The Big Business of Spam: Adulterers beware, scammers may be targeting you

As you have probably heard by now, a group of hackers who call themselves The Impact Team recently breached the systems of Avid Life Media (ALM) and stole sensitive data from AshleyMadison.com. The group has since published a large cache of data that includes personal information on members of the site, and is making that data available online for download. To make the situation worse, opportunistic scammers are looking to capitalize on this unique opportunity for a financial gain of their own. To start, the scammers send phishing emails suggesting that they have information on the recipient that will expose them as an AshleyMadison user. The scam methods they’re using are quite simple and common, yet highly effective when used as a scare tactic like this. Spammers often buy full lists of verified addresses (email addresses in this case) after a large breach, then target and attempt to solicit the users. Here’s how this particular scam works: An unsuspecting user gets an email titled “Recent data leak, your details are there!” (image below). Once the user opens the email, they see a note implying that their personal information has been leaked along with that of the other 37 million people. At the end of the note, they are directed to click a link that leads to a page offering services from UnTraceMe. From there, they are directed to pay a fee of $19.95 to get their information secured and removed (image below). After a spooked user agrees to pay the fee and clicks the link provided, they are directed to a PayPal-like site to pay the fee and “secure their information” (image below). What folks don’t know is that the leaked data can be retrieved by just about anyone, and will not disappear no matter what ransom is paid. At this time, Barracuda Labs has blocked over 1000 emails similar to the one imaged above, and depending on the monetary success that the spammers...

The Big Business of Spam: What Caitlyn Jenner Uses to Prevent Wrinkles and Stop the Aging Process

The cover for Vanity Fair’s July 2015 print issue was publicized on the Vanity Fair website on June 1, and revealed the newly transformed Caitlyn Jenner. The cover photo went viral, reaching over 46 million people across Vanity Fair’s website and social media, with the internet virtually exploding. Jenner even beat President Obama’s record for reaching 1 million Twitter followers, doing so in just under five hours. With Jenner’s name in the headlines this week, it’s no surprise that spammers have jumped on the opportunity to use her likeness to trick users into visiting sites that push beauty products, in the hope of making money. So far, we’ve seen over 100K samples and variants of spam emails using Caitlyn Jenner as the lure to get people to click on compromised links. The emails all have different subject lines, but include the same content in the email body. The spam appears to be coming from possibly compromised machines, most of which trace back to IP addresses in the United States. Figure 1 below is an example of the emails that are being sent out in large quantities, hoping to entice users into clicking on spammy links. The embedded links in the emails titled “Caitlyn swears she just used this” and “Here is what went down” redirect users to the following website – http://www.goodbodyhealthtips.org/index.php?aff_sub=1394&aff_sub2=190076&aff_sub3=1021342e9d6b955d9a9c66e5ed3293 (labeled “wrinkle miracle”) – which pushes an anti-aging facial cream to prevent wrinkles, supposedly revealed by Dr. Oz, called Dermakin Anti-Aging Cream. Figure 1 As shown in Figure 2 below, once on the page, the user sees the headline “Revealed by Dr. Oz! Jen’s Closely Guarded Secret For A Wrinkle Free Face,” which is said to have been featured in Yahoo!, Woman’s Day, VANITY FAIR, TIME, People and Aol. Figure 2 Figure 3 below shows that while on the page, the user sees “before” and “after” photos of stars like Ellen DeGeneres, Katie Couric, Goldie Hawn and Barbra Streisand who have allegedly used the wrinkle cream. Figure 3 At the bottom of...

Better Call Saul… New Crypto Ransomware using Breaking Bad Theme Emerges in Australia

According to reports from ABC Australia (http://www.abc.net.au/news/2015-05-11/new-computer-ransomware-encrypts-files-asks-for-up-to-1000/6461606), a new crypto ransomware threat is circulating in Australians’ email inboxes. You probably remember the Cryptolocker Trojan, as it is one of the scariest bits of malware we’ve seen in a while. Cryptolocker is ransomware that restricts access to a victim’s files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files. Read more about Cryptolocker in this blog post: http://blog.barracuda.com/2014/01/09/are-you-prepared-for-cryptolocker/ This latest version of Cryptolocker takes on the branding of the late, great TV show Breaking Bad. It uses the “Los Pollos Amigos” name, which is the restaurant that provided money laundering and was the base for other operations on the show. The ransomware also links to a video that shows victims how to use bitcoin, which was likely included to help the victims pay the ransom. Researchers believe that the ransomware is spread via email and downloaded through an infected zip attachment. Barracuda Email Security Service and Barracuda Spam Firewall customers are protected from these types of emails. Ransomware is a particularly sinister attack, because it forces you to interact with the criminals in order to get access to your data. This particular version even includes the phrase “the one who knocks” in the email address, which is insult added to injury for those who are familiar with Breaking Bad. Most of you reading this blog are IT pros, so you already know how to deal with malware, and you’ve probably already heard of Cryptolocker. This Breaking Bad version gives you a good opportunity to revisit your Cryptolocker defense plan, including security software, your backups, and the overall state of your network. Are your users protected from malware, and ransomware in particular? Is there anything more you can do? If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points: Even police departments and governments are paying the ransom Untraceable...

The Big Business of Spam: Scammers once again, looking to capitalize on a tragic natural disaster

Tragic events such as the 7.8 earthquake that hit Nepal last week have brought a tremendous outpouring of help from countries all over the world. Unfortunately, the disaster has also been used as a ploy to dupe users into falling for monetary scams. Spammers looking to capitalize on the best intentions of others have begun their campaign of deception by following the well-known “419” scam, which promises a victim a significant amount of money, but only after a payment has been made to ‘verify the identity’ of the would-be victim. Online versions of the scam originate primarily in the United States, the United Kingdom and Nigeria. The number “419” refers to the section of the Nigerian Criminal Code dealing with fraud. Once the information is given, the next steps for collecting the relief fund are sent. The potential victim is instructed to send a wire transfer fee via Western Union to receive the funds that have been promised to them. Sadly, no funds ever arrive, and victims are left with their money and sensitive data in the hands of scammers. The FBI has set up a phone number, (866) 720-5721, for reporting such instances; more information about these types of attacks, as well as advice on staying safe, can be found here: http://www.fbi.gov/sandiego/press-releases/2015/fbi-warns-public-of-disaster-scams. This is yet another example of how scammers are building a big business around the use of various spam techniques. Yesterday we shared with you a scam in which spammers are using the recent Bruce Jenner interview as a way to drive users to potentially malicious websites that sell weight loss drugs. As always, we recommend that no unsolicited donations be made, and no sensitive information be shared online, with unfamiliar persons. As a rule of thumb, if it sounds too good to be true, it most likely is. For more in this Barracuda Labs blog series,...

The Big Business of Spam: Bruce Jenner’s untold confession and allegations of abuse of the Kardashian Sisters

The rise in third-party affiliate spam that markets pharmaceutical products is one of the more alarming trends we have seen. In fact, we have seen pharmacy spam increase 20 percent so far in 2015 compared to what we saw in 2014. Although the products are legal to purchase and use, they have not been vetted or approved by the FDA. This presents a double risk for victims: the dubious business practice may result in financial loss and identity theft, while use of the product may result in a serious health problem. In this blog series, The Big Business of Spam, Barracuda Labs will explore the various business opportunities created using different spam techniques. The media has covered the Bruce Jenner special with Diane Sawyer more than it has covered the recent tragedy in Nepal, where a magnitude 7.8 earthquake hit, taking the lives of over 4,000 people. That makes it a perfect topic for spammers, who are always willing to take a positive story about personal triumph and use it to steal from curious readers. Spam using various subject lines such as ‘Kardashians beaten by Bruce Jenner’ and ‘Bruce Jenner posts naughty photos of Kardashian sisters’ has been distributed with links that redirect consumers to a website selling pills containing the extract Caralluma, a plant from India that is often used to suppress appetite. [Spammers often use celebrities to promote products in the hope of making them look more legitimate to consumers.] Barracuda Central has detected over 750,000 instances of these emails being sent from botnets and individually infected hosts around the world. These emails lead to several different domains, which all lead back to a single purchase page for Caralluma. This attack is similar to the recent Pope / Neuroflexyn email, in that it uses sensational topics and spam to market what appears to be a legitimate product (https://barracudalabs.com/2015/04/the-pope-makes-shocking-admission-he-takes-pills-for-what/). In this case we have not yet observed infected attachments, phishing attempts, or drive-by downloads. However, spam is a big...

The Pope Makes Shocking Admission… He takes pills for what??

Spammers around the globe continue to get creative with their stories in order to attract attention. There is a recent spam outbreak that claims Pope Francis has made a “shocking admission” about taking ‘Neuroflexyn,’ a new drug that purportedly enhances his brain power. According to the email, the benefits of this drug are “sinful.” These spam and social engineering tactics are not new; attackers will use whatever language or celebrity they can in order to entice users to click on a link or download a file. What makes this one particularly interesting is that it deviates from the well-known pharmacy spam that has been seen for years promoting male enhancement. The drug in question is a ‘nootropic,’ or ‘Smart Drug.’ Nootropics promise cognitive enhancement such as improved memory and intelligence. While nootropics are not quite mainstream yet, they are moving in that direction, with young people showing the most interest in the product. The most rapid growth in the use of nootropics seems to be concentrated on college campuses. Once a user clicks a link in these emails, they are directed to a page that discusses the benefits of taking a supplement that increases brain power and lets the user click a button to receive a “discounted sample.” Readers are then directed to fill out a questionnaire requesting personal information such as their address and phone number. Once their personal details are entered, the readers are asked for payment information. While our research shows that the seller of Neuroflexyn may be a legitimate business, there are some things here that give us pause: The privacy policy of the Neuroflexyn site discloses that the company sells consumer information to third parties, and that it builds profiles of consumers using public information databases. This particular email reeks of deceit. The use of the Pope (or any celebrity), as well as the “confess your sins” link at the bottom of the email, demonstrates that the email is relying on trickery rather than product credibility. This appears to have been sent by...

New Cryptolocker spear phishing campaign looks to be ‘The Grinch that stole Christmas’ in Australia

Cryptolocker is one of the most notorious attacks we’ve seen in a while, one that would definitely ruin someone’s day, or in this case their holiday spirit. As of December 16, 6:53AM PST, Barracuda Real-Time Systems have intercepted and blocked a new version which has a 1 out of 54 detection rate according to VirusTotal. The attack comes as an email disguised as coming from the State Debt and Recovery office in Australia. It uses a common fear tactic, claiming that a camera has caught the recipient speeding and that they must now pay a fine in order to avoid suspension of their driver’s license or vehicle registration. Once the victim clicks “Invoice” or “View Camera Images,” they are directed to a website and instructed to download a penalty or reminder notice. The webpage uses a captcha that actually requires the right combination of letters or numbers to download the file, possibly another trick by the attackers to make the site look legitimate. Once downloaded and opened, Cryptolocker encrypts the data on the host computer, rendering all files unusable until payment is made. While these newer versions of Cryptolocker do not appear tied to the original version, which was said to have been disrupted, we should remain vigilant against the copycat attacks that have followed and will certainly continue to follow. As always, any emails received should be treated with extreme caution. Users should always keep anti-virus up to date, and use best practices when opening suspicious emails from unknown senders. Customers running the Barracuda Spam Firewall and Barracuda Email Security Service with up to date security definitions are protected from these...

Online shoppers beware; big retail companies the subject of distributed malware and phishing attacks

Aside from being retail juggernauts, companies like Best Buy, Walmart, and Costco have another big thing in common this holiday season. These brands are among the names most frequently used in malware and phishing campaigns worldwide. Over the past couple of weeks, Barracuda Labs has continued to see an uptick in the volume and frequency (millions of emails) of spam and phishing emails that attempt to prey on online shoppers. Spammers have attempted to phish for credentials to these popular sites by sending emails that include virus attachments disguised as receipts. This seems like a reasonable plan on their part, hoping to lure unsuspecting holiday shoppers into printing out the receipts in order to pick up their products. While we expect an increase as Christmas approaches, we urge everyone placing orders online to protect themselves by adhering to a few simple rules: Track your orders on the same site where you placed them. Do not download any attachments; FedEx and UPS will never ask you to download or print any document to have your package delivered. If it’s too good to be true, it probably is. Stick to sites that have a good reputation: if you have never heard of a site and it promises items at heavily discounted prices, you probably want to steer clear of shopping there. Customers running the Barracuda Spam Firewall and Barracuda Email Security Service with the latest security definitions are protected from this attack....