaming services, news / social media sites, and even a florist sending email promotions using the Olympics as a marketing driver.

I will make updates to this post with anything new that I see over email throughout the Olympics; additionally, I will make a separate post on the web angle.

Saturday, July 28, 2012

London Olympics: Stay away from scams, data theft and phishing

The Summer Olympics in London have kicked off and cyber criminals, spammers and data thieves are wasting no time, capitalizing on Olympic related scams. Currently, the volume of websites selling bogus Olympic tickets is on the rise. These sites normally propagate their campaigns through unsolicited ad banners, popups, social networking sites and email messages. Let us examine one such site in detail.

This bogus site is liveolympictickets(dot)net, which also has a Facebook page as shown below:





The website claims to sell official tickets for the London Olympics. As you can see from the screen shots below, they have tried to retain the same aesthetics as the official London 2012 site: [http://www.london2012.com/]. This bogus site allows you to add items to your shopping cart, checkout and pay using a credit card. It works just like any other normal ecommerce website.


The site also has external links which redirect to other websites that have the same kind of bogus tickets offers. Some of these sites include pay-per-click scams.



Let us try to examine what is happening in the background. When you type in your personal details such as email, address, phone no. etc., they are sent in plain text (no encryption). The same applies when credit card details are sent, exposing them on the network.



These websites do not have adequate security mechanisms in place; visiting them and entering private information could lead to information leakage or theft. This website is just a needle in the haystack: there are numerous such sites which try to market fake promotions, live streaming or tickets.


Stay away from these websites. The official London Olympics site maintains a list of websites which are known to sell fake tickets; check it before buying any tickets: [http://www.london2012.com/spectators/tickets/ticket-checker/].

If you are concerned about the legitimacy of a website, Zulu, Zscaler's cloud based URL risk analyzer, can be used to check for malicious/spam/phishing sites etc. Visit [http://zulu.zscaler.com] for more information.

Friday, July 27, 2012

London Olympics 2012: Prime time for spammers


Spammers love major events as they present an opportunity to social engineer victims with content that they’re likely to be interested in. The Olympics represent a golden opportunity for spammers – the world’s largest sporting event, that will draw a global audience for the next two weeks. As such, we expect to see a plethora of Olympic related scams, which are already beginning to emerge.
Below is an example of an email message that has been circulating that is essentially an Olympic themed version of the ever-popular Nigerian 419 email scam.

From: LONDON 2012 OLYMPICS LOTTERY PROMOTION [mailto:johnwilliamsa2011@gmail.com]
Sent: 15 July 2011 01:09 PM
To: undisclosed recipients:
Subject: CONGRATULATION!

PLEASE OPEN THE ATTACHED FILE

LONDON 2012 OLYMPICS LOTTERY PROMOTION!

The London 2012 Olympics lottery is proud to inform you that you have won £1,950,000.00 GBP (One Million Nine Hundred and Fifty Great Britain Pounds) why you have won? Your e-mail address is one of 15 lucky addresses who have won in the monthly promotion.

We wish to congratulate you on your victory; winners shall be paid in accordance with his/her settlement center. Stated below are your identification numbers:
Batch number: 18/006/1094/lipda/sl,
Reference number: lli/240142/011,
Pin: 2012, file number: flie//5612/1364.
Security code: olylon2012,

FILL THE DETAILS REQUESTED:

1. YOUR FULL NAME………………………………………...
2. YOUR COUNTRY NAME………………………………….
3. MOBILE NUMBER…………………………………………
4. OCCUPATION………………………………………………
5. FAX NUMBER………………………………………………
6. PASSPORT COPY OR ID…………………………………
7. BATCH NUMBE…………………………………………..
8. REFERENCE NUMBER……………………………………
9. PIN NUMBER……………………………………………….
10. FILE NUMBER……………………………………………..
11. SECURITY CODE………………………………………….
12. DATE OF BITH……………………………………………. .

The London 2012 Olympics lottery team, whereby all winners are selected computer ballot draws or server, this email draw or server visits all internet providers and email address around the globe, be it COM, ORG, NET, AOL and all country based web abbreviations, as you have .CA in Canada and .UK in United Kingdom and AOL in USA .ZA in South Africa and India .IN

Remember, you must contact your claim agent Mr. Richards Lord by email or through his office telephone number to make your claim of this great winning prize known to him, with the above requested information.

CONTACT YOUR CLAIM AGENT IN LONDON, UNITED KINGDOM.
MR. RICHARDS LORD
TELEPHONE PHONE: +44 703 174 9631
EMAIL: londonolympic_2012@hotmail.com

You have to note that the London 2012 Olympics Lottery is creating awareness of the Olympics sprit around the world, which is to be host in United Kingdom.

Online Lottery’s Operator, works in collaboration with the London 2012 Olympics Board to ensure that the most effective service is offered to the Lottery winners - within the responsible gaming framework at all times.

MRS. LINDA ROSE.
PROMOTION MANAGER.
LONDON 2012 OLYMPICS LOTTERY AWARD.
COUNTRY: UNITED KINGDOM.

Sample-1


The message is a perfect example of a 419 scam. It asks for personal information and informs you that you’re the recipient of a tremendous financial prize. Below is yet another example.

From: LONDON 2012 OLYMPICS PROMOTION [mailto:uk2012olympics@london.com]
Sent: 01 March 2012 11:49 PM
To: undisclosed recipients:
Subject: 2012 LONDON OLYMPICS E-MAILSSELECT PROMOTION

Head Office
London 2012
One Churchill Place
Canary Wharf
London E14 5LN

LONDON OLYMPICS EVENT AWARENESS AND PROMOTION COMPANY.

2012 London Olympics lottery draw notice 
This is to inform you that London Olympics event awareness and promotion companyand London 2012 summer Olympics Organizing Committee (LSOOC) here in London (U.K), has held an Internet Raffle Draw among all internet e-mail users, and your e-mail address was among the 10,000,000.00 (Ten million) e-mail addresses that was picked by the computer during the Second Quarter Raffle Draw (SQRD).

We are therefore with great pleasure, to notify you that your e-mail address once again, happened to come out top number (1) out of the 10,000,000.00.(Ten million) e-mail addresses on the final ballot draw.

 Please note that this has made you the jackpot winner of the sum of GBP£ 1,000,000.00 (One Million British Pounds) and free entrance tickets to watch the games live in London. 

Be aware that this Internet Raffle Draw (IRD) was organized by  London Olympics event awareness and promotion company.and London 2012 summer Olympics Organizing Committee (LSOOC), to create awareness to the world, as England is finalizing their preparation for the hosting of the 2012 summer Olympics.

BELOW ARE YOUR WINNING DETAILS:
COMPUTER DRAW NUMBER: 177
EMAIL CODE NUMBER: TTYEEWSSE2211775643000
FINAL JACKPOT NUMBER: 0001
SN: 2012 / LSOOC / LOC / UK 
WINNING INSURANCE POLICY NUMBER: JJA23UK
WINNING FUNDS INSURANCE COMPANY: NFU MUTUAL LONDON
REFERENCE NUMBER: EAASL/941OY1/04
BATCH NUMBER: 12/27/Du34
WINNING NUMBER: 3

Note that this program is being sponsored by below listed U.K companies:
1. Vodafone company U.K Limited
2.Fenchurch communications U.K Limited
3.Business mobile U.K Limited
 Mr. Kuash Behler, Our First Quarter Winner of
GBP£ 2,500,000.00 from Amsterdam, Holland.

Our Second Quarter Winner Mrs. Ali Fatima from Nepal receiving her winning cheque of GBP£1,000,000.00 also on the picture is her husband and friends rejoicing
\With them.

 Congratulations from all our staff, we also extend our thanks to the Sponsors for being part of our awareness and promotional program.
PRIZE CLAIMING INSTRUCTION:

YOU ARE HEREBY NOTIFIED THAT YOU ARE AMONG THE 7 WINNERS OF THE SUM OF GBP£ 7, 000, 000, 00 (SEVEN MILLION British Pounds) EACH ENTITLED TO RECEIVE GBP£ 1,000,000.00 (ONE MILLION British Pounds)

Your Fund is now deposited with our correspondent Paying Bank (BARCLAY'S BANK, LONDON) insured in your name for security reasons, you are advised to please keep your winning details very confidential from the members of the public to avoid double claim as your winning/payment will be cancelled should Two (2) claims be submitted under the above specified winning details.

Please note that claiming agents has been appointed in strategic areas around the world to help and ensure an easy and immediate claim to all our lucky winner's. We have checked your location and your claiming falls under group B.

You are to call and forward you’re winning details to our appointed and accredited Agent    (MR. M. ROBERT NULL)  
Office   Mail:  robertnull2010@null.net
Cell: Tel: + 44-7031741865    Fax: +447014237785   to enable him clear your file for immediate payment. Visit:    http://www.london2012.com    for more details.

You can also confirm your winning by directly calling/contacting our head office here in London on the bellow Details:

Signed By Dr. V. Beavis                                 Copyright © 1996-2012                      
[Award Board Director]                                       The U.K National Lottery Inc.
Head Office U.K                             All rights reserved. Terms of Service - Guideline
E MAIL :  board.directors@london.com                                         
 100860 8556 2548 9576UK

Sample-2

These scams have become so common that the official Olympic website is actually maintaining a list of those which have been identified in order to warn the general public. Here is a list of the email spam/scam variations related to London Olympics 2012:
• 2012 Games Entertainments Co-ordinator
• 2012 Olympic Draws
• 2012 Olympic Promo
• 2012 Olympic Promotion Board United Kingdom – South Africa
• 2012 Olympics, A Lottery For The Future
• 2012 Summer Olympic Lottery
• 2012 Summer Olympic/Paralympic Games
• Australian Lottery (in affiliation with the London 2012 Olympics Committee)
• AUTHORISATION NOTE: P&G WORLDWIDE PARTNER / London 2012 Olympic Games
• BBC Olympic Prize
• Big Big London 2012 Olympic Lottery
• BT & London 2012 Olympics Promotions Team
• CocaCola Company and London 2012 Official Award Notification
• Coca Cola London 2012 Olympic Games Promotions
• Deloitte/London 2012 Olympic Games Promotional Draw
• Ford Olympic 2012 Promo
• Future 2012 Olympics – Congratulations!
• Grosvenor/London 2012 Olympic Games Promotional Draw
• London 2012 Draw Results
• London 2012 Employment
• London 2012/ FIFA International Online Lottery
• London 2012 grant award
• London 2012/Microsoft 2011
• London 2012 press release
• London 2012 Olympic Games Raffle Award
• London 2012 Olympics/Microsoft Sweepstake
• LONDON 2012: Ticket Number: LND0026
• Olympic 2012 Awareness Lotto
• Olympic Torch
• P & G Olympic Promotion


It is advisable that if a message contains any of the above-mentioned text, such messages should be dropped. Today, many antivirus solutions and email gateways provide aggressive spam filters, but messages can always slip through, so individuals should be wary of any message requesting personal information, regardless of the source.
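The indicators these posts rely on can be turned into a simple triage check: a Reply-To that sends replies somewhere other than the From address (visible in the header samples of the July 31 update above), a subject drawn from the list of known scam titles, lottery vocabulary, and a body that only tells the victim to open an attachment. The following is an added example, not a Zscaler tool or code from the posts; the sample messages are constructed from the From, Reply-To, Subject and attachment values quoted in the posts, the scoring weights are my own assumptions, and the title list is a subset of the one above.

```python
"""Triage Olympic lottery-scam emails on the indicators described above.

Added example (not Zscaler's tooling).  Scoring weights and thresholds are
assumptions chosen for illustration; the sample messages are constructed
from header values quoted in the posts.
"""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Subset of the known scam titles reproduced in the post; extend as needed.
KNOWN_SCAM_TITLES = (
    "2012 olympic draws",
    "2012 olympic promo",
    "2012 summer olympic lottery",
    "bbc olympic prize",
    "london 2012 draw results",
    "london 2012 olympic games raffle award",
    "olympic 2012 awareness lotto",
)

# Substring matching is deliberate and coarse ("won" also hits "wonder");
# this is a scoring signal, not a verdict on its own.
LOTTERY_WORDS = ("lottery", "lotto", "draw", "winner", "won", "congratulation",
                 "award", "promotion", "claim")

# Bodies that say nothing except "open the attachment".
OPEN_ATTACHMENT_PHRASES = ("open the attach", "read the attach",
                           "view the e-mail attach")


def normalize(text):
    """Lower-case and collapse whitespace; tolerates None."""
    return " ".join(str(text or "").lower().split())


def address_of(header_value):
    """Bare lower-case address from a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.lower()


def triage(raw_message):
    """Return (score, reasons) for a raw RFC 5322 message string."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    subject = normalize(msg.get("Subject"))
    from_addr = address_of(msg.get("From"))
    reply_addr = address_of(msg.get("Reply-To"))
    body_part = msg.get_body(preferencelist=("plain",))
    body = normalize(body_part.get_content() if body_part else "")
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    searchable = " ".join([subject, body] + [normalize(a) for a in attachments])

    score, reasons = 0, []
    # 1. Replies are routed to a mailbox other than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        score += 2
        reasons.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
    # 2. Subject matches a title from the published list of known scams.
    for title in KNOWN_SCAM_TITLES:
        if title in subject:
            score += 3
            reasons.append(f"subject matches known scam title {title!r}")
            break
    # 3. Lottery vocabulary anywhere in subject, body or attachment names.
    hits = sorted({w for w in LOTTERY_WORDS if w in searchable})
    if hits:
        score += 1
        reasons.append("lottery vocabulary: " + ", ".join(hits))
    # 4. An attachment plus a body that only says to open it.
    if attachments and any(p in body for p in OPEN_ATTACHMENT_PHRASES):
        score += 2
        reasons.append(f"body only says to open attachment {attachments[0]!r}")
    return score, reasons


def verdict(score):
    """Map a score to an action; thresholds are an assumption."""
    return "drop" if score >= 3 else "review" if score >= 1 else "pass"


def build_sample(from_, reply_to, subject, body, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed from the second sample in the July 31 update.
SCAM_SAMPLE = build_sample(
    "London Olympics 2012 <bolympics111@gmail.com>",
    "London Olympics 2012 <lon2012.0lympics@london.com>",
    "Read the Attached Letter", "Read the Attached Letter",
    "LONDON OLYMPICS LOTTERY.pdf")

# Constructed benign message with an attachment, for contrast.
BENIGN_SAMPLE = build_sample(
    "Team Lead <lead@example.com>", None, "Agenda for Thursday",
    "Attached is the agenda for Thursday's planning meeting.", "agenda.txt")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, reasons = triage(raw)
        print(f"{name}: {verdict(score)} (score {score})", *reasons, sep="\n  ")
```

The Reply-To check matters because the lottery samples above all send replies to a mailbox different from the apparent sender; a gateway rule on that alone would be too noisy, which is why it is combined with the title list and the attachment-only body pattern.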

Friday, July 20, 2012

"Click to Play" arrives in Firefox

Popular browser plugins like Flash and Adobe Reader are part of the typical web browser, with an installation base of 90+% on corporate computers (see the State of the Web report). However, they can also represent big security holes. The Blackhole exploit kit, for example, has long contained code to exploit vulnerabilities in Flash, Java and Adobe Reader. While few people may actually need a Java plugin, Flash is still required on many websites and a PDF reader in the browser is quite convenient.

Click to Play

Browser vendors have been looking for ways to secure browser plugins. One way to achieve this involves sandboxing the plugins, i.e. running plugins in a more restricted environment than the browser, with fewer rights. Unfortunately, many exploits have demonstrated that it is all too often possible to break out of the sandbox.

Another idea involves disabling plugins by default and enabling them only when they are actually required by the user. "Click to Play" means that users must take action to enable a plugin by clicking on the area of the page that is handled by a plugin, like a Flash animation.

The vast majority of exploits, including Blackhole, use invisible elements to run the malicious code: an invisible applet, invisible Flash animation, etc. Since Click to Play requires the user to actually notice elements on the page that require a plugin in order to activate it, these exploits would not run.
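As an added illustration (not code from Mozilla, Google or the post), here is a small scanner for the kind of plugin element the paragraph describes: `<object>`, `<embed>` and `<applet>` tags sized to zero or hidden by inline style, which draw nothing a user could click and so would never be activated under Click to Play. It is the check a page owner or analyst might run over fetched markup to see which plugin elements a user would actually be able to see. The sample page is constructed; the tags and attributes are standard HTML.

```python
"""Report plugin elements that render nothing a user could click.

Added example, not part of the post.  Walks markup with the standard
library parser and classifies <object>, <embed> and <applet> elements
as visible or invisible based on size attributes and inline style.
"""
from html.parser import HTMLParser

PLUGIN_TAGS = {"object", "embed", "applet"}
# Attributes that point at the plugin payload, per element type.
SOURCE_ATTRS = ("data", "src", "code", "archive")


def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    rules = {}
    for decl in (style or "").split(";"):
        prop, sep, value = decl.partition(":")
        if sep:
            rules[prop.strip().lower()] = value.strip().lower()
    return rules


def is_negligible(dimension):
    """True when a width/height value is 0 or 1 (px or unitless)."""
    if dimension is None:
        return False
    text = dimension.strip().lower().removesuffix("px")
    try:
        return float(text) <= 1
    except ValueError:
        return False


def invisibility_reasons(attrs):
    """Reasons a plugin element would show nothing for the user to click."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = parse_style(a.get("style"))
    reasons = []
    if is_negligible(a.get("width")) or is_negligible(a.get("height")):
        reasons.append("zero-size width/height attribute")
    if is_negligible(style.get("width")) or is_negligible(style.get("height")):
        reasons.append("zero-size width/height in style")
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        reasons.append("hidden via display/visibility")
    if "hidden" in a:
        reasons.append("hidden attribute")
    return reasons


class PluginScanner(HTMLParser):
    """Collect every plugin element and why (if at all) it is invisible."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in PLUGIN_TAGS:
            return
        a = dict(attrs)
        source = next((a[k] for k in SOURCE_ATTRS if a.get(k)), "")
        self.elements.append({"tag": tag.lower(), "source": source,
                              "reasons": invisibility_reasons(attrs)})


def scan(html):
    """Return (invisible, visible) plugin elements found in the markup."""
    scanner = PluginScanner()
    scanner.feed(html)
    scanner.close()
    invisible = [e for e in scanner.elements if e["reasons"]]
    visible = [e for e in scanner.elements if not e["reasons"]]
    return invisible, visible


# Constructed sample page: one normally sized video player plus three
# plugin elements sized or styled so that nothing is drawn on screen.
SAMPLE_PAGE = """
<html><body>
<h1>Highlights</h1>
<object width="640" height="360" data="player.swf"></object>
<embed src="loader.swf" width="0" height="0">
<applet code="loader.class" width="1" height="1"></applet>
<object data="second.swf" style="display:none; width:300px"></object>
</body></html>
"""

if __name__ == "__main__":
    invisible, visible = scan(SAMPLE_PAGE)
    for e in invisible:
        print(f"INVISIBLE <{e['tag']}> {e['source']}: {'; '.join(e['reasons'])}")
    print(f"{len(visible)} visible plugin element(s) would get a Click to Play placeholder")
```

The point of the split is the one the paragraph makes: only the 640x360 player would ever present a placeholder the user can click; the three zero-size or hidden elements have no visible area, so under Click to Play they simply never start.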

Click to Play in Firefox - 2 clicks are required to enable the 2 Flash animations

Some inconveniences

Click to Play seems like a great security improvement. Unfortunately, there are legitimate cases when a plugin might be required to run without having to display anything. For example, Flash is commonly used to copy text to the clipboard (a shortened URL, for example).

There are also JavaScript frameworks that use invisible Flash or Java applets to get access to the webcam or microphone (this is not possible through JavaScript only).

There are also UX challenges when asking users to click YouTube videos over and over, for example, or to ensure that users understand why they may not want to enable all plugins by default, etc.

Today, only two major web browsers support Click to Play - Chrome and Firefox, but this feature is disabled by default in both browsers.

Chrome

Click to Play was introduced as an option in Google Chrome in March 2011 with Chrome 10. Because it is disabled by default and Chrome rarely requires users to navigate through the settings to enable it, most users are likely not aware of this security feature.

In the latest versions of Chrome, Click to Play is well hidden! To enable it one must go to the Wrench Icon - Settings - Show advanced settings - Content settings...then scroll down to Plug-ins and select "Click to Play". That's five clicks to access the option. This is definitely restricted to power users! If you do not know what "Click to Play" means, you are out of luck because there is no mouse-over or popup to show more information.

Click to Play option in Chrome 20

While the screenshot of Chrome 10 showed placeholders explaining that users had to click to enable the plugin, the current placeholders are quite obscure, with no information about what they are.

Click to Play placeholders - What should I do?

It looks like the Click to Play feature is pretty much dead in Chrome, restricted only to power users. Not much has happened since it was released over a year ago.


Firefox 14

Finally, a year after Chrome, Click to Play is making its first appearance in Firefox 14. Like Chrome, it is disabled by default, and restricted to power users. There is no UI option to enable the feature. You have to go to about:config, search for click_to_play, and change the option to true.

Enable Click to Play in Firefox 14

Firefox's placeholders are better than Chrome's, as they clearly state "Click here to activate plugin". I wish however that they would indicate which plugin is going to be activated (Flash versus Java, for example).

Click to Play placeholders in Firefox

I'm afraid that the current implementation does not play well with Flash embedded in an IFRAME. On a website that embeds a YouTube video, I get a black box, with no option to enable Flash to see the video.

To Mozilla's credit, this is just the first iteration of Click to Play. Full support for Click to Play is scheduled for Firefox 16. Looking at their website, they seem to have a good plan to tackle the UX issues.


I hope Mozilla and Google are working on making Click to Play the default setting. This would result in a big improvement in securing users online. Right now, only a few users are aware of it and even fewer benefit from the added security.

Wednesday, July 11, 2012

Visualize the top blacklisted sites

In the past month, I've been looking at the websites from the Alexa top 1,000,000 that are blacklisted by Google Safe Browsing. There are between 300 and 500 of these sites blocked every day, mostly legitimate websites that have been compromised.

I was interested in the geographical distribution of these sites. Here are the number of blocked (malicious and hijacked) sites per country (based on the website IP address), in absolute numbers. Note that to make the map useful, I decreased the number of blocked sites hosted in the US from 146 to 42 on the map because it was over 4 times that of the #2 (China).

Country hosting popular websites blacklisted by Google Safe Browsing

As shown before, the US is hosting the biggest number of blacklisted sites (146), followed by China (45), followed by Germany (32) and Russia (26).

It is not surprising to see the US be #1 since they host more popular sites in general. Germany is also a popular hosting country, with lower prices than its neighbors. So I decided to show the map of blacklisted sites in relative numbers: number of blacklisted sites / number of sites hosted:

Country hosting popular websites blacklisted by Google Safe Browsing in relative numbers

The distribution is pretty even amongst countries with a big Internet user population. The reason why a few small countries (Sri Lanka, Venezuela, Georgia, etc.) stand out is that they host very few sites (small sample size), so having just one or two sites blacklisted increases their percentage a lot.

Most of these blocked websites are legitimate sites hijacked as part of massive attacks spanning thousands of websites. Attackers constantly scan websites for known vulnerabilities, and they can be highly successful by finding vulnerabilities on popular websites. Blocked Chinese sites host malicious content that is very different from what I've seen in other countries (see examples in the last paragraph of this post).

Do not think your personal website is safe because it has too little web traffic to attract attackers. Scans and attacks are done automatically, and targets are compromised with very few resources. No website is too small to be left uncompromised.

Monday, July 2, 2012

Mass Compromise includes ComputerWorld MX

We were alerted to this by a customer reporting that Zscaler was blocking pages on www.computerworldmexico.mx.

The evidence was our Zulu report, which, when we looked at it, showed that the page itself did not have any malicious content. The site's own internal JS files, however, e.g., tabber.js, were being flagged as malicious as a result of Zscaler's threat fingerprinting.


Looking at the JS files, obfuscated JS had been added at the end of the flagged files:

The JS makes use of the DOM to avoid automated deobfuscation, e.g., JSUnpack failed for me. Deobfuscating it shows a number of things:
  • For one, the author of the malware used Windows (you can see the carriage-return newlines as ctrl-v ctrl-M in my vi editor)
  • The malicious JS utilizes the setTimeout function, so that the malicious injection only occurs after being on the page for 500 milliseconds - which can help evade rapid, automated analysis of pages
  • The malicious JS injects an IFrame using a domain generation algorithm (DGA) based on time (changes about every 40,000 milliseconds or so)
Looping through the DGA, these are some of the domains:

ppsvcvrcgkllplyn.ru
ruhctasjmpqbyvhm.ru
bdvkpbuldslsapeb.ru
eilqnjkoytyjuchn.ru
npxsiiwpxqqiihmo.ru
qtmyeslmsoxkjbku.ru
adbjjkquyyhyqknf.ru
ciqmhuwgvfsxdtrw.ru
mocrafrewsdjztbj.ru
otruvbidvikzhlop.ru
yafzvancybuwmnno.ru
yafzvancybuwmnno.ru
bhujzorkulhkpwob.ru
lohnrnnpvvtxedfl.ru
ntvrnrdpyoadopbo.ru
wakvnkyzkyietkdr.ru
zfyafrjmmajqfvbh.ru
jnlkttkruqsdjqlx.ru
lsbppxhgckolsnap.ru
vznrahwzgntmfcqk.ru
xeeypppxswpquvrf.ru
inqgvoeohpcsfxmn.ru
ksgmckchdppqeicu.ru
uyrorwlibbjeasoq.ru
uyrorwlibbjeasoq.ru
wejungvnykczyjam.ru

Many of the pages are already blocked by Google SafeBrowsing:

Looks like this is all tied to an ongoing campaign from mid/late June (e.g., Pastebin paste with some of the domains on June 21) and an earlier blogpost suggesting that these compromises came from the Plesk File Manager.
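The domain list above is what a defender actually gets to see in proxy or DNS logs, and it shows the two properties that make a time-based DGA family stand out: every label has the same length under the same TLD, and the labels are vowel-poor random strings. The following is an added example, not part of the post and not the malware's own generator (the post does not reproduce the algorithm, only its output). It groups observed hostnames by TLD and registrable-label length, flags groups that are both large and vowel-poor on average, and exposes the per-label statistics for inspection. The input is the domain list quoted in the post plus a few constructed benign hostnames for contrast; the thresholds are tuning assumptions.

```python
"""Spot a DGA family in observed hostnames by clustering and lexical stats.

Added example, not the malware's generator.  Thresholds are assumptions
chosen for illustration; the benign hostnames are constructed.
"""
from collections import defaultdict
from statistics import mean

VOWELS = set("aeiou")

# Domains quoted in the post (the post's duplicates are kept as-is).
DGA_DOMAINS = """
ppsvcvrcgkllplyn.ru ruhctasjmpqbyvhm.ru bdvkpbuldslsapeb.ru eilqnjkoytyjuchn.ru
npxsiiwpxqqiihmo.ru qtmyeslmsoxkjbku.ru adbjjkquyyhyqknf.ru ciqmhuwgvfsxdtrw.ru
mocrafrewsdjztbj.ru otruvbidvikzhlop.ru yafzvancybuwmnno.ru yafzvancybuwmnno.ru
bhujzorkulhkpwob.ru lohnrnnpvvtxedfl.ru ntvrnrdpyoadopbo.ru wakvnkyzkyietkdr.ru
zfyafrjmmajqfvbh.ru jnlkttkruqsdjqlx.ru lsbppxhgckolsnap.ru vznrahwzgntmfcqk.ru
xeeypppxswpquvrf.ru inqgvoeohpcsfxmn.ru ksgmckchdppqeicu.ru uyrorwlibbjeasoq.ru
uyrorwlibbjeasoq.ru wejungvnykczyjam.ru
""".split()

# Constructed benign hostnames standing in for normal traffic in a log.
BENIGN_HOSTNAMES = [
    "www.computerworldmexico.mx", "zulu.zscaler.com",
    "www.london2012.com", "www.example.org",
]


def registrable_label(hostname):
    """Return (label, tld) from the last two DNS labels.  Simplified: it does
    not understand multi-part public suffixes such as co.uk."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def lexical_features(label):
    """Per-label statistics an analyst would eyeball: vowel ratio and the
    longest run of consecutive consonants (y counts as a consonant)."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return {"vowel_ratio": vowel_ratio, "longest_consonant_run": longest}


def cluster_hostnames(hostnames):
    """Group distinct registrable labels by (tld, label length)."""
    groups = defaultdict(set)
    for host in hostnames:
        label, tld = registrable_label(host)
        groups[(tld, len(label))].add(label)
    return groups


def suspicious_groups(hostnames, min_size=5, max_vowel_ratio=0.3):
    """Return {(tld, length): summary} for groups that look like one DGA
    family: many distinct labels of a single length under one TLD that are
    vowel-poor on average.  min_size and max_vowel_ratio are assumptions."""
    flagged = {}
    for key, labels in cluster_hostnames(hostnames).items():
        if len(labels) < min_size:
            continue
        ratio = mean(lexical_features(label)["vowel_ratio"] for label in labels)
        if ratio < max_vowel_ratio:
            flagged[key] = {"distinct_labels": len(labels),
                            "mean_vowel_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for (tld, length), summary in suspicious_groups(DGA_DOMAINS + BENIGN_HOSTNAMES).items():
        print(f"suspicious group: .{tld} labels of length {length}: {summary}")
    for host in ("uyrorwlibbjeasoq.ru", "www.computerworldmexico.mx"):
        print(host, lexical_features(registrable_label(host)[0]))
```

The per-label view also shows why clustering is needed: a single label such as uyrorwlibbjeasoq has a vowel ratio not far from a long legitimate name like computerworldmexico, so judged alone it would slip through, while as one of two dozen same-length .ru labels it is clearly part of the family.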