1. What’s lurking in those links on YouTube?
YouTube visitors should be wary of the links that come with YouTube videos and should be especially wary of videos that turn out to be graphics directing them to links on the page. This one “only” had a survey scam on it. An earlier version, which was taken down shortly after it was first detected by AVG LinkScanner®, led to a site loaded with the Blackhole exploit kit.
The video directs visitors to a link which leads off the YouTube site:
The new site appears to offer the original video.
But instead leads down the online-survey rabbit hole. In this case the scam promises the visitor access to videos as well as gift cards. We chose the Victoria’s Secret Gift Card for the sake of illustrating the scam.
And after he gives away contact information.
And signs up for yet more advertising.
The victim gets to fill out yet one more survey.
We cut off the chase at that point. You can be sure there is no gift card coming from these folks.
2. Phony “Better Business Bureau” spam has attached downloader.
The AVG Web Threat Research Group found a piece of spam email this week that impersonates correspondence from the Better Business Bureau and carries a malicious attachment. The spam is aimed at businesses and claims that there is an attached BBB complaint against the victim.
The clumsy English in the text should be one giveaway that something isn’t right: “The Better Business Bureau has got.” and “We look forward to your urgent attention.”
3. Facebook “deactivation” spam leads to Blackhole exploit kit site
The Web Threat group also investigated a phishing email purportedly from Facebook aimed at attracting visitors to a site loaded with the Blackhole exploit kit. Again, the bad English was a giveaway: “You will then be able to exploit the site as before.” I don’t think the average user thinks of him or herself as “exploiting” Facebook.
Clicking on any of the links leads to this familiar indication of Blackhole:
4. Blackhole ransomware page changes
The Blackhole exploit kit can load victims’ machines with a variety of malicious code, including ransomware. This week the Web Threats team found a new ransomware page being downloaded. The page, in German, claims that pirated material has been found on the victim’s PC, that the PC has been made inoperative, and that he or she must pay a $50 Euro fine to get it to function again.
5. The changing GUIs of Blackhole-delivered rogue security products
Malicious sites running the Blackhole exploit kit, among other malicious things, download rogue security products with names that change daily. These are clones of the same malcode with slight changes intended to obscure their identity to inexperienced home users. Some we’ve seen in the last week:
Rogue: Windows Pro Web Helper
Rogue: Windows ProSecurity Scanner
Rogue: Windows Sleek Performance
Rogue: Windows Abnormality Checker
– AVG Threat Research Group