Thursday, February 27, 2014

2013 FTC Consumer Sentinel Report - Identity Theft By U.S. City

Each year the Federal Trade Commission publishes a detailed report on the Fraud and Identity Theft complaints received during the previous year, not just at the FTC, but throughout its Consumer Sentinel Network.

Some of the leading members of that network include the Better Business Bureau and the FBI's Internet Crime Complaint Center (IC3).

You can review the entire 2013 Consumer Sentinel Network Data Book on your own if you want to look up more about your state.

Just like last year, fraud that began with a telephone call or telemarketing was the top method of initial contact, but 33% of all Fraud complaints started with an email!

Complaints by category were:

14% - Identity Theft
10% - Debt Collection Fraud
7% - Banks and Lenders
6% - Imposter Scams
6% - Telephone and Mobile Service Scams
4% - Prizes, Sweepstakes and Lottery Scams
4% - Auto-related Fraud
3% - Shop-at-home and Catalog Sales fraud
3% - Television and Electronic Media fraud
2% - Advanced Payment for Credit Services fraud

In the Fraud categories, over 1 million complaints were filed, reporting $1.6 billion in losses; the median reported amount paid was $400. (Only 61% of those alleging fraud stated a loss amount.)

Within the category of Identity Theft, the top categories were:

34% - government documents/benefits fraud
17% - Credit Card Fraud
14% - Phone/Utilities Fraud
8% - Bank Fraud
6% - Employment-related Fraud
4% - Loan Fraud

In 2012, there were 369,145 Identity Theft Complaints registered by Consumer Sentinel.
In 2013, there were 290,056 Identity Theft Complaints.

That's a reduction of about 21.4% in Identity Theft Complaints! Does this indicate that Identity Theft improved from 2012 to 2013? Or does it indicate that Identity Theft has become so commonplace that people don't get irate and call the Better Business Bureau or the FTC when it occurs?

Wire Transfer Tops the Fraud Losses List

American consumers are just DESPERATE to throw their money away in Wire Transfers. Even though every wire transfer location I've visited in the last two years has big warning signs about the various forms of fraud involving sending your money away by wire transfer, it continues to be the top way in which fraudsters separate their victims from their money.

Western Union and MoneyGram both have warning pages to help protect consumers! Follow their advice so you don't lose the average $4,836 that more than 100,000 complainants reported losing last year!

Western Union has Eight Tips at their Knowledge Center:

  1. Never send money to people you haven't met in-person
  2. Never send money to pay for taxes or fees on lottery or prize winnings
  3. Never use a test question as an additional security measure to protect your transaction
  4. Never provide your banking information to people you don't know
  5. Never send money in advance to obtain a loan or credit card
  6. Never send money for an emergency situation without verifying that it's a real emergency. (Gee - like a London Traveler Scam?)
  7. Never send funds from a check in your account until it officially clears - which can take weeks
  8. Never send a money transfer for an online purchase

MoneyGram has a great page called The 11 Most Common Wire Transfer Frauds that includes:

  1. The Vehicle Purchase Scam
  2. The Fake Loan Scam
  3. The Lottery or Sweepstakes Scam
  4. The Internet Romance Scam
  5. The Mystery Shopper Scam
  6. The Charity Scam
  7. The Relative in Need Scam
  8. The Internet Purchase Scam
  9. The Newspaper Ads Scam
  10. The Check or Money Order Scam
  11. The Elder Abuse Scam
They even have a nice Dodge the Scams Game to help you get it down pat!

Green Dot MoneyPak

In the most significant change in fraud payment behavior, this year 28% of fraud losses occurred via prepaid cards, almost exclusively Green Dot MoneyPak cards. Two years ago this category of fraud losses didn't even exist! From 2012 to 2013 the number of victims went up 500% and the amount of money lost went up 600%!!



How much of this fraud was due to the CryptoLocker and PoliceLock ransomware? We can't be sure, but this is a PROFOUND shift in fraud loss behavior and a great deal of it is certain to be based on those two malware campaigns. We blogged about CryptoLocker using Green Dot late in the year in our story Tracking CryptoLocker with Malcovery and IID, but the FBI's Donna Gregory reported on the malware as far back as this August 2012 FBI Ransomware Story, where she said "We're getting inundated with complaints!" referring to the complaints coming in to the FBI's complaint form, which is one source of Consumer Sentinel data.

2013 - Top Cities for Identity Theft

Last year, 16 of the top 25 Identity Theft Metropolitan areas were in Florida. This year that has fallen to 13.

13 of top 25 in Florida (16 in 2012)
4 of top 25 in California (0 in 2012)
3 of top 25 in Georgia (6 in 2012)
1 each in Alabama, Arkansas, Michigan, Tennessee, and West Virginia

Rank | Metro/Micropolitan Area | Per 100,000
1 | Miami-Fort Lauderdale-West Palm Beach, FL | 340.4
2 | Columbus, GA-AL | 214.7
3 | Naples-Immokalee-Marco Island, FL | 214
4 | Jonesboro, AR | 190.9
5 | Tallahassee, FL | 179.4
6 | Cape Coral-Fort Myers, FL | 174.9
7 | Atlanta-Sandy Springs-Roswell, GA | 170.7
8 | Port St. Lucie, FL | 163.9
9 | Beckley, WV | 160.9
10 | Tampa-St. Petersburg-Clearwater, FL | 155.5
11 | Orlando-Kissimmee-Sanford, FL | 149.6
12 | Detroit-Warren-Dearborn, MI | 142.9
13 | Lakeland-Winter Haven, FL | 140.2
14 | Stockton-Lodi, CA | 133.1
15 | Montgomery, AL | 132.2
16 | Vallejo-Fairfield, CA | 128.2
17 | Jacksonville, FL | 125.7
18 | Memphis, TN-MS-AR | 125.5
19 | Valdosta, GA | 125.4
20 | Ocala, FL | 125
21 | Gainesville, FL | 122.6
22 | Sebastian-Vero Beach, FL | 122.4
23 | Los Angeles-Long Beach-Anaheim, CA | 119.1
24 | Deltona-Daytona Beach-Ormond Beach, FL | 118.9
25 | Fresno, CA | 118.2
26 | Albany, GA | 117.6
27 | San Francisco-Oakland-Hayward, CA | 116.8
28 | North Port-Sarasota-Bradenton, FL | 116.6
29 | Bakersfield, CA | 116.5
30 | Macon, GA | 116.2
31 | Riverside-San Bernardino-Ontario, CA | 115.2
32 | Savannah, GA | 115.1
33 | Punta Gorda, FL | 115
34 | Dallas-Fort Worth-Arlington, TX | 114.8
35 | Crestview-Fort Walton Beach-Destin, FL | 112.4
36 | Palm Bay-Melbourne-Titusville, FL | 111.3
37 | Flint, MI | 109.7
38 | Lynchburg, VA | 108.1
39 | Jackson, MS | 107.4
40 | Washington-Arlington-Alexandria, DC-VA-MD-WV | 106.3
41 | Homosassa Springs, FL | 105.5
42 | Niles-Benton Harbor, MI | 105.2
43 | Houston-The Woodlands-Sugar Land, TX | 104.7
44 | Fayetteville, NC | 102.9
45 | Sacramento--Roseville--Arden-Arcade, CA | 101.3
46 | Modesto, CA | 101.1
47 | Phoenix-Mesa-Scottsdale, AZ | 101.1
48 | Las Vegas-Henderson-Paradise, NV | 100.8
49 | Chicago-Naperville-Elgin, IL-IN-WI | 100.4
50 | Killeen-Temple, TX | 99.4
51 | Auburn-Opelika, AL | 98.4
52 | New York-Newark-Jersey City, NY-NJ-PA | 97.7
53 | San Jose-Sunnyvale-Santa Clara, CA | 96.4
54 | Reno, NV | 96.1
55 | Philadelphia-Camden-Wilmington, PA-NJ-DE-MD | 95.5
56 | Chico, CA | 95.5
57 | Napa, CA | 94.5
58 | Pueblo, CO | 94.3
59 | Baltimore-Columbia-Towson, MD | 93.4
60 | San Diego-Carlsbad, CA | 93.4
61 | Milwaukee-Waukesha-West Allis, WI | 92.8
62 | Madera, CA | 92.8
63 | Rocky Mount, NC | 92.5
64 | Laredo, TX | 92.3
65 | Beaumont-Port Arthur, TX | 92
66 | Denver-Aurora-Lakewood, CO | 92
67 | Cleveland-Elyria, OH | 91.7
68 | Santa Cruz-Watsonville, CA | 89.6
69 | Brownsville-Harlingen, TX | 89.4
70 | Goldsboro, NC | 88.9
71 | Mobile, AL | 88.6
72 | Merced, CA | 88.4
73 | Santa Maria-Santa Barbara, CA | 88.2
74 | Ann Arbor, MI | 88.2
75 | Tucson, AZ | 87.9
76 | Augusta-Richmond County, GA-SC | 87.8
77 | Atlantic City-Hammonton, NJ | 87.4
78 | Redding, CA | 86.9
79 | Greenville-Anderson-Mauldin, SC | 86.6
80 | Athens-Clarke County, GA | 86.2
81 | McAllen-Edinburg-Mission, TX | 85.6
82 | Corpus Christi, TX | 85.5
83 | Baton Rouge, LA | 85.4
84 | Sierra Vista-Douglas, AZ | 85.3
85 | Austin-Round Rock, TX | 85.2
86 | Florence, SC | 85.1
87 | Albuquerque, NM | 85
88 | Boulder, CO | 84.9
89 | Pensacola-Ferry Pass-Brent, FL | 84.9
90 | Colorado Springs, CO | 84
91 | California-Lexington Park, MD | 83.7
92 | Dalton, GA | 83.7
93 | Hattiesburg, MS | 83.3
94 | San Antonio-New Braunfels, TX | 83.2
95 | Warner Robins, GA | 83
96 | Oxnard-Thousand Oaks-Ventura, CA | 82.8
97 | Trenton, NJ | 82.7
98 | Houma-Thibodaux, LA | 82.6
99 | Dover, DE | 82.6
100 | St. Louis, MO-IL | 82.1

Alabama Identity Theft: 2012 compared to 2013

Forgive me, dear reader, for focusing on my own state just this once . . .

In 2012, Alabama's top cities for Identity Theft, and their Per Capita complaints received, were:

#15 - Columbus, GA/AL (205.9 per 100,000)
#16 - Montgomery, AL (203.7 per 100,000)
#42 - Auburn-Opelika, AL (124.1 per 100,000)
#62 - Birmingham-Hoover, AL (111 per 100,000)
#91 - Enterprise-Ozark, AL (97.8 per 100,000)
#97 - Huntsville, AL (95.5 per 100,000)
#100 - Mobile, AL (93.5 per 100,000)
#118 - Anniston-Oxford, AL (90.2 per 100,000)
#125 - Tuscaloosa, AL (88.4 per 100,000)
#132 - Dothan, AL (87.2 per 100,000)
#145 - Gadsden, AL (84.3 per 100,000)
#195 - Decatur, AL (72.8 per 100,000)
#198 - Daphne-Fairhope-Foley, AL (72.4 per 100,000)
#303 - Florence-Muscle Shoals, AL (56.4 per 100,000)

How does that compare to 2013's numbers?

The Columbus, Georgia/Alabama metro area rose 13 places in the national rank to become the second-worst city in America for Identity Theft.
Montgomery, Alabama rose very slightly in rank (from #16 to #15); although its complaints per capita fell sharply, it is still one of the worst cities in America for Identity Theft.
Mobile, Alabama rose 29 places in rank, moving from #100 to #71.

All other cities in Alabama FELL in their national rank for Identity Theft -- but one must ask, as above, is that because crime is declining, or because apathy is increasing? Have we become so desensitized to Identity Theft that we no longer feel the need to complain?

#2 (+13) - Columbus, GA-AL (214.7 per 100,000) = +8.8 per 100,000
#15 (+1) - Montgomery, AL (132.2) = -71.5 per 100,000
#51 (-9) - Auburn-Opelika, AL (98.4) = -25.7 per 100,000
#71 (+29) - Mobile, AL (88.6) = -4.9 per 100,000
#117 (-55) - Birmingham-Hoover, AL (77.7) = -33.3 per 100,000
#131 (+1) - Dothan, AL (74.8) = -12.4 per 100,000
#152 (-55) - Huntsville, AL (68.5) = -27.0 per 100,000
#167 (-42!) - Tuscaloosa, AL (65.2) = -23.2 per 100,000
#226 (-81!) - Gadsden, AL (57.5) = -26.8 per 100,000
#234 (-116!) - Anniston-Oxford-Jacksonville, AL (56.5) = -33.7 per 100,000
#268 (-70!) - Daphne-Fairhope-Foley, AL (52.1) = -20.3 per 100,000
#316 (-121!) - Decatur, AL (44.2) = -28.6 per 100,000
#357 (-54!) - Florence-Muscle Shoals, AL (36.7) = -19.7 per 100,000
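To reproduce the rank and per-capita comparisons above from the two years' lists, here is an added Python example that is not part of the original post. It joins the 2012 and 2013 Alabama rows quoted above by metro name, keeps areas that appear in only one year rather than silently dropping them, and includes the percent-change helper used for the national complaint totals. The alias mapping Anniston-Oxford to Anniston-Oxford-Jacksonville is an assumption about how that metro area was renamed between editions.

```python
"""Year-over-year comparison of Consumer Sentinel identity-theft rankings.

Added example (not from the original post). Data are the Alabama rows
quoted in the post as (national rank, complaints per 100,000 population).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Row = Tuple[int, float]  # (national rank, complaints per 100,000)

RANKS_2012: Dict[str, Row] = {
    "Columbus, GA-AL": (15, 205.9),
    "Montgomery, AL": (16, 203.7),
    "Auburn-Opelika, AL": (42, 124.1),
    "Birmingham-Hoover, AL": (62, 111.0),
    "Enterprise-Ozark, AL": (91, 97.8),
    "Huntsville, AL": (97, 95.5),
    "Mobile, AL": (100, 93.5),
    "Anniston-Oxford, AL": (118, 90.2),
    "Tuscaloosa, AL": (125, 88.4),
    "Dothan, AL": (132, 87.2),
    "Gadsden, AL": (145, 84.3),
    "Decatur, AL": (195, 72.8),
    "Daphne-Fairhope-Foley, AL": (198, 72.4),
    "Florence-Muscle Shoals, AL": (303, 56.4),
}

RANKS_2013: Dict[str, Row] = {
    "Columbus, GA-AL": (2, 214.7),
    "Montgomery, AL": (15, 132.2),
    "Auburn-Opelika, AL": (51, 98.4),
    "Mobile, AL": (71, 88.6),
    "Birmingham-Hoover, AL": (117, 77.7),
    "Dothan, AL": (131, 74.8),
    "Huntsville, AL": (152, 68.5),
    "Tuscaloosa, AL": (167, 65.2),
    "Gadsden, AL": (226, 57.5),
    "Anniston-Oxford-Jacksonville, AL": (234, 56.5),
    "Daphne-Fairhope-Foley, AL": (268, 52.1),
    "Decatur, AL": (316, 44.2),
    "Florence-Muscle Shoals, AL": (357, 36.7),
}

# Metro definitions are redrawn between editions. ASSUMPTION: the 2012
# "Anniston-Oxford" area is the 2013 "Anniston-Oxford-Jacksonville" area.
ALIASES = {"Anniston-Oxford, AL": "Anniston-Oxford-Jacksonville, AL"}


@dataclass
class Change:
    name: str
    rank_prev: Optional[int]
    rank_curr: Optional[int]
    rank_change: Optional[int]    # positive = climbed the list (got worse)
    rate_change: Optional[float]  # complaints per 100,000, curr minus prev


def pct_change(old: float, new: float) -> float:
    """Percent change from old to new (negative = decline)."""
    return (new - old) / old * 100.0


def compare(prev: Dict[str, Row], curr: Dict[str, Row],
            aliases: Dict[str, str] = ALIASES) -> List[Change]:
    """Join two years by metro name and compute rank and per-capita deltas.
    Areas present in only one year are kept with None fields."""
    out: List[Change] = []
    seen = set()
    for old_name, (r0, p0) in prev.items():
        name = aliases.get(old_name, old_name)
        seen.add(name)
        if name in curr:
            r1, p1 = curr[name]
            out.append(Change(name, r0, r1, r0 - r1, round(p1 - p0, 1)))
        else:
            out.append(Change(name, r0, None, None, None))
    for name, (r1, p1) in curr.items():
        if name not in seen:
            out.append(Change(name, None, r1, None, None))
    # Order by current rank; areas missing this year go to the end.
    out.sort(key=lambda c: (c.rank_curr is None, c.rank_curr or 0))
    return out


def report(changes: List[Change]) -> str:
    lines = []
    for c in changes:
        if c.rank_curr is None:
            lines.append(f"{c.name}: #{c.rank_prev} in 2012, not listed in 2013")
        elif c.rank_prev is None:
            lines.append(f"{c.name}: #{c.rank_curr} in 2013, not listed in 2012")
        else:
            lines.append(f"#{c.rank_curr} ({c.rank_change:+d}) {c.name}: "
                         f"{c.rate_change:+.1f} per 100,000")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare(RANKS_2012, RANKS_2013)))
    print(f"National ID theft complaints: {pct_change(369145, 290056):+.1f}%")
```

Running it prints the same rank and per-capita deltas as the list above, and also surfaces Enterprise-Ozark, which was in the 2012 list but has no 2013 row.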

Do YOU Know How to File an Identity Theft, Fraud, or Phishing Complaint?

If someone scammed you out of your money or stole your identity, that is a CRIME! What should you do? CALL THE POLICE!

But there are some other guidelines as well.

The Federal Trade Commission has two web pages that help you understand what to do if you have been the victim of identity theft:

FTC: What to do if you have been a victim of Identity Theft
FTC: How to file an Identity Theft Complaint with the FTC

FTC: March 2-8 is National Consumer Protection Week - tips and videos you can share with your friends are on this site!

You STILL want to call your local Police to let them know about the crimes against you. If someone stole YOUR identity or scammed you, they are likely targeting others as well! Besides your local law enforcement, it would be helpful if you could take the time to share what happened to you with the FBI Internet Crime Complaint Center (IC3). This unique center in West Virginia gathers hundreds of thousands of cybercrime complaints per year into a database that can be accessed by law enforcement across the country. Perhaps you will only be another drop in the bucket, but you MAY provide the missing link that ties many smaller losses together into a major investigation!

For PHISHING EMAILS, be sure to report that phish to Malcovery's PhishIQ system! By sending us the address of that suspicious or fake bank website, our automated systems will preserve forensic evidence about the phishing website and work on linking it to other websites that may have been created by the same criminal!

Appendix: The rest of the list (Top Identity Theft Cities by Rank)

Rank | Metro/Micropolitan Area | Per 100,000
101 | New Orleans-Metairie, LA | 82
102 | Charlotte-Concord-Gastonia, NC-SC | 81.7
103 | Prescott, AZ | 81.5
104 | Santa Fe, NM | 81.2
105 | Tyler, TX | 80.6
106 | Virginia Beach-Norfolk-Newport News, VA-NC | 80.4
107 | Monroe, MI | 80.3
108 | Little Rock-North Little Rock-Conway, AR | 80.2
109 | Gainesville, GA | 80.1
110 | Hammond, LA | 80.1
111 | Bridgeport-Stamford-Norwalk, CT | 80.1
112 | Lake Havasu City-Kingman, AZ | 78.9
113 | Seattle-Tacoma-Bellevue, WA | 78.4
114 | Oklahoma City, OK | 77.9
115 | Columbia, SC | 77.8
116 | Vineland-Bridgeton, NJ | 77.8
117 | Birmingham-Hoover, AL | 77.7
118 | El Paso, TX | 77.4
119 | Muskegon, MI | 77.2
120 | New Haven-Milford, CT | 77.2
121 | Midland, TX | 76.9
122 | Burlington, NC | 76.8
123 | Spokane-Spokane Valley, WA | 76.7
124 | Odessa, TX | 76.6
125 | Hilton Head Island-Bluffton-Beaufort, SC | 75.9
126 | Indianapolis-Carmel-Anderson, IN | 75.3
127 | Yakima, WA | 75.2
128 | Concord, NH | 75.1
129 | San Luis Obispo-Paso Robles-Arroyo Grande, CA | 74.9
130 | Reading, PA | 74.9
131 | Dothan, AL | 74.8
132 | Brunswick, GA | 74.8
133 | Lumberton, NC | 74.5
134 | Allentown-Bethlehem-Easton, PA-NJ | 74.3
135 | Wichita, KS | 74.2
136 | Charleston-North Charleston, SC | 73.7
137 | Richmond, VA | 73.1
138 | Akron, OH | 72.4
139 | Kansas City, MO-KS | 71.9
140 | Racine, WI | 71.6
141 | Rockford, IL | 71.5
142 | Scranton--Wilkes-Barre--Hazleton, PA | 71.5
143 | Santa Rosa, CA | 70.9
144 | Topeka, KS | 70.6
145 | Dayton, OH | 70.4
146 | Spartanburg, SC | 69.9
147 | Salinas, CA | 69.9
148 | Shreveport-Bossier City, LA | 69.8
149 | Show Low, AZ | 69.8
150 | Yuba City, CA | 69.5
151 | Panama City, FL | 68.8
152 | Huntsville, AL | 68.5
153 | Fort Collins, CO | 68.4
154 | Raleigh, NC | 68.4
155 | Portland-Vancouver-Hillsboro, OR-WA | 68.1
156 | Durham-Chapel Hill, NC | 67.8
157 | Charleston, WV | 67.4
158 | Greeley, CO | 66.8
159 | Medford, OR | 66.4
160 | Yuma, AZ | 66.4
161 | Gulfport-Biloxi-Pascagoula, MS | 66.4
162 | Wilmington, NC | 66.3
163 | Springfield, MA | 65.8
164 | Columbus, OH | 65.7
165 | New Bern, NC | 65.5
166 | Boston-Cambridge-Newton, MA-NH | 65.4
167 | Tuscaloosa, AL | 65.2
168 | Flagstaff, AZ | 64.7
169 | Lawton, OK | 64.5
170 | Saginaw, MI | 64.4
171 | Hartford-West Hartford-East Hartford, CT | 64.4
172 | Minneapolis-St. Paul-Bloomington, MN-WI | 64.2
173 | Wausau, WI | 64.1
174 | Duluth, MN-WI | 64
175 | Amarillo, TX | 63.9
176 | Olympia-Tumwater, WA | 63.8
177 | Youngstown-Warren-Boardman, OH-PA | 63.8
178 | Asheville, NC | 63.8
179 | Toledo, OH | 63.8
180 | Bremerton-Silverdale, WA | 63.7
181 | Kankakee, IL | 63.5
182 | Chattanooga, TN-GA | 63.4
183 | Madison, WI | 63.4
184 | Bend-Redmond, OR | 63.4
185 | Greensboro-High Point, NC | 63.1
186 | Greenville, NC | 63
187 | Rochester, NY | 62.7
188 | Myrtle Beach-Conway-North Myrtle Beach, SC-NC | 62.6
189 | Pittsfield, MA | 62.5
190 | Battle Creek, MI | 62.4
191 | Visalia-Porterville, CA | 62.4
192 | East Stroudsburg, PA | 62.4
193 | Kingsport-Bristol-Bristol, TN-VA | 62.3
194 | Winston-Salem, NC | 62.3
195 | Sherman-Denison, TX | 62
196 | Nashville-Davidson--Murfreesboro--Franklin, TN | 61.9
197 | El Centro, CA | 61.9
198 | Jacksonville, NC | 61.9
199 | Alexandria, LA | 61.7
200 | Fort Wayne, IN | 61.3
201 | Kalamazoo-Portage, MI | 61.2
202 | South Bend-Mishawaka, IN-MI | 61.1
203 | Tulsa, OK | 60.8
204 | Sumter, SC | 60.5
205 | Las Cruces, NM | 60.2
206 | Ashtabula, OH | 60.1
207 | York-Hanover, PA | 60
208 | Albany, OR | 60
209 | Champaign-Urbana, IL | 59.9
210 | Cincinnati, OH-KY-IN | 59.6
211 | Boise City, ID | 59.5
212 | Missoula, MT | 59.5
213 | Wooster, OH | 59.4
214 | Dunn, NC | 59.3
215 | Salisbury, MD-DE | 59.1
216 | Omaha-Council Bluffs, NE-IA | 59.1
217 | Eureka-Arcata-Fortuna, CA | 58.7
218 | Elizabethtown-Fort Knox, KY | 58.6
219 | Anchorage, AK | 58.3
220 | Elkhart-Goshen, IN | 58.2
221 | Jackson, MI | 58
222 | Hagerstown-Martinsburg, MD-WV | 58
223 | Pittsburgh, PA | 58
224 | Pine Bluff, AR | 57.9
225 | Providence-Warwick, RI-MA | 57.8
226 | Gadsden, AL | 57.5
227 | Lafayette, LA | 57.4
228 | Iowa City, IA | 57
229 | Barnstable Town, MA | 57
230 | Waco, TX | 57
231 | Springfield, MO | 56.8
232 | Springfield, IL | 56.6
233 | Worcester, MA-CT | 56.6
234 | Anniston-Oxford-Jacksonville, AL | 56.5
235 | Kingston, NY | 56.4
236 | College Station-Bryan, TX | 56.4
237 | Lubbock, TX | 56.4
238 | Hanford-Corcoran, CA | 56.2
239 | Cleveland, TN | 56.1
240 | Monroe, LA | 56.1
241 | Longview, TX | 56
242 | Salt Lake City, UT | 55.9
243 | Canton-Massillon, OH | 55.9
244 | Louisville/Jefferson County, KY-IN | 55.8
245 | Lexington-Fayette, KY | 55.5
246 | Lima, OH | 55.5
247 | Lansing-East Lansing, MI | 55.4
248 | Peoria, IL | 55.1
249 | Decatur, IL | 55.1
250 | Erie, PA | 54.9
251 | Clarksville, TN-KY | 54.9
252 | Grand Rapids-Wyoming, MI | 54.8
253 | Bloomington, IL | 54.8
254 | Weirton-Steubenville, WV-OH | 54.6
255 | Kennewick-Richland, WA | 54.5
256 | Roanoke, VA | 54.1
257 | Buffalo-Cheektowaga-Niagara Falls, NY | 54.1
258 | Des Moines-West Des Moines, IA | 54.1
259 | Lebanon, PA | 53.9
260 | Williamsport, PA | 53.4
261 | Harrisburg-Carlisle, PA | 53.3
262 | Bellingham, WA | 53.2
263 | Fort Smith, AR-OK | 53.1
264 | Norwich-New London, CT | 52.9
265 | Albany-Schenectady-Troy, NY | 52.8
266 | Morristown, TN | 52.7
267 | Winchester, VA-WV | 52.2
268 | Daphne-Fairhope-Foley, AL | 52.1
269 | Bay City, MI | 52
270 | Longview, WA | 51.8
271 | Salem, OR | 51.4
272 | Lawrence, KS | 51.4
273 | Meridian, MS | 51.2
274 | St. Joseph, MO-KS | 51
275 | Texarkana, TX-AR | 50.9
276 | Wichita Falls, TX | 50.9
277 | London, KY | 50.6
278 | Ogden-Clearfield, UT | 50.1
279 | Hickory-Lenoir-Morganton, NC | 50.1
280 | Billings, MT | 49.7
281 | Lincoln, NE | 49.6
282 | Manchester-Nashua, NH | 49.4
283 | Coeur d'Alene, ID | 49.1
284 | Charlottesville, VA | 48.9
285 | Mount Vernon-Anacortes, WA | 48.8
286 | Jefferson City, MO | 48.7
287 | Jackson, TN | 48.5
288 | Michigan City-La Porte, IN | 48.4
289 | Syracuse, NY | 48.3
290 | Chambersburg-Waynesboro, PA | 48.1
291 | Cookeville, TN (Micropolitan) | 48.1
292 | Lafayette-West Lafayette, IN | 48.1
293 | Janesville-Beloit, WI | 48
294 | Logan, UT-ID | 47.8
295 | Evansville, IN-KY | 47.8
296 | Bluefield, WV-VA | 47.5
297 | Knoxville, TN | 47.3
298 | Whitewater-Elkhorn, WI | 47
299 | Rochester, MN | 46.9
300 | Torrington, CT | 46.9
301 | Sheboygan, WI | 46.8
302 | Claremont-Lebanon, NH-VT | 46.7
303 | Davenport-Moline-Rock Island, IA-IL | 46.6
304 | Lake Charles, LA | 46.6
305 | Lancaster, PA | 46.6
306 | Pottsville, PA (Micropolitan) | 46.5
307 | Johnson City, TN | 46.3
308 | Danville, VA | 46
309 | Carbondale-Marion, IL | 45.8
310 | Tupelo, MS | 45.5
311 | Springfield, OH | 44.8
312 | Provo-Orem, UT | 44.8
313 | Roseburg, OR | 44.6
314 | Joplin, MO | 44.4
315 | Fayetteville-Springdale-Rogers, AR-MO | 44.3
316 | Decatur, AL | 44.2
317 | Abilene, TX | 44.2
318 | Huntington-Ashland, WV-KY-OH | 44.1
319 | Morgantown, WV | 43.9
320 | Sioux City, IA-NE-SD | 43.9
321 | Johnstown, PA | 43.8
322 | Cedar Rapids, IA | 43.8
323 | Eugene, OR | 43.8
324 | Grand Junction, CO | 43.6
325 | Salem, OH | 43.6
326 | Mansfield, OH | 43.4
327 | Blacksburg-Christiansburg-Radford, VA | 43.2
328 | Jamestown-Dunkirk-Fredonia, NY | 43
329 | Portland-South Portland, ME | 42.8
330 | Idaho Falls, ID | 42.8
331 | Kahului-Wailuku-Lahaina, HI | 42.6
332 | Cumberland, MD-WV | 42.6
333 | Fond du Lac, WI | 42.3
334 | Wheeling, WV-OH | 41.9
335 | Glens Falls, NY | 41.9
336 | Wenatchee, WA | 41.5
337 | Gettysburg, PA | 41.4
338 | Traverse City, MI | 41.2
339 | La Crosse-Onalaska, WI-MN | 41.1
340 | Sioux Falls, SD | 40.7
341 | Columbia, MO | 40.6
342 | Watertown-Fort Drum, NY | 40.4
343 | San Angelo, TX | 40.2
344 | Rapid City, SD | 40.1
345 | Owensboro, KY | 40.1
346 | St. George, UT | 39.1
347 | Binghamton, NY | 38.9
348 | Tullahoma-Manchester, TN | 38.9
349 | Bloomington, IN | 38.9
350 | Green Bay, WI | 38.9
351 | Terre Haute, IN | 38.9
352 | Urban Honolulu, HI | 38.8
353 | Utica-Rome, NY | 38.7
354 | Ithaca, NY | 38.4
355 | Muncie, IN | 38.2
356 | Burlington-South Burlington, VT | 37.9
357 | Florence-Muscle Shoals, AL | 36.7
358 | Eau Claire, WI | 36.6
359 | Ottawa-Peru, IL | 36.2
360 | Bowling Green, KY | 35.9
361 | Holland, MI | 35.9
362 | Appleton, WI | 35.9
363 | Hilo, HI | 35.7
364 | Lewiston-Auburn, ME | 34.4
365 | Oshkosh-Neenah, WI | 33.5
366 | Staunton-Waynesboro, VA | 32.9
367 | Waterloo-Cedar Falls, IA | 32.8
368 | Ogdensburg-Massena, NY | 32.2
369 | Fargo, ND-MN | 32.1
370 | St. Cloud, MN | 31.7
371 | Bangor, ME | 31.2
372 | Farmington, NM | 30.8
373 | Altoona, PA | 30.7
374 | Harrisonburg, VA | 29.5
375 | State College, PA | 29.2
376 | Augusta-Waterville, ME | 28.7
377 | Bismarck, ND | 27.9

Monday, February 24, 2014

WhatsApp Spam: a malware distribution scam

On February 19, 2014, Facebook announced the purchase of WhatsApp for $4 billion in cash and 183,865,778 shares of Facebook stock ($12 billion at current value), plus an additional $3 billion in shares for the founders that will vest over four years, for a total purchase price of $19 billion. Within 24 hours, spammers were using WhatsApp lures to attract traffic to counterfeit pharmaceutical websites! Journalists in the United States were scurrying to figure out what WhatsApp even is, let alone why it should be worth $19 billion.

Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research, headlined Messenger Wars: How Facebook lost its lead, which covered the top social messaging apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still led in the US, and WeChat clearly dominates China, WhatsApp was the leading app in Brazil (72%), South Africa (68%), and Indonesia (43%).

But those of us who keep track of spam and email-based threats have been hearing about WhatsApp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.

According to Malcovery Security's Brendan Griffin, WhatsApp has been used as a malware lure since at least September 19, 2013. I asked Brendan to give me a list of days when a WhatsApp spam/malware campaign made Malcovery's "Today's Top Threats" list. This campaign has been solidly in the top ten on:

SEPTEMBER 19, 23, 24, 25, 26
OCTOBER 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
JANUARY 9, 13, 15, 20, 28

As Steve Ragan mentioned in his ComputerWorld article on November 8, 2013, WhatsApp was one of our Top Five Imitated Brands for the delivery of malware via spam for the quarter. (See ComputerWorld - Senior executives blamed for a majority of undisclosed security incidents.) Curiously, when I asked Brendan about the email I saw THIS WEEK imitating WhatsApp he said that was an example of spammers using the WhatsApp notoriety to drive traffic to counterfeit pharmaceutical websites!

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware

We've seen tremendous variety in both the malware being delivered and in the method of delivery over the course of so many spam runs. The first day we made note of the WhatsApp malware, September 19, 2013, we observed 52 different websites being advertised in the emails. Each of these websites had a file called "info.php" that was being called with a very long unique "message" parameter, such as:

(a couple digits have been tweaked for privacy)

Websites used for malware delivery, September 19, 2013

Visiting the link from any of those websites resulted in code on the server resolving your IP address and creating a custom malware file name based on your geographic location. For example, when we visited from Birmingham, Alabama IP addresses, we received a file called "VoiceMail_Birmingham_(205)". 205 is the area code for Birmingham, Alabama, so both the city name and the telephone area code were intended to enhance the believability that this was a "real" VoiceMail message that we should open and listen to!

At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)

This malware delivery mechanism, with the geographically labeled secondary malware, is a signature of the ASProx => Kuluoz chain. Kuluoz, also known as DoFoil, is delivered as the second phase of a scheme that begins with computers in the ASProx botnet sending spam. This is the same campaign that delivered the Walmart/BestBuy/CostCo delivery messages around the Christmas holiday, and the Courthouse, Eviction, and Energy bill spam. In the more recent VirusTotal report, AntiVir, DrWeb, and Microsoft label this sample as Kuluoz, while Agnitum, CAT-QuickHeal, Kaspersky, NANO-Antivirus, VBA32, and VIPRE call it DoFoil. Zortob is another common label for this malware; Symantec calls it "FakeAVLock" while Ikarus and Sophos call it Weelsof. Weelsof is a ransomware family, and that label, like the FakeAV label, is likely due to tertiary malware. When secondary malware "drops" further malware (a term that just means that ADDITIONAL malware is downloaded from the Internet after the initial infection), it is common for AntiVirus vendors to apply the label for the "ultimate intention" to all of the malware samples seen in that infection chain.

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz's role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis, which was submitted as Mr. Bar's dissertation for his Master of Science in Computer Science.

At the time of Shaked Bar's paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar's paper is well worth reading, as he explains how C&C traffic is XOR'ed with the byte 0x2B, how the bot's ability to send spam is tested, and the other potential uses of the bot. Mr. Bar documents more fully the possible tertiary malware, including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.

Malcovery Security analysts also called attention in our September 19, 2013 report to the fact that the WhatsApp spam, when visited from an Android device, detected the OS and dropped a file called "WhatsApp.apk". .apk files are Android "application package" files, used to distribute and install Android apps. Examination of the .APK file confirmed that this was fake antivirus for your Android phone, containing descriptions of each supposedly detected malware in both English and Russian, as exhibited by this snip from the .APK file:

The URLs used to drop the infection shifted constantly. For example, these are the URLs from September 24th, each using "app.php" instead of "info.php":

And these were the sites for September 25th:

WhatsApp Spam Used by Cutwail Botnet to deliver Upatre => Zeus Malware

More recently, the WhatsApp lure has been used by an entirely different spam-sending malware team. This group, which favors the Cutwail spam botnet, uses spam messages to deliver a malware family known as UPATRE. UPATRE is a tiny malware file that is repacked constantly to ensure deliverability and has little malicious behavior of its own: its only function is to download additional malware. In this case, the malware is attached as a .zip file which, when executed by the recipient in order to "play their missed message", causes Zeus to be downloaded as the secondary malware.

Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus, so that the payload passes through perimeter blocking and detection without being recognized. This model, in which an undetectable encoded file is downloaded and then decoded into a fully functional Zeus binary by the Upatre module, was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security. In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

zubayen . com / up / wav.enc
or from inspireplus . org . uk / images / banners / wav.enc
(spaces added for your safety)

WhatsApp Spam Delivering Canadian Health & Care Mall links?

As WhatsApp reaches the pinnacle of awareness among American spam recipients, it is only natural that the pharmaceutical spammers would get in on the game. On February 20, 2014, the spammers sent out "Missed Voice Message" spam with a huge number of random URLs belonging to compromised webservers. On each of those webservers (usually ones whose FTP userids and passwords the spammer harvested in previous malware runs) a newly created .php or .pl file contains an encoded redirector to a pharmaceutical website.

On February 20th, the advertised spam URLs all redirected to one of more than fifty compromised webservers, each of which then redirected to a Canada Health & Care Mall website. The advertised URLs use a simple JavaScript obfuscation to try to hide the true destination, such as this page:


When interpreted as JavaScript, the top portion sets the variable "gjhqv1" to the redirect destination, and the "setTimeout" portion assigns that variable to the page location after "0" milliseconds, so the browser is sent on to the next hop as soon as the page loads.
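A static extractor for this kind of doorway page, as an added example that is not part of the original post. The two sample pages below are constructed to match the description above (a string variable holding the destination, assigned to the page location inside a setTimeout of 0 ms); the host names in them are invented placeholders, not the real compromised servers, and the exact JavaScript shape is an assumption about what the obfuscated pages contained.

```python
"""Pull the destination out of a setTimeout/location redirector page.

Added example (not from the original post). Handles the target split across
concatenated string literals, and the location assignment written either as
a string passed to setTimeout or inside a function.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# CONSTRUCTED sample pages; the host names are placeholders.
SAMPLE_STRING_FORM = """<html><head><title></title>
<script type="text/javascript">
var gjhqv1 = "http://compromised-host.example" + "/reactivates.php";
setTimeout("document.location = gjhqv1", 0);
</script></head><body></body></html>"""

SAMPLE_FUNCTION_FORM = """<html><head><script>
var zq9 = 'http://other-host.example/gaelicizes.php';
setTimeout(function(){ window.location.href = zq9; }, 0);
</script></head><body></body></html>"""

# var NAME = "lit" + 'lit' + ... ;
VAR_RE = re.compile(
    r"""var\s+([A-Za-z_$][\w$]*)\s*=\s*((?:["'][^"']*["']\s*(?:\+\s*)?)+);""")
STR_RE = re.compile(r"""["']([^"']*)["']""")
# [window.|document.|top.]location[.href] = NAME
LOC_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*([A-Za-z_$][\w$]*)""")
# setTimeout( ... , DELAY )
DELAY_RE = re.compile(r"""setTimeout\s*\(.*?,\s*(\d+)\s*\)""", re.S)


@dataclass
class Redirect:
    variable: str
    target: str
    delay_ms: Optional[int]


def collect_string_vars(html: str) -> Dict[str, str]:
    """Resolve string-literal assignments, joining any '+' concatenation."""
    return {name: "".join(STR_RE.findall(rhs))
            for name, rhs in VAR_RE.findall(html)}


def extract_redirect(html: str) -> Optional[Redirect]:
    """Return the redirect target if the page assigns a string variable to
    the location; None for pages that do not use this pattern."""
    loc = LOC_RE.search(html)
    if not loc:
        return None
    target = collect_string_vars(html).get(loc.group(1))
    if target is None:
        return None  # assigned from something this extractor cannot resolve
    delay = DELAY_RE.search(html)
    return Redirect(loc.group(1), target, int(delay.group(1)) if delay else None)


def looks_like_doorway(html: str) -> bool:
    """Heuristic: a location redirect on a page with no visible body text."""
    if extract_redirect(html) is None:
        return False
    visible = re.sub(r"<script.*?</script>|<[^>]+>", "", html, flags=re.S)
    return not visible.strip()


if __name__ == "__main__":
    for page in (SAMPLE_STRING_FORM, SAMPLE_FUNCTION_FORM):
        print(extract_redirect(page), "doorway:", looks_like_doorway(page))
```

Because the extractor never executes the script, it is safe to run over a batch of fetched pages; anything it cannot resolve (a target built with decodeURIComponent, an array lookup, a variable assigned from another variable) comes back as None and should be handed to a sandboxed browser instead.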

Reviewing 50 URLs of this type, with names such as "reactivates.php" or "gaelicizes.php", there were only four redirection targets:

each of which looked like this:

Monday, February 17, 2014

Interac Phishers try their hand at IRS

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of (activate 1940s horror movie narrator voice) The POWER OF CROSS BRAND INTELLIGENCE (/activate). Here's what the website looked like:

Phish from: / profiles / interac /

In this phish, the "big idea" is that you can escalate your IRS Tax Refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your Userid and Password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700.)

Things get quite fascinating though when we hide the graphics:

Why would an IRS phish have ALT TEXT for four of the largest Canadian banks? Looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish. First, the website Title is "INTERAC e-Transfer" ...

INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else using just an email address or cell phone text message. A transaction code is texted/emailed from the payer to the recipient, allowing the recipient to log in to the Interac service and choose which account, at which bank, they would like to receive the funds in.

The phish has some Javascript at the top that includes variables like "var provinceList = new Array ("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");" and a pull down menu with options "Select Institution", "Select Province or Territory" and "Select Credit Union."

As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as:

href = chasecustomerprofile
img src = chasecustomerprofile/css/images/chaseNew.gif .... but with alt="CIBC"

href = navy/index.htm
img src = imgs/nfculogo.png .... but with alt="President's Choice Financial"

href = suntrust
img src = imgs/suntrust.png .... but with alt="RBC Royal Bank"

etc . . .
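The mismatch the author spotted by hiding the graphics can be checked mechanically. Below is an added Python example (not the page's or Malcovery's code) that parses a kit page with the standard library, pairs each logo link with its image and alt text, and flags images whose file name names one brand while the alt text names another; it also pulls out the page title and the leftover provinceList as kit markers. The sample HTML is constructed from the three snippets above plus the title and provinceList the post quotes; the brand keyword table is an assumption you would extend for your own brand set.

```python
"""Fingerprint a rebranded phishing kit from leftover alt text and scripts.

Added example (not from the original post): pairs each <a href> with the
<img> inside it and compares the brand implied by the image file name with
the brand named in the alt text.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List, Optional

# CONSTRUCTED from the snippets quoted in the post.
SAMPLE_KIT_PAGE = """<html><head><title>INTERAC e-Transfer</title>
<script type="text/javascript">
var provinceList = new Array("Alberta", "British Columbia", "New Brunswick",
  "Newfoundland and Labrador", "Nova Scotia", "Ontario",
  "Prince Edward Island", "Saskatchewan");
</script></head><body><table><tr>
<td><a href="chasecustomerprofile"><img src="chasecustomerprofile/css/images/chaseNew.gif" alt="CIBC"></a></td>
<td><a href="navy/index.htm"><img src="imgs/nfculogo.png" alt="President's Choice Financial"></a></td>
<td><a href="suntrust"><img src="imgs/suntrust.png" alt="RBC Royal Bank"></a></td>
</tr></table></body></html>"""

# ASSUMPTION: keyword -> brand table; extend it for the brands you track.
BRAND_HINTS: Dict[str, str] = {
    "chase": "Chase", "nfcu": "Navy Federal Credit Union",
    "navy": "Navy Federal Credit Union", "suntrust": "SunTrust",
    "regions": "Regions", "usaa": "USAA", "citi": "Citi", "bofa": "Bank of America",
    "cibc": "CIBC", "rbc": "RBC Royal Bank", "scotia": "Scotiabank",
    "president": "President's Choice Financial",
}
PROVINCE_RE = re.compile(r"provinceList\s*=\s*new\s+Array\s*\((.*?)\)", re.S)


def brand_from_text(text: str) -> Optional[str]:
    low = text.lower()
    return next((b for k, b in BRAND_HINTS.items() if k in low), None)


@dataclass
class LogoLink:
    href: str
    src: str
    alt: str

    @property
    def src_brand(self) -> Optional[str]:
        return brand_from_text(self.src)

    @property
    def alt_brand(self) -> Optional[str]:
        return brand_from_text(self.alt)

    @property
    def mismatch(self) -> bool:
        # The image shows one brand; the alt text left over from the kit names another.
        return bool(self.src_brand and self.alt_brand and self.src_brand != self.alt_brand)


@dataclass
class KitFingerprint:
    title: str = ""
    provinces: List[str] = field(default_factory=list)
    logos: List[LogoLink] = field(default_factory=list)

    @property
    def mismatches(self) -> List[LogoLink]:
        return [l for l in self.logos if l.mismatch]


class KitParser(HTMLParser):
    """Collect the title, inline script text and <a><img></a> pairs."""
    def __init__(self) -> None:
        super().__init__()
        self.fp = KitFingerprint()
        self.scripts: List[str] = []
        self._href: Optional[str] = None
        self._in: Optional[str] = None  # "title" or "script" while inside one

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href = a.get("href", "")
        elif tag == "img":
            self.fp.logos.append(LogoLink(self._href or "", a.get("src", ""), a.get("alt", "")))
        elif tag in ("title", "script"):
            self._in = tag

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
        elif tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.fp.title += data.strip()
        elif self._in == "script":
            self.scripts.append(data)


def fingerprint(html: str) -> KitFingerprint:
    p = KitParser()
    p.feed(html)
    m = PROVINCE_RE.search("\n".join(p.scripts))
    if m:
        p.fp.provinces = re.findall(r'"([^"]*)"', m.group(1))
    return p.fp


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_KIT_PAGE)
    print(f"title={fp.title!r} provinces={len(fp.provinces)}")
    for l in fp.mismatches:
        print(f"{l.src}: image says {l.src_brand}, alt text says {l.alt_brand}")
```

The title, the province array and the set of alt-text brands together make a fingerprint you can search your phishing archive for, which is exactly the pivot the next section performs by hand.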

Phishing Cross-Brand Intelligence

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system.

Here is a phish that was seen on June 21, 2013 on the website / wp / interacsessions /

And another first seen on May 28, 2013 on the website / interac / (note the common "interac/" path on both of these, which matches the current IRS phish; "interac/" is the path used on the REAL Interac website).

Phishing & Spam Cross-Brand Intelligence

An interesting thing differentiates phishing emails from standard spam: while normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal credentials for Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually " / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website " / Connections / irsonlinedeposit /", which then forwarded the visitors to " / profiles / interac /", which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on that same host.

We found two sets of spam messages that advertised URLs on that host in our spam collection: one batch from January 8, 2014 and the other from January 28th and January 29th, 2014.

The January 28th and January 29th emails claimed to be from "USAA" with an email subject of "New Insurance Document Online".

Two of those emails were sent from an IP address in the Philippines and one from an IP address on Cox. What other emails were sent from those IP addresses?

Here are the emails from the Philippines IP address:

Date | Subject | From Name | From Email
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@
Dec 14, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@
Dec 16, 2013 | Confirmation - personal information update | USAA | USAA.Web.Services@
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 23, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 30, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Jan 5, 2014 | Notification of Limited Account Access | PayPal | PayPal@
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money | |
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money | |
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@
Jan 21, 2014 | Your dispute has been ended 01/20/2014: Get your money | |
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | TD Canada Trust | notify@

And here are the emails from the Cox IP address:

Date | Subject | From Name | From Email
Jan 29, 2014 | New Insurance Document | |
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@
Feb 9, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@

The Power of Cross-Brand Intelligence

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!
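As an added illustration of the pivot described in this post (this is example code, not the post's own work and not Malcovery's PhishIQ or Spam Data Mine), here is the host -> sender IP -> brand pivot run over a small spam-trap table. The records, hostnames and IP addresses are constructed; the `expand_cluster` function goes one step beyond the post by repeating the host/IP hop until nothing new turns up, which is where the technique starts to over-merge.

```python
from collections import defaultdict

# Constructed spam-trap records (not Malcovery's data): one row per message,
# with the hostname the message advertised. IPs come from the documentation
# ranges and the hosts are invented.
RECORDS = [
    {"date": "2013-12-18", "sender_ip": "203.0.113.10", "brand": "INTERAC",
     "subject": "INTERAC e-Transfer Received", "host": "phish-b.example"},
    {"date": "2014-01-05", "sender_ip": "203.0.113.10", "brand": "PayPal",
     "subject": "Notification of Limited Account Access", "host": "phish-c.example"},
    {"date": "2014-01-08", "sender_ip": "203.0.113.10", "brand": "USAA",
     "subject": "View Your USAA Document Online", "host": "phish-a.example"},
    {"date": "2014-01-28", "sender_ip": "203.0.113.10", "brand": "USAA",
     "subject": "New Insurance Document Online", "host": "phish-a.example"},
    {"date": "2014-01-29", "sender_ip": "198.51.100.7", "brand": "USAA",
     "subject": "New Insurance Document Online", "host": "phish-a.example"},
    {"date": "2014-02-11", "sender_ip": "198.51.100.7", "brand": "Wells Fargo",
     "subject": "Wells Fargo ATM/Debit Card Expires Soon", "host": "phish-d.example"},
    # Unrelated sender: must not be pulled into the cluster.
    {"date": "2014-02-01", "sender_ip": "192.0.2.33", "brand": "Amazon",
     "subject": "Your order has shipped", "host": "phish-e.example"},
]


def pivot_on_host(records, seed_host):
    """One hop, as in the post: every IP that advertised seed_host,
    then every message those IPs sent."""
    ips = {r["sender_ip"] for r in records if r["host"] == seed_host}
    related = [r for r in records if r["sender_ip"] in ips]
    return ips, related


def brands_per_ip(related):
    """The per-IP tables above: which brands each sending IP impersonated."""
    seen = defaultdict(set)
    for r in related:
        seen[r["sender_ip"]].add(r["brand"])
    return {ip: sorted(brands) for ip, brands in seen.items()}


def expand_cluster(records, seed_host, max_hops=3):
    """Repeat host -> IP -> host until a fixpoint or max_hops, whichever first.
    Bounding hops matters: a shared relay or multi-tenant host links
    unrelated campaigns, so each extra hop should be checked by hand."""
    hosts, ips = {seed_host}, set()
    for _ in range(max_hops):
        new_ips = {r["sender_ip"] for r in records if r["host"] in hosts}
        new_hosts = {r["host"] for r in records if r["sender_ip"] in new_ips}
        if new_ips <= ips and new_hosts <= hosts:
            break  # nothing new this hop
        ips |= new_ips
        hosts |= new_hosts
    brands = sorted({r["brand"] for r in records if r["host"] in hosts})
    return {"hosts": hosts, "sender_ips": ips, "brands": brands}


if __name__ == "__main__":
    seed_ips, related = pivot_on_host(RECORDS, "phish-a.example")
    for ip, brands in brands_per_ip(related).items():
        print(ip, "->", ", ".join(brands))
    print(expand_cluster(RECORDS, "phish-a.example"))
```

The one-hop pivot reproduces the two tables above from a seed host; the transitive version is useful for scoping but should be treated as a lead generator, since one shared sender IP or one compromised server hosting several unrelated kits will fold separate actors into one cluster.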

Saturday, February 08, 2014

Highest Malware Spam Rate since April 2013

Since 2006, my lab at UAB, part of The Center for Information Assurance and Joint Forensics Research, has been gathering spam and finding creative ways to analyze it to find new threats. Last December we licensed that technology to form Malcovery Security, which has picked up the reins on the work of finding and reporting on new malicious threats in spam. Between the groups, we've evaluated nearly a billion spam messages, so when one of my analysts says they are seeing something "new" I pretty much listen to them.

This week they said "spam-delivered Malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding!

The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/Mastercard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!

Date | Messages reviewed | Count | Email Subject
Feb 5 | 1,066,187 | 171,186 | Bank of America Alert: Online Banking Security Measures
Feb 6 | 1,176,667 | 303,646 | ATTN: Important notification for a Visa / MasterCard holder!
Feb 7 | 1,113,739 | 267,445 | Some important information is missing

Those numbers indicate that for the last three days this single malware distributor accounted for 16%, 25.8%, and 24% of all the spam we reviewed! How does that compare to normal? The previous day, February 4th, we considered the "Photos" malware campaign to be heavily spammed when it reached 5% of total spam volume for the day.

For comparison, Microsoft's Security Intelligence Report (volume 15) showed the spam message breakdown by category for the first half of 2013.

Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon Bombing, broke all the records for heaviest spam campaign that was distributing malware as we wrote about in Boston Marathon Explosion Spam Leads to Malware. Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution of "Breaking News" emails ...

Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event. When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link. It’s also much easier to prevent them from suspecting that something is wrong with the message.

Here are some more details about the spam messages that were seen in the past three days:

Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped. (http has been changed to hYYp and spaces inserted in the URLs for your protection.)

hYYp://   /srt/404.php
hYYp://   /ssd/usa.exe
hYYp://   /ssd/usa2.exe
hYYp://   /srt/404.php
hYYp://   /ssd/usa.exe
hYYp://   /ssd/usa2.exe
hYYp://   /ssd/usa.exe
hYYp://   /ssd/usa2.exe
hYYp://   /ssd/usa2.exe
hYYp://   /srt/404.php
hYYp://   /ssd/usa.exe

hYYp://    /srt/404.php
hYYp://    /ssd/usa.exe
hYYp://    /ssd/usa2.exe
hYYp://    /ssd/ust2.exe
hYYp://    /ssd/ust21.exe
hYYp://    /punta/gae.php
hYYp://    /srt/404.php
hYYp://    /ssd/usa.exe
hYYp://    /ssd/usa2.exe
hYYp://    /ssd/ust2.exe
hYYp://    /ssd/ust21.exe
hYYp://    /ssd/usa.exe
hYYp://    /ssd/usa2.exe
hYYp://    /ssd/ust2.exe
hYYp://    /ssd/ust21.exe
hYYp://    /punta/gae.php
hYYp://    /punta/gae.php
hYYp://    /srt/404.php
hYYp://    /ssd/usa.exe
hYYp://    /ssd/usa2.exe
hYYp://    /ssd/ust2.exe

hYYp://    /srt/404.php
hYYp://    /ssd/ust12.exe
hYYp://    /srt/404.php
hYYp://    /ssd/ust12.exe
hYYp://    /srt/404.php
hYYp://    /ssd/ust12.exe

The IP addresses that would be most critical to block to protect your network are these. Most of these addresses are on a cloud hosting service in Russia; some are on AS48172 OVERSUN (St. Petersburg, Russia) and others on AS56534 PIRIX-INET-AS PIRIX, ltd.

The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that file as of this timestamp, which shows greatly improved detection over my original run: ESET, Kaspersky, and Microsoft all agree this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.

Spamming Computers analysis

How often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days. ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5. ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6. ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.

ss5ip intersect ss6ip = 22,500 shared IPs
ss6ip intersect ss7ip = 25,405 shared IPs
ss5ip intersect ss7ip = 18,261 shared IPs
16,255 IPs were seen in all three campaigns.

107,987 unique IPs were seen if we combine all three campaigns.

Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were (France, 158 messages) and (Peru, 142 messages).

I geo-coded those IP addresses that sent more than 10 emails to us, which was a total of 21,955 IP addresses from 141 countries. A very unusual number of IP addresses, more than 45%, are from Spanish-speaking countries. At some point this botnet probably enlarged itself through Spanish-language spam- or website-based malware.

 ES  3052 - Spain
 AR  2148 - Argentina
 US  1841 - United States
 CO  1387 - Colombia
 MX  1374 - Mexico
 IT  1263 - Italy
 DE  1025 - Germany 
 PE  915  - Peru
 RO  876  - Romania
 BR  833  - Brazil
 GB  666  - Great Britain
 CL  634  - Chile
 FR  537  - France
 IL  489  - Israel 
 CA   379  - Canada
 PL  342  - Poland
 TR  325  - Turkey
 BG  267  - Bulgaria
 PT  259  - Portugal
 GR  238  - Greece
 VE  238  - Venezuela
 AT  183  - Austria
 RS  180  - Republic of Serbia
 EC  131  - Ecuador
 CH  118  - Switzerland
 IN  116  - India
 CZ  104  - Czech Republic
 PA  104  - Panama
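The set arithmetic behind the sender-overlap figures above, as an added example (not the post's own tooling): three per-day sender lists stand in for ss5ip, ss6ip and ss7ip, and the code computes the pairwise and three-way overlaps, the union, and per-IP message statistics. It also applies the inclusion-exclusion identity as a consistency check, which is worth doing on any such report: for the figures quoted above (47,380 + 58,532 + 51,883 senders, overlaps 22,500 / 25,405 / 18,261, 16,255 in all three) the identity gives 107,884 distinct IPs rather than the 107,987 stated, so the published lists do not reconcile exactly. The sample IPs are constructed RFC 1918 addresses, not real spam sources.

```python
from collections import Counter
from statistics import mean, median

# Constructed sample: one entry per message received, keyed by campaign day.
# Stands in for the ss5ip / ss6ip / ss7ip extractions from the spam traps.
CAMPAIGNS = {
    "feb5_boa":   ["10.0.0.1", "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"],
    "feb6_visa":  ["10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.5", "10.0.0.5", "10.0.0.6"],
    "feb7_fedex": ["10.0.0.3", "10.0.0.5", "10.0.0.7", "10.0.0.1"],
}


def inclusion_exclusion(sizes, pairwise, triple):
    """|A|+|B|+|C| - |A&B| - |B&C| - |A&C| + |A&B&C| == |A|B|C| for any three sets."""
    return sum(sizes) - sum(pairwise) + triple


def campaign_overlap(campaigns):
    """Distinct-sender overlap between exactly three campaigns."""
    names = list(campaigns)
    if len(names) != 3:
        raise ValueError("expects exactly three campaigns")
    sets = {n: set(ips) for n, ips in campaigns.items()}
    a, b, c = (sets[n] for n in names)
    pairwise = {
        (names[0], names[1]): len(a & b),
        (names[1], names[2]): len(b & c),
        (names[0], names[2]): len(a & c),
    }
    triple = len(a & b & c)
    union = len(a | b | c)
    sizes = [len(a), len(b), len(c)]
    return {
        "sizes": dict(zip(names, sizes)),
        "pairwise": pairwise,
        "all_three": triple,
        "union": union,
        # True when the counts are internally consistent.
        "consistent": union == inclusion_exclusion(sizes, pairwise.values(), triple),
    }


def sender_stats(campaigns, top_n=2):
    """Messages per distinct sending IP across all campaigns, plus the top senders."""
    counts = Counter(ip for ips in campaigns.values() for ip in ips)
    per_ip = list(counts.values())
    return {
        "unique_ips": len(counts),
        "messages": sum(per_ip),
        "mean_per_ip": mean(per_ip),
        "median_per_ip": median(per_ip),
        "top_senders": counts.most_common(top_n),
    }


def reconcile_published():
    """Re-derive the union from the overlap figures quoted in the post above."""
    sizes = [47380, 58532, 51883]
    pairwise = [22500, 25405, 18261]
    triple = 16255
    reported_union = 107987
    expected = inclusion_exclusion(sizes, pairwise, triple)
    return {"expected_union": expected,
            "reported_union": reported_union,
            "gap": reported_union - expected}


if __name__ == "__main__":
    print(campaign_overlap(CAMPAIGNS))
    print(sender_stats(CAMPAIGNS))
    print(reconcile_published())
```

A gap of around a hundred addresses out of 108,000 does not change the conclusion (roughly one in six senders worked all three days), but running the identity before quoting such numbers catches duplicated or un-deduplicated lists early.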

Sunday, February 02, 2014

GameOver Zeus now uses Encryption to bypass Perimeter Security

The criminals behind the malware delivery system for GameOver Zeus have a new trick: encrypting their EXE file so that, as it passes through your firewall, web filters, network intrusion detection systems and any other defenses you may have in place, it does so as a non-executable ".ENC" file. If you are in charge of network security for your enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Malcovery Security's malware analyst Brendan Griffin let me know about this new behavior on January 27, 2014, and has seen it consistently since that time.

On February 1st, I reviewed the reports that Malcovery's team produced and decided that this was a trend we needed to share more broadly than just to the subscribers of our "Today's Top Threat" reports. Subscribers would have been alerted to each of these campaigns, often within minutes of the beginning of the campaign. We sent copies of all the malware below to dozens of security researchers and to law enforcement. We also made sure that we had uploaded all of these files to VirusTotal which is a great way to let "the industry" know about new malware.

To review the process: Cutwail is a spamming botnet that since early fall 2013 has primarily been distributing UPATRE malware via social engineering. The spam message is designed to convince the recipient that it would be appropriate to open the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm but which, because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation.

As our industry became better at detecting these downloads, the criminals have had a slightly more difficult time infecting people. With the change last week, the detection rate for the new Zeus downloads has consistently been ZERO of FIFTY at VirusTotal. (For example, here is the "Ring Central" .enc file from Friday on VirusTotal -- al3101.enc. Note the timestamp. That was a rescan MORE THAN TWENTY-FOUR HOURS AFTER INITIAL DISTRIBUTION, and it still says 0 of 50.) Why? Well, because technically, it isn't malware. It doesn't actually execute! All Windows EXE files start with the bytes "MZ". These files start with "ZZP". They aren't executable, so how could they be malware? Except they are.

In the new delivery model, the .zip file attached to the email contains a NEW version of UPATRE that first downloads the .enc file from the Internet, then DECRYPTS it, writes the result to a new location under a new filename, and then both executes it and schedules it to execute again in the future.

I am grateful to William MacArthur of GoDaddy, Brett Stone-Gross of Dell SecureWorks, and Boldizsár Bencsáth from CrySyS Lab in Hungary, three researchers who jumped in to help look at this with us. Hopefully others will share insights as well, so this will be an on-going conversation. (UPDATE: Boldizsár has published details of how the encoding works: the file is first compressed and then XOR'ed with a 32-bit key. Upatre reverses the process to create the .exe file.)
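To make the "it isn't executable, except it is" point concrete, here is an added example (not Upatre's decoder, not Malcovery's code) of the compress-then-XOR scheme described in the update above, together with the magic-byte check a perimeter filter would apply on each side of it. Assumptions, since the post does not state them: zlib stands in for whatever compressor the real dropper uses, the observed "ZZP" is treated as a literal marker in front of the XOR'ed body, the 32-bit key is a made-up constant, and the "PE file" is a constructed byte string carrying only the DOS header strings a content filter would normally match on.

```python
import zlib
from itertools import cycle

ENC_MARKER = b"ZZP"   # first bytes of the .enc files, as reported above
PE_MAGIC = b"MZ"      # first bytes of every Windows executable


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; a 32-bit key is 4 bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_payload(pe_bytes: bytes, key: bytes) -> bytes:
    """Compress, XOR, prefix the marker. zlib is an assumption standing in for
    the real compressor; the layout (marker + body) is likewise assumed."""
    if len(key) != 4:
        raise ValueError("expected a 32-bit (4-byte) key")
    return ENC_MARKER + xor_with_key(zlib.compress(pe_bytes, 9), key)


def decode_enc(blob: bytes, key: bytes) -> bytes:
    """Reverse of encode_payload; refuses anything that does not decode to a PE."""
    if not blob.startswith(ENC_MARKER):
        raise ValueError("missing ZZP marker")
    try:
        pe_bytes = zlib.decompress(xor_with_key(blob[len(ENC_MARKER):], key))
    except zlib.error as exc:
        raise ValueError("wrong key or corrupt blob") from exc
    if not pe_bytes.startswith(PE_MAGIC):
        raise ValueError("decoded data is not a PE file")
    return pe_bytes


def classify_download(data: bytes) -> str:
    """What a magic-byte filter at the perimeter sees."""
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(ENC_MARKER):
        return "zzp-blob"
    return "unknown"


# Constructed stand-in for a GameOver Zeus binary: DOS header, the stub string
# that signatures commonly key on, then filler. Not a real executable.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
           + b"This program cannot be run in DOS mode.\r\n$"
           + bytes(range(256)) * 4)
DEMO_KEY = b"\xde\xad\xbe\xef"  # hypothetical; a real key comes out of the Upatre sample


def demo() -> dict:
    blob = encode_payload(FAKE_PE, DEMO_KEY)
    recovered = decode_enc(blob, DEMO_KEY)
    return {
        "on_the_wire": classify_download(blob),
        "dos_stub_visible_on_wire": b"cannot be run in DOS mode" in blob,
        "after_decode": classify_download(recovered),
        "round_trip_ok": recovered == FAKE_PE,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things follow from this. XOR with a fixed 32-bit key is obfuscation rather than encryption; its job is only to keep "MZ" and the DOS stub out of the bytes a content filter inspects, and once the key is lifted from the downloader the payload is trivially recovered, which is what the hashes in the table below were produced from. And a detection that depends on recognizing an executable on the wire is exactly what this defeats, so the useful telemetry is the pairing of an odd ".enc" download with a process creation from a fresh path shortly afterwards, not the file type.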

UPATRE campaigns that use Encryption to Bypass Security

Here are the campaigns we saw this week, with the hashes and sizes for the .zip, the UPATRE .exe, the .enc file, and the decrypted GameOver Zeus .exe file that came from that file. For each campaign, you will see some information about the spam message, including the .zip file that was attached and its size and hash, and the .exe file that was unpacked from that .zip file. Then you will see a screenshot of the email message, followed by the URL that the Encrypted GameOver Zeus file was downloaded from, and some statistics about the file AFTER it was decrypted.

ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.

(Columns: campaign | messages seen | subject; sender; attached .zip | size | MD5; UPATRE .exe | size | MD5 | .enc download (URL not shown): MD5; decrypted GameOver Zeus | size | MD5. OFFLINE means the .enc file could not be retrieved. Where a campaign fetched two .enc files they are shown as #1 and #2.)

Campaign: 2014-01-27.ADP | Messages Seen: 2606 | Subject: Invoice #(RND)
From: ADP - Payroll
Invoice.zip | 9767 bytes | b624601794380b2bee0769e09056769c
Invoice.PDF.exe | 18944 bytes | 8d3bf40cfbcf03ed13f0a900726170b3 | .enc #1 (URL not shown): OFFLINE
decrypted #1: none (.enc offline) | .enc #2 (URL not shown): 09ced08856101f86c02890f4373623a4
decrypted #2: 338432 bytes | b63415efcc70974269bd9d8da10b3ac1

Campaign: 2014-01-27.BBB | Messages Seen: 776 | Subject: FW: Complaint Case (RND)
From: Better Business Bureau (Random)
Case 463252349343.zip | 9762 bytes | 1ed259d9e7474cfe56df485be479ea97
Case 463252349343.exe | 18944 bytes | 809ae1af04ab921aa60efeb7083d21d7 | .enc #1 (URL not shown): OFFLINE
decrypted #1: none (.enc offline) | .enc #2 (URL not shown): OFFLINE
decrypted #2: none (.enc offline)

Campaign: 2014-01-27.HMRC | Messages Seen: 302 | Subject: Important Information for Employers
From: HMRC Employer Alerts &
Employer_Bulletin_Issue_46_79520EEE31.zip | 7218 bytes | 413cda07e774a5ed7f98279dd9e8a087
Employer_Bulletin_Issue_46_79520EEE31.exe | 17920 bytes | 2616babcdf0c5b9086ff63fa6682fe07 | .enc (URL not shown): 9d1b8f296b5bfb0f4817c2aacb8815a3
decrypted: 289280 bytes | fa4d35b63a8485bc7c0b167ca9358b76

Campaign: 2014-01-27.HSBC | Messages Seen: 404 | Subject: FW: Payment Advice - Advice Ref:[GB(RND)] / ACH credits / Customer Ref:[pay run 14/11/13]
From: HSBC Advising Service advising.service.(RND).(RND).RND)
PaymentAdvice.zip | 7162 bytes | c17396cddadf201f83074615824240c0
PaymentAdvice.exe | 17920 bytes | e0595c4f17056e5599b89f1f9cf52d83 | .enc (URL not shown): 414755f65ebbaf52669aaab649b3f274
decrypted: 289280 bytes | 5a393b283f42edd17c7da2625b8e1045

Campaign: 2014-01-27.Skype | Messages Seen: 275 | Subject: Skype Missed voice message
From: Administrator docs(#)@(many)
Skype-message.zip | 10147 bytes | 79fb2e523fe515a6dac229b236f796ff
Voice_Mail_Message.exe | 18944 bytes | 6e4857c995699c58d9e7b97bff6e3ee6 | .enc (URL not shown): OFFLINE
decrypted: none (.enc offline)

Campaign: 2014-01-27.VoiceMessage | Messages Seen: 271 | Subject: Voice Message from Unknown
From: Administrator docs(#)@(many)
VoiceMessage.zip | 7273 bytes | d2070f6a15312dec7882ca0d9ec7f431
VoiceMessage.exe | 17920 bytes | 8a739776cf8316eba1bfae50e020c8f1 | .enc #1 (URL not shown): 73c811d0794de15906225d7d936fc6b7
decrypted #1: 289280 bytes | 2b0db77ac980be10b9ef4562269d8db4 | .enc #2 (URL not shown): 1d30d5fe55585d24cd15ef97afb7322c
decrypted #2: 289280 bytes | b993b4cb332b979d6f8509f5765abfd4

Campaign: 2014-01-28.DeptTreasury | Messages Seen: 223 | Subject: Department of Treasury Notice of Outstanding Obligation - Case (RND)
FMS-Case-(RND).zip | 9462 bytes | 067617d990a861f87304bb08b6628524
FMS-.exe | 18944 bytes | 40afe219c14a0a5f3a4ddd6c8e39bc23 | .enc #1 (URL not shown): 41d57ca4b8705247186e2f30d911d811
decrypted #1: 387584 bytes | 7178a455ee9a0d6e42465ad9967a177a | .enc #2 (URL not shown): 41d57ca4b8705247186e2f30d911d811
decrypted #2: 387584 bytes | 7178a455ee9a0d6e42465ad9967a177a

Campaign: 2014-01-28.IRS | Messages Seen: 192 | Subject: Complaint Case (RND)
Complaint_RND.zip | 7240 bytes | f20768ed9f771a92950a5f5ab14bf57f
Complaint_.exe | 17408 bytes | 8163d272c4975b1d7ed578b4d24b3d2a | .enc #1 (URL not shown): 97b200826b7a526d91fda4c56dc438ae
decrypted #1: 289276 bytes | 542a5a6f04ddcad3effc72121c59e332 | .enc #2 (URL not shown): 97b200826b7a526d91fda4c56dc438ae
decrypted #2: 289276 bytes | 542a5a6f04ddcad3effc72121c59e332

Campaign: 2014-01-28.NewVoiceMessage | Messages Seen: 165 | Subject: New Voice Message
From: Voice Mail (RND)@(reflective)
VoiceMail.zip | 6502 bytes | 2a048dfb3429155d552cb0c37b499b51
VoiceMail.exe | 17920 bytes | dc2e2f04a01009f3193b0df4ba0f6e81 | .enc #1 (URL not shown): 11a55dd1a756dbba6e7d404a7c22544a
decrypted #1: 289280 bytes | cae9c9614affac694320215228efcf27 | .enc #2 (URL not shown): 11a55dd1a756dbba6e7d404a7c22544a
decrypted #2: 289280 bytes | cae9c9614affac694320215228efcf27

Campaign: 2014-01-28.RingCentral | Messages Seen: 7720 | Subject: New Fax Message on 1/22/2013
fax.zip | 9929 bytes | afa90762f6412173cf6e0e6d1d57531d
fax.doc.exe | 18944 bytes | 81e425646f68d3adaddca0cf398f595f | .enc #1 (URL not shown): f626ad2af056644ff4717e1cd80c6da3
decrypted #1: 484352 bytes | c7c4a875b90c86136e497af8ffc9a9e0 | .enc #2 (URL not shown): f626ad2af056644ff4717e1cd80c6da3
decrypted #2: 484352 bytes | c7c4a875b90c86136e497af8ffc9a9e0

Campaign: 2014-01-28.WhatsApp | Messages Seen: 767 | Subject: Missed voice message, "(timestamp)"
From: WhatsApp
Missed-message.zip | 6492 bytes | 494d6095b540dbc9f570e22b717a32df
Missed-message.exe | 17920 bytes | a4c01917b7d48aa7c1c9a2619acb5453 | .enc #1 (URL not shown): 33070eda34ccea632c3b4007a1e2beee
decrypted #1: 289268 bytes | dc5b998fd7a6f29ebac6365654d57609 | .enc #2 (URL not shown): 33070eda34ccea632c3b4007a1e2beee
decrypted #2: 289268 bytes | dc5b998fd7a6f29ebac6365654d57609

Campaign: 2014-01-28.Skype | Messages Seen: 574 | Subject: Skype Missed voice message
From: Administrator docs(#)@(many)
Skype-message.zip | 9163 bytes | dfa3db3c14ae1e369a4a9df6cb82832f
Skype-message.exe | 18944 bytes | ab703881cb4b3fbd5ee13df30b7bb8d7

Campaign: 2014-01-29.RingCentral1 | Messages Seen: 3811 | Subject: New Fax Message on 1/29/2013
From: RNDRND@*.ru
fax.zip | 9473 bytes | 0842e4bcc8af1f0d54519a99834be218
fax.pdf.exe | 18432 bytes | d309df26dd91294dc4acd5fb78aa98f5

Campaign: 2014-01-29.RingCentral1 | Messages Seen: 2887 | Subject: New Fax Message on 1/22/2013
fax.zip | 9929 bytes | afa90762f6412173cf6e0e6d1d57531d
fax.pdf.exe | 19968 bytes | 5db38bd493ef2f9b35bb0015822b493d

Campaign: 2014-01-29.RingCentral1 | Messages Seen: 2353 | Subject: New Fax Message on 1/29/2013
From: RNDRND@*.ru
fax.zip | 9994 bytes | 2d65747503e7b251ad597a650f352f4e
fax.doc.exe | 18944 bytes | 81e425646f68d3adaddca0cf398f595f | .enc (URL not shown): OFFLINE
decrypted: none (.enc offline)

Campaign: 2014-01-29.eFax | Messages Seen: 1016 | Subject: Fax transmission: (RND-RND-RND-RND).zip
From: eFax
(zip name and size not shown) | 9f2613dabe2a89ac21e9b55b6df51ebc
{fax num123}.exe | 17920 bytes | 89f45f68a0568996a6a109a1d04b6670 | .enc #1 (URL not shown): 42dda6f13b2c8df96321570e1fa84fe8
decrypted #1: 289785 bytes | ee038bdd137f518614599275add5b9bb | .enc #2 (URL not shown): OFFLINE
decrypted #2: none (.enc offline)

Campaign: 2014-01-29.LloydsTSB | Messages Seen: 551 | Subject: January Spending
January.zip | 9586 bytes | ea42b883dab711810243e8f138438733
January.exe | 17920 bytes | c28d9a0b3b2643a01fd3f3250a39a511 | .enc #1 (URL not shown): 9c790bfd6def569362483192d6e1b9ba
decrypted #1: 289800 bytes | 82dd0f87007fc0149183e1de8f0913f2 | .enc #2 (URL not shown): OFFLINE
decrypted #2: none (.enc offline)

Campaign: (name not given) | Messages Seen: 166 | Subject: Voice Message from Unknown
From: Administrator docs(#)@(many)
Message.zip | 8748 bytes | ff2c3e6b875803945b320e438304f506
VoiceMessage.exe | 17920 bytes | 13d6046c575abe9c3072067135a57996

Campaign: 2014-01-30.BanquePopulaire | Messages Seen: 259 | Subject: Numero de cas: RND
Cas_RND.zip | 9476 bytes | a21cd2697687ae6eb1b15175a8fb0ae2
Cas_01302014.exe | 17920 bytes | 968779b34f063af0492c50dd4b6c8f30 | .enc #1 (URL not shown): 8cce7406f943daa81ef31411247491d3
decrypted #1: 300544 bytes | 092eb58dce516414908ecf6f3156372a | .enc #2 (URL not shown): OFFLINE
decrypted #2: none (.enc offline)

Campaign: 2014-01-30.Remit | Messages Seen: 206 | Subject: FW: Last Month Remit
From: Administrator docs(#)@reflective
Remit.(domain).zip | 9465 bytes | 145d3da149cc8fa3bef38af648713fb6
Remit.exe | 17920 bytes | 84a6030c8265b33c3c4e68d29975bd76 | .enc #1 (URL not shown): 5c7d5797e1f46c29dd9c7a9976d9d359
decrypted #1: 299008 bytes | aaf1097da1e50b7fd8d8c5e1a95acd80 | .enc #2 (URL not shown): 5c7d5797e1f46c29dd9c7a9976d9d359
decrypted #2: 299008 bytes | aaf1097da1e50b7fd8d8c5e1a95acd80

Campaign: 2014-01-30.Skype | Messages Seen: 42 | Subject: Skype Missed voice message
From: Administrator docs(#)@reflective
Missed voice message.zip | 9336 bytes | 40453639a6fbd58b1d30099666ad32a
Missed voice message.exe | 18944 bytes | 30e5d9d4d7da572fdef6f7253950a53c | .enc #1 (URL not shown): 75a9d6fd9fe34a4ff737c987938a8f6c
decrypted #1: 386048 bytes | f2bef403482c4dd70bd4e1be1fd4af8f | .enc #2 (URL not shown): 75a9d6fd9fe34a4ff737c987938a8f6c
decrypted #2: 386048 bytes | f2bef403482c4dd70bd4e1be1fd4af8f

Campaign: 2014-01-30.AssortedFax | Messages Seen: 2410
Subjects: Corporate eFax message from (RND); jConnect fax from (RND) - (RND) pages, Caller_ID (RND); (third subject not shown)
From: eFax Corporate; Dun & Bradstreet; message /
FAX_001_RND.zip | 10293 bytes | 18b72825aecde011bdc92c1526491571
FAX_001_20143001_814.exe | 18944 bytes | 915fdc8403b26bac79801fa1a341495d

(These three all use the same binaries)

Campaign: (name not given) | Messages Seen: 1627 | Subject: New Fax Message on 01/29/2013
From: RNDRND@*.ru
fax.zip | 10095 bytes | 8627ce01daaebc35610d05cdbdbde612
fax.pdf.exe | 18432 bytes | 465c2656c07ab05e9349920f53dd0deb

Campaign: 2014-01-30.LaPoste | Messages Seen: 101 | Subject: Scan de (RND)
Scan_RND_RND_RND.zip | 9494 bytes | daaf11e91c3cc3506042d633373aabd3
Scan_301_30012014_001.exe | 17920 bytes | 968779b34f063af0492c50dd4b6c8f30

Campaign: 2014-01-30.Staples | Messages Seen: 245 | Subject: Your order is awaiting verification!
From: Staples Advantage
Order_RND.zip | 9465 bytes | e669d0ff0238ed2f3601c01f1a532728
Order.exe | 17920 bytes | 84a6030c8265b33c3c4e68d29975bd76

Campaign: 2014-01-31.RingCentral1 | Messages Seen: 3488 | Subject: New Fax Message on 01/29/2014
From: RNDRND@*.ru
fax.zip | 9815 bytes | d373a3e96519612896facb6f18e89785
fax.pdf.exe | 19968 bytes | 9a836550c9e74a46076a7292fb0d4ab1 | .enc #1 (URL not shown): ded1b7f7ea934faf84a8dcc5011316cd
decrypted #1: 390144 bytes | f07d3afab1eb150e8a315596b5fb23f9 | .enc #2 (URL not shown): ded1b7f7ea934faf84a8dcc5011316cd
decrypted #2: 390144 bytes | f07d3afab1eb150e8a315596b5fb23f9