
Japanese disaster - ammo for cyber arsenal
Posted: 15 Mar 2011 06:54 AM

It's no secret that criminals exploit major disasters to make money, and this time is no exception. We have tracked several black hat methods used to convince people to "help" the population affected by Japan's disaster. The techniques are not new and usually involve:

  • SEO poisoning
  • Rogue AV (fake anti-virus)
  • Phishing emails asking for donations
  • Malicious files attached to emails that claim to be legitimate documents
  • Facebook apps with CPA (cost per action) lead surveys

Websense customers are protected from these attacks by our Advanced Classification Engine analytics, part of the TRITON suite of technologies.

Black Hat SEO

SEO poisoning was in use within minutes of the first wave hitting the Japanese coast. Searching for common terms such as "japan earthquake news 2011" to find the latest news returns all sorts of results, including malicious sites that lead to fake AV.

The poisoned result looks benign:

Following the link, the victim lands on a website carrying a slightly modified version of the usual redirection to fake AV. In previous campaigns such websites hosted the fake AV directly; now they redirect to it instead.

Rogue AV

The redirect, triggered through a "CLICK HERE" button, leads to a warning that the computer might already be infected:

Whether "Cancel" or "OK" is clicked, a rogue anti-virus styled after a Windows interface pops up, even though the victim's machine is running Linux. That mismatch is the giveaway: the "scan" is rendered by the browser, not by anything running on the host:

Phishing Email

Below is a very simple, well-written and almost legitimate-looking email asking the recipient for a donation on behalf of Humanitarian Care Japan. Notice one small detail: the "Reply-To:" address is a free mail account and is completely different from the sender's address, so replies go to the scammer's mailbox rather than to the apparent sender.

Malicious Email

Another type is malicious e-mail: messages carrying malicious attachments, or links leading to malicious content. The one shown here was used in a targeted attack. It offers information about the nuclear crisis in Japan and carries an attached document named "Understanding Japan's Nuclear Crisis.doc", which, surprisingly, has very low detection coverage on VirusTotal (5 of 43 engines). As the message source shows, it too was sent from a free mail account.

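The two header checks described in the phishing and malicious e-mail sections above (a Reply-To on a different, free-mail domain from the From address, and a free-mail sender carrying an Office document) can be turned into a small triage script. The following Python is an added example written for this page, not Websense code. The free-mail domain list, the risky-extension list and both sample messages are constructed for illustration (the "freemail.example" domain is a placeholder), and the attachment payload is only the 8-byte OLE2 header, base64-encoded, rather than a real document:

```python
import email
import hashlib
from email import policy
from email.utils import parseaddr

# Assumed free-mail domains for the heuristic. "freemail.example" is a
# placeholder (RFC 2606-style) used only by the constructed samples below.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "live.com",
                    "aol.com", "freemail.example"}
# Extensions that frequently carry exploit documents or droppers (assumed list).
RISKY_EXTENSIONS = (".doc", ".xls", ".ppt", ".rtf", ".pdf", ".zip", ".exe", ".scr")
# Magic bytes of an OLE2 compound file, the container of legacy .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample 1: donation appeal whose Reply-To is a free-mail account
# on a different domain from the sender.
DONATION_SAMPLE = """\
From: "Humanitarian Care Japan" <appeal@example.org>
Reply-To: japan.relief.fund@freemail.example
To: recipient@example.net
Subject: Urgent: help the people of Japan
Content-Type: text/plain; charset="us-ascii"

Please reply to this message to receive donation instructions.
"""

# Constructed sample 2: free-mail sender with a .doc attachment. The payload is
# only the 8-byte OLE2 header, base64-encoded, not a real document.
TARGETED_SAMPLE = """\
From: "News Desk" <reports@freemail.example>
To: analyst@example.net
Subject: Understanding Japan's Nuclear Crisis
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see the attached briefing on the nuclear crisis.
--BOUNDARY
Content-Type: application/msword; name="Understanding Japan's Nuclear Crisis.doc"
Content-Disposition: attachment; filename="Understanding Japan's Nuclear Crisis.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--BOUNDARY--
"""


def _domain(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def assess_message(raw):
    """Parse one RFC 5322 message and return header flags plus attachment details."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = set()
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))

    if from_dom in FREEMAIL_DOMAINS:
        flags.add("freemail_sender")
    if reply_dom and reply_dom != from_dom:
        flags.add("reply_to_mismatch")
    if reply_dom in FREEMAIL_DOMAINS:
        flags.add("freemail_reply_to")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_ole2 = data.startswith(OLE2_MAGIC)
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.add("risky_attachment")
        if is_ole2:
            flags.add("ole2_attachment")
        # The hash is what an analyst would look up on VirusTotal; no lookup is done here.
        attachments.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(),
                            "ole2": is_ole2})
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "flags": flags, "attachments": attachments}


if __name__ == "__main__":
    for label, sample in (("donation phish", DONATION_SAMPLE),
                          ("targeted attachment", TARGETED_SAMPLE)):
        result = assess_message(sample)
        print(label, sorted(result["flags"]))
        for att in result["attachments"]:
            print("  attachment", att["name"], "sha256", att["sha256"])
```

The script does no network lookups; the SHA-256 is there so the attachment can be checked against VirusTotal by hash. A Reply-To mismatch on its own is not proof of fraud (mailing lists and ticketing systems set it legitimately), so treat each flag as one signal to weigh alongside the others.
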
Facebook apps with CPA lead survey

Last but not least, attacks also arrive through social networks. For example, the Websense ThreatSeeker Network has identified a set of websites that entice users to watch a video about the latest disaster events in Japan. As the picture below shows, the sites involved are registered under the .info TLD, and the "D1" label stands for "registered for 1 day", meaning the domains are a day old. Instead of a video, users are redirected to a Facebook application installation page, where the application asks for permission to post on the user's wall.

The scam application appears under different names such as "RemoteViews", "Collect", "Consumer" and others. Once clicked, it asks the victim to fill in a survey to unlock pictures of the people who viewed the victim's profile:

It also leaves a post on the victim's wall with a link to the application, which is what makes it spread:

We have already discussed CPA (cost per action) leads, as well as most of the other techniques listed here, in our previous blog about viral Facebook applications.

In conclusion, we see how, again and again, such disastrous events give cybercriminals plenty of "ammo" for their "arsenal" of malicious activities.

Artem Gololobov


©2012 Websense, Inc. All Rights Reserved.