Saturday, January 19, 2013

Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam, Round 2

Six months ago, in July 2012, I wrote about "Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam."

Now in January 2013, hackers and scammers are up to the same tricks.

(If you believe you may have been victimized, you can skip to the bottom for suggestions.)

I've recently received three e-mails from two hacked Yahoo! accounts owned by people I know. Each e-mail contained only a link and no explanatory text, and the subject line was blank.

In each case, the link address contained a directory called "wp-content" which indicates that all these spammed pages were hosted on hacked WordPress blogs (although I later discovered other hacked sites without wp-content in the URL).
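As an added illustration (this is not code from the original post), the three traits described above, a blank subject, a body that is nothing but one link, and a link path containing a "wp-content" directory, can be turned into a simple mail-triage check. The sample messages, addresses and domains below are constructed for the example; the trait names and the two-trait threshold are my own choices.

```python
"""Triage heuristic for the link-only spam e-mails described in the post.

Added example, not from the original article. It parses a raw RFC 822
message and reports which of the three observed traits it shows.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")

# Constructed sample messages (hypothetical addresses and hosts).
SAMPLE_SPAM = """\
From: friend@example.com
To: me@example.org
Subject:
Content-Type: text/plain; charset=us-ascii

http://blog.example.net/wp-content/uploads/hellodear.php
"""

SAMPLE_LEGIT = """\
From: friend@example.com
To: me@example.org
Subject: Lunch next week?
Content-Type: text/plain; charset=us-ascii

Hi, are you free Tuesday? Here's the menu: http://cafe.example.net/menu
"""

# A bare link with a subject and an ordinary path: one trait only.
SAMPLE_BARE = """\
From: friend@example.com
To: me@example.org
Subject: look at this
Content-Type: text/plain; charset=us-ascii

http://cafe.example.net/menu
"""


def extract_text(msg):
    """Return the decoded text/plain body of a parsed message, or ''."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def triage(raw):
    """Return the list of spam traits this message exhibits, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    traits = []
    if not str(msg["Subject"] or "").strip():
        traits.append("blank_subject")
    text = extract_text(msg).strip()
    urls = URL_RE.findall(text)
    # Body consisting solely of a single link, no explanatory text at all.
    if len(urls) == 1 and text == urls[0]:
        traits.append("link_only_body")
    # Any link whose path runs through a WordPress wp-content directory.
    if any("/wp-content/" in urlparse(u).path for u in urls):
        traits.append("wp_content_path")
    return traits


def is_suspicious(raw, min_traits=2):
    """Flag a message once it shows at least min_traits of the three traits."""
    return len(triage(raw)) >= min_traits


if __name__ == "__main__":
    for label, sample in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT),
                          ("bare", SAMPLE_BARE)):
        print(label, triage(sample), "suspicious" if is_suspicious(sample) else "ok")
```

A single trait on its own (a friend who sends a bare link) is common enough that the check only flags a message when two or more coincide; the threshold is a parameter so it can be tightened for a stricter mail gateway.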

At least one of these hacked blogs was using an outdated version of WordPress (3.3.1). One site didn't display the version number. Surprisingly, the third hacked site was actually running the current version of WordPress (3.5). Most often when I've seen hacked WordPress sites they've been running an old version of WordPress for which there are publicly disclosed vulnerabilities.

If a victim clicks on the link in one of these e-mails, which appears to come from someone they know, they land on a page that either says "You see this page because one of your friends have invited you. Page loading, please wait...." before redirecting, or redirects automatically, either right away or after 1 to 5 seconds.

The victim is then redirected to one of three types of sites:
  1. a fake Fox news site advertising a "Raspberry Ultra Drops" weight loss drug, which the site implies is endorsed by television host Dr. Oz (see screenshot below)
  2. a fake CNBC news site advertising a "work from your home" scam; see my June 2012 article about related fake news sites at Sophos' Naked Security blog for lots of details and screenshots
  3. a site specifically for those who clicked on the e-mail link on an Android device (which reportedly attempts to install Android malware; see below)

[Screenshot: A fraudulent site purporting to be Fox News]

Based on an article at Lookout Mobile Security and one of the comments there, apparently the Android-specific redirection leads to (or at one time led to) a file named "Update.apk", a malicious Android app. It appears that as of the last time this file was uploaded to VirusTotal, 32 out of 46 antivirus engines detected it as malware and identified it as one of the following:

Andr/Notcom-A, Android_dc.MK, Android:NotCom-A [Trj], Android.Notcompatible, Android.Notcompatible.A4ad, Android.Proxy.1.origin, Android.Troj.Undef.(kcloud), Android.Trojan.NotCompatible.A, Android.Trojan.NotCompatible.A (B), Android/NoComA.A, Android/NotCompatible.A!tr.bdr, Android/NotCompatible.A.2, AndroidOS_FAKEUPDATES.VL, AndroidOS/GenBl.0B2E9A9E!Olympus, AndroidOS/MalAndroid, Backdoor.AndroidOS.Nisev.a, Backdoor/AndroidOS.bqz, Backdoor/AndroidOS.Nisev, HEUR:Backdoor.AndroidOS.Nisev.a, NotComp.A, TROJ_GEN.F47V1211, Trojan, Trojan:AndroidOS/NoCom.A, Trojan.AndroidOS.NoCom, Trojan.AndroidOS.NoCom.a (v), Trojan.Nisev.bdokyh, UnclassifiedMalware

Following are various file names that may be found in a directory on one of the hacked sites. Based on my investigation into the similar hack/spam/fraud campaign last July, I am certain that this is not an exhaustive list of file names. (In fact, I observed that additional files with different names appeared within just the past few hours on one hacked site while I was writing this article.) Note that the links below lead to VirusTotal scan reports, NOT the files themselves.

111a.php, addht.php, avmdkg.php, bhesp.php, biokrls.html, bjsdvs.php, bonuspack.php, casualwor.php, cizxusod.php, colsdj.php, conneng.php, creatives.php, curioso.html, dgjdgs.php, dsfv.php, dspvs.php, duna.php, dwncst.php, ebolsg.php, enjslol.html, eopikal.html, etheha.php, fbgogos.php, firstfight.php, fkbmns.php, fogjlop.html, foglsd.php, fpbs.php, frnds.php, fusion.php, fvcagex.php, fvjsvg.php, gbdlg.php, gdkedns.php, geopic.php, gfobnd.php, ghsakl.html, gjuk.php, gnslfs.php, gsm.php, hamiltons.php, hellodear.php, helpsx.php, hposvds.php, ikhkjskl.php, j.php, jhikdba.php, kawabagga.html, kawabangas.php, kllem.php, mainats.php, maincl.php, mainx.php, makoler.html, ndold.php, newinform.php, newsts.php, nextgt.php, nmklsi.php, nwmslck.php, odnhgls.html, ofneg.php, ornvls.php, pdklsa.php, pmcntr.php, privsek.html, rcccy.php, rcctm.php, ronnd.php, rtebcsw.php, SanFrancisco.htm, saweg.php, stesa.php, stndrt.php, unitds.php, upmlc.php, vghjdk.php, vozivapso.php, wmnhl.php, wrvfsfd.php, xdll.php, xhjg.php, xxxxjs.php, yahmlc.php, yepyep.php, yiTUdso.html, youranswerrr.php, zjgfnwe.php

These files have rather low detection rates by major antivirus engines; a few redirection files are currently not detected at all, and even the best-detected ones are flagged by only 14 out of 46 engines. Thus there's a pretty good chance that your antivirus software won't detect these Web pages as malicious. The files are identified as any of the following types of malware (or similar names):

HTML:Redirector-AI, HTML:Redirector-AI [Trj], HTML:RedirME-inf, HTML:RedirME-inf [Trj], HTML:Refresher-A, HTML:Refresher-A [Trj], HTML.Redirector, HTML.RedirME, HTML.Refresher, JS:Redirector-AAC [Trj], JS.A.Redirector.336, JS.A.Redirector.340.A, JS.A.Redirector.341, JS.A.Redirector.412.A, JS/Redirector.PN, JS/Redirector.WB!tr, TROJ_GEN.F47V0108, TROJ_GEN.F47V0109, TROJ_GEN.F47V0114, TROJ_GEN.F47V0115, TROJ_GEN.F47V0116, TROJ_GEN.F47V0118, TROJ_GEN.F47V1228, TROJ_GEN.F47V1229, TROJ_GEN.RCBH1I4, TROJ_GEN.RCBH1I5, TROJ_GEN.RCBH1IA, TROJ_GEN.RCBH1IK, TROJ_GEN.RCBH1J8, TROJ_GEN.RCBH1JN, Trojan.JS.Redirector, Trojan.JS.Redirector (A), Trojan.JS.Redirector.ASR, Trojan.JS.Redirector.ASR (B), Trojan.JS.Redirector.wb, UnclassifiedMalware

One file was rather different from the rest: gsm.php. This file had an 18/46 detection rate on VirusTotal, and it was identified as a PHP shell backdoor by the antivirus engines that detected it:

Backdoor, Backdoor:PHP/C99shell.R, Backdoor.HTML.EMO.D, Backdoor.HTML.PHPShell-Interface (v), Backdoor.PHP.C99Shell, C99Shell.CX, EXP/C99Shell.W, Exploit.C99Shell.Gen, HTML:Shellface-D, HTML:Shellface-D [Trj], HTML/Shellnine.A, PHP/BackDoor.AO, PHP/C99Shell.A, PHP/C99shell.R, PHP/CShell.Y, Trojan.Html.C99Shell.dwlsk, Trojan/PHP.Shell

Following is a list of some of the domains to which these pages attempt to redirect. Note that the links below lead to the Web of Trust reports for each domain, NOT the domains themselves.

194.60.242.54 (the site hosting Android malware), allnewsjob.ru, foxfoxnws.com, foxfxnws.com, foxnews.top10.super.fxpublication.com (a subdomain of fxpublication.com), fx-nwstop.com, fxnew12.com, fxs-news.com, fxsclocks.com, fxsnws24.com, fxsyounews.com, fxx-news.com, fxxnws24.com, greatlifechance.net, homeincomenow10.com, homeincomenow6.com, hot-foxnws.com, journals26.com, life-news1241.ru, lifenews241.ru, msnb21.com, msnb24c.com, mynewstop.com, news1241.ru, newsfoxs.com, newsonlinework.com, njournal24.com, nws5fxs.com, nwsfxs.com, online18work.com, onlinebestnews.ru, raspberryhots.com (purchasing site), raspbuyberry.com (purchasing site), rasptrims.com (purchasing site), slimsfox.com, story29.com, story76.com, topfox24.com, toplastnews.ru, workfromyourhome15.com, workfromyourhome8.com, workinghome31.com, workinghome46.com, workinghome47.com, xtranws.com

What To Do If Your E-mail Account Has Been Hacked

If your e-mail account has been hacked and you can still log into it, change your password immediately, and be sure to use a good, strong, long, and unique password; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages. Keep your new password exclusive to this e-mail account; don't reuse your password on any other site. Send an e-mail to your contacts (please use BCC rather than To or CC) asking them to delete any recent e-mails from your account that just contained a link (and if you want, you can suggest that they read this article if they clicked on the link). If you used your old password on any other sites, change your passwords at those sites as well (and be sure to use different passwords than the new one you just created for your e-mail account). If your e-mail provider has security questions as a backdoor if you forget your password (e.g. Yahoo!), change your security questions and answers, and be sure not to choose answers that other people might know or be able to find out about you. It wouldn't hurt to scan your computer for malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc, or Sophos' Virus Removal Tool which can be run alongside your existing antivirus software). If your e-mail provider has an option to enable two-factor authentication (for example, sending you a code via SMS text message whenever someone tries to log in), enable this option for better security. Never log into your e-mail from a public computer (for example at a hotel or library) or while connected to a public Wi-Fi network (for example at a restaurant, coffee shop, or airport). See also this Sophos article for additional tips on how to protect your e-mail accounts.

What To Do If Your Web Site Has Been Hacked

If your Web site has been hacked, don't merely delete the files listed above. If possible, restore your server from a clean backup. Scan for rootkits and other malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc). Change all passwords on the server, and be sure to use good, strong, long, and unique passwords; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages. Disable any services you don't use on your server. Make sure all the software on the server (WordPress, Apache, etc.) is up to date and has all the latest security patches. See also this Sophos article for additional tips on how to protect your Web servers.
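Two of the steps above, checking that WordPress is current and finding the planted redirector and shell files before deciding what to restore, can be scripted. The following is an added example, not code from the original post: it reads the installed version from wp-includes/version.php and compares it with 3.5 (the release the post names as current), then walks wp-content for PHP/HTML files carrying the indicators the post attributes to these files (a meta refresh, a timed JavaScript location redirect, an eval/base64_decode chain, or a C99-style shell banner). The indicator patterns are my own heuristics and will also match some legitimate theme or plugin JavaScript, so treat the output as a review list, not a deletion list. The sample tree is built in a temporary directory; the two suspicious file names are taken from the post's list, but their contents are constructed for the example.

```python
"""Post-compromise triage for a WordPress document root.

Added example, not from the original article. Version check plus an
indicator scan of wp-content; all sample content below is constructed.
"""
import os
import re
import shutil
import tempfile

CURRENT_WP_VERSION = (3, 5)  # the release the post cites as current (Jan 2013)

VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([\d.]+)['\"]")

# Indicator name -> pattern. Heuristic; expect some false positives in
# legitimate JavaScript, so use the result to prioritise review.
INDICATORS = {
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv=['\"]?refresh", re.I),
    "js_redirect": re.compile(r"(window\.|document\.)?location(\.href)?\s*=[^=]", re.I),
    "timed_redirect": re.compile(r"setTimeout\s*\(", re.I),
    "eval_decode": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    "shell_banner": re.compile(r"c99shell|r57shell", re.I),
}


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def installed_version(docroot):
    """Version tuple read from wp-includes/version.php, or None if absent."""
    path = os.path.join(docroot, "wp-includes", "version.php")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as f:
        m = VERSION_RE.search(f.read())
    return parse_version(m.group(1)) if m else None


def scan_wp_content(docroot):
    """Map of docroot-relative path -> indicator names for every flagged file."""
    findings = {}
    base = os.path.join(docroot, "wp-content")
    for dirpath, _, files in os.walk(base):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                data = f.read()
            hits = [k for k, rx in INDICATORS.items() if rx.search(data)]
            if hits:
                findings[os.path.relpath(full, docroot).replace(os.sep, "/")] = hits
    return findings


def audit(docroot):
    ver = installed_version(docroot)
    return {
        "version": ver,
        "outdated": ver is not None and ver < CURRENT_WP_VERSION,
        "findings": scan_wp_content(docroot),
    }


# Constructed sample tree: an outdated install, one redirector page, one
# file with shell-style indicators, and one benign theme file.
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.3.1';\n",
    "wp-content/uploads/hellodear.php": (
        '<meta http-equiv="refresh" content="3;url=http://example.invalid/">\n'
        '<script>setTimeout(function(){window.location="http://example.invalid/";},3000);</script>\n'
    ),
    "wp-content/uploads/gsm.php": "<?php /* c99shell */ eval(base64_decode('ZWNobyAxOw=='));\n",
    "wp-content/themes/sample/index.php": "<?php get_header(); ?>\n",
}


def run_demo():
    """Build the sample tree in a temp dir, audit it, clean up, return the report."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    try:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(content)
        return audit(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = run_demo()
    print("WordPress", ".".join(map(str, report["version"])),
          "(outdated)" if report["outdated"] else "(current)")
    for path, hits in sorted(report["findings"].items()):
        print(path, "->", ", ".join(hits))
```

To run it against a real document root, call audit("/path/to/docroot") instead of run_demo(); the report is plain data so it can be logged or diffed against a clean backup before the restore.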

What To Do If You Clicked On a Link

If you clicked on a link in one of these e-mails, don't panic. If you entered your credit card number on one of the sites, call your credit card provider to report the fraudulent transaction and follow their instructions and advice; you may need to cancel that card number and get a new card. If you visited a link on your Android device, you probably only need to worry about infection if you installed the Update.apk file. If you installed it, you can try restoring your Android device from a backup (assuming you have one) and/or install antivirus software such as Sophos Mobile Security (which is free) onto your device to clean up the infection. If you visited a link on your PC, for your own peace of mind you may wish to scan your computer for malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc, or Sophos' Virus Removal Tool which can be run alongside your existing antivirus software). If you visited a link on your Mac, for your own peace of mind you may wish to scan your computer for malware (if you don't have antivirus software, you can get free Mac antivirus software from Sophos for home use, or get a free trial of a security suite from Intego). If you visited a link on your iPhone or iPad, you probably don't have anything to worry about as long as you didn't enter your credit card information on one of the sites.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Monday, January 7, 2013

Basic Computer and Mobile Security Tips

by Kylene Long

Whether you are a Mac or Windows user, iOS or Android user, your computer or device is potentially vulnerable to infection. You should be cautious about where you go on the Web, what links you click on, and what apps you install.

One way to avoid visiting potentially harmful sites is to use Web of Trust (WOT), a plug-in for desktop browsers that can help you decide whether or not a site might be safe to visit. It uses simple stoplight colors (red, yellow, and green, with an alternative setting for colorblind users) to indicate potentially harmful and likely safe sites. With the WOT plug-in installed, when you search the Web with sites like Google and Bing you'll see colored circles next to each search result so you can have some idea of how trustworthy the site is before you click. If you ever accidentally visit a page that has a poor rating, the plug-in will display a warning. WOT's browser add-on is useful for computer experts and novices alike.

Also, don't always trust that you are typing in a Web address (URL) correctly. Look in the address bar to verify that what you've typed is correct before you press a button to go there. When you're not sure about the spelling of a site or whether it ends in .com or .org for example, or if you make frequent typos, you can alternatively do a Google search for the site's name instead of trying to type it from memory; normally the site you want is within the top few hits. Once you've found the site, you can bookmark it to make it easier to return to later.

Visiting links isn't the only thing to be cautious about. It's also wise to be careful when installing software on your computer or mobile device, including apps from popular app stores like Apple's iOS or Mac App Store, Google Play Store, or Amazon Appstore.

Just because Apple and Google have a vetting process for apps doesn't mean that nothing undesirable ever slips past their app review processes (it happens—and more often than you might think). Always check the ratings on an app before downloading it. If an app has hundreds of reviews and an overall positive rating, it's probably safe. Be aware that there are some look-alike apps out there that at first glance may appear to be popular apps, or affiliated with popular app makers. Checking customer reviews can sometimes help you avoid the more shady apps.

Consider this: If you met a random stranger on the street, would you hand them your phone and let them do whatever they want with it, unsupervised? Whenever you visit a site you've never been to before, or install an app that you've never heard of, you should be aware that you're taking a risk. Obviously there's some risk inherent in doing anything; even legitimate sites can be hacked, for example. But it's still a good idea to keep your guard up, even if you use a Mac or an iPhone, iPad, or other smartphone or tablet.


Wednesday, January 2, 2013

Get Windows 8 Pro for $39.99 by January 31

Do you still have Windows XP on your computer? Unless you have plans to replace that computer within the next 15 months, now's a good time to upgrade your operating system.

Until January 31, 2013, Microsoft is offering upgrades to Windows 8 Pro for only $39.99 for all users of Windows XP SP3, Windows Vista, and Windows 7.

Given that Windows XP will only get security updates until April 2014 (only a year and 3 months from now), and given that the cost of the upgrade after this month will reportedly jump to $199, this is a great opportunity for PC users to move to a newer and more secure operating system without having to spend a lot of money.

And if you're a Mac user with an old version of Windows on a Boot Camp partition or in a virtual machine like Parallels Desktop, VMware Fusion, or Oracle VirtualBox, Microsoft is offering the same upgrade pricing for you as well.

Before you make the jump to Windows 8, you'll have to ensure your system can handle it (in particular, you may need to buy a RAM upgrade first), and there are other considerations to keep in mind as well. Read more details in my article at The Mac Security Blog:

Upgrade to Windows 8 Pro on Your Mac

Then read the system requirements and download the upgrade from Microsoft:

http://windows.microsoft.com/en-US/windows/buy
