Posts Tagged ‘time’

May 14th, 2012

Peering Into a Pinterest Scam Toolkit

Pinterest is getting lots of media attention lately. Spammers are also starting to exploit the social-media “pinup” site to make quick money. We have found that there are already lots of ready-to-use tools that make it easy for anyone to start Pinterest scams without much difficulty or technical skill. These tools are so easy to use that many require the attacker or scammer to change only a couple of lines of code in the available kit. They can literally start a new Pinterest scam within minutes! Such tools come bundled with all the required software: account creator, mass follower tools, mass liker tools, comment posters, etc.

We found a couple of such toolkits on the Internet. They are also available for sale on various forums over the net.

Each tool performs a specific function. For example, the folder Pinterest Content Locker contains a couple of scripts to set up scams. This particular one is a scam technique in which victims visit the website and get a “content locked” message stating that they need to click on the “Pin It” button to unlock the content. Here is an example:

In the php code we can see the following:

The code contains an array of links and it randomly selects one to post on Pinterest. It also uses an “unlocked” cookie to check whether a user has already visited the webpage and clicked on the pin button.

The scam requires that a victim click on the “pin it” button before seeing the content of the web page:

The code then calls a function Clicked. This function opens a new window and takes the user to Pinterest for pinning the content. Then it calls another function Remove_Overlay:

This function sets the cookie “unlocked” with value =1 and expiration date as the current date plus one. This is done so the next time users open the same URL, they will not get the content-locked message.

The code also has the folder viral script, which contains a php file used to display various scams:

The image asks the user to click on the “pin it” button, which posts the URL to Pinterest. Then it asks the user to perform the final step, which leads to an attacker-defined survey URL.

The trick is to get victims to click on the “pin it” button before clicking on “Final Step.” If users first click Final Step, then they see this message:

Let’s look at the code of “Click Here”:

It has a link element with id="linkos" whose value is javascript:window.alert("Please Complete Step 1").

This value can be modified at runtime after the user has clicked on the “pin it” button, shown in the next image:

When a user clicks “pin it,” it calls the function “PopupCenter,” which posts the link to Pinterest and then calls the function “RevealLink.” This function changes the value of “linkos” as follows:
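The content-locker and “viral script” templates described above share a few static tells: a “Click Here” link whose href is only a javascript:alert until a pin is made, an “unlocked” cookie written by script, and a link target rewritten at runtime after the pin. The following scanner is an added example (not code from the toolkit) that flags those tells in page HTML; the two sample pages are constructed here, and a real check would run it over fetched page bodies.

```javascript
// Added example: static detector for the Pinterest "pin to unlock" locker
// pattern. Constructed samples stand in for fetched pages.
const INDICATORS = [
  // Pin It button pointing at Pinterest's pin-creation endpoint (normal on its own)
  { name: "pin-it URL", re: /pinterest\.com\/pin\/create/i },
  // "Click Here" link that only pops an alert until step 1 is done
  { name: "step-gate link", re: /href\s*=\s*["']javascript:\s*(?:window\.)?alert\(/i },
  // script sets the "unlocked" cookie to hide the locker on revisit
  { name: "unlocked cookie gate", re: /document\.cookie\s*=\s*["']unlocked=/i },
  // link target swapped at runtime after the pin (RevealLink-style)
  { name: "runtime href rewrite", re: /getElementById\(\s*["'][^"']+["']\s*\)\s*\.href\s*=/i },
  // visible "locked" overlay text
  { name: "lock overlay text", re: /content\s+locked|pin\s+it\s+(?:button\s+)?to\s+unlock/i },
];

function scanForPinLocker(html) {
  const hits = INDICATORS.filter(i => i.re.test(html)).map(i => i.name);
  // A Pin It button alone is legitimate; combined with any gating tell it
  // is the locker the post describes.
  const hasPin = hits.includes("pin-it URL");
  const hasGate = hits.some(h => h !== "pin-it URL");
  return { hits, locker: hasPin && hasGate };
}

// Constructed sample of a locker page built the way the post describes.
const LOCKER_SAMPLE = `
<div id="overlay">Content locked! Click the Pin It button to unlock.</div>
<a href="javascript:void(0)" onclick="PopupCenter('http://pinterest.com/pin/create/button/?url=http://example.invalid/p')">Pin It</a>
<a id="linkos" href="javascript:window.alert('Please Complete Step 1')">Click Here</a>
<script>
function RevealLink(){document.getElementById('linkos').href='http://survey.example.invalid/offer';}
function Remove_Overlay(){document.cookie='unlocked=1; expires=' + new Date().toUTCString();}
</script>`;

// Constructed sample of an ordinary page with a plain Pin It button.
const BENIGN_SAMPLE = `
<p>Our spring recipe collection.</p>
<a href="http://pinterest.com/pin/create/button/?url=http://example.invalid/recipes">Pin It</a>`;

console.log(scanForPinLocker(LOCKER_SAMPLE));  // locker: true, five hits
console.log(scanForPinLocker(BENIGN_SAMPLE));  // locker: false, only "pin-it URL"
```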

Another template employs the preceding technique with a different GUI, which seems like the actual Pinterest site:

The template contains an executable named Pinterest Amazon Product Submitter. This is a bot that scrapes Amazon for products based on given keywords and then submits them to Pinterest.

When victims click on a Pinterest post they are redirected to the scammer’s site, which will contain a “redirect script” or “cloaker script” that will simply redirect users to Amazon with the scammer’s affiliate ID. Amazon does not see the referral as Pinterest but rather as the scammer’s custom page, and the scammer can earn money:

There is also a mass bit.ly link generator, which will generate random links for the scam’s URL:

The trick here is to use “?” at the end of the URL so that the tool will add a random string after “?” and get different URLs from bit.ly. This technique makes it possible for an attacker to generate as many random URLs as needed, all pointing to the same location.

Another script, “Detecting Mobile Phone Visitors,” can check the user agent of the web browser and determine the device from which a user visits the site.

Depending upon the device, a user can be redirected to a variety of URLs. We have observed that in the case of mobile devices, the redirection often leads to pornographic images which, upon being clicked, open a phone dialer with premium calling numbers. In the case of nonmobile devices, the redirection often leads to various survey scams.

The toolkit also includes “Pinterest follower bot,” which can be used for mass following on Pinterest:

We also find a tool for making mass comments on Pinterest posts:

Another tool generates Pinterest invites:

And would you believe that these tools even come with well-written documentation?

Such toolkits make it very easy for scammers to start their own scam sites and become functional cybercriminals with a minimum of skills and time. They need only change a couple of simple things, such as URLs, and they are ready to go. Almost all these steps, from creating mass Pinterest accounts to mass liking, commenting, and posting, have been automated.

Most of these scams try to lure users with titles such as “get free gift card,” “Shocking Video,” “you can not believe it,” etc.:

When users click on such URLs, they will be:

  • Redirected to a survey scam, where scammers earn money when users complete surveys
  • Redirected to Amazon or another site, where scammers earn money by referral
  • Led to premium calling numbers on mobile devices

Please follow these guidelines to stay safe:

  • Never share your password with anyone. Such tools make it very easy to mass-comment or post from any account.
  • If any web page asks you to “Pin It” before you can see the content, it is most likely a scam.
  • If any web page offers you a “free gift card” and redirects you to surveys, it is most likely a scam.
  • Be careful while clicking links that have catchy titles like “shocking video,” “you will not believe it,” “free giveaway,” etc. Most of the time, they lead to scams and trouble!

Follow this link:
Peering Into a Pinterest Scam Toolkit

May 14th, 2012

Don’t think alternative markets save your money

The Android:FakeInst family of malware seems to be a never-ending story. Its creators have been trying to trick users into sending premium-rate SMS messages for several months now. Just a few days ago, we discovered 25 more apps placed on alternative markets, all based on a concept very similar to the one in the story we wrote about before Christmas.

This time malicious Android applications are hosted on several domains:

All these sites were registered a week ago, so it looks like they were meant to serve as malware hosting for the bad guys from the very beginning. Also, if someone tries to access these sites from a browser, the visitor only receives a 404 error message, which does not look like a legitimate site. Analyzing the trail the malware creators left for us, we discovered a few sites they have used to attract users; all of them target Russian-speaking people and look like alternative markets. In reality, these sites exist for a short period of time and offer only fake downloaders.

So what does the visitor see? A user is tricked into installing an application called Downloader with suspicious permissions, which shows a screen with two buttons entitled OK and Rules. Clicking on Rules is the entry to a one-way road where the authors inform the victim that the download can cost some money. At this point, it claims that it is possible to either agree or quit by clicking on the relevant buttons. But this is a lie, because clicking on Quit does nothing at all. So you have to give up and click on Agree, or on OK on the first screen, and then the scam begins!

And this scam costs you money! If somebody clicks on the OK or Agree button, they have probably already been defrauded by the creators. In the background, the fake downloader sends a premium-rate SMS to a number chosen by the user’s country of origin. In order to distinguish people from all around the world, the malware contains premium-rate numbers for 60 different countries in an XML file distributed with the application. Since the criminals probably wanted to make it harder for us to analyse, they used AES encryption to make the file “unreadable”. However, when it is decoded, it reveals XML with a basic structure that for the Czech Republic looks like this:

As you can see, the SMS is sent to the number 9030979 with the text “GET 9190002172+021=2plt3” and is charged around $4. Once this is done, the user is redirected to the page “u*******i.org/content”, where the user is asked to enter the content of the confirmation message.

This concept is actually nothing new in the Android malware world, as the bad guys have been doing this in various ways for several months. However, AVAST makes it harder for them by detecting their work as an Android:FakeInst variation. So what is the lesson? Never trust weird-looking alternative markets and always check the app permissions. If you’ve downloaded a game that asks for SMS and Phone calls permissions, it probably means that someone is about to “play you” instead.

Some samples and their SHAs:
4568c4f98fa376d2df382a42f2a6531d2f307572795bf30701a7b1e7a61fc4bb
99e93ad659447bbd279cc8a8db7d1a0ef435a7d92a89ba9fc040e0d0e3314a97
b7996591e0957d3ef36848f0c05fd4131138297606f39d609cb23b78a31d1c35

Go here to read the rest:
Don’t think alternative markets save your money

April 25th, 2012

OS X Lamadai: Flashback isn’t the only Mac malware threat

The Flashback trojan has been all over the news lately, but it is not the only Mac malware threat out there at the moment. A few weeks ago, we published a technical analysis of OSX/Lamadai.A, the Mac OS X payload of a multi-platform attack exploiting the Java vulnerability CVE-2011-3544 to infect its victims. OSX/Lamadai.A has built-in features typical of a backdoor: namely download and execution of an arbitrary file, uploading of local files to the operator’s Command and Control (C&C) server, and spawning of a command-line shell.

After the technical analysis was done, we began the monitoring phase. This phase is very important because it allows for tracking of how the malware is used by its operator. We can catch new variants of the threat early on, or even a totally different malware family (as often seen in pay-per-install schemes), or see the operator launch Denial-of-Service attacks (or any other kind of malicious activity) from the infected systems.

The monitoring phase allowed us to witness a short, live dialog between our infected machine and the malware operator, a dialog that we published in our initial analysis of OSX/Lamadai.A. This experience gave us some new ideas that we could put in place in order to gather more knowledge about this threat and the person or people behind it.

What we did is this: we planted some fake files in the home directory of our test “infected user” and waited for the operator to come back. About one week later, we got our first connection. Here are the highlights of the dialog that took place over a period of about 10 days. It started with a little reconnaissance in the ~/Documents directory. The Unix command ls is used to list directory content:

Botnet operator viewing file listing on a compromised machine

Then we see the theft of some Tibetan army status documents and a little porn for added value.

Botnet operator accessing porn

Now more reconnaissance and file theft, this time in the ~/Downloads directory.

Botnet operator stealing files

It is quite interesting to see that the operator did not steal all the files we had put out for him. He left these three untouched:

  • 2012_report.doc
  • application.zip
  • im5744.jpg

A few days went by during which the operator was only connecting to the system to issue some basic commands, most likely with a view to determining whether this was a newly infected system or not. The Unix command id returns the current user's identity and the sw_vers command prints the OS version information.

We decided it was time to refresh the environment to simulate infection of a new user and to install interesting new files to the user’s home directory.

Shortly after the new environment was up and running, we got an incoming connection. Almost instantly, the operator issued a command to download and execute a file (technical details of the new file below)!

Immediately after, the operator ran a few netstat commands, most probably looking to see if the new payload was listening on the network properly. The Unix command netstat displays the network status of the system, such as network connections and routing table.

Not seeing what he wanted to see, our operator tried to re-execute the dropped executable! Let’s see how that turned out:

Yes, you do have to specify the path to the executable when /tmp is not in $PATH. In despair, he attempted to take some screenshots of the entire desktop window, using the OS X ‘screencapture’ command. Oddly enough, the file was not saved in his current working directory as it should have been. We can’t explain why that happened.

Then, a few connection attempts later, the operator logged back on and totally lost it. He issued two Unix ‘rm’ commands, used to remove directory entries: one to remove the user’s home directory and one to remove the system’s root directory.

That concludes this dramatic episode of Monsieur Frustrated Operator. Now to some technical stuff.

One of the first things we did was to recover and analyze the Mach-O executable dropped onto our test machine. We were curious to see what that was: a new variant of OSX/Lamadai, or even a specialized new piece of software? Instead, we found it was the same variant of OSX/Lamadai with a hardcoded C&C server set to 127.0.0.1. This explains why the operator grepped his netstat output for “127.0.0.1”. However, the rationale behind this action is up for debate inside ESET’s Security Intelligence Laboratory. Some argue that the operator realized he was connected to a monitoring system instead of a real, infected one and wanted to redirect the traffic away from the real C&C. Others contend that it would have been easier for him to simply deactivate or remove the malware from the system.

Also, when we first analyzed OSX/Lamadai.A, we said that the malware did not have persistence capabilities on an OS X 10.7.2 system, as the path /Library/Audio/Plug-Ins/AudioServer was not user-writable. We looked a little deeper into this, as other researchers reported that the threat was indeed persistent on their machines. We realized that this very same path is user-writable in previous OS X versions (10.5/Leopard and 10.6/Snow Leopard). This is the cause of some potential confusion and a timely reminder of the benefits of upgrading to the latest version of OS X.

Credits go to Marc-

April 18th, 2012

Cybernet: Melissa-style virus infects both Word and Excel files and spreads via the Internet!

Please update your AntiViral Toolkit Pro (AVP) anti-virus database.

Cambridge, UK, May 26, 2000: Kaspersky Labs Int., a fast-growing international anti-virus software development company, reports the discovery of a new dangerous Melissa-style virus, Macro.Excel97/Word97.Cybernet. At this time, the…

The rest is here:
Cybernet: Melissa-style virus infects both Word and Excel files and spreads via the Internet!

April 9th, 2012

Europe’s choice

Kaspersky

March 19th, 2012

Android Malware Retest Puts McAfee Mobile Security at Top of Class

On March 6, the widely recognized institute AV-TEST published a long-awaited review of malware protection for Android, with really disappointing results for us :( And the report was widely quoted in the media.

An analysis on our side quickly showed that an outdated version of McAfee Mobile Security had been tested. Yesterday AV-TEST announced that they had run a retest, and they released an update of the results. This time the current version of McAfee Mobile Security (2.0.1.366) was tested, and the new results reflect where we (and you) expect us to be: at the top.

In the test the top 10 products are rated with a >90 percent detection rate. A more detailed report of malware family detection shows we were one of just three products with flawless detection through all malware families. You can read all about the test and download the full report at AV-TEST.org.

We are happy that the confusion could be cleared up. If you ever needed a compelling reason to update to the latest version, then this test is one.

Visit link:
Android Malware Retest Puts McAfee Mobile Security at Top of Class

March 17th, 2012

The "CoolNow" worm attacks MSN Messenger Users

Kaspersky Labs, an international data-security software developer, announces the detection of a new Internet worm going by the name of “CoolNow” that infects computers upon visiting malicious Web-sites and spreads using the popular MSN Messenger Internet-pager. At this time, several incidents of infection by this malicious code have already been reported.

Originally posted here:
The "CoolNow" worm attacks MSN Messenger Users

March 16th, 2012

Yarner: Not Every Anti-Virus Is the Real McCoy

Kaspersky Labs, an international data-security software developer, announces the detection of the new, highly dangerous Internet worm “Yarner” that disguises itself as the anti-virus program YAW. At this time, there have been reports of mass-infection caused by this malicious program in Germany.

Continue reading here:
Yarner: Not Every Anti-Virus Is the Real McCoy

March 15th, 2012

I-Worm.Zircon: New Virus is rapidly spreading on the Internet

Kaspersky Labs, a leading international data-security software developer, reports the detection of the Internet-worm known as I-Worm.Zircon.c. At this time it is known that infections from this dangerous virus have occurred in several countries.

See the article here:
I-Worm.Zircon: New Virus is rapidly spreading on the Internet

March 14th, 2012

Modern viral propagation: Facebook, shocking videos, browser plugins

Fraudsters continue to innovate their scam propagation methods. Again using Facebook and a pretense of a shocking video, they also utilize browser plugins to execute malicious scripts. We also see how the malware scene is intertwined, when the user is directed to a dubious Potentially Unwanted Application.

Facebook auto-like scams have been commonplace on the world’s largest social network for some time now. Typical techniques that the “likejacking” fraudsters use include overlaying pictures, invisible ‘Like’ buttons, and so on. Such tricks could be used for various nefarious purposes including malware distribution – a few examples of malware spreading through Facebook (albeit not always through likejacking) included Koobface, Boonana, Win32/Delf.QCZ, Yimfoca, to name just a few.

The scam described below does not, at the time of this writing, lead to the download of a malicious Windows executable, but appears to use the viral spreading campaign to promote a cheesy porn site and probably to monetize the web traffic in accordance with a Pay-per-Click model. Let’s look at the details that make this case interesting.
