Category: Phishing/Spam

Hotmail Accounts Hacked: New Trojan doing the rounds.

New variant of Trojan via Hotmail Instant Message

Be warned and on the lookout for a new round of Hotmail accounts being hacked
and suspicious links being sent to you from your contacts.
You might receive a message from a known contact that contains a link to
what initially appears to be a profile picture.
What it is actually doing is trying to get you to download a Windows Trojan.
[Image: Hotmail message from hacked account]

The message you will receive could look something like the following:

[Image: Hacked Hotmail account message | Trojan dropper]

The text will say something similar to the above: "ahha is this you??
hxxp://images-id.com/profile.php?=yahoo:shinerweb@yahoo.com"

How does the attack work?

If you receive the above message or something similar, because it has come from a "trusted
friend" in your Hotmail contact list, you are likely to believe
the link came from them.
Most people will just click on the link, but don’t worry, you haven’t been
hacked just yet. In the case of this attack it actually requires you to install
it, but believe it or not, many people will do just that.

In this instance, clicking on the link above will download a self-extracting
zip file to your PC. (Yes, we are talking a Windows Trojan here).
But you still haven’t infected your PC. You now have to actually run the self-extracting
zip file by navigating to the location where it was downloaded and clicking
on it. (Some chat programs allow you to open the downloaded file by simply
clicking on it from within the chat program).
But you still haven’t been infected if you do just that. All you have done
is to extract the actual virus to your PC.
It still requires you to now navigate to where the file was extracted and open
it.
Only now will you have infected your machine.
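The lure above claims to link to a profile picture but delivers a self-extracting zip that drops a Windows executable. As an added example (not code from the original post), the check below classifies a downloaded file by its leading bytes instead of trusting the link text or file extension, and reports a mismatch when something presented as an image turns out to be runnable code. The sample byte strings are constructed for illustration and the SFX rule (an MZ stub followed by a zip local-file header) is a heuristic.

```python
"""Classify a download by magic bytes and flag 'image' links that deliver executables."""

# Well-known leading signatures for common image formats.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_TYPES = {"jpeg", "png", "gif"}
EXECUTABLE_TYPES = {"pe-executable", "sfx-archive"}


def classify_bytes(data: bytes) -> str:
    """Return a coarse content type derived from the file's first bytes (heuristic)."""
    for signature, name in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return name
    if data.startswith(b"MZ"):
        # DOS/PE executable. A self-extracting zip is a PE stub with a zip
        # archive appended, so a zip local-file header later in the file
        # marks it as an SFX archive (heuristic, not a full PE parse).
        if b"PK\x03\x04" in data[2:]:
            return "sfx-archive"
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-archive"
    return "unknown"


def is_image_lure(claimed_kind: str, data: bytes) -> bool:
    """True when the link was presented as an image but the bytes are executable."""
    return claimed_kind == "image" and classify_bytes(data) in EXECUTABLE_TYPES


def analyse_download(claimed_kind: str, data: bytes) -> dict:
    """Summarise what was promised versus what was actually delivered."""
    actual = classify_bytes(data)
    if is_image_lure(claimed_kind, data):
        verdict = "lure"          # promised an image, delivered runnable code
    elif claimed_kind == "image" and actual in IMAGE_TYPES:
        verdict = "consistent"    # an image link that really is an image
    else:
        verdict = "review"        # anything else deserves a manual look
    return {"claimed": claimed_kind, "actual": actual, "verdict": verdict}


# Constructed samples (not real malware): a JPEG header, a bare PE stub,
# and a PE stub with a zip header appended to mimic a self-extracting zip.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SAMPLE_SFX = SAMPLE_PE + b"\x00" * 32 + b"PK\x03\x04" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("profile.jpg", SAMPLE_JPEG), ("profile.jpg", SAMPLE_SFX)):
        print(label, analyse_download("image", blob))
```

The point of the check is the mismatch, not the signature list: a link that says "profile picture" and hands back an MZ header is the whole story of this attack, whatever the file is called on disk.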

At the time of writing, only one anti-virus vendor was giving a warning, with
two other vendors marking the file as suspicious.
It will take most of the leading anti-virus companies up to another 6-12 hours
before they release new definitions to catch this one.
It will probably be a few days before the rest of the bunch catch up, with some
taking up to a week.
So even if you have the most up-to-date virus definitions, you are not going
to detect this Trojan just yet.

Despite the number of manual steps involved in order to become infected, many
hundreds of thousands of users around the globe will still do just that.
Some will do it primarily because the link and the files came from someone
in their Hotmail contact list that they probably trust.

So why did my Hotmail contact send me this link?

Actually, your contact didn’t. The bad guys have gained access to
your contact’s username and password and have control of their account.
There are a number of ways that the bad guys can gain access to these details.

Trojan: The payload in this instance is a Trojan that installs
other software to capture personal information from the infected machine. The
user could already have been infected with this Trojan or a similar one
and had their Hotmail account details stolen (via a keylogger, for example).

Phishing: There have been a number of incidents already this
year whereby legitimate sites have displayed adverts or malware inserted by
the bad guys. These present the visitor with a dialogue box very similar to (almost
an exact copy of) the Hotmail login screen. The user then blindly enters their
Hotmail username and password. The bad guys’ scripts will then usually display
a failure message before redirecting the visitor to the genuine Hotmail login
screen. But by this stage it is too late; they already have your Hotmail account
details.

In this instance, I suspect this is what has happened: the user
has fallen foul of a phishing attempt on a site they have recently visited.

The short answer is that your Hotmail contact did not send
you the message. In fact, they probably have no knowledge whatsoever of any
messages being sent to you.
They will probably tell you that they didn’t even have their computer switched
on at the time so it could not have come from them.
The bad news is that it didn’t need to be. The bad guys already have their
username and password and they use a program of their own to login and send
the messages from any computer they like.

At a later date, I will post an update on how to prevent or reduce the chances
of falling foul of these types of attacks.
Some quick advice though is:

  • Never trust any files sent by friends,
    no matter how much you trust them. It might not be them sending it in the
    first place.
  • Always have your chat program configured to run an anti-virus scan of
    ALL downloaded and transferred files. (Though this would not have protected
    you in this instance.)
  • Any file you are not sure of, upload it to VirusTotal
    and see what they have to say about it.

The information below is the technical information about how the virus works.


Random calls from overseas telephone numbers (03598815400011)

It happened to me last night around 12.30am.

It was my mobile number this time.

The phone rings twice, and then the call drops.

By the time I get to the phone, there is a missed call from 03598815400011

That is a number from Bulgaria and more than likely, a premium rate number.

I had a quick check online to see if there are any other reports on this number and, lo and behold, there are plenty. It does however appear to be a new number in use.

I was amazed to read some of the comments on one site and a few of the questions
I have listed below:

“How do they get my number?”

“Why are they ringing me at that time of the morning? I’m not likely to answer”.

“Why do they only let it ring once, I will never be able to answer the phone that quick”

Some people just don’t seem to understand when they are about to be conned even when it jumps up and bites them on the nose.

They didn’t “get your number”.

And the reason why it only rings once is because they don’t want you to pick it up and answer it.

(If you do, that costs them money and they don’t want to actually spend any money, they just want to make as much as possible).

Here is a copy of the reply I posted to one comment.


Paypal Phishing Spam with a twist…

This post was inspired by some work on one of my other sites, but it made me laugh so much it was worthy of being discussed here too.

We all get them: PayPal phishing emails that look like a mail from PayPal. When you click on them, they take you to a site that looks like PayPal, and when you enter your PayPal information, it gives you an error and redirects you back to the real PayPal site with you hopefully none the wiser… except that you’ve now given the phishers your PayPal details…

So before I go any further, never ever click on a link in an email that subsequently is going to ask you to log in.

1. You get an email from "Company ABC".
2. Open your browser of choice.
3. Navigate to "Company ABC’s" website.
4. Log in.
And you’re done.

If you get into the habit of doing this, you can never ever fall prey to a phishing email.

I’ll say it once more just for effect: never ever log in to a site that you have arrived at after clicking a link in an email.

Ok, warning out of the way, back to the main point for this post.
Earlier on today, I got a new format of Paypal phishing email.
The contents of which are quoted below:

Due to our recent database update we require that you confirm your PayPal account. The confirmation process takes 3-5 days.

So far, nothing new, I thought… here we go again. I looked down for the usual phishing link, except I couldn’t see one, so I read on.

We have taken this measure to reduce the number of the unused PayPal accounts in our database.

To confirm your PayPal account you must make a deposit in the bank account of our PayPal agent in charge with account management. The deposit amount of  $ 50.00 USD will be uploaded into your PayPal account.

So hold up…They want me to deposit $50.00 USD into their account and then they will pay it back to me.
hmmm, I’m starting to see a slight flaw in their plan already…

The details needed for the deposit are:

Amount to deposit: $50.00 USD
PayPal agent name: <details deleted>
Bank name: <details deleted>
Bank address: <details deleted>
IBAN: <details deleted>
SWIFT/BIO: <details deleted>

For security reasons, I’ve deleted various details from above, but in this case, they were all valid and did point to an existing foreign bank account with a valid name.

So just how exactly do the phishers collect their money?
Either someone else has been scammed and the bank account details belong to someone who has had them stolen or, the details actually belong to the phisher.

Now I know these people can be stupid, but I can’t believe they would openly send out their own bank account details. Or are they that stupid? I’d like to think so, because that means by the time you read this, they are already hopefully locked up in some Gulag camp (now there is a clue as to where the bank account details were based which shouldn’t surprise most of you).

But even if they weren’t that stupid and the bank account belonged to some other poor soul who was totally unaware, surely there aren’t enough people in the world dumb enough to fall for this for them to get enough money before the account was shut down.
The account is also in a country where I don’t know what sort of relations the authorities in the West have.

Unfortunately, a great number of people do fall for these types of scams. It just beggars belief the number of different methods that spammers and phishers will try in order to extort money from people. What is more disheartening is that real people will fall for tricks like this.
So never ever click on a link from an email that subsequently wants you to log in.

For the techies out there: The email was sent using a compromised computer based in the US and the phishing website was being hosted on a Spanish server in Madrid. (They were probably distracted watching Spain at Euro 2008 or Nadal at Wimbledon).

The quick way to shut down a phishing website!

Ok, so I open up today’s spam mail folder and there at the top of the queue is a phishing email ‘from’ the NatWest Bank.

Clicking on the "log in" button takes you to a perfect replica of the NatWest site with a page for visitors to enter in their information to ‘verify’ their account.

The dead giveaway was that the URL contained a non-NatWest-looking domain. What caught my eye this time was the fact that I recognised the website that had been hacked.

http://www.companyA.com/folder/folder/natwest.com
rather than 
http://www.natwest.com
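The tell in this case is that the bank's name sits in the path of a hacked third-party site rather than in the host. As an added example (not code from the original post), the check below parses a URL, works out its registered domain and reports the brand name appearing anywhere other than that domain. It also accepts the defanged "hxxp://" form used when quoting phishing links, and goes beyond the post by flagging the brand appearing as a subdomain or in the query string. The brand list and the short public-suffix list are assumptions for the demo; a real deployment would use the full Public Suffix List.

```python
"""Flag URLs where a known brand appears outside the registered domain."""
from urllib.parse import urlsplit

# Legitimate registered domains for the brands we care about (assumed list).
BRAND_DOMAINS = ("natwest.com", "paypal.com", "hotmail.com", "yahoo.com")

# Minimal set of two-label public suffixes (assumption for the demo).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' or 'hxxps://' link back into a parseable URL."""
    url = url.strip()
    if url.lower().startswith("hxxps://"):
        return "https://" + url[8:]
    if url.lower().startswith("hxxp://"):
        return "http://" + url[7:]
    return url


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. www.companya.com -> companya.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_of(text: str):
    """Return the brand domain whose name (label before the TLD) appears in text."""
    lowered = text.lower()
    for domain in BRAND_DOMAINS:
        if domain.split(".")[0] in lowered:
            return domain
    return None


def check_url(url: str) -> dict:
    """Classify a URL as legitimate-host, suspicious, or no-brand-match."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    reg = registered_domain(host)
    if reg in BRAND_DOMAINS:
        return {"host": host, "verdict": "legitimate-host", "brand": reg}
    # Everything left of the registered domain is attacker-controlled subdomain space.
    subdomain_part = host[: -len(reg)] if host.endswith(reg) else host
    elsewhere = brand_of(subdomain_part) or brand_of(parts.path) or brand_of(parts.query)
    if elsewhere:
        return {"host": host, "verdict": "suspicious", "brand": elsewhere}
    return {"host": host, "verdict": "no-brand-match", "brand": None}


if __name__ == "__main__":
    # The two URLs from the post plus the defanged Hotmail lure and a subdomain variant.
    for sample in (
        "http://www.companyA.com/folder/folder/natwest.com",
        "http://www.natwest.com",
        "hxxp://images-id.com/profile.php?=yahoo:shinerweb@yahoo.com",
        "http://natwest.com.example.net/login",   # constructed subdomain trick
    ):
        print(sample, "->", check_url(sample))
```

The registered domain is the only part of a URL the brand actually owns; anything to its left, or after the first slash, is whatever the site operator (or whoever has hacked the site) wants it to be.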

Rather than set up their own web server to ‘host’ the target bank web sites, one method the bad guys employ is to use a ‘hacked’ website.

In this case, the bad guys had obviously hacked their way into "Company A’s" web server (who, being an innocent party here, will remain anonymous).

They then uploaded their imitation "NatWest" bank site to which they would direct users from within the phishing email.

In this case, the phishing website would email any data entered into the fake form back to a central account which would be read by the attackers.

At the time of opening this email this morning, it was already being detected by several anti-phishing filters, so at least those users would have been protected. (Note: If you haven’t installed the McAfee SiteAdvisor toolbar for Firefox or IE, then go do it now. It’s free and it works).
