According to the Windows Live Blog, Microsoft has closed down the leaked accounts; also the list with the passwords is no longer available. Affected users should fill out a form to reclaim their account. The company also recommends some security measurements in their Blog entry to avoid successful phishing.

Another recommendation is to change the password in any case – Microsoft advises to change it every three months. How bad passwords look like and how to choose a good one can be read in this recent Blog article.

Update (October 7th): Meanwhile, also hacked Google Mail accounts as well as accounts from Yahoo Mail, AOL and other providers were found on the net. Some of them are old, unused or even fake. This seems to confirm that the account data was gathered with phishing. The number of accounts found on the net raised to more than 30.000.

Dirk Knop
Technical Editor

From: USA Visa Program
Sent: Wednesday, August 26, 2009 4:22:28 PM
Subject: Congratulations From U.S Embassy!!
Dear,

Read the attached copy of the Visa winning notification,

Reply this winning notification massages to the claim agent assigned to handle your visa documentation. He will guide you through your visa and flight ticket documents processing.

Thanks,

Mrs. Christine Thompson
(Secretary General)
Asia-Pacific HQ.

start: 0000-00-00 end: 0000-00-00

Fig. 1: The attached image of the scam email.

And now, as usual, comes the funny part, as in any scam attempt we’ve seen.

• Despite the fact that it is mentioned in the picture the “Asia-Pacific agent” for the VISA processing, the contact email addresses are in … Europe. They belong to a free web mail system in the Czech Republic. Come on guys, be more creative…
• The text is very hard to read because it is full of grammatical mistakes and sentences which don’t make too much sense.

This scam pretends about 1000 USD for a single visa and 1500 USD for a family visa. Considering the fact that you get also a flight ticket and the accommodation is also arranged in USA, this can be considered “too good to be true”.
As all things which fit into the category “too good to be true”, this is a scam. We advise everybody not to fall for such things because you will be very disappointed.

Sorin Mustaca
Manager International Software Development

The levels are computed by comparing the amount of threats (malware and phishing separately) received in the last 24 h (called 24h threat value) to the average value from the last 30 days (called average threat value). These levels are computed every 15 minutes.

This is how the graphs with the values per day for the last 30 days looks like:

Fig. 1: Statistics per day, last 30 days

The graph with the values per hour for the last 24h:

Fig. 2: Statistics per hour, last 24h

Level 1 – Normal (Green)

Risk: Low – there is much less activity than the average we have seen in the last 30 days. This condition corresponds to no discernible malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings.

Level 2 – Average (Yellow-Green)

Risk: Low to Moderate - there is relatively less activity than the average we have seen in the last 30 days. This condition corresponds to some malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings. This risk level is usually “the calm before the storm”, so we advise our customers to keep an eye on our website for information and updates.

Level 3 – Suspicious (Yellow)

Risk: Moderate – there is the same activity as the average we have seen in the last 30 days. This condition corresponds to clear signs of malicious activity for the type of threat for which the risk level is issued. The Avira products should function with heuristics and generic settings enabled because it might be possible that there is a new variant of a known malware. This risk level means that some unknown malware might be starting to spread, so we advise our customers to keep an eye on our website for information and updates. Please keep the logfiles of the security products under careful observation.

Level 4 – Alert (Orange)

Risk: High – there is the more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update both the signatures and the engine. This risk level means that known malware are spreading, and we strongly advise to keep the logfiles of the security products under careful observation.

Level 5 – Outbreak (Red)

Risk: Very High – there is much more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update the signatures, the engine and the products. This risk level means that known malware are currently active, creating a severe risk to the infrastructure and normal operations. We strongly advise to keep the logfiles of the security products under careful observation.

Sorin Mustaca
Manager International Software Development

Fig. 1: This is how the phishing mails for World of Warcraft accounts look like

The user is requested to fill out an online form, to verify that she is the legitimate owner of the account. Of course, the online form is on a fake, rogue website that has no connection with Blizzard whatsoever. (http://battlenet.account-verification.***.rehash.net/). This makes it fairly easy to spot that the message is a scam.

The message is well conceived; it starts with “Greetings”, as many legitimate messages from Blizzard do. Unlike many other phishing messages, its content is also grammatically correct and without spelling mistakes. Maybe the phishers finally managed to find someone who can write correctly?

Vlad Dinulescu
Software Engineer (International)

Our statistics show that 14.43% from the Phishing and 15.04% from the Malware URLs (for which we have geo IP information) are hosted on servers located in Germany. The numbers of malicious URLs which are advertised in Germany (not necessarily hosted) can’t be computed, since no one is able to count all the emails which contain the URLs.

Fig. 1: The countries where phishing URLs are hosted

What do we do to stop them?
The most common way of spreading the URLs is the email. Avira is actively in fighting these threats in two different ways:

Avira’s security products

• detect the phishing emails and mark them as such.
• block the access to the URLs which point to phishing and malware websites.

Fig. 2: The registrars which receive notifications to remove dangerous files

Our Labs collaborate with institutions and organizations which send warning information to the registrars and ISPs hosting the dangerous files.

We actively monitor the most phished institutions and issue alerts to the readers of this blog (Figure 3). Of course, not all the names on the list are relevant for the German Users, but once Avira has reached the users all over the world, these information will be very useful.

Fig. 3: Most phished institutions

Sorin Mustaca
Manager International Software Development

When we tried to report the abuse, this turned out to be close to impossible. See for yourself:

When trying to report an abuse, you have to fill out an online form.

Microsoft needs to know which site we want to report. Oh, and a CAPTCHA to solve to divide us from Spam-Bots.

Of course they need to know what is offensive - images, the messages...

...and we're still not done yet. Now we need to classify which kind of abuse we detected.

Finally! We can send the report. We also get a ticket-number from the support.

That is quite a torture for reporting spammers and phishers. For sure not too many people are willing to go through such a long form. On the other hand, we wanted to report a spammer’s site two weeks ago and did it this way. Until now we didn’t receive an answer.

This example shows that companies tend to make abuse-reports really complicated. It could be as easy as adding a permanent link on each live-com site which is labeled “Report Abuse” – just like the usual “Contact”-links.

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

This misuse of the feature made Facebook an extra step in the redirect.

Fig. 1: Redirecting to avira.com: http://www.facebook.com/l.php?u=http://www.avira.com

We would like to urge the Facebook users to never click on links in the emails which seem to go to facebook.com.  Always write the address by yourself in the browser or use a bookmark created by yourself.

Sorin Mustaca
Manager International Software Development

If you know any brand owners, takedown providers, or ISPs that might be interested in using this document, please feel free to forward this document to them or notify them of its existence.

Here is the document:
http://www.apwg.com/reports/APWG_WTD_HackedWebsite.pdf

Many thanks to APWG (www.apwg.org) for their continuous fight against this Internet plague.

Sorin Mustaca
Manager International Development

Many credit card owners, who make online purchases, are not familiar with cyber frauds and they cannot avoid becoming targets of these attacks. That’s why, the phishers are taking advantage of the banks’ lack of security measures, customers’ lack of malware knowledge and last but not least, the naivety of people, in order to conceive these phishing scams.

Fig. 1: The email (Romanian)

A new massive spam attack was spotted on the Internet starting with 5th of February with the following subject: „SSL-Secure, Siguranta utilizatorului Internet banking“ („SSL-Secure, The internet banking user’s security”).

This spoof email, sent under the pretext of a false security alert, contains a hidden link, which redirects the users to this fake website.

Fig. 2: The fake website

Usually, the fraudulent website is an identical copy of the original one, but this time the link used by scammers doesn’t even exist on the orginal Raiffeisen website.

Fig. 3: The original website is not available

After submitting some information in the above website (Figure 2), there is an attempt to a redirect to the original website. But, something went wrong this time and the browser goes into an infinite loop:

Fig. 4: Wrong redirect

Avira warned the owners of the websites used for hosting the phishing pages to delete those pages and reminds the users to be extremely careful with suspicious emails and to remember that the banks will never request the PIN card or any other bank details.
The users of Avira AntiVir Premium and Avira Premium Security Suite are automatically protected against these threats. Both are blocking the links and the AntiSpam module detects the email as phishing.

Laura Dobre
Marketing Officer

Sorin Mustaca
Manager International Software Development

Fig.1: Phishing mail

There are at least 10 different target websites with the same graphical interface. This shows us that some kind of generator has been used to spread the code of the website.

Fig.2: Volksbank Phishing website

Fig.3: Sparkasse Phishing website

Avira customers which use the Mailguard (with Antispam-Antiphishing) and Webguard modules are protected against this kind of websites. Mailguard will mark the email as “Phishing” and Webguard will block the link because it recognizes it as a phishing URL.

Sorin Mustaca
Manager International Software Development