SPAM frauds, fakes, and other MALWARE deliveries...



#701 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,152 posts

Posted 05 June 2012 - 07:12 AM

FYI...

Fake Facebook SPAM e-mails...
- http://blog.commtouc...t-wikipharmacy/
June 4, 2012 - "Using phony Facebook emails to draw recipients to pharmacy websites is not a new trick... this is no ordinary Viagra shop – it’s the WikiPharmacy! The phony Facebook emails and the pharmacy destination are shown below...
> http://blog.commtouc...macy-images.jpg
... the links in the emails above lead to compromised websites. These unknowingly host -redirects- to the WikiPharmacy...
Email text:
'You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 3 ago. This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team
...' "
___

Facebook privacy notice chain letter - hoax
- http://nakedsecurity...tter-is-a-hoax/
June 5, 2012 - "... messages are simply another chain letter type hoax pinned upon wishful thinking. If you are uncomfortable with Facebook monetizing your content or making your content available to the US government you either need to avoid posting the content to Facebook, or more carefully control your privacy settings and hope the authorities don't seek a court order for your information. If you receive one of these messages from a friend, kindly notify them that it is not legally valid. You might also suggest they check with Snopes* or the Naked Security Facebook page** before propagating myths."
* http://www.snopes.co...ook/privacy.asp

** http://www.facebook.com/SophosSecurity

:grrr: :ph34r:

Edited by AplusWebMaster, 05 June 2012 - 09:19 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#702 AplusWebMaster


Posted 07 June 2012 - 10:56 AM

FYI...

284,000 WordPress sites hacked? Probably not.
- http://blog.commtouc...d-probably-not/
June 6, 2012 - "This Amazon order confirmation email is a fake:
> http://blog.commtouc...phony-email.jpg
Every link leads to malware. Every link leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directories – check out the links:
http ://maximconsulting .us/wp-content/themes/twentyten/—e.html
http ://hampsteadelectrician .com/wp-content/themes/twentyten/—e.html
http ://mormonwomenvoices .com/wp-content/themes/twentyten/—e.html
http ://steppingstones-online .co.uk/wp-content/themes/twentyten/—e.html ... etc.
Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure:
> http://blog.commtouc...ress-themes.jpg
... this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it. The malware targets known Adobe Reader and Acrobat exploits."

:grrr: :ph34r: :ph34r:

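Added example (my own script, not code from the Commtouch post and not part of WordPress): the tell in the post is a loose .html file with an odd name sitting in wp-content/themes/twentyten/, a directory every install has. The scan below walks a WordPress tree and flags files that do not belong in a theme folder: static .html/.htm files, names with non-ASCII characters, and PHP files carrying the usual eval/base64 dropper markers. The sample tree, the marker strings and the rules themselves are assumptions for illustration.

```python
"""
Scan a WordPress tree for files that should not be in a theme directory.

Added example (mine, not from the Commtouch post or from WordPress). The
sample tree, the marker strings and the "suspicious" rules are assumptions
chosen to illustrate the pattern described in the post: a loose .html
redirector dropped into wp-content/themes/twentyten/.
"""
import re
import tempfile
from pathlib import Path

# A stock theme ships PHP templates, CSS, JS, images and a readme; a bare
# .html/.htm file inside a theme folder is not normal and is what the
# campaign used for its redirect page.
SUSPECT_EXTENSIONS = {".html", ".htm"}
# Strings commonly seen in injected PHP droppers (assumed markers, not an
# exhaustive list).
INJECTION_MARKERS = (b"eval(base64_decode(", b"eval(gzinflate(", b"eval(str_rot13(")
# Theme file names are plain ASCII; an em dash or similar (as in the
# campaign's "—e.html") stands out.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def scan_themes(wp_root):
    """Return {relative_path: [reasons]} for files under wp-content/themes
    that look out of place."""
    wp_root = Path(wp_root)
    themes_dir = wp_root / "wp-content" / "themes"
    findings = {}
    if not themes_dir.is_dir():
        return findings
    for path in themes_dir.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            reasons.append("static html file inside a theme")
        if not SAFE_NAME.match(path.name):
            reasons.append("unusual characters in file name")
        if path.suffix.lower() == ".php":
            head = path.read_bytes()[:65536]  # droppers are small; cap the read
            if any(marker in head for marker in INJECTION_MARKERS):
                reasons.append("obfuscated php (eval/base64) marker")
        if reasons:
            findings[path.relative_to(wp_root).as_posix()] = reasons
    return findings


def build_sample_tree():
    """Constructed WordPress layout for the demo (not a real site)."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "twentyten"
    theme.mkdir(parents=True)
    (theme / "style.css").write_text("/* Theme Name: Twenty Ten */")
    (theme / "index.php").write_text("<?php get_header(); ?>")
    # stand-in for the dropped redirector; the real file's content is not
    # shown in the post
    (theme / "\u2014e.html").write_text("<html><script>/* redirect */</script></html>")
    # an injected backdoor marker in an otherwise normal template
    (theme / "footer.php").write_text("<?php eval(base64_decode('aGVsbG8=')); ?>")
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_themes(build_sample_tree()).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against a real docroot with scan_themes("/var/www/html") and review every hit by hand; a clean theme produces none, and a hit on a .php file is a reason to pull the whole install offline and diff it against a fresh copy, since the post says the entry point is likely a plugin rather than the theme.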


#703 AplusWebMaster


Posted 08 June 2012 - 10:03 AM

FYI...

Flame self-destruct cmd sent ...
- http://www.symantec....-urgent-suicide
6 Jun 2012 - "Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider. Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
The browse32.ocx module has two exports:
1. EnableBrowser — This is the initializer, which sets up the environment (mutex, events, shared memory, etc.) before any actions can be taken.
2. StartBrowse — This is the part of the code that does the actual removal of the Flamer components.
The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection..."

:blink:



#704 AplusWebMaster


Posted 08 June 2012 - 12:14 PM

FYI...

Spoofed Xanga malicious emails ...
- http://community.web...t-campaign.aspx
7 Jun 2012 - "Hot on the trail of yesterday's spoofed Craigslist malicious emails* comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal... a sample:
Subject: New Weblog comment on your post!
> http://community.web..._2D00_550x0.jpg
... the "Click here to reply" link goes to this URL:
hxxp ://www.1000sovetov .kiev.ua/wp-content/themes/esp/wp-local.htm
The target site contains obfuscated JavaScript that redirects to URLs like:
hxxp ://pushkidamki .ru:8080/forum/showthread .php?page=5fa58bce769e5c2c
Those are the sites that host the exploit kit.
Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base..."
* http://community.web...ist-emails.aspx

:grrr: :ph34r: :ph34r:

Edited by AplusWebMaster, 10 June 2012 - 01:21 AM.



#705 AplusWebMaster


Posted 14 June 2012 - 11:09 AM

FYI...

Pharmacy SPAM - Facebook/Digg app
- http://blog.commtouc...acebook-social/
June 14th, 2012 - "... a “Facebook Social Reader” for Digg – but “Facebook Social” is a neatly confusing invention of pharmacy spammers... The email welcomes users to the new service and invites them to “view profile details”:
> http://blog.commtouc...cial-email1.jpg
The links in the email lead to compromised websites ... Scripts hidden on these sites redirect users to the destination pharmacy site – the “Toronto Drug Store” which apparently is an “essential part of the Canadian RX Network”:
> http://blog.commtouc...pam-website.jpg
Email text:
Thank you for registering with us at Facebook Social. We look forward to seeing you around the site.
Your profile has two different views reachable through clickable tabs:
• View My Profile: see your profile as your network does
• Edit My Profile: edit the different elements of your profile
View profile details.
What is Facebook Social Share?
Enable Facebook social sharing, and share your Digg experience with your Facebook friends. Let your friends see what you’re reading as you discover the best news around the web. Click the Social button to turn this off.

___

FAKE Classmates.com email
- http://blog.commtouc...ates-com-email/
June 13th, 2012 - "Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:
• Linking to multiple compromised sites which then redirect to the malware hosting sites
• Favoring WordPress sites (that can be exploited)
• Hosting the malware on various .ru domains
• Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
• Using the same Flash exploits in the malware
Previous attacks use well known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless. The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections:
> http://blog.commtouc...phony-email.jpg
Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks:
> http://blog.commtouc...alware-site.jpg
The malware on the final site checks for PDF and Flash versions on the target PC.
• If an appropriate version is found it then redirects to a malicious SWF flash file.
• If not it redirects to google .de"

:grrr: :ph34r: :ph34r:

Edited by AplusWebMaster, 14 June 2012 - 11:29 AM.



#706 AplusWebMaster


Posted 15 June 2012 - 10:50 AM

FYI...

LinkedIn SPAM serving Adobe and Java exploits
- http://pandalabs.pan...-java-exploits/
06/14/12 - "... email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn Inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack... If we verify the “To” and “CC” fields of this email, we see about -100- other recipients.... email in question:
>> http://pandalabs.pan.../2012/06/ss.jpg
Subjects of this email might be: 'Relationship LinkedIn Mail, 'Communication LinkedIn Mail', 'Link LinkedIn Mail' or 'Urgent LinkedIn Mail'. No doubt the subjects of this email will vary, and are not limited to these four.
- Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
- Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer: Adobe Reader / Java
In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens... the exploit will begin doing its work... seems to spawn a .dll file, which in turn spawns another file.. Your machine is executing malware and is in the process of being infected... a malicious executable which will start every time the computer boots. The exploits’ source is probably the Blackhole exploit kit. The exploits in question are: CVE-2006-0003 / CVE-2010-0840
Unknown (at this point) Adobe Reader exploit
- Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. The malware will try to phone home or connect to the following IP addresses: 188.40.248.150 / 46.105.125.7 . The IPs (188.40.248.150 in particular) are part of a known botnet. The IPs are used to receive new instructions from the botherder or to download additional malware... lesson is a very important one and is one of the basics of security... Keep ALL of your software up-to-date! This means Adobe, Java, but don’t forget other software, for example VLC, Windows Media Player...This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed..."
___

> http://centralops.ne...ainDossier.aspx
- 188.40.248.150
Registrant-Name:Felix Preuss
Registrant-Organisation:netcup GmbH
Registrant-Street:Griesbachstrasse 5
Registrant-City:Karlsruhe
Registrant-State/Province:Germany
Registrant-Postal-Code:76185
Registrant-Country:DE ...
- 46.105.125.7
person: Octave Klaba
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France ...

:grrr: :ph34r:

Edited by AplusWebMaster, 15 June 2012 - 11:12 AM.



#707 AplusWebMaster


Posted 20 June 2012 - 09:29 AM

FYI...

9500 malicious sites a day found by Google
- http://h-online.com/-1621670
20 June 2012 - "Google's Safe Browsing programme, which searches for malicious sites and warns browser users when they attempt to visit them, is now five years old, and the problem of malicious sites is still as bad as ever with the system finding more than nine thousand dangerous sites a day. In a post* marking the five year anniversary, Google shared statistics on how effective the system has been... the problem of malicious sites is still growing. Google's own statistics show they are currently discovering over 300,000 phishing sites a month, the highest detection rate ever. These sites may be online for only an hour as they attempt to avoid being detected by services like Safe Browsing, and they have become more targeted both through spear phishing attacks which target particular groups of individuals and through attacks aimed at companies and banks. Phishing sites are also likely to try and get the user to install some malware. Malware distribution through compromised innocent sites is still commonplace, but according to Google, attack web sites built specifically to deliver malware to victims are being used in increasing numbers. While these attacks have used drive-by downloads and other technical mechanisms to deploy the malware, Google notes that social engineering attacks, while still behind drive-by attacks in frequency, are a rapidly growing category. Google asks that people don't ignore their warnings when they see them in the browser..."
* http://googleonlines...-users-for.html
(Charted)

:ph34r: :!: :ph34r:



#708 AplusWebMaster


Posted 22 June 2012 - 07:02 AM

FYI...

Zeus-SpyEye ATS module masks online Banking Theft
Automated attack bypasses two-factor authentication
- http://www.darkreadi...le/id/240002267
Jun 18, 2012 - "A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. Security researchers at Trend Micro during the past few months have studied a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even if it includes strong authentication. So far, the so-called automatic transfer systems (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is used via SMS..."
* http://www.trendmicr...nking_fraud.pdf

- http://www.infosecis...ne-Banking.html
June 21, 2012 - "... it is possible to detect various active ATSs in the wild that are based on a common framework used by cybercriminals to conduct automated fraud. Typically the schemes use phishing emails with links to tainted pages, malware attachments or drive-by download attacks from malicious or even compromised legitimate sites..."

:grrr: :ph34r:



#709 AplusWebMaster


Posted 25 June 2012 - 10:03 AM

FYI...

AutoCAD malware - targeted for Industrial Espionage
- https://isc.sans.edu...l?storyid=13549
Last Updated: 2012-06-25 04:19:38 UTC - "A number of sites have published an analysis of relatively new malware, ACAD/Medre.A*... somewhat unique in that it seems to be highly targeted and specialized. The current version of ACAD/Medre.A seems to be targeted at AutoCAD files hosted at IP addresses in Peru. ACAD/Medre.A is not just thrown together, low quality malware. Analysis reveals it is well written; at a level that suggests an experienced malware writer wrote it... Either it is a limited test of a new malware concept that will be unleashed on the general world in the future. The malware is written using AutoLISP, the AutoCAD built in scripting language. To the best of my knowledge the first malware written in this language. Another possibility is that it is a targeted intellectual property attack by one of the organized malware groups..."
* http://thehackernews...ad-perfect.html
6/24/2012

- http://www.gfi.com/b...-stealing-data/
June 25, 2012
___

> http://blog.eset.com...ical-analysis-2
June 22, 2012

Removal tool here: http://download.eset...edreCleaner.exe

:grrr: :!: :ph34r:

Edited by AplusWebMaster, 25 June 2012 - 12:43 PM.



#710 AplusWebMaster


Posted 26 June 2012 - 08:29 AM

FYI...

UPS delivery tracking SPAM emails serving client-side exploits and malware
- http://blog.webroot....ts-and-malware/
June 25, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails... Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507...
> https://www.virustot...sis/1339706944/
File name: Shipping, Freight, Logistics and Supply Chain Management from UPS.htm
Detection ratio: 2/42
Analysis date: 2012-06-14 20:49:04 UTC
... Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:
%AppData%\KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA - detected by 3 out of 42 antivirus scanners as PAK_Generic.001
Upon execution, the sample phones back to 123.49.61.59 /zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back..."
(More detail at the webroot URL above.)

:grrr: :ph34r:

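Added example (my own, not Websense's, Webroot's or Panda's detection logic): the three write-ups above give enough to turn the chain into proxy-log detections. #704 shows the Blackhole landing URL shape (showthread.php?page= followed by 16 hex characters, on port 8080), #710 shows the post-infection check-in (/zb/v_01_b/in on 123.49.61.59, again on 8080) and #706 gives two C&C IPs. The script below classifies each request, then correlates a landing-page hit followed by a beacon from the same client, which is the sequence that separates a blocked drive-by from an actual infection. The log format is a constructed "ts client method url status" layout rather than any real proxy's format, and matching the beacon's version field generically (v_NN_x) is my generalisation of the one path the post shows.

```python
"""
Flag exploit-kit landing pages and post-infection beacons in proxy logs.

Added example (mine, not from Websense, Webroot or Panda). The log format
below is a constructed "ts client method url status" layout, not a real
proxy format. Indicators are the ones quoted in the posts above: the
Blackhole-style landing URL from #704, the /zb/v_01_b/in check-in and
123.49.61.59 from #710, and the two C&C IPs from #706. Matching the
version field generically (v_NN_x) is my generalisation of the single
path shown.
"""
import re
from urllib.parse import urlsplit

KNOWN_BAD_HOSTS = {
    "www.1000sovetov.kiev.ua",   # compromised WordPress site (#704)
    "pushkidamki.ru",            # Blackhole host (#704)
    "123.49.61.59",              # Cridex-style check-in (#710)
    "188.40.248.150",            # botnet C&C (#706)
    "46.105.125.7",              # botnet C&C (#706)
}
# Blackhole 1.x landing page: .../showthread.php?page=<16 hex chars>
LANDING_PATH = re.compile(r"/showthread\.php$")
LANDING_QUERY = re.compile(r"^page=[0-9a-f]{16}$")
# check-in path seen in #710 (/zb/v_01_b/in); version field assumed variable
BEACON_PATH = re.compile(r"^/zb/v_\d{2}_[a-z]/in$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def classify_request(url):
    """Return verdict tags for one URL; empty list means nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tags = []
    if host in KNOWN_BAD_HOSTS:
        tags.append("known-bad-host")
    if LANDING_PATH.search(parts.path) and LANDING_QUERY.match(parts.query):
        tags.append("blackhole-landing")
    if BEACON_PATH.match(parts.path):
        tags.append("cridex-beacon")
    if parts.port == 8080 and IPV4.match(host):
        tags.append("direct-ip-on-8080")
    return tags


def parse_line(line):
    """Split one constructed log line into (ts, client, method, url) or None."""
    fields = line.split()
    if len(fields) < 5:
        return None
    return int(fields[0]), fields[1], fields[2], fields[3]


def scan_log(lines):
    """Return [(client, url, tags)] for every line that matches something."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, _, url = rec
        tags = classify_request(url)
        if tags:
            hits.append((client, url, tags))
    return hits


def infected_clients(lines, window=600):
    """Clients that hit a landing page and then beaconed within `window` seconds."""
    last_landing = {}
    infected = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _, url = rec
        tags = classify_request(url)
        if "blackhole-landing" in tags:
            last_landing[client] = ts
        if ("cridex-beacon" in tags and client in last_landing
                and 0 <= ts - last_landing[client] <= window):
            infected.add(client)
    return infected


# Constructed sample log (epoch timestamps; hosts are the ones named in the posts).
SAMPLE_LOG = """\
1339688401 10.1.2.33 GET http://www.1000sovetov.kiev.ua/wp-content/themes/esp/wp-local.htm 200
1339688403 10.1.2.33 GET http://pushkidamki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c 200
1339688407 10.1.2.33 POST http://123.49.61.59:8080/zb/v_01_b/in 200
1339688410 10.1.2.44 GET http://www.example.com/forum/showthread.php?page=5 200
1339688412 10.1.2.44 GET http://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(client, url, tags)
    print("infected:", sorted(infected_clients(SAMPLE_LOG)))
```

The host list goes stale within days (the campaigns rotate domains), so the structural matches (the landing URL shape, a check-in to a bare IP on 8080) are what keep earning their place; treat the known-bad list as confirmation, not as the primary signal.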


#711 AplusWebMaster


Posted 26 June 2012 - 12:18 PM

FYI...

Fake PayPal account confirmation emails lead to phishing sites
- http://blog.webroot....phishing-sites/
June 26, 2012 - "... Phishers have just started spamvertising hundreds of thousands of legitimately-looking PayPal themed emails, in an attempt to trick users into entering their accounting data on the fraudulent web site linked in the emails...
Screenshot of the spamvertised PayPal themed campaign:
> https://webrootblog....png?w=458&h=250
... Sample spamvertised text:
Dear PayPal Costumer, It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records before June 12, 2012. Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.
Upon clicking on the link found in the phishing emails, users are presented with the following legitimately-looking PayPal login page:
> https://webrootblog....l_paypal_02.png
Users are advised to avoid interacting with the emails, and to report them as fraudulent/malicious as soon as they receive them."

:grrr:



#712 AplusWebMaster


Posted 28 June 2012 - 01:06 PM

FYI...

Red - Virus Outbreak In Progress
- http://www.ironport.com/toc/

Real-time Outbreak Details
> http://tools.cisco.c...Outbreak.x?i=77
June 29, 2012
___

Bogus online casino themed emails serving W32/Casonline
- http://blog.webroot....g-w32casonline/
June 28, 2012

Fake Delta email leads to Sirefef, Fake AV
- http://www.gfi.com/b...irefef-fake-av/
June 27, 2012

Fake DHL emails serving malware
- http://blog.webroot....erving-malware/
June 26, 2012

:ph34r: :grrr: :ph34r:

Edited by AplusWebMaster, 30 June 2012 - 12:58 PM.



#713 AplusWebMaster


Posted 03 July 2012 - 12:36 PM

FYI...

Garbage print jobs...
- http://www.symantec....printlove-video
July 2, 2012 - "...we have received several customer issues about garbage being printed on their network printers... we came across a new -worm- that causes the garbage print jobs. Symantec detects this worm as W32.Printlove. W32.Printlove uses the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE 2010-2729)* discovered in 2010 to spread across networks. We have created a video..."
* https://technet.micr...lletin/MS10-061
MS10-061 - Critical
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
September 2010

- http://web.nvd.nist....d=CVE-2010-2729 - 9.3 (HIGH)
Last revised: 07/19/2011 - "... as exploited in the wild in September 2010, aka 'Print Spooler Service Impersonation Vulnerability'."

- https://isc.sans.edu...l?storyid=13519
Last Updated: 2012-06-21
___

- http://h-online.com/-1632779
5 July 2012

:ph34r: :grrr: :ph34r:

Edited by AplusWebMaster, 05 July 2012 - 08:15 AM.



#714 AplusWebMaster


Posted 04 July 2012 - 04:51 PM

FYI...

GoPro is compromised serving malicious code
- http://community.web...cious-code.aspx
4 Jul 2012 - "... Websense... has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them... The injected code is resident in multiple locations on the main page. This injection is part of mass injection that is known to us and that is doing its rounds over the web at the moment... Once a user visits gopro .com the injected code gets translated to an Iframe that leads the user automatically and without any interaction to a malicious redirector at ad.fourtytwo.proadvertise .net ... The malicious redirector at ad.fourtytwo.proadvertise .net further redirects the user to an exploit Website loaded with the Blackhole exploit kit located at ad.banchoath .com. On the exploit website several exploits are sent to the user's browser and on successful exploitation the user's machine is infected with malware, at the time of the post... according to virustotal...
* https://www.virustot...6b46b/analysis/
File name: !r033PlxM.exe
Detection ratio: 4/42
Analysis date: 2012-07-04 17:44:13 UTC
... The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website..."
___

- http://google.com/sa...oadvertise.net/
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 1 trojan...

- http://google.com/sa...=banchoath.com/
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 7 trojan(s)...

:ph34r: :grrr:

Edited by AplusWebMaster, 04 July 2012 - 07:28 PM.

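Added example (my own, not Websense's detection logic and not GoPro's actual page): the post describes injected code that "gets translated to an Iframe" pointing at an off-site redirector. The parser below does the two checks a first responder would run on a fetched copy of a suspect page: find iframes that are sized 0/1 pixel or hidden with CSS, and find inline scripts that build markup at runtime with unescape/fromCharCode/document.write. SAMPLE_PAGE is constructed; only the redirector hostname comes from the post, while the markup, the 1x1 hidden frame and the script body are assumptions showing the usual shape of such an injection.

```python
"""
Spot injected iframes and obfuscated inline scripts in a fetched HTML page.

Added example (mine, not Websense's detection logic and not GoPro's page).
SAMPLE_PAGE is constructed: the redirector hostname is the one named in the
post, but the surrounding markup, the CSS/size tricks and the script body
are assumptions that show the usual shape of such injections.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# inline-script tricks used to build an iframe tag at runtime
OBFUSCATION = re.compile(
    r"unescape\s*\(|fromCharCode|eval\s*\(|document\.write\s*\(", re.I)
# CSS commonly used to keep an injected frame out of sight
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class InjectionFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # (kind, reasons, detail)
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:           # HTMLParser hands script bodies to handle_data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body):
                self.findings.append(("script", "obfuscated inline script", body[:60]))

    def _check_iframe(self, a):
        src = a.get("src", "")
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via css")
        # only report frames that are also concealed; legitimate embeds
        # (video players etc.) are off-site but visible
        if reasons:
            host = urlsplit(src).hostname
            if host and host != self.page_host:
                reasons.append("off-site src")
            self.findings.append(("iframe", ", ".join(reasons), src))


def find_injections(html, page_url):
    """Return a list of (kind, reasons, detail) for suspicious iframes/scripts."""
    finder = InjectionFinder(urlsplit(page_url).hostname)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed page: an obfuscated document.write and a 1x1 hidden iframe
# pointing at the redirector host named in the post.
SAMPLE_PAGE = """<html><head><title>Cameras</title>
<script src="/js/site.js"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//ad.fourtytwo.proadvertise.net/%22%3E'));</script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://ad.fourtytwo.proadvertise.net/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, reasons, detail in find_injections(SAMPLE_PAGE, "http://gopro.com/"):
        print(kind, "|", reasons, "|", detail)
```

Feed it the raw bytes you fetched with a non-browser client, since the post notes the injection sits in several places on the main page and server-side conditions (user agent, referrer) often decide whether the injected block is served at all; a clean result from a curl fetch is not proof the page is clean.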


#715 AplusWebMaster


Posted 05 July 2012 - 11:18 AM

FYI...

Java exploit-in-the-wild ...
- https://krebsonsecur...e-exploit-kits/
July 5, 2012 - "... more than 3 billion devices run Java and many of these installations are months out of date... a malicious “.jar” file that — when scanned at Virustotal.com — was detected by just -one- antivirus product (Avira), which flagged it as Java/Dldr.Lamar.BD*. The description of that threat says it targets a Java vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5**..."
* https://www.avira.co...2FDldr.Lamar.BD

** http://www.spywarein...post__p__766617

- http://web.nvd.nist....d=CVE-2012-1723 - 10.0 (HIGH)

Verify: https://www.java.com...etect=jre&try=1
___

- http://h-online.com/-1636577
11 July 2012

Ongoing...
- https://threatpost.c...723-flaw-071612
July 16, 2012 - "... Websense* said that they've seen the Black Hole exploit kit targeting this vulnerability and using a series of freshly registered domains... The vulnerability could evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions..."
* http://community.web...-2012-1723.aspx
15 Jul 2012

:grrr: :ph34r:

Edited by AplusWebMaster, 17 July 2012 - 07:57 AM.



#716 AplusWebMaster


Posted 10 July 2012 - 07:52 AM

FYI...

Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail ...
- http://blog.webroot....ed-in-the-wild/
July 9, 2012 - "... intercepted a currently active phishing campaign that’s a good example of a popular tactic used by cybercriminals known as ‘campaign optimization’. The reason this campaign is well optimized is that it simultaneously targets Gmail, Yahoo, AOL and Windows Hotmail email users... Sample screenshot of the spamvertised phishing email:
> https://webrootblog....png?w=333&h=159
Spamvertised URL hosted on a compromised Web server: tanitechnology .com/fb/includes/examples/properties/index .htm - the URL is currently -not- detected by any of the 28 phishing URL scanning services used by the VirusTotal service. Sample screenshot of the landing phishing page affecting multiple free email service providers:
> https://webrootblog....png?w=280&h=320
What makes an impression is the poor level of English applied to the campaign’s marketing creative. Moreover, it’s rather awkward to see that the landing phishing page is themed using the Online Real Estate brand Remax, a brand that has nothing to do with the enforcement of a particular marketing message related to the phishing campaign. Users are advised to avoid interacting with similar pages, and to always ensure that they’re on the right login page before entering their accounting data."

:grrr: :ph34r:



#717 AplusWebMaster


Posted 11 July 2012 - 12:00 PM

FYI...

Red - Virus Outbreak In Progress
- http://www.ironport.com/toc/
July 11, 2012

- http://tools.cisco.c...Outbreak.x?i=77
Fake Personal Photos E-mail Messages... Updated July 11, 2012
Fake Portuguese Contract Confirmation Email Messages... New July 11, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012
Unknown Malicious Files Distributed in E-mail Messages... New July 11, 2012
Fake USPS Parcel Delivery Failure Notification E-mail Messages... Updated July 11, 2012
Fake Warning Notification E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012 ...

:grrr: :grrr: :ph34r:



#718 AplusWebMaster


Posted 13 July 2012 - 09:14 AM

FYI...

Blended attacks in Q2 2012
- http://www.commtouch...port-july-2012/
July 12, 2012 - "Commtouch’s quarterly Internet Threats Trend Report covers Web threats, phishing, malware, and spam. The July 2012 report describes how distributors of malware, spam and phishing attacks are relying more and more on compromised websites. This tactic is designed to outwit email security and Web security systems that consider a site’s reputation before blocking it. Legitimate websites with positive online reputations but with deficient plugins and known vulnerabilities were harvested en masse in the second quarter of 2012 to host redirects, malware, pharmacy sites and phony login pages. The hacked websites were combined with effective social engineering that exploited multiple well-known brands to draw in victims. Similar branding tricks were used to distribute malware via email attachments. The popular file synchronization and sharing site Dropbox was also used as a malware distribution point in an attack promising free movie tickets..."
(More detail in slideshow at the URL above.)

> http://images.slides...slide-5-728.jpg

> http://images.slides...slide-7-728.jpg

> http://images.slides...slide-8-728.jpg

> http://images.slides...lide-27-728.jpg

> http://images.slides...lide-28-728.jpg

- http://www.commtouch.com/download/2336
PDF

- http://blog.commtouc...cks-in-q2-2012/
July 12, 2012 - Infographic
___

2012 June Symantec Intelligence Report - slideshow:
- http://www.slideshar...lligence-report
Jul 06, 2012


Edited by AplusWebMaster, 13 July 2012 - 03:07 PM.



#719 AplusWebMaster


Posted 19 July 2012 - 08:42 AM

FYI...

Fake UPS emails - client-side exploits and malware ...
- http://blog.webroot....-spam-campaign/
July 18, 2012 - "... cybercriminals systematically abuse popular brands and online services. Next to periodically rotating the brands, they also produce professional looking email templates, in an attempt to successfully brand-jack these companies, and trick their customers into interacting with the malicious emails... currently spamvertised client-side exploits and malware serving campaign impersonating UPS (United Parcel Service). Once users click on the links found in the malicious email, they’re automatically redirected to a Black Hole exploit kit landing page serving client-side exploits, and ultimately dropping malware on the exploited hosts... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8 on the exploited hosts. Detection rate: the sample is detected by 29 out of 41 antivirus scanners** as Trojan.Injector.AFR; Worm.Win32.Cridex.fb... This is the -third- UPS-themed malware serving campaign that we’ve intercepted over the past two months. Next to the malware serving campaigns impersonating DHL, we expect that we’re going to see more malicious activity abusing these highly popular courier service brands. UPS has acknowledged this threat and offered its perspective here*..."
* http://www.ups.com/c...S Name or Brand

** https://www.virustot...fb6b5/analysis/
File name: 20120710_221334_4462C5B3556C5CAB5D90955B3FAA19A8_CAE93.VIR
Detection ratio: 29/41
Analysis date: 2012-07-14
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake SpamCop E-mail Account Alert Notification E-mail Messages - New July 19, 2012
Fake FedEx Shipment Notification E-mail Messages- Updated July 19, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages- Updated July 19, 2012
Fake Product Order Notification E-mail Messages - New July 19, 2012
Fake Contract Notification E-mail Messages - Updated July 19, 2012
Fake DHL Express Tracking Notification E-mail Messages - Updated July 19, 2012
Fake USPS Package Delivery Notification E-mail Messages- Updated July 19, 2012
Fake Airline Ticket Confirmation Attachment E-mail Messages - Updated July 19, 2012 ...


Edited by AplusWebMaster, 19 July 2012 - 01:44 PM.



#720 AplusWebMaster


Posted 19 July 2012 - 11:45 AM

FYI...

Fake Facebook email leads to malware ...
- http://nakedsecurity...g-notification/
July 17, 2012 - "Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph. Because it might be that you're the next potential victim of a malware attack. SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients' computers with malware...
> https://sophosnews.f...lware-email.jpg
... (Did you notice what was odd about the email? The 'from' address misspells Facebook as "Faceboook" with three "o"s) If you click on the link in the email, you are -not- taken immediately to the real Facebook website. Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit)..."
___

The Rise of the “Blackhole” Exploit Kit:
The Importance of Keeping All Software Up To Date
- https://blogs.techne...Redirected=true
19 Jul 2012

Top 10 locations with the most detections of Blacole - second half 2011 (2H11)
> https://blogs.techne...0-43/5127.5.jpg


Edited by AplusWebMaster, 20 July 2012 - 07:39 PM.



#721 AplusWebMaster


Posted 20 July 2012 - 11:04 AM

FYI...

Olympic malware on the Web ...
- http://community.web...mpic-games.aspx
20 Jul 2012 - "... Websense... researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations... the Polish Computer Emergency Response Team (CERT)... analyzed an interesting sample of data-stealing malware*. This malware, once executed, has the ability to interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels and the victim's contact list... it employs a socially engineered attack accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network... analysis is based on a sample (MD5: 3E50B76C0066C314D224F4FD4CBF14D5 ) of the same malware family reported by the CERT.PL advisory. It is also detected as Pushbot, which is known to be a data-stealing malware variant... the malware looks in memory for these processes: opera.exe, firefox.exe, iexplore.exe, skype.exe, and msnmsgr.exe. When it uses a web browser, the malware changes the starting page to redirect user HTTP sessions to malicious websites. In the case of Skype or Microsoft Live Messenger, the malicious process is able to forge HTTP requests with malicious payloads to users in the victim's contacts list. We have also detected a Facebook URL forger used to build proper HTTP requests and send them to the Facebook server. In this way, if there is an active Facebook session, the malware can send malicious messages to the victim's Facebook friends list...
The IP addresses so far are: 46.220.203.212, 89.63.178.149, and 39.54.215.205... The URL hxxp ://lokralbumsgens. com/pictures.php?pic=google is still active, and the domain was registered 20 days ago..."
* http://www.cert.pl/n...gswitch_lang/en



#722 AplusWebMaster


Posted 21 July 2012 - 05:03 AM

FYI...

Fake Intuit emails lead to BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
July 20, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. The emails pretend to be coming from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality though, they -redirect- users to Black Hole exploit kit landing URLs where client-side exploits are served, and ultimately malware is dropped on the infected hosts.
Screenshot of the spamvertised Intuit themed malicious email:
> https://webrootblog....png?w=592&h=175
... Upon clicking on the links found in the email, users are exposed to the following -bogus- “Page loading…” page:
> https://webrootblog...._malware_01.png
- Spamvertised URLs: hxxp ://sklep.kosmetyki-nel .pl/intpmt.html; hxxp ://kuzeybebe .com/o3whbp0G/index.html; hxxp ://senzor .rs/prolintu.html
- Client-side exploits serving URLs: hxxp ://69.194.194.238/view.php?s=2acc7093df3a2945;
hxxp ://proamd-inc .com/main.php?page=8cb1f95c85bce71b;
hxxp ://thaidescribed .com/main.php?page=8cb1f95c85bce71b
- Client-side exploits served:
http://web.nvd.nist....d=CVE-2010-1885 - 9.3 (HIGH)
... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8* on the exploited hosts.
* https://www.virustot...fb6b5/analysis/
SHA256: dd529f7529692c2ebfe9da9eb7a83a7ac9d672782d93c6a82400aa3845cfb6b5
File name: file
Detection ratio: 33/42
Analysis date: 2012-07-20 10:47:57 UTC
... Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B. Upon execution, the sample phones back to renderingoptimization .info – 87.255.51.229, Email: pauletta_carbonneau2120 @quiklinks .com on port 443. Here is information on Intuit’s Online Security Center about this threat:
> http://security.intu.../alert.php?a=49 ..."
___

The Rise of the “Blackhole” Exploit Kit:
... The Importance of Keeping All Software Up To Date
- https://blogs.techne...Redirected=true
19 Jul 2012



#723 AplusWebMaster


Posted 24 July 2012 - 08:09 AM

FYI...

Malware targets Facebook users with Children’s Charity SCAM
- https://www.trusteer...™s-charity-scam
July 24, 2012 - "We recently discovered a configuration of the Citadel malware that targets Facebook users with a fake request for donations to children’s charities in order to steal credit card data. After users have logged into their Facebook account, the Citadel injection mechanism displays a pop up that encourages the victim to donate $1 to children who “desperately” need humanitarian aid. Then, it asks users to fill in their credit card details. The malware is configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch. In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region... This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective. Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."
(More detail at the URL above.)



#724 AplusWebMaster


Posted 24 July 2012 - 11:14 AM

FYI...

Malware served using bogus ‘Hotel Reservation Confirmation’ emails...
- http://blog.webroot....-themed-emails/
July 23, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating Booking.com, in an attempt to trick end and corporate users into downloading and executing the malicious archive attached to the emails...
Screenshot of a sample spamvertised email:
> https://webrootblog....pam_malware.png
... The malicious Hotel-Reservation-Confirmation_from_Booking.exe (MD5: 7b60d5b4af4b1612cd2be56cfc4c1b92 ) executable is detected... as Backdoor.Win32.Androm.cp; Mal/Katusha-F ..."
* https://www.virustot...9be80/analysis/
SHA256: c57f3f74ccc38913e094480aa09593d3f28f73c48d621fe5136d4bb9f249be80
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-24
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Airline Ticket Confirmation Attachment E-mail Message - Updated July 24, 2012
Fake FedEx Shipment Notification E-mail Messages - Updated July 24, 2012
Fake Product Details Attachment E-mail Messages - New July 24, 2012 ...


Edited by AplusWebMaster, 24 July 2012 - 11:26 AM.



#725 AplusWebMaster


Posted 26 July 2012 - 09:03 AM

FYI...

Malware-laced traffic ticket SPAM coming to an Inbox near you
- http://blog.webroot....-themed-emails/
July 25, 2012 - "Not fearing prosecution, cybercriminals regularly impersonate law enforcement online in an attempt to socially engineer end users and corporate users into interacting with their malicious campaigns. From 419 scams, police ransomware, to law enforcement themed malware-serving email campaigns, cybercriminals continue abusing the international branches of various law enforcement agencies... a currently spamvertised malware-serving campaign, indicating that the user has “violated red light traffic signal” and that he should download the -fake- camera recording of his vehicle attached to the email...
Screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
... The attached malware*... is detected... as Trojan:W32/Agent.DTYU; Backdoor.Win32.Androm.dc..."
* https://www.virustot...5f549/analysis/
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-25

- http://www.hyphenet....inbox-near-you/
25 July 2012
___

‘Download your USPS Label’ emails serve malware
- http://blog.webroot....-serve-malware/
July 26, 2012


Edited by AplusWebMaster, 26 July 2012 - 03:18 PM.



#726 AplusWebMaster


Posted 27 July 2012 - 02:11 PM

FYI...

Twitter targeted to spread exploits/malware serving tweets
- http://blog.webroot....serving-tweets/
July 27, 2012 - "Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the [links], users are exposed to the exploits served by the Black Hole web malware exploitation kit...
Screenshot of a sample automatically registered account spamvertising malicious links to thousands of Twitter users:
> https://webrootblog....exploit_kit.png
... an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim. The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files. For the time being, they’re only relying on two static propagation messages, namely, “It’s about уou?” and “It’s уou оn photo?“... the redirection also takes place through the following domains
hxxp ://traffichouse .ru/?2 – 176.57.209.69
hxxp ://traffichouse .ru/?5 – 176.57.209.69
Responding to the same 176.57.209.69 IP are also the following domains:
forex-shop .com
abolyn.twmail .info
pclive .ru
ecoinstrument .ru
Client-side exploits serving domain: hxxp ://oomatsu.veta .su/main.php?page=afaf1d234c788e63
Upon successful client-side exploitation, the campaign drops MD5: 5d1e7ea86bee432ec1e5b3ad9ac43cfa* on the affected hosts. Upon execution, the sample phones back to the following URLs, where it downloads additional malware on the affected hosts:
hxxp ://112.121.178.189 /api/urls/?ts=1f737428&affid=35000
hxxp ://thanosactpetitioned .cu.cc/f/notepad.exe?ts=1f737428&affid=35000 ..."
* https://www.virustot...485b5/analysis/
File name: 5d1e7ea86bee432ec1e5b3ad9ac43cfa.exe
Detection ratio: 16/41
Analysis date: 2012-07-27 19:21:48 UTC

- http://nakedsecurity...photo-disguise/
July 27, 2012
Sample-look-alikes...
> https://sophosnews.f...weets.jpg?w=640
> https://sophosnews.f...-you1.jpg?w=640

Blackhole malware attack spreading on Twitter ...
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
July 27, 2012
Another attack by the BlackHole exploit kit reminds us that patching is most important.
Analysis: If a user clicks on these links posted to various twitter feeds, they will be redirected to a Black Hole exploit kit website that will attempt to exploit vulnerabilities on their system that can be reached through the web browser. Unpatched Java is one of the most popular attack methods these days; however, a batch of other issues in technologies such as Adobe Reader, Flash and various browsers is also part of the attack strategy. Robust patching for home and enterprise users will greatly reduce the pain of such exploit kits that are based on "drive-by" exploits. The enticement tactic is always going to change, but the intent is the same - to trick the user into clicking on something and getting infected.
Source: Outbreak: http://nakedsecurity...photo-disguise/
___

> http://status.twitter.com/

> http://blog.twitter.com/


Edited by AplusWebMaster, 31 July 2012 - 01:43 PM.



#727 AplusWebMaster


Posted 29 July 2012 - 02:31 PM

FYI...

More Olympic malware...

Relay Race To Ruin: Cybercrime in the Olympics
- http://blog.trendmic...n-the-olympics/
Illegal TV Cards Allowing Free Olympic Viewing Sold Online
- http://blog.trendmic...ng-sold-online/
Bogus London Olympics 2012 Ticket Site Spotted
- http://blog.trendmic...t-site-spotted/
Countdown to the Olympics: Are You Safe?
- http://blog.trendmic...s-are-you-safe/
Spammed Messages* Attempt to Cash In on London 2012 Olympics
- http://blog.trendmic...-2012-olympics/

* http://blog.trendmic...pics_2012_1.jpg

* http://blog.trendmic...pics_2012_2.jpg

* http://blog.trendmic...pics_2012_3.jpg

More Olympics-related threats - Blackhat Search Engine Optimization (BHSEO)
> http://blog.trendmic...elated-threats/
July 29, 2012

- http://research.zsca...from-scams.html
July 28, 2012
___

> http://tools.cisco.c...Outbreak.x?i=77
Fake Roxy Palace Casino Promotional Code Notification E-mail Messages - Updated July 30, 2012
Fake UPS Payment Document Attachment E-mail Messages - Updated July 30, 2012
Fake Financial Transaction Scanned Document - New July 30, 2012
Fake Bank Transfer Receipt E-mail Messages - New July 30, 2012
Fake Picture Link E-mail Messages - Updated July 30, 2012
Fake Coupon Offer E-mail Messages - Updated July 30, 2012
Fake German E-mail Billing Requests - New July 30, 2012
Fake Blocked Credit Card Notification E-mail Messages - Updated July 30, 2012
Malicious Personal Pictures Attachment E-mail Messages - Updated July 30, 2012 ...


Edited by AplusWebMaster, 31 July 2012 - 07:59 AM.



#728 AplusWebMaster


Posted 01 August 2012 - 06:05 PM

FYI...

Fake CPA/AICPA emails lead to BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
August 1, 2012 - "Certified public accountants, beware... Cybercriminals are currently spamvertising millions of emails impersonating AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Spamvertised URL: hxxp://thewebloan .com/wp-includes/notice.html
Client-side exploits serving URLs parked on the same IP (221.131.129.200) - hxxp ://jeffknitwear .org/main.php?page=8614d3f3a69b5162;
hxxp ://lefttorightproductservice .org/main.php?page=4bf5d331b53d6f15
Client-side exploits serving domains responding to the same IP:
toeplunge .org; teloexpressions .org; historyalmostany .org
Client-side exploits served:
- http://web.nvd.nist....d=CVE-2010-1885 9.3 (HIGH)
Detection rate for a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 *
... Trojan.Script!IK; JS/Iframe.W!tr
Upon successful client-side exploitation, the campaign drops
MD5: b00af54e5907d57c913c7b3d166e6a5a ** on the affected hosts...
Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv ..."
* https://www.virustot...sis/1342738075/
File name: AICPA.html
Detection ratio: 4/42
Analysis date: 2012-07-19
** https://www.virustot...28a20/analysis/
File name: b00af54e5907d57c913c7b3d166e6a5a.exe
Detection ratio: 30/39
Analysis date: 2012-07-27



#729 AplusWebMaster


Posted 03 August 2012 - 07:04 AM

FYI...

Fake AT&T email installs malware
- http://community.web...ls-malware.aspx
2 Aug 2012 - "Websense... detected a massive phishing campaign targeting AT&T customers... fake emails are masquerading as billing information... Each message claims that there is a bill of a few hundred US dollars. In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message...
(Screenshot of phish/fake email):
> http://community.web...00_campaign.png
... the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware that is currently not detected by most antivirus products, according to VirusTotal*, is downloaded onto the computer..."
* https://www.virustot...dfa13/analysis/
File name: readme.exe
Detection ratio: 10/39
Analysis date: 2012-08-03 06:21:20 UTC
___

Fake PayPal emails lead to BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
August 2, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign. Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem...
Screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Upon clicking on the link, users are exposed to a bogus “Page loading…” page:
> https://webrootblog....loit_kit_01.png
... Client-side exploits served: CVE-2010-0188; CVE-2010-1885
Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23*
Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0** on the affected hosts... cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties. PayPal has information (1) on their website to help users identify legitimate emails..."
* https://www.virustot...sis/1343139059/
File name: PayPal.html
Detection ratio: 3/40
Analysis date: 2012-07-24 14:10:59 UTC
** https://www.virustot...d84be/analysis/
File name: file
Detection ratio: 32/41
Analysis date: 2012-08-03 10:30:40 UTC

1- https://www.paypal.c...icious-activity


Edited by AplusWebMaster, 03 August 2012 - 09:09 AM.

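The hover check the Websense item above describes (the displayed link text says one thing, the real target is another), automated as an added example that is not Websense's code: it parses an HTML mail body, pairs each anchor's visible text with its href, and flags links whose displayed domain differs from the real target or whose target sits outside the domain the mail claims to come from. The HTML sample, the hosts in it (compromised-host.example, tracker.example) and the brand domain att.com passed in are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, brand_domain: str):
    """Flag anchors whose visible text or claimed brand disagrees with the real target.

    brand_domain is the domain the mail claims to come from (assumed known,
    e.g. taken from a verified From: header).
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:            # mailto:, relative or empty href: nothing to hover-compare
            continue
        shown = DOMAIN_RE.search(text)
        if shown and not same_site(target, shown.group(1).lower()):
            findings.append((text, href, "displayed-domain-differs"))
        elif not same_site(target, brand_domain.lower()):
            findings.append((text, href, "off-brand-target"))
    return findings


# Constructed HTML resembling the billing lure; none of these hosts come from the post.
SAMPLE_HTML = """
<p>Your AT&amp;T bill of $467.92 is ready.</p>
<p><a href="http://compromised-host.example/notice.html">https://www.att.com/myatt/billing</a></p>
<p><a href="https://www.att.com/privacy"><b>Privacy</b> policy</a></p>
<p><a href="http://tracker.example/click?id=7">Unsubscribe</a></p>
<p>Questions? <a href="mailto:billing@att.com">billing@att.com</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML, "att.com"):
        print(f"{reason:25} {text!r} -> {href}")
```

The "displayed-domain-differs" finding is the strong signal, the same thing a user would see on hover. The "off-brand-target" heuristic will also catch legitimate mailing-list trackers and CDN links, so in a mail gateway it belongs behind an allowlist of the provider's known sending and tracking domains rather than used as a hard block on its own.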


#730 AplusWebMaster


Posted 05 August 2012 - 01:21 PM

FYI...

Phishing for Payroll with unpatched Java
- https://isc.sans.edu...l?storyid=13840
Last Updated: 2012-08-05 - "... companies that offer outsourced payroll management services have seen their name being abused for phishing scams. One prominent example is ADP, whose website [1] currently alerts their customers to four different samples of phishing emails that make the rounds and claim to be from ADP. The average recipient of such a phish would have no idea who or what ADP is, and would be highly unlikely to "click". But a HR/Payroll employee of a company that actually uses ADP services would certainly be alarmed to read, for example, that his/her access to ADP is about to be cut off:
> https://isc.sans.edu...yimages/sd1.JPG
... the odds are pretty high that someone who clicks on the link in the email is actually a HR/Payroll person. Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that's hard to beat...
>> https://isc.sans.edu...yimages/sd2.jpg
... Those who clicked nonetheless, have likely been "had" though. The shown marottamare link redirected via three other web sites, and then ended up on 50.116.36.175, a very temporary home on what looks like a rented Linux VServer. From there, the exploits were delivered, and at least one of them, Java CVE-2012-1723, is currently netting the bad guys a lot of illicit system access. Antivirus detection rate is and stays low: three days later, it is still only at -8/41- on Virustotal*. The main reason for this seems to be that the exploit packs are encoded... which means that the original attack code and payload are split up into five byte blocks, and each of these individual five bytes is encoded by XOR with a different static value... Some of the AV tools are getting better at providing generic detection for encoded CVE-2012-1723, but don't hold your breath... As for defenses:
1. PATCH your Java JRE. CVE-2012-1723** is deadly, and is widely being exploited in the wild at the moment. Even better, uninstall Java JRE completely from your computers if you can get away with it.
2. Make sure your HR and Payroll folks are treated to another round of "DONT CLICK ON THIS LINK" training. They are your first line of defense, and - given Antivirus' ineffectiveness - usually even your ONLY line of defense.
3. If you have an outsourced payroll provider, acquaint yourself with the email logs, so that you know what REAL email coming from this provider looks like. This knowledge is priceless during an incident, and might even help you to automatically -block- some of the more egregious phishes..."
* https://www.virustot...sis/1344175361/
File name: Rooh.jar
Detection ratio: 8/41
Analysis date: 2012-08-05

[1] http://www.adp.com/a...ity-alerts.aspx

** http://web.nvd.nist....d=CVE-2012-1723 - 10.0 (HIGH)
6/16/2012

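The five-byte XOR encoding the ISC diary above describes, worked through as an added example (this is not ISC code and not the actual exploit pack): a repeating-key XOR codec, a routine that recovers the key, and a demonstration that a plaintext signature misses the encoded blob and matches again once it is decoded. The stand-in PE payload, the key value and the zero-padding assumption used for key recovery are all constructed for the example.

```python
from collections import Counter

KEY_LEN = 5  # five-byte blocks, each byte XORed with its own static value (per the diary)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i % len(key)]; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, key_len: int = KEY_LEN, known_prefix: bytes = b"MZ") -> bytes:
    """Recover a repeating XOR key of length key_len from an encoded blob.

    Key positions covered by known_prefix (the plaintext the blob must start
    with: b"MZ" for a PE, b"PK\\x03\\x04" for a JAR) come straight from known
    plaintext.  For the remaining positions the most frequent byte in that
    stride is assumed to be plaintext 0x00, which holds for zero-padded PE
    images.  That zero-padding assumption is the example's, not a property
    of the encoding.
    """
    key = bytearray(key_len)
    for pos in range(key_len):
        if pos < len(known_prefix):
            key[pos] = blob[pos] ^ known_prefix[pos]
        else:
            stride = blob[pos::key_len]
            key[pos] = Counter(stride).most_common(1)[0][0]  # 0x00 ^ k == k
    return bytes(key)


DOS_STUB = b"This program cannot be run in DOS mode."


def has_dos_stub(data: bytes) -> bool:
    """Plaintext signature a naive scanner might use."""
    return DOS_STUB in data


# Constructed stand-in for a dropped PE: MZ header, zero padding, DOS stub text.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           + b"\x00" * 48 + DOS_STUB + b"\x00" * 25)
STATIC_KEY = b"\x5a\x13\xc7\x2e\x81"   # hypothetical attacker key, chosen for the example
ENCODED = xor_repeat(FAKE_PE, STATIC_KEY)


def demo():
    """Signature misses the encoded blob; key recovery brings it back."""
    recovered = recover_key(ENCODED)
    decoded = xor_repeat(ENCODED, recovered)
    return {
        "signature_on_encoded": has_dos_stub(ENCODED),
        "recovered_key": recovered,
        "signature_after_decode": has_dos_stub(decoded),
        "roundtrip_ok": decoded == FAKE_PE,
    }


if __name__ == "__main__":
    print(demo())
```

For a JAR such as the Rooh.jar sample, pass known_prefix=b"PK\x03\x04" to pin four of the five key bytes and brute-force the fifth (256 candidates) against a zip parser; the zero-frequency trick only suits padded PE images, since deflated data has no dominant byte. This is also why the diary's "generic detection" is harder than it sounds: a scanner has to recover or guess the key before any plaintext signature applies.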


#731 AplusWebMaster


Posted 09 August 2012 - 08:39 AM

FYI...

Fake LinkedIn emails serve exploits and malware
- http://blog.webroot....ts-and-malware/
August 8, 2012 - "... cybercriminals launched the most recent spam campaign impersonating LinkedIn, in an attempt to trick LinkedIn’s users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Spamvertised URL: hxxp ://glqzc .com/linkzane.html
Client-side exploits serving URL: hxxp ://headtoheadblaster .org/main.php?page=f6857febef53e332
Client-side exploits served: http://web.nvd.nist....d=CVE-2010-1885 - 9.3 (HIGH)
Upon successful client-side exploitation, the campaign drops MD5: 6c59e90d9c3931c900cfd2672f64aec3 *
... PWS-Zbot.gen.ajm; W32/Kryptik.BRK..."
* https://www.virustot...bc800/analysis/
File name: 6c59e90d9c3931c900cfd2672f64aec3
Detection ratio: 24/42
Analysis date: 2012-08-09 02:17:01 UTC


Edited by AplusWebMaster, 09 August 2012 - 08:58 AM.



#732 AplusWebMaster


Posted 09 August 2012 - 10:57 AM

FYI...

- https://isc.sans.edu...l?storyid=13861
Last Updated: 2012-08-09 10:20:41 UTC
... Ref (1): http://blog.fox-it.c...preading-virus/
XDocCrypt/Dorifel – Document encrypting and network spreading virus
August 9, 2012 - "... apparently none of your IT security defenses has removed it, blocked it, or signaled you that there was something wrong on that system. If you were hit, you will likely start asking yourself some questions now… A properly configured IDS would have picked up the attack earlier and you would have been notified of the event. Communication to the following IP addresses might indicate malicious behavior on your system:
184.82.162.163
184.22.103.202

... Ref (2): http://www.damnthose.../?p=599&lang=en
Latest reference 09-08-2012 Update 18:05...
... 2x IPs to block: 184.82.162.163... 184.22.103.202

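The indicators quoted in the Intuit (#722), Twitter (#727), LinkedIn (#731) and Dorifel (#732) items above, put to work as an added example that is not code from Webroot, Fox-IT or the ISC: a small Python scanner that runs those IPs and domains over constructed proxy log lines and, on top of the plain IOC match, flags the landing-URL shape every BlackHole sample in this thread shares (main.php?page=<16 hex>, view.php?s=<16 hex>). The log format, the client addresses and the fixed 16-hex-digit token are assumptions; the IOCs are 2012 data and are stale today.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators quoted in the Intuit, Twitter, LinkedIn and Dorifel items above
# (2012 campaigns; stale now, kept only to drive the example).
IOC_IPS = {
    "69.194.194.238", "87.255.51.229",    # Intuit campaign landing / phone-home
    "176.57.209.69", "112.121.178.189",   # Twitter campaign redirector / downloader
    "184.82.162.163", "184.22.103.202",   # Dorifel C2 per Fox-IT
}
IOC_DOMAINS = {
    "proamd-inc.com", "thaidescribed.com", "renderingoptimization.info",
    "traffichouse.ru", "oomatsu.veta.su", "thanosactpetitioned.cu.cc",
}

# Landing-page shape seen in every BlackHole sample in this thread:
# main.php?page=<16 hex> and view.php?s=<16 hex>.  The fixed 16-hex-digit
# token is an assumption drawn from those samples, not a published kit signature.
LANDING_SCRIPTS = {"main.php": "page", "view.php": "s"}
HEX16 = re.compile(r"^[0-9a-f]{16}$")


def matches_ioc_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url: str):
    """Return a reason string if the URL is worth triage, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_IPS:
        return "ioc-ip"
    if matches_ioc_domain(host):
        return "ioc-domain"
    script = parts.path.rsplit("/", 1)[-1]
    param = LANDING_SCRIPTS.get(script)
    if param and any(HEX16.match(v) for v in parse_qs(parts.query).get(param, [])):
        return "blackhole-landing-shape"
    return None


def scan_log(text: str):
    """Scan '<epoch> <client-ip> <method> <url>' lines; return (client, url, reason) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


def summarize_by_client(hits):
    return dict(Counter(client for client, _url, _reason in hits))


# Constructed proxy log.  The first line is the compromised-but-legitimate first
# hop from the Intuit post; it is deliberately NOT on the IOC list, which is the
# reputation-filter gap the Commtouch report above describes.
SAMPLE_LOG = """\
1342777001 10.0.0.5 GET http://sklep.kosmetyki-nel.pl/intpmt.html
1342777003 10.0.0.5 GET http://69.194.194.238/view.php?s=2acc7093df3a2945
1342777004 10.0.0.5 GET http://proamd-inc.com/main.php?page=8cb1f95c85bce71b
1342777030 10.0.0.5 CONNECT https://renderingoptimization.info:443/
1342777100 10.0.0.9 GET http://example.org/main.php?page=about
1342777101 10.0.0.9 GET https://www.intuit.com/
1342777150 10.0.0.12 GET http://headtoheadblaster.org/main.php?page=f6857febef53e332
1342777200 10.0.0.12 GET http://184.82.162.163/
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, url, reason in found:
        print(f"{client:10} {reason:24} {url}")
    print(summarize_by_client(found))
```

Two things the run shows that the posts only imply: the compromised first hop (sklep.kosmetyki-nel.pl) produces no hit at all, so a blocklist built from the landing and C2 indicators alone never sees the click that started the chain, and the shape rule catches the LinkedIn landing page without it being on the list. The shape rule is a heuristic with an obvious false-positive surface (any site with a main.php and a hex-looking parameter), so it belongs in a triage queue, not a block rule.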


#733 AplusWebMaster


Posted 10 August 2012 - 07:36 AM

FYI...

Fake Groupon email malware coupon
- http://blog.commtouc...oupon-with-you/
Aug 9, 2012 - "A recent collection of malware emails borrows heavily from authentic mailings sent out by Groupon and LinkedIn. The outbreak is different from the blended attacks that have featured regularly in the last few months since it relies on attached malware as opposed to a link to drive-by malware. Using email templates modeled on Groupon and LinkedIn increases the chances that recipients will consider the attachment genuine and worth opening. The example below shows a Groupon “deal” found by a friend. Recipients are invited to open the attachment to view the gift details and also to forward it on to friends. All the links within the “offer” point to genuine Groupon sites.
> http://blog.commtouc...ith-malware.jpg
The attached zip file unpacks to a file named “Coupon gift.exe”. Commtouch’s Antivirus identifies the malware as W32/Trojan3.DWY. The malware attempts to download and install files from several remote servers. Only 30% of the 41 engines on VirusTotal detected the malware within a few hours of the attack...
Email text:
Hi there!
You’re going to love it
We are glad to inform you that one of your friends has found a great deal on Groupon.com!
And even shared it with you!
Yeah! Now Groupon.com gives an opportunity to share a discount gift with a friend!
Enjoy your discount gift in the attachement and share it with one of your friend as well.
All the details in the file attached. be in a hurry this weekend special is due in 2 days!
"

:grrr: :ph34r:



#734 AplusWebMaster

Posted 10 August 2012 - 04:42 PM

FYI...

Fake AT&T email billing - serves exploits and malware
- http://blog.webroot....ts-and-malware/
August 10, 2012 - "... yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill. Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts...
Screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Client-side exploits serving URL:
hxxp ://advancementwowcom .org/main.php?page=19152be46559e39d
Client-side exploits served: CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e* on the infected hosts... as Trojan.Generic.KD.687203; W32/Cridex-Q. Once executed, the sample phones back to hxxp :// 87.204.199.100 :8080 /mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign... cybercriminals will continue rotating popular brands, introduce new email templates, and newly undetected pieces of malware..."
* https://www.virustot...dfa13/analysis/
File name: C497B4D6DFADD4609918282CF91C6F4E_100-about.exe
Detection ratio: 19/41
Analysis date: 2012-08-05

:grrr: :ph34r:



#735 AplusWebMaster

Posted 11 August 2012 - 09:29 AM

FYI...

Olympic malware spread continues ...
- http://community.web...able-Sites.aspx
10 Aug 2012 - "... Websense... analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th... Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Links:
> http://community.web..._2D00_550x0.jpg
... We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:
> http://community.web.../1057.chart.jpg
..."

:grrr: :ph34r: :!:



#736 AplusWebMaster

Posted 11 August 2012 - 04:09 PM

FYI...

Fake Intuit emails ...
- http://security.intu.../alert.php?a=52
8/10/2012 - "People are receiving emails purportedly from Classmates.com with the title "Download your Intuit.com invoice." There is an attachment to the email. Below is the text of the email people are receiving, including the errors in the email:

"Dear Customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-040-6988 ($3.19/min).
ORDER INFORMATION
Please download your complete order id#6269722 from the attachment.(Open with Internet Explorer)"


This is the end of the fake email... Steps to Take Now:
. Do not click on the link in the email...
. Spoofed email address. Don't reply to unsolicited email and don't open email attachments...
. Fake link. When in doubt, never click on a link in an unsolicited or suspicious email..."

:( :ph34r: :ph34r:



#737 AplusWebMaster

Posted 13 August 2012 - 07:38 AM

FYI...

Phishing emails from "Nationwide" in circulation
- http://www.gfi.com/b...in-circulation/
August 13, 2012 - "There are some emails floating around right now claiming to be from Nationwide*. The first wants customers to “validate your internet banking profile”, with the aid of the following missive:
> http://www.gfi.com/b...nationphish.jpg
The second tries a different approach, claiming that they have “identified an unusual conflict between the customer number and profile details associated with your account”.
> http://www.gfi.com/b...ationphish2.jpg
The emails lead to various URLs which appear to have been compromised (including a Belarus human rights website and what appears to be an Indonesian news portal) playing host to pages asking for security information. Of the two, the human rights site appears to have been fixed but the dubious pages are still live on the Indonesian portal at time of writing.
http://www.gfi.com/b...ationphish3.jpg
Customers of Nationwide should treat -any- emails asking to validate and/or confirm security information with the utmost suspicion and make a safety deposit in their spam folder."
* https://en.wikipedia...uilding_Society
"Nationwide Building Society is a British mutual financial institution..."

:grrr: :ph34r:



#738 AplusWebMaster

Posted 13 August 2012 - 08:58 AM

FYI...

Insecure WordPress blogs... host Blackhole malware attack
- http://nakedsecurity...malware-attack/
August 10, 2012 - "... a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
Here's what a typical email looks like:
> https://sophosnews.f...mail1.jpg?w=640
Subject: Verify your order
Message body:
Dear [name],
please verify your order #[random number] at [LINK]
We hope to see you again soon!

The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM. More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins* that it might use)."

* http://www.spywarein...post__p__768572

:grrr: :!: :ph34r:

Edited by AplusWebMaster, 13 August 2012 - 10:16 AM.



#739 AplusWebMaster

Posted 14 August 2012 - 09:20 AM

FYI...

IRS SPAM campaign leads to BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
August 13, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick tax payers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a BlackHole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit...
Screenshot of the spamvertised IRS themed email:
> https://webrootblog....exploit_kit.png
Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog....loit_kit_01.png
Client-side exploits served: CVE-2010-0188; CVE-2010-1885
... as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim, hence they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim..."

- https://www.virustot...sis/1343319131/
File name: IRS.html
Detection ratio: 2/41
Analysis date: 2012-07-26
- https://www.virustot...44557/analysis/
File name: 6d7b7d2409626f2c8c166373e5ef76a5.exe
Detection ratio: 30/41
Analysis date: 2012-08-04

:grrr: :ph34r:



#740 AplusWebMaster

Posted 15 August 2012 - 02:15 PM

FYI...

Another Fake Intuit email: "Your order was shipped today"
> http://security.intu.../alert.php?a=53
[Last updated 8/14/2012 - "Fake email: "Your order was shipped today"
People are receiving emails with the title "Your order was shipped today." There are numerous messages in the email, including an offer to talk to a QuickBooks expert, the request to add a fake Intuit email to the user's address book, and the possibility to win a $30,000 small business grant. DO NOT click on any of these links. Below is the text portion of the email people are receiving. We have not included the graphic portion of the email which includes the fake links.

Dear Customer,
Great News! Your order, SBL46150408, was shipped today (see details below) and will arrive shortly. We hope that you will find that it exceeds your expectations. If you ordered multiple products, we may ship them in separate boxes (at no extra cost to you) to ensure the fastest possible delivery. We will Also provide you with the ability to track your shipments via the directions below.
Thank you for your order and we look forward to serving you again in the near future.


This is the end of the fake email. We have not included the graphics with the fake links in the information above. Steps to Take Now: Do not click..."]
___

JUST DELETE THE EMAIL if you get one, or 2 or 3... The only reason the hacks keep doing this is:
It works.

>> http://www.spywarein...post__p__769733

:grrr: :ph34r:

Edited by AplusWebMaster, 15 August 2012 - 03:15 PM.



#741 AplusWebMaster

Posted 16 August 2012 - 11:29 AM

FYI...

PDF reader exploits-in-the-wild ...
- http://blog.fireeye....an-myagent.html
2012.08.15 - "At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation... We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment... we have seen the malware get delivered as different files via email. The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits... We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples of this malware, the constant changes it makes to its intermediary stages to install the actual payload put it into the category of advanced malware."

:grrr: :ph34r:



#742 AplusWebMaster

Posted 21 August 2012 - 10:51 AM

FYI...

- http://www.ironport.com/toc/
August 21, 2012

- http://tools.cisco.c...Outbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - August 21, 2012
Fake Payment Notification E-mail Messages - August 21, 2012
Fake DHL Express Tracking Notification E-mail Messages - August 21, 2012
Fake Tax Refund Statement E-mail Messages - August 20, 2012
Malicious Personal Pictures Attachment E-mail Messages - August 20, 2012
Fake Criminal Complaint E-mail Messages - August 20, 2012
Fake Product Photo Attachment E-mail Message - August 20, 2012
Fake Money Transfer Notification E-mail Messages - August 20, 2012
Fake Private Photo Disclosure E-mail Messages - August 20, 2012 ...
Fake Microsoft Security Update E-mail Messages- August 17, 2012 ...

:ph34r: :grrr:



#743 AplusWebMaster

Posted 22 August 2012 - 07:52 AM

FYI...

F-secure Threat Report H1 2012
- https://www.f-secure...s/00002411.html
August 21, 2012 - "... criminals were still as busy as ever. Our report includes the following case studies:
• ZeuS & Spyeye
• Flashback
• Blackhole
• Mobile Threats
• Ransomware
• Rogueware
You can download the report from:
- http://www.f-secure....ort_H1_2012.pdf
"One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code."

:ph34r: :ph34r:



#744 AplusWebMaster

Posted 22 August 2012 - 09:26 AM

FYI...

Fake Flash Player App is an SMS Trojan ...
- http://www.gfi.com/b...jan-and-adware/
August 22, 2012 - "Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn’t have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers. Of course, it’s possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites. It’s no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices... As of this writing, we’ve seen -eight- sites using Adobe’s logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they’re the same malicious variant... You may come across other websites claiming to host the latest version of Flash Player. In that case, better to steer clear from them and download only from Google Play*."
* https://play.google....ashplayer&hl=en
___

- http://blog.webroot....obe-flash-apps/
August 23, 2012

:grrr: :ph34r:

Edited by AplusWebMaster, 23 August 2012 - 09:58 PM.



#745 AplusWebMaster

Posted 23 August 2012 - 07:49 AM

FYI...

Fake BlackBerry ID emails...
- http://community.web...ed-malware.aspx
22 Aug 2012 - "Websense... intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.
> http://community.web..._2D00_550x0.png
... The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it. 17/36 AV engines identify the malware in VirusTotal*..."
* https://www.virustot...7b082/analysis/
File name: Hotel-Booking_Confirmation.exe
Detection ratio: 27/42
Analysis date: 2012-08-23 10:54:21 UTC
> http://community.web...threatscope.PNG
___

Bogus greeting cards serve exploits and malware
- http://blog.webroot....ts-and-malware/
August 21, 2012 - "Think you’ve received an online greeting card from 123greetings.com? Think twice! Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit...
Screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Upon clicking on -any- of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:
> https://webrootblog....loit_kit_01.png
... Client-side exploits served: CVE-2010-1885
Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 *...
Upon successful execution, the sample phones back to 87.120.41.155 :8080/mx5/B/in
More MD5s are known to have phoned back to the same command and control server... 87.120.41.155 is actually a name server offering DNS resolving services to related malicious and command and control servers... The second sample phones back to 87.204.199.100 :8080/mx5/B/in/; not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns..."
* https://www.virustot...0365f/analysis/
File name: 42307705ad637c615a6ed5fbf1e755d1
Detection ratio: 34/42
Analysis date: 2012-08-23 01:27:36 UTC

:grrr: :ph34r:

Edited by AplusWebMaster, 23 August 2012 - 01:01 PM.


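The IDS note at the top of this section ("Communication to the following IP addresses might indicate malicious behavior") and the Webroot write-ups quoted above both boil down to the same defender task: take the indicators as the posts print them, refang them, and run them over your own proxy or firewall logs. The script below is an added example and is not code from the thread or from any of the vendors quoted; the indicator values are copied from the posts above, while the log format, the sample log lines and the client addresses are constructed for the example.

```python
"""Match proxy-log traffic against the indicators quoted in this thread.

Indicator values are copied from the posts above (Webroot, AlienVault, the
damnthose.. write-up) in the "defanged" spelling the posts use (spaces inside
host names, hxxp) and are refanged here before matching.  The log format and
the sample lines are constructed for this example.
"""
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Hosts / IPs the posts name as command-and-control, payload or redirect servers.
DEFANGED_HOSTS = [
    "184.82.162.163",          # "2x IPs to block" (damnthose... write-up)
    "184.22.103.202",
    "87.204.199.100",          # mx5/B/in check-in: AT&T, 123greetings, Craigslist, PayPal campaigns
    "87.120.41.155",           # second 123greetings C2, also a name server for related hosts
    "223.25.233.244",          # hello.icon .pk (Java 0-day Poison Ivy sample)
    "hello.icon .pk",
    "ok.aa24 .net",            # hi.exe payload host
    "buzzstar .co .uk",        # Label_Copy_UPS.zip
    "advancementwowcom .org",  # Black Hole landing page (AT&T campaign)
]
# URL path shared by the samples that phoned home to 87.204.199.100 / 87.120.41.155.
C2_PATH_PREFIX = "/mx5/b/in"
# MD5s of the dropped samples as quoted in the posts.
KNOWN_BAD_MD5 = {
    "c497b4d6dfadd4609918282cf91c6f4e",
    "42307705ad637c615a6ed5fbf1e755d1",
    "b702590c01f76f02e2d8d98833d1c95f",
    "9c2f2cabf00bde87de47405b80ef83c1",
}


def refang(indicator: str) -> str:
    """Undo the defanging used in the posts: 'hxxp :// a .b .c :8080 /x' -> 'http://a.b.c:8080/x'."""
    s = indicator.strip()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    s = re.sub(r"\s*://\s*", "://", s)
    s = re.sub(r"\s+\.\s*", ".", s)   # "buzzstar .co .uk" -> "buzzstar.co.uk"
    s = re.sub(r"\s+:\s*", ":", s)    # "87.204.199.100 :8080" -> "87.204.199.100:8080"
    s = re.sub(r"\s+/", "/", s)       # ":8080 /mx5" -> ":8080/mx5"
    return s


C2_HOSTS = {refang(h).lower() for h in DEFANGED_HOSTS}

# Constructed proxy log: timestamp, client, method, URL, status (one request per line).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SAMPLE_LOG = """\
2012-08-23T10:54:21Z 10.0.0.17 GET http://www.example.com/index.html 200
2012-08-23T10:55:02Z 10.0.0.17 GET http://advancementwowcom.org/main.php?page=19152be46559e39d 200
2012-08-23T10:55:09Z 10.0.0.17 POST http://87.204.199.100:8080/mx5/B/in/ 200
2012-08-23T11:02:44Z 10.0.0.23 GET http://ok.aa24.net/meeting/hi.exe 200
2012-08-23T11:10:00Z 10.0.0.23 GET http://hello.icon.pk/ 200
2012-08-23T11:12:13Z 10.0.0.41 GET http://10.1.1.5:8080/mx5/B/in/ 404
2012-08-23T11:15:30Z 10.0.0.41 GET http://update.example.org/patch.zip 200
"""


def classify_url(url: str) -> List[str]:
    """Return the reasons a URL matches the thread's indicators (empty list = no match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known bad host {host}")
    # The check-in path is matched on its own so a not-yet-listed C2 on the
    # same kit still surfaces; 10.1.1.5 in the sample log is caught this way.
    if parts.path.lower().startswith(C2_PATH_PREFIX):
        reasons.append(f"check-in path {parts.path} on {host}:{parts.port or 80}")
    return reasons


def scan_proxy_log(text: str) -> List[Dict]:
    """Return one record per log line that matches an indicator, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, _method, url, _status = m.groups()
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def is_known_bad_md5(data: bytes) -> bool:
    """True when the MD5 of a file's bytes is one of the hashes quoted in the posts."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

The host list is exact-match on the hostname, so a block list built from `C2_HOSTS` is safe to push to a proxy; the path-prefix rule is a heuristic and should be treated as a lead to investigate, not an automatic block.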


#746 AplusWebMaster

Posted 27 August 2012 - 05:07 PM

FYI...

Java 0-Day exploit-in-the-wild
- https://secunia.com/advisories/50133/
Last Update: 2012-08-28
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
Solution Status: Unpatched
Software: Oracle Java JRE 1.7.x / 7.x
CVE Reference: http://web.nvd.nist....d=CVE-2012-4681 - 6.8
... vulnerability is confirmed in version 7 update 6 build 1.7.0_06-b24. Other versions may also be affected.
Solution: No official solution is currently available...
Reported as a 0-day.
Original Advisory:
http://blog.fireeye....t-over-yet.html

- https://isc.sans.edu...l?storyid=13984
Last Updated: 2012-08-27 20:29:15 UTC - "... targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the metasploit framework..."
- https://krebsonsecur...y-java-exploit/
August 27, 2012
- http://www.deependre...nformation.html
August 27, 2012 - "... currently being used in targeted attacks..."

- http://labs.alienvau...ed-in-the-wild/
August 27, 2012 - "... On the analyzed sample the payload is downloaded from ok.aa24 .net/meeting /hi.exe... The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service. The malware connects to hello.icon .pk port 80. It seems to be a Poison Ivy variant. hello.icon .pk resolves to:
223.25.233.244
223.25.233.0 – 223.25.233.255

8 to Infinity Pte Ltd ..."
> https://www.virustot...8200f/analysis/
File name: hi.exe
Detection ratio: 32/42
Analysis date: 2012-08-28 12:59:25 UTC

- https://www.virustot...8200f/analysis/
File name: hi.exe
Detection ratio: 36/42
Analysis date: 2012-08-29 10:55:45 UTC
___

- http://www.kb.cert.org/vuls/id/636312
Last revised: 28 Aug 2012 - "... Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability..."

- http://www.symantec....y-cve-2012-4681
8.28.2012 - "... attackers have been using this zero-day vulnerability for at least five days, since August 22... we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6*..."

* http://www.spywarein...post__p__769824

:!: :ph34r:

Edited by AplusWebMaster, 29 August 2012 - 09:19 AM.



#747 AplusWebMaster

Posted 29 August 2012 - 06:59 AM

FYI...

Java 0-day added to Blackhole Exploit Kit
- http://community.web...xploit-kit.aspx
28 Aug 2012 - "... exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there: Blackhole... The Pre.jar file (VirusTotal link*) will use the new vulnerability to install the malware (VirusTotal link**) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report(1)... A technical analysis of these two vulnerabilities is available at the blog Immunity Products in this post(2)."
* https://www.virustot...1f874/analysis/
File name: Pre.jar
Detection ratio: 17/42
Analysis date: 2012-08-29 10:43:59 UTC
** https://www.virustot...38137/analysis/
File name: about.exe
Detection ratio: 18/42
Analysis date: 2012-08-29 04:32:07 UTC
1) http://community.web...threatscope.png
2) http://immunityprodu...-2012-4681.html
___

- http://h-online.com/-1677789
29 August 2012 - "... Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support..."

- https://krebsonsecur...aged-two-flaws/
August 29, 2012 - "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

:!: :ph34r:

Edited by AplusWebMaster, 29 August 2012 - 10:25 AM.



#748 AplusWebMaster

Posted 29 August 2012 - 09:46 AM

FYI...

Fake QuickBooks update email ...
- http://security.intu.../alert.php?a=54
8/28/2012 - "People are receiving emails with one of the following titles: "Important QuickBooks Update," "QuickBooks Security Update," "Urgent: QuickBooks Update," and "QuickBooks Update: Urgent." There is a link in the email. DO NOT click on the link.
Below is the text of the email people are receiving, including the errors in the email.

'You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.'


This is the end of the -fake- email..."

- http://blog.webroot....serving-emails/
August 29, 2012 - "... millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit..."

:grrr: :ph34r:



#749 AplusWebMaster

Posted 29 August 2012 - 04:51 PM

FYI...

Java v7u7 / v6u35 released
- http://www.spywarein...post__p__770487
August 30, 2012
___

- http://www.symantec....attack-campaign
Update August 30, 2012 - "... using a Java zero-day, hosted as a .jar file on websites, to infect victims... attackers have been using this zero-day for several days since August 22... resolves to 223.25.233.244. That same IP was used by the Nitro attackers back in 2011..."

- http://blog.trendmic...d-java-zero-day
Aug 30, 2012

- http://nakedsecurity...ited-tax-email/
August 30, 2012
- http://nakedsecurity...fixes-for-java/
August 30, 2012
___

Java 0-day exploit on 100+ sites serving malware
- https://www.computer...s_serve_malware
August 29, 2012 - "... Websense... had found more than 100 unique domains serving the Java exploit. "The number is definitely growing...and because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days"... Yesterday, Michael Coates, Mozilla's director of security assurance, urged Firefox users to disable the browser's Java plug-in because Oracle has not issued fixes... Mozilla has the ability to add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox automatically queries the blocklist and notifies users before disabling the targeted add-ons..."
___

- http://web.nvd.nist....d=CVE-2012-4681 - 9.3 (HIGH)
Last revised: 08/29/2012 - "... as exploited in the wild in August 2012..."

- http://h-online.com/-1677789
29 August 2012 - "... Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support..."

- https://krebsonsecur...aged-two-flaws/
August 29, 2012 - "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

- http://www.darkreadi...le/id/240006469
Aug 29, 2012

:grrr: :ph34r:

Edited by AplusWebMaster, 31 August 2012 - 11:04 AM.

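The three Java posts above give a defender everything needed for a quick inventory check: the exploit is confirmed on 7u6 (1.7.0_06-b24), Symantec says it does not work on JRE 1.6, and 7u7 / 6u35 are the releases that followed. The script below turns those quoted facts into a triage of `java -version` banners collected from workstations. It is an added example, not code from the thread or from any vendor quoted in it; the hostnames and all banners other than the 1.7.0_06-b24 build string quoted on the page are constructed.

```python
"""Triage `java -version` banners against the CVE-2012-4681 notes quoted in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Facts as quoted in the posts above: the exploit targets JRE 7 (confirmed on 7u6,
# build 1.7.0_06-b24), does not work on JRE 1.6 (Symantec), and Java 7u7 / 6u35
# were the releases that followed.
FIXED_UPDATE_JAVA7 = 7
CURRENT_UPDATE_JAVA6 = 35

# First line of `java -version`, e.g. 'java version "1.7.0_06"'; the update part is
# optional so a bare "1.7.0" (7u0) still parses.
BANNER_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.0(?:_(\d+))?')


@dataclass
class JavaStatus:
    host: str
    major: Optional[int]
    update: Optional[int]
    verdict: str   # vulnerable | patched | not-affected | outdated | unknown
    action: str


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """'java version "1.7.0_06"' -> (7, 6); None when the banner is not a Java banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(host: str, banner: str) -> JavaStatus:
    """Classify one host's banner using only the version facts quoted above."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return JavaStatus(host, None, None, "unknown",
                          "banner not recognised; check this host by hand")
    major, update = parsed
    if major == 7:
        if update < FIXED_UPDATE_JAVA7:
            return JavaStatus(host, major, update, "vulnerable",
                              "update to 7u7 or later; until then disable the Java browser plugin")
        return JavaStatus(host, major, update, "patched", "none")
    if major == 6:
        if update < CURRENT_UPDATE_JAVA6:
            return JavaStatus(host, major, update, "outdated",
                              "not hit by CVE-2012-4681, but older than the 6u35 release; update")
        return JavaStatus(host, major, update, "not-affected", "none")
    return JavaStatus(host, major, update, "outdated",
                      "Java release older than 6; remove or upgrade")


def triage(inventory: Dict[str, str]) -> List[JavaStatus]:
    """Assess every host and return only those needing action, vulnerable ones first."""
    order = {"vulnerable": 0, "unknown": 1, "outdated": 2}
    results = [assess(h, b) for h, b in inventory.items()]
    flagged = [r for r in results if r.verdict in order]
    return sorted(flagged, key=lambda r: (order[r.verdict], r.host))


# Constructed inventory: hostnames and banners are made up for this example, except
# the 1.7.0_06-b24 build string, which is the one the Secunia advisory above names.
SAMPLE_INVENTORY = {
    "ws-accounting-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "ws-accounting-02": 'java version "1.7.0_07"',
    "ws-design-03": 'java version "1.6.0_33"',
    "ws-design-04": 'java version "1.6.0_35"',
    "kiosk-lobby": 'java version "1.5.0_22"',
    "srv-build": "bash: java: command not found",
}


if __name__ == "__main__":
    for status in triage(SAMPLE_INVENTORY):
        print(f"{status.host:18} {status.verdict:12} {status.action}")
```

Hosts that report "patched" or "not-affected" are dropped from the output on purpose; the list that comes back is the work queue, with the CVE-2012-4681 exposures at the top.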


#750 AplusWebMaster

Posted 31 August 2012 - 10:37 AM

FYI...

Fake UPS SPAM links to malware
- http://blog.webroot....-serve-malware/
August 31, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick users into downloading and executing the malicious file hosted on a compromised web site...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
... location of the malicious archive: buzzstar .co .uk/Label_Copy_UPS.zip
The malware has a MD5: b702590c01f76f02e2d8d98833d1c95f * ...
* https://www.virustot...eaefb/analysis/
File name: file-4438621_exe
Detection ratio: 20/25
Analysis date: 2012-08-31 02:25:37 UTC

Fake Paypal SPAM links to malware
- http://blog.webroot....-serve-malware/
August 30, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails. Using ‘Notification of payment received‘ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC...
Sample screenshot of the spamvertised email:
> https://webrootblog....ion_malware.png
... The malware has a MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ...
* https://www.virustot...7d67a/analysis/
File name: smona_1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.bin
Detection ratio: 37/42
Analysis date: 2012-08-29 08:33:11 UTC

:grrr: :ph34r:





