Phishing


Latest Phishing Emails

Secure Your Online Banking
Thu, 20 Nov 2008 12:00:00 GMT
Due to the number of incorrect login attempts, your Account has been locked for your security.

IMPORTANT UPDATE - Secure your savings with Abbey
Thu, 20 Nov 2008 12:00:00 GMT
Message Updates.

Warning! Your PayPal account Was limite!
Thu, 20 Nov 2008 12:00:00 GMT
The information about your account:

Message from Barclays UK
Thu, 20 Nov 2008 12:00:00 GMT
Your Online Banking is Blocked

Updating Process On Your Account
Thu, 20 Nov 2008 12:00:00 GMT
Be informed that the access to your Account has been temporarily suspended due to some errors in your personal information and security details.

LATEST UPDATE ON YOUR ONLINE BANKING
Thu, 20 Nov 2008 12:00:00 GMT
We are contacting you to remind you that our Account Review Team identified some unusual activity on your account.

Our Promise To Protect You
Wed, 19 Nov 2008 12:00:00 GMT
Due to a several attempt to login your online alliance-leicester Bank by Fraudsters ,We de-activated your online account for security reasons, unexplained funds depletion or the likewise.

Abbey National Internet Banking Customer Alert
Wed, 19 Nov 2008 12:00:00 GMT
CLICK HERE TO VERIFY YOUR ACCOUNT DETAILS

Important Notice!!! Account Security Alert
Wed, 19 Nov 2008 12:00:00 GMT
Due to the number of incorrect login attempts, your Bank of America Account has been locked for your security.

Alliance and Leicester Security Message
Wed, 19 Nov 2008 12:00:00 GMT
Welcome to Alliance and Leicester Online Banking

Abbey National plc - Message Update :-
Wed, 19 Nov 2008 12:00:00 GMT
Abbey Online Banking Services

We detected irregular check card activity on your account
Wed, 19 Nov 2008 12:00:00 GMT
We detected irregular activity on your Halifax Check Card on 18 November, 2008.

E-mail Security Information.
Tue, 18 Nov 2008 12:00:00 GMT
Abbey National plc.

Abbey Online Banking Account Protection
Tue, 18 Nov 2008 12:00:00 GMT
During our routine check, our online security team observed multiple login attempts from a blacklisted i.p on your account.

You have one or more alerts
Tue, 18 Nov 2008 12:00:00 GMT
You have one or more alerts from Visa Card Notification Service.

You have one or more alerts
Tue, 18 Nov 2008 12:00:00 GMT
You have one or more alerts from Abbey Notification Service.

Unlock Your Account Profile
Tue, 18 Nov 2008 12:00:00 GMT
Unlock Your Profile

Your Account Information Changed
Tue, 18 Nov 2008 12:00:00 GMT
Your information for your account has recently been changed.

Abbey Bank - Credit Card Payment
Mon, 17 Nov 2008 12:00:00 GMT
From: Payment Service Dept

Online Banking Access Suspended
Mon, 17 Nov 2008 12:00:00 GMT
Your Access To Internet Banking Has Been Suspended

Customer Service Message
Mon, 17 Nov 2008 12:00:00 GMT
As part of our security measures to protect your online banking account, Abbey has introduced a recent internet banking security upgrade.

Our Newly Established Security Server
Mon, 17 Nov 2008 12:00:00 GMT
We recently upgraded our Online Banking security system with a newly established security server in which guarantee's your maximum protection when accessing your account online.

Your Internet Bank Account has been temporarily Suspended
Mon, 17 Nov 2008 12:00:00 GMT
Online Banking Fund Alert:

Important-Internet Banking Security Update
Mon, 17 Nov 2008 12:00:00 GMT
Financial institutions around the world have always been subject to attempts by criminals to try and defraud money from them and their customers.

Message From Santander : Verify Your New Account Information
Sun, 16 Nov 2008 12:00:00 GMT
Customer Service:

Account Ownership Safety Precaution Tips
Sun, 16 Nov 2008 12:00:00 GMT
Dear Lloyds Customer:

Account blocked
Sun, 16 Nov 2008 12:00:00 GMT
*** Abbey National online services notification ***

Lloyds TSB Secure Message
Sun, 16 Nov 2008 12:00:00 GMT
At Lloyds TSB, your security is our major priority.

Secure Message from Abbey National plc
Sun, 16 Nov 2008 12:00:00 GMT
We have just completed a scheduled maintenance on our Abbey National plc Internet Banking System.

Important Information Regarding Your Account test
Sun, 16 Nov 2008 12:00:00 GMT
We recently reviewed your account, and we suspect an unauthorized transaction.

TKO NOTICE: Suspicious Activity.
Sat, 15 Nov 2008 12:00:00 GMT
TKO NOTICE: Suspicious Activity.

Halifax Online Banking Security Team Account Re-Upgrade Alert
Sat, 15 Nov 2008 12:00:00 GMT
For your security, we have temporarily prevented access to your account.

Secure Authorization: Online Access Temporarily Suspended
Sat, 15 Nov 2008 12:00:00 GMT
You can secure this profile online by selecting an option below:

Update Your New Alliance and leicester EV SSL Certification Update
Sat, 15 Nov 2008 12:00:00 GMT
This is to inform you that your Alliance and Leicester Bank Secure Messages Center has 1 new alert.

You Have a New Message
Sat, 15 Nov 2008 12:00:00 GMT
Please update your records before May, 20th 2008.

Account Locked !!!
Sat, 15 Nov 2008 12:00:00 GMT
For your security, Your Abbey e-banking account has been locked because of too many failed login attempts.

Smiles Internet Banking Important Security Message
Fri, 14 Nov 2008 12:00:00 GMT
Your Smiles Internet Banking Account has been suspended and needs to be Re-Activated to allow you have access to online banking safely.

Abbey National Online Banking Alert
Fri, 14 Nov 2008 12:00:00 GMT
Due to the fact that our Online Banking Security team has observed multiple logons on your internet banking account, from different blacklisted IP's, therefore been blocked, to prevent further unauthorized access for your safety.

Internet Banking - Alliance and Leicester Security Message
Fri, 14 Nov 2008 12:00:00 GMT
Please add info@host.alliance-leicester.co.uk to your address book to ensure delivery

Alliance Banking details
Fri, 14 Nov 2008 12:00:00 GMT
We're making some exciting changes that will make your online banking experience even better, We therefore request you to verify your location.

NatWest Online Banking Security Team Account Status Notification
Fri, 14 Nov 2008 12:00:00 GMT
For your security, your online banking profile has been locked due to inactivity or because of too many failed login attempts.

Online Security Measures
Fri, 14 Nov 2008 12:00:00 GMT
We recently have determined that different computers have logged into your Alliance and Leicester account, and multiple password failures were present before the logons.

Notification from American Express
Thu, 13 Nov 2008 12:00:00 GMT
During our regualry scheduled accounts maintenance and verification procedures, we have detected a slight error regarding your American Express Account.

Update and Verification Of Your Online Banking
Thu, 13 Nov 2008 12:00:00 GMT
During the regular update and verification of the Alliance and Leicester® Online Banking Service, we could not verify your current information.

Abbey National plc Online Banking Message
Thu, 13 Nov 2008 12:00:00 GMT
Abbey Online Banking

We have decided to make an Update page for your account
Thu, 13 Nov 2008 12:00:00 GMT
IMPORTANT internet banking fraud alert

Halifax Alert:Online Banking just got safer !
Thu, 13 Nov 2008 12:00:00 GMT
We`ve made some exciting changes that will make your online banking experience even better!

IMPORTANT SECURITY INFORMATION
Thu, 13 Nov 2008 12:00:00 GMT
Enhancing Your Online Security Access will allow Natwest bank to verify your identity from your computer anywhere you bank online.

e-Banking Service:Rectify your online banking access
Wed, 12 Nov 2008 12:00:00 GMT
Abbey National Bank is sending you this notification message because we seem to be having errors in the proper verification of your account On Our Database.

Important Notice!!! Unlock You Account!!!
Wed, 12 Nov 2008 12:00:00 GMT
Account Locked !

Malicious Web Site / Malicious Code: Orkut "Account Usage Notification" Malicious Spam
Thu, 13 Nov 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by Google's Web 2.0 social networking site, Orkut. Orkut is one of the most popular social networking sites in Latin America and the second most visited site in India. The email is spoofed, appearing to be from the domain google.com for this fake notification which advises the user that their account has been subject to investigation and will be terminated within 72 hours unless they click through the hyperlink and follow the necessary instructions.

Websense quotes in the 2008 Threat Predictions report have been accurate. In our previous alerts, we have seen spammers and malware authors switching tactics to persevere with their attacks over a longer time, with an increased success rate through defeating antivirus vendors and content learning technologies. This attack is another instance of such tactics, which is an ongoing trend increasingly targeting Web 2.0 sites to carry out a wide range of attacks.

Screenshot of the message:

From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable, a Trojan Downloader named "regulamento_orkut.exe" (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3).

This malicious executable has a very low AV detection.

When run, the malicious executable downloads another malicious file, "fox.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979), from the same site. The file copies itself to multiple locations on the infected machine with different names. It also adds itself to startup, and monitors browser activities with the intent to steal user information.

While the malicious code is being downloaded, a browser window also pops up displaying objectionable material.


Screenshot showing "fox.exe" downloaded onto infected machine:

Screenshot showing user's machine infected:

Websense Messaging and Websense Web Security customers are protected against these threats.


Malicious Web Site / Malicious Code: Koobface Spreading Again on Facebook
Fri, 7 Nov 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Koobface social networking worm is again spreading on Facebook. Our HoneyJax systems picked up the following email this morning:

The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.

  1. The Facebook link directs to a malicious account hosted at Geocities.com.
  2. The malicious Geocities account includes an obfuscated JavaScript link to http://lost[REMOVED]/js/js.js, which goes to http://off3[REMOVED]/go/fb.php
  3. The .php file next redirects to either http://youtube-spyvi[REMOVED]/?schk=&keat= or http://youtube-x[REMOVED]/?ch=&ea=. These sites serve the malicious "flash_update.exe" (SHA1: 62689f89f1c5f6df10f4c7096772468d4c8e458a) file.

Screenshot of the malicious Web site serving the Trojan downloader:
 

Websense Messaging and Websense Web Security customers are protected against these threats.


Malicious Web Site / Malicious Code: Adobe Acrobat & Reader util.printf JavaScript Vulnerability
Wed, 5 Nov 2008 12:00:00 AM GMT

Websense® Security Labs™ has received reports of a proof-of-concept (PoC) exploit code circulating in the wild, exploiting a vulnerability in Adobe Reader 8.1.2, and Adobe Acrobat 8.1.2.

The flaw is a stack buffer overflow triggered when parsing specially crafted PDF files (CVE-2008-2992). Successful exploitation gives the attacker the same privileges on the desktop as the user who opened the PDF file.

We urge customers to update to the latest version of Adobe Reader and Adobe Acrobat. We will continue to monitor the development of this threat.
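A static triage scanner for the PDF characteristics this alert describes (a JavaScript action, a util.printf() call, unescape()'d %u shellcode and a heap-spray string loop), written as an added example rather than anything from Adobe or Websense; the indicator names, the sample PDF and its stream contents are constructed for illustration.

```python
import re
import zlib

# Indicators for the characteristics described above: a JavaScript action,
# a util.printf() call, %u-encoded shellcode passed to unescape(), and a
# string-doubling loop of the kind used to spray the heap.
INDICATORS = {
    "js_action": re.compile(rb"/S\s*/JavaScript"),
    "util_printf_call": re.compile(rb"util\.printf\s*\("),
    "unescape_shellcode": re.compile(rb"unescape\s*\(\s*['\"]%u[0-9a-fA-F]{4}"),
    "string_growth_loop": re.compile(rb"(while|for)\s*\([^)]*\.length[^)]*\)[^;]*\+=", re.S),
}


def _decode_stream(body, dictionary):
    """Inflate a stream if its dictionary declares /FlateDecode; otherwise return it as is."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return body
    return body


def extract_javascript(pdf):
    """Return every byte chunk that may hold JavaScript.

    Covers the two usual carriers: a literal string in a /JS ( ... ) entry and a
    stream object (optionally Flate-compressed) referenced from /JS. This is a
    flat scan of object syntax, not a full PDF parser: no xref walking and no
    nested dictionaries inside a stream dictionary.
    """
    chunks = [m.group(1) for m in re.finditer(rb"/JS\s*\((.*?)\)\s*>>", pdf, re.S)]
    for m in re.finditer(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        chunks.append(_decode_stream(m.group(2), m.group(1)))
    return chunks


def scan_pdf(pdf):
    """Return the sorted indicator names found in a PDF given as bytes."""
    found = {"js_action"} if INDICATORS["js_action"].search(pdf) else set()
    for chunk in extract_javascript(pdf):
        for name, rx in INDICATORS.items():
            if name != "js_action" and rx.search(chunk):
                found.add(name)
    return sorted(found)


def build_sample_pdf():
    """Constructed, non-functional sample: a /JavaScript OpenAction whose code
    lives in a FlateDecode stream, as malicious PDFs commonly hide it."""
    js = (b"var s = unescape('%u9090'); while (s.length < 0x1000) s += s;\n"
          b"util.printf('%s', s);")
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```

Matching these indicators is a triage signal, not proof of CVE-2008-2992 exploitation; a flagged file still needs the decoded JavaScript reviewed in a sandbox.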

Screenshot of the PoC exploit's shellcode in memory: 
 

Screenshot of malicious JavaScript code used to spray the heap with the shellcode: 
 

Screenshot of a call to the vulnerable function util.printf() to trigger the error: 
 

References:

Adobe Reader JavaScript printf buffer overflow (advisory by Core Security Technologies, who discovered the flaw)

Security Update available for Adobe Reader 8 and Acrobat 8


Malicious Web Site / Malicious Code: Facebook "added friend confirmation" Malicious Spam
Wed, 5 Nov 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered another round of malicious Facebook messages. This campaign is another visual social-engineering spam campaign which tries to visually trick users into believing that the message is a legitimate added friend confirmation. The "From" address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.

Websense quotes in the 2008 Threat Predictions report have been based on facts. In our previous alert Facebook "add friend" Malicious Spam campaign, we saw spammers including a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer's perspective, the likelihood of attack success decreases when antivirus software picks up the attachment. If not picked up by antivirus software, then content learning technologies filter such messages and their attachments after receiving a certain volume of similar messages.

In order to maintain their attack over a longer time period with increased success rates, spammers have switched their tactics by including links to an external Web site. The use of external links in emails makes antivirus detection tougher, as not all antivirus software has the ability to scan or detect links included in email messages. Also, from a spammer's perspective, using links consisting of compromised ‘legitimate’ domains hosting malware as a lure increases the success rate, as this is more likely to bypass security filters that rely heavily on reputation services.

Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.

Screenshot of the malicious Facebook message: 
 

From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable named "update.exe" (SHA1: a4dc17d1bcb191af75afedddf60aecbc2af2a37f).

This malicious executable has a very low AV detection. When run, the malicious executable steals data from its victim, establishing a connection with an IRC botnet.

Screenshot showing the packet capture from a machine infected with "update.exe"
 

Websense Messaging and Websense Web Security customers are protected against these threats.
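A header and link check for messages like the Orkut and Facebook lures described above, added here as an example rather than Websense code: it flags a Return-Path domain that differs from the claimed From domain, links whose visible text shows one host while the href goes to another, and links that point straight at an executable. The message and every host name in it are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the campaigns above: the From header claims
# facebook.com, the visible link text looks like Facebook, but the href leads
# to an executable on an unrelated host. Not a real message.
SAMPLE_EMAIL = b"""\
From: Facebook <notification@facebook.com>
Return-Path: <bounce@mail-relay.example>
To: victim@example.net
Subject: You have been added as a friend
Content-Type: text/html; charset=utf-8

<html><body><p>Someone added you as a friend on Facebook.</p>
<a href="http://update-host.example/update.exe">http://www.facebook.com/confirm</a>
<a href="http://www.facebook.com/help">Help</a></body></html>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL, or of link text that looks like a URL."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _addr_domain(header):
    """Domain part of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""

def analyze(raw):
    """Return (kind, detail, detail) findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain, rp_domain = _addr_domain(msg["From"]), _addr_domain(msg["Return-Path"])
    # Bounce address on a different domain than the claimed sender: spoofed From.
    if rp_domain and rp_domain != from_domain and not rp_domain.endswith("." + from_domain):
        findings.append(("sender_mismatch", from_domain, rp_domain))
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        # Link that downloads an executable directly (the update.exe pattern).
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable_link", href, text))
        # Visible text names one host while the href goes to another.
        shown = _host(text) if re.match(r"(https?://|www\.)", text) else ""
        if shown and shown != _host(href):
            findings.append(("link_text_mismatch", shown, _host(href)))
    return findings
```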

Malicious Web Site / Malicious Code: U.S. Presidential Malware - Another Obama Lure
Wed, 5 Nov 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered further activity from malware authors using the news of the U.S. Presidential campaign outcome as bait to lure users into executing malicious executables. So far we have seen over 25,000 emails through our systems that use the technique described below. In a very quick response to the outcome of the U.S. Presidential election we have now seen both localized and globalized attacks.

The email offers news of Barack Obama's speech, recorded the day after the election results were published. Clicking on the link leads the user to a domain registered specifically for the campaign, which advises the user that they need to install the latest version of Adobe Flash Player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a rootkit is installed on the compromised machine, and data is sent to multiple command and control servers.

Screenshot of email lure:

Screenshot of malicious Web site:

Websense Messaging and Websense Web Security customers are protected against these threats.


Malicious Web Site / Malicious Code: US Presidential Malware - Barack Obama Interview Lure
Wed, 5 Nov 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered that malware authors are capitalizing on the recently announced results of the 2008 US Presidential election. Malicious email lures are being sent promising a video showing an interview with the advisors to the recently elected US President.

The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27. Upon execution, files called system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified.

Major anti-virus vendors are not detecting this Trojan Horse.
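An added check for the hosts-file modification mentioned above (not code from the alert): it reports watched banking domains that a hosts file pins to a routable address, which is how a locally unpacked phishing kit can redirect a victim's bank logins to the kit's own server. The sample file, the domain list and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: the loopback lines are normal, the two
# 192.0.2.10 lines redirect bank domains to an external address, and the
# last line is an ordinary ad-blocking sinkhole. Not a real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bankexample.co.uk
192.0.2.10      online.bankexample.co.uk secure.bankexample.co.uk
0.0.0.0         ads.example
"""

# Domains the defender cares about (assumption: a locally maintained list).
WATCHED_SUFFIXES = ("bankexample.co.uk", "paypal.example")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real tool would log it
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_overrides(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip) for watched domains pinned to a routable address."""
    hits = []
    for ip, name in parse_hosts(text):
        if not any(name == s or name.endswith("." + s) for s in watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # pointing at localhost or 0.0.0.0 blocks a site; it does not redirect it
        hits.append((name, str(ip)))
    return hits
```

On Windows the file lives under the system directory at drivers\etc\hosts, the same directory the alert says the dropped files are written to.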

The malicious email:

The malicious application:

Websense Messaging and Websense Web Security customers are protected against these threats.


Malicious Web Site / Malicious Code: Embassy of Brazil in India Site Compromise
Tue, 4 Nov 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the official Web site of the Brazil Embassy in India has been compromised and is infecting site visitors with malicious code. The Web site has been injected with obfuscated JavaScript, redirecting users to multiple, fake anti-virus removal software sites. These sites deliver malicious code.

The Embassy’s services include: issuing emergency passports, immigrant and non-immigrant visas; notarization and attestation; cultural exchange; consultant services for commercial ventures; representation of Brazilian citizens in dealings with local authorities; assistance in emergencies; and providing necessary tourist and local information for the needy.

Screen shot of infected site: 
 

Screen shot showing infected site source: 
 

Websense Messaging and Websense Web Security customers are protected against these threats.


Malicious Web Site / Malicious Code: ECPAT NZ INC Courtesy Site: Mass Injection
Tue, 4 Nov 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered that an ECPAT NZ INC courtesy site is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been injected with code that attempts to deliver malicious payloads from 20 different hosts.

ECPAT is a global network of organizations and individuals working together for the elimination of child prostitution, child pornography, and the trafficking of children for sexual purposes. ECPAT NZ plays a key role in liaising and bringing about cooperation between key government and sector groups involved in the areas of commercial sexual exploitation of children (CSEC).

In an effort to protect their visitors, Websense Security Labs is working closely with ECPAT NZ INC to advise on the threats on their Web site. The ThreatSeeker Network has been tracking how such attacks spread across reputable, high-profile Web sites and on to their peers and visitors.

Screenshot of the infected site: 

 


Screenshot of the infected site source and malicious payloads: 

 


Websense Messaging and Websense Web Security customers are protected against these threats.

Malicious Web Site / Malicious Code: Lottery Scam via Skype in China
Fri, 31 Oct 2008 12:00:00 AM GMT
Websense® Security Labs™ ThreatSeeker™ Network has discovered a scam that uses a fake Skype message about a lottery to get money from the victim. The scam is becoming widespread in China.

The scam uses a phony Skype message to trick the victim into believing that he or she has won a large prize in a lottery. The message includes the address of a phishing Web site and the telephone number of a phony support center. When the victim calls the support number, the operator directs the victim to fill out the form on the phishing Web site, including bank account information. This scam combines Web-based phishing with telephone-based human interaction, a technique that is becoming more sophisticated and popular in China.

Here is how it works:

Step 1:
The victim receives a fake message from a phisher posing as a Skype representative. The message states that the recipient has won a large prize. The message includes a fake Web site, like "http://sky63.xxxxx.cn/", and a phone number, such as "0898-881-44xxx". Often the prize is as much as 100,000 RMB, plus a new car.

Here is a typical fake Skype message:


Step 2:
The victim calls the number and goes to the phishing Web site to enter personal and bank account information.

Here is the phishing Web site:


Step 3:
This is where the scammers get the victim's money. After filling out the form, the victim is directed to another Web page that informs the victim that he or she must pay a fee, in advance, to get the prize. The fee is often several hundred RMB.

The combination of the Skype message and a real, answered phone number makes the lottery scam look genuine. The promise of a big prize (100,000 RMB and a car) makes the lure hard to resist. The victim happily pays the fee. The result is that the victim loses his or her money and, of course, there is no prize.

This page asks for a fee:


Websense Messaging and Websense Web Security customers are protected against these threats.


Malicious Web Site / Malicious Code: Beware of Compromised Halloween-themed Web Sites
Fri, 31 Oct 2008 12:00:00 AM GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered that numerous Halloween-themed Web sites have been compromised as Halloween approaches and users are more likely to visit.

One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the injected JavaScript has multiple layers of obfuscation. The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique.

The infected Web site:


 

The injected code:

Another example is a US-based retailer using the Halloween theme to promote its products. This Web site is infected with a redirection that points to a gpack exploit kit. The ThreatSeeker network is currently tracking over thirteen thousand sites infected with these patterns.

The injected Web site:

 

Malware authors are not the only ones taking advantage of seasonal events. Numerous recently registered proxy Web sites are using the Halloween theme to let users bypass traditional URL filtering solutions. For example:

Websense Messaging and Websense Web Security customers are protected against these threats.