- Spam -

Last update 09.10.2017 13:18:18

Introduction  List  Kategorie  Subcategory  0  1  2  3  4  5  6  7  8 

Experts warns of a new extortion campaign based on the Breach Compilation archive
6.10.2018 securityaffairs 

Cybaze ZLab spotted a new scam campaign that is targeting some of its Italian customers, crooks leverage credentials in Breach Compilation archive.
Security experts from Cybaze ZLab have spotted a new scam campaign that is targeting some of its Italian customers.

Crooks attempted to monetize the availability of a huge quantity of credentials available in the underground market to target unaware netizens in a new extortion scheme.

The number of spam messages associated with this campaign is rapidly increasing, the attackers behind this campaign used the credentials collected in the infamous database dubbed ‘Breach Compilation’.

This Breach Compilation archive contains about 1.4 Billion of clear text credentials gathered in a series of data breaches.

At the time it is still unclear if the attackers have created a pool of emails used in the spam campaign or are exploiting credential stuffing attack to attempt to access email accounts of unaware users and use them to send out spam messages.

The credential stuffing attacks involve botnets to try stolen login credentials usually obtained through phishing attacks and data breaches. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services.

In the following image is reported as an example, one of the messages used in this campaign.

The message is a classical email scam used by cyber criminals to threaten the victim to reveal to the public that he watches porn videos. Crooks claim to have the recording of the victim while watching the videos, but it is absolutely false.

Crooks blackmail the victims and request the payment of a fee in Bitcoin to avoid spreading the video.

To be more convincing and trick victims into paying the fee, the hackers include in the body of the email the password used by the victim as a proof of the attack. This password was extracted from the Breach Compilation archive.

Experts from Cybaze have analyzed several samples of email belonging to this campaign, most of them in English. One of their customers received a scam message in a poor Italian-writing.

Crooks ask the victims to pay a fee of $3000 worth of Bitcoin, while the message written in Italian ask for $350, a circumstance that suggests that other threat actors are using the same technique.

The attackers may have implemented an automated mechanism to send scam emails to the addresses in the archive and create for each of them a Bitcoin wallet.

Experts from Cybaze have analyzed a couple of wallets associated with the scam messages, in one case they found a number of transactions that suggest victim made the payment.

The Bitcoin address with associated 9 transactions is 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk

It is essential to share awareness about this campaign to avoid that other victims will fail victims of this type of extortion.

As usual, let me suggest to avoid use same credentials across multiple web services, you can check if your email is involved in a data breach by querying the free service

Homebuyers Being Targeted by Money Transfer Scam
21.9.2018 securityaffairs

Money Transfer Scam – Scammers hack the victims’s email accounts, monitor conversations between the buyers and title agents, send instructions on where to wire the money.
A new homebuyer moves through a period of vulnerable transition as they invest in their future. This sensitive stage — a confusing flurry of representatives, documentation and planning — represents an attractive target for con artists with ill intentions. Some choose to capitalize on homebuyers’ ignorance.

The con in question is a money transfer scam with all the likeness of a typical transaction. Scammers hack the email accounts of their victims and monitor conversations between the buyers and title agents. Toward the close of the interaction, the scammers will send false instructions on where to wire the money.

After the wrongfully transferred money reaches the criminals behind the money transfer scam, they disappear, thousands of dollars wealthier. The practice is so whisper-quiet and challenging to catch that it’s given the FBI considerable trouble. For all intents and purposes, the scammers appear real.

Bryan O’Meara was hoping to expand his business with the addition of a parking lot for his new restaurant. He intended to wire upward of $1 million to the seller of the property but was unaware that his conversations were under surveillance by scammers. His business partner was equally unaware.

Fortunately for O’Meara, he didn’t follow through with the transaction — a decision that saved him an enormous sum of money. A loss of that caliber might have upended his business, and it’s a risk that many moving forward in real estate transactions should consider.

money transfer scam
Image by Soumil Kumar

FBI Involvement
The Federal Bureau of Investigation has offered the American public advice on how to better safeguard their money from scammers and hackers. After reporting $5 million in loss from Utah residents in 2017, every citizen is encouraged to take preventive measures to protect themselves from scams.

These measures include a frequent change in passwords, using mismatched and uncommon characters to avoid predictability. They also include a final follow-up with your partner or agent to confirm the wiring instructions are correct. Finally, in a worst-case scenario, people should contact their bank for immediate recall.

It’s an unfortunate truth that, even in the event of a recall, the victim loses most of their stolen money. Scammers will often bounce-wire the money through several international accounts at a high pace, blurring the trail that’s left behind in the event their target tries to reverse their transaction.

No security is 100 percent reliable. Even in following all the steps and taking every precaution, scammers and hackers will always innovate new techniques to steal money from their unwitting victims.

Protecting Home Purchases
While the FBI is a helpful resource when combating scammers, homebuyers are encouraged to take additional measures before they purchase their property of interest. For many, changing a password and making a phone call will not be enough. They should also consider the following advice.

In the final stages of communication between an individual and a company, a comparison of early emails and those received later can reveal differences. These differences indicate a scammer has entered the conversation under the guise of a professional. Verification through multiple channels is the safest route.

A scammer will also place a high amount of pressure on a homebuyer to wire their money. Homebuyers in the final stages of transfer are advised to look closely at the information exchanged between them and the vendor to ensure its validity. A lax attitude toward detail can leave a person open to attack.

However, these innocent people don’t have to fall into the same old traps. Everyone should commit themselves to an awareness of common scamming techniques and illegal practices. Before purchasing a home, potential buyers would benefit by educating themselves about the latest scams in circulation by criminals.

Assessing the Danger
According to a 2017 report by the FBI, almost $1 billion was diverted or nearly diverted from real estate transactions — up by a significant margin from the year prior. This enormous sum of money speaks to the severity of the problem and its relevance to homebuyers today.

As they work through the final stages of a real estate transaction, buyers must remain diligent. A lack of interest in the proceedings can spell the difference between money lost and money saved. With a transaction as important as property exchange, anything less than total attention is inviting trouble.

It’s only through awareness and caution that citizens can protect themselves and their loved ones from the dangers of fraudulent activity.

Google Fights Tech Support Scams With New Ad Restrictions
4.9.2018 securityweek 

Google announced late last week that it’s preparing a new verification program designed to keep tech support scams off its advertising platform.

Tech support scams still represent a major issue and while these types of schemes are often unsophisticated, fraudsters have been known to use some creative methods to achieve their goals.

Tech support scammers can lure their victims through online ads, and Google’s advertising platform has been increasingly abused for this purpose. That is why the tech giant has decided to introduce some restrictions for tech support services.

“We’ve seen a rise in misleading ad experiences stemming from third-party technical support providers and have decided to begin restricting ads in this category globally,” said David Graff, director of Global Product Policy at Google.

“As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers. That’s why in the coming months, we will roll out a verification program to ensure that only legitimate providers of third-party tech support can use our platform to reach consumers,” Graff explained.

While Google is aware that the introduction of the new verification program will not block all attempts to “game” its advertising systems, the company is confident that it will at least make it “a lot harder.”

Google previously banned ads for bail bonds services and payday loans, and introduced verification programs for locksmith services and addiction treatment centers.

The company said it had paid out $12.6 billion to publishing partners in its ad network last year. On the other hand, it removed 320,000 publishers, and blacklisted roughly 90,000 websites and 700,000 mobile applications.

Google also said it took down 3.2 billion ads that violated its policies in 2017, which represents roughly 100 bad ads per second.

“We blocked 79 million ads in our network for attempting to send people to malware-laden sites, and removed 400,000 of these unsafe sites last year. And, we removed 66 million ‘trick-to-click’ ads as well as 48 million ads that were attempting to get users to install unwanted software,” the company said in its report for 2017.

Email Impersonation Attacks Increase by 80%
29.8.2018 securityweek

The latest ESRA report from Mimecast indicates just why email attacks are so loved by cybercriminals, and why organizations need to take email security more seriously.

ESRA is Mimecast's ongoing Email Security Risk Assessment quarterly analysis. Working with 37 organizations across 20 different industries, Mimecast compares the email threats it detects to those detected by the organizations' incumbent email security technologies. The results provide two major sets of statistics: the volume of threats that go undetected by the incumbent technologies; and the sheer size of the email threat.

The latest report (PDF) covers more than 142 million emails received by almost 261,924 users. The incumbent email security was Office 365 and Proofpoint.

ESRA's analysis shows that a total of more than 19 million spam emails; 13,176 emails containing dangerous file types; and 15,656 malware attachments were missed by the incumbent security and delivered to users' inboxes. It also discovered 203,000 malicious links within just over 10 million emails that were delivered to inboxes -- a ratio of around one unstopped malicious link in every fifty inspected emails.

This doesn't mean that the bad emails were effective, only that they were delivered to their destination. Other security controls might detect malware and inhibit users from clicking on malicious links -- but it does imply that these additional controls need to be 100% effective against threats that could have been blocked before delivery.

One figure that stands out in the analysis is an increase of 80% in impersonation attacks over the last quarter's analysis. Mimecast detected 41,605 cases that had been missed by the organizations' existing controls.

“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” said Matthew Gardiner, cybersecurity strategist at Mimecast. “Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter. These are difficult attacks to identify without specialized security capabilities, and this testing shows that commonly used systems aren’t doing a good job catching them.”

Mimecast was founded in 2003 by Neil Murray (CTO) and Peter Bauer (CEO). It went public in 2015, and its share price has risen steadily from an initial $10 to its current value at just over $41. During 2018 it has acquired both Solebit (a threat detection firm) and Ataata (a security training firm)

Spam and phishing in Q2 2018
18.8.2018 Kaspersky Analysis 
Spam  Phishing

Quarterly highlights
GDPR as a phishing opportunity
In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.

As required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies’ customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. It must be noted that the attackers were targeting customers of financial organizations and IT service providers.

Phishing emails exploiting GDPR

Malicious IQY attachments
In the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., which is a known ploy that is still actively used for malspamming. The From field contains addresses that look like personal emails, and names of attachments are generated in accordance with the following template: the name of the attachment, and then either a date or a random number sequence.

Harmful .iqy files

When the victim opens the IQY file, the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent, then this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT) used to gain remote access to the victim’s computer, steal files and personal information, and send spam.

It is rather difficult to detect these attachments because these files look like ordinary text documents which transfer web-inquiry data transfer parameters from remote sources to Excel spreadsheets. IQY files can also be a very dangerous tool in the hands of criminals because their structure is no different from the structure of legitimate files, yet they can be used to download any data at all.

It must be noted that malspam with IQY attachments is distributed via the largest botnet called Necurs. As a reminder, this is the botnet responsible for malspam (ransomware, macro-viruses, etc.), as well as pump-and-dump and dating spam. The botnet’s operation is characterized by periods of spiking and idling while infection and filter evasion mechanisms become ever more sophisticated.

Data leaks
The wave of confidential information leaks we discussed in the previous quarter is still on the rise. Here are some of the most notable events of the quarter:

Hacking and theft of personal information of 27M Ticketfly customers;
92M MyHeritage genealogy service users’ personal information was discovered on a public server;
340M individual records were lost by Exactis, a marketing company;
An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.
As a result of such leaks, cybercriminals get a hold of users’ names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.

In the second quarter, our antiphishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim’s accounts and private key information, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One of the examples of this are cryptocoin giveaways. Cybercriminals continue using the names of new ICO projects to collect money from potential investors that are trying to gain early access to new tokens. Sometimes phishing sites pop up before official project sites.

Ethereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by ICOs on the Ethereum platform. According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs managed to make $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.

Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site

World Cup 2018
Cybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims’ bank and other accounts, carried out targeted attacks, and created bogus fifa.com account sign-in pages.

As mentioned in the 2017 report, more and more phishing pages are now found on certified domains. Those may include hacked or specially registered domains that cybercriminals use to store their content. This has to do with the fact that most of the Internet is switching to HTTPS and it has become easy to get a simple certificate. In the middle of the second quarter, this prompted Google to announce future efforts aimed at changing the way Chrome works with certificates. Starting in September 2018, the browser (Chrome 69) will stop marking HTTPS sites as “Secure” in the URL bar. Instead, starting in October 2018, Chrome will start displaying the “Not secure” label when users enter data on unencrypted sites.

When Chrome 70 comes out in October 2018, a red “Not secure” marker will be displayed for all HTTP sites where users enter data.

Google believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.

An example of a certified phishing website marked as “Secure”.

At the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.

Vacation season
In anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, from airplane ticket purchases to hotel bookings. For instance, we’ve found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.

An example of a fake hotel booking website

A similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.

An example of fake airline ticket websites

Distribution channels
In our reports, we regularly point out you that phishing and other spam has gone way beyond email a long time ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users themselves for malware distribution. In this quarter, most large-scale attacks were found in messengers and on social networks.

Cybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just like they used to do with luck chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airplane ticket giveaways. This quarter in Russia, for instance, they used names of popular retailers such as Pyaterochka and Leroy Merlin, and also McDonald’s. Some fake messages come from popular sportswear brands, as well as certain stores and coffee shops.

Users share messages about ticket raffles with their contacts via a messenger since it’s one of the conditions for winning

Once a user has sent the message to some friends, he or she is redirected to another resource, the content of which changes depending on the victim’s location and device. If the user visits the site from their smartphone, most often they are automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and use their name to do other things online, such as publish posts on social media.

An example of a page which a user is redirected to after a survey, at the end of which they were promised a coupon to be used in a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions.

Twitter and Instagram
Cybercriminals have been using Twitter to distribute fraudulent content for a long time. However, it has recently become a breeding ground for fake celebrity and company accounts.

Fake account for Pavel Durov

The most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet to get double or triple coins back. To enhance trust, the wallet may be located on a separate website, which also contains a list of fake transactions that the victim can see “updating” in real time, which confirms that any person who transfers money to the fake wallet gets back several times the amount transferred. Of course, the victim does not receive anything. Despite the simplicity of this scheme, it makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin in their schemes. These names were chosen for a reason — Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made it to the cryptocurrency market leader list published by Fortune.

An example of a website advertised on Elon Musk’s fake account

News sensations make these schemes even more effective. For instance, the shutdown of the Telegram messenger generated a wave of fake messages from “Pavel Durov” promising compensation. In this case cybercriminals use similarly-spelled account names. For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and publish messages about cryptocurrency giveaways in comments to the celebrities’ authentic Twitter posts. As a result, even a detail-oriented person may have a hard time spotting the fake.

Twitter administration promised to stop this type of fraud a long time ago. One of their first steps involved blocking accounts that tried to change the user’s name to Elon Musk, and most probably other names commonly used by cybercriminals as well. However, it is easy to keep the account from being blocked by entering a Captcha and a code sent via text, after which the user can keep Elon’s name or change it to anything they want— the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that are often exploited by cybercriminals.

Another measure taken by the social network is blocking accounts that post links to Elon Musk’s account. Just like in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.

This scam has started spreading to other platforms as well. Fake accounts can also be found on Instagram.

Vitalik Buterin’s fake Instagram account

On Facebook, in addition to the aforementioned content distribution through viral threads, cybercriminals often use the advertising mechanisms offered by the social network. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.

Fraudulent website ad on Facebook

After clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive this reward, the user must either pay a fee, enter their credit card information, or share some personal details. Of course, the user does not receive any reward in the end.

Search results
Ads with malicious content and links to phishing sites can be found not only on social networks, but also in the search results pages of major search engines. This has recently become a popular method of advertising fake ICO project websites.

Users do not always notice the “Ad” label next to the ads

Spammer tricks
Last quarter, spammers tried to use the following new tricks to evade filters.

Double email headers
When generating spam emails, spammers use two From fields in the email header. The first From field contained a legitimate address, usually one from a well-known organization (whose reputation is untarnished by spam scandals) while the second contained the actual spammer email address, which has nothing to do with the first one. Spammers were expecting the email to be treated as legitimate by filters, forgetting that modern anti-spam solutions rely not only on the technical part of the email, but also on its content.

Subscription forms
In these events, spam messages in the form of an automatic mailing list subscription confirmations arrive in recipient inboxes. Regular websites capable of unlimited user registration were employed to create them (especially when they allowed using the same email address multiple times). Spammers used a script that auto-filled subscription forms inserting recipient addresses from previously collected (or purchased) databases. Spam content was a short phrase with a link to a spam resource inserted into one of the mandatory fields in the form (in particular, the recipient name). As a result, the user received a notification sent from a legitimate mail address containing a spam link instead of their name.

An example of spam mail sent using the subscription service on a legal site

Statistics: spam
Proportion of spam in email traffic

Proportion of spam in global email traffic, Q1 and Q2 2018 (download)

In the Q2 2018, the largest percentage of spam was recorded in May at 50.65%. The average percentage of spam in world mail traffic is 49.66%, which was 2.16 p.p. lower than the previous reporting period.

Sources of spam by country

Spam -originating countries, Q2 2018 (download)

The leading spam-originating country in Q2 2018 was Vietnam (3.98%), which fell to seventh place in the second quarter, replaced by China (14.36%). The second and third places, the USA in Germany, are only one percentage point apart, with 12.11% and 11.12% shares, respectively. France occupied the fourth place (4.42%), and the fifth was occupied by Russia (4.34%). Great Britain occupied the tenth place (2.43%).

Spam email size

Spam email size, Q1 and Q2 2018 (download)

The results of the Q2 2018 indicate that the share of very small spam messages (up to 2 KB) fell 2.45 p.p. to 79.17%. The percentage of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) in comparison with the previous quarter and amounted to 5.56%.

The percentage of 10-20 KB spam messages was practically unchanged — it went down by 0.93 p.p. to 3.68%. 20-50 KB spam messages saw a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) in comparison with the previous reporting period.

Malicious attachments: malware families

Top 10 malware families, Q2 2018 (download)

According to the results of the Q2 2018, the most widely-distributed family of malware by-mail was Exploit.Win32.CVE-2017-11882 (with 10.35%)/ This is the verdict attributed to various malware that exploited the CVE-2017-11882 vulnerability in Microsoft Word. The amount of mail with the Trojan-PSW.Win32.Fareit malware family in it, which steals user information and passwords, decreased during the second quarter, losing the first place and now occupying the second place (with 5.90%). The third and fourth places are occupied by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%). The Worm.Win32.WBVB family was the fifth most popular malware with cybercriminals.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggers by country, Q2 2018 (download)

The first, second, and third places among the countries with the highest quantity of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained in the first place (9.54%), and the second and third places were taken by Russia and Great Britain (8.78% and 8.67%, respectively). The fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).

Statistics: phishing
In the Q2 2018, the Antiphishing prevented 107,785,069 attempts to connect users to malicious websites. 9.6% of all Kaspersky Lab users around the world were subject to attack.

Geography of attacks
The country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).

Geography of phishing attacks, Q2 2018 (download)

Country %*
Brazil 15.51
China 14.77
Georgia 14.44
Kyrgyzstan 13.60
Russia 13.27
Venezuela 13.26
Macao 12.84
Portugal 12.59
Belarus 12.29
South Korea 11.66
* Percentage of users whose Antiphishing system triggered against all Kaspersky Lab users in the respective country.

Organizations under attack
The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.[/caption]

In Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).

Distribution of organizations affected by phishing attacks by category, Q2 2018. (download)

The percentage of attacks on organizations that may be combined into a general Finance category (banks, at 21.10%, online stores, at 8.17%, and payment systems, at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies in the second quarter were more often subject to threats then in the first quarter. This category saw an increase of 12.28 p.p. to 13.83%.

Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.

In this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and messengers (users were often distributing them themselves), as well as in marketing messages served by large search engines.

Exploit.Win32.CVE-2017-11882 was the most widely-distributed family of malware via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from the first place to the second place (5.90%), and the third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).

Tech Support Scams improved with adoption of Call Optimization Service
6.8.2018 securityaffairs

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.
Crooks are improving their tech support scams by using Call Optimization Services that are commonly used in legitimate call center operations to perform:

Tracking the source of inbound calls
Creation and management of phone numbers
Call load balancing
Call forwarding
Call analytics
Call routing
Call recording
Scammers continue to improve their techniques and now they are using the service to dynamically insert phone numbers into their scam web pages and potentially gain additional features to make their scams more successful

The scams begin when unaware victims visit a malicious website or are redirected to a bogus website in various ways such as a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

tech support scams

The malicious page implements some tricks to avoid victims will close the page. The pages show display notification dialogs in full-screen mode or execute a javascript routine that makes the site unresponsive.
The pages display a list of numbers to call to fix the problem and users in panic tend to call them.

According to Symantec, crooks leverages call optimization services in order to dynamically insert phone numbers into a scam page.

This specific tech support scams not only is performing browser fingerprinting, it retrieves the browser version as well based in which crooks redirect victims to different scam pages.

Crooks used a script in the call optimization services to check a specific tag in the scam URL, then the script retrieves the scammer’s phone number from the service’s servers. When the servers return the scammer’s phone number, the tag triggers the “Callback” function that retrieves and displays the appropriate phone number for victims to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is retrieved by loading an XML file using the function loadXMLDoc() which is then displayed on the scam page.

The advantage of using the call optimization service’s tag in the URL is that it allows the scammers to dynamically insert phone numbers into their scam pages that are localized. “localized” to provide a different number based on the victim’s country.
Victims are shown a phone number that calls someone that speaks their language.
“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec.

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can abuse Call Optimization Services in their tech support scams also for other goals, for example, to provide analytics, to implement load balancing during busy times to avoid losing calls.

The Disconnect Between Understanding Email Threats and Preventing Them
2.8.2018 securityweek

Email continues to be the starting point for the majority of all security breaches. The 2018 Verizon Data Breaches Investigation Report (DBIR) says that email is the attack vector in 96% of breaches. But a new study suggests that despite these figures, companies are not allocating sufficient resources to reduce email risk.

The study (PDF) was conducted the Ponemon Institute for Valimail, an email security automation firm. Ponemon surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats. It found, according to Ponemon, a "disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study."

Findings suggest that 80% of respondents are very concerned about their ability to counter the email threat, but only 29% are taking significant steps to counter the threat. The greatest concerns are that hackers might spoof their email domain "to hurt the deliverability of legitimate emails" (82%); the overall state of their current email security (80%); and that they could be hacked or infiltrated via a phishing email (69%).

The threat from email phishing, spoofing and impersonation attacks is understood and acknowledged. Seventy-four percent of respondents are concerned about phishing emails directed at employees or executives; 67% about email as a source of fraud against the company (such as BEC attacks); 66% about email as a vector for infiltrating malware and/or exfiltrating data; and 65% about hackers impersonating the company in phishing attacks against others -- that is, other firms and non-employees.

The disconnect comes from the company response to the concerns held by their own professionals. Only 29% of the respondents believe their firm is taking significant steps to prevent phishing attacks and email impersonation, while 21% say they are taking 'no steps' -- despite the DBIR's evidence that email is the source of almost all data breaches.

Only 41% of the respondents say their organization has created a security infrastructure or plan for email -- but of these, almost half say there is no schedule for reviewing its effectiveness (39%), or are unsure of any review schedule (10%). Only 11% of respondents said their organization reviews the effectiveness of its email security plan quarterly.

Part of the problem may be down to the traditional relationship between OT and IT. While email is firmly a part of information technology rather than operational technology, nevertheless it has an operational business function. As such, operational ease and continuity might be receiving a higher priority than security. This is possibly supported by managerial responsibility.

Asked, 'Who within the organization is primarily responsible for the security of email and services/applications that use email?', only 15% of the respondents said it was the CISO/CSO. Twenty-one percent said it was the CIO/CTO, 20% said the line of business management, 9% said the head of messaging services, and 9% said the head of IT Operations. Somewhat surprisingly, the majority of organizations do not have their head of security responsible for the security of emails.

Impersonation attacks are an acknowledged and growing email threat. The top five currently-used technologies to prevent these are anti-spam/phishing filters (63%), secure email gateways (53%), SIEMs (44%), DMARC (39%), and anti-phish training (30%). Use of all of these is expected to grow over the next 12 months: filters by 2%, SEGs by 10%, SIEMs by 3%, DMARC by 9%, and phish training by a colossal 27%.

These figures simply indicate that use of existing technologies that have currently failed to prevent the email start-point in 96% or all security breaches will be increased. This doesn't mean, however, that the respondents have abandoned hope in their ability to improve things. Asked what effect a 20% increase in their email security budget would have, the reply was a 45% improvement in the detection rate with a 33% improvement in the prevention rate.

"With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail.

“While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks. Companies can strengthen their security against email fraud with automated solutions and close that disconnect between email threats and preventive action," he added

What surprises Ponemon, however, is the current lack of adoption of such automated solutions. "We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users."

DMARC Fully Implemented by Half of U.S. Government Agencies
30.7.2018 securityweek

More than half of U.S. government agencies have fully implemented the DMARC email security standard in response to a binding operational directive from the Department of Homeland Security, according to email threat protection company Agari.

The DHS issued the Binding Operational Directive (BOD) 18-01 in mid-October 2017, instructing all federal agencies to make plans and start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

Agencies were given one year to fully implement DMARC (i.e. set their DMARC policy to “reject”).

Agari has been monitoring more than 1,000 government domains to check their status. Shortly after the DHS issued the BOD, only 18% had implemented at least a minimal DMARC policy. By December 2017, nearly half had rolled out DMARC, but only 16% had set a “quarantine” or “reject” policy.

Agari’s latest report shows that 922 government-owned domains, representing 81% of the total, had enabled DMARC as of July 15. Nearly 600, representing 52%, have set a “reject” policy.

DMARC status in U.S. federal agencies

While this may seem like significant progress, Agari pointed out that two-thirds of the domains with a “reject” policy are “defensive domains,” which are not configured for sending email.

“Moving defensive domains to a DMARC enforcement policy is generally an easier process than moving active domains that send email, and also need to account for 3rd parties sending email on the agency’s behalf as well as specific mail servers permitted to send email,” Agari said in its report.

The company has determined that 28 agencies have fully protected all their domains. Some government organizations still have some unprotected assets, but they have secured a significant number of domains.

For example, the Department of Health and Human Services has enabled DMARC with a “reject” policy on 92 of its 118 domains, while the Department of Justice has done so for 65 of its 75 domains.

“To fully reach compliance with BOD 18-01, and to protect the federal government from phishing attacks, many more executive branch agencies must still implement ‘p=reject.’ But in comparison to the private sector, the U.S. Government should serve as a shining example for the implementation of common security standards,” Agari said.

FELIXROOT Backdoor is back in a new fresh spam campaign

30.7.2018 securityaffairs Virus  Spam

Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used for cyber espionage operation.
The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.

The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.

The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.

Experts reported that the lure documents used in the last campaign were written in the Russian language. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.

“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,”

The CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.

The CVE-2017-11882 is remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.

FELIXROOT backdoor

This backdoor implements a broad a range of features, including the target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry, remote shell execution, and data exfiltration.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1.

If the backdoor was launched by RUNDLL32.exe with parameter #1 it makes an initial system triage before connecting to the command-and-control (C2). The malicious code uses Windows API to get the system information (i.e. computer name, username, volume serial number, Windows version, processor architecture and so on).

The FELIXROOT backdoor is able to communicate with its Command and Control server via HTTP and HTTPS POST protocols. The traffic to the C2 is encrypted with AES and converted into Base64.

“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.

“Strings in the backdoor are encrypt1ed using a custom algorithm that uses XOR with a 4-byte key.”

The experts believe that this backdoor is a dangerous threat but was involved at the time in massive campaigns.

FELIXROOT backdoor contains several commands that allow it to execute specific tasks. Once executed a command, the malicious code will wait for one minute before executing the next one.

“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.

Deletes the LNK file from the startup directory.
Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
Deletes the dropper components from the system.
Further details, including the IoCs are reported in the analysis published by FireEye.

Spambot aims at targets WordPress sites in World Cup-Themed spam scam
19.7.2018 securityaffairs

Imperva observed a spambot targeting WordPress sites aimed at tricking victims into clicking on links to sites offering betting services on FIFA World Cup
Security experts from Imperva recently observed a spike in spam activity directed at WordPress websites, attackers aimed at tricking victims into clicking on links to sites offering betting services on the 2018 FIFA World Cup games.
Imperva monitored the activity of a botnet used to spread meaningless text messages generated from a template to comments sections in blogs, news articles, and other web sites that allow people to comment.

“Turns out the attack was launched by a botnet and implemented in the form of comment SPAM – meaningless, generic text generated from a template and posted in the comment sections of blogs, news articles etc; linking to pay-per-click commercial or suspicious sites looking to scam you or phish for your passwords.” reads the report published Imperva.

The spambot was used to post comments to the same Uniform Resource Identifier (URI) across different WordPress sites indiscriminately and without regard for whether the site is has a comments section or is affected by exploitable known issues.

The comments are generated starting from this template that is known since at least 2013. The template allows to automatically create slightly different versions of the same message to use in spam campaigns.

“Our analysis found that the top 10 links advertised by the botnet lead to World Cup betting sites. Interestingly, eight of the top advertised sites contained links to the same betting site, hinting that they might be connected in a way.” continues Imperva.

World Cup betting sites

“We found that the botnet advertised over 1000 unique URLs, most of them appear multiple times. In many cases, the botnet used different techniques such as URL redirection and URL-shortening services to mask the true destination of the advertised link.”

According to the experts, the spambot is still small, it is composed of just 1,200 unique IPs with up to 700 daily unique IPs. The experts discovered that botnet has also been using URL-shortening, URL redirection, and other techniques to masquerade the landing sites of advertised links in its spam messages.

In the weeks before the World Cup, the spambot was being used in remote code execution attacks and other non-SPAM attacks on WordPress sites

Spambot World Cup

Just after the beginning of the 2018 World Cup, the botnet activity was focused on comment spam, a circumstance that suggests the malicious infrastructure is available for hire.

“A possible explanation is that the botnet is for hire. The malicious activity we’ve seen at first was either paid for or simply the botnet’s attempt to grow itself. Then, it was hired by these betting sites to advertise them and increase their SEO.” continues the analysis.

Comment spam is a well-known activity in the threat landscape, the most common countermeasure it to blacklist IPs originating spams messages and also the URLs that they advertise.

WordPress also has several Plug-ins that cuold defeat this boring activity.

“Although comment SPAM has been with us for more than a decade — and doesn’t seem like it’s going away anytime soon — there are numerous solutions ranging from dedicated plugins that block comments that look SPAMmy, to WAF services.” concluded Imperva.

Recent spam campaigns powered by Necurs uses Internet Query File attachments
26.6.2018 securityaffairs

Trend Micro experts reported the Necurs botnet has been using Internet Query (IQY) files in recent spam campaigns to bypass security protections.
The Necurs botnet is currently the largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.

Necurs is the world’s largest spam botnet, it is composed of millions of infected computers worldwide.

The Necurs was not active for a long period at the beginning of 2017 and resumed its activity in April when it was observed using a new technique to avoid detection.

In the campaign observed in April, botmaster leveraged .URL files with modified icons to deceive recipients and trick them into believing they are opening a different file type.

Necurs has now adopted a new tactic to avoid detection, operators now leverage text files with a specific format, IQY files that allow users to import data from external sources into Excel documents, and Windows automatically executes them in Excel.

The campaigns using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts.

“The new wave of spam samples has IQY file attachments. The subject and attachment file contains terms that refer to sales promotions, offers, and discounts, likely to disguise it as the type of information opened in Excel.” reads the report published by Trend Micro.

Once executed, the IQY file queries to the URL in its code to fetch data and insert it into an Excel worksheet.

The data contains a script that exploits Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and launch a PowerShell process to execute a remote PowerShell script directory in the memory of the target system.

The script downloads a Trojanized remote access application and the final payload, the FlawedAMMYY backdoor. The backdoor borrows the code of the Ammyy Admin remote access Trojan.

In recent attacks, the script was used to download an image file before the final payload. The image is a disguised malware downloader that fetches an encrypted component file containing the same backdoor routines.

“The PowerShell script enables the download of an executable file, a trojanized remote access application, and its final payload: the backdoor FlawedAMMYY (detected as BKDR_FlawedAMMYY.A). This backdoor appears to have been developed from the leaked source code of the remote administration software called Ammyy Admin.” continues the analysis.

“In a more recent spam wave, the script downloads an image file before the final payload. The downloaded image is a disguised downloader malware (detected as BKDR_FlawedAMMYY.DLOADR) that downloads an encrypted component file (detected as BKDR_FlawedAMMYY.B) containing the same main backdoor routines.”

necurs query files

FlawedAMMYY implements common backdoor features, it allows attackers to manage files, capture the screen, remote control the machine, establish RDP SessionsService and much more.

The extra layer of evasion implemented in Necurs make the botnet even more insidious as explained by the experts.

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro concludes.

Experts highlighted that users receive two warning messages upon execution of the IQY file attachment, for this reason, it is essential to pay attention to any warning to neutralize the attack.

WannaSpam – Beware messages from WannaCry-Hack-Team, it is the last hoax
25.6.2018 securityaffairs
Spam  Ransomware

WannaSpam – Many users have received a mysterious message that claims their PC was infected by WannaCry Ransomware. Crooks ask victims to pay a ransom, but it’s a scam.
Many users have received a mysterious message from a group that called itself the “WannaCry-Hack-Team” that claims that WannaCry Ransomware has returned.

The mail informs the recipients that their computer has been infected and ask them the payment of a ransom to avoid their files being deleted.


This is a classic spam campaign that leverages the infamous notoriety of the WannaCry ransomware, for this reason, experts tracked it as WannaSpam.

The recipient’s computer is not infected so they only need to ignore the message and delete it.

On Reddit users reported to have received WannaSpam messages, the emails use different subjects to trick victims into pay the ransom.

Some of the subjects used are “!!!Attantion WannaCry!!!”, !!!WannaCry-Team Attantion!!!”, “Attantion WannaCry”, “WannaCry Attantion!”, or “WannaCry-Team Attantion!!!”.

Experts noticed a typo error in the word “Attention” that is reported in the email messages as “Attantion”.

The spammers ask victims the payment of a .1 bitcoin ransom, once the victims have made the payment will be instructed to send an email to support_wc@bitmessage.ch.
In case the recipients will not pay the ransom, the data will be deleted in 24 hours.

The expert Lawrence Abrams from BleepingComputer that reported the news also published a number of bitcoin addresses used by crooks behind WannaSpam campaign.

Below some of the bitcoin address used by crooks:

The good news is that at the time of writing there are users that were deceived by the WannaSpam, anyway, it is very important to spread the news of this new malicious initiative.

Below an example of WannaSpam message:

From: WannaCry-Hack-team [redacted]
Sent: 21 June 2018 10:36
Subject: WannaCry Attantion!

Hello! WannaCry returned! All your devices were cracked with our program installed on them. We have made improvements for operation of our program, so you will not be able to regain the data after the attack.

All the information will be encrypted and then erased. Antivirus software will not be able to detect our program, while firewalls will be impotent against our one-of-a-kind code.

Should your files be encrypted, you will lose them forever.

Our program also outspreads through the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices.

Deletion of your data will take place on June 22, 2018, at 5:00 - 10:00 PM. All data stored on your computers, servers, and mobile devices will be destroyed. Devices working on any version of Windows, iOS, macOS, Android, and Linux are subject to data erasion.

In order to ensure against data demolition, you can pay 0.1 BTC (~$650) to the bitcoin wallet:1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg

You must pay in due time and notify us about the payment via email until 5:00 PM on June 22, 2018. After payment confirmation, we will send you instructions on how to avoid data erasion and such situations in future. In case you try to delete our program yourself, data erasion will commence immediately.

To pay with bitcoins, please use localbitcoins.com or other similar services, or just google for other means. After payment write to us: [support_wc@bitmessage.ch](mailto:support_wc@bitmessage.ch)
If you receive a WannaSpam email delete it!

Miscreants hijacked the defunct SpamCannibal blacklist service
30.5.2018 securityaffairs

The SpamCannibal blacklist service was hijacked since Wednesday morning, attackers changed the DNS name server settings for the website overnight.
The SpamCannibal was born to blacklist IP address of malicious servers involved in spam campaigns and DoS attacks.

SpamCannibal was using a continually updated database containing the IP addresses of spam or DoS servers and blocks their ability to connect using services on a computer system that purposely delays incoming connections (aka TCP/IP tarpit).

The blacklist service was offline since last summer, but someone hijacked it on Wednesday morning, attackers changed the DNS name server settings for the website overnight.


The news was first reported by El Reg that was informed of the strange resurrection by a reader who told them that SpamCannibal was “pumping out Blacklist notifications for some of our servers and then when you go to spamcannibal.org, you get spam.”

“Visiting the site earlier today flung fake Adobe Flash updates at our sandboxed browser, downloads no doubt riddled with malware, so beware.” reads a blog post published by El Reg.

The DNS record for the blacklist service was changed to point at a rogue server controlled by attackers that likely used it to deliver malware and to alter the results of queries to the blacklist service.

Kevin Beaumont 🐈

If anybody uses spamcannibal's RBL, the domain has been taken over and has a wildcard response - so it returns everything as status spam. https://twitter.com/webme_it/status/1001731230264627202 …

12:51 PM - May 30, 2018
22 people are talking about this
Twitter Ads info and privacy
All the users that queried the service to check an IP address to see if it is blacklisted as a spam source received always a positive result with serious consequences.

The attackers set a wildcard domain so that any subdomain of spamcannibal.org returns an IP address, with this trick the domain was interpreted as blacklisted.
Researcher Martijn Grooten believes the attack wasn’t targeted.

“This really looks like a standard domain takeover by some dodgy parking service. Doesn’t appear particularly targeted to Spamcannibal,” Grooten concluded.