
Increase in Pump and Dump Stock Spam


In the last few weeks we have observed a drastic increase in “penny stock” spam emails. In 2011 Symantec published a blog entitled Global Debt Crises News Drives Pump-and-Dump Stock Scams, which also dealt with this type of spam.

Penny stocks, also known as cent stocks, are shares in small companies that trade at low prices, often as low as a few cents per share. Penny stocks are a very popular topic for spammers. The spam emails advertise the cheap shares and claim that the company is on the verge of becoming very successful and that the value of its shares will rise significantly. The emails make the company out to be more valuable than it actually is and imply that it has just created some major product or is on the verge of a breakthrough, so that the share price is tipped to rise dramatically. The aim is to increase purchases of the stock, which in turn raises its price, so that the fraudster can sell their own penny stocks for significantly more than they paid for them. This stock fraud method is known as “pump and dump.”

We are seeing various obfuscation techniques in this stock spam, such as words broken up with spaces, irrelevant line breaks inserted into the text, and randomized characters inserted into the header or body of the emails.

Figure1.png

Figure 1. Penny stock spam emails

Symantec is observing an increase in the volume of stock spam, as the graph below shows.

Figure2.jpg

Figure 2. Volume trend of stock spam email

Below are the most frequently observed subject lines in these attacks:

  • Subject: Stock Picking Contest, Sign Up Today
  • Subject: "Before The Close" From Standout Stocks!
  • Subject: A Royal Treat To Start The Week
  • Subject: Expect More from this Bull
  • Subject: Explosive Pick Coming
  • Subject: It Is Our Hot New Trade Alert!
  • Subject: Its trading levels could be Set to Explode!
  • Subject: Let`s Do It Again! Tonight We Have Another Breaking Bull!
  • Subject: This Company Shows Gains
  • Subject: This Company shows Strength
  • Subject: What a Fantastic Week! Our Members had the Opportunity to Make Some Serious Gains!

Symantec advises users to be cautious when handling unsolicited or unexpected emails and to update antispam signatures regularly. Symantec is closely monitoring these “pump and dump” spam attacks and will continue monitoring this trend to keep our readers updated.
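A defender-side illustration of the obfuscation tricks described in this post, added here and not part of the original article: it reduces a subject line to a letters-and-digits key so that broken words, stray spacing and inserted random characters fall away, then compares that key against the subject lines listed above using a similarity ratio. The sample headers are constructed for the example, and the 0.85 threshold is an assumption to tune on your own mail flow.

```python
"""Normalise obfuscated e-mail subjects and match them against known stock-spam subjects.

Example code written for this page, not Symantec's. The reference list is the set
of subject lines quoted in the post; the header samples at the bottom are constructed.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Subject lines quoted in the post, used as the reference set.
KNOWN_STOCK_SPAM_SUBJECTS = [
    "Stock Picking Contest, Sign Up Today",
    '"Before The Close" From Standout Stocks!',
    "A Royal Treat To Start The Week",
    "Expect More from this Bull",
    "Explosive Pick Coming",
    "It Is Our Hot New Trade Alert!",
    "Its trading levels could be Set to Explode!",
    "Let`s Do It Again! Tonight We Have Another Breaking Bull!",
    "This Company Shows Gains",
    "This Company shows Strength",
    "What a Fantastic Week! Our Members had the Opportunity to Make Some Serious Gains!",
]


def subject_key(text: str) -> str:
    """Reduce a subject to lowercase letters and digits only.

    Dropping spaces and punctuation undoes the "bro ken wo rds" and "S.t.o.c.k"
    tricks; NFKD decomposition plus removal of combining marks undoes accented
    look-alikes ("Píck" -> "pick"); zero-width characters fall out with the filter.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", stripped.lower())


_REFERENCE_KEYS = [(s, subject_key(s)) for s in KNOWN_STOCK_SPAM_SUBJECTS]


def match_stock_spam_subject(subject: str, threshold: float = 0.85):
    """Return (known_subject, similarity) for the closest known subject, or None.

    Similarity is difflib's ratio over the normalised keys, so a few inserted
    random characters only cost a small fraction of the score.  The threshold
    is an assumed starting point, not a measured value.
    """
    key = subject_key(subject)
    if not key:
        return None
    best_subject, best_score = None, 0.0
    for known, known_key in _REFERENCE_KEYS:
        score = SequenceMatcher(None, key, known_key).ratio()
        if score > best_score:
            best_subject, best_score = known, score
    if best_score < threshold:
        return None
    return best_subject, round(best_score, 3)


_SUBJECT_HEADER = re.compile(r"^subject:\s*(.*)$", re.IGNORECASE)


def flag_subject_headers(header_lines):
    """Scan raw 'Subject:' header lines and return (subject, known, score) for hits."""
    flagged = []
    for line in header_lines:
        m = _SUBJECT_HEADER.match(line.strip())
        if not m:
            continue  # not a Subject header
        subject = m.group(1)
        hit = match_stock_spam_subject(subject)
        if hit:
            flagged.append((subject, hit[0], hit[1]))
    return flagged


# Constructed sample headers (not from the post) exercising each trick in turn.
SAMPLE_HEADERS = [
    "Subject: Ex pect  M.o.r.e fr0m th!s Bull",                # broken words, inserted symbols
    "Subject: St ock Pic king Con test, Si gn Up To day xq7",  # broken words, random suffix
    "Subject: Explosive\u200b P\u00edck Coming",               # zero-width space, accent
    "Subject: Quarterly invoice attached",                     # benign: must not be flagged
    "From: someone@example.invalid",                           # not a Subject header
]

if __name__ == "__main__":
    for subject, known, score in flag_subject_headers(SAMPLE_HEADERS):
        print(f"{score:.3f}  {subject!r} ~ {known!r}")
```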


Announcing the upcoming Symantec Messaging Gateway 10.5 Beta Evaluation


Symantec Messaging Gateway 10.5 Pre-release Evaluation

 

On June 25th, 2013 Symantec will be launching the pre-release evaluation of Symantec Messaging Gateway 10.5. This new version of Symantec Messaging Gateway plans to introduce new features including:

 

  • Remove Zero Day Malware and Targeted Attacks from Office and PDF attachments with new “Disarm” technology.
  • Block more Spam and Malware with Expanded Threat URL Reputation
  • Simplify management with LDAP Authenticated Administration
  • Enhanced management of Unscannable Messages
  • Communicate securely with trusted partners using enforced inbound TLS encryption
  • Increase security with TLS encrypted delivery to Symantec DLP
  • Control spam attacks and message volume from inside your environment with the Outbound Sender Throttling capability
  • Deploy using new Hyper-V support

 

The Symantec Enterprise External Test Program is designed to ensure that customers have a central location to download builds and access to post feedback on the Symbeta forum for Symantec technology experts to review. You can sign up for the evaluation by navigating to the following link.

 

https://symbeta.symantec.com/callout/?callid=81D33E0A55A4448181A05240646AA75C

 

A Webinar will also be scheduled to discuss and field questions around this pre-release evaluation. Details regarding the date and time of the webinar will be provided as an update to this invitation. As with prior pre-release evaluations for Symantec Messaging Gateway, Symantec will be offering incentives for customers who participate in the evaluation. The following are the incentives offered for this testing period.

 

  • Testers will receive a copy of Norton AntiVirus based on the below criteria:
    • Install pre-release evaluation version of SMG 10.5
    • Provide wall ID to the Symantec Messaging Gateway team (Please provide Name, Company and ID when submitting).
    • Return answers from relevant sections of beta script

 

  • A US$200 value gift card will be given away to the 5 customers who provide the most comprehensive testing feedback for the features below within three weeks of Beta commencement. Providing early feedback for multiple sections will increase your chances of winning.

  • 4 iPads will be provided to customers based on the following criteria:
    • 1 to the tester who runs the most production traffic (based on stats received by Symantec)
    • 3 to the testers who provide the most comprehensive testing feedback for the features below. Providing feedback for multiple sections will increase your chances of winning.
    • Features:
      • Disarm technology
      • Better Anti-Spam Effectiveness (Expanded Threat URL Intelligence)
      • LDAP Authenticated Administration
      • Granular Unscannable message verdicts
      • Hyper-V virtual platform
      • Enforced inbound TLS encryption
      • TLS encrypted delivery to DLP
      • Outbound Sender Throttling

 

If you would like to participate in this pre-release evaluation please sign up at the above Symbeta link and reply to this email with the following information:

 

  1. Will your deployment be in tandem with Production or in a Lab environment?
  2. Will your deployment be physical or virtual? If virtual, which platform: VMware or Hyper-V?
  3. Are there any specific areas that you want to focus on testing?

 

If there are any questions regarding the upcoming pre-release evaluation, please reply to this email or send an email to smg-beta@symantec.com, and a Symantec team member will respond to you shortly.

 

Thank You

Symantec Messaging Gateway Team

Announcing the upcoming Symantec Messaging Gateway 10.5 for Service Providers Beta Evaluation


Symantec Messaging Gateway 10.5 for Service Providers (Software Edition)
Formerly known as Symantec Brightmail Message Filter
Pre-release Evaluation

 

On June 25th, 2013 Symantec will be launching the pre-release evaluation of Symantec Messaging Gateway 10.5 for Service Providers. This new version of Symantec Messaging Gateway for Service Providers (Software Edition) plans to introduce new features including:

 

  • Name change from Symantec Brightmail Message Filter to Symantec Messaging Gateway for Service Providers
  • Block more Spam and Malware with Expanded Threat URL Reputation and Customer Specific Rules creation capabilities
  • Submit missed Spam and False Positive Emails with new CLI Message Submission process
  • Block Marketing and Newsletter Messages with newly available dispositions
  • Enhanced management of Unscannable Messages

 

The Symantec Enterprise External Test Program is designed to ensure that customers have a central location to download builds and access to post feedback on the Symbeta forum for Symantec technology experts to review. You can sign up for the evaluation by navigating to the following link.

 

https://symbeta.symantec.com/callout/?callid=A36EAC98B7B24D8DBC46CE963243E62F

 

A Webinar will also be scheduled to discuss and field questions around this pre-release evaluation. As with prior pre-release evaluations for Symantec Brightmail Message Filter, Symantec will be offering incentives for customers who participate in the evaluation. Details regarding the official start date, date and time of the webinar and incentive offerings will be provided as an update to this invitation.

 

  • Testers will receive a copy of Norton AntiVirus based on the below criteria:
    • Install pre-release evaluation version of SMG 10.5 for Service Providers
    • Return answers from relevant sections of beta script

 

  • 2 iPads will be provided to customers based on the following criteria:
    • 1 to the tester who runs the most production traffic (based on stats received by Symantec)
    • 1 to the tester who provides the most comprehensive testing feedback. Providing feedback for multiple sections of the testing script will increase your chances of winning.

 

If you would like to participate in this pre-release evaluation please sign up at the above Symbeta link. If there are any questions regarding the upcoming pre-release evaluation, please reply to this email or send an email to smg-beta@symantec.com, and a Symantec team member will respond to you shortly.

 

 

Thank You

Symantec Messaging Gateway Team

Phishers Offer Rita Ora’s Video


Contributor: Avdhoot Patil

Celebrity scandals are always popular and phishers are keen on incorporating them into their phishing sites. Recently, we observed a phishing site featuring British singer and actress Rita Ora. The phishing site was hosted on a free Web hosting site.

rita_ora_phishing.png

 

The phishing site prompted for Facebook login credentials and called the video a “social plugin”. The page contained an image of a fake YouTube video of Rita in the background, and the title of the video described it as an adult video of Rita Ora. A recent incident involving an accidental exposure of Rita instigated phishers into devising this bait. The phishing site gave the impression that users could view the video shown in the background once their login credentials were entered. In reality, after the credentials are entered, users are redirected to a legitimate site containing adult images of Rita Ora. The purpose of redirecting users to a site containing images from the video is to convince them that the login was valid and so avoid suspicion. If users fall victim to the phishing site by entering their login credentials, phishers will have successfully stolen their information for identity theft purposes.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
  • Exercise caution when clicking on enticing links sent through email or posted on social networks

Symantec pcAnywhere 12.6.7 Hot Fix 1

Microsoft Patch Tuesday - May 2013

This month's Microsoft patch release blog is here. This month, 10 security bulletins have been released covering 33 vulnerabilities, 11 of which are rated Critical.

As always, we recommend the following security best practices:

  • Install vendor patches as soon as they are made available.
  • Run all software with the minimum privileges needed for the required functionality.
  • Do not handle files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the May release is published at:
http://technet.microsoft.com/ja-jp/security/bulletin/ms13-May

Detailed information on some of the issues addressed in this month's patches follows.

  1. MS13-037 Cumulative Security Update for Internet Explorer (2829530)

    Internet Explorer Use After Free Vulnerability (CVE-2013-1306) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    JSON Array Information Disclosure Vulnerability (CVE-2013-1297) MS severity: Important

    An information disclosure vulnerability exists in Internet Explorer that could allow an attacker to access and read the contents of JSON data files.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1309) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1307) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1308) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1310) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-0811) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1311) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-2551) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1312) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1313) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

  2. MS13-038 Security Update for Internet Explorer (2847204)

    Internet Explorer Use After Free Vulnerability (CVE-2013-1347) MS severity: Critical

    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and convince a user to view the website.

  3. MS12-039 Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)

    HTTP.sys Denial of Service Vulnerability (CVE-2013-0005) MS severity: Important

    A denial of service vulnerability exists in Windows Server 2012 and Windows 8 because the HTTP protocol stack (HTTP.sys) does not properly handle malicious HTTP headers. An attacker who successfully exploited this vulnerability could send a specially crafted HTTP header to an affected Windows server or client and cause the HTTP protocol stack to enter an infinite loop.

  4. MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)

    XML Digital Signature Spoofing Vulnerability (CVE-2013-1336) MS severity: Important

    A spoofing vulnerability exists when the Microsoft .NET Framework fails to properly validate the signature of a specially crafted XML file. An attacker who successfully exploited this vulnerability could modify the contents of an XML file without invalidating the signature associated with the file.

    Authentication Bypass Vulnerability (CVE-2013-1337) MS severity: Important

    A security feature bypass vulnerability exists because the Microsoft .NET Framework does not properly create the policy requirements for authentication when setting up custom WCF endpoint authentication. An attacker who successfully exploited this vulnerability could access endpoint functions as if authenticated, steal information, or perform actions as an authenticated user.

  5. MS13-041 Vulnerability in Lync Could Allow Remote Code Execution (2834695)

    Lync RCE Vulnerability (CVE-2013-1302) MS severity: Important

    A remote code execution vulnerability exists when the Lync control attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing a targeted user to launch specially crafted content within a Lync or Communicator session. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

  6. MS13-042 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)

    Publisher Negative Value Allocation Vulnerability (CVE-2013-1316) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Corrupt Interface Pointer Vulnerability (CVE-2013-1318) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Integer Overflow Vulnerability (CVE-2013-1317) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Buffer Overflow Vulnerability (CVE-2013-1320) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Return Value Handling Vulnerability (CVE-2013-1319) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Return Value Validation Vulnerability (CVE-2013-1321) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Invalid Range Check Vulnerability (CVE-2013-1322) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Incorrect NULL Value Handling Vulnerability (CVE-2013-1323) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Signed Integer Vulnerability (CVE-2013-1327) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Pointer Handling Vulnerability (CVE-2013-1328) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Publisher Buffer Underflow Vulnerability (CVE-2013-1329) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Publisher parses Publisher files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  7. MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)

    Word Shape Corruption Vulnerability (CVE-2013-1335) MS severity: Important

    A remote code execution vulnerability exists in the way Microsoft Word parses content in Word files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  8. MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)

    XML External Entities Resolution Vulnerability (CVE-2013-1301) MS severity: Important

    An information disclosure vulnerability exists in the way Microsoft Visio parses specially crafted XML files containing external entities.

  9. MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)

    Windows Essentials Improper URI Handling Vulnerability (CVE-2013-0096) MS severity: Important

    An information disclosure vulnerability exists when Windows Writer fails to properly handle a specially crafted URL. An attacker who successfully exploited this vulnerability could override Windows Writer proxy settings and overwrite files accessible to the user on the target system.

  10. MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2840221)

    DirectX Graphics Kernel Subsystem Double Fetch Vulnerability (CVE-2013-1332) MS severity: Important

    An elevation of privilege vulnerability exists when the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory.

    Win32k Buffer Overflow Vulnerability (CVE-2013-1333) MS severity: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could cause the system to become unstable.

    Win32k Window Handle Vulnerability (CVE-2013-1334) MS severity: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated privileges.

More information on the vulnerabilities addressed this month is available on Symantec's free SecurityFocus portal; customers of our products can also obtain it through the DeepSight Threat Management System.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Increase in Pump-and-Dump (Stock Manipulation) Spam

In the last few weeks we have observed a sharp increase in "penny stock" spam emails. In 2011 we published a blog entitled "Global Debt Crises News Drives Pump-and-Dump Stock Scams", which also touched on this type of spam.

Penny stocks (also called cent stocks) are small-company shares traded at low prices, often for just a few cents per share. Penny stocks are frequently exploited by spammers. The spam emails advertise cheap shares and claim that "this company is about to become hugely successful, so its share price will soar." They state that the company is worth more than it actually is, that it has completed some headline product or is about to make a major breakthrough, and that the share price is expected to surge. The goal of this kind of fraud is to drive up demand for the stock and, once the price has risen as a result, sell the holdings for far more than they were bought for. This method of stock manipulation fraud is called "pump and dump."

The techniques used in stock-related spam vary: inserting spaces inside words, obfuscating the text with unnecessary line breaks, and inserting random characters into the subject or body of the email.

Figure1.png

Figure 1. Penny stock spam emails

As the graph below shows, Symantec has confirmed that the volume of stock-related spam is increasing.

Figure2.jpg

Figure 2. Volume trend of stock-related spam email

Subject lines frequently seen in these attacks include the following:

  • Subject: Stock Picking Contest, Sign Up Today
  • Subject: "Before The Close" From Standout Stocks!
  • Subject: A Royal Treat To Start The Week
  • Subject: Expect More from this Bull
  • Subject: Explosive Pick Coming
  • Subject: It Is Our Hot New Trade Alert!
  • Subject: Its trading levels could be Set to Explode!
  • Subject: Let`s Do It Again! Tonight We Have Another Breaking Bull!
  • Subject: This Company Shows Gains
  • Subject: This Company shows Strength
  • Subject: What a Fantastic Week! Our Members had the Opportunity to Make Some Serious Gains!

Be careful with junk mail and emails you were not expecting, and update your antispam signatures regularly. Symantec is closely monitoring these "pump and dump" spam attacks and will continue to track this trend to bring readers the latest information.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Japanese One-Click Fraud on Google Play Leads to Data Stealing App


Since the beginning of the year, a Japanese one-click fraud campaign has continued to wreak havoc on Google Play. The scammers have published approximately 700 apps in total since the end of January. The apps are published on a daily basis and the scammers have invested around US$4,000 in order to pay the US$25 developer fee to publish apps on Google Play.

fig1.png

Figure 1. Total number of developers and apps developed

Dealing with the fraudulent apps has really become a game of cat and mouse. Once the apps are removed from Google Play, the scammers simply publish more under new developer accounts. These are again removed shortly afterwards, but the scammers simply continue to publish more. Most of the apps are removed on the date of publication, but some, especially those published over weekends, tend to have a longer life and in some cases have download numbers in the triple digits. The scam attempts to lure users interested in adult videos to a site that attempts to trick them into registering for a paid service. Even if only one user falls for the scam and pays, that’s JPY99,800 (around US$1,000 at the current exchange rate) in the pocket for the scammers, which also means they can make more money by creating even more developer accounts to publish more fraudulent apps.

fig2.png

Figure 2. Developer page of the malware author

Recently, the scammers have come up with a new trick. A typical one-click fraud app uses the WebView class to display Web pages within the app. Normally the adult-related sites leading to the click fraud are displayed, but the new round of apps leads to a similar adult-related site that hosts an app which steals personal information, including the Google account, phone number, International Mobile Station Equipment Identity (IMEI), Android ID, and model details of the device. These apps thus act as downloaders for an app that must be manually downloaded and installed.

fig3.png

Figure 3. Site hosting the malicious app

fig4.png

Figure 4. Fake Google Play site from which the malicious app is downloaded

fig5.png

Figure 5. Data uploaded from the device

What is disturbing about the recent method used to attract potential victims is that the scammers have expanded their audience to a larger group by listing random keywords in the description of the app page whereas in the past, only words related to pornography were used. The scammers are hoping that someone searching for any type of app will come across these apps and find the icon attractive as the icons are all adult themed. The titles of the apps are also typically pornographic in nature, but some have random names.

fig6.png

Figure 6. App page for one of the malicious apps

fig7.png

Figure 7. Words listed in the description of one of the apps

We have yet to confirm how the personal information is being used, but it is likely that the victims will be contacted in one form or another by the scammers. Symantec detects the apps discussed in this blog as Android.Oneclickfraud. We recommend installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, please visit our Mobile Security website.


Spam Campaigns Take to Tumblr


As the urban legend goes, the bank robber Willie Sutton was asked why he robbed banks. “Because that’s where the money is,” he is attributed as saying. While Sutton has long since distanced himself from the statement, the concept resonates with many people, to the extent that it’s been used to describe principles in accounting and even medicine.  

This principle also holds true in the world of Internet security. In the latest version of the Internet Security Threat Report we discussed the major trends in the spam world, where the percent of spam email continues to decline while more and more social networks are being targeted. Given the growth of social networking in recent years as a means to communicate, this comes as no surprise—it’s where the users are.

We’ve previously talked about how scammers are not only going after users on the most well-known social networks, as they have for years, but have begun targeting users on other networks, such as Instagram and Pinterest. Another popular social network has found itself in the crosshairs of spammers recently. The growth in popularity of Tumblr, particularly with younger Internet users, has also drawn the attention of spammers.

We’ve come across a spam campaign that is utilizing a feature on Tumblr similar to the type of commenting you might see on blogs or other social networks. Tumblr calls this feature “Ask,” where your followers can ask you questions, which can appear on your Tumblr blog. The feature is disabled by default, but you can enable it in your account settings and even allow anonymous comments. Spammers are attempting to take advantage of this feature to peddle their wares.

“WOW, I just lost a bunch of weight using the OFFICIAL TUMBLR DIET!! Are u using it as well? Check it out at [REMOVED][d0t]com”

Fig1.jpg

Figure 1. Spam message utilizing Tumblr's Ask feature

Clearly, there’s no such thing as an official Tumblr diet. Instead, the URL provided in the spam message leads to a website that mimics a popular health magazine, espousing the benefits of a new diet pill.

Fig2.jpg

Figure 2. Fake health magazine site promoting diet pill

The page is full of information about a “miracle pill,” along with testimonials and offers linking to sites where the user can get some. If the user clicks through, they are brought to an order page. However, the site appears to have a limited supply. Stock is set to run out, coincidentally, the same day the user is visiting the page.

Fig3.jpg

Figure 3. Diet pill order page

The user is asked for a number of personal details, such as name, address, phone number, and email. The site will eventually ask for your credit card details as well.

Fig4.jpg

Figure 4. Diet pill payment page

We don’t know for sure if the site will actually send you genuine diet pills that contain the supposed miracle ingredient, fake pills claiming to have it, or if the site will just make off with your credit card details. Regardless, we do not recommend attempting to purchase goods through offers like this.

This spamming technique is not limited to diet pills either. Other scams, such as the one below, attempt to play at a user’s desire to make money. In this case they don’t even bother to ask a question—skirting the primary purpose of Tumblr’s Ask feature altogether.

"I made $300 yesterday by Internet marketing and I'm looking at at least $450 today. So yeah. You need to do this. I found out about it from this news article on CBS. I'm just excited to share this with you because it actually freakin works! Tumblr won't let me post a link but if you want to read up and start making some money then head over to [REMOVED] [d0t] cоm - Spread this to fellow tumblree's and tumblrette's and lets get out of this recession together!"

The link in this case leads to a fake news page espousing a great way to make money from home, then to a page that asks for the same personal details as the scam above. In this case, besides gathering personal details, it’s possible that the scammers could be looking for cybermules—another precarious scam that is best avoided.

Fig5.jpg

Figure 5. Page promoting "make money from home" scheme

What’s disconcerting about this scam is that Ask questions do not appear on Tumblr blogs by default, as traditional comments can. Instead, a user has to make the effort to answer the Ask, at which point both the question and the answer will appear on their Tumblr blog. Granted many users are answering these Asks sarcastically, while others do so with annoyance, seeing it as the spam it is. While we don’t suggest doing this, what’s perhaps most worrying is that some users actually go as far as to thank the Anonymous poster for the information, seemingly falling for the ruse. Regardless of how the user responds, the messages remain online, and anyone perusing these Tumblr blogs could feasibly visit the sites mentioned on their own accord.

It’s difficult to determine the number of Asks these spammers are sending out, but we have encountered hundreds of instances when looking into the issue. Since Anonymous Asks do not require a Tumblr account to submit, and determining if a Tumblr blog has the feature enabled is easily scriptable, spammers could easily send large volumes.

To its credit, Tumblr has implemented an Ignore feature, where you can block the account, IP, and/or computer sending them. Overall, this spam should be treated in just the same way as any other Ask or comment-related spam: do not answer such submissions, do not visit the URLs provided, and do not give any personal details to less-than reputable websites.

Spam Campaigns Take to Tumblr

$
0
0

As the urban legend goes, the bank robber Willie Sutton was asked why he robbed banks. “Because that’s where the money is,” he is attributed as saying. While Sutton has long since distanced himself from the statement, the concept resonates with many people, to the extent that it’s been used to describe principles in accounting and even medicine.  

This principle also holds true in the world of Internet security. In the latest version of the Internet Security Threat Report we discussed the major trends in the spam world, where the percent of spam email continues to decline while more and more social networks are being targeted. Given the growth of social networking in recent years as a means to communicate, this comes as no surprise—it’s where the users are.

We’ve previously talked about how scammers are not only going after users on the most well-known social networks, as they have for years, but have begun targeting users on other networks, such as Instagram and Pinterest. Another popular social network has found itself in the crosshairs of spammers recently. The growth in popularity of Tumblr, particularly with younger Internet users, has also drawn the attention of spammers.

We’ve come across a spam campaign that is utilizing a feature on Tumblr similar to the type of commenting you might see on blogs or other social networks. Tumblr calls this feature “Ask,” where your followers can ask you questions, which can appear on your Tumblr blog. The feature is disabled by default, but you can enable it in your account settings and even allow anonymous comments. Spammers are attempting to take advantage of this feature to peddle their wares.

“WOW, I just lost a bunch of weight using the OFFICIAL TUMBLR DIET!! Are u using it as well? Check it out at [REMOVED][d0t]com”


Figure 1. Spam message utilizing Tumblr's Ask feature

Clearly, there’s no such thing as an official Tumblr diet. Instead, the URL provided in the spam message leads to a website that mimics a popular health magazine, espousing the benefits of a new diet pill.


Figure 2. Fake health magazine site promoting diet pill

The page is full of information about a “miracle pill,” along with testimonials and offers linking to sites where the user can get some. If the user clicks through, they are brought to an order page. However, the site appears to have a limited supply. Stock is set to run out, coincidentally, the same day the user is visiting the page.


Figure 3. Diet pill order page

The user is asked for a number of personal details, such as name, address, phone number, and email. The site will eventually ask for your credit card details as well.


Figure 4. Diet pill payment page

We don’t know for sure if the site will actually send you genuine diet pills that contain the supposed miracle ingredient, fake pills claiming to have it, or if the site will just make off with your credit card details. Regardless, we do not recommend attempting to purchase goods through offers like this.

This spamming technique is not limited to diet pills either. Other scams, such as the one below, attempt to play on a user’s desire to make money. In this case they don’t even bother to ask a question, skirting the primary purpose of Tumblr’s Ask feature altogether.

"I made $300 yesterday by Internet marketing and I'm looking at at least $450 today. So yeah. You need to do this. I found out about it from this news article on CBS. I'm just excited to share this with you because it actually freakin works! Tumblr won't let me post a link but if you want to read up and start making some money then head over to [REMOVED] [d0t] cоm - Spread this to fellow tumblree's and tumblrette's and lets get out of this recession together!"

The link in this case leads to a fake news page espousing a great way to make money from home, then to a page that asks for the same personal details as the scam above. In this case, besides gathering personal details, it’s possible that the scammers are looking for cybermules, another precarious scam that is best avoided.


Figure 5. Page promoting "make money from home" scheme

What’s disconcerting about this scam is that Ask questions do not appear on Tumblr blogs by default, as traditional comments can. Instead, a user has to make the effort to answer the Ask, at which point both the question and the answer will appear on their Tumblr blog. Granted many users are answering these Asks sarcastically, while others do so with annoyance, seeing it as the spam it is. While we don’t suggest doing this, what’s perhaps most worrying is that some users actually go as far as to thank the Anonymous poster for the information, seemingly falling for the ruse. Regardless of how the user responds, the messages remain online, and anyone perusing these Tumblr blogs could feasibly visit the sites mentioned on their own accord.

It’s difficult to determine the number of Asks these spammers are sending out, but we have encountered hundreds of instances when looking into the issue. Since Anonymous Asks do not require a Tumblr account to submit, and determining if a Tumblr blog has the feature enabled is easily scriptable, spammers could easily send large volumes.

To its credit, Tumblr has implemented an Ignore feature, where you can block the account, IP, and/or computer sending them. Overall, this spam should be treated in just the same way as any other Ask or comment-related spam: do not answer such submissions, do not visit the URLs provided, and do not give any personal details to less-than reputable websites.

Connect Dev Notes: 16 May 2013

User Facing: Desktop

  • Added a "Request split solution" option that gives the author of a forum post the ability to mark multiple comments as solutions to their problem. This feature also distributes the award points equally between the solution authors.
  • Added code that emails the author of a solution when their comment is marked as such.
  • Removed errant partner badges from posts made by Symantec employees.
  • Added a redemption option to the Rewards Catalog for Amazon.cn (China).
  • Added a redemption option to the Rewards Catalog for Amazon.jp (Japan).
  • Updated "Known Issue" posts that were tagged with "language = unknown" to be tagged with the appropriate language.
  • Fixed a few minor issues with the group notifications subscribe/unsubscribe checkbox on group home pages.
  • Fixed an issue with a blank first line in RSS feeds.
  • Fixed an issue with the calendar widget (part of the Event create and edit forms) not displaying the month name.

Admin Facing

  • Added an auditing/logging process to our Accreditation and Certification import script so it can notify admins of issues with a new import.
  • Hardened automated workflow/approval system to keep spammers honest.
  • Fixed an issue with the tool admins use to find a home for forum posts that have been accidentally posted to more than one product forum.
  • Improved the process of manually granting a user points (for performing superhuman tasks). The new process is a single step (submit grant). The old process was multi-step (submit grant, navigate to approval queue, locate target grant, approve grant).

Behind the Scenes

  • Upgraded the Organic Groups module to v6.x-2.4 (Security Update)

Using Symantec Web Gateway to protect user-owned tablets and smartphones from Internet threats

The increased use in the workplace of user-owned devices such as smartphones and tablets, often referred to as bring your own device (BYOD), provides businesses with significant productivity and cost benefits. However, it also presents a number of complex challenges related to security.

Due to the rise of smart media devices like smartphones, tablets and ultrabooks, it is estimated that as many as 30-35%* of endpoints connected to a company’s network could be unmanaged. These are more at risk than managed endpoints, which are typically subject to software patching and endpoint security policies.

Of course, unmanaged endpoints are still protected by your perimeter security, such as secure web gateways. However, these have typically evolved from caching proxies and URL filters. What you need is an additional layer of security that provides the best possible level of protection for unmanaged endpoints.

Symantec Web Gateway (SWG) will unobtrusively co-exist alongside existing web proxies and block zero-day threats in real-time using technologies such as Symantec Insight. It will also monitor outbound traffic for signs of infected endpoint devices, helping you to identify and quickly remediate security events.

If you have SPS EE, you already have a license to deploy SWG. See the guide here: http://www.symantec.com/business/support/index?page=content&id=DOC6298&key=57894&actp=LIST

* Kevin Bailey, Research Director, European Security Software - Market Analysis & Strategies, IDC

Backup Exec 3600 Appliance: Information Protection You Can Bank On

A bank without money is not going to attract any customers. And while it’s unlikely that a sinkhole will suddenly appear and swallow up a vault, there is an important resource in business today that is all too vulnerable: information.

According to the latest State of Information Survey from Symantec, roughly half of an organization’s value can be attributed to the information it is generating and storing. And like the bank that needs to be able to loan out its funds to generate revenue through earning interest, information does companies no good if employees and customers can’t gain access to what they need.

There are a variety of factors that can put business information at risk today. Natural disasters, accidental deletions and malicious outsiders can all be as damaging to the average business as a robbery is to a bank. In case disaster does strike, organizations need to know they have a solution that will quickly and effectively back up and restore their information. The Symantec Backup Exec 3600 Appliance is designed to help meet the needs of today’s business by providing easy, complete, and cost-effective backup and recovery.

Appliance vs. Traditional Backups

There are several drawbacks to a traditional approach to backup. Because software and hardware must be purchased, integrated and maintained separately, there is the potential for compatibility issues. In addition, backup performance may be less than ideal, and configuration can be a challenge. Resolving issues that arise can also be time-consuming when dealing with multiple vendors and their products. These issues are mitigated by an all-in-one appliance like Backup Exec, however. The hardware and software are designed to work together, automatically performing updates and eliminating the additional costs of configuration and maintenance created by discrete solutions. A simpler interface also makes it possible for non-technical employees to perform routine backup and recovery operations.

Virtual Integration

One of the significant challenges in backup today is the increasing mixture of physical and virtual elements. According to Symantec’s Avoiding the Hidden Costs of the Cloud survey, two-thirds of enterprises are using three or more backup solutions today. The Backup Exec 3600 appliance delivers the ability to back up physical and virtual resources, in one box. It’s optimized for both VMware and Hyper-V environments, supporting the latest platforms and delivering backup without the need for a proxy server. It allows organizations to perform full virtual machine recovery as well as granular restoration of applications, files and folders, saving time when a full restore is not needed.

Data Deduplication and Recovery

Another issue facing businesses today is the enormous increase in the data they are creating and storing. Contributing to this is a large amount of duplicate information. To reduce storage requirements while maintaining the availability of all information, the Backup Exec 3600 appliance includes deduplication technology that only stores one copy of each file, regardless of the number of copies throughout the network – even deduplicating the files on virtual machines.

The full granular restore capabilities of Backup Exec are available with single-pass backups, meaning there is no extra work needed in order to have the ability to restore individual files or entire machines. For VMware or Hyper-V machines, the appliance allows you to perform recoveries at the application level as well, including Exchange mailboxes, SharePoint files and SQL databases.

In addition to full or granular recovery options, Backup Exec customers can choose advanced recovery capabilities for physical Windows servers including bare metal recovery and dissimilar hardware recovery. They can also create customized recovery disks, modifying the base recovery image to incorporate additional drivers.

The Backup Exec 3600 appliance is ideal for businesses that want to simplify the process of backup. Whether they have remote offices that need consistent backups without an IT presence on site, or simply want to reduce the number of physical devices in their infrastructure, Backup Exec is like money in the bank.

For a deeper dive into the key technologies of the Backup Exec 3600 appliance, be sure to check out:

Phishing on Social Networks: What’s the value of your small biz Twitter account?

Social networking is a great way to find and keep customers. In fact, social media use by small businesses with fewer than 100 employees jumped from 44 percent to 53 percent last year, according to the SMB Group. But, brand building online can go horribly wrong quickly if cybercriminals hijack your accounts – the effects of which a number of well-known brands have experienced recently.

Attackers can do this any number of ways. They can go straight to the social network provider to try to steal your credentials by pretending to be you. They may also try to exploit potential weaknesses in the lost password feature with information that can be obtained relatively easily on the Internet, such as where you were born or went to school. Attackers may also try using Trojans to pick up login and password credentials and harvest passwords that are stored or cached in the Web browser. But by far the simplest way to steal account details is with a well-crafted phishing attack.

You may be looking out for phishing attacks asking for your bank account or credit card details online, but too few are as cautious when entering account details for social networking sites. Attackers know this and use it to their advantage – my colleague details a recent direct message phishing attack that spoofed a popular social network: http://www.symantec.com/connect/blogs/phishing-easy-way-compromise-twitter-accounts. Phishing on social network sites is an easy way to trick users into giving their credentials away. Attackers also use fake emails that purport to originate from a social network and contain a link and a message to pique the user’s curiosity into clicking on it. Attacks of this type have been tried and tested, and found to be effective. In fact, Symantec’s Internet Security Threat Report, Vol. 18 (ISTR) found that the number of phishing sites that spoofed social network sites increased 123 percent last year.

You may wonder if this is really a big deal. After all, it’s not likely that attackers can drain your bank account with the credentials to your Twitter login. However, the damage that can be inflicted depends on the machinations of the attackers. By hijacking your social network accounts, cybercriminals can run scams, send spam, post false messages or infect other users with malware. Your small business account could be used to promote wacky diet plans, which though a nuisance probably won’t put you out of business. But what if your customers find malware being installed after clicking through a link sent from one of your or your employees’ accounts? Worse yet, that malware goes undetected by your customer for a period of time and siphons valuable information. Small businesses are the path of least resistance, and attackers prey on them as a means to gain access to a larger company.

Security problems that originate with humans don't have easy technical solutions. However, with proper user education, you can reduce the risk of successful phishing attacks on the social networks you and your employees use both professionally and personally. Here are a few tips to consider:

  1. Check the social networking site’s address – typo squatting sites are often used to attempt to capture user credentials.
  2. Scrutinize the site’s security certificate to ensure you are logging into legitimate services and look for “HTTPS” in the address.
  3. Be suspicious of links sent from unknown users and even emails that claim to come from a social networking site, as this is a popular phishing tactic. And don’t click on links in messages, even direct messages from a known “friend” or “follower,” that seem strange or out of character. A common method used by attackers is to pose as a friend/follower and send messages with links to sites that are infected with malware.
  4. Install security software on user machines that protects against phishing attacks.
  5. Use different passwords for each account; that way, even if one account is compromised, the others will stay safe. Passwords or passphrases should be difficult to guess and not in the dictionary. Ideally a combination of upper and lower case letters, numbers, and special characters should be used. And remember to change your passwords regularly.
  6. Don’t answer yes when prompted to save your password to a computer or browser. Instead, rely on a strong password committed to memory or stored in a dependable password management program. Using a phrase known to you with some combination of characters from the URL is one approach to creating an easily memorable password for each site.
  7. When the site offers it, use two-factor authentication that requires not only your user name and password, but also a trusted device (like a mobile phone) that can be used to confirm the identity of the account holder.
  8. Report any suspicious or potentially malicious activity to the social networking site’s administrators.

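Tips 1 and 2 above can be turned into an automated check, for instance in a mail or chat link filter. The following is an added example written for this page, not code from the original post: it verifies that a login link uses HTTPS and points at a genuine social-network domain, and flags typosquats, digit-for-letter look-alikes and brand names used on other domains. The trusted host list and the sample links are constructed for the example.

```python
"""Added example: defender-side check of a social-network login link.
The allow-list below is a constructed assumption for this example."""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate login domains (assumption).
TRUSTED_HOSTS = {"twitter.com", "facebook.com", "tumblr.com"}

# Digits commonly swapped in for look-alike letters by typosquatters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "9": "g"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the hosts above. A real
    deployment would consult the public suffix list instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_login_url(url: str, trusted=TRUSTED_HOSTS) -> str:
    """Return 'ok' for a genuine HTTPS login link, otherwise a short reason
    describing why the link should not be trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no host"
    if parts.scheme != "https":
        return "not https"                     # tip 2: look for HTTPS
    domain = registrable_domain(host)
    if domain in trusted:
        return "ok"                            # exact domain or a subdomain of it
    for brand in trusted:
        name = brand.split(".")[0]
        # Brand used as a subdomain label or inside another registrable domain,
        # e.g. twitter.com.login-verify.example
        if name in host.split(".") or name in domain:
            return f"brand '{name}' used on untrusted domain {domain}"
        # Digit look-alikes (faceb00k.com) or one-keystroke typos (twiter.com)
        if domain.translate(HOMOGLYPHS) == brand or edit_distance(domain, brand) <= 2:
            return f"look-alike of {brand}: {domain}"
    return "unknown domain"


if __name__ == "__main__":
    for link in ("https://twitter.com/login", "http://twitter.com/login",
                 "https://twiter.com/login", "https://faceb00k.com/login",
                 "https://twitter.com.login-verify.example/"):
        print(f"{link:45} -> {assess_login_url(link)}")
```
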
Looking forward, attackers will be smarter and their phishing attacks more convincing. We’ll see more sophisticated site replicas and SSL-encrypted phishing sites. As your brand and your employees engage on these platforms, remember that social networks are a great way to make a connection, and ultimately a profit, but they are not without risk from attackers that exploit the medium’s virality and trusted messaging. With social networking you may only be as secure as the weakest password in your circle of friends and business partners. Remind employees of best practices for safe use of social networks and set clear policies for what kinds of company information can be shared.

Symantec Protection for Targeted Attacks in South Asia

ESET recently blogged about a targeted cyber/espionage attack that appears to be originating from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), it appears that attackers are focusing on targets located in Pakistan, specifically government agencies.


Figure 1. Telemetry data focused on South Asia

The identified infection vector of this campaign is spear phishing emails with malicious files attached. We’ve observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

Once exploited, the documents will drop malware that is used to steal information from the targets and send it back to the attackers’ servers.

Symantec products detect the spear phishing Word documents as Trojan.Mdropper and the dropped files as Downloader and Infostealer.

Users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.

To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.


Phishing Scam Using a Rita Ora Video as Bait

Contributor: Avdhoot Patil

Celebrity scandals attract a great deal of attention, and phishers are constantly looking to exploit them on their sites. Recently, a phishing site exploiting the British singer and actress Rita Ora was observed. The phishing site was hosted on a free web hosting service.

The phishing site presents a video as a “social plugin” and asks the user to enter Facebook login credentials. The phishing page embeds a fake YouTube image with Rita Ora in the background, and the video in question carries a title suggesting it is an adult video featuring her. Since Rita has recently been in the spotlight, the phishers seem to have seized on it immediately. The phishing site is designed to make users believe that entering their login credentials will let them watch the video in the background. In reality, after entering their credentials, users are simply redirected to a site carrying adult images of her. Of course, redirecting users to a site with images from the video is meant to make them believe the login was valid and to deflect suspicion. Users who fall for this trick and enter their login credentials have their personal information stolen and used for identity theft.

When using the Internet, we recommend taking every possible precaution to prevent phishing attacks:

  • Do not click suspicious links in email messages.
  • Do not include personal information when replying to an email.
  • Do not enter personal information in pop-up pages or pop-up windows.
  • When entering personal or account information, check for the padlock icon, “https” in the address, or a green address bar to confirm that the website is encrypted with SSL.
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, that protects against phishing and social network scams.
  • Do not carelessly click links sent by email or posted on social networks, no matter how enticing they appear.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja

Japanese One-Click Fraud on Google Play Pushes Downloads of Information-Stealing Apps

Since the start of the year, Japanese one-click fraud has been rampant on Google Play. The scammers have published as many as 700 apps since the end of January. New apps are published daily, and because the scammers pay a $25 registration fee to publish apps on Google Play, they have spent roughly $4,000 so far.

Figure 1. Developers and total number of apps developed

Dealing with the fraudulent apps has become a game of cat and mouse. When apps are removed from Google Play, the scammers publish more apps under a different account. Those are removed quickly as well, but even more apps are then published under yet another account. Most of the apps are removed the same day they are published, but some, particularly those published on weekends, survive long enough to reach download counts in the hundreds. These fraudulent apps deceive users interested in adult videos and lure them to sites designed to sign them up for paid services. If even one person falls for the scam, 99,800 yen goes into the scammers’ pockets, so creating more developer accounts and increasing the number of fraudulent apps means more income.

Figure 2. The malware author’s developer page

Recently, the scammers appear to have come up with a new trick. Typical one-click fraud apps use the WebView class to display web pages inside the app. Normally an adult-related site luring the user into click fraud is displayed, but the new apps display a similar adult-related site that hosts an app designed to steal personal information (Google account, phone number, International Mobile Equipment Identity (IMEI), Android ID, device details, and so on). The new fraudulent apps act as downloaders for an app that must be downloaded and installed manually.

Figure 3. Site hosting the malicious app

Figure 4. Fake Google Play site from which the malicious app is downloaded

Figure 5. Data uploaded from the device

What is notable about this new trick is that the scammers list random keywords in the app page descriptions. Previously only adult-related keywords were listed, but here they are trying to target a wider audience. The scammers’ aim is for users searching for apps to stumble upon the fraudulent app and be drawn in by its adult-style icon. The app titles are usually adult-style as well, but some apps have random names.

Figure 6. Malicious app page

Figure 7. Keywords listed in the app description

We have not yet confirmed how the personal information is misused, but victims are likely to be contacted by the scammers in some way. Symantec detects the apps described in this blog as Android.Oneclickfraud. We recommend installing a security app such as Norton Mobile Security or Symantec Mobile Security on your device. For general tips on smartphone and tablet safety, see the Mobile Security website (English).

 


Installing Symantec System Recovery 2013 Management Solution

First-time install:

=============

You install Symantec Installation Manager on the computer where you plan to install the Symantec System Recovery 2013 Management Solution. Ensure the server has a high-speed Internet connection.

For an offline installation, you install Symantec Installation Manager on a computer that has an Internet connection. You then use Symantec Installation Manager to create an installation package that you run on the computer that does not have an Internet connection.

  1. Log on to your computer by using either the Administrator account or an account with administrator privileges.
  2. Install Symantec Installation Manager (SIM).
       1. To download SIM, visit http://www.symantec.com/products/downloads/?inid=us_ps_flyout_prdts_trialware
       2. Under Infrastructure Operations, go to IT Management Suite.
       3. Click Download.
       4. Log in with your SymAccount (if you don’t have one, register to create a new one).
       5. When you click the option to download the product on the Software Download page, the Symantec Installation Manager EXE file is downloaded. The name of the file is symantec_sim.exe. Please refer to this technote for the SIM installation prerequisites: http://www.symantec.com/business/support/index?page=content&id=HOWTO54448
       6. Install SIM and launch it (it launches automatically after installation; to launch it manually, click Start > All Programs > Symantec > Symantec Installation Manager > Symantec Installation Manager).

Note: When you start Symantec Installation Manager, if a new version is available, you are prompted to update to the new version. Choose to update immediately. The SIM version should be at least 7.1.238.

  3. Click Install new products.
  4. Proceed with the installation. If any prerequisite is missing, a readiness check screen is presented with suggested remediation. Follow the steps and you are done.

For more detailed installation instructions, please refer to the product administration guide at http://www.symantec.com/business/support/index?page=content&id=DOC6257

Upgrade:

=======

  1. Launch SIM (click Start > All Programs > Symantec > Symantec Installation Manager > Symantec Installation Manager).
  2. Click Settings > Change Product Listings and choose the global product listing, which is present as “symantec_v2.pl.xml.zip”.

Note: This step is needed because we have discontinued shipping DVDs for Symantec System Recovery 2013 Management Solution, in order to better leverage the new releases and hotfixes of Symantec Management Platform (formerly Altiris).

  3. Click Upgrade installed products.
  4. Proceed with the upgrade. Done!

For more detailed upgrade instructions, please refer to the product administration guide at http://www.symantec.com/business/support/index?page=content&id=DOC6257

Symantec Protection for Trojan.FakeSafe

Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

If exploitation is successful, the malicious documents drop the following files:

  • smcs.exe
  • SafeExt.dll
  • SafeExt.org
  • SafeCredential.DAT

SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT contains configuration information.
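
The dropped file names above can be used for a quick host triage. The following is an added example written for this page, not code from the original post or from Symantec: it walks a directory tree, matches the four names case-insensitively, hashes any hits for the incident record, and reports whether the complete drop set co-occurs in one directory (a lone file named smcs.exe is a much weaker signal than all four together). The sample tree is constructed in a temporary directory with placeholder contents.

```python
"""Added example: host triage for the Trojan.FakeSafe dropped files named in
the post. Sample tree and file contents are constructed placeholders."""
import hashlib
import os
import tempfile
from typing import Dict, List

# File names quoted in the post, compared case-insensitively.
FAKESAFE_ARTIFACTS = {"smcs.exe", "safeext.dll", "safeext.org", "safecredential.dat"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_fakesafe(root: str) -> List[Dict[str, object]]:
    """Return one finding per directory holding any of the artifact names.
    'complete_set' is True only when all four names are present together."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        hits = {f: sha256_of(os.path.join(dirpath, f))
                for f in files if f.lower() in FAKESAFE_ARTIFACTS}
        if hits:
            findings.append({
                "directory": dirpath,
                "files": hits,                                   # name -> sha256
                "complete_set": {f.lower() for f in hits} == FAKESAFE_ARTIFACTS,
            })
    return findings


def build_constructed_sample(root: str) -> None:
    """Constructed tree: one directory with the full drop set (mixed case, as
    listed in the post), one with a lone smcs.exe, and one clean directory."""
    layout = {
        "infected": ["smcs.exe", "SafeExt.dll", "SafeExt.org", "SafeCredential.DAT"],
        "lone": ["SMCS.EXE", "readme.txt"],
        "clean": ["notes.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"placeholder content for " + name.encode())


def demo() -> Dict[str, bool]:
    """Scan the constructed tree; map directory basename -> complete_set."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return {os.path.basename(f["directory"]): f["complete_set"]
                for f in scan_for_fakesafe(root)}


if __name__ == "__main__":
    for directory, full in demo().items():
        verdict = "full FakeSafe drop set" if full else "partial match, verify manually"
        print(f"{directory}: {verdict}")
```
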

Our telemetry indicates that this threat is spread across the globe, throughout multiple countries.

Symantec products detect the spear phishing Word documents as Trojan.Mdropper and Trojan.Dropper, and the dropped files as Trojan.Fakesafe.

As we’re still seeing CVE-2012-0158 used in targeted attacks, users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.

To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.

EV 10.0.3 CHF2 - Move Archive - "The stub received bad data"

I had to wait for months to get a solution on this one. Today should be the day the fix is delivered through 10.0.3 CHF2.

What happened: I'm moving mailboxes site-by-site using the Move Archive wizard, but interrupting the wizard was no option, so moving BIG mailboxes which take more than 24 hours was not possible because of interruptions caused by the backup schedule. We received "the stub received bad data" if the job wants to continue the move, but from that point on there was no way to hook again into the pending move. Only one option: delete the remote (new) archive and start all over again. But if you have to move 3000+ mailboxes and you choose to disturb your customers as little as possible, you have to ask Symantec for a fix. Let's hope it will be fixed. I'll post my congratulations to the development team here if they fixed it and will place a link to the E-track.

Erik.
