You can make payment method changes at AOL throughout your monthly billing cycle if you decide that a different payment method would better suit your needs.
Due to recent fraudulent activities on some of Ybonline online accounts we are launching a new security system to make Ybonline online accounts more secure and safe.
We have taken note of a series of unauthorized log on attempt on your Abbeynational online account, traceable
through the difference in the IP address and location registered with your online bank account details.
We are currently updating our online banking services, and due to this upgrade we sincerely
call your attention to follow below link and reconfirm your online account details.
We are currently updating our online banking services,
and due to this upgrade we sincerely call your attention to follow
below link and reconfirm your online account details.
HSBC has sent you a mail to update your account but still you are unable to complete your account details,As a result of this, We are making an extra security checking on all of our Customers account in order to protect their information from theft and fraud.
This is to all existing Customers of Lloyds TSB Internet Banking,
We are currently reviewing our customer database, this is to further enable us
encourage and serve you better.
We were unable to process your billing details.We are unable to activate your account because we have just upgraded our online security parameters to make your Bank account and informations more secured from online frauds,so we request that you reconfirm your online Banking details with the one we have on file before you will be able to send and receive money online.
We just received an alert that some internet fraudstars are trying to get access to your account and some fraud messages was sent to some of our customers yesterday.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a developing "reverse Vishing" attack in China.
The attackers have been posting to BBS fake telephone numbers against the names of legitimate organisations in an attempt to associate those numbers with the customer support numbers for famous Web properties. The use of search engine optimisation (SEO) poisoning techniques in this manner shows the increasing sophistication behind traditional telephone lottery scams. If users search for customer support information, the highest ranking Web sites are returned in Baidu or Google search results with the fake phone numbers.
The attackers are using this in two ways. First, they send out spam email suggesting the recipient has been successful in a lottery. Before sending on the requested contact details the user would wish to verify these claims. Upon conducting a search in popular search engines, the user would see the association of fake telephone numbers with the customer support details.
Second, the high-cost telephone numbers are an additional revenue generator for the scam artists, and they add a layer of authentication to the scam. Unlike traditional Vishing, where automated voice systems call the victims in order to gain information, this attack uses social engineering to prompt the user into calling the fraudulent phone line. As of this morning, our China-based Security Labs team has proven the fake telephone numbers are still active. The messages provide details to convince the user the lottery fund is genuine.
As we have found so far, most of these numbers belong to the Hainan province in China. Many high profile names like Sina, Taobao, QQ, Tencent, etc., from portal sites to shopping sites, have been used as part of the attack. Dozens of fake telephone numbers are being used to lure users into dialing. This makes association with a single attack source more difficult. The scam artists post these fake phone numbers to some popular BBS and message boards because those BBS and message board Web sites have a high ranking returned in search engine results.
An example blog spam post to a high profile forum:
To illustrate the scale of the blog spam / comment spam technique used in this attack, Google and Baidu are currently indexing tens of thousands of Web sites containing the fraudulent telephone numbers.
Screenshot of the search results in the first page of Google:
Screenshot of the search results in the first page of Baidu:
Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new replica wave of fake celebrity news being sent out via spam emails. Similar to previous attacks related to 'MSNBC.com Breaking News' and 'Bogus CNN Custom Alerts', these emails contain links to a malicious Web page on a compromised site that is designed to encourage users to download a malicious application posing as a video codec. This malicious Web page also holds Iframes leading to an exploit site.
Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file.
Here is a screenshot of a sample spam email:
The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html, which issues a pop-up encouraging users to download a ‘missing’ video codec, a file called video98.exe.
Here is the screenshot of index97.html page showing the popup and download window:
The obfuscated source code from index97.html:
The source code from index97.html, deobfuscated by ThreatSeeker:
Here are a few examples of the varied subjects we have seen in this campaign:
Sensational news. Check the message. Breaking news! Be the first to know. Very important news. Astonishing Please take a look. Sensational information inside. Check this out. This is a bomb This is really great news. Please check.
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from nine different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world. (Please refer to the Sunkist entry on Wikipedia).
It is interesting to see how such attacks prevail over reputed Business-to-Business (B2B) and Business-to-Clients (B2C) Web sites, because they target their peers, their own users, and other visitors.
Screenshot of the infected site:
Screenshot of the infected site's source:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.
These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.
The following screenshots show an nslookup of a potential mistyped URL. The first shows an unaffected name server, while the second shows the poisoned name server:
Unaffected name server:
Poisoned DNS server:
A user querying an unaffected DNS server is taken through to a clean site:
A user querying a poisoned name server is taken to a malicious site under the attacker's control:
The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.
Websense Messaging and Websense Web Security customers are protected against this attack.
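The nslookup comparison described in this alert, as an added example (not Websense code): it parses the raw DNS reply from a reference resolver and from the resolver under test, and reports when a name the reference calls nonexistent comes back with an address. The reply bytes, the name mistyped-name.example, the address 203.0.113.10 and all function names are constructed for illustration.

```python
import socket
import struct

def build_response(name, rcode, addrs):
    """Build a minimal DNS reply to an A query (used only for the sample data)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!2H", 1, 1)           # QTYPE=A, QCLASS=IN
    for addr in addrs:                                # owner name = pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg

def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:                   # compression pointer, 2 bytes
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_response(msg):
    """Return (rcode, [IPv4 addresses from A records]) for a raw DNS reply."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4                 # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def compare_resolvers(reference, suspect):
    """Classify the suspect resolver's reply against a trusted reference reply."""
    ref_rcode, ref_addrs = parse_response(reference)
    sus_rcode, sus_addrs = parse_response(suspect)
    if ref_rcode == 3 and sus_rcode == 0 and sus_addrs:
        return "nxdomain-rewritten", sus_addrs        # nonexistent name got an address
    if set(ref_addrs) != set(sus_addrs):
        return "answers-differ", sus_addrs
    return "consistent", sus_addrs

# Constructed sample replies for one mistyped name (documentation-range address).
CLEAN = build_response("mistyped-name.example", 3, [])                   # NXDOMAIN
POISONED = build_response("mistyped-name.example", 0, ["203.0.113.10"])  # NOERROR + A
```

In practice the two byte strings would be the replies to the same query sent to each resolver. An ISP placeholder page also shows up as nxdomain-rewritten, so the returned address still has to be reviewed.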
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new campaign of malicious spam posing as FedEx notifications.
The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader.
This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector.
Here is a screenshot of the malicious email:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec.
Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. Here is a screenshot of a sampled spam email:
The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.
Here is the screenshot of up.html page showing the popup and download window:
up.html obfuscated source code:
Here are a few examples of the varied subjects we have seen in this campaign:
msnbc.com BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
msnbc.com BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ network has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec.
Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file).
The bogus CNN Custom Alerts spam we have been seeing today typically look like the following:
The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics.
The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.
The cnn****.html page with popup:
cnn****.html obfuscated source code:
Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ network has discovered a rogue Beijing Olympics ticket lottery Web site.
The Web site uses the hostname beij***2008.cn, a clear typo-squat of the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers, as callers would then be charged a premium rate for making that phone call.
Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD).
This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users.
A screenshot of the scam Web site:
A screenshot of the page used to collect personal information:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered that a CNET Networks site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host.
The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash (CVE-2007-0071). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction.
Screenshot of infected site:
Screenshot of the malicious payload:
Software vulnerable to this attack includes:
- Adobe, Flash Player, 9.0.115.0, and previous
- Adobe, Flex, 3.0
- Adobe, AIR, 1.0
Websense Messaging and Websense Web Security customers are protected against this attack.
This is an update to our previous alert on the DNS cache poisoning attacks.
The previously embargoed details of a critical DNS cache poisoning flaw have been correctly deduced, and are now public. In a webinar held just yesterday, Dan Kaminsky, the security researcher who discovered this flaw, confirmed that the vulnerability has been leaked.
More code to exploit this flaw has surfaced since our previous alert on this topic, and attacks have been spotted in the wild.
Major ISPs, including AT&T, Time Warner, and Bell Canada have yet to respond to this threat, leaving millions of subscribers at risk. Microsoft has issued a formal security advisory; Apple, whose Mac OS X servers are susceptible, have yet to issue a statement.
Websense® Security Labs™ strongly recommend that customers running their own DNS servers patch immediately. Customers who rely on an upstream DNS provider are urged to contact their provider to confirm that this issue has been addressed properly.