Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

Summary: This week's Malware Watch features four campaigns: spamvertised fake Amazon orders, a ZeuS crimeware-serving email campaign using "Adobe Security Update" as its theme, an adult-content themed "Watch Video" campaign, and the "sexiest video ever" rogue Facebook application.

This week's Malware Watch features four campaigns: spamvertised fake Amazon orders, a ZeuS crimeware-serving email campaign using "Adobe Security Update" as its theme, an adult-content themed "Watch Video" campaign, and an overview of the "sexiest video ever" rogue application campaign spreading across Facebook.

- Fake Amazon order emails malware campaign

This currently spamvertised campaign attempts to trick the end user into executing the attached .zip, which, when run, drops a copy of the ZeuS crimeware alongside additional malicious payload:

In the latest scam, the message appears to be an order confirmation from Amazon.com for the purchase of an expensive consumer electronics item, or a contract (spelled, tellingly, “conract“) for expensive home improvement work, purportedly to be done on the recipient’s home.

Although they've switched to a new theme, the campaign is launched by the same gang that was behind last week's "Look at my CV" and "iTunes gift certificate" campaigns.

- ZeuS crimeware serving "Adobe Security Update" themed emails

Yet another spamvertised campaign, which differs significantly from the others in that both the social engineering theme and the actual PDF file would look and sound fairly convincing to a potential victim.

The messages appear to be forwarded from a Director of Information Services who apparently received update instructions directly from an associate at Adobe. The message from the Adobe associate states that the update link is to patch CVE-2010-0193. There are two links in the message which lead to the same IP address hosting a PDF file for instructions and an executable which is meant to be the patch to apply.

Moreover, according to Websense, in an attempt to avoid detection the attackers abandoned the well-proven tactic of using a malicious PDF: the actual PDF file is free of exploits and only contains the download link for the malware, which the gullible end user is supposed to fetch and execute manually. And with millions of users opening spam emails and clicking on the links within, the attackers will easily succeed.
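Two of the lures above share a mechanical tell a mail gateway can check for: the Amazon-themed message carries a .zip whose "order" is really an executable, and the Adobe-themed message, together with its exploit-free PDF, points at an executable hosted on a bare IP address. The following Python triage script is an added example, not code from the original post or from any vendor it cites. It builds a constructed sample message (placeholder addresses, the documentation range 192.0.2.0/24 and made-up file names, none of them real campaign indicators), then flags zip attachments that contain executables, extracts the /URI actions from PDF attachments, and scores every link in the body and the PDF by whether its host is a raw IP or its path ends in an executable extension.

```python
from __future__ import annotations

import email
import io
import ipaddress
import re
import zipfile
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that should never arrive as "an order", "a patch" or "a video".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
URL_RE = re.compile(rb"https?://[^\s<>\"')]+", re.IGNORECASE)
# A PDF needs no exploit to carry the lure: a /URI action is enough.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def url_findings(url: str) -> list[str]:
    """Reasons a link looks like a malware download lure; empty list if none."""
    reasons = []
    parsed = urlparse(url)
    try:
        ipaddress.ip_address(parsed.hostname or "")
        reasons.append("host is a bare IP address")
    except ValueError:
        pass  # a normal hostname, or no host at all
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link points straight at an executable")
    return reasons


def pdf_link_findings(pdf_bytes: bytes) -> dict[str, list[str]]:
    """Pull every /URI action out of a PDF and score its target."""
    findings = {}
    for match in PDF_URI_RE.finditer(pdf_bytes):
        url = match.group(1).decode("latin-1")
        reasons = url_findings(url)
        if reasons:
            findings[url] = reasons
    return findings


def zip_executables(zip_bytes: bytes) -> list[str]:
    """Names of executable members in a zip, double extensions included."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [n for n in archive.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]


def triage_message(raw: bytes) -> dict:
    """Walk a raw RFC 822 message and collect the three kinds of tell."""
    report: dict = {"links": {}, "zip_executables": [], "pdf_links": {}}
    for part in email.message_from_bytes(raw).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload is None:
            continue
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            for match in URL_RE.finditer(payload):
                url = match.group(0).decode("latin-1")
                reasons = url_findings(url)
                if reasons:
                    report["links"][url] = reasons
        elif filename.endswith(".zip") or ctype == "application/zip":
            report["zip_executables"].extend(zip_executables(payload))
        elif filename.endswith(".pdf") or ctype == "application/pdf":
            report["pdf_links"].update(pdf_link_findings(payload))
    return report


def build_sample_message() -> bytes:
    """Constructed lure combining both shapes; placeholder values, no real campaign data."""
    msg = EmailMessage()
    msg["Subject"] = "FW: Adobe Security Update"
    msg["From"] = "director@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content(
        "Please apply the patch: http://192.0.2.10/update/adobe_patch.exe\n"
        "Instructions: http://192.0.2.10/update/instructions.pdf\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:  # the "order" is really an .exe
        archive.writestr("Order_Details.pdf.exe", b"MZ placeholder, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Amazon_Order.zip")
    # Minimal PDF fragment with no exploit, only a link action (constructed).
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI "
           b"/URI (http://192.0.2.10/update/adobe_patch.exe) >> endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="instructions.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for key, value in triage_message(build_sample_message()).items():
        print(key, value)
```

The PDF check is deliberately a byte-level regex rather than a full parser: the point is that a file which passes an exploit scanner clean can still be the delivery vehicle, so the same link heuristics applied to the mail body should also run over link actions inside attachments.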

- Massive Facebook rogue application campaign serving adware

What's particularly interesting about this campaign is that it has kept re-emerging under a different message over the past few weeks. However, both the individual or gang behind it and the adult theme remain the same.

According to AVG, the campaign was achieving 40,000 hits per hour, demonstrating just how fast a campaign that is well organized from a social engineering perspective can spread across Facebook. Although the application was shut down, the cybercriminals behind it quickly introduced a new one, once again tricking the end user into installing a bogus video player, which in reality is adware.

- Watch Video adult content themed malware campaign

This currently ongoing spam campaign is also related to the gang behind the fake Amazon orders. The social engineering theme once again relies on the popular adult angle, offering naked videos of celebrities and related adult-themed topics.

Opening spam emails and clicking on the links within is one thing. But falling victim to a video scam whose tiny .zip attachments would have to redefine video encoding and archive compression to contain what they promise is entirely another.

Topics: Amazon, Collaboration, Enterprise Software, Malware, Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

11 comments
  • Ironic

    Kind of ironic that your first reader feedback today is spam. Keep up the good work (the reporting, not the spam). Your column is always among the most interesting - and scariest - reading on the web.
    kidtree
  • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

    Yes, so funny that a spammer got through zdnet.com to post their junk on this page.
    To make another interesting read today, I was checking, using Whois, some links from spam messages I got on my mail server and found this one:
    emailfriendz.com

    Look at the Technical Contact's email address and Name Servers and Contact. At least this person is "honest".
    phatkat
    • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

      @phatkat

      I ran that domain also, and did you notice the email address???? Like you said, at least he is `honest`!

      I also ran the address on Google maps? Contact at a hotel??

      Hmmm, is he really `honest` now???
      fatman65535
  • Danchev is a terrible writer

    I'm sorry, but this is the third Danchev article I've tried to read and he's such a terrible writer that I can't tell what he's talking about half the time. And I'm an experienced software engineer who runs his own Internet site so I'm already well versed in these topics; I can't begin to think of what problems a less knowledgeable person would have reading Danchev's stuff.

    The section on the Adobe spoof was clear, but in his next section about some kind of rogue Facebook app, he starts talking about "what's particularly interesting" about it and never defines what it is!

    His third point about some kind of adult video makes no sense whatsoever. Not only does he not say what it actually is, but the grammar is incorrect and that makes it doubly confusing. Only indirectly by reading his final comments do I get a vague notion that something was compressed in some kind of video.

    With Danchev's writing, you have to guess at everything. This is really childish, selfish writing -- writing just to hear yourself talk, not to effectively communicate anything. With the glut of people out of work these days I'm surprised ZDNet can't find better writers.
    InspectorGadget
    • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

      @InspectorGadget
      Wow, bit of an axe to grind... bitter about something.
      The article was easy to read and understand.
      Problem with your prescriptions...
      Dr.Joe
    • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

      @InspectorGadget
      Tell you what - you write articles in some other language than English and see how well you do, since I believe Dancho is not a native English speaker.

      Yes, sometimes his phrasing is a little stilted with inverted syntax, but I have no problem figuring out what he means.

      (Well, no more than I do with other ZDNet bloggers and columnists...)
      fairportfan
    • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

      @InspectorGadget

      "I'm an experienced software engineer who runs his own Internet site". It's 2010, my grandparents have a bigger collection of PSD templates, than I do.

      Stop hating, start participating.
      ddanchev
  • Danchev's poor writing is unfortunate at best.

    I agree with "InspectorGadget": Mr. Danchev writes like a semi-literate high school dropout; he is obviously distracted, unfocused and uncomfortable with the English language. Z.D. could easily do a lot better.
    materva
  • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

    When I first read the article, I saw nothing bad in Mr Danchev's syntax, usage, or idiom. After I read the complaints about the writing, I reread his article and I STILL SEE NOTHING that should evoke such vitriol. His ideas are sequential, logical. The vitriol is uncalled for, and says more about the complainer than Mr Danchev or his writing.
    davidbteague@...
  • RE: Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

    Well done! Thank you very much for the professional templates and community edition
    sesli sohbet (http://www.yuregininsesi.com) sesli chat (http://www.yuregininsesi.com)
    efsane
  • good idea about facebook

    A good post. Do you know tattoo? It is quite amazing. We supply kinds of tattoo kits, tattoo machines, tattoo needles, tattoo ink and so on. Please buy custom rotary tattoo machine (http://www.dealingway.com/Wholesale-rotary-tattoo-machines_c278) at wholesale price from us.
    gavin.chan