New phishing attack against Facebook business pages

There’s a new attempt at an old phishing attack running on Facebook today. The attack appears to target business pages on Facebook by posing as a Facebook compliance message. Here’s a screenshot of the attack, which we received in our notifications panel on Facebook:

The message appears to be a Facebook compliance message because it uses the Facebook logo and name. It also appears to be a direct message due to the use of “Dear Customer” in the greeting. However, there are a few things that should stand out to you as suspicious:

- It uses the ow.ly URL shortener and not a proper Facebook URL.
- It uses threatening language indicating extreme action.
- The message itself is nonsense. It begins by saying that there are irregularities of content and a violation of ToS. Then it requires you to verify your contact information, and thanks you for helping them improve ‘service collaboration.’
- It is a notification and not a message. Facebook notifications indicate shares or mentions by another user. These are not direct messages to a customer, and normally do not include any type of greeting like “Dear Customer.”

This is what you will see if you hover your cursor over the account link:

This URL is another indication that this is likely not an official Facebook communication. If you were to follow the link to this account, you would see that this attack has targeted hundreds of business pages on Facebook. This attack page was taken offline earlier today, but there may be more versions of this page still functioning.

The attack is structured as follows:

1. The attacker identifies the business page.
2. The attacker then shares the latest post from the business page.
3. The share is prefaced by the message that you see in our screenshot at the top of this post.
4. The body of the message includes a shortened link designed to look like a Facebook account verification link.

These indicators should be enough for you to recognize this as a scam and...


The Big Business of Spam: Adulterers beware, scammers may be targeting you

As you have probably heard by now, a group of hackers who call themselves The Impact Team recently breached the systems of Avid Life Media (ALM) and stole sensitive data from AshleyMadison.com. The group has since published a large cache of data that includes personal information from members of the site, and is making that data available online for download.

To make the situation worse, opportunistic scammers are looking to capitalize on this unique opportunity for a financial gain of their own. To start, the scammers send phishing emails suggesting that they have information on the recipient that will expose them as an AshleyMadison user. The scam methods they’re using are quite simple and common, yet highly effective when used as a scare tactic like this. Spammers often buy full lists of verified addresses (email addresses in this case) after a large breach, then target and attempt to solicit the users.

Here’s how this particular scam works:

1. An unsuspecting user gets an email titled “Recent data leak, your details are there!” (image below)
2. Once the user opens the email, they see a note implying that their personal information has been leaked along with that of the other 37 million people. At the end of the note, they are directed to click on a link that takes them to a page offering services from UnTraceMe.
3. From there, they are directed to pay a fee of $19.95 to get their information secured and removed. (image below)
4. After a spooked user agrees to pay the fee and clicks on the link provided, they are directed to a PayPal-like site to pay the fee and “secure their information.” (image below)

What folks don’t know is that the leaked data can be retrieved by just about anyone, and will not disappear no matter what ransom is paid. At this time, Barracuda Labs has blocked over 1000 emails similar to the one imaged above, and depending on the monetary success that the spammers...


Online shoppers beware; big retail companies the subject of distributed malware and phishing attacks

Aside from being retail juggernauts, companies like Best Buy, Walmart, and Costco have another big thing in common this holiday season. These brands are among the names most frequently used in malware and phishing campaigns worldwide.

Over the past couple of weeks, Barracuda Labs has continued to see an uptick in the volume and frequency (millions of emails) of spam and phishing emails attempting to prey on online shoppers. Spammers have attempted to phish for credentials to these popular sites by sending emails that include virus attachments disguised as receipts. From the attacker’s point of view this is a reasonable plan: the hope is to lure unsuspecting holiday shoppers into opening and printing the “receipts” in order to pick up their products.

While we expect an increase as Christmas approaches, we urge everyone placing orders online to protect themselves by adhering to a few simple rules:

- Track your orders on the same site where you placed them.
- Do not download any attachments. FedEx and UPS will never ask you to download or print any document to have your package delivered.
- If it’s too good to be true, it probably is.
- Stick to the sites that have a good reputation — if you have never heard of the site and it promises items at heavily discounted prices, you probably want to steer clear of shopping there.

Customers running the Barracuda Spam Firewall and Barracuda Email Security Service with the latest security definitions are protected from this attack....


Hackers take advantage of Ebola-related fundraising

Companies like Facebook, Google and YouTube have been taking a proactive approach to help fight the Ebola virus that has taken countless lives in Africa. When visiting these sites, you may notice that these companies are asking users to donate to finding a cure for the Ebola virus. Hackers, in turn, are also recognizing the opportunity to capitalize on the new trending topic.

With the fear of the Ebola virus making its way to the States, it’s not surprising that many folks are raising awareness and are now trying to educate themselves on the virus. Also not surprising are websites popping up asking for donations to find the cure. It is important to be sure, when donating, that you are donating to a reputable site. Hackers love to start crowdfunding sites similar to this one – https://www.indiegogo.com/projects/help-us-help-others–1169 – which has since been taken down, to steal user information and credit card numbers. The goal for hackers is to dupe a person and have them start sharing the link via email and social media. It’s easy for hackers to test whether or not they can use this approach going forward in future attacks.

The idea of donating to help find a cure is great; however, you should make sure that you are doing so in the appropriate forums. Never click on links sent to you via email or shared links on social media. If you plan on donating to find a cure, do research on reputable sites and go to them directly.

Check out our Barracuda Spam Firewall and Barracuda Web Filter for information on how to protect yourself from online...


Daniel Peck to present phishing detection methods at AppSec USA

Sep 12, 14

Posted by in Phishing

AppSec USA is coming up next week and our own Daniel Peck will be there to discuss a new approach to phishing detection. Daniel is a Principal Research Scientist who works primarily on studying social networks as an attack vector. He has created a large body of research work, such as:

- Comparing content-based and non-content-based systems to identify malicious accounts on Twitter/Facebook
- Exploiting programmable logic controllers
- Identifying/classifying malicious JavaScript

Here’s the description of Daniel’s AppSec 2014 presentation:

We will discuss current approaches to phishing detection, and present a new one along with accompanying tool. We will discuss several perceptual hashing algorithms, and describe how we can leverage them to detect phishing sites masquerading as popular sites such as Paypal, Amazon, and others. Code to collect and identify these malicious sites, and a browser extension leveraging will be explained, demonstrated and released for attendee use and study.

Daniel is not new to AppSec USA. Last year his presentation focused on scripting Android applications.

AppSec USA is an annual software security conference for developers, security auditors, risk managers, executive management, government, press, law enforcement, entrepreneurs, and more. Everyone with an interest in software security will find something at AppSec. Here’s what the conference has to offer:

- Insightful keynote addresses delivered by leading industry visionaries and thought leaders from critical infrastructure
- Over 50 sessions
- World-renowned subject matter experts
- Five core tracks: builder, breaker, defender, management, DevOps
- An all-new, workshop-style Skills Lab track providing instruction and hands-on experience with essential security tools and skills
- Over a thousand attendees exclusively focused on software security
- A career fair and sponsor expo featuring top companies in the industry

The conference is also a major fundraiser for OWASP, the Open Web Application Security Project. The OWASP Foundation is an open-source, non-profit application security organization made up of organizations and individuals from around the world. The OWASP Foundation is the de-facto standards body for web application security used by developers and organizations globally. AppSec USA 2014 will be held in Denver...


The cost of phishing

Sep 09, 14

Posted by in Anti-Spam, Email Security, Phishing, Spam

I’ll be giving a presentation next week at AppSec USA on perceptual hashing and how it can be used as a component of anti-phishing systems. It will be more of a proof of concept and introduction to an interesting algorithm than it is about practical realities. Enough self promotion though.

While doing some research into the economics of phishing, I was floored by the numbers being thrown around and how much the business of information security and cybercrime has changed in the decade that I’ve been a part of it. I can only imagine how those with two times my experience feel. The numbers, while likely quite exaggerated, are staggering. Phishing itself is estimated to cost ~6 billion annually, while cybercrime in general is pegged at being over 400 billion.

What surprises me the most about this is that phishing and email security is viewed as a largely “solved” problem. 6 billion on the table, and yet this area of security hasn’t significantly advanced in years. Some would argue that there have been no real improvements since reputation based systems came on the scene in the mid 2000s.

Phishing, and malicious messaging in general, is interesting in that their targets should often know better, and protecting the last 0.01% of the population gets increasingly expensive. At the same time the value that an attacker can extract from that 0.01% is on the rise. I have to wonder what level of fraud we’re all collectively “OK” with and if we’ve gotten there in the world of email...
