Tuesday, May 10, 2011

Spate of SpyEye Trojan Email

Beginning on May 5th, ScanSafe has observed numerous instances of a variant of the SpyEye family of trojans being delivered via email. The overwhelming majority of these have arrived via corporate mail; very few have been observed via free webmail services.

The rate of encounter suggests the mail is getting through corporate spam filtering at the affected locations. The body of the email contains a link that downloads a zip file containing the malware. The malware appears to be hosted on compromised websites at the following folder location:

compromiseddomain/order/Order.zip

The zip itself extracts to an executable. However, a double-extension ruse combined with a long run of spaces makes the file appear to be a .doc: the name reads "Order.doc", and the spaces push the real .exe extension off the right edge of the file browser's name column. This could easily trick users into opening the "doc", at which point they infect their PC with the SpyEye trojan.
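The ruse is mechanical enough to detect at the mail gateway or on the endpoint before the user ever sees the name. The following is an added example, not code from ScanSafe or from the original post: it builds a constructed in-memory zip whose entry name imitates the lure (the entry name, the 60-space padding and the fake "MZ" payload are assumptions for the example, not the real sample), then flags entries by name (executable extension, decoy extension padded with spaces, plain double extension) and, independently of the name, by the PE magic bytes at the start of the file.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}

# "<decoy ext><two or more spaces><real ext>" at the end of a name, e.g. "Order.doc      .exe"
PADDED_DOUBLE_EXT = re.compile(r"(\.[a-z0-9]{1,5})(\s{2,})(\.[a-z0-9]{1,4})$", re.I)
PLAIN_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}\.[a-z0-9]{1,4}$", re.I)


def build_sample_zip() -> bytes:
    """Constructed sample archive (assumption for this example, not the real lure):
    the entry name is a .doc decoy, a run of spaces, then the real .exe; the
    contents are a fake PE header, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order.doc" + " " * 60 + ".exe", b"MZ\x90\x00 (fake payload)")
        zf.writestr("README.txt", b"benign text file")
    return buf.getvalue()


def analyze_entry_name(name: str) -> list:
    """Return the reasons an archive entry name looks like an extension ruse."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()        # ignore any directory component
    real_ext = "." + base.rpartition(".")[2] if "." in base else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + real_ext)
    m = PADDED_DOUBLE_EXT.search(base)
    if m and m.group(1) in DECOY_EXTS and m.group(3) in EXECUTABLE_EXTS:
        reasons.append("decoy %s padded with %d spaces before %s"
                       % (m.group(1), len(m.group(2)), m.group(3)))
    elif real_ext in EXECUTABLE_EXTS and PLAIN_DOUBLE_EXT.search(base):
        reasons.append("double extension")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map each suspicious entry name to its list of reasons. The content check
    (PE 'MZ' magic) catches a renamed executable whatever the name says."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = analyze_entry_name(info.filename)
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE (MZ) header regardless of extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(repr(entry), "->", "; ".join(why))
```

The name checks alone are enough to quarantine this particular lure, but the "MZ" check is the one worth keeping: it does not depend on the attacker reusing the same padding trick next week.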

ScanSafe detects and blocks this malware as:

Mal/BredoZp-B
Mal/EncPk-YJ
Trojan.Win32.Menti.gjgn
Trojan-Spy.Win32.SpyEyes.hdy

First observed encounter was 05-May-11 at 11:38:05 GMT.

Friday, April 1, 2011

Lizamoon SQL Injection: 7 Months Old and Counting

The Lizamoon SQL injection attack is not new; it’s actually part of a continuous SQLi attack that spans the past seven months. Lizamoon.com is just one of the more recent of the 40+ malware domains that have been used in the ongoing injection attacks. Here are some quick facts regarding the SQLi / Lizamoon compromises:

  • A total of 42 malware domains have been observed during the 7 months this attack has been ongoing;
  • The first encounter Cisco ScanSafe recorded was 20-sep-10 21:58:08 GMT;
  • Only 0.15% of encounters have involved functional / active malware domains;
  • 99.85% of encounters have involved malware domains that were non-resolvable (shut down / offline) at the time of encounter;
  • 55% of the encounters occurred on March 25th when the Lizamoon domain was added;
  • The high rate of encounters on the 25th was solely due to a single high profile website that was compromised;
  • Of the Lizamoon encounters on March 25th, only 0.13% were encounters with the live domain. 99.87% were non-resolvable (i.e. the domain was offline / not delivering content).

Here's the current list of domains we've observed in these attacks, from September 2010 through March 31, 2011:

agasi-story.info
alexblane.com
alisa-carter.com
ave-stats.info
books-loader.info
eva-marine.info
extra-911.info
extra-service.info
general-st.info
google-stat50.info
google-stats44.info
google-stats45.info
google-stats47.info
google-stats48.info
google-stats49.info
google-stats50.info
google-stats54.info
google-stats55.info
google-stats73.info
lizamoon.com
milapop.com
mol-stats.info
multi-stats.info
online-guest.info
online-stats201.info
people-on.info
pop-stats.info
security-stats.info
social-stats.info
sol-stats.info
star-stats.info
stats-master11.info
stats-master111.info
stats-master88.info
stats-master99.info
system-stats.info
t6ryt56.info
tadygus.com
tzv-stats.info
urllizamoon--com.rtrk.co.uk
world-stats598.info
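Because the injected markup lives in the compromised site's database rather than in its templates, the useful check is to look for script or iframe tags whose source host is one of the domains above, whether or not that domain still resolves (as the numbers show, it usually does not, and it should be blocked all the same). The following is an added example, not code from Cisco ScanSafe or from the post: it scans a constructed sample page for such tags. The domain list is a subset of the one above to keep the block short (extend it with the full list), and the script/iframe paths in the sample are placeholders, not the file names actually used in the attack.

```python
import re
from urllib.parse import urlsplit

# Subset of the domain list from the post above; extend it with the full list.
LIZAMOON_DOMAINS = [
    "lizamoon.com",
    "urllizamoon--com.rtrk.co.uk",
    "google-stats50.info",
    "stats-master88.info",
    "alisa-carter.com",
    "t6ryt56.info",
]

# <script ...> or <iframe ...> with a src attribute; the value may be quoted or bare,
# since injected tags are frequently written without quotes.
TAG_SRC = re.compile(r"<(script|iframe)\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def host_of(url: str) -> str:
    """Lower-cased host of a URL; protocol-relative '//host/...' is handled too."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_listed(host: str, domains=LIZAMOON_DOMAINS) -> bool:
    """Exact match or any subdomain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_injected(html: str, domains=LIZAMOON_DOMAINS) -> list:
    """Return (tag, host, src) for every script/iframe whose source is a listed domain."""
    hits = []
    for m in TAG_SRC.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        host = host_of(src)
        if host and is_listed(host, domains):
            hits.append((tag, host, src))
    return hits


# Constructed sample page: one legitimate script and two injected tags. The
# injected script sits right after the title, where a tag written into a database
# field such as a product title would surface. Paths are placeholders.
SAMPLE_HTML = """<html><head><title>Widgets</title><script src=http://lizamoon.com/u.php></script></head>
<body><script src="https://www.example.com/app.js"></script>
<p>Product list</p>
<iframe width="1" height="1" src="http://www.google-stats50.info/i.php"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_injected(SAMPLE_HTML):
        print(hit)
```

The same `find_injected` call can be run over the text columns of the affected database directly, which is where the cleanup has to happen; scrubbing the rendered pages alone leaves the injected rows in place. Note that the google-stats and stats-master names are chosen to pass a quick visual review by an administrator looking for analytics tags, so match on the exact list, not on what a host name "looks like".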

Tuesday, November 16, 2010

Royal Engagement May Lead to Royal Malware Pains

The Telegraph reports "Royal memorabilia industry prepares to cash in" -

The battle to cash in on Prince William’s impending marriage to Kate Middleton has already begun, with an array of royal memorabilia set to flood the market.

My first thought on reading this was that malware purveyors and scammers will be even quicker to cash in. Indeed, many are proclaiming that Prince William's and Kate Middleton's wedding (set for sometime next spring) will be the biggest marital event since Princess Di and Prince Charles. With that in mind, it's important to remember three things:

  1. Major breaking news events are favorite themes for malware purveyors and scammers;
  2. Clicking unsolicited links in email and IM are a frequent path of infection;
  3. Criminals work fast - expect your favorite search engine to already be sprinkled liberally with malicious results regarding the engagement and upcoming nuptials.

Cisco ScanSafe research indicates that 3 out of every 100 malware encounters result from people clicking unsolicited malicious links in email, IM and social messaging, and 10 out of every 100 encounters occur via search engine results. Bottom line: think before you click, consider the source, and pay attention to the destination URL. By following this advice, hopefully you can toast the happy couple without toasting your computer.

Monday, July 12, 2010

Phish with a Side of Barbecue

Looks like the latest Bank of America phishing scam is springboarding off a couple of compromised websites. First, here's a look at the predictably worded phishing email:

Dear Bank of America Customer,

We recently have determined that different computers have logged in your Bank of America Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by July 31st, 2010, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. In order to confirm your Online Bank records, we may require some specific information from you.

To restore your account, please Sign in to Online Banking.

Here's where victims get sauced. The link behind "Sign in to Online Banking" actually points to gramsbbq.org/bain. Now gramsbbq.org is the legitimate website for Gram's Mission Barbecue Palace in Riverside, CA. The gramsbbq.org/bain page is a 302 redirect that leads to a phishing page hosted on a second compromised site: chasingarcadia.com (the website for Canadian band Chasing Arcadia). The actual phishing page is at:

http://www.chasingarcadia.com/channel/safe.sslbankofamerica.com/index.htm

This use of compromised sites as redirectors and phishing hosts enables the attackers to bypass reputation filters and community-based trust reporting, since both hosts have a clean history. It also increases the collateral damage: if and when the compromised sites are blacklisted, those businesses suffer as a result.
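Two things give this lure away mechanically, even though both hosts pass a reputation check: the link hops off to a different registered domain, and the brand name appears in the path ("safe.sslbankofamerica.com") rather than in the registered domain of the final host. The following is an added example, not code from ScanSafe or from the post. It uses a constructed redirect table standing in for the live 302 (only the two URLs quoted above; in practice you would issue the request with redirects disabled and read the Location header), a naive two-label registered-domain function, and a brand token list that is an assumption for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the live HTTP behaviour described above: a map from a
# URL to the (status, Location) it answers with.
REDIRECTS = {
    "http://gramsbbq.org/bain": (
        302,
        "http://www.chasingarcadia.com/channel/safe.sslbankofamerica.com/index.htm",
    ),
}

# Brand strings the e-mail claims to come from. Assumption for this example.
BRAND_TOKENS = ("bankofamerica",)


def follow_redirects(url: str, table=REDIRECTS, max_hops: int = 10) -> list:
    """Return the chain of URLs visited, stopping at the first non-redirect,
    at a loop, or after max_hops (an attacker-controlled chain can be endless)."""
    chain = [url]
    while url in table and len(chain) <= max_hops:
        status, location = table[url]
        if status not in (301, 302, 303, 307, 308):
            break
        if location in chain:          # loop
            break
        chain.append(location)
        url = location
    return chain


def registered_domain(host: str) -> str:
    """Last two labels only. A real check should consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def assess(url: str, table=REDIRECTS, tokens=BRAND_TOKENS) -> dict:
    """Flag the two tells in the post: the chain hops to another site, and the brand
    name shows up in the path or a subdomain rather than in the registered domain."""
    chain = follow_redirects(url, table)
    first_host = urlsplit(chain[0]).hostname or ""
    final = urlsplit(chain[-1])
    final_host = (final.hostname or "").lower()
    reg = registered_domain(final_host)
    findings = []
    if registered_domain(first_host) != reg:
        findings.append("redirects off-site: %s -> %s" % (first_host, final_host))
    for t in tokens:
        if t in reg:                   # brand actually owns the destination
            continue
        if t in final.path.lower() or t in final_host:
            findings.append("brand '%s' outside registered domain %s" % (t, reg))
    return {"chain": chain, "registered_domain": reg, "findings": findings}


if __name__ == "__main__":
    result = assess("http://gramsbbq.org/bain")
    for step in result["chain"]:
        print(" ->", step)
    for finding in result["findings"]:
        print("!", finding)
```

Neither finding requires knowing that gramsbbq.org or chasingarcadia.com is compromised, which is the point: a reputation list would have cleared both, and blocking them afterwards is what causes the collateral damage the post describes.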

Wednesday, June 9, 2010

WSJ a Victim, Not the Source, of SQL Injection

As mentioned earlier this week, about 7k pages (not sites) have been struck by SQL-injected iframes pointing to malware on robint.us. (That figure has been inflated to over 100k, or even a million, in some reports because of poorly constructed search queries, which was the subject of the previous post on the topic.)

Anyway, in some of the reports, one of the sites claimed to be compromised was that of the Wall Street Journal (WSJ.com). However, ScanSafe investigation reveals that the SQL injection that appeared on certain pages of the WSJ site wasn't the result of a compromise of WSJ directly, but rather of a compromise of a third-party partner.

That partner, adicio.com, provides real estate listings that are in turn displayed on certain pages of the WSJ.com website.

Of course, from a site visitor's perspective, this may seem a purely semantic distinction: the injected content was served on wsj.com pages either way. But it is still worth pointing out that it wasn't really wsj.com that was compromised.