Cyber Crooks All Set to Crash the British Royal Wedding
This guest post originally appeared on the Symantec Connect blog. The post was written and researched by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.
As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.
Spam campaigns
We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.
In one such recent spam campaign, email promoting a “limited edition Buckingham Mint Royal Wedding Commemorative Coin” at a discounted rate is being observed:
The IP address involved in this particular spam attack is from a domain owned by an email marketing company based in the UK. The link in the body of the email at first briefly redirects to the domain lpmtrk.info—created on January 14, 2011—before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its identity so it could be used for spamming activities.
In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:
Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:
From: Sovenir
From: Sovenir souvenir@ardent.informationfoot.com
From: “Timeless Royal Ring”
From: “British Heirloom Ring”
Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring
The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.
The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.
Black hat SEO
With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.
At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.
Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”
The Norton Safe Web site reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:
Here are some other search terms currently returning poisoned links:
• william and kate movie cast
• prince charles age
• princess diana death facts
• prince harry last name
• william and kate movie on lifetime
• royal wedding guest list bush
• royal wedding guest list snubs
• prince charles siblings
• the royal wedding date and time
We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques—such as keyword stuffing, cloaking, and link farming—to “game” the search engine algorithms to achieve high search engine rankings.
These poisoned links generally have the following pattern:
hxxp:///-
Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.
The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:
When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.
Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.
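The redirect pattern described above, a search-result click answered with a 307 Temporary Redirect to a host under co.cc, can be hunted for in web proxy logs. The following is an added example, not code from the original post or from Symantec; the log layout, the search-engine label list, and every host name in the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Assumed field order:
# time, client, status, requested URL, Referer, Location ("-" when absent).
SAMPLE_LOG = """\
2011-04-28T09:14:02 10.0.0.21 307 http://site-a.example/royal-wedding-time http://www.google.com/search?q=royal+wedding+time http://constructed-one.co.cc/scan
2011-04-28T09:14:03 10.0.0.21 200 http://constructed-one.co.cc/scan http://site-a.example/royal-wedding-time -
2011-04-28T09:20:40 10.0.0.35 307 http://site-b.example/prince-charles-age http://www.bing.com/search?q=prince+charles+age http://constructed-two.co.cc/scan
2011-04-28T09:31:11 10.0.0.35 302 http://news.example/login http://news.example/ http://news.example/home
2011-04-28T09:40:57 10.0.0.48 307 http://shop.example/cart http://shop.example/item http://shop.example/checkout
"""

SEARCH_LABELS = {"google", "bing", "yahoo"}  # assumed list; extend as needed
ROGUE_SUFFIX = ".co.cc"                      # hosting domain named in the post

def host(url):
    """Return the lowercased hostname of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()

def from_search(referer):
    """Heuristic: True when a label of the Referer host names a search engine."""
    return any(label in SEARCH_LABELS for label in host(referer).split("."))

def find_poisoned_clicks(log_text):
    """Return hits where a search click got a 307 to a host under co.cc."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guess at fields
        ts, client, status, url, referer, location = fields
        dest = host(location)
        if status == "307" and from_search(referer) and dest.endswith(ROGUE_SUFFIX):
            hits.append({"time": ts, "client": client,
                         "landing": host(url), "rogue": dest})
    return hits

def summarize(hits):
    """Map each rogue host to the set of landing sites redirecting to it."""
    out = {}
    for h in hits:
        out.setdefault(h["rogue"], set()).add(h["landing"])
    return out

if __name__ == "__main__":
    for rogue, landings in summarize(find_poisoned_clicks(SAMPLE_LOG)).items():
        print(rogue, "<-", sorted(landings))
```

The landing hosts in the summary are candidates for the compromised sites carrying the fake pages, and the client addresses in the hits identify machines to check for rogue antivirus installs.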
Norton survey results
Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts as listed below—as well as some that were quite shocking:
* 62% of Americans surveyed are likely to follow the British royal wedding.
* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.
* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.
* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.
* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.
Royal Wedding 2.0 – The first “e-royal wedding”
* Nearly 40% of all respondents will seek their royal wedding information online.
* 67% of 18-34 year olds will seek their royal wedding information online.
* 87% of 18-24 year olds will seek their royal wedding information online.
* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.
* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).
People are unaware and unprotected from cybercriminal “wedding crashers”
* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.
* 87% of 18-24 year olds seek their royal wedding information through online channels, and—shockingly—that same amount of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.
Norton Cybercrime Index – Six Weeks On
Nearly two months later and the Norton Cybercrime Index has been tracking the changes in cybercrime activity across the web. Looking at the data, we can see that the index tracked around the 60 data point until March 15. And between then and now, we’ve seen the index rising, peaking at 141 on 27 March.
To give you some analysis into what has been happening, we’ve essentially seen “standard” cybercrime for the first four weeks. Then throughout March some significant events, in the world of cybercrime at least, happened.
Newsjacking
Firstly the terrible disaster in Japan. Japan experienced one of the worst earthquakes in its history on 11 March. The earthquake registered 8.9 on the Richter scale, which triggered an enormous tsunami. It was the worst earthquake and tsunami in the past century.
Unfortunately in these catastrophic cases, unscrupulous cybercriminals surface almost immediately. Spammers take on the guise of charitable institutions or government organisations, or appeal for personal aid.
In this case, Symantec noted several email scams, for example those marked as URGENT and pleading with you for “monitory help” [sic] or a phishing mail urging you to donate to the rehabilitation of those affected by the quake and tsunami.
In addition to spam, within the first few hours of the earthquake and tsunami, Symantec researchers observed more than 50 domains with the names of either “Japan tsunami” or “Japan earthquake.” These domains are either parked, available for sale, or are linked to earthquake sites. These domains may be used in phishing and spam attacks.
These events contributed to the rise in the Cybercrime Index between March 15 and March 27.
Botnet Bottoms Out
Interestingly we noticed a slight dip in the index on March 17, from 75 to 70, when the Rustock botnet was shut down.
Rustock was responsible for almost half of the world’s spam, according to our research. The botnet was believed to control a network of more than a million computers, enabling them to send out as many as 40 billion spam emails per day selling everything from software to discounted drugs like Viagra and Cialis, although many of the products were said to be counterfeit. The botnet was shut down thanks to a widescale operation involving Microsoft, industry partners, academics and law enforcement agencies.
Loose Data
Finally, data breaches impacted the index. Play.com had its website hacked on 22 March, a popular travel website had its database hacked on 25 March, and finally the website of a popular open source database engine was hacked and sensitive info exposed. This happened on March 27, which is when the index peaked at 141.
It’s fascinating to watch the index rise and fall, and track what is happening around the world which directly impacts the world of cybercrime.
Today, the index stands at 87, with threats from each of these segments plus others (social networks, phishing scams on tax, a breach on an email marketing service). Who knows where it will move next? It’s always good to be aware, and take steps to protect yourself.
Lying With Numbers
Guest post from Marian Merritt, originally posted on Ask Marian
This UK headline screamed at me from my inbox last week: One in four pupils admit swapping porn images of themselves by text message and 40% young kids are sexting.
Could this possibly be true? There’s very little reliable data about how many people engage in the practice known as “sexting”, less still about children’s level of participation. First, what is sexting? Even the definition of the term seems to vary in important ways. Some describe it as sending sexual content in words, images and videos. By some more relaxed definitions, you are “sexting” if you are talking dirty, even as mildly as saying “you are hot.” For others, “sexting” is only the distribution of nude or partially nude photos or videos. Keep that variability in mind as we discuss this story.
The UK newspaper story can be found here. The newspaper quotes a new sexting study done in the UK by a researcher at a non-profit that provides broadband in Southwestern England. (You can read about the study here. You can download the full study here.) The shocker in the headline, that 40 per cent of 11- to 14-year-olds have used their mobile phones or computer to send pictures of themselves or receive naked or topless images of friends is bound to get attention. And that more than half of youngsters who sent these images did so knowing the pictures would be passed on to a number of recipients.
And here’s what the research ACTUALLY shows:
“Among the main findings are the fact that around 40% of respondents say that they know friends who have been involved in sexting. Over a quarter (27%) of respondents said that sexting happens regularly or all of the time.” So instead of 40% of kids actively sexting, what we discover is that 40% of kids know someone who has done it, or perhaps seen a sexting message or received one themselves. Big, big difference.
More from the study: “Over half (56%) of respondents were aware of instances where images and videos were distributed further than the intended recipient, but only 23% believe this distribution is intended to cause upset.” Again, instead of learning that most kids who sext are purposely spreading around the dirty photos to all their friends, we discover instead merely that most of the kids knew of cases where that happened! This doesn’t diminish the cruelty of a private image or message being shared with others but it clarifies what the study found.
Further on, teachers are concerned that a minority (24%) would turn to a teacher in a sexting incident. I’m not surprised that so few young kids would trust their teacher to handle the situation well. The legal situation with sexting is difficult to figure out. In some cases, the kids get into big trouble not only for creating sexting images but for sending, viewing or receiving them. Some leaders in the cyberbullying research community currently would recommend a youth involved in sexting simply delete the images and not report it.
As confusing as these situations are for the kids involved, it most definitely DOES NOT HELP if the media takes what little data we have and twists it around to make a scary headline. The takeaway here is that while we know kids are mimicking adult behaviors and using cell phones to create inappropriate material and distribute it, sexting is still an activity engaged in by the minority of youth and it’s still one that is poorly defined or understood.

