Spyware Security

Anti Spam, Spyware, Malware, pc and internet security


Posts tagged Backdoor

Backdoors in Twitter, Now in Arabic

Twitter is becoming a common medium to spread spam, malware and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators, and there are no signs of them stopping any time soon. Over the past two weeks, several Twitter [...]

Post from: TrendLabs | Malware Blog – by Trend Micro


FIFA and Gaza Attack Tweets Dump Backdoors

What do the FIFA World Cup and Gaza attack have in common? They are both currently being used for social engineering by a couple of malware campaigns seen on Twitter. TrendLabs℠ Senior Threat Researcher Ivan Macalintal spotted several malicious programs being distributed via the popular microblogging site. These malware campaigns take advantage of these noteworthy events [...]

Post from: TrendLabs | Malware Blog – by Trend Micro


Spam Greets Users with a Backdoor

The only thing worse than receiving a spammed greeting card is one that comes with malware. TrendLabs℠ senior advanced threats researcher Loucif Kharouni recently acquired a sample spam in the form of an online greeting card. The said card urges recipients to check out the greeting card by clicking the image. Users who [...]

Post from: TrendLabs | Malware Blog – by Trend Micro


1.5 million Facebook accounts offered for sale – FAQ

In their latest “Weekly Threat report”, VeriSign’s iDefense Intelligence Operations Team has profiled the underground market proposition of someone claiming to have 1.5 million compromised Facebook accounts available for sale.

The pricing method is based on the number of contacts per compromised account, presumably with the idea to allow easier spreading of related malicious content across Facebook.

Here’s an excerpt from the report, and a brief FAQ on the underground ad.

“On Feb. 10, 2010, (cybercriminal) stated that he or she is selling 1.5 million compromised Facebook accounts, in bulk quantities, belonging to users in various countries. The price per 1,000 accounts varies based upon the number of friends and contacts that each account possesses. For a purchase of compromised accounts containing 10 contacts or fewer, a buyer must pay $25 per 1,000 accounts. A purchase of compromised accounts containing 10 or more contacts requires a buyer to pay $45 per 1,000 accounts. Accounts containing zero contacts are also available for bulk purchasing from (cybercriminal), at the cost of $15 per 1,000 accounts. The prices of these accounts are presumably in USD or the equivalent amount in some form of electronic currency.”

Sometimes, there’s no honor among cybercriminals (Phishers increasingly scamming other phishers), just like there isn’t among “real life” thieves.

From the distribution of backdoored web interfaces to web malware exploitation kits, to the actual “binding” of additional malware to the original release, sophisticated cybercriminals, or at least those with experience, have realized that there are thousands of potential cybercriminals that could unknowingly start working for them. The process of “cybercriminals attempting to scam novice cybercriminals” demonstrates just how vibrant the ecosystem has become these days.

With a huge percentage of the underground marketplace driven by reputation, this is exactly what this particular seller of Facebook data is missing. Moreover, with quality assurance now an inseparable part of the cybercrime ecosystem, the seller is not just skipping the time frame during which the accounts were compromised, he is also not mentioning how many of them are actually verified as working.

These, and several other factors, make me skeptical on the quality of this underground proposition.

If we consider the cybercriminal’s claims to be true, how did he manage to obtain 1.5 million Facebook accounts?

The ad is clearly stating that they are accounts with contacts, meaning they’re compromised, and others which have zero contacts, meaning they’ve been automatically generated by outsourcing the CAPTCHA-solving process to international teams specializing in the process.

Related posts: Inside India’s CAPTCHA Solving Economy; Report: Google’s reCAPTCHA flawed — 1 million solved reCAPTCHAs for $800 through outsourcing

The compromised accounts could have been obtained through the emerging Cybercrime-as-a-Service (CaaS) market model. For instance, if he has paid $100 for 3GB of raw crimeware data, and the data mining allowed him to compile a list of 1.5m Facebook accounts, based on the current price, he’ll automatically break even.

Phishing campaigns shouldn’t be excluded as a possibility; however, it remains unclear whether the seller has launched them personally, or managed to purchase the raw data from someone else.

What kind of a business model within the cybercrime ecosystem would allow him to sell the data so cheaply, and still make a profit?

It’s a business model with an ever-decreasing cost of supply, based on the currently active “malicious economies of scale” phrase. This efficiency-driven cybercrime model is in fact so successful that, whether consciously or subconsciously, cybercriminals are realizing the basics of market liquidity, and the time value of “underground goods”, in particular the decreasing future value of assets like the Facebook accounts — the value becomes zero when the affected user changes his password from a malware-free host.

Related posts: Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime; Report: Malicious PDF files comprised 80 percent of all exploits for 2009; Microsoft study debunks phishing profitability; Microsoft study debunks profitability of the underground economy

Why would a cybercriminal want access to your Facebook account?

For a variety of fraudulent reasons, all of them exploiting the already established trust relationship between the compromised account’s holder and his network of friends.

From “money transfer schemes” where the fraudster is supposedly stuck somewhere and requires cash, to a malware campaign relying on nothing else but a status message leading to a client-side exploit-serving site. Your network of friends turns into his network for propagation of fraudulent/malicious schemes and campaigns.

VeriSign’s iDefense also makes an interesting observation.

With Facebook’s user base growing to 300 million people across the globe, this indispensable marketing platform can be easily integrated into the cybercriminal’s arsenal, with localized and targeted social engineering attacks relying on basic market segmentation, launched with the idea to achieve a higher conversion rate, compared to mass marketing approaches.

Fact or fiction, based on the ad’s content, this is perhaps the perfect time to change your Facebook password from a malware-free host, since a strong password is just as weak as a weak one in general if there’s malicious code present on the system.


Shanghai Expo Spam Carries Backdoor

A spam message claiming to be from the Bureau of the Shanghai World Expo, which is coordinating “Expo 2010” (taking place in Shanghai from May to October of this year), was provided to Trend Micro senior advanced threats researcher Paul Ferguson by a technology news group journalist who actually received it:

The [...]

Post from: TrendLabs | Malware Blog – by Trend Micro


 
