
5 highlights of the Cyber Criminal's 2009

CIOL Bureau

BANGALORE, INDIA: The past few months have witnessed wave after wave of online pandemics. Never-seen-before strains of existing malicious codes and completely new Trojans spread across millions of computers worldwide. Your computer, your identity, your money… nothing was spared in the cyber mafia’s attempt to take over the internet.


Among the millions of attacks that Symantec has observed, a few stood out – in terms of reach, damage and sheer ingenuity. Read on for a lowdown on 5 highlights of the cyber criminal’s 2009.

Locking you out of your own homepage

RANSOMWARE: Like in the physical world, cyber criminals too can hold you to ransom, by encrypting important files or locking you out of your own computer.


This threat uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims. Once infected with Trojan.Ransompage, an example of a Trojan that achieves this, your browser will display a persistent inline ad on every page you visit. The ad will cover part of the original Web page, as shown below, and will stay on the screen even if the page is scrolled. This ad is written in Russian and states that in order to remove the ad (and to gain access to a porn site) the victim must send a premium rate text message to the number provided, after which the user will receive a code to remove the ad.

You may think you can avoid this by simply switching browsers. However, the malware author is a step ahead and has targeted three very popular browsers with this piece of malware.

The other face of social networking


KOOBFACE: The Koobface worm infects users by using social engineering attacks. It spreads by abusing social networking websites or by employing search engine optimization techniques to lure potential victims to malicious sites.

MODE OF TRANSMISSION: The infrastructure used by the Koobface gang is relatively simple: a central server redirects victims to one of the infected bots where the social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones.

A year has passed since Koobface was first detected; yet, this worm and the people behind it are still very active in keeping their infrastructure up to date, finding new means of propagating the infection, and taking advantage of their victims.

In just three weeks, Symantec observed 17,170 distinct infected IP addresses. This gave us a basis to gauge the extent of the infection. The figure below shows the geographic location of these Koobface bots. As indicated, several Indian cities are home to Koobface bots.


Flying into the cyber mafia’s trap

AIRLINE TICKET SPAM: All of us want to travel the world, if only we could afford the astronomical airfares! Cyber criminals know that, which is why they’ve made it easy to grab cheap – or free – airline tickets to popular destinations. You don’t even have to look for it online, because these offers land straight in your mailbox!

Symantec researchers are observing an increase in spam offering cheap airline tickets or gift vouchers to use towards the purchase of airline tickets. Spam messages originate from email addresses such as “AirlineTickets@spam-domain” and “Free.Airline.Tickets@spam-domain.” A link redirects the user to an online form where the user’s personal information and credit card details are requested. In many cases, it’s the victim’s money that will travel the world, and not the victim himself.


The top 10 headlines used in airline ticket spam are as follows:

Subject: RE: 2 Airline Tickets

Subject: Fly the skies with cheap airfares.

Subject: Fly Anywhere in the U.S.

Subject: 2 Round Trip Airline tickets. Fly anywhere in the US

Subject: Airfare on us - with this Airlines Reward Card

Subject: Airline ticket bookings made easier.

Subject: Airline tickets. The quickest way to anywhere.

Subject: Airline tickets to any place in the world.

Subject: Amazing deals across all airlines.

Subject: Book cheap airline tickets now!
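Header-based triage for the airline-ticket lure spam described above, added here as an example (this is not Symantec's or CIOL's code): it scores each message on three signals the article reports, a lure subject line, a sender local-part shaped like AirlineTickets@... or Free.Airline.Tickets@..., and a fake "RE:" prefix on mail that carries no threading headers. The quarantine threshold and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Subject phrases drawn from the article's top-10 list, matched loosely and case-insensitively.
LURE_RE = re.compile(
    r"\bairline tickets?\b|\bcheap airfares?\b|\bfly anywhere\b|"
    r"\bround trip\b.*\btickets?\b|\bairfare on us\b|\breward card\b|"
    r"\bamazing deals\b.*\bairlines?\b",
    re.IGNORECASE,
)
# Sender local-parts shaped like AirlineTickets@... or Free.Airline.Tickets@...
SENDER_RE = re.compile(r"^(free[._-]?)?airline[._-]?tickets?$", re.IGNORECASE)
# "RE:" on a message that carries no threading headers is a fake reply.
REPLY_PREFIX_RE = re.compile(r"^\s*re\s*:", re.IGNORECASE)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score one raw RFC 5322 message; returns (score, reasons)."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    local_part = parseaddr(msg.get("From", ""))[1].split("@", 1)[0]
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))

    reasons = []
    if LURE_RE.search(subject):
        reasons.append("lure subject")
    if SENDER_RE.match(local_part):
        reasons.append("airline-ticket sender local-part")
    if REPLY_PREFIX_RE.match(subject) and not threaded:
        reasons.append("fake RE: prefix without threading headers")
    return len(reasons), reasons


def is_airline_lure(raw: str, threshold: int = 2) -> bool:
    """Quarantine when two or more signals fire (the threshold is an assumption)."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real spam captures); domains are .example.
SPAM = "From: Free.Airline.Tickets@spam-domain.example\nTo: victim@example.org\nSubject: RE: 2 Airline Tickets\n\n"
NEWSLETTER = "From: news@carrier.example\nTo: me@example.org\nSubject: Book cheap airline tickets now!\nList-Unsubscribe: <mailto:leave@carrier.example>\n\n"
HAM = "From: travel@corp.example\nTo: me@corp.example\nSubject: RE: Flight reschedule for Tuesday\nIn-Reply-To: <abc@corp.example>\n\n"

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("NEWSLETTER", NEWSLETTER), ("HAM", HAM)):
        print(name, score_message(raw), is_airline_lure(raw))
```

A single lure subject on a legitimately threaded or list-managed mail scores one point and stays below the threshold, which is why the score combines signals instead of matching subjects alone.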

Even death can’t stop them

TRAGEDY SPAM: Three global celebrities passed away last year, and while the world mourned, cyber criminals got busy. The deaths of Ed McMahon, Farrah Fawcett, and Michael Jackson were prime targets for spammers and malicious code authors alike.

Internet users saw a flurry of threats seeking to play upon the emotions and curiosity of the public around these events. If you looked for news, videos, pictures, or any information regarding these individuals and their lives, you’re likely to have had a close encounter with the cyber mafia.


In just one of several examples, Symantec observed spam that appears to be a spoof of CNN but actually contains a link to a malicious Web page. Users who clicked on the link were redirected to a page that prompted them to download and run a fake Flash Player file, which actually installed malicious code.

Here are some of the additional spam and online tactics Symantec saw:

Spam with subject lines related to these deaths, with malware attached

Search engine poisoning campaigns injecting malicious sites into the top search engine results related to any of these deaths

Sites and links claiming to host videos of the last moments of these individuals’ lives, but actually peddling fake goods or malware

Social networking messages on these deaths that linked to malware

Dial T for trouble

The increasing use of smartphones has given cyber criminals a vast, lucrative new avenue to create trouble. Recently, we’ve seen a series of threats that target mobile phones. With India’s mobile additions exceeding 12 million every month, the payoff for the online mafia is quite obvious. Two unique attacks are described below.

PHONESNOOP: A Blackberry application called PhoneSnoop was released recently, which allowed remote users to listen in on a Blackberry user’s surroundings.


The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.

THE IPHONE WORM: The number of attacks designed to exploit a certain operating system or platform is directly related to that platform’s market share, as malware authors want the biggest bang for their buck. In 2009, we saw Macs and smartphones targeted more by malware authors, for example the Sexy Space botnet aimed at the Symbian mobile device operating system and the OSX.Iservice Trojan targeting Mac users.

An Australian hacker wrote the first worm for jailbroken iPhones. The worm has been dubbed “Ikee” and uses the default SSH password of jailbroken iPhones to log in and spread.

Many users who have jailbroken their iPhones in order to customize them have not changed their SSH password, allowing others to log in to their phone. Once a vulnerable iPhone is found, the worm changes the wallpaper to a picture of Rick Astley (a prank known as Rickrolling), deletes the SSH daemon, and begins scanning the network for other vulnerable phones.
