03/15/2011

Japanese Earthquake Disaster Scams Exploit at Record Pace

It is astounding how far malware attackers will go to to victimize people by taking advantage of the misfortune of others.

Today, Noriyaki Hayashi reports from Trend Micro's blog that they've discovered a phishing site that poses as a donation site to help the victims of the recent Japanese earthquake. The site http://www.japan{BLOCKED}.com was found to be hosted within the U.S. and was still active as of the time of this writing.

Phishing site posing as donation site

Site shown after clicking 'join now'
Additionally, the same authors of this site abused the blog function to insert advertisement-look-alike posts, presumably to increase the search engine rankings.

Abused blog function on phishing site
Attacks  like this aren't uncommon. (Think back to Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and the Haiti earthquake in 2010.)

Norman Ingal -- threat response engineer at Trend Micro -- also reported on March 11 that immediately after the news broke of the 8.9 Richter scale magnitude earthquake and subsequent tsunami in Japan, several websites popped up with keywords relating to the quake.

One of the sites with the keyword 'most recent earthquake in Japan' led to FAKEAV variants that were identified by Trend Micro as MalFakeAV-25 and later identified as TrojFakeAV.PB.

These blackhat SEO attacks that lead to rogue antivirus downloads continue to be very common.

Many new domains are being created and parked with keywords similar to earthquake and tsunami in Japan. Key words such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used.

Perhaps the message here is to be careful when searching for media content by using known trusted media sites.

Facebook pages are being utilized as well.  One claims to contain video footage and lure the visitors to a site called hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-an.

The facebook page is titled  â€œJapanese Tsunami RAW Tidal Wave Footage!" and a script auto-directs  visitors  to a fake video page where the video is actually a hyperlinked image. Users that click on this get led to a page asking for their cell phone number.

The script also implements a 'Like' and posts a link to the user's wall. Trend Micro Antivirus Software detects this script as HTML_FBJACK.A.

Spammed email messages are being exploited as well. They ask for personal information first with promises of instructions on how to send your donations once the user responds.

Readers should use long-established avenues such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) if you wish to donate.

Symantec's Samir Patel (with thanks to Dylan Morss, Christopher Mendes, and Sujay Kulkarn) in a Symantec piece on Japan relief scams says over 50 new domain names have been registered that use the keywords 'Japan tsunami' or 'Japan earthquake'.

These sites are either parked, for sale, or linked to other earthquake websites.

Some example sites include:

  • 3-11-2011-[removed].com
  • 3-11[removed].com
  • earthquake-[removed].com
  • earthquaketsunami[removed].com
  • earthquakerelief[removed].com

Symantec has observed a a 419-type message that capitalizes on the disaster. It is a fake "next of kin" story that purports to settle millions of dollars owing to an earthquake and tsunami victim:

Japan scam message

Attachments and .zip files can be embedded in such emails so beware if the source is unknown.

Activities such as these underscore the importance of keeping antivirus software updated along with a healthy dose of caution when browsing the Internet.

03/08/2011

Fake Ads Posing as AV Solutions Target Browsers

Blogger Dan Goodwin at The Register talks about how browser malware is growing.

For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.

Well...not so anymore.

With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.

Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.

Here's what the malware looks like in various web browsers:

Internet Explorer

Internet Explorer users get the typical Windows 7 Security Alert.

Fake-av-ie-2

Mozilla Firefox

Interestingly, Firefox users will see Firefox elements (which also appear in the source code). Additionally, the security warning normally shown gets spoofed when Firefox detects the user attempting to navigate to a known malicious site.

Fake-av-firefox

Google Chrome

Google's Chrome users get a customized popup window -- complete with the Google Chrome logo and an unsuspecting warning. The positive side to this is Chrome identifies the page reporting this falsehood.

Fake-av-chrome

If the user clicks "ok", then a Chrome-looking window opens shows a fake scan taking place.

Apple Safari

Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.

Fake-av-dafari

These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.

Sobrier writes:

I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.

"I've never seen targeted fake AV pages for so many different browsers.

According to Dan Goodwin, some sites that redirect to this scam are:

  • columbi.faircitynews.com
  • jmvcorp.com
  • www.troop391.org.

If you're successfully redirected, the site tries to upload and run InstallInternetDefender_xxx.exe, where the xxx is a frequently changing number.

At the time of Sobrier's piece, VirusTotal scan claims this malware is only detected by just 9.5 percent of 42 AV programs tested, although that number is sure to increase quickly.

It's clear, fake antivirus scams is getting more sophisticated. The good news is, legitimate Internet security software is evolving, too.