Cisco Blogs



Fake German Bill Spam Campaign Spreads Malware

January 9, 2014 at 1:10 pm PST

Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from Volksbank.

Update 2014-01-21: We’ve updated the chart to include the Vodafone emails and the latest URL activity.

The English language has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving English-language emails, spammers have also adopted English as the means of getting their message to large numbers of international recipients. However, spam messages that are written in a local language and that reference local companies can be particularly enticing for recipients to open, because they do not expect malicious messages to be written in anything other than English. Cisco has observed and blocked a large number of malicious spam messages written in German masquerading as phone billing statements. Initially the spam run masqueraded as Telekom Deutschland, with subsequent messages masquerading as messages from NTTCable and Volksbank.

Cisco TRAC was able to locate what appears to be a single attack attempt, likely a test run, on 2013-12-16; however, the majority of the attack started on 2014-01-05 and is ongoing. The malware is currently targeting users as depicted in the heat map below. The vast majority of attacks are occurring in Germany. It is reported that the end goal of this malware is to harvest credentials.

This heat-map represents the malicious URL activity we have detected and blocked:

[Image: heat map of detected and blocked malicious URL activity]


“Feliz Natal” – Bank Theft by Proxy.

Proxy auto-config or PAC files are commonly used by IT departments to update browser settings so that internet traffic passes through the corporate web gateway. The ability to redirect web traffic to malicious proxy servers is particularly attractive for malicious actors since it gives them a method of intercepting and modifying traffic to and from websites from which they can gain financially.

Malicious PAC files have been described since 2005 [1], but this obfuscated example contains a timely festive message. The Portuguese phrase for “Happy Christmas”, “Feliz Natal”, is used to encode the IP address of the malicious proxy, 199.188.72.87.
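One way to check a PAC file for the redirection described above, as an added example that is not from the original post: evaluate the script against probe URLs and report every proxy it returns that is not on an allowlist. The allowlist, probe URLs, helper subset and sample PAC (which uses the documentation address 192.0.2.87, not the address from the post) are constructed assumptions.

```javascript
// Added example: audit which proxies a PAC script actually hands out.
// Evaluating a PAC file executes its JavaScript, so run this only in a disposable analysis VM.

const ALLOWED_PROXIES = new Set(['proxy.corp.example:3128']); // hypothetical corporate gateway
const PROBE_URLS = [ // constructed probes: one banking host, one internal host, one other
  'https://www.bank.example/login',
  'https://intranet.corp.example/',
  'http://news.example/',
];

// Constructed sample: the proxy address is assembled at run time,
// so a plain text search of the file for the address finds nothing.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  var p = [192, 0, 2, 87].join('.') + ':8080';
  if (shExpMatch(host, '*bank.example')) return 'PROXY ' + p;
  if (dnsDomainIs(host, '.corp.example')) return 'PROXY proxy.corp.example:3128';
  return 'DIRECT';
}`;

// Minimal versions of the standard PAC helpers that the sample needs.
const pacHelpers = {
  shExpMatch: (s, glob) => {
    const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(s);
  },
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isPlainHostName: (host) => !host.includes('.'),
};

// Returns [{ url, proxy }] for every returned proxy that is not allowlisted.
function auditPac(pacSource, urls, allowed) {
  const names = Object.keys(pacHelpers);
  const build = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const find = build(...names.map((n) => pacHelpers[n]));
  const findings = [];
  for (const url of urls) {
    const result = String(find(url, new URL(url).hostname));
    for (const entry of result.split(';')) { // a PAC result may list fallbacks
      const m = entry.trim().match(/^(PROXY|HTTPS|SOCKS[45]?)\s+(\S+)$/i);
      if (m && !allowed.has(m[2].toLowerCase())) findings.push({ url, proxy: m[2] });
    }
  }
  return findings;
}

console.log(auditPac(SAMPLE_PAC, PROBE_URLS, ALLOWED_PROXIES));
```

Because the check looks at what the script returns rather than at its text, it still flags the unexpected proxy when the address is hidden by string manipulation.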