Security News Collected by AWSODA-SYSTEMS: 2008-06-29

Here are the latest updates for security-news@awsoda.net

Trend Micro Content Security engineers just received a timely Apple Store phishing email. This attack comes well after Apple introduced the 3G iPhone to the consumer market early last month—and conveniently nestled the week before it actually becomes available in stores (in most countries) next week.

Figure 1. Hovering your mouse above the link shows its real destination.

The URL loads the following phishing page which asks the user for personal information such as the user's credit card type, credit card number, expiration date, security code, billing address and social security number:

Figure 2.The phishing page features the same sleek Apple Store interface, but don't be fooled.

This phishing page, like most other phishing attacks we've detected and filtered out, use an insecure protocol (exhibited also by the lack of the lock icon). Knowing this useful tidbit can save target victims from losing their online identities to cybercriminals. Phished Apple credentials give fraudsters access to the Apple store, iTunes store, iPhoto, Apple product registration, and AppleCare services, and most important, the account holder’s credit card information.

Trend Micro users are already safe from threat. The rest, especially Apple customers, are likewise advised to use only their clean bookmarks when visiting sites where sensitive information are likely to be given out.

ShareThis

• Email to a friend • Article Search • Related • View comments • Track comments •

•

Rate 'Phishers Pose Fake Apple Billing Woes'

Social Engineering Watch: Happy Fourth of July

Security analysts mark a secret social events calendar in their heads for good reason. Malware writers have been known to launch offensives using timely celebratory-themed email messages to get users to click on links or open files. Nifty social engineering tricks like these also effectively distract users from the real action: Trojans getting a foot in the door (of target PCs). Independence Day, which is a day of fireworks, floats, picnics and summery festivals for the United States, is no different.

On the Storm-chasing front we were able to capture spam leveraging the Independence Day festivities, a few of which are shown below:

Subject: Spectacular fireworks show
Body: The best firework you’ve ever seen

Subject: Independence Day firework broke all records
Body: Fabulous Independence Day firework

Subject: Long Live America
Body: Celebrate with Pride

Links contained in messages connect users to the following IP addresses:

hxtp:// 66.{BLOCKED}.{BLOCKED}.222/
hxtp:// 24.{BLOCKED}.{BLOCKED}.159/
hxtp:// 67.{BLOCKED}.{BLOCKED}.202/
hxtp:// 68.{BLOCKED}.{BLOCKED}.252/
http:// 24.{BLOCKED}.{BLOCKED}.92/
http:// 68.{BLOCKED}.{BLOCKED}.164/

All except the last two of the listed IP addresses are unavailable as of this writing. Investigations by our threat researchers reveal that clicking on the links trigger the download of the files fireworks.exe-1 and fireworks.exe-2, both detected by Trend Micro as WORM_NUWAR.VQ.

However, it seems not only Storm is keen on leveraging the July 4 celebrations. Our threat researchers have seen a spammed email message that reads like so:

From: E Greetings
Subject: You just received an E-Greetings for the 4′th of july

Body:
Greeting

Hello ,
A Greeting Card for the 4′th of july is waiting for you at our virtual post office! You can
pick up your postcard at the following web address:

ptth:\\www.{BLOCKED}ngs.com/u/view.php¿id=a0190313376667

visit E-Greetings at ptth:\\www.{BLOCKED}ngs.com//
and enter your pickup code, which is: a0190313376e667

(Your postcard will be available for 60 days.)

Compulsive clickers will find themselves downloading a 800+ Kb Trojan named july.exe from malicious domain l-g.ro instead of the e-greet.
We detect this file as TROJ_DROPPER.OAC. When this file is opened, it drops and extracts a temporary CAB file in the temp folder. The CAB contains dr.mrc and mirc.ini which are likewise malicious (IRC_ZAPCHAST.BI and Mal_Zap, respectively).
It also dumps several non-malicious files in the same location. IRC_ZAPCHAST variants are a type of script that executes within an mIRC environment where a remote malicious user can issue certain commands on an affected PC, thereby compromising it.

Users in the United States are advised to be wary of similarly-themed email messages they receive in their inboxes within and around the week of Independence Day celebrations. Trend Micro users are already protected from this threat because of the Smart Protection Network.

Stand by. We’ll give you updates on these malware’s final agenda. So far we already block the malicious URLs and detect the dropper and IRC malware. Mal_Zap is a heuristic detection that flags files behaviorally and characteristically similar to IRC_ZAPCHAST variants. This is a proactive detection that protects our customers even before we receive an actual sample of the file. Our threat engineers are also currently investigating on the routines of WORM_NUWAR.VQ.

ShareThis