Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Social Engineering Attack. Show all posts

Cyber Scammers now Experimenting With QR Codes


Microsoft started limiting macros in Office files by default in February 2022, making it more difficult for attackers to execute malicious code. According to data gathered by the HP Threat Research team, attackers have been changing their methods since Q2 2022 in an effort to identify new ways to hack devices and steal data. 

The Rise of QR Scan Scams 

The research findings were based on data collected from millions of endpoints using HP Wolf Security: 

Since October 2022, HP has witnessed QR code “scan scam” campaigns almost daily. These frauds persuade users to scan QR codes with their mobile devices while connected to their PCs, potentially exploiting the lack of phishing protection and detection on such devices. Users can access fraudulent websites that request credit and debit card information by scanning QR codes. Examples from Q4 include phishing attempts that pose as parcel delivery services seeking money. 

38% Rise in Malicious PDF Attachment: 

The recent assaults avoid web gateway scanners by using embedded images that link to malicious ZIP files that are encrypted. The PDF instructions fool the user into providing a password to unpack a ZIP file, allowing QakBot or IcedID malware to gain access to systems unauthorization and serve as beachheads for ransomware. 

42% of Malware was Delivered Inside Archives Files Like ZIP, RAR, and IMG: 

Archives have gained a whooping 20% rise in popularity since Q1 2022, as threat actors use scripts to execute their payloads. In contrast, 38% of malware is distributed via Office documents like Microsoft Word, Excel, and PowerPoint. 

Alex Holland, Senior Malware Analyst at HP Wolf Security threat research team said, “We have seen malware distributors like Emotet try to work around Office’s stricter macro policy with complex social engineering tactics, which we believe are proving less effective. But when one door closes, another opens – as shown by the rise in scan scams, malvertising, archives, and PDF malware.” 

“Users should look out for emails and websites that ask to scan QR codes and give up sensitive data, and PDF files linking to password-protected archives,” added Holland. 

Threat Actors Still Rely on Social Engineering 

HP researchers also discovered eight malware families imitated in 24 popular software projects in Q4's malvertising efforts, as compared to just two such operations in Q3's. The attacks rely on people clicking on search engine adverts that take them to malicious websites that resemble legitimate websites nearly identity. 

Dr. Ian Pratt, Global Head of Security for Personal Systems, HP says “While techniques evolve, threat actors still rely on social engineering to target users at the endpoint.” 

“Organizations should deploy strong isolation to contain the most common attack vectors like email, web browsing and downloads. Combine this with credential protection solutions that warn or prevent users from entering sensitive details onto suspicious sites to greatly reduce the attack surface and improve an organization’s security posture,” concludes Pratt.  

Twitter Data Breach Indicates How APIs Are a Goldmine for PII and Social Engineering


A Twitter API vulnerability that was detected in June 2021, and was later patched, has apparently been haunting the organization yet again. 

In December 2022, a hacker claimed to have access to the personal data of 400 million Twitter users for sale on the dark web markets. And only yesterday, the attacker published the account details and email addresses of 235 million users. 

The breached data revealed by the hacker includes account names, handle creation data, follower count, and email addresses of victims. Moreover, the threat actors can as well design social engineering campaigns to dupe people into providing them their personal data. 

Twitter: A Social Engineering Goldmine 

Social media giants provide threat actors with a gold mine of user data and personal information that they can utilize in order to perform social engineering scams. 

Getting a hold of just a user name, email address, and contextual information of a user’s profile, available to the public, a hacker may conduct reconnaissance on their targeted user and create phishing and scam campaigns that are specifically designed to dupe them into providing personal information. 

In this case, while the exposed information was limited to users’ information available publicly, the immense volume of accounts exposed in a single location (Twitter) has in fact provided a “goldmine of information” to the threat actors. 

The Link Between Social Engineering and API Attacks 

Unsecured APIs allow cybercriminals direct access to users’ Personally Identifiable Information (PII), such as username and password, which is captured when the user connects to any third-party service API. API attack thus provides threat actors with a window to collect large amounts of personal information for scams. 

An instance of this happened just a month ago when a threat actor leveraged an API flaw to gather the data of 80,000 executives throughout the private sector and sell it on the dark web. The threat actor had applied successfully to the FBI's InfraGard intelligence sharing service. 

The data collected during the incident included usernames, email addresses, Social Security numbers, and dates of birth of victims. This highly valuable information was utilized by the threat actors for developing social engineering dupes and spear phishing attacks. 

How to Protect APIs and PII? 

One of the main challenges faced while combating API breaches is how modern enterprises need to detect and secure a large number of APIs. A single vulnerability can put user data at risk of exfiltration, therefore there is little room for error. 

“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use […] It’s a lot for organizations to manage, but the risk is too great not to,” says Chris Bowen, CISO at ClearDATA.  “In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport, exchange security, and trusted connectivity.”

It has also been advised to the security team to not rely solely on simple authentication options like username and password in order to secure their APIs. 

“In today’s environment, basic usernames and passwords are no longer enough […] It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth,” says Will Au, senior director for DevOps, operations, and site reliability at Jitterbit. 

Moreover, measures such as utilizing a Web Application Firewall (WAF), and monitoring API traffic in real time can aid in detecting malicious activities, ultimately minimizing the risk of compromise.  

Social Engineering forum hacked, data shared online






A website that deals with topics of social engineering has been hacked about two week ago, and tens of thousands of data have been leaked and sold online. 

The owner of the SocialEngineered.net shared a post in which he admitted that the website had been breached via a security flaw in the  MyBB software.

The hacked database contains personal information of more than  55,121 users which includes their usernames, passwords, email addresses, IP addresses, and private messages.

The database is available on multiple number of websites from where hackers could get access to them. 

However, there is no clarity how much data the hackers were able to retrieve, but it appears that they got hold on more than this data. 

One of the rival forum informed that the leak also includes  the website source code, data, and activity.

SocialEngineered website moved to another platform XenForo forum to avoid a similar incident in the future. 


The company advised its users to immediately change the login passwords. 

The Dyre Wolf of cyber street is after your money


The Dyre malware affecting the corporate banking sector has successfully stolen upwards of million dollars from unsuspecting companies since its inception in mid-2014, according to IBM's Security Intelligence report.

In a span of seven months the global infection rate has shot up from 500 to more than 4000 with North America being the most affected region.

While such a threat is not new to the banking sector what sets Dyre apart is its wealth of features that combines Spear phishing, malware (initial infection via Upatre), social engineering, complex process injections, the Deep Web and even Distributed Denial of Service (DDoS) alongside the constant updates that makes its detection tough.

The malware works in multiple steps.

Spear phishing: An organization  is as strong as its weakest link. Dyre uses this adage to the full as it targets employees of an organization with mails that contains the malware delivered in a zip file. Unsuspecting employees might download the zip file having a scr or an exe file which is actually the  malware known as Upatre (pronounced like “up a tree”), which begins the initial infection of the target machine.

First Stage Malware: Upatre then establishes contact with the Control and Command servers and downloads and installs Dyre to the system and deletes itself.

Second Stage Malware: Dyre establishes persistence in the system and connects to nodes at Invisible Internet Project that would enable it to communicate information without revealing destination or content.It also sends emails to victim's contact list aiming to increase its list of potential victims.It then hooks to the victim's browsers to intercept log in credentials by routing them to fake pages when the victim tries to visit web sites of the targeted bank.

Advanced Social Engineering: Social engineering is the alarming aspect of Dyre Wolf campaign. In addition to providing fake pages to extract log in data from individuals, it can at times display a message to the consumer asking them to call the bank at a specified number. Dyre wolf operators at the other end of the line act professionally and extract information under the guise of verification. This is done to circumvent bank's two stage authentication processes.

Wire Transfer and DDoS: After obtaining credentials, they log into the accounts and request for wire transfer of large sums. The money is moved from account to account quickly to make tracing and reversal impossible. Following this the affected consumer faces DDoS from the bank pages which hinders detection and investigation.

Dyre is operated by a highly organized and well funded group of cyber criminals in Eastern Europe.

The only way to prevent this seems to be to avoid the first infection of the system arising from a vulnerable employee. Employees need to be trained well on regarding such malwares, spear-phishing campaigns. Other preventive measures include stripping executables from email attachments, preventing installation from temp folders, using updated anti-virus, two factor authentications etc.

Syrian Electronic Army hacks Forbes website and twitter accounts

Forbes, american business magazine, is appeared to be the latest victim of the Syrian Electronic Army.  The group has managed to post articles entitled "hacked by syrian electronic army".

The group is experts in phishing attack -targeting employees of the organization with a fake emails.  We believe hackers used the same method for compromising Forbes' employees also.

It appears they have gained admin access to the wordpress panel that allowed them to post stories.

The group appears to have compromised one twitter account of forbes (@forbestech) and two twitter accounts(@thealexknapp, @samsharf) belong to their employees.  At the time of writing, Samantha sharf account still shows the hackers tweet.

The hackers said the reason for hacking forbes is because the publication posted  many articles against syrian electronic army, with muchnhate for syria.

Target data breach started with a Spear phishing attack targeting HVAC firm

A latest information on Target data breach published by security blogger Brian Krebs shows the power of Social Engineering attacks. 

It appears everything began from a spear phishing attack in which employees of HVAC company Fazio Mechanical Services targeted with an email containing a piece of malware.

Sources have told Krebs that the malware used in the attack is Citadel- a notorious banking trojan capable of stealing login credentials and other information.  However, Krebs isn't able to confirm the information.

The reason why the company didn't get chance to identify the malware is because it is using a free version of Malwarebytes Anti-malware to protect is internal systems.

Malwarebytes is one of good tool capable of scanning and removing threats from infected machines.  However, unlike the Pro version(just $25), it doesn't offer any real-time protection.

Furthermore, the free version is meant for individuals not for companies, also the license for free version prohibits corporate use. 

Hacker manipulates Paypal and Godaddy to extort a twitter account worth $50,000


We aware that one of the powerful attack method in the hacking world is Social Engineering.  Here is a story how social engineering attack helped a hacker to extort a twitter account worth $50,000.

Naoki Hiroshima, an app developer, registered his one letter handle @N in 2007.  He says since he registered the account, he faced several troubles.  One letter twitter handles are rare, worth a lot of money.  

He says that even he got an offer up to $50,000 for his twitter handle.  However, he declined to sell it.  But, not all attempts to obtain the account have been friendly.  Hackers have often attempted to steal his account by sending phishing emails.

But this time, Naoki got bad luck.  A Hacker managed to compromise his website with social engineering attack.  The main target of the hacker is the twitter handle.  He threatens Naoki that he will never his domain, if he fails to hand over his twitter handle.  So, Naoki finally agreed to give the twitter handle to the hacker.

After get access to the @N, hacker explained how he was able to compromise his website and provided few security tips to prevent himself from being victim in future.

Manipulated employees at Paypal and Godaddy:
The attack started from Paypal.  The hacker called up Paypal and social engineered an employee into handing over the last four digits of Naoki's card.

He then called up Godaddy and said he lost his card data but he remembers the last four number.  Godaddy let the attacker to guess the first two digits of the card.  He successfully guessed the digits and has been given access to the account.

Naoki was using email ID hosted in his website for the Twitter account.  The attacker attempted to reset the twitter password.  Meanwhile, Naoki realized the attack and immediately changed the email id of Twitter to gmail.  So, the attacker was not able to get access to twitter account. 

He also attempt to trick the Twitter into handing over the account but Twitter asked the attacker to give more info.  So, he dropped the plan and blackmailed the Naoki to give his handle.

As the domain's registrant details have been changed and Godaddy is not helping Naoki, he finally agreed to exchange the twitter handle for his godaddy account.

Naoki said that he is disappointed with the Godaddy & paypal and he is planning to leave them as soon as possible.

"Stupid companies may give out your personal information (like part of your credit card number) to the wrong person. Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card. " Naoki said in his blog.

Currently, the attacker has control of the twitter handle @N.  Naoki is using N_is_Stolen for his account.

Microsoft confirms phishing attack compromised the employee's email account

Social Engineering attacks is one of the most successful attack method- Even the system which is claimed to be 100% secure can be hacked, if an attacker is able to manipulate one employee.

We recently covered a news about the recent Microsoft's twitter account hack in which Syrian hackers compromised the email accounts of Microsoft's employees through a phishing attack.

Microsoft has finally admitted that the Syrian Electronic Army has hacked into several Microsoft employee email accounts via phishing attack. 

"A social engineering cyberattack method known as phishing resulted in a small number of Microsoft employee social media and email accounts being impacted." Microsoft spokesperson said in an email sent to Geekwire.

Microsoft said that the compromised accounts have been recovered.  They also claimed that no customer info stolen in the attak. 

"We continue to take a number of actions to protect our employees and accounts against this industry-wide issue."

8 Telegraph Twitter accounts and Facebook hacked by Syrian Electronic Army

The Daily Telegraph , UK based international news portal, is the latest victim to the social media hacks of Syrian Hacker group. Earlier today, the Syrian Electronic Army has hijacked 8 Twitter accounts Telegraph news and facebook account.

As usual hackers started to tweet from the hacked account. "#FSA terrorits executed innocent citizens: on.ft.com/10VkxZk #SEA Syria" one of the tweets posted by the group reads.




The list of hacked accounts:
  1. https://twitter.com/TelegraphNews
  2. https://twitter.com/TeleTheatre
  3. https://twitter.com/TelegraphOpera
  4. https://twitter.com/TelegraphArt
  5. https://twitter.com/TelegraphFilm
  6. https://twitter.com/Tele_Comedy
  7. https://twitter.com/TelegraphSport
  8. https://twitter.com/TelegraphBooks

In addition to the twitter account hack, they also hijacked the official Facebook Page : https://www.facebook.com/TELEGRAPH.CO.UK

"We are aware that some of our accounts have been compromised and are working to resolve the issue. Many thanks for your patience." The telegraph responded to the hack.

Phishing Scam alert: Samantha very hot scene from Telugu Movie

The recent report from Symantec shows that, even Cyber criminals became a fan of Telugu actresses Kajal agarwal and Samantha.  Cybercriminals started to use these actresses' name in their phishing campaign.

Few days after symantec spotted a phishing campaign with the title "Samantha & Kajal very hot song from Brindavanam Telugu movie", they spotted another phishing campaign that uses their name.

"the phishing site displayed a picture from a captivating musical number from the movie 'Saitan'." Symantec report reads. "The phishing site was titled, 'Samantha & Kajal Very Hot Song' but in fact, these celebrities were not a part of this movie. "


The phishing page requests the internauts who visit the page to log in for watching the video.  When a user give the login credentials, they will be redirected to the legitimate movie website.

" If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes." researcher says.

Celebrities Hacked and Doxed ! (Exclusive:Hack analysis)



The private details of many Celebrity's have  been leaked on a website :" http://www.exposed.su/ (Currently Going in and out of service)"

This is the list of celebrities exposed: Michelle Obama, Kim KardashianJoe BidenRobert Mueller (FBI Director)Hillary ClintonEric Holder (U.S. Attorney General)Charlie Beck (LAPD Chief)Mel GibsonAshton KutcherJay ZBeyonceParis Hilton,Britney SpearsSarah PalinHulk HoganDonald TrumpArnold SchwarzeneggerAl GoreKanye WestKris JennerStacia Hylton (U.S. Marshals Director)Mitt RomneyTiger Woods ,Sandusky, Chris Christie, Bill Gates  

When this site went viral online and gained lots of media attention the FBI got involved and is now investigating.

Data seems to be from credit reporting agency's TransUnion, Experian and Equifax. All of them admitted they were compromised.

TransUnion, Equifax and Experian have a common website called annualcreditreport.com, where customers can get a free copy of their credit report by entering personal information – such as address, social security number and date of birth –, and by answering a few multiple-choice questions.

“What it appears happened is that personal identifiable information was evidently accessed or somehow obtained by the fraudsters who therefore were able to go into annualcreditreport.com and get some pieces of information on some individuals,” Equifax representatives told Ars Technica.

Here is an exclusive analysis of the site:

The website is running behind Cloudflare (CDN). Using Cloudflare has a lot of advantages .

  • It hides the actual IP address of the site thus it will slow down attempts to trace and take down the original server.
  • Keeps the site content on cache even if it is taken down by DDOS etc.  
  • Even a small server will be able to handle lots of traffic.
Note: Cloudflare was also used by the infamous "Lulzsec" before they were shutdown

The hacker seems to be a fan of the TV series "Dexter" which is about "A likeable Miami police forensics expert who moonlights as a serial killer of criminals who he believes have escaped justice" .

First the Quote on the main page "If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve"

It is from the same TV show (Episode 12: "The British Invasion")

Second the background music embedded in the site links to : (Music from the TV show) https://www.youtube.com/watch?v=e2xxizpHuoo

The website also does not contain any images hosted within itself . All the images are taken from other sites that have already hosted them.

The use of  .su domain seems be an diversion to try to shift the attention to Russian hackers.

Whois data:

domain:        EXPOSED.SU
nserver:       dave.ns.cloudflare.com.
nserver:       fay.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        exposed@allperson.ru
registrar:     REGTIME-REG-FID
created:       2013.03.06
paid-till:      2014.03.06
free-date:     2014.04.08
source:        TCI

The some of the pages also have youtube videos embedded in them (Most of them have something to do with the person exposed in the page)

Michelle Obama -- https://www.youtube.com/watch?v=rhN7SG-H-3k

Robert Mueller -- https://www.youtube.com/watch?v=ANeWYnArWXk

Charles Beck    -- https://www.youtube.com/watch?v=1M8vei3L0L8

Paris Hilton      -- https://www.youtube.com/watch?v=srP5twK-9Dw

Britney Spears  -- https://www.youtube.com/watch?v=kHmvkRoEowc

Donald Trump  -- https://www.youtube.com/watch?v=WD729yIKskU

Arnold Schwarzenegger -- (Broken Link in site) 

Mitt Romey -- (Broken Link in site) https://www.youtube.com/watch?v=DrR4G5HHPxY (recovered)

Though the attack is very well planned the website itself seems be done in a hurry. And there seems to be no "pattern" to the hacks except that all of the victims are celebrities.

Note: Will update this post if I find anything else.

Browser Event Hijacking allows hacker to steal your password

Browser Event Hijacking

Be careful what you type on your web browser.  Hacker can hijack search command in browser and steal your password or any other sensitive data by social engineering attack.

The hacking method has been possible for years , but now two POCs has been published that demonstrate how an attacker can lure victims to give their password.

Browser Event Hijacking:

The hacker can hijack the browser event by using 'preventDefault' method on JavaScript, that cancels an operation while allowing all remaining handlers for the event to be executed. For Eg: if you press Ctrl+F , hackers can display their own search box instead of the browser search box.

The hack was initially posted here:
http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/

A simple code that hijacks the browser event and steal password :
$(window).keydown(function(evt){
                if((evt.which == "70" && (evt.metaKey || evt.ctrlKey))){
                        console.log("STRG+F");
                        evt.preventDefault();
                        /* display fake search */
                        $("#searchbox").slideDown(110);
                        $('#search').focus();



Then another researcher rebuild the POC with a fake list of leaked passwords. So someone just presses CTRL+F in his browser and types his password to look if it is leaked ,become victim.

The POC :
http://h43z.koding.com/blog/leaked.html

If you search for any keywords in the page, it will lure you to believe there is password with your search string.

South Carolina Department of Revenue hacked by Social Engineering attack


social engineering attack scdor hack

End of the last month, we reported that the South Carolina Department of Revenue website breached and hackers steal sensitive information. The Cyber crime investigation reveals the reason behind the security breach.

After the Security breach, the state hired an information security firm to investigate the intrusion.

According to the report , the hacker tricked a user in the Department of Revenue's system into opening a malicious file that allowed the hacker to access the system.

Also the investigation discovered that the Department of Revenue’s login system for the computer also did not have the strongest protections available to verify users trying to get in.

By using the stolen credential , the hacker then remotely accessed the revenue department’s database and stole the information.

Hackers hijack Gizmodo Reporter's iCloud account via Social Engineering attack


Yesterday, we report that Gizmodo's twitter account hijacked after hackers compromised the iCloud account of Mat Honan, a former Gizmodo employee. At the time it was assumed that the hackers had used bruteforcing attack ,  but it turns out that Apple gave the hackers access to his iCloud account.

"I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions."Mat Honan said in the blog post.

"Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were. "

Social engineering” is a fancy word for tricking the person on the other end to do what you want by making them believe that they are you.

Even if you have Strong passwords , hackers can convince the tech support person that they are you, they can walk past all that security. Nothing can protect you from this kind of targeted attack. 

UGNazi hacked WHMCS by Social Engineering attack

UGNazi hacke group have manage to break into the WHMCS, a company that provides billing and customer support tech to many web hosts . They leaked data and deleted all the files from the firm’s server.

The data leak contains 500,000 records including customer credit card details, username, passwords and IP addresses.

According to report, The hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers.

UGNazi also gained access to WHMCS's Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm's customer records and other sensitive data might be downloaded.

"Following an initial investigation I can report that what occurred today was the result of a social engineering attack. The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions," Matt Pugh, WHMCS founder and lead developer explained.

“And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details. This means that there was no actual hacking of our server. They were ultimately given the access details.”

Hacktivists justified the attack by making unsubstantiated accusations that WHMCS offered services to shady characters, via an update to WHMCS's compromised Twitter feed:

Many websites use WHMCS for scams. You ignored our warnings. We spoke louder. We are watching; and will continue to be watching. #UGNazi

After the incident, WHMCS reported the breach on its systems to the FBI.

Fraudster conned Citibank to get Paul Allen's Debit Card



FBI charged an alleged Army deserter 'Brandon Price' of Pittsburgh, Pennsylvania
with the  bank fraud in connection to the social engineered hijacking of Microsoft co-founder Paul Allen's debit card.

According to the Wired report, the suspect made a phone call to Citibank on January, impersonated Allen and request bank to change the address on his account. Later, he called the Customer service department of Citibank and stated that he had misplaced his debit card at his residence ,but didn't want to report it stolen. After Citibank send him a new debit card via UPS.

It just reminds me one of 'White Collar' TV series.

After UPS delivered it, the suspect made a payment $658 to his Armed Forces Bank loan account in Fort Leavenworth, Kansas. 

He also attempted to perform $15,000 transaction through Western Union and the following day, tried to make a $278 purchase from a Gamestop store in Pittsburgh, the authorities said. Those two transactions did not go through.

Hackers steal millions of pounds from Xbox Live customers using Phishing Attack


CyberCriminals used phishing attack on Xbxo Live Accounts and stolen millions of pounds. The average loss to gamers in 35 countries hit by the scam is around £100, but many lost £200.

Attackers send mail to Xbox Live Customers with Phishing page that claims "offering free Microsoft points that can be used to buy games." The gamers entered the personal info without knowing that it was phishing page. These criminals take small amounts from credit cards over several weeks so that victims can not detect theft. Other victims lost money when passwords were accessed.

The victims only realised when their online profile became "locked out" , meaning someone else had used it.

Microsoft confirmed there had been no breach in the security of Xbox Live itself. Microsoft is investigating and says a small percentage of users are affected. Microsoft spokesman said:
"We take the security of the Xbox Live service seriously and work to improve it against evolving threats.

Very occasionally, though, we are contacted by members regarding alleged unauthorized access to their accounts by outside individuals.

We work closely with impacted members directly to resolve any unauthorized changes to their accounts and, as always, highly recommend all Xbox Live users follow our account security guidance in order to protect their account details."


New Facebook scam leads to Youtube Phishing page

Microsoft spotted a spam that leads to Youtube Phishing page, which suggest to update browser with a bogus Active object(setup.exe. Of course, it is malware, detected as Backdoor:Win32/Caphaw.A.


This malware installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project.
One infected user reported that money had been transferred from his bank account by an unknown party.

 The backdoor "calls home" to domains such as commonworld*****.cc or web****es.cc to get the data that it posts on the friends' Facebook walls. Its main module, in the meantime, is hosted on ****youtube.com.

If you see these type of spams, you can mark the post as spam to help prevent others from downloading the backdoor;