click to enlarge

The message goes: PLEASE READ CAREFULLY

This message is for every Girl Who Goes to college or office alone. If u find any child carrying on road showing his/her address n asking u to take him/her to that address,take that child to police station n plz don’t take it to that address . IT IS A NEW WAY GANGS TO STEAL, RAPE, and KIDNAP GIRLS . plz circulate to all .don’t feel shy to copy This as ur status .

OUR ONE MESSAGE MAY SAVE A GIRL

This Facebook wall post has been live in public since Q4 of last year, so before it picks up steam and encourage more sharing within the platform, please do realize, dear Reader, that this is a hoax—all fake, from the image to the story behind this message.

Variations of this hoax have been circulating the Internet for years. Would you believe that the lure tactic—about children being used to lead women to their prey—might have stemed from an urban legend set in World War II decades ago?

Helping people on Facebook by sharing things that you deem important is a good cause; however, spreading hoaxes such as this one can only lead people to needless worrying and panic. That said, I implore you not to share this further, within Facebook and outside it. Before you click “Share”, research.

Also, please do not be alarmed (much less believe) if you see something like this on the Internet:

click to enlarge

Jovi Umawing (Hat tip: Facecrooks.com)

“The resurrection highlights the difficulty of permanently severing botnets from the Internet.” writes Dan Goodin of Ars Technica. “Because Kelihos used peer-to-peer technology, it was disrupted—or “sinkholed,” in takedown parlance—by seeding the network with machines that caused their peers to take orders from benign channels under the control of white hats. The takedown process never actually removed the underlying malware from infected machines, making it possible for the attackers to one day regain control of them.”

You can read more about it here. Take note of the Update section at the end of the article.

Related article:

• The Microsoft-Kelihos Tango Continues

Jovi Umawing

Click to Enlarge

It’s a typical “Get free Steam games by giving us your login” site, distracting users by asking them to select the games they think they’re going to receive for free. It also goes one step further by claiming that 490, 682, 111 people “Already get gift”. If visitors to the website have Steam Guard enabled, they advise those users to “just turn off Steam Guard” which is up there with the author of some Malware advising somebody to turn off their security tools before running fakefile.exe.

Never turn off Steam Guard. If someone manages to grab your Steam login credentials, they’ll still need to access your email to input the one time use code into the Steam application to steal your account. Steam Guard is such a big deal where protecting accounts is concerned that in a recent Christmas competition one of the reward objectives was enabling Steam Guard protection.

Anyway, this is supposed to be the funny part. You know how sometimes a scam website will try to convince you that what they’re offering up is the real deal? Well, this is what passes for the truth, the whole truth and nothing but the truth in fake free games land:

Amazing. I smell a meme in the making…

Christopher Boyd

Click to Enlarge

The Tumblr user is promised “2 free Southwest tickets” via a fake “Tumblr Staff Blog”, and everyone affected has this written underneath the image file:

“Just printed out my tickets to California!! WoooHoo!!! heres the link!!!”

The link in question will take you to various offers depending on which region the end-user is located in, but this would be the ideal match:

Click to Enlarge

 As before, the end-user is required to fill in “two reward offers from each of the silver and gold page options and nine reward offers from the platinum reward page and refer three friends to do the same”.

Good luck with that.

Tumblr users should avoid any and all instances where an “Adult Verification” popup asks for login credentials, and removing popups from their own compromised Tumblrs can be done by following these simple steps.

Christopher Boyd

When a user visits the said dot-org site, they see this:

click to enlarge

Notice that it notifies users/visitors that their “…browser is out of date. We recommend to update it. The new browser version will protect your computer from different internet-dangers and make it safer”. With this notice comes the Firefox logo and the all-too-familiar “webpage supposedly scanning your system” splash, which we commonly see on rogue AV pages.

It then prompts users to install the malicious file, update.exe, which we detect as Trojan.Win32.Generic!BT. Running this executable allows the download and installation of a program called Driver, which creates a folder named Driver before dropping two files in it: uninstall.exe and app.exe. The latter file is also malicious; we detect it as Trojan-Spy.MSIL.Popclik.A.

click to enlarge images

When app.exe runs, an Internet browser window/tab opens in order to direct users to various survey page:

click to enlarge

click to enlarge

Based on multiple tests, minutes after the said pages load, this executable connects to various websites to download and install random programs, some of which may be legitimate.

app.exe executes whenever the infected system starts Windows, enabling it to download and install new programs that are potentially harmful to the already infected system.

Other that vkernel(dot)org, here are more sites that appear to house fake browser updates:

• aveonix(dot)org
• smolvell(dot)org
• stocknick(dot)org

Stay safe!

Jovi Umawing (Thanks, Matthew)

Here’s an example of a site compromised in the last hour or so:

Click to Enlarge

“We are happy to announce that Tumblr and Starbucks have joined together in a promotion to give away FREE $50 Starbucks gift cards to each of our users.

CLICK ON THE LINK BELOW TO GET YOUR OWN

Be sure to reblog this post so that others will have the same opportunity to get their own card. Nothing better than starting 2012 off with a blast of frappucino. We hope you enjoy!”

…oh dear.

Clicking the link takes the user to a site offering up gift cards in return for email addresses and the promise that they’ll complete “two reward offers from each of the silver and gold page options and nine reward offers from the platinum reward page and refer three friends to do the same”.

Click to Enlarge

Click to Enlarge

I think I could probably busk $50 worth of Starbucks in half the time, but whatever.

At this point, there’s no clear indication as to how these Tumblr accounts are being hijacked, but throughout the 1,000 or so Google results for one of the t.co URLs used, we can see this:

Click to Enlarge

Look familiar? It should, because someone took the full screen “Adult Verification” splashpage from the last successful bout of Tumblr phishing in June and turned it into a nifty scrolling overlay which nags you regardless of how far you scroll down the page.

Tumblr users should steer clear of free Starbuck gift card claims – there’s absolutely no mention of it on the Official Tumblr Staff Blog which should be the first clue that something isn’t quite right here.

If you wake up to find your Tumblr has a collection of posts about Starbucks stretching back at least nine hours that you didn’t make, be sure to change your login details and check your custom page code in case the attackers have overlaid what I like to call “garbage” over your spangly hipster background.

Christopher Boyd

Given that lots of people probably want to take a peek at the FBI Anti-Warning currently pasted across the front of Megaupload.com (or maybe even just see if the site is back online), it’s a fair bet that Ye Olde Typo Fairy will be called into action and some of them will end up going to Megaupload(dot)cm.

You can see what they did there.

On the basis that Wikipedia hasn’t gone dark for a day or covered itself in pictures of Jimmy Wales, we can see that the .cm TLD is intended for domains connected with Cameroon. Typosquatting seems to be a bit of a thing:

 In a report published in December 2009 by McAfee, “Mapping the Mal Web – The world’s riskiest domain”, .cm was reportedly the riskiest domain in the world, with 36.7% of the sites posing a security risk to PCs. [5] It is widely assumed that malicious domain programmers rely on inadvertent misspellings of well-trafficked websites ending in “.com” to lure unsuspecting users to their domains.

Registered back in 2009, Megaupload(dot)cm takes you a site located at surveytakelive(dot)com, which tells us via the method of popup box that there are prizes up for grabs and you’ll have to fill in some personal information.

Click to Enlarge

Next up, you have to pick one of the three options presented. I went with the Love Thermometer, mainly because it’s called the Love Thermometer and also has a graphic of a baseball bat.

Click to Enlarge

Hitting the Love Thermometer button takes us to a promo located at enterfactory(dot)com, which turns out to be a mobile phone promotion costing various amounts of cash per day until the user unsubscribes.

Click to Enlarge

The adverts served are region specific – the above are what you’ll see if in the Philippines, whereas visiting from the US will result in iPad, Walmart and Visa giftcard offers instead.

Be mindful of what you’re typing into the URL bar, and let me know if you discover what the Love Thermometer actually does…

Christopher Boyd

The software giant filed a complaint on Monday, January 23, against Andrey N. Sabelnikov for “controlling the ‘Kelihos’ botnet using twenty-one (21) Internet domain names … including, in particular, the 3,723 ‘cz.cc’ Internet sub-domains…”. Also according to the said report, Sabelnikov “worked as a software engineer and project manager at a company that provided firewall, antivirus and security software.” You can read more here.

Kelihos—otherwise known as Waledac—is a botnet capable of sending out 3.8 billion spam emails each day. The botnet was also used for other malicious acts while leveraging the “fast flux” hosting method to hide locations of infected machines, including the command and control (C&C) center of the botnet.

Despite the botnet being inactive, Richard Boscovich, Senior Attorney at the Microsoft Digital Crimes Unit, asserts that “thousands of computers are still infected with its malware.” If you think that your system might be one of the millions infected, make sure that you have an antivirus software installed on your system to clean off the infection. If you already do, make sure that the software is updated to its latest security pattern and engine. Most importantly, be wary of certain emails in your inbox that might have escaped your spam catcher. Never open its attachment or click links on its message body.

Jovi Umawing

Here’s the site in question – halo4beta(dot)net:

Click to Enlarge

I mean, as fake Beta invite sites go it certainly looks nice. “Get your Halo 4 Beta key and installer now”, they say. They also wave a “Get your code” button at you, so it’d be rude not click it. Right?

Click to Enlarge

You have to “Like” the page, share it with your friends and even give it a +1 on Google Plus. Way to increase those verticals or whatever. What is your reward for jumping through rings of Social Networking fire?

I’ll tell you this much, it isn’t a Halo 4 Beta invite. But there isn’t anything phishy taking place either.

Click to Enlarge

Yes, it’s a survey because “This Beta key has been temporarily locked”. You know the drill: select one, fill it in, send your info to some random marketing guy and get your hands on absolutely nothing at all.

Don’t bother with sites claiming to offer up Halo 4 beta keys – when the time comes, it’ll be Microsoft you hear it from and not a random website asking for likes, linkbacks and survey submission. At least you won’t be troubled by the example above, because the poor thing succumbed  to an inevitable Boom, Headshot fatality:

Click to Enlarge

No Recon Armour for you.

Christopher Boyd

They follow the same pattern as before – claiming the recipient of the mail has had complaints from a customer, with a link provided to see what all the fuss is about.

Click to Enlarge

End-users should continue to be vigilant and steer clear of these scam mails. If in doubt, contact the BBB directly and establish if what you’ve been sent is the real thing.

Christopher Boyd (Thanks Robert)