Targeting OWA users - A report from the Mailbag
We received a report from Ted of an email campaign targeting OWA users that leads to malware infections, thanks Ted!
UPDATE: Additional information has been provided, there are changing "Subject;" lines and changing obfuscated links for users.
UPDATE 2; ISC contributor Martin Ireland reports message mispelling - "If the OWA message received by server or a user is html text, the word "autentication" can be detected and user alerted, or message be deleted by server etc". Thanks Martin!
UPDATE 3; We've received a few more ISC contributor reports from targeted organizations, and contributor Andrew Yourtchenko had a comment for blocklist mainters and a pointer to a related post last year at Gary Warner's site. His comment was since the ISC "is probably frequented by those who handle these kinds of blocklists, may be useful to draw their explicit attention that there might be users reporting "goodsite.com" - and they should verify before blocking".
Ted's contribution;
Current status: Loading ... queuedwaitingscanningfinishedNOT FOUNDSTOPPED
McAfee
|
5854
|
2010.01.07
|
-
|
McAfee+Artemis
|
5854
|
2010.01.07
|
Artemis!3025B97428A1
|
McAfee-GW-Edition
|
6.8.5
|
2010.01.08
|
Heuristic.BehavesLike.Win32.Trojan.H
|
Current status: finished
Microsoft OfficeOnline, Searching for Trust and Malware
Several readers have commented on today's Websense alert, found here ==> http://securitylabs.websense.com/content/Alerts/3519.aspx?cmpid=slalert
Websense discusses how, if you are on http://office.microsoft.com and use the search functions, you may receive links to sites that are not on Microsoft's domain.
This in itself is not too troubling, but the real issue is that these links are all referral links, which start with http://office.microsoft.com - so they look like they're Microsoft links (if you don't look too closely). Clicking on links within these referred pages may then navigate away from the office.Microsoft lead url.
What Websense reports is that they've found malware, specifically "Fake Antivirus" malware within some of these referral links.
What makes this an issue is that, on the face of it, you might expect a web filtering application to allow these links, as they start with "office.microsoft.com". The Websense apps figure this situation out correctly, but it is an easy thing to miss for the user driving the keyboard and mouse, and I suspect might be an easy thing to miss if you are coding a content control application.
What this highlights is that on the internet, "trust" is often misplaced. When you search on Google, Yahoo or some other large search engine, you do not expect that all the results that you get on a search will be "safe". But in this case of Microsoft's "captive" search function on this page, you can see how people might trust the results based on the url, especially as the search function is worded as "Search Office Online", not "Search the Internet" or "Search for the Answer"
So I guess the message of the day is, be careful who you put your "trust" in !
Surf Safe all !
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago