Phishing pages trick Steam users into uploading SSFN file

Is a Steam login page asking you to upload an SSFN file? Think twice before uploading, because the legitimate Steam site never asks you to upload an SSFN file.

Steam Guard is an extra layer of security. It asks you to enter a verification code sent to your email whenever you try to log in from a computer you haven't used before.

This feature prevents attackers from taking control of your Steam account, even if they know your login ID and password.

However, a new phishing scam uncovered by Malwarebytes bypasses the Steam Guard protection. It tricks users into handing over their login credentials and the SSFN file.

What is an SSFN file?
SSFN is the file that saves you from having to verify your identity through Steam Guard every time you log in to Steam on your computer. If a user deletes this file, they will be asked to verify again, and a new SSFN file will be generated and stored on their PC.

If you upload your SSFN file to a phishing page, attackers can use this file together with your username and password to take control of your account.

In a Reddit thread, several users have reported that they were fooled by this phishing scam.

"Steam will never ask you to provide any Steam Guard files. If you upload or give a user your Steam Guard .SSFN file, they can gain access to your account without accessing your email account. However, they must know your Steam account password and username to use this file" the Valve article about Steam Guard reads.

European Apple users targeted with phishing emails

A new phishing campaign is targeting European users of the Apple Store with the promise of a discount.

Security researchers at Kaspersky have spotted a new spam mail targeting Apple users that tricks them into thinking they can get a discount of 150 euros by paying just 9 euros.

"Apple is rewarding its long-term customers.  Your loyalty for our products made you eligible for buying an Apple discount card" The spam mail reads.

The spam mail asks users to download an attached HTML file and fill in the form, which asks for personal information as well as credit card information.

The scammers spoofed the sender address so that the email appears to come from informs@apple.com. They also promise to send the discount card within 24 hours of the form being filled in.

If a recipient follows the instructions and fills in the form, the phishing file sends the data to the attacker's server. The attacker will then use the submitted financial data.

Users targeted with large number of Spam mails containing Banking Trojan

 
A massive new spam campaign has been spotted by security researchers at AppRiver. It sends large amounts of spam mail to data centers in an effort to evade email-filtering engines.

AppRiver's data centers received 10 to 12 times their normal traffic. Even though AppRiver managed to block the spam mails, the tremendous volume of traffic caused delays for some of its customers in sending and receiving emails.

Cybercriminals are targeting users with large numbers of emails built on varying premises. One of the spam mails targets Bank of America customers: a fake alert message pretending to be from Bank of America carries the Bredo malware.

Researchers say the malware is capable of recording keystrokes and stealing financial information. It can also download additional malware onto the victim's machine. The spam mails were reportedly detected by only 11 out of 51 antivirus products.

Another mail analyzed by AppRiver pretends to be from "VISA/MasterCard" and informs recipients that their account has been blocked due to unusual activity.

Some of the malicious attachments pointed to the Andromeda botnet and others to the Bredo botnet. AppRiver refers to this botnet activity as TidalWave/TidalBotnet.

Facebook Scams: "Hacking any Facebook Account", "Facebook Music Theme"


A new Facebook scam claiming to be a script to "Hack any Facebook account" is spreading like wildfire. Recently, I also came across a Facebook scam post that promises a "Facebook Music Theme". I've been tagged in the spam posts by more than 20 friends within a week.

The post has a link to a script file, which is hosted at random on Dropbox, Pastebin, Textuploader and other file hosting services.

The post tricks users into thinking that it is a script to hack any Facebook account. It urges users to use it before it gets blocked by Facebook.

It asks them to copy the script and paste it into the "Console" section of the browser's "Inspect element" option. It claims you will get the username and password once you have completed the process.


Here is what is actually happening:
When you paste the code into the console, the code runs on your behalf. It sends several requests, including "Like" and "comment" requests. This means that you have unknowingly "liked" and "commented" on the scammer's pages.


It also tags all of your friends in a comment so that the scam spreads further and reaches more victims.

I can't believe that there are still plenty of people out there who still believe some stupid scripts can hack accounts.

Are you one of the victims who followed the stupid instructions?
No need to panic. As far as I know, the script only "likes" and "comments" on your behalf. So, you can simply go to the "Activity" log page in your account and unlike and uncomment them. If you are reading this article, make sure you do not make the same mistake again.

Facebook Scam: World's Largest Snake Video and Shark Eating Man Videos

Attention Facebook users! If you see a Facebook post promising outrageous videos, for instance "Shocking video: World's Largest Snake Video", don't click it. It is nothing other than a survey scam.

Various posts with different bogus titles are circulating on Facebook, all leading to a survey scam page.

So far, the topics used in the scam campaign are "SHOCKING VIDEO World’s Largest Snake Found In [Brazil /Mexico ]" and "Exclusive: Shark eats the swimming man in an Ocean!! Watch the video".

A user who clicks the link in the post is taken to a web page that asks them to complete a survey in order to view the video, and to share the video on their Facebook account.

In the end, you get nothing other than being a victim of the scam. Remember, there are no such videos. If you come across these kinds of posts, just ignore them or report them to Facebook.

Spam mail promising Adobe License key delivers Trojan

Adobe has issued a warning about a new spam email campaign that purports to deliver license keys for a variety of Adobe products.

Security researchers at MX Lab have come across spam emails with subjects such as "Download your License Key" and "Than you for your order" that distribute a new Trojan.

The attacker spoofed the email address so that it appears to be from Adobe Inc. The email thanks the recipient for buying various Adobe products and informs them that the "License Key" is attached to the email.


Those who are eagerly searching for a new license key will definitely open the attachment. The attached file "License_Key_OR8957.zip" is nothing but malware.

At the time of writing, 27 of 49 antivirus engines at VirusTotal detect it. It appears the cybercriminals are using the same technique as in 2011.

Nigerian man jailed for $1.5 m phishing scam targeting students

A Nigerian man has been sentenced to three years and nine months for taking part in a $1.5 m phishing scam targeting UK students.

Olajide Onikoyi, 29, from Manchester, was a member of a criminal group that targeted students by sending phishing emails inviting them to update their student loan details.

According to SKY News, he laundered £393,000 from 238 victims in total, including one student who had £19,000 taken from his account.

When the Metropolitan Police central e-crime unit seized his computers, they found chat logs revealing that he was conspiring with criminals in Russia, Lithuania and the UK.

A number of other people have also been jailed in connection with the scam.

Users are advised to exercise extreme caution when clicking links in unsolicited emails, and to log in to websites directly by entering the site's URL instead of clicking a link.

Halifax Bank phishing email claims "3rd party Intrusion detected"


A phishing email targeting users of UK-based Halifax Bank attempts to trick recipients into handing over their sensitive information.

The email informs the recipients that "3rd party intrusions" have been detected and their account has been limited for security reasons, according to Hoax-slayer.

To restore the account, it asks recipients to confirm their identity and verify that their account has not been used for fraudulent purposes by filling in an online validation form.

Once the victim opens the link provided in the email, it takes them to a fake Halifax Bank website that asks them to log in. It then asks victims to enter personal information such as name, phone number and birth date.

In the next form, they are asked to enter sensitive information such as account number, sort code, card number, expiration date and security code.

As usual in phishing scams, once the form is filled, the victim will be automatically redirected to the legitimate Halifax Bank website.

WordPress Plugins containing Backdoor distributed via phishing emails

What would you do if, as a WordPress user, you received an email offering the Pro version of a WordPress plugin for free? Don't be tempted by such emails; they also give you malicious code for free!

Sucuri reported on phishing emails asking its clients to download the Pro version of the "All in One SEO Pack" WordPress plugin. The email claims that the plugin is worth $79.00 and is being given away for free.

"You have been chosen by WordPress to take part in our Customer Rewarding Program.  You are the 23rd from 100 uniques winners." The phishing email reads.


The download link provided in the email does not point to the WordPress plugin store; it points to a zip file hosted on a compromised website.

Security researchers at Sucuri analyzed the plugin and found that it has been modified with a backdoor that gives attackers full access to the server.

The malicious code in the plugin replaces the index.php file with malicious code retrieved from the attacker's server. So, when users visit the site, they are redirected either to spam sites or to exploit kits that try to infect the visitor's system.

Scammers once again take Advantage of Deepavali Festival

Cybercriminals always try to take advantage of festivals. As expected, they have started sending Diwali-themed scam emails. Diwali/Deepavali is a Hindu festival that is celebrated on Nov 2 this year.

One of the scam emails spotted by Symantec experts, purportedly from the Reserve Bank of India (RBI), informs users that they have been awarded a prize of 4 crore and 70 lac Indian rupees (US$763,609) as a Diwali celebration promotion.

"Dear Lucky Winner, The Reserve Bank of India(RBI) Governor, Secretary-General of the United Nations met with the Senate Tax committee on Finance RBI Mumbai/Delhi branch. You have been awarded the total sum of 4 Crore, 70 Lac Indian Ruppes in the up-coming diwali celebration promotion " The scam email reads.

The recipients are asked to contact the RBI Regional Director by sending an email to a given address to claim their winnings. Keep in mind, there is no such promotion.

Those who contact the scammers will be asked either to pay certain fees to get the prize money or to give certain personal or financial information.

Twitter Accounts of Jordana Brewster, Zach Roerig and Pentagram Hacked

#Exclusive: Jordana Brewster, a Brazilian-American actress best known for her role in the Fast & Furious movies, admitted that her Twitter account was hijacked by cybercriminals.

According to followers' reports, the cybercriminals who hijacked the account posted a spam tweet from it. The incident was first reported by Eduard Kovacs at Softpedia.

"please ignore tweets ( except for this one) my account seems to have been hacked" recent tweet from @JordanaBrewster reads.  "all good now".



I found she is not the only celebrity who fell victim to Twitter account hijacking this month.

Zach Roerig, an American actor best known for the role of Casey Hughes on As the World Turns, admitted that his Twitter account was hacked.

"Burn 2 + inches off your waist losing up to 20 lbs of body fat in 28 days with hxxx://tinyurl. com/klwcpwq" The spam tweet reads. 

The recent tweet from @zach_roerig, "Once again being hacked sucks", apparently shows that this is not the first time his account has been hijacked by cybercriminals.



The story does not end here: the official Twitter account of Pentagram, a design studio founded in 1972, also got hacked. Hackers posted the same spam tweet used in the Zach Roerig Twitter hack.

"Dear Twitter followers, if you receive a direct message from us, please don't click on the link. We caught something that's going around."  The recent tweet from pentagram reads.


*Update*:
I just found that the following Twitter accounts also fell victim to the spam attack: Hart Hanson (@HartHanson), @NewsBreaker, Jane Ellison MP (@janeellisonmp).





*Update 2:
The Twitter account of Justin Bethel (@Jbet26), an American football cornerback for the Arizona Cardinals of the National Football League, also got hacked and is spreading spam tweets.


Update 3:
ESPN reporter Mike Massaro also admitted that his account was abused for spreading spam:


ESPN NFC East twitter account (@espn_nfceast ) is unavailable after hackers hijacked the account.

*Update 4:
Graham DeLaet (@GrahamDeLaet), a Canadian professional golfer who plays on the PGA Tour, also got hacked by the same group.

Facebook spam abuses Microsoft Translator

We recently investigated the Facebook spam that abuses the McAfee URL shortener and Google Translator, and published our report.

Today, we have come across a new Facebook spam campaign that abuses Microsoft Translator to redirect victims to the spammer's site. I have come across different variants of this spam campaign within the last 24 hours.

The variants used in this campaign include the old profile viewer trick "Profile Viewer version 4.6 : Check who views your profile at link in Description".


Unfortunately, I can't share screenshots of the other variants as they contain adult images. So, here I am sharing only the descriptions in the spam pictures:

  • Look what she did after drinking , Video link in description
  • Looks like she enjoyed it, Video link in description
  • They gone too far 
  •  Massive japanise org* sports, Follow the link to watch video
  • Beautiful girl on facebook, click on the link to know about her
  • Got caught making hot video on cam, Video link in description
  • You can't believe she did it in bus,  Follow the link to watch video
  • Got caught in library, Video link in description
  • She was seduced by her own uncle, find video link in description

All of the spam posts contain a "j.mp" link (URL shortener) that redirects the victim to a Microsoft Translator page. Microsoft Translator is abused to hide the spammer's real website and to redirect victims to it.

What's worse about this spam campaign is that even security researchers fall victim to the spam. Today, one of my friends fell prey to a post promising a "Free Gift Card to spend at Starbucks!". So, it is useless to blame normal users. I believe they will realize their mistake once they find themselves victims of the attack.

Please share this article with your friends and spread the awareness about facebook spams.

Stay tuned..! I'm starting my investigation on this new campaign ;) This article will be updated if I find anything interesting.

Facebook Spam abuses McAfee URL Shortener and Google Translator


Yesterday we got a notification about a new Facebook spam from one of EHN's readers. What's interesting about this new spam is that it abuses the McAfee URL shortener to hide the malicious URLs.

The spam post contains an adult picture saying "Emma Watson Star of Harry Potter made a sex Tape"  and "Link in the description".


Clicking the link takes the victim to a Google Translator page. Within a few seconds, you are redirected from the translator to another page, which is hosted on the free hosting service "altervista.org".

As usual, victims are asked to copy and paste the URL that contains the Facebook access token in order to verify their age.



Once you click the "Activate" button, it displays a pop-up saying "8 New comments". Clicking the "continue" or next button takes you to a Facebook app that asks for permission to access your public profile, friend list, email address and birthday.

The spammers aren't asking for your birthday in order to send you birthday wishes :P. The collected information will be used in future spam or for other malicious purposes.


In the background, the spam post is posted to your wall and your groups on your behalf using the stolen access token. From what I observed, the spam also abuses alturl, tinyurl, linkee and other URL shortening services.

We have already warned you that Facebook is not the right place to watch porn. Please share this article and raise awareness about Facebook spam.

Update:
We got a notification from one of our users that the same group is posting spam posts using the name of Twilight star Kristen Stewart.

Update 2:
Redirection flow:
Url shortener link-->Google Translator --> fiddle.jshell.net --> plgngl.info -->ngltoken.altervista.org

The whois details of plgngl.info:
  • Registrant Name: Ngl Power
  • Street : Nonteladico 23
  • City : Roma
  • Email address: ngl@live.it

Other Domains registered by the same person:
buzzingcl.info
buzzingam.info
worldwarez.info
2fun4u.info

The 2fun4u.info site shows the text "If you're here maybe you're trying to steal my scripts. If so good luck" with the page title "NGL's viral scripts".

The plgngl.info domain was also used in the Rihanna sex tape Facebook spam attack at the start of this year.

*Update 3 - Tracking the Spammer:
My friend Janne Ahlberg and I investigated the spam and found some interesting stuff. Here, I am sharing with you what we found.

We started our investigation with the domain registrant name "Ngl Power". With a few hints, we managed to find the profile of the cybercriminal on one of the top underground hacking forums.

He is distributing malicious Facebook spam scripts to other cybercriminals. From our investigation, we found that he has been distributing malicious scripts since 2010. It appears he is the criminal behind several Facebook spam campaigns.



He has provided malicious scripts for the following spam campaigns:
  • "RIHANNA'S BIGGEST SCANDAL", 
  • "98 Percent Of People Cant Watch This Video For More Than 15 Seconds"
  • "Busty Heart - The woman that can smash things with her br****ts!"
  •  Man accused of trying to hide stolen TV in his pants 
  • Find Your Facebook Stalkers
  • Dad walks in on daughter... EMBARRASING!!! 
  • This is what Happend to his Ex GirlFriend
  • John Cena  died of a head injury
  • Justin Bieber Sex Tape

Janne found a thread posted in the forum by another cybercriminal, "kira2503", saying "NGL's money is refunded", with a screenshot that displays the possible real name of NGL.



However, what I observed from the thread is that the spammer (NGL) appears to have been scammed by a scammer (kira2503). So we can't be sure whether the name shown in the screenshot is the true one or not.

Our investigation led to a "Facecrooks" Facebook fan page where they had warned about the Facebook spam.

One of the comments posted by a user on the page reads "Really Angelo Tropeano?? You think with a pic of Facecrooks x'd out .. on a thread > Warning us NOT to click links Anyone is going to fall for your malware attempt?? Shameful. Reported".

One more user posted the comment "the troll known as angelo's link resolves to a html file on tumblr hxxx://static.tumblr.com/c5apoln/7Prmiktpx/cena.html? 93561071". Following the Tumblr link led us to "hxxx://plgngl.info/tkn". Yes, it is the same domain used in the recent attack.


The following profiles might be associated with the spammer:

YouTube Profile: hxxx://www.youtube.com/user/nglyt2


Blogger  : hxxx://www.blogger.com/profile/11389969837864256446



Twitter :  hxxxx://twitter.com/ngltw

We are still investigating the campaign.  If we find anything interesting, we will update.

Adriana Lima FuckTape! - Another Facebook spam campaign use New Trick

Here we go: E Hacking News has come across a new Facebook spam campaign titled "Adriana Lima FuckTape!". I became aware of this spam after a few Facebook friends got infected by this campaign.

According to Wikipedia, Adriana Lima is a Brazilian model and actress who is best known as a Victoria's Secret Angel since 2000. (Sorry, I didn't know about her before cybercriminals started to use her name :P)

Unfortunately, I can't post a screenshot of the spam post as it contains adult pictures. "Adriana Lima FuckTape! Watch: hxxx://xxx-videotube.com/" the spam post reads.

At first, I thought it was a real porn website (the name made me believe it, and they didn't use any URL shorteners). So I didn't follow the provided link and asked friends how users were getting infected. Suddenly, I realized that it was the spam website ;)

I followed the link, and the website greeted me with a GIF image mimicking an embedded YouTube video player. The video player displayed an error message saying "Sorry, you must be 18+ to view this video.  Click to verify".

Here comes the interesting part. The cybercriminals have implemented a new method to trick Facebook users.

Once you click the image, it asks you to "Move the favicon out of the box". I hope you know what will happen when you follow the instructions: your account will be compromised.


When you drag the favicon, you actually drag the URL opened in the small browser window (the URL contains the Facebook access token). You are unwittingly handing over your Facebook access token to the cybercriminals. Using the stolen token, they can post from your Facebook account.

This new method is quite different from the previous method used by the spammers in recent spam campaign titled "She went inclusively nuts and lost all control of the razor-sharp axe".

Facebook Spam: "She went inclusively nuts and lost all control of the razor-sharp axe"

A new spam that preys on people's curiosity is circulating on Facebook. Today, E Hacking News has come across a new spam campaign. The spam post has a picture of a woman that looks like a video.

"she went inclusively nuts and lost all control of the razor-sharp axe Well, Watch what happened..in..this..video:_:: [Tiny_URL]" The spam post reads.




Following the link provided in the post takes users to a page that says "She did this at the tender of age 15" and displays an image mimicking an embedded video player.

After clicking the image, I am really inspired by the clever work done by the cybercriminals. When a user clicks the image, it asks them to press three shortcuts one by one: Ctrl+L, Ctrl+C, Ctrl+W.

I know what the last two shortcuts do but was not sure about the first one. I managed to find out what the Ctrl+L shortcut does in browsers: it is used for selecting the URL.

So the shortcuts are for selecting and copying the URL and closing the window. But wait a second, I failed to notice one thing: when I clicked the image, the page opened a new window.



Interestingly, the new window is so small that it is not noticeable. So pressing the shortcut keys copies the URL of the new window and closes it. The URL contains the victim's authentication token.


Victims who fail to notice the window and follow the instructions soon find themselves victims of the Facebook spam post. The spam is posted on the victim's wall using the hijacked authentication token.

Twitter Spammers abuse Google search


A few days ago we reported on a new spam campaign that abuses open-redirect vulnerabilities in popular websites including CNN, Yahoo and Ask.com.

Today, security researcher Janne Ahlberg discovered another spam campaign that abuses Google search to spread scam websites.

"check google hxxx://www.google.com/search?q=17 Pounds site:theconsumerhealth.com&wjuyoqlvxz … and learn the right way to reduce 20 lbs in less than 29 days" One of the spam tweet reads.


"see google hxxx://www.google.com/search?q=%43%6C%65%61%6E%73%65%20%73%69%74%65%3A%74%68%65%63%6F%6E%73%75%6D%65%72%68%65%61%6C%74%68%2E%63%6F%6D&dkjgosnihm … and find out the best way to lose 22 lbs within just 29 days" another tweet reads.

"lol already lost 4 pounds in 5 days!! that web page I found at google hxxx://www.google.com/search?q=Burns site:theconsumerhealth.com&yfmnqzfvpr … is truly beneficial"

Unlike the previous spam campaigns, here the cybercriminals lure victims to their site by getting them to look at Google search results. The spammers cleverly used the "site:" keyword to restrict the results to the specified domain.


"site:" is a keyword that restricts a search to a particular site and lists only results from that site. For example, "spam site:ehackingnews.com" finds pages about spam within ehackingnews.com.

So, when a victim follows the link, he sees only results from the spammer's website. The technique helps cybercriminals bypass malicious-URL filtering.
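
A URL filter can close this gap by decoding the search query and checking the domain named by the "site:" operator. The sketch below is an added example, not code from the campaign or from any vendor; the blocklist and the list of search hosts are assumptions, and the sample URLs are the defanged ones quoted in the tweets above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for the example: the filter's blocklist holds the domain from the tweets.
BLOCKED_DOMAINS = {"theconsumerhealth.com"}
# Assumption: hosts whose /search URLs are inspected.
SEARCH_HOSTS = {"google.com", "www.google.com"}

# "site:" only counts as an operator at the start of a query term.
SITE_OPERATOR = re.compile(r"(?<!\S)site:([a-z0-9.-]+)", re.IGNORECASE)

# Sample URLs as quoted in the article (defanged "hxxx" scheme kept as-is).
PLAIN = "hxxx://www.google.com/search?q=17 Pounds site:theconsumerhealth.com&wjuyoqlvxz"
ENCODED = ("hxxx://www.google.com/search?q=%43%6C%65%61%6E%73%65%20%73%69%74%65%3A"
           "%74%68%65%63%6F%6E%73%75%6D%65%72%68%65%61%6C%74%68%2E%63%6F%6D&dkjgosnihm")
# Constructed benign control, based on the article's own "site:" illustration.
BENIGN = "https://www.google.com/search?q=spam+site:ehackingnews.com"


def site_restricted_domains(url):
    """Return the domains named by site: operators in a search URL's q parameter."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return []
    if (parts.hostname or "").lower() not in SEARCH_HOSTS or parts.path != "/search":
        return []
    domains = []
    # parse_qs percent-decodes the value, so %73%69%74%65%3A... becomes "site:...".
    for query in parse_qs(parts.query).get("q", []):
        for match in SITE_OPERATOR.finditer(query):
            domain = match.group(1).lower().rstrip(".")
            if domain not in domains:
                domains.append(domain)
    return domains


def is_blocked(domain):
    """True for a blocklisted domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)


def verdict(url):
    """('block', [domains]) when the search is pinned to a blocklisted site, else ('allow', [])."""
    hits = [d for d in site_restricted_domains(url) if is_blocked(d)]
    return ("block", hits) if hits else ("allow", [])


if __name__ == "__main__":
    for sample in (PLAIN, ENCODED, BENIGN):
        print(verdict(sample), sample[:60])
```

The percent-encoded tweet and the plain one resolve to the same domain, so encoding the query does not get past the check.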

Diet Spam now exploits ask.com open redirect vulnerability


Yes, one cannot simply ignore open redirect vulnerabilities. For those who think an open redirect is not a critical bug, the recent spam campaign is the best example of how low-severity bugs can be abused by cybercriminals.

"These issues are not a direct threat to the site itself. Users are targets - sites should protect them, " Security researcher Janne Ahlberg said.

A few days ago we reported that spammers were exploiting CNN's open redirect vulnerability to spread diet spam. CNN fixed the bug after we managed to contact them with the help of Mikko Hyppönen.

However, I know fixing the bug at CNN is not going to stop the campaign. Plenty of top websites are vulnerable to the open-redirect security flaw. So, cybercriminals always find another open door once we close one.

Today, we were notified by Janne that attackers are now exploiting the open redirect bug in Ask.com, one of the top web search engines, which has an Alexa rank of 29.


The attackers are using the same tweet content but have changed the link.

"I plan to lose atleast 40 pounds with your diet program! hxxx://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&sv=0a5c407b&ip=5f19241a&id=94E847AC91F239E2B20A30571533AFB0&q=How+long+did+Mark+Twain+insist+his+life+story+go+unpublished%3F&p=1&qs=3045&ac=254&g=1a39vz0X%y%zxm&en=qotd&io=0&ep=&eo=&b=a001&bc=&br=&tp=171&ec=1&pt=hxxx://tumblrhealth.me&ex=&url=&u=hxxx://tumblrhealth.me …"

Apparently, the vulnerability was reported to the company by a security researcher, sony, in 2010, but they failed to fix it.

I have also discovered that CNN has one more unfixed open redirect security flaw:
"http://cgi.money.cnn.com/tools/redirect.jsp?url=http://www.google.com"

Plenty of websites fail to take care of their security. They don't even have an email address or a contact form for sending bug reports. It is time to create an email address specifically for reporting bugs, e.g. Security@ Your-site .com
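
One way a site can close a redirector like the ones above is to validate the target against an allowlist before issuing the redirect. This is an added example, not CNN's or Ask.com's actual fix; the allowed hosts, the fallback path and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for the example: the only hosts this site may redirect to.
ALLOWED_HOSTS = frozenset({"www.cnn.com", "money.cnn.com"})
# Assumption: where to send the visitor when the requested target is rejected.
FALLBACK = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return `raw` if it is a same-site path or an allowlisted http(s) URL, else FALLBACK."""
    if not raw:
        return FALLBACK
    target = raw.strip()
    # Browsers read "\" as "/" and drop tab/CR/LF, so "/\host" can leave the site.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a path rooted at a single "/".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    # Absolute or scheme-relative target ("//host/..." has a netloc but no scheme).
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # "https://www.cnn.com@other.host/" puts the trusted name in the userinfo part.
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match only: "www.cnn.com.other.host" must not pass a suffix or prefix test.
    return target if host in allowed_hosts else FALLBACK


if __name__ == "__main__":
    # Constructed inputs: the first is the target from the redirect.jsp URL above.
    for candidate in ("http://www.google.com", "//tumblrhealth.me/x",
                      "https://money.cnn.com/tools/", "/tools/page?x=1"):
        print(repr(candidate), "->", repr(safe_redirect_target(candidate)))
```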

CyberCriminals leverage CNN Open Redirect vulnerability for spreading spam

Today, I (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top news organizations, CNN.

"The diet porgram you told us about yesterday is soo good! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me" One of the tweets posted from the spammers' twitter account reads.

The tweet apparently shows that cybercriminals managed to leverage the open redirect security flaw in CNN's site to redirect Twitter users to the diet spam websites.


"I love myself even more after I started your diet porgram [link]" spam tweets read.  "Yahoo made an article about how amazing your new diet program is!! You look amazing" 

The technique provides several advantages to the cybercriminals, including:
  • Gaining the trust of users
  • URL filtering won't block users from accessing the URL, because the request goes to CNN. The CNN website then redirects the user to the scam website.

After further research, I discovered that the spammers have also managed to exploit the open redirection security flaw in Yahoo.

"hxxx://us.ard.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555/D=regst/S=150002347:R2/Y=YAHOO/EXP=1275539597/L=hnNys0Kjqbp5Cok8Sr10cAJDTPYa3UwHFG0AANhn/B=VSDoPmKJiUs-/J=1275532397077354/K=rS6pwy3MN2NPP7SBqBCOAQ/A=6097785/R=0/SIG=11o4aqdmv/*hxxx://bit.ly/HealthDiet2"

This is not the first time the CNN website has been abused by cybercriminals. In 2010, spammers exploited the open-redirect vulnerability in "ads.cnn.com".
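
Because the filter only sees the trusted outer host, it has to look inside the URL for the real destination. The following is an added example, not taken from any filtering product: it pulls embedded destinations out of query values (CNN, Ask.com) and out of the path (the Yahoo "*" form). The blocklist and the three-way verdict are assumptions, and the Ask.com and Yahoo samples are abridged from the URLs quoted in these posts.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption for the example: the filter's blocklist holds the scam domain from the tweets.
BLOCKED_DOMAINS = {"tumblrhealth.me"}

# An absolute URL carried inside another URL; "hxxx" covers the article's defanged samples.
EMBEDDED_URL = re.compile(r"(?:https?|hxxx+)://[^\s\"'<>]+", re.IGNORECASE)

CNN = "hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me"
# Abridged from the Ask.com tweet: most tracking parameters dropped.
ASK = ("hxxx://wzus1.ask.com/r?t=p&d=us&q=How+long+did+Mark+Twain+insist+his+life+story"
       "+go+unpublished%3F&pt=hxxx://tumblrhealth.me&ex=&url=&u=hxxx://tumblrhealth.me")
# Abridged from the Yahoo URL: several path segments dropped.
YAHOO = ("hxxx://us.ard.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555"
         "/D=regst/S=150002347:R2/Y=YAHOO/EXP=1275539597/*hxxx://bit.ly/HealthDiet2")


def fully_unquote(text, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded destination is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def host_of(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def embedded_destinations(url):
    """Hosts of absolute URLs carried in the query values or path of `url`."""
    try:
        outer = urlsplit(url.strip())
    except ValueError:
        return []
    outer_host = (outer.hostname or "").lower()
    carriers = [value for _, value in parse_qsl(outer.query, keep_blank_values=True)]
    carriers.append(outer.path)  # the Yahoo form keeps the destination in the path
    hosts = []
    for text in carriers:
        for match in EMBEDDED_URL.finditer(fully_unquote(text)):
            host = host_of(match.group(0))
            if host and host != outer_host and host not in hosts:
                hosts.append(host)
    return hosts


def is_blocked(host):
    """True for a blocklisted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify(url):
    """'block' if the outer or an embedded host is blocklisted, 'review' if the URL
    merely forwards to another host, otherwise 'allow'."""
    embedded = embedded_destinations(url)
    if is_blocked(host_of(url)) or any(is_blocked(h) for h in embedded):
        return "block"
    return "review" if embedded else "allow"


if __name__ == "__main__":
    for sample in (CNN, ASK, YAHOO):
        print(classify(sample), embedded_destinations(sample))
```

The Yahoo sample comes back as "review" rather than "block" because its embedded destination is itself a URL shortener that would have to be resolved before a final verdict.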

*Update: security researcher Janne Ahlberg discovered that @50Cent, who has 7.6M followers, fell victim to this spam campaign and retweeted the spam tweet:


The screenshot apparently shows the tweet posted on 23rd May 2013.  At the time of writing, the tweet still appears in the account.

*Update 2:
It appears the cybercriminals' campaign, which mentions various celebrities and media organizations in its tweets, is succeeding: one more celebrity has fallen victim to the spam campaign.

"“@honshadey: @ChiefKeef So happy you released a diet program! THANKS! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me …”Bitch U Know i aint Got no Diet Program" Keith Cozart, better known by his stage name Chief Keef, an American rapper from Chicago, replied to the spam tweet.

Unfortunately, more than 400 followers have retweeted the post, which helps the spammers spread their campaign.

Amazon order confirmation spam promises 55" TV set but delivers malware

Cybercriminals are now sending out Amazon order confirmation mails that promise a 55" TV set but instead lead recipients to a malicious webpage.

Bitdefender Lab came across such crafted emails, which appear to confirm the order of 55” TVs from brands including Sony, LG, Samsung, Panasonic and Toshiba.

The malicious page attempts to exploit a vulnerability in the victim's system. It usually succeeds, since many users fail to keep their software updated. After successful exploitation, the page drops the malware.

Researchers also came across a spam mail purportedly coming from PayPal regarding payments to chip Eubank.

Scammer who stole financial info arrested by CIB


An alleged scammer responsible for stealing the personal data of more than 10,000k people through a spam mail pretending to be from the Bureau of National Health Insurance has been arrested in China.

The suspect, surnamed Pan, tricked victims into downloading and opening an attachment containing malicious software that allowed him to steal personal data from the affected computers.

According to a China Post report, he used a few techniques to avoid antivirus detection and tested his malware numerous times before launching the real attack.

The Criminal Investigation Bureau (CIB) said he had stolen "vast amounts of classified financial information from location companies". He then used those details to access online banking accounts and commit credit card fraud.