This morning we began seeing a malicious email campaign that attempts to lure victims using fraudulent invoices from Walmart.com. The attacker utilizes real Walmart graphics and employs some legitimate-looking banner ads to add to the facade.
Here is a look at the messages:
The messages all report the purchase of an HDTV and are littered with links to one of the numerous URLs being used in this attack. These URLs serve as a redirect to other malicious websites that infect your machine via a drive-by download. Finally, you end up on a Google search results page for the term “Walmart”. All of this happens within a few seconds, and if you are not paying close attention you would likely not realize that it has happened at all. However, in the background the attacker utilizes a Java exploit (a common attack vector that we have been seeing used quite a bit as of late) to install a backdoor onto the victim’s machine. From here the attacker can upload more malicious code, most commonly aimed at stealing your financial and personal data. We are currently blocking all variants of this threat.
The Blackhole toolkit, like all exploit toolkits, is an easily configurable piece of software that is meant to deliver automated exploits against vulnerable websites. After a successful exploit, the kit drops malicious payloads on the sites, which are then intended to be passed on to victims who are directed to the exploited sites in a “drive-by” fashion. These toolkits make it extremely easy for those with malicious intent and minimal technical knowledge to plug in some basic information and click “Go” to infect thousands, if not tens of thousands, of websites at a time. Of the many malicious toolkits available on the underground market, Blackhole has certainly been the most prevalent, and has thereby received the most attention. That is, until recently, when we’ve seen a sudden stirring from a pack called RedKit.
The RedKit exploit kit isn’t a newcomer on the scene; in fact, we’ve been seeing malware linked to this particular kit since early last year. It has gained a good amount of press recently for being responsible for the NBC.com hack back in February, and most recently for malware campaigns pretending to be news stories about the Boston Marathon bombings and the explosion at the Texas fertilizer factory days after.
RedKit utilizes Java exploits as well as Adobe Reader exploits to get onto vulnerable websites. Once there it can leave any payload it wants, most often a banking Trojan that steals account credentials, passwords, browser histories, cookies, etc. from its victims. Exploit kits and their associated banking Trojans are responsible for millions upon millions of dollars of stolen money every year and are something to be avoided at all costs. In fact, I venture to say that the intent of 99.999% of malware active today is geared toward stealing your money. It’s important to stay protected.
Last month RedKit came in at #5 in our top ten web threats as seen by our SecureSurf Web Filtering Engine, with nearly 20 thousand occurrences in that month alone. SecureSurf is able to detect RedKit’s signature move, among other things: a hidden iframe that points its victims to a secondary landing page where the malicious payload resides. RedKit also utilizes a randomized four-character .html or .htm document that it appends to the root folder of the exploited site, e.g. /hcwf.html, /ocir.html, /hoiq.html, /oxuu.html, etc.
If someone were to get to these pages they would likely see the infamous Java loading window as their machines were being taken over by the malware. Luckily enough though for our SecureSurf clients, all they would see is one of these -
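The two RedKit traits described above, a hidden iframe and a randomized four-letter .html or .htm file at the site root, are simple enough to check for in page content. The following is an added example written for this post, not SecureSurf's detection logic or any code from AppRiver; the sample page, the `.invalid` hostnames and the hiding heuristics (CSS `display:none` / `visibility:hidden`, or a 0x0 or 1x1 frame) are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real capture): one injected, hidden iframe
# pointing at a four-letter .html file at a site root, next to a legitimate,
# visible video embed. Hostnames are placeholders.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to our store</h1>
<iframe src="http://compromised-site.invalid/ocir.html" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="https://video-host.invalid/embed/12345" width="640" height="360"></iframe>
</body></html>
"""

# Randomized four-letter landing page name at the document root, .html or .htm
LANDING_PATH = re.compile(r"^/[a-z]{4}\.html?$")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (pixels)."""
    digits = re.sub(r"\D", "", value)
    return digits != "" and int(digits) <= 1


def is_hidden(attrs):
    """Heuristic: CSS hiding or a 0x0/1x1 frame means the user was never meant to see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


def suspicious_iframes(html):
    """Return (src, reasons) for every iframe that is hidden and/or points at a
    four-letter landing page at a site root, in document order."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if LANDING_PATH.match(urlparse(src).path.lower()):
            reasons.append("four-letter root landing page")
        if reasons:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE):
        print(f"{src}: {', '.join(reasons)}")
```

Either indicator alone produces false positives (tracking pixels are hidden iframes too, and short file names are not unique to RedKit), so a practical filter would weight the combination of both, plus reputation of the destination host, rather than block on one hit.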
Earlier today we announced that we have released an agent for SecureSurf web protection from AppRiver that will give organizations more flexibility and visibility while protecting them from the latest malware threats. In addition, we have also updated the SecureSurf block pages to better describe why a block occurred.
The agent is designed to protect users who are on the go and to provide businesses with more granularity for policy enforcement. The agent can be installed on Windows Vista, Windows 7, and Windows 8 workstations, and once installed it can enforce a computer or user policy as set by an administrator.
Administrators also have new tools that give them greater insight into network behavior. From the Web Protection tab in the AppRiver Customer Portal you can still view your company dashboard with information about threats and categories that were blocked. Now you can also view a policy or user level dashboard on the same page.
We've also added a deeper look into the logs. You can now view all network activity in the SecureSurf log, or segment the logs by policy, computer, or user.
In addition to the new features enabled when using the agent, we've made a few other updates to simplify the admin interface to make it easier to manage multiple policies and users.
Block Page Update
Over the last year we've received a lot of recommendations on how we could improve SecureSurf, and one area that came up again and again was the SecureSurf Block Page. Many SecureSurf users mentioned they'd like to have more specific information on why a page was blocked.
Last week we launched a set of updated block pages that incorporated these changes. Here are examples from this update.
Category Block Page
Malware Block Page
Domain Does Not Exist
Domain Cannot Resolve
We're continuing to develop new features for SecureSurf and will keep you updated here as those updates are released.
Just like yesterday, cybercriminals are jumping on the capitalize-on-tragedy train. As I'm sure you're well aware by now, Wednesday evening a fertilizer factory in West, Texas exploded after it had caught fire shortly before. Police do not yet know whether this was a criminal act, a terrorist act, or an accident; however, the malware campaigns we're seeing today certainly do contain criminal intentions.
These campaigns are very obviously from the same group responsible for Tuesday's malware campaigns that attempted to entice recipients with headlines about the bombing at the Boston Marathon. This time they're using headlines such as "West TX Explosion", "Waco Explosion HD", "Texas Plant Explosion", and "Texas Explosion Injures Dozens".
The links simply contain an IP address that points to a remotely hosted page displaying actual YouTube videos about the incident. The page also contains a hidden iframe that points to woodensticks[dot]com/ocir.html, where the malware is pulled from.
Just like yesterday, it is possible that we will begin seeing the same attempt at fake CNN headlines about this topic as well, so be mindful of your news sources and avoid these unsolicited emails pretending to bring news. We at AppRiver have a handle on these and are awaiting the next wave.
We posted earlier today about a malware campaign that was exploiting public interest in the recent bombing in Boston, and we did not expect it would take long for other cybercriminals to follow suit. Since just around mid-day today, that is exactly what has been happening: we have been monitoring a second email campaign that is piggybacking on the tragedy in Boston.
This campaign poses as emailed news alerts from CNN. This particular campaign is identical to other ones we have seen circulating in recent months. However, the news “headlines” being used in this iteration all have some shocking conspiracy type of angle to them:
- Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
- Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
- Opinion: North Korean Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
As you can see the messages look nearly identical to real CNN news alerts:
These messages all contain a link that leads to a drive-by malware download. The malware installed on the victim's machine appears to belong to a family popularly referred to as Cridex. We observed the malware hiding itself in common running processes, deleting the original dropper, modifying browser settings, adding itself to startup areas, and inserting itself into the browser. Cridex also opens a “backdoor” to your machine through which additional malware can be installed. This often leads to the exfiltration of your personal data, such as bank account credentials and other login information.
As we have seen countless times in the past, nothing is off-limits for cybercriminals when it comes to spreading their malware. A malicious spam campaign that began last night is a glaring example of their brazen designs. Yesterday evening, we began seeing a large message campaign attempting to exploit the recent tragedy in Boston.
All emails were similar to the following:
The email campaign utilizes various “headline” type subjects such as: Video of Explosions at the Boston Marathon 2013, Explosions at Boston Marathon, Runner captures Marathon Explosions, 2 Explosions at the Boston Marathon, etc. This campaign was being distributed via botnet, as the messages were originating from machines all over the world. The messages are simple, containing only a link. These links use varying IP addresses in the URL as opposed to a domain name. The link directs you to a malicious web page that contains actual videos as well as a malicious payload. During the course of our analysis of the specifics of this infection, many of these payload pages were starting to be taken down. The malware appears to be a Trojan horse capable of installing a backdoor on the victim's machine. While this round of messages may be marginalized, there are sure to be more.
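Both this campaign and the West, Texas one described earlier share two cheap-to-check traits: the message body is nothing but a link, and the link's host is a raw IP address rather than a domain name. The following is an added example written for this post, not AppRiver's SecureTide filtering code; the sample body is constructed, and its addresses are RFC 5737 / RFC 3849 documentation addresses, not real infrastructure.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample body in the style of the messages described above.
# 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_BODY = """Video of Explosions at the Boston Marathon 2013
http://198.51.100.23/news.html
More coverage: http://www.example.com/story?id=1 and http://[2001:db8::1]/boston.html
"""

# Loose http(s) URL matcher for free text; stops at whitespace and HTML/quote chars.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_ip_literal(url):
    """True when the URL's host is an IPv4 or IPv6 address rather than a name.
    urlparse().hostname strips the port and the brackets around an IPv6 literal."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def ip_literal_links(text):
    """All http(s) links in free text whose host is an IP literal, in order of appearance."""
    return [u for u in URL_RE.findall(text) if host_is_ip_literal(u)]


def is_bare_link_message(text):
    """True when the body consists of one or more links and nothing else."""
    return bool(URL_RE.search(text)) and URL_RE.sub("", text).strip() == ""


if __name__ == "__main__":
    print("IP-literal links:", ip_literal_links(SAMPLE_BODY))
    print("bare-link message:", is_bare_link_message(SAMPLE_BODY))
```

Neither trait is malicious on its own (internal tools and test labs send IP-literal links all the time), which is why a mail filter would use them as scoring inputs alongside sender reputation and the botnet-sourced origin noted above rather than as a hard block.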
Anytime there is widespread attention to a single event in the media and public interest, you will see parasitic cybercriminals coming out of the woodwork and attempting to capitalize on the event. While most people know by now not to click on links in unsolicited emails, human emotions still get the better of us at times and these types of attacks prey on that human element. Stay safe and take a second to think before you click on any link. As usual, our customers can rest assured that they are protected from this attack.
Well, it’s tax day once again and unless you filed an extension, you have likely already filed your taxes for 2012. This tax season, the same as in many years past, we have seen no shortage of tax-related phishing and malware attacks. These messages come in many variations, often posing as legitimate email from the IRS or popular tax preparation services (such as TurboTax, H&R Block, etc.). These messages always include some “call to action”, often either the threat of negative action from the IRS or the promise of additional refund dollars. What’s on the agenda for the cybercriminals sending these messages? It could be to steal your tax refund itself, to infect your computer with malware that can be used for financial theft, or to steal your identity. One thing is certain: cybercriminals will utilize any and every opportunity to steal from you whatever they can and however they can. Here is an example of one of these messages I pulled from our Spam Filter just this morning:
In this case the cybercriminals have forged the “from” address to make it appear that the message has come from the real IRS. However, upon closer inspection, you might notice that the “from” address uses a .com instead of the correct .gov. This could be an oversight on the attackers' part or an attempt to elude certain types of spam testing. As you can see, they always utilize actual IRS graphics to make the messages appear legitimate. The link in the message leads to a very official-looking page aimed at stealing your Personally Identifiable Information, or PII. Once they have obtained your PII it could be used for many purposes, including diverting your tax return funds to one of their money mule accounts.
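The .com-instead-of-.gov slip described above is the kind of mismatch between who a sender claims to be and which domain the mail actually comes from that a filter can test mechanically. The following is an added example written for this post, not AppRiver's own filtering code; the sample message is constructed, and the mapping of brand keywords to the legitimate domain (`irs.gov`) is an assumed lookup table, not anything from the original post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above: the display
# name claims to be the IRS, but the address domain is irs.com, not irs.gov.
SAMPLE_MSG = """From: "Internal Revenue Service" <refunds@irs.com>
To: someone@example.com
Subject: Your 2012 tax refund is pending

Click the link below to claim your refund.
"""

# Assumed lookup table (not from the original post): the legitimate domain for
# a brand, and the words in a From header that signal the brand is being invoked.
BRAND_DOMAINS = {
    "irs.gov": ("irs", "internal revenue"),
}


def split_sender(msg_text):
    """Return (display_name, local_part, domain) parsed from the From header."""
    msg = message_from_string(msg_text)
    name, addr = parseaddr(msg.get("From", ""))
    local, at, domain = addr.rpartition("@")
    if not at:  # no '@' at all: treat the whole thing as a local part
        local, domain = addr, ""
    return name, local, domain.lower()


def brand_mismatch(msg_text):
    """Flag a From header that invokes a brand (by display name or local part)
    but is not sent from that brand's domain or a subdomain of it.
    Returns a dict describing the mismatch, or None if nothing looks wrong."""
    name, local, domain = split_sender(msg_text)
    invoked_text = f"{name} {local}".lower()
    for legit_domain, keywords in BRAND_DOMAINS.items():
        if domain == legit_domain or domain.endswith("." + legit_domain):
            continue  # genuinely from the brand's own domain
        # Whole-word match so 'irs' does not fire on 'chairs' or 'first'
        if any(re.search(r"\b" + re.escape(k) + r"\b", invoked_text) for k in keywords):
            return {"claimed": legit_domain, "actual": domain, "name": name}
    return None


if __name__ == "__main__":
    print(brand_mismatch(SAMPLE_MSG))
```

This catches only the sloppy forgeries. A sender who writes `irs.gov` itself into the From header would pass this check, which is why the domain must also be verified against the sending infrastructure through SPF, DKIM and DMARC alignment rather than trusted as written.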
While today marks the end of tax season for most of us, these scams do not go on hiatus until next year. We will continue to see these threats at heightened levels for the next few months while many are still awaiting refunds, and many of them will continue year round. Remember, the IRS will never send you an email asking for any personal information or requiring you to follow a link.
Currently we're seeing a malware campaign coming through that uses the now rather familiar technique of dressing up as an email notification of a CNN breaking news headline, although this one uses a graphic that may be a bit too risqué for the news giant. It also uses headlines that may not be considered necessarily newsworthy, though they are strangely a preview of what's in store for the unlucky person who may be curious enough to click the links. The various headlines read "TOP 10 XXX sites lead to malware - CNN.com", "TOP 10 adult sites lead to malware - CNN.com", or "Top Dating", among others.
Once one of these links is clicked, malware hosted on one of the 20+ sites goes right to work with a Java exploit in order to gain access to the victim's computer. Once inside, the Trojan begins creating and hiding new malicious files, makes a call to illnessofthesociety[dot]ru, and injects code into running DLLs in order to maintain control. Additionally, it searches the victim's PC for network share credentials and modifies TCP/IP parameters to better suit its needs.
After the spinning Java loading sequence that the victim sees in their browser, the malware redirects the browser to Google, prefilled with the search terms "cnn porn". Google displays all of the results it can find where the news site has discussed pornography, adding a sort of credible-looking ending to the mostly silent chaos that had been taking place beneath the surface. Pro Tip: If Java loads simply to take you to Google, something very bad is happening.
So far we have seen around 10,000 of these coming in at an average rate of 50/minute. SecureTide and/or SecureSurf customers are protected from this threat.
Oftentimes on here we like to discuss specific malware campaigns as we see them, in an attempt to help people keep their eyes peeled and their networks safe. This time, though, I’d like to step back a little and discuss an attack method used by many different campaigns, most often under the guise of a Trojan of some kind. This particular attack is called a Man-in-the-Browser attack, or MitB, MIB, etc. It is similar to a Man-in-the-Middle attack, where an attacker inserts themselves between their victim’s computer and the original intended destination, acting as a proxy for the communication while intercepting every bit of sensitive information that may go by; similar, but not exactly the same.
In a MitB attack the victim’s browser becomes infected, usually by some sort of Trojan acting as a browser extension or browser helper object (BHO). Once installed into the browser environment, the Trojan has free rein to monitor all activity done within the browser. It can collect account numbers, passwords and all of the usual things, but it can also perform more specific, targeted activities. The Trojan can sit and wait until its target logs into any one of the many bank accounts or money market accounts it’s preconfigured to look for and is able to interact with. Once the victim logs in and performs what appears to be a normal transaction such as a transfer of funds, the Trojan will intercept the values typed into the forms, such as the amount and account number, and silently replace these with a much larger amount and the attacker’s account number. Once the transaction is approved and goes through, the malware will return the original amount and account number to the browser just as the victim had typed them in, so it appears as though nothing was wrong. Meanwhile, the stolen funds are transferred through several other accounts and possibly a money mule or two, eventually ending up in the attacker’s hands.
As I mentioned, this has become a popular attack vector, used most notably by Zeus since 2009 and most recently by a family of banking Trojans known as Shylock. Back in January, Shylock upped its game by adding functionality that allowed it to spread from one victim machine to another through Skype’s chat function.
These attacks are difficult to detect as they’re happening, so the best way to stay out of trouble is to avoid them altogether by making sure they never get the chance to install and gain a foothold. This is done by keeping all operating systems, software and firmware up to date, and by utilizing reputable and up-to-date anti-virus, firewalls, a good email filter such as SecureTide by AppRiver, and a good web filtering product such as AppRiver’s SecureSurf (shameless plug). Many of these attacks first get onto a system via a malicious email attachment or a link to a malicious website; with the proper filtering in place you’ll have far less to worry about.
As more people purchase BlackBerry 10 devices, we are seeing some synchronization issues that may impact AppRiver customers on this new platform.
First, there is an issue involving the synchronization of notes (memos) when using any Exchange mailbox with ActiveSync. Account data will disappear and then reappear on the device at random. This is due to a status error being generated by the Exchange server, which causes the BlackBerry to delete and then recreate the account on the device. BlackBerry has acknowledged the problem and is working on a solution. Disabling memo synchronization is the best way to work around this issue for now. You can find more about this issue here.
The other issue involves deleting items when using ActiveSync, POP, or IMAP. The problem has not been acknowledged by BlackBerry, but many users are reporting that deleting an item from an account using one of these connection methods results in a "hard delete" instead of moving the item to the Deleted Items folder.
BlackBerry 10 users with Exchange mailboxes are unable to find these items in Recover Deleted Items. Users have suggested "filing" messages to the Deleted Items folder as a workaround. More about this issue can be found in these forum posts.
If you have an AppRiver mailbox and encounter any additional issues after upgrading to a BlackBerry 10 device, please let us know by calling 866-223-4645 or emailing firstname.lastname@example.org