Beware of the Dancing Skeleton

October 30, 2007 on 9:04 pm | In On the Radar | No Comments

Well, the cybercriminals are busy, busy, busy…according to the F-Secure Weblog from today, the latest Storm site, The Dancing Skeleton, is poised and ready to infect unpatched and unsuspecting victims with the latest threat, “Halloween.exe”. Check out F-Secure’s blog at:

http://www.f-secure.com/weblog/archives/00001304.html

Recent history has shown us that cybercriminals launch new attacks during holidays, sporting events like the NFL season kickoff, and newsworthy events. Just remember, don’t click links pointing to an IP address and always be wary of other tricks.

Be safe and have a Happy Halloween!

Think before you click that link!

October 28, 2007 on 9:22 pm | In Information | No Comments

Here’s a new email I received today that raises some Red Flags. After looking up the originating IP address [in the header of the email], the source of origin is Tangerang, Banten, Indonesia. Why would a company whose domain is registered to a company in Florida be sending solicitations from Indonesia?

Hmmm, could it be spoofed?  Maybe.  I wonder, since all the links within the email, although registered to the company in Florida, have a domain name that clearly indicates some affiliation with Diabetes.  Why would a domain with “Diabetes” in the domain name, try to sell “Legal” movie downloads?  Sounds phishy.

Here is the body of the email:

Subject: Watch Movies LEGALLY on your PC and MP3 player

We would like to inform that you can easily download your favorite movies and TV shows onto your PC, laptop and iPod(R) so you can begin watching them right away!

Press here for the simple PC and LAPTOP instructions: (questionable link removed for your protection)

Press here If you want instructions as to how to download your favorite movies to your iPod(R): (questionable link removed for your protection)

The movie studios DO NOT want you to know about us, but there is nothing they can do about it!

Finally, We would like to inform that you can easily backup your DVD movie collection to the same inexpensive CDs youve used to copy music. Now theres no need to go out and purchase an expensive DVD burner or expensive blank DVDs. Nothing could be easier!

Press here for the simple instructions: (Link domain is registered to Advertising Company in Florida and has an extension of .js; which could be a malicious JavaScript)

To not receive future offers/promotions from “MovieDownloadCenter” via Trek Data please press on the below link and scroll to the bottom of the page: (Another questionable link removed for your protection)

The email provides an address in Florida for comments and questions, but the email address to send questions is a Gmail address. Why wouldn’t they be using an email address from the company’s domain like other companies?

I have to wonder if this truly is legal for a couple of reasons: first, they emphasize the word “Legal” in the subject of the email, and secondly, the email states, “The movie studios DO NOT want you to know about us, but there is nothing they can do about it!” Why? Is it because the email originated from overseas and perhaps they are protected by the laws in that country?

Also, check out the spelling and grammar; there are some spelling errors and it doesn’t quite meet the standards of good business writing.

The point to this entry is to pay attention before you blindly click links in emails such as this.  Do you really need to download movies to your PC?  Is it worth a possible compromise of your personal information or an infection to your computer?

When you make wise decisions…you will GREATLY improve your electronic security!  Think about it…
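The red flags from this entry (a link ending in .js, a free-mail contact address that does not match the sender's domain) and the raw-IP links mentioned in the Storm and eCard entries can be checked mechanically. The following Python is an added example, not code from this blog; the sample message, its hosts and addresses, and the free-mail list are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed short list
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample message; every host and address is a placeholder.
SAMPLE = """\
From: MovieDownloadCenter <offers@diabetes-example.test>
Subject: Watch Movies LEGALLY on your PC and MP3 player

Press here for the simple PC and LAPTOP instructions: http://203.0.113.7/movies
Press here for the simple instructions: http://diabetes-example.test/go/dvd.js
Questions? Write to moviecenter.example@gmail.com
"""

def is_ip_literal(host):
    """True when the link host is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def red_flags(raw):
    """Return (flag, value) pairs for the warning signs described above."""
    msg = message_from_string(raw)
    # Join every non-multipart part so multipart mail is scanned too.
    body = "\n".join(str(p.get_payload()) for p in msg.walk()
                     if not p.is_multipart())
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        if is_ip_literal(parts.hostname or ""):
            flags.append(("ip-literal-link", url))
        if parts.path.lower().endswith(".js"):
            flags.append(("script-link", url))
    for addr in ADDR_RE.findall(body):
        domain = addr.rpartition("@")[2].lower()
        if domain in FREE_MAIL and domain != sender_domain:
            flags.append(("freemail-contact", addr))
    return flags

if __name__ == "__main__":
    for kind, value in red_flags(SAMPLE):
        print(f"{kind:18} {value}")
```

A flag here is a reason to look closer, not a verdict; legitimate mail occasionally trips one of these checks.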

Nigerian Scam

October 28, 2007 on 1:38 pm | In E-Mail Scams, Identity Theft, Information, Internet Fraud, Phishing Scams | No Comments

Greetings,

While checking the Email for “info@pc-armor.com” today, I came across what appears to be a Nigerian Scam.  Before I show you the body of the Email, I would like to quote a warning by the FTC that is posted on their website at:

http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.shtm

 “If you’re tempted to respond to an offer, the FTC suggests you stop and ask yourself two important questions: Why would a perfect stranger pick you — also a perfect stranger — to share a fortune with, and why would you share your personal or business information, including your bank account numbers or your company letterhead, with someone you don’t know? And the U.S. Department of State cautions against traveling to the destination mentioned in the letters. According to State Department reports, people who have responded to these “advance-fee” solicitations have been beaten, subjected to threats and extortion, and in some cases, murdered.

If you receive an offer via email from someone claiming to need your help getting money out of Nigeria — or any other country, for that matter — forward it to the FTC at spam@uce.gov.

If you have lost money to one of these schemes, call your local Secret Service field office. Local field offices are listed in the Blue Pages of your telephone directory.”

Of course, the FTC site has more information about such scams, but I wanted you to see the important questions to ask yourself and what to do if you receive anything like the following example, which would be to forward the entire email to “spam@uce.gov” and then delete the message. Now, let’s see what the body of one of these emails might look like…

Dear friend,

I know this will come to you as a surprise because you dont know me. I am (named removed for your protection) I work in the Citibank International Plc as the Head Of the Packaging and Courrier service Dept. During the air-lift of some Royal Luggages to Middle east, I decided to include additional Luggages Containing $15M(Fiftheen Million US Dollars)Only for my own Benefit though it was Labelled Security “Equipment” for security reasons.

I am Obliged to contact you to assist me in getting this luggage cleared and delivered to you from the agent as I have agreed on the Following terms.
1) Relevant Documents to claim this luggage will be procured in your name to enable the agent clear and deliver it to your mailing address.
2) That you will be entitled to a share of 30% of the total Money.
3) That 10% of the total money will be set aside for any expenses.
4) That 60% of the money will be for me.

If this business Transaction/Terms is ok by you, do Furnish me with your full names,Mailing Address,Your Personal Telephone/Fax Numbers for Communication and Onward Transfer to the agent in Middle East. You can reach me at my private email address: (Email address removed for your protection)

Note that this Business Transaction is 100% risk free as all relevant documents to back up the claim of the luggage will be provide for you hence we advice you to keep the entire transaction close to yourself until you must have received the luggage,for security reasons.Other modalities will be discussed as soon as you get back to me. Use this code when replying: (Secret Code Removed for your protection)/CitiBank.

Yours Faithfully,
(named removed for your protection)
Courier Dept(Citibank Plc).
+(Probably a Fraudulent Telephone Number, Removed for your protection)

Not only does the Email ask for personal information, it has numerous spelling and grammatical errors, which are dead giveaways to fraudulent scams! It is important to understand that NO LEGITIMATE BUSINESS WILL EVER ASK YOU TO DIVULGE ANY OF YOUR PERSONAL INFORMATION IN AN UNSOLICITED MANNER, and that includes Email, Regular Mail, by Telephone, or in person. As long as you can remember that very simple concept, you will avoid becoming a victim of such scams, because you didn’t take the bait! The best thing you can do if you ever receive scams such as this is to forward the entire email to “spam@uce.gov”, as well as to the investigative department of the company the email is imitating.

Common Sense will go a long way in protecting your financial security and personal identity.

PC-Armor.com

Malicious PDF File Outbreak Today

October 26, 2007 on 12:17 pm | In Malware, On the Radar, Vulnerabilities | No Comments

There are a couple of things worth mentioning today: The malicious Psycho Kitty eCard is still circulating, because I received one today with the subject of:

Subject: You have yet to open your ecard.

The body of the email reads, “Someone sent you this Psycho Kitty card. It is Hilarious!” and of course, there is a link the criminals want you to click that points to an IP Address.

The other notable news from today is about a PDF Malware Spam outbreak throughout the Internet.  My F-Secure Anti-virus program has a nice little feature called “Security News” and during high levels of malicious activity, a balloon will pop up by the system clock with a warning to the consumer.

Today, the balloon popped up with an F-Secure Level 2 Security Alert and it read,

Malicious PDF files being spammed out in volume. The files have “report” themed subjects and CVE-2007-5020 exploit that they use to download further components from the net.

As usual, F-Secure protects against this threat, but other Anti-virus programs may not, so please be aware that malicious PDF files are currently being spammed and you need to be extra cautious before opening them.

Also, make sure you have the latest version of Adobe Acrobat and Acrobat Reader, because Adobe recently released security patches to address a critical vulnerability that, if exploited, could have given the attacker complete control of the infected system.

To learn more about the latest PDF Threat, visit the F-Secure advisory at:

http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

Or the SANS advisory at:

http://www.f-secure.com/weblog/archives/00001303.html

Stay safe out there…cyberspace is a hostile place!

If you use RealPlayer 10.5 or RealPlayer 11 beta, patch it immediately!

October 22, 2007 on 12:01 pm | In Updates and Patches | No Comments

A patch for RealPlayer 10.5 and 11 Beta with a rating of “extremely critical” has been released to address a security flaw that has been recently targeted for attacks.

When a victim visits malicious Web sites using Microsoft’s Internet Explorer Web browser, the perpetrators could exploit a buffer overflow vulnerability in RealPlayer and run malicious code on the targeted machine.

You can download the patch and read more details about this attack on the RealPlayer web site at:

http://service.real.com/realplayer/security/191007_player/en/

Beware of eCards

October 11, 2007 on 11:31 pm | In E-Mail Scams | No Comments

Today, I received an e-mail with the subject of, “Someone Just Sent you an ecard!” Remember the storm worm? Well, this is probably another variant. The body of the text read:

“The original Psycho Card is back, and someone sent it to you. Click here
to view it online. http://xxx.xxx.xxx.xxx/” (I changed the IP for your protection)

I checked out the originating IP address and it came from Cairo, Egypt.  I don’t know anyone in Egypt…

The IP address it wants me to click to retrieve the card is located in Arlington, Texas.

Be safe out there and be absolutely certain ALL emails are safe BEFORE you open and click anything within the body of the message!

This example was definitely malicious!

Blog Spam

October 1, 2007 on 4:28 pm | In Information | No Comments

Spam not only impacts normal e-mail accounts; but it also inundates Blogs.  We probably receive 30 or more spam messages every single day with subjects including everything imaginable under the sun!  We get people wanting to sell drugs, business opportunities, sex, and on, and on…and most of these illegitimate posts contain links that most likely point to malicious sites.

My guess is that most of this junk is being pushed out by Botnets. Wouldn’t it be great if we could somehow find a way to cripple Botnets? We have an idea and will be sharing it soon, so stay tuned.

PC-Armor
