SPAM frauds, fakes, and other MALWARE deliveries...


1267 replies to this topic

#651 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,994 posts

Posted 06 April 2012 - 05:29 AM

FYI...

Olympic SPAM arrives...
- http://blog.trendmic...-2012-olympics/
Apr 5, 2012 - "... Users dreaming of watching the closing ceremonies of the London 2012 Olympics live may find the said offer hard to resist as Visa Golden Space is supposedly inviting users to join a lottery for a chance to win a travel package for the said event. Note that the said offer is non-existent. We also spotted a malware that arrives as a file named Early Check-In 2012 London Olympics.doc. This file, detected as TROJ_ARTIEF.XPL, exploits the RTF Stack Buffer Overflow Vulnerability found in several versions of Microsoft Office components. If it’s successful, it drops several other -malware- on your system, which Trend Micro detects as TROJ_DROPHIN.A and TROJ_PHINDOLP.A. This is not the first scam that uses this event to get users clicking. As early as 2008, Trend Micro had spotted a spammed message purporting to be a lottery drawn by the London 2012 Olympics committee. In May 2011, we also reported on a -spam- campaign that used London 2012 Olympics as bait. In addition, our social engineering e-guide mentions seasons and events as jump off points used by crooks. Online deals that look like they’re too good to be true, suspicious email messages promoting great but non-existent offers are also some of the tools used to lure users. All these tactics may lead to you inadvertently giving out your personal information, or for malware to be downloaded on your computer. Your personal information is not worth the risk for a non-existent chance to win a lottery. Before clicking on that email link, investigate."
___

Fake AT&T wireless bill links to malware
- http://blog.commtouc...ink-to-malware/
Apr 5, 2012 - "Large outbreaks of phony AT&T wireless emails* have been distributed in the last 2 days. The emails describe very large balances ($943 in example), that are sure to get aggravated customers clicking on the included links... Every link in the email leads to a different compromised site that has malware hidden inside. In the example below** this means -9- (!) different URLs – most emails with links to email limit themselves to one or two links.
** http://blog.commtouc...omised-site.jpg
The index.html file tries to exploit at least the following known vulnerabilities:
Libtiff integer overflow in Adobe Reader and Acrobat – CVE-2010-0188
Help Center URL Validation Vulnerability – CVE-2010-1885
Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy) should mouse-over the links. Genuine emails from AT&T will include AT&T website links. For example the “att.com” link will be the same in both places that it appears in the email – unlike the malicious version which uses 2 very different URLs. The fully functional homepage of one of the compromised sites is shown below. For more information about compromised websites see Commtouch’s report*** compiled in association with StopBadware."
* http://blog.commtouc...-to-malware.jpg

*** http://www.commtouch...tes-report-2012
___

Verizon-themed SPAM emails lead to ZeuS
- http://blog.webroot....zeus-crimeware/
March 29, 2012

:grrr: :ph34r:

Edited by AplusWebMaster, 08 April 2012 - 07:09 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
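Added example, not from the Commtouch post or from this thread: the "mouse-over the links" check described in the AT&T write-up, done in code. It parses the HTML body of a message, flags every anchor whose visible text names one domain (att.com) while its href points at a different host, and counts how many distinct hosts the links fan out to (nine in the AT&T sample). The sample message and its host names are constructed, and the domain reduction is a crude last-two-labels rule rather than a public-suffix lookup.

```python
"""Added example: check an HTML e-mail for links whose visible text names one
domain (e.g. att.com) while the href points at a different host, and count how
many distinct hosts the links fan out to. Sample message is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname inside the clickable text ("www.att.com", "att.com")
_HOST_IN_TEXT = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def registered_domain(host):
    """Crude last-two-labels reduction (www.att.com -> att.com). Good enough
    here; a real deployment would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_links(html):
    """Return the text/href mismatches and the number of distinct link hosts."""
    collector = _LinkCollector()
    collector.feed(html)
    mismatches = []
    hosts = set()
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host:
            hosts.add(host)
        match = _HOST_IN_TEXT.search(text)
        if match and registered_domain(match.group(1)) != registered_domain(host):
            mismatches.append((text, href))
    return {"mismatches": mismatches, "distinct_hosts": len(hosts)}


# Constructed sample in the style of the fake AT&T bill; hosts are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Your AT&amp;T Wireless bill of $943.17 is now available.</p>
<p><a href="http://compromised-one.example/a1b2c3d4/index.html">View your bill at att.com</a></p>
<p><a href="http://compromised-two.example/e5f6g7h8/index.html">www.att.com</a></p>
<p><a href="http://www.att.com/">att.com</a></p>
<p><a href="http://compromised-three.example/x9y8z7w6/index.html">Pay now</a></p>
</body></html>"""

if __name__ == "__main__":
    report = analyze_links(SAMPLE_EMAIL)
    for text, href in report["mismatches"]:
        print(f"MISMATCH: text says {text!r} but links to {href}")
    print("distinct link hosts:", report["distinct_hosts"])
```

The "Pay now" link is not a text/href mismatch (it names no domain), but it still adds a fourth host, which is the other signal in the write-up: a genuine bill links back to one carrier domain, not to several unrelated sites.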


#652 AplusWebMaster

Posted 07 April 2012 - 05:23 AM

FYI...

Fake HP scan SPAM email leads to malware
- http://blog.dynamoo....anjet-spam.html
6 April 2012 - "Another fake HP scan spam email leading to malware. This one follows the new technique of putting a malicious HTML (HP_Scan.htm) file inside a ZIP file to reduce the risk of it being blocked, and then it has multiple payload sites to try to get a higher infection rate. Nasty.
'Date: Fri, 6 Apr 2012 08:29:34 +0200
From: "Hewlett-Packard Officejet 70419A" [JaysonGritten@ estout .com]
Subject: Scan from a Hewlett-Packard ScanJet #02437326
Attachments: HP_Document-12-Z1380.zip
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 45211A.'
The payload can be found at:
hxxp :// 211.44.250.173 :8080/navigator/jueoaritjuir.php
hxxp :// 62.85.27.129 :8080/navigator/jueoaritjuir.php
hxxp :// 219.94.194.138 :8080/navigator/jueoaritjuir.php
hxxp :// 78.83.233.242 :8080/navigator/jueoaritjuir.php
... Anti-virus detection* is pretty poor at the moment...."
* https://www.virustot...2fb09/analysis/
File name: HP_Scan.htm
Detection ratio: 10/42
Analysis date: 2012-04-06 10:24:37 UTC
___

- http://blog.webroot....ts-and-malware/
March 31, 2012
> https://webrootblog...._malware_01.png
* https://www.virustot...365f0/analysis/
File name: Invoice_NO_Mailen.htm
Detection ratio: 21/42
Analysis date: 2012-04-02 05:40:03 UTC

:grrr: :ph34r:

Edited by AplusWebMaster, 08 April 2012 - 07:03 AM.



#653 AplusWebMaster

Posted 09 April 2012 - 07:32 AM

FYI...

EU tax invoice trojan...
- http://blog.mxlab.eu...ontains-trojan/
April 8, 2012 - "... started to intercept a new trojan distribution campaign by email with the subject “invioce” and is sent from the spoofed address “European Commissions’s Office<info@infoeu.eu>” and has the following body:

Please open the attached file for your income tax invoice.From the European
Commission’s office .This message is for all the European Union citizens.
Note: European Union citizens Tax invoices are provided Once a year.
please refer to your tax Confirmation email. Attachment: Tax Invoice.
For Better Understanding.
Regards
Mr Jeff Black

The attached file is named invoice.exe and is approx. 170 kB large. The trojan is known as a variant of Win32/Injector.PWG (NOD32), W32/Obfuscated.D!genr (Norman), Trojan.Win32.Generic.pak!cobra (VIPRE). At the time of writing, only 6 of the 42 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1333886755/
File name: invoice.exe
Detection ratio: 9/41
Analysis date: 2012-04-08 12:05:55 UTC

:grrr: :ph34r:



#654 AplusWebMaster

Posted 12 April 2012 - 05:37 AM

FYI...

Dutch phishing emails target domains in Belgium/Netherlands
- http://blog.mxlab.eu...he-netherlands/
April 10, 2012 - "... increase of phishing emails, compared to the previous days, weeks and month, in the Dutch language that are sent to domains .be and .nl in Belgium and the Netherlands. The phishing emails are sent on behalf of ABN Amro and ING.
Here are some subjects for ING phishing emails:
- Mijn ING Breidt
- Belangerijk Mijn ING Nieuws
- Je hebt 1 ongelezen beveiligd Alert.
Here are some subjects for the ABN AMRO Bank:
- Beveiliging Message Alert van ABN AMRO Bank
- 2012 ABN AMRO VERIFICATIE ..."
(Examples of complete phish text at the URL above.)

:!: :grrr:



#655 AplusWebMaster

Posted 12 April 2012 - 05:59 AM

FYI...

Android "GoldDream" malware server still alive
- http://community.web...till-alive.aspx
12 Apr 2012 - "Many anti-virus vendors have reported on and dissected the suspicious and malicious Android "GoldDream" malware threat. The C&C server (lebar .gicp. net)... hosts this -malware-... this C&C server is still alive after several months and is still serving users with "GoldDream" malware... Websense... has blocked the malware server sites, out of the 19 vendors listed by VirusTotal*... The malware site mainly targets users in China, masquerading as a normal Android apps distribution site. The site makes use of a fake certificate and registration... information to lure more customers, and is placed at the bottom of the listed app sites in a bid to advertise itself as a good reputation site... We have analyzed all the available free Android apps on the site (23 in total). 18 of these apps contain "GoldDream" malware. These are normal game apps which are re-packaged to include malicious code... We strongly suggest that users refrain from downloading and installing apps from untrusted 3rd party sources..."
* https://www.virustot...acb51/analysis/
Normalized URL: http ://lebar .gicp .net/
Detection ratio: 1/25
Analysis date: 2012-04-12 09:32:49 UTC
___

- http://google.com/sa...?site=gicp.net/
"... 222 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-12, and the last time suspicious content was found on this site was on 2012-04-12. Malicious software includes 206 scripting exploit(s), 121 exploit(s), 30 trojan(s). Successful infection resulted in an average of 2 new process(es) on the target machine. Malicious software is hosted on 90 domain(s)... 92 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 15 network(s) including AS32475 (SINGLEHOP), AS4134 (China Telecom backbone), AS4837 (CNC)... Over the past 90 days, gicp.net appeared to function as an intermediary for the infection of 13 site(s)... It infected 9 domain(s)..."

- http://centralops.ne...ainDossier.aspx
... canonical name - gicp .net
aliases
addresses 74.82.185.218

Recommended add to BLACKLIST

:grrr: :ph34r:

Edited by AplusWebMaster, 12 April 2012 - 09:33 AM.



#656 AplusWebMaster

Posted 12 April 2012 - 10:21 AM

FYI...

Ransomware - multiple types/discoveries

1) http://blog.trendmic...es-mbr-hostage/
Apr 12, 2012 - "We have encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection to take effect..."
(More detail at trendmicro URL above.)

2) https://www.f-secure...s/00002347.html
April 12, 2012 - "We are receiving reports of a ransom trojan, it's been circulating during the last two days. When first run on the system, the ransomware will iterate all folders on the system. Every document, image, and shortcut (.lnk) file found will be encrypted and appended with an extension of .EnCiPhErEd. In each folder it will drop a text file called "HOW TO DECRYPT.TXT" which contains instructions on how to proceed. The bandit is demanding 50€. It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password. After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted. Our threat hunters think that the source of this ransomware may be from inserted malicious tags in sites, particularly in forums..."
(More detail at f-secure URL above.)

:grrr:



#657 AplusWebMaster

Posted 13 April 2012 - 07:24 AM

FYI...

Android malware poses as Angry Birds...
- http://nakedsecurity...rds-space-game/
April 12, 2012 - "Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular "Angry Birds" series of games. SophosLabs recently encountered malware-infected editions of the "Angry Birds Space" game which have been placed in -unofficial- Android app stores. Please note: The version of "Angry Birds Space" in the official Android market (recently renamed "Google Play") is *not* affected... With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone's browser. Effectively, your Android phone is now part of a botnet, under the control of malicious hackers..."

:grrr: :ph34r:



#658 AplusWebMaster

Posted 17 April 2012 - 07:56 AM

FYI...

Fake Verizon emails follow fake AT&T emails ...
- http://blog.commtouc...-emails-attack/
April 16, 2012 - "Less than 2 weeks ago we reported* the use of perfectly formatted AT&T Wireless emails that included multiple links to malware infested sites. These have now been followed up with similar emails – but the “carrier” has switched to Verizon Wireless...
> http://blog.commtouc...ource-email.jpg
... The Verizon emails also lead to sites hosting malware – although there are far fewer links in the email – and the same compromised site is used repeatedly in each email (in the AT&T attack, up to 9 different sites were used). The same gang appears to be behind both attacks since the link structure is identical:
<compromised domain>/<8 random numbers and letters>/index.html.
The same vulnerabilities are once again exploited via the scripts on the sites. The fully functional homepage of the compromised site is shown below."
> http://blog.commtouc...timate-site.jpg

* http://blog.commtouc...ink-to-malware/

:grrr: :ph34r:

Edited by AplusWebMaster, 17 April 2012 - 07:57 AM.

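Added example, not from the Commtouch post or from this thread: the link structure quoted above, <compromised domain>/<8 random numbers and letters>/index.html, is specific enough to hunt for in web proxy logs after the fact, which tells you which internal machines actually clicked through. The code parses Squid-style access.log lines (constructed here), matches the URL shape, and lists the clients per landing page. The "looks random" filter that drops directory names such as gallery1 is an assumed heuristic, not something the write-up states, so it can be switched off.

```python
"""Added example: spot the landing-page URL shape reported for the AT&T/Verizon
runs, <host>/<8 random letters and digits>/index.html, in proxy logs and list
which internal clients fetched each one. Log lines are constructed."""
import re

# URL shape described in the Commtouch write-up; port is optional.
LANDING_RE = re.compile(
    r"^https?://(?P<host>[^/:]+)(?::\d+)?/(?P<dir>[A-Za-z0-9]{8})/index\.html$"
)


def parse_squid_line(line):
    """Squid native access.log: time elapsed client code/status bytes method url ..."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "status": fields[3], "method": fields[5], "url": fields[6]}


def looks_random(token):
    """Assumed heuristic (not from the write-up): a 'random' directory mixes
    digits with upper- and lower-case letters; 'gallery1' does not."""
    return (any(c.isdigit() for c in token)
            and any(c.islower() for c in token)
            and any(c.isupper() for c in token))


def find_landing_pages(log_text, require_random=True):
    """Map each matching URL to the sorted list of clients that requested it."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = LANDING_RE.match(rec["url"])
        if m is None:
            continue
        if require_random and not looks_random(m.group("dir")):
            continue
        hits.setdefault(rec["url"], set()).add(rec["client"])
    return {url: sorted(clients) for url, clients in hits.items()}


# Constructed log lines; hosts and addresses are placeholders.
SAMPLE_LOG = """\
1334600001.123    452 10.0.0.15 TCP_MISS/200 18231 GET http://news.example/2012/04/story.html - DIRECT/192.0.2.10 text/html
1334600002.456    321 10.0.0.15 TCP_MISS/200 9123 GET http://shop.example/7f3Kq9Zb/index.html - DIRECT/192.0.2.20 text/html
1334600003.789    210 10.0.0.22 TCP_MISS/200 7710 GET http://shop.example/7f3Kq9Zb/index.html - DIRECT/192.0.2.20 text/html
1334600004.012    198 10.0.0.31 TCP_MISS/200 4402 GET http://blog.example/A1b2C3d4/index.html - DIRECT/192.0.2.30 text/html
1334600005.345    150 10.0.0.31 TCP_MISS/200 6600 GET http://www.att.com/index.html - DIRECT/192.0.2.40 text/html
1334600006.678    130 10.0.0.40 TCP_MISS/200 5500 GET http://photos.example/gallery1/index.html - DIRECT/192.0.2.50 text/html
"""

if __name__ == "__main__":
    for url, clients in find_landing_pages(SAMPLE_LOG).items():
        print(url, "->", ", ".join(clients))
```

A match on this shape alone is a lead, not a verdict; the next step is to pull the index.html the proxy cached (if it did) and look for the exploit scripts the write-up describes.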


#659 AplusWebMaster

Posted 17 April 2012 - 02:54 PM

FYI...

CEIEC doc exploits ...
- http://www.shadowser...lendar/20120416
16 April 2012 - "In recent weeks thousands of documents have been released online by a hacktivist going by the online moniker of "Hardcore Charlie." These documents appear to have potentially been sourced and possibly stolen from various businesses and governments in different countries including the United States, the Philippines, Myanmar, Vietnam, and others... the documents are purported to have been stolen by Hardcore Charlie from the Beijing based military contractor China National Import & Export Corp (CEIEC). If true, that would mean that the documents were stolen at least twice. These are allegations that CEIEC has strongly denied and condemned... one thing we do have are words of caution and some interesting information about a handful of the documents found in this dump. Within the document dump in a folder related to Vietnam are 11 malicious documents (8 unique) that exploit vulnerabilities (CVE-2010-3333 and CVE-2009-3129) in Microsoft Office to install malware. These documents installed four different types of backdoors that reported back to six distinct command and control servers. Two of the backdoors were unfamiliar to us and the other two were the well known Poison Ivy RAT and the Enfal/Lurid. At least one hostname could be tied back to a known set of persistent actors engaged in cyber espionage... At the time of this writing... hostnames resolve to 123.120.105.120... 112.112.147.16 and 222.172.238.174... The single Microsoft Excel exploit in the packet dropped malware that beaconed back to 64.56.70.254 and likely a variety of other embedded IP addresses... Two out of the nine unique samples installed the popular Poison Ivy RAT upon successful exploitation... Although many questions remain, the following facts are clear:
• A small subset of the documents contained in the purported CEIEC dump are malicious.
• These malicious documents drop a mix of malware families including Poison Ivy, Enfal/Lurid and two unnamed families.
• Some of the malware samples extracted from the CEIEC dump connect to infrastructure used in previous APT campaigns.
These documents just go to show that malicious files can end up pretty much anywhere. We are stating the obvious but remember to exercise caution when viewing files you downloaded from the Internet. Microsoft patched the two vulnerabilities used in these attacks quite some time ago. They patched CVE-2009-3129 with MS09-067 and CVE-2010-3333 with MS10-087. Malicious documents that exploit vulnerabilities in Microsoft Office, Adobe Acrobat [Reader], or components loaded by these pieces of software are still some of the most common ways in which cyber espionage attacks are conducted. Staying current with the latest versions and security patches for any software you run is highly recommended."

:ph34r: :grrr:



#660 AplusWebMaster

Posted 18 April 2012 - 07:55 PM

FYI...

Trojan pilfers Hotel credit cards...
- https://www.trusteer...it-cards-hotels
April 18, 2012 - "Our intelligence center researchers recently uncovered a fraud “package” being sold in underground forums that uses a remote access Trojan to steal credit card information from a hotel point of sale (PoS) application. This scheme, which is focused on the hospitality industry, illustrates how criminals are planting malware on enterprise machines to collect financial information instead of targeting end users' devices. In this particular scenario, a remote access Trojan program is used to infect hotel front desk computers. It then installs spyware that is able to steal credit card and other customer information by capturing screenshots from the PoS application. According to the seller, the Trojan is guaranteed not to be detected by anti-virus programs... This fraud package is being offered for $280. The purchase price includes instructions on how to set-up the Trojan. The sellers even offer advice on how to use telephone social engineering techniques via VoIP software to trick front desk managers into installing the Trojan... criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises..."

:grrr: :ph34r:

Edited by AplusWebMaster, 19 April 2012 - 07:52 PM.



#661 AplusWebMaster

Posted 19 April 2012 - 07:06 PM

FYI...

Fake LinkedIn reminders connect with malware...
- http://blog.commtouc...with-malware-2/
April 19th, 2012 - "Phony LinkedIn invitations are not a new phenomenon. What tends to change is the underlying delivery method used for the malware distribution – In this case compromised websites that unknowingly host malicious scripts. The LinkedIn reminders that are included in the attack include several variables such as names, relationships, and the number of messages awaiting response. As usual the giveaway that something strange is occurring is the link...
> http://blog.commtouc...are-email-2.jpg
Recipients that click on the link reach a rather bland looking “notification” page that provides no further links or instructions...
> http://blog.commtouc...e-message-2.jpg
... In the background, several scripts seek out software with vulnerabilities that can be exploited including:
> Adobe reader and Acrobat:
http://web.nvd.nist....d=CVE-2010-0188 - 9.3 (HIGH)
> Microsoft Windows Help and Support Center in Windows XP:
http://web.nvd.nist....d=CVE-2010-1885 - 9.3 (HIGH) ..."

:grrr: :ph34r:



#662 AplusWebMaster

Posted 20 April 2012 - 09:53 AM

FYI...

Fake Skype encryption software cloaks DarkComet Trojan
- http://blog.trendmic...rkcomet-trojan/
Apr 20, 2012 - "... We discovered a webpage that advertises software that purports to provide encryption for Skype. This page is hosted in Syria... the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications... The downloaded file skype.exe, detected as BKDR_ZAPCHAST.HVN, is actually DarkComet version 3.3.... We were able to redirect the traffic in our test environment to confirm that it is indeed DarkComet... Note that Skype uses AES encryption on calls and instant messages, as well as its video conversations..."

:grrr: :ph34r:



#663 AplusWebMaster

Posted 23 April 2012 - 07:19 AM

FYI...

Bogus Olympics email w/malware
- http://blog.trendmic...s-with-malware/
Apr 22, 2012 - "... recently, we found an Olympics scam in the form of a lottery that promises a free travel package to the event. Some online crooks, however, played it differently this time. Instead of the typical Olympic-related scams wherein users supposedly won tickets to the event, this scam arrives as spam disguised as an email advisory... this scam comes in the form of email messages that warn recipients of fake websites and organizations selling tickets to the London Olympics 2012. The mail contains the official logo of the event to possibly deceive users of its legitimacy. Included in the message is an attached .DOC file that lists these bogus ticket sellers. The attachment, however, is actually a malicious file detected by Trend Micro as TROJ_ARTIEF.ZIGS. The malware takes advantage of the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_CYSXL.A. This backdoor may perform several malicious routines that include deleting and creating files and shutting down the infected system... As London Olympics 2012 draws near, we are expecting this type of threat to proliferate. Thus, users should make it a habit to check the legitimacy of -any- message before downloading the attachment or clicking links included in it..."

:grrr: :ph34r:

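Added example, not from Trend Micro, Shadowserver or this thread: both Olympics lures (#651 and the post above) and the CEIEC documents (#659) ride on CVE-2010-3333, the RTF Stack Buffer Overflow that MS10-087 fixed. The bug is in the parsing of the pFragments shape property, so a cheap mail-gateway triage is to find {\sn pFragments}{\sv ...} pairs and measure the value; benign documents rarely carry one at all, and never a large one. The code also flags RTF content that arrives with a .doc extension, as in the "Early Check-In 2012 London Olympics.doc" sample. The 256-byte limit is an assumed threshold, and the samples are constructed with filler bytes, not exploit data.

```python
"""Added example: a triage check for RTF documents like the Olympics lures,
looking for (a) RTF content hiding behind a .doc extension and (b) an oversized
pFragments shape property, the control word whose parsing CVE-2010-3333
(MS10-087) patched. The 256-byte limit is an assumed threshold. Samples are
constructed; the 'payload' is filler, not exploit data."""
import re

# {\sp{\sn NAME}{\sv VALUE}} shape-property pairs; value runs up to the closing brace
SHAPE_PROP_RE = re.compile(rb"\{\\sn\s+(?P<name>[A-Za-z0-9]+)\s*\}\s*\{\\sv\s+(?P<value>[^{}]*)\}")


def rtf_shape_properties(data):
    """List (name, raw value bytes) for every shape property in the document."""
    return [(m.group("name").decode("ascii", "replace"), m.group("value"))
            for m in SHAPE_PROP_RE.finditer(data)]


def check_rtf(filename, data, max_pfragments_len=256):
    """Return a list of findings for one file; an empty list means nothing seen."""
    findings = []
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    if is_rtf and filename.lower().endswith(".doc"):
        findings.append("RTF content with a .doc extension")
    for name, value in rtf_shape_properties(data):
        if name.lower() != "pfragments":
            continue
        if len(value) > max_pfragments_len:
            findings.append(f"pFragments value of {len(value)} bytes (CVE-2010-3333 pattern)")
        else:
            findings.append(f"pFragments present ({len(value)} bytes)")
    return findings


# Constructed samples: a harmless shape property, and an oversized pFragments value.
BENIGN_RTF = b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn shapeType}{\\sv 1}}}}Hello}"
SUSPECT_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;"
               + b"41" * 400 + b"}}}}}")

if __name__ == "__main__":
    samples = (("benign.rtf", BENIGN_RTF),
               ("Early Check-In 2012 London Olympics.doc", SUSPECT_RTF))
    for name, blob in samples:
        print(name, check_rtf(name, blob) or ["no findings"])
```

Treat a hit as a reason to detonate or quarantine, not as proof of exploitation: the check is on structure, it does not decode the RTF and will miss samples that split or encode the control words.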


#664 AplusWebMaster

Posted 23 April 2012 - 08:02 AM

FYI...

Facebook emails with malware attachments...
- http://blog.commtouc...it-to-me-today/
April 23rd, 2012 - "A series of emails with malware attachments have been widely distributed in the last few days. The emails alert the recipient about a picture of themselves (or an ex-girlfriend) that has been circulated online. The text from three of the messages is shown below:
> Sorry to disturb you , – I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man
> Hi there ,But I really need to ask you – is it you at this picture in attachment? I can’t tell you where I got this picture it doesn’t actually matter…The question is is it really you???.
> Sorry to disturb you , – I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.

... The “image” is attached to the emails for convenience and the filename in all samples was identical: “IMG0962.zip”. The unzipped file displays a PDF icon – which may confuse recipients whose computers do not display file extensions (the extension in this case is .exe)... detected attached malware within seconds of the start of the outbreak... the scale of the attack on Saturday – from 4am (Pacific Time) till 3am on Sunday morning... At its peak the attack averaged around 100,000 messages per second..."

:grrr: :grrr: :ph34r:

Edited by AplusWebMaster, 23 April 2012 - 08:12 AM.

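Added example, not from Commtouch, Dynamoo or this thread: two of the campaigns in this stretch of the thread hide the dangerous file inside a ZIP, the fake HP scan (#652, HP_Scan.htm inside the archive) and the "picture of yours" mail above (IMG0962.zip holding an .exe with a PDF icon). A gateway that only looks at the outer attachment name misses both. The code below opens the archive in memory and judges each member by its extension and its first bytes, so an MZ header is caught whatever icon or name it carries. The three archives are constructed here; the member name IMG0962.pdf.exe and the redirect address 203.0.113.5 are placeholders, not the real campaign artifacts.

```python
"""Added example: open a ZIP attachment in memory and flag members that are
HTML (the HP_Scan.htm trick) or Windows executables (the 'PDF' that is really
an .exe), judging by extension and by the first bytes, not the icon.
Sample archives are constructed here, not the real campaign files."""
import io
import zipfile

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
HTML_EXTS = (".htm", ".html")


def classify_member(name, head):
    """Return the reasons a member should be blocked; head = first bytes of it."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    ext = base[base.rfind("."):] if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of extension")
    lowered = head.lower()
    if ext in HTML_EXTS or b"<html" in lowered or b"<script" in lowered:
        reasons.append("HTML content inside archive")
    if base.count(".") >= 2 and ext in EXECUTABLE_EXTS:
        reasons.append("double extension (icon-spoofing pattern)")
    return reasons


def inspect_zip(data, max_members=50):
    """Map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; the redirect target is a documentation address, not the real one.
HP_SCAN_ZIP = build_zip({
    "HP_Scan.htm": b"<html><head><script>window.location="
                   b"'http://203.0.113.5:8080/navigator/example.php';</script></head></html>",
})
PHOTO_ZIP = build_zip({"IMG0962.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60})
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"})

if __name__ == "__main__":
    for label, blob in (("HP_Scan", HP_SCAN_ZIP), ("IMG0962", PHOTO_ZIP), ("clean", CLEAN_ZIP)):
        print(label, inspect_zip(blob) or "no findings")
```

Only the first 4 KiB of each member is read and the member count is capped, so a crafted archive cannot turn the check itself into a decompression bomb. Password-protected ZIPs will raise on open; treat that as a finding in its own right rather than letting it through.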


#665 AplusWebMaster

Posted 23 April 2012 - 02:07 PM

FYI...

BoA phishing emails ...
- https://www.net-secu...ld.php?id=12788
23 April 2012 - "Fake warning emails are currently targeting Bank of America customers and asking them to update their account. With "Bank of America Warning : Error Statement" in the subject line, the vaguely credible HTML email states that the targets' "Bank of America account showed unusual activities this morning." "What to do next? Sign in now to verify your logon details," urges the email. Unfortunately, -all- the links included in the email take the recipients to a -spoofed- Bank of America website, where they are asked to sign in by entering their banking login details and are prompted to share additional personal and financial information in order to "verify" their accounts. "The care and detail with which the scam email has been created makes this phishing scam attempt a little more sophisticated than some other such attacks and may fool at least a few bank customers into supplying the requested details," Hoax-Slayer points out*. Users are advised to ignore the message and to always log in to their bank's website by entering its web address into the browser's address bar instead of following links included in email."
* http://www.hoax-slay...phishing-12.jpg

:ph34r: :grrr:



#666 AplusWebMaster

Posted 24 April 2012 - 01:40 PM

FYI...

Phishing and malware meet Check Fraud
- https://www.trusteer...eet-check-fraud
April 24, 2012 - "... a SCAM in an underground forum that shows how data obtained through phishing and malware attacks can be used to make one of the oldest forms of fraud – check forging... The scam involves a criminal selling pre-printed checks linked to corporate bank accounts in the USA, UK and China. The criminal is selling falsified bank checks made with specialized printing equipment, ink and paper. For $5 each, he/she will supply checks that use stolen credentials (e.g. bank account) provided by the buyer. However, to purchase checks that use stolen credentials supplied by the counterfeiter the cost is $50 – a tenfold increase. This is a clear indicator that stolen credentials are a key enabler of check fraud. Check data fields include personal information (e.g. name, address and phone) and financial information (e.g. bank account, routing code and check number). To obtain all the required data fraudsters typically need to get their hands on a physical or scanned version of a real check in circulation. Many banking web sites provide access to scanned versions of paid and received checks. Online banking login credentials obtained through malware and phishing attacks can easily be used by fraudsters to access a victim’s account and collect all the required information to commit check fraud. In addition, before using the checks, fraudsters could potentially ensure account balance is sufficient to approve the transaction... Buyers are also encouraged to carry fake identification cards that match the stolen credentials on the check. The check counterfeiter offers to provide these as well. This is the latest example of how criminals can use malware and phishing techniques to make traditional physical fraud schemes more effective..."

:grrr: :ph34r:



#667 AplusWebMaster

Posted 25 April 2012 - 07:01 AM

FYI...

SPAM Scams spoof Social Networking sites - peddle Malicious sites
- http://blog.trendmic...alicious-sites/
Apr 25, 2012 - "... email messages disguised as notifications from popular networking sites, in particular LinkedIn, foursquare, MySpace, and Pinterest. These spam contain links that direct users to -bogus- pharmaceutical or -fraud- sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these sites is effective in luring users to the scheme, as it gives credence to an otherwise obvious scam... We uncovered spammed messages masked as notifications from Foursquare, a popular location-based social networking site... The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification... Both messages use the address noreply @foursquare .com in the ‘From’ field and bear a legitimate-looking MessageID. Similar to previous spam campaigns using popular social networking sites, attackers here also disguised the -malicious- URLs... also spotted sample messages that are purportedly from LinkedIn and Myspace... we have identified that the senders’ info was forged. We also did not find any pertinent details that could identify these messages as legitimate LinkedIn and MySpace email notifications. These mails also used cloaked URLs that redirect to the fake site 'Wiki Pharmacy'... we found fake Pinterest email notifications that contain a URL, a purported online article on weight-loss. Users who click this link are instead led to sites that were previously found to engage in fraud activities... Users are advised to always be cautious of dubious-looking messages and avoid clicking links or downloading the attachment included in these."

:grrr: :ph34r:



#668 AplusWebMaster

Posted 25 April 2012 - 07:24 AM

FYI...

Blackhole obfuscated JavaScript
- https://isc.sans.edu...l?storyid=13051
Last Updated: 2012-04-25 11:44:21 UTC - "... Most of the current obfuscation methods make heavy use of objects and functions that are only present in the web browser or Adobe reader. Since it is unlikely that a JavaScript analysis engine on, for example, a web proxy anti-virus solution can duplicate the entire object model of Internet Explorer, the bad guys are hoping that automated analysis will fail, and their JavaScript -will- make it past the virus defenses to the user's browser, where it will run just fine. Often, this actually works. The current wave of Blackhole (Blacole) exploit kits are a good example - it took Anti-Virus a looong time to catch on to these infected web sites. Even today, the raw malicious JavaScript block full of exploit attempts comes back with only 14/41 on Virustotal*..."
* https://www.virustot...sis/1335349187/
File name: b.js
Detection ratio: 14/41
Analysis date: 2012-04-25 10:19:47 UTC

:grrr: :ph34r:

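
The evasion the ISC diary describes can be modelled in a few lines. What follows is an added example, not code from the diary or from the Blackhole kit: a benign decoder whose XOR key is read from document.body.nodeName (an assumed stand-in for the browser-only objects the diary mentions), so a scanner with no DOM throws before it ever sees the decoded string. The constructed payload stands in for the real exploit block, and the two analyst-side helpers (a recording Proxy that lists which browser properties the decoder touches, and a minimal emulated window built from that list) are the technique a proxy or sandbox analyst uses to get past it.

```javascript
'use strict';
// Added example, not code from the ISC diary or from the Blackhole kit:
// a benign decoder built the way the diary describes (it only works when
// browser-only objects exist), plus two analyst-side tools.

// Constructed sample payload: a harmless string stands in for the exploit code.
const PLAINTEXT = 'alert("exploit code would run here")';

// XOR with a repeating key; the key is deliberately NOT stored in the script.
function xorBytes(text, key) {
  const out = [];
  for (let i = 0; i < text.length; i++) {
    out.push(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// What the landing page would carry: numbers only, no readable key.
const PAYLOAD = xorBytes(PLAINTEXT, 'BODY');

// The decoder as obfuscated scripts write it: the key is whatever
// document.body.nodeName evaluates to. In a browser that is "BODY";
// in an engine with no DOM the property chain throws and nothing decodes.
function decode(win) {
  const key = win.document.body.nodeName;
  let s = '';
  for (let i = 0; i < PAYLOAD.length; i++) {
    s += String.fromCharCode(PAYLOAD[i] ^ key.charCodeAt(i % key.length));
  }
  return s;
}

// A naive scanner that just evaluates the script gets an exception and
// never sees the exploit string; that is the evasion the diary describes.
function naiveAnalysis() {
  try {
    return { decoded: decode({}), error: null };
  } catch (e) {
    return { decoded: null, error: e.constructor.name };
  }
}

// Discovery aid: run the decoder against a recording Proxy so every browser
// property it touches is logged; the analyst then knows what to emulate.
function traceAccesses(fn) {
  const seen = new Set();
  const make = (path) => new Proxy(function () {}, {
    get(_, prop) {
      if (typeof prop === 'symbol') return undefined;
      const full = path ? `${path}.${String(prop)}` : String(prop);
      seen.add(full);
      return make(full);
    },
    apply() { return make(`${path}()`); },
  });
  try { fn(make('')); } catch (e) { /* decoding against proxies fails; only the trace matters */ }
  return [...seen];
}

// Emulation: stub exactly the properties the trace showed, then decode.
function emulatedAnalysis() {
  const fakeWindow = { document: { body: { nodeName: 'BODY' } } };
  return decode(fakeWindow);
}
```

Run under Node, naiveAnalysis() reports a TypeError and no decoded text, traceAccesses(decode) lists document.body.nodeName among the properties touched, and emulatedAnalysis() returns the plaintext. The point for defenders is the asymmetry the diary notes: the attacker only needs one property the sandbox lacks, while the analyst has to keep adding stubs until the decoder runs, which is why static signatures on these blocks lag so far behind.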


#669 AplusWebMaster

Posted 25 April 2012 - 11:43 AM

FYI...

Yahoo phishing via compromised WordPress sites
- http://blog.commtouc...press-websites/
April 25, 2012 - "Yahoo users have been targeted in a phishing attack that starts with an “avoid account deactivation” email. Mousing over the link shows the non-Yahoo link – an easy way to know that something is amiss*...
* http://blog.commtouc...shing-email.jpg
... The phishing pages are very authentic looking. Once users have entered their login details (which are collected by the phisher), they are redirected to Yahoo Mail. A large number of compromised sites have been used to hide the phishing pages – all the samples collected by Commtouch Labs were based on WordPress**. In such cases the phishers seek out a particular plugin with a known vulnerability that can be repeatedly exploited on many sites..."
** https://wordpress.org/download/
April 20, 2012 - WordPress v3.3.2 released

:ph34r: :ph34r:



#670 AplusWebMaster

Posted 30 April 2012 - 07:55 AM

FYI...

Brazilian banking malware ...
- http://blog.spiderla...l-slacker-.html
26 April 2012 - "... part of a Brazilian phishing attack... VirusTotal reports... the sample as being detected by 5/42*... the malware is a straightforward PE executable that is made to look like a word document. In addition to being named boleto.doc.exe, the file also comes with a Microsoft Word icon
> http://npercoco.type...f6348970b-800wi
... This was actually one of the few instances where Google Translate failed... knowing the file size (1.5 MB) alone told me it was going to be packed with "goodies"... the malware is ensuring persistence by setting itself in the 'Run' registry key. This will cause the malware to run every time that user logs into their machine... look forward to the (hopefully) increased detection by antivirus in the coming days."
* https://www.virustot...0c5be/analysis/
File name: 188477e8f2a9523b0a001040982942ff9c5ba13c88b823d3b6a0b9f1d8b0c5be
Detection ratio: 5/42
Analysis date: 2012-04-26 15:31:50 UTC

:grrr: :ph34r:



#671 AplusWebMaster

Posted 30 April 2012 - 12:09 PM

FYI...

BlackHole SPAM runs underway
- http://blog.trendmic...-runs-underway/
Apr 30, 2012 - "... high-volume spam runs that sent users to websites compromised with the BlackHole exploit kit... spam runs that were part of this investigation used the name of Facebook, and US Airways. Other spam runs involved LinkedIn, as well as USPS. The most recent campaign we’ve seen that was part of this wave of attacks used the name of CareerBuilder:
> http://blog.trendmic...ackhatspam1.jpg
> http://blog.trendmic...ckhatspam2a.jpg
... conclusions about each of these attacks are broadly similar:
• Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails was practically indistinguishable from legitimate messages.
• Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
• Users were eventually directed to sites containing the Black Hole exploit kit.
... more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages... The goal of these attacks is to install ZeuS variants onto user systems..."

:grrr: :ph34r:

Edited by AplusWebMaster, 30 April 2012 - 12:14 PM.



#672 AplusWebMaster

Posted 01 May 2012 - 07:30 AM

FYI...

Service automates boobytrapping of Hacked Sites
- https://krebsonsecur...f-hacked-sites/
May 1, 2012 - "Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware... one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites... another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits... A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials... Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on the host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site... the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s a good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password...)."

:grrr: :ph34r:

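
The Krebs article ends with advice to double check locally stored HTML pages after an infection. As an added example (not part of the article, and not a description of any particular iFramer service), the following Node script is a first-pass scanner for the marks such injections leave: iframes made invisible by size, display:none or offscreen positioning, inline scripts that rebuild themselves from unescape() or long escaped runs, and external script hosts outside an allowlist. The allowlist, the size thresholds and the regexes are assumptions to tune for your own site; the sample page is constructed.

```javascript
'use strict';
// Added example, not part of the KrebsOnSecurity article: a first-pass
// scanner for the "double check any HTML pages you may have stored locally"
// advice. It flags what iFramer-style injections typically leave behind.
// The allowlist, size thresholds and patterns are assumptions to tune per site.

const TRUSTED_SCRIPT_HOSTS = ['code.jquery.com', 'ajax.googleapis.com']; // hypothetical allowlist

const IFRAME_RE = /<iframe\b[^>]*>/gi;
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Signs that inline script was machine-generated to hide its real content.
const OBFUSCATION_RES = [
  /eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)/i,
  /document\.write\s*\(\s*unescape\s*\(/i,
  /(?:%[0-9a-f]{2}){20,}/i,    // long URL-escaped run
  /(?:\\x[0-9a-f]{2}){20,}/i,  // long hex-escaped run
];

// Pull one attribute value out of a tag or attribute string (quoted or bare).
function attr(tag, name) {
  const re = new RegExp(`(?<![\\w-])${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Injected iframes are made invisible: 0/1 pixel, display:none, or pushed offscreen.
function iframeLooksHidden(tag) {
  const w = parseInt(attr(tag, 'width') || '', 10);
  const h = parseInt(attr(tag, 'height') || '', 10);
  const style = (attr(tag, 'style') || '').toLowerCase();
  const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/.test(style);
  const offscreen = /(?:left|top)\s*:\s*-\d{3,}/.test(style);
  return (Number.isFinite(w) && w <= 1) || (Number.isFinite(h) && h <= 1) || hidden || offscreen;
}

// Scan one page's HTML; returns a list of findings, empty when nothing stands out.
function scanHtmlForInjection(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    if (iframeLooksHidden(m[0])) {
      findings.push({ kind: 'hidden-iframe', src: attr(m[0], 'src'), snippet: m[0] });
    }
  }
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = attr(m[1], 'src');
    if (src) {
      let host = null;
      try { host = new URL(src, 'http://localhost/').hostname.toLowerCase(); } catch (e) { host = null; }
      // 'localhost' here means the src was relative, i.e. served from the site itself.
      if (host && host !== 'localhost' && !TRUSTED_SCRIPT_HOSTS.includes(host)) {
        findings.push({ kind: 'untrusted-external-script', src, snippet: m[0].slice(0, 120) });
      }
    }
    const hit = OBFUSCATION_RES.find((re) => re.test(m[2]));
    if (hit) {
      findings.push({ kind: 'obfuscated-inline-script', pattern: String(hit), snippet: m[2].slice(0, 120) });
    }
  }
  return findings;
}

// Constructed sample page: one legitimate iframe and two trusted scripts mixed
// with a hidden iframe, an unescape() blob and an unknown external script.
const SAMPLE_PAGE = `<html><head>
<script src="https://code.jquery.com/jquery.min.js"></script>
<script src="/js/site.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://hacked-redirector.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%63%6F%6D%22%3E'));</script>
<script src="http://stat-counter.example/c.js"></script>
</body></html>`;
```

Feed scanHtmlForInjection() the contents of each local .html file (and each page fetched back from the live site, since the article's point is that the local copy is what gets re-uploaded). Expect some false positives: 1x1 tracking iframes and third-party widgets trip the same heuristics, so the output is a review list, not a verdict. After cleaning, change the FTP or hosting password as the article says, and stop letting the FTP client store it.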


#673 AplusWebMaster

Posted 01 May 2012 - 12:38 PM

FYI...

Ransomware - Fake G-Men attack Hijacks computers ...
- https://www.trusteer...omputers-ransom
May 01, 2012 - "... new use of the Citadel malware platform (a descendant of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and hijacks victims’ computers. This ransomware, named Reveton, freezes the compromised machine’s operating system and demands a $100 payment to unlock it. Reveton was observed a few weeks ago being used as a standalone attack, but has now been coupled with the Citadel platform... Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution. The attack begins with the victim being lured to a drive-by download website. Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server. Once installed on the victim’s computer, the ransomware locks-up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen* claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content.
* https://www.trusteer...e Gmen blog.png
In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard... Independent of the Reveton ransomware secondary payload, Citadel continues to operate on the compromised machine on its own. Therefore it can be used by fraudsters to commit online banking and credit card fraud by enabling the platform’s man-in-the-browser, key-logging and other malicious techniques. It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack. Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information... cyber-crime and cyber-security protection begins with the endpoint now more than ever."

:ph34r: :grrr:



#674 AplusWebMaster

Posted 01 May 2012 - 04:23 PM

FYI...

Multi-Layer malware attack uses same exploit as Flashback
- http://atlas.arbor.n...ndex#1402527155
Severity: Elevated Severity
Published: Monday, April 30, 2012 16:24
Yet another malware is using the recent Java flaw to exploit both OSX and Windows systems.
Analysis: The malware determines which OS is being attacked and then delivers the proper payload... case in point that there are many copycat attacks that take place when a serious flaw emerges and organizations must anticipate multiple threats rather than the threats that get the most media attention.
Source: http://nakedsecurity...on-malware-mac/
> Python-based malware attack targets Macs - Windows PCs also under fire
April 27, 2012 - "... there may still be some users whose computers are not patched against the Java vulnerability - and are at risk of attack. The malicious Java code downloads further code onto the victim's computer - depending on what operating system they are using... The downloaded programs will then install further malicious code... This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user's knowledge... The backdoor Python script allows remote hackers to steal information... We have a free Mac anti-virus for home users*, if you think it's time to take your computer's security more seriously..."
* http://www.sophos.com/freemacav
> https://www.avira.co...ee-mac-security

OSX.Flashback.K – motivation behind the malware - $$$
- http://www.symantec....-behind-malware
Apr 30, 2012

:!: :ph34r:



#675 AplusWebMaster

Posted 03 May 2012 - 08:07 AM

FYI...

Bogus invoices set virus trap
- http://h-online.com/-1567059
3 May 2012 - "Criminals are currently sending out a large number of bogus order confirmations that are designed to make recipients open the attached malware. The attackers appear to be using stolen online store customer data to address email recipients by their real names. The criminals pretend that the email recipient has placed an order worth several hundred euros at an online store. To make things difficult for spam filters, they vary the store names... Users who receive an order confirmation or invoice that they can't associate with a purchase should -not- open these file attachments under any circumstances. Unfortunately, virus scanners don't offer reliable protection in this case... it isn't just invoices in ZIP or EXE format that should make users suspicious: attackers have also been circulating bogus Deutsche Telekom and Vodafone invoices as PDF attachments that try to infect computers via an old security hole in Adobe Reader. This attack scenario is also possible using Office documents."
* https://www.virustot...0e294/analysis/
File name: Rechnungsdaten.zip
Detection ratio: 9/42
Analysis date: 2012-05-03 10:55:17 UTC

:grrr: :ph34r:

Edited by AplusWebMaster, 03 May 2012 - 08:45 AM.



#676 AplusWebMaster

Posted 03 May 2012 - 10:39 PM

FYI...

Mapping cybercrime by country
- http://hostexploit.c...by-country.html
3 May 2012 - "All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem. How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian Group-IB1 and CSIS2 in Denmark. The Global Security Map* displays global hot spots for cybercriminal activities based on geographic location... The Global Security Map* is the outcome of extensive research on Autonomous Systems (ASNs) – servers, ISPs, and networks routed publicly via their respective IP (Internet Protocol) addresses. It has been the long-held vision of HostExploit, heading a group of respected independent community researchers, to be able to provide a tool to aid hosts, registrars, Internet Service Providers (ISPs), researchers, law enforcement, academics and other parties, interested in tracking Internet security-related issues worldwide. HostExploit established a method of rating levels of malicious activity on all ASes worldwide (currently 40,909), known as the HE Index, which is used to compile data for its widely respected quarterly reports. The statistics used for the ‘Top 50 Bad Hosts & Networks’ reports and tables are applied now to countries as a whole (based on registration information and routing locations) to create a ranking order by level of malicious activity (1,000 = highest). At the time of the report, Lithuania ranks at #1 with the highest levels of malicious activities in the world while Finland at #219 has the cleanest servers and networks. With this information in place, the next step is to consider realistic mitigation methods or plans that can help reduce levels of malicious activity..."
(More info at the hostexploit URL above.)

* http://globalsecuritymap.com/

> English report (PDF) here: http://hostexploit.c...april-2012.html

:!: :!:



#677 AplusWebMaster

Posted 04 May 2012 - 12:16 PM

FYI...

Fake Facebook emails...
- http://msmvps.com/bl...4/1809472.aspx?
May 4 2012 - "The pictured emails (below) are not real Facebook emails – look at the URLs that are exposed when you hover your mouse cursor over the “sign in” and “reactivate” links..."

> http://msmvps.com/cf...00_2B858634.png

> http://msmvps.com/cf...00_0F64A17C.png
___

-13- million US Facebook users not using, or oblivious to, privacy controls
- http://nakedsecurity...ivacy-controls/
May 4, 2012

- https://www.consumer...ok-privacy.html


:grrr: :ph34r:

Edited by AplusWebMaster, 04 May 2012 - 12:24 PM.

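
Both the Yahoo phishing post (#669, "mousing over the link shows the non-Yahoo link") and the fake Facebook emails post (#677, "look at the URLs that are exposed when you hover") come down to one manual check: does the link go where the text says it goes? The following is an added example, not code from Commtouch or the msmvps post, that runs that check over every anchor in a message's HTML under Node. It flags three things: visible text showing one host while the href goes to another, a bare IP address as the destination, and a brand named in the text whose destination is not under the brand's own domain (the endsWith('.' + domain) test is what defeats facebook.com.attacker.example style hosts). The brand table is a hypothetical starting point and the sample message is constructed.

```javascript
'use strict';
// Added example, not from the Commtouch or msmvps posts: automating the
// "hover over the link" check they recommend, across every link in a message.
// The brand table is a hypothetical starting point; extend it for your users.

const BRAND_DOMAINS = { yahoo: 'yahoo.com', facebook: 'facebook.com' };

// Anchors with an href, and anything in the visible text that looks like a host.
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
const HOST_IN_TEXT_RE = /(?:https?:\/\/)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b/i;

function normalizeHost(h) { return h.toLowerCase().replace(/^www\./, ''); }
function underDomain(host, domain) { return host === domain || host.endsWith('.' + domain); }
function isIpLiteral(host) { return /^\d{1,3}(?:\.\d{1,3}){3}$/.test(host) || host.startsWith('['); }
function stripTags(s) { return s.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim(); }

// Returns one entry per link that fails a check, with the reasons.
function findSuspiciousLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = stripTags(m[2]);
    const reasons = [];
    let host = null;
    try {
      host = normalizeHost(new URL(href).hostname);
    } catch (e) {
      findings.push({ text, href, host, reasons: ['href is not an absolute URL'] });
      continue;
    }
    // 1. Destination is a raw IP: account notices from real providers almost never do this.
    if (isIpLiteral(host)) reasons.push('destination is a bare IP address');
    // 2. The text shows one host, the href goes to another: the classic hover tell.
    const shown = text.match(HOST_IN_TEXT_RE);
    if (shown && normalizeHost(shown[1]) !== host) {
      reasons.push(`shown ${normalizeHost(shown[1])} but goes to ${host}`);
    }
    // 3. Brand named in the text, destination not under the brand's domain.
    //    endsWith('.' + domain) defeats facebook.com.attacker.example style hosts.
    for (const [brand, domain] of Object.entries(BRAND_DOMAINS)) {
      if (text.toLowerCase().includes(brand) && !underDomain(host, domain)) {
        reasons.push(`mentions ${brand} but destination is not under ${domain}`);
      }
    }
    if (reasons.length) findings.push({ text, href, host, reasons });
  }
  return findings;
}

// Constructed sample message: one legitimate link among three phishing-style ones.
const SAMPLE_EMAIL = `
<p>Your account will be deactivated. Verify at
<a href="http://compromised-site.example/wp-content/yahoo/">http://mail.yahoo.com/</a></p>
<p><a href="https://www.facebook.com/login">Sign in</a> to continue.</p>
<p>Or <a href="http://198.51.100.7/reactivate">reactivate your account</a> now.</p>
<p><a href="http://facebook.com.account-check.example/">Facebook account reactivation</a></p>
`;
```

On the sample, findSuspiciousLinks() returns three entries (the Yahoo-text link pointing at a compromised WordPress path, the IP-literal link, and the brand-in-subdomain link) and passes the genuine facebook.com sign-in link. The checks are deliberately conservative; a mail gateway would add the sender-domain comparison and URL reputation, but these three catch exactly what the two posts tell readers to look for by hand.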


#678 AplusWebMaster

Posted 05 May 2012 - 05:58 AM

FYI...

SPAM - BBB assistance e-mails w/malware...
- http://nakedsecurity...-strikes-again/
May 4, 2012 - "Once again, cybercriminals have spammed out emails claiming to come from the Better Business Bureau (BBB), with the intention of infecting Windows computers with malware... widespread malware attack that is being spammed out as an attachment to an email claiming to come from the BBB. The emails vary in their wording, but -all- claim that a consumer has complained about the company receiving the email. The details of the complaint, naturally, are contained inside the attached "BBB Report.zip" file (which, of course, contains malware)..."

:grrr: :ph34r:



#679 AplusWebMaster

Posted 06 May 2012 - 11:29 AM

FYI...

Recent badware stats
- http://blog.stopbadw...-badware-stats/
April 27, 2012 - "... Enterprise users experienced an average of 339 Web malware encounters per month in 4Q11 (205% year over year).
• Avg. 20,141 unique Web malware hosts per month in 2011 (vs. 14,217 in 2010)...
• Approx. 30,000 new malicious URLs each day in 2H11; 80% of those are legitimate. 85% of malware comes from the web.
• Malicious sites up 240 percent in 2011...
• 40% of malnet entry points are via search engines/portals...
• 23% of malicious domain registrations could be blocked with basic validation of contact info
• Rogue AV campaign infected 200,000 Web pages, 30,000 unique hosts... geographically dispersed visitors.
• On average, -two- popular websites (among the Alexa top 25,000) serve drive-by downloads each -day-. An estimated 1.6 million vulnerable users were exposed to drive-by downloads in one month across 58 popular (Alexa top 25,000) sites."
(Links to sources available at the stopbadware URL above.)

:grrr: :ph34r:

Edited by AplusWebMaster, 06 May 2012 - 12:52 PM.



#680 AplusWebMaster

Posted 09 May 2012 - 08:57 AM

FYI...

Malware attacks on hotel net surfers...
- http://www.ic3.gov/m...012/120508.aspx
May 8, 2012 - "Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms. Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available. The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s Web site if updates are necessary while abroad..."

> https://krebsonsecur...ccess-bad-idea/
May 11, 2012 - "... avoid updating software while using hotel or other public Internet connections... There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups..."

:ph34r: :grrr:

Edited by AplusWebMaster, 11 May 2012 - 07:21 AM.



#681 AplusWebMaster

Posted 09 May 2012 - 03:03 PM

FYI...

Bogus emails: Amazon.com - Your Cancellation
- https://isc.sans.edu...l?storyid=13177
Last Updated: 2012-05-09 17:49:29 UTC - "There are bogus order cancellation emails going around claiming to be from Amazon... copy I received linked to the URL... which contains this in the body:
<script type="text/javascript">window.location="http ://leibypharmacylevitra .com";</script> ... It is probably safe to assume that the content of that site is -not- user friendly..."
(More detail at the ISC URL above.)

:grrr: :ph34r:



#682 AplusWebMaster

Posted 11 May 2012 - 06:55 AM

FYI...

Gh0st RAT served on compromised Amnesty International UK website...
- http://community.web...ompromised.aspx
11 May 2012 - "Between May 8 and 9, 2012... Websense... detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site. In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback... screen shot of the detected code injection:
> http://community.web...55.sshot001.png
... we can see the similarities between this injection and the INSS injection* we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for the CVE-2012-0507... we recognize that this is a variant of the well-known Remote Administration Tool Gh0st RAT**, which is used mainly in targeted attacks to gain complete control of infected systems... The Remote Administration Center commands to the compromised system originate from this address: shell .xhhow4 .com. At the time of this writing, the address is still active."

* http://community.web...ction-flow.aspx

** http://en.wikipedia.org/wiki/Ghost_Rat

:grrr: :ph34r:



#683 AplusWebMaster

Posted 11 May 2012 - 07:50 AM

FYI...

Fake Flash Player for Android = Malware
- http://blog.trendmic...er-for-android/
May 10, 2012 - "... social engineering tactic using Adobe‘s name...
> http://blog.trendmic...ndroid011_1.jpg
... This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version... When users opt to download and install the said fake app, the site connects to another URL to download malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats*. Upon further investigation, we have seen a bunch of URLs that are hosted on the same IP as this particular website. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme..."
* http://blog.trendmic...ts-infographic/

> http://about-threats...ed-smartphones/

:grrr: :ph34r:

Edited by AplusWebMaster, 11 May 2012 - 07:55 AM.



#684 AplusWebMaster

Posted 11 May 2012 - 10:00 PM

FYI...

Spamvertised ‘Pizzeria Order Details’ ...
- http://blog.webroot....ts-and-malware/
May 11, 2012 - "... Cybercriminals are currently spamvertising hundreds of thousands of emails, impersonating FLORENTINO`s Pizzeria, and enticing users into clicking on a link serving client-side exploits and malware in order to cancel a $169.90 order that they never really made. Once the user clicks on the link, they will be -redirected- to a compromised site serving client-side exploits and ultimately dropping multiple malicious binaries on their hosts upon a successful infection.
Malicious URL: hxxp ://oldsoccer .it/page1 .htm?RANDOM_STRINGS
... The Russian domains are -fast-fluxed- by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign – "Spamvertised ‘Your tax return appeal is declined’ emails* serving client-side exploits and malware..."
(More detail at the webroot URL above.)

* http://blog.webroot....ts-and-malware/

Global Fast Flux
> http://atlas.arbor.n...ummary/fastflux
___

spamalysis - VALERIO Pizza Order Confirmation
- https://spamalysis.w...r-confirmation/
"... malicious page contained javascript that redirected victims to a Phoenix Exploit kit..."

:ph34r: :grrr: :ph34r:

Edited by AplusWebMaster, 13 May 2012 - 09:00 AM.



#685 AplusWebMaster

Posted 13 May 2012 - 09:49 AM

FYI...

IC3 2011 Internet Crime Report released
- http://www.ic3.gov/m...012/120511.aspx
May 10, 2012 - "The Internet Crime Complaint Center (IC3) today released the 2011 Internet Crime Report* — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million...
In 2011, IC3 received and processed, on average, more than 26,000 complaints per month. The most common complaints received in 2011 included FBI-related scams — schemes in which a criminal poses as the FBI to defraud victims — identity theft, and advance-fee fraud. The report also lists states with the top complaints, and provides loss and complaint statistics organized by state..."
* http://www.ic3.gov/m...1_IC3Report.pdf

:grrr: :grrr: :ph34r: :!:



#686 AplusWebMaster

Posted 14 May 2012 - 07:07 AM

FYI...

Gh0st RAT served on compromised Amnesty International Hong Kong website...
- http://community.web...ompromised.aspx
May 14, 2012 - "... Update: Websense... detected that the Amnesty International Hong Kong sister website was also compromised to serve Gh0st RAT over the weekend, and the malicious codes are still live and active. Below are some of the pages infected redirecting to the exploits. Websense Security Labs will continue to monitor and update any new changes to this attack..."
> http://community.web..._2D00_550x0.png

:grrr: :ph34r:



#687 AplusWebMaster

Posted 16 May 2012 - 10:34 AM

FYI...

Zeus P2P variant exploits... steal Debit Card Data
- https://www.trusteer...debit-card-data
May 15, 2012 - "... recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the internet’s leading online services and websites. The attacks are targeting users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures. The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account. The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code, and PIN...
> https://www.trusteer...ware inject.png
Malware web inject presented to Facebook users ^
... In the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs. To complete an online transaction many merchants require cardholders to authenticate using their personal 3D Secure password... The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively... The victim is prompted to enter their debit card number, expiration date, security code, and PIN... leveraging the Verified by Visa and MasterCard SecureCode brands to make the scam more credible.
> https://www.trusteer...ware inject.png
Malware web inject presented to Gmail users ^
> https://www.trusteer...ware inject.png
Malware web inject presented to Yahoo users ^
... The attack against Hotmail users is similar to the Google Mail and Yahoo scam... The offer states that the service will prevent purchases from being made on the internet with the card unless the Hotmail account information and additional password are provided. The webinject requests the same information (debit card number, expiration date, security code, and PIN) as in the previous two scams.
> https://www.trusteer...ware inject.png
Malware web inject presented to Microsoft Hotmail users ^
... These webinjects* are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud... the fraudsters are using the fear of the very cybercrime they are committing to prey on their victims."
* http://www.trusteer....erground-market

:grrr: :ph34r:

Edited by AplusWebMaster, 16 May 2012 - 10:42 AM.



#688 AplusWebMaster

Posted 16 May 2012 - 11:57 AM

FYI...

If you see ads on Wikipedia, your computer is probably -infected- with malware
- https://blog.wikimed...fected-malware/
May 14, 2012 - "We -never- run ads on Wikipedia. Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year. If you’re seeing advertisements for a for-profit industry... or anything but our fundraiser, then your web browser has likely been infected with malware...
> https://blog.wikimed...uit-700x273.jpg
One example that we have seen installs itself as a browser extension. The extension is called “I want this” and installs itself in Google Chrome. To remove it:
- Open the options menu via the “pipe-wrench” icon on the top right, and choose Settings.
- Open the Extensions panel and there is the list of extensions installed.
- Remove an Extension by clicking the Remove button next to an item.
There is likely other similar malware that injects ads into Chrome, Firefox, Internet Explorer and other popular browsers... Ads injected in this manner may be confined to some sites, even just to Wikipedia, or they may show up on -all- sites you visit. Browsing through a secure (HTTPS) connection (which you can automate using the HTTPS everywhere extension**) may cause the ads to disappear, but will -not- fix the underlying problem. Disabling browser add-ins is a good starting point to determine the source of these types of ads. This does not necessarily fix the source of the problem either, as malware may make deep changes to your operating system. If you’re comfortable attempting a malware scan and removal yourself, there are various spyware/malware removal tools. Popular and well-reviewed solutions include Ad-Aware and Malwarebytes... If in doubt, have your computer evaluated for malware by a competent and qualified computer repair center. There is one other reason you might be seeing advertisements: Your Internet provider may be injecting them into web pages. This is most likely the case with Internet cafes or “free” wireless connections. This New York Times blog post by Brian Chen gives an example*. But rest assured: you won’t be seeing legitimate advertisements on Wikipedia. We’re here to distribute the sum of human knowledge to everyone on the planet — ad-free, forever..."
* http://bits.blogs.ny...-marriott-wifi/

** https://www.eff.org/https-everywhere/
___

- https://krebsonsecur...ser-extensions/
May 21, 2012

:ph34r: :grrr: :ph34r:

Edited by AplusWebMaster, 21 May 2012 - 06:10 PM.



#689 AplusWebMaster

Posted 17 May 2012 - 09:05 AM

FYI...

621 "Most Visited" sites are on Google's Black List
- https://threatpost.c...ack-list-051512
May 15, 2012 - "Legitimate Web sites that have been -hijacked- and used to serve malicious content greatly -outnumber- malicious sites on a list of the most-trafficked sites on Google's blacklist, according to analysis by security firm Zscaler*..."

* http://research.zsca...lacklisted.html
"Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results... I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious (charted at the Zscaler URL above). Most of the top-ranked websites that have been blacklisted are not malicious by nature, but they have been hijacked. Malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME is generally the culprit. It is interesting to notice that Google decided to blacklist the infected site, rather than just blocking the external domain hosting the malicious content. I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:
> http://1.bp.blogspot...per-country.png
... Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%)... Windows users with Internet Explorer 6 and 7 get the old "iepeers.dll" exploit (a different version for each browser). No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point."

:ph34r: :ph34r:



#690 AplusWebMaster

Posted 17 May 2012 - 05:51 PM

FYI...

Facebook worm spreads via Private Messages, Instant Messengers
- http://blog.trendmic...ant-messengers/
May 17, 2012 - "... recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www .facebook .com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www .facebook .com” and uses the extension “.COM”. Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself. Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites*..."
* http://about-threats...ocialmedia-101/

:grrr: :ph34r:



#691 AplusWebMaster

Posted 19 May 2012 - 08:04 PM

FYI...

PHP v5.4.3 - PoC remote exploit in the wild
- https://isc.sans.edu...l?storyid=13255
Last Updated: 2012-05-19 - "There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the ones that bind a shell to a port. Since there is no patch available for this vulnerability yet, you might want to do the following:
• Block any file upload function in your php applications to avoid risks of exploit code execution.
• Use your IPS to filter known shellcodes like the ones included in metasploit.
• Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336* registered at the beginning of the month.
• Use your HIPS to block any possible buffer overflow in your system."
* http://web.nvd.nist....d=CVE-2012-2336

> Last: http://www.php.net/a...#id2012-05-08-1

PHP 5.4 (5.4.3) Code Execution (Win32)
> http://www.exploit-d...exploits/18861/
___

- http://web.nvd.nist....d=CVE-2012-2376 - 10.0 (HIGH)

:!: :ph34r: :ph34r:

Edited by AplusWebMaster, 22 May 2012 - 05:05 AM.



#692 AplusWebMaster

Posted 21 May 2012 - 12:31 PM

FYI...

Bogus Pinterest pins lead to Survey Scams
- http://blog.trendmic...o-survey-scams/
May 18, 2012 - "The continuing increase in visitors to the Pinterest site may be a primary cause why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to survey scams... new wave of survey scams found came from search using “pinterest” as keyword... Upon clicking the link, users are -redirected- to a Pinterest-like webpage offering prizes, vouchers, gift cards and others... Made to resemble a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are -not- clickable... After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message... the fake site requires an email address...
> http://blog.trendmic...st_repins_4.jpg
Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages..."

:grrr: :ph34r:



#693 AplusWebMaster

Posted 21 May 2012 - 06:03 PM

FYI...

ZeuS ransomware feature: win_unlock
- https://www.f-secure...s/00002367.html
May 21, 2012 - "... new variant of ZeuS 2.x. It includes a new backdoor command called: win_unlock... this slightly modified ZeuS 2.x includes a ransomware feature. When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs .com/locker /lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline. The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system, luckily the locking itself can be easily disabled first. Looking at the code that corresponds with a received win_unlock command, it's clear the unlock information is stored to the registry. Unlocking can therefore be performed quite easily with a registry editor:
1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot
SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119 ..."

:!: :ph34r:

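
The six registry steps quoted in #693 above, carried out as an added example (this is not F-Secure's code): the script builds the .reg file that performs steps 2-5 (a key named syscheck under HKEY_CURRENT_USER holding a DWORD value Checked set to 1) for import with Regedit after booting to Safe Mode, parses the text back as a read-back check, and on Windows can write and verify the value directly through the standard-library winreg module. The key and value names are those given in the post; the .reg file layout follows the Regedit 5.00 export format.

```python
"""Build, check and (on Windows) apply the ZeuS win_unlock registry entry.

Constructed example, not F-Secure's code. Key, value and data are the ones
named in the F-Secure post; everything else is this example's own.
"""
import re
import sys
from typing import Dict, Optional, Tuple

HIVE = "HKEY_CURRENT_USER"
KEY = "syscheck"
VALUE_NAME = "Checked"
VALUE_DATA = 1


def build_unlock_reg(hive: str = HIVE, key: str = KEY,
                     name: str = VALUE_NAME, data: int = VALUE_DATA) -> str:
    """Return .reg text for Regedit; importing it creates the key if missing."""
    if not 0 <= data <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD must fit in 32 bits")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{hive}\\{key}]",            # step 2: the key
        f'"{name}"=dword:{data:08x}',  # steps 3-5: DWORD as 8 hex digits
        "",
    ]
    return "\r\n".join(lines)          # Regedit expects CRLF line endings


KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> Dict[Tuple[str, str], int]:
    """Parse DWORD values from .reg text into {(key path, value name): int}.

    Understands only what build_unlock_reg() emits; it is a read-back check,
    not a general .reg parser.
    """
    values: Dict[Tuple[str, str], int] = {}
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        dword_match = DWORD_RE.match(line)
        if dword_match and current_key is not None:
            values[(current_key, dword_match.group(1))] = int(dword_match.group(2), 16)
    return values


def write_unlock_reg(path: str) -> str:
    """Write the .reg file (e.g. to removable media) and return its content."""
    content = build_unlock_reg()
    with open(path, "w", newline="") as fh:   # newline="" preserves the CRLFs
        fh.write(content)
    return content


def apply_and_verify(hive: str = HIVE, key: str = KEY,
                     name: str = VALUE_NAME, data: int = VALUE_DATA) -> Optional[bool]:
    """On Windows, set the value with winreg and read it back; None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only standard-library module
    root = getattr(winreg, hive)
    with winreg.CreateKey(root, key) as handle:
        winreg.SetValueEx(handle, name, 0, winreg.REG_DWORD, data)
        stored, kind = winreg.QueryValueEx(handle, name)
    return kind == winreg.REG_DWORD and stored == data


if __name__ == "__main__":
    print(build_unlock_reg())
    print("applied and verified:", apply_and_verify())
```

The .reg route is the useful one in practice: the file can be prepared on a clean machine and imported in Safe Mode (step 1 of the post) before the trojan's lock runs, after which the infection itself still has to be removed.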


#694 AplusWebMaster

Posted 22 May 2012 - 06:30 AM

FYI...

Facebook cancellation malware poses as Flash update
- http://nakedsecurity...e-flash-update/
May 21, 2012 - "Have you received an email asking you to confirm that you wish to cancel your account? Be on your guard... reader was in touch with us earlier today, after his suspicions were aroused by an email he had received - seemingly from Facebook.
Malicious email claiming to come from Facebook:
Hi [email address]
We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request
Thanks,
The Facebook Team
To confirm or cancel this request, follow the link below:
click here
... The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform. Of course, that means that the link -does- go to a facebook .com address - something that might fool those who are not cautious. The first thing you're likely to encounter if you did click on the link is a message asking you if you want to allow an unknown Java applet to run on your computer... they're pretty insistent that you allow it... If you hit the "No thanks" button they'll just carry on pestering you to allow the Java applet to run... They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family... If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated... the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, which have the intention of allowing remote hackers to spy on your activities and take control of your computer..."

:grrr: :ph34r:



#695 AplusWebMaster

Posted 23 May 2012 - 06:05 AM

FYI...

'LinkedIn Invitation’ SPAM serving exploits and malware
- http://blog.webroot....ts-and-malware/
May 22, 2012 - "... another round of malicious emails to millions of end and corporate users.
More details:
Once the user clicks on the link (hxxp ://hseclub .net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
Upon execution the sample attempts to connect to the following hosts:
• janisjhnbdaklsjsad .ru:443 with user janisjhnbdaklsjsad .ru and password janisjhnbdaklsjsad .ru – 91.229.91.73, AS50939, SPACE-AS
• sllflfjsnd784982ncbmvbjh434554b3 .ru – 91.217.162.42, AS29568, COMTEL-AS
• kamperazonsjdnjhffaaaae38 .ru – 91.217.162.42, AS29568, COMTEL-AS
• iiioioiiiiooii2iio1oi .ru – 91.217.162.42, AS29568, COMTEL-AS
Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad .ru in particular..."
> https://webrootblog....its_malware.png
___

- http://www.google.co...c?site=AS:50939
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 26 site(s)... that infected 42 other site(s)..."

- http://www.google.co...c?site=AS:29568
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 668 site(s)... that infected 544 other site(s)..."

:grrr: :ph34r:

Edited by AplusWebMaster, 23 May 2012 - 06:34 AM.



#696 AplusWebMaster

Posted 23 May 2012 - 09:52 AM

FYI...

Trojan bypasses mobile security to steal from Online Banking users ...
- https://www.trusteer...g-users-germany
May 22, 2012 - "... a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man in the Browser (MitB) attack to bypass SMS based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account. Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account... Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction... By combining a MitB attack and social engineering, Tatanga is able to circumvent out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker... they are blending multiple attack methods in a single fraud scam... However, they still need to compromise the endpoint with malware, which can be prevented."

:grrr: :ph34r: :ph34r:



#697 AplusWebMaster

Posted 29 May 2012 - 06:20 AM

FYI...

Flame: Questions and Answers
- https://www.secureli...ons_and_Answers
May 28, 2012 - "... Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage..."
(More detail at the kaspersky URL above.)

> https://www.secureli...g/208193524.png

- http://www.symantec....ets-middle-east
May 28 2012 - "... Several component files have been identified. These are:
• advnetcfg.ocx
• ccalc32.sys
• mssecmgr.sys
• msglu32.ocx
• boot32drv.sys
• nteps32.ocx ..."

- https://www.f-secure...s/00002371.html
May 28, 2012
> https://www.f-secure...hives/flame.png

- http://community.web...r-skywiper.aspx
29 May 2012
___

- http://www.symantec....cture-w32flamer
30 May 2012 - "... Full understanding of W32.Flamer requires analyzing each of the approximately 60 embedded Lua scripts, reversing each of the sub-components, and then building this all back together..."
___

UN to warn member nations on risk of Flame virus
- http://atlas.arbor.n...ndex#-264998726
Severity: Elevated Severity
May 30, 2012
Analysis: ... the threat from this malware or any other malware with the same types of capabilities can be significant, depending upon the motives of those driving the attack campaigns. Nation states may be involved and using this toolkit for spying purposes, but there is no clear attribution at this stage.
Source: http://www.reuters.c...E8GT7X120120529

:ph34r: :ph34r:

Edited by AplusWebMaster, 31 May 2012 - 03:51 PM.



#698 AplusWebMaster

Posted 30 May 2012 - 06:40 PM

FYI...

CareerBuilder fake SPAM serves exploits and malware
- http://blog.webroot....ts-and-malware/
May 30, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on client-side exploits serving links... they’re spamvertising a binary that’s largely detected by the security community...
Spamvertised URL: hxxp ://karigar .in/car.html
Client-side exploits served: CVE-2010-0188 and CVE-2010-1885
Malicious client-side exploitation chain: hxxp ://karigar .in/car.html -> hxxp ://masterisland .net/main.php?page=975982764ed58ec3 -> hxxp ://masterisland .net/data/ap2.php -sometimes- hxxp ://strazdini.net/main.php?page=c6c26a0d2a755294 is also included in the redirection.
Upon successful exploitation drops the following MD5: 518648694d3cb7000db916d930adeaaf
Upon execution it phones back to the following URLs/domains:
zorberzorberzu .ru/mev/in/ (146.185.218.122)
prakticalcex .ru – 91.201.4.142
nalezivmordu .in
internetsexcuritee4dummies .ru
Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable, crypt it and spamvertise it once again this time successfully slipping it through signatures-based antivirus scanning solutions..."

:grrr: :ph34r:

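
The domains, IP addresses and MD5 hashes listed in the LinkedIn write-up (#695) and the CareerBuilder write-up (#698) above are the kind of indicators a defender loads into log matching. As an added example (not Webroot's code), the script below keeps the indicators exactly as the two posts print them, defanged with a space before the TLD, refangs them at load time, and matches them against proxy/endpoint log lines. The key=value log format and the sample lines are constructed for this example; the matcher handles the edge cases the posts show (a host written with a port such as janisjhnbdaklsjsad .ru:443, a subdomain of a listed domain, an upper-case hash).

```python
"""Indicator matcher for proxy/DNS/endpoint logs.

Constructed example for the two Webroot write-ups quoted above; not Webroot's
code. Indicator values are transcribed from the posts; the log format and the
sample lines are made up for this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Domains are kept in the defanged form the posts use ("name .tld") and
# refanged at load time, so the table can be copied from a write-up as-is.
CAMPAIGN_IOCS: Dict[str, Dict[str, List[str]]] = {
    "LinkedIn invitation spam (Webroot, 22 May 2012)": {
        "domains": ["hseclub .net", "janisjhnbdaklsjsad .ru",
                    "sllflfjsnd784982ncbmvbjh434554b3 .ru",
                    "kamperazonsjdnjhffaaaae38 .ru", "iiioioiiiiooii2iio1oi .ru"],
        "ips": ["91.229.91.73", "91.217.162.42"],
        "md5s": ["66dfb48ddc624064d21d371507191ff0",
                 "4b1fce0f9a8abdcb7ac515d382c55013"],
    },
    "CareerBuilder spam (Webroot, 30 May 2012)": {
        "domains": ["karigar .in", "masterisland .net", "strazdini.net",
                    "zorberzorberzu .ru", "prakticalcex .ru",
                    "nalezivmordu .in", "internetsexcuritee4dummies .ru"],
        "ips": ["146.185.218.122", "91.201.4.142"],
        "md5s": ["518648694d3cb7000db916d930adeaaf"],
    },
}


def refang(value: str) -> str:
    """Undo the 'name .tld' and 'hxxp ://' defanging used in the posts."""
    return value.replace(" .", ".").replace("hxxp ://", "http://").strip().lower()


class Hit(NamedTuple):
    line_no: int     # 1-based line in the scanned log
    field: str       # which log field matched: host, dst or md5
    indicator: str   # the normalised indicator that matched
    campaign: str    # which write-up the indicator came from


def build_index(iocs=CAMPAIGN_IOCS) -> Dict[str, Dict[str, str]]:
    """Flatten the campaign table into {kind: {indicator: campaign}}."""
    index: Dict[str, Dict[str, str]] = {"domain": {}, "ip": {}, "md5": {}}
    for campaign, kinds in iocs.items():
        for dom in kinds["domains"]:
            index["domain"][refang(dom)] = campaign
        for ip in kinds["ips"]:
            index["ip"][ip.strip()] = campaign
        for digest in kinds["md5s"]:
            index["md5"][digest.strip().lower()] = campaign
    return index


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse a key=value log line (the constructed format used below)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(host: str, domains: Dict[str, str]) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of.

    Strips a ':port' suffix and trailing dot; never matches on the bare TLD.
    """
    host = host.lower().split(":")[0].rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines: List[str], iocs=CAMPAIGN_IOCS) -> List[Hit]:
    """Match each line's host, dst and md5 fields against the indicator index."""
    index = build_index(iocs)
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv_line(line)
        if "host" in rec:
            dom = domain_matches(rec["host"], index["domain"])
            if dom:
                hits.append(Hit(n, "host", dom, index["domain"][dom]))
        dst = rec.get("dst")
        if dst in index["ip"]:
            hits.append(Hit(n, "dst", dst, index["ip"][dst]))
        digest = rec.get("md5", "").lower()
        if digest in index["md5"]:
            hits.append(Hit(n, "md5", digest, index["md5"][digest]))
    return hits


# Constructed sample log: line 1 is benign, the others touch listed indicators.
SAMPLE_LOG = [
    'ts=2012-05-23T06:12:01Z src=10.0.0.21 dst=93.184.216.34 host=www.example.com method=GET path=/',
    'ts=2012-05-23T06:12:09Z src=10.0.0.21 dst=91.217.162.42 host=kamperazonsjdnjhffaaaae38.ru method=POST path=/',
    'ts=2012-05-30T09:41:12Z src=10.0.0.37 dst=198.51.100.7 host=www.karigar.in method=GET path=/car.html',
    'ts=2012-05-30T09:41:20Z src=10.0.0.37 event=file_write md5=518648694D3CB7000DB916D930ADEAAF path="C:\\Users\\a\\AppData\\Local\\Temp\\dropped.exe"',
    'ts=2012-05-23T06:13:02Z src=10.0.0.40 dst=91.229.91.73 host=janisjhnbdaklsjsad.ru:443 method=CONNECT',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.field}={hit.indicator} -> {hit.campaign}")
```

Matching on the registered domain rather than the full host is deliberate: the CareerBuilder chain hops between several hosts on the same domains, and a subdomain the write-up did not list would otherwise slip past. The same suffix walk is what makes a listed domain appearing as a label inside an unrelated host (karigar.in.example.org) a non-match.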


#699 AplusWebMaster

Posted 31 May 2012 - 04:50 AM

FYI...

Pharma SPAM on Dropbox
- http://www.gfi.com/b...rks-on-dropbox/
May 31, 2012 - "Pharma Spam pages sometimes pop up on Dropbox accounts (along with more dubious content*, if you’re really unlucky), and it seems we have another one lining up to sell you some pills.
> http://www.gfi.com/b...xpillspam11.jpg
Clicking through will take the end-user to a typically generic pills website:
> http://www.gfi.com/b...oxpillspam2.jpg
... the best advice would be “don’t bother” (especially if it involves random spam in your mailbox)..."
* http://www.gfi.com/b...sh-this-cheque/

:ph34r: :grrr:



#700 AplusWebMaster

Posted 02 June 2012 - 06:27 AM

FYI...

Small 20K trojan does damage
- http://h-online.com/-1588948
1 June 2012 - "Security experts at CSIS* say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files. Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Tinba is a bot in the classical sense; it uses an encoded connection to deliver data it has collected to a command and control server, which in turn gives the bot new orders. According to CSIS, Tinba has only been used on a very small number of banking web sites so far, but its modular structure means that the perpetrators should not have any problems adding other sites to that list."
* https://www.csis.dk/en/csis/news/3566/

:grrr: :ph34r:





