Trademytweets[SCAM]com is a new variation of the old Tweeterfast, Tweeterfollow theme. Recent domains that have operated under the same gray umbrella are gettwitterfollowersforfree.com and
SpreadMyTweets.com.

Trademytweets claims:

“How does it work? When you sign in with your Twitter details, our system will find you 20, 40, 60 or 100 other Tweeters. Then with these people it will begin to make them follow you as you follow them, instantly. “An eye for an eye.” This service will continue until you choose to stop it.”

Current keyword tweets:with approximately 10 tweets per minute involving numerous affected accounts.

“Want some Free Twitter Followers?”
“Just used TMT for some free followers”
“Get Free Twitter Followers!”

Update for March 30, 2010:
You have been using this shortened link since March 25, 2010 http://isDOTgd/aXDme on Twitter.
Here is one example account with much more than ONE tweet every 20 hours…

You certainly have great marketing skills.

Update 8:49 PM March 30, 2010

It appears that if one receives more tweets from this service than one tweet every 20 hours, they are logging into the site and requesting to add more followers.  The site is currently down at the moment.

Until Next time – stay safe online!

Disclaimer: This blog post is in relation to my collection of spam. I am not a spam expert.

The past few weeks have elicited all manner of spam at Teksquisite, and also at Gmail and Yahoo accounts.  Spammers often collect email addresses from customer lists, chatrooms, email chain letters, forums, newsgroups, websites, and viruses. Current email accounts that are receiving spam have connections to prior chain mails, forums, and newsgroups. Spam or junk email is almost always unsolicited and unwanted.

“Increasingly, e-mail spam today is sent via “zombie networks”, networks of virus- or worm-infected personal computers in homes and offices around the globe; many modern worms install a backdoor which allows the spammer access to the computer and use it for malicious purposes. This complicates attempts to control the spread of spam, as in many cases the spam doesn’t even originate from the spammer.” –Wikipedia

Most common email spam:

1. Chain mail – Gordon Brown Hoax 
2. Trojans – botnets, bredolab, Pushdo
3. Phishing – Please log into your financial account and confirm
4. You are a winner – congratulations, lotteries
5. Offers – Viagra, educational, OEM software
6. Personals – find true love here
7. Scam news – generally will contain a link to malware

With an increase in botnet-related spam (mainly Bredolab,) a sharp rise in educational and pharmaceutical/medical spam, and definitely far more activity in the arena of phishing spam regarding financial accounts – you really should pay close attention to what lands in your inbox, because Trojans in the form of zipped files do not always end up in your spam folder.

I find it inconceivable, and somewhat disturbing that I collected almost 900 spam emails last week.  This is quite a jump in spam, considering, that during the first week of January spam for all accounts leveled slightly below 300.

Over the past three weeks I have seen a sharp rise in UPS Postal Support email that always contains an attachment “invoice” that is spoofed from some.address@ups.com with signatures such as:
Postal Support RANDOM NAME
UPS Manager, RANDOMNAME

The attachment currently arrives as a ZIP file: 

My advice to you is to KEEP IT ZIPPED AND DELETE IT!

Spam Examples

• Chain Mail: Gordon Brown Virus

Chain mail claiming that if you receive a picture of British Prime Minister, Gordon Brown smiling, your computer will become infected with a virus.

You can read more about this hoax over at Graham Cluley’s Blog.

• Trojans: Trojan.Downloader, Bredolab, Pushdo, Zeus [botnets]

Once the zip file is extracted, an exe file (disguised as an Excel file) downloads Pushdo (a malacious bredolab downloader.) In an article at cnet News, Joe Stewart, director of malware research at SecureWorks stated:

“Pushdo downloads different Trojans onto infected machines and has been used to send spam as part of the Cutwail spambot…”It’s a typical pay-per-install system,” used to distribute banking Trojans, password stealers, ad clickers, and search hijackers”

“For those unfamiliar, Bredolab is a simplified botnet – a loader which simply connects to a remote server to report and receive files to download/execute. Apart from rogue antivirus software (”scareware”), Bredolab’s other favorite download is Pushdo.” –Fortinet

Since Pushdo is not written to disk and is memory resident, botnet owners frequently change the code and behaviors of Pushdo, which further makes it difficult to classify variants over time.  What I have posted here today, may not be applicable tomorrow!

For a better understanding of Bredolab see You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence by David Sancho, Senior Threat Researcher at Trend Micro.

• Phishing – Please log into your account

1. This type of spam requests that you verify your account via a spoofed link where your personal details will be captured for the phishers
2. HSBC Bank will never send an email asking you to verify details.
3. There are all types of variations in these spoofed emails.  If you receive e-mail claiming to be from HSBC, call HSBC at 1-800-975-4722. Follow the instructions regarding fraudulent email here.

• You are a winner – congratulations, lotteries

Never reply to this type of email because you will end up on a global spammer list.  Delete it.

• Offers: OEM Software (Original Equipment Manufacturer)

OEM software is NOT FOR RESALE (NFR) and always includes licensing along these lines: “For distribution with a new personal computer only. This software may not be sold independently.” OEM software must be sold with hardware.

Some spam email often links to ebay where you can purchase OEM software. The seller appears compliant with the hardware requirement by advertising to remove hardware from the original system (or so they claim!)

“In accordance with eBay policy, I offer the HDD that came with the system (it currently has bad sectors and is not usable), which I can ship at the buyer’s request.”

Many recent OEM emails that I received are claiming to be a company located at 1100 South State Rd 7, Suite 501 in Margate, FL 33068.  Their website is registered to a Russian domain.  Thanks to Twitter folks @ChrisMuncy, @dckovar and @Lisa827 for advice on contacting the tax office in order to find out about the building that the business is located in.  In this particular case, the City of Margate, Florida was unable to find any records for a business registered at Suite 501 at the above address.  They will be sending out a code officer today to inspect the location since they only have four active businesses registered at this building.

Also be sure to stop by SIIA (Software & Information Industry Association) and brush up on
What You Need to Know About OEM and Academic Software.

12 steps to less spam:

1. Do not post your email address online in clear text.  If you must post it online be sure that your address is munged so that the bots will not see it.
2. Never respond to suspicious emails.
3. Do not unsubscribe to spam email.
4. Do not use your personal email address for public use. Instead, use a disposable email address and set it up to forward messages to your personal email account.  If you begin to receive spam in a disposable account –simply delete the disposable account and sign up for a new one.
5. Do not open suspicious attachments, links, or images. This could lead to malware downloading on your computer.
6. If you are using a software email program (and not a web-based one) be sure to disable the preview pane.
7. Use spam-blocking tools and filters.
8. If you need to forward email to groups of people use a disposable email address in the TO: field and add all recipients to the BCC: field.  This will shield the email address from others as well as from spam harvesters.
9. Be sure to have antivirus software installed on your computer, run a full scan every week, and keep it updated!  You should run some form of an anti-malware software each week too, such as Malwarebytes.
10. When you sign up for something on the web, be sure to uncheck the box that says “YES, I want to be contacted by select third parties concerning products I might be interested in.”
    
11. Be sure to take advantage of reputable and free computer scans such as the firewall leak and ShieldsUP tests over at Gibson Research Corporation.
12. Report spammers.  Register for free spam reporting service at SpamCop.

If you plan on using this service often, consider making a donation!

Some helpful Links:

Federal Trade Commision FTC

If you are a victim of a financial solicitation contact
the Internet Crime Complaint Center

Medical fraudulent claims (devices or products)
Email: webcomplaints@ora.fda.gov

Investment-related email- *Copy headers and forward to:
Email: enforcement@sec.gov

*How to copy email headers

Until next time — stay safe online!

I’ve been following the Tweeterfollow musical domain saga since late September 2009.  The theme never changes.  I’ve also written about their scam/phishing/twitter account hijackings here.

Yesterday the Tweeterfollow (AKA: TF) domain push on Twitter was via Twtxtreme.info (currently disabled) using short url services tinyURL and retwt.me.  Today it looks like TF is promoting twtkingz.info via retwt.me and kiwi.url.  TF consistently uses IP: 124.217.246.188 but because TF switches domains frequently, they have not been blacklisted.

The web login page is always the same:

Description: A place to add more followers for your twitter page. This is a twitter adder site

Keywords: get more twitter followers, tweet, twitter network,twitter train, get more followers on twitter, twitter, tweeter, tweeteradder, tweeterfollow, deadlyx, rawhood, hoodzone, followers, train, vip, tweet

Logged in to the TF Web GUI

Once you are logged in to their website you will automatically follow all VIP members. Then you click  on Twitter profile random images [graphics from a3.twimg.com] to follow regular users [SIC].

Once you have clicked on all 20 default regular users profiles, the pop-up below appears:

Click on the OK button and 20 new profiles will reappear.  You can click all day long and into the night and you will still get the congratulatory pop-up each time you click the 20th profile.

You are also encouraged to purchase a VIP membership using PayPal or a credit card. The account that TF is currently using at PayPal is registered to ryann.johnson2009@gmail.com.

Ability to view protected tweets

Using http://isfollow.com/ I wanted to see if the locked accounts that I randomly followed through the TF API were following me.  The accounts listed below were not following me but I was able to view their PROTECTED TWEETS!

afrheyy
aliamutia
ibaddbxtch
IamHoodBarbie
ohannaweb

Since the above account is not following my test account I should not have been able to view IamHoodBarbies protected twitter stream. Obviously these Twitter profiles are all compromised accounts. A simple change of password is probably not the band-aid that should be used.

The Twitter filter managed to nab the “100 followers” string and filtered these tweets from the test account Twitter stream.  The test account is also not currently accruing a steady stream of profiles from Twtkingz[TOX]info API like it was yesterday.  During the past six hours the test account has only followed one protected account via the TF API.  The test account is still able to view protected tweets of accounts that are not following the test account.

Who is behind all this?

With all the emphasis on botnets, security breaches, and malware; In comparison, Tweeterfollow appears harmless.  Is it?

Domain ID:D30737265-LRMS
Domain Name: TWTKINGZ.INFO
Created On:10-Dec-2009 15:10:50 UTC

Last Updated On:10-Dec-2009 15:10:59 UT

There is something big going down on Twitter

Any website hosted at Piradius.net in Kuala Lumpur, Malaysia should immediately raise  a red flag.

Update:  12-15-09  8:13 pm EDT

Update:  12-16-09

Update:  12-17-09

Update:  12-22-09

Test account data:

December 18:
5 tweets Total

Timing:
2 tweets @8:08  pm from API
1 tweet  @9:54  pm from API
1 tweet  @9:55  pm from API
1 tweet  @10:25 pm from API

URL Breakdown:
3 tweets to twtfollow[TOX] info via ohurl.com
1 tweet to twtfollow[TOX] info via retwt.me
1 tweet = “This site just gave me 100 followers using” no URL

December 19:
9 tweets Total

Timing:
1 tweet   @6:09  am from API
1 tweet   @8:33  am from API
1 tweet   @2:10  pm from API
1 tweet   @4:34  pm from API
4 tweets  @7:09  pm from API
1 tweet   @10:10 pm from API

URL Breakdown:
1 tweet to youtube.com [generic]
1 tweet to twtspeedy[TOX] info [via retwt.me]
2 tweets to twtfollow[TOX] info [via Safe.mn = flagged as a "Dangerous website: Phishing/Malicious Content"]
2 tweets to twtspeedy[TOX] info [via TinyUrl]
1 tweet to twtfollow[TOX] info [kiwiurl.com]
1 tweet to twtfollow[TOX] info [via shorten.ws]
1 tweet to twtfollow[TOX] info [via snipr.com]

December 20:
15 tweets Total

Timing:
1 tweet   @12:34 am from API
1 tweet   @1:10  am from API
1 tweet   @6:11  am from API
1 tweet   @7:12  am from API
1 tweet   @8:34  am from API
2 tweets  @1:31  pm from API
2 tweets  @1:32  pm from API
1 tweet   @1:33  pm from API
1 tweet   @2:11  pm from API
1 tweet   @6:36  pm from API
1 tweet   @7:29  pm from API
1 tweet   @7:33  pm from API
1 tweet   @10:12 pm from API

URL Breakdown is getting spammy, so for the sake of brevity – here goes:
The shorl you requested has been disabled due to abuse. We’re sorry for the inconvenience.
lu.mu disabled
kiwiurl.com disabled
nvg8.it disabled
twtfollows {TOX] Info still online
twtlimit {TOX] Inf still online
retwt.me = .twtspeedy[TOX] info

December 21:
26 tweets Total

Currently pushing the following Toxic URLs:

twtfollows[TOX] info
twtlimit[TOX] info
twtspeedy[TOX] info

Stay Safe Online!

There has been chattering the past few days about unknown rogue software available for download on the Internet that lets you view private Facebook profiles. I can assure you that this new software called FacebookAgent is old news wagging a new wrapper. This is not just another scam! This rogue application also has a back door along with Trojans droppers put together by cyber-criminals to elicit financial information via social engineering techniques. Prior to examining FacebookAgent on a VM earlier today I ran Malwarebytes and had a clean scan with no infected files. After installation of Facebook Agent and testing in a VM I ran Malwarebytes again and had 159 infected files! (the results will be posted at the end of this article.) Domain: www.facebookagent[DOT]com Current IP: 74.208.137.211 131 1&1 Internet Inc PA

Facebookagent.com website provides this Disclamer:

“Facebook Agent is an automated help manual that guides you through the process of gaining a legal view of the desired profile. This process is completely legal and is achieved through the other party’s aproval and acknowledgement. This software and/or methods should not be used in any other case that is not mentioned above. All facebook trademarks are copyrighted to facebook.com. All actions taken through and in this application are on full responsibility of the user. Facebook Agent is in no condition responsible of any harm, damage or violations done while using this application. If at any stage of the process any party will find violation of law against them, the process should immidiately be terminated and reported to the administration team of the application. By clicking the Start button you agree to take full responsibility of the actions done by this application. All rights are copyrighted to facebook Agent 2009 – 2010. All trademarks found in this application belong to facebook Agent apart from facebook trademarks which are copyrighted to facebook.com. By clicking on the Start button you accept this terms and conditions.”

Most of the links at the FacebookAgent website result in saving or downloading setup.msi. The msi installer loads Facebook Agent.exe and a database file in the Program Files directory. The installer also loads Perflib_Perfdata640.dat into the local user profile temp directory and runs the database file under svchost.

When you first run Facebook Agent there is no exit from the program. Bad code and even worse downloads and toxic URLs await you. Since I did not choose to install the IWON toolbar featuring the MyWebSearch default search provider I had to participate in the Green Card Scam that is listed below.

According to the flimsy interface above you have to click to claim what you have won! Your prize is located at: hXXp://html.usagc[DOT]org/step1landing_eng[DOT]html?afk=ranygnewcplcmp0309eng. Then you have to fill out a form that includes your full name, email address, country of birth, marital status, and telephone number. You also have to answer this dropdown menu question:

After I filled out the online form with false information, I received this response:

Canada, Mexico, and the United States are ineligible. On the same page I was also given the option to select another country if I were a native of a qualifying country or if my parents were born in a qualifying country. I opted for Australia and was quickly promoted to step 2 in the process!

I had a good smirk over the warning “using a stolen or fraud credit card number will automatically disqualify you from participating forever!! USAGC will immediately cancel your application and pursue legal remedies.”

USAGC is a scam! Don’t fall victim to this Green Card lottery scam! The DV-2011 Diversity Visa Lottery( run by The U.S. Department of State) online entry registration period ended on November 30, 2009

I was soon bored with the Green card lottery scam so proceeded to install the IWON Toolbar and failed.

After finishing the installation of IWON, I had to go to iwon.com to register for a free account. Overall, you can only get to step 1 in Facebook Agent because you can’t get to step 2 without filling out credit card information.

Finally I ran Malwarebytes again to see what nasties Facebook Agent had installed.

I am currently reading a read me from a recent .rar that I downloaded and extracted over at Tubnut (that is a pet name for  my virtual station that analyzes files.)  The one question in the read me that consistently catches my attention is —How can I get somebody to login to my phisher— The answer: “That’s for you to find out, use your mind. Probably the simplest way is Social Engineering and some phishing skill. Here is an example : hXXp://imgdevil.com/pfiles/11140/munged”

The one commonality between affiliate marketers and cyber-criminals is that they are both highly adept in the art of social engineering. Michigan.gov defines social engineering as “an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals.”

Most affiliate marketers remain in the gray area of social engineering.  They also hold a strong emphasis on scam-type marketing campaigns in order to promote traffic to their website, specifically for the purpose of financial gain.  In comparison, Cyber-criminals fully embark in blackhat social engineering techniques, developing fake “phishing” sites in order to gain access to financial accounts.

Today I found an affiliate marketer on Twitter who participates in both forms of social engineering.  Though his account is not listed in Twitter search, I assume that he is from Pakistan and that he only uses anonymous accounts/sites to post content.  I am not posting his information here at the Tekblog.  For the purpose of this post I will refer to the affiliate marketer/phisher as P-man. So lets now move on to disclose some of the findings from P-mans phishing .rar.

I was 100% amazed to not find a Twitter Phisher here!

The major points that P-man promotes is that a phisher must:

1- Find a web host that supports php
2- Have a plan in place to send victims to the Index page
3- Learn how to hide links in forums
4- Seek free hosting/free domains (all anonymous)
5- What email spamming service to use
6- The use of URL shortening services to hide the phish
7- Proxies

There are also text files in many of the phishing folders that direct you to other underground technology websites.  You will be instructed to register at these sites before you are allowed access.  I believe that these underground sites will also be looking at your IP, OS vulnerabilities, etc in order to asses your intentions in registering.  You can anticipate that there will be many sites that will also redirect you to set up a meeting in mIRC, regarding more complex phishing site configurations.

Paypal

While perusing the Paypal directory I noticed that there was a possible paypal phishing tutorial located at  the free domain of DaveDaDon.  His motto: Touch ME? Neva. His domain is now suspended…

Ironically Touch ME? Neva guy who goes by the online name of DAVEDADON,  had the balls last year to post at the Microsoft Fóruns do Visual Studio.  Perhaps ego rides a wild donkey too?

Freewebs

DAVEDADON also allegedly provided a Freewebs phishing tutorial at his now defunct site. This was the one and only folder in the .rar that included a WARNING.

This warning, apparently intended to pose as a disclaimer against holding DaveDaDon liable for anything that smacked of criminal intent:

DaveDaDon is not playing nice with his phishing students either!

P-man is anonymous…He uses Twitter and Facebook to push traffic back to an anonymous website.  P-man has myriad Pakistani friends.  P-man affiliates with phishers, may be phishing,  and emulates  viral marketing.

Online age: 13-21

Country: Pakistan

Twitter: 1007 followers (affiliate marketer, filtered from Twitter search)

Facebook: Fan page, 104 followers (most download links lead back to P-mans blog)

Until Next time — Stay safe online!

Update: 10/06/2009

Though this was not an obvious phishing campaign that takes your money, McAfee Site Advisor Rating:

Phishing or other scams

This site uses your Twitter account info to send spammy messages to your followers. Here is an example:
“I got 100 followers using http://TwitPWR.com/swf/ . Check it out!”

This is a clear case identity theft. I advise you to not fill your twitter username and password in this site.
Posted at 09/23/2009-08:49:43 PM by Alexis Kauffmann

Ryan Johnson is currently running another spam campaign on Twitter via Followersquick<>info [IP:124.217.246.188] .

Toxic URLs on Twitter can get me fired up faster than any other social networking site.  I think it is because the time it takes for Twitter to notice that there is a problem, and then for Twitter to act on it —  leaves a huge security hole and enables the bad guys to maximize and control the dark side of Twitter.

I’ve been watching the dark side of Twitter for over 7 months now, and there is a lot of malware stories that do not unfold at my blog.  There are also security experts outside of Twitter who follow up and have become just as frustrated with Twitter Internet security as I have become.

For the record, I am highly vocal about the fact that I think Twitter has a social obligation to the Internet community as a whole.   I think that they need to act upon social networking threats that transpire at their site immediately, and to have a rapid response system in place to confirm or deny the validity of reported offenses and offenders.

Current keyword culprits that have gone viral are [note that all are posted via API abuse]:

“This site just gave me 100 followers using hxxp://xrl<>us/bfosj8″

“I just got 100 followers using hxxp://TwitPWR<>com/swb/”

“I got 100 followers using http://is<>gd/3BP6e Go check it out”

“This site is great I got 100 followers in a day using hxxp://twi<>cc/Bjry”

“Hey Get 100 followers a day using xxtp://yumurl<>com/9yPYKZ.  Its super fast!”

“You should check this site out if you want 100 followers a day” hxxp://tinyurl<>com/n3oeal

“If you want 100 followers a day use” hxxp://alturl<>com/kdqj

“I use hxxp://TwitPWR<>com/swg/ to get 100 followers a day. It work great”

“If you trying to get more followers go to hxxp://shorten<>ws/bee0c2.You will get 100 followers fast!”

tweeterfast<>com Originates from IP: 124.217.246.188.

tweeterfast<>com
tweeteradder<>com
www.tweeteradder<>com
www.tweeterfollow<>com
www.tweeterpro<>com

tweeterfast<>com has a 301 from quick-followers<>com

Whois Information for tweeterfast.com

Registar ENOM, INC.
Registration Data:
Registered on 2009-09-23
Last updated on 2009-09-23
Expires on 2010-09-23

Nameservers:
ns1.tweeterfollow.com: 124.217.246.188
ns2.tweeterfollow.com: (DOES NOT EXIST)

Owner:
Admin:
Tech:
ryanjohnson2007hotmail.com
Ryan Johnson
+1.4103563433
+1.5555555555
Deadly Is Great
1533 Blue St.
Baltimore, Maryland 21217
US

Current nameservers are listed under tweeterfollow<>com. Check out this interesting archived page.
Rest assured that before this campaign is done — TWEETERFAST will give you more than 100 followers…

Don’t forget to check out their rules. When you sign up for an account at Tweeterfast, you are giving them the login and password to your account to further promote their site and your Twitter account will be hijacked.

Stay tuned for continued updates on Twitter as they become available.

Until next time — Stay Safe Online!

It is time to blow the dust off this blog and get back into updating the Tekblog on a regular basis!  I must confess that I have been ultimately quite lazy since the New Year began.  The move took a huge amount of energy and I am still not completely unpacked.  The storage room has evolved into a catastrophe of endless boxes still covered with tarp…

The first security post of 2009 involves protecting your personal data and how not to become a victim of phishing.   The Canadian Marketing Association defines phishing as “a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.”

It appears that ASProx botnet is squirming around a bit.  Shadowserver Foundation reported on January 29th of this year that ASProx had been phishing again at the UK Alliance and Leicester Commercial Bank.

If you do your banking online it is very important that you verify that you are using the correct website! I have a few suggestions that you can begin utilizing today:

1- Look for the GOLD lock in the lower left or right hand side of your internet browser and make sure that the web address for the bank begins with https://

2- Double-click the GOLD lock and make sure that the site security certificate matches the name that is on the address bar.  If you are not sure what you are looking for check out the TD Banknorth website at https://secure.tdbanknorth.com

The name on the address bar at TD BANKNORTH should be secure.tdbanknorth.com and it will be located right next to the GOLD lock.

3- Use the Firefox web browser and install the ShowIP add-on.  ShowIP will display the sites IP address.  If you are not  familiar with internet addressing then you can peek at this nice little article at Wikipedia.

When I arrive at the https TD Banknorth site the IP address is 12.111.190.163. This is a static IP address. I can verify the IP address by looking up secure.tdbanknorth.com in the WHOIS input box at Samspade.org. The Samspade search will return this value: secure.tdbanknorth.com = [ 12.111.190.163 ]  This is a perfect IP match and I can now safely bank online!

Network Security Journal lists 44 ways to guard against phishing attacks and states  “If you come across a phishing scam, REPORT it at once to the Anti-Phishing Working Group, the U.S. Federal Trade Commission (FTC) and the FBI through the Internet Fraud Complaint Center, both of whom work to shut down phishing sites and catch those responsible.”  Be sure that you close any compromised accounts immediately.

Until next time — safe surfing!

Final Note: Firefox 3 or later contains built-in Phishing and Malware Protection.

Do you find it difficult to imagine a Trojan horse phishing program capable of assimilating itself at an online banking site in real time?  As early as last year I would never have considered Hypertext Markup Language (HTML) injection to be capable of such a serious breach of browser integration.

Limbo malware is possibly the most sophisticated trojan yet  released and is so advanced  that it can alter the layout of your online banking site by injecting code into the site while you are banking online!  Once you have logged into your bank, the program can even hijack your connection and at the same time add an extra field into the bank page while harvesting your personal information in real time.

Limbo has many portals of disquise.  It sometimes poses as a popup message prompting users to download an add-on program, or uses invisible methods (unknown to the innocent user),  and in conjunction with other phishing attacks.

Kevin McAleavey, an administrator for Comodo states that he has “found that all they’re doing is using an old trojan (Banker.D),  editing it, and then packing it inside a rather sophisticated ‘shell’ which obfuscates and encrypts the file, and then places a stub at the front of the file which is designed to trash unpackers and emulators with NOP instructions as well as illegal characters and a number of other tricks which will hose unpackers.”

How will you know if you are in Limbo while doing online banking?  Uri Rivner, head of new technologies at RSA Consumer Solutions said “Nothing tells you that something is wrong here,  with one exception: You’re being asked to provide some information that you were never asked to do before.”

Another nasty about this particular malware is that it is heavily embedded in the underground market and is currently being sold to fraudsters at an affordable price of approximately $350 (U.S.)  In 2007 this type of product sold for $1000 (U.S.) and two years ago for as much as $5000 (U.S.)

How does this particular varient of malware work?  Most likely the user will become infected by visiting an infected website or via botnet.  Once your computer is infected the trojan will lie in wait until you access an online banking service.  Next it will record your login information and request that you fill in additional information in regard to your bank account.  After the trojan gathers this information, it will send it to the fraudster who bought the Limbo malware package.

How can you protect yourself?

Fraudwatch International suggests that you:

1. Never Click on Hyperlinks within emails
2. Use Anti-SPAM Filter Software
3. Use Anti-Virus Software
4. Use a Personal Firewall
5. Keep Software Updated (Operating Systems & Browsers)
6. Always look for “https” and a padlock on a site that requests personal information
7. Keep your Computer clean from Spyware
8. Educate Yourself on Fraudulent Activity on the Internet
9. Check Your Credit Report Immediately, for Free!
10. Seek Advice – If you are unsure – ask Fraudalert

To add additional layers of protection I would suggest that you also use the following applications and browser addons:

• Exploit Prevention Lab LinkScanner
• McAfee Site Advisor
• Threatfire 3
• Netcraft Anti-Phishing Toolbar
• Panda Active Online Scan (no download)

To reduce the risk of Phishing check out Stop-Phising.com (Indiana University)

Until next time, stay safe!