Friday, July 24, 2009

From Russia, With Love . . . new Postcard spam spies on your PC

Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evening of July 22nd we began to receive Postcards from thousands of our friends, that we didn't even know we had!



The emails all looked pretty much the same . . .



But they actually pointed to many different websites:

www.postcards.org.deaseza.gs
www.postcards.org.deashza.cn
www.postcards.org.deashza.gs
www.postcards.org.deaswza.gs
www.postcards.org.gewasq.cn
www.postcards.org.gewasq.hn
www.postcards.org.hcpill.com
www.postcards.org.hcpill.net
www.postcards.org.hertfe.com.mx
www.postcards.org.hyrewa.com.mx
www.postcards.org.jukhyt.com.mx
www.postcards.org.kijerw.in
www.postcards.org.kiytre.eu
www.postcards.org.lensaq.com
www.postcards.org.lensaq.net
www.postcards.org.lenshe.com
www.postcards.org.lenshe.net
www.postcards.org.liwefz.cn
www.postcards.org.liwesz.gs
www.postcards.org.liwesz.hn
www.postcards.org.liwofz.in
www.postcards.org.qemuide.cn
www.postcards.org.qemuide.gs
www.postcards.org.qemuide.hn
www.postcards.org.qemuide.in

Each of these websites offers you the opportunity to download your postcard:




The "postcard" link actually downloads a program which infects your computer with "Zeus Bot" software, which allows the criminal to steal all of your passwords for your bank, email, FTP sites, social networking sites, etc.

Even if you are "smart" and don't download and run the "postcard.exe" program, the cyber criminal has placed other traps on his website. In this case, there is a hidden "iframe" on the page, which causes your computer to open a "hidden window" and run whatever commands are located on the website:

evgard.ru/img/in.php


These websites are part of a group of "fast flux hosted" domains, which the anti-phishing community has been calling "Avalanche" because of their similarity to the old Rock Phish criminal campaign. "Fast Flux" domains actually resolve to the IP addresses of innocent victim computers who have a "web proxy" secretly running on their computer. Our cybercrime researchers at UAB have identified more than 3,700 computers that have served as the "web proxy" for these campaigns so far, including several hundred computers in the United States. Each of those proxies looks up the real criminal website, and forwards the information back to their visitors, so that the victim never actually touches the criminal's true computer, only the web proxy of another victim.

Most recently this group has been used for a few different campaigns including:

Ally Bank

secure.ally.com.deaswq.com
secure.ally.com.deaswq.net
secure.ally.com.deasws.com
secure.ally.com.deasws.net
secure.ally.com.hcpill.com
secure.ally.com.hcpill.info
secure.ally.com.hcpill.net
secure.ally.com.picdll.com
secure.ally.com.picdll.net

Comerica

businessconnect.comerica.com.session-id-379.sandigocc.com.mx
businessconnect.comerica.com.session-id-4367610.sdcac.com.mx
businessconnect.comerica.com.session-id-5539.sandigocc.com.mx
businessconnect.comerica.com.session-id-562.dirmode.org.mx
businessconnect.comerica.com.session-id-6290003.dirmode.com.mx
businessconnect.comerica.com.session-id-6815.fikhi.com.mx

eBay

cgi.ebay.com.bvgfty.com
cgi.ebay.com.bvgfty.net
cgi.ebay.com.hukkil.com.mx
cgi.ebay.com.hyfers.com
cgi.ebay.com.hyfers.net
cgi.ebay.com.hyrrte.com
cgi.ebay.com.hyrrte.net
cgi.ebay.com.ikhy1.com
cgi.ebay.com.ikhy1.net
cgi.ebay.com.ikhya.com
cgi.ebay.com.ikhyi.com
cgi.ebay.com.ikhyi.net
cgi.ebay.com.ikhyk.com
cgi.ebay.com.ikhyk.net
cgi.ebay.com.ikhyl.com
cgi.ebay.com.ikhyl.net
cgi.ebay.com.ikhyt.com
cgi.ebay.com.ikhyt.net

They are able to sustain such a high throughput of phishing - those counterfeit bank websites which trick you into giving up your password - because they have an elaborate back end for laundering their money. An army of Americans have chosen to sign up for them to work as "money mules". Rather than taking the risk of performing the financial transactions themselves, the criminals have recruited people with different spam for "work at home" jobs to do the deed for them.

Here's an advertisement being offered currently by these same criminals:



In this case, they promise that you can be a "work at home" Customer Service Specialist, earning $27 per hour "+ a bonus per processed transaction".

Those "processed transactions" work like this.

1) They send someone a spam message with a link to a fake bank website

2) The victim gives up their userid and password on the fake website

3) The criminal logs in to the real bank's website using that information, and transfers money to the "Customer Service Specialist" AKA Money Mule.

4) The Mule then receives instructions on how to wire the money internationally, keeping a generation commission (money stolen from someone else's bank account!) for themselves.

In the new "ZBot" version of this scam, only step 1 changes. You no longer have to visit a fake bank website. Once you have the ZBot malware installed on your computer, the criminal gets your password when you visit your bank's real website. If you have multiple banks and multiple credit cards, the criminal will eventually have passwords to them all as you log in to multiple accounts. This is also true for business accounts. Brian Krebs recently reported how Bullitt County Kentucky lost $415,000 by having it transferred out of their own bank accounts and sent to dozens of Money Mules. The mules each received between $7,000 and $9,900 per transaction, and then wired most of that money overseas.

How prevalent is ZBot? IDG's Ellen Messmer reported this week in her article America's Ten Most Wanted Botnets that Zeus Bot now has 3.6 Million infected victims in the United States, slightly ahead of the 2.9 Million infected with Koobface.

That's 3.6 Million Americans whose computers and financial transactions are being spied upon by Russian criminals.

Do we know its Russian? ZeusBot is actually a system for stealing website data from victims. It comes complete with a nice Graphical User Interface for keeping track of your infected machines, and tools to allow you to prioritize certain banks that are of highest interest to you. At any given moment there are more than 400 distinct command & control sites active for Zeus, so its possible there are many criminals involved. However, the ZeusBot system is written in Russian, as are the users manuals. Some of those controllers are in the United States, and we encourage US Law Enforcement to do everything they can to get to the bottom of this situation.

Your friends in Computer Forensics Research and the security industry can help. Just ask.

SAFETY UPDATE

ATTENTION NETWORK ADMINISTRATORS!!!
If you are observing traffic to the following netblock please contact me at gar@cis.uab.edu. Thank you!

91.213.72.0/24

This netblock is where the Zeus controller for the postcards malware is sitting. Its already shifted several times this week, but included:

91.213.72.10
91.213.72.11 - munaagami.net
91.213.72.12 - conscop.com
91.213.72.13 - pinesk.com

The version I visited this morning was using the "conscop.com" domain as its command and control.

No comments:

Post a Comment