Nov 22 2014

my new photo malware and Google’s webp images

We have been seeing a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish.
Until 2 days ago the zip attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions, so some users get infected.

Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in Windows Explorer or in the majority of imaging/photo editing/viewing programs. It will display in the Chrome browser. Looking at the file headers, the image is a genuine image but is in the “new” webp format from Google https://developers.google.com/speed/webp/ which needs a codec from Google to display in Windows Explorer, or a plug-in to display or use it in common image editing/viewing programs.

We will almost certainly see requests or comments in various forums or Facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if Chrome is the default) or via the Google plug-in or codec if that has been installed, and the user thinks that it was just an image and not a malware file.

Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file, which makes the unwary more likely to click on it and consequently become infected.
I have been charting the progress of this malware for some time now, since it first appeared at the end of August 2014 http://myonlinesecurity.co.uk/new-photo-malware/

To clarify this 100% and make it clear for those who don’t have English as a first language:
The post is not about preventing malware attacks as such but to inform everybody about the new format being used, particularly the increasing use of Google’s webp format. This explains why we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc. but can in Chrome, OR why they cannot view or edit a downloaded jpg.

The zip file contains 2 files.
1 is a standard .exe with an icon that looks like a jpg. If you don’t have hidden extensions shown this can confuse a user and lead to infection when clicked on. That is an old trick and we have advised users how to overcome it for ages.
The problem is the second file in the zip, which has a jpg extension and icon and is a genuine image file, BUT is not a standard jpg but a Google developed “new” webp format image.
Windows by default will NOT display webP images and no default Windows image viewers display them. Google Chrome (and Opera) do display them. IE does NOT display them.

The biggest concern is that a user will not see a preview of the image in his Windows Explorer, and when he double clicks that image file to view it he will also see nothing except a big x.
We can start to expect requests for help in forums asking why they can’t see jpg images.
We did see a similar thing a few months ago when Facebook tried a short lived experiment of using webp images instead of standard jpgs. They soon stopped because of complaints, but scuttlebutt is they want to bring them back because of better compression and consequent bandwidth cost savings.

Malware authors (and sex sites) are always the first ones to adopt new technology, and once they start to push the tech, others follow suit.

You can see the difference here. The first image is a standard jpg image (61 kb). The second image is a standard png image (735 kb), which is used on many websites to avoid going blotchy when cut down in resolution to save on bandwidth, but the original is a much larger file size. The 3rd is the Google webp image (29 kb) that will only display in the Chrome browser and not in IE or Firefox. Unless you are using Google Chrome all you will see is the first and second images. The third image (which is identical to the other 2) will just appear as a blank spot with a small x and the words “webp image of my new photo”. You can see from this why many web developers and website owners want to use webp to cut down file sizes and still get very high quality images to display.

jpeg version of my new photo

jpg_version of  2my_photo

webp image of my new photo


If you open the image files in a hex editor or analysis program you will see the file type header information (the dots stand for non-printable bytes):

For jpg they are ……JFIF…..`.`……Exif..MM

For PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….

For Webp they are RIFFhs..WEBPVP8
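Those header bytes are enough to tell the real container apart from what the extension and icon claim. As an added example (not the blog’s own code), this Python script sniffs the magic numbers, decodes the WebP RIFF size that appears as “hs” in the dump above, and flags a mismatch between a filename’s extension and its actual content; it also flags a PE executable, which goes slightly beyond the post. The sample byte strings and attachment names are constructed here, not taken from the real attachments.

```python
import os
import struct

# Constructed sample headers (not bytes from the actual attachments), built
# from the public magic numbers each format starts with:
#   JPEG  FF D8 FF ...            (the "JFIF"/"Exif" text follows a few bytes in)
#   PNG   89 'P' 'N' 'G' 0D 0A 1A 0A, then the IHDR chunk
#   WebP  'RIFF' <size, little-endian u32> 'WEBP' <chunk fourcc>
#   PE    'MZ' (a Windows executable, whatever icon it shows)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
# The "hs" visible in the post's dump ("RIFFhs..WEBPVP8") is the low bytes of
# the RIFF size field: 0x68 0x73 little-endian = 0x7368 = 29544, consistent
# with the 29 kb quoted for the webp image.
WEBP_SAMPLE = b"RIFF" + b"\x68\x73\x00\x00" + b"WEBPVP8 " + b"\x00" * 8
PE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00"

EXTENSION_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                   ".webp": "webp", ".exe": "exe"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring extension and icon."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[:2] == b"MZ":
        return "exe"
    return "unknown"


def describe_webp(data: bytes) -> dict:
    """Decode the RIFF size and the first chunk fourcc of a WebP container."""
    if sniff_type(data) != "webp":
        raise ValueError("not a WebP container")
    riff_size = struct.unpack("<I", data[4:8])[0]          # file length minus 8
    chunk = data[12:16].decode("ascii", errors="replace")  # 'VP8 ', 'VP8L' or 'VP8X'
    return {"riff_size": riff_size, "chunk": chunk}


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the filename claims with what the bytes actually are."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,   # e.g. a .jpg that is really webp
        "executable": actual == "exe",   # the icon-disguised .exe in the zip
    }


if __name__ == "__main__":
    # Hypothetical attachment names modelled on the zip described in the post.
    for name, blob in [("my new photo.jpg", JPEG_SAMPLE),
                       ("my new photo.jpg", WEBP_SAMPLE),
                       ("my new photo.png", PNG_SAMPLE),
                       ("my new photo.jpg.exe", PE_SAMPLE)]:
        print(check_attachment(name, blob))
    print(describe_webp(WEBP_SAMPLE))
```

Run it against the first few hundred bytes of any attachment to see whether a “jpg” is really a webp that Windows cannot preview.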

Nov 19 2014
Lloyds Bank We're improving your current account - phishing

There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:

We’re improving your current account
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your account has exceeded its limit and needs to be verified
Your account will be suspended!
You have received a secure message from <your bank>
New Secure Message
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order

This one is Lloyds bank We’re improving your current account pretending to come from Lloyds Banking Group Plc <info@emails.very.co.uk>. The original email looks like this. It will NEVER be a genuine email from PayPal or your Bank, so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually do allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out.

Read More....
Nov 18 2014

Out-of-band release for Security Bulletin MS14-068

On Tuesday, November 18, 2014, at approximately 10 a.m. PST (6pm GMT/UT) we will release an out-of-band security update to address a vulnerability in Windows. We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin. More information about this bulletin can be found at Microsoft’s Advance Notification Service page. Tracey Pretorius, Director Response Communications

We will wait with bated breath to see what it does. This is one of the updates that was postponed from last Tuesday’s (11 November 2014) big Patch Tuesday because it wasn’t up to the required standard. Let’s hope that it does fix whatever vulnerability it is supposed to fix and doesn’t break anything. After reading the advance notice more deeply, I find it does not affect Vista, Windows 7 or Windows 8/8.1, which are the main desktop and consumer versions of Windows in common use.

Notes for MS14-068
Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update. [1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any

Read More....
Nov 18 2014

voice message from 685-869-9737 for mailbox 226 pretending to come from Voice Mail <voicemail_sender@voicemail.com> is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad

Read More....
Nov 18 2014

INCOMING FAX REPORT : Remote ID: 999-745-5477 pretending to come from Incoming Fax <no-reply@efax.co.uk> is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys

Read More....
Nov 18 2014
This email contains an invoice file attachment Invoice #1633370 May - Word doc malware

Invoice #1633370 May with a malicious word doc attachment saying This email contains an invoice file attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The

Read More....
Nov 17 2014
Investment Opportunities in Ireland - malware

Investment Opportunities in Ireland pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have

Read More....
Nov 17 2014
BT Account - Payment Declined - Phishing

Any phishing attempt wants to get as much personal and financial information from you as possible. This BT Account - Payment Declined phishing scam pretending to come from BT.com <noreplymail@btc.com> is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, Facebook and other social network log in details. Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

The original email looks like this:

You have 1 new Message Alert! Your BT Account has generated an Important update alert. This measure has been adopted because we been unable to process your payment for your recent Bill. You must verify your information to avoid disconnection of service. Upon verification, your account will automatically update, click on the link below to complete this process. Log in to My BT Account follow the instructions on your screen. *Important* Please update your records on or before 24hours, a failure to update your records will result in a temporary disconection of service.

Read More....
Nov 17 2014
Failed Fax Transmission to 01616133969@fax.tc<00441616133969> - Word doc malware

Failed Fax Transmission to 01616133969@fax.tc<00441616133969> pretending to come from Interfax <uk@interfax.net> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously

Read More....
Nov 17 2014
Barclays Bank Your account might be compromised - phishing

Your account might be compromised pretending to come from Barclays Bank Plc <natalie.beecham@barclays.com> is one of the latest phish attempts to steal your Barclays Bank, debit card and personal details. This one only wants your Barclays log in details. Many of them are also designed to specifically steal your email, Facebook and other social network log in details as well. Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

The original email looks like this. It will NEVER be a genuine email from Barclays or any other bank, so don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine Barclays website, but you can clearly see in the address bar that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email.

Dear Customer, We recently have determined that different computers have logged in your Barclays account, and multiple password failures were present before the logons. For your security we have temporary suspended your account. Please download the document attached to this email and fill carefully. If you do not restore your account by November 17, we will be forced

Read More....
Nov 14 2014
Amazon Your account has been frozen temporarily - Phishing

Your account has been frozen temporarily pretending to come from Amazon <auto-confirm@amazon.co.uk> is one of the latest phish attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, Facebook and other social network log in details as well. Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

The original email looks like this. It will NEVER be a genuine email from Amazon or any other company, so don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine Amazon website, but you can clearly see in the address bar that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email.

If you open the attached html file you see a webpage looking like:

When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They

Read More....
Nov 11 2014
Duplicate Payment Received - Word doc malware

Duplicate Payment Received pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.

Read More....
Nov 11 2014
Bank Payments pretending to come from Accounts Finchley - Word doc malware

Bank Payments pretending to come from Accounts Finchley <accounts.finchley@nazarethcare.com> with a damaged malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.

Read More....
Nov 10 2014
Kate Williams invoice 6330089 November - Word doc malware

invoice 6330089 November pretending to come from Kate Williams with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The

Read More....
Nov 07 2014
Sue Morckage inovice 0394508 November - Word doc malware

An email saying This email contains an invoice file attachment pretending to come from Sue Morckage with a subject of inovice [random number] November is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have

Read More....