Dispatches Archive


June 08, 2012

Malware Lures Today: Xanga and Kindle

Same crook, different social engineering approaches. All links lead to hijacked web sites whose obfuscated JavaScript redirects the browser to malware installation sites, while showing (briefly, anyway) a page indicating some kind of "Loading...".

First up is a phony alert claiming to come from the social networking site xanga.com. The message says "Shonta" (the name probably varies from message to message) has accepted my friend request. It invites me to click all kinds of links, including one to change my profile setting for real-time alerts. In my case, it's easy to spot the fake because I don't belong to Xanga.

Next comes an order acknowledgement/receipt for a very expensive Amazon Kindle ebook. The HTML layout of the message is a pretty good amazon.com knock-off, so I suspect many recipients will believe it came from amazon.com. Being charged $50-$100 for an ebook you never ordered can get your adrenalin flowing, driving you to click the links to contest the charge. And that's when the malware-downloading trouble begins.

Don't fall for these tricks. Always check the URLs of the links or visit the sites via previously-saved bookmarks to check your account activity, no matter how legitimate the email looks.

Posted on June 08, 2012 at 10:22 AM

June 06, 2012

Craigslist Malware Lure

The message claims to originate from craigslist.org...but it doesn't really. It's just another variation of the malware lure that's intended to raise your adrenalin level to the point of automatic clicking on the link. Here's the message (Subject: line details vary with each message):

From: craiglist - automated message, do not reply <robot@craiglist.org>
Subject: POST/EDIT/DELETE : "Great poker action" (antiques)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:


  • PUBLISH YOUR AD

  • EDIT (OR CONFIRM AN EDIT TO) YOUR AD

  • VERIFY YOUR EMAIL ADDRESS

  • DELETE YOUR AD


If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

The link is to a hijacked web site, where the user sees the "Loading... Please wait..." message referenced many times in this blog. Behind the scenes, the page is running some obfuscated JavaScript that sends your browser on its way to malware hell. Although these lures typically affect only unpatched Windows machines, the social engineering is good enough to lure anybody to potentially zero-day Windows and/or Mac infections. In other words: Don't Go There!

Always verify the actual link addresses in any unusual or unexpected email message (roll your mouse pointer atop the link, or, for touch screens, touch and hold on the link).
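The same check can be automated for a mail filter or triage script. The following is an added example, not part of the original post: it pulls each link's real destination out of an HTML message and flags any host, and any sender domain, that does not belong to the brand the message claims. The function names, the 0.8 similarity threshold and the `hijacked-site.example` host are assumptions made for illustration; the From: line is copied from the message quoted above.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample shaped like the lure above; hijacked-site.example is a placeholder.
SAMPLE = """\
From: craiglist - automated message, do not reply <robot@craiglist.org>
Content-Type: text/html; charset="utf-8"

<p><a href="http://hijacked-site.example/page.html">Click here</a></p>
<p>Thanks for using <a href="https://www.craigslist.org/about/">craigslist</a>!</p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:  # only keep text that sits inside a link
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)  # exact or subdomain only

def audit(raw, brand):
    """Findings for a message that claims to come from the domain `brand`."""
    msg, findings = message_from_string(raw), []
    # Regex rather than parseaddr(): the display name has an unquoted comma.
    m = re.search(r"<[^<>@\s]+@([^<>\s]+)>", msg.get("From", ""))
    sender = m.group(1).lower() if m else ""
    if not in_domain(sender, brand):
        near = SequenceMatcher(None, sender, brand).ratio() > 0.8
        findings.append(("lookalike-sender" if near else "foreign-sender", sender))
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        host = urlsplit(href).hostname
        if not in_domain(host, brand):
            findings.append(("off-brand-link", f"{text!r} -> {host}"))
    return findings
```

Calling `audit(SAMPLE, "craigslist.org")` reports the sender domain and the "Click here" link, and leaves the genuine craigslist.org link alone.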

Posted on June 06, 2012 at 01:00 PM