Monday, May 16, 2011

ACH Spammer switches to Shortened URLs

For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domains in place for a campaign that we have been calling "NACHA Spam".

In this campaign, which we first wrote about in November 2009 (see: Newest Zeus: NACHA Electronic Payments, the criminals send emails suggesting that an Automated Clearing House (ACH) payment has failed. It is thought that this may be a method of screening recipients as only people who deal with money transfer on a regular basis would be familiar with NACHA as having authority over ACH payments.

In more recent versions of the campaign, including the one we wrote about in March 2011 (see: More ACH Spam from NACHA) we have seen dozens or even hundreds of newly created domain names used to host the malicious content.

Here's a sample of the email body:




The ACH transfer (ID: 1514969569958), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Rejected transaction
Transaction ID: 1514969569958
Reason for rejection See details in the report below
Transaction Report report_1514969569958.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association




This morning's most popular subjects:

count | subject
-------+--------------------------
159 | ACH payment canceled
144 | ACH transfer rejected
143 | ACH payment rejected
143 | Rejected ACH payment
137 | Rejected ACH transaction
137 | ACH Transfer canceled
135 | Rejected ACH transfer
131 | Your ACH transfer
131 | ACH transaction canceled
130 | Your ACH transaction
(10 rows)

count | sender_email
-------+-------------
135 | risk@nacha.org
134 | alerts@nacha.org
134 | risk_manager@nacha.org
133 | alert@nacha.org
133 | admin@nacha.org
129 | transactions@nacha.org
124 | ach@nacha.org
122 | payment@nacha.org
120 | transfers@nacha.org
117 | payments@nacha.org
109 | info@nacha.org
(11 rows)

The "new" feature of today's spam campaign is that the criminals have begun using URL shortening services to do their redirection. Although this is new for the current campaign, we've seen it before. We wrote a technical report on the subject last fall called URL Shorteners Used by Online Drug Dealers.

So far this morning, we've observed 34 different URL shortening services in play on this campaign:

count | machine
-------+-----------------
116 | 2mb.eu
93 | p1nk.me
92 | 80p.eu
92 | mzan.si
90 | linkr.fr
88 | redir.ec
84 | 2.gp
80 | udanax.org
79 | ks.gs
71 | whir.li
71 | qr.net
70 | TinyBP.com
68 | spedr.com
68 | urlzip.fr
66 | tiny.ly
60 | shortn.me
48 | mx.vc
16 | urli.nl
11 | snipurl.com
6 | shrt.st
3 | gd.is
3 | virg10.com
2 | rurls.ru
2 | zipurl.fr
2 | lu2su.net
1 | nutshellurl.com
1 | surl.hu
1 | icy.tsd.to
1 | squeerl.net
1 | 3cm.kz
1 | tuit.in
1 | tqb.qlnk.net
1 | mi13.tk
1 | minu.me
(34 rows)

Some of these are

A full list of the more than 1,000 shortened URLs we've seen follows. Remember, these are MALICIOUS URLs. Don't go there if you aren't trained to deal with this kind of stuff.

count | machine | path
-------+-----------------+--------------
5 | spedr.com | /4y7SQSmS
5 | redir.ec | /tYvk
4 | snipurl.com | /27vmxz
4 | redir.ec | /EcPZ
4 | TinyBP.com | /15kcx
4 | 2mb.eu | /TUQBY8
4 | udanax.org | /ZPLf
3 | 2mb.eu | /W8Li1F
3 | mzan.si | /GwQm
3 | qr.net | /b4e0
3 | linkr.fr | /rLao
3 | tiny.ly | /dPnJ
3 | TinyBP.com | /53wi
3 | whir.li | /3z7g
3 | spedr.com | /G9mJzD3W
3 | 2mb.eu | /T2mMP3
3 | linkr.fr | /Jw7M
3 | udanax.org | /ZP0F
3 | urlzip.fr | /W0T
3 | 80p.eu | /ip
3 | virg10.com | /6t6
3 | qr.net | /b4ev
3 | 2mb.eu | /fKVGJX
3 | mzan.si | /N56x
3 | shortn.me | /igWl
...
(1080 rows)

(List truncated in interest of space -- for the full list of shortened URLs, click here: ACH.shortened.urls.txt.)

While we haven't followed every link, all that we have followed so far redirected to a fake forum page on mnuyspe.co.be (193.105.121.158) where "drive-by" exploits are attempted.

Wednesday, May 04, 2011

Help stop the Osama bin Laden Videos on Facebook

If you have teenage friends, or friends with poor security practices, you will probably notice that your wall has recently filled up with invitations to watch a video of Osama bin Laden being killed.



The behavior of this particular scam is too cause a link to be posted BY YOU on all of your friends' walls. (There is another popular one going around -- "See Who Viewed Your Profile" -- that behaves in the same way. Facebook confirms that there is no app that can do that, and encourages us to use the "REPORT" feature when we see that.

If you click the link, many geeky "redirections" (described at end of article) happen before you end up on a page that looks like this:



The danger starts if you click "Watch Video". DON'T DO IT!

While it would be interesting to explore the Cross Site Scripting vulnerability that allows this to happen, the more important thing to share is "what should a FaceBook user who sees this activity do about this offending post on their wall?"

Whenever you see something objectionable on your wall, the thing to do is REPORT IT!

Hover your mouse over a message on your wall, and a grey "X" will appear at the top right of the message.



When you click the "X" by the top right corner of the wall post, you are presented with a drop down menu. We're going to choose the bottom item -- "Report As Abuse"



Since the post is not "about me", we go to the lower section and choose "Spam or scam"




When we click "OK" we get an option to block the user. Since this is an innocent mistake by our friend, we don't want to "block" the friend, so just check the bottom box that says "Report to Facebook." If our friend is the sort of helpless, clueless individual that clicks on everything they see, eventually we would want to block this friend.



We get a nice "Thank you" from our friends at Facebook Security! These really help the team! They get the messages and use them to prioritize what things need to be addressed. If many reports are received for the same link, or about the same user, those things get addressed more quickly. Different types of reports go to different sub-groups so just because they are busy helping fight something like today's report doesn't mean that they ignore cyber-bullying.

Facebook WANTS YOU to report things that bother you. That's how they keep a clean neighborhood.

Help them help you. REPORT SCAMS!

Then take a moment more and send your friend a friendly message letting them know what's going on. They might want to let the rest of their friends know.

Facebook security has several recommendations, including a couple that I honestly wouldn't have thought of. (I'll put those first)


  1. Unlike the page which tricked you into showing fake video and report them immediately to Facebook. -- in addition to posting the message to your friends' walls, this tricky Facebook worm causes you to "Like" its page. The more "Likes" a page has, the more people are convinced it's real, so it is helpful to go "UNLIKE" the page. (if you've liked it, it will be a choice on the left side menu.)

  2. If a friend is posting suspicious messages to your wall, they may have malicious software on their computer, or may have clicked something bad themselves. Facebook Help says the best thing to do is tell your friend to contact Facebook Help.

  3. If YOU are the one posting the message, this Facebook Help post is for you: Wall posts were sent from my account, and I didn’t send them. It has helpful hints about anti-virus, not clicking on spam, and how to reset your password.

  4. Have up-to-date anti-virus software

  5. Keep an eye for messages that often feature misspellings, poor grammar and nonstandard English. If it doesn't look like a message your friend would type, REPORT IT! It may be related to malware or a malicious app that is using your friend's account!

  6. Do not open spam mails, including clicking links contained within those messages.

  7. Don’t copy and paste any scripts in your Facebook profile. Several scams have worked by encouraging you to paste something odd in your profile. Some of those scripts install apps, grant permissions, or make you do things you wouldn't want to do!

  8. If you’re using Chrome, make sure you don’t paste any scripts in your browser bar, as the browser tries to preload anything you type in the ‘awesome’ bar.




Geek Alert!

Here's an example stream of what happens if you click one of these links ...
In this case, the link is going to pass through several rounds of redirection, which we can see by doing a "wget" of the destination URL. A "301" command makes your browser move on to another web address without really adding any new content.

In the top example, the destination URL is tinyurl.com/3b8uayr

wget http://tinyurl.com/3b8uayr
Resolving tinyurl.com... 64.62.243.89, 64.62.243.90
Connecting to tinyurl.com|64.62.243.89|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://zamakoko.mo.tl/ [following]
--19:51:27-- http://zamakoko.mo.tl/
=> `index.html'
Resolving zamakoko.mo.tl... 174.122.44.67
Connecting to zamakoko.mo.tl|174.122.44.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://on.fb.me/jM9tNF [following]
--19:51:47-- http://on.fb.me/jM9tNF
=> `jM9tNF'
Resolving on.fb.me... 168.143.174.97
Connecting to on.fb.me|168.143.174.97|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.facebook.com/pages/0sama-tape/121566207922629 [following]
--19:51:59-- http://www.facebook.com/pages/0sama-tape/121566207922629
=> `121566207922629'
Resolving www.facebook.com... 69.63.189.16
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.facebook.com/common/browser.php [following]
--19:52:05-- http://www.facebook.com/common/browser.php
=> `browser.php'
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 11,771 --.--K/s
19:52:24 (1.40 MB/s) - `browser.php' saved [11771]

Which leaves us sitting here: