Posts tagged ‘e-Crime’

USA Visa Lottery scam

We don’t see USA Visa lottery scams every day, but when we do, they usually carry a long text full of details meant to make the email look credible. This time the text is very short because it refers the reader to an attached 180KB JPG image. What is interesting in this scam is that the offer also pretends to pay for the flight ticket to the US.

From: USA Visa Program
Sent: Wednesday, August 26, 2009 4:22:28 PM
Subject: Congratulations From U.S Embassy!!
Dear,

Read the attached copy of the Visa winning notification,

Reply this winning notification massages to the claim agent assigned to handle your visa documentation. He will guide you through your visa and flight ticket documents processing.

Thanks,

Mrs. Christine Thompson
(Secretary General)
Asia-Pacific HQ.


Fig. 1: The attached image of the scam email.


And now, as usual, comes the funny part, as in any scam attempt we’ve seen.

  • Although the picture names an “Asia-Pacific agent” for the visa processing, the contact email addresses are in … Europe. They belong to a free web mail system in the Czech Republic. Come on guys, be more creative…
  • The text is very hard to read because it is full of grammatical mistakes and sentences which don’t make much sense.

This scam asks for about 1000 USD for a single visa and 1500 USD for a family visa. Considering that you also get a flight ticket and accommodation arranged in the USA, this can be considered “too good to be true”.
Like all things that fit into the category “too good to be true”, this is a scam. We advise everybody not to fall for such things, because you will be very disappointed.

Sorin Mustaca
Manager International Software Development

Holiday Season Spam

When I looked into one of our spam traps, one mail caught my eye: it was promising an expensive holiday trip to Turkey almost for free, and I could even take 3 more people with me! The trip is allegedly worth 1256,- Euros, so that would be quite a bang for the buck.

Fig. 1: The spam mail is baiting with a cheap holiday trip.


An access code in the mail is supposed to make the “win” look more serious. Win? Yes, the mail claims that my mail address was chosen in a drawing amongst several service platforms. The strange thing is that this mail address was never used to take part in anything, to register anywhere or even to order something.

The web address given in the mail redirects to another web site, another sign that something isn’t quite right with this “win”. At least on that web site the asterisks behind some of the “inclusive” offers get resolved (they aren’t in the spam mail). For all those nice trips the entrance fees, which can quickly add up to a few hundred Euros, are not included. There is also a note that you have to pay a “booking fee” of 49 Euros per person. How much the kerosene surcharges and taxes are, which aren’t included either, isn’t stated at all.

Fig. 2: Some details of the "deal" are available at the spammed web site.


Overall this isn’t a real offer. The spammers are trying to make the offer look cheap, but in the end you pay a few hundred Euros for some round trips with visits to carpet factories, jewelry outlets and so on, where you are expected to buy things again.

One reason not to book such a journey is that it is advertised via spam. The other reason is that the costs aren’t clear. Please don’t fall for such offers, and stop your friends and relatives who want to try it anyway.

Dirk Knop
Technical Editor

Be aware of the fraudsters

If you are a German user and receive an email coming from “Virenwarndienst” with the email address <Virenwarndienst@<Abzock-Webseite>.info>, do not register there to download the software. This site is a price trap: users who register there are signing a 2-year contract with a fee of 8 euro per month.

The text of the email is:

“Attention – Important virus warning:

According to reports from the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), a particularly dangerous virus/Trojan is currently circulating.

Your PC is unprotected and therefore potentially at risk. In your own interest, please download a current virus scanner without fail.

You can get the latest version directly here:

http://www.<Abzock-Webseite>.info/

Kind regards

Your Virenwarndienst”

It says that the German government authority for IT security has issued a warning because a dangerous virus/Trojan is in the wild. It then advises all users to download a security solution (note: Avira AntiVir isn’t mentioned there) so as not to endanger their computer. After following the link in the mail and trying to download the software, unsuspecting users are forced to register:

Fig. 1: The fraudsters need the address data in order to send bills for downloading the free software.


Almost nobody reads the AGB (EULA), which specifies somewhere that you are signing a two-year contract at 8 euro per month.

Users who want to obtain the free version of Avira AntiVir, called Avira AntiVir Personal, can visit www.free-av.com and download the software for free.

Sorin Mustaca
Manager International Software Development

Nigerian scams are indeed getting smarter

A few days ago we posted about a Nigerian scam that was trying to get smarter. I said that they were trying, without success, to avoid the common mistakes made by other scam authors. Well, it happened sooner than I imagined: I’ve seen two emails today, both overcoming these problems in different ways.

1. Scam with text and image

Usually, scam emails do not contain images because they are simply too expensive to send in bulk. This is why most filters have a kind of whitelisting in place which reduces the spam score when they encounter large pictures (for example >= 200KB) attached to a message.

In the plain text part they still use some known phrases, like “Dear sir”, “seek your assistance”, “business opportunity”, etc., so this text is easier to detect as a scam, but still not trivially. Even so, the text part contains no “story”, which on its own would make the email useless. The real story behind the scam is in an attached JPG picture with a size of exactly 200KB. Did the scammers know about this limit? Of course they did: there are plenty of antispam tools which can be downloaded and tested against.

Fig. 1: The scam mails try to circumvent email filters by using image attachments with the "whole story".


The text in the picture is a typical scam text with references to real facts and so on. The email was sent via Gmail. Again, it is very unfortunate that Google doesn’t scan outgoing emails for spam, as it does for malware.
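The size-based whitelisting described above, and how the “story in the picture” trick defeats it, can be shown with a small message parser. The following Python code is an added example and is not part of the original post or of Avira’s products: it builds a constructed sample message (placeholder addresses in the reserved .invalid domain, a fake JPEG of exactly 200KB as the post describes), then scores it once with the naive rule that rewards large images and once with a rule that treats a large image next to a nearly empty, phrase-laden text part as a scam indicator. The phrase list, the thresholds and all function names are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Phrases the post names as typical scam markers (illustrative list, not Avira's rules).
SCAM_PHRASES = ("dear sir", "seek your assistance", "business opportunity",
                "lying dormant", "million")

# Image size from which the naive whitelisting described in the post lowers the score.
IMAGE_WHITELIST_BYTES = 200 * 1024


def build_sample_scam(image_bytes=IMAGE_WHITELIST_BYTES):
    """Constructed sample: a short, story-less text part plus a JPG of a chosen size."""
    msg = EmailMessage()
    msg["From"] = "contractor@example.invalid"   # placeholder address
    msg["To"] = "victim@example.invalid"         # placeholder address
    msg["Subject"] = "Business opportunity"
    msg.set_content("Dear sir,\n\nI seek your assistance. Please read the attached picture.\n")
    # Fake JPEG: the SOI marker followed by filler; only the size matters for this example.
    payload = b"\xff\xd8\xff" + b"\x00" * (image_bytes - 3)
    msg.add_attachment(payload, maintype="image", subtype="jpeg", filename="story.jpg")
    return msg.as_bytes()


def analyze(raw):
    """Extract the features both scoring rules below work with."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, image_sizes = "", []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            text += part.get_content()
        elif part.get_content_maintype() == "image":
            image_sizes.append(len(part.get_payload(decode=True)))
    lowered = text.lower()
    return {
        "text_len": len(text.strip()),
        "image_sizes": image_sizes,
        "phrases": [p for p in SCAM_PHRASES if p in lowered],
    }


def naive_score(features):
    """The whitelisting heuristic the post describes: a big picture lowers the score,
    so a 200KB attachment cancels most of the penalty earned by the scam phrases."""
    score = 2 * len(features["phrases"])
    if any(size >= IMAGE_WHITELIST_BYTES for size in features["image_sizes"]):
        score -= 3
    return score


def hardened_score(features):
    """Same phrase scoring, but an image carried by a nearly empty text part that still
    contains scam phrases is treated as the 'story in the picture' trick, not as a bonus."""
    score = 2 * len(features["phrases"])
    if features["image_sizes"] and features["text_len"] < 200 and features["phrases"]:
        score += 3
    return score


if __name__ == "__main__":
    f = analyze(build_sample_scam())
    print(f, "naive:", naive_score(f), "hardened:", hardened_score(f))
```

Running the block shows the same message scoring 1 under the naive rule and 7 under the hardened one; the point is that any score reduction keyed only on attachment size is a published threshold the sender controls, whereas combining the attachment with the emptiness of the text part uses something the scammer cannot change without giving up the trick.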

2. Bilingual Scam

This email is a 3K plain text message using the UTF-8 character set. Because of this, it comes encoded in base64. There are two text paragraphs in the body, the first one written in French and the second in English. They are formulated differently, but basically express the same idea: a transfer of money to your account. There are some important differences between the two texts.

The English text is

  • using the word “millions”, while the French one writes the sum in figures
  • not telling the story of the money, just saying “lying dormant for eight years”, while the French one specifies that the money belongs to a deceased relative of a customer of the bank
  • using the first name of the woman, while the French one uses the formal form of address with the full name

The subject of the email is written only in French. I assume the reason for this is that the email was sent from a free email provider in France (ifrance.com).

Fig. 2: Another twist is sending bilingual scam mails.


Both messages show a very clear trend in the Nigerian scam business: they are adapting to the fast changing rules of the game. They have to do this because we are in a deep economic crisis, and now is the perfect moment for them to recruit new “customers”. In such hard economic times, people are more susceptible to these promises of easy money.

Never respond to such requests, no matter whether they are written in your language, how credible they seem or how well documented they appear.

Sorin Mustaca
Manager International Software Development

Nigerian scams are trying to get smarter

We have already blogged about Nigerian scams which make the usual mistakes associated with this kind of fraud. This time, we received an email which seemed to be adapted to European readers.

Fig. 1: Nigerian scam mails seem to get better adapted to the target audience.


I got really excited when I saw that he is not a “Mr.”, “Doctor” or “Barrister”, his email address is not mr.something@host.com, he wants to invest Euros and not US dollars, and so on. But this was only at first sight.

A closer look reveals that it is the same old scam:

  • Bad English
  • The country prefix of the telephone number is from Ivory Coast (I don’t know if the number exists)
  • The headers show that the email was sent through a bot residing in Germany (see also our “Phishing and Malware Statistics” for Germany)
  • They start the email with “Dear Sir”, and any decent filter will penalize them for this
  • The subject of the email is written in capital letters
  • It mentions something about an “account” and a money “transfer”

An interesting thing, showing how different our cultures are, is that all these scams have something in common: they write the contact email address in the body of the email, even though they use the same address in the “From” or “Reply-To” field.

Would you write your email address in the body of the email if you expect the recipient of your email to get back to you?

Avira Antispam from the Premium Security Suite detects this message as spam without even using the RBLs (real-time blacklists). As usual, we recommend that you never contact these guys and never believe offers which are too good to be true.

Sorin Mustaca
Manager International Software Development

A Japanese scam with some twists

Everyone knows about the already classic “Advance Fee Fraud”, also known as the “Nigerian Scam” (http://en.wikipedia.org/wiki/Advance_fee_fraud). But not everybody has seen the Japanese version of this scam (Figure 1).

Fig. 1: The Japanese scam


This is a very fancy scam: we usually see the same old story about very rich men killed by their government and poor relatives trying to get the money out of a third-world country with your help. But this one is different.

First of all, it thinks big. Very big… really, I have never seen such an idea before: “I made this money through a contract awarded to me by the ministry during the relocation of OSAKA AIRPORT”. And it gets even better: “I am not safe if I go back to Japan because I did not finish the contract“. So now the Osaka airport should be somewhere… on the road? This is really nice, isn’t it?

If you have a look at the main headers, you see the From, Reply-To and Sender fields. The Sender field isn’t seen in emails very often because it is somewhat of a gray area. According to RFC 822, it should be used only when the person submitting the message to the network is different from the one shown in the “From” header field. Because of this, the field should be authenticated, but what kind of authentication is meant is not clear. Some mail clients expect that the email address used in this field can be used to reach the sender, others do not. Because of this uncertainty, most email clients prefer either to omit this field completely or to add a hidden header named “X-Sender”.

So, is our “Japanese contractor” using deprecated mass-mailing software?
Note that there is no “To:” field. Of course, any decent antispam product will penalize this email when it detects something like this.

According to the other headers, the email is supposed to have been sent through Gmail. There are even DKIM headers and a new header called “X-Google-Sender-Auth”. Google doesn’t add a header like this, though. All these indications show that the spammer used special software to send mass mailings through Gmail. It is really sad to see that Google doesn’t enforce a clear email sending policy on its servers.

But because of these twists in the email, I assume that the spammers thought it wouldn’t be so bad to have an escape route. This is why the Reply-To email address points to yahoo.com.hk (Yahoo! Hong Kong).

Unfortunately for the spammer, after all this trouble just to send the email, he made the same mistakes which all the fee fraud emails make: the email uses known keywords like “million dollars” and “Att: My name is”, it tries not to use the formal form of address (“Mr. ”) in the From text but then uses an email address called mr.otoya22@gmail.com and the formal address in the Subject. These are further important hints which help an automated spam detection system to safely mark this email as a scam.

Avira Antispam detects this email with a “Very High” spam probability without even calling any Realtime Blacklists, which is no wonder given so many spam indicators. As usual, Avira advises never to respond to such emails and never to trust people who promise huge amounts of money.
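The header observations in this post (a Sender field that differs from From, no To: field, a Reply-To at a different provider, an all-caps subject, known fee-fraud keywords) and the observation from the earlier post that scammers repeat their contact address in the body even though it is already in From or Reply-To can all be checked mechanically. The Python below is an added example written for this page; it is not Avira Antispam’s logic and not code from the original post. Both sample messages are constructed, every address is a placeholder in the reserved .invalid domain, and the indicator names and the keyword list are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Regex for bare addresses inside the body text (simplified; enough for this check).
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Keywords the post lists as typical fee-fraud markers.
KEYWORDS = ("million dollars", "att: my name is")

# Constructed sample mirroring the header pattern discussed in the post.
# All addresses are placeholders in reserved .invalid domains.
SAMPLE_SCAM = b"""From: "Otoya" <mr.contractor@example-mail.invalid>
Sender: bulk@mailer.example.invalid
Reply-To: contact@webmail-hk.example.invalid
Subject: URGENT BUSINESS PROPOSAL FROM MR. OTOYA
X-Sender: bulk@mailer.example.invalid
Content-Type: text/plain; charset="us-ascii"

Att: My name is Otoya. I made this money through a contract.
The sum of 25 million dollars is waiting.
Reply to me at contact@webmail-hk.example.invalid
"""

# Constructed ordinary message for comparison.
SAMPLE_LEGIT = b"""From: Alice <alice@corp.example.invalid>
To: Bob <bob@corp.example.invalid>
Subject: Re: meeting notes
Content-Type: text/plain; charset="us-ascii"

Hi Bob, the notes are on the wiki. See you Thursday.
"""


def _addr(header_value):
    """Bare lower-cased address from a header value such as 'Name <a@b>'."""
    return parseaddr(str(header_value or ""))[1].lower()


def _domain(addr):
    return addr.rpartition("@")[2]


def header_indicators(raw):
    """Return the list of scam indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    from_addr = _addr(msg.get("From"))
    reply_to = _addr(msg.get("Reply-To"))
    sender = _addr(msg.get("Sender"))

    # 1. Mass mailers frequently omit the To: field entirely.
    if "To" not in msg:
        hits.append("missing-to")
    # 2. A Sender that is not the From address means someone else submitted the mail.
    if sender and sender != from_addr:
        hits.append("sender-differs-from-from")
    # 3. Reply-To at a different provider than From: the "escape route".
    if reply_to and _domain(reply_to) != _domain(from_addr):
        hits.append("reply-to-foreign-domain")
    # 4. Subject written entirely in capital letters.
    subject = str(msg.get("Subject", ""))
    letters = [c for c in subject if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        hits.append("subject-all-caps")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # 5. Contact address repeated in the body although it is already in From/Reply-To.
    body_addrs = {a.lower() for a in ADDR_RE.findall(text)}
    if body_addrs & ({from_addr, reply_to} - {""}):
        hits.append("contact-address-repeated-in-body")
    # 6. Known fee-fraud keywords.
    lowered = text.lower()
    hits.extend("keyword:" + kw for kw in KEYWORDS if kw in lowered)
    return hits


if __name__ == "__main__":
    print("scam :", header_indicators(SAMPLE_SCAM))
    print("legit:", header_indicators(SAMPLE_LEGIT))
```

None of these indicators is decisive on its own (a mailing list legitimately sets Sender, and a real person may use a different Reply-To), which is why a scoring filter combines them; the constructed scam sample trips all seven, the ordinary message none.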

Sorin Mustaca
Manager International Software Development

Malware threats in the first half of 2009

At the end of last year we predicted the upcoming threats for 2009; now we have checked whether our guesses were correct. Unfortunately, they were.

We predicted that the use of polymorphic file infectors would increase again. This came true: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. Their authors spread new variants of their polymorphic engines. Even older versions of those polymorphic viruses are still widespread, but W32/Virut receives the most updates: several dozen in the first six months of the year. The good news is that our detection routines withstand these bypass attempts.

Spreading malware via manipulated PDF documents is still one of the top threats on the Internet. In recent months the number of exploit PDFs targeting vulnerabilities in PDF readers increased significantly: in the first half of 2009 we received several thousand samples. Every week the malware authors spread around ten newly obfuscated exploits, each of which is then used in plenty of PDF files. We regularly release updates for new, modified PDF exploits when necessary. Users should update their PDF readers regularly anyhow, as this mitigates most of the threats.

Web-borne malware is further increasing as an attack vector for infecting computers. Malware is more and more installed via drive-by downloads, where the attackers break into web servers hosting legitimate content and add references to their malware servers. Those servers then install, for example, trojans and/or bots on vulnerable computers. There seem to be plenty of construction kits out there with which anyone can produce malicious JavaScript simply by clicking with the mouse: features like encryption, heap spraying and shellcode appear to be modular and recur in parts of the malicious web pages we analyzed.

Using an up-to-date antivirus product helps to protect against these threats. The WebGuard of our premium products additionally counters web-borne malware distribution very efficiently.

Dirk Knop
Technical Editor

World of Warcraft Phishing

A new wave of phishing messages targeted at World of Warcraft players has appeared in the last few days. The messages follow the same pattern: the “From” field is spoofed (trying to make the user believe that the message comes from Blizzard) and the body of the message talks about the user account being under investigation and suspended. The messages also say that all this happened because the user allegedly violated the Terms of Service or the Blizzard EULA.

Fig. 1: This is how the phishing mails for World of Warcraft accounts look


The user is asked to fill out an online form to verify that she is the legitimate owner of the account. Of course, the online form is on a fake, rogue website (http://battlenet.account-verification.***.rehash.net/) that has no connection with Blizzard whatsoever. This makes it fairly easy to spot that the message is a scam.

The message is well conceived; it starts with “Greetings”, as many legitimate messages from Blizzard do. Unlike many other phishing messages, its content is also grammatically correct and without spelling mistakes. Maybe the phishers finally managed to find someone who can write correctly?

Vlad Dinulescu
Software Engineer (International)

Microsoft warns of critical DirectX flaw

Microsoft issued a warning about a security vulnerability in DirectX which is reportedly being actively exploited. The affected component, quartz.dll, was removed in Windows Vista and Windows Server 2008 (and also in Windows 7), so Windows 2000, XP and Server 2003 are vulnerable. On those operating systems, a user just needs to open a manipulated QuickTime file to infect her computer, independent of the browser or software used.

From Microsoft’s Security Response Center: “The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.”

The company offers a workaround in a knowledge base article. Users can apply it by clicking the “Fix it” link in that article with Internet Explorer, although at the moment the fix is obviously undergoing maintenance. Microsoft writes that it wants to ship a patch as soon as it is production stable. It is unclear whether this means they want to ship an update out-of-band or whether it will be ready for the June Black Tuesday.

Dirk Knop
Technical Editor

Malware and Phishing statistics for Germany

According to http://www.internetworldstats.com/eu/de.htm, 61.1% of Germany’s population had Internet access in 2007. Of these users, 56% are online every day or almost every day. With such widespread Internet usage, it is no surprise that there is quite a lot of activity in Germany’s Internet scene.

Our statistics show that 14.43% of the phishing URLs and 15.04% of the malware URLs (for which we have geo-IP information) are hosted on servers located in Germany. The number of malicious URLs which are advertised in Germany (not necessarily hosted there) can’t be computed, since no one is able to count all the emails containing the URLs.

Fig. 1: The countries where phishing URLs are hosted


What do we do to stop them?
The most common way of spreading these URLs is email. Avira is actively fighting these threats in two different ways:

Avira’s security products

  • detect phishing emails and mark them as such.
  • block access to the URLs which point to phishing and malware websites.

Fig. 2: The registrars which receive notifications to remove dangerous files


Our Labs collaborate with institutions and organizations which send warning information to the registrars and ISPs hosting the dangerous files.

We actively monitor the most phished institutions and issue alerts to the readers of this blog (Figure 3). Of course, not all the names on the list are relevant for German users, but as Avira reaches users all over the world, this information will be very useful.

Fig. 3: Most phished institutions


Sorin Mustaca
Manager International Software Development