Symantec

Symantec - Beware of Targeted Scams and Phishing Attacks!

Latest Virus Alerts: Articles and Statistics Symantec

According to Symantec’s latest State of Spam and Phishing report,
scam and phishing messages accounted for 21 percent of all
spam, which is the highest level recorded since the inception of the
report. For comparison, these types of spam represented only 10 percent
of total spam a year ago.

Historically, the primary vector for spam attacks was to blast out as
many messages as possible, hoping that someone would open a message and
click on the call to action. The call to action could be anything from
clicking on a link to purchase medications, to visiting an adult
website. While we continue to see high volumes of spam originating from
expansive botnets, spammers are also moving towards a more sophisticated
and targeted approach to spam. Two primary examples of this trend are
419/Nigerian-type scams and phishing messages.

Symantec - Phishing Scam Linked to Valentine’s Day Movie

Symantec has been observing several spam and phishing attacks regarding
the recent Valentine’s Day. One such phishing attack was on an e-card
website that asked for user credentials in order to send Valentine’s Day
greetings to loved ones. The legitimate e-card website has partnerships
with several other brands and so accepts credentials from certain other
websites as well. Hence, attackers can steal user information from
several brands’ sites by phishing on just one e-card website. This
particular attack asked for users’ credentials for a popular information
services website. The phishing domain was hosted on servers in China
and has been reported as a case of “domain tasting.” Domain tasting is a
practice in which a domain name is used for a short period of time and
checked to see whether it is making enough money. If it doesn’t earn
enough, the domain name is deleted and the registrant is refunded the
entire registration fee. Attackers use this technique to run phishing
activity for short periods of time at low cost.

Symantec - Scammers Offering Tax Refunds

Fraudsters never seem to rest. They have now turned their attention
towards phishing using the Indian Income Tax Department’s name and
branding. It is tax return season in India, when people file their
income tax returns for the end of the fiscal year. Hence, phishers have
chosen the right time to phish the market since most users will not be
aware of these attacks.

Attackers are sending spam email messages with subject lines such as
“Tax Return!” and the following body text:

“Dear applicant, After the last annual calculation of your fiscal
activity we have determined that you are eligible a tax refund of XXX
Rupees. To access the form for your tax refund please click here.”

The link that is provided is titled “Tax Refund Online Form”
and it leads to a phishing site that is a spoofed version of the Indian
Tax Department site, incometaxindia.gov.in. The
phishing Web page asks customers to submit their sensitive information
such as personal information and bank or credit card details.

Below is a screenshot of one such phishing site:

Symantec - Phishing Using Pornographic Content as Bait

Symantec has observed a new trend in phishing in which the phishing
Web page contains pornographic content. The phishing site states that
the end user can obtain free pornography after logging in or signing
up. These offers tempt users into entering their credentials in the
hopes of obtaining pornography.

The attackers use several offers of pornography as bait. Some of the
offers are adult chat, social networking with adult personals for
sexual favors, blogs with free pornography, and so on. The screenshot
below is an example of a phishing website using a leading information
services brand. The site states that they provide email alerts for sex
parties:

In January, new phishing attacks such as the above example continued
to be observed abusing legitimate brands. The phishing pages were
created using free Web hosting sites. Upon entering login credentials,
the site redirects to a pornographic website that then leads to a fake
antivirus website containing malicious code. To learn more about the
trends involved with fake antivirus software, please refer to “Fake Antivirus Scans are so 2009.”

Symantec - iPad SEO Poisoning Leads To Rogue Security Software

Yesterday we saw SEO poisoning attacks when searching for keywords
such as "Apple Tablet". Now, after the product announcement has been
made, we are seeing the same attack with the actual name of the product
included in the search term.

Searches using terms like "Apple Ipad rumor" or "Apple Ipad size" are
likely to produce results from sites like youcanbesureforsafe.net,
antyspywarescanblog.com, or mastersmegasecurity.net, ultimately
compromising your computer with rogue security software.

Symantec - Trojan.Hydraq's Backdoor Capabilities

At this stage we’ve looked at several features of Hydraq, including
its obfuscation techniques and how it remains on an infected system.
So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:
