Comment from the vendors
The Indian Premier League 2010 is a huge attraction for the cricket-crazy population in India. These matches are packed with all the ingredients to entertain, and are capable of satisfying viewers’ hunger for more and more cricket matches. People are ready to buy tickets in all possible ways just to watch their local and international cricket stars play. Symantec was anticipating a spamming campaign against ticket sales during the initial period of the sporting extravaganza; however, it is just halfway through the event and still not too late to lure email users with offers related to IPL tickets.
Symantec has now come across few spam samples that offer free tickets/passes to the recipients. In return, users need to register on a website. After registering with this website, spammers claim that users may receive a free IPL ticket through a lucky draw.
An interesting and unknown feature used by sysadmins around the world in some large corporate networks is the use of proxy-auto config (pac) files. This benign feature is accepted by all modern browsers and is described in detail here. It contains a function to redirect your connection to a specific proxy server.
Unfortunately this simple and smart proxy technique are (sic) being largely used by brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions. A .pac script URL is configured in the browser, in the field “Use automatic configuration script”.
After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.
A lot of the Brazilian malware is using this trick nowadays. Not only Internet Explorer users are affected, but also users of Firefox and Chrome. The malware changes the file prefs.js, inserting the malicious proxy in it.
And finally to make sure the malicious proxy will be not removed by the user, a malicious DLL is inserted on initialization by rundll32.exe to always rewrite the proxy, if removed.
Earthquakes, Lawsuits Spam, Kids’ Choice Awards, Moscow bombings, Adobe Spoofs and IM attacks [There is a] rising popularity among hackers to exploit public interest in natural occurrences, disasters and social events. These days, our instinct is to use the Internet to direct us to the latest news on worldwide events, however, it’s becoming clear that cybercriminals will target and take advantage of this interest and curiosity for malicious gains in every way possible. Users should be wary of sophisticated tricks linking to familiar software like Adobe Acrobat, and on high alert for attacks via instant-messenger applications which are increasingly popular. We also recommend particular vigilance around periods of heightened attack, for example when youth-targeted events occur.