1. Blackhole moving to IRS instead of NACHA email spam.
Using the IRS name and logo in email is one of those perennial favorites of scammers. It makes sense from their point of view, since any correspondence from the Internal Revenue Service is either serious good news or serious bad news – everybody is going to check it out. Of course, the IRS doesn’t use email for obvious reasons (For the IRS warning on phishing and other scams see: http://www.irs.gov/privacy/article/0,,id=179820,00.html)
The Blackhole operators are, however, banking on the fact that a lot of their victims are not going to know that.
2. Work at homes sites (Using NBC and geoip.js)
The work-from-home scammers’ latest strategy is the use of the NBC logo and NBC look-alike pages to lend cachet to their ads. There might be a decline in TV news viewership these days, however, this scam suggests that there is still a lot of trust out there for the major news channels – at least the scammers are banking on that.
Of course a web user’s first line of defense here should be common sense: if it seems too good to be true, it’s probably phony. Anything an untrained person can do to make $10,900 a month working from home will probably attract the men with badges.
Second line of defense: check the whois information for the site. In this case, NBC10NEWS.COM is registered to a post office box in Nobby Beach, Queensland, which is on the east coast ofAustralia. The whois info states that “All Postal Mails Rejected.”
Really? A major U.S. TV network affiliate has a web site registered on another continent and doesn’t take mail. Sure.
Strangely enough, this site has been around since 2008. Often fly-by-night sites have been registered only a few days or weeks before they show up in spam emails.
And another scam site we found, NBCHOME7.COM, was registered in July to an “organization” that calls itself “wang zheng” in “Shang Hai,”China. “Shang Hai” isn’t a standard spelling for the city ofShanghaiand Wang Zheng is a fairly common Chinese man’s name by the looks of search engine results.
To give these pages further veracity, the malicious operators use a (legitimate) script to insert the viewer’s city or location into the text. It’s this code: <div>BREAKING NEWS:</div><div>Single Mother from <script src=”http://j.maxmind.com/app/geoip.js”></script>
Geoip.js is a legitimate piece of code that is commonly used on web sites to return the viewer’s location (see: http://www.maxmind.com/app/javascript_city).
In this screenshot we’ve circled the result in red:
3. Blackhole Exploit Kit installs
Open Cloud AV
We’re seeing the Open Cloud AV rogue being installed by the Blackhole exploit kit. Obviously, the Blackhole operators think this is quick and easy way to monetize their malcode distribution.
Security Sphere 2012
And just in the event you think rogue security products are going away, we’ve seen quite a few detections of Security Sphere 2012 being delivered by drive-by download.
Ransom ware
For only 100 Euros ($133 USD) you can get your machine back. This one also arrives via drive-by download.
– AVG Threat Research Group
Leave a reply
