Bredolab Botnet Still Active

More Tax Payment malware news today, with a resurgence of the Bredolab botnet.

Our MessageLabs Anti-Virus Service reported a suspicious email, similar to the one described in yesterday’s Tax Spam Malware Warning. The message title was once again “Your Tax Payment ID [Random Number] is failed”.

This time Symantec reported it as Trojan.Bredolab, which suggests a resurfacing of the Bredolab botnet.

The Bredolab botnet was partially dismantled in October 2010, when Dutch law enforcement seized 143 command and control servers and so removed the botnet herder’s ability to control the botnet centrally. Although the botnet’s size and capacity were severely reduced by that intervention, the infected machines did not disappear with the servers, and detections such as this one show that it has not gone away.

A PC infected with Bredolab is affected in several ways, as the malware:

  • Downloads more malware on to the compromised computer
  • Lowers the security settings on the infected computer
  • May result in file deletion

If your anti-virus software or mail gateway informs you that it has detected Bredolab, follow its instructions and do not open any of the affected files. To make sure that your machine does not get infected, keep your anti-virus software switched on and its signatures up to date.

Tax Spam Malware Warning

The spam filters are currently working overtime catching dubious email messages claiming that tax payments have failed. As you might expect, this is a Tax Spam Malware Warning, so take care before opening anything that tells you that your tax payment failed.

This email, which purports to be from the US tax payment service Electronic Federal Tax Payment System (EFTPS), claims that the recipient’s tax payment has been rejected due to a submission error. The message, whose sender address and link appear to be genuine EFTPS addresses, asks the recipient to click the link to review details of the error.

Obviously the email is not from the EFTPS, and the link in the message has been disguised so that it appears to point to the genuine EFTPS website. In fact, it is a phishing scam designed to steal personal information from recipients, and the attachment carries malware. A sample of the email appears below:

Your Tax Payment ID [random number] is failed

Your Federal Tax Payment ID: 32127292 has been rejected.
Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.

Please, check the information to get details about your company payment in transaction contacts section:

attach name = report.18653.pdf

In other way forward information to your accountant adviser.
EFTPS:
The Electronic Federal Tax Payment System
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

Attempting to open the attached file will result in a malware loader executing. This is detected by Sophos Anti-Virus as ‘Virus/Spyware Mal/FakeAV-OQ’.

The grammatical errors should give you a clue to the bogus source of this Tax Spam Malware. Do not click on any links in this email or open any attachments. Flag it as spam and press delete!
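As an added example (it is not code from this blog or from any mail gateway vendor), the Python script below shows three checks a mail filter could apply to the lure described in this post and in the Bredolab post above: the known subject pattern, anchor text that names one host while the href really points somewhere else, and an attachment named like a PDF whose bytes do not start with a PDF header. The sample message is constructed here to resemble the quoted mail; the sender domain eftps.example, the link target 198.51.100.7 and the attachment bytes are placeholders, not real indicators.

```python
import re
from typing import Optional
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject line quoted in both posts: "Your Tax Payment ID [random number] is failed".
SUBJECT_RE = re.compile(r"^Your Tax Payment ID \d+ is failed$", re.IGNORECASE)
# Attachment name shown in the sample mail: report.<digits>.pdf
ATTACH_NAME_RE = re.compile(r"^report\.\d+\.pdf$", re.IGNORECASE)
# Something that looks like a hostname inside the visible text of a link.
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Anchors whose visible text names a host other than the one the href points to."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for href, text in collector.links:
        shown = HOST_IN_TEXT_RE.search(text)
        real_host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real_host:
            bad.append((text, href))
    return bad


def suspicious_attachments(msg: Message) -> list[str]:
    """Attachments matching the lure's naming, or claiming .pdf without a %PDF header."""
    bad = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        claims_pdf = name.lower().endswith(".pdf")
        if ATTACH_NAME_RE.match(name) or (claims_pdf and not payload.startswith(b"%PDF")):
            bad.append(name)
    return bad


def score_message(raw: bytes) -> list[str]:
    """Reasons this message looks like the tax-payment lure (empty list if nothing matched)."""
    msg = message_from_bytes(raw)
    reasons = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        reasons.append("subject matches known lure")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for text, href in mismatched_links(body):
                reasons.append(f"link text {text!r} actually points to {href}")
    for name in suspicious_attachments(msg):
        reasons.append(f"suspicious attachment {name}")
    return reasons


def build_sample() -> bytes:
    """Constructed lookalike of the quoted mail; every address and byte here is a placeholder."""
    msg = MIMEMultipart()
    msg["Subject"] = "Your Tax Payment ID 32127292 is failed"
    msg["From"] = "EFTPS <notice@eftps.example>"
    html = (
        "<p>Your Federal Tax Payment ID: 32127292 has been rejected.</p>"
        '<p>Please check the details at <a href="http://198.51.100.7/report.php">'
        "https://www.eftps.example/</a></p>"
    )
    msg.attach(MIMEText(html, "html"))
    # Named like a PDF, but the bytes are not a PDF (placeholder, not a real executable).
    loader = MIMEApplication(b"MZ placeholder bytes", _subtype="pdf")
    loader.add_header("Content-Disposition", "attachment", filename="report.18653.pdf")
    msg.attach(loader)
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in score_message(build_sample()):
        print("FLAG:", reason)
```

The link check only fires when the visible text itself looks like a URL or hostname, which is exactly the disguise this post describes; a link whose text reads “click here” gives it nothing to compare, so it is a complement to, not a replacement for, the signature your gateway already applies. The header check on the attachment is a heuristic: a genuine PDF can still carry an exploit, so a clean header is not a clean bill of health.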

Malware Scripts Added To Websites

A couple of our customers have had their websites hacked this last week, with malicious code (malware) added to several pages. Normal visitors to the site receive a little extra script when they load the page, which good antivirus software will identify as a malware script. Kaspersky Lab identifies the Trojan loader as HEUR:Trojan.Script.Generic, a generic Trojan loader identified by a heuristic algorithm. Other AV products may identify it as the Blackhole Exploit Kit.

Analysis of samples of the inserted code shows some common strings, which can be used to find the script on an infected website. The code appears to have been inserted by an automated script loader, probably a bot that either brute-forces FTP passwords or logs in with FTP credentials stolen from an infected workstation.

< b o d y>< d i v id="w3stats">
< s c r i p t language="JavaScript" type="text/javascript">
window.w3ssss=function(){
=== Script Link and other code removed ===
CheckBody();
< / s c r i p t >< / b o d y >< / h t m l >

A quick Google search reveals that quite a few sites have had this little addition. If you find that your site has been infected, carry out the following actions as soon as possible:

  • Search the code of every page, and of any template or include files, for the string “window.w3ssss”
  • Remove the offending code from all of the pages where it has been installed
  • Change all your site passwords, including FTP, and do so from a machine you know to be clean
  • Monitor the site regularly for reinfection
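
As an added example (not code from this blog), the Python script below automates the first two steps for a site checked out to a local directory: it reports every page carrying the indicator strings quoted above, strips the injected div and script block, and keeps a .bak copy of each file it changes as evidence. The sample page embedded in the script is constructed to carry the same structure as the quoted fragment; the file suffixes it scans and the .bak naming are choices made for this example.

```python
import re
from pathlib import Path

# Indicator strings taken from the injected block quoted above.
INDICATORS = ("window.w3ssss", 'id="w3stats"')

# The injected block as seen in the samples: a <div id="w3stats"> wrapping a script that
# defines window.w3ssss and ends with CheckBody(); the div itself is never closed.
INJECTED_RE = re.compile(
    r'<div\s+id="w3stats">\s*<script[^>]*>.*?window\.w3ssss.*?</script>',
    re.IGNORECASE | re.DOTALL,
)

WEB_SUFFIXES = {".html", ".htm", ".php"}  # assumption: what counts as a page on this site


def find_indicators(html: str) -> list[str]:
    """Which of the known indicator strings appear in this page source."""
    return [ind for ind in INDICATORS if ind in html]


def clean_html(html: str) -> tuple[str, int]:
    """Strip every injected block; returns (cleaned source, number of blocks removed)."""
    return INJECTED_RE.subn("", html)


def scan_tree(root: Path, fix: bool = False) -> dict[str, int]:
    """Walk a site directory; map each infected file to the number of blocks found (and removed if fix)."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in WEB_SUFFIXES or not path.is_file():
            continue
        source = path.read_text(encoding="utf-8", errors="replace")
        if not find_indicators(source):
            continue
        cleaned, removed = clean_html(source)
        report[str(path.relative_to(root))] = removed
        if fix and removed:
            path.with_suffix(path.suffix + ".bak").write_bytes(path.read_bytes())  # keep evidence
            path.write_text(cleaned, encoding="utf-8")
    return report


# Constructed sample page (not a captured one) carrying the same injected structure.
SAMPLE_INFECTED = """<html><head><title>Home</title></head>
<body><div id="w3stats">
<script language="JavaScript" type="text/javascript">
window.w3ssss=function(){ /* link to the exploit kit would be here */ };
CheckBody();
</script></body></html>
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.html").write_text(SAMPLE_INFECTED, encoding="utf-8")
        (site / "about.html").write_text("<html><body>clean</body></html>", encoding="utf-8")
        print(scan_tree(site, fix=True))
        print((site / "index.html").read_text(encoding="utf-8"))
```

Run the scan without fix first to see the extent of the infection, then with fix from the same clean machine you will use to change the FTP password. Because the injector appends its own body and html closing tags, the page left behind may still have stray tags or an original closing tag before the injected one; a quick look at the diff against the .bak copy catches that, and a second scan should report nothing.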

Thousands of website owners are unaware that their sites have been hacked and infected with malware scripts.

Pigeon Loft Metaphors and IE6

Sometimes when we want to challenge an injustice or right a wrong, we face up to the perpetrator, and tell it like it is. This can work if you can identify a single individual or group to address, and it certainly can make us feel better. But what happens if the injustice is systematic or institutional? What about when the problem is government bureaucracy or faceless corporations?

Some decisions by bureaucrats can leave us dazed and confused, like the persistent use of IE6 when there are better and safer browsers out there, downloadable for free. There is no point writing a letter to our MP, because it will never reach the decision makers. We can blog about it but our readership will probably be people who agree with our point of view. We can stage a rooftop protest and make the tabloid newspapers but even if the decision makers read our opinion then it is just the opinion of a crank.

In fact there is only one way that the decision makers will change their minds and come to their senses: when they come round to our point of view of their own accord! So does that mean we just have to wait patiently? No, that means we use the subtle power of metaphor.

What is a Metaphor?

A psychologist walks into a tool store and asks the assistant for a hamerfor. “What’s a hamerfor?” asks the assistant. “Driving in nails!” replies the psychologist. “I will also take a metaphor,” adds the psychologist, and so the assistant, playing along, responds “What’s a metaphor?”. “Driving in ideas,” smiles the psychologist.

Pigeon Loft Metaphors and IE6
For a subtle metaphor involving pigeon lofts, faceless corporations and bureaucracy, click here to read It Could Never Happen Could It?

Spear Phishing Attack Warning

A warning currently circulating in security circles concerns a Spear Phishing attack masquerading as a company virus warning. The object is to trick users into installing malware on their computers, compromising their security.

Phishing is an attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Named after fishing (baiting a hook), the message could claim to be from a bank, an online payment processor or a social media site.

Spear Phishing (sometimes written as Spearphishing) is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. It usually works by impersonating a company employee via e-mail to steal usernames and passwords from colleagues and so gain access to the company systems. The term is commonly used for any targeted email attack, not just phishing for credentials.

The particular attack which is currently circulating attempts to trick users into believing they are downloading an approved anti-virus update from the company’s IT department, to combat a new kind of virus. However, if they do succumb to temptation, they will install a Trojan horse. According to the Sophos Naked Security blog post, Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.

If you ever receive an odd email recommending that you click on a link to install something, check with your IT department to see if the instruction is genuine. They would much rather you checked than put the network at risk from malware infection.

For more details of the Spear Phishing Attack Warning, including a sample email message, click here to view the Sophos Sneaky fake company virus warning

What has Leprechaun Repellent to do with SEO?

The Leprechaun Repellent Keyphrase Guarantee is a popular Search Engine Optimization (SEO) example given by SEOs claiming the moral high ground in the search for customers. So What has Leprechaun Repellent got to do with SEO anyway?

Leprechaun Repellent and SEO
If you are looking into SEO companies, then you probably already know that your business will be looking to rank high in the search engines for a particular keyword or keyphrase. Because people love a guarantee, it is easy for an unscrupulous SEO to offer to get you to the top of Google, Yahoo or MSN, and to demonstrate their competence using obscure phrases. They will give an example like “Search Google for Leprechaun Repellent and see who comes up top!”. Well, news flash!

What has Leprechaun Repellent to do with SEO?
Any company willing to offer a guaranteed SEO service will be keen to show examples of their work. As an SEO customer, you want competitive keyphrases, not obscure and meaningless ones. In other words, keyphrases that people are actually searching for.

Once upon a time Googlewhacking was considered great entertainment, but you would not necessarily want to hire a Googlewhacker for SEO!

Historical Note: A Googlewhack is a type of a contest for finding a Google search query consisting of exactly two words without quotation marks, that returns exactly one hit.(Wikipedia)

Good SEO companies will avoid obscure phrases, while Leprechaun Repellent practitioners will tout them as examples.

So in summary, Leprechaun Repellent is an example of a Keyphrase which is uncompetitive, and so easy to claim a top ranking. Good SEO companies will avoid such phrases, while weaker SEOs will use them as examples of their work. Next time you are thinking about researching SEO companies, ask yourself are their key phrase guarantees competitive, or just Leprechaun Repellent?

Block Spam from WordPress Contact Page

Have you been having trouble with Spam from your Contact Page on your WordPress blog? This is a quick way to Block Spam from a WordPress Contact Page.

Every good website has a Contact page to ensure that users can get their questions answered, and customers can engage before buying goods and services. The trouble is that every bad robot spider trawling the web knows that too, and targets input forms and contact pages. Pretty soon after putting your Contact Page live you can expect to start receiving emails about Viagra, poorly crafted meaningless comments containing back links, or just random strings of characters. While the delete key handles these things quickly and efficiently, the net effect is to dilute our energy, which should be directed at answering the real questions from our customers. What we need is a better solution.

What Stops The Bots?
To stop the spiders from even posting the contact form we need to install a WordPress CAPTCHA plugin. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to ensure that the response is not generated by a computer or Bot. It can be as simple as identifying if a picture of an animal is a cat or a dog, which is easy for a human, but a challenge for a Bot. The most common forms use distorted images of letters and numbers, which the human eye can easily distinguish due to pattern matching capabilities within our brains. Go humans!

How To Block Spam from a WordPress Contact Page
If you are using the Contact Form 7 plugin, there is a Really Simple CAPTCHA plugin which integrates right into Contact Form 7. While not strongly secure, it will at least stop the script kiddies and bots having an open door. To install it, carry out the following steps:

  • In the Plugins section of the Dashboard, click on Add New
  • Search for plugins by the keyword Really Simple CAPTCHA
  • Next to Really Simple CAPTCHA, click on Install Now
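
As an added illustration of the challenge-response idea described above (this is not the Really Simple CAPTCHA plugin’s own code, and it leaves out the image rendering), the Python class below shows the server-side half that any such plugin has to get right: the answer is stored hashed under a random challenge id, only the id goes into the form, and a challenge is accepted at most once and only before its time-to-live runs out. The alphabet, the 300-second TTL and the four-character length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string
import time

# Letters and digits, as in the distorted-image CAPTCHAs described above, minus glyphs
# that are easy to confuse with each other (0/O, 1/I).  Assumption for this example.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "0O1I")
TTL_SECONDS = 300  # assumption: how long an unanswered challenge stays valid


class CaptchaStore:
    """Server-side bookkeeping for an image CAPTCHA: issue a challenge, verify it once, forget it."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock  # injectable so expiry behaviour can be tested
        self._pending: dict[str, tuple[str, float]] = {}  # challenge id -> (hashed answer, expiry)

    @staticmethod
    def _digest(answer: str) -> str:
        return hashlib.sha256(answer.encode("utf-8")).hexdigest()

    def issue(self, length: int = 4) -> tuple[str, str]:
        """Return (challenge_id, answer). Render `answer` into the image; put only the id in the form."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (self._digest(answer), self._clock() + TTL_SECONDS)
        return challenge_id, answer

    def verify(self, challenge_id: str, submitted: str) -> bool:
        """True only for the first correct, unexpired answer to a challenge this store issued."""
        entry = self._pending.pop(challenge_id, None)  # single use, whether or not it matches
        if entry is None:
            return False  # unknown id, already used, or purged
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Normalise the way a human reads the image (case, stray spaces) before comparing.
        guess = self._digest(submitted.strip().upper())
        return hmac.compare_digest(digest, guess)

    def purge_expired(self) -> int:
        """Drop unanswered challenges past their TTL; returns how many were removed."""
        now = self._clock()
        stale = [cid for cid, (_, expires_at) in self._pending.items() if now > expires_at]
        for cid in stale:
            del self._pending[cid]
        return len(stale)


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue()
    print("challenge id for the form:", cid, "| text drawn in the image:", answer)
    print("first submission, lower case:", store.verify(cid, answer.lower()))
    print("replay of the same answer:", store.verify(cid, answer))
```

The caveat in the post still applies: none of this stops an attacker who can read the image, by OCR or by paying a solving service, and a four-character challenge from this 32-symbol alphabet has only about a million possible answers. What the store does guarantee is that a solved challenge cannot be replayed across many submissions, and that a wrong guess burns the challenge rather than allowing repeated tries against the same image.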

What Else Can Block Spam
If the Really Simple CAPTCHA plugin does not meet the requirements, there are a number of other measures we can use to block Spam from WordPress contact pages, including:

  • Secure CAPTCHA, which uses hard to break and easy to read secure CAPTCHA images from SecureCAPTCHA.net.
  • Contact Form by ContactMe.com, which is a fully customizable contact form which automatically adds your contacts to a free online contacts database.
  • Fast Secure Contact Form which supports sending mail to multiple departments, and redirects to any URL after the message is sent.

Hopefully, using one of these methods, we can see the back of spam from the contact page and get back to the business of responding to our customers and genuine visitors.

What is Conversion Rate Optimization?

OK so we have seen SEO, so what is Conversion Rate Optimization or CRO? In the language of Internet Marketing, the process of improving the experience of the visitor in order to convert them into a paying customer is called conversion optimization, or sometimes conversion rate optimization.

So when we have just managed to get our heads round the idea of SEO, why do we need to think about Conversion Rate Optimization? Remember, the primary purpose of web advertising is to get people who might be interested in buying something from you to visit your web site. In other words, to get the greatest number of visitors to email you or call you with their contact information, and ultimately to buy your products and services.

Conversion Rate Optimization is the process of increasing website leads and sales without spending money on attracting more visitors, by reducing your visitor attrition or bounce rate. Another way to look at it is to make more use of the visitors to your site by turning them into customers. Conversion Rate is the proportion of visitors who become committed customers, and we optimize our page or site to improve that proportion.

There are two main approaches to conversion optimization, the first focuses on testing as an approach to discover the best way to increase conversion rates for a landing page, website, or campaign. The second approach focuses on understanding the audience and then creating a targeted message that appeals to that particular demographic. Both approaches are equally valid, and some CRO Experts advise us to use both methods as part of our strategy to convert visitors to customers.

Look out for future marketing postings where we will be taking Conversion Rate Optimization a stage further, and looking at some simple tools to help you turn your visitors into paying customers.

Keylogger virus infects drone plane command centre

The hot news on the blogosphere at the moment is the revelation that a keylogger virus has infected the drone command centre at Creech Air Force Base in Nevada.

Keylogging (or keystroke logging) is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware. A keylogger is used to capture users’ passwords, credit card details and bank account numbers as they type them in; the data is then sent over the web to the fraudsters. Security officials are currently unable to remove the virus completely, as it keeps reinstalling itself, suggesting that the attack vector has not been plugged.

Creech air force base in Nevada is the command centre for the remotely piloted aircraft used in Afghanistan including the Predator drone spyplane-bomber. The Predator is a medium-altitude, long-endurance unmanned aircraft system which is used in Afghanistan and, more controversially, across the border in Pakistan.

This is the latest security breach for the hi-tech remotely piloted vehicle system; the US military has previously found out that Iraqi insurgents were able to capture and record the footage being sent to troops and back to the airbase by cameras on the drones. The insurgents intercepted the video feeds, which were not encrypted, using a $26 piece of Russian software named SkyGrabber. Apparently the encryption for the feeds was left out for performance reasons.

How to change your Email Address on LinkedIn

A fellow LinkedIn colleague recently asked me how to change the email address on a LinkedIn account. As this is not the first time we have been asked this, there are likely more people out there who would like to know how to make this simple change. The good news is that LinkedIn recognize that people need to change their email address from time to time, or even have multiple email addresses, and have made it quick and easy. In fact LinkedIn recommend you add at least one personal address and one work address.

How to change your Email Address on LinkedIn
To add a new email address, when logged in to your LinkedIn account, take the following simple steps:

  • Under your name at the top right of the page click on Settings
  • In the right text column click on Email Addresses
  • Next to Primary Email, click on Change
  • Add your new email address in the email address field, and click Add email address

After adding the new address, go to that email account and click the link in the confirmation email. Add as many addresses as you’d like, following the same steps for each account. Once an email address is validated, you can make it your primary address by selecting it from the list and clicking on Make Primary.

If you are not yet a LinkedIn member and are wondering what this is all about, click here to join LinkedIn today.