Sponsored by..

Showing posts with label Google. Show all posts
Showing posts with label Google. Show all posts

Friday, 1 August 2014

NatWest "You have a new Secure Message" spam uses goo.gl links to spread malware

This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:
From:     NatWest [secure.message@natwest.com]
Date:     24 July 2014 10:39
Subject:     You have a new Secure Message

You have received a secure message from NatWest Bank

To read your secure message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.natwest.com/websafe/ml/help?topic=RegEnvelope
The link in the email goes to goo.gl/dGDi7l and the downloads a ZIP file from berkleyequine.com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr which has a VirusTotal detection rate of  just 1/54. The CAMAS report shows that the malware calls out to the following URLs;

94.23.247.202/0108uk1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108uk1/SANDBOXA/1/0/0/
94.23.247.202/0108hk1/SANDBOXA/1/0/0/
94.23.247.202/0108ok1/SANDBOXA/1/0/0/
acanthe.be/css/01u1.rar
dirbeen.com/misc/01u1.rar
porfintengoweb.com/css/heap_61_id3.rar
sso-unidadfinanzas.com/images/heap_61_id3.rar
theothersmag.com/covers/opened.rar
firstfiresystems.com/css/slimbox/opened.rar

The characteristics of this malware are very similar to this one seen yesterday, and you can be assured that there are other goo.gl URLs and download locations in addition to the one listed here.

Because you can see the stats for any goo.gl URL just by adding a "+" on the end, it is possible to see who is clicking through. Oddly, there is not a single clickthrough from the UK where the NatWest bank is actually based.

Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it (I would recommend giving it a go).

Recommended blocklist:
94.23.247.202
acanthe.be
dirbeen.com
porfintengoweb.com
sso-unidadfinanzas.com
theothersmag.com
firstfiresystems.com
berkleyequine.com

Thursday, 31 July 2014

"New fax" spam using goo.gl shortening service

Here are a couple of variations of a fax spam using the goo.gl shortening service:

From:     Fax [fax@victimdomain]
Date:     31 July 2014 11:23
Subject:     You've received a new fax

New fax at SCAN5735232 from EPSON by https://victimdomain
Scan date: Thu, 31 Jul 2014 19:23:11 +0900
Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/1rBYjl

(Google Disk Drive is a file hosting service operated by Google, Inc.)

------------------------------

From:     FAX [fax@qcom.co.uk]
Reply-to:     FAX [fax@qcom.co.uk]
 fax@localhost
Date:     31 July 2014 10:53
Subject:     You have received a new fax message

You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI

Download file at google disk drive service - dropbox.

https://goo.gl/t8jteI

_________________________________
File is scanned image in PDF format.
Adobe(A) Reader(R) can be downloaded from the following URL: https://www.adobe.com/
There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware.

I've seen three different URLs:
goo.gl/1rBYjl
goo.gl/t8jteI
goo.gl/RmGnbr


These lead to the following download locations:
pinkfeatherproductions.com/wp-content/uploads/2014/06/Document-95722.zip
autoescuelajoaquin.com/images/Document-95722.zip

esys-comm.ro/images/Document-95722.zip

Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware reaches out to the following locations to download further components:
andribus.com/images/images.rar
owenscrandall.com/images/images.rar


Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:



164 clicks isn't a lot, but there are multiple URLs in use.

Recommended blocklist:
andribus.com
owenscrandall.com
esys-comm.ro
autoescuelajoaquin.com
pinkfeatherproductions.com

Wednesday, 16 July 2014

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox as the spam says)

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.
I have seen three goo.gl URLs leading to three different download locations, as follows

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components form the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/


An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com

Monday, 28 October 2013

Google Ads and #FFF7ED.. what's wrong with this picture?

So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.

Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most expensive search terms to advertise for).

The first three results are advertisements, they are displayed on a very pale pink background with a hex colour of #FFF7ED (compared to #FFFFFF for pure white). Can you see them?

The answer seems to be.. some people can, and some people can't. Now, I am colour blind.. but sometimes I can see the background, but other times it appears to be completely invisible. It really seems to depend on the monitor that I'm using.. it does seem that quite a lot of displays are very poor at displaying that particular colour.

Frankly this sort of thing is poor design, with very similar contrast levels between the two areas that are meant to be distinguishable. The coloured area is about 97% of the brightness of the white area, which isn't enough to make it clear in my opinion.

Just in case you can't see the ads, here's the same screenshot with a histogram equalise function applied.

Here are the two colours side-by-side. You might find that moving your head from side-to-side will make the colour more apparent, but on some monitors it makes no difference.

The pink background is on the left. Can you see it? On some monitors I can, but on others I can't. So, let's take a photo of one of the monitors that seems to be struggling.

Can you see the difference now? Almost definitely not, because the slight red cast has vanished. And it isn't just one monitor either, this seems to be common among many different monitors that I have looked at. By and large, all these monitors are set to their default settings, but some fiddling around can usually make the background more apparent.. usually at the cost of some weird colours elsewhere.

There is of course a security issue here.. many of these ads lead are rather misleading. Do a search for download skype (or any other free download) and check the ads that appear (some of which are on the top rather than the side). Do you really want to click those?



No, you probably don't.. but there's a danger with more obscure software that you could end up downloading something that you don't want because the ads are not always easily distinguishable from the real search results. And I have certainly noticed an uptick in crapware installations for people who thought they were downloading an official version of something, only to discover that they are not.

And yes, I do know that the ads shows "Ads related to.." above them, but how many ads are there? One? Two? Three? If you can't see the colour then it is hard to tell.

Has something changed? Has Google deliberately chosen a colour that is hard to make out on some monitors? Or do some monitors (and these are mostly mainstream Dell units) have very poor colour fidelity? What do people thing?

Wednesday, 14 August 2013

Gmail Compose.. another app screwed up by Google

If you use Gmail then you've probably seen the "new compose" experience before. And turned it off. Well, Google never listed to feedback now Gmail joins a long list of applications that Google have screwed up, including Blogger, Google Play Music, Google Maps for Android and don't get me started on Google Reader and iGoogle.


The new compose experience attempts to be minimalist, but in reality it's either too small, or too big. If you are reply to a message then you get a tiny box at the bottom of the screen, a long way from the top of the email you are trying to reply to. And all the usual buttons have been hidden away because.. well, goodness only knows. It's a mess.

With these latest bodged updates, I really think that Google is jumping the shark and changing applications for no good reason at all. Android in particular is becoming a disaster area with important apps being screwed up completely. Perhaps it's time to buy a Lumia?

Thursday, 9 May 2013

Experiment: There may be confidential content in your search results. Please do not share outside Google.

Well.. this is a weird thing to see when searching YouTube..


"Experiment: There may be confidential content in your search results. Please do not share outside Google." Yeah, I think something went a bit wrong there..

Monday, 23 April 2012

I love this..

St George's Day and the 30th Anniversary of the ZX Spectrum.. Google have managed to combine both into one logo.. I love it!

Friday, 13 May 2011

New Blogger logo

Google unveiled a new Blogger logo today to reflect their two day outage (another triumph for cloud computing).

Wednesday, 6 October 2010

F35 Fighters.. going cheap!

The F35 is an advanced US built fighter that the UK may or may not buy to put on aircraft carriers that it may or may not build. These things cost £70 million a pop and given the current budget constraints, it looks likely that some or all of the order will be cut.

Fear not.. there's a way of getting F35's cheaper than the list price.. simply Google 'em and you'll get an ad saying:
F 35 Fighters Cheap
Best Value for F 35 Fighters.
Find NexTag Sellers' Lowest Price!
www.NexTag.co.uk

Problem solved! Simply go to a shopping comparison site. Apart from the fact that NexTag don't have such things in their inventories (they do have a scale model though.. whoo!). Indeed, NexTag does run an awful lot of crappy ads for products that they don't have.. so why does Google tolerate them? And how much do you have to pay to advertise a £70m aircraft anyway?

Friday, 5 February 2010

www.dynamoo.com/blog is now blog.dynamoo.com

Because of Google's sucky decision to terminate their sucky FTP publishing service, you might notice that the URL of this blog has changed from www.dynamoo.com/blog to blog.dynamoo.com.

Everything is lashed together with symbolic links and .htaccess files for now, if you notice anything odd then contact me.

Thursday, 4 February 2010

Using Google Images to fight fraud

A great post from the guys at F-Secure about how an employee used Google Images to stop being ripped off. Probably a good tip to stop getting defrauded at auction sites.

Tuesday, 2 February 2010

Pathetic


A multibillion dollar company operated by a bunch of f*cking amateurs.

In particular.. the bit that says "We are building a migration tool", but for some unfathomable reason we have decided to kick off this change before it's ready. Sure, Blogger is a free platform and I could always ask for my money back.

Another favourite is: "only .5% of active blogs are published via FTP".. and the reason for this is that for the past couple of years Blogger's FTP service has become increasingly unreliable for no particular reason.

Unfortunately, anyone who had business dealings with Google that involve real money will know that the the f*ck you attitude to customer service is very much ingrained in Google. To a certain extent, being jerked around when you are not paying for the service is one thing.. but business partners in things like advertising, YouTube and enterprise applications also suffer the same thing.

Yes, Google is still often awesome. But sometimes, like this time, it's just pathetic.

Friday, 15 January 2010

Aurora

According to McAfee, the attack on Google and several other tech companies that led to the likelihood that Google will quit China was called "Aurora" by the bad guys.

The cruiser "Aurora" signalled the start of the Russian Revolution in St Petersburg in 1917.. I wonder if this name was chosen deliberately when the attackers targeted some of the West's biggest tech companies?

Image source

Friday, 27 November 2009

Mystery Google Toothbrush Mystery

Mystery Google is old news for many.. basically you get the search results that the previous person had typed in, and the possibility of being redirected to a malware site seeded by the previous person is a legitimate concern.



Just out of curiosity, I was poking around at it and got the folllowing message:
mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com
Of course, there are no matches for "mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com".. except there are now I blogged about it.

Now, only a complete nutjob would actually follow these instructions. So here's my effort:
There was an old battered toothbrush
It was ancient and didn't get used much
You'd be willing to bet
That because of neglect
The owner's teeth surely are now mush
Well.. it sort of rhymes. Let's see if that mailbox actually exists.. it does! :)

Wednesday, 4 November 2009

Monday, 19 October 2009

Google indexing private Google Voice transcripts?

A disturbing item from the Boy Genius Report indicates that seemingly private Google Voice transcripts are appearing in Google search results with a seemingly simple search string. Although some of these are "test" messages, one or two do seem to be the real deal. Oops.









Tuesday, 14 July 2009

43.gs: massive Google SERPs poisoning

I can't tell if this is accidental or deliberate, but there are a whole bunch of spam entries in Google for the 43.gs domain as you can see from this search.

It looks like some sort of redirect or copy, but the odd thing is that the 43.gs subdomain actually points to the legitimate server.

For example, ethviumvthvie.43.gs resolves as 198.246.98.21 which belongs to the US Centers for Disease Control (CDC). For some reason, the CDC server accepts requests for ethviumvthvie.43.gs as a request to display the genuine website.

As a result, Google has about 3.2 million results for 43.gs subdomains, all of which are duplicates of existing sites.

It looks like 43.gs offers some sort of legitimate URL shortening service based on subdomain names rather than the more common tinurl/bit.ly. Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad?

43.gs is showing a small bump in traffic recently, perhaps as a result of this?

Presumably there is a way of telling your web server to reject this kind of request.

Tuesday, 23 September 2008

T-Mobile G1

It's kind of hard to tell if the T-Mobile G1 is the next big thing or just some sort of damp squib. It may not look as impressive as the iPhone on the top, but underneath the G1's Android operating system looks promising.

Oddly enough, it got me thinking about how I use my own phone.. and I tend to use web access more than anything else, but make only a couple of phone calls on it a week, sometimes I will listed to music or snap a photograph. I think I tried video calling once. So perhaps this G1 thingie is actually more in line with what a lot of sad geeky people like me actually want.

Anyway, this comes out in October in the US, November in the UK and early next year for other T-Mobile customers. Some more pictures are here.

Thursday, 5 June 2008

Googling for SQL injection infected sites

A very rough and ready Google search shows (warning: results may lead to malware) 792,000 pages that were infected when Google visited the site. Sites that say "This site may harm your computer." can be considered as persistent offenders. Note also that the search results may have some false positives.

All very interesting, you might think. But if you work in an IT department, it can be very useful to find sites that your users might visit so that you can take action.. or perhaps you can even check your own business.

In this current round of attacks, the bad javascript file is called b.js, so you can find a lot of infected sites by Googling for "script src" b.js (you need to include the quotes). That gives hundreds of thousands of matches.

One obvious check is to add your company name, for example "script src" b.js "oceanic airlines", but Google is cleverer than that. If you use the "inurl" function, then you can search for sites in certain TLDs or with certain names. For example "script src" b.js inurl:gov lists several government sites, "script src" b.js inurl:oceanic would find results on sites such as oceanic-air.com, oceanicair.net, oceanic-air.co.uk.

You can narrow down results by country by using the Advanced Search (or you could just use the "national" Google site such as google.co.uk, google.ca etc). You can use other search engines too, but really Google has the most powerful searching options.

Of course, if you want to confirm if the site is still infected, then you will need to visit it. If you don't want all the hassle of firing up a Linux box, then one safe tool is SamSpade for Windows which allows you to look at the underlying HTML safely. It's a pretty old tool, and not perfect, but very useful for a number of tasks. Alternatively, WGET for Windows is more powerful and it allows you to download files in a command line (although care needs to be taken once they are on your machine). I tend to use both.