Certainly, phishing is not going away, but over the last several weeks viral activity has increased sharply, and with the string of plug-and-play (PNP) malware campaigns in particular, malware delivered through social engineering has become the new king.
Just how active are the scammers? In the first three weeks of August, we are approaching a new record in virus rule creation; a record that was originally set two years ago in August 2008. With several days left in the month, the record is definitely not safe.
The plug-and-play malware campaigns continue to spoof popular brands, including Amazon, eBay, Newegg, Digg, Facebook, Amazon.com, WordPress and Xerox. Scammers are also making their messages more sophisticated while also being more targeted with their campaigns. As we have seen, cyber-criminals have taken great care in creating a look and feel that is consistent with emails that people receive from the host of brands they use on a regular basis. They are also starting to use emails and tactics that spoof lesser known organizations such as an NPR.org newsletter confirmation.
The major new point of interest in these campaigns is the suspected use of scraped emails (essentially emails stolen from the hard drives of people who have been infected). These are selected so that they trick the recipient into clicking a link or opening an attachment.
I have become fairly astute at identifying a phishing scam, malware threat and other spam simply by looking at it. I have a pretty good grasp of the kinds of language that can be expected from spammer-constructed messages, but these new waves of messages are nowhere near what are commonly found. The style is far too varied, detailed and idiomatic to have been generated by spammers.
This site is one that we identified in a press release as a possible source for zombies to acquire spam templates used in these malware campaigns. It is still one of a few sources that contains this kind of content online, and unfortunately, the compromised blog pages are still active.
The examples are a combination of service generated notification emails, as well as person-to-person emails that are being used as spam templates. All of them reference a link or attachment in some natural way.
This newer technique is not being used in lieu of traditional old-school techniques such as bogus news headlines. The malware is distributed in one of three ways: links leading to drive-by downloads (PNP), obfuscated JavaScript attached as an HTML file (essentially the PNP without the link), and direct executable attachments. All three forms have taken turns and overlapped to some extent across the new campaigns of the past few weeks. Most of the PNP sites I’ve looked into have still been redirecting to the FakeAV sites, but there may be others, as there are a few variants going around.
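The three delivery channels described above can be triaged at the mail gateway by tagging each message with the channels it exhibits. The following is an added example and not code from the original post; the sample message, the file-extension lists and the JavaScript obfuscation markers are all constructed assumptions:

```python
import os
import re
from email import message_from_string, policy

# Constructed sample message (not from the original post).
SAMPLE_EML = """\
From: "Newegg Orders" <orders@example.invalid>
To: victim@example.invalid
Subject: Your order confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Thanks for your order. The invoice is attached; open it to review.
--XYZ
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body><script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script></body></html>
--XYZ--
"""

# Assumed marker lists; a production filter would use a much richer set.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
HTML_EXT = {".htm", ".html"}
OBFUSCATION = re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
URL = re.compile(r"https?://", re.I)


def _text(part):
    # Decode a leaf MIME part to str regardless of its declared charset.
    return part.get_payload(decode=True).decode("latin-1", "replace")


def classify(raw):
    """Return the set of PNP delivery channels a raw RFC 2822 message shows."""
    msg = message_from_string(raw, policy=policy.default)
    tags = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if part.get_content_disposition() == "attachment":
            if ext in EXEC_EXT:
                tags.add("executable_attachment")
            elif ext in HTML_EXT and OBFUSCATION.search(_text(part)):
                tags.add("html_js_attachment")
        elif part.get_content_type() in ("text/plain", "text/html") and URL.search(_text(part)):
            tags.add("link")
    return tags
```

The function returns tags rather than a verdict so that a link-only message can be scored differently from one carrying an executable.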
I strongly believe that there is a deep connection among exploit kits, malware/crimeware-as-a-service, the PNP campaigns that we have been writing about and this recent explosion of malicious email. It is clear that the criminal underground doesn’t seem to have been impacted by the recession, and their ability to pump out malware is steadily increasing.
One last thing… an article speculated recently that this wave of malware could be attributed to the Rock Phish gang that was widely reported as having produced two-thirds of all phishing activity for the second half of 2009. This makes a lot of sense and was also something we considered early on because of the way they spoofed brands, among other similarities. It also makes sense that phishing would begin to trend down as malware trends up. As long as malware can be reliably implanted, gaining credentials through phishing becomes a second-class crime.
While I’m not predicting the end of phishing, scammers are probably asking themselves, “Why bother?”, especially since compromising hosts nets them everything they could have gotten from phishing and a whole lot more.
