New phishing attack against Facebook business pages

There’s a new attempt at an old phishing attack running on Facebook today.  The attack appears to target business pages on Facebook by posing as a Facebook compliance message.  Here’s a screenshot of the attack, which we received in our notifications panel on Facebook: The message appears to be a Facebook compliance message, because it uses the Facebook logo and name.  It also appears to be a direct message due to the use of “Dear Customer” in the greeting.  However there are a few things that should stand out to you as suspicious: It uses the ow.ly URL shortener and not a proper Facebook URL. It uses threatening language indicating extreme action. The message itself is nonsense.  It begins by saying that there are irregularities of content and a violation of ToS.  Then it requires you to verify your contact information, and thanks you for helping them improve ‘service collaboration.’ It is a notification and not a message.  Facebook notifications indicate shares or mentions by another user.  These are not direct messages to a customer, and normally do not include any type of greeting like “Dear Customer.” This is what you will see if you hover your cursor over the account link:   This URL is another indication that this is likely not an official Facebook communication.  If you were to follow the link to this account, you would see that this attack has targeted hundreds of business pages on Facebook. This attack page was taken offline earlier today, but there may be more versions of this page still functioning. The attack is structured as follows: The attacker identifies the business page. The attacker then shares the latest post from the business page. The share is prefaced by the message that you see in our screenshot at the top of this post. The body of the message includes a shortened link designed to look like a Facebook account verification link. These indicators should be enough for you to recognize this as a scam and...

read more

Super Bowl Presents Super Opportunity for Spammers

It’s no secret that highly-anticipated events like the Super Bowl generate buzz around everything from commercials to merchandise, allowing opportunistic businesses to capitalize on the millions of eyes viewing from around the globe. However, what many folks fail to recognize is the opportunity events like the Super Bowl also create for scammers to generate disingenuous websites and emails to trap people into paying for items they will never see. This year is shaping up to be no different as proven by Barracuda Labs, which has already detected spam for replica jerseys on sale for the 2016 Super Bowl teams via sites such as pantherssuperbowlshop-dot-com and broncossuperbowlshop-dot-com. Fake Panther Super Bowl site   Fake Broncos Super Bowl site Click here for a larger image of both sites. In this particular instance, spam emails from the above sites claim to have replica jerseys on sale, but the links unfortunately lead to false websites. These false websites then ask people to pay for replica jerseys without a secure payment option, and request credit card information for fraudulent purposes. Ultimately, these sites are scamming people out of money by pretending to sell items that they will never ship and even go so far as to claim the items ordered are “Out Of Stock” after payment was already received. How to tell it’s a scam: Based on what we’ve seen in these scam messages, the domains are targeted attacks focused on fans of the 2016 NFL Super Bowl teams (Carolina Panthers and Denver Broncos). The domains used here were registered on December 15, 2015, which was right around week 15 of 17 for the NFL – two games before the playoffs started. Our research shows that the registration information points to the spam coming from: tian xiang da sha,405#,wan he lu 99hao,Chengdu,China. Both of the sites request buyers to input personal information including, name, address, credit card info etc. However, once they try to access their cart at the time of purchase –it doesn’t allow them to purchase as...

read more

The Big Business of Spam: Adulterers beware, scammers may be targeting you

As you have probably heard by now, a group of hackers who call themselves The Impact Team recently breached the systems of Avid Life Media (ALM), and stole sensitive data from AshleyMadison.com. The group has since published a large cache of data that includes personal information from members of the site, and are making that data available online for download. To make the situation worse, opportunistic scammers are looking to capitalize on this unique opportunity for a financial gain of their own. To start, the scammers will send phishing emails suggesting that they have information on the recipient that will expose them as an AshleyMadison user. The scam methods they’re using are quite simple and common, yet highly effective when used as a scare tactic like this. Spammers often buy full lists of verified addresses (email addresses in this case) after a large breach, then target and attempt to solicit the users. Here’s how this particular scam works: An unsuspecting user will get an email titled – “Recent data leak, your details are there!” (image below) Once the user opens the email, they will see a note that implies that their personal information has been leaked along with the other 37 million people. At the end of the note, they are directed to click on a link that will direct them to a page that offers services from UnTraceMe. From there, they are directed to pay a fee of $19.95 to get their information secured and removed. (image below) After a spooked user agrees to pay the fee and clicks on the link provided, they are then directed to use a PayPal-like site to pay the fee and “secure their information.” (image below) What folks don’t know is that the leaked data can be retrieved by just about anyone, and will not disappear no matter what ransom is paid. At this time, Barracuda Labs has blocked over 1000 emails similar to the one imaged above, and depending on the monetary success that the spammers...

read more

The Big Business of Spam: What Caitlyn Jenner Uses to Prevent Wrinkles and Stop the Aging Process

The cover for Vanity Fair’s July 2015 print issue was publicized on the Vanity Fair website June 1, and revealed the newly transformed, Caitlyn Jenner. The cover photo went viral reaching over 46 million people across Vanity Fair’s website and social media – with the internet virtually exploding. Jenner even beat President Obama’s record for reaching 1 million Twitter followers in just under five hours. With Jenner’s name in the headlines this week, it’s no surprise that spammers have jumped on the opportunity to try and use her likeliness to trick users into visiting sites to push beauty products in hopes to gain monetary value. So far, we’ve seen over 100K samples and variants of spam emails using Caitlyn Jenner as the lure to get people to click on compromised links. The emails all have different subject lines, but include the same content in the email body. The spam appears to be coming from possible compromised machines, most of which trace back to IP addresses in the United States. Figure 1 below is an example of the emails that are being sent out in large quantities, hoping to entice users into clicking on spammy links. The embedded links in the email titled “Caitlyn swears she just used this” and “Here is what went down” redirects users to the following website – http://www.goodbodyhealthtips.org/index.php?aff_sub=1394&aff_sub2=190076&aff_sub3=1021342e9d6b955d9a9c66e5ed3293 (labeled “wrinkle miracle”) – that pushes an anti-aging facial cream to prevent wrinkles, revealed by Dr. Oz called Dermakin Anti-Aging Cream. Figure 1 As shown in Figure 2 below, once on the page, the user will see the headline “Revealed by Dr. Oz! Jen’s Closely Guarded Secret For A Wrinkle Free Face” that is said to be featured in Yahoo!, Woman’s Day, VANITY FAIR, TIME, People and Aol. Figure 2 Figure 3 below shows that while on the page, the user will see “before” and “after” photos of stars like Ellen DeGeneres, Katie Couric, Goldie Hawn and Barbara Streisand who have allegedly used the wrinkle cream. Figure 3 At the bottom of...

read more

The Big Business of Spam: Dr. Oz’s Brand New Trick to Shed 27 Pounds in Just One Month!!

With a high obesity rate in the United States, people are looking for hope to find a miracle cure for weight loss. Unfortunately, spammers understand this and why it’s no surprise that Barracuda Central has picked up about 6,000 diet spam type emails since the beginning of 2015. With the Memorial Day holiday just passing, signaling bikini season, it’s also no surprise we have seen a rise in the volume of diet spam – showing just how intelligent spammers’ planning around the timing of certain types of spam are creating the big business of spam. Figure 1 One name that is often seen in the media in relation to cures for weight loss is Dr. Oz, who is no stranger to being scrutinized. Spammers often take advantage of his namesake and people’s hope for a weight loss miracle cure. In this specific email (figure 1), when a user opens a link, they will be directed to a news webpage that describes Dr. Oz’s weight loss discovery. This type of spam often displays names and pictures of well-known people, to try to entice the reader even more – Rachel Ray is used in the example below (figure 2). The site claims that “Pure Forskolin Extract,” (see Ad in Figure 3) which was actually introduced on the Dr. Oz show, is a “miracle pill” weight loss solution. It claims to burn body fat, and leaves the person with only lean muscle. Figure 2 Although the website is fake, part of the website’s content make it look legitimate to users. The first thing that the user will notice is the video of Dr. Oz advertising the Forskolin supplement that causes belly fat to melt. The website also uses content from healthierlivingdecision.com to make it look legitimate and mask the true nature of the site. But if the user clicks on any of the links on the website, including the registration link, it will direct them to the product page where they are prompted to enter their personal...

read more

Better Call Saul… New Crypto Ransomware using Breaking Bad Theme Emerges in Australia

According to reports from ABC Australia (http://www.abc.net.au/news/2015-05-11/new-computer-ransomware-encrypts-files-asks-for-up-to-1000/6461606) a new crypto ransomware threat is circling Australian’s email inboxes. You probably remember the Cryptolocker Trojan, as it is one of the scariest bits of malware we’ve seen in a while. Cryptolocker is ransomware that restricts access to a victim’s files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files. Read more about Cryptolocker in this blog post, http://blog.barracuda.com/2014/01/09/are-you-prepared-for-cryptolocker/ This latest version of Cryptolocker takes on the branding of the late, great, popular tv show, Breaking Bad. It uses the “Los Pollos Amigos” name, which is the restaurant that provided money laundering and was the base for other functions on the show. The ransomware also links to a video that shows victims how to use bitcoin, which was likely included to help the victims pay the ransom. Researchers believe that the ransomware is spread via email, and downloaded through an infected zip attachment. Barracuda Email Security Service and Barracuda Spam Firewall customers are protected from these types of emails. Ransomware a is particularly sinister attack, because it forces you to interact with the criminals in order to get access to your data. This particular version even includes the phrase “the one who knocks” in the email address, which is just insult added to injury for those who are familiar with Breaking Bad. Most of you reading this blog are IT pros, so you already know how to deal with malware, and you’ve probably already heard of Cryptolocker.  This Breaking Bad version gives you a good opportunity to revisit your Cryptolocker defense plan, including security software, your backups, and the overall state of your network. Are your users protected from malware, and ransomware in particular? Is there anything more you can do? If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points: Even police departments and governments are paying the ransom Untraceable...

read more