1. Zeus/Zbot/Spybot spam messages

Every week we talk about the latest spam run that is out there luring users to websites that use the Blackhole exploit kit to install various pieces of malware on their PCs.

Normally, users are tricked by a malicious spam email containing a link that, when followed, eventually infects the user's PC.

The spammers also use another technique that is much simpler and needs no exploit kit at all: the messages carry the malcode in a ZIP file attachment. Often it's the same malware the exploit kit would have installed, but the bad guys are hoping their victims will be gullible enough to simply run the EXE.

Often they're right. If the victim can be tricked into executing the malware immediately on his or her own computer, the bad guys don't need to deliver an exploit via a malicious URL at all.

To see this in action, look at the example below. The email claims to be from "KingCountyEcommerce@KingCounty.gov" (which is not a working email address) and concerns overdue property taxes.

exe threat

The attachment is, as always, a ZIP containing an EXE. Most people’s reaction to this would probably be something like: “What?  I don’t even own property in King County, this must be a mistake, or worse….”

That would prompt them to double-click the attachment to investigate. Then, as the expression goes, "it's all over red rover" as the bot malcode infects their machine.


Here are some more lures from the same family, purporting to be from the IRS, FedEx and USPS.

IRS scam

FedEx scam

USPS threat

One very important fact to remember is that the address shown in the "From" line proves nothing: spam almost never comes from the address it claims, because any header in an email message can be forged. (The only real assurance comes from sender authentication such as SPF, DKIM and DMARC, which the receiving mail server checks and which most users never see.) If the email looks suspicious, if you don't normally get emails from your bank, or if you haven't ordered any packages, don't follow the link and don't open the attachment.

If it is just too much for your curiosity and you absolutely must check, go directly to your bank, FedEx, USPS, IRS or other ecommerce website by typing the address yourself rather than following the link, email them directly, or pick up the phone.

Probably the best advice is: if you are the least bit suspicious, delete the email or report it to your IT department.
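The two warning signs in the King County example, a sender that cannot be trusted and a ZIP wrapping an EXE, are easy to check mechanically before anyone double-clicks. The following Python script is an added example, not code from the original post or from any product it mentions: it builds two constructed messages (a copy of the property-tax lure and a benign notice whose envelope sender matches its From: line), then triages each by comparing the From: domain with the Return-Path: domain, reading the receiving server's Authentication-Results header for SPF/DKIM/DMARC failures, and unpacking ZIP attachments to look for executable or double-extension file names. Apart from the lure's KingCounty.gov sender address, every address, relay host, file name and the two extension lists are assumptions made for the demo.

```python
"""Added example (not from the original post): triage a raw e-mail for the
lure pattern described above, a forged From: header and a ZIP attachment
carrying an executable.  Both sample messages are constructed here."""
import email
import io
import posixpath
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs on double-click (assumed starter list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions used to disguise "notice.pdf.exe" style names (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".htm"}


def sender_domain(header_value):
    """Domain part of the address in a From:/Return-Path: header, lower-cased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def name_findings(name):
    """Flag executable and decoy-extension file names (used for zip members too)."""
    root, ext = posixpath.splitext(name.lower())
    out = []
    if ext in EXECUTABLE_EXTS:
        out.append("executable:" + name)
        if posixpath.splitext(root)[1] in DECOY_EXTS:
            out.append("disguised-extension:" + name)
    return out


def triage(raw):
    """Return a list of finding strings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    rp_dom = sender_domain(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from-mismatch:{from_dom}!={rp_dom}")
    # The receiving MTA records SPF/DKIM/DMARC results here; a fail is strong evidence of forgery.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth):
        findings.append(f"auth:{mech}={result}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        findings.extend(name_findings(name))
        if isinstance(data, bytes) and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.extend("zip-" + f for f in name_findings(member))
    return findings


def _message(from_addr, return_path, auth_results, attachment):
    """Assemble a constructed message; attachment is (filename, MIME subtype, bytes)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "victim@example.com"  # constructed recipient
    msg["Return-Path"] = return_path
    msg["Authentication-Results"] = auth_results
    msg["Subject"] = "Overdue property taxes"
    msg.set_content("Please review the attached notice.")
    fname, subtype, data = attachment
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=fname)
    return msg.as_bytes()


def lure_sample():
    """Constructed copy of the King County lure: a ZIP wrapping a fake 'PDF' EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Property_Tax_Notice.pdf.exe", b"MZ-inert-stand-in")  # not real malware
    return _message(
        "KingCountyEcommerce@KingCounty.gov",
        "<bounce-4471@mail-relay.example.net>",  # constructed envelope sender
        "mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none",
        ("Property_Tax_Notice.zip", "zip", buf.getvalue()),
    )


def benign_sample():
    """Constructed legitimate notice: sender and envelope agree, plain PDF attached."""
    return _message(
        "notices@kingcounty.example",
        "<notices@kingcounty.example>",
        "mx.example.com; spf=pass smtp.mailfrom=kingcounty.example; dkim=pass",
        ("Property_Tax_Notice.pdf", "pdf", b"%PDF-1.4 constructed stub"),
    )


if __name__ == "__main__":
    for label, sample in (("lure", lure_sample()), ("benign", benign_sample())):
        print(label, triage(sample))
```

Run it directly to print the findings for both samples. The extension lists are a starting point, not a policy, and the page's own advice still applies: a "fail" in Authentication-Results is strong evidence of forgery, but a "pass" only tells you the sending domain is the one it claims, not that it is one you should trust.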

2. Malware installed via drive-by exploit kits: XP Home Security 2012, XP Internet Security 2012, and XP Security 2012 rogues.

In the last week we have been seeing rogue security products, installed by drive-by exploit kits, appearing with 2012 version names in their graphical interfaces. They're all clones of the same product with slightly different names, meant to confuse potential victims and anti-virus researchers alike.

XP Home Security 2012

XP Internet Security 2012

XP Security 2012

Drive-by ransomware installations

Drive-by installs of ransomware this week include phony notices from the German Bundespolizei "National Cyber Crimes Unit" that claim to have found child pornography and terrorist-related correspondence on the victim's machine, which the malware then locks. The malcode's splash screen says the little matter can be cleared up if the victim pays 100 Euros (about $131 USD).

(screenshot: the Bundespolizei ransomware lock screen)

3. Facebook Scams

The usual Facebook scams have been doing the rounds in the last week with no new lures, just many of the same old ones: celebrity sex tapes, shocking videos and bogus death stories.

Facebook scams

The top scam on Facebook remains the "install the YouTube premium plugin to see the video" lure, aimed at Firefox and Chrome users. YouTube doesn't actually have a "premium" plugin; it's an invention of the malicious operators.

Facebook video scam

Most sites distributing the "premium plugin" are hosted on blogspot.com, Google's free blog-hosting domain, so keep your eyes peeled for that in the URL.

blogspot url