Yahoo phishing hides in compromised WordPress websites

April 25th, 2012 by Avi Turiel | Category: Email Security, phishing | Leave a comment »

Yahoo users have been targeted in a phishing attack that starts with an “avoid account deactivation” email.  Mousing over the link shows the non-Yahoo link – an easy way to know that something is amiss.

The phishing pages are very authentic looking.  Once users have entered their login details (which are collected by the phisher), they are redirected to Yahoo Mail.

A large number of compromised sites have been used to hide the phishing pages – all the samples collected by Commtouch Labs were based on WordPress.  In such cases the phishers seek out a particular plugin with a known vulnerability that can be repeatedly exploited on many sites.  In the example below a Romanian photographer’s website continues to function normally while the phishing page is hidden in the blog section.
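One way a site owner can check for this kind of hidden page, as an added example that is not Commtouch's code or part of the original post: walk the WordPress tree and report HTML/PHP files that contain a password field in a directory that should only hold media or cache (`wp-content/uploads`, `wp-content/cache`, `wp-includes`; the list is an assumption for this example), or whose form posts credentials to a host other than the site itself. The sample tree, the `collector.example` host and the site name `photographer.example` are constructed.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

FORM_ACTION = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']*)[\"']", re.I)
PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']password[\"']", re.I)

# Directories where WordPress keeps media and cache. A login form living here was
# put there by someone other than WordPress (assumption made for this example).
NO_FORMS_EXPECTED = ("wp-content/uploads/", "wp-content/cache/", "wp-includes/")


def scan_site(root: str, site_host: str) -> list:
    """Walk a WordPress tree and report HTML/PHP files that carry a password form
    in a directory that should not serve forms, or that post credentials to a
    host other than the site itself. Returns (relative path, [reasons]) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            if not PASSWORD_INPUT.search(body):
                continue
            reasons = []
            if rel.startswith(NO_FORMS_EXPECTED):
                reasons.append("credential form under a media/cache directory")
            for action in FORM_ACTION.findall(body):
                host = (urlparse(action).hostname or "").lower()
                if host and host != site_host.lower():
                    reasons.append(f"credentials posted to foreign host {host}")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_site() -> str:
    """Constructed WordPress-like tree in a temp directory. The file contents are
    minimal stand-ins, not real WordPress or phishing-kit code."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "index.php": "<?php /* no form here */ ?>",
        # the real login form posts to the site itself: not reported
        "wp-login.php": '<form action="wp-login.php"><input type="password" name="pwd"></form>',
        # a plugin settings page with a secret field, posting locally: not reported
        "wp-content/plugins/gallery/settings.php":
            '<form action="options.php"><input type="password" name="api_key"></form>',
        # the planted page: credential form in uploads, posting to a foreign host
        "wp-content/uploads/2012/04/blog/index.html":
            '<form action="http://collector.example/post.php" method="post">'
            '<input type="text" name="login"><input type="password" name="passwd"></form>',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_site(build_sample_site(), "photographer.example"):
        print(rel, "->", "; ".join(reasons))
```

The check is a heuristic: a plugin can legitimately ship a password field, so only location and destination are used as signals, and anything reported still needs a human look.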

Have you seen this picture of yours in attachment?? Three Facebook friends sent it to me today!

April 23rd, 2012 by Avi Turiel | Category: Email Security, malware | Leave a comment »

A series of emails with malware attachments has been widely distributed in the last few days.  The emails alert the recipient about a picture of themselves (or an ex-girlfriend) that has been circulated online.  The text from three of the messages is shown below:

Sorry to disturb you , – I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man

Hi there ,But I really need to ask you – is it you at this picture in attachment? I can’t tell you where I got this picture it doesn’t actually matter…The question is is it really you???.

Sorry to disturb you , – I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.

The “image” is attached to the emails for convenience and the filename in all samples was identical: “IMG0962.zip”.  The unzipped file displays a PDF icon – which may confuse recipients whose computers do not display file extensions (the extension in this case is .exe).
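A mail gateway check for exactly this trick, as an added example that is not Commtouch's code or part of the original post: open the archive in memory and flag any member whose extension Windows will execute, whose name carries a decoy extension in front of the real one, or whose content starts with the `MZ` signature of a Windows executable regardless of name. The member name `IMG0962.pdf.exe` and the `MZ` stub are constructed for the sample; the post only gives the archive name `IMG0962.zip`.

```python
import io
import zipfile

# Extensions Windows runs when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Every Windows PE file starts with the two bytes "MZ", whatever its name says.
PE_MAGIC = b"MZ"


def inspect_zip(data: bytes) -> list:
    """Return one finding per archive member that is, or looks like, an executable.

    Each finding is a dict: {"name": member name, "reasons": [str, ...]}.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lowered = info.filename.lower()
            parts = lowered.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                # "IMG0962.pdf.exe": a decoy extension sits before the real one, so
                # a user with extensions hidden sees "IMG0962.pdf" next to a PDF icon
                if len(parts) > 2:
                    reasons.append(f"decoy extension .{parts[-2]} before {ext}")
            with zf.open(info) as member:
                if member.read(len(PE_MAGIC)) == PE_MAGIC:
                    reasons.append("content starts with PE 'MZ' signature")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold any archive that contains an executable member."""
    return bool(inspect_zip(data))


def build_sample_archive() -> bytes:
    """Constructed sample modelled on the outbreak. The member name and the MZ
    stub are made up for this example and contain no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG0962.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The content check matters more than the name check: renaming the member to `IMG0962.pdf` defeats the extension test but not the `MZ` test.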

Commtouch’s Antivirus for Email detected the attached malware within seconds of the start of the outbreak.

The graph below shows the scale of the attack on Saturday – from 4am (Pacific Time) till 3am on Sunday morning.  The black line tracks this particular outbreak.  At its peak the attack averaged around 100,000 messages per second.  The top blue line represents spam received per second by Commtouch’s GlobalView Cloud.

Phony LinkedIn reminders help users connect with malware

April 19th, 2012 by Avi Turiel | Category: Email Security, malware | 1 Comment »


Phony LinkedIn invitations are not a new phenomenon.  What tends to change is the underlying delivery method used for the malware distribution – in this case compromised websites that unknowingly host malicious scripts.  The LinkedIn reminders that are included in the attack include several variables such as names, relationships, and the number of messages awaiting response.  As usual the giveaway that something strange is occurring is the link (see after mouseover).

Recipients that click on the link reach a rather bland looking “notification” page that provides no further links or instructions.

In the background, several scripts seek out software with vulnerabilities that can be exploited including:

The fully functional host website is shown below.

Of course the malware is hugely problematic – but another issue emerges from all of these phony LinkedIn invitations – they cause malware-aware users to be suspicious about genuine invitations!  Following the outbreak described above, I nearly deleted this actual invitation to connect.

Phony Verizon Wireless emails follow AT&T wireless emails attack

April 16th, 2012 by Avi Turiel | Category: Antivirus, Web Security | 1 Comment »

Less than 2 weeks ago we reported the use of perfectly formatted AT&T Wireless emails that included multiple links to malware infested sites.  These have now been followed up with similar emails – but the “carrier” has switched to Verizon Wireless.

The Verizon emails also lead to sites hosting malware – although there are far fewer links in the email – and the same compromised site is used repeatedly in each email (in the AT&T attack, up to 9 different sites were used).  The same gang appears to be behind both attacks since the link structure is identical:

<compromised domain>/<8 random numbers and letters>/index.html.

The same vulnerabilities are once again exploited via the scripts on the sites.

The fully functional homepage of the compromised site is shown below.

Phishing attack targets frequent flyers of Brazilian airline TAM

April 9th, 2012 by Avi Turiel | Category: malware, phishing | Leave a comment »

Airlines are the current darlings of malware and phishing gangs, with several campaigns using airline-related themes.  The most recent attack attempts to extract the username/password combinations of Brazilian airline TAM frequent flyers.  The email promises free miles upon entry of a promotional code.  Email and translation follow:

Email text

TAM Fidelidade.

Parabéns você acaba de ser sorteado com 10.000 pontos milhas TAM Fidelidade.

O seu código promocional é:

602H4NBS884588203

Insira o código no link abaixo para confirmar o crédito de 10.000 milhas em sua conta fidelidade

Translation:

Congratulations you’ve just been drawn with 10,000 miles TAM Loyalty points.

Your promotional code is:

602H4NBS884588203

Enter the code on the link below to confirm the credit of 10,000 miles in your account loyalty.

After the operation, wait for 48 hours for credit.

We are available to answer any questions.

Sincerely,

The links lead to a very colorful, animated site where the promotional code can be entered:

Once the code is entered, victims are asked for their genuine username and password as confirmation.  The phishers can then use the Star Alliance points to purchase airline tickets and other goodies worldwide.

The phishing attack follows (unrelated – except for the airline theme) continued use of phony American Airlines tickets to distribute malware.

The links in these emails follow the pattern of the phony AT&T wireless emails distributed last week.  One example:

http://authorsinn.com/9ZT4-YfA/index.html

The elaborate scripts on the destination sites are reportedly aimed at downloading the Zeus Trojan.

Your AT&T wireless bill may link to malware

April 5th, 2012 by Avi Turiel | Category: Antivirus, Web Security | 3 Comments »

Large outbreaks of phony AT&T wireless emails have been distributed in the last 2 days.  The emails describe very large balances ($943 in the example below), that are sure to get aggravated customers clicking on the included links.

Every link in the email leads to a different compromised site that has malware hidden inside.  In the example below this means nine (!) different URLs – most emails with links to malware limit themselves to one or two links.

The links all follow a similar pattern as shown below:

  • http://angelicascakes.com/mem-Jj4e/index.html
  • http://decoragyn.com.br/mem-Jj4e/index.html
  • http://www.databytez.com/Zyfyo-oh/index.html
  • http://www.ncusinagem.com.br/Zyfyo-oh/index.html

The pattern is: <legitimate domain>/<recurring set of random letters>/<index.html>

The index.html file tries to exploit at least the following known vulnerabilities:

  • Libtiff integer overflow in Adobe Reader and Acrobat – CVE-2010-0188
  • Help Center URL Validation Vulnerability – CVE-2010-1885

Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy) should mouse-over the links.  Genuine emails from AT&T will include AT&T website links.  For example the “att.com” link will be the same in both places that it appears in the email – unlike the malicious version which uses 2 very different URLs.
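The two checks this post recommends, plus the link shape shared by the AT&T, Verizon and TAM campaigns on this page, written up as an added example that is not Commtouch's code or part of the original post: parse the anchors out of an HTML email body, flag any link whose path has the `/<8 letters, digits or hyphens>/index.html` shape, flag any anchor whose visible text names a domain (such as `att.com`) while its `href` points somewhere else, and flag visible text that appears more than once with different destinations. The four `href` values in the sample are the ones quoted in this post; the surrounding HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path shape shared by the AT&T, Verizon and TAM links quoted on this page:
# /<8 letters, digits or hyphens>/index.html
KIT_PATH = re.compile(r"^/[A-Za-z0-9-]{8}/index\.html$")

# Visible link text that names a site, e.g. "att.com" or "www.att.com"
DOMAIN_TEXT = re.compile(r"(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def path_matches_kit(url: str) -> bool:
    return KIT_PATH.match(urlparse(url).path) is not None


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._chunks = []

    def handle_data(self, data):
        if self._href is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._chunks).strip()))
            self._href = None


def extract_anchors(html: str) -> list:
    parser = _Anchors()
    parser.feed(html)
    return parser.pairs


def _host_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse_links(html: str) -> list:
    """Return (finding, detail) pairs for the three checks described above."""
    findings = []
    hrefs_by_text = {}
    for href, text in extract_anchors(html):
        hrefs_by_text.setdefault(text, set()).add(href)
        if path_matches_kit(href):
            findings.append(("kit-path", href))
        shown = text.lower()
        if DOMAIN_TEXT.fullmatch(shown):
            claimed = shown[4:] if shown.startswith("www.") else shown
            actual = (urlparse(href).hostname or "").lower()
            if not _host_under(actual, claimed):
                findings.append(("text-host-mismatch", f"{text} -> {actual}"))
    # the post's own test: "att.com" must point to the same place every time
    for text, hrefs in hrefs_by_text.items():
        if text and len(hrefs) > 1:
            findings.append(("same-text-different-hrefs", text))
    return findings


# Constructed email body: the link targets are those quoted on the page, the
# surrounding HTML is made up for this example.
SAMPLE_EMAIL = """
<p>Total Balance Due: $943.01</p>
<p>Log in to <a href="http://angelicascakes.com/mem-Jj4e/index.html">myAT&amp;T</a>
to view your bill and make a payment.</p>
<p>Visit <a href="http://decoragyn.com.br/mem-Jj4e/index.html">att.com</a> for details,
or see <a href="http://www.databytez.com/Zyfyo-oh/index.html">att.com</a> anytime.</p>
"""

if __name__ == "__main__":
    for kind, detail in analyse_links(SAMPLE_EMAIL):
        print(f"{kind:26} {detail}")
```

A genuine AT&T notice passes all three checks: its `att.com` anchors resolve under `att.com`, the text maps to one destination, and the paths do not have the eight-character kit shape.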

The fully functional homepage of one of the compromised sites is shown below.  For more information about compromised websites see Commtouch’s report compiled in association with StopBadware.

Email Text:

Dear Customer,

Your monthly wireless bill for your account is now available online.

Total Balance Due: $943.01

Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment – it’s free.

Smartphone users: download the free app to manage your account anywhere, anytime.

Thank you,

AT&T Online Services

The Siberian Husky Puppies scam returns

April 3rd, 2012 by Avi Turiel | Category: Anti-scam, anti-spam | 1 Comment »

I’m very excited about this email I received:

“We have 3 male(Willy) (Ben) and (Max) and 3 Female ((Mimi) (Kiki) and (Baby Tina)ready for re homing to new homes .There are Outstanding AKC registered Siberian husky from multi-championship bloodlines with an awesome pedigree. Gorgeous wrinkles, nice rope across their nose, massive bones structure, compact and muscular. Home-raised, family socialized puppies with sweet, loving and playful temperament, loves children. Ready to be a family companion or your best friend. Current vaccinations, De-worming, new crate, veterinarian health check and health certificate. Health guaranteed. Awesome puppy packet, the baby Siberian husky will come alongside with the following 1 Year health Guarantee, Health Certificate, Shot Records Create (w/shipping),.”

Sounds fantastic! – and look at those pictures!  Aaaaaaahh Sweeeet!

“    I am  giving them out because they were always cared and looked after by my father but with a heavy heart i lost him and he was all I got ,i work with a global,broad-based health care company devoted to discovering new medicines, new technologies and new ways to manage health. My father  died in an accident last month on his way back from work and i have very bad memories when i see these puppies around me,because they were always together with him since i am always busy in the laboratory..  “

Wow – that’s quite a story.  And all told in two run-on sentences!

“    i really need to give them to someone who can really care and love them just the way dad used to..These puppies have been very lonely since dad passed away so the best thing i decided on as my colleague advised me was to send them to a loving home.   “where are you located  ?”

An Internet Security company

“are you married  ?, do you have kids  ?, do you promise to take very good care of the puppies  ?, have you ever owned a puppy  ?, how soon do you need the puppy  ?, which off the puppies do you need  ?, how soon do you need the puppies  ?, your mobile number  ?”

Gosh – that’s a lot of questions…

“    i really count on you if you can be there for them.. all you are going to pay is just for their change of ownership papers  which will cost you only $ 140 each . “

Amazing – that’s a saving of at least $860 per dog – not including shipping.  You must be really generous, or maybe this is one of those puppy scams.  You know – the ones where you send the $140 via Western Union and never see any dog (or your money ever again).

Twitter mention spam goes for the gut

March 14th, 2012 by Avi Turiel | Category: anti-spam, Web Security | Leave a comment »

In the swirling seas of spam emails that our analysts come across every day, the anti-stomach-fat/six-pack-abs theme repeats itself quite regularly.  Unless they are tricked by some fiendishly clever social engineering (see here and here), most email recipients know better than to follow links to sites promising ultimate-waistline-thin-ness.  But what happens when these links are delivered by Twitter?  The distribution rates might be lower but we suspect that the click-through rates are much higher.

How Twitter mentions work: Anyone can create a tweet and “mention” another Twitter user by adding the “@” symbol and the Twitter username.  As an example, consider our colleagues at StopBadware who mentioned us in their tweet about our joint report on compromised websites.

We saw this tweet on our Twitter page because we were “mentioned” – and we assume the shortened link leads to the report itself.

Using Twitter mentions to send spam: This method can also be used to send spam to any Twitter user as shown in the tweet below:

Evil (or compromised) user “Ford—-“ has created a tweet mentioning user Pulp—- and included a link “vg4fi.co.cc/q—“.  Clicking on the link results in several redirects that ultimately lead to a website promoting “a more sublime waistline”.

Why this spam-sending method works:

  • The short-message nature of Twitter results in tweets that contain short links and very little else. So when Twitter users see a link with no explanation there is a good chance they will click to see where the link leads.
  • Users with smaller Twitter accounts (10s of followers as opposed to thousands) will likely be interested that they were “mentioned”, and will follow the link to see where.
  • The spammer is sending a limited number of messages per day per account – thus staying below the radar of Twitter’s automated spam detection algorithms. The screen below shows a collection of messages sent per day using the “mention” technique:

In this case the destination is a spam site – but it could just as easily be a site hosting malware.  Twitter users should avoid links without even the slightest description from users that they obviously have no connection to.
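The three observations above suggest a simple per-sender heuristic, shown here as an added example that is not Commtouch's or Twitter's code and not part of the original post: treat a tweet that consists of nothing but @mentions and one bare link as a candidate, then count such tweets per sender and per day and how many of them went to users who do not follow the sender. A sender with many candidates aimed at strangers that never exceeds a small daily count is exactly the low-and-slow pattern the post describes. The tweets, account names, follow relationship and thresholds are all constructed; only the `vg4fi.co.cc` domain comes from the post.

```python
import re
from collections import defaultdict

MENTION = re.compile(r"@(\w+)")
LINK = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+/\S*")


def is_bare_mention_link(text: str) -> bool:
    """True for a tweet made of nothing but @mentions and exactly one link."""
    if not MENTION.search(text) or len(LINK.findall(text)) != 1:
        return False
    leftover = LINK.sub("", MENTION.sub("", text)).strip()
    return leftover == ""


def score_senders(tweets: list, follows: set, daily_cap: int = 3,
                  min_total: int = 5, stranger_share: float = 0.8) -> dict:
    """Summarise bare mention+link tweets per sender.

    tweets:  dicts with "sender", "day" and "text"
    follows: set of (follower, followed) pairs
    Thresholds are constructed for this example. A sender is reported as
    low-and-slow mention spam when it has at least min_total candidates, most
    aimed at users who do not follow it, yet never more than daily_cap per day."""
    stats = defaultdict(lambda: {"total": 0, "per_day": defaultdict(int), "to_strangers": 0})
    for t in tweets:
        if not is_bare_mention_link(t["text"]):
            continue
        s = stats[t["sender"]]
        s["total"] += 1
        s["per_day"][t["day"]] += 1
        targets = MENTION.findall(t["text"])
        if any((target, t["sender"]) not in follows for target in targets):
            s["to_strangers"] += 1
    report = {}
    for sender, s in stats.items():
        busiest = max(s["per_day"].values())
        mostly_strangers = s["to_strangers"] >= stranger_share * s["total"]
        if s["total"] >= min_total and mostly_strangers and busiest <= daily_cap:
            verdict = "low-and-slow mention spam"
        elif s["total"] >= min_total and mostly_strangers:
            verdict = "bulk mention spam"
        else:
            verdict = "no finding"
        report[sender] = {"total": s["total"], "busiest_day": busiest,
                          "to_strangers": s["to_strangers"], "verdict": verdict}
    return report


def build_sample_tweets():
    """Constructed data: one account sending two bare mention+link tweets a day
    for five days to ten unconnected users, and one genuine mention with context."""
    tweets = []
    for day in range(1, 6):
        for i in range(2):
            n = (day - 1) * 2 + i
            tweets.append({"sender": "ford_spam", "day": f"2012-03-{day:02d}",
                           "text": f"@user{n} vg4fi.co.cc/q{n}"})
    tweets.append({"sender": "stopbadware", "day": "2012-03-01",
                   "text": "@commtouch thanks for co-authoring our report on "
                           "compromised websites bit.ly/report"})
    follows = {("commtouch", "stopbadware")}  # commtouch follows stopbadware
    return tweets, follows


if __name__ == "__main__":
    sample_tweets, sample_follows = build_sample_tweets()
    for sender, row in score_senders(sample_tweets, sample_follows).items():
        print(sender, row)
```

The genuine StopBadware-style mention never becomes a candidate because it carries explanatory text alongside its link, which is the same cue the post tells users to look for.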

Update – the links now redirect to a work-at-home scam.

Infographic: Compromised Websites – An Owner’s Perspective

February 22nd, 2012 by Michal Harush | Category: Data & Research | Leave a comment »

Beware the amazon.com cancellation email – Valentine’s Day pharmaceuticals await

February 16th, 2012 by Avi Turiel | Category: anti-spam | Leave a comment »

Maybe recipients of these emails ordered from Amazon recently – or maybe not.  Either way we’re betting many people will click on the links out of curiosity or maybe to protest their order cancellation.  The outbreak took place earlier today and was quite large (in the high millions).

The name of the book that was supposedly ordered is changed per email – some examples:

  • The Recomputed Deluxe Edition By: Sally Richardson
  • The Basically. By: Peter Armstrong
  • The Overdraft Second Edition By: Nigel Bennett
  • The Recompute Deluxe Edition By: Sarah Roberts
  • The Arlington Second Edition By: Janet Watson

Both the “order reference” link and the amazon.com link lead via intermediate sites to the pharmaceuticals site (Canadian Family Pharmacy) with special Valentine’s Day offers.

During the outbreak our trusty spam cloud was severely altered due to the amount of samples received:

Email text:

Your order has been successfully canceled. For your reference, here’s a summary of your order:

You just canceled order #141-1617273-679978 placed on February 16, 2012.

Status: CANCELED

_____________________________________________________________________

1 of The Recomputed Deluxe Edition

By: Sally Richardson

Sold by: Amazon.com LLC

_____________________________________________________________________

Thank you for visiting Amazon.com!

———————————————————————

Amazon.com

Earth’s Biggest Selection

http://www.amazon.com

———————————————————————
