Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 30 January 2013

ALERT: Wonga phish

Strange choice of companies to impersonate in a phishing scam if you ask me, but never the less, this just arrived in my inbox;

Customer Satisfaction Survey 2013
At Wonga.com, we sincerely value your opinions.
As part of our continuous improvement process, we're conducting a survey to benchmark the opinions of our customers.

We will use the resulting information to better serve the needs of
our customers.

We kindly ask you to take part in our quick and easy 3 questions customer survey. In return, we won't charge you ANY INTEREST on your next loan application!

Here is how you proceed:
• Download your personal survey attached to this email.
• Select the desired answers on your survey.
• Log in to your Wonga.com account to validate your survey.
We thank you in advance for your time and effort in making Wonga the best payday lender in the United Kingdom.

Sincerely,
Wonga.com Customer Service
Message ID:


This came with an attachment that housed the phish itself;



With the stolen details being sent to;

URL: hxxp://190.90.23.130/recordings/misc/wongalogin.php
ASN: 28032 190.90.23.0/24 INTERNEXA S.A.

Email headers:

Return-Path: <sharecash_org_donotreply@wonga.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 2.937
X-Spam-Level: **
X-Spam-Status: Yes, score=2.937 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_16=1.092, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, MIME_QP_LONG_LINE=0.001, TO_IN_SUBJ=3.01,
T_OBFU_HTML_ATTACH=0.01] autolearn=no
Received: from mail.dfsv51.com (mail.dfsv51.com [91.103.216.32])
by [REMOVED] (Postfix) with ESMTP id 45B043598600
for <[REMOVED]>; Thu, 31 Jan 2013 06:26:44 +0000 (GMT)
Received: from wonga.com ([200.5.118.70]) by dfsv51.com with MailEnable ESMTP; Thu, 31 Jan 2013 06:26:30 +0000
From: "Wonga.com" <sharecash_org_donotreply@wonga.com>
To: [REMOVED]
Subject: [SPAM] Customer Satisfaction Survey for [REMOVED]
Date: 31 Jan 2013 03:26:38 -0300
Message-ID: <20130131032638.3E188E97ABA81272@wonga.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_9040D09C.54545B51"



Owner of the IP housing the phish has been notified, as have the owners of the IPs the email originated from (Telefonica) and went through (Dataflame Internet Services Ltd)

Microsoft Toolkit: Download Toolkit to Disable Automatic Delivery of Internet Explorer 10

To help our customers become more secure and up-to-date, Microsoft will distribute Windows Internet Explorer 10 as an important update through Automatic Updates for Windows 7 SP1 and higher for x64 and x86 and Windows Server 2008 R2 SP1 and higher for x64.This Blocker Toolkit is made available to those who would like to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates is enabled. The Blocker Toolkit will not expire.

Note:
  1. For computers running Windows 7 or Windows Server 2008 R2, the Blocker Toolkit prevents the machine from receiving Internet Explorer 10 via Automatic Updates on the Windows Update and Microsoft Update sites.
  2. The Blocker Toolkit will not prevent users from manually installing Internet Explorer 10 from the Microsoft Download Center, or from external media.
  3. Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 10, within their environment.
  4. Even if you used the Blocker Toolkit to block Internet Explorer 8 or Internet Explorer 9 from being installed as a high-priority or important update, you will still need to use the Internet Explorer 10 version of the Blocker Toolkit to block Internet Explorer 10 from being installed. There are different registry keys used to block or unblock automatic delivery of Internet Explorer 8, Internet Explorer 9 and Internet Explorer 10.
See the "Additional Information" section on the page linked to below for detailed instructions on configuring and deploying the Blocker Toolkit. The same information is also provided in the Help file included in the download.


Download Toolkit to Disable Automatic Delivery of Internet Explorer 10 from Official Microsoft Download Center:
http://www.microsoft.com/en-us/download/details.aspx?id=36512

Misleading marketing: Adf.ly whack-a-mole

Yep, yet another round of misleading marketing, and yep, also via adf.ly (not entirely their fault), with the exception of one, that was via Google.

We'll do the Google one first. This was found advertised on cacaweb.com (owned by a friend, will be dropping him an email about it);



And where does it lead to? Well, let's take a walk through the redirection path shall we;

1. hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=C6rPZ4IkJUe6UNK-gigaGpoCwAeXHm_8C1dKHlErAjbcBEAEgk_HIGVCG55ChA2C7vq6D0AqgAdPbzdoDyAECqAMByAPdBKoE5wJP0LmXU8fILKUoOTJozx_hzUAr9GHOUgvXxKiJO-zJ3Azi3ruKrpx90ASyY9-6PUu35PnzxwpAV2m5QQbp8bd5FGbABH1MotOdgV4xwZ59kdpcOFAX6npIVwOcwD_aaZ7TPS7CdvfGturFwjw3pszG3Hj6iBR3-1a-mGXxwAA9RHgik8oLtzaCVF-g3__SjuJ54dnrmmhA08viu6YVfu-MRfQ-kCdh9f0ljK1tF3nQN7r7NJ0Pp6Q4jJK-TPM-cTHw5UTUb3dfGVKVQmAuHNFrkx1WhfoeYyFLhc-RcJ5UPUzmDK4nlN3mcWc9tcYIqLEI95BKoJwv53N583PJG3E3LR06rf-mGTw5wl2Jo61_-xRr37hR169GUgPvqGyCJRyg0nJqBooXRDe_v-AU7mEVKb2YZDnh5HFjVIrDFobiW-gyIsUY9qHNG5KXuWI_CvUiwgC3QnHhRas6w6eKyUhEXCEJA_EPgYgGAaAGAoAHlaSyJQ&num=1&cid=5Gg2MCDI-KLCkLnNK9bBebEM&sig=AOD64_0poU8mt2k5agY0RTidIoxUfEfRCw&client=ca-pub-9591453353849676&adurl=http://downloadangels.com/utilities%3Fcountry%3Duk%26placement%3Dtranslate.googleusercontent.com&nm=10&nx=333&ny=18&mb=2

2. hxxp://downloadangels.com/utilities?country=uk&placement=translate.googleusercontent.com&gclid=CMqV-q7-kLUCFXHLtAodin0AZg
3. hxxp://downloadangels.com/utilities/?country=uk&placement=translate.googleusercontent.com&gclid=CMqV-q7-kLUCFXHLtAodin0AZg
4. hxxp://www.utilitychest.com/install_js.jhtml?v=3&partner=ZOxdm037&sub_id=pd

The download you get will vary, but will typically be one of the following (and nope, you're not seeing things, some of those are actually Symantec products)

hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/genieo/v9/InstallMyHomepage.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/pricewise/v9/PriceWiseSetup(ms-coupon).exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/pricewise/v9/PriceWiseSetup(ms-weather).exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/priceblink/v4/PriceBlinkSetup_3_1_silent_min_101.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/priceblink/v4/PriceBlinkSetup_3_1_silent_min_102.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/ciuvo/v2/ciuvo-1.3.664-ms01-win.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/ciuvo/v2/ciuvo-1.3.664-ms02-win.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/W3i/v3/trs_5277199.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/bunndle/v3/BunndleOfferManager.exe
hxxp://ak.exe.imgfarm.com/images/nocache/mindspark/offers/symantec/v2/SymcPCCUInstaller.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/pricefinder/v3/PriceFinder.exe
hxxp://ak.exe.imgfarm.com/images/nocache/mindspark/offers/symantec/v5/SymcPCCUInstaller.exe
hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.exe

Needless to say, you don't want any of them, or indeed, anything from *.imgfarm.com.

And the Adf.ly one? well, this is what I like to call Adf.ly whack-a-mole, due to the fact, all you've got to do is change one letter/number, at the end of the Adf.ly URL, and you'll be served yet another misleading advert of one description or another. This time, it was;



And the redirection path?

1. hxxp://ad.xtendmedia.com/clk?3,eJytjc1uwjAQhJ-GW0CxE1NHVg8OJBUVtqBYbcPNzq8LTiLk1rRP34RUPEFHq53Rpx0tCIiCMlIBjGSpZIWgT0CQ4wJWUuHC8wkhIQjxEvkhijz9-T1PDvmOO.r-0OCYjmJu9VLTSTfPprzD407SSi1f9xNaPceK.o-Mc91f3Nz-1mtM57L--hAuvl-tN4j9nE.MZP5WHDV721sm0jPToMkMQ1uRh0fBNReJ408M8frefPS8xtp-FtAZTIe5gqgtresup0XemQFczHXEtmyLwXVrF33T.wLLHGGV,
2. hxxp://ad.yieldmanager.com/clk?3,eJytjc1uwjAQhJ-GW0CxE1NHVg8OJBUVtqBYbcPNzq8LTiLk1rRP34RUPEFHq53Rpx0tCIiCMlIBjGSpZIWgT0CQ4wJWUuHC8wkhIQjxEvkhijz9-T1PDvmOO.r-0OCYjmJu9VLTSTfPprzD407SSi1f9xNaPceK.o-Mc91f3Nz-1mtM57L--hAuvl-tN4j9nE.MZP5WHDV721sm0jPToMkMQ1uRh0fBNReJ408M8frefPS8xtp-FtAZTIe5gqgtresup0XemQFczHXEtmyLwXVrF33T.wLLHGGV,
3. hxxp://network.adsmarket.es/click/kGNslo2ce5yMYpiVjZupnY1qbZhfynyYiWRqxF-dfpaJkG-XYZt7?dp=RMX_A6000648_P5634806_V297725066_RSheffield_S3608359_C18869783_B297569&dp2=iuy-EScPNwAX7h8BAAAAAMwCRgAAAAAAAgAAAAYAAAAAAP8AAAAEFfb6VQAAAAAACJBbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmwwoAAAAAAAIAAgAAgD8AewpTjTwBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJxLjfIqKg1yzMqNCA1Lj0j0z.ZwqYqILPK0TEwuy6.wiDBJ19UFAPDEDJk=&dp3=Uhttp://x19network.com/rmx/xtend/int.php
4. hxxp://mflashplayer.com/l6/en/landing.php?utm_medium=cpa&utm_source=l6&ce_cid=201VrF3LBIYjruTV3SXlqR1u.F2U000.

which brings you to;



This serves up adware via;

hxxp://dh23ln0908oyi.cloudfront.net/n/508ea05d-c990-4641-92b3-34e95bc06f2f/FlvMPlayer.exe
-> hxxp://dl01.socdn.com/n/2.2.54/5112244/flvmplayer.exe

And you've guessed it - you don't want that either.

mflashplayer.com for those wondering, is owned by bechiroapps.com

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: BECHIROAPPS.COM
Created on: 20-Sep-12
Expires on: 20-Sep-14
Last Updated on: 20-Sep-12

Registrant:
Grupo Blidoo S.L.
Av. Maresme 44-46 2-6
Badalona, Barcelona 08918
Spain

Administrative Contact:
Castillo, German germancastillocom@gmail.com
Grupo Blidoo S.L.
Av. Maresme 44-46 2-6
Badalona, Barcelona 08918
Spain
608964389

Technical Contact:
Castillo, German germancastillocom@gmail.com
Grupo Blidoo S.L.
Av. Maresme 44-46 2-6
Badalona, Barcelona 08918
Spain
608964389

Domain servers in listed order:
NS-1443.AWSDNS-52.ORG
NS-1579.AWSDNS-05.CO.UK


I'm still working on identifying the rest of the domains and IPs they've got, but in the meantime, you'll want to block 91.192.110.162-255

Tuesday 22 January 2013

IAC Toolbars and Traffic Arbitrage in 2013

Beginning in 2005, I flagged serious problems with IAC/Ask.com toolbars -- including installations through security exploits and through bundles that nowhere sought user consent, installations targeting kids, rearranging users' browsers to invite unintended searches, and showing a veritable onslaught of ads. IAC's practices have changed in various respects, but the core remains as I previously described it: IAC's search advertising business exists not to solve a genuine user need or provide users with genuine assistance, but to prey on users who -- through inattention, inexperience, youth, or naivete -- stumble into IAC's properties.

Crucially, IAC remains substantially dependent on Google for monetization of IAC's search services. A rigorous application of Google's existing rules would put a stop to many of IAC's practices, and sensible updated rules -- following the stated objective of Google's existing policies -- would end much of the rest.

In this piece I examine current IAC toolbar installation practices (including targeting kids and soliciting installations when users are attempting to install security updates), the effects of IAC toolbars once installed (including excessive advertising and incomplete uninstall), and IAC's search arbitrage business. I conclude by flagging advertisements with impermissibly large clickable areas (for both toolbars and search arbitrage), and I call on Google to put an end to Ask's practices.


Read more
http://www.benedelman.org/news/012213-1.html

References

Misleading marketing: SparkTrust has a go
http://hphosts.blogspot.co.uk/2013/01/misleading-marketing-sparktrust-has-ago.html

Malwarebytes Unpacked: Misleading advertising
http://blog.malwarebytes.org/intelligence/2012/12/misleading-advertising/

Comodo replace malware with err - malware?
http://hphosts.blogspot.co.uk/2009/07/comodo-replace-malware-with-err-malware.html

Twitter spam: IAC WebFetti
http://hphosts.blogspot.co.uk/2009/12/twitter-spam-iac-webfetti.html

IAC: Still not stopping "rogue affiliates"
http://hphosts.blogspot.co.uk/2010/11/iac-still-not-stopping-rogue-affiliates.html

Mindspark/IAC: Misleading marketing (again)
http://hphosts.blogspot.co.uk/2010/05/mindsparkiac-misleading-marketing-again.html

Misleading marketing: Fake IM advert - Déjà Vu
http://hphosts.blogspot.co.uk/2010/05/misleading-marketing-fake-im-advert.html

IAC/MindSpark: Scamming with a twist
http://hphosts.blogspot.co.uk/2010/02/iacmindspark-scamming-with-twist.html

Symantec - we knew they weren't trustworthy, but this is a new low
http://hphosts.blogspot.co.uk/2009/03/symantec-we-knew-they-werent.html

Thursday 17 January 2013

Misleading marketing: SparkTrust has a go

Seems on the subject of misleading marketing, that SparkTrust is having a go at using misleading marketing methods.

First was the advert found on Google;


Let's start with this. Firstly, it's not a fix for the Windows Installer, and not "3 steps", and definitely not "highly recommended" (not by anyone other than SparkTrust anyway), as it claims, and finally - IT'S NOT EVEN CLOSE TO BEING FREE!!

Then on to the page it leads you to;


See anywhere here where it mentions the fact it's not free? Oh hang on, it says "free download", so it must be free - WRONG. It's just the download that is free, NOT the software itself.

And to add insult to injury, just with previously mentioned software of its ilk, this one;

1. Once installed and launched, the software started scanning automatically, leaving the user no choice as far as seeing what was to be scanned, or the option of changing settings to for example, reduce F/P's, or stop it scanning areas it has no business scanning
2. Scanned the entire system in 10 seconds flat
3. Decided it had found 268 "problems" on a clean install of Windows 7 SP1 in those 10 seconds
4. Decided one of them was "critical" (absolute rubbish), and 2 were "serious" (absolute rubbish)
5. When going to have such issues "fixed", ONLY THEN, do you find out it is a demo, and you need to pay for the software
6. Finally, at no time, was an option provided for the user to create a log of such items found, so they could have the so-called "problems" verified by anyone.


In short, this is blatant scareware, and highly misleading marketing, bundled with unethical practices in the software itself.

Sunday 13 January 2013

Java 0day: CVE 2013-0422

Patch is finally out folks. Personally, I'd recommend you rip Java out of your systems entirely (highly unlikely you'll ever need it), but in the meantime, get updating asap;

http://java.com/en/download/index.jsp

http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html