A Scotiabank phishing scam with a bit of Santander sauce
This phishing scam targets RBC customers by tricking them with the classic “illegal transaction” scheme.
Wasn’t me… Wasn’t me… Some good memories of Shaggy’s song ;-)
Doesn’t matter what you click, you get redirected to the same page.
Fortunately, the page (cindynique.org/wp-includes/js/jcrop/index.php) has been suspended:
A couple of variations for this US Bank scam:
Payload arrives from:
a French site using Parallels’ Plesk interface:
And same final payload as previous post:
A phishing scam from Amex is loading malware onto PCs.
“Dear Customer, Our response is ready for you. Please login to the Secure Message Center to read it.”
The link points to:
This is the final exploit code:
It comes from a server located in Roubaix, France (220.127.116.11).
Here is a spam email pretending to be from US Airways:
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying abroad). Then, all you need to do is print your boarding pass and head to the gate.
Confirmation code: 755536
Check-in online: Online reservation details
Clicking on the link to view flight 8160 takes you to a malicious webpage that loads the BlackHole Exploit Kit where you can expect some turbulence:
Here is the traffic log:
And here is the BlackHole login page:
IP: 18.104.22.168 (Switzerland).
This is where the bad guys keep track of how many PCs they have managed to infect, where they can update the malicious payload, get stats etc…
The email campaigns are getting better and better at circumventing spam filters and the emails use themes that keep on changing. Remember to be very cautious when clicking any link or picture from an email, even if you think it is just an advert.
It’s one of those days when you have a bit of nostalgia for the stuff you used to do. Back a year or so ago, I used to hunt down fake AV and the like. It involved fake YouTube sites, porn and more porn.
Out of curiosity, I started some searches, the same that I used to do to find the bad stuff.
Like I said, this is quite old (Feb 2011). I clearly remember redspacetube.com, it used to do redirections to various sites using Dynamic DNS.
Guess what? It’s still working!
The DNS service is provided by changeIP.com (click to enlarge):
This page is quite familiar but looks ancient by now…
The file takes forever and a day to download…:
The very low detection rate on VirusTotal makes me wonder whether this file is really old or just too new… (2/41).
Next, I checked whether the file was half broken… but clearly it was working just fine:
It installs a fake AV called “Windows Trouble Taker” (should have been called Trouble Maker IMHO).
A quick search confirms this is not an old rogue AV, but rather the new kid on the block:
This is one tenacious fake porn tube… Can someone unplug redspacetube.com for good?
Yesterday I cleaned up a site hosted on bluehost. I will show you how I proceeded from malware identification to removal.
First, I did a quick look up on StopBadware’s Clearing House:
It reported three different links containing malware. I opened them in a VM, looked at the source code and confirmed the problem:
It was time for a full website inspection and clean up.
I got access to the cPanel admin account, unfortunately SSH was not enabled (it isn’t by default, and you need to contact customer support). So, I went with FTP instead.
The thing with FTP is that you need to browse each folder by hand and you can’t run a script.
The site being relatively small, I downloaded a local copy. This makes it easy to do all the work with whatever scripts and tools you have installed.
The code was found in almost all the ‘.php’ files (and there were a lot of them!):
A grep command was able to find all the files containing these pieces of code:
Before making any changes, I backed up each file with a ‘.bak’ extension. Each file was then disinfected using a sed command.
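As an added example (not the commands the post used), this shell script carries out the same procedure on a local copy of the site: find every .php file carrying the injected line, keep a .bak copy, then strip the line. The injected code is a constructed marker, and fixed-string grep stands in for the post’s sed so the injected code never has to be escaped as a regular expression.

```sh
#!/bin/sh
# Added example, not the commands from the post: locate every .php file under a
# site copy that contains an injected line, keep a .bak copy, then drop the line.
# INJECTED is a constructed marker standing in for the real injected code, which
# a clean-up takes verbatim from one of the infected files.
INJECTED=${INJECTED:-'CONSTRUCTED_INJECTED_MARKER'}

# list_infected DIR: paths of .php files containing INJECTED. Fixed-string
# matching (-F) means the injected code needs no escaping as a regex.
list_infected() {
  # grep exits 1 when nothing matches; for a listing that is not an error
  find "$1" -type f -name '*.php' -exec grep -lF -- "$INJECTED" {} + || :
}

# disinfect_file FILE: back up FILE as FILE.bak, then rewrite FILE without the
# lines that contain INJECTED. Whole lines are removed, so diff against the
# .bak afterwards if the injection may share a line with legitimate code.
disinfect_file() {
  file=$1
  cp -p -- "$file" "$file.bak"
  # grep -v exits 1 when nothing is left to print (file was only the injection)
  grep -vF -- "$INJECTED" "$file.bak" > "$file" || [ $? -eq 1 ]
}

# disinfect_tree DIR: clean every infected .php file and print how many.
disinfect_tree() {
  list=$(mktemp)
  list_infected "$1" > "$list"
  n=0
  while IFS= read -r f; do
    disinfect_file "$f"
    n=$((n + 1))
  done < "$list"
  rm -f -- "$list"
  echo "$n"
}
```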
Website infections are very common. Because it is easy to set up a website but difficult to maintain it (from a security point of view), most websites fall to automated scripts exploiting vulnerabilities.
This particular website was affected by an XSS vulnerability:
At SparkTrust we look at both ends of the spectrum: We protect your site by doing regular security checks to make sure script kiddies can’t hack the site with readily available tools. But for our new customers that are already infected, we also provide disinfection services.
To learn more about our services please visit SparkTrust.com.
LinkedIn has always been targeted by the bad guys. I remember that a few years ago fake profiles by the thousands were used to load malware onto unsuspecting users’ computers.
Well, spammers have been launching email campaigns with fake LinkedIn invites or notifications:
Clicking on the link means trouble:
Here is one particular domain that was live when I wrote this blog entry.
This server’s IP is in South Africa; I was expecting more of a Ukrainian or Russian based hotspot…
I recently wrote a spider that crawls a site for malicious code. While testing it, I ran into a particular issue that I thought would be worth sharing.
The first thing this spider does is download the content of the site using a specially crafted wget command passing parameters such as user agent, number of tries, recursion level etc…
Then I came across a domain that had been hacked (as the picture below shows), but the page was so incredibly long that the spider got stuck downloading a huge file. Since the length of the file is unspecified, you cannot know in advance what you are up against…
This method could allow an attacker to fool security tools that try to parse a site’s source code in real-time, while still executing a malicious payload.
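An added example, not the author’s spider: a wrapper that downloads a page through a byte cap, so a page of unspecified and unbounded length is cut off and flagged instead of tying up the crawler. The cap size, user agent and retry count are assumptions.

```sh
#!/bin/sh
# Added example, not the author's spider: fetch one page while refusing to read
# more than MAX_BODY bytes of it. A hacked page with no Content-Length can be
# arbitrarily long, so the cap is enforced on the stream, not on a header.
MAX_BODY=${MAX_BODY:-1048576}                               # 1 MiB; assumption
USER_AGENT=${USER_AGENT:-'Mozilla/5.0 (example crawler)'}   # assumption
TRIES=${TRIES:-3}                                           # assumption

# cap_body OUTFILE: copy stdin to OUTFILE, keeping at most MAX_BODY bytes.
# Returns 0 when the whole body fit and 2 when it was cut off; a truncated
# document should be flagged rather than parsed as if it were complete.
cap_body() {
  out=$1
  # read one byte past the cap so an exactly-full body is not mistaken for overflow
  head -c "$((MAX_BODY + 1))" > "$out"
  if [ "$(wc -c < "$out" | tr -d ' ')" -gt "$MAX_BODY" ]; then
    head -c "$MAX_BODY" "$out" > "$out.cap" && mv -f -- "$out.cap" "$out"
    return 2
  fi
  return 0
}

# fetch_page URL OUTFILE: download URL with wget (user agent, retries and a
# timeout, as the post's crawler does) through the cap. Exit status is cap_body's.
fetch_page() {
  wget -q -O - -U "$USER_AGENT" -t "$TRIES" -T 20 -- "$1" | cap_body "$2"
}

# Usage (not run here): fetch_page "http://example.invalid/" page.html; echo "$?"
```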
The guys over at Sucuri have reported that web hosting company ServerPro has been hacked and their site defaced.
Here is the traffic log when connecting to their site:
As far as I can tell, there is no malicious code.
The pic with the “pirate computer” is hosted on a French website which can be translated to “learn to hack” (apprendre le hack). Given the hackers’ signature, I have a feeling they may be from North Africa (and possibly Tunisia).
The hackers also embedded a YouTube soundtrack:
This sort of hack says a lot about web security… Even large companies with the proper resources can still fall to script kiddies exploiting known vulnerabilities or insecure passwords.
It’s quite easy to find out what this web server is running by looking at the HTTP header response:
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/22.214.171.12435
Both Apache and PHP are out of date!
The latest Apache stable release is 2.2.22 (2.2 branch). The latest PHP version is 5.4.0 (or 5.3.10 for the old stable release).
The version of Apache HTTP Server running on this host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild (CVE-2011-3192).
As far as PHP 5.2.9 goes, the list of CVEs is quite long and scary (59 in total).
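As an added example (not from the post), the following script parses a Server banner like the one above into components and compares each against a baseline of current versions. The baseline uses the versions the post names and is an assumption the reader must keep current; the helper functions and their names are also assumptions.

```sh
#!/bin/sh
# Added example, not from the post: pull the Server (and X-Powered-By) banner
# from an HTTP response, split it into components and report those older than
# a baseline the operator supplies. The baseline below uses the versions the post
# calls current (Apache 2.2.22, PHP 5.3.10); treat it as illustrative.
BASELINE='Apache 2.2.22
PHP 5.3.10'

# banner_headers URL: HEAD request; print Server and X-Powered-By values on one line.
banner_headers() {
  curl -sSI -L --max-time 15 -- "$1" | tr -d '\r' \
    | sed -n 's/^[Ss]erver: *//p; s/^[Xx]-[Pp]owered-[Bb]y: *//p' | tr '\n' ' '
}

# banner_components BANNER: turn "Apache/2.2.17 (Unix) mod_ssl/2.2.17 ..." into
# "name version" lines; parenthesised platform comments are dropped.
banner_components() {
  printf '%s\n' "$1" | sed 's/([^)]*)//g' | tr ' ' '\n' \
    | sed -n 's#^\([^/]*\)/\(.*\)$#\1 \2#p'
}

# version_lt A B: true when A is an older version than B. sort -V orders
# dotted versions with letter suffixes such as 0.9.8e correctly.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_components BANNER BASELINE: print "name found minimum" for every
# component whose version is below the BASELINE entry of the same name.
outdated_components() {
  banner_components "$1" | while read -r name ver; do
    min=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -n "$min" ] && version_lt "$ver" "$min"; then
      echo "$name $ver $min"
    fi
  done
}

# Usage (not run here):
# outdated_components "$(banner_headers http://example.invalid/)" "$BASELINE"
```

Components without a baseline entry (mod_ssl, OpenSSL and the like) are simply skipped, so extend BASELINE for every product you want checked.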
Vulnerability scanning and patch management are not a panacea but have their place in making it more difficult for hackers to break into servers.
Do you own a website? Have you ever checked what software is running on it? Try SparkTrust’s web vulnerability scanner and fix potential issues before it’s too late!