2010年7月27日星期二

How to Detect and Prevent Phishing Scams

Overview of Phishing Scams


The unique purpose of a Phishing scams is to obtain your sensitive information to do frauds. Scammers send mass emails to every address they can find. Typically the email will appear to come from a bank or financial institution. It is e-mail content to prompt you to update your information for some reason, and they usually provide a link that you can click to do so.
This all sounds reasonable and it may look legitimate; phishing scams are anything but legitimate. The link provided does not take you to the financial institution’s website. Instead, you’ll be submitting your information to a website run by the scammers.

Why Scammers Use Phishing Scams


Why would somebody do this? Well, you can gather a lot of sensitive information with a phishing scam. First, you can get somebody’s account number and password. Then you can try to hijack their assets. Some phishing scams ask for all of your personal information (SSN, mother’s maiden name, date of birth, etc) so that they can steal your identity and open credit accounts in your name. Some victims of phishing scams have given up their credit card numbers only to find that the card was used fraudulently.

How to Detect Phishing Scam Emails


Most of the phishing scams are carried through phishing emails,so the most important key to prevent phishing scam is how to distinguish phishing emails. Detecting most of these phishing emails is easy, using a number of security products is the most convenient way, such as Ax3soft Sax2,it is a professional intrusion detection and prevention system (IDS) used to detect intrusion and attacks, for more information, visit http://www.ids-sax2.com/SaxIDS.htm.
if you are a bit careful. Then the followings are several ways that can help you identify phishing emails。

*

Look for your Name in the address: Phishers, generally don’t know the names of their targets. They are actually phishing for the weak and unalarmed users to make their targets. Look for the header of the email you received. If you do not find your name or email address in the address bar, this is a red sign. You have to be cautious on this email. See Figure below.
*

Look for the Salutation / Greetings: Generally, the financial organizations are very careful about the personal experience which their users get while transacting with them. One usual practice taken care by them is to greet their customers with the name. If you do not find any greeting or salutation, then it is also a thing to deal the email with caution. We are not saying that all emails without salutation are phishing emails, but this is definitely a preliminary way of raising your alarm bell. See Figure Below.
* Look for the URLs as shown in the emails and your Browser Status Bar: Nowadays, most of the browsers display the URL in their status bar if you hover your mouse over a hyperlink. This is your most important trick to quickly discover most of the phishing attempts. Hover your mouse over the link, and without clicking just look down below at your status bar. Compare the two links very cautiously.
*

Look if any generic name is there in the salutation: Like mentioned above, if you do not find a salutation, or you find a generic salutation, then it is time to be concerned. We are not saying that all such emails are phishing, there are many exceptions to this as well, but it is surely a sign to be more cautious and look for other clues. See Figure Below.
*

Look for Poor Grammer and Salutation: Without prejudice to any country or race, it has been observed that most of the phishing attacks are from countries where population is not English speaking. And it leaves a mark everywhere. Since phishers are generally individuals, not organizations, and mostly operating from close confines, there are small grammatical and punctuation mistakes in their copy. Look for them, and be warned.
* Do not rely on the link address shown in the Browser Status Bar: Even if, you find that the URL address as shown in the Browser Status Bar is exactly the same as that shown in the email, there are chances that the actual hyperlink is pointing to somewhere else. In such a case, your safest bet is to just select the URL and copy it. Open a second browser windows, paste the address there and press enter. Remember, do not use the Copy Link Location command from the right click menu. It will defeat the entire purpose.

*

Do not rely even if you find your name in the salutation or address: With the advancement of technology, phishing techniques are also getting smarter every day. Now phishers dig deep and research to find the name and addresses of their targets. So even if you find that proper Greetings and salutations are there, still there are chances that you are staring at a phishing scam attempt.
*

Look for the domain name of the link: The domain names tell you many things. If the domain name of the URL, to where your Browser status bar is pointing, is same as your financial institution, then you are most like safe. But be very cautious here. You should be knowing, what exactly is the domain address in a URL. Phishers try to make it look like the original domain, and you have to find the actual domain name from that.
* Use Copy & Paste: Yes it is really good idea. But remember, don’t use Copy Link Location from the right click menu.

Fake Xerox WorkCentre Pro Scans Hide Trojan

Ax3soft have intercepted a new spam campaign, it attempts to trick users into executing malicious files by claiming they are scanned documents. The email are sent from a spoofed email address and contains a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. An office print and scan center such as a Xerox machine sent a scanned document by email to a recipient. This kind of condition is really very common.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

It looks like that the true email template used by Xerox scanning devices was copied by the spammers and the listed file type only be modified by it. When Xerox WorkCentre Pro can send scanned documents through email, these are never sent in ZIP format. Reported by the Tech Herald


An executable file called Xerox_doc.exe will be showed while opening the file archive, it is a new variant of the Official Trojan. Trojans in the Official family of malware can work as botnet clients and are basically used as distribution platform for other menaces, such as adware or scareware.

The trojan also called Gen: Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).



The files will be created as followings:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

Stop the Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe. Do not be cheated by it. The Windows Security Center Service is a bad service ,it can do nothing with the legitimate service Security Center from Windows.

It will execute a lot of Windows registry changes and the trojan establish connection with the following IPs on port 80

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from following URLs:

*

hxxp://www.kollo.ch/images/cgi.exe
*

hxxp://musiceng.ru/music/forum/index1.php
*

hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
*

hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

We have added some new policies of Ax3soft Sax2 to detect the Trojan, please update the policy basic knowledge of Sax2 in time.

New trojan variant in mails with "Look my CV. Thank you!"

Pay attention to the subject "Look my CV. Thank you! MyID NR4557547.",it is a new trojan variant in emails and Ax3soft intercepts it.

The similar subject are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

It chooses the number at the end of the subject not in order and the from email address is fake.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The resume098.zip attached in the email. The extracted file resume.exe has 36kb capacity.

The trojan also called W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools)

Creat files as followings:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

Load the following modules into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll::

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1952000

%Windir%\atapsrb.dll::

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

A lot of Windows registry modifications are created and the trojan tries to establish a connection with IPs on port 80 as followings:

195.78.109.6
212.78.71.81
95.211.98.246

Download data from the following hosts:

· hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1

· hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1

· hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

The download file sepod.exe has 60kB capacity and it is malware which called W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

Create the files as followings:

%Windir%\dsmd32.dll

Load the following modules into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

A lot of Windows registry modifications are created and the trojan tries to establish a connection with IP95.211.98.246 on port 80 as followings:

We have added some new policies of Ax3soft Sax2 to detect the Trojan, please update the policy basic knowledge of Sax2 in time.

New trojan variant in mails with "Look my CV. Thank you!"

Pay attention to the subject "Look my CV. Thank you! MyID NR4557547.",it is a new trojan variant in emails and Ax3soft intercepts it.

The similar subject are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

It chooses the number at the end of the subject not in order and the from email address is fake.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The resume098.zip attached in the email. The extracted file resume.exe has 36kb capacity.

The trojan also called W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools)

Creat files as followings:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

Load the following modules into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\atapsrb.dll::

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1952000

%Windir%\atapsrb.dll::

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

A lot of Windows registry modifications are created and the trojan tries to establish a connection with IPs on port 80 as followings:

195.78.109.6
212.78.71.81
95.211.98.246

Download data from the following hosts:

· hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1

· hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1

· hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

The download file sepod.exe has 60kB capacity and it is malware which called W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

Create the files as followings:

%Windir%\dsmd32.dll

Load the following modules into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10012000

A lot of Windows registry modifications are created and the trojan tries to establish a connection with IP95.211.98.246 on port 80 as followings:

We have added some new policies of Ax3soft Sax2 to detect the Trojan, please update the policy basic knowledge of Sax2 in time.

Emails with the subject "UPS INVOICE NR9094991" and "Delivery Problem NR2204780" contains trojan

Ax3soft noted the highest virus detection rate from these months, which owes to the combination of the “Thank you for buying iTunes Gift Certificate!” and the latest UPS related emails with subjects like “UPS INVOICE NR9094991″ or ”Delivery Problem NR2204780″

The similar subjects are (the numbers are choosed randomly):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The zip archive upsinvoice3325037.zip is contained in the email and it is available to extract the file UPSINVIOCE.exe which has 36 kB capacity.

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

Creat files as followings:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

Load the following modules into the address space of other processes:

%Windir%\scindl.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll —>
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1951000

%Windir%\scindl.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10011000

the trojan tries to establish a remote connection with IPs on port 80 as followings:

85.87.17.230
89.149.202.142
95.211.27.238

Download data from the following hosts:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe

We have added some new policies of Ax3soft Sax2 to detect the Trojan, please update the policy basic knowledge of Sax2 in time.

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

If you want to unsubscribe, please click here.