BS Microsoft adCenter phishing

January 26th, 2012 by Avi Turiel | Category: Email Security, phishing, Web Security | Leave a comment »

We’ve had loads of phishing directed at Google Adwords customers.  Today we present the equivalent phishing attack directed at Microsoft adCenter users.

The phishing page is a completely convincing replica of the actual Microsoft login page.  We had to be amused though by the domain set up for the phishing site:

“adcenter1.microsoft-bs.com”.
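A check for this kind of hostname, as an added example that is not part of the original post: it flags a URL whose host carries a brand name but does not sit under one of that brand's own domains. The brand table, the function names and the two-label domain split are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative map of brand keyword -> domains the brand really uses.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com"},
    "google": {"google.com"},
}

def registrable_domain(host):
    """Naive registrable domain: the last two labels.
    A production check should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_lookalike(url):
    """Return (brand, reason) when a host borrows a brand name, else None."""
    # Accept bare hostnames as well as full URLs.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    reg = registrable_domain(host)
    # A host under one of the brand's own domains is not a lookalike.
    if any(reg in legit for legit in BRAND_DOMAINS.values()):
        return None
    second_level = reg.split(".")[0]
    subdomain_part = host[: len(host) - len(reg)]
    for brand in BRAND_DOMAINS:
        if brand in second_level:
            # e.g. "microsoft-bs.com": brand glued into an unrelated domain
            return (brand, "brand name inside unrelated domain " + reg)
        if brand in subdomain_part:
            # e.g. "microsoft.com.example.net": brand only in the subdomain
            return (brand, "brand name used as subdomain of " + reg)
    return None

if __name__ == "__main__":
    # The first host is the one quoted in the post; the others are constructed.
    for candidate in ("adcenter1.microsoft-bs.com",
                      "https://adcenter.microsoft.com/",
                      "http://microsoft.com.example.net/login"):
        print(candidate, "->", brand_lookalike(candidate))
```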

Email text:

Dear adCenter customer,

For quality services and running your ads without any problems (Innactive account meaning Pausing your Ads) check the status of your adCenter account regularly.

Check your Microsoft adCenter status now.

Sincerely,

The Microsoft adCenter Team



The spam cloud: ep01

January 25th, 2012 by Avi Turiel | Category: anti-spam | Leave a comment »

If you were to summarize 7.2 million spam subjects from a single day into a tag cloud – what would it look like?

er…  like this!

As you can see, the main products being pushed today are fake watches, pharmaceuticals, enhancers and ….  Xerox machines??  No – those belong to a large outbreak of emails with malware links that present themselves as “scans from your xerox machine”.  The Xerox theme is not new – see our post from last year.

Thanks to Eyal from the Detection team for concept and creation.  We will post more of these.

 


A que famosos se parecen tus amigos? (Celebrity photo match for your friends)

January 17th, 2012 by Avi Turiel | Category: Web Security | Leave a comment »

It sounds like a fun application – scanning your friends’ profile photos and then matching them with the celebrity that they most closely resemble.  If only it actually worked…

It starts with a friend’s post:

Post text (in Spanish):

Descubre a que famosos se parecen tus amigos en esta divertida y sorprendente aplicación. Analizaremos el perfil de tus amigos, sus gustos, aficiones y su foto, ¡y te diremos a que famosos se parecen!.

Translation (more or less):

Discover which celebrities look like friends and have fun in this amazing application. Analyze it profile of friends, photo, to say that you look like celebrities!

Clicking on the links opens an application approval page:

Notice the all-important “Post to Facebook as me”.  This ensures the further spread of the application which will now let all your friends know that you are searching for their celebrity lookalikes.  The app also posts pictures which “show” the celebs that match your friends.  How do we know it doesn’t work – well firstly the matches weren’t all that good, and secondly the celeb photos seem to be limited to the same collection of 15 or so photos that simply repeat over and over.

So what’s the real purpose of this app?  It leads to a dating app (as soon as you click on “allow”).

 

 

 

 


Facebook: 95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds

January 8th, 2012 by Avi Turiel | Category: Web Security | Leave a comment »

Variants of this malware have appeared on Facebook in the last few months.  Today’s version of the attack starts with a friend’s post that looks something like this:

The link takes clickers to a Blogspot page which has been very convincingly designed to look like a Facebook page with an embedded video player (none of the Facebook elements at the top of the page are actually clickable).  Visitors are informed that they need the Divx plugin/Youtube Premium plugin.

Clicking on the download link runs a script that performs several misdeeds:

1) A link is posted on the user’s wall – Facebook extracts the content for the post from the page itself, which includes data specifically formatted for this purpose:

  • <title>95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds</title>
  • <meta property="og:title" content="95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds" />
  • <meta property="og:image" content="http://i.imgur.com/0F–s.jpg" />
  • <meta property="og:description" content="i dare you to get past the 25 seconds.Just click play" />

2) The script then installs Firefox or Chrome extensions depending on the browser used.  These extensions are used to redirect users to several further scams. The redirections happen no matter what sites the user actually intended to go to.   One of the redirections is to a scam offering a $50 Starbucks gift card.  This is similar to the attack we described in December.  After coaxing the Facebook user to like and share the link they are led to an affiliate marketing site.

How to spot that this is bad stuff before you click too much:

  • The spelling and grammar errors – “Cant”, “wow checkout this”, “F0r”
  • The blogspot page that is based on a number
  • The blogspot page that looks like a Facebook page
  • The “download plugin” requirement to see a video (a long-running trick to get people to willingly install malware).
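The warning signs in the list above can be checked mechanically. The following is an added example, not code from the original post: it reads the Open Graph tags the way a link scraper would and reports which signs a shared link shows. The sample URL and page body are constructed; reading “based on a number” as an all-digit blogspot subdomain is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class OGParser(HTMLParser):
    """Collect the og:* meta values a link scraper would use for the wall post."""
    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""

def warning_signs(url, html):
    """Return the warning signs from the list above that this link shows."""
    parser = OGParser()
    parser.feed(html)
    title = parser.og.get("og:title", "")
    host = urlsplit(url).hostname or ""
    signs = []
    # "0f", "F0r": a zero typed in place of the letter o inside a word.
    words = re.findall(r"[A-Za-z0-9]+", title)
    if any("0" in w and re.search(r"[A-Za-z]", w) for w in words):
        signs.append("digit-for-letter spelling in og:title")
    # Assumption: "based on a number" means an all-digit blogspot subdomain.
    if re.fullmatch(r"\d+\.blogspot\.[a-z.]+", host):
        signs.append("numeric blogspot host")
    # A page that claims a plugin is needed before the video will play.
    if re.search(r"\b(need|install|download)\b[^<]{0,60}\bplug-?in\b", html, re.I):
        signs.append("plugin required to watch video")
    return signs

# Constructed sample: og:title and og:description as quoted in the post,
# everything else (URL, body text) invented for the example.
SAMPLE_URL = "http://1234567890.blogspot.example/"
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds" />
<meta property="og:description" content="i dare you to get past the 25 seconds.Just click play" />
</head><body><p>You need the Divx plugin to watch this video.</p></body></html>"""

if __name__ == "__main__":
    for sign in warning_signs(SAMPLE_URL, SAMPLE_HTML):
        print("warning:", sign)
```

The digit-for-letter test is a heuristic and will also fire on legitimate titles that contain tokens such as product names with a zero in them, so treat it as one signal among the three rather than a verdict.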

Check out our infographic where we break down attacks such as these that occurred in 2011.  Follow us on Facebook to keep updated about threats like these.

 


48% of Facebook attacks are helped along by users – Commtouch Trend Report

January 5th, 2012 by Avi Turiel | Category: Data & Research | Leave a comment »

Our latest Internet Threats Trend Report is now available.  The report covers Web threats, phishing, malware, and spam. The January 2012 Internet Threats Trend Report and accompanying infographic present a comprehensive analysis of scores of malicious Facebook activities during the past year.  The report investigates the three stages of Facebook attacks:

1) Social engineering tricks,

2) How attacks spread between friends (see graph below)

3) How cybercriminals benefit from the attacks.

Other info in the report: In the fourth quarter of 2011, email-attached malware levels dropped significantly from the billions of messages observed in Q3.  These were replaced with numerous outbreaks of emails with malicious links.  Most of these links led to compromised websites that were used to host malware scripts.  Spam levels increased marginally in December but remained at a three-year low.

Average spam for the quarter: 101 billion emails per day

Country with the most spam zombies: India (23.5%)

Website categories most likely to contain malware: parked domains, free websites, and pornography sites


Paparazzi catch Berlusconi! (claim of Russian Italian malware emails)

If you believe the email below, the recently-resigned Italian PM has paid a large amount of money to prevent the publication of “images”.

Translation:

Berlusconi has proposed 2 million to hide the images.

Look at this:

<malware zip link>

This photo has been viewed 8 999 times. Share this link with your friends.

The zipped file is of course malware and we hope recipients didn’t open it or share with their friends as suggested.  The emails are delivered with differing text to make them harder to block.  One of these variants caught the eye of our alert analysts:

The translation:

Paparazzi finally vpoymali Berlusconi.

Reference:

http://www.exclusiv———/DC009.zip

This photo has been viewed 923 999 times. Share this link with your friends.

Notice that the ever-reliable Google Translate got stuck on the 3rd word.  That’s because it’s not Italian but Russian – “Поймали“ means “caught” as in “Paparazzi finally caught Berlusconi”.  In other words, those behind the malware outbreak wrote the text in Russian and translated it to Italian – but obviously didn’t review all of the results.  Pretty sloppy work guys.

Email text (Italian)

Berlusconi ha proposto 2 milioni di euro per nascondere quelle immagini.

Guarda qui:

Questa foto e stata vista 8 999 volte. Condividi questo link con i tuoi amici.

Or…

Paparazzi infine vpoymali Berlusconi.

di riferimento:

Questa foto e stata vista 923 999 volte. Condividi questo link con i tuoi amici.

 


Angry birds scam emails catapult into inboxes worldwide

December 29th, 2011 by Avi Turiel | Category: anti-spam, Email Security | Leave a comment »

What did we do before Angry Birds? (Halo, Tetris and Rubik’s cube I guess).  Angry Birds has become the benchmark by which any serious operating system is now judged (“no it doesn’t support email but Angry Birds will work on it”).   This sort of popularity is guaranteed to make anything a useful vehicle for spam, scams, malware distribution, and of course marketing affiliates.

And so we encounter the “Angry Birds Survey” which arrives with minimal text and a linked image that presents the question: Kamikaze Killers or Swine Snipers?  Er…  I just don’t know.

In the interests of public safety we entered the survey to see whether we might get a $20 iTunes gift card.   After providing our (fake) email address and other details (address, birthdate, phone numbers), we responded to 12 questions posed on subsequent screens including:

  • Did we or anyone we know have a baby recently?
  • Do we own a cat?
  • Do we want lower auto insurance?
  • Do we plan to lose weight in 2012?
  • Do we get drowsy during the day?
  • Do we want an exclusive offer on furniture?

At the end of it all we were redirected to a premium SMS service sign-up page.

No iTunes gift card. – oooooh that makes me soooo angry…

 

 


Arabic Facebook likejacking

December 28th, 2011 by Avi Turiel | Category: Web Security | Leave a comment »

Sometimes Facebook attacks are quite easy to find – like when an American friend posts in Arabic.

The text:

موقف محرج خلال البث المباشر مذيعة قناة الرياضية

translates to: “An embarrassing situation during the live broadcast TV sports broadcaster”

Clicking on the link leads to a Web page with an embedded video player.  Clicking pretty much anywhere on the page (including the play button) generates a share confirmation or a like, ensuring the spread of the attack.  The attack seems designed to draw Facebook users to the advertising on the page, which generates revenue for the webpage owner.

The January 2012 Internet Threats Trend Report and accompanying infographic present a comprehensive analysis of scores of malicious Facebook activities during the past year, as identified by Commtouch Labs. The report investigates the three stages of Facebook attacks: Social engineering tricks, how attacks spread between friends, and how cybercriminals benefit from the attacks.

The not-all-that-funny video can be viewed safely on Youtube.

 

 


Infographic – Facebook attacks in 2011

December 28th, 2011 by Michal Harush | Category: Web Security | 15 Comments »


The “I’m in trouble” massive malware outbreak

December 22nd, 2011 by Rebecca Herson | Category: malware, Spam Favorites | Leave a comment »

A series of massive email outbreaks have been intercepted and analyzed by Commtouch Labs over the last several days with subjects like “Need your help!” and “I’m in trouble,” containing links that lead to malware downloads. They are being spammed around the world at rates of hundreds of thousands of messages per day.

Many Facebook and email scams in the past have used the “help I’m in trouble” theme to induce recipients to send them money, and now malware distributors have apparently decided to try a similar tactic. This time, however, the risk of answering the call of the damsel in distress isn’t that you will send a complete stranger thousands of dollars, but that you will infect your computer with malware.

The messages vary, but the goal is the same, to distribute more and more malware to unsuspecting end-users through a hyperlink within the email message. These URLs are primarily hosted on sites that are legitimate but have been compromised. The vast majority of the sites use WordPress, an open source blogging and Web site content management solution (sorry WordPress, we love you…). WordPress has a vast ecosystem of plugins that enable various additional functionalities on sites, which makes it highly user-friendly for even the least experienced Webmaster. However with these plugins comes a certain amount of risk – each plugin is developed by an independent developer, with no centralization; each plugin has its own security updates, and its own vulnerabilities. Inexperienced Web site owners may not update all of their plugins (or WordPress itself) on schedule, leading to holes that can be exploited to place third-party content on unsuspecting Web sites. Often the content placed on the site is not malicious in and of itself, so it may be difficult to detect even when doing a scan of the site. Typically the link within the email will lead to a script hidden on the compromised site that simply redirects to the malicious web page.

Yesterday’s top subject line in this outbreak was “Need your help!” and led to a message with this content:

——-

Hello! Look, I’ve received an unfamiliar bill, have you ordered anything?
Here is the bill [malware link]

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer

——-

However today the message evolved to a new subject line: “Fwd: I’m in trouble!” with the body text sounding even more urgent than the previous one:

——–

I was at a party, got drunk, couldn’t drive the car, somebody gave me a lift on my car, and crossed on the red light!
I’ve just got the pictures, maybe you know him???
Here is the photo [malware link]

I need to find him urgently!

Thank you

[sender's name]

———

The messages look innocuous enough, and even have what looks like a security code (or hash) at the bottom of the message, which makes it look even more real. A recipient might think this indicates it was scanned by an antivirus engine.   But if you mouse over the hyperlink, you can see that it’s a long, ugly link with lots of random characters, which should be a big red flag indicating DON’T CLICK!

Incidentally, it’s the same family of malware outbreaks as the recent celebrity James Cameron outbreak and that yummy pizza malware, both of which we reported on.
