Report of Computer Security No.3


A. Summary

This issue covers newly discovered phishing scams and the corresponding new security policy rules for Sax2.

B. Policy Update of Sax2

1. Facebook subject to campaign that combines phishing and malware

         Name: POP3_Facebook subject to campaign that combines phishing and malware

         Type: POP3

         Severity: Warning

         Description: This event is generated when Sax2 detects that the sender address of an email is update+umxlabvkqxqrig@facebookmail.com.

2. MySpace subject to phishing campaign

         Name: POP3_MySpace subject to phishing campaign

         Type: POP3

         Severity: Warning

         Description: This event is generated when Sax2 detects that the sender address of an email matches message-*********@message.myspace.com, where * stands for a random letter or digit.

3. PayPal phishing in attachments

         Name: POP3_PayPal phishing in attachments

         Type: POP3

         Severity: Warning

         Description: This event is generated when Sax2 detects that the sender of an email is "www.paypal.com" <service@paypal.com>.

All three rules key on the From header, which the attacker controls and which is spoofed in every one of these campaigns; they catch the exact sender strings observed so far, not the campaigns in general.
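As an added example (not Sax2 code and not part of the original newsletter), the following Python implements the three sender-matching rules above over constructed sample messages. The event names are taken from the entries above; the "*" in the MySpace pattern is read as any run of letters and digits, and the sample messages are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender-matching rules transcribed from the three Sax2 policy entries.
# Each rule is (event name, severity, predicate over (display name, address)).
# Assumption: the MySpace "*" means any run of letters and digits.
RULES = [
    ("POP3_Facebook subject to campaign that combines phishing and malware", "Warning",
     lambda name, addr: addr == "update+umxlabvkqxqrig@facebookmail.com"),
    ("POP3_MySpace subject to phishing campaign", "Warning",
     lambda name, addr: re.fullmatch(r"message-[a-z0-9]+@message\.myspace\.com", addr) is not None),
    ("POP3_PayPal phishing in attachments", "Warning",
     lambda name, addr: name == "www.paypal.com" and addr == "service@paypal.com"),
]


def sender_of(raw_message: str):
    """Return (display name, lower-cased address) parsed from the From header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip(), addr.strip().lower()


def match_rules(raw_message: str):
    """Return [(event name, severity), ...] for every rule the message's sender trips."""
    name, addr = sender_of(raw_message)
    return [(event, severity) for event, severity, hit in RULES if hit(name, addr)]


def scan_mailbox(messages):
    """Map message index -> alerts; messages that trip no rule are omitted."""
    report = {}
    for i, raw in enumerate(messages):
        alerts = match_rules(raw)
        if alerts:
            report[i] = alerts
    return report


# Constructed sample messages (only the From header matters to these rules).
SAMPLE_MESSAGES = [
    "From: Facebook <update+umxlabvkqxqrig@facebookmail.com>\r\n"
    "Subject: Facebook account update\r\n\r\nPlease update your account.\r\n",
    "From: MySpace <message-7K2QX9PB1@message.myspace.com>\r\n"
    "Subject: Update your MySpace account\r\n\r\nDear MySpace user!\r\n",
    'From: "www.paypal.com" <service@paypal.com>\r\n'
    "Subject: PayPal Security Account Verification\r\n\r\nSee attachment.\r\n",
    "From: Alice <alice@example.com>\r\n"
    "Subject: lunch?\r\n\r\nNoon?\r\n",
]

if __name__ == "__main__":
    for idx, alerts in scan_mailbox(SAMPLE_MESSAGES).items():
        for event, severity in alerts:
            print(f"message {idx}: [{severity}] {event}")
```

Because the match is on the parsed address rather than the raw header string, cosmetic variations (extra whitespace, different capitalisation, a different display name on the Facebook and MySpace rules) still fire; the PayPal rule deliberately requires the "www.paypal.com" display name, as the policy entry does.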

C. Newly Discovered Phishing Scams


1. Facebook subject to campaign that combines phishing and malware

The campaign combines phishing with a malware download and a PDF exploit, both served from the phishing web site.

The message is sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has been seen with various subjects.

This is the body of the phishing/malware email:

The included link leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com. Note that facebook.com appears only as a subdomain; the registrable domain is jjjiok.org.uk.

The phishing web site then asks the visitor to "update" the account:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

The page asks the victim for the old and new passwords and, at the same time, pushes the "update tool" through the download link, which points to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

On our first visit to the phishing site a file named pdf.pdf was also delivered automatically, without any user action.

As might be expected, this PDF contains an exploit. Submitting it to VirusTotal returned the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9 of 40 engines detected the threat
VirusTotal permalink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

updatetool.exe:

AV detection rate: 6 of 40 engines detected the threat
VirusTotal permalink and MD5: 095fe570f78c322c8e358c656816c200


2. MySpace subject to phishing campaign

Social networks are a frequent phishing target, and today it is MySpace's turn. Ax3soft has intercepted a large number of messages purporting to come from MySpace with the sender <message-*********@message.myspace.com>, where * represents a random combination of letters and digits. The From address is apparently spoofed.


Content of the email:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&code=5A3TCE-JA3T2OSOJ1-AT2LKB0WNLB0-SMSWSGFPGEL97-0JHN4840QT&email=****@*******.co.uk

If you’re unable to click on the link above, copy and paste it into your browser’s address bar.

————————-

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.


The campaign uses fast-flux domains in order to evade Intent Analysis of the links. The domain is registered with the following details:

Domain name:

         iuuuujef.co.uk

     Registrant:
         Joe Tentpeg

     Registrant type:
         Non-UK Individual

     Registrant's address:
         5556 Butt hole Court
         Bum diddle
         66545
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 09-Nov-2009
         Renewal date:  09-Nov-2011
         Last updated:  10-Nov-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 11:19:48 10-Nov-2009


WHOIS lookups on the other domains used in the campaign show some irregularities: the registrant name differs from one domain to the next, and the address does not hold together. Belgian postal codes have four digits, so the five-digit code given here does not match the stated country. The registrant evidently used different details on each registration to avoid being flagged by the registrar.

3. PayPal phishing in attachments

Yesterday Ax3soft reported a phishing email that contains no URL at all; instead it carries an attached HTML document with a web form inside. Since then we have found more similar cases, and PayPal is the brand targeted by this technique. The sender address is spoofed as "www.paypal.com" <service@paypal.com>; the email was actually sent from 69.128.90.226, a US IP address that points to mail.dandlequipment.com.

The body of the email:

To make sure everything is in order, please download the PayPal Security Account Verification and fill in all the required data for verification.

The actual webpage:


The web form makes a POST to hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/. The host is the IP address 213.195.223.169 written in dotted hexadecimal, a form that browsers accept but that defeats naive string matching against IP blocklists.
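The two host-level evasions in this issue, a brand name placed in a subdomain of an unrelated registrable domain (www.facebook.com.jjjiok.org.uk, accounts.myspace.com.iuuuujef.co.uk) and the dotted-hexadecimal IP in the PayPal form's POST target, are both caught by normalising the URL host before any blocklist or reputation check. The Python below is an added example, not Ax3soft's or Sax2's code; its URL regex, its tiny stand-in for the Public Suffix List and the sample text are assumptions constructed for the example. It goes slightly beyond the page by decoding every inet_aton-style numeric host (decimal, octal, hex, and fewer than four parts), not just the hex form seen here.

```python
import re
from urllib.parse import urlsplit

# Brands whose lookalike hosts appear in this issue (registrable domains).
BRANDS = ("facebook.com", "myspace.com", "paypal.com")

# Minimal stand-in for the Public Suffix List, just enough for the hosts seen
# here. This is an assumption of the example; use the real list in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)
PART_RE = re.compile(r"0x[0-9a-f]+|[0-9]+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp(s):// URL back into http(s):// for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_numeric_host(host):
    """Decode an inet_aton-style numeric host to dotted decimal, else None.

    1 to 4 dot-separated parts, each decimal, octal (leading 0) or hex (0x);
    all but the last part are single octets and the last fills the remaining
    bytes, so 0xD5.0xC3.0xDF.0xA9, 0325.0303.0337.0251 and 0xD5C3DFA9 all
    decode to 213.195.223.169.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(PART_RE.fullmatch(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p.lower().startswith("0x"):
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p.startswith("0"):
            try:
                values.append(int(p, 8))
            except ValueError:  # e.g. "09" is not valid octal
                return None
        else:
            values.append(int(p, 10))
    if any(v > 255 for v in values[:-1]):
        return None
    tail_bytes = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def registrable_domain(host):
    """Registrable domain under PUBLIC_SUFFIXES (e.g. jjjiok.org.uk), or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # longest matching suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def spoofed_brand(host):
    """A brand domain that appears inside the host but is not its registrable domain."""
    h = "." + host.lower().rstrip(".") + "."
    reg = registrable_domain(host)
    for brand in BRANDS:
        if brand != reg and ("." + brand + ".") in h:
            return brand
    return None


def analyze_url(url):
    clean = refang(url)
    host = urlsplit(clean).hostname or ""
    ip = parse_numeric_host(host)
    brand = None if ip else spoofed_brand(host)
    return {
        "url": clean,
        "host": host,
        "ip": ip,  # dotted-decimal form when the host is numeric
        "registrable_domain": None if ip else registrable_domain(host),
        "spoofed_brand": brand,
        "suspicious": ip is not None or brand is not None,
    }


def analyze_text(text):
    """Extract every (possibly defanged) URL from text and analyze it."""
    return [analyze_url(u.rstrip(".,;)")) for u in URL_RE.findall(text)]


# Constructed sample: the three links from this issue plus one legitimate URL.
SAMPLE_TEXT = """
hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.
hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&email=****@*******.co.uk
hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/
https://www.paypal.com/signin
"""

if __name__ == "__main__":
    for f in analyze_text(SAMPLE_TEXT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} host={f['host']} ip={f['ip']} "
              f"reg={f['registrable_domain']} brand={f['spoofed_brand']}")
```

The decoded IP, not the raw host string, is what should be compared against blocklists and WHOIS data; likewise the registrable domain, not the leading labels, is what identifies who actually controls the site.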

D. Appendix

1. What is Phishing?

Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent web site that appears legitimate. The user then may be asked to provide personal information such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent web sites may contain malicious code.

2. Report a Suspected Phishing Site

Ax3soft collects phishing email messages and web site locations so that we can help people avoid becoming victims of phishing scams. The easiest way to contribute is to forward the suspected phishing email to reportphishing@ids-sax2.com. To help our back-end system process your submission, you can also use the report form at http://www.ids-sax2.com/ReportPhishing.asp.