Tag Archives: Urban Schrott

The Smiling Assassin (shaken not stirred)


I recently saw this article from Mark Stockley for Sophos entitled Ransom email scam from ‘hitman’ demands: pay up or die and assumed – as I suspect many people will – that it was some particularly horrible example of ransomware. In fact, while it is pretty horrible in its way, it turns out that there’s no real malware as such involved, just social engineering of the 419 persuasion, where the scammer claims to be an assassin ordered to kill the person who receives the email. Indeed, I’ve written about this particular 419 sub-species several times before.

While the version noted by Mark Stockley is rather more polished and more up to date technologically (it wants payment in Bitcoin!) than most of the 419 scam messages I’ve seen that use a similar approach, it’s not much different, fundamentally. Here’s an extract from a particularly crass example I came across some years ago.

I want you to read this message very carefully, and keep the secret with you till further notice, You have no need of knowing who i am, where am from, till i make out a space for us to see, i have being paid $50,000.00 in advance to terminate you with some reasons listed to me by my employers, its one i believe you call a friend, i have followed you closely for one week and three days now and have seen that you are innocent of the accusation

[…]

You will need to pay $15,000.00 to the account i will provide for you, before we will set our first meeting, after you have make the first advance payment to the account, i will give you the tape that contains his request for me to terminate you, which will be enough evidence for you to take him to court (if you wish to), then the balance will be paid later.

Sometime later, my friend and colleague Urban Schrott drew my attention to a spam campaign that had been causing some hilarity over at ESET Ireland. The message had the subject “YOUR LIFE IS IN DANGER,” and apparently came from someone calling himself Spike Dwaggin, though later he signs himself Dai Teatime. A commenter on one of my earlier blogs pointed out that Spike Dwaggin is a dragon from My Little Pony, that the name Dai features the 4th, 1st, and 9th letters of the alphabet (419 – geddit?), and told me that Dai Teatime is the assassin from Terry Pratchett’s ‘Hogfather’. (In fact, Pratchett’s assassin is Jonathan Teatime, but close enough.)

While it’s not unusual for purveyors of 419 scams to use noms de plume reminiscent of famous people (real or fictional), this one is notably rich in popular cultural references. The article cited above references a few more, if you’re interested. But here’s the message from Spike/Dai, with some comments from me.

As I sit here sipping a martini it is my regretful duty to inform you that you have been selected for assassination.

[Given the subsequent references to SMERSH, I can only assume that this would be a vodka martini (shaken not stirred).]

I am a professional assassin (I enclose my certificate of assassination as proof) and SMERSH have contracted me to assassinate you and have specifically paid extra for a particularly nasty death which makes it look like you died in a particularly bizarre sex game gone wrong; I had already bought the shire horse stallion (he’s called Henry – picture attached), the lard and the dragon dildo (from Bad Dragon of course, I only use the very best tools) when I found out that you are innocent of the accuse, so I make out this time to contact you. Unfortunately international crime syndicates won’t admit to mistakes and cancel the hit so I will be forced to carry out the assassination on you. Sorry about that old chap but rules are rules…

[Interestingly, the killer’s modus operandi seems to have been influenced by a story relating to the Russian empress Catherine the Great, who was said (quite untruthfully) to have died as a result of being somewhat over-intimate with a horse. And could this particular horse be the Henry who ‘of course dances the waltz’ in the Beatles song ‘Being for the benefit of Mr Kite’?]

There is an option for me to help you in other for you to know who had paid SMERSH for your DEATH and don’t forget my men had been monitoring you for the past few days and daily record of your activities is been sent to me but I have refuse to order your DEATH.

[If your acquaintanceship with James Bond is limited to the movies, you may be unaware that a fictionalized version of SMERSH (a real Soviet counter-intelligence agency that was wound up in 1946) plays a significant part in the very early novels. Oddly enough, a lot of commentary on 419-related forums relating to this particular example misses the fact that SMERSH and SPECTRE (a purely fictional criminal organization) are by no means the same thing, though there seems to be a certain amount of traffic from one to the other in terms of personnel. A bit like the AV industry…]

Get back to me if you value your LIFE with all due speed or else I regret I will have to carry out my original contract to assassinate you and although he is quite charming for a horse I don’t think Henry is the most sensitive of lovers.

Toodle Pip!

Dai Teatime
International Assassin

When I first saw the message on ESET Ireland’s site, I assumed it was some kind of spoof intended to amuse rather than threaten. However, after checking on one or two scam-baiter forums, it seemed that Mr Teatime was probably quite willing to take money from anyone who appeared to have fallen for his shtick. And however funny this particular message may seem to people who are security-savvy, there are others who will find messages from self-described assassins genuinely frightening. Sadly, I suspect that not all of them will come across articles like Mark Stockley’s (or even this one) to reassure them that it’s just another scam, mailed out more or less at random.

Still, sometimes all you can do with stuff like this is laugh at it.

David Harley


Japan Disaster: Commentary & Resources

[Further links added March 13th 2011 (and a couple more on the same day). Extra links and commentary appended March 14th. More commentary re the Bing chaintweet subsequently added. And yet more on related scams added March 15th. More miscellaneous resources and commentary on 16th and 17th March. Additional links on 23rd March]

This is an attempt to bring together a number of disparate blogs highlighting resources I’ve been collecting over the past couple of days, relating to the Japanese earthquakes and tsunami. Apologies if there’s nothing here that’s new to you, but I think it’s important to spread this information as far as possible. This will now be my primary resource for putting up any further information I come across. I don’t, of course, claim that it will cover a fraction of the coverage that’s out there.

  • Some blogs of mine:
  • http://blog.eset.com/2011/03/11/japanese-earthquake-inevitable-seo 
  • http://chainmailcheck.wordpress.com/2011/03/12/earthquaketsunami-scam-resources/
  • http://blog.eset.com/2011/03/12/disaster-scams-and-resources
  • http://blog.eset.com/2011/03/11/disasters-getting-involved
  • And one more that I’ve referenced below…
  • Urban Schrott of ESET Ireland on dos and don’ts for safe browsing and disaster scam avoidance: http://esetireland.wordpress.com/2011/03/11/security-warning-japanese-earthquake-scams-will-send-tremors-through-the-web/
  • Paul Ducklin at Sophos on clickjacking by ibuzzu.fr: http://nakedsecurity.sophos.com/2011/03/12/japanese-tsunami-video-exploited-by-clickjackers/
  • Norman Ingal at Trend with some detail on observed blackhat SEO (BHSEO) and fake AV: http://blog.trendmicro.com/most-recent-earthquake-in-japan-searches-lead-to-fakea/ 
  • Robert Slade at Securiteam with an older post (from the time of the Haiti earthquake – but still relevant) on training for disaster: http://blogs.securiteam.com/index.php/archives/1346
  • More analysis from Kimberley at stopmalvertising.com: http://stopmalvertising.com/blackhat-seo/recent-japanese-earthquake-search-results-lead-to-fakeav.html
  • Paul Roberts at Threat Post: http://threatpost.com/en_us/blogs/experts-warn-japan-earthquake-tsunami-spam-031111
  • Guy Bruneau at Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10537&rss
  • Sean at F-Secure:  http://www.f-secure.com/weblog/archives/00002119.html 
  • Mike Lennon at Security Week: http://www.securityweek.com/massive-influx-scams-surrounding-japans-earthquake-and-tsunami-expected
  • spamwarnings.com is showing examples of spam related to this event: http://www.spamwarnings.com/tag/devastating-tsunami 
  • IRS online charities search: http://www.irs.gov/app/pub-78
  • Charity Navigator offers independent evaluation of charities: http://www.charitynavigator.org/
  • Google’s crisis response page: http://www.google.com/crisisresponse/japanquake2011.html
  • An old but much-to-the-point article on disaster scams from PC World: http://www.pcworld.com/article/61946/beware_of_online_scams_for_disasterrelief_funds.html
  • Phil Muncaster: http://www.v3.co.uk/v3-uk/news/2033668/google-twitter-facebook-step-help-japan-earthquake-survivors
  • Google’s People Finder service: http://japan.person-finder.appspot.com/?lang=en
  • Bing’s response page including several organizations offering relief initiatives: http://www.microsoft.com/about/corporatecitizenship/en-us/our-actions/in-the-community/disaster-and-humanitarian-response/community-involvement/disaster-response.aspx. A useful page, but there’s an aspect to Bing’s retweeting PR effort (see http://www.twitter.com/bing) that I can’t quite like, as explained at http://chainmailcheck.wordpress.com/2011/03/12/faith-hope-charity-and-manipulation/.
  • US-CERT: Japan Earthquake and Tsunami Disaster Email Scams, Fake Anitvirus and Phishing Attack Warning [Yes, the Anitvirus typo is on the web site: some useful links, nonetheless] 
  • Latest news from NHK World: http://www3.nhk.or.jp/nhkworld/ 
  • Graham Cluley: Japanese Tsunami RAW Tidal Wave Footage – Facebook scammers trick users with bogus CNN video
  • Morgsatlarge on Why I am not worried about Japan’s nuclear reactors
  • Real photos of the damage (hat tip to Rob Slade): http://www.nytimes.com/interactive/2011/03/13/world/asia/satellite-photos-japan-before-and-after-tsunami.html?hp; http://www.cbc.ca/news/interactives/japan-earthquake/index.html. Not exactly security-related, but the sort of thing that’s being used to decoy people onto unsafe sites.
  • One from the Register that I missed at the time, though it’s basically a pointer to the Trend article above: http://www.theregister.co.uk/2011/03/11/japan_tsunami_scareware/
  • World Nuclear News: Battle to stabilise earthquake reactors
  • Lester Haines for The Register: Threat to third Fukushima nuke reactor: Authorities using seawater to battle overheating
  • Apparently I wasn’t the only person upset at Microsoft’s use of the disaster to promote Bing: BingDings* Force Change of Tune.
  • Here’s another clickjack scam brought to my attention by Graham Cluley: as he rightly says, it’s not likely to be the last. Japanese Tsunami Launches Whale Into Building? It’s a Facebook clickjack scam 
  • Lewis Page describes in The Register how the Fukushima plant is actually performing “magnificently”, given the unexpected scale of the stress to which Japanese nuclear facilities have been subjected in the past few days: http://www.theregister.co.uk/2011/03/14/fukushiima_analysis/ Even if you’re not totally convinced that this is an argument for more nuclear powerplants, it’s certainly a welcome corrective to the FUD-exploiting scareware SEO that I suspect we’ll see over the next few days.
  • Graham Cluley on an SMS hoax: Fukushima radiation hoax SMS message spreads in Philippines (clue: it’s the hoax that’s spreading, not radiation…)
  • Nuclear Energy Institute: Information on the Japanese Earthquake and Reactors in That Region
  • Lester Haines: Fukushima reactor core battle continues: May be heading for meltdown, but no Chernobyl likely
  • Stan Schroeder for Mashable: AT&T, Verizon offer free calls and texts to Japan from US 
  • Ben Parr for Mashable:  Japan Earthquake & Tsunami: 7 Simple Ways to Help
  • Technet Blog: Microsoft Supports Relief Efforts in Japan
  • USA.answers.gov summary: Current Situation in Japan
  • Christopher Boyd, GFI Labs: Another “Whale smashes into building” Tsunami scam on Facebook 
  • Allan Dyer has mentioned that SMS “BBC FLASHNEWS” hoaxes like the one Sophos flagged at http://nakedsecurity.sophos.com/2011/03/14/fukushima-radiation-scare-hoax-text-message-spreads-in-philippines/ have also been circulating in Hong Kong.
  • Urban Schrott with some more scam info from Facecrook and elsewhere
  • Sophos on tsunami charity scams
  • Lots more links suggesting that radiation risk is way overblown, but I think we have enough of those to get the gist. Just be sceptical about alarmist reports that you can’t verify from reputable sites.
  • Business Standard on Cybercrime sets sail on tsunami sympathy
  • Symantec on Phishers Have No Mercy for Japan describing a fake American Red Cross donation site.
  • I’m also seeing a number of posts and articles suggesting that the situation regarding affected nuclear facilities is getting worse: I’m not qualified to separate fact and fiction in many of these cases, so I won’t try to track them here.
  • Allan Dyer describes one of the SMS hoaxes and a donation scam message pretending to be from AT&T: http://articles.yuikee.com.hk/newsletter/2011/03/a.html
  • Graham Cluley describes several Japan-related video links that actually lead to malicious javascript and a Java applet, plus some fake twitter email notifications: Spammed-out Japanese Tsunami video links lead to malware attack. See also Chet Wisniewski’s post SSCC 52 – Twitter HTTPS, net neutrality, car hacking, tsunami scams and Pwn2Own.
  • Jimmy Kuo forwarded a reliable donation link at http://www.jas-socal.org/, and here’s a post from Tracy Mooney on charitable giving.
  • A series of other blogs from McAfee: http://blogs.mcafee.com/mcafee-labs/world-record-for-disaster-scam-site; http://blogs.mcafee.com/consumer/robert-siciliano/tsunami-scam-warnings-keep-coming-in; http://blogs.mcafee.com/consumer/consumer-threat-alerts/japan-earthquake-scams-spreading-quickly
  • Christopher Boyd on Japan “Miracle Stories” scams on Youtube… and Rogue AV results lurk in contamination comparison searches and ICRC Japan donation scam mails and .tk URLs offering surveys, installs and fake Tsunami footage and Tips for avoiding the endless Japan disaster files and A Japan-themed 419 scam…
  • Crawford Killian is tweeting a lot of more general Japan-related stuff that might be useful to you as background rather than as direct security stuff. http://twitter.com/Crof (hat tip to Rob Slade.)
  • Nicholas Brulez: Japan Quake Spam leads to Malware
  • John Leyden for The Register: Fake Japan blackout alerts cloak Flash malware: Scumbags continue to batten on human misery
  • Not directly security-related, but I can see it being used as a social-engineering hook: Timothy Prickett Morgan on Japanese quake shakes semiconductor biz: Boards and chip packages hit too.
  • An article by Amanda Ripley that has no direct security implication that I can see offhand, but I thought was interesting anyway: http://www.amandaripley.com/blog/japan_and_the_cliche_of_stoicism/
  • I probably won’t continue to add too many resources to this page that don’t have a direct and compelling security dimension, but if you are interested in the sort of footage of exploding reactors, tsunami hits and so on that blackhats use as bait for fake AV and clickjacking, the BBC has quite a few relevant videos: I know that because I watch the news. 🙂 I haven’t looked up individual links, but a quick Google search brings up several at http://www.bbc.co.uk/: no doubt searches of CNN etc. would bring up similar results. There’s lots of this stuff out there: no need to click on dubious links from unknown sources!

    David Harley CITP FBCS CISSP
    AVIEN COO
    ESET Senior Research Fellow


    My Not-So-Funny Valentine

    I’d like to start off with something really soppy and sentimental but my heart’s not in it. 😉

    Clearly, we can expect more Valentine exploitation as the weekend draws nearer, but some malicious sites have already been flagged. (Apologies to those of you who’ll have seen some of this before at ESET or Mac Virus.)

    ESET blogged (well, I did, actually) on “Valentine Scams: Romancing the Stony-Hearted”, listing some malware-populated domains Pierre-Marc Bureau had noted and citing an earlier blog by Dancho Danchev (http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html) that includes quite a few dating scam sites and the like.

    A number of us, including my colleague Urban Schrott at ESET Ireland, are seeing Russian bride spam, but when don’t we get that stuff? I guess it goes with being such hunks.

    So it’s not surprising that David Marcus, at McAfee Labs, is reporting lots of SEO poisoning: these are some of the terms they report as being used to attract Googlers to malicious web sites:

    • Valentine’s Day Screensavers
    • Valentine’s Day Downloads
    • Valentine’s Day Wallpaper
    • Valentine’s Day Rolex
    • Valentine’s Day eCards
    • Animated Valentine’s Day
    • Valentine’s Day Greetings
    • Valentine’s Day Cupids
    • Valentine’s Day Gift Ideas

    The McAfee blog is here:

    http://www.avertlabs.com/research/blog/index.php/2010/02/10/valentines-day-searches-lead-to-malware/ 

    And I’ve just received a link from my colleagues at ESET Latin America: it’s in Spanish, but includes some images cloaking malicious links, so that you can enjoy some pictures without risking the badware. 😉 (Thanks, Cristian!)

    David Harley FBCS CITP CISSP
    Security Author/Consultant at Small Blue-Green World
    Chief Operations Officer, AVIEN
    ESET Research Fellow & Director of Malware Intelligence

    Also blogging at:
    https://avien.net/blog
    http://www.eset.com/threat-center/blog
    http://smallbluegreenblog.wordpress.com/
    http://blogs.securiteam.com
    http://blog.isc2.org/
    http://dharley.wordpress.com
    http://macvirus.com