<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; scareware</title>
	<atom:link href="http://praetorianprefect.com/archives/tag/scareware/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The Proliferation Of Scareware Hits Home</title>
		<link>http://praetorianprefect.com/archives/2010/03/the-proliferation-of-scareware-hits-home/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/the-proliferation-of-scareware-hits-home/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 02:14:46 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[scareware]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[rogue antivirus]]></category>
		<category><![CDATA[seo poisoning]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3572</guid>
		<description><![CDATA[The agitation in the voice on the phone shook me from sleep early Saturday morning: My Uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/scareware2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/scareware2-150x150.jpg" alt="scareware2" title="scareware2" width="150" height="150" class="alignleft size-thumbnail wp-image-3575" /></a></p>

<p>The agitation in the voice on the phone shook me from sleep early Saturday morning: My Uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.</p>

<p>Most security professionals don’t need any further information to know what happened and that it wasn’t the McAfee installation firing these apparent anti-virus (AV) alerts. Instead this was a web dialogue with animations masquerading as the Windows My Computer screen and an AV dialogue. Accepting the download led to a malicious software installation and payment screen, a scam commonly referred to as scareware. Scareware is software sold or downloaded by creating a perception of a threat to the user, playing off that user’s fear and anxiety of viruses and spyware infecting his or her computer. The real McAfee <a href="http://newsroom.mcafee.com/article_display.cfm?article_id=3631">estimates</a> that worldwide scareware scams have raked in profits of more than $300 million annually, with a meteoric growth rate of 660% for infections over the past two years. The number of scareware product variants was about <a href="http://www.trustedsource.org/blog/393/Scareware-Poses-Danger-to-Consumers">142 in 2004</a>; 110 new variants have been tracked in just the first two months of 2010.</p>

<p>The software, originally spread through classic methods such as spam, is now distributed through more sophisticated attacks: links to infected web sites placed in popular social media content such as Twitter, YouTube, and <a href="http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/">Facebook</a>; corrupted advertisements fed into the ad networks that serve web sites; and poisoned search results, a technique called Search Engine Optimization (SEO) poisoning.</p>

<p>This last attack, SEO poisoning, was what infected my Uncle: a web search was poisoned with results from compromised legitimate web sites. By creating content stuffed with popular search terms and linking back to it from legitimate, well-ranked sites, the rules search engines like Google use to prioritize results are subverted. The video below demonstrates the effect with search results that showed up on the first page of Google results shortly after the earthquake in Haiti:</p>

<p><object width="400" height="310"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=8748497&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=8748497&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="310"></embed></object>
<br /></p>

<p>This rogue anti-virus/spyware software is distributed through a complex network involving around fifty known companies at the top building and distributing software to affiliates who earn rewards for successful sales. The companies at the top of this scheme operate at times with such impunity that their executives are bold enough to have professional profiles on the <a href="http://www.trustedsource.org/blog/393/Scareware-Poses-Danger-to-Consumers">business networking site LinkedIn</a>.</p>

<p>In October of 2008 one of these networks was mapped out when a hacker named Neon broke into a computer housing accounting information for a Russian company called Bakasoftware. This company gave recruited affiliates access to an online control panel offering varied methods of infecting computers. Affiliates could earn from <a href="http://www.secpoint.com/Bakasoftware-Russian-Scareware-Named-and-Shamed-By-Hacker.html">58% to 90% commission</a> on sales of the rogue software.</p>

<p><div id="attachment_3577" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/trafficconficker_lexuscontest_crop.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/trafficconficker_lexuscontest_crop-300x180.jpg" alt="The Lexus Contest." title="trafficconficker_lexuscontest_crop" width="300" height="180" class="size-medium wp-image-3577" /></a><p class="wp-caption-text">The Lexus Contest.</p></div>
<br /></p>

<p>At times creative bonuses are involved: one contest by a site called TrafficConverter.Biz offered <a href="http://lastwatchdog.com/scareware-attacks-spreading-twitter-google-legit/">a $36,000 Lexus</a> to the top affiliate. In 2008, the top five affiliates in the Russian Baka Software Gang averaged weekly commissions of $107,604 according to documentation found by researcher Joe Stewart. When the Federal Trade Commission obtained a court order to stop Belize’s Innovative Marketing from selling rogue software, the firm had made approximately $180 million in a year through four million customers who purchased the software thinking it was real. There is probably no better metaphor, though, than the high-end Mercedes sedan once displayed on the scam web site iframeCASH.biz, known to be similar to the model driven by its founder and scareware pioneer, St. Petersburg’s Andrej Sporaw.</p>

<p><div id="attachment_3579" class="wp-caption alignright" style="width: 261px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/iframe_cash.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/iframe_cash.jpg" alt="iFrame Cash." title="iframe_cash" width="251" height="237" class="size-full wp-image-3579" /></a><p class="wp-caption-text">iFrame Cash.</p></div>
<br /></p>

<p>My Uncle was mildly embarrassed by the entire episode, but should not be, because the techniques used to propagate these scams have become so advanced that the educated and computer savvy among us are not immune. The software replicated the logos and the look and feel of the anti-virus he knew he had installed. The sophistication of these schemes has risen alongside the profit available to be made. He held the belief common to many Internet users: as long as he had his anti-virus software installed, kept Windows updated, didn’t open strange e-mails, and stayed away from strange web sites, he would be safe using the Internet. When legitimate web sites are compromised with scripts launching fake AV dialogues, these rules do not apply. Such methods have led to an estimated one million victims of scareware per day worldwide.</p>

<p>Fortunately in my Uncle’s case he was able to cancel the credit cards involved and clean up the PC before experiencing any problems. Others have had their PCs hijacked, with the rogue software preventing updates to legitimate software, locking up the PC, preventing uninstallation, installing malware, and generating a constant stream of pop-ups in the web browser.</p>

<p>How do you avoid the scam? Remember that no legitimate anti-virus company will perform an unsolicited scan of your computer and ask for payment to correct issues identified. Close out of the browser when you see such a dialog come up. Run scans with your legitimate anti-virus and anti-spyware solutions on your PC (though remember, before you get too frustrated, that these installations are designed to work around anti-virus). Finally, consult with a colleague who has experience in dealing with information security problems.</p>

<p>Information technology folks are usually willing to help; they know that when you work in technology you will always be your own family’s private help desk, a little like how the family doctor is always stuck giving everyone medical advice.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/">Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/the-proliferation-of-scareware-hits-home/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake</title>
		<link>http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/#comments</comments>
		<pubDate>Fri, 15 Jan 2010 00:28:27 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[scareware]]></category>
		<category><![CDATA[natural disaster]]></category>
		<category><![CDATA[search engine poisoning]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3024</guid>
		<description><![CDATA[The worst earthquake in that area for 200 years, a magnitude 7.0, hit Haiti late Tuesday afternoon leaving areas like the capital of Port-au-Prince in ruins and many people in need. Predictably people are looking for ways to help and are using Google to search for relief agencies that can take donations to help the affected. Bad actors have taken advantage of this by engaging in search engine poisoning including taking over existing web sites, using techniques that boost search ranking, and installing malicious software using scareware tactics on users’ PCs. They also set up fake donation web sites. Finally, they employ spam e-mail, Twitter messages, and related electronic communication methods in order to direct users to these web sites.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/haitinatlpalance.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/haitinatlpalance.jpg" alt="haitinatlpalance" title="haitinatlpalance" width="150" height="150" class="alignleft size-full wp-image-3025" /></a></p>

<p>The worst earthquake in that area for 200 years, a magnitude 7.0, hit Haiti late Tuesday afternoon leaving areas like the capital of <a href="http://google-latlong.blogspot.com/2010/01/haiti-imagery-layer-now-available.html">Port-au-Prince in ruins</a> and many people in need. Predictably people are looking for ways to help and are using Google to search for relief agencies that can take donations to help the affected. Bad actors have taken advantage of this by engaging in search engine poisoning: taking over existing web sites and using techniques that boost search ranking. These sites are then used as redirects to sites that install malicious software, such as rogue antivirus software, on users&#8217; PCs using scareware tactics. Bad actors have also set up fake donation web sites. Finally, they use spam e-mail, Twitter messages, and related electronic communication methods to direct users to these web sites.</p>

<h3>Scareware</h3>

<p>Clicking any of the highlighted sites&#8217; URLs (search results) shown below redirects the user to a browser dialog box suggesting the user has viruses on their PC. It then suggests a system check and opens up a scareware dialog. Scareware is software, typically non-functional or malicious, that is sold or downloaded by creating in the user&#8217;s mind the perception of a usually non-existent threat.</p>

<p>Performing a search for &#8220;haiti earthquake donations&#8221; will yield the results shown:</p>

<p><div id="attachment_3027" class="wp-caption alignnone" style="width: 538px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/haiti_googlesearch.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/haiti_googlesearch.jpg" alt="Compromised web sites showing up in Google search." title="haiti_googlesearch" width="528" height="828" class="size-full wp-image-3027" /></a><p class="wp-caption-text">Compromised web sites showing up in Google search.</p></div>
<br /></p>

<p>Here is the dialog that shows up after the redirect from the hijacked web site to the malicious one:</p>

<p><div id="attachment_3038" class="wp-caption alignnone" style="width: 572px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/scareware_dialog1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/scareware_dialog1.jpg" alt="Scareware dialog box upon redirect." title="scareware_dialog" width="562" height="126" class="size-full wp-image-3038" /></a><p class="wp-caption-text">Scareware dialog box upon redirect.</p></div>
<br /></p>

<p><div id="attachment_3034" class="wp-caption alignnone" style="width: 610px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/scareware2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/scareware2.jpg" alt="Scareware dialog after selecting Ok or Cancel" title="scareware2" width="600" height="512" class="size-full wp-image-3034" /></a><p class="wp-caption-text">Scareware dialog after selecting Ok or Cancel</p></div>
<br /></p>

<p>This is not at all unusual: the aftermath of Hurricane Katrina, the 2004 tsunami in Asia, and virtually every other natural disaster has seen the same kind of activity.</p>

<h3>Video Demonstrating Malicious Antivirus Install</h3>

<p>So that you don&#8217;t have to try it yourself: clicking on any of the links above redirects the user to malicious web sites such as scan-now24.com (hosted in Kansas City, MO) and full-pc-scanner1.com (hosted in Zuid-Holland, Netherlands). Here is a demonstration of the entire flow end to end, including the rogue anti-virus attempting to install on a PC.</p>

<p><object width="700" height="543"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=8748497&amp;server=vimeo.com&amp;show_title=0&amp;show_byline=0&amp;show_portrait=0&amp;color=00ADEF&amp;fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=8748497&amp;server=vimeo.com&amp;show_title=0&amp;show_byline=0&amp;show_portrait=0&amp;color=00ADEF&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="700" height="543"></embed></object>
<br /></p>

<h3>Search Engine Poisoning?</h3>

<p>If you look at the Google search above, the result in red is a takeover of the web site <a href="http://www.sevencycles.com/">sevencycles.com</a>, which appears to be a bicycle retailer. The site currently redirects to full-pc-scanner1.com like the others, but earlier today it was showing up like this:</p>

<p><div id="attachment_3029" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/sevencycles.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/sevencycles-300x197.jpg" alt="Search engine poisoning" title="sevencycles" width="300" height="197" class="size-medium wp-image-3029" /></a><p class="wp-caption-text">Search engine poisoning</p></div>
<br /></p>

<p>The source of this page is a mess of injected content around the existing sevencycles bicycle information, most of it internal links to the site with name-value pairs referencing Haiti and links to other sites&#8217; images of Haiti.</p>

<p><div id="attachment_3053" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/sevencycles_source.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/sevencycles_source-300x239.jpg" alt="HTML source of the broken sevencycles.com site from earlier today." title="sevencycles_source" width="300" height="239" class="size-medium wp-image-3053" /></a><p class="wp-caption-text">HTML source of the broken sevencycles.com site from earlier today.</p></div>
<br /></p>

<p>Bizarrely, some of the injected text refers to what appears to be <a href="http://www.yele.org/">Wyclef Jean&#8217;s legitimate charitable effort</a>: <i>&#8220;text &#8216;Yele&#8217; to 501501 to donate $5&#8221;</i>, as well as the real address of the Lutheran World Relief &#8211; Haiti Earthquake, P.O. Box 17061. This is likely just content grabbed from Haiti relief efforts to push up the site&#8217;s rank in search engines like Google.</p>

<h3>Spam E-mail</h3>

<p>This morning e-mails such as the one below, noticed by Symantec, started showing up in people&#8217;s inboxes; this one purports to be from the British Red Cross and carries the subject &#8220;Make Your Donations Now&#8221;. Aside from a few grammatical problems and the fact that charities would not use Western Union to accept donations, the note looks fairly legitimate, so you can see how someone might be fooled.</p>

<p><div id="attachment_3043" class="wp-caption alignnone" style="width: 618px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/haiti_spam.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/haiti_spam.jpg" alt="British Red Cross Spam E-mail" title="haiti_spam" width="608" height="662" class="size-full wp-image-3043" /></a><p class="wp-caption-text">British Red Cross Spam E-mail</p></div>
<br /></p>

<h3>Fraudulent Donation Sites</h3>

<p>A number of web site domains have been registered following the tragedy. Some of these may have been registered for legitimate means, but many are being parked (reserved), and a few will end up hosting malicious content or fake donation sites.</p>

<p>A longer list of examples is below in Appendix A; here are the first five from that list:</p>

<pre><code>haiti7earthquake.com   Creation Date: 12-jan-2010
haitianaid.com   Creation Date: 12-jan-2010
haitiandisasterrelief.com   Creation Date: 12-jan-2010
haitianearthquake2010.com   Creation Date: 12-jan-2010
haitianearthquakeaid.com   Creation Date: 12-jan-2010
</code></pre>

<p>The Better Business Bureau <a href="http://www.bbb.org/us/charity/">has a portal</a> that allows you to check out charities before making any donation.</p>

<p>The Federal Bureau of Investigation also put out a press release this morning, warning of &#8220;Haitian Earthquake Relief related fraud&#8221;. The release contains this advice:</p>

<ul>
<li>Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.</li>
<li>Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.</li>
<li>Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.</li>
<li>Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.</li>
<li>Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.</li>
<li>Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.</li>
</ul>

<p>Source: <a href="http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm">http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm</a></p>

<h3>So Where do I Donate?</h3>

<p>Valid charities include:</p>

<ul>
<li><a href="http://www.redcross.org/">The American Red Cross</a></li>
<li><a href="https://secure.crs.org/site/Donation2?df_id=3181&amp;3181.donation=form1">Catholic Relief Services</a></li>
<li><a href="https://donate.doctorswithoutborders.org/SSLPage.aspx?pid=197&amp;hbc=1&amp;source=ADQ1001E1D01">Doctors Without Borders</a></li>
<li>Google <a href="http://www.google.com/relief/haitiearthquake/">has set up a site</a> to make donations to UNICEF and CARE as well.</li>
</ul>

<h3>Finally</h3>

<p>Nothing new here: a newsworthy event such as a natural disaster will bring spammers, scareware purveyors, and other fraudsters out of the woodwork every time. Use expert sites such as the Better Business Bureau to vet charities, understand that a legitimate charity would not accept money through strange vehicles like a money order, and best of all just contribute to a well-known charity you are already familiar with.</p>

<p>Real anti-virus vendors will try to scare you, but in regular advertisements, not in browser dialog boxes telling you that you have a virus installed. The rogue anti-virus industry is disturbingly successful, so it&#8217;s important to purchase anti-virus from a well-known vendor, or at least use one of the few good free solutions (Avast, AVG, et al.). If you&#8217;re a home user, just set it to auto-update. If you&#8217;re a business, have a process in place for rolling out new AV signatures, or if you are unwilling or don&#8217;t have the right expertise, offload this to a good managed service provider.</p>

<h3>Appendix A &#8211; List of Recently Registered Domains</h3>

<pre><code>haiti7earthquake.com   Creation Date: 12-jan-2010
haitianaid.com   Creation Date: 12-jan-2010
haitiandisasterrelief.com   Creation Date: 12-jan-2010
haitianearthquake2010.com   Creation Date: 12-jan-2010
haitianearthquakeaid.com   Creation Date: 12-jan-2010
haitianearthquakeaid.net   Creation Date: 12-jan-2010
haitianearthquake.com   Creation Date: 12-jan-2010
haitianearthquakefund.com   Creation Date: 12-jan-2010
haitianearthquakerelief.com   Creation Date: 12-jan-2010
haitianhero.com   Creation Date: 12-jan-2010
haitianrelief.com   Creation Date: 12-jan-2010
haitidisaster.com   Creation Date: 12-jan-2010
haitidonations.com   Creation Date: 12-jan-2010
haitiearthquake2010.com   Creation Date: 12-jan-2010
haitiearthquakeaid.com   Creation Date: 12-jan-2010
haiti-earthquake.com   Creation Date: 12-jan-2010
haitiearthquake.com   Creation Date: 12-jan-2010
haitiearthquakefund.com   Creation Date: 12-jan-2010
haiti-earthquake.net   Creation Date: 12-jan-2010
haitiearthquake.net   Creation Date: 12-jan-2010
haitiearthquakenews.com   Creation Date: 12-jan-2010
haitiearthquakereleaf.com   Creation Date: 12-jan-2010
haitiearthquakerelief2010.com   Creation Date: 12-jan-2010
haitiearthquakerelief.com   Creation Date: 12-jan-2010
haitiearthquakerelieffund.com   Creation Date: 12-jan-2010
haitiearthquakerelieffund.net   Creation Date: 12-jan-2010
haitiearthquakerelief.net   Creation Date: 12-jan-2010
haitiearthquakeupdates.com   Creation Date: 12-jan-2010
haitihelp.com   Creation Date: 12-jan-2010
haiti-in-earthquake.com   Creation Date: 12-jan-2010
haitiquake.com   Creation Date: 12-jan-2010
haitiquakefund.com   Creation Date: 12-jan-2010
haitiquakerelief.com   Creation Date: 12-jan-2010
haitirelief2010.com   Creation Date: 12-jan-2010
haiti-relief.com   Creation Date: 12-jan-2010
haitirelieffund.com   Creation Date: 12-jan-2010
haitiringtones.com   Creation Date: 12-jan-2010
haititsunami.com   Creation Date: 12-jan-2010
haiti2010quake.com   Creation Date: 13-jan-2010
haiti7aid.com   Creation Date: 13-jan-2010
haitiaftershock.com   Creation Date: 13-jan-2010
haiti-aid.com   Creation Date: 13-jan-2010
haitiaidsociety.com   Creation Date: 13-jan-2010
haitiancharities.com   Creation Date: 13-jan-2010
haitiancharity.com   Creation Date: 13-jan-2010
haitiandtps.com   Creation Date: 13-jan-2010
haitianearthquakeappeal.com   Creation Date: 13-jan-2010
haitianearthquakeappeal.net   Creation Date: 13-jan-2010
haitianearthquake.net   Creation Date: 13-jan-2010
haitianearthquakerelief.net   Creation Date: 13-jan-2010
haitianguanye.com   Creation Date: 13-jan-2010
haitianphotoalbum.com   Creation Date: 13-jan-2010
haitianquake.com   Creation Date: 13-jan-2010
haitianquakerelief.com   Creation Date: 13-jan-2010
haitianrecovery.com   Creation Date: 13-jan-2010
haitianrelieffund.com   Creation Date: 13-jan-2010
haitianrelief.net   Creation Date: 13-jan-2010
haitianrescue.com   Creation Date: 13-jan-2010
haitiansurvivors.com   Creation Date: 13-jan-2010
haitiansurvivors.net   Creation Date: 13-jan-2010
haitianvictims.com   Creation Date: 13-jan-2010
haitianvictims.net   Creation Date: 13-jan-2010
haitianvolunteers.com   Creation Date: 13-jan-2010
haitiassist.com   Creation Date: 13-jan-2010
haitiatlanta.com   Creation Date: 13-jan-2010
haitibracelets.com   Creation Date: 13-jan-2010
haitibreakingnews.com   Creation Date: 13-jan-2010
haiticanada.com   Creation Date: 13-jan-2010
haiticharity.com   Creation Date: 13-jan-2010
haiticharters.com   Creation Date: 13-jan-2010
haiticonstructionjobs.com   Creation Date: 13-jan-2010
haiticrises.com   Creation Date: 13-jan-2010
haitidevastation.com   Creation Date: 13-jan-2010
haitidisaster2010.com   Creation Date: 13-jan-2010
haiti-disaster.com   Creation Date: 13-jan-2010
haitidisasterfund.com   Creation Date: 13-jan-2010
haiti-disaster.net   Creation Date: 13-jan-2010
haitidisaster.net   Creation Date: 13-jan-2010
haitidonation.com   Creation Date: 13-jan-2010
haitidonation.net   Creation Date: 13-jan-2010
haiti-donations.com   Creation Date: 13-jan-2010
haitiearth.com   Creation Date: 13-jan-2010
haitiearthquakeappeal.com   Creation Date: 13-jan-2010
haitiearthquakeappeal.net   Creation Date: 13-jan-2010
haitiearthquakedisaster.com   Creation Date: 13-jan-2010
haitiearthquakedonate.com   Creation Date: 13-jan-2010
haitiearthquakedonations.com   Creation Date: 13-jan-2010
haiti-earthquake-help.com   Creation Date: 13-jan-2010
haitiearthquakehelp.com   Creation Date: 13-jan-2010
haitiearthquakepictures.com   Creation Date: 13-jan-2010
haitiearthquakerecoveryfund.com   Creation Date: 13-jan-2010
haiti-earthquake-relief.com   Creation Date: 13-jan-2010
haiti-earthquake-relief.net   Creation Date: 13-jan-2010
haitiearthquakeresources.com   Creation Date: 13-jan-2010
haitiearthquakes.com   Creation Date: 13-jan-2010
haitieq.com   Creation Date: 13-jan-2010
haiti-farm-land.com   Creation Date: 13-jan-2010
haitifeedthechildren.com   Creation Date: 13-jan-2010
haitifoundation.com   Creation Date: 13-jan-2010
haiti-funds.com   Creation Date: 13-jan-2010
haitifunds.com   Creation Date: 13-jan-2010
haiti-help.com   Creation Date: 13-jan-2010
haitihelp.net   Creation Date: 13-jan-2010
haitihiphop.com   Creation Date: 13-jan-2010
haitihoax.com   Creation Date: 13-jan-2010
haitiinfocenter.com   Creation Date: 13-jan-2010
haitijanuary122010.com   Creation Date: 13-jan-2010
haitilifeexpectancy.com   Creation Date: 13-jan-2010
haitimemorial.com   Creation Date: 13-jan-2010
haitineedsus.com   Creation Date: 13-jan-2010
haitineedsus.net   Creation Date: 13-jan-2010
haitineedsyourhelp.com   Creation Date: 13-jan-2010
haitionearthquake.com   Creation Date: 13-jan-2010
haitionfund.com   Creation Date: 13-jan-2010
haitipix.com   Creation Date: 13-jan-2010
haitipix.net   Creation Date: 13-jan-2010
haitiplunge.com   Creation Date: 13-jan-2010
haitipourdemain.com   Creation Date: 13-jan-2010
haitipulse.com   Creation Date: 13-jan-2010
haitiquake2010.com   Creation Date: 13-jan-2010
haitiquakehelp.com   Creation Date: 13-jan-2010
haiti-quake-rescue.com   Creation Date: 13-jan-2010
haitiquakes.com   Creation Date: 13-jan-2010
haitiquakevictims.com   Creation Date: 13-jan-2010
haitiquilt.com   Creation Date: 13-jan-2010
haitirebuild.com   Creation Date: 13-jan-2010
haitireconstruction.net   Creation Date: 13-jan-2010
haitirecovers.com   Creation Date: 13-jan-2010
haitireliefaid.com   Creation Date: 13-jan-2010
haitireliefbracelets.com   Creation Date: 13-jan-2010
haitireliefkc.com   Creation Date: 13-jan-2010
haitirelief.net   Creation Date: 13-jan-2010
haitireliefparty.com   Creation Date: 13-jan-2010
haitirescue.com   Creation Date: 13-jan-2010
haitirescuefund.com   Creation Date: 13-jan-2010
haitirescuemission.com   Creation Date: 13-jan-2010
haitisearthquake.com   Creation Date: 13-jan-2010
haitisecurity.com   Creation Date: 13-jan-2010
haitiservice.com   Creation Date: 13-jan-2010
haitishakes.com   Creation Date: 13-jan-2010
haitishirt.com   Creation Date: 13-jan-2010
haitishirts.com   Creation Date: 13-jan-2010
haitishock2010.com   Creation Date: 13-jan-2010
haitisos.net   Creation Date: 13-jan-2010
haitisurvivors.com   Creation Date: 13-jan-2010
haitisurvivorsvideo.com   Creation Date: 13-jan-2010
haitisurvivorsvideos.com   Creation Date: 13-jan-2010
haitisurvivorvideo.com   Creation Date: 13-jan-2010
haitisurvivorvideos.com   Creation Date: 13-jan-2010
haititemporaryprotectivestatus.com   Creation Date: 13-jan-2010
haititremor2010.com   Creation Date: 13-jan-2010
haititremor.com   Creation Date: 13-jan-2010
haitiupdate.com   Creation Date: 13-jan-2010
haitiupdates.com   Creation Date: 13-jan-2010
haitivictims.com   Creation Date: 13-jan-2010
haitiville.com   Creation Date: 13-jan-2010
haitivolunteers.com   Creation Date: 13-jan-2010
haitivox.com   Creation Date: 13-jan-2010
haitiaid.net   Creation Date: 14-jan-2010
haitiancasino.com   Creation Date: 14-jan-2010
haitiancasinos.com   Creation Date: 14-jan-2010
haitiandonation.com   Creation Date: 14-jan-2010
haitiboardwalk.com   Creation Date: 14-jan-2010
haiticasino.net   Creation Date: 14-jan-2010
haitigamblers.com   Creation Date: 14-jan-2010
haitigambling.com   Creation Date: 14-jan-2010
haitihello.com   Creation Date: 14-jan-2010
haitihello.net   Creation Date: 14-jan-2010
haitihilfe.com   Creation Date: 14-jan-2010
haiti-info.net   Creation Date: 14-jan-2010
haiti-lavi.com   Creation Date: 14-jan-2010
haitilavi.com   Creation Date: 14-jan-2010
</code></pre>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Facebook’s Faith: A New Scareware Attack</title>
		<link>http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 21:22:43 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[capthca]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[non-technical]]></category>
		<category><![CDATA[scareware]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=684</guid>
		<description><![CDATA[On Thursday morning, AVG researcher Roger Thompson, after tracing some spyware attacks to a series of Facebook profiles, noted that these few hundred profiles were showing up with the same profile image (seen at left) but different profile information. The home video link on these profiles, belonging to Faith / Emily / whoever, points to a web site that displays scareware dialogs.]]></description>
			<content:encoded><![CDATA[<div id="attachment_685" class="wp-caption alignleft" style="width: 196px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/faith.jpg"><img class="size-full wp-image-685" title="faith" src="http://praetorianprefect.com/wp-content/uploads/2009/10/faith.jpg" alt="Meet Faith...or Emily...or...the face of the new Facebook attack" width="186" height="247" /></a><p class="wp-caption-text">Meet Faith...or Emily...or...the face of the new Facebook attack</p></div>

<p>On Thursday morning, AVG researcher Roger Thompson, after tracing some spyware attacks to a series of Facebook profiles, noted that these few hundred profiles were showing up with the same profile image (seen at left) but different profile information. The home video link on these profiles, belonging to Faith / Emily / whoever, points to a web site that displays scareware dialogs: <em>netmedtest.com/index.php?affid=30500</em>.</p>

<p>Clicking the video URL opens a browser dialog box claiming the user has viruses on their PC, offers a system check, and then opens a scareware dialog. Scareware is software sold or downloaded by creating the perception, on the part of the user, of a usually non-existent threat; the software itself is typically non-functional or malicious.</p>

<p>The URL itself is registered to accounts with temporary or throwaway e-mail addresses. Amusingly, services like spambob and mailinator, which were intended to help users avoid spam, are used by bad actors as the registration and contact e-mail addresses when registering malicious web site URLs. The site <em>netmedtest</em> is hosted in Haifa, Israel.</p>

<h3>The Profile</h3>

<div id="attachment_690" class="wp-caption alignnone" style="width: 723px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen1.jpg"><img class="size-full wp-image-690" title="facebookattack_screen1" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen1.jpg" alt="The fake profile with video link." width="713" height="370" /></a><p class="wp-caption-text">The fake profile with video link.</p></div>

<div id="attachment_698" class="wp-caption alignnone" style="width: 279px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen2.jpg"><img class="size-full wp-image-698" title="facebookattack_screen2" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen2.jpg" alt="If you click the video link, you get this dialog." width="269" height="100" /></a><p class="wp-caption-text">If you click the video link, you get this dialog.</p></div>

<div id="attachment_699" class="wp-caption alignnone" style="width: 549px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen3.jpg"><img class="size-full wp-image-699" title="facebookattack_screen3" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen3.jpg" alt="And after that, you get this dialog." width="539" height="289" /></a><p class="wp-caption-text">And after that, you get this dialog.</p></div>

<h3>Facebook&#8217;s Response</h3>

<p>Facebook spokesman Simon Axten notes that Facebook is in the process of identifying the fake accounts so they can be disabled en masse. The actual URL used to serve the spyware has already been blocked by Facebook as well as by the major web browsers.</p>

<h3>A Failure of CAPTCHA</h3>

<p>The fact that there are a couple of hundred of these profile pages could suggest an automated setup of the accounts, which would mean a bypass of the CAPTCHA check used during account setup on Facebook. Facebook specifically uses <a href="http://recaptcha.net/learnmore.html">reCAPTCHA</a> (a free service that digitizes the NY Times archive at the same time as it validates that the user is actually human).</p>

<div id="attachment_701" class="wp-caption alignleft" style="width: 463px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebook_captcha_example.jpg"><img class="size-full wp-image-701" title="facebook_captcha_example" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebook_captcha_example.jpg" alt="Facebook CAPTCHA screen example." width="453" height="249" /></a><p class="wp-caption-text">Facebook CAPTCHA screen example.</p></div>

<p>CAPTCHA mechanisms have increasingly been compromised both by automated programmatic means, such as the <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">method used to break Google’s CAPTCHA</a>, and by manual means, where human interaction is used to solve the CAPTCHA images (cheap sources of labor spend the day typing in CAPTCHA responses). Given that the fake profiles number in the hundreds, either method is realistically plausible. Facebook&#8217;s spokesperson indicates that they believe it is the second case: &#8220;Based on our investigation and the relatively small number of accounts created, we’re almost certain that they were created manually, rather than by a bot.&#8221;</p>

<p>At the time of writing, this example bogus profile of Faith Price is still available on Facebook: <a href="http://www.facebook.com/people/Faith-Price/100000305282922">http://www.facebook.com/people/Faith-Price/100000305282922</a>.</p>

<h3>Countermeasures</h3>

<p>As previously stated, the major browsers have picked up the malicious link and are blocking it, and Facebook is aware of the problem, so for most users this is not a major issue at this point. As always, note that legitimate anti-virus companies will not advertise to you using scareware tactics, and avoid clicking on links provided by persons you do not know. In general, limit the damage a drive-by download can do by not surfing the web with a user account that has administrative privileges.</p>

<h3>References</h3>

<ul>
<li><a href="http://thompson.blog.avg.com/">AVG Blogs &#8211; Roger Thompson</a></li>
<li><a href="http://recaptcha.net/learnmore.html">What is ReCAPTCHA?</a></li>
<li><a href="http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_">Facebook Captchas broken?</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
