Nearly Seventy Percent of All Malware is Delivered via Drive-By Downloads

Tuesday, September 23rd, 2008

There has been no shortage of press regarding malware on the Internet over the past several months. Malware continues to grow in volume and evolve in complexity. As security companies continue to address the problem, the number of Web sites that distribute the unwanted downloads is growing out of control.

What classifies a malware download as a drive-by download? While there is no one standard definition, the problem can be described simply as a file downloaded to a user’s computer without permission or user action when visiting a Web site. This feat is typically accomplished by exploiting a vulnerability in the web browser or operating system.

So, with the exploding growth of malware on the Internet, how many malicious web sites distribute malware via drive-by downloads? Based on a sample of hundreds of thousands of malware distribution web sites discovered in the past 60 days, sixty-eight percent of malware distribution sites deliver malware via drive-by downloads.

Think about it: there are millions of malicious web sites on the Internet. Not only may your AV software fail to detect malware already on your computer, as described in an earlier Cyveillance report (http://www.cyveillance.com/web/forms/request.asp?getFile=111), but simply visiting a web site could infect your computer.

Users can minimize the risk of infection by a drive-by download in several ways. One of the most effective protective measures is to use the more secure settings in your web browser. This may cause some inconvenience by requiring users to respond to security prompts when visiting feature-rich web sites, but it will reduce potential malware infections. Another common-sense protective measure is simply to avoid visiting unfamiliar or disreputable web sites.

Additionally, security companies that provide user protection through desktop clients can significantly improve protection against drive-by downloads through the use of Cyveillance Malware Protection™. The service evaluates web sites with both signature-based and behavioral-based technologies. This multi-pronged approach to detecting online threats allows Cyveillance to collect the most comprehensive and up-to-date intelligence regarding new malware and attack methods.

Scads hurt everyone.

Friday, September 19th, 2008

What is a “scad”? Scads are deceptive sponsored search results that usually appear at the top and along the side of a web page. Deceptive sponsored search results (scam ads or scads) happen when advertisers misrepresent themselves by using brand names they aren’t affiliated with or authorized to use. This unauthorized use of a well-known brand can lead to consumer confusion, lost brand equity or worse.

Studies have shown that the majority of online consumers, over 90%, do not recognize the difference between a paid search result and a natural search result. While most online advertising using another company’s trademark is fairly innocuous and may eventually lead a consumer to a corporate website, many divert traffic away from the intended location.

Some online ads even go beyond simple brand misuse to blatantly deceptive ad language and positioning. In some cases, the purpose of the scad is to commit identity theft. By positioning bogus, or easily compromised, reservation or purchase pages, criminals can easily capture personal credentials for illegal use. Even more alarming is the presence of malware. It has begun to appear in the underlying URLs of some advertisers; the exact rate of malware presence is unknown.

Recently, Cyveillance gave official support to an organization focused on combating this form of bait-and-switch and educating consumers. The Alliance Against Bait and Click (AABC), www.stopscads.org, launched in late July 2008 with the purpose of educating the average consumer about scads and ways to combat them.
The AABC comprises a diverse group of leading experts, organizations, and companies working together to stop bait and click and to make deceptive sponsored search results a thing of the past. Currently, many of the member organizations come from the hospitality industry, but membership is quickly expanding to others that are sensitive to this issue. If your company is interested in joining, watch for upcoming meetings on the subject.

Cyveillance has long been aware of these scams and continually educates its clients about this form of brand dilution and traffic diversion. For several years now Cyveillance has offered a Paid Placement Monitoring Solution to assist clients in identifying individuals or companies who bid on their trademarks and/or are using their brand without authorization.

For more information on Cyveillance or the AABC, please contact your Cyveillance Analyst or visit the AABC website at www.stopscads.org.

Domain Registration Scam picks up in volume

Tuesday, September 9th, 2008

Cyveillance has recently observed an increase in the volume of spam email related to a domain registration scam. This scam typically targets individuals in Fortune 500 companies and attempts to create a sense of urgency around the need to register country code top-level domains (ccTLDs) before a fictitious holding company purchases them, making them unavailable. Many of the ccTLDs we have seen include:

•    net.cn
•    org.cn
•    hk
•    tw
•    com.tw
•    asia

The scammers portray themselves as good corporate citizens by informing companies of the registration inquiry. However, we know better. Their agenda is to entice the target company into registering the Asian domains quickly at an inflated rate.

Cyveillance recommends the following actions if/when someone in your organization receives one of these emails.

1.    Follow your company’s Domain Registration Policy. If you would like to own any of the domain names listed in the scam email, contact a reputable registrar to purchase these domains through your normal channels.
2.    Delete and ignore the messages as you do with conventional spam. You are not required to take any action, so do not respond or engage in negotiations with the scammers at all.
3.    It is still your trademark/brand and you have a right to defend it. You should not be extorted into buying domains prematurely. If any of the domains listed in the emails are ever registered by companies that do not have a relationship with you, you have the right to send Cease & Desist letters or to engage in the UDRP process to recapture that domain.

Shown below is just one example of the emails received.

From: xxxxxxxxxxxxxxxxxxxxxxxxxx
Sent: Wednesday, August 20, 2008 5:18 AM
To: xxxxxxxxxxxxxxxxxxxxxxx
Cc: Platinum Card Mailbox
Subject: xxxxxxxxxxxxxxxxx Domain Names

Dear CEO,

We are SK Net Service Company Ltd, which is the domain name register center in China.I have something need to confirm with you.
we have received an application formally,one company named “MAIRHK Holdings Limited” applies for the domain names
xxxxxxxxxxxxxxxx.net.cn
xxxxxxxxxxxxxxxx.org.cn
xxxxxxxxxxxxxxxx.hk
xxxxxxxxxxxxxxxx.tw
xxxxxxxxxxxxxxxx.com.tw
xxxxxxxxxxxxxxxx.asia
and the internet Brand Name(xxxxxxxxxxxxxxxx)on the internet  Aug 19, 2008. We need to know the opinion of your company, because the domain names and keywords may relate to the usufruct of brand name on internet.
we would like to get the affirmation of your company, please contact us by telephone or email as soon as possible. Please let someone in your company who is responsible for trademark or intellectual right contact me freely.

Best Regards,

Rock.Tian
Sponsoring Registrar:
SK Net Service Company Ltd
Add: 3A, Units 20/F, Far East Consortium Bldg,
121 Des Voeux Road, Central, Hong Kong
Tel: +852-3075 9838
Fax:+852-3177 1510  +852-3177 1520
website:www.sknetservice.hk
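A mail-filter heuristic for this scam, written here as an added example (not Cyveillance code): it flags a message that claims several of the ccTLDs listed above for one label and uses the urgency wording of the sample email. The sample messages, the label "examplecorp", the phrase list and the threshold of three indicators are all constructed assumptions for illustration.

```python
import re

# ccTLDs named in the post; several of them listed for one label is the
# hallmark of this scam.
SCAM_CCTLDS = ("net.cn", "org.cn", "hk", "tw", "com.tw", "asia")

# Wording patterns taken from the structure of the sample email above.
SCAM_PHRASES = ("dear ceo", "register center",
                "applies for the domain names", "as soon as possible")

DOMAIN_RE = re.compile(
    r"\b([a-z0-9-]+)\.(" + "|".join(re.escape(t) for t in SCAM_CCTLDS) + r")\b",
    re.IGNORECASE)

def extract_domains(text):
    """Return (label, cctld) pairs for every listed-ccTLD domain in text."""
    return [(m.group(1).lower(), m.group(2).lower())
            for m in DOMAIN_RE.finditer(text)]

def score_message(text):
    """Return (score, reasons): one point per scam phrase, plus one point when
    three or more of the listed ccTLDs are claimed for the same label."""
    reasons = []
    by_label = {}
    for label, tld in extract_domains(text):
        by_label.setdefault(label, set()).add(tld)
    for label, tlds in by_label.items():
        if len(tlds) >= 3:
            reasons.append(f"{len(tlds)} listed ccTLDs claimed for '{label}'")
            break
    lowered = text.lower()
    reasons += [f"phrase '{p}'" for p in SCAM_PHRASES if p in lowered]
    return len(reasons), reasons

def is_registration_scam(text, threshold=3):
    """Flag a message once it accumulates at least `threshold` indicators."""
    return score_message(text)[0] >= threshold

# Constructed sample modelled on the email above ('examplecorp' is made up).
SAMPLE_SCAM = """Dear CEO,
We are a domain name register center in China. One company applies for the domain names
examplecorp.net.cn examplecorp.org.cn examplecorp.hk examplecorp.tw examplecorp.com.tw examplecorp.asia
We need to know the opinion of your company, please contact us as soon as possible."""

# Constructed benign renewal notice for contrast; it should not be flagged.
SAMPLE_BENIGN = "Reminder: examplecorp.com renews next month via your usual registrar."

if __name__ == "__main__":
    for msg in (SAMPLE_SCAM, SAMPLE_BENIGN):
        print(is_registration_scam(msg), score_message(msg)[1])
```

The ccTLD check keys on the same label being claimed across several registries, which is what the spam does and a genuine registrar inquiry about one domain does not.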