Bogus USPS emails lead to malware
Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
Sample screenshot of the spamvertised email:
Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to the following URLs...
(See the 1st webroot URL above - long list of IPs.) ..."
File name: Shipping_Label_USPS.exe
Detection ratio: 5/44
Analysis date: 2012-11-02
SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop
In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
Fake Apple "Account Info Change" SPAM / welnessmedical .com
6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
From: Apple [ appleid @ id.arcadiadesign .it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change
The following information for your Apple ID [redacted] was updated on 11/06/2012:
Date of birth
Security question(s) and answer(s)
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
To review and update your security settings, sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
Apple Customer Support
TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
The fake pharma site (welnessmedical.com) is hosted on 220.127.116.11 along with a bunch of other ones, plus some additional sites one IP over at 18.104.22.168... Oddly, 22.214.171.124 doesn't seem to be registered at RIPE. No matter, we know who the owner of 126.96.36.199 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 188.8.131.52/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]
Xerox WorkCentre Location: machine location not set
184.108.40.206 (RimuHosting, US)
220.127.116.11 (Universiti Putra, Malaysia)
18.104.22.168 (MYREN, Malaysia)
The following malicious domains are also hosted on the same servers:
fionadix .ru ..."
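The USPS, Apple and Xerox lures above share two tells a mail gateway can check: the display name or subject claims a brand whose real mail never comes from the sender's domain, and the payload arrives as a .zip/.exe/.HTML attachment or link. The following triage routine is an added example, not code from any of the quoted posts; the brand allow-list and the three sample messages are constructed for it and are not the original emails.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands impersonated above mapped to the domain their real mail comes from (an assumed
# allow-list for this example), and the file types the lures deliver as attachment or link.
BRAND_DOMAINS = {"apple": "apple.com", "usps": "usps.com", "xerox": "xerox.com"}
RISKY = re.compile(r"\.(?:zip|exe|scr|html?)\b", re.I)

def triage(raw):
    """Return the reasons a raw RFC 822 message looks like a brand-impersonation lure."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claimed = (name + " " + msg.get("Subject", "")).lower()
    for brand, good in BRAND_DOMAINS.items():
        if brand in claimed and sender_domain != good and not sender_domain.endswith("." + good):
            reasons.append(f"claims {brand} but sender domain is {sender_domain or 'missing'}")
    for part in msg.walk():  # a single-part message yields just itself
        fname = part.get_filename()
        if fname and RISKY.search(fname):
            reasons.append(f"risky attachment {fname}")
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(errors="replace")
            reasons += [f"link to risky file {u}" for u in re.findall(r"https?://\S+", text) if RISKY.search(u)]
    return reasons

# Constructed samples modelled on the lures quoted above; they are not the original messages.
USPS = """From: USPS <noreply@usps-tracking.example>
Subject: USPS Shipping Label

Print your label: http://shipping.example/Shipping_Label_USPS.zip"""
APPLE = """From: Apple <appleid@id.arcadiadesign.it>
Subject: Account Info Change

Reset your password at https://iforgot.apple.com"""
XEROX = """From: Keshawn Burns <MaribelParchment@hotmail.com>
Subject: Scan from a Xerox WorkCentre Pro #47938830
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document.
--b1
Content-Disposition: attachment; filename="scan.html"

<html></html>
--b1--"""
```

The check is a header and payload heuristic only; it complements, and does not replace, SPF/DKIM/DMARC results, which would also fail for the Apple and Xerox senders here.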
Elections and shenanigans
Nov 6, 2012 - "... Election Day... we’re not short of seeing shenanigans related to this big event that online criminals and scammers have been taking advantage of for months. What we have below are just some of what we found surrounding the elections. First off is a file that goes by the name election card1.exe, and it looks like this:
This is actually a Trojan that VIPRE detects as Trojan.Win32.Rotinom.b (v). Once users double-click this file, it then modifies the affected system’s registry to enable its execution every system startup and hide file extensions among others. This file could be as a result of scammers hoping to capitalise on voters in cities who can’t physically go to polling stations to vote due to Hurricane Sandy but will resort to voting using email and/or fax. The nature of this threat cannot be more timely. We’ve also seen something called Romney_Obama_Focus_On_Key_States_on_Final_Lap.zip. When you take a look what’s inside the compressed file, here is what you’ll see:
Another executable file that uses an icon of a different file, this time posing as a Microsoft Word document file. Funnily enough, when you do execute the file, it indeed calls on both MS Word and WordPad (just in case you don't have the other) and then shows you a .DOC article about Mitt Romney and President Barack Obama:
Finally, avid YouTube viewers should be wary of what they watch and of links associated with those clips. Some use the said social media site to lead users to download and install a movie player... (We’ve written about some of those “players”...).
What you'll see in the actual video is a clip taken from a segment of a television news channel wherein a best-selling author talks about his documentary called 2016: Obama's America, not the teaser clip of the movie that is normally put out when they entice viewers to watch the full version for free. Below the clip is a shortened URL linking to the download page of the said movie player. You must know that in order to watch the clip offered by the software, additional video software has to be downloaded... Let us be mindful of that for the next couple of days..."
Edited by AplusWebMaster, 06 November 2012 - 03:06 PM.