Invitation card means trouble
Our Director of Marketing got this nice piece of spam today:
Subject: Jessica would like to be your friend on hi5!
I set up a hi5 profile and I want to add you as a friend so we can share pictures and start building our network. First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends.
Attachment: Invitation Card.zip
Forgive my lack of interest in social networking sites; at first I thought hi5 was a highway down in the States.
But no, it actually is a (virtual) place to hang out with your friends.
Back to the spam, the invitation card from Jessica comes as a zip file attached to the email.
When unzipped you will see this:
Why the Chrome icon? Not sure. But what the bad guys want you to believe is that this is a PDF file.
In reality it is an executable (.EXE). They padded the file name with a long run of blank spaces, so the real .EXE extension ends up far to the right of the visible name, where it is easily missed or cut off by the file listing:
This file is malware (full VirusTotal detection here).
Spam campaigns can be very targeted or just a large attempt, en masse, in the hope of getting a few innocent people to fall for it. Whether it is a file attachment or a URL in an email, the bad guys want you to open that file or click on that link. They know their sole chance of success relies on the end user making the bad decision.
The From: address of an email is trivial to forge, even one that appears to come from a person or service you know. In this case the sender is invitations@hi5.com, which looks totally legitimate. Despite good spam filters and AV protection, such emails can make it through, so please exercise caution and report them immediately to help protect other users.
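Two checks follow from this post: the forged From: address and the padded file name inside the zip. The Python below is an added example, not code from the original post. It builds a constructed message modelled on the lure (the sender address and attachment name are taken from the post; the Return-Path value and the member name inside the zip are assumptions), then compares the From: domain with the envelope sender domain and inspects the archive for names where a document-looking extension is followed by a run of spaces and a real executable extension.

```python
"""
Added example (not from the original post): triage a raw email that
carries a zipped attachment.

1. sender_mismatch(): From: domain vs Return-Path (envelope) domain.
2. scan_zip(): archive members whose visible name hides a real
   executable extension behind a run of spaces, e.g.
   "Invitation Card.pdf<many spaces>.exe".

The sample message is constructed here; only the sender address and the
attachment name come from the post, everything else is made up.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".pdf", ".doc", ".jpg", ".txt"}  # what the lure pretends to be


def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def sender_mismatch(msg):
    """True when the header From: domain differs from the envelope sender domain.

    This is a weak heuristic: the authoritative checks are SPF/DKIM/DMARC
    results the receiving MTA records in Authentication-Results.
    """
    from_dom = domain_of(msg.get("From"))
    return_dom = domain_of(msg.get("Return-Path"))
    return bool(from_dom) and bool(return_dom) and from_dom != return_dom


def disguised_name(name):
    """Return a finding for an archive member name, or None if it looks benign.

    Flags the padded-name trick (document extension, two or more whitespace
    characters, then a real executable extension at the very end) and plain
    executables with an innocuous basename.
    """
    base = name.rsplit("/", 1)[-1]
    real_ext = re.search(r"\.[A-Za-z0-9]+$", base)
    if not real_ext or real_ext.group(0).lower() not in EXECUTABLE_EXTS:
        return None
    padded = re.search(r"(\.[A-Za-z0-9]+)\s{2,}\.[A-Za-z0-9]+$", base)
    if padded and padded.group(1).lower() in DOCUMENT_EXTS:
        return "padded-extension: looks like %s, is %s" % (padded.group(1), real_ext.group(0))
    return "executable attachment"


def scan_zip(data):
    """Return [(member_name, finding)] for suspicious members of a zip blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = disguised_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return the sender and attachment findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    result = {"sender_mismatch": sender_mismatch(msg), "attachments": []}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") and payload.startswith(b"PK"):
            result["attachments"].append((fname, scan_zip(payload)))
    return result


def build_sample_message():
    """Constructed lure modelled on the post; the Return-Path and the
    padded member name are assumptions, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation Card.pdf" + " " * 60 + ".exe", b"MZ" + b"\0" * 62)
    msg = EmailMessage()
    msg["From"] = "invitations@hi5.com"
    msg["Return-Path"] = "<bounce-9918@example-bulkmailer.invalid>"  # assumed envelope sender
    msg["Subject"] = "Jessica would like to be your friend on hi5!"
    msg.set_content("First see your invitation card I attached!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invitation Card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The Return-Path comparison only tells you the envelope sender does not match the displayed sender; mailing lists and bulk-mail providers produce the same mismatch for legitimate mail, so treat it as a signal to check Authentication-Results rather than a verdict. The archive check is the one that would have caught this particular lure: the zip member's real extension is the last one, regardless of how much whitespace precedes it.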
Jerome Segura
|
Xbox forum spam leads to malware, drugs
Did you get an Xbox for Christmas? Have you been going on forums to share stuff with other users?
Well, beware of fake accounts posting links to external sources.
The following XBOX site (xbox360achievements.org) contains a lot of spam:
Here is an example of social engineering: the post has nothing to do with the XBOX, it is a ‘nude video’. Lots of people are going to click on that one.
You are redirected to another site: {removed}sextape.blogspot.com
(By the way, blogspot pages redirect to an awful lot of malware hosts.)
Which opens another page: the{removed}vid.cn/broadcast/no.php?v=Sex+Tape
The ‘flash player’ offered by that page is in fact a Trojan.
Virus Total report here.
When those spam posts in the XBOX forum are not redirecting to malware, they link to ‘pharmaceutical’ websites:
Forum webmasters have a responsibility for the content that is being posted. Advanced Google searches can identify a lot of spam. That is how a lot of security researchers find malicious links: simply by googling!
Below is an example of a search that displays all pages containing the word ‘nude’ on that particular site (site:xbox360achievements.org nude). Feel free to use any keyword that is typically used in spam (porn, drugs, etc.).
Below are some of the bogus accounts posting links to malicious sites:
It should be easy to terminate them and prevent innocent users from being exposed to malicious content.
Jerome Segura
|
Anatomy of Twitter social engineering
I can immediately tell when someone who is following me on Twitter is not genuine (especially if it’s a hot girl half naked).
The social engineering on Twitter is getting much better these days. It used to be a profile with just one tweet: a spam URL. Now the profile actually looks legitimate, with regular updates that give you the feeling there is a real person there.
Such as “Lucia756 is making pancakes!!”
You could not be any more wrong. These profiles are automated, they are fake, and their sole purpose is to make you click on a link that redirects to exploits, phishing pages, or adware.
In this case, it is adware: the Webfetti toolbar, AKA FunWebProducts, MyWebSearch, CursorMania, SmileyCentral, Zwinky, MyWay Searchbar, etc… Is that a long list or what?
I think I’m going to keep my Twitter profile public… Such things are very annoying… but they allow me to blog about malware practices that will affect many users out there.
Jerome Segura
|
More XXXblackbook spam on Twitter
There has been a wave of automated followers on Twitter promoting the adult dating site xxxblackbook.
Social engineering tricks are used, such as tweeting your regular newspapers’ headlines.
The link redirects you to an adult site, as mentioned above. Not sure this will help you if you are unemployed….
I’m seriously considering locking up my Twitter account now…
Jerome Segura
|
Twitter raids
You know sometimes I forget how much hatred there is in our world.
There are people out there that plan attacks against individuals, companies, or popular websites as part of their daily activities.
They get together and plan ‘raids’ on IRC channels. In the pic below, if you click on the ‘visit this page’ you get redirected to a horrible rickrolling page. Why are there such sick people out there?
This site aims at attacking Twitter. It teaches you how to create bots and other things to become a hacker.
(Warning! offensive language)
The screen below shows a bot written in Perl whose purpose is to retweet every tweet mentioning a certain keyword.
What can I say? I’ve noticed Twitter has been very slow at times lately and I’m sure it gets abused a lot on a daily basis.
I think such reminders are good every once in a while to keep your guard up.
Jerome Segura
|
A rather raunchy linkedin profile
The popular social networking site linkedin is constantly the victim of fake profile pages.
Check this one out though, and tell me there truly is nothing you can do to weed out a ‘fake’ profile.
Warning! Offensive language.
And the free sex clips link redirects to this page, which serves both Windows and Mac Trojans:
sitestube.com/xplaymovie.php?id=45145
File detection on Virus Total:
Jerome Segura
Malware ID: 621696054e4d31d03ce13467ba22b53d.zip
|