Archive for the ‘Panda News’ Category

February 16th, 2012

Bot shopping with my wife

When my wife told me she had received an email with a purchase confirmation for something she hadn’t bought, my first thought was:

How can she even remember what she bought? She buys thousands of clothes online; she probably just doesn’t remember this one, and it wouldn’t be the first time ;)

After she told me 1,000 times she had not bought anything from that store, I decided to take a look at it. It really looked like a legit message, so I asked her again. She looked at me in a way that only your better half can, and at that moment I understood that my life was at risk if I dared to ask again.

I looked at it again and it turned out it was not a legit email. Cybercriminals often use this kind of social engineering technique, but the messages are usually less elaborate than this one:

When you click on the link to view the order, you are taken to a different place: as it is an HTML message, the real link cannot be seen in the text, so the user thinks they will see the actual order. Then you are asked to download the following file:

As you can see, the file name is the same as the subject of the message and the fake order number, and it uses the Acrobat icon to fool users into opening the file, as they will think it is a PDF: most users have their systems configured to hide known file extensions, so they would not see the .exe that you can see in the picture.

Once you have done it… bad news, this is a nasty Trojan with bot capabilities. It is designed to steal all kinds of personal information: from Bank of America customers to players using the game platform Steam. And it will log everything you do on your computer, so the next time you go to Facebook, Gmail, etc. your passwords will be sent to the cybercriminals.

Doing some reversing I found out it also looks for some other Trojans, mainly competing bots such as Zeus, DarkComet, etc., and removes them if they are on the system. As Sean Connery (Ramirez) said in the film Highlander: “In the end there can be only one.”

Once installed, it creates a registry entry to ensure it is executed every time the computer starts. It uses the name “Windows Defender” for that registry entry, so if the user sees it he will think it is some kind of legit application. It also modifies some values in the registry to bypass the firewall (very important when you intend to send out the stolen data).
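The three indicators above (a document-looking .exe name, a Run-key entry that borrows the name “Windows Defender” while pointing into a user profile, and a firewall policy change) can be checked offline from an exported list of autorun entries. The following Python is an added example written for this page, not code from the post or from Panda; it assumes the EnableFirewall value under FirewallPolicy is the setting the Trojan changes (the post does not name it), and the sample entries and order number are constructed.

```python
import ntpath
# Extensions a victim is meant to believe the attachment has, and the ones
# Windows actually executes on double-click.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Product names a persistence entry may borrow, mapped to where the genuine
# binary is expected to live (hypothetical allow-list with one entry).
IMPERSONATED = {"windows defender": "c:\\program files\\windows defender\\"}
USER_WRITABLE = ("c:\\users\\", "c:\\documents and settings\\",
                 "c:\\programdata\\", "c:\\windows\\temp\\")
FIREWALL_PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")

def spoofed_document_name(path: str) -> bool:
    """True for names like Order_98412.pdf.exe: an executable extension hidden
    behind a document extension (invisible when Explorer hides known types)."""
    parts = ntpath.basename(path).lower().split(".")
    return (len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS
            and "." + parts[-2] in DOCUMENT_EXTS)

def exe_path(command: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    return command.split(" ", 1)[0].lower()

def suspicious_run_entry(name: str, command: str) -> bool:
    """Flag a Run value whose name impersonates a known product but whose binary
    is outside that product's directory, or whose binary is in a user-writable path."""
    path = exe_path(command)
    expected = IMPERSONATED.get(name.strip().lower())
    if expected is not None and not path.startswith(expected):
        return True
    return path.startswith(USER_WRITABLE)

def firewall_disabled(policy_values: dict) -> bool:
    """True when any profile under SharedAccess\\Parameters\\FirewallPolicy has
    EnableFirewall = 0 (assumed to be the value the post's Trojan changes)."""
    return any(policy_values.get(p + "\\EnableFirewall") == 0
               for p in FIREWALL_PROFILES)

def audit(run_entries, firewall_values) -> list:
    """Return one finding per indicator; an empty list means nothing matched."""
    findings = []
    for name, command in run_entries:
        if suspicious_run_entry(name, command):
            findings.append("persistence: " + name + " -> " + exe_path(command))
        if spoofed_document_name(exe_path(command)):
            findings.append("spoofed document name: " + exe_path(command))
    if firewall_disabled(firewall_values):
        findings.append("firewall disabled via FirewallPolicy")
    return findings

# Constructed sample data: an export of Run keys and FirewallPolicy values.
SAMPLE_RUN = [
    ("Windows Defender", '"C:\\Users\\maria\\AppData\\Roaming\\Order_98412.pdf.exe"'),
    ("Adobe Reader Speed Launcher", '"C:\\Program Files\\Adobe\\Reader\\reader_sl.exe"'),
]
SAMPLE_FIREWALL = {"StandardProfile\\EnableFirewall": 0,
                   "DomainProfile\\EnableFirewall": 1}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN, SAMPLE_FIREWALL):
        print(finding)
```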

Lessons learnt:

1.- Your wife is always right, and if she tells you something you don’t need to ask about it again.

2.- Remember everything you buy online to avoid being fooled.

See the original post:
Bot shopping with my wife

January 31st, 2012

PandaLabs Annual Report – 2011

Today we are publishing the PandaLabs report, where you can find an overview of the main security news of the last 12 months, as well as the key figures. You will see how malware creation hit a new record high in 2011 with 26 million samples, that Trojans continue to be the most pervasive malware threat, some nice stories about cybercrime and cyberwar, and some other information about social networks.

I really hope you enjoy it; you can download the report here.

January 26th, 2012

Katy Perry and Russell Brand baits to spread a new Facebook worm

Once again, user curiosity becomes cyber-criminals’ best ally. Scammers exploit people’s interest in celebrities to infect users. We have recently detected a new Facebook scam that uses a fake video of singer Katy Perry and ex-husband actor Russell Brand to trick users.

If the user clicks the link, they are taken to a fake Facebook page where they are invited to download a plug-in to watch the video.

The page indicates that over 4,000 people have already clicked the “Like” button, which is used by the scammers to trick victims into believing that the video is legitimate.

If the user tries to play the video, the worm will act differently depending on the browser used. If you use Firefox or Chrome, the worm installs a browser plug-in and uses it to post the scam to the victims’ friends’ pages. On Internet Explorer, the worm displays an age verification page to access an application called “X-Ray Scanner”.

Then, before the user can take any other action, the browser takes them to a typical scam site where they are asked to enter their phone number. However, if they do so, they will start receiving unwanted premium rate text messages.

Here are some tips on how to avoid falling victim to this type of scam:

- Be wary of websites offering sensational videos or unusual stories.
- Before you click on a link sent by one of your contacts, make sure it has been intentionally sent by your friend and it is not the result of a massive scam like this one.
- Don’t accept friend requests from people you don’t know. This will help keep your privacy safe.
- Always keep your computer’s operating system and Web browsers up to date, and make sure you have an up-to-date antivirus solution installed.

If, however, you suspect you have fallen into the trap:

- Check your browser plug-ins and remove any suspicious ones.
- Check the applications that have permission to access your Facebook account, and delete those you don’t know.
- Change your Facebook account password. If you use the same credentials to sign in to other services as well, change them too. It is always better to take all necessary precautions.

January 24th, 2012

Sex, lies and Twitter

Last week we got a new follower on Twitter, Alena Edwards:

No tweets so far; the only information about “her” is the message in her profile, where she’s looking for funny guys and gives us a link. It is probably a spammer, but instead of tweeting links she just put the spam link in the profile description. So let’s see what happens when we go there:

It looks like the typical dating site, maybe not for regular relationships but for spicier moments… It is amazing how many hot girls are there alone looking for some friends ;) Take a look at some of the pictures I could see there:

After checking there were no exploits, etc., I tried to get some more info about that domain, and this is what I got:

So the site was created the day before Alena started following us. Then I created an email address to register on the site, filling in all the fields. Once I did it I was registered, but not on the domain I was on, but on a new one, called XXXBlackBook. I was told I was going to receive an email from them to activate my account, so I went to check my inbox and there was the message:

Once I did it I could access the site as a regular member. On the same website you have an inbox where other members can send you messages, and in a few minutes I got a new one:

To continue my research, I clicked on the message to take a look at it, but sadly I got this:

So you can get messages but to read them you have to upgrade to a silver or gold account… and it is not cheap:

When I took my credit card my wife came to the room and I had to stop the research ;)

January 20th, 2012

Megaupload and the cybercrime fight

As most of you already know, yesterday Megaupload was closed by the FBI, accused of “copyright infringement”. You can read the FBI’s press release here, where the details of the case are explained, and you can see how each accused person in this case could face 50 years in jail.

We should be concerned, as the next step could be to close Google or Bing; at the end of the day we all use them to find the stuff we want, and I have seen many times results in those search engines with Megaupload links. And what next? Will they close the Internet?

Anonymous has of course reacted, and has started DDoS attacks against a number of different websites; among the targets we can find the Department of Justice, the RIAA, and Universal Music. Again, the best Anonymous is able to come up with is to launch DDoS attacks. They could try to give information to the people, etc., but that is boring for them; it is way more fun to break the law.

Going back to the press release, you can also read this:

This case is part of efforts being undertaken by the Department of Justice Task Force on Intellectual Property (IP Task Force) to stop the theft of intellectual property.

Meanwhile, in the real world, thousands of millions of dollars are stolen every year by cybercriminals (real money, taken from users’ credit cards and bank accounts). But as long as there is no theft of intellectual property, that’s ok. Wait a moment, is that OK? Maybe some priorities should be adjusted.

January 19th, 2012

The Rise of the Ransomware

In the last few months we have seen an increase in ransomware attacks. While the first ones we saw posed as Microsoft and threatened the user because a pirated version of Windows had been detected, and if you didn’t pay the fine they would contact the local law enforcement agencies, the new ones pose as the very same law enforcement agencies.

While we are used to seeing this kind of fake message in English, in this case the attacks are localized: we have seen them in English, German, Spanish or Dutch (among others), depending on the targeted country. All of the attacks target some European country, so it looks like all of them are related and the same cybercriminal gang could be behind them.

The latest one appeared a couple of days ago, this time targeting Spain. The file uses the following Internet meme as its icon:

Once infected, this is what you will see on your desktop:

The message says that access to illegal material (such as child pornography and terrorism-related spam) has been detected from that computer, and that the computer will be locked to prevent such use. To unlock it you have to pay a fine of €100:

The worst thing for the user is that it actually locks the computer, so it is not easy to remove. To do it, restart the computer in safe mode and run a scan with an antivirus solution that is able to detect it.

These are different examples we have seen in the last few months (screenshots of the localized messages):

English, Italian, Dutch, German, Spanish

December 16th, 2011

2012 Security Trends

2011 is coming to an end, so now it’s time to try to see what we have to expect for the next 12 months:

  • Social networks: Social engineering techniques exploiting users’ weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential elections will be used as bait. Cybercriminals will continue to target social media sites to steal personal data.
  • Malware increase: In the past few years, the number of malware threats has grown exponentially, and everything seems to indicate that the trend will continue in 2012. In fact, malware is the weapon used by cybercriminals to carry out their attacks.
  • Trojans: they are cyber-crooks’ weapon of choice for their attacks, as shown by the fact that three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users’ computers and steal their information.
  • Cyberwar: or maybe it is more accurate to say cyberespionage. 2011 has been the year with the most intrusions ever aimed at companies and government agencies. From New Zealand to Canada, from Japan to the European Parliament, there have been countless attacks aimed at stealing secret or classified information. We live in a world where all the information is in digital form, so modern-day spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access the best-kept secrets of organizations without ever leaving their living rooms. In 2012 we will see even more of these kinds of attacks.
  • Mac malware: As the market share of Mac users continues to grow, the number of threats will grow. Fortunately enough, it seems that Mac users are now more aware that Mac is not immune to malware attacks and they are increasingly using antivirus programs, hindering cyber-crooks. The number of malware specimens for Mac will continue to grow in 2012, although much less than for PCs.
  • Mobile malware: Over ten years ago, antivirus companies started making dire predictions of a mobile malware epidemic. Years later, as the situation was not as apocalyptic as predicted, they started claiming that the installation of antivirus software on mobile phones had prevented the catastrophe. Well, they were wrong again. If having an antivirus solution were enough to solve all types of malware problems, the world would be a happier place. Unfortunately, users and security vendors alike are in the hands of cyber-crooks, who are the ones who decide which platform to target. In this context, last year PandaLabs predicted a surge in cyber attacks on mobile phones, and the fact that Android has become the number one mobile target for cyber-crooks in 2011 confirms that prediction. In 2012 there will be new attacks on Android, but not on a massive scale. New mobile payment methods, via NFC for example, could become the next big target for Trojans but, as always, this will largely depend on their popularity.
  • Malware for tablets: The fact that tablets share the same operating system as smartphones means that they will be soon targeted by the same malware as those platforms. In addition, tablets might draw a special interest from cyber-crooks as people are using them for an increasing number of activities and they are more likely to store sensitive data than, say, a smartphone.
  • Cybercriminals targeting small to medium-sized companies: Why do cybercriminals target online banking customers instead of directly attacking banking institutions to steal money? The answer to this question has to do with the cost-benefit ratio of the attack: Financial entities are usually very well protected, and the chance of launching a successful attack is remote and very costly. However, attacking their customers to steal their identity and impersonate them is much simpler. The security of small to medium-sized companies is not that strong, and this makes them very attractive for cyberthieves, who can steal data from hundreds or thousands of users in one go. On many occasions, small to medium-sized companies do not have dedicated security teams, which makes them much more vulnerable.
  • Windows 8: The next version of Microsoft’s popular operating system is scheduled for November 2012, so even though it is not expected to have much of an impact on the malware landscape in the coming year, it will surely offer cyber-crooks new opportunities to create malicious software. Windows 8 will allow users to develop applications for virtually any device (PCs, tablets and smartphones) running Windows 8, so it will be possible to develop malicious applications like those for Android. This, in any event, will probably not take place until 2013.

December 2nd, 2011

Could targeted attacks be avoided?

This could be a long blog post, but I’ll try to make it short. For those of you who are lazy, here is the answer to the question; those interested in the whole story (I will make it short, I promise) just follow the * mark:

NO (*)

(*): One of the characteristics of a targeted attack is that the attacker has previously studied the victim (who is a specific person or organization). The attacker will study the victim: which systems they run, where the most valuable information is located, what defenses are in place, etc. And not only that: the person(s) will also be investigated, which fields they work in, what hobbies they have, etc. This is why it is almost impossible to avoid these kinds of attacks. However, this is not a reason to lower our defenses, and that’s something that really puzzles me: looking at some of the major attacks we have seen in the last few years, many of them were possible because there were servers with no antivirus protection, with an outdated operating system, etc. In a single word: negligence.

However, this is not always the case. If we take a look at the 2 most important attacks that happened during 2011 (the RSA incident and the Duqu case) we will see that both attacks were really sophisticated, and that the way to start the intrusion was a mix of social engineering and some kind of software vulnerability. I would like to point out that in both cases users received a document, and once it was opened the document dropped and ran a file on the system, and from that moment on the system was compromised. Of course, these kinds of attacks can be done using known or unknown vulnerabilities, and you could argue that a user has no way to detect that a document is malformed in that way, and that the antivirus won’t detect a single thing, as the malware will be new and the attacker has previously checked that the pieces involved were not detected: fair enough, I agree with that.

And what if I tell you that if they had used Panda the attack would have failed? In 2004 we released the TruPrevent technologies, with the goal of detecting a portion of brand new malware, the kind that was still not detected by signatures. Since then we have included those technologies in our products, and one of them basically prevents a file from being downloaded and executed when a document is opened. Smart, nice, clean… :)
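The behaviour the post describes, a document viewer dropping a file and then running it, can be expressed as a simple process-telemetry rule. The Python below is an added example for this page, not Panda’s TruPrevent code or any vendor’s rule; it assumes a chronological stream of process-start and file-write events (constructed here) and flags an executable written by a document handler that is then launched by that handler or one of its descendants.

```python
from collections import namedtuple

# Applications that open documents and should not normally be writing new
# executables and then launching them.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "acrord32.exe", "wordpad.exe"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".pif")

# One telemetry record. kind is "start" (process creation: pid/ppid/image/path
# of the new process) or "write" (pid wrote the file at path; image unused).
Event = namedtuple("Event", "kind pid ppid image path")

def descends_from(pid, ancestor, parents, max_hops=64):
    """Walk the parent chain from pid; True if ancestor is on it."""
    for _ in range(max_hops):
        if pid == ancestor:
            return True
        pid = parents.get(pid)
        if pid is None:
            return False
    return False

def find_drop_and_run(events):
    """Return (handler_image, dropped_path, child_pid) for every executable that
    a document handler wrote to disk and that was later started by the handler
    or one of its descendants. Events must be in chronological order."""
    images, parents, dropped, hits = {}, {}, {}, []
    for ev in events:
        if ev.kind == "start":
            images[ev.pid] = ev.image.lower()
            parents[ev.pid] = ev.ppid
            key = ev.path.lower()
            if key in dropped and descends_from(ev.ppid, dropped[key][0], parents):
                hits.append((dropped[key][1], ev.path, ev.pid))
        elif ev.kind == "write":
            writer = images.get(ev.pid, "")
            if writer in DOCUMENT_HANDLERS and ev.path.lower().endswith(EXECUTABLE_EXTS):
                dropped[ev.path.lower()] = (ev.pid, writer)
    return hits

# Constructed telemetry: Word opens a booby-trapped document, writes upd.exe
# into the user's Temp folder and launches it; the rest is normal activity.
SAMPLE_EVENTS = [
    Event("start", 100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Event("start", 200, 100, "WINWORD.EXE", "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"),
    Event("write", 200, 0, "", "C:\\Users\\bob\\Documents\\report.docx"),
    Event("write", 200, 0, "", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"),
    Event("start", 300, 200, "upd.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"),
    Event("start", 400, 100, "notepad.exe", "C:\\Windows\\System32\\notepad.exe"),
]

if __name__ == "__main__":
    for handler, path, pid in find_drop_and_run(SAMPLE_EVENTS):
        print(f"{handler} dropped and ran {path} (pid {pid})")
```

A real sensor would feed the same rule from its own process and file events; the rule deliberately ignores documents (report.docx) and children that were not written by the handler, so normal Office activity produces no hit.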

Conclusion: if RSA, or any of the companies attacked by Duqu, had used even the free version of Panda Cloud Antivirus, those intrusions wouldn’t have happened… IN THAT WAY. Anyway, remember the answer to the question (“NO”). Attackers would have figured out a way to circumvent it, probably trying a different kind of attack, but the harder we make it, the more chances we’ll have to avoid it.

November 30th, 2011

Fake Cloud AV 2012

There is a new friend in the village. Many people thought that the fake antivirus (aka rogueware) business had declined, and it is true that for a few months rogueware infections were not that prevalent, mainly due to the efforts made by law enforcement with the help of security companies, but it was only a matter of time before they came back. In the last few weeks we have seen an increase in infections, and today I want to show you a new one that calls itself “Cloud AV 2012”.

Cybercriminals always try to confuse their victims, so they use names similar or identical to those used by real antivirus products. In this case they have taken advantage of the well-known Panda Cloud AV to do their trick. Once installed on your computer, it creates a link on your desktop to open the program, but you won’t need to use it: as soon as it is installed it opens itself and launches a system scan, which reports loads of malware found on your system. Of course that won’t be true, but they don’t care:

What any user would do here is click on “Remove threats”, but once you click it, a new window pops up asking you to buy the product:

Of course, if you want to buy it you are redirected to a web form where you can make the payment:

Of course, if you hand over your credit card to pay the $52, you’ll get the code to unlock the fake antivirus… if you don’t, you’ll get a message every now and then telling you that you are still infected. And what is worse, every time you try to run any program on your computer it will tell you that it is infected, so your computer will be useless.

So… what to do if you are already infected? Start your computer in Safe Mode, go to www.cloudantivirus.com and install the real Panda Cloud Antivirus to remove all the malicious files. Easy, isn’t it? ;)

November 11th, 2011

Hong Kong, AVAR 2011

Greetings from Hong Kong! This week we are enjoying the AVAR security conference, which is taking place in Hong Kong. Some interesting topics are being covered, such as the talk “Malware in EFI”, where Intel’s Igor Muttik showed us how malware could take advantage of the EFI (Extensible Firmware Interface) and the challenges we could be facing, as well as the countermeasures that can be taken. Another topic that has come up a lot is malware on mobile devices. Even though it is not that prevalent, it is true that it is an emerging threat and it raises some interesting thoughts. Of course the cloud is another topic covered here, but some of the most interesting talks are those about targeted attacks in certain countries in Asia, such as South Korea and Japan. The full program is here in case you want to take a look at it.

As some of you may remember, at last year’s AVAR in Bali I was awarded the “Wildlist Reporter of the year” prize, so this year I was the one in charge of presenting the prize to the next winner. On Thursday night, after the gala dinner, I went on stage to announce the next “Wildlist Reporter of the year” winner, and that was my good friend Philipp Wolf, Director of Protection Labs at Avira. In the following picture, from left to right, you can see Luis Corrons, Philipp Wolf and Peter Chung (Wildlist Director):

Wildlist Reporter of the Year
