Threat Intelligence Blog

Posted November 23, 2009

This past October, Cyveillance reported that cyber criminals were abusing outward-facing Microsoft Exchange mail servers to craft personalized emails whose sender addresses spoofed the organization's own internal addresses. The bogus messages were then sent to the organization's personnel, asking each recipient to click a link in order to change their security settings. The link led to a fake Web site, and if the user then clicked the link to an executable file on that site, malware was downloaded to his or her computer. More info at: /general-cyberintel/a-dangerous-blend-of-phishing-methods

Unfortunately, this attack method is paying off for cyber criminals: similar attacks continue today. Over the weekend, both Cyveillance and its customers received multiple emails similar to the one below:

(screenshot of the phishing email)

As in the attack illustrated in our October posting, the email asks the user to click a link to a fraudulent Web page. That page instructs the user to download a file containing malware, which the Cyveillance Security Lab downloaded and analyzed. Once installed, the malware made several connection attempts to URLs at 193.104.27.42/livs/rec.php and 193.104.27.42/lcc/ip2.gif. The first URL received encrypted data posted by the infected host, which makes the traffic difficult for security researchers to analyze; the second URL served a Zeus binary used to capture banking credentials, under an image filename.

The lab also observed additional attempted TCP connections from the infected host to 66.199.251.242 on hundreds of different destination ports. It appears the infected host was scanning that address for other running services, at a low intensity so as to stay below IDS port-scan thresholds. In summary, the server at 193.104.27.42 appears to be the command and control server, which instructed the infected host to port scan 66.199.251.242 for known services and report back the collected data: a dangerous but effective combination of attack methods.

IT departments should continue to monitor for suspicious activity related to the attack described above (connections to the addresses listed, and internal hosts contacting a single external address on many distinct ports) and educate their users on the latest threats that plague the Internet. Users can minimize the risk of falling victim to email and Web-based attacks by not clicking links within emails and by accessing their online applications only through known Web sites and pages.
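As an added example, not code from the original post or from Cyveillance, here is the kind of log check the monitoring advice above calls for: it flags HTTP requests to the two C2 URLs named in the post, finds internal hosts that touched many distinct ports on one external address spread over hours (the low-and-slow scan a per-second IDS threshold misses), and checks whether a file fetched under an image extension is really a PE or ELF executable, as the Zeus binary served from /lcc/ip2.gif was. The IP addresses and paths are the post's indicators; the log line format, the internal hosts 10.0.0.5 and 10.0.0.7, the benign address 93.184.216.34, and the thresholds are assumptions made for this example, and the log lines are constructed.

```python
# Added example (not code from the original post): detections for the
# behaviour the post describes, run over constructed log lines. The IP
# addresses and URL paths are the post's indicators; the log format, host
# addresses and thresholds are assumptions made for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the post.
C2_HOST = "193.104.27.42"
C2_PATHS = {"/livs/rec.php", "/lcc/ip2.gif"}
SCAN_TARGET = "66.199.251.242"

# Assumed log format (constructed for this example):
#   <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto> [<method> <url>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)"
    r"(?: (?P<method>[A-Z]+) (?P<url>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def c2_hits(records):
    """Return (src, url) for HTTP requests to the C2 host and paths."""
    hits = []
    for r in records:
        if not r["url"]:
            continue
        host, _, path = re.sub(r"^https?://", "", r["url"]).partition("/")
        if host == C2_HOST and "/" + path in C2_PATHS:
            hits.append((r["src"], r["url"]))
    return hits


def slow_scans(records, min_ports=100, min_span=timedelta(hours=1)):
    """Find (src, dst) pairs that touched many distinct ports spread over a
    long span. A rate-based IDS rule (N ports in a few seconds) never fires
    on this pattern; counting distinct ports per pair over the whole log does."""
    ports = defaultdict(set)
    first, last = {}, {}
    for r in records:
        key = (r["src"], r["dst"])
        ports[key].add(r["dport"])
        first[key] = min(first.get(key, r["ts"]), r["ts"])
        last[key] = max(last.get(key, r["ts"]), r["ts"])
    out = []
    for key, ps in ports.items():
        span = last[key] - first[key]
        if len(ps) >= min_ports and span >= min_span:
            out.append({"src": key[0], "dst": key[1], "ports": len(ps),
                        "per_minute": len(ps) / max(span.total_seconds() / 60, 1)})
    return out


def disguised_executable(url, body):
    """True when a URL with an image extension serves a PE (MZ) or ELF file,
    as with the Zeus binary fetched from .../lcc/ip2.gif."""
    image_ext = url.lower().rsplit(".", 1)[-1] in {"gif", "jpg", "jpeg", "png"}
    return image_ext and (body.startswith(b"MZ") or body.startswith(b"\x7fELF"))


def build_sample_log():
    """Constructed sample: one infected host (10.0.0.5), one clean host (10.0.0.7)."""
    t0 = datetime(2009, 11, 21, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} 10.0.0.5 {C2_HOST} 80 tcp POST http://{C2_HOST}/livs/rec.php",
        f"{(t0 + timedelta(minutes=1)).isoformat()} 10.0.0.5 {C2_HOST} 80 tcp GET http://{C2_HOST}/lcc/ip2.gif",
        f"{(t0 + timedelta(minutes=2)).isoformat()} 10.0.0.7 93.184.216.34 80 tcp GET http://example.com/index.html",
    ]
    # Low and slow: 150 ports, one every three minutes, about 7.5 hours total.
    for i in range(150):
        ts = t0 + timedelta(minutes=5 + 3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 {SCAN_TARGET} {1 + i} tcp")
    # Clean host: a handful of ordinary ports, not a scan.
    for i, port in enumerate((80, 443, 25, 993)):
        ts = t0 + timedelta(minutes=10 + i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 93.184.216.34 {port} tcp")
    return lines


def run(lines):
    """Apply both detections to a list of log lines."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {"c2": c2_hits(records), "scans": slow_scans(records)}


if __name__ == "__main__":
    result = run(build_sample_log())
    for src, url in result["c2"]:
        print(f"C2 contact: {src} -> {url}")
    for s in result["scans"]:
        print(f"Slow scan: {s['src']} -> {s['dst']}, {s['ports']} ports, "
              f"{s['per_minute']:.2f} ports/min")
```

On the sample log the scanning host is flagged at roughly a third of a port per minute, far below any per-second burst threshold, which is why the distinct-port count per (source, destination) pair over a long window is the measure to alert on rather than the rate.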
