Computer News & Safety – Harry Waldron

October 17th, 2011:

Facebook – Avoid McDonalds Happy 44th Birthday link

Below is another scam circulating on Facebook which users should avoid. It follows the usual like-farming pattern (Like the page, post a comment, then complete a survey “offer”) and even promises prizes; as noted in the past, “there are no free lunches on the Internet.”

Facebook – Avoid McDonalds Happy 44th Birthday link
http://sunbeltblog.blogspot.com/2011/10/mcdonalds-facebook-scam-happy-birthday.html

QUOTE: I’m sure a McDonald’s themed Facebook scam seemed like a good idea to somebody at the time, but wow is this one all over the place. It’s your typical “Click here to Like”, “Post a spam comment saying how good this is” then “do one of these offers” affair. “Happy 44th birthday to Donald”, they say. Except his name is Ronald and he was created in 1963, which means he’s actually 48. However, things quickly become confusing at this point. This scam targets Facebook users in India, yet as far as I can tell he’s called Ronald there.

Facebook email scam – You have three lost messages

A new email scam is circulating, intended to deceive users into clicking a link that leads to a non-Facebook site and could be malicious. Before clicking any “Facebook” notification received by email, hover over the link and check that the destination host really is facebook.com; a genuine notification can always be verified by logging in to Facebook directly.

Facebook email scam – You have three lost messages
http://sunbeltblog.blogspot.com/2011/10/you-lost-your-facebook-messages.html

QUOTE: Or, to put it another way, you didn’t. However, spam mail doing the rounds wants you to think otherwise. “You have three lost messages on Facebook, to recover the messages please follow the link below.” The links just go to the usual advert / viagra junk. What’s kind of funny here is that an older version of this campaign claimed you were missing one message. Obviously the spammers decided to up the ante so now you have a whole three messages lost to the void.

BlackHole Exploit Kit – Used in new SPAM and Exploit attacks

Trend Labs shares some informative links on new malicious spam attacks that deliver the BlackHole exploit kit through a single click on a link, rather than relying on the user to open an attachment.

BlackHole Exploit Kit – Used in new SPAM and Exploit attacks
http://blog.trendmicro.com/a-refresher-on-spam-and-exploits/#more-37481

QUOTE: Lately, we have been seeing a renewed increase in the volume of spam attacks that utilize an exploit kit, specifically the BlackHole Exploit Kit to trigger a malicious payload. We have seen this in the latest slew of Automated Clearing House (ACH) spam attacks and the more recent spam run related to Steve Jobs’s death.

In a typical spam campaign that involves malware, cybercriminals lure users through social engineering to perform several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed. Spam campaigns that use exploit kits, however, are a bit more dangerous since these only need to lure the users into clicking a malicious link for the rest of the infection to take place.

In-Depth look at SPAM in today’s business world
http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/spam_trends_in_today_s_business_world.pdf

New Zeus Variant claims to be from Australian Taxation Office

The significant aspect of this new ZeuS attack is its delivery through the BlackHole exploit kit: clicking the link in the spammed message is enough to start the infection, with no attachment to open. While the spam currently only targets Australian users, the decrypted configuration file suggests it may be used in other locations as well.

TREND LABS – Another Modified ZeuS Variant Seen in the Wild
http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/

QUOTE: This new version, detected as TSPY_ZBOT.SMQH spread around late September through spam that claims to be from ATO (Australian Taxation Office). The spammed messages contain a malicious link, which when clicked directs users to a malicious website that serves the BlackHole exploit kit. The exploit kit, in turn, downloads a variant of this new ZeuS version.

Like LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a private professional gang, probably the same creators of LICAT, or affiliated with them at least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT. Although the spammed messages only target Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign.
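The two link-based lures in this post (the “three lost messages” Facebook mail and the fake ATO notice that leads to BlackHole) share one tell: the message names a brand, but its links resolve to a host that brand does not own. The script below is an added example, not code from this blog, Sunbelt or Trend Micro; the trusted-domain list and the two sample message bodies (which use reserved .example hosts) are constructed for illustration. It parses the HTML of a message, extracts every link, and flags those whose real destination is not a domain of the impersonated brand, or whose visible URL text does not match the actual href.

```python
"""Flag lure links in a spam/phishing e-mail body (added example).

Standard library only.  The trusted-domain list and the sample bodies
below are assumptions made for this example, not data from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the operator's own allow-list of domains each brand really uses.
TRUSTED_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "ato": {"ato.gov.au"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or None if it has none.

    urlparse().hostname drops any user@ prefix, so a lure such as
    http://www.facebook.com@evil.example/ yields evil.example, not facebook.com.
    """
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def is_trusted(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_links(html_body, brand):
    """Return (href, reason) for each http(s) link that betrays the lure."""
    parser = LinkExtractor()
    parser.feed(html_body)
    trusted = TRUSTED_DOMAINS[brand]
    findings = []
    for href, text in parser.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends carry no web destination
        real = host_of(href)
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else None
        if shown and shown != real:
            findings.append((href, f"display URL says {shown}, link goes to {real}"))
        elif not is_trusted(real, trusted):
            findings.append((href, f"{real} is not a {brand} domain"))
    return findings


# Constructed sample bodies modelled on the two lures; hosts are reserved
# .example names, not real infrastructure.
FACEBOOK_LURE = """<html><body>
<p>You have three lost messages on Facebook, to recover the messages please
follow the link below.</p>
<p><a href="http://www.facebook.com@recover-inbox.example/msgs">http://www.facebook.com/messages</a></p>
<p><a href="http://facebook.com.notify-mail.example/login">Log in to Facebook</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
<p><a href="mailto:abuse@example.test">Report</a></p>
</body></html>"""

ATO_LURE = """<html><body>
<p>Australian Taxation Office - your tax refund notice is ready.</p>
<p><a href="http://ato-refund-notice.example/view?ref=3314">View refund notice</a></p>
<p><a href="https://www.ato.gov.au/">ato.gov.au</a></p>
</body></html>"""

if __name__ == "__main__":
    for brand, body in (("facebook", FACEBOOK_LURE), ("ato", ATO_LURE)):
        for href, reason in flag_links(body, brand):
            print(f"[{brand}] {href}\n    {reason}")
```

Run against quarantined mail, this flags both Facebook lure links (the `user@host` form because its hostname is not the one displayed, the look-alike `facebook.com.notify-mail.example` because it is not a subdomain of facebook.com) while the genuine facebook.com and ato.gov.au links pass. The point of comparing parsed hostnames rather than eyeballing the string is the `user@host` trick: the URL reads as facebook.com to a human but the browser connects to the host after the `@`.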