Archive for August 2009

USA Visa Lottery scam

We don’t see USA Visa lottery scams every day, but when we do, they usually come with a long, detail-laden text meant to make the email look credible. This time the text is very short because it merely refers to a 180KB attached JPG image. What is interesting about this scam is that the offer also pretends to pay for the flight ticket to the US.

From: USA Visa Program
Sent: Wednesday, August 26, 2009 4:22:28 PM
Subject: Congratulations From U.S Embassy!!
Dear,

Read the attached copy of the Visa winning notification,

Reply this winning notification massages to the claim agent assigned to handle your visa documentation. He will guide you through your visa and flight ticket documents processing.

Thanks,

Mrs. Christine Thompson
(Secretary General)
Asia-Pacific HQ.


Fig. 1: The attached image of the scam email.


And now, as usual, comes the funny part, as in any scam attempt we’ve seen.

  • Although the picture names an “Asia-Pacific agent” for the visa processing, the contact email addresses are in … Europe: they belong to a free webmail service in the Czech Republic. Come on guys, be more creative…
  • The text is very hard to read because it is full of grammatical mistakes and sentences that don’t make much sense.

The scam quotes about 1000 USD for a single visa and 1500 USD for a family visa. Considering that you supposedly also get a flight ticket and accommodation arranged in the USA, this falls squarely into the category “too good to be true”.
As with everything that is “too good to be true”, this is a scam. We advise everybody not to fall for such offers; you will only end up disappointed.

Sorin Mustaca
Manager International Software Development

Autorun-/AutoPlay-Patches from Microsoft

Microsoft released two new knowledge base articles in which it makes patches available for all currently supported operating systems. Those patches properly disable the Autorun and AutoPlay features. This matters because it was previously possible to trick users into executing malware from, for example, USB sticks via AutoPlay entries, and to run malware automatically via Autorun. Disabling Autorun did not work as expected before these patches.

To improve the PC security it is advised to install the patches!

Dirk Knop
Technical Editor

W32/Induc.A Removal Tool

Last week a virus that infects Delphi development environments, and through them the programs compiled with Delphi, was detected and got some media attention – infected programs were distributed on cover-mount CDs and DVDs of computer magazines and via download portals.

Our developers created a special version of our Avira Removal Tool which is capable of detecting and deleting infected programs. You can download the English version here and the German version here!

Dirk Knop
Technical Editor

CentMail: Yahoo’s “new” idea to stop spam

First of all, the idea is not new at all. Bill Gates talked about a method of paying a very small fee for each sent email in 2004, but the idea proved to be unrealistic. Yahoo’s CentMail does nothing else than revive this idea in a new form: each sender pays $5 for 500 virtual stamps and the money goes to a charity organization of the user’s choice (a preselected list of charity organizations will be made available). Each email sent uses a unique virtual stamp plus a signature promoting the service. CentMail guarantees that the stamps cannot be faked or reused, in effect trying to destroy the spammers’ business model by making the sending of emails too expensive for them.

So, one may ask : where is the catch? Will this idea really be the end of spam?
Of course not.

CentMail and Yahoo acknowledge this in their FAQ by providing answers to many legitimate questions. This is just a charitable twist on the old idea of email postage stamps which is simply not realistic because it hopes that everybody will pay. Of course, this is not going to happen, so this approach fails from the start.

CentMail says that the sender will only pay if the email is being received and read by the intended recipient.

What will happen to the massive mailings sent by commercial organizations? Will they accept to pay millions of dollars per year only because they send commercial email? Or, will an email notification service or a mailing list accept to pay for every notification it sends you? Of course not. The solution to this problem is to whitelist this category of senders (as CentMail suggested in their FAQ).

This means that the same rules do not apply to all email senders. The argument for this is that people and organizations donate a lot of money to charity every year anyway, with CentMail being just an intermediary for this money.

As a conclusion, I have to admit that from time to time it is nice to see an idea that wants to turn the world upside down in order to do good things. I like the idea, but I do not think that any user would ever pay for something that has been free from the beginning, and sending emails is free!

Sorin Mustaca
Manager International Software Development

Holiday Season Spam

When I looked into one of our spam traps, one mail caught my eye: it was promising an expensive holiday trip to Turkey nearly for free, and I could even take 3 more persons with me! The trip is allegedly worth 1256,- Euros, so that would be quite a bang for the buck.

Fig. 1: The spam mail is baiting with a cheap holiday trip.


An access code in the mail is meant to make the “win” look more serious – win? Yes, the mail claims that my mail address was chosen in a drawing among several service platforms. The strange thing is that this mail address was never used to take part in anything, to register anywhere or even to order something.

The web address given in the mail redirects to another web site. This is another sign that something isn’t quite right with this “win”. At least on that web site the asterisks behind some of the “inclusive” offers get resolved (they aren’t in the spam mail). For all those nice trips the entrance fees – which can quickly add up to a few hundred Euros – are not included. There is also an explanation that you have to pay a “booking fee” of 49 Euros per person. How much the kerosene surcharges and taxes are, which also aren’t included, is not stated at all.

Fig. 2: Some details of the "deal" are available at the spammed web site.


Overall this isn’t a real offer. The spammers are trying to make the offer look cheap, but in the end you pay a few hundred Euros for some round trips with visits to carpet factories, jewelry outlets and so on – where you are expected to buy things again.

One reason not to book such a journey is that it is advertised with spam. The other reason is that the costs aren’t clear. Please don’t fall for such offers and stop your friends and relatives who want to try it anyway.

Dirk Knop
Technical Editor

Updates from Microsoft available

As announced before the weekend, Microsoft has now released 9 security bulletins. The patches related to those bulletins close a total of 19 security holes in Windows, Microsoft Office, Visual Studio, ISA Server and BizTalk Server, the RDP client for Mac and the .Net framework.

According to the exploitability index of Microsoft, exploit code is likely to appear for all but one of those vulnerabilities. Therefore it is recommended to install the updates as soon as possible.

Dirk Knop
Technical Editor

Patchday ahead

Microsoft announced its August patchday: the Redmond company plans to release 9 security bulletins on the coming Tuesday. 5 of those bulletins deal with vulnerabilities rated critical by Microsoft; they all allow remote code execution. Of those, 4 affect the Windows operating systems (one also the Client for Mac) and one affects Office, Visual Studio, the ISA Server and the BizTalk Server.

The 4 other bulletins cover security holes rated “important”. They allow privilege escalation in Windows, denial of service in the .Net framework and Windows, and again remote code execution.

Users and Administrators should get prepared to install those patches as soon as possible. A reboot of the computers will be necessary.

Dirk Knop
Technical Editor

Mozilla Foundation fixes 2 vulnerabilities in Firefox

The developers of the Mozilla Foundation have just released Firefox 3.5.2 to close two security vulnerabilities rated critical. One flaw in the web browser could be abused to spoof certificates for web servers. This was possible because the browser did not parse the domain name in the certificate correctly and stopped parsing at a NUL character. A CA would issue a certificate for <domainname><0x00><mydomainname> and the browser would treat the certificate as valid for <domainname>, thus allowing a hidden man-in-the-middle attack.

The second vulnerability could be abused to inject malicious code – for example a Trojan – onto the victim’s computer by putting certain regular expressions into a certificate used for SSL communication. This was caused by code meant to provide backwards compatibility with the non-standard regular expression syntax used by Netscape clients and servers. Firefox now uses the current industry-standard wildcard syntax.
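Both flaws come down to how a client compares the name in a certificate with the host it connected to. The following is an added example, not code from this post or from Mozilla: a small hostname-matching routine written from the defender’s side. It shows the flawed C-string style comparison that stops at the first NUL byte next to a hardened check that treats the full name as data, rejects any embedded NUL, and allows a wildcard only as the entire leftmost label of a name with at least three labels (the industry-standard rule, as opposed to the Netscape-era regular-expression syntax). All names used in it are constructed for illustration.

```python
import re
from typing import List

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


class CertNameError(ValueError):
    """A certificate name that must not be trusted for matching."""


def truncating_match(cert_name: str, hostname: str) -> bool:
    """The flawed behaviour: compare only up to the first NUL, C-string style.

    Kept here only to show why the hardened routine below is needed.
    A name such as "www.bank.example\\x00attacker.example" compares equal
    to "www.bank.example" because everything after the NUL is ignored.
    """
    return cert_name.split("\x00", 1)[0].lower() == hostname.lower()


def validate_cert_name(cert_name: str) -> List[str]:
    """Return the labels of a certificate dNSName/CN, or raise CertNameError.

    An embedded NUL byte is rejected outright (the name is a length-counted
    string, not a C string, so a NUL can only hide a second name). A wildcard
    is allowed only as the whole leftmost label, and never in a two-label
    name such as "*.com".
    """
    if "\x00" in cert_name:
        raise CertNameError("embedded NUL byte in certificate name")
    labels = cert_name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise CertNameError("name needs at least two labels")
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0 or len(labels) < 3:
                raise CertNameError("wildcard only allowed as the leftmost label "
                                    "of a name with at least three labels")
            continue
        if "*" in label:
            raise CertNameError("partial wildcards such as 'www*' are not allowed")
        if not LABEL_RE.match(label):
            raise CertNameError("invalid label %r" % label)
    return labels


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True only when hostname is covered by cert_name under the strict rules."""
    try:
        cert_labels = validate_cert_name(cert_name)
    except CertNameError:
        return False
    host_labels = hostname.lower().rstrip(".").split(".")
    # Validating the hostname labels also rejects NUL bytes and empty labels there.
    if not all(LABEL_RE.match(label) for label in host_labels):
        return False
    # A wildcard covers exactly one label, so the label counts must be equal.
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


if __name__ == "__main__":
    # Constructed sample: reads as "www.bank.example" to a C-string comparison
    # but actually continues after the NUL byte.
    crafted = "www.bank.example\x00attacker.example"
    print("flawed  :", truncating_match(crafted, "www.bank.example"))
    print("hardened:", hostname_matches(crafted, "www.bank.example"))
    print("wildcard:", hostname_matches("*.bank.example", "login.bank.example"))
```

The important design choice is that `validate_cert_name` fails closed: any name it cannot fully account for, whether because of a NUL byte, a partial wildcard or a wildcard in the wrong position, causes `hostname_matches` to return `False` rather than falling back to a looser comparison.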

Update your Firefox as soon as possible by clicking on the Help menu and choosing “Check for Updates”. As other Mozilla products like Thunderbird and SeaMonkey are vulnerable too, apply their updates as soon as they become available.

Dirk Knop
Technical Editor

Be aware of the fraudsters

If you are a German user and receive an email from “Virenwarndienst” with the sender address <Virenwarndienst@<Abzock-Webseite>.info>, do not register on that site to download the software. The site is a subscription trap: users who register there enter into a two-year contract in which they have to pay 8 euro per month.

The text of the email is:

“Attention – Important virus warning:

According to reports from the Federal Office for Information Security (BSI), a particularly dangerous virus/Trojan is currently in circulation.

Your PC is unprotected and therefore potentially at risk. In your own interest, please be sure to download an up-to-date virus scanner.

You can get the latest version directly here:

http://www.<Abzock-Webseite>.info/

Kind regards

Your Virenwarndienst”

It says that the German government authority for IT security has issued a warning because a dangerous virus/Trojan is in the wild. It then advises all users to download a security solution (note: Avira AntiVir isn’t mentioned there) so as not to endanger their computer. After following the link in the mail and trying to download the software, unsuspecting users are forced to register:

Fig. 1: The fraudsters need the address data in order to send bills for downloading the free software.


Almost nobody reads the AGB (the terms and conditions), which specify somewhere that you are signing a contract for two years at 8 euro per month.

The users who want to obtain the free version of Avira AntiVir, called Avira AntiVir Personal, can visit the website www.free-av.com and download the software for free.

Sorin Mustaca
Manager International Software Development