Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Viruses’ Category

Android SMS Spambot Update


Tuesday, December 18, 2012 by Andrew Conway

Yesterday we told you about an Android trojan used to send SMS spam. Currently, the versions of this malware being distributed by the spammer are:

  • angrybirds.apk MD5 = a0e7a47c6b3582f9c9a4c5166eb0eace
  • gtavicecity.apk MD5 = a8de900d9ff269455f4344b8e8409699
  • needforspeed.apk MD5 = c18bc53d74e8a6926453a8c86355501a

The Command and Control server has moved to pinktrash.mobi, though imperialistic.mobi is still functional for the handsets infected with the older versions of the trojan.

Lookout Mobile Security have published an interesting blog post on this attack, which they call SpamSoldier. They discuss the techniques used to escape detection. Firstly the app attempts to remove its icon, so that you will not be aware that it is even there. It also attempts to block incoming messages unless they are from someone on your contacts list. This prevents the people your phone is spamming from complaining to you about the spam they received.

So, if you do get SMS spam, don’t bother replying STOP to the sender; just forward that message to 7726 (that’s S-P-A-M on your keypad). Replying STOP will only work for commercial messages from legitimate companies.

We’re continuing to monitor this attack, so watch the blog, or add it to your RSS feed, if you want to keep up to date.


Video about the UPS “package not delivered” scam


Friday, December 02, 2011 by Angela Knox

Mashable did a video spot about the blog post we did earlier this week: Cyber Monday UPS package not delivered email fraud

http://mashable.com/2011/11/28/ups-package-not-delivered-scam/

When is an email from PayPal, not really from PayPal?


Monday, August 08, 2011 by Angela Knox

Take a look at this message and see if you can tell whether it came from PayPal or not.

Fig 1. Fake Email from PayPal.

This email is NOT from PayPal.  It’s from a spammer, who wants you to go to your browser and open the “AccountValidation.html” page that he or she has attached.

Why should you immediately be suspicious of this email?

  • Be suspicious if the “From” address is not paypal.com.
  • Also, be suspicious if they don’t use your real name.  If they say “Dear Valued Member” instead of addressing it to your first and last name, it is very likely to be fraud.
    • Unfortunately, the opposite is not true.  Spammers have ways of getting both your real name and your email address.  For instance, they sometimes break into an unrelated system that has weaker security than PayPal and also stores your name and email address.  So just because they use your real name does not mean you should automatically trust them.
  • Always be suspicious of downloading attachments.  PayPal, your bank and your other accounts are never going to send you an attachment to download and run.

What should you do when you get an email like this?

If you get an email about your PayPal account and you think there might be a real issue with your account, then:

  • Do not download any attachments.  The attachments may contain a virus or a redirect to a fraudulent site. Or they may contain a fake account verification page, as this email does.
  • Avoid clicking on any links in the email, as the links may take you to a fraudulent site.
  • Instead, go to your browser and type in the URL yourself: www.paypal.com
    • If you do have a legitimate issue, PayPal will inform you when you log in.
  • Never reply to an email with your username, password or credit card number.  Legitimate sites will never ask you for your password or credit card number via email.

More details about how to avoid PayPal scams can be found on the PayPal site.  Click on “Security and Protection” and hit the “Explore Topics” button. https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=security/phishing

What will happen if you open AccountValidation.html in your browser?

You should avoid opening attachments that you suspect are from spammers, as they may contain viruses which can infect your computer.

In this particular case, the AccountValidation.html page is a phishing page.  Phishing is when a spammer pretends to be a legitimate institution such as PayPal, in order to trick you into giving away your personal information.

If you were to open this attachment in your browser, you would see the page below.

Fig 2. Fake Account Validation Page

The page is asking for all your personal information including your credit card number.  Remember, this “AccountValidation.html” page is not from PayPal.  The spammer wants it to look like it is from PayPal, so that you’ll be tricked into giving away your personal information.  It even pulls many of the images on the page from PayPal servers.

However, it was sent by a spammer.  If you were to fill in the information and press the “Save Profile” button, the page would send all the data that you entered to the IP address of a computer in Ukraine.
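As an added example (not from the original post), here is a short Python script that applies the three indicators listed above, plus the form-destination check from the previous paragraph, to a constructed message that mimics the one described. The sender address, file name and the 192.0.2.10 form target are made up for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the message described in the post; not a real capture.
SAMPLE = """\
From: "PayPal Service" <service@mail-example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Valued Member, please open the attached page to validate your account.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="AccountValidation.html"

<form action="http://192.0.2.10/save.php" method="post"><input name="card"></form>
--b1--
"""

class FormActions(HTMLParser):  # collects the action of every <form> in the HTML attachment
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")
def is_brand_host(host, brand):
    host = (host or "").lower()
    return host == brand or host.endswith("." + brand)

def phishing_findings(raw, brand="paypal.com"):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    if not is_brand_host(sender.domain, brand):  # indicator 1: "From" domain
        findings.append(f"From domain is {sender.domain}, not {brand}")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body and "dear valued member" in body.get_content().lower():  # indicator 2
        findings.append("generic greeting instead of the recipient's name")
    for part in msg.iter_attachments():  # indicator 3: any attachment at all
        findings.append(f"attachment {part.get_filename()}")
        if part.get_content_type() == "text/html":  # where does its form submit?
            parser = FormActions()
            parser.feed(part.get_content())
            for action in parser.actions:
                host = urlparse(action).hostname
                if not is_brand_host(host, brand):
                    findings.append(f"attached form posts to {host or 'a relative URL'}")
    return findings
```

Running `phishing_findings(SAMPLE)` returns four findings for the constructed message; a plain-text mail from an address at paypal.com that greets you by name and carries no attachment returns none.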

What do legitimate emails from PayPal look like?

Below is another example of a PayPal email.  This one is legitimate (with the name and email address changed to protect the real recipient).  Sometimes it’s challenging to tell that a legitimate email is actually legitimate.  But when you’re in doubt, you can always type the URL www.paypal.com into your browser and log in directly.  When you log in to www.paypal.com, PayPal will let you know if there is something you need to deal with.

Fig 3. A Real Email from PayPal


I spy something with my little eye


Friday, April 15, 2011 by James Hoddinott

They say things come in threes so, on the back of the Rustock and Coreflood takedowns in recent weeks, it has emerged that last week the UK’s Police Central e-Crime Unit has, as part of a larger international investigation, arrested 3 men in connection with using the SpyEye trojan.

This particular trojan is used primarily to steal banking details from compromised PCs.

Full details are light at this time due to reporting restrictions since the case is ongoing. It is possible that this group were quite low level or indeed were acting on their own since you can get customised versions of the SpyEye kit for the same price as a high-end PC. However, it is always welcome news to hear law enforcement getting successful outcomes to their investigations.

A recent article by Brian Krebs, SpyEye, ZeuS Users Target Tracker Sites, makes for interesting further reading on this topic and how the efforts of the ‘good guys’ do go some way to making a difference, even if it isn’t always obvious to the average Internet user.

Another Botnet Takedown: Coreflood Bites the Dust!


Wednesday, April 13, 2011 by David LaMacchia

Quickly following the Rustock Botnet takedown (see “Will Microsoft’s Takedown of Rustock Drive Spammers Outside the United States?”), the Department of Justice and the FBI, again in coordination with Microsoft, have taken the Coreflood Botnet offline.  Coreflood, a trojan able to conduct massive Denial of Service attacks, also steals sensitive information from an infected computer.  It has been around since at least 2002.  Stolen information included usernames and passwords for bank accounts, credit cards, email accounts, and more.

The press release from the Department of Justice says that today’s actions are the result of a collaboration between Microsoft, the US Marshals, and the FBI as part of an ongoing investigation.  Much like the Rustock Botnet takedown, a temporary restraining order (TRO) as part of a civil investigation seems to have been used by the US Marshals to seize Command and Control machines from a number of hosting facilities in the United States.

There is a big, very interesting, difference between this action and the Rustock takedown.  The government has been granted, by the TRO, the ability to signal infected botnet hosts and essentially deactivate Coreflood without permission from the owner of the infected host.  The owner has the ability to “opt out” of the TRO and say they don’t want the government to deactivate Coreflood.  Per the press release, the DOJ and the FBI will attempt to notify users whose computers are infected with Coreflood.  “At no time,” continues the press release, “will law enforcement authorities access any information that may be stored on an infected computer.”

If Coreflood is truly offline this marks another significant victory by Microsoft’s collaboration with the US Marshals and is more evidence of the value of strategic offensive action.
