Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 22.214.171.124, AS24514; 126.96.36.199, AS10297; 188.8.131.52, AS16276 ..."
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
Fake Intercompany Invoice SPAM / controlleramo .ru
7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
Date: Wed, 7 Nov 2012 07:29:44 -0500
From: LinkedIn [email@example.com]
Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for supporting this process
Beazer Homes USA Corp.
184.108.40.206 (Universiti Putra, Malaysia)
220.127.116.11 (MYREN, Malaysia)
18.104.22.168 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
Phishers take aim at USAA
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
Subject: USAA – Account Security Update
Dear Valued Customer,
We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for
your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
[link] Click here to verify [/link]
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security
USAA Internet Banking.
Once a recipient clicks "Click here to verify", he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
>> https://www.usaa.com...=phishing email
Edited by AplusWebMaster, 07 November 2012 - 12:43 PM.