Anti Virus Softwares


Monday, 21 December 2009

Some updates . . . Visa/Zeus and Google Jobs

Posted on 11:48 by Unknown
On December 12th we covered a new "Visa.com" version of the Zeus distribution spam.
(See story: Ongoing Visa Scam Drops Zeus Zbot.)

There are at least forty domains seen in today's spam. Please see the story above for more on the URL pattern (the machine name may begin with "alerts", "reports", "statements", "transactions", or "sessionid" followed by random characters); one sample URL for each domain was collected.

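A small detector for the hostname pattern described above, added here as an example and not taken from the original post: it flags hosts that embed "visa.com" as a subdomain of some other registered domain and records whether the leading label is one of the campaign's prefixes. The two-level suffix set is an assumption standing in for a real public-suffix list, and the example.com/example.net hosts in the sample batch are constructed.

```python
import re
from urllib.parse import urlsplit

BRAND_DOMAIN = "visa.com"  # the real domain the campaign imitates

# Leading labels reported in the post, plus "sessionid" + random characters.
PREFIX_RE = re.compile(r"^(alerts|reports|statements|transactions|sessionid[a-z0-9]*)$")

# Assumption: a tiny stand-in for a public-suffix list (enough for .co.uk);
# a real deployment would load the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

def registered_domain(host):
    """Approximate the registrable domain controlling a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(url):
    """None if the host is genuinely under visa.com or unrelated to it;
    otherwise (registered_domain, prefix), where prefix is the campaign
    label found before "visa.com" ("" if the label is not one of them)."""
    if "://" not in url:
        url = "http://" + url          # bare hostnames as seen in spam bodies
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    reg = registered_domain(host)
    if reg == BRAND_DOMAIN:
        return None
    for i in range(len(labels) - 1):
        if ".".join(labels[i:i + 2]) == BRAND_DOMAIN:
            prefix = labels[i - 1] if i > 0 else ""
            return reg, (prefix if PREFIX_RE.match(prefix) else "")
    return None

def find_lookalikes(urls):
    """Keep only the URLs that match the pattern, with their classification."""
    return [(u, classify(u)) for u in urls if classify(u)]

# Constructed batch: one host from the post's list, a "sessionid" variant on
# a reserved example domain, and two benign hosts.
SAMPLE_URLS = [
    "http://alerts.visa.com.11ttillil.co.uk/",
    "sessionid7k2q.visa.com.example.com",
    "https://www.visa.com/",
    "statements.example.net",
]
```

Running `find_lookalikes(SAMPLE_URLS)` returns the first two entries with their controlling domains and prefixes; the genuine visa.com host and the unrelated host are dropped.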

It's too early to know for sure what malware this is, because currently only 4 of the 41 anti-virus products at VirusTotal detect it as anything at all. Sunbelt calls it Bredolab; the three others say only that it is "suspicious". I'll try to run it through our malware VM later today and make a more definite judgement.

VirusTotal Report here

cardstatement.exe
File size: 188928 bytes
MD5 : d61c6195eda54b1009208ba823ccdac4

Google Jobs Update


We warned about a Google Jobs scam back on December 1st (see article: Google Jobs Scam -- Read the Fine Print!!). Google actually sued the scammers who were running that scheme on December 9th (see article: Google v. Pacific WebWorks). Unfortunately the spam, and the scamming, continues unabated.

One example would be the spam messages for this "spaces.live.com" blog:

http://cid-3d8eb92dd2d67dba.spaces.live.com/

which leads to the website "biznews7.org", which forwards to the website "news2010letter.com", which recruits people to join the scam by sharing their credit card number on the site "http://www.safetrialoffers.com/searchsecretsystems/le5/".

On that site, the same scam is still being run by this organization:

Search 4 Profit, LLC.
7614 Arvilla Avenue.
Sun Valley, CA 91352

The Fine Print still reads:

Terms and Disclosures. Billing authorization obtained pursuant to the Uniform Electronic Transaction Act and the Electronic Signatures in Global and National Transactions Act. By submitting this form, I am ordering Search Secret Systems for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy Search Secret Systems, simply do nothing. On the 7th day my credit card will automatically be charged an easy payment of $89.26 once a month for three months. After the three months you will not be billed again. You will then maintain unlimited access to our member site. During your three month program you may cancel anytime by calling 1-877-361-8622 M - F, 8am-8pm MST.




Amazingly, the phone number was answered and a person actually asked how they could help me! When we wrote the first article, the phone rang and rang, but no one ever answered.

Of course, there are still quite a few ways this is illegal, even if they do now answer the phone, including the CAN-SPAM violations: the email "From" address is forged, there is no "unsubscribe" link of any sort, and there is no physical mailing address, despite this being a commercial offer. Here's an example spam message:

Never work in an office again! I've been working for someone else my entire life. A few weeks ago I found out about working for Google online so I decided to check it out. I signed up and read a few articles and tried a few different things and within 6 weeks I was making enough to quit my full time job to work at home! If this sounds like something that interests your, check out URL
http://profiles.yahoo.com/blog/MVO2GFP4W7AEJ42YOXCPAVOTU4
A song, a song, high above the trees




Work for the world's largest employer today lori has Earned $2,069 This December Alone! Check it out here:
http://cid-5ccbbcb19ba7028f.spaces.live.com
O tidings of comfort and joy.

