Phishing

Latest Phishing Emails

Lloyds TSB Bank New Security Data Base Registration)
Sat, 04 Oct 2008 12:00:00 GMT
Your Account Has Been Flagged and needs to be Re-activated.

Abbey National Digital Banking Urgent: Update Your Login -- Id: 695
Sat, 04 Oct 2008 12:00:00 GMT
Dear Abbey National Digital Banking client!

UPDATE YOUR ANZ ACCOUNT INFORMATION
Sat, 04 Oct 2008 12:00:00 GMT
During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your account information.

Safeguard Account Update
Sat, 04 Oct 2008 12:00:00 GMT
Please complete all boxes at the update page for successful sign on.

You've got a payment
Sat, 04 Oct 2008 12:00:00 GMT
You've got new funds!

Please verify your Western Union account
Sat, 04 Oct 2008 12:00:00 GMT
Thank you for using our online services.

Important Service Message
Fri, 03 Oct 2008 12:00:00 GMT
We recently reviewed your account, and suspected that your Lloyds TSB Bank account might have been accessed by an unauthorized third party.

Restore Your Bank Account Access
Fri, 03 Oct 2008 12:00:00 GMT
We recently upgraded our Online Service to provide a good services for all our Online Banking Users in order not to be experiencing any difficulties when signing to your Online Account.

IMPORTANT - Regarding Your Lloyds Account
Fri, 03 Oct 2008 12:00:00 GMT
Faster Payment service is now available on our internet banking.

Important Message
Fri, 03 Oct 2008 12:00:00 GMT
A response to the inquiry you recently sent us is now available in your Notice inbox.

Abbey Internet Banking : Secure Account Verification
Fri, 03 Oct 2008 12:00:00 GMT
You have 2 new important message waiting in your inbox folder.

Abbey Online-Re-Activate Your Online Banking
Fri, 03 Oct 2008 12:00:00 GMT
For your security, the profile that you are using to access Abbey Online Banking has been locked because of too many failed login attempts.

Security Upgrade - Contact Numbers
Thu, 02 Oct 2008 12:00:00 GMT
As part of our ongoing commitment to offer you the safest possible internet banking service, we are constantly reviewing and enhancing the security we offer our customers.

Important Account Information CH671K0
Thu, 02 Oct 2008 12:00:00 GMT
A recent change in your personal information (i.e change of phone number).

Re: Important Message
Thu, 02 Oct 2008 12:00:00 GMT
A response to the inquiry you recently sent us is now available in your Notice inbox.

A letter from Abbey Bank
Thu, 02 Oct 2008 12:00:00 GMT
Important Notification

Message Alert:
Thu, 02 Oct 2008 12:00:00 GMT
Message Alert:

Commerce Bank Authorization Process
Thu, 02 Oct 2008 12:00:00 GMT
We would like to notify you that Commerce Bank carries out client details verification procedure that is compulsory for all our customers.

Security Warning
Wed, 01 Oct 2008 12:00:00 GMT
As part of our security measure, We regularly screen activity in the online banking system.

Account Update By HSBC.
Wed, 01 Oct 2008 12:00:00 GMT
Due to the recent update on our Online Banking Internet Banking system, we require that you login to your Internet Banking account in order to avoid service interruption.

Abbey National Bankline Internet Banking Online Banking Service
Wed, 01 Oct 2008 12:00:00 GMT
Dear Abbey National Private and Corporate Banking member!

Verify Your Abbey eBanking Data
Wed, 01 Oct 2008 12:00:00 GMT
Our Technical Unit is doing a scheduled Electronic Banking software upgrade

Abbey National Bank -Update Your Online Details
Wed, 01 Oct 2008 12:00:00 GMT
We are sorry to inform you that your online services has expired, and must be renewed immediately, if you intend to use these services in the future, and prevent any similar situations you must take action .

Attention - Important Customer Information
Wed, 01 Oct 2008 12:00:00 GMT
As a Sterling Savings Bank customer, your privacy and security is a primary task for us.

Important Notice
Tue, 30 Sep 2008 12:00:00 GMT
You have recently updated your Credit Union account according to our standard security procedures.

*Please Restore Your Online Banking Access*
Tue, 30 Sep 2008 12:00:00 GMT
Abbey National Plc. has been receiving complaints from our customers for unauthorised use of their Online Accounts.

ebanking alert
Tue, 30 Sep 2008 12:00:00 GMT
This is to inform you that your Lloyds TSB profile needs to be updated To access your Lloyds TSB Secure profile, click on the link below:

Alert about your AOL billing information on file
Tue, 30 Sep 2008 12:00:00 GMT
To ensure that your service is not interrupted, please update your billing information today by clicking here https://bill.aol.com, After a few clicks, just verify the information you entered is correct.

RegionsNet Account Update
Tue, 30 Sep 2008 12:00:00 GMT
During the regular update and verification of the RegionsNet® Online Banking Service, we could not verify your current information.

Payment Comfirmation Notice
Tue, 30 Sep 2008 12:00:00 GMT
Lloyds TSB Transaction Notification Center

Updated Terms and Conditions of Lloyds TSB Bank
Mon, 29 Sep 2008 12:00:00 GMT
This message is to inform you that we have recently changed our terms and conditions of banking services.

Subject Notification From Chase Bank
Mon, 29 Sep 2008 12:00:00 GMT
During our regualry scheduled accounts maintenance and verification procedures, we have detected a slight error regarding your JPMorgan Chase Online Account.

Client Service: Your Banking Service In Abbey National Bank Bankline Internet Banking
Mon, 29 Sep 2008 12:00:00 GMT
Dear Abbey National Bank Bankline client!

Limited Account Access
Mon, 29 Sep 2008 12:00:00 GMT
For your protection, we have limited access to your account until additional security measures can be completed.

Browser Changes to Eastern Bank
Mon, 29 Sep 2008 12:00:00 GMT
ATTENTION ALL CLIENTS.

Abbey National Bank eBanking: Important Online Service Information
Mon, 29 Sep 2008 12:00:00 GMT
Dear Abbey National Bank e-Banking member!

You have 2 new Alert Message !
Sun, 28 Sep 2008 12:00:00 GMT
You have 2 new Alert Message !

Urgent Message: Access Suspended
Sun, 28 Sep 2008 12:00:00 GMT
To help us verify the activity on your account, we'll complete our checks and contact you within the next 24 hours (between 9am to 8pm).

Abbey National Personal and Commercial Banking Service Information
Sun, 28 Sep 2008 12:00:00 GMT
Dear Abbey National Bank Internet Banking client!

(No subject)
Sun, 28 Sep 2008 12:00:00 GMT
Dear Abbey Private and Corporate Banking member!

Egg Bank Alert
Sun, 28 Sep 2008 12:00:00 GMT
We have just completed a scheduled Update on our Egg Online Banking server, we have every reason to believe your account (s) held at Egg Bank will experience minor errors/interruption.

You Have 1 New Security Message
Sun, 28 Sep 2008 12:00:00 GMT
We Kindly ask you to confirm your Online Profile For security

Egg Bank :(One New Security Message)
Sat, 27 Sep 2008 12:00:00 GMT
Dear Egg Bank Customer:

Your account has been temporarily suspended
Sat, 27 Sep 2008 12:00:00 GMT
We would like to inform you that Lloyds TSB Bank has been subject to recent phishing attacks.

Access To Your Account(s) Have Been Blocked Due To Third Party Activities
Sat, 27 Sep 2008 12:00:00 GMT
HSBC Internet Banking

The Halifax Security Department .
Sat, 27 Sep 2008 12:00:00 GMT
We recently upgraded our security server wiht a newly established security server in which guarantee's maximum security and safety for all our account holders.

Confirm Your Identity
Sat, 27 Sep 2008 12:00:00 GMT
Western Union® has been receiving complaints from our customers for unauthorised use of theWestern Union® accounts.

Wells Fargo Online Banking Periodic Notifications
Sat, 27 Sep 2008 12:00:00 GMT
Your Account Access Is On Red Alert

Message Updates.
Fri, 26 Sep 2008 12:00:00 GMT
You have received 1 new message waiting in your inbox folder.

Hsbc Bank Plc Security Routine check
Fri, 26 Sep 2008 12:00:00 GMT
Hsbc Bank Plc is committed to making sure that your online experience is safe and secure.

Malicious Web Site / Malicious Code: Erste Securities in Poland Hosting Malicious Code
Thu, 25 Sep 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the web site of Erste Securities in Poland is hosting malicious code. Erste Securities Polska S.A. represents the Erste Bank group in Poland - one of the largest Austrian banking groups and a leading financial services provider. Erste Bank is a retail bank in Central Europe based in Vienna, Austria, and operating in Austria, Bosnia and Herzegovina, Croatia, Czech Republic, Hungary, Romania, Serbia, Slovakia, and Ukraine.

The malicious code is named foto.exe, but uses the default JPG icon on Windows XP to disguise itself from appearing as a Windows executable. Upon execution, the malware (SHA1: 0f7151400dbb7ecf5f9e7a4dc7947891) downloads a keylogger/password stealer Trojan banker, that steals personal financial information.

Screenshot of the web site's main page:

Websense Messaging and Websense Web Security customers are protected against this attack.

Phishing Alert: American Airlines AAdvantage(R) Program Phish
Tue, 23 Sep 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new phishing campaign targeting American Airlines AAdvantage(R) Program customers.

Users receive a spoofed email that tries to convince them that they will get a $50 reward if they log in and fill out a 5-question survey. The email provides a link that takes visitors to the phishing Web site, and also a fake code meant to entice the user further.

Screenshot of Email:

Screenshot of Phishing Site:

 

Websense Messaging and Websense Web Security customers are protected against this attack.


Malicious Web Site / Malicious Code: YouTube profiles used in viral marketing campaigns for spam
Tue, 23 Sep 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new spam campaign using YouTube profiles to advertise products and services.

In the past, we have seen user invites sent within YouTube containing URLs to spam sites. Also, we have seen emails sent that spoof YouTube user invites but contain a link directly to the spam site. This time around, spammers and malware authors are combining to send out spoofed YouTube user invites that link to a profile on the legitimate YouTube Web site. The spam link is then advertised on that profile. From a spammer's perspective, the chance of success is increased with such attacks, because they make use of the clean reputation of YouTube services.

Here is a screenshot of some sample spam emails:

Clicking on the link in the email directs the user to the spammer's profile on the legitimate YouTube site. When users visit the profile page, they are encouraged to visit the spammer's advertised domain.

Here is a screenshot of YouTube profiles used for advertising a spam domain:

Here is a screenshot of the actual spam domain:


Websense Messaging and Websense Web Security customers are protected against this attack.

Malicious Web Site / Malicious Code: Facebook "add friend" Malicious Spam
Mon, 22 Sep 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site, Facebook. The email is spoofed to appear from the domain facebookmail.com, an official domain used by Facebook for their outbound emails when notifying their users of an event. 

It is common for Facebook to send an email to notify their users when another Facebook user adds them as a friend on the social network. However, the spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse. 

A login page to Facebook is included in the body of the email. We have previously alerted on our discovery via our HoneyJax system about a viral Facebook phishing campaign, and thus would not be surprised if the login page presented was merely a fake front to a phishing site. 

However, an examination of the HTML form's source code shows that it was indeed passing the user name/password to Facebook itself. This may be to increase the legitimacy of the email to evade reputation-based spam filters. 
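An added example, not code from the Websense write-up, of the check described above: parse the HTML forms in a message body, find those that collect a password, and report where each one posts, flagging any whose action host is not the brand's own domain. The sample bodies are constructed, and the example.net action is a hypothetical off-brand destination.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def credential_form_actions(html):
    """Action URLs of every form in the body that collects a password."""
    parser = FormCollector()
    parser.feed(html)
    return [f["action"] for f in parser.forms if f["password"]]


def off_brand_actions(html, legitimate_domains):
    """Credential forms whose action host is not one of the brand's domains.
    A relative or empty action is reported too: inside an email it cannot
    reach the brand's real login page."""
    flagged = []
    for action in credential_form_actions(html):
        host = (urlparse(action).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in legitimate_domains):
            flagged.append(action)
    return flagged


# Constructed sample bodies: one form posting to the brand itself (as in the
# campaign above), one posting to a hypothetical off-brand host.
BRAND_FORM = """<p>Somebody added you as a friend.</p>
<form method="post" action="https://www.facebook.com/login">
<input type="text" name="email"><input type="password" name="pass">
<input type="submit" value="Login"></form>"""
OFF_BRAND_FORM = BRAND_FORM.replace("https://www.facebook.com/login",
                                    "http://example.net/fb/login.php")
```
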

Screenshot of the email: 

Websense Messaging and Websense Web Security customers are protected against this attack.


Malicious Web Site / Malicious Code: "Sex Scandal" Spam Campaign Targeting US Presidential Election
Tue, 9 Sep 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp://homemade*snip*.com/. While the video plays for 14 seconds, malicious applications are installed on the victim's machine.

Screenshot of example email:

The email encourages users to download and run obama-*snip*.exe. The MD5 of the Trojan Dropper is 26B861DF715549C537C28E4D60D8D0B7.

Screenshot of the pornographic video playing in Windows Media Player:

The dropper installs 809.exe in the user's Temporary Internet Files folder. It also registers a Browser Helper Object (BHO) named Siemens32.dll. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp://*snip*-hotel.com/.

Screenshot of code locations pointing to compromised Web site:

Websense customers are proactively protected against this latest attack as our ThreatSeeker Network identified a malicious IRS scam hosted on the same domain only last week:

Websense Messaging and Websense Web Security customers are protected against this attack.


Phishing Alert: Reverse Vishing in China
Fri, 5 Sep 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a developing "reverse Vishing" attack in China.

The attackers have been posting fake telephone numbers to BBS forums against the names of legitimate organisations, in an attempt to associate those numbers with the customer support numbers of famous Web properties. The use of search engine optimisation (SEO) poisoning techniques in this manner shows the increasing sophistication behind traditional telephone lottery scams. If users search for customer support information, the highest-ranking Web sites returned in Baidu or Google search results carry the fake phone numbers.

The attackers are using this in two ways. First, they send out spam email suggesting the recipient has been successful in a lottery. Before sending on the requested contact details the user would wish to verify these claims. Upon conducting a search in popular search engines, the user would see the association of fake telephone numbers with the customer support details.

Second, the high-cost telephone numbers are an additional revenue generator for the scam artists, and they add a layer of apparent authentication to the scam. Unlike traditional vishing, where automated voice systems call the victims in order to gain information, this attack uses social engineering to prompt the user into calling the fraudulent phone line. As of this morning, our China-based Security Labs team has confirmed that the fake telephone numbers are still active. The messages provide details to convince the user that the lottery fund is genuine.

As we have found so far, most of these numbers belong to the Hainan province in China. Many high profile names like Sina, Taobao, QQ, Tencent, etc., from portal sites to shopping sites, have been used as part of the attack. Dozens of fake telephone numbers are being used to lure users into dialing. This makes association with a single attack source more difficult. The scam artists post these fake phone numbers to some popular BBS and message boards because those BBS and message board Web sites have a high ranking returned in search engine results.

An example blog spam post to a high profile forum:


To illustrate the scale of the blog spam / comment spam technique used in this attack, Google and Baidu are currently indexing tens of thousands of Web sites containing the fraudulent telephone numbers.

Screenshot of the search results in the first page of Google:

Screenshot of the search results in the first page of Baidu:


Websense Web Security customers are protected against this attack.


Malicious Web Site / Malicious Code : MSNBC.com "BREAKING NEWS" Alert Update - Fake Celebrity News
Wed, 3 Sep 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new replica wave of fake celebrity news being sent out via spam emails. Similar to the previous attacks related to 'MSNBC.com Breaking News' and 'Bogus CNN Custom Alerts', these emails contain links to a malicious Web page on a compromised site that is designed to encourage users to download a malicious application posing as a video codec. This malicious Web page also holds iframes leading to an exploit site.

Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file.

Here is a screenshot of a sample spam email:

The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html, which issues a pop-up encouraging users to download a ‘missing’ video codec, a file called video98.exe.

Here is the screenshot of index97.html page showing the popup and download window:

The obfuscated source code from index97.html:

The source code from index97.html, deobfuscated by ThreatSeeker:

Here are a few examples of the varied subjects we have seen in this campaign:

Sensational news. Check the message.
Breaking news! Be the first to know.
Very important news.
Astonishing Please take a look.
Sensational information inside.
Check this out. This is a bomb
This is really great news. Please check.


Websense Messaging and Websense Web Security customers are protected against this attack.


Malicious Web Site / Malicious Code: Sunkist Web site: Mass Injection
Fri, 22 Aug 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from nine different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world. (Please refer to the Sunkist entry on Wikipedia).

It is notable how such attacks affect reputable Business-to-Business (B2B) and Business-to-Clients (B2C) Web sites, because they reach the site's peers, its own users, and other visitors.

Screenshot of the infected site:

Screenshot of the infected site's source:

Websense Messaging and Websense Web Security customers are protected against this attack.


Malicious Web Site / Malicious Code: China Netcom DNS cache poisoning
Tue, 19 Aug 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.

When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.

These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.

The following screenshots show an nslookup of a mistyped domain name. The first shows an unaffected name server, while the second shows the poisoned name server:

Unaffected name server:

Poisoned DNS server:

A user querying an unaffected DNS server is taken through to a clean site:

A user querying a poisoned name server is taken to a malicious site under the attacker's control:


The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.
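As an added example (not code from the Websense report), the check behind the nslookup screenshots above in Python: query a resolver for a random label that cannot exist, and treat any A record in place of NXDOMAIN as the resolver substituting its own destination. The replies are constructed sample packets, and 198.51.100.23 is a placeholder address for the attacker-controlled site.

```python
import random
import struct

NXDOMAIN = 3  # DNS RCODE for "no such name"

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def parse_response(msg):
    """Return (rcode, [IPv4 answers]) from a raw DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, ips

def probe_name(zone="example.com"):
    """A random label that no honest resolver should be able to answer."""
    label = "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=12))
    return "%s.%s" % (label, zone)

def hijacked_answers(response):
    """IPs a resolver substituted for NXDOMAIN; an empty list means clean."""
    rcode, ips = parse_response(response)
    return [] if rcode == NXDOMAIN else ips

def build_response(qname, rcode, ips):
    """Constructed reply used as sample input (not captured traffic)."""
    flags = 0x8180 | rcode                 # QR=1, RD=1, RA=1, plus RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(p) for p in ip.split("."))
        # 0xC00C: pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers

# Same random name answered by a clean resolver and by a poisoned one
PROBE = probe_name()
CLEAN_REPLY = build_response(PROBE, NXDOMAIN, [])
POISONED_REPLY = build_response(PROBE, 0, ["198.51.100.23"])  # placeholder IP
```

Against a live resolver, send `build_response`'s question portion over UDP port 53 and feed the reply to `hijacked_answers`; a non-empty result is the behaviour the poisoned CNC server shows.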

Websense Messaging and Websense Web Security customers are protected against this attack.


Malicious Web Site / Malicious Code: Malicious FedEx Notification Emails
Mon, 18 Aug 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new campaign of malicious spam posing as FedEx notifications.

The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader.

This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector.

Here is a screenshot of the malicious email:

Websense Messaging and Websense Web Security customers are protected against this attack.