World of Warcraft Targeted by Phishing Scheme

December 30th, 2009 by Shara Grifenhagen | Category: Miscellaneous

Typically, one associates phishing schemes with online banking passwords and related issues. Commtouch Labs recently reported on a brand new scheme involving the popular online role-playing game World of Warcraft (WoW). Apparently, once an account is hacked there is money to be made by selling the user’s “gold,” equipment, and even the account itself. Several sites are set up for WoW players to buy and sell their wares; a level 80 account, for example, can go for more than $170 US.

The attack uses emails with subjects such as “World Of Warcraft-Account Instructions,” “World of Warcraft Account Management,” “World of Warcraft Account Trade Dispute Notice” and, of course, “World of Warcraft – Account Password Change Notification.”

The links within the emails all lead to mock log-in screens at various URLs that are similar to “wolrdofwarcraft,” but not quite. An example landing page is pictured below; entering ANY email and password in the fields redirects to the real WoW community site.

World of Warcraft Phishing Scheme landing page
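As an added example (not code from the Commtouch post), here is the kind of check that catches lookalike hosts such as “wolrdofwarcraft”: the host of each link is compared with a short allow-list of legitimate domains, and a host within two edits of a legitimate label, or one that buries a legitimate brand name inside an unrelated domain, is flagged. The allow-list, the distance threshold and the sample links are assumptions; the check generalizes beyond the single misspelling mentioned above.

```python
# Added example, not code from the Commtouch post: flag lookalike hosts such as
# "wolrdofwarcraft" by comparing a URL's domain label against known-good domains.
from urllib.parse import urlparse

# Assumed allow-list for this example; a real deployment would load its own.
LEGIT_DOMAINS = {"worldofwarcraft.com", "blizzard.com", "battle.net"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'login.worldofwarcraft.com' ->
    'worldofwarcraft.com'. A production check should consult the Public
    Suffix List; two labels are enough for the .com/.net names used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url: str, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the host of a URL.

    'lookalike' covers two tricks seen in phishing links: a misspelt brand
    (small edit distance) and a real brand name buried inside a host that
    belongs to someone else, e.g. worldofwarcraft.com.evil.example."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit"
    label = domain.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_label = legit.split(".")[0]
        if legit_label in host:
            return "lookalike"
        if levenshtein(label, legit_label) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links in the style of the campaign described above.
    for link in ("http://login.worldofwarcraft.com/account",
                 "http://wolrdofwarcraft.com/login",
                 "http://worldofwarcraft.com.evil.example/login",
                 "http://www.example.org/"):
        print(f"{classify_url(link):10} {link}")
```

Edit distance alone misses hosts like worldofwarcraft.com.evil.example, which is why the brand-in-host test runs first; a mail gateway would apply the same classification to every link extracted from a message body.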

Read more about this new phishing scheme on the ComputerWorld blog of Amir Lev, Commtouch president and CTO.

Happy Holidays and a Gift to the V Foundation

December 24th, 2009 by Shara Grifenhagen | Category: Commtouch Lore

In continuing with the tradition we began last year, Commtouch has made a donation to a charitable organization in the spirit of the holidays. With the help of Charity Navigator, we chose four 4-star organizations and asked our partners and friends to help choose the organization (or organizations) to which we would make our contribution. After tallying the votes, this year’s donation is going to The V Foundation for cancer research.

Since 1993, the V Foundation has raised more than $80 million and awarded cancer research grants in 38 states and the District of Columbia. Funds raised by The V Foundation have helped researchers develop their laboratories and take their science from the labs to the clinics.

According to their Web site, The V Foundation:

  • Awards 100% of all direct donations and net proceeds of events directly to cancer research and related programs
  • Received a 7th consecutive top 4-star rating from Charity Navigator, placing them in the top 2% of all charities evaluated
  • Has raised more than $90 million to fund cancer research
  • Has awarded grants to 92 institutions in 38 US states & DC

Commtouch Holiday Card

Commtouch wishes all of our partners and friends, and everyone around the world, a happy and healthy new year.

MP3 spam spreads holiday cheer

December 21st, 2009 by Shara Grifenhagen | Category: Spam Favorites

Commtouch Labs reported a recent attack involving MP3 messages. The email body and subject line were blank, as seen below, and each message had an MP3 file attached. The MP3s are all very short, only about 16KB per message, in order to slip past traditional spam filters.

MP3 spam message

While the emails were all subject-less, the MP3s were creatively named. File names include: beauteously, unsecularise, sporicide, cookshack, teentsier, muftis, zoogeography and squishiness.

When played, the MP3s were all the same message…someone reciting a URL and a woman moaning in the background. It’s creatively packaged Viagra spam from our Canadian Pharmacy friends.

This attack is unusual because the payload is neither an image nor a URL embedded in the message body. It is none of the more traditional approaches to bypassing spam filters, so the MP3 message could go completely undetected by engines that inspect text content. Filters that rely on pattern detection recognized the outbreak and blocked the messages before they reached customer networks.
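As an added example (not code from the Commtouch post, and not its pattern-detection technology), the following Python scores a message on the three structural traits described above: a blank subject, a blank body and nothing but a tiny audio attachment. The sample messages are constructed in memory, and the weights and the 32 KB size limit are assumptions for the example.

```python
# Added example, not code from the Commtouch post: a structural check for the
# kind of message described above (blank subject, blank body, one tiny MP3).
# The scoring weights and the 32 KB size limit are assumptions for this example.
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

SMALL_AUDIO_LIMIT = 32 * 1024  # bytes; the campaign's files were about 16 KB


def build_sample(subject: str, body: str, attach_name: Optional[str] = None,
                 attach_bytes: bytes = b"") -> bytes:
    """Construct a test message in memory (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if attach_name is not None:
        msg.add_attachment(attach_bytes, maintype="audio", subtype="mpeg",
                           filename=attach_name)
    return msg.as_bytes()


def score_message(raw: bytes) -> dict:
    """Score a raw RFC 5322 message on the three traits of the MP3 campaign."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""
    # (filename, decoded size) for every audio attachment
    audio = [(part.get_filename(), len(part.get_payload(decode=True)))
             for part in msg.iter_attachments()
             if part.get_content_maintype() == "audio"]
    score, reasons = 0, []
    if not subject:
        score += 1
        reasons.append("blank subject")
    if not body:
        score += 1
        reasons.append("blank body")
    if audio and all(size <= SMALL_AUDIO_LIMIT for _, size in audio):
        score += 2
        reasons.append("only small audio attachment(s)")
    return {"score": score, "suspicious": score >= 3,
            "reasons": reasons, "audio": audio}


if __name__ == "__main__":
    # Constructed sample in the style of the campaign: no subject, no body, 16 KB MP3.
    sample = build_sample("", "", "beauteously.mp3", b"\x00" * (16 * 1024))
    print(score_message(sample))
```

A genuine podcast mail with a subject, a body and a multi-megabyte MP3 scores zero here, which is the point of combining the traits rather than blocking every audio attachment.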

I checked out the link and found this:

Canadian Pharmacy Viagra MP3 spam

Guess they really want us to stock up on our “personal enhancement” needs before the holiday!

Webcast Provides Insight Into Web Security Threats in 2010

December 15th, 2009 by Eyal Orgil | Category: Commtouch Partners, Web Security

Webcast: Commtouch Security Alliance Web Security Threats in 2010

RSA, Sunbelt Software and Commtouch Security Alliance logos

Commtouch Security Alliance partners Sunbelt Software, RSA, the Security Division of EMC, and Commtouch held an informative webcast this past Thursday discussing the latest in web security threats. The webcast, entitled “Stormy Web Ahead: A Forecast of Web Security Threats in 2010,” provided essential information needed to understand the web security threats that organizations and individuals face.

The speakers, Sean Brady of RSA, Chad Loeven of Sunbelt Labs and Asaf Greiner of Commtouch, each described the threats their organizations tracked in 2009. They then went on to forecast the types of web security threats each believes companies and individuals will face in 2010.

At the end of the webcast the three speakers took part in a live Q&A session. Viewers were asked to send in questions via e-mail and Twitter, with all responses provided over Twitter. Below is a log of the questions that the panel was asked along with their responses.

Question: What impact will Windows 7 Microsoft Security Essentials (free AV) have on the threat landscape?
Sunbelt: While Win7 is certainly the most secure OS yet from MS, no OS can completely protect from social engineering or vulnerabilities in the applications.

Question: Where is most of the fraud originating from these days?
RSA: While it looks like fraud comes from all over, most of the key drivers are still believed to be out of Eastern Europe.

Question: How do you know these zombies aren’t just a myth?
Commtouch: Commtouch has been monitoring zombies sending spam. We have a list of over 10 million at any given moment.

Question: What do you think fraudsters are going to do with Enterprise data?
RSA: Once they figure out how to turn it into cash – extortion, resale, stock manipulation – you’ll see them put it to use.

Question: Do you see Mac or mobile malware reaching a critical mass in 2010?
Sunbelt: Yes. In particular, with the mobile market continuing to increase the # of nodes, the growth in mobile payments, increased mobile bandwidth and the consolidation of smartphones around a few platforms, all the pieces are in place to present a compelling target for malware authors. Same for Mac. As its total user base grows, it’s new territory for the bad guys.

Question: What is the impact of 64-bit OSs and apps on the threat landscape?
Sunbelt: There’s currently virtually no 64-bit malware, but we can expect that to change.

Question: Do people actually fall for these scams?
Commtouch: Yes. Actually every once in a while people complain that we mark these attacks as malicious. They don’t get that it is a scam.

Question: Would web reputation solve these types of attacks?
Commtouch: Reputation is an important part, however many attacks are done via compromised and UGC sites.

Question: How do you three companies work together to prevent attacks?
Commtouch: Commtouch specializes in identifying attacks across the globe. Sunbelt and RSA are leading experts at analyzing attacks.

********

If you would like to watch the webcast, a recording is available for viewing on-demand.

Personal enhancement spam now targeting women

December 7th, 2009 by Shara Grifenhagen | Category: Spam Favorites

Commtouch Labs has seen a new trend in personal enhancement spam. Where in the past these messages have been directed at men, with subjects like “Let your ‘gun’ be steel” and “The more inches you have the more times your lady will hit the point,” this new variation is directed at women whose men have lost that spark.

The messages look like a personal letter between two friends, and most samples, like the one below, include a line announcing that the sender and her partner are about to get married after solving their problems.

Personal Enhancement spam targeting women

The body of the email is much more subtle than what is seen in typical enhancement emails. The email reads more like a confidential chat between two close girlfriends, and less like an advertisement for men. The language here is very shy and subtle, stating that “it’s so difficult to talk about these things…” The typical, more “manly” approach urges the recipient to “be a champion in bed,” etc.

Perhaps the spammers are banking on the fact that female consumers spend more than men. Trying a new angle, targeting the women who “suffer,” the spammers hope to make a larger profit.

Clicking on the link in the message leads to a landing page like this:

Exploited Yahoo! Profile Page

The spammers have exploited pages on profiles.yahoo.com, similar to exploitations we’ve seen with live.com and others. Using legitimate sites like Yahoo! and Live.com, the spammers hope to bypass traditional content-based spam filters. More advanced, content- and language-agnostic spam filters will prevent such messages from reaching inboxes.

Fake Swine Flu alert blended threat attack

December 2nd, 2009 by Shara Grifenhagen | Category: Spam Favorites, Web Security

Commtouch Labs has run across a brilliant blended threat campaign organized by a body pretending to be the Centers for Disease Control. The attack, originating from Chinese botnets, began on the morning (EST) of 1 December 2009 and is still going strong. By the time of this publication, the attack had been flagged as “massive” by Commtouch Labs.

The email looks like this:

CDC blended threat email

Note the “From” address ends in .gov; spoofing the address in this way makes the message appear to be from a government body. The .gov ending may trick some traditional spam filters as well as tricking the unknowing recipient of such a message. With everyone in a panic about Swine Flu lately, the message is definitely trying to hit a soft spot. Cyber criminals tend to use social engineering methods to distract us from the dangers that lie within the links and files.

The body of the message describes a Vaccination Profile program to lure readers to a site that was laden with malware. A recipient who clicked on “create personal profile” at the bottom of the email was directed to this link:

CDC link

Including cdc.gov in the URL is designed to trick users into thinking that the CDC owns the domain, but the actual domain name comes AFTER the .gov, as pictured above. We blurred out the actual domain here; it follows immediately after the .gov in the address.
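The check a recipient should make by eye, extracting the host a browser would actually connect to and comparing it with the trusted name that appears in the link, can be automated. The following is an added example, not code from the Commtouch post; the trusted list, the sample links and the host attacker-placeholder.example are assumptions, and it also covers two related tricks the post does not show: the trusted name in the URL path, and the trusted name in the user-info part before an “@”.

```python
# Added example, not code from the Commtouch post: report trusted domain names
# that appear somewhere in a URL without actually being the URL's host.
# The trusted list and the attacker-placeholder.example host are assumptions.
from urllib.parse import urlparse

TRUSTED = ("cdc.gov",)


def true_host(url: str) -> str:
    """The host a browser would actually connect to, lower-cased."""
    return (urlparse(url).hostname or "").lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def deceptive_mentions(url: str, trusted=TRUSTED) -> list:
    """Return trusted domains that appear in the URL text but do not own the host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Text an eye might mistake for the host: user-info before '@', the host's
    # own labels, the path and the query string.
    userinfo = parsed.netloc.rsplit("@", 1)[0] if "@" in parsed.netloc else ""
    visible = " ".join((userinfo, host, parsed.path, parsed.query)).lower()
    return [d for d in trusted if not host_belongs_to(host, d) and d in visible]


if __name__ == "__main__":
    # Constructed sample links; the real campaign's domain was blurred in the post.
    for link in ("http://www.cdc.gov/h1n1flu/vaccination/",
                 "http://www.cdc.gov.attacker-placeholder.example/h1n1flu/profile.php",
                 "http://attacker-placeholder.example/cdc.gov/profile",
                 "http://www.cdc.gov@attacker-placeholder.example/"):
        print(f"host={true_host(link):45} deceptive={deceptive_mentions(link)}")
```

Only the first link is genuinely under cdc.gov; in the other three the trusted name is decoration and the connection goes to the placeholder host.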

The questionable link led to a landing page that appeared legitimate at first sight, but examining the code behind the page showed that the malware distributors had added an iframe of width “0” to it. That iframe loads a PHP script which in turn points to two additional iframes: one relying on a vulnerability in nested PDF viewers, and one built on JavaScript served by a PHP script:

Swine Flu iFrame code

The PDF contains this obfuscated Javascript code within the PDF itself:

Swine Flu PDF malware Javascript code

In addition to the fact that Javascript inside a PDF is an interesting method of transport, the code is, as suspected, malicious.

The second file, sNode.php, also contains obfuscated code:

Swine Flu malware sNode script

This file is also malicious.

Unfortunately, online crooks will use any tactic they can think of to bypass spam and virus filters. Commtouch RPD technology is based on massive pattern analysis, and thus blocked this blended threat in most of our partner implementations. But for those who rely on traditional spam filtering, the outcome may not have been so sweet.

If an email slips into your inbox, be sure to check link domains – in their entirety – before clicking. Don’t assume that if you see a .gov in the middle that it’s actually from a legitimate source. If you are unsure about the origins of an email, try to verify the details before you fall victim to the next great malware scheme. And never click on links or download files from unverified sources.

For the REAL Centers of Disease Control and everything you ever wanted to know about Swine Flu, visit the official CDC Swine Flu information page.

Top 10 Most Ridiculous Spam Subjects – #sillyspam

November 23rd, 2009 by Shara Grifenhagen | Category: Spam Favorites

As a messaging and Web security company, we see our fair share of spam in helping our customers get rid of theirs. Recently, I got curious and went poking around to see what new things spammers are trying to sell or announce and I found myself laughing hysterically. Some of the subject lines were just too priceless. I’ve put together a collection of my favorite, most ridiculous spam subjects…and of course I had to add a little commentary.

10. Viagra Soft Tabs
Isn’t that an oxymoron?

9. Your social status will grow with a more serious watch
So the mullet won’t matter much, eh?

8. Equip your battleship with main caliber!
E6? Hit!

7. With our watches, boring time will go faster
Time travel!? Does it make dinner too?!

6. Try this crap!
With that marketing, it’s a wonder you can sell ANY crap!

5. It’s over!
So why are you still emailing me!?

4. You know where we are?
Yeah! In my junk mail folder…where you belong!

3. Crazy about bling
Or just blingin’ crazy!

2. Answer your phone!
Dude, you’re in my junk folder. You think I’d take a call from you!?

And our all-time favorite…

1. I’m Batman, I demand reply.
Well, I’m certainly not one to argue with Batman

Like these? Want to see more? Follow us on Twitter, where we post new hilarious spam subjects (search for #sillyspam) plus industry news, important company announcements and more…

Seen some funny spam in YOUR junk folder? Share with us in the comment section!

BizTEC Entrepreneurship Competition

November 17th, 2009 by Rebecca Herson | Category: Commtouch Lore

Commtouch is a proud sponsor of BizTEC, an entrepreneurship competition organized by the Haifa Technion for university and college students (undergraduate and graduate) from all over Israel. It is a yearlong competition in which students build startups in areas such as software, hardware and biotech, designed to ultimately produce the nation’s next generation of successful ventures. This year is the 5th annual competition, and nine “real” start-ups were born as a result of BizTEC in previous years.

Earlier this week, Commtouch’s CTO Amir Lev represented Commtouch in the opening ceremony for BizTEC 2010. Commtouch executives will also be involved in mentoring the BizTEC contestants throughout the year in various business-related subjects, and in judging the competition.

The 2010 prize will be in honor of Nahum and Nava Sharfman, who died in a tragic airplane accident earlier this year; Nahum was a co-founder of Commtouch.

To register as a participant in the BizTEC competition, please visit the registration page on the BizTEC site.

Top Ten Reasons Some People Stay with Home-grown/Open Source Email Filtering

November 12th, 2009 by Rebecca Herson | Category: Email Security

Several of us recently returned from various hosting-oriented events, including Parallels EMEA Roadshow and cPanel in Texas. We talked to lots of people there that have developed their own homegrown solutions for email filtering, often based on open source; here are the top 10 reasons we heard for keeping their existing email filtering systems:

1. They love spam about poorly written and badly spelled offers for sex, drugs, and that new PhD they wanted to get, but couldn’t be bothered to go to school for.

2. They simply can’t get enough of those cute viruses.

3. They love being interrupted during breakfast, lunch, and dinner to troubleshoot a customer’s infected computer that in the end they have to tell them to reformat anyway.

4. The happiest moment in their day is when a customer clicks on an .EXE file from someone they don’t know and then calls sounding genuinely surprised.

5. Their fingers get a great workout from the hours and hours of writing filter rules and adding people to the blacklist.

6. They still believe deep down that poor widowed Carlonia Jobabie Johnson from Nigeria will finally stop mourning the loss of her late husband/general/president/priest/doctor long enough to send the millions they helped her get.

7. Actually getting real work done is just plain boring.

8. They don’t mind spending most of their day sifting through thousands of their clients’ inboxes to find that one email.

9. They have a bet with Joe in sales that this month’s server electric bill won’t be higher.

10. They get that warm and fuzzy feeling when clients call them to cancel and demand a full refund after 95% of their email is spam and/or viruses (they’re so silly, what were they thinking).

And since this is not really a top ten list…NUMBER…

11. Watching the servers run above maximum, overheat, and crash helps them sleep at night.

OK OK – you want to read the top 10 reasons to SWITCH to commercial email filtering? There’s a real document you are welcome to download and share.

Zombies & Child Pornography: Protect Your Computer, Protect Your Reputation

November 10th, 2009 by Shara Grifenhagen | Category: Zombies/Botnets

Unbeknownst to their owners, malware infects millions of computers around the world. Often this malicious software turns the computer into a “zombie” or “bot”: the machine is controlled by an outside party and used to send spam or perform other nefarious tasks. An army of zombies makes up a “botnet,” a network of zombies that can be triggered to send spam or launch denial-of-service attacks en masse.

One extreme example of the dangers of zombies was recently reported in the Washington Post. The article examined how some people who claim innocence were convicted of involvement with child pornography after their computers were infected by a virus and used to store and sometimes distribute horrific images.

The article goes on to explain:

Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they’ll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.

Whatever the motivation, you get child porn on your computer – and might not realize it until police knock at your door.

In one case, Michael Fiola was fired in 2007 after his company found child pornography stored on his work computer. He spent hundreds of thousands of dollars in legal fees while his reputation suffered…and after nearly a year, it was in fact proven that a virus had infected his computer, causing it to systematically visit pornographic Web sites while he was nowhere near the computer. In other cases, the defendants were not as successful in proving their innocence, and many of them are now serving time in prison.

There are organizations (e.g. the Association of Sites Advocating Child Protection (ASACP) and the Internet Watch Foundation (IWF)) that have banded together to try and eliminate child pornography from the Internet. The IWF manages a list of Web sites containing child abuse images, which can be incorporated into Commtouch’s anti-spam solution to screen emails containing child abuse and exploitative content and flag them as non-compliant. Many Commtouch partners have implemented the IWF material to protect their customers.

For real-time Zombie statistics and information, check out the Zombie Lab in our Online Security Center.
