Showing posts with the label phishing. Show all posts

Monday, 26 February 2018

Credit card phishing – iPhone campaign

A new phishing campaign is targeting people who hope for a free iPhone.
The campaign targets the victims’ credit cards with a wonderful promise to win an iPhone.
Everything is visually prepared; all that remains is for the victims to add their personal data.

Domains involved:
  • uploadocean.com/ – Adverts campaign
  • adminlady.info – Redirection
  • awarded.pw – Promoter
  • radiuniverse.com – hacked domain hosting the phishing page (or just owned by the hacker)
h**p://browser.awarded.pw/todays-winner/?winner=xx.xxx.xxx.xx&cc=RO&brw=Firefox&voluumdata=deprecated&eda=deprecated&cep=******&sourceid=57a5012f14822bf716721506&match=ron&carrier=wifi&mob_pf=windows&country=RO&cpc=0.0015
h**ps://ff.radiuniverse.com/n/iphonex/?transaction_id=102704cb8f7cc8e75a5a5705197330




This is all!!!
“Soon your card will be shopping without you!”

Have fun & Stay safe!

OneDrive phishing campaign

They need OneDrive accounts now...

Tuesday, 12 December 2017

Apple ID and Credit Card Phishing – Cybersecurity research


Hello.
Today we will be investigating a phishing case.
An attack of this type usually arrives by email.
The email contains some text describing a problem or a win, and a link.
The text is written to make you go to the prepared website.
The link is usually hidden so that you cannot tell where you are going, which makes the hoax easier.

Let’s start with the email I received so you can understand how you can protect yourself.
  1. Re: to what? Is this a response to an email that I sent to Apple? NO! … It’s a trick used to make you open the email believing it’s a response to an email sent by you.
  2. Apple support…. He caught your attention.
  3. Yandex?!? Yandex Browser is a freeware web browser. But it is still important. The Apple CEO sent you an email after he hired Yandex … that’s why he’s CEO .. to send email to users…
A link is hidden behind the button.
t.co is Twitter's URL shortener, and behind this link is the real address we end up at.

h**ps://t.co/BeOT0WkjXn =>
h**ps://twitter.com/safety/unsafe_link_warning?unsafe_link=https%3A%2F%2Fwia.email%2F =>
h**ps://apple.com.confirmation.account.centre.rin5de.center/
The good part is that when you are redirected, Twitter and Firefox warn you about the link you are about to reach.
Let’s ignore everything this time …
What you see is a clone of the Apple website.
I’m not on some cyber unit… yet….
Data entered on the fake page will be stored on the server.
So the hacker will know I’ve been around here.
Even if you log in with real data you will receive the same message to move on.
It will ask you to enter bank details and an identification document to unlock your account.

After all that, it redirects you to the real Apple website, where you sign in to your “unlocked” account.
At this point you will be glad you did not lose your account, but in reality you gave the hacker all your banking data and identification documents.

Still, let’s see what is on the main domain.
h**ps://rin5de.center
Index of / … apple.com.confirmation.account.centre: this is where the clone page was created (old and still online 24.02.2017).
A cPanel login and a hint for recovering the password.
153.92.209.145:2083
Username: admin
Password: ?
Email: m—d@m—v.com
Name Servers:
ns7.wixdns.net
ns6.wixdns.net

And today…after 10 months online…

The cPanel (153.92.209.145:2083)
I think the data I’ve entered was also convincing (Insider, cyberunit)
Have fun & Stay safe!!!
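
The redirect chain in this post can be checked mechanically. The following is an added example, not code from the original post: it re-reads the three defanged links, pulls out the URL hidden in the `unsafe_link` parameter, and flags a hostname that names a brand in its left-hand labels while the registrable domain belongs to someone else. The brand allow-list and the two-label domain rule are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list for this example: brand name -> domains the brand really uses.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}

# The three links from the post, still in their defanged "h**ps" form.
CHAIN = [
    "h**ps://t.co/BeOT0WkjXn",
    "h**ps://twitter.com/safety/unsafe_link_warning?unsafe_link=https%3A%2F%2Fwia.email%2F",
    "h**ps://apple.com.confirmation.account.centre.rin5de.center/",
]


def refang(url):
    """Turn the post's 'h**p(s)://' notation back into a parseable URL string."""
    return re.sub(r"^h\*\*p", "http", url.strip(), flags=re.IGNORECASE)


def registrable_domain(host):
    """Simplification: the last two labels. Real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_target(url):
    """Return a URL carried inside a query parameter (e.g. unsafe_link=...), if any."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def impersonated_brands(host):
    """Brands named in the hostname although the registrable domain is not theirs."""
    host = host.lower().rstrip(".")
    if not host:
        return []
    registrable = registrable_domain(host)
    labels = host.split(".")
    padded = "." + host + "."
    hits = []
    for brand, real_domains in BRAND_DOMAINS.items():
        if registrable in real_domains:
            continue  # genuinely the brand's own domain
        if brand in labels or any("." + d + "." in padded for d in real_domains):
            hits.append(brand)
    return hits


def analyse(url):
    """Summarise one hop: where it really points and what it pretends to be."""
    clean = refang(url)
    host = urlsplit(clean).hostname or ""
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "embedded": embedded_target(clean),
        "impersonates": impersonated_brands(host),
    }


if __name__ == "__main__":
    for hop in CHAIN:
        print(analyse(hop))
```

The point to take from the output is that a browser reads a hostname from right to left: everything before `rin5de.center` is a subdomain the owner of that domain can name freely.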

Monday, 28 May 2012

Spam Report: April 2012

April in figures

  • The percentage of spam in email traffic was up 2.2 percentage points from March and averaged 77.2%.
  • The percentage of phishing emails remained unchanged from March and amounted to 0.01%.
  • In April, malicious files were found in 2.8% of all emails — the same amount as in the previous month.
  • Over 20% of phishing attacks in April targeted Facebook users.

Spam in the spotlight

New tricks spotted in fraudulent and malicious spam

Spammers who spread malicious code and phishing emails are still looking for the best shortcut to reach computer users. Malicious spam is developing quickly, and malicious users are systemically adding to their arsenal of tricks, both with technical innovations and with new tactics involving social engineering.

Wikipedia and Amazon — bad experience?

In April, we detected spam that at first glance looked just like your typical malicious mass mailing designed to look like an official Facebook notification. The email, allegedly from the social network, announced a new Friend Request on Facebook. Like most of the emails made to look like Facebook notifications over the past year, this mailing was well done and looked like the real thing, at first glance. According to the plans of the malicious users, if the user clicked on any of the links in the email, he would be taken to a website infected with malicious code, rather than Facebook. Sounds familiar, doesn’t it? There is just one difference here — the links in the emails didn’t take users to hacked domains or to sites registered in the .in or co.cc domains, but to pages on Wikipedia and Amazon.

Apparently, malicious users seeded malicious script on their newly created Wikipedia pages as well as on pages made to look like advertisements for pre-owned goods on Amazon.com. Why “apparently”? Because this tactic was not the most effective, as the teams on both services responded promptly, and by the time the links were spread, the pages were already disabled.


Diablo III – pre-release phishing

In early June, the long-awaited game Diablo III is expected to hit the shelves. IT security professionals have some concerns associated with this particular game, and Blizzard has officially permitted the trade of in-game items in this new MMORPG. It is reasonable to expect that phishers will quickly set their sights on Diablo III players. But no one expected malicious users to start using this game even before it was released.
Phishing emails appeared in spam traffic playing off of the impatience of gamers anxiously awaiting Diablo III’s release. The emails stated that they would be given the opportunity to play a beta version of Diablo III for a specific period of time. In order to do so, they would need to enter their battle.net account information (a resource where Blizzard account information is stored). Of course, the link in the email did not lead to the specified site, but to a phishing webpage. Each email was slightly different, but the basic features were ultimately the same.

After obtaining the registration data from a battle.net user, malicious users would then have access to that user’s accounts for popular games like World of Warcraft and Starcraft, which are still in high demand on the black market.

Political spam

Political spam got back in action in April, primarily targeting US and French readers. Mentions of Barack Obama in spam emails were as frequent as they were during the first year after his election. Furthermore, his name is used not only in political emails “exposing his political course” or pointing to the allegation that the President of the US “is afraid of losing the upcoming election,” but also in emails advertising a variety of traditional spammer products. For example, his name is mentioned in one mass spam mailing offering Viagra.

With the upcoming elections in the US, Internet user interest in the battle for the presidency and the personalities of the candidates and the current president will only grow. Spammers will doubtless fan the flames of this interest by spreading propaganda, in addition to continuing to take advantage of this interest for their own purposes. In the months to come, we expect an increase in the number of emails with links allegedly leading to web pages with scandalous information about the candidates and the elections in general. Furthermore, the links will likely take users to advertisements for libido-boosting medications in the best case scenario (as in the example above), or to a malicious program in the worst case scenario.
French political spam is also more active these days, although we did expect a larger volume of political spam mailings in France during the frenzy of the recent presidential race there. The spam emails that we detected were few in number. They included advertisements for T-shirts with pro-Sarkozy slogans.

Other hot topics

The complex situation in Syria has also become the subject of spam emails. “Nigerian” spammers are actively mailing out messages from “lawyers and bank clerks working in the country.” At month’s end, we had also detected emails from “Assad’s wife.” We regularly encounter emails from the “family members of leaders” of a variety of countries facing unstable conditions. Sometimes Nigerian spam emails are even presented as having been written by these very leaders. So it is altogether possible that in the future we will see emails allegedly written by Bashar al-Assad himself. The Assads’ children are still quite young, so we are unlikely to see any of these emails allegedly written by them, although you never know. After all, nothing is sacred to spammers, and a crisis in any country is nothing more than an opportunity to rake in some cash.
We are also seeing a surge in the amount of spam exploiting the European football championship. This event is due to start in June, and Internet users are increasingly interested from day to day. Many spam mailings offer rooms to football fans that haven’t yet made hotel reservations in Poland and Ukraine. However, the accommodation offered by the spammers is bare-bones at best, while the prices have been greatly inflated.
The Summer Olympics in London are currently the focus of attention among “lottery” scammers. Just about every week we see emails announcing lottery winnings, allegedly from a lottery held by the Olympics Foundation.

Statistical summary

Sources of spam


Sources of spam in April 2012 (TOP 20)

In April, the Top 20 sources of spam underwent some major changes from prior months.
The most noticeable change over the month was the US jumping from 20th to 2nd place in the rankings. The proportion of spam originating in the US surged by over 7 percentage points. The amount of spam coming from China also increased – by 5 percentage points – and that country is now ranked 5th among the world’s top sources of spam. Meanwhile, the percentage of unwanted correspondence originating in Indonesia fell by 5.2 percentage points. This Asian country fell 10 places and ended up in 12th place last month.
We presume that this change in the spam landscape correlates with the redistribution of powerful spammer-run botnets and their relocation from regions where spam operations have been low-level over the past year. Note that both the US and China (and Hong Kong in particular) were some of the top targets in the first quarter of 2012 for spammers spreading malicious mailings. The infection of new computers in these countries has clearly led to the growth of new botnets.
The other changes in the ratings among sources of spam were limited to no more than 2.5 percentage points.

Malware in mail traffic

In April, malware was found in 2.8% of all emails, which more or less matches the levels detected in March’s mail traffic.

The distribution of email antivirus detections by country

The distribution of email antivirus detections by country, April 2012
Just as it was in the first quarter of 2012, the US has taken the leading position in terms of the number of email antivirus detections. The percentage of Kaspersky Mail Antivirus detections in the US rose only slightly, by just 0.64 percentage points.
Australia (-3.9 percentage points) and Hong Kong (-2 percentage points), countries that had been ranked second and third, respectively, in March, conceded their places to Vietnam in April, which climbed up from 4th to 2nd place. The proportion of mail antivirus detections in Vietnam increased by 2.4 percentage points.
The percentages of detections in other countries fluctuated within a range of 2 percentage points.

Top 10 malicious programs spread by email

Top 10 malicious programs spread via email in April 2012
Some 13.7% of all Kaspersky Mail Antivirus detections are for the traditional leader in our Top 10: Trojan-Spy.HTML.Fraud.gen. Detections of this Trojan were 1.6 percentage points higher in April than in March. This malicious program is designed to look like an HTML page serving as a registration form for a financial organization or an online service. The registration data entered on the page are then sent to malicious users.
The usual suspects in our Top 10 — the email worms Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Mydoom.m and Email-Worm.Win32.NetSky.q — are in third, fifth, and ninth place in this month’s ranking respectively. Readers may recall that the functions of the Mydoom and Netsky families of worms are limited to the harvesting of email addresses from infected computers, and sending themselves to these addresses. Bagle.gt is the only worm in the Top 10 that is also capable of sending requests to online resources and then downloading malicious programs.
We should draw attention to the appearance of the script Trojan — Trojan-Downloader.JS.Iframe.cvq — in April’s Top 10. It accounted for nearly 2% of all mail antivirus detections. Another 10% or so of all mail antivirus detections in April were represented by script-based malicious programs that were detected using proactive methods. This is relatively worrisome, as script-based threats in HTML emails launch destructive actions as soon as a recipient opens the email.

Phishing

The percentage of phishing emails remained unchanged from March and amounted to 0.01%.

The distribution of the Top 100 organizations targeted by phishers, by category — April 2012

This rating is based on our anti-phishing component detections activated every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
In April, we saw a major change in the top phisher-targeted organizations: for the first time in four months, financial organizations (23.61%) left first place, and were replaced by social networking sites (28.8%). The percentage of social networking sites targeted in phishing attacks increased by almost 6 percentage points. The main contributing factor to that rise was due to the numerous attacks on Facebook: over 20% of all phishing attacks in April targeted Facebook users.
Compared to March, the percentage of attacks against financial organizations fell somewhat, as did the percentage of attacks against online stores and search engines, IT vendors and organizations in the “other” category. All of these changes were within a range of 1.5 percentage points.
As a result, one can see a slight change in the focus of phishing attacks increasingly toward the users of social networks.

Spam by category

Spam by category in April 2012

The percentage of the traditional leaders in the top spam categories — Computer Fraud and Personal Finances — changed only slightly in April. The former fell by 2.2 percentage points, and the latter rose by 0.8 percentage points.
The share of advertisements for online casinos remains high at just over 6%.
Most spam emails advertising online casinos clearly show signs of fraud, malicious code, or something else. The Personal Finances category is more often than not made up of dubious offers for cheap loans or fast cash, and there is usually something fishy about them.
Having reviewed these data, one can confidently say that more than half of all spam in April aimed to steal financial or personal information from computer users, as well as indirectly steal their money and install malicious code on their computers.
Incidentally, the most substantial change that we noted from March to April was a rise of 4.75 percentage points in the Interior Design spam category. In April, Kaspersky Lab noted several mass mailings in this category. Apparently, this surge in interior design-themed spam is connected to the “spring cleaning” advertising campaigns pushed by many furniture and renovation companies.
The percentages of other spam categories fluctuated only slightly in April, within a range of 1.5 percentage points.

Conclusion

It needs to be said that spam is posing more of a threat than ever: there is a high percentage of malicious code in attachments, and Kaspersky Lab is detecting a considerable number of spam emails containing malicious links. Furthermore, IT security professionals are seeing even more spam containing script-based threats, which means that even just opening an email could put users at risk. The fact that these mailings continue to spread from month to month demonstrates that Internet users are not sufficiently informed; spam would not be such an attractive means of proliferating malicious code if it were not so lucrative for cybercriminals. Internet users often do not even suspect that their computer’s performance faces any threat at all, not to mention their personal data or cash, when they open a spam email.
In the months to come, we expect a return of the all-too-familiar spam mailings with scandalous news items about current US President Barack Obama. Furthermore, phishing attacks will likely focus more on social networking sites, and possibly online games — as summer vacation is upon us, students on break from school will be more active online. While these users tend not to have bank accounts, they do spend a lot of time on social networks and other online entertainment.



securelist.com

Friday, 25 May 2012

Fake Angry Birds app makers fined £50k for shock cash suck



A firm that disguised Android malware as Angry Birds games has been fined £50,000 ($78,300) by UK premium-rate service regulator PhonepayPlus.
A1 Agregator posted mobile apps posing as smash-hit games, including Cut the Rope, on Android marketplaces and other outlets. Rather than offer free entertainment, the software silently sent out a text in order to receive a string of premium-rate messages, costing victims £5 per SMS. Users would have to uninstall the counterfeit apps from their phone to prevent further messages and charges.
The malicious code also covered up evidence of the message swapping which might have alerted punters to the whopping charges on their upcoming bills.
A total of 34 people, perhaps only a small percentage of those affected, complained to PhonepayPlus by the end of last year. In a ruling this month, the watchdog found A1 Agregator guilty of multiple breaches of its code of conduct and levied a fine of £50,000, estimated as the upper limit of the illicit profits made through the scam. A1 Agregator, which wasn't even registered with PhonepayPlus at the time of its offence, must refund defrauded victims in full within three months, whether they've complained or not.
It is understood the firm trousered £27,850 ($43,600) from the scam.

A1 Agregator - which was "formally reprimanded" over its behaviour - must also submit any other premium-rate services it develops to PhonepayPlus for approval over the next 12 months.
Premium-rate SMS scams account for 36.4 per cent of malware on smartphones, the second largest type after spyware, according to analysts Juniper Research.
And Carl Leonard, senior security research manager of EMEA at Websense, added: "Mobile apps are a powerful malware delivery technique as most users are willing to allow apps to do anything to get the desired functionality. Cyber criminals are beginning to use these malicious apps not only to make a quick buck but to also steal valuable data."
"For example, a malicious app could access the data on your phone, or access all of your contacts. This is particularly bad news for businesses that allow bring your own device (BYOD) schemes but don’t have the right security to protect their mobile data," he added.

Android virus evolution

Mobile malware scams first emerged in Russia and China several years ago. Fraudsters are beginning to turn to the West for victims, Kaspersky Lab warns.
"The mobile threat landscape is dominated by malware designed to run on Android – 65 per cent of all threats are aimed at this platform," said David Emm, senior security researcher at Kaspersky. "The platform is popular, it’s easy to write apps for it and it’s easy to distribute them via Google Play – so it’s little wonder that cybercriminals are making use of Google Play, where malware masquerades as a legitimate app."
"SMS Trojans, of the sort mentioned in the [PhonepayPlus] report, are currently the biggest category of mobile malware. And it’s important to understand that it’s not just a problem in Russia or China. Cybercriminals seek to make money from them across the globe, including here in the UK," he concluded.
In the past mobile malware often offered a free application as bait. During installation, the Trojan would display some kind of decoy error message. This prompted victims to search for answers on web forums and elsewhere - which was the last thing scammers want because it could lead marks to the realisation that they'd been suckered.
More recently cybercrooks have begun offering a bait that actually works. A blog post by F-Secure, published with a helpful video, describes an unrelated case of a Trojan installing a working copy of Rovio's Angry Birds Space as it compromises the phone.


theregister.co.uk

Saturday, 19 May 2012

Hacker Behind “Call of Duty” Trojan Sent to Prison for 1.5 Years



Many gamers may have noticed the Trojan-infected file that’s being advertised as a patch for the popular Call of Duty game. As it turns out, the mastermind behind this scheme is a 20-year-old student from the UK who has used the malware to collect credit card details from the affected computers.

Kent Online reports that Lewis Martin was apprehended by police while trying to steal computer equipment from colleges in Dover and Deal.

When investigators searched his house, they uncovered documents containing 300 credit card credentials, along with passwords. The details of a fraudulent bank loan were also found.

Prosecutors accused him of using the Trojan to collect credit card details, passwords and credentials to websites such as PayPal, which he sold on the underground markets for sums between $1 (.76 EUR) and $5 (4 EUR).

Now, he has been sentenced to serve 18 months in prison for fraud and burglary charges.


Apparently, Martin was known by law enforcement representatives as a burglar, since he was caught on numerous occasions breaking into educational institutions. However, we’re more interested in the part in which he used the piece of malware to commit his crimes.

This incident shows that users subject their digital assets to numerous risks when downloading games from untrusted sources.

We’ve recently seen how most “Diablo 3 free download” searches point to malware-laden websites. With patches and key generators the problem is even more serious because most of the malicious files actually work, making users disregard the warnings displayed by their antivirus software.

What they don’t know is that while they’re happy to be playing the game, a nasty Trojan is logging their every move, stealing every bit of valuable information it finds.

“Game players would be wise to pay attention to the technique used by Lewys Martin to infect computers,” Graham Cluley, senior technology consultant at Sophos, advises.

“It's not uncommon for malware to be distributed in the form of cracks and hacks for popular computer games - if you run unknown code on your computer to meddle with a video game, you might well be allowing malware to insidiously install itself too.”


softpedia.com

Tuesday, 15 May 2012

Avast Warns About “FakeInst” and Alternative Android Markets


The large number of malicious websites designed to infect Android devices with the well-known Android:FakeInst SMS Trojan have made Avast security experts issue another warning to alert users of its presence. They also advise smartphone owners to beware of shady-looking alternative Android app markets.

Researchers have found several domains, such as t2file.net and uote.net, which store at least 25 new apps that mask the piece of malware.

After users are lured onto these websites, they’re presented with a phony Downloader program. The truly evil thing about this app is that it tells the victim that the operation may cost money, but the Quit button doesn’t work.

Once the installation process begins, there’s nothing you can do, but click on the Agree or OK buttons. Of course, there are methods to stop the task, but to the untrained user it appears as he/she has no other choice.


What is even more worrying is the fact that once one of these buttons is pressed, an SMS to a premium rate number is already sent out. To make matters worse, the Trojan contains premium numbers for around 60 different countries worldwide, which means that if the victim isn’t located in Antarctica, he/she will most likely end up with an inflated phone bill.

In order to prevent experts from analyzing the malware, its creators have used AES encryption to make the file inaccessible.

Each SMS sent out by Android:FakeInst costs around $4 (3 EUR), which means that the cybercriminals behind this operation can earn considerable amounts of money from users who make the mistake of downloading software from alternative markets.

“Never trust weird looking alternative markets and always check the app permissions. If you’ve downloaded a game that asks for SMS and Phone calls permissions, it probably means that someone is about to “play you” instead,” Avast’s Alena Varkočková explained.


softpedia.com

Fake Android Antivirus Served via Twitter Spam





Security researchers warn that Twitter is being flooded with shady looking posts that contain links to websites hosted on .tk domains. These websites hide malicious elements that target not only PC users, but also Android owners.

GFI Labs experts report that while PC users are served broken .jar files, Android customers are tricked into installing a fake antivirus application whose icon replicates the one of products provided by Kaspersky.

So let’s take a look at how these schemes work.

First, the cybercriminals post tweets in Russian or English that advertise all sorts of materials, mainly adult content. All the tweets contain a link to a site such as “good-graft.tk.”


Once clicked, the links open a Russian site that’s designed for both smartphone and computer owners. Depending on the device from which the website is accessed, the potential victim is served a file called VirusScanner.jar (for PC), or VirusScanner.apk (for Android).

As mentioned before, experts revealed that the .jar file seems to be broken, since an error is displayed when it is executed. However, this may change at any time, so internauts should be wary when presented with such an element.


VirusScanner.apk is a rogue antivirus application which displays the Kaspersky logo when it is installed.

Identified as Trojan.Android.Generic.a by GFI’s VIPRE Mobile Security, the piece of malware reveals its true purpose during the installation process when it asks permission to access phone calls, messages and even services that cost money.

We strongly advise you to refrain from clicking on links contained in Twitter posts if they look suspicious. Furthermore, site addresses that end in .tk are usually a good indicator of a malicious plot.

On the other hand, even if you do end up on a shady site, at least make sure you don’t install anything that’s pushed to your device.

Finally, although many argue that mobile threats are not yet so popular, users should learn to treat their smartphones just as they do their computers and install antivirus solutions from legitimate and reputable companies.


softpedia.com
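
The permission check recommended in the two articles above (an app that is supposed to be a game or a scanner but asks for SMS and phone-call access) can be done on a decoded manifest before installing. This is an added example, not code from Avast, GFI or the original articles; the sample manifest, the package name and the per-category expectations are constructed for illustration, and it assumes the APK's manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name and friends).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app handle SMS or calls, and so run up charges.
COST_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can receive and process incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can place calls without the dialer prompt",
}

# Assumption for this example: which of those permissions a category plausibly needs.
EXPECTED_BY_CATEGORY = {
    "game": set(),
    "antivirus": set(),
    "messaging": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
}

# Constructed sample: a "game" that declares SMS permissions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birdgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Bird Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    found = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            found.add(name)
    return found


def review(manifest_xml, category):
    """List cost-bearing permissions that the stated app category does not explain.

    An unknown category is treated as needing none of them.
    """
    allowed = EXPECTED_BY_CATEGORY.get(category, set())
    flagged = sorted(
        p for p in requested_permissions(manifest_xml)
        if p in COST_PERMISSIONS and p not in allowed
    )
    return [(p, COST_PERMISSIONS[p]) for p in flagged]


if __name__ == "__main__":
    for permission, reason in review(SAMPLE_MANIFEST, "game"):
        print(f"unexpected for a game: {permission} ({reason})")
```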