Security Blogs: Security Response | Symantec Connect Community

Security Response

Paresh Joshi | 1 hour 5 min ago | 0 comments

For anti-spam software, it is quite easy to prevent spam by using content-based filters. So spammers come up with different obfuscation techniques to bypass URL-based filters, such as inserting “shy characters”, as we have discussed previously. Recently, spammers have been trying to cash in on the smallest of gaps that they could find in conventional anti-spam technologies. Spammers are now attempting to obfuscate the URLs in spam messages, either by inserting white space characters of varying sizes or by replacing the conventional “.” (dot) character with “。” (an ideographic full stop, mostly used in Asian languages).

How did they do it? Let’s take a look at both of these techniques.

Using different size white space characters is allowed in HTML. All languages use spaces to separate words. However, the size of the white space characters...

Takashi Katsuki | 18 May 2012 | 0 comments

W32.Wergimog is a worm that attempts to spread through removable drives and opens a back door. When I looked into its variants, I found an interesting sample, which I named W32.Wergimog.B. Both samples are based on the same source code, but the .B variant contains even more interesting functionality that I would like to detail here.

For legitimate applications

W32.Wergimog.B injects itself into legitimate applications, such as Internet Explorer and Mozilla Firefox, as shown in Figure 1.

Figure 1. Threat injects itself into certain applications and...

Nick Johnston | 18 May 2012 | 0 comments

Today sees the highly-anticipated IPO (Initial Public Offering) of the social-networking site Facebook. The IPO is expected to be several times oversubscribed as the demand for shares greatly exceeds the number of shares being issued.

The high-profile nature of this IPO has not escaped the attention of the “419” or the “advance fee fraud” scammers. As a brief reminder, these scams typically promise vast sums of money in exchange for assistance. However, before said sums of money can be received, several increasingly-inventive up-front charges and fees must be paid. The fees keep coming and the promised money never materializes.

We recently spotted a 419 scam message offering a "FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL". The use of an all uppercase heading is a common hallmark of such 419 scams.

The scam claims to be sent from a finance firm with offices in multiple locations around the world. The exact nature of the...

Joji Hamada | 17 May 2012 | 0 comments

Android.Opfake is malware used to scam mobile device owners into paying a small fee for apps by sending out premium-rate SMS messages from Android devices. It has continued to grow and evolve into a threat that potentially affects a large population of Russian-speaking Android device owners. A quick Internet search will show over a hundred sites, including dedicated sites for popular apps and other sites, pretending to be app market sites with various apps available. There are several variants of Android.Opfake hosted on these sites with different methods to lure victims there initially, and different steps involved in each scam.

We recently came across one variant that carries out its actions in an interesting fashion. The end result makes it so obvious that Android.Opfake is fraudulent because it directs the device owner to Google Play to install the app even though installation...

Masaki Suenaga | 17 May 2012 | 0 comments

Pre-dating many of the mobile platforms it currently targets and outlasting several of the mobile platforms from which it originated, Android.Opfake has a tendency for survival on the mobile threat landscape not unlike roaches in the aftermath of a nuclear holocaust. Combining business savvy through a strong black market affiliate network and quick reaction time to adapt itself to thwart efforts by security vendors, Opfake has not only managed to stay in business for several years, the Opfake family has come to define the evolution of mobile malware.

Like many traditional Trojan horses, on the surface Android.Opfake purports to be a legitimate application. In fact, we have observed several variants of the Trojan masquerading as various apps and content, including an installer for the Opera Web browser and a pornographic movie. Analysis of the code behind the malicious program,...

Mathew Maniyara | 16 May 2012 | 0 comments

Co-author: Avdhoot Patil

Phishers have enveloped the globe, mimicking brands across a variety of industries and using many languages. From April 2012, phishing attacks in Korean gained momentum, comprising 0.5 percent of all non-English phishing sites. The increase was in particular targeting banks based in South Korea. The primary motive in these attacks is financial gain, as it is in most phishing attacks. Let’s explore some of the phishing sites we have observed.

In the first example, the phishing site asked for the customer’s name, social security number, cell phone number, account number, account password, and transfer password. After the information was entered, the customer was redirected to a page that asked for the security card serial number. The phishing site then redirected back to the legitimate site.

...

Symantec Security Response | 16 May 2012 | 0 comments

Further analysis of the OSX.Flashback botnet has shed more light on how profitable such a botnet can be. Previously, we wrote that OSX.Flashback was generating money for its authors by displaying advertisements on compromised computers. We now have a much clearer idea of how many ads the attackers were displaying and how much those ads earned for the attackers.

From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks, although it is worth mentioning that earning the money is only one part of the puzzle—actually...

Irfan Asrar | 16 May 2012 | 0 comments

The Opfake gang can be called many things but “lazy” isn't one of them. In the digital age we live in, they are taking the analog art of social engineering to new heights. Several dummy sites have been established, acting as a front for the distribution of popular game titles.

All of the front-end sites connect back to a central back-end site that acts as a file generator or repository. The following list includes some front-end sites we have identified so far:

  • [http://]www.fruitninjaandroid-apk.ru
  • [http://]www.flashplayerandroid-apk.ru
  • [http://]www.cuttherope-android-apk.ru
  • [http://]www.cuttherope-experiments-apk.ru
  • [http://]www.cuttherope-apk.ru
  • [http://]www.angrybirds-android-apk.ru
  • [http://]www.jellydefense.ru
  • [http://]www.templerun-android.ru

...

Eric Park | 14 May 2012 | 0 comments

Symantec has observed an increase in spam messages containing URLs using the country code top-level domain (ccTLD) for India. This chart shows the percentage of spam containing .in URLs:

While there were few daily spikes last year, clearly there has been more activity in the last two months.

Looking back at last year, the ccTLD for India (.in) ranked tenth on our TLD distribution list:

...

Rank | TLD | % of URL Spam
1

Symantec Security Response | 09 May 2012 | 0 comments

Join Symantec security experts on Twitter (using the #ISTR hashtag) on Tuesday, May 15, at 10 a.m. PT / 1 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report, Volume 17.

This year’s report, which covers the major threat trends observed by Symantec in 2011, highlights several troubling developments. For example:

  • Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year.
  • The number of unique malware variants increased to 403 million and the number of Web attacks blocked per day increased by 36 percent.
  • Targeted attacks are growing, with the number of daily targeted attacks increasing from 77 per day to 82 per day by the end of 2011. The targets of these attacks are also becoming more diverse, with SMBs being targeted in...