Mobile Malware Scam iSexPlayer Wants Your Money

A bogus media player (iSexPlayer.jar) targeting Symbian S60 3rd edition devices according to several affected parties, is currently being spammed through blackhat search engine optimization. Once infected upon confirming its execution since it's doesn't seem to be exploiting a specific vulnerability besides "bargain hunters" desire for free adult material, the malware attempts to trick the user into participating by becoming a member, however, a quick peek the source code reveals interesting facts about the scam.

For instance, once providing them with your credit card details and basically wanting to try out the service, it appears that there's no way out of it which is a problem since "Trial membership recur at $US 29.95 unless cancelled, Monthly membership recur unless cancelled" and also, "Do you want full access to all pictures and videos? Cost is 2 Euros, charged 100% descreet on your phone bill over SMS. Please allow iSexPlayer to send SMS".

The spammed through blackhat SEO sites are currently active, and perhaps a bit ironic, once you make any transaction with these people, anything that goes on at a later stage such as automatic calling or sms-sing to squeeze your bill, may be in fact legal since you authorized it.

Symbian Freak has some details, as well as an affected party :

"Last week, I had lend my N73 to one of my friends for use as he had lost his phone. I did not know what he did, but I checked my bills today and see some International calls made that amount to around 20USD. That is around 800 Indian rupees. To check, I called the number and learnt that it was a phone sex line. Now it was time for my friend to answer. The thirteen calls were made during a period spanning two days. On an average there were 7 calls a day. Now, the thing that struck me is, going by the call records, the calls on the second day were made when I had the phone with me. I am pretty sure no one dialled the numbers. I called my buddy and asked him if he had downloaded something. He then spilled the beans informing that he did go to some adult website and installed a software (I do not recall the name)."

The name of the "software" as I've already pointed out is iSexPlayer. Let's dissect the scammers and their sites currently spammed across 100,000 sites using blackhat SEO tactics. Related domains sharing the same IP and internal pages :

3g6.se
3gx.se
conn2.3g6.se
conn2.3g6.se
test.3gx.se

83.241.194.132 (83.241.194.128-83.241.194.191 DGC-DIRECT2-01 Direct2Internet AB - Internet Access Located in Johanneshov, Sweden)

3g6.se/dstream.php
3g6.se/newplayerdl.php
3g6.se/chrono/callback.php
secure.chronopay.com/index.cgi

The scammer's pitch :

"Free access to: - 500 Hardcore scenes - 100 Full lenght movies - Picture galleries Important! To install iSexplayer you must be at least 18 years old. You must install and run iSexplayer™ access module to watch the videos on Nintendo DS, You must install and run iSexplayer™ access module to watch the videos on Apple iPhone, Install iSexplayer"

Upon attempting to download the .jar file from the mobile page, the iSexPlayer.php does the magic like that :

"MIDlet-1: iSexPlayer,/icon.png,Easyloader
MIDlet-Install-Notify: http://3g6.se/install_notify.php?id=1322451
MIDlet-Jar-Size: 101313
MIDlet-Jar-URL: http://3g6.se/iSexPlayer.jar
MIDlet-Name: iSexPlayer
MIDlet-Vendor: Vendor
MIDlet-Version: 1.0
MicroEdition-Configuration: CLDC-1.0
MicroEdition-Profile: MIDP-2.0
did: 1322451
did2: 9416755"

Who's behind the scam?

"c_javax_microedition_lcdui_Form_fld.append("\niSexPlayer is owned by: ");
c_javax_microedition_lcdui_Form_fld.append("\nEnit Invest S.L. "); 
c_javax_microedition_lcdui_Form_fld.append("\nweb: enitinvest.com ");
c_javax_microedition_lcdui_Form_fld.append("\nemail: support@enitinvest.com ");
c_javax_microedition_lcdui_Form_fld.append("\nTel: 1-800-845-4951 ");"

Enit Invest S.L.
Av. Machupichu 26, S 18
28043 Madrid
email: support@enitinvest.com
Tel: 1-800-845-4951

And since I'm sure that there are more juicy details within the source code further exposing their scammy practices, which you should not authorize in any way, just like you wouldn't really like making a long call on a premium rate number thanks to having a malware infected phone, once more details are gathered, particularly its compatibility with devices, they'll be posted.

Storm Worm's U.S Invasion of Iran Campaign

The Storm Worm-ers are keeping themselves busy, with two campaigns in less than a week, following the latest on the 4th of July. Now, they are spreading rumors of a U.S invasion in Iran :



"Just now US Army's Delta Force and U.S. Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran's Army resistance. The video made by US soldier was received today morning. Click on the video to see first minutes of the beginning of the World War III. God save us."



The campaign is using the following domains :

statenewsworld .com

morenewsonline .com

dailydotnews .com

dotdailynews .com

newsworldnow .com

All registered by the same individual :

ONLINE  CO REANIMATOR (dfgdgf@gmail.com)

REVA 13-27 Deribaska 3565,198346 DZ Tel. +321.3568872



Sample detection rate :

iran_occupation.exe

Scanners Result: 4/33 (12.13%)

File size: 118273 bytes

MD5...: 19ab8f1dddb743c1dc2924cb61d3f877

SHA1..: e0915f377020479ba95ffed0fcb07a2b2aec72f4



Storm Worm domains used in recent campaigns, still parked on infected hosts :



superlovelyric .com

bestlovelyric .com

makingloveworld .com

statenewsworld .com

wholoveguide .com

gonelovelife .com

loveisknowlege .com

lovekingonline .com

lovemarkonline .com

wholefireworksonline .com

morenewsonline .com

makingadore .com

greatadore .com

yourfireworksstore .com

loveoursite .com

dayfireworkssite .com

musiconelove .com

knowholove .com

whoisknowlove .com

theplaylove .com

lovelifecash .com

wantcherish .com

shelovehimtoo .com

makeloveforever .com

bellestarfireworks .com

yourfireworks .com

worldbestfireworks .com

greatfireworkslaws .com

dailydotnews .com

dotdailynews .com

wholovedirect .com

newsworldnow .com

thefireworksjuly .com

grupogaleria .cn

polkerdesign .cn   

nationwide2u .cn

activeware .cn

grupogaleria .cn

likethisone1 .com

lollypopycandy .com

nationwide2u .cn

polkerdesign .cn

verynicebank .com

thefireworksjuly .com

wholefireworksonline .com

worldbestfireworks .com

yourfireworks .com

bellestarfireworks .com

dayfireworkssite .com

greatfireworkslaws .com

yourfireworksstore .com



The "best" is yet to come.



Related posts :

Storm Worm Hosting Pharmaceutical Scams

All You Need is Storm Worm's Love

Social Engineering and Malware

Storm Worm Switching Propagation Vectors

Storm Worm's use of Dropped Domains

Offensive Storm Worm Obfuscation

Storm Worm's Fast Flux Networks

Storm Worm's St. Valentine Campaign

Storm Worm's DDoS Attitude

Riders on the Storm Worm

The Storm Worm Malware Back in the Game

Fake Porn Sites Serving Malware - Part Two

This summary is not available. Please click here to view the post.

The Risks of Outdated Situational Awareness

It's been two months since I analyzed the proprietary email and personal information harvesting tool targeting major career web sites - "Major career web sites hit by spammers attack", received comments from Seek.com.au and Careerbuilder.com, communicated all the actionable intelligence in terms of the bogus accounts used and the related IPs to the career web sites that bothered to show interest in the attack, to come across a ghost story today - Jobsite hack used to market identity harvesting services :



"A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseakers has been placed at risk, according to net security firm PrevX."



All your CV are NOT belong to us, All your CV are ALREADY belong to us.

The ICANN Responds to the DNS Hijacking, Its Blog Under Attack

Last week, the ICANN has issued an official statement regarding last month's DNS hijackings of some of their domains :



"The DNS redirect was a result of an attack on ICANN's registrar's systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.



It would appear the attack was sophisticated, combining both social and technological techniques, but was also limited and focused. The redirect was noticed and corrected within 20 minutes; however it may have taken anywhere up to 48 hours for the redirect to be entirely removed from the Internet. ICANN is confident that the lessons learned and new security measures since introduced will ensure there is not a repeat of this situation in future."



They also mentioned that their Wordpress blog has also been a target of a recent attack automatically exploiting vulnerable Wordpres blogs :



"In a separate and unrelated incident a few days later, attackers used a very recent exploit in popular blogging software Wordpress to target the ICANN blog. The attack was noticed immediately and the blog taken offline while an analysis was run. That analysis pointed to an automated attack. The blogging software has since been patched and no wider impact (except the disappearance of the blog while the analysis was carried out) was noted."



Go through the complete coverage of the incident, the technical details regarding it, and the actionable intelligence obtained for the NetDevilz hacking group, in case you haven't done so already.

Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced

Last week's mass defacement of over 300 Lithuanian sites hosted on the same ISP, an upcoming attack that was largely anticipated due to the on purposely escalated online tensions out of Lithuan's accepted legislation banning communist symbols across the counry, once again demonstrates information warfare building capabilities in action.



Moreover, the attack is again relying on common prerequisites for a successful information warfare campaign, used in the Russia vs Estonia cyberattack last year. These very same Internet PSYOPS tactics ensure the success of the information warfare as a whole :



- start publicly justifying upcoming attacks based on nationalism sentiments, which in a bandwidth empowered (botnets) collectivist society ensures a decent degree of cyber mobilization. In Lithuania's case, the discussions across web forums were on purposely escalated to the point where "if you don't take action, you're not loyal to your country"



-  the media as the battleground for winning the hearts and minds of the bandwidth empowered botnet masters, and position the insult against loyal nationalists next to the daily basis, thereby putting the nationalists in a "stand by" mode prompting them to take actions and to break even. In Estonia's case for instance, news broadcasts of the riots on the streets were on purposely broadcast as often as possible, mostly emphasizing on the nationalist sentiments within the crowds



- prioritizing the attack targets, distributing the targets list and ensuring the coordination in terms of the exact time and data for the attacks to take place is something that didn't happen in the public domain for the mass defacement of Lithuanian sites, the way it happened in the Estonia attack



- utilizing a people's information warfare tactic known as the malicious culture of participation, when everyone's consciously contributing bandwidth to be used/abused by those coordinating the attacks



Also, it's important to point out that by the time they announced their ambitions to attack Lithuania and other countries such as Latvia, Ukraine, and again Estonian sites, they literally put these countries in a "stay tune" mode. Here's a translated statement :



"All the hackers of the country have decided to unite, to counter the impudent actions of Western superpowers. We are fed up with NATO's encroachment on our motherland, we have had enough of Ukrainian politicians who have forgotten their nation and only think about their own interests. And we are fed up with Estonian government institutions that blatantly re-write history and support fascism," says the appeal that is being circulated on Russian Internet forums."



But why would they signal their intentions, compared to keeping them quiet and attack Lithuania surprisingly? Another relevant use of PSYOPS, namely the biased exclusiveness and keeping a non-existent status bar for the upcoming attacks. And since they can launch a coordinated attack at the country at any time without warning about it, this warning was aiming to cause confusion prompting country officials to make public statements that could later on be analyzed and a better attack strategy formed on the basis of what they said they've done to ensure the attacks don't succeed.



If they did launch DDoS attacks compared to defacing over 300 sites hosted on a single ISP, and had warned about the upcoming attacks about a week earlier, successfully shutting down the country's Internet infrastructure would have achieved a double effect, since they did warn them about the attacks, and despite that  they countries couldn't prepate to fight back even though fighting back was futile right from the very beginning.



At least, that's the level of confidence they've build into capabilities.



Related posts:

Right Wing Israeli Hackers Deface Hamas's Site

Monetizing Web Site Defacements

Pro-Serbian Hacktivists Attacking Albanian Web Sites

The Rise of Kosovo Defacement Groups

A Commercial Web Site Defacement Tool

Phishing Tactics Evolving

Web Site Defacement Groups Going Phishing

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists