Super Bowl Presents Super Opportunity for Spammers

It’s no secret that highly anticipated events like the Super Bowl generate buzz around everything from commercials to merchandise, allowing opportunistic businesses to capitalize on the millions of eyes watching from around the globe. What many people fail to recognize, however, is that events like the Super Bowl also create an opportunity for scammers to set up fraudulent websites and emails that trap people into paying for items they will never receive. This year is shaping up to be no different: Barracuda Labs has already detected spam advertising replica jerseys for the 2016 Super Bowl teams via sites such as pantherssuperbowlshop-dot-com and broncossuperbowlshop-dot-com.

[Figure: Fake Panther Super Bowl site; Fake Broncos Super Bowl site]

In this instance, spam emails from the above sites claim to have replica jerseys on sale, but the links lead to fake websites. These websites ask people to pay for replica jerseys without a secure payment option and collect credit card information for fraudulent use. Ultimately, the sites scam people out of money by pretending to sell items they will never ship, and even go so far as to claim the ordered items are “Out Of Stock” after payment has already been received.

How to tell it’s a scam: Based on what we’ve seen in these scam messages, the domains are targeted attacks focused on fans of the 2016 NFL Super Bowl teams (Carolina Panthers and Denver Broncos). The domains were registered on December 15, 2015, right around week 15 of 17 of the NFL season, two games before the playoffs started. Our research shows that the registration information points to the spam coming from: tian xiang da sha,405#,wan he lu 99hao,Chengdu,China. Both sites ask buyers to input personal information including name, address, and credit card details. However, once buyers try to access their cart at the time of purchase, it doesn’t allow them to purchase as...


The Big Business of Spam: Adulterers beware, scammers may be targeting you

As you have probably heard by now, a group of hackers who call themselves The Impact Team recently breached the systems of Avid Life Media (ALM) and stole sensitive data from AshleyMadison.com. The group has since published a large cache of data that includes personal information from members of the site and is making that data available online for download. To make the situation worse, opportunistic scammers are looking to capitalize on this unique opportunity for financial gain of their own. To start, the scammers send phishing emails suggesting that they have information on the recipient that will expose them as an AshleyMadison user. The scam methods they’re using are quite simple and common, yet highly effective when used as a scare tactic like this. Spammers often buy full lists of verified addresses (email addresses in this case) after a large breach, then target and attempt to solicit the users.

Here’s how this particular scam works: An unsuspecting user gets an email titled “Recent data leak, your details are there!” (image below). Once the user opens the email, they see a note implying that their personal information has been leaked along with that of the other 37 million people. At the end of the note, they are directed to click on a link that leads to a page offering services from UnTraceMe. From there, they are directed to pay a fee of $19.95 to get their information secured and removed (image below). After a spooked user agrees to pay the fee and clicks on the link provided, they are directed to use a PayPal-like site to pay the fee and “secure their information” (image below).

What people don’t realize is that the leaked data can be retrieved by just about anyone, and will not disappear no matter what ransom is paid. At this time, Barracuda Labs has blocked over 1000 emails similar to the one imaged above, and depending on the monetary success that the spammers...


AskMen.com Offers Young Men Advice, Ransomware

Jul 07, 14

Posted by in Research, Web Security

Yesterday (Sunday, July 6), as well as in June, May and April, AskMen’s website served visitors malware via drive-by download attacks that targeted vulnerabilities in various browser-related software components including IE, Flash, and the Java web plugin. During the June incident, ransomware (a type of malware that denies the user access to their files or computer until a ransom is paid) was installed on visitors’ computers. Given the need to coerce payment from its victims, ransomware is visually noisy, as shown in the following screenshot taken at the end of a June 19 visit to AskMen[.]com.

[Screenshot: AskMen for advice, get ransomware.]

The chain of redirects that began at AskMen’s front page and ended with the installation of ransomware on visitors’ computers is as follows.

hxxp://www[.]askmen[.]com/<redacted> (xMultiple)
  -> hxxp://ec6155aa[.]pw/<redacted>
    -> hxxp://asjdaydyaf[.]info/<redacted> (xMultiple)
      -> hxxp://bannertrackingstat[.]com/<redacted> (xMultiple)

In the above chain, the ec6155aa[.]pw domain is generated dynamically based on the current date. Subsequent reverse engineering of the name generation algorithm and examination of domains for nearby dates revealed that the drive-by download campaign lasted from June 18 to June 23. Additional details can be found on the following page. Requests to asjdaydyaf[.]info corresponded to a site backed by the RIG Exploit Kit, which currently targets IE, Flash, Silverlight, and Java. In this instance, RIG yielded a malicious JAR file with relatively few AV detections. Successful exploitation resulted in the installation of CryptoWall, a type of ransomware that uses strong cryptography to hold the user’s files hostage. Visualizations of each AskMen[.]com drive-by download instance and the corresponding packet capture (PCAP) files for April, May, June and July are available via Threatglass.

UPDATE (July 9): Barracuda Labs has been corresponding with the AskMen website operators, who have indicated that they have discovered and resolved the security issue behind the incidents.

UPDATE (July 19): The AskMen website is again serving drive-by downloads, which suggests a vulnerability within its infrastructure or intrusion within...


Introducing Threatglass – New Industry Portal Offering Exploration, Visualization and Analysis of Exploited Websites

Today, Barracuda released a new online tool for sharing, browsing and analyzing web-based malware: Threatglass, available at threatglass.com. Our Barracuda Labs team conceived the idea, designed the large-scale backend system, and finally implemented a clean GUI to present it to the world. We are very excited to be able to offer this resource, free of charge, to both casual users and the security research community as a whole. Welcome to threatglass.com!

The backend system of Threatglass has been running internally inside Barracuda for a few years, where it has been used to automatically scan suspicious websites from Barracuda’s customer network and the Alexa top 25,000 websites in order to better protect Barracuda’s customers. The system was designed in a large-scale, automated manner that uses thousands of virtual machines to visit URLs in web browsers and observe what happens to the browsers, their plugins, and the operating systems. Without prior knowledge of the specific exploits served to the browser or its extensions, the resulting network-level actions are recorded and analyzed to reveal whether the visited URLs serve malicious content. With millions of URLs being scanned every week, the system has accumulated nearly 10,000 live web-based malware infections to date. Meanwhile, new data sources are feeding in daily, including our recent social feeds from Facebook and Twitter. Two of our previous posts specifically demonstrated the power of the Threatglass backend system: summaries of maliciousness on top-ranked Alexa domains in February 2012 and July 2012.

The frontend of Threatglass is a modern web portal that provides a unique visualization of the malware-infected websites identified by the backend system, with a Pinterest-like graphical feel. Threatglass allows users to casually browse website infections dating back to September 2011, and to view charts and trend graphs to review historical malware trends. Threatglass provides detailed information on what happened when visiting each infected website on a given date, such as screenshots of the browser, whether a binary was downloaded or any emails were sent, and the number of...


Hasbro.com: Toys, Games and Malware for Boys and Girls

Jan 27, 14

Posted by in Research, Web Security

A week ago (on Monday, January 20), as well as on January 14, 11, and 10, Hasbro’s website pushed malicious software to visitors’ computers. As with the Cracked.com compromise a week prior, the incident was the result of a direct site compromise, and affected users were unlikely to have recognized that their computers were infected. For reference, below is a screenshot of Barracuda Labs’ malicious URL detection environment after a successful attack.

[Screenshot: No smiles during this visit to Hasbro’s website.]

The chain of redirects that began at Hasbro’s front page and ended with the installation of malicious software on visitors’ computers was as follows.

hxxp://www[.]hasbro[.]com
  -> hxxp://www[.]hasbro[.]com/<redacted> (xMultiple)
    -> hxxp://stats[.]jusybes[.]pw/<redacted>
      -> hxxps://stats[.]jusybes[.]pw/<redacted> (xMultiple)
        -> hxxp://ahnc[.]blockscheine[.]com/<redacted> (xMultiple)

The second request to stats[.]jusybes[.]pw is notable because HTTPS is used to obfuscate the resulting redirection to ahnc[.]blockscheine[.]com, which serves several Java exploits. Upon successful exploitation, a payload is installed that is not well detected (both Symantec and Trend flag the malicious executable as benign). Given the frequency with which Hasbro’s website has recently served drive-by downloads, Barracuda Labs recommends that users refrain from visiting the site until its operators have confirmed it is again safe. An archive containing packet capture (PCAP) files that show the sequence of events for drive-by downloads originating from Hasbro.com for January 20, 14, 11, and 10 can be downloaded...


Not Funny: Cracked.com Serves Visitors Malware Again

Jan 16, 14

Posted by in Research, Web Security

Yesterday (Wednesday, January 15), Cracked Magazine’s website served malicious software to visitors via exploits that target a user’s web browser and plugins. In this case, the malicious content originated directly from the Cracked.com website, and it is unlikely that a user would have noticed anything unusual while their system was attacked. For reference, a screenshot of Barracuda Labs’ malicious URL detection environment after a successful compromise is shown below.

[Screenshot: Cracked.com: Business as usual?]

The chain of redirects began at the index of Cracked.com and concluded with the delivery of exploit content and the installation of malware onto the visitor’s computer. The details are as follows.

hxxp://www[.]cracked[.]com
  -> hxxp://klamb[.]in/<redacted> (x2)
    -> hxxp://lanim[.]nambon[.]in(:21093)/<redacted>
      -> hxxp://palak[.]nambon[.]in(:21093)/<redacted>

In the above chain, content from the malicious domain (registered January 15, the same day the incident began) is loaded via Cracked’s index page. No ad networks were involved, which means that some kind of direct website compromise occurred. An HTTP request to the klamb[.]in domain redirected to lanim[.]nambon[.]in, which responded with malicious content targeting both the web browser and the Java web plugin used by Barracuda Labs’ detection environment. An exploit for CVE-2013-2551 (which targets vulnerable 32-bit versions of Internet Explorer 6 through 10) successfully compromised the detection system’s web browser. Per VirusTotal scan results, the malicious software installed after successful exploitation is poorly detected (neither Symantec, McAfee, nor Trend’s AV offerings detect the file as malicious). Barracuda Labs recommends that users refrain from visiting Cracked.com until the site’s operations group investigates the incident and certifies the site as safe.

In addition, as has been repeatedly advised, users should keep their software updated to prevent exploitation of known vulnerabilities and avoid software with a poor security track record. An archive containing a packet capture (PCAP) file showing (with some analysis) the exact sequence of events that led to system compromise can be downloaded...
