The source of the articles is in the Avira Techblog:
Twitter Phishing (on first sight)
Facebook Phishing (on first sight)
Over the weekend our spam traps received a massive wave of emails looking like the one below:
The emails seem to stem from “Twitter Support” (support@twitter.com) and are addressed each to exactly one unique email address. The link in the email seems to be unique for each email sent, too. Quite an effort to make the email look more legitimate. The target link is always a compromised website holding an html page.
Amazon: Bestsellers Electronics and Photo
After clicking on the URL, a multiple stage redirection takes place. On some of these redirection websites, the intermediate page raises alerts because our engine detects encrypted content in JS.
Finally comes the surprise: The target website at the end of the redirects is not a phishing website but a Canadian online pharmacy.
For me personally this was a “Wow!” moment. Why did the spammers choose to send the emails as Twitter phishing? I think that the explanation is simple – they did it because nobody did it before.
As usual, users of the Avira Premium Security Suite and the users of our gateway products have no reasons to fear: the emails are detected as phishing and all target URLs are blocked.
Three weeks ago, our spam traps received massive amounts of spam mails which looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we now are seeing plenty of mails which look like Facebook phishing.
The mails seem to stem from “Facebook” and use unique sender addresses that look like “notification+@facebookmail.com”.
Some observations about the current spam mails:
* Almost all the spams we’ve seen come from Russia (the “received” headers show that the sender sits in russian networks)
* There is always a fake Message-ID similar to the one from Facebook :
* The header “X-Mailer: ZuckMail [version 1.00]” is always the same
* There is an additional X-header called Errors-To with another email address at Facebook “notification+@facebookmail.com”
Amazon: Bestsellers Electronics and Photo
We asked ourselves why the cyber criminals do so much hassle with creating a phishing email in order to get redirected to an online pharmacy website. There are PROs and CONs if someone sends phishing emails using sites like Twitter and Facebook:
PRO: Using these sites which each having at least 100 million users worldwide, the spammers have the possibility to reach a huge audience. If even a 0.01% of the people buy something from those websites, then the operation was a success.
CON: Sending such a primitive phishing is a very bad idea because it is very simple to detect it. Practically, there is clear indication of phishing even for basic detection algorithms like those in Thunderbird.
Bottom line, the spammers are just trying everything to get some attention and therewith purchasers.
Short link: http://wp.me/p1Ipp-7s
Amazon: Bestsellers Electronics and Photo
© Copyright 2010 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch
I’m a consultant working with Palo Alto Networks; they have an excellent whitepaper on the subject of blocking social networking apps that you may have to worry about, “To Block or Not. Is that the question?” here: http://bit.ly/d2NZRp. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.) Let me know what you think.
There is a very cutting edge webinar coming up that you can register for now. It delves into social media and the role it will play in the future of the business world http://bit.ly/cR80Al
Well Kelly,
I agree that these technologies are very important, but what do you think after one of them introduces some malware in the company ?
What do you think, will the company revise their policy about the Web 2.0 ?
Sorin