Scam alert: Tesco will not pay you €120 for filling out a survey!

ESET Ireland warns of a scam abusing Tesco’s name, which promises €120 for filling out a survey, but steals credit card details instead.

Irish mailboxes are bombarded by various phishing scams every week. We usually point out the most alluring of them, so that Irish computer users would know how to recognise and avoid them. This week’s winner would have to be a fake email purporting to come from Tesco, titled “YOU GET PAYD FOR YOUR FEEDBACK” (trademark phishing spelling error included) and with the following content:


Who would say no to some free cash, right? Upon clicking the link, you’re taken to a very Tesco-looking fake website that actually does include a survey asking standard consumer questions about customer satisfaction, shopping habits, etc, to be filled out. But the scam part comes at the end.


The fake “survey” page ends with “Thank you for taking the time to respond to this survey. In return, we will add 120 € credit to your account just for your time. Please enter your account details to credit your 120 € reward” but you have to enter all your personal and credit card details there. Full name, address, date of birth, card number, expiration date, verification code and all other relevant details for making purchases in your name are handed over to the cybercriminals.


Don’t fall for it! Ignore this and similar emails and stay safe online.

by Urban Schrott, ESET Ireland

New sick Facebook scam exploits Robin Williams’ suicide

ESET Ireland is issuing a warning about a widespread Facebook scam, this time exploiting the tragic suicide of comic actor Robin Williams.

The scam, which has spread widely on Facebook, claims to show a “goodbye” video made by Robin Williams before he committed suicide last week. However, when Facebook users click on the link they are told to share it with their online friends and complete a survey before they can watch the promised video. Each completed survey earns the scammers a small amount of money.

How the Robin Williams Facebook scam works:

The first thing you see is a post shared by one of your Facebook contacts, entitled, “ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE”. Here is an example of how it might look in your Facebook newsfeed:


Clicking the Facebook link takes you to a third-party website, which claims to have a video that was purportedly filmed on Williams’ mobile phone in the minutes before his death.

If you click to watch the video, you are informed that you first need to share the link on your Facebook wall. The scammers do this to encourage as many people as possible to go through the same process.



Instead of being shown the video, you are presented with a survey, from which the scammers behind this Facebook scam are making money.

“The point of the scam is that each time someone fills in the survey, they are paid an unknown sum,” said Peter Stancik, security expert at ESET.This is not the first time that a celebrity death is used as click bait on Facebook. The more victims that complete the survey, the more money the scammers make. And, in case you were wondering: no video is shown after completing this Facebook scam.


ESET Ireland’s advice:

The best thing to do is not to share or click on this scam, and report any sightings of it to Facebook. “It is a good idea to first check the links you click on social networks, and never Share or Like something before you have seen it yourself. Putting this in other people’s feeds is a surefire way to upset your friends” added Stancik.

Read more about this scam on ESET’s security blog, We Live Security:

Attention gamers: You’re targets for crime!

Video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles.

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

The Sims 175 000 000
(copies sold over 15 years)
Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft 7 600 000
(avg. # players over
last 4 quarters)
Cost of 2014 upgrades (in
USD) to Kensington Palace,
United Kingdom
8th generation console units 18 680 000
(PS4+Wii+XBONE units shipped/sold)
Average number of viewers per
episode of Big Bang Theory
during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem.  But in virtual worlds, can real crimes occur?

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well, such as theft of in-game goods, counterfeiting items and gold farming. But computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts. ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

This is a shortened version of Aryeh Goretsky’s article on We Live Security. Go here for the full story.

Was the »1.2 billion passwords stolen« story just a publicity stunt?

Last week the media was buzzing with the story that supposedly a Russian gang stole 1.2 billion passwords. But several experts, including ESET’s, have raised questions whether the »news« wasn’t just a publicity scam.

At ESET Ireland, we have ourselves noticed that the media love bombastic headlines. If known names get hacked, if governmental institutions lose data, or if many passwords are compromised, the security company revealing this will get a good share of publicity. This is why last week’s media frenzy about “1.2 billion passwords getting hacked by a Russian gang” raised many eyebrows.

What did the “report” say? Somewhere south central Russia, a group of men in their twenties dubbed “CyberVor” gang (“vor” means “thief” in Russian), is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses stolen from some 420,000 different websites.

We’re not saying such a thing is impossible, as cybercriminal groups do collect such information via SQL breaches as was hinted in this case, as well as trade data on their own black market. So a gang intent on hoarding the largest database, could through time amass the said amount of passwords. “Russian hackers” is always a welcome topic that gets attention, even if the statistics sometimes contradict this, so the story got massive global coverage.

And this is where the eyebrow raising begins. The company that revealed the info is called Hold Security, a company very few people heard about before this story and that doesn’t offer an address or phone number on their website. It did however get their story about this “massive hack” published in the New York Times just when the Black Hat and Def Con conferences with many of the world’s top security experts attending were taking place in Las Vegas.

However, Hold Security did not reveal in any way how they have discovered this, what exactly they have discovered, what they have obtained and how they have disclosed this to the affected websites so the webmasters can take pro- or reactive measurements. Cybersecurity expert Graham Cluley was among the first to express his concerns.

But what followed the shocking announcement left us even more baffled. Hold Security offered a service where they charge money for webmasters to find out if their websites were affected by the hack in a form, that is reminiscent of phishing websites, where they ask users to enter their passwords and email addresses for them to “check” if they’ve been hacked! Tony Bradley of Minimal Risk commented in his blog, that the disclosure of Russian password hack seems like fake antivirus scam.


Kashmir Hill of Forbes made the connection between panic-mongering and making a profit in her article Firm That Exposed Breach Of ‘Billion Passwords’ Quickly Offered $120 Service To Find Out If You’re Affected that “the Internet predictably panicked as the story of yet another massive password breach went viral” but that “you can pay ‘as low as $120’ to Hold Security monthly to find out if your site is affected by the breach.”

At ESET Ireland we agree it would be unwise to dismiss the possibility of such a hack and website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities, as well as other commonly found flaws, but the scarcity (or refusal to present it) of evidence or additional info, as well as the shady business offer following it, leaves us all with a very strange aftertaste.

What’s scamming this week? FBI, Tesco and Bank of Ireland


ESET Ireland warns of FBI, Tesco and Bank of Ireland names abused by scammers in phishing emails sent to Irish mailboxes.

Another week, another variation of the old phishing scams hitting Irish mailboxes. This week the scammers are telling us Bank of Ireland wants us to update our account, Tesco wants to add €120 to our cards and FBI wants to pay us $5.9 million. Wow!

Dear customer,
We wish to inform you that access to your online account will soon expire. In order for this service to continue without any interruption, You are require to fill and confirm your details via the following link below:
Update Your Bank Of Ireland online account:- click here to update
After which your online account will then be automatically restored and you will be contacted by one of our bank employees.
With online banking , you have everything at your fingertips with a click .
With online banking , you have quick and easy access to your checking account. You can easily do transfers and standing orders with one click.
We are very pleased to be at your service
Bank Of Ireland Customer Service.


So says the first phishing email. They’re basically telling us to go to their page and give them our online banking log in details, so they can do whatever they want with them. Bank of Ireland warns of these scams on their website, saying “Never respond to any unsolicited e-mail that asks you to validate your login / payment credentials no matter how reasonable the request looks.”

You have been selected to access the Tesco Survey and win a 120€ direct to your card.
Please click here and complete the form to receive your reward. Thank you.


The “Tesco” spam is even more straightforward, but like the one above just leads to a site that harvests people’s personal details and financial info. Tesco also offers some advice on staying safe online on their website, adding “Please remember we will never ask for your bank or security details.”

But my personal favourite this week is the FBI one. The gist of it is, that FBI is warning us “that you are among one of the individuals and organizations who are yet to receive their overdue payment from overseas which includes those of Lottery / Gambling, Contract and Inheritance. Through our Fraud Monitory Unit we have noticed that you have been transacting with some impostors and fraudsters” and that “The Cyber Crime Division of the FBI gathered information from the Internet Fraud Complaint Center (IFCC) on how some people have lost outrageous sums of money to these impostors”, and because those wicked fraudsters are out to get us, we should contact barrister James Henry of the Central Bank of Nigeria directly, with all our banking details, so he can transfer us $5.9 million that we are “owed”. Scammers trying to scam us by warning us of scammers. Cute, isn’t it?

Well, now you know. Don’t fall for their tricks and stay safe online.

Monthly Threat Report: July 2014


The Top Ten Threats


1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.3%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address, and it tries to download several files from the address. The files are then executed and the HTTP protocol is used.  The worm may delete the following folders:


2. JS/Kryptik.I

Previous Ranking: 2
Percentage Detected: 1.82%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.


3. Win32/RiskWare.NetFilter

Previous Ranking: n/a
Percentage Detected: 1.73%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infeted computers to engage in unwanted behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install other malware.


4. LNK/Agent.AK

Previous Ranking: 3
Percentage Detected: 1.55%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and, additionaly runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability was known as Stuxnet was discovered, as it was one of four that threat vulnerabilities executed.


5. Win32/Sality

Previous Ranking: 4
Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run starts a service and create/delete registry keys related with security activities in the system and to ensure the start of malicious process each reboot of operating system.
It modifies EXE and SCR files and disables services and process related to security solutions.
More information relating to a specific signature:


6. HTML/ScrInject

Previous Ranking: 8
Percentage Detected: 1.37%

Generic detection of HTML web pages containing script obfuscated or iframe tags that that automatically redirect to the malware download.


7. Win32/Adware.MultiPlug

Previous Ranking: n/a
Percentage Detected: 1.28%

Win32/Adware.Multiplug is a Possible Unwanted Application that once it’s present into the users system might cause applications to displays advertising popup windows during internet browsing.


8. INF/Autorun

Previous Ranking: 5
Percentage Detected: 1.24%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case.


9. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.15%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This treat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues:

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.


10. Win32/TrojanDownloader.Zurgop

Previous Ranking: n/a
Percentage Detected: 1.14%

Win32/TrojanDownloader.Zurgop it a family of malicious codes that once they infect a vulnerable system will downloder other malware from the Internet. Variants of this family use different techniques to avoid detection such as run-time compressed packers like PEncrypt or PECompact.

ESET wins another VB100 award, this time on Windows 7

ESET continues to be consistent in malware detection, this time in Virus Bulletin’s test on Windows 7. For over a decade now, ESET has regularly come out on top of Virus Bulletin’s tests. See ESET has received its 75th “VB100” award and ESET Has Received Its 80th VB100 Award and Celebrates a Record of 10 Years Consecutive VB100 Awards for the history of our VB100 awards.

For this last award Virus Bulletin wrote:


Last 6 tests: 6 passed, 0 failed, 0 no entry

Last 12 tests: 12 passed, 0 failed, 0 no entry

ESET’s VB100 record speaks for itself, with nothing but green ticks in our results table going back more than a decade – a remarkable run of excellence. This month the product set up in good time, presenting the usual slick and professional interface with clear, simple usability on the surface and a comprehensive set of options underneath for those who want to fine-tune things. Stability was once again impeccable.

Scanning was fairly slow initially, but very quick indeed in later runs. Overheads on file access were pretty light and our set of activities completed in decent time, with low RAM use and fairly reasonable CPU use too.

Detection was very good across the board, and with no problems in the core sets yet another VB100 award goes ESET’s way, adding to its splendid tally.

“A remarkable run of excellence.” We like the sound of that. :)


Get every new post delivered to your Inbox.

Join 72 other followers