Dispatches Archive

April 22, 2010

Medz Spammer Amazons

Yesterday (continuing today) it was Twitter. Today it's Amazon.com getting the medz spammer treatment. Under the guise of a "Deal of the Day" email message, the HTML version of the email looks all amazon.com, and even fetches images therefrom. Every link, however, eventually leads to a medz site (with the same content as the destination of the phony Twitter messages).

The message begins thusly:

[Image: Fake amazon.com medz spam message]

The spammer goes into enough detail to replicate the fine print of what may be actual messages from Amazon (although the email address in that fine print doesn't match the recipient's):

[Image: Fake amazon.com medz spam message footer]

Some additional copies of the spam message arrived, but there is a curious substitution of the featured product headline and image:

[Image: Odd substitution showing pills]

All other product images in the message are the same as the original one. It's inexplicable and illogical. I mean, it's not like the spammer threw in a photo of a medz bottle to satisfy anti-deception practices. Weird.

Posted on April 22, 2010 at 09:19 AM

April 21, 2010

Medz Spammer Twits

The medz spammers have been trying additional social engineering tricks lately, including the fake Apple Store order advisory and such. Today I saw them using a phony Twitter come-on:

[Image: Phony Twitter message]

The message uses Twitter's own images to give a sense of legitimacy. Multiple copies of this message have shown up with different Subject: lines, such as "Undelivered Message 665-88."

If you scan through the message quickly, you may miss the horrible grammar mistake: unreaded.

UPDATE: Apparently the Chinese spammer had someone with a second semester of English under his belt proofread the message. The mistake has been fixed by changing the phrase to: "You have 3 information message(s) from Twitter".

Hidden links in the messages go to hijacked web sites, where the inserted pages use a JavaScript redirect to reach the actual spamvertised medz web site.
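One way to trace such a chain without letting the inserted pages run their JavaScript is to pull the redirect target out of each page statically and follow it by hand. The following is an added example, not code from the original post; the page contents, hostnames and hop structure in it are constructed to mirror the pattern described (hijacked site, inserted page, JavaScript redirect, medz destination) and are not the campaign's real URLs:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample pages for this example, not captures from the campaign in the
# post: a compromised site hosts an inserted page whose only job is to bounce the
# visitor onward with JavaScript, through one more hop, to the spamvertised site.
START = "http://hijacked.example/blog/wp-content/uploads/tw.html"
PAGES = {
    START: """<html><head><title>Twitter</title>
<script type="text/javascript">
  var d = "http://hop.example/in.php?id=665-88";
  window.location.replace(d);
</script></head><body>Loading...</body></html>""",
    "http://hop.example/in.php?id=665-88": """<html><head>
<meta http-equiv="refresh" content="0;url=/go/pharm"></head><body></body></html>""",
    "http://hop.example/go/pharm": """<html><head>
<script>location.href='https://medz-shop.example/?aff=12';</script></head></html>""",
    "https://medz-shop.example/?aff=12": "<html><body>Canadian Pharmacy</body></html>",
}

# The location idioms inserted redirect pages commonly use; the target is either a
# string literal or a variable assigned a literal earlier in the same script.
_LOC = r"(?:(?:window|document|top|self|parent)\.)?location"
_TARGET = r"""("[^"]*"|'[^']*'|[A-Za-z_$][\w$]*)"""
_VAR = re.compile(r"\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(\"[^\"]*\"|'[^']*')")
_ASSIGN = re.compile(_LOC + r"(?:\.href)?\s*=\s*" + _TARGET)
_CALL = re.compile(_LOC + r"\.(?:replace|assign)\(\s*" + _TARGET + r"\s*\)")


class _Collector(HTMLParser):
    """Pulls out <script> bodies and any <meta http-equiv=refresh> from a page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.meta_refresh, self._in_script = [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_redirect(html, base_url):
    """Absolute URL the page sends the browser to, or None if it has no redirect."""
    c = _Collector()
    c.feed(html)
    if c.meta_refresh:
        m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", c.meta_refresh, re.I)
        if m:
            return urljoin(base_url, m.group(1))
    variables = {}
    for body in c.scripts:                      # one level of var indirection
        variables.update({name: lit[1:-1] for name, lit in _VAR.findall(body)})
    for body in c.scripts:
        for rx in (_CALL, _ASSIGN):
            m = rx.search(body)
            if m:
                expr = m.group(1)
                target = expr[1:-1] if expr[0] in "\"'" else variables.get(expr)
                if target:
                    return urljoin(base_url, target)
    return None


def follow_chain(start_url, fetch, max_hops=10):
    """Walk a redirect chain without executing JavaScript. `fetch` maps a URL to its
    HTML (a dict lookup here; an HTTP client in practice). Stops at the first page
    with no redirect, on a loop, or after max_hops."""
    chain, seen = [start_url], {start_url}
    while len(chain) <= max_hops:
        html = fetch(chain[-1])
        if html is None:
            break
        nxt = extract_redirect(html, chain[-1])
        if nxt is None or nxt in seen:
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    for hop, url in enumerate(follow_chain(START, PAGES.get)):
        print(hop, url)
```

The chain is walked over a dict of pre-fetched pages so the example runs offline; a real run would pass a fetch function that does plain HTTP GETs with no script execution and would also record any 30x Location hops the client follows. Every intermediate URL is kept, which is what you want when reporting the inserted page to the hijacked site's owner and the final destination to a blocklist.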

Posted on April 21, 2010 at 09:12 AM

April 14, 2010

Bogus Microsoft Infection Alert

I wanted to write about this yesterday, but had my head up my computer for the past 48 hours working on one stinking bug. Speaking of squashing bugs, the author of the malware delivery vehicle described here deserves a big ol' stompin'.

Here's the message:

From: "Microsoft Team" <support@microsoft.com>
Subject: Conflicker.B Infection Alert

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The message included an attachment named start.zip (identical in the two samples I saw).

Microsoft, of course, doesn't send out email messages like this — especially with an error in naming the worm in the Subject: line. Also, a very similar message without an attachment circulated last week. It featured a link that led to a scareware page (a page that tries to make you think your PC is infected so you'll buy a PC cleaner package to be safe). If you fall for this trick, the cleaning software is actually a massively invasive Trojan. You might as well ship your PC and all login credentials to Eastern Europe to save time. I'm sure the attachment included with the messages I saw leads to the same end.

Posted on April 14, 2010 at 03:42 PM

April 09, 2010

More Faux-Amazon Malware Delivery

I really hate seeing these because they will trick lots of unsuspecting users into opening the malware-laden attachments:

From: "Amazon Support Lilia Ruiz" <help.services@amazon.com>
Subject: Your order has been paid! Parcel NR.2086.

Hi!

Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered " Apple Refurbished MacBook Pro "

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.


We hope you enjoy your order!
Amazon.com

The attachment on the sample I saw is named Print_label_2387.zip. In the past, the attachment name has varied from message to message, as has the item being ordered (various computer or other electronics items).

Even more unfortunately, the attachment fares very poorly at this hour in a VirusTotal scan: only 10% coverage. Yikes!
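Both the fake Microsoft "infection alert" above (start.zip) and this fake Amazon shipping notice (Print_label_2387.zip) have the same shape: a forged brand sender and a zip attachment the recipient is told to open. The following is an added example of how a mail handler or analyst can triage such a message without opening the attachment; it is not code from the original post. The message it builds is a constructed stand-in modeled on the Amazon text above, and its envelope sender, Authentication-Results line, zip member name and file bytes are invented for the example:

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs on a double-click. A "tracking number" or "free scan"
# delivered as one of these inside a zip is the tell in both posts above.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".wsf", ".lnk", ".jar"}


def build_sample() -> bytes:
    """Constructed stand-in for the fake-Amazon message quoted above. The envelope
    sender, the Authentication-Results line, the zip member name and its bytes are
    inventions for this example, not the real campaign's payload."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Print_label_2387.pdf.exe", b"MZ" + b"\0" * 62)   # inert bytes, not malware
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce-7731@mail-relay.example>"          # hypothetical envelope sender
    msg["Authentication-Results"] = "mx.example.net; spf=fail smtp.mailfrom=mail-relay.example"
    msg["From"] = '"Amazon Support Lilia Ruiz" <help.services@amazon.com>'
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your order has been paid! Parcel NR.2086."
    msg.set_content("Thank you for shopping at Amazon.com\n"
                    "You can find your tracking number in attached to the e-mail document.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Print_label_2387.zip")
    return msg.as_bytes()


def header_findings(msg) -> list:
    """Header From: is trivially forged, so compare it with what the receiving gateway
    recorded: the envelope sender (Return-Path) and its SPF/DKIM/DMARC verdicts. A bare
    domain mismatch is only a prompt (legitimate bulk mailers often relay through another
    domain); a failed verdict on mail claiming a brand domain is the stronger signal."""
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    rp_dom = rp_addr.rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"envelope sender domain {rp_dom} does not match From domain {from_dom}")
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                                    str(msg.get("Authentication-Results", "")), re.I):
        if verdict.lower() != "pass":
            findings.append(f"{mech.lower()}={verdict.lower()} for mail claiming to be from {from_dom}")
    return findings


def _name_flags(name: str) -> list:
    """Flags for one file name: executable extension, and the 'label.pdf.exe' trick."""
    flags, parts = [], name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXT:
        flags.append(f"{name}: executable extension .{parts[-1]}")
    if len(parts) > 2:
        flags.append(f"{name}: double extension .{parts[-2]}.{parts[-1]}")
    return flags


def attachment_findings(msg) -> list:
    """Inventory each attachment. Zip members are read from the archive's directory
    only; nothing is extracted or run."""
    reports = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        rep = {"filename": part.get_filename(), "declared": part.get_content_type(),
               "is_zip": data.startswith(b"PK\x03\x04"), "members": [], "flags": []}
        if rep["declared"] == "application/zip" and not rep["is_zip"]:
            rep["flags"].append("Content-Type says zip but the bytes are not a zip")
        if rep["is_zip"]:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    rep["members"].append(info.filename)
                    rep["flags"].extend(_name_flags(info.filename))
        else:
            rep["flags"].extend(_name_flags(rep["filename"] or ""))
        reports.append(rep)
    return reports


def triage(raw: bytes) -> dict:
    """Parse one raw message and return both sets of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {"headers": header_findings(msg), "attachments": attachment_findings(msg)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(build_sample()))
```

Run stand-alone it prints the findings for the constructed sample. The member listing never extracts anything, so the check is safe to run on a live sample; and since, as noted above, antivirus coverage on a fresh attachment like this can be as low as 10%, the file-name and header checks here deliberately depend on no signature at all.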

Posted on April 09, 2010 at 09:56 AM

April 02, 2010

March of the Money Mules

A money mule recruiter is flooding the intertubes with job offers left and right. The sending bot appears to have a template to follow, complete with a variety of plug-in sentences and phrases. Mule Libs?

Look at this group of four (and refrain from giggling at things like "United Statesan" residents):

Number 1:

Subject: Regional Representatives Needed

Compliments


I'm addressing you on behalf of the HR department of a large company. Our company is engaged in different areas of activity, such as:
- consulting services
- bank accounts opening and maintenance
- private undertaking services
- etc.

We have vacancies to be filled by United Statesan residents only:
- salary 2.300 dollars + bonus
- partial employment
- flextime


If you would like to work with us, please provide us the following information: Rusty@us-consalt.com/a>
Full name:
Country:
City:
E-mail:
Mobile phone-number:


We are looking for the people who have a right to work in United States

Please mention your name and write the phone number. Our manager will contact you to fix an interview.

Number 2:


Subject: Make $3771 per month no experience needed!!

Greetings


I am a representative of the HR department of a large international company. Our company covers a wide range of businesses
- consulting services
- bank accounts opening and maintenance
- private undertaking services
- etc.

We are searching for partners in United States:
- salary 2.400 dollars + bonus
- partial employment
- flextime


If you are interested in this job, please, send us your contact information: Susan@us-consalt.com/a>
Full name:
Country:
City:
E-mail:
Mobile phone-number:


Attention! We need United Statesan residents only

Please, write your Telephone Number and our manager will contact with you and answer all your questions.

Number 3:


Subject: Help Wanted

Hello


I am a representative of the HR department of a large international company. Our enterprise is connected with a great number of various activities, like:
- consulting services
- bank accounts opening and maintenance
- private undertaking services
- etc.

There are vacant positions of regional managers in United States:
- wages 2300dollars+bonus
- partial employment
- free timetable


If you are interested in this job, please, send us your contact information: Magdalena@us-consalt.com/a>
Full name:
Country:
E-mail:
Mobile phone-number:


We are looking for the people who have a right to work in United States

Please, write your Telephone Number and our manager will contact with you and answer all your questions.

And number 4:

Subject: Position available for American people

Hello


I am a representative of the HR department of a large international company. Our company is met in many departments, such as:
- real estate
- companies setting-up and winding-up
- supporting business in United States and other countries
- etc.

We have vacant positions to be offered for United Statesans:
- payment 2300euro+bonus
- partial employment
- optimal timetable


If you have a wish to become a part of our team, please inform us the following: Mitch@us-consalt.com/a>
Full name:
Country:
City:
E-mail:
Mobile phone-number:


We are looking for the people who have a right to work in United States

Please provide you name and contact information in order we can find you for further communication.

The From: addresses are all bogus, but their account names (tacked onto familiar email domains such as msn.com and verizon.com) match the account names of the contact addresses in the message bodies.

Normally I obscure the domain name in spam, but this one is (so far) harmless. The domain name was registered waaaay back earlier today, and the record has a Moscow address (doubtful that it's real). While there is a web server active for that account, it so far just shows an active Apache server with no content.

The spammer also made an HTML goof, which caused the email link to include part of the link end tag (he forgot the left angle bracket for the </a> tag). Thus, unless the recipient is smart enough to know the difference, a click on the link creates a new outgoing email message with an invalid email address. Oh, boo hoo.

Here's hoping the crook's ineptitude will yield a poorer than normal return for his botnet rental investment.
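The "Mule Libs" impression can be checked mechanically by aligning the samples line by line and separating the fixed frame from the plug-in slots. The following is an added example, not code from the original post; it takes three of the four messages quoted above (Number 1, Number 3 and Number 4) verbatim as input and uses only the standard library's difflib:

```python
import difflib

# Three of the four mule-recruitment samples quoted above (Number 1, Number 3 and
# Number 4), reproduced verbatim as input to the template recovery below.
SAMPLES = [
"""Subject: Regional Representatives Needed
Compliments
I'm addressing you on behalf of the HR department of a large company. Our company is engaged in different areas of activity, such as:
- consulting services
- bank accounts opening and maintenance
- private undertaking services
- etc.
We have vacancies to be filled by United Statesan residents only:
- salary 2.300 dollars + bonus
- partial employment
- flextime
If you would like to work with us, please provide us the following information: Rusty@us-consalt.com/a>
Full name:
Country:
City:
E-mail:
Mobile phone-number:
We are looking for the people who have a right to work in United States
Please mention your name and write the phone number. Our manager will contact you to fix an interview.""",
"""Subject: Help Wanted
Hello
I am a representative of the HR department of a large international company. Our enterprise is connected with a great number of various activities, like:
- consulting services
- bank accounts opening and maintenance
- private undertaking services
- etc.
There are vacant positions of regional managers in United States:
- wages 2300dollars+bonus
- partial employment
- free timetable
If you are interested in this job, please, send us your contact information: Magdalena@us-consalt.com/a>
Full name:
Country:
E-mail:
Mobile phone-number:
We are looking for the people who have a right to work in United States
Please, write your Telephone Number and our manager will contact with you and answer all your questions.""",
"""Subject: Position available for American people
Hello
I am a representative of the HR department of a large international company. Our company is met in many departments, such as:
- real estate
- companies setting-up and winding-up
- supporting business in United States and other countries
- etc.
We have vacant positions to be offered for United Statesans:
- payment 2300euro+bonus
- partial employment
- optimal timetable
If you have a wish to become a part of our team, please inform us the following: Mitch@us-consalt.com/a>
Full name:
Country:
City:
E-mail:
Mobile phone-number:
We are looking for the people who have a right to work in United States
Please provide you name and contact information in order we can find you for further communication.""",
]


def _map_boundary(sm, k):
    """Index in the other message matching boundary k of the base message."""
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if i1 <= k <= i2:
            return j1 + (k - i1) if tag == "equal" else (j1 if k == i1 else j2)
    return len(sm.b)


def recover_template(samples):
    """Align each sample against the first, line by line. Returns (template, slots):
    template is the first sample with every run of variable lines replaced by "{n}";
    slots[n] holds what each sample put there ("" where a sample omits the line)."""
    bodies = [[ln.strip() for ln in s.strip().splitlines() if ln.strip()] for s in samples]
    base, others = bodies[0], bodies[1:]
    matchers = [difflib.SequenceMatcher(a=base, b=o, autojunk=False) for o in others]
    invariant = set(range(len(base)))      # base lines that match in EVERY other sample
    for sm in matchers:
        invariant &= {i for a, _, n in sm.get_matching_blocks() for i in range(a, a + n)}
    template, slots, i = [], [], 0
    while i < len(base):
        if i in invariant:
            template.append(base[i])
            i += 1
            continue
        j = i
        while j < len(base) and j not in invariant:
            j += 1
        variants = [" / ".join(base[i:j])]          # the run as the base sample wrote it
        for sm, other in zip(matchers, others):      # ...and as each other sample wrote it
            variants.append(" / ".join(other[_map_boundary(sm, i):_map_boundary(sm, j)]))
        template.append("{%d}" % len(slots))
        slots.append(variants)
        i = j
    return template, slots
```

On these three samples the fixed frame comes out as "- etc.", "- partial employment", the "Full name:", "Country:", "E-mail:" and "Mobile phone-number:" prompts and the "right to work in United States" sentence; everything else (subject, salutation, company blurb and list, salary line, call to action, closing) falls into five slots, and "City:" lands in a slot because Number 3 omits it. The frame lines are what a filter can key on, since the sender rotates the slot text but not the skeleton around it.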

Posted on April 02, 2010 at 10:26 AM