Security News Collected by AWSODA-SYSTEMS: 2008-05-18

Here are the latest updates for security-news@awsoda.net

A few hours ago we discovered a spam run in Brazil that uses a trendmicro address in its From field:

Figure 1. Sample of Brazilian spam first seen evening of May 22 by our honeypots.

Our support team in the Latin American region observed some 6,000 samples of this spam since it was first identified. The blast seems to be coming down to approximately 15 samples a minute, according to one of our analysts from the region.

When translated it reads as follows (grammar lapses intact):

Subject: you may loose all your information as well as your e-mail

Our servers have detected a security failure in your email account. for more security without the loose of data or vulnerabilities on your email box we remind you to active your mailbox

or you will loose all your information as well as your email

to activate your mailbox is very easy

1 click on the link below
2 you will see a window with the button execute press execute
3 after that click on the button open and you will be redirected to your activated mailbox
4 write your complete email - full name - city - state - zip.

[link] Activate your email mailbox

remember that you have only from 12 to 24 hour To activate your mailbox
otherwise our system will block your E-mail account.

to obtain more information you can get in touch with our services team through our E-mail
[email address]

This "security failure," ironically, is what happens when the recipient falls for the ruse and clicks on the link to "activate" his/her email inbox.

The link actually leads to hxxp://{BLOCKED}security.bravehost.com/protecao.exe (where hxxp is http). Protecao.exe is detected as TROJ_BANLOAD.FAF. Its main purpose is to connect to another URL in the same domain to download a file named plugin-security.exe. (It also accesses another URL which is inaccessible as of this writing.)

This 3MB file is a Trojan spyware detected by our patterns as TSPY_BANKER.OIZ, and is a bank account info stealing malware. Note that upon clicking the link in the spam, a dialog prompt appears asking the user whether to Open, Run or Save the file. However, upon accepting the file, it goes on to download the spyware without informing the user.

We advise Latin American users to be especially wary of this attack. Sometimes users are more likely to trust an email message written in their native language, but in this case we must chalk this up to targeted social engineering and should, as always, immediately delete such threatening mail. Note that Trend Micro will NEVER send email such as this.

Legitimate communications typically come with the appropriate headings, company logos, and proper language. Another possible tell-tale sign that the email is not legitimate is that the link is connected directly to an executable.

Trend Micro users, on the other hand, need not worry, as our Web Threat Protection technology cuts off infection by both detecting the attack-related files and blocking the malicious URLs. Our antispam definitions already filter this threat.

Thanks to Threats Analyst Jose Lopez Tello for alerting us to this attack.

ShareThis

• Email to a friend • Article Search • Related • View comments • Track comments •

•

Rate 'Trend Micro Spoofed in Brazilian Info Theft Attack'

Then Subpoenas, Now Tax Petitions

The Content Security (CS) team of TrendLabs has come across a new spear phishing incident that’s reminiscent of the whale phishing incident documented last April, wherein bogus subpoenas were sent to CEOs.

The new spam run involves email messages sent to specific organizations as notices of deficiency or tax petitions supposedly coming from the United States Tax Court (refer to Figure 1).

Spammed Email

Figure 1: Sample screenshot of the spammed spear phishing email

Once members of a targeted organization click on the link in the message body, they are directed to the site www.ustax-courts.com—the purported US Tax Court site—and asked to download a higher version of Internet Explorer (IE) onto their system to further view court details (see Figure 2). By string manipulation (in this case, adding a dash to the actual domain name of the actual site), unknowing users are easily made to believe that the bogus site is legitimate, making them most likely to click on the link.

The legitimate US Tax Court site is www.ustaxcourt.gov.

Figure 2: Sample screenshot of the bogus US Tax Court Web site

Trend Micro advises users to be cautious in viewing emails and warns against clicking automatically on given links within these messages. As we have advised before, consult with lawyers in case important-looking emails may be valid. But in this case, the concerned Court has declared that it does not send email notices to those with cases before it: