Fortinet Reviews Malicious Code Activity In July 2006
This month, the Fortinet Research team uncovers new threats and dissects cybercrooks’ intentions, delivering insights on the freshest scams around.
This month's highlights:
July, by the numbers:
Top 10 threats caught by Fortinet’s FortiGate security appliances in July 2006:
| Rank | Threat | Share |
|---|---|---|
| 1 | W32/Netsky.P@mm | 9 % |
| 2 | HTML/Iframe_CID!exploit | 8 % |
| 3 | W32/Bagle.DY@mm | 6 % |
| 4 | W32/Grew.A!worm | 6 % |
| 5 | W32/BagleZip.GL@mm | 6 % |
| 6 | Adware/BetterInternet | 4 % |
| 7 | W32/BagleZip.GM@mm | 4 % |
| 8 | HTML/BankFraud.E!phish | 3 % |
| 9 | W32/MyTob.BH.fam@mm | 2 % |
| 10 | W32/MyTob.AQ@mm | 2 % |
Netsky remnants, Bagle, Grew, BetterInternet... Different month, same figures. Cyber criminals are pursuing a constant and stable goal: making cash without attracting too much attention - and virus activity tends to reflect the same stability.
While the most technically gifted hackers peacefully breed their bot cattle, milking them once or twice a week (we demonstrated how botnet herders generate regular cash via massive spyware installation in some of our previous roundups), cyber con-artists are turning to phish and other scams to make pocket money. By doing so, in even the best cases they are a nuisance to other users, and in the worst case they literally empty their wallets.
In this month’s roundup, Fortinet’s Research team chose to address this aspect of cyber criminality through various short stories.
Top Three Phishing Social Engineering Strategies this Month
July has been a prolific month for phishing scams. We have intercepted all kinds of phishing letters flying from phishers to our customers, and although the "flavour" of each letter may feel unique to the connoisseurs’ eyes, the underlying social engineering strategy is usually easily categorized. As a matter of fact, most letters rely on basic emotions all human beings may be inclined to feel, a tactic that has been used for centuries by crooks to trick and rob people. According to Guillaume Lovet, threat intelligence and response team leader for EMEA, three of these basic emotions were used extensively this month as phish levers:
1. Fear
A vast number of phishing letters employ a threatening, very formal tone, on an "update your account now, otherwise we’re gonna suspend it" basis.

Astonishingly, this strategy is now almost always coupled with a perverted use of the effects of phishing awareness campaigns, which are still in an early stage of development today. The general impression, the "trace" that such campaigns may leave in a typical user’s mind, is leveraged to increase the success rate of phishing letters; this is achieved by employing a similar tone and evoking the very dangers described in awareness campaigns.

Again, very often, the "fear factor" is strengthened by a bold deadline, acting as a "we ain’t kiddin’, dude" line in the potential victims’ minds.

2. Cupidity
A universal classic, cupidity is known to have made and unmade empires. It is therefore almost surprising not to see overwhelmingly more phishing attempts relying on this one. While in the past we have witnessed IRS phishing scams attempting to con users by evoking generous mistakes in their favor, the latest trend is to resort to a top-selling eBay item:

This is of course a tad more subtle than the typical, all too obvious, "you have won the prize" scam. Instead, the "prize" is meant to attract victims’ attention, before finishing them with a more classical "fear factor" scheme (see above).
Malicious use of top-selling items is a habitual trait of eBay scammers (people setting up auctions for bogus/non-existent items at real bargain prices), and one more hint that eBay phishers and eBay scammers work hand in hand - if they are not simply the same persons.
3. Compassion
Perhaps the most unexpected strategy, but yes, some "individuals" somewhere thought it would be a good idea to take advantage of their potential victims’ compassion in order to better rob them. The result looks somehow funny, to say the least, but the intention is nonetheless obnoxious.

Wouldn’t you help an 87-year-old grandma bidding on the armchair she can’t afford to buy new with her pension? This pathetic strategy may only extort a smile or two from phish-aware users, but the bill could be bitter for the others. Out of the phishing context, there is some poignancy in such a scheme - which may lead some otherwise cautious users to lower their defenses.
If you have examples of other original social engineering strategies (we cannot recall seeing lust exploited for phishing purposes... anyone?), do not hesitate to e-mail us at fortiguard@fortinet.com, and we’d be happy to give you credit in next month’s roundup.
eBay scamming 101: bot talk
In a previous roundup, we pointed out that one of the easiest and quickest ways to make money on the internet is setting up an auction on eBay for a bogus item, cashing the money and then disappearing. Of course, this only works when done from an account with a high positive-feedback rate - which explains the prevalence of eBay phishing scams.
However, according to Lovet, strategies other than plain phishing can be used to obtain accounts that "look real" - that is to say, featuring a reasonably furnished transaction history and a 100-percent positive-feedback rate.
Indeed, numerous eBay sellers offer "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.). Let us consider the feedback profile of such a seller:

This is just a small excerpt, but the same striking pattern is repeated over pages and pages: most user names are made of six to eight random letters and bear around 15 evaluations. Having a look at these profiles reveals that they’ve bought roughly the same items - all for 1 cent. Let us compare the profiles of two of those shady buyers:

Again, a sharp eye may notice that the feedback comments received from sellers are identical, and read in almost the same order. This is because most 1-cent-plus-no-delivery-cost sellers automate the whole transaction: should someone buy their eBooks for one cent each, a script automatically emails the item to the buyer and leaves a standard feedback comment on the buyer’s profile.
So, if we put everything together, the following is probably happening:
1. Someone is massively creating randomly named, fake user accounts (probably in a more or less automated fashion).
2. Those fake users, powered by automated web spider software, are set to scavenge eBay for 1-cent "buy it now" items and buy them.
3. Automatically, the 1-cent item seller script emails the buyer with the item, and posts its standard feedback on his profile.
4. The fake user automatically responds with a standard feedback comment on the seller’s profile.
In a nutshell: Two bots are talking. And doing business.
This is a good example of a "cyber" symbiotic phenomenon (aka a win-win situation): sellers are making cash without doing anything, and scammers owning the fake accounts are building positive feedback, again, while sleeping, watching porn, or chatting on IRC - and only for a fistful of bucks.
Indeed, with that 1-cent rate, building 100 accounts with 15 positive feedbacks each costs $15. And 100 accounts are a reasonably solid base to set up a good deal of bogus auctions...
Ironically, one of the most popular items among the 1-cent-buy-it-now-with-no-delivery-cost clique is an eBook called "The Secrets of The 1 Penny Auction." We do not know what wise advice it features, but one thing is for sure: it includes "put this eBook on auction for 1 cent." Anyone willing to waste a penny and report its contents?
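As an added, defender-side illustration (not code from the original roundup), here is a small Python heuristic that scores buyer profiles against the indicators described above (random six-to-eight-letter names, around 15 evaluations, every purchase for 1 cent) and then pairs up the suspects whose feedback comments arrive in the same order, which is the "two bots talking" signature. All profile data, seller names and comments are constructed for the example.

```python
import re
from itertools import combinations

RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")   # six to eight random letters
TYPICAL_FEEDBACK_RANGE = range(10, 21)     # "around 15 evaluations"

# Standard comments an automated 1-cent seller script leaves (constructed)
SELLER_SCRIPTS = {
    "ebook_dealer": "Instant payment - perfect eBay buyer. Thank you! A+",
    "wallpaper_hut": "Thanks for buying! Item emailed. Positive feedback left.",
    "pennypix": "Super fast payment, recommended buyer!!!",
}

def scripted_history(n):
    """Constructed feedback list for a bot buyer: n 1-cent purchases cycling
    through the same automated sellers, so comments arrive in the same order."""
    sellers = list(SELLER_SCRIPTS)
    return [(0.01, sellers[i % 3], SELLER_SCRIPTS[sellers[i % 3]]) for i in range(n)]

# Constructed sample profiles: (price paid, seller, feedback comment received)
PROFILES = {
    "qzxwvtk": scripted_history(15),
    "lmprhdj": scripted_history(15),
    "bkvtyqr": scripted_history(14),
    "collector_jane": [(12.50, "vinylfan", "Great buyer, smooth deal"),
                       (0.01, "ebook_dealer", SELLER_SCRIPTS["ebook_dealer"]),
                       (45.00, "oldbooks", "Prompt payment, thanks")],
}

def bot_indicators(name, feedbacks):
    """Return the roundup's indicators that this buyer profile matches."""
    hits = []
    if RANDOM_NAME.match(name):
        hits.append("random 6-8 letter username")
    if len(feedbacks) in TYPICAL_FEEDBACK_RANGE:
        hits.append("around 15 feedbacks")
    if feedbacks and all(price == 0.01 for price, _, _ in feedbacks):
        hits.append("every purchase for 1 cent")
    return hits

def comment_order_similarity(a, b):
    """Share of positions where two profiles got the same comment in the same order."""
    n = min(len(a), len(b))
    return sum(x[2] == y[2] for x, y in zip(a, b)) / n if n else 0.0

def find_bot_clusters(profiles, min_indicators=3, min_similarity=0.8):
    """Flag profiles matching every indicator, then pair those whose
    feedback comment sequences are near-identical (two bots talking)."""
    suspects = sorted(n for n, f in profiles.items()
                      if len(bot_indicators(n, f)) >= min_indicators)
    pairs = [(a, b, round(comment_order_similarity(profiles[a], profiles[b]), 2))
             for a, b in combinations(suspects, 2)]
    return suspects, [p for p in pairs if p[2] >= min_similarity]
```

Running `find_bot_clusters(PROFILES)` flags the three random-named accounts and reports every pair of them with a similarity of 1.0, while the genuine buyer matches none of the indicators.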