Jump to content


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
1316 replies to this topic

#801 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 06 November 2012 - 08:14 AM

FYI...

Bogus USPS emails lead to malware
- http://blog.webroot....ead-to-malware/
Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.jpg
Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to the following URLs...
(See the 1st webroot URL above - long list of IPs.) ... 64.151.87.152, 66.7.209.185, 173.224.211.194, 46.105.121.86, 222.255.237.132, 64.151.87.152, 79.170.89.209, 217.160.236.108, 88.84.137.174, 46.105.112.99, 50.22.136.150, 130.88.105.45, 91.205.63.194, 95.173.180.42, 217.160.236.108 ..."
* https://www.virustot...sis/1351876562/
File name: Shipping_Label_USPS.exe
Detection ratio: 5/44
Analysis date: 2012-11-02
___

SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
- http://blog.dynamoo....to-us-show.html
6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
___

Fake Apple "Account Info Change" SPAM / welnessmedical .com
- http://blog.dynamoo....hange-spam.html
6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
From: Apple [ appleid @ id.arcadiadesign .it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change
Hello,
The following information for your Apple ID [redacted] was updated on 11/06/2012:
Date of birth
Security question(s) and answer(s)
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
To review and update your security settings, sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
Thanks,
Apple Customer Support
TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44... Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
* http://en.wikipedia....iki/CyberBunker
___

Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
- http://blog.dynamoo....centre-pro.html
6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]
Xerox WorkCentre Location: machine location not set


The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin .ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
The following malicious domains are also hosted on the same servers:
forumibiza .ru
kiladopje .ru
donkihotik .ru
lemonadiom .ru
peneloipin .ru
panacealeon .ru
finitolaco .ru
fidelocastroo .ru
ponowseniks .ru
dianadrau .ru
panalkinew .ru
fionadix .ru ..."
___

Elections and shenanigans
- http://www.gfi.com/b...nd-shenanigans/
Nov 6, 2012 - "... Election Day... we’re not short of seeing shenanigans related to this big event that online criminals and scammers have been taking advantage of for months. What we have below are just some of what we found surrounding the elections. First off is a file that goes by the name election card1.exe, and it looks like this:
> http://www.gfi.com/b...ction-card1.png
This is actually a Trojan that VIPRE detects as Trojan.Win32.Rotinom.b (v). Once users double-click this file, it then modifies the affected system’s registry to enable its execution every system startup and hide file extensions among others. This file could be as a result of scammers hoping to capitalise on voters in cities who can’t physically go to polling stations to vote due to Hurricane Sandy but will resort to voting using email and/or fax. The nature of this threat cannot be more timely. We’ve also seen something called Romney_Obama_Focus_On_Key_States_on_Final_Lap.zip. When you take a look what’s inside the compressed file, here is what you’ll see:
> http://www.gfi.com/b.../2012/11/01.png
Another executable file that uses an icon of a different file, this time posing as a Microsoft Word document file. Funnily enough, when you do execute the file, it indeed calls on both MS Word and WordPad (just in case you don’t have the other) and then shows you a .DOC article about Mitt Romney and President Barrack Obama:
> http://www.gfi.com/b...2012/11/rom.png
The document is called Romney_Obama_Focus_On_Key_States_on_Final_Lap .doc, and it is embedded within the executable file. Criminals have been using this “sleight-of-hand” trick on their malware for a long time. They do this to make users believe that what downloaded is just a harmless document file, not knowing that the malware already made several modifications on their system before they even start to read the article. Of course, this trick only works if the “Hide file extension” advanced view setting is ticked. We’ve also seen a lot of legitimate web sites pages out there that use tags like “election” and “obama” that serve malicious codes (iframe tags leading to .ru websites and obfuscated JavaScript). Please be wary when you visit election-related sites.
> http://www.gfi.com/b...d-js-script.png
Finally, avid YouTube viewers should be wary of what they watch and of links associated with those clips. Some use the said social media site to lead users to download and install a movie player... (We’ve written about some of those “players”...).
> http://www.gfi.com/b...obama-20161.png
What you’ll see in the actual video is a clip taken from a segment of a television news channel where in a best-selling author talks about his documentary called 2016: Obama’s America, not the teaser clip of the movie that is normally put out when they entice viewers to watch the full version for free. Below the clip is a shortened URL linking to the download page of the said movie player. You must know that in order to watch the clip offered by the software, additional video software have to be downloaded... Let us be mindful of that for the next couple of days..."

:grrr: :ph34r:

Edited by AplusWebMaster, 06 November 2012 - 03:06 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#802 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 07 November 2012 - 06:03 AM

FYI...

Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
> https://webrootblog....its_malware.png
> https://webrootblog...._malware_01.png
... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
* https://www.virustot...1ea40/analysis/
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
** https://www.virustot...75ed8/analysis/
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
___

Fake Intercompany Invoice SPAM / controlleramo .ru
- http://blog.dynamoo....voice-spam.html
7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
Date: Wed, 7 Nov 2012 07:29:44 -0500
From: LinkedIn [welcome@linkedin.com]
Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments: Invoice_e49580.htm
Hi
Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for supporting this process
Rihanna PEASE
Beazer Homes USA Corp.


The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
___

Phishers take aim at USAA
- http://www.gfi.com/b...ke-aim-at-usaa/
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
> http://www.gfi.com/b...SAACred_115.png
From: {random}
To: {random}
Subject: USAA – Account Security Update
Message body:
Dear Valued Customer,
We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for
your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
[link] Click here to verify [/link]
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security
reasons.
Thank you,
USAA Internet Banking.


Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
> http://www.gfi.com/b.../11/usaa011.png
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
* https://www.usaa.com...ent_logon/Logon

>> https://www.usaa.com...=phishing email

>>> https://www.youtube....&v=KYiKATvQvWw#!

:grrr: :ph34r:

Edited by AplusWebMaster, 07 November 2012 - 12:43 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#803 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 08 November 2012 - 07:28 AM

FYI...

Fake Discover Card emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
8 Nov 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit.
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to 200.169.13.84 :8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 Email: anil_valiquette124 @ dawnsonmail .com
Name Server: NS1.CHELSEAFUN.NET 173.234.9.89
Name Server: NS2.CHELSEAFUN.NET 65.131.100.90
netgear-india .net 183.180.134.217, AS2519
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61
Name Server: NS2.TOPPAUDIO .COM - 173.234.9.89 ..."
* https://www.virustot...50589/analysis/
File name: KB01474670.exe
Detection ratio: 4/44
Analysis date: 2012-11-02
___

getyourbet .org injection attack
- http://blog.dynamoo....ion-attack.html
8 Nov 2012 - "There seems to be an injection attack doing the rounds, the injected domain is getyourbet .org hosted on 31.184.192.237. The domain registration details are:
Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains @ yahoo .com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two stage attack, if getyourbet .org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
pin.panacheswimwear .co.uk
physical.oneandonlykanuhura .com
pig.onmailorder .com
picture.onlyplussizes .com
person.nypersonaltrainers .com
pipe.payday-loanstoday .com
I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."

:grrr: :ph34r:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#804 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 09 November 2012 - 07:56 AM

FYI...

Fake Intuit emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich .org..."
* https://www.virustot...c1e14/analysis/
File name: download
Detection ratio: 29/44
Analysis date: 2012-11-08
___

Changelog SPAM / canadianpanakota .ru
- http://blog.dynamoo....panakotaru.html
9 Nov 2012 - "This spam leads to malware on canadianpanakota .ru:
Date: Fri, 9 Nov 2012 11:55:11 +0530
From: LinkedIn Password [password @ linkedin .com]
Subject: Re: Changlog 10.2011
Attachments: changelog4-2012.htm
Hello,
as promised changelog,(Internet Explorer File)


The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:
120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota .ru
controlleramo .ru
donkihotik .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
lemonadiom .ru
peneloipin .ru
moneymakergrow .ru ..."

:grrr: :ph34r:

Edited by AplusWebMaster, 09 November 2012 - 09:37 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#805 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 12 November 2012 - 06:24 AM

FYI...

Fake American Express emails serve client-side exploits and malware...
- http://blog.webroot....ts-and-malware/
Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving cllient-side exploits courtesy of the BlackHole Exploit Kit....
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Malicious domain name reconnaissance:
stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drops the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
210.56.23.100 :8080/asp/intro.php
210.56.23.100 :8080/za/v_01_a/in ...
The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
* https://www.virustot...c6182/analysis/
File name: c8c607bc630ee2fe6a8c31b8eb03ed43
Detection ratio: 15/43
Analysis date: 2012-11-02
___

Cableforum.co .uk hacked?
- http://blog.dynamoo....ouk-hacked.html
12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
NatWest : Helpful Banking
Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access...

> https://lh3.ggpht.co...600/natwest.png
This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, crap like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password."

:grrr: :ph34r:

Edited by AplusWebMaster, 12 November 2012 - 10:01 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#806 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 12 November 2012 - 03:23 PM

FYI...

Blackhole exploit kit - top threat by a large margin
- https://blogs.techne...ew-heights.aspx
12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."

* https://blogs.techne...0-43/3683.2.jpg

** https://blogs.techne...0-43/6443.1.jpg

*** http://www.microsoft...at/default.aspx
___

New Java attack introduced into "Cool Exploit Kit"
- https://threatpost.c...loit-kit-111212
Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
* https://web.nvd.nist...d=CVE-2012-5076 - 10.0 (HIGH)

:ph34r: :ph34r:

Edited by AplusWebMaster, 13 November 2012 - 06:48 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#807 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 13 November 2012 - 10:42 AM

FYI...

Fake "Your flight" SPAM / monacofrm .ru
- http://blog.dynamoo....onacofrmru.html
13 Nov 2012 - "These spam email messages lead to malware on monacofrm .ru:
From: sales1 @victimdomain .com
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581
Dear Customer,
FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
NAOMI PATTON,
==========
From: messages-noreply @bounce .linkedin .com On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733
Dear Customer,
FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Adon Walton,

(...etc.)

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)
The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added: There's a Wire Transfer SPAM using the same payload too:
From: Amazon.com / account-update @amazon .com
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation
Dear Bank Account Operator,
WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.

___

Fake "End of Aug. Statmeent" SPAM / veneziolo .ru
- http://blog.dynamoo....enezioloru.html
13 Nov 2012 - "The spam never stops, this malicious email leads to malware at veneziolo .ru:
Date: Tue, 13 Nov 2012 12:27:15 -0500
From: Mathilda Allen via LinkedIn [member @linkedin .com]
Subject: Re: End of Aug. Statmeent required
Attachments: Invoices12-2012.htm
Good morning,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards


The malicious payload is at [donotclick]veneziolo .ru:8080/forum/links/column.php hosted on the same IPs seen earlier today, the following IPs and domains are all related:
41.168.5.140, 62.76.46.195, 62.76.178.233, 62.76.186.190, 62.76.188.246, 65.99.223.24, 84.22.100.108, 85.143.166.170, 87.120.41.155, 91.194.122.8, 103.6.238.9, 120.138.20.54, 132.248.49.112, 202.180.221.186, 203.80.16.81, 207.126.57.208, 209.51.221.247, 213.251.171.30, 216.24.194.66 ..."

:grrr: :grrr:

Edited by AplusWebMaster, 13 November 2012 - 06:58 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#808 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 14 November 2012 - 07:57 AM

FYI...

Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 14, 2012 - "A cybercriminal/group... continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Malicious domain name reconnaissance: puzzledbased .net – 183.180.134.217, AS2519 – Email: rodger_covach3060 @ spacewar .com
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
Although we couldn’t reproduce puzzledbased .net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp ://netgear-india .net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware analysis...
The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains:
rovo .pl
itracrions .pl
superdmntre .com
chicwhite .com
radiovaweonearch .com
strili .com
superdmntwo .com
unitmusiceditior .com
newtimedescriptor .com
steamedboasting .info
solla.at votela .net
stempare .net
tradenext .net
bootingbluray .net
The following malicious domain (stempare .net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns..."
___

promotesmetasearch .net promotes malware
From the WeAreSpammers blog: http://wearespammers.../launch-of.html

- http://blog.dynamoo....es-malware.html
14 Nov 2012 - "This looks like a fake get-rich-quick scam email which is actually intended to distribute malware. Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer .com on 5.39.101.225 (OVH, Germany) and promotesmetasearch .net on 46.249.38.27 (Serverius Holding, Netherlands). This last one is kind of interesting, because a) it's all in French and b) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull .chickenkiller .com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.
The WHOIS details show a completely different name and address from the one quoted on the email:
Florence Buker
florence_buker05 @rockfan .com
7043 W Avenue A4
93536 Lancaster
United States
Tel: +1.4219588211
Clearly the owner of promotemetasearch .net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.
From: Anthony Tomei admin @8 mailer .com
Reply-To: info @ promotesmetasearch .net
To: donotemail @ wearespammers .com
Date: 14 November 2012 18:22
Subject: launch of
Dear Future Millionaire,
Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.
The first way is to...


Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques... You should probably regard the domain chickenkiller .com as compromised and block it. Additionally, all the following IPs and domains are related and a probably malicious.
46.249.38.21
46.249.78.23
46.249.38.27

deficiencieshiss .net
personaloverly .net
spaceyourfilesbig.chickenkiller .com
vodkkaredbuuull.chickenkiller .com
firefoxslacker .pro
personaloverly .net
wowteammy113 .org
logicalforced .org
flashkeyed .org
incidentindie .org
sufficeextensible .org
laughspadstyle .org
check-update .org
softtwareupdate .org
internallycontentchecking .org
cordlesssandboxing .org
westsearch .org
perclickbank .org
trayscoffeecup .org
agreedovetails .org
commencemessengers .org
dfgs453t .org
disappointmentcontent .org
whiskeyhdx .org
uhgng43fgjl82309dfg99df1 .com
rethnds732 .com
odiushb327 .com
a6q7 .com
makosl .com
noticablyccleaner .com
leisurelyadventures .com
invitedns .com
srv50 .in
flacleaderboard.in
frwdlink .in
tgy56fd3fj.firm .in
warrantynetwork .co .in
kclicksnet .in
reelshandsoff .info
scatteredavtestorg .info
ap34 .pro
trafficgid .pro
stop2crimepeople .pro
huge4floorhouse .pro
exportlite .pro
weeembedding .pro
layer-grosshandel .pro
firefoxslacker .pro
s1topcrimefor .pro
opera-soft .pro
brauser-soft .pro
mp3soft .pro
pornokuca .net
licencesoftwareupda .net
settlementstored .net
licencesoftwareuppd .net
compartmentalizationwere .net
seniorhog .net
coinbatches .net
isnbreathy .net
mrautorun .ru
askedvisor .ru
srv50b .biz
vimeosseeing .biz
threatwalkthrough .biz
promotemetasearch .net ..."

:grrr: :ph34r:

Edited by AplusWebMaster, 14 November 2012 - 07:10 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#809 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 15 November 2012 - 06:58 AM

FYI...

Opera site served Blackhole malvertising...
- http://www.theregist...pera_blackhole/
15 Nov 2012 - "Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm's home page. Malicious scripts loaded by portal .opera .com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said a Romanian anti-virus firm BitDefender*, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted..."
* http://www.hotforsec...epage-4431.html
14 Nov 2012 - "... malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP..."
> http://www.hotforsec...Homepage-21.jpg

- http://www.h-online....iew=zoom;zoom=3
16 Nov 2012
___

Bogus BBB emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Nov 15, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
2012-10-16 00:24:08 – hxxp ://navisiteseparation .net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp ://editdvsyourself .net/detects/beeweek_status-check.php
Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire .net
hotsecrete .net - Email: counseling1 @ yahoo .com
the-mesgate .net - also responds to 208.91.197.54 – Email: admin @ newvcorp .com
Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM - 29.217.45.138 – Email: windowclouse @ hotmail .com ..."
___

Changelog SPAM / feronialopam .ru
- http://blog.dynamoo....nialopamru.html
15 Nov 2012 - "This fake "Changelog" spam leads to malware on feronialopam .ru:
Date: Thu, 15 Nov 2012 10:43:59 +0300
From: "Xanga" [noreply@xanga.com]
Subject: Re: Changelog 2011 update
Attachments: changelog-12.htm
Hello,
as promised chnglog attached (Internet Explorer File)
==========
Date: Thu, 15 Nov 2012 05:43:09 -0500
From: Chaz Shea via LinkedIn [member@linkedin.com]
Subject: Re: Changelog as promised(updated)
Attachments: Changelog-12.htm
Hello,
as prmised changelog is attached (Internet Explorer File)


The malicious payload is at [donotclick]feronialopam .ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:
120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."

:grrr: :ph34r:

Edited by AplusWebMaster, 16 November 2012 - 09:54 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#810 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 16 November 2012 - 06:34 AM

FYI...

Malware sites to block- 16/11/12
- http://blog.dynamoo....ock-161112.html
16 Nov 2012 - "Some more evil domains and IPs, connected with this spam run*. (Thanks, GFI)
* http://gfisoftware.t...ant-system-spam
chelseafun .net
cosmic-calls .net
dirtysludz .com
fixedmib .net
packleadingjacket .org
performingandroidtoios .info
65.131.100.90
75.127.15.39
82.145.36.69
108.171.243.172
218.102.23.220
..."
___

Bogus eFax Corporate messages serve multiple malware variants
- http://blog.webroot....lware-variants/
Nov 16, 2012 - "... mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e * ... Trojan-PSW.Win32.Tepfer.blbl
Upon execution, it attempts to connect to the following domains:
192.5.5.241
ser.foryourcatonly .com
ser.luckypetspetsitting .com
dechotheband .gr
barisdogalurunler .com
alpertarimurunleri .com
oneglobalexchange .com
rumanas .org
www.10130138 .wavelearn.de
visiosofttechnologies .com
sgisolution.com .br
plusloinart .be
marengoit .pl
It then downloads additional malicious payload...
Phone back URL:
hxxp ://oftechnologies.co .in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 ** – Email: melody_mccarroll38 @ indyracers .com
Name Server:NS1.INVITEDNS .COM
Name Server:NS2.INVITEDNS .COM
The following malicious domain responds to the same IP: updateswindowspc .net
The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1352078183/
File name: eFAX.CORPORATE.exe
Detection ratio: 37/43
Analysis date: 2012-11-05

** https://www.google.c...c?site=AS:48434
Diagnostic page for AS48434 (TEBYAN) - "Of the 1723 site(s) we tested on this network over the past 90 days, 86 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-16, and the last time suspicious content was found was on 2012-11-16... Over the past 90 days, we found 2 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 5 site(s)... that infected 6 other site(s)..."

:grrr: :ph34r:

Edited by AplusWebMaster, 16 November 2012 - 09:38 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#811 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 17 November 2012 - 02:35 PM

FYI...

Fake J. dee Edwards / jdeeedwards .com scam
- http://blog.dynamoo....dscom-scam.html
17 Nov 2012 - "I'm not even certain what this scam is, but this is certainly not legitimate:
From: J. dee Edwards j.edwards @ jdeeedwards .com
Reply-To: j.edwards @ jdeeedwards .com
Date: 17 November 2012 16:29
Subject: Edwards contact
Dear Colleague,
We are working with healthcare market companies which would like to hear your opinion.
We would like you to become a member of working group and share your opinion online. Please review your full name, specialty, country and language by clicking on the link http ://www .jdeeedwards .com/contact.php?e=[redacted] or replying to the email.
Thank you for your time.
J. dee Edwards HRms
j.edwards @ jdeeedwards .com
http ://www .jdeeedwards .com
To ensure that our emails reach you, please remember to add j.edwards @ jdeeedwards .com to your email address book.
We would like to remind you that J. dee Edwards is committed to safeguarding your privacy and your personal details will not be disclosed to third parties.
If you do not wish to receive please visit: http ://jdeeedwards .com/ unsub.php?e=[redacted]
Copyright 2012 - J. dee Edwards - 20 Broadwick Street London, UK


Firstly, the email is sent to an address that ONLY spammers use, which is not a good sign. Secondly, the domain jdeeedwards .com has anonymous WHOIS details and was registered just over a month ago - the site is hosted on 54.247.87.188 (Amazon, Ireland) and looks like this:
> https://lh3.ggpht.co...jdeeedwards.png
... there used to be a company called JD Edwards, but there isn't any more**, nor is there a company called J. dee Edwards anywhere in the UK. The link in the email is some sort of signup thing, I guess it's the first part of a scam to recruit people for some sort of illegal activity.
> https://lh3.ggpht.co...deeedwards2.png
Oddly, the email address is an "optional" component, so how are they going to contact you? Maybe it's the tracking code in the link. Alternatively, you can reply by email and this is the third suspect thing, the mailserver is on 85.206.51.81 in Lithunia (AS8764 / LIETUVOS-TELEKOMAS). AS8764* is a pretty scummy netblock according to Google*. 85.206.51.81 is also the IP address the spam was sent from. So, a non-existent company with a month-old domain sends an email to an address only spammers use, from an email server in a dodgy part of cyberspace. Whatever this is, it is some sort of scam and is definitely best avoided."
* http://www.google.co...ic?site=AS:8764

** https://en.wikipedia...wiki/JD_Edwards
"... JD Edwards, abbreviated JDE, -was- an Enterprise Resource Planning (ERP) software company..."

:grrr: :ph34r:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#812 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 19 November 2012 - 07:06 AM

FYI...

Fake IRS "W-1" SPAM / 5.chinottoneri .com
- http://blog.dynamoo....ttonericom.html
19 Nov 2012 - "This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form of some sort from the US Internal Revenue Service.
From: Administrator [mailto:administrator @ victimdomain .com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE
To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https ://local .victimdomain .com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https ://hr.victimdomain .com/update.aspx?id=[redacted].
Administrator,
http ://victimdomain .com


In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri .com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low*. I suspect that there are many other malicious sites on this IP, blocking it would be wise."
* https://www.virustot...sis/1353338928/
File name: exploit.htm
Detection ratio: 3/43
Analysis date: 2012-11-19
___

Bogus IRS emails lead to malware
- http://blog.webroot....ead-to-malware/
Nov 19, 2012 - "In March 2012, we intercepted an IRS themed malicious campaign that was serving client-side exploits to prospective users in an attempt to drop malware on the affected hosts. This week, we intercepted three consecutive campaigns using the exact same email template used in the March campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....eal_malware.png
Unlike March 2012's campaign that used client-side exploits in an attempt to drop malware on the affected host, the last three campaigns have relied on malicious archives attached to spamvertised emails. Each has a unique MD5 and phones back to a different (compromised) command and control server.
The first sample: MD5: f56026fcc9ac2daad210da82d92f57a3 * ... Worm:Win32/Cridex.E phones back to 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan).
We also have another: MD5: 532bdd2565cae7b84cb26e4cf02f42a0 ** Worm:Win32/Cridex.E that is known to have phoned back to the same IP, 128.2.172.202 :8080/37ugtbaaaaa/enmtzaaaaa/pxos/
The following MD5s are also known to have phoned back to this very same IP:
MD5: a5c8fb478ff7788609863b83079718ec ... Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb ... Trojan.Win32.Bublik.swr
The third sample used in the IRS themed campaign: MD5: 32b4227ae379f98c1581f5cb2b184412 *** ... Worm:Win32/Cridex.E phones back to 202.143.189.180 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS23974, Ministry of education, Thailand)..."
* https://www.virustot...sis/1352985385/
File name: IRS_Letter.exe
Detection ratio: 36/44
Analysis date: 2012-11-15
** https://www.virustot...sis/1352985520/
File name: IRS_Rejected.exe
Detection ratio: 35/44
Analysis date: 2012-11-15
*** https://www.virustot...sis/1352985751/
File name: IRS-AppID.exe
Detection ratio: 36/44
Analysis date: 2012-11-15
___

Fake "Southwest Airlines" SPAM / headerandfooterprebuilt .pro
- http://blog.dynamoo....lines-spam.html
19 Nov 2012 - "This fake Southwest Airlines spam leads to malware at headerandfooterprebuilt .pro:
Date: Mon, 19 Nov 2012 19:33:04 +0000
From: "Southwest Airlines" [no-reply @luv .southwest .com]
To: [redacted]
Subject: Southwest Airlines Confirmation: 5927NI
[redacted] 2012-11-19 86KY9Z INITIAL SLC WN PHX0.00T/TFF 0.00 END AY3.50$SLC2.50 1445164773311 2013-11-22 1655 2012-11-20 Depart SAN LEONARD CITY UT (SLC) at 8:08 PM on Southwest Airlines Arrive in PHOENIX AZ (PHX) at 9:02 PM
You're all set for your traveling!
My Account | Review My Itinerary Online
Check Up Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals
Ready for lift-off!
Thanks Southwest for your travel! You can find everything you need to know about your booking below. Happy voyage!
Upcoming Cruise: 11/20/12 - SLC - Phx Knight


The malicious payload is at [donotclick]headerandfooterprebuilt .pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address, I just can't see them yet.. blocking it would be a good precaution."
___

Fake "End of Aug. Statement Reqiured" SPAM / bamanaco .ru
- http://blog.dynamoo....iured-spam.html
19 Nov 2012 - "This spam leads to malware on bamanaco .ru:
Date: Mon, 19 Nov 2012 03:55:08 -0500
From: ups [admin@ups.com]
Subject: Re: FW: End of Aug. Statement Reqiured << sp?
Attachments: Invoices-1119-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per oct. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards


The malicious payload is at [donotclick]bamanaco .ru:8080/forum/links/column.php hosted on the following IPs:
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
These IPs have been used to deliver malware several times recently, you should block access to them if you can."
___

Rolex SPAM rolls out in time for Black Friday
- http://www.gfi.com/b...r-black-friday/
Nov 19, 2012 - "... no surprise that online shenanigans abound when big holidays and major events are just around the corner. What remains to be seen are the forms of these shenanigans we ought to expect to see online and in our inboxes. This Thanksgiving and Black Friday week, cyber criminals did not disappoint. We found this particular email spam in user inboxes these last few days:
> http://www.gfi.com/b...ail-231x300.png
From: Designer Watches by LR (could be random, too)
To: {random}
Subject: Start Black Friday today
Message body:
BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD!
The best quality watch replicas on PLANET EARTH!
The lowest priced high-end watches on the PLANET!
www(dot)LRblackfridaytoday(dot)com
BLACK FRIDAY HAS STARTED!
Black Friday every day until November 23!
All items reduced by 25-50% as of TODAY.
Over 25,000 exact watch-copies have been reduced until Friday November 23rd.
There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible.
This will ensure INSTOCK availability and fast delivery.
NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY!
Currently every watch model is INSTOCK and ready to ship within 1 hour.
THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS:
These are hand crafted high-end watch-copies.
These are made using identical parts and materials.
These are tested inside and out to be identical.
There is no difference between our watch-copies and the originals!
www(dot)LRblackfridaytoday(dot)com


Clicking either the image or the URLs on the email body leads users to the LRblackfridaytoday domain, which looks like this:
> http://www.gfi.com/b...ica-300x274.png
The domain resolves to an IP in the Czech Republic that does not only have a bad reputation but also uses a network that Google* warned us about. Our friends at Symantec** have also mentioned several variants of this spam mail (and published other Black Friday-related threats) that you might want to check out, too. Fake Rolex replica spammers, like fake pharma scammers, promise little luxuries but often never deliver. Giving out your credit card information to spammed sites is a sure way of putting yourself in potential debt with no “luxury replica item” in return..."
* http://www.google.co...ic?site=AS:6830

** http://www.symantec....-spammers-radar
___

More here (also links to Screenshots):
- http://www.gfi.com/b...for-the-week-3/
Nov 19, 2012

:grrr: :ph34r:

Edited by AplusWebMaster, 19 November 2012 - 04:20 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#813 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 20 November 2012 - 08:02 AM

FYI...

Malware sites to block 20/11/12
- http://blog.dynamoo....ock-201112.html
20 Nov 2012 - "This huge pile of malware sites and IPs is connected with these malicious emails being distributed in the Netherlands. All the sites are interconnected through their black hat infrastructure and are either being used for malware distribution or some other evil activity:
5.39.8.105 (OVH, Ireland)
46.249.38.27 (Hotkey, Russia)
62.109.31.36 (TheFirst, Russia)
64.79.64.170 (XLHost, US)
78.46.198.143 (GPI Holding,US)
78.110.61.186 (Hosting Telesystems, Russia)
91.220.35.42 (Zamahost, Russia)
91.220.35.74 (Zamahost, Russia)
91.231.156.55 (Sevzapkanat-Unimars, Russia)
93.174.90.81 (Ecatel, Netherlands)
95.211.9.46 (Leaseweb, Netherlands)
95.211.9.55 (Leaseweb, Netherlands)
149.154.67.103 (TheFirst, Russia)
176.9.179.170 (Siteko, Russia)
178.63.226.203 (Avist, Russia)
178.63.247.189 (GPI Holding,US)
178.162.134.205 (AlfaInternet, Russia)
184.82.101.52 (HostNOC, US)
193.161.86.43 (Host-Telecom, Czech Republic)
194.62.233.19 (Stils-Grupp, Russia)
198.23.139.199 (Chicago VPS, US)
208.88.226.231 (WZ Communications, US)
If you want to block those Russian hosts more widely, perhaps use the following list:
46.249.38.0/24
62.109.28.0/22
64.79.64.170
78.46.198.136/29
78.110.61.186
91.220.35.0/24
91.231.156.0/24
93.174.90.81
95.211.9.46
95.211.9.55
149.154.66.0/23
176.9.179.128/26
178.63.226.192/26
178.63.247.128/26
178.162.134.192/26
184.82.101.52
193.161.86.43
194.62.233.0/24
198.23.139.199
...
(More detail at the dynamoo URL above.)
___

Fake "Don't forget about meeting tomorrow" SPAM / hamasutra .ru
- http://blog.dynamoo....orrow-spam.html
20 Nov 2012 - "This spam leads to malware on hamasutra .ru:
From: Lula Stevens [... JolieWright @ shaw .ca]
Sent: 20 November 2012 05:57
Subject: Don't forget about meeting tomorrow
Don't forget this report for meeting tomorrow.
See attached file. (Internet Explorer file)


In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66

___

Fake ‘Copies of Missing EPLI Policies’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 20, 2012 - "Attempting to achieve a higher click-through rate for their exploits and malware serving malicious campaign, cybercriminals are currently spamvertising millions of emails attempting to trick users into thinking they’ve become part of a private conversation about missing EPLI policies (Employment practices liability). In reality, clicking on any of the links in the oddly formulated email will expose them to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Sample client-side exploits serving URL: hxxp ://monacofrm.ru :8080/forum/links/column.php
Malicious domain name reconnaissance:
monacofrm .ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 216.24.194.66, AS40676
Name server: ns1.monacofrm .ru – 62.76.178.233
Name server: ns2.monacofrm .ru – 41.168.5.140
Name server: ns3.monacofrm .ru – 132.248.49.112
Name server: ns4.monacofrm .ru – 209.51.221.247 ...
We also know is that on 2012-11-12 10:58:07, the following client-side exploits serving domain was also responding to the same IP (202.180.221.186) - hxxp ://canadianpanakota .ru:8080/forum/links/column.php. Upon successful client-side exploitation, this URL dropped MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E.
We’re also aware of two more client-side exploits serving domains responding to the same IP (202.180.221.186) on 2012-11-15 19:49:33 – hxxp ://investomanio .ru/forum/links/public_version.php, and on the 2012-11-15 04:40:06 – hxxp ://veneziolo .ru/forum/links/column.php...
* https://www.virustot...1eb2b/analysis/
File name: contacts.exe.x-msdownload
Detection ratio: 33/44
Analysis date: 2012-11-13
(More detail at the webroot URL above.)

:grrr: :grrr: :ph34r:

Edited by AplusWebMaster, 20 November 2012 - 08:10 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#814 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 20 November 2012 - 06:04 PM

FYI...

Linux Rootkit doing iFrame Injections
- https://www.secureli...rame_Injections
Nov 19, 2012 - "... an interesting piece of Linux malware came up on the Full Disclosure mailing-list*... not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario... The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy. The binary is more than 500k, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information). Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet. The malware ensures its startup by adding an entry to the /etc/rc.local script... Then it extracts the memory addresses of several kernel functions and variables and stores them in the memory for the later use... the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets... In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication... the malicious server is still active and it hosts other *NIX based tools, such as log cleaners... So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future. An excellent, detailed analysis of this rootkit was recently posted on CrowdStrike blog**."
* http://seclists.org/...ure/2012/Nov/94

** http://blog.crowdstr...ux-rootkit.html
___

- http://h-online.com/-1753969
21 Nov 2012
___

- http://atlas.arbor.n...ndex#2007317889
64-bit Linux Rootkit Doing iFrame Injections
Nov 20, 2012
New development on a Linux-based rootkit shows increased attention from cybercriminals.
Analysis: It's been a while since public linux rootkit activity has raised much attention. This particular rootkit is poorly designed however is/was effective at delivering malicious links to website visitors, it's primary goal. Several write-ups on the threat exist, including a post to the Full-Disclosure list, the Kapsersky blog and the CrowdStrike blog to provide plenty of analysis material to help admins detect this threat. Arbor is interested to hear if any customers have found this threat on their hosting platforms.
Source: http://www.securelis...rame_Injections

:ph34r: :grrr: :ph34r:

Edited by AplusWebMaster, 22 November 2012 - 05:28 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#815 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 21 November 2012 - 08:52 AM

FYI...

Bogus ‘MS License Orders’ serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Nov 21, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating Microsoft Corporation in an attempt to trick users into clicking on a link in a -bogus- ‘License Order” confirmation email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Sample client-side exploit served: CVE-2010-0188
Malicious domain name reconnaissance:
fidelocastroo .ru – 209.51.221.247; 203.80.16.81
Name server: ns1.fidelocastroo .ru – 85.143.166.170
Name server: ns2.fidelocastroo .ru – 132.248.49.112
Name server: ns3.fidelocastroo .ru – 84.22.100.108
Name server: ns4.fidelocastroo .ru – 213.251.171.30 ...
(Full detail available at the webroot URL above.)
___

5.estasiatica .com / 66.228.57.248
- http://blog.dynamoo....6622857248.html
20 Nov 2012 - "It looks like another variant of this* malicious spam run could be brewing on 5.estasiatica .com / 66.228.57.248 (Linode, US). A bit of pre-emptive blocking might be in order..."
* http://blog.dynamoo....ttonericom.html

:grrr: :ph34r:

Edited by AplusWebMaster, 21 November 2012 - 09:18 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#816 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 22 November 2012 - 06:06 AM

FYI...

Fake ‘Payroll Account Cancelled by Intuit’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Nov 22, 2012 - "Cybercriminals have resumed spamvertising the Intuit Direct Deposit Service Informer themed malicious emails, which we intercepted and profiled earlier this month. While using an identical email template, the cybercriminals behind the campaign have introduced new client-side exploits serving domains, which ultimately lead to the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog...._malware_01.png
... Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
cosmic-calls .net – 108.171.243.172, AS40676 – Email: samyidea @aol .com, used to respond to 75.127.15.39
108.171.243.172 also resolves to lanthaps .com (used to respond to 199.167.31.121) – Email: A1kmmm @ gmail .com
Name Server: NS1.CHELSEAFUN .NET
Name Server: NS2.CHELSEAFUN .NET
... Upon successful client-side exploitation, the campaign drops MD5: 896bae2880071c3a63d659a157d5c16f * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to hxxp ://203.172.238.18 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (AS23974, Ministry of Education, Thailand). The following domain has also responded to this IP in the past: phnomrung .com (Name server: ns1 .banbu.ac .th – currently responding to 208.91.197.101)...
(More detail at the webroot URL above.)
* https://www.virustot...4871a/analysis/
File name: 896bae2880071c3a63d659a157d
Detection ratio: 33/44
Analysis date: 2012-11-17
___

Malware sites to block 22/11/12
- http://blog.dynamoo....ock-221112.html
22 Nov 2012 - "This is part of a cluster of malware sites being promoted through finance related spam, spotted by GFI Labs here* and on this blog here**.
* http://gfisoftware.t...re-message-spam
** http://blog.dynamoo....ttonericom.html
50.61.155.86 (Fortress ITX,US)
69.194.196.5 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
173.246.103.112 (Gandi, US)
192.155.83.186 (Linode, US)
192.155.83.191 (Linode, US)
198.74.53.207 (Linode, US)
Plain list of IPs and domains for copy-and-pasting:
5.estasiatica .com
5.chinottoneri .com
6.grapainterfood .com
6.grapaimport .com
6.grapafood .com
6.pascesoir .net
50.61.155.86
69.194.196.5
70.42.74.152
173.246.103.112
192.155.83.186
192.155.83.191
198.74.53.207
..."
___

Facebook SPAM / ceredinopl .ru
- http://blog.dynamoo....redinoplru.html
22 Nov 2012 - "This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl .ru:
Date: Thu, 22 Nov 2012 01:30:38 -0700
From: Habbo Hotel [auto-contact @ habbo .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
REFUGIA MERRILL has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]ceredinopl .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)
The following IPs and domains are all connected:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66

ceredinopl .ru
investinindia .ru
hamasutra .ru
feronialopam .ru
monacofrm .ru
bamanaco .ru
ionalio .ru
investomanio .ru
veneziolo .ru
fanatiaono .ru
analunakis .ru ..."

:grrr: :ph34r:

Edited by AplusWebMaster, 22 November 2012 - 12:40 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#817 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 23 November 2012 - 07:43 AM

FYI...

Malware sites to block 23/11/12
- http://blog.dynamoo....ock-231112.html
23 November 2012 - "This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one*). The payload is apparently "Ponyloader".
* http://blog.dynamoo....ttonericom.html
The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them...
Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118
..."
(More detail at the dynamoo URL above.)
___

Malware sites to (block) 23/11/12 - Part 2
- http://blog.dynamoo....112-part-2.html
23 November 2012 - "Some more bad domains, closely related to this malicious spam run, spotted at the GFI blog*, hosted on 192.155.83.191 (Linode, US)
* http://gfisoftware.t...re-message-spam
192.155.83.191
5.estasiatica .com
5.finesettimana .com
5.italycook .com
5.hdsfm .com
5.eventiduepuntozero .com
5.finesettimana .net ..."
___

An Overview of Exploit Packs (kits)...
- http://contagiodump....cks-update.html
"... Updates/new entries for 13 packs have been added (see exploit listing)..."
CVE's also listed.
____

Bogus Tsunami Warning leads to Arcom RAT
- http://blog.trendmic...s-to-arcom-rat/
Nov 23, 2012 - "... the website “Hoax Slayer”* pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve...
> http://blog.trendmic...ontent_spam.jpg
The “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI in a ZIP archive. In actual, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif is a malicious file which Trend Micro detects as BKDR_DOKSTORMC.A... It remains unclear who is behind the attack and what the motivation may be...
The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00... There are also free cracked versions available for download from a variety of sources. Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT..."
* http://www.hoax-slay...g-malware.shtml
Nov 19, 2012
___

Bogus Prize Offers on Facebook - 'Like and Share To Win'
- http://www.hoax-slay...share-win.shtml
Nov 22, 2012 - "Outline: Various messages distributed on Facebook claim that users can win expensive prizes such as Apple products or designer headphones just by liking and sharing a Facebook Page.
Analysis: A great many of these supposed prize offers are totally bogus. The "promotions" are created primarily to artificially inflate the number of "likes" gained by the offending Facebook Page and to promote the page further by way of shared posts and images. Those who participate will -never- receive the promised prize. In some cases, the perpetrators of these fake promotions may also try to trick people into divulging their personal information... don't give these unscrupulous people what they want! Don't "like" their bogus Pages. Don't be tricked into spamming your friends with their fake promotions by sharing their pictures. Do not send your personal information to these people in the vain hope of winning a prize. Before entering any type of promotion or prize draw always take a closer look. If it seems suspect or dodgy, give it a miss."
___

Some evil on 5.135.192.16/30
- http://blog.dynamoo....1351921630.html
23 Nov 2012 - "It looks like there are a set of exploit sites in the range 5.135.192.16/30 serving up TrueType exploits (such as CVE-2011-3402) which is being pushed by a malicious URL at [donotclick]mwko.zsomteltepngs .info/40c0dee71a9b9d715539b7d56c3d5f23.eot . The potentially malicious sites in this range include:
10bloodek.info
1bloodek .info
5helnima .net
anotepad .info
asomteltepngs .info
jhqp.bcodec .info
ksmuaelteory .net
mwko.zsomteltepngs .info
osmuaelteory .net
psmuaelteory .net
qfgc.hlegolaj .net
qsomteltepngs .info
rsomelostell .net
shelnima .net
whelnima .net
xsomteltepngs .info
ysomteltepngs .info
zbav.hsomteltepngs .info
If you're interesting in blocking whole domains rather than subdomains then here's a list you can use:
10bloodek .info
1bloodek .info
5helnima .net
anotepad .info
asomteltepngs .info
bcodec .info
hlegolaj .net
hsomteltepngs .info
ksmuaelteory.net
osmuaelteory .net
psmuaelteory .net
qsomteltepngs .info
rsomelostell .net
shelnima .net
whelnima .net
xsomteltepngs .info
ysomteltepngs .info
zsomteltepngs .info ..."

> https://www.google.c...c?site=AS:16276
"... over the past 90 days, 5626 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-24, and the last time suspicious content was found was on 2012-11-24... we found 856 site(s) on this network... that appeared to function as intermediaries for the infection of 6279 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1369 site(s)... that infected 21258 other site(s)..."
___

Fake "Changlog 10.2011" SPAM / efaxinok .ru
- http://blog.dynamoo....efaxinokru.html
23 Nov 2012 - "This spam leads to malware on efaxinok .ru:
Date: Fri, 23 Nov 2012 10:14:22 +0600
From: "Contact" [customer-notification @ ups .com]
Subject: Re: Changlog 10.2011
Attachments: changelog-212.htm
Good morning,
as promised changelog (Internet Explorer File)


The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66

These are the same IPs as used in this attack yesterday*, and it forms part of a long-running malcious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster of delemiator .ru which I haven't seen yet being used in a malicious spam run, but it probably will be.
* http://blog.dynamoo....redinoplru.html
___

Fake FDIC ‘Your activity is discontinued’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Nov 23, 2012 - "A currently ongoing spam campaign attempts to trick users into thinking that their ability to send Domestic Wire Transfers has been disabled. Impersonating the Federal Deposit Insurance Corporation (FDIC), the cybercriminals behind the campaign are potentially earning thousands of dollars in the process of monetizing the anticipated traffic. Once users click on the bogus ‘secure download link’, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
stifferreminders .pro – 198.27.94.80 (AS16276) – Email: kee_mckibben0869 @ macfreak .com
Name Server:NS1.CHELSEAFUN .NET
Name Server:NS2.CHELSEAFUN .NET
These are well known name servers currently in use by the same cybercriminals that launched the following malicious campaigns – “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“; “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit“; “‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit“; “Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware“.
The following malicious domains also respond to the same IP:
headerandfooterprebuilt .pro
fixedmib .net
stafffire .net ...
Upon successful client-side exploitation, the campaign drops MD5: 61bc6ad497c97c44b30dd4e5b3b02132 * ... UDS:DangerousObject.Multi.Generic.
Once executed, the sample phones back to hxxp ://182.237.17.180 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/.."
* https://www.virustot...ffa98/analysis/
File name: test45286142972065.bin
Detection ratio: 2/43
Analysis date: 2012-11-21

:grrr: :grrr:

Edited by AplusWebMaster, 24 November 2012 - 08:24 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#818 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 26 November 2012 - 09:21 PM

FYI...

Phishing SCAM asks for TAN list photo
- http://h-online.com/-1757018
26 Nov 2012 - "A new phishing email circulating in Germany is asking customers of the country's largest banking establishment, Deutsche Bank, to upload photographs or scans of their bank-issued TAN (Transaction Authentication Number) list to a maliciously fabricated web site. TANs are used by many banks in Germany to authenticate transactions during online banking sessions. The customer receives a printed list of TANs, essentially one-time passwords, via mail and has to use a randomly selected number from the list each time they want to send money or approve other transactions. The phishing email directs users to a deceptive web page where the scammers claim that the upload of the TAN list is needed as Deutsche Bank supposedly changes their iTAN technology for a mobile TAN (mTAN) system on 1 January 2013... The short time frame is apparently designed to increase the pressure on the victims of the phishing emails. The H's associates at heise online received copies of similar emails that were apparently asking for the information to be uploaded by the next day or the customer's account would be disabled... The web sites are a professional reproduction of Deutsche Bank's actual online banking interface..."
___

- https://isc.sans.edu...l?storyid=14578
Last Updated: 2012-11-27

>> http://www.antiphish...s/apwg-reports/

:ph34r: :ph34r:

Edited by AplusWebMaster, 27 November 2012 - 09:35 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#819 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 27 November 2012 - 08:30 AM

FYI...

Bogus Facebook ‘pending notifications’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
27 Nov 2012 - "A recently launched malicious spam campaign is impersonating Facebook, Inc. in an attempt to trick its one billion users into thinking that they’ve received a notification alerting them on activities they may have missed on Facebook. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....ts_malware1.png
... Malicious payload serving URL: hxxp ://ceredinopl .ru:8080/forum/links/column.php?cfcjm=xbc229&fnhcuc=njx&svdp=2v:1k:1m:32:33:1k:1k:31:1j:1o&xdva=
Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
ceredinopl .ru – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)...
Upon successful client-side exploitation the campaign drops MD5: 9db13467c50ef248eaf6c796dffdd19c * ...PWS-Zbot.gen.aqw.
Responding to the same IPs – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)...
If users feel they received a bogus email that may not be coming from Facebook, they can alert Facebook by forwarding the message to phish@fb.com . In addition, users can check to see if their account has been compromised by visiting https://www.facebook.com/hacked ..."
(More detail at the webroot URL above.)
* https://www.virustot...1290d/analysis/
File name: 413823066bcca9a7b298015fcba37b74a94d1950
Detection ratio: 28/43
Analysis date: 2012-11-25
___

Fake Browser Updates - Malicious Ads...
- http://blog.trendmic...rowser-updates/
Nov 26, 2012 - "Thinking of updating your web browsers? Just make sure that you download from legitimate sources, instead of downloading malware disguised as browser updates onto your system. Just recently, we were alerted to a report* of several websites offering updates for Internet browsers like Firefox, Chrome, and Internet Explorer just to name some. Users may encounter these pages by clicking malicious ads. The bad guys behind this threat made an effort to make this ruse appear legitimate. These pages, as seen below, were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offers an integrated antivirus protection:
> http://blog.trendmic...te_browsers.gif
Instead of an update, users download a malware detected asJS_DLOADR.AET, which was found capable of changing the downloaded binary to have a different payload. The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saved it as hxxp ://{BLOCKED}browserupdate/install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to hxxp ://{BLOCKED}rtpage .com, a site that may host other malicious files that can further infect a user’s system... To avoid this ruse, users must exclusively download updates from a legitimate source or the software vendor’s official websites. Many browsers also include an integrated auto-update feature..."
* http://stopmalvertis...th-malware.html
securebrowserupdate .com = malvertisement...
23 Nov 2012 - "... Internet users are told that their current browser version is out of date and they are invited to install the latest update. Victims are redirected to securebrowserupdate .com via a malvertisement. The domain securebrowserupdate .com has been registered on the 16th November 2012 via name .com. The registrant details are protected by a privacy service..."
___

Bogus ‘Pay by Phone Parking Receipts’ serve malware
- http://blog.webroot....-serve-malware/
Nov 27, 2012 - "U.K users, beware! Cybercriminals are currently mass mailing yet another malicious spam campaign, enticing users into viewing a -bogus- list of parking transactions. Upon executing the malicious attachment, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
Sample detection rate for the malicious attachment: MD5: fbde5bcb8e3521149d2f83888e1716c4 * ... Worm:Win32/Gamarue.I**
* https://www.virustot...sis/1353772427/
File name: Pay_by_Phone_Parking_Receipt.pdf.exe
Detection ratio: 38/44
Analysis date: 2012-11-24

** https://www.microsof...Win32/Gamarue.I
___

Fake Multiple ‘Inter-company’ invoice emails serve malware and client-side exploits
- http://blog.webroot....-side-exploits/
27 Nov 2012 - "... cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
controlleramo .ru
Name server: ns1.controlleramo .ru – 62.76.186.190
Name server: ns2.controlleramo .ru – 132.248.49.112
Name server: ns3.controlleramo .ru – 84.22.100.108
Name server: ns4.controlleramo .ru – 65.99.223.24 ...
Upon successful client-side exploitation the campaign drops MD5: de48416449621ecd62b116cc41aa5bcc * ... Worm:Win32/Cridex.E...
The second sample obtained from yet another spamvertised archive with MD5: 3a8ce3d72b60b105783d74dbc65c37a6 ** ... Worm:Win32/Cridex.E. Upon execution it phones back to the following URL: 188.40.0.138 :8080/AJtw/UCyqrDAA/Ud+asDAA (AS24940, HETZNER-AS)..."
* https://www.virustot...bbf6a/analysis/
File name: de48416449621ecd62b116cc41aa5bcc
Detection ratio: 30/44
Analysis date: 2012-11-11
** https://www.virustot...sis/1353769289/
File name: Invoices_12_N88283.exe
Detection ratio: 37/44
Analysis date: 2012-11-24
___

"Copies of Policies" spam / ganiopatia .ru
- http://blog.dynamoo....niopatiaru.html
27 Nov 2012 - "This spam leads to malware on ganiopatia .ru:
Date: Mon, 26 Nov 2012 02:31:10 -0500
From: sales1 @ victimdomain .com
Subject: RE: ALINA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ALINA Prater,
==========
Date: Mon, 26 Nov 2012 02:26:33 +0300
From: ALISHIADBSukwQEf @aol .com
Subject: RE: ALISHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ALISHIA Gee,
==========
From: accounting @ victimdomain .com
Sent: 26 November 2012 08:42
Subject: RE: MARCELLE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARCELLE SPENCE,
==========
From: accounting @ victimdomain .com
Sent: 26 November 2012 07:54
Subject: RE: KASSIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KASSIE ROMANO,


The malicious payload is at [donotclick]ganiopatia .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
Note that ganalionomka .ru is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times, blocking access to them would be a good idea."
___

BeyondTek IT / beyondtekit .com SPAM
- http://blog.dynamoo....ond-tek-it.html
27 Nov 2012 - "Here's an annoying spammer.. but who are they exactly?
From: Nick Snow ---- BeyondTekIT Nick @ beyondtekit .com
Date: 27 November 2012 10:24
Subject: Your IT Jobs - HR
Hello:
The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.
That being said please let me know if you currently have any hard-to-fill IT positions at that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.
We have candidates available across all technologies and skill-sets, including (this is only a partial list):
Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
Systems Analysts / Business Analysts
QA Engineers/Analysts/Testers
DBA's - SQL Server, Oracle, MySQL, etc
SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
Project Managers
Systems Administrators - Linux, Window, etc
Executive - CIO, CTO, VP of IT, etc
PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.
Thank you.
Nick Snow
BeyondTek IT
Tel: 714-572-1544
nick @ beyondtekit .com
www .BeyondTekIT .com


The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit .com and beyondtechit .com domains...
I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam)..."

:grrr: :ph34r: :ph34r:

Edited by AplusWebMaster, 27 November 2012 - 03:31 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#820 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 27 November 2012 - 07:57 PM

FYI...

Wire transfer SPAM / gurmanikia .ru
- http://blog.dynamoo....rmanikiaru.html
27 Nov 2012 - "This fake wire transfer spam leads to malware on gurmanikia.ru:
Date: Tue, 27 Nov 2012 01:14:15 -0500
From: Emerita Ayers via LinkedIn [member @ linkedin .com]
Subject: RE: Your Wire Transfer N27172774
Dear Customers,
Wire debit transfer was canceled.
Canceled transfer:
FED NUMBER: 6946432301WIRE298280
Transaction Report: View
Federal Reserve Wire Network


The malicious payload is at [donotclick]gurmanikia .ru:8080/forum/links/column.php hosted on the following well-known malicious IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)..."
___

FedEx SPAM / PostalReceipt .zip
- http://blog.dynamoo....receiptzip.html
27 Nov 2012 - "A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip
Date: Tue, 27 Nov 2012 13:04:37 -0400
From: "Office Mail" [no_replyFRL@cleveland.com]
Subject: ID (I)JI74 384 428 2295 7492
FedEx
Order: AX-7608-99659670234
Order Date: Sunday, 25 November 2012, 10:35 AM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
FedEx 1995-2012


In this case the download site was [donotclick]amsterdam.cathedralsoft .com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft .com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft .com has been compromised in this attack.
VirusTotal detection rates are very low*. I don't currently have an analysis of the malicious payload."
* https://www.virustot...sis/1354056475/
File name: PostalReceipt.exe
Detection ratio: 1/44
Analysis date: 2012-11-27

:grrr: :ph34r:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#821 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 28 November 2012 - 02:52 AM

FYI...

Bogus DHL emails serve malware
- http://blog.webroot....-serve-malware/
Nov 28, 2012 - "From UPS, USPS to DHL, bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails. Continuing what appears to be a working social engineering tactic, cybercriminals are currently mass mailing bogus DHL ‘Express Delivery Notifications’ in an attempt to trick users into executing the malicious attachment. Once executed, it opens a backdoor on the affected host allowing the cybercriminals behind the campaign complete access to the infected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
Sample detection rate for the malicious attachment: MD5: b0d4dad91f8e56caa184c8ba8850a6bd * ... Trojan-Downloader.Win32.Andromeda.daq.
What’s particularly interesting about this MD5 is that there are files named T-Mobile-Bill.pdf.exe that have also been submitted to VirusTotal, indicating that there’s a -another- T-Mobile themed campaign, that’s currently circulating in the wild. PEiD Signature of the file: BobSoft Mini Delphi -> BoB / BobSoft. It also creates %AllUsersProfile%\svchost.exe on the system, plus a Registry Value – “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that svchost.exe runs every time Windows starts."
* https://www.virustot...sis/1353774086/
File name: DHL-EXPRESS-DELIVERY-NOTIFICATION.exe
Detection ratio: 34/42
Analysis date: 2012-11-24
___

Fake Angry Birds Star Wars Android SMS Sender
- http://www.gfi.com/b...oid-sms-sender/
Nov 28, 2012 - "Back in April, fake copies of Angry Birds Space were in circulation – with the recent release of Angry Birds Star Wars, scammers have caused a great disturbance in the Force, as if millions of phones cried out in terror and were suddenly silenced... Fake apps are once again the order of the day – here’s one our Labs have found and taken a look at, offered up for download from a dedicated website over at
angrybirdsstarwars-android(dot)ru [ 5.9.112.10 - AS24940**]
> http://www.gfi.com/b...arsfakeapp1.png
As with so many similar fakeouts, Android owners must download the app from the website then install it on their phone (downloading with anything other than your mobile device – say, a web browser – offers up a .jar file instead)... This one acts like a typical Boxer Android file, sending premium SMS messages before downloading a valid version of the software. All in all, a rather costly mistake given you could pay the one time fee for the legitimate Google Play download and Angry Bird yourself into a (non-scammed) frenzy instead. VirusTotal results can be found here*, and we detect this as Trojan.AndroidOS.Generic.A with VIPRE Mobile.
End-users should always be cautious of websites offering up Android files that aren’t the Google Play store, especially when based around a hot new property or must-have game..."
* https://www.virustot...sis/1354052956/
File name: Angry_Birds_Star_Wars_install.apk
Detection ratio: 7/43
Analysis date: 2012-11-27
** https://www.google.c...c?site=AS:24940
"... over the past 90 days, 5998 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-28, and the last time suspicious content was found was on 2012-11-28... Over the past 90 days, we found 817 site(s)... that appeared to function as intermediaries for the infection of 4963 other site(s)... We found 1714 site(s)... that infected 9332 other site(s)..."
> http://sitevet.com/db/asn/AS24940
Blacklisted URLs: 3081
___

Changelog SPAM / ganadeion .ru
- http://blog.dynamoo....anadeionru.html
28 Nov 2012 - "This fake changelog spam leads to malware at ganadeion .ru:
Date: Wed, 28 Nov 2012 05:21:35 -0500
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changelog as promised (upd.)
Hello,
as prmised updated changelog - View
C. BERGMAN


The malicious payload is at [donotclick]ganadeion .ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)"
___

Fake UPS email serves Fake AV
- http://www.gfi.com/b...ves-up-fake-av/
Nov 28, 2012 - "... seasonal looking fake UPS delivery notification, claiming in broken English that “Your package delivered to the nearest Postal Office. When receiving, please show a mailing receipt. Address of the nearest office you can find on our website”.
> http://www.gfi.com/b...axNI1r6pupn.png
Depending on the spam campaign you happen to stumble upon, you’ll most likely be redirected through a collection of websites before arriving at your final destination which in this case happens to be Fake AV – specifically, System Progressive Protection.
> http://www.gfi.com/b.../upsfakeav2.png
Fake UPS spam is a perennial favourite of Malware pushers... We detect the above as Lookslike.Win32.Winwebsec.p (v)... treat delivery notification emails with the utmost caution. If in doubt, simply visit the website of your chosen parcel delivery service and have fun typing in tracking codes instead. It’s a lot safer."

:grrr: :ph34r:

Edited by AplusWebMaster, 28 November 2012 - 11:10 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#822 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 29 November 2012 - 06:45 AM

FYI...

Fake T-mobile U.K. malicious emails
- http://blog.webroot....-serve-malware/
Nov 29, 2012 - "Cybercriminals are currently impersonating T-Mobile U.K, in an attempt to trick its customers into downloading a bogus billing information report. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the infected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog....ing_malware.png
... malicious executable: MD5: b0d4dad91f8e56caa184c8ba8850a6bd * ... Worm:Win32/Gamarue
That’s the same MD5 that was served in the recently profiled “Bogus DHL ‘Express Delivery Notifications’ serve malware” malicious campaign..."
* https://www.virustot...sis/1353777713/
File name: T-Mobile-Bill.pdf.exe
Detection ratio: 35/44
Analysis date: 2012-11-24
___

Fake Vodafone U.K. malicious emails
- http://blog.webroot....-notifications/
Nov 28, 2012 - "Over the past couple of days, cybercriminals have launched yet another massive spam campaign, once again targeting U.K users. This time, they are impersonating Vodafone U.K, in an attempt to trick its customers into executing a bogus MMS attachment found in the malicious emails. Upon execution, the sample opens a backdoor on the affected hosts, allowing the cybercriminals behind the campaign complete access to the affected PC...
Sample screenshot from the spamvertised email:
> https://webrootblog....otification.png
... malicious attachment: MD5: 3ce2b9522a476515737d07b877dae06e * ... Trojan-Downloader.Win32.Andromeda.coh.
Upon execution, the sample creates %AllUsersProfile%\svchost.exe on the host. It also creates a Registry Value - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] -> SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that svchost.exe starts evert time Windows starts..."
* https://www.virustot...sis/1353773239/
File name: Vodafone_MMS.jpg.exe
Detection ratio: 36/44
Analysis date: 2012-11-24
___

More "Wire Transfer" SPAM / dimarikanko .ru
- http://blog.dynamoo....arikankoru.html
29 Nov 2012 - "This fake "Wire Transfer" spam leads to malware on dimarikanko .ru:
Date: Thu, 29 Nov 2012 06:01:55 +0700
From: LinkedIn Connections [connections @ linkedin .com]
Subject: Re: Fwd: Wire Transfer (75631MU030)
Dear Bank Account Operator,
WIRE TRANSFER: FED675249061747420
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]dimarikanko .ru:8080/forum/links/column.php hosted on a bunch of familiar looking IP addresses which have been used in several recent attacks:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)..."
___

Vobfus sites to block
- http://blog.dynamoo....s-to-block.html
29 Nov 2012 - "These domains and sites appear to be connected to the Vobfus worm, hosted on 222.186.36.108 (Chinanet Jiangsu Province Network). There seems to be quite a bit of this -worm- about..."
(More detail at the dynamoo URL above.)

What’s the Fuss with WORM_VOBFUS?
- http://blog.trendmic...th-worm_vobfus/
Nov 29, 2012 - "Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known, but easily forgotten safe computing practices... Disabling AUTORUN has its merits – but not everyone knows. Worms, like WORM_VOBFUS, are known to propagate by taking advantage of Windows Autorun feature on drives. To address this, users are often advised to disable Autorun to prevent their drives from being infected. For reason of inconvenience (or maybe forgetfulness?) users do -not- disable this feature... As WORM_VOBFUS and other threats using old but reliable exploit show, threats do not burn and turn into ashes easily. Sometimes, they fade away but surface again..."
___

Dynamic DNS sites you might want to block II
- http://blog.dynamoo....want-to_29.html
29 Nov 2012 - "These Dynamic DNS domains belong to a mystery outfit called dnsdynamic .org, and several of them seem to be in the process of being abused by third parties (for example). The registrations seem to be anonymised, some poking around at the recent WHOIS history of one of these domains (freedynamicdns .com) reveals ownership details of:
Manager, Domain manager@invertebrateisp.com
Invertebrate ISP
PO Box 405
Glenmont, New York 12077
United States
+1.2623946781

More digging at invertabrateisp .com comes up with a real name:
Wilde, Tim [redacted]
[redacted]
Glenmont, New York 12077
United States
[redacted] Fax --

Anyway, Mr Wilde is -not- connected with the malicious activity going on with these domains, but he is providing a service that is being abused. Interestingly he founded DynDNS before selling it on. Dynamic DNS services can be useful, but my personal recommendation is that you should consider blocking them as the bad guys are very good at abusing them. Overall, these are not as bad as the ones run by ChangeIP .com (see here*). There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (-yellow- highlighted ones have some malware, -red- highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely..."
(More detail and "the lists" at the dynamoo URL above)

* http://blog.dynamoo....ht-want-to.html
___

DNS server redirections ...
- http://www.theregist...mania_dns_hack/
28 Nov 2012 - "A hacker -redirected- web surfers looking for Yahoo, Microsoft or Google to a page showing a TV test card by apparently poisoning Google's public DNS system. Punters and organisations relying on Google's free service were affected, rather than the websites themselves being compromised. Visitors to yahoo .ro, microsoft .ro and google .ro were served a message from an Algerian miscreant using the moniker MCA-CRB. Traffic destined for the Romanian websites of Kaspersky Lab and Paypal was also hijacked... MCA-CRB is a prolific online graffiti artist who has defaced at least 5,000 sites, according to records kept by Zone-H*. The latest attack was carried out to gain bragging rights rather than to trouser a profit or stage a political protest... Last week, defaced copies of Google, Yahoo!, Microsoft, eBay and Apple's Pakistan websites were shown to surfers, again as a result of a DNS hijack... the affected Romanian sites was restored by Wednesday lunchtime, except Paypal.ro which proved difficult to reach in any case..."
* http://www.zone-h.or...otifier=MCA-CRB
___

Bogus ‘Meeting Reminder” emails serve malware
- http://blog.webroot....-serve-malware/
Nov 29, 2012 - "Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend .. Once executed, the malicious attachment opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host. Naturally, we’ve been monitoring their operations for quite some time, and are easily able to identify multiple connections between their previously launched campaigns...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
... the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 * ... Worm:Win32/Cridex.E.
It also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = “”%AppData%\KB00121600.exe” so that KB00121600.exe runs every time Windows starts.
Upon execution, the sample phones back to 64.150.187.72 :8080/AJw/UCygrDAA/Ud+asDAA (AS10316**)... We’ve also seen the same IP (64.150.187.72) used as name server in a previously profiled malicious campaign..."
* https://www.virustot...sis/1353778430/
File name: Report.exe
Detection ratio: 38/44
Analysis date: 2012-11-24
** https://www.google.c...c?site=AS:10316

:grrr: :grrr: :ph34r:

Edited by AplusWebMaster, 29 November 2012 - 04:52 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#823 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 30 November 2012 - 12:59 PM

FYI...

Bogus ‘Intuit Software Order Confirmations’ lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 30, 2012 - "Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot from the spamvertised email:
> https://webrootblog....its_malware.png
Sample spamvertised URL re-director: hxxp ://www.mysnap .com.tw/sites/default/files/upload.htm?RANDOM_CHARACTERS
Client-side exploits serving URL: hxxp ://moneymakergrow .ru:8080/forum/links/column.php
Malicious domain name reconnaissance:
moneymakergrow .ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 207.126.57.208
Name server: ns1.moneymakergrow .ru – 62.76.178.233
Name server: ns2.moneymakergrow .ru – 132.248.49.112
Name server: ns3.moneymakergrow .ru – 84.22.100.108
Name server: ns4.moneymakergrow .ru – 65.99.223.24
... Although we couldn’t reproduce the client-side exploitation, we’ve already seen the majority of these malicious domains in previously profiled campaigns..."
___

Bogus ‘End of August Invoices’ emails serve malware and client-side exploits
- http://blog.webroot....-side-exploits/
Nov 30, 2012 - "Cybercriminals have recently launched yet another massive spam campaign attempting to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....re_exploits.png
Sample detection rate for the malicious attachment: MD5: 8b194d05c7e7f96a37b1840388231791 * ... Trojan:Win32/Ransom
Sample client-side exploits serving URL: hxxp ://forumibiza .ru:8080/forum/links/column.php
Although we couldn’t obtain the actual payload, the gathered intelligence indicates that this is a campaign launched by the same group that we’ve been monitoring for a few weeks now, allowing us to more effectively expose their campaigns and protect Internet users...
Malicious domain name reconnaissance:
forumibiza.ru – 65.99.223.24, AS30496; 103.6.238.9, AS21125; 203.80.16.81, AS24514
Name server: ns1.forumibiza .ru – 62.76.186.190
Name server: ns2.forumibiza .ru – 84.22.100.108
Name server: ns3.forumibiza .ru – 50.22.102.132
Name server: ns4.forumibiza .ru – 213.251.171.30
... malicious domains also respond to the same IPs (65.99.223.24; 103.6.238.9; 203.80.16.81). We’ve already seen these in several previously profiled malicious campaigns..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1353823689/
File name: Invoices.exe
Detection ratio: 39/44
Analysis date: 2012-11-25
___

(Here they come...) Santa SCAMS...
- http://community.web...amta-claus.aspx
Nov 30, 2012 - "... detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus... They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa. As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer...
> http://community.web...7360.santa1.png
... subject lines to catch your attention and elicit a response:
- Personal Letter From Santa For Your Child
- (A) Letter From Santa For Your Child
- Santa Claus Letters
- A personal letter from Santa for your little ones
- Custom Santa Letters
> http://community.web...7848.santa2.png
Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page: Simple browser detection and IP geolocation techniques are used to appear convincing.
Unfortunately, other than the opinion survey, the only personalized item you’re likely to receive from this point on is more spam, scams, or empty offers. No amount of form-filling, survey submissions, or offer completions are likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately..."
___

"Copies of Policies" SPAM / podarunoki .ru
- http://blog.dynamoo....darunokiru.html
30 Nov 2012 - "This spam leads to malware on podarunoki .ru:
Date: Fri, 30 Nov 2012 04:54:30 -0300
From: Jone Castaneda via LinkedIn [member @linkedin .com]
Subject: RE: Leonie - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Leonie Doyle,
==========
Date: Fri, 30 Nov 2012 02:32:21 -0400
From: sales1@[victimdomain].com
Subject: RE: Samson - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Samson Henry,


The malicious payload is at [donotclick]podarunoki .ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___

iTunes SPAM / mokingbirdgives .org
- http://blog.dynamoo....rdgivesorg.html
30 Nov 2012 - "This fake iTunes spam leads to malware on mokingbirdgives .org:
From: iTunes itunes @new.itunes .com
To: purchasing [purchasing @victimdomain .com]
Date: 30 November 2012 17:02
Subject: Your receipt #16201509085048
Billed To:
%email%
Order Number: M1V008146011
Receipt Date: 30/11/2012
Order Total: $699.99
Billed To: Credit card
Item Number Description Unit Price
1 Postcard (View\Download )
Cancel order Not your order?Report a Problem $699.99
Subtotal: $699.99
Tax: $0.00
Order Total: $699.99
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http ://www.apple .com/support/itunes/store/
Apple ID Summary • Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved


The malicious payload is at [donotclick]mokingbirdgives .org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious: ..."
(Long list at the dynamoo URL above..)

:grrr: :ph34r:

Edited by AplusWebMaster, 30 November 2012 - 08:45 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#824 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 03 December 2012 - 01:49 AM

FYI...

Malicious email MMS targets mobile phone users
- http://community.web...hone-users.aspx
2 Dec 2012 - "... Websense... has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, we have detected thousands of emails claiming users have received MMS content via email localized to Australian and German carriers late last week:
> http://community.web...s/3731.both.png
Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially those that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and have many anti-debug tricks. Unlike other malware, this sample deploys several decryption phases before finally executing its malicious function. Even more interesting, it implements all its tricks, like decryption and patching, only in memory... It downloads malicious binaries from these remote servers:
> http://community.web..._downloader.jpg
173.254.28.81 ... During our analysis, some of the remote servers were still available, and the malicious binary files were still downloadable..."
___

More Wire Transfer SPAM / panamechkis .ru
- http://blog.dynamoo....amechkisru.html
3 Dec 2012 - "This fake wire transfer spam leads to malware on panamechkis .ru:
Date: Mon, 3 Dec 2012 11:34:38 +0330
From: HarrisonCrumm @ mail .com
Subject: RE: Wire Transfer cancelled
Dear Customers,
Wire transfer was canceled.
Rejected transfer:
FED NUMBER: 1704196955WIRE580676
Transaction Report: View
Federal Reserve Wire Network


The malicious payload is at [donotclick]panamechkis .ru:8080/forum/links/column.php hosted on:
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
Of these, 113.197.88.226 seems to be a new one which should be added to your blocklists."
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-4/
Dec 3, 2012 - "... noteworthy spam samples found and documented by our researchers in the AV Labs in our Tumblr page*..."
* http://gfisoftware.tumblr.com/
NY Better Business Bureau Attachment Spam - December 03, 2012
Malicious HP ScanJet Spam Continue - December 03, 2012
Malicious Wire Transfer Spam Continued - Dec 3, 2012
Account has been blocked - Dec 2, 2012
RapidFAX Spam - Dec 3, 2012
NACHA Spam: Your Direct Deposit software is out of date
eFax Corporate Message Spam - Nov 29, 2012
Malicious FedEx Spam Continues - Nov 24, 2012 ...
___

Posted Image
- http://www.ironport.com/toc/

- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document E-mail Messages - December 03, 2012
Fake ADP Digital Certificate Notification E-mail Messages - December 03, 2012
Fake Business Complaint E-mail Messages - December 03, 2012
Fake FedEx Shipment Notification E-mail Messages - December 03, 2012
Fake Xerox Scan Attachment E-mail Messages - December 03, 2012
Fake Picture Link E-mail Messages - December 03, 2012
Malicious Personal Pictures Attachment E-mail Messages - December 03, 2012
Fake Picture Posting Notification E-mail Messages - December 03, 2012
Fake Discount Purchases Notification E-mail Messages - December 03, 2012
Fake Telegram Notification E-mail Messages - December 03, 2012 ...

:grrr: :ph34r:

Edited by AplusWebMaster, 03 December 2012 - 08:35 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#825 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 04 December 2012 - 07:42 AM

FYI...

Fake FedEx emails lead to malware
- http://blog.webroot....ead-to-malware/
Dec 4, 2012 - "At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC. This time they didn’t try impersonating USPS, UPS or DHL, but FedEx...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=481
Second screenshot of a sample spamvertised email, again, part of the same campaign:
> https://webrootblog....plate.png?w=545
Third screenshot of a sample spamvertised email used in the campaign:
> https://webrootblog....plate.png?w=495
Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 * ... Trojan.Win32.Buzus.mruv
Upon execution, it phones back to the following URLs:
hxxp ://91.121.90.80 :8080/...
hxxp ://84.40.69.119 :8080/...
hxxp ://211.172.112.7 :8080/...
Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa ** ... Trojan-Dropper.Win32.Dapato.bxhg
Upon execution, it phones back to the following URLs:
hxxp //59.25.189.234 :8080/...
hxxp //140.135.66.217 :8080/...
hxxp //82.113.204.228 :8080/...
hxxp //59.126.131.132 :8080/...
None of these IPs currently respond to any specific domains, besides 59.126.131.132.
songwriter .tw is currently responding to 59.126.131.132 – Email: songwriter .tw@ gmail .com...
> https://webrootblog....rver.png?w=1024
The domain seems to be a legitimate Taiwanese songwriting company/individual, indicating that their server has been compromised and is currently used as command and control server.
Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 *** ... TrojanDownloader:Win32/Kuluoz.B..."
* https://www.virustot...sis/1354489330/
File name: Postal_Receipt.exe
Detection ratio: 35/46
Analysis date: 2012-12-02
** https://www.virustot...sis/1354489404/
File name: Postal_Receipt1.exe
Detection ratio: 37/46
Analysis date: 2012-12-02
*** https://www.virustot...sis/1354489465/
File name: PostalReceipt2.exe
Detection ratio: 25/46
Analysis date: 2012-12-02
___

"ARK Bureau" fake job offer
- http://blog.dynamoo....-job-offer.html
4 Dec 2012 - "The ARK Architecture Bureau is a genuine company. This fake job offer is -not- from ARK Bureau, but is some sort of illegal activity such as money laundering.
From: Odette Holcomb [mailto:nbnian@esonchem.co.kr]
Sent: 03 December 2012 12:32
Subject: Help wanted.
POSITION: Customer Assistant
ABOUT COMPANY:
ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998.
The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau.s vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That.s probably why ARK Bureau enjoys a strong loyalty from the past customers.
Now we have open vacancy in the U.S.: Customer Assistant
RESPONSIBILITIES:
- Process payments from customers;
- Filing invoices, statements and associated documents;
- Meet and exceed performance and time management goals;
- Other duties as required.
GENERAL SKILLS:
- High communication skills;
- Strong problem solving and planning skills;
- Experienced computer & internet user.
APPLY:
To apply please: arkbureaumanager @nokiamail .com


An alternative version uses the email address of arkbureau_manager@nokiamail.com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia). You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement."
___

ADP SPAM / fsblimitedrun .pro
- http://blog.dynamoo....itedrunpro.html
3 Dec 2012 - "This fake ADP spam leads to malware on fsblimitedrun .pro:
From: ADP Transaction Status
Date: 3 December 2012 17:55
Subject: ADP Major Accounts Processed Case
Valued customer:
James lately covered Transaction at your account. Event # 433933082.
Case Caption: 6CO7
Incident Substantiation: Download
We at ADP obtain to create a personalized and client focused experience with every client interaction.
Please view transaction changed by visiting the link below.
Click here - ADP Major Accounts Operation Progress mentioned above
Best Wishes,
James Brooks
Vice President of Customer Care Department ADP
ADP Major Accounts
***Reminder***
Please remember to complete your Semi-Annual Service Quality Survey!
Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services.
**********
This e-mail was delivered from an robot account.
Please don't reply to this message. auomatic informational system unable to accept incoming email.


The malicious payload is at [donotclick]fsblimitedrun .pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install .info . Blocking access to this IP address would probably be prudent.
___

"Scan from a Hewlett-Packard ScanJet" SPAM / somaliaonfloor .ru
- http://blog.dynamoo....anjet-spam.html
3 Dec 2012 "This fake printer spam leads to malware on somaliaonfloor .ru:
Date: Mon, 3 Dec 2012 09:25:59 -0600
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #3838
A document was scanned and sent to you using a Hewlett-Packard HP15310290
Sent to you by: ROSIO
Pages : 8
Filetype(s): Images (.jpeg) View
==========
Date: Mon, 3 Dec 2012 11:06:22 -0500
From: "service@paypal.com" [service@paypal.com]
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 33712789
A document was scanned and sent to you using a Hewlett-Packard HP8220647
Sent to you by: CLAUDIA
Pages : 7
Filetype(s): Images (.jpeg) View


The malicious payload is at [donotclick]somaliaonfloor .ru:8080/forum/links/public_version.php hosted on the same IPs used in this attack.
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___

"Most recent events on Facebook" SPAM / attachedsignup .pro
- http://blog.dynamoo....ebook-spam.html
4 Dec 2012 - "This fake Facebook spam leads to malware on Most recent events on attachedsignup .pro:
Date: Tue, 4 Dec 2012 15:19:16 +0100
From: " Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject: Most recent events on Facebook
facebook
Hi [redacted],
You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.
This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906


The malicious payload is at [donotclick]attachedsignup .pro/detects/links-neck.php (report here*) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077 .pl..."
* http://wepawet.isecl...4631759&type=js
___

US Airways SPAM / attachedsignup .pro
- http://blog.dynamoo....dsignuppro.html
4 Dec 2012 - "This fake US Airways spam leads to malware on attachedsignup .pro:
From: US Airways - Booking [reservations@myusairways.com][
Date: 4 December 2012 14:30
Subject: US Airways online check-in.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.
Purchase code: 183303
Check-in online: Online booking details
Payment method: Credit card
Money will be withdrawn in next 3 days
Voyage
5990
Departure city and time
Massachusets MA (DCA) 10:10 AM
Depart date: 12/05/2012
We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426 , Copyright US Airways , All rights reserved.


The payload and IP addresses are identical to this spam* doing the rounds today."
* http://blog.dynamoo....ebook-spam.html
___

Facebook "You have notifications pending" SPAM / francese .ru
- http://blog.dynamoo....ns-pending.html
4 Dec 2012 - "This fake Facebook spam leads to malware on francese.ru:
Date: Tue, 4 Dec 2012 03:38:42 +0000
From: KaseyElleman@victimdomain.com
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]francese .ru:8080/forum/links/column.php hosted on the following IP addresses:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks , US)
219.255.134.110 (SK Broadband, Korea)
Plain list for copy-and-pasting:
42.121.116.38
202.180.221.186
203.80.16.81
208.87.243.131
219.255.134.110
..."

:grrr: :ph34r: :ph34r:

Edited by AplusWebMaster, 04 December 2012 - 10:39 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#826 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 05 December 2012 - 08:43 AM

FYI...

Zbot sites to block 5/12/12
- http://blog.dynamoo....lock-51212.html
5 Dec 2012 - "These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10 .com domain, or are co-hosted on the same server and have malicious characteristics. I've come up with a recommended blocklist based on the characteristics on the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.
IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)
... Recommended blocklist:
31.184.244.73
62.122.72.0/21
77.72.133.69
78.46.5.128/29
78.140.135.211
85.143.166.0/24
87.107.96.0/19
91.211.119.56
91.231.156.0/24
91.238.83.0/24
146.185.255.0/24
178.162.132.0/24
178.162.134.128/26
188.93.210.28
195.88.74.110
198.144.183.227
..."
(More detail at the dynamoo URL above.)
___

BBB SPAM / leberiasun .ru
- http://blog.dynamoo....beriasunru.html
5 Dec 2012 - "This fake BBB spam leads to malware on leberiasun .ru:
Date: Wed, 5 Dec 2012 11:32:47 +0330
From: Bebo Service [service@noreply.bebo.com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
JONELLE Payne


The malicious payload is at [donotclick]leberiasun .ru:8080/forum/links/column.php (report here) hosted on the following IPs:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)..."

:grrr: :grrr: :ph34r:

Edited by AplusWebMaster, 05 December 2012 - 01:18 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#827 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 06 December 2012 - 10:11 AM

FYI...

SPAM gets Socl ...
- http://www.gfi.com/b...spam-gets-socl/
Dec 6, 2012 - "Microsoft have thrown open the gates to their new social network, Socl (which has a faint whiff of Pinterest about it and is also pronounced “social”. No, really). It didn’t take spammers very long to sink their claws in... we have all the Canadian Pharmacy spam you can eat...
> http://www.gfi.com/b...2/soclspam1.jpg
... links all currently lead to a page touting a 404 error... we can only hope Microsoft (will) have a Banhammer in place to deal with what will no doubt be a bump up in bad content as word of the latest social network to hit the ground running spreads across the news. We haven’t come across any Malware links yet, but as with Tumblr, Pinterest and Twitter end-users shouldn’t abandon common sense in favour of shiny, blinky things carrying a sting in the tail..."
___

Amazon SPAM / evokeunreasoning .pro
- http://blog.dynamoo....asoningpro.html
6 Dec 2012 - "A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning .pro:
Date: Thu, 6 Dec 2012 17:32:38 +0200
From: "Amazon . com" [digital-notifier@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazon.com Today's Deals See All Departments
Dear Amazon.com Member,
Thanks for your order, clongmore@arrowuk.com!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Overview:
E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438
Order Grand Total: $ 50.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C47-8578330-3362713
Subtotal of items: $ 50.99
------
Total before tax: $ 50.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 0.99
------
Total for this Order: $ 50.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824
Please note that this message was sent to the following e-mail address: [redacted]


The malicious payload is at [donotclick]evokeunreasoning .pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving."
___

Phishing For Bank Account Information
- http://blog.webroot....nt-information/
Dec 6, 2012 - "... always on the look out for anything that looks ‘phishy’, even if it’s on your own personal time. Today, I opened my personal email to find this:
> https://webrootblog....png?w=413&h=444
Although the email looked very convincing, I don’t bank with Smile Bank so I knew something was up. Smile Bank is an actual bank based in the UK. The bad guys used a spoofed email address to make it look like it came from the legit Smile Bank domain smile.co.uk. If someone did bank with Smile Bank, I can see how they could easily be tricked. It’s the “Click here to proceed” link that gives the bad guys away. The link goes to a page hosted by pier3 .hk, which is a legitimate domain, but appears to be compromised with a simple HTM page that is a -redirect- to the real malicious site. The redirect sends you here:
> https://webrootblog....png?w=491&h=354
... This trick could easily be done with any large bank. Make sure to always be suspicious of any email claiming to be from your bank that -threatens- your account has been locked and insists that you need to enter your account information. Also, if the link to enter your account information isn’t to the URL of the bank it claims to be from, you know it’s malicious."
___

More "Copies of policies" SPAM / cinemaallon .ru
- http://blog.dynamoo....emaallonru.html
6 Dec 2012 - "This spam leads to malware on cinemaallon .ru:
Date: Thu, 6 Dec 2012 06:41:01 -0500
From: Isidro Pierre via LinkedIn [member @linkedin .com]
Subject: RE: ASHTON - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ASHTON QUINONES,


The malicious payload is at [donotclick]cinemaallon .ru:8080/forum/links/column.php hosted on the following familiar IPs:
202.180.221.186 (Gnet, Mongolia)
208.87.243.131 (Psychz Networks, US)..."
___

Bogus ‘Facebook Account Cancellation Request’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Dec 5, 2012 - "Facebook users, watch what you click on! Cybercriminals are currently mass mailing bogus “Facebook Account Cancellation Requests“, in an attempt to trick Facebook’s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=629
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
Malicious domain name reconnaissance:
lakkumigdc .com – 68.168.100.135 – Email: dolphinkarthi @gmail .com
Name Server: NS1.MACROVIEWTECH .COM – 68.168.100.136
Name Server: NS2.MACROVIEWTECH .COM – 68.168.100.137
Domains responding to the same IP, including domains also registered with the same GMail account...
Upon successsful client-side exploitation, the campaign drops MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56 * ... PWS-Zbot.gen.aru
Upon execution, the sample creates the following file on the affected hosts:
%AppData%\Ixriyv\emarosa.exe – MD5: A33684FD2D1FA669FF6573921F608FBB
It also creates the following directories:
%AppData%\Ixriyv
%AppData%\Uxwonyl
As well as the following Mutex: Local\{7A4AAF46-5391-8FF9-A32F-78A34C8B50D7}
It then phones back to shallowave.jumpingcrab .com (93.174.95.78) on port 8012. Another similar subdomain on this host (takemeout.jumpingcrab .com), was also seen in a crowdsourced DDoS campaign in 2009..."
* https://www.virustot...36f00/analysis/
File name: 8b3979c1a9c85a7fd5f8ff3caf83fc56
Detection ratio: 3/46
Analysis date: 2012-12-03
___

eBay, PayPal SPAM / ibertomoralles .com
- http://blog.dynamoo....orallescom.html
6 Dec 2012 - "These spam messages lead to malware on ibertomoralles .com:
Date: Thu, 6 Dec 2012 13:12:16 -0600
From: "PayPal" [service @paypal .com]
Subject: Your Ebay.com transaction details.
Dec 5, 2012 09:31:49 CST
Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],
You sent a payment of $363.48 USD to Normand Akers.
It may take a several minutes for this transaction to appear in your transactions history.
Seller
Normand-Akers @aol .com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
NordicTrack Mini Cycle
Item# 118770508253 24 $363.48 USD
Shipping and handling $24.99 USD
Insurance - not offered ----
Total $363.48 USD
Payment $363.48 USD
Payment sent to Normand Akers
Receipt ID: D-69NQRGN113A3A9UQ3
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID PZ147
==========
Date: Thu, 6 Dec 2012 19:57:37 +0100
From: "PayPal" [noreply @paypal .com]
Subject: Your Paypal.com transaction confirmation.
Dec 5, 2012 09:50:54 CST
Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],
You done a payment of $894.48 USD to Carol Brewster.
It may take a few moments for this transfer to appear in your transactions history.
Merchant
Carol-Brewster @aol .com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
TaylorMade R11 Driver Golf Club
Item# 703099838857 54 $894.48 USD
Shipping and handling $14.49 USD
Insurance - not offered ----
Total $894.48 USD
Payment $894.48 USD
Payment sent to Carol Brewster
Receipt ID: H-K01U2WSTLZZMRAB90
Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.
Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID P8695


The malicious payload is at [donotclick]ibertomoralles .com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server..."
(More detail at the dynamoo URL above.)

:grrr: Posted Image

Edited by AplusWebMaster, 06 December 2012 - 09:34 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#828 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 06 December 2012 - 09:52 PM

FYI...

#1 malware threat - Blackhole exploit kits
- http://h-online.com/-1762913
5 Dec 2012 - "... according to Sophos*, 30.81% of sites hosting it are in the United States, which is followed by Russia at 17.88% and Chile at 10.77%. Sophos says that between October 2011 and March 2012, almost 30% of detected threats were either directly from Blackhole or diversions to Blackhole kits that had been rigged on formerly reputable sites... Sophos says that in 2012 the biggest problems were cloud services, the Bring Your Own Device (BYOD) movement, hacking of SQL databases, improving social engineering methods, and an increasing number of attacks on the Android mobile operating system. The latter has seen everything from SMS fraud, apparent botnets on phones, banking malware, and bogus or rogue applications from application stores..."
* http://www.sophos.co...le-exploit.aspx
Video - 3:02

Defenses against the Blackhole exploit kit
>> https://en.wikipedia...ole_exploit_kit
" ... Make sure the browser, browser's plugins, and operating system are up to date..."

Test your browser here: https://browsercheck...m/?scan_type=js
___

- https://blogs.techne...Redirected=true
12 Nov 2012 - "... Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin..."
> https://blogs.techne..._2D00_550x0.jpg
Vulnerabilities targeted by the Blacole exploit kit in 1Q12 and 2Q12
> https://blogs.techne..._2D00_550x0.jpg

:ph34r: :ph34r:

Edited by AplusWebMaster, 08 December 2012 - 06:47 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#829 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 07 December 2012 - 12:53 PM

FYI...

Malicious ‘Security Update for Banking Accounts’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 7, 2012 - "Cybercriminals have recently launched yet another massive spam campaign attempting to trick e-banking users into thinking that their ability to process ACH transactions has been temporarily disabled. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
Sample spamvertised compromised URLs:
hxxp ://promic .pl/page4.htm
hxxp ://promic .pl/rating.htm
Sample client-side exploits serving URLs:
hxxp ://bamanaco .ru:8080/forum/links/column.php
hxxp ://lentuiax .ru:8080/forum/links/column.php
Malicious domains reconnaissance:
bamanaco.ru – 82.165.193.26 (AS8560); 203.80.16.81 (AS24514); 216.24.196.66 (AS40676)
Name servers:
ns1.bamanaco .ru - 62.76.178.233
ns2.bamanaco .ru – 41.168.5.140
ns3.bamanaco .ru – 132.248.49.112
ns4.bamanaco .ru – 209.51.221.247
lentuiax .ru – 203.80.16.81 (AS24514)
Name servers:
ns1.lentuiax .ru – 62.76.178.233
ns2.lentuiax .ru – 41.168.5.140
ns3.lentuiax .ru – 132.248.49.112
ns4.lentuiax .ru – 209.51.221.247
Sample detection rate for the redirection script: MD5: 35e6ddb6ce4229d36c43d9d3ccd182f3 * ... Trojan-Downloader.JS.Iframe.dby.
Although we couldn’t reproduce the malicious exploitation taking place through bamanaco .ru and lentuiax .ru, we found out that, during the time of the attack, similar client-side exploit serving URls were also responding to the same IPs, leading us to the actual malicious payload found on two of these domains..."
(More detail available at the webroot URL above.)
* https://www.virustot...sis/1353822844/
File name: August.html
Detection ratio: 21/44
Analysis date: 2012-11-25
___

Fake PayPal Emails: Windows 8 and Vintage Photo Collections
- http://www.gfi.com/b...to-collections/
Dec 7, 2012 - "If you want to panic over a mysterious transaction on Ebay to the tune of $564.48 for a “Microsoft Windows 8 Pro Anytime Upgrade”, then this is probably the email you’ve been waiting for.
It reads:
You have made an Ebay.com purchase.
Hello [removed],
You sent a payment of $564.48 USD to [removed].
Microsoft Windows 8 Pro Anytime Upgrade
Item# 16 $564.48 USD

> http://www.gfi.com/b...12/ebaywin8.png
Clicking the link in the fake PayPal email will take end-users to the usual round of Cridex / Blackhole URLs. On a similar note, there’s an additional email floating around that claims you purchased 84 copies of “Vintage photo collection sexy college girls 1990s or 2000s”.
> http://www.gfi.com/b...2/ebaywin82.png
Last time we saw this one was back in June* where the tally was -23- ..."
* http://blog.dynamoo....arshipznet.html
___

iTunes "Christmas gift card" SPAM / api.myobfuscate .com / nikolamireasa .com
- http://blog.dynamoo....-gift-card.html
6 Dec 2012 - "Here's a malware-laden spam with a twist:
From: iTunes [shipping @new. itunes .com]
To: purchasing [purchasing @ [redacted]]
Date: 6 December 2012 20:59
Subject: Christmas gift card
Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing @[redacted]
Order Total: $500.00
Billed To: Hilary Shandonay, Credit card
Item Number Description Unit Price
1 Christmas gift card (View\Download ) $500.00
Subtotal: $500.00
Tax: $0.00
Order Total: $500.00
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http ://www.apple .com/support/itunes/store/
Apple ID Summary ??????????¬?‚?? Detailed invoice
Apple respects your privacy.
Copyright ??????‚?© 2011 Apple Inc. All rights reserved


In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz .org which contains some heavily obfuscated javascript that eventually leads to a malicious landing page on [donotclick]nikolamireasa .com/less/demands-probably.php hosted on 188.93.210.133 (logol .ru, Russia). That IP hosts the following toxic domains that you should block:
nikolamireasa .com
portgazza. cu .cc
hopercac. cu .cc
hopercas. cu .cc
ukumuxur. qhigh .com
ymuvyjih.25u .com
... you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate .com... if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way. Both api.myobfuscate .com and www.myobfuscate .com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way:
htmlobfuscator .com
api.htmlobfuscator .com
htmlobfuscator .info
javascript-obfuscator .info
javascriptcompressor .info
javascriptcrambler .com
javascriptobfuscate .com
javascriptobfuscator .info
myobfuscate .com
api.myobfuscate .com
obfuscatorjavascript .com
api.obfuscatorjavascript .com
js.robotext .com
js.robotext .info
js.robottext .ru

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots."

- http://www.avgthreat...com/webthreats/
... last updated on Dec 08, 2012 GMT.
Viruses & Threats on the Rise
1) Cool Exploit Kit - 19.24% of all detections...
2) Blackhole Exploit Kit - 19.16% of all detections...
3) Javascript Obfuscation - 12.70% of all detections...
___

AICPA SPAM / ibertomoralles .org
- http://blog.dynamoo....orallesorg.html
7 Dec 2012 - "I haven't seen fake AICPA spam like this for a while, it leads to malware on ibertomoralles .org:
From: AICPA [noreply@aicpa.org]
Date: 7 December 2012 16:55
Subject: Your accountant license can be cancelled.
You're receiving this information as a Certified Public Accountant and a member of AICPA.
Having any problems reading this email? See it in your favorite browser.
AICPA logo
Revocation of CPA license due to income tax fraud accusations
Dear AICPA participant,
We have been informed of your potential involvement in tax return swindle on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Fri, 7 Dec 2012 18:31:58 +0100
From: "AICPA" [do-not-reply @aicpa .org]
Subject: Tax return assistance contrivance.
You're receiving this note as a Certified Public Accountant and a part of AICPA.
Having any problems reading this email? See it in your favorite browser.
Cancellation of Public Account Status due to tax return indictment
Respected accountant officer,
We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license.
Delation.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday*."
* http://blog.dynamoo....orallescom.html
___

BBB SPAM / ibertomoralles .org
- http://blog.dynamoo....orallesorg.html
"This bizarrely worded fake BBB spam leads to malware on ibertomoralles .org:
Date: Fri, 7 Dec 2012 18:43:08 +0100
From: "Better Business Bureau" [complaint @bbb .org]
Subject: BBB Complaint No.65183683
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau &#65533;
Start With Trust &#65533;
Fri, 7 Dec 2012
RE: Complaint N. 65183683
Hello
The Better Business Bureau has been booked the above said complaint from one of your purchasers in regard to their business relations with you. The detailed description of the consumer's disturbance are available visiting a link below. Please give attention to this point and let us know about your mind as soon as possible.
We amiably ask you to overview the GRIEVANCE REPORT to reply on this claim letter.
We are looking forward to your prompt reaction.
Faithfully yours
Natalie Richardson
Dispute Councilor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 28201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
====================
Date: Fri, 7 Dec 2012 19:42:23 +0200
From: "Better Business Bureau" [noreply@bbb.org]
Subject: BBB Appeal No.05P610Q78
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau &#65533;
Start With Trust &#65533;
Fri, 7 Dec 2012
RE: Case # 05P610Q78
Hello
The Better Business Bureau has been filed the above said reclamation from one of your customers in respect of their dealings with you. The details of the consumer's disturbance are available at the link below. Please pay attention to this issue and notify us about your sight as soon as possible.
We politely ask you to visit the PLAINT REPORT to meet on this claim.
We are looking forward to your prompt reaction.
Yours respectfully
Dylan Peterson
Dispute Councilor
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 25301
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was delivered to [redacted] Don't want to receive these emails anymore? You can unsubscribe
====================
From: Better Business Bureau [mailto:information@bbb.org]
Sent: Fri 07/12/2012 17:01
Subject: Better Business Beareau Pretension No.S8598593
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust
Fri, 7 Dec 2012
RE: Complaint N. S8598593
Valued client
The Better Business Bureau has been entered the above mentioned grievance from one of your clientes with reference to their dealings with you. The details of the consumer's worry are available at the link below. Please give attention to this problem and let us know about your opinion as soon as possible.
We pleasantly ask you to click and review the CLAIM LETTER REPORT to respond on this grievance.
We awaits to your prompt response.
WBR
Aiden Thompson
Dispute Advisor
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 26701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The payload and IP addresses are exactly the same as the ones found in this spam run*."
* http://blog.dynamoo....orallesorg.html
___

Sendspace "You have been sent a file" SPAM / pelamutrika .ru
- http://blog.dynamoo....-file-spam.html
7 Dec 2012 - "This fake Sendspace spam leads to malware on pelamutrika .ru:
Date: Fri, 7 Dec 2012 10:53:57 +0200
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [victimname]-64.pdf)
Sendspace File Delivery Notification:
You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


The malicious payload is at [donotclick]pelamutrika .ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)"
___

Searching for “Windows Android Drivers” Leads to Malware and Bogus Google Play Markets
- http://www.gfi.com/b...e-play-markets/
7 Dec 2012 - "If you’re on the lookout for Android USB drivers for your Windows OS, be very careful. Such strings like “Windows Android Drivers” or combinations of these may bring up results that you would rather stay away from. Our researchers in the AV Labs have found this peculiar search result on Yahoo!... Visiting the Russian URL, bestdrivers(dash)11(dot)ru, automatically downloads a file called install.exe... Running the .exe file, which is a Trojan that we detect as Trojan.Win32.Generic!BT, allows it to modify the start page of the user’s IE browser to 94(dot)249(dot)188(dot)143/stat/tuk/187, a sign-up page for a Russian “escort” site. It does this so users are directed to the page by default whenever they open their IE browser..." (-aka- Hijacked...)
(More detail and screenshots at the gfi URL above.)
___

Christmas themed SCAMS on Facebook ...
- http://community.web...n-facebook.aspx
06 Dec 2012 - "... We spotted more than 3,000 unique URLs used for this scam on Facebook. The high variation is used by cyber criminals to assure persistence and redundancy in case some URLs or domains get blacklisted.
> http://community.web...k_5F00_xmas.jpg
... Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam web sites:
208.73.210.147
213.152.170.193
184.107.164.158
216.172.174.53
199.188.206.214
198.187.30.161
198.154.102.28
68.168.21.68
198.154.102.29
174.132.156.176
198.154.102.27
88.191.118.153
208.91.199.252

We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong..."

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster, 08 December 2012 - 04:31 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#830 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 10 December 2012 - 11:13 AM

FYI...

Fake Sendspace SPAM "You have been sent a file" / anifkailood .ru:
- http://blog.dynamoo....space-spam.html
10 Dec 2012 - "This fake Sendspace spam leads to malware on anifkailood .ru:
Date: Mon, 10 Dec 2012 06:01:01 -0500
From: "Octavio BOWMAN" [AdlaiBaldacci @telefonica .net]
Subject: You have been sent a file (Filename: [redacted]-722.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


The malicious payload is at [donotclick]anifkailood .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."
___

Fake AICPA SPAM / eaglepointecondo .co
- http://blog.dynamoo....ntecondoco.html
10 Dec 2012 - "This fake AICPA spam leads to malware on eaglepointecondo .co:
Date: Mon, 10 Dec 2012 19:29:21 +0400
From: "AICPA" [alerts@aicpa.org]
Subject: Income fake tax return accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.
Termination of Public Account Status due to income tax fraud allegations
Respected accountant officer,
We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.
SubmittedReport.doc
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066


The malicious payload is at [donotclick]eaglepointecondo .co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently* for malware distribution..."
* http://blog.dynamoo....q=59.57.247.185

> http://www.aicpa.org...lent-email.aspx

Your CPA License has -not- been revoked
- https://isc.sans.edu...l?storyid=14674
Last Updated: 2012-12-10 - "I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded.
> https://isc.sans.edu...es/CPAEmail.png
The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are send on the usual malware redirect loop:
The first stop is httx ://tesorogroup .com/components/com_ag_google_analytics2/taxfraudalert.html
It includes javascript and meta tag redirects to
httx ://eaglepointecondo. co/ detects /denouncement-reports.php
... which will test our browser for vulnerable plugins and try to run a java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co . The two host currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
Wepawet does a nice job analysing the obfuscated javascript:
http://wepawet.isecl...5160668&type=js ..."
___

Facebook SCAM goes wild - doubles over the weekend ...
- http://community.web...he-weekend.aspx
10 Dec 2012 - "Last week we wrote a blog* about a specific Facebook scam that appeared to spread rather aggresively... Websense.. detected that the scam has increased and multiplied over the weekend - particularly on Saturday where we saw the amount of unique URLs related to this scam double. This shows how cyber crooks time their attacks to times where users are more laid back and when the security community is less likely to alert users on this type of threat... The scam spreads using click-jacking techniques and employs a mass number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid .org... A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:
> http://community.web...mas_5F00_23.jpg
Screenshot of the scam's main page:
> http://community.web...mas_5F00_24.jpg
How the scam looks like in Facebook's new feed. The scam uses varied sexual implied images and varied enticing wording to lure for user's clicks:
> http://community.web...mas_5F00_25.jpg

* http://community.web...n-facebook.aspx

Facebook Spam leverages/abuses Instagram App
- http://blog.trendmic...-instagram-app/
Dec 10, 2012 - "... social networking sites have been often used to proliferate malware. Just recently, we spotted a Facebook clickjacking attack that leverages and abuses Instagram to point users to malicious websites. Users encounter this threat by being tagged in a photo posted by one of their contacts on Facebook. The post states that users can know who visited their profile on Faceboofk and how often. It also includes a photo posted via Instagram. We noticed that the photo and the names used in the “Recent Profile Views” (see below) are used repeatedly for other attacks.
> http://blog.trendmic..._screenshot.gif
Should users decide to click the link, they are lead to a page with instructions on how to generate the verification code. Once done, a pop-up window appears, which is actually the Instagram for Facebook app asking users to click “Go to App” button. Once done, it -redirects- users to a page that looks like the Facebook Home page.
> http://blog.trendmic...ge_facebook.gif
... the address bar is different from the legitimate Facebook homepage. Users are then asked to copy and paste the malicious URL (which varies per user) in a certain dialog box and to click ‘continue’... the link so far gathered 825,545 clicks worldwide, mostly coming from the Philippines and India. The said link is attributed to the account maygup88, who is also responsible for other 130 domains blocked. This type of threat on Facebook has taken on different forms these past months, usually under the veil of popular brands such as Diablo 3 and iPad. It even expanded to other social networking sites like Pinterest and Tumblr, which only means one thing: users are still falling for these scams. With this in mind, users are advised to take precautionary steps such as double-checking the legitimacy of links and posts. And remember: just because a contact posted that link, it does not mean it’s safe..."
___

AICPA SPAM / eaglepointecondo .org
- http://blog.dynamoo....aicpa-spam.html
10 Dec 2012 - "Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo .org:
Date: Mon, 10 Dec 2012 18:51:38 +0100
From: "AICPA" [info@aicpa.org]
Subject: Tax return assistance fraud.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.
Suspension of CPA license due to income tax indictment
Valued AICPA participant,
We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Mon, 10 Dec 2012 14:50:40 -0300
From: "AICPA" [noreply@aicpa.org]
Subject: Your accountant license can be end off.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.
Suspension of Accountant status due to tax return fraud prosecution
Respected AICPA member,
We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.
Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.
SubmittedReport.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


In this case the malicious payload is at [donotclick]eaglepointecondo .org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today*."
* http://blog.dynamoo....ntecondoco.html
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-5/
Dec 10, 2012 - "... noteworthy email threats for the week of December 3 to 7:
- Phishers Target Wells Fargo Clients
- Message from the Department of Investigations
- Amazon eBook Spam in the Wild
- Spam from AICPA ...
(More detail and screenshots at the gfi URL above).

:ph34r: :grrr: :ph34r:

Edited by AplusWebMaster, 10 December 2012 - 09:49 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#831 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 11 December 2012 - 12:42 PM

FYI...

Fake Changelog SPAM / aseniakrol .ru
- http://blog.dynamoo....eniakrolru.html
11 Dec 2012 - "This spam leads to malware on aseniakrol .ru:
Date: Tue, 11 Dec 2012 10:46:43 -0300
From: Tarra Comer via LinkedIn [member @linkedin .com]
Subject: Re: Your Changelog UPDATED
Hi,
as promised your changelog - View
I. Easley


The malicious payload is at [donotclick]aseniakrol .ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."

:grrr: :ph34r:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#832 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 12 December 2012 - 07:33 AM

FYI...

Fake Sendspace emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 12, 2012 - "Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised -bogus- ‘Sendspace File Delivery Notifications‘. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E
Once executed it creates %AppData%\kb00121600.exe on the affected system.
The sample also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ..."
(More detail at the webroot URL above.
* https://www.virustot...1eb2b/analysis/
File name: contacts.exe.x-msdownload
Detection ratio: 33/44
Analysis date: 2012-11-13
___

Fake Citibank SPAM / platinumbristol .net
- http://blog.dynamoo....bristolnet.html
12 Dec 2012 - "This fake Citibank spam leads to malware on platinumbristol .net:
From: citibankonline @serviceemail1 .citibank .com via pado .com .br
Date: 12 December 2012 15:38
Subject: Account Alert
Mailed-by: pado .com .br
Citi
Email Security Zone EMAIL SECURITY AREA
ATM/Credit card ending in: XXX7
Alerting System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12
Log In to Overview Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12
Visit this link to Overview Detailed information
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
Š 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
From: citibankonline @serviceemail5 .citibank .com via clickz .com
Date: 12 December 2012 15:39
Subject: Account Notify
Mailed-by: clickz .com
Citi
Email Security Zone EMAIL SAFETY AREA
ATM/Debit card ending in: XXX7
Alerting System
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12
Visit this link to Cancel Details
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12
Sign In to Overview Details
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 23:16:15 +0700
From: alets-no-reply @serviceemail6 .citibank .com
Subject: Account Insufficient funds
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX0
Notifications System
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12
Login to Abort Detailed information
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12
Go to web site by clicking here to See Operation
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 20:07:46 +0400
From: citibankonline @serviceemail8 .citibank .com
Subject: Account Operation Alert
EMAIL SECURITY ZONE
Credit card ending in: XXX0
Notifications System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12
Click Here to Review Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12
Sign In to View Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auomatic informational system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.


The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.
I can see the following evil domains on that same server..."
(More detail at the dynamoo URL above.)

:grrr: :ph34r:

Edited by AplusWebMaster, 12 December 2012 - 12:44 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#833 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 13 December 2012 - 07:37 AM

FYI...

Fake Citi Cards SPAM / 6.bbnface .com and 6.mamaswishes .com
- http://blog.dynamoo....acecom-and.html
13 Dec 2012 - "This fake Citi Cards spam leads to malware on 6.bbnface .com and 6.mamaswishes .com:
Date: Thu, 13 Dec 2012 11:59:33 +0300
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$8,803.77
Minimum Payment Due: $750.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
============================
Date: Thu, 13 Dec 2012 10:30:55 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$5,319.77
Minimum Payment Due: $506.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.


The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface .com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes .com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent."
___

More "Copies of Policies" SPAM / awoeionfpop .ru:
- http://blog.dynamoo....eionfpopru.html
13 Dec 2012 - "This spam leads to malware on awoeionfpop .ru:
Date: Thu, 13 Dec 2012 09:08:32 -0400
From: "Myspace" [noreply @message .myspace .com]
Subject: Fwd: Deshaun - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Deshaun ZAMORA,


The malicious payload is at [donotclick]awoeionfpop .ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
(More dtail at the dynamoo URL above.)
___

Fake Citibank SPAM / eaglepointecondo .biz
- http://blog.dynamoo....tecondobiz.html
13 Dec 2012 - "This fake Citibank spam leads to malware on eaglepointecondo .biz:
Date: Thu, 13 Dec 2012 16:59:14 +0400
From: "Citi Alerts" [lubumbashiny63 @bankofdeerfield .com]
Subject: Account Operation Alert
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX8
Notifications System
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12
Sign In to Abort Details
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12
Login to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Alerts [mailto:enormityyf10 @iztzg .hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX6
Notifications System
Bill Payment
Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12
Visit this link to Cancel Detailed information
Bill Payment
Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12
Login to Review Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auto informer system unable to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Service [mailto:goaliesj79 @wonderware .com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX8
Alerting System
Withdraw Message
Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12
Login to Abort Operation
Withdraw Message
Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12
Sign In to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.


The malicious payload is on [donotclick]eaglepointecondo .biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can."

:grrr: :ph34r:

Edited by AplusWebMaster, 13 December 2012 - 12:47 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#834 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 14 December 2012 - 07:43 AM

FYI...

Dexter malware targets POS systems...
- http://www.theregist...ts_pos_systems/
14 Dec 2012 - "You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems. First spotted by security firm Seculert*, the malware dubbed "Dexter" is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers. The US, the UK, and Canada top the list of countries where the malicious app has been found... Once the malware is installed on a POS system, it grabs the machine's list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave**..."
* http://blog.seculert...f-point-of.html

** http://blog.spiderla...ands-dirty.html
___

Something evil on 87.229.26.138
- http://blog.dynamoo....8722926138.html
14 Dec 2012 - "This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example*).
* http://urlquery.net/...t.php?id=406222
There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.
The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha @yahoo .com
The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen @yahoo .com
If you can block the IP address then it will be the simplest option as there are rather a lot of domains here..."
(More detail at the dynamoo URL above.)
___

Fake Citibank SPAM / 4.whereintrentinoaltoadige .com
- http://blog.dynamoo....oaltoadige.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige .com:
Date: Fri, 14 Dec 2012 13:54:14 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,550.67
Minimum Payment Due: $764.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to... and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
====================
Alternative mid-sections:
Statement Date: December 13, 2012
Statement Balance: -$8,902.58
Minimum Payment Due: $211.00
Payment Due Date: Tue, January 01, 2013
Statement Date: December 13, 2012
Statement Balance: -$9,905.95
Minimum Payment Due: $535.00
Payment Due Date: Tue, January 01, 2013


The malicious payload is at [donotclick]4.whereintrentinoaltoadige .com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US)... malicious domains are also on the same server..."
(More detail at the dynamoo URL above.)
___

More Citibank SPAM / 6.bbnsmsgateway .com
- http://blog.dynamoo....gatewaycom.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 6.bbnsmsgateway .com:
Date: Fri, 14 Dec 2012 19:27:56 +0530
From: Citi Cards [citicards @info.citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info.citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,873.54
Minimum Payment Due: $578.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.


The malicious payload is at [donotclick]6.bbnsmsgateway .com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent."
___

Changelog SPAM / aviaonlolsio .ru
- http://blog.dynamoo....onlolsioru.html
14 Dec 2012 - "This fake Changelog spam leads to malware on aviaonlolsio .ru:
From: messages-noreply @bounce .linkedin .com [mailto :messages-noreply @bounce .linkedin .com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)
Hi,
as promised - View
I. SWEET
====================
Date: Fri, 14 Dec 2012 05:22:54 +0700
From: "Kaiya HIGGINS" [fwGpEzHIGGINS @hotmail .com]
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
as promised chnglog updated - View
I. HIGGINS


The malicious payload is at [donotclick]aviaonlolsio .ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
___

Fake Chase emails lead to malware
- http://blog.webroot....ead-to-malware/
Dec 14, 2012 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog....ring.png?w=1024
... the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
“C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
Total path and file name length must not exceed 260 characters. The system cannot find the path specified.“

Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 * ... Trojan-PSW.Win32.Tepfer.cbrv.
Makes DNS request to 3.soundfactor .org, then it establishes a TCP connection with 184.184.247.60 :14511, as well as UDP connections to the following IPs:
184.184.247.60 :23089
99.124.198.193 :13197
78.93.215.24 :14225
68.167.50.61 :28650 ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1355442736/
File name: Statement_ID.pdf.exe
Detection ratio: 42/46
Analysis date: 2012-12-13

:grrr: :ph34r:

Edited by AplusWebMaster, 14 December 2012 - 03:50 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#835 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 17 December 2012 - 09:53 AM

FYI...

Pharma SPAM - pillscarehealthcare .com
- http://blog.dynamoo....recom-spam.html
17 Dec 2012 - "There has been a massive amount of pharma spam pointing to pillscarehealthcare .com over the past 48 hours or so. Here are some examples:
Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From: "Account Info Change" [tyjinc @palmerlakearttour .com]
To: [redacted]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
==================
Date: Mon, 17 Dec 2012 01:22:56 -0700
From: "Angela Snider" [directsales @tyroo .com]
To: [redacted]
Subject: Pending ticket status
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 21:37:47 -0700
From: "Alexis Houston" [cmassuda @agf .com .br]
To: [redacted]
Subject: Pending ticket notification
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 07:06:30 -0800
From: "Account Sender Mail" [daresco @excite .com]
To: [redacted]
Subject: Account is now available
Login unavailable due to maintenance ([redacted])
Hello,
Your Account is now available.
Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.
Access Your Account
Hope this information helps you.
Thanks,
Support team
==================
From: Kennedi Marquez [mailto:cwtroutn @naturalskincarereviews .info]
Sent: 17 December 2012 11:18
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support


This appears to be punting fake drugs rather than malware. pillscarehealthcare .com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address..."
(More detail at the dynamoo URL above.)

:ph34r: :grrr:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#836 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 18 December 2012 - 07:18 AM

FYI...

Fake UPS/USPS SPAM / apensiona .ru
- http://blog.dynamoo....pensionaru.html
18 Dec 2012 - "Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS/USPS/ FilesTube spam leads to malware on apensiona .ru:
From: FilesTube [mailto: filestube @filestube .com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839
USPS Customer Services for big savings!
Can't see images? CLICK HERE.
UPS - UPS TEAM 60 >>
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS .com Customer Services
Good Evening, [redacted].
DEAR USER , Recipient's address is wrong
Track your Shipment now!
With Respect To You , Your UPS .com Customer Services.
Shipping | Tracking | Calculate Time & Cost | Open an Account
@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department


The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address..."
(More detail at the dynamoo URL above.)
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-6/
Dec 18, 2012 - "... noteworthy email threats for the week... covering the dates of December 10 to 14...

“Mailbox Upgrade” Email is a Phish...
> http://gfisoftware.t...edentials-phish
... Malicious URLs: my3q .com/survey/458/webgrade2052/77717.phtml

Unsolicited “Adobe CS4 License” Leads to Malware...
> http://gfisoftware.t...se-spam-returns
... Malicious URLs: safeshopper .org.nz/redirecting.htm, happy-school .edu.pl/redirecting.htm, amnaosogo .ru:8080/forum/links/column.php...

Spammers Target Citibank Clients.
> http://gfisoftware.t...-statement-spam
... Malicious URLs... (See the gfisoftware.tumblr URL above).
___

LinkedIn SPAM / apensiona .ru
- http://blog.dynamoo....pensionaru.html
18 Dec 2012 - "This fake LinkedIn spam leads to malware on apensiona .ru:
From: messages-noreply @bounce .linkedin .com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Hien Lawson
Accept
View invitation from Hien Lawson
WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
Hien Lawson's connections could be useful to you
After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation


The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php (the same payload as here*) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithunia)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit , UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69
..."
* http://blog.dynamoo....pensionaru.html

:ph34r: :grrr:

Edited by AplusWebMaster, 18 December 2012 - 04:46 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#837 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 19 December 2012 - 09:27 AM

FYI...

Fake AV - Malware sites to block 19/12/12
- http://blog.dynamoo....ock-191212.html
19 Dec 2012 - "This group of sites appears to be using a fake AV applications to download a malicious file scandsk.exe (report here*) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).
* https://www.virustot...4bc70/analysis/
Detection ratio: 14/45
This is a screenshot of the fake AV in action:
> https://lh3.ggpht.co...1600/fakeav.png
From this point, the scandsk.exe gets download either through an exploit or social engineering. This executable looks like some sort of downloader, which attempt to pull down additional data from these non-responding domains:
report.q7ws17sk1ywsk79g .com
report.7ws17sku7myws931u .com
report.u79i1qgmywskuo9o .com
There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent... but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
descr: marysanders1net
country: IE
org: ORG-OH5-RIPE
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go .com registered in China which has been fingered as an attack site before... I would recommend blocking the entire 46.105.131.120/29 to be on the safe side. The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo .com, ez .lv and zyns .com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches. 79.133.196.103 is part of small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com

Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here..."
(More detail at the dynamoo URL above.)
___

Fake Facebook SPAM / 46.249.58.211 and 84.200.77.218
- http://blog.dynamoo....8420077218.html
19 Dec 2012 - "There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:
From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account
Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http ://www.facebook .com/confirmemail.php?e=[redacted]
You may be asked to enter this confirmation code: [redacted]
The Facebook Team
Didn't sign up for Facebook? Please let us know.


46.249.58.211 (Serverius Holding, Netherlands)...
84.200.77.218 (Misterhost, Germany)...
GFI has some more details on this one here*."
* http://gfisoftware.t...o-spam-activity
Your Facebook Account is Blocked due to Spam Activity
Dec 19, 2012
___

Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
- http://blog.webroot....ome-extensions/
Dec 19, 2012 - "Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history...
Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension
:
> https://webrootblog....nsion.png?w=702
The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:
> https://webrootblog....png?w=477&h=289
Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:
> https://webrootblog....png?w=555&h=355
... the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:
> https://webrootblog....png?w=614&h=324
In case users choose -not- to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning -them- money:
> https://webrootblog....png?w=554&h=310
... Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs..."
___

Google Docs SPAM/PHISH...
- https://isc.sans.edu...l?storyid=14731
Last Updated: 2012-12-19 - "... Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the -trusted- google .com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform... such scams aren't going away any time soon..."
> F-secure: http://www.f-secure....s/00002168.html
> GFI: http://www.gfi.com/b...-docs-phishing/
> Sophos: http://nakedsecurity...om-google-docs/
... Recipients who clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture...
> https://isc.sans.edu...k-service-3.png
... The attacker was likely using a -compromised- Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form... Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer..."
___

LinkedIn Spam: The Repeat
- http://www.gfi.com/b...pam-the-repeat/
Dec 19, 2012 - "Another slew of spam claiming to originate from LinkedIn has hit the wild Internet in less than 24 hours, according* to the real time recording and tracking of email threats by our researchers in the AV Labs.
* http://gfisoftware.t...on-spam-returns
... Here’s what the email looks like:
> http://www.gfi.com/b...dIn_1218-wm.png
From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend
I’d like to add you to my professional network on LinkedIn.
[Allow button] View invitation from {redacted}
WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?
{redacted} connections could be useful to you
After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:
> http://www.gfi.com/b...-wm-300x105.png
This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.
> http://www.gfi.com/b...-wm-300x131.png
when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites..."
___

Wire Transfer SPAM / angelaonfl .ru
- http://blog.dynamoo....gelaonflru.html
19 Dec 2012 - "This fake Wire Transfer spam leads to malware on angelaonfl .ru:
Date: Wed, 19 Dec 2012 11:26:24 -0500
From: "Myspace" [noreply @message .myspace .com]
Subject: Wire Transfer (3014YZ20)
Welcome,
Your Wire Transfer Amount: USD 45,429.29
Transfer Report: View
EULALIA Henry,
The Federal Reserve Wire Network


The malicious payload is at [donotclick]angelaonfl .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithunia)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)
The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69
..."
(More detail at the dynamoo URL above.)
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Home > Security Intelligence Operations > Latest Threat Information > Threat Outbreak Alerts
Fake Order Request E-mail Messages - December 19, 2012
Fake Party Invitation E-mail Messages - December 19, 2012
Fake Sample Product Quote E-mail Messages - December 19, 2012
Fake Scanned Image E-mail Messages - December 19, 2012
Fake Unspecified E-mail Messages - December 18, 2012
Fake Payment Invoice E-mail Messages - December 18, 2012
Fake Funds Transfer Notification E-mail Message - December 18, 2012
Fake Airline Ticket Order Notification E-mail Messages - December 18, 2012
Fake Product Order Quotation Attachment E-mail Message - December 18, 2012
Fake Tax Invoice E-mail Messages - December 18, 2012
Fake Order Invoice Notification E-mail Messages - December 18, 2012
Fake Sales Request E-mail Messages - December 18, 2012 ...

:grrr: :ph34r: :ph34r:

Edited by AplusWebMaster, 19 December 2012 - 10:23 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#838 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 20 December 2012 - 01:12 PM

FYI...

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 20, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog....exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog....loit_kit_01.png
Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
With the following value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = “”%AppData%\KB00121600.exe”"
It then creates the following Mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It also drops the following MD5s:
MD5: 9e7577dc5d0d95e2511f65734249eba9
MD5: 61bb88526ff6275f1c820aac4cd0dbe9
MD5: b360fec7652688dc9215fd366530d40c
MD5: f6ee1fcaf7b87d23f09748cbcf5b3af5
MD5: d7a950fefd60dbaa01df2d85fefb3862
MD5: ed662e73f697c92cd99b3431d5d72091
It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA. We’ve already seen the same command and control server used in the following previously profiled malicious campaigns..."
* https://www.virustot...1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

Sendspace "You have been sent a file" SPAM / apendiksator .ru
- http://blog.dynamoo....-file-spam.html
20 Dec 2012 - "This fake Sendspace spam leads to malware on apendiksator .ru:
Date: Thu, 20 Dec 2012 09:25:36 -0300
From: "SHIZUKO Ho"
Subject: You have been sent a file (Filename: [redacted]-28.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace.(It was sent by SHIZUKO Ho).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
===
Date: Thu, 20 Dec 2012 05:05:02 +0100
From: "GENNIE Hensley"
Subject: You have been sent a file (Filename: [redacted]-7123391.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace.(It was sent by GENNIE Hensley).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


The malicious payload is at [donotclick]apendiksator .ru:8080/forum/links/column.php hosted on:
91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
These IPs and domains are all related and should be blocked:
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf .ru
angelaonfl .ru
akionokao .ru
apendiksator .ru
..."
___

"New message" SPAM, fake dating sites and libertymonings .info
- http://blog.dynamoo....-sites-and.html
20 Dec 2012 - "This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012 .asia and libertymonings .info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
Date: Thu, 20 Dec 2012 20:50:17 -0200
From: "SecureMessage System" [2F5DEE622 @hungter .com]
Subject: New message
Click here to view the online version.
New private message from Terra Fisher received.
Total unread messages: 5
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
-------------------------
Date: Thu, 20 Dec 2012 20:36:14 -0200
From: "Secure Message" [82E8ACBD @lipidpanel .com]
Subject: New message
Click here to view the online version.
New private message from Josefina Albert received.
Total unread messages: 3
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


In these cases, the targets URLs are [donotclick]site-dating2012 .asia/link.php and [donotclick]site-dating2012 .asia/link.php both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211(also at Serverius Holding). These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010 .info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page. The site also contains an apparent Java exploit that loads in from libertymonings.info on 84.200.77.218 (Misterhost, Germany) which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings .info/index/zzz/?a=YWZmaWQ9MDAxMTA= which attempts to download a Java exploit from [donotclick]libertymonings .info/analizator_data/ztsvgnvlmhe-a.qsypes.jar which is pretty thinly detected according to VirusTotal*.
The following IPs and domains are all related and should be blocked if you can:
46.249.42.161
46.249.58.211
84.200.77.218
..."
* https://www.virustot...sis/1356045558/
File name: ztsvgnvlmhe-a.qsypes.jar
Detection ratio: 6/45
Analysis date: 2012-12-20

:grrr: :ph34r: :ph34r:

Edited by AplusWebMaster, 20 December 2012 - 08:47 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#839 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 21 December 2012 - 10:04 AM

FYI...

Malware sites to block 21/12/12
- http://blog.dynamoo....ock-211212.html
21 Dec 2012 - "There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection machanism appears to be coming from an unidentified ad running on the centerblog .net blogging system (I think specifically [donotclick]zezete2.centerblog .net/i-247-136-1356095651.html)
The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)
[donotclick]svwlekwtaign.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.
avigorstats .pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan, but this is just the tip of a -huge- iceberg of malicious IPs and domains that are all interconnected.
Let's start with my personal recommended blockist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain for for copy and pasting)..
Recommended blockist (annotated)...
Recommended blockist (Plain list)..."
(Too long to post here - see the dynamoo URL above - 'great list to use!)
___

Profile Spy...
- http://www.gfi.com/b...yan-apocalypse/
Dec 21, 2012 - "... Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who have been viewing their profiles. Today, on the eve of the rumored 'EoW', it has decided to rear its ugly head once more... the criminals behind it have used a number of tactics to make users hand over their credentials or give them money — like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store. This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared... Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser... This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it — secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation... [UPDATE: Google has now taken down the Profile Spy page on the Chrome Web Store.] Watch that mouse pointer... careful where you direct and click it."
(Screenshots and more info available at the gfi URL above.)
___

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 21, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog....exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog....loit_kit_01.png
... Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo.com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo.com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon ...
Responding to 59.57.247.185 are also the following malicious domains..."
(More detail at the webroot URL above.)
* https://www.virustot...1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

‘Work at Home” scams impersonating CNBC spotted in the wild
- http://blog.webroot....ed-in-the-wild/
Dec 21, 2012 - "... a currently circulating “Work At Home” scam that’s successfully and professionally impersonating CNBC in an attempt to add more legitimacy to its market proposition – the Home Business System...
Sample screenshot of the spamvertised email impersonating CNBC:
> https://webrootblog....ome_scam_01.png
Sample screenshot of the fake CNBC news article detailing the success of the Home Business System:
> https://webrootblog....t_home_scam.png
No matter where you click, you’ll always be redirected to the Home Business System.
Sample bogus statistics sent by customers of the system:
> https://webrootblog....ome_scam_02.png
What’s particularly interesting about this campaign is the way the scammers process credit card details. They do it internally, not through a payment processing intermediary, using basic SSL encryption, featuring fake “Site Secured” logos, including one that’s mimicking the “VeriSign Secured” service. Although the SSL certificate is valid, the fact that they even require your CVV/CVV2 code, without providing adequate information on how they store and actually process the credit card numbers in their possession, is enough to make you extremely suspicious.
Sample spamvertised URLs:
hxxp ://5186d4d1.livefreetimenews .com/
hxxp ://5f4a8abae0.get-more-news .com/
Domains participating in the campaign:
worldnewsyesterday .com – Email: johnjbrannigan @teleworm .us
worldnewsimportant .com – Email: johnjbrannigan @teleworm .us
hbs-system .com – Email: cinthiaheimbignerupbg @hotmail .com
Historically, the following domains were also used in a similar fashion:
homeworkhere .com – Email: zoilaprni4d @yahoo .com
lastnewsworld .com – Email: shirleysmith57 @yahoo .com
homecompanysystem .com – Email: deloristrevertonef53 @yahoo .com
> https://webrootblog....ome_scam_04.png
Users are advised -not- to click on links found in spam emails, and to never entrust their credit card details to someone who’s spamvertising you using the services of some of the most prolific botnets currently online."

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster, 21 December 2012 - 09:00 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#840 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 22 December 2012 - 04:43 PM

FYI...

"New message received" SPAM / siteswillsrockf .com and undering .asia
- http://blog.dynamoo....eived-spam.html
22 Dec 2012 - "This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday ( http://blog.dynamoo....ock-211212.html ).
Date: Sat, 22 Dec 2012 16:55:38 +0300
From: "Secure.Message" [FAA55EEEE @valencianadeparketts .es]
Subject: New message received
Click here to view the online version.
Hello [redacted],
You have 5 new messages.
Read now
Copyright 2012 SecurePrivateMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted] with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=
undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
inetnum: 46.249.42.0 - 46.249.42.255 ...
The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius* who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
There are lots of other suspect domains on these two IPs as well:
46.249.42.161 ...
46.249.42.168 ..."
(Too many to post here - see the dynamoo URL above for more detail.)
* https://www.google.c...c?site=AS:50673

:ph34r: :grrr: :grrr:

Edited by AplusWebMaster, 22 December 2012 - 04:51 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#841 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 23 December 2012 - 09:59 PM

FYI...

Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net
- http://blog.dynamoo....direktasia.html
23 Dec 2012 - "Another fake "SecureMessage" spam leading to malware, the same in principle to this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:
Date: Sun, 23 Dec 2012 14:26:32 +0530
From: "Secure.Message"
Subject: Alert: New message
Click here to view the online version.
Hello [redacted],
You have 4 new messages.
Read now
Copyright 2012 SecureMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....eived-spam.html

** https://www.google.c...c?site=AS:50673

:grrr: :ph34r:

Edited by AplusWebMaster, 23 December 2012 - 11:36 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#842 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 26 December 2012 - 08:41 AM

FYI...

Eastern bloc SPAM...
- http://blog.dynamoo....e-athiests.html
25 Dec 2012 - "... eastern bloc... spammers are sending out today.
Date: Tue, 25 Dec 2012 22:56:51 -0700
From: "Ticket Support"
Subject: Password Assistance
Thank you for your letter of Dec 25, your information arrived today.
Alright, here's the link to the site:
Proceed to Site
If we can help in any way, please do not hesitate to contact us.
Regards, Yuonne Ferro, Support Team manager.


Some variants of the body text:
- "Thank you for contacting us, your information arrived today."
- "Thank you for your letter regarding our products and services, your information arrived today."
- "Thank you for considering our products and services, your information arrived today."
Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."
(More detail at the dynamoo URL above.)
* https://en.wikipedia...usiness_Network
"... a host of the infamous Russian Business Network cyber-crime gang..."

> https://www.google.c...c?site=AS:34109
___

Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...
- http://blog.webroot....nterfeit-drugs/
Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimately looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...
Sample screenshot of the spamvertised email
:
> https://webrootblog....png?w=373&h=244
Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
> https://webrootblog....e_01.png?w=1009
Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.html
Landing URL: hxxp ://canadapharmcanadian .net – 109.120.138.155
... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...
(More detail at the webroot URL above.)...

This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimately looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."
___

Fake E-billing SPAM / proxfied .net
- http://blog.dynamoo....roxfiednet.html
26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:
Date: Wed, 26 Dec 2012 18:49:37 +0300
From: alets-no-reply @customercenter .citibank .com
Subject: Your Further eBill from Citibank Credit Card
Member: [redacted]
Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery.
Your Account: Important Warning
New eBill Available
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36
How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.
Please don't reply to this message.
If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.
E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.
To set up alerts sign on by clicking this link and go to Account Profile.
I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
If you want to communicate with us in writing concerning this email, please direct your correspondence to:
Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.
2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
3843054050826645
1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================
(More sample FAKE emails shown at the dynamoo URL above.)

The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:
sessionid0147239047829578349578239077 .pl
latticesoft .net
proxfied .ne
t ..."
___

Fake NACHA SPAM / bunakaranka .ru:
- http://blog.dynamoo....akarankaru.html
26 Dec 2012 - "This fake ACH / NACHA spam leads to malware on bunakaranka .ru:
Date: Wed, 26 Dec 2012 06:48:11 +0100
From: Tagged [Tagged @taggedmail .com]
Subject: Re: Fwd: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department


The malicious payload is on [donotclick]bunakaranka .ru:8080/forum/links/column.php hosted on the following well-known IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Plain list:
91.224.135.20
187.85.160.106
210.71.250.131

Associated domains..."

:ph34r: :ph34r: :grrr:

Edited by AplusWebMaster, 26 December 2012 - 04:41 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#843 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 27 December 2012 - 10:02 AM

FYI...

Fake Twitter DM emails leads to Canadian Pharma SPAM
- http://www.gfi.com/b...an-pharma-spam/
Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.
> http://www.gfi.com/b...picpublish1.png
"Hello, Can i publish link to your photo on my web page?" Another one says:
"Hi. Can i publish link to your video on my home page?"
In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:
> http://www.gfi.com/b...picpublish2.jpg
Festive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."
___

Fake British Airways E-ticket receipts serve malware
- http://blog.webroot....-serve-malware/
Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=553
Sample detection rate for the malicious attachment:
MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.I
Upon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEX
It also initiates POST requests to the following IP: 87.255.51.229/ff/image.php
As well as DNS requests to the following hosts:
zzbb45nnagdpp43gn56 .com – 87.255.51.229
a9h23nuian3owj12 .com – 87.255.51.229
zzbg1zv329sbgn56 .com – 87.255.51.229
http ://www.update .microsoft .com – 65.55.185.26
ddbbzmjdkas .us
ddbbzmjdkas .us
The IPs are currently sinkholed by Abuse.ch..."
* https://www.virustot...sis/1356554124/
File name: BritishAirways-eticket.exe
Detection ratio: 39/46
Analysis date: 2012-12-26
___

Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....t_kit.png?w=603
Sample spamvertised compromised URLs:
hxxp ://www.aberdyn .fr/letter.htm
hxxp ://www.aberdyn .fr/osc.htm
Sample client-side exploits serving URLs:
hxxp ://apendiksator .ru:8080/forum/links/column.php
hxxp ://sectantes-x .ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002
Client-side exploits served: CVE-2010-0188
Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.
Upon execution, the sample phones back to the following command and control servers:
178.77.76.102 (AS20773)
91.121.144.158 (AS16276)
213.135.42.98 (AS15396)
207.182.144.115 (AS10297)
More MD5s are known to have phoned back to the same IPs..."
* https://www.virustot...59be3/analysis/
File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489ee
Detection ratio: 27/42
Analysis date: 2012-09-30

:grrr: :ph34r: :ph34r:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#844 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 28 December 2012 - 08:05 AM

FYI...

Fake IRS SPAM / tv-usib .com
- http://blog.dynamoo....tv-usibcom.html
28 December 2012 - "This fake IRS spam leads to malware on tv-usib .com:
Date: Thu, 27 Dec 2012 22:14:44 +0400
From: Internal Revenue Service [information @irs .gov]
Subject: Your transaction is not approved
Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.
Canceled Tax transfer
Tax Transaction ID: 3870703170305
Rejection ID See details in the report below
Federal Tax Transaction Report tax_report_3870703170305.pdf (Adobe Acrobat Document)
Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon


The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:
sessionid0147239047829578349578239077.pl
tv-usib .com
proxfied .net
timesofnorth .net
latticesoft .net ..."

:grrr: :ph34r:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#845 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 02 January 2013 - 07:37 AM

FYI...

Malware sites to block - 2 Jan 2013
- http://blog.dynamoo....block-2113.html
2 Jan 2013 - "The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them...
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf .ru
akionokao .ru
bilainkos .ru
bumarazhkaio .ru
bunakaranka .ru
..."
___

Malware sites to block - 2 Jan 2013 part II
- http://blog.dynamoo....13-part-ii.html
2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.
* http://malwaremustdi...am-up-with.html
As far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers.. so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.
IPs... Domains ..."
(Long list at the dynamoo URL above.)

:ph34r: :!:

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#846 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 04 January 2013 - 08:45 AM

FYI...

Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”
- http://www.gfi.com/b...ound-about-you/
Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:
> http://www.gfi.com/b...1/twitspam1.jpg
There’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to login would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."
* http://www.phishtank...hish_id=1643038
___

Fake Ebay/Paypal emails lead to client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 4, 2013 - "Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain names reconnaissance:
litefragmented .pro – 59.64.144.239 – Email: kee_mckibben0869 @macfreak .com
Name Server: NS1.CHELSEAFUN .NET
Name Server: NS2.CHELSEAFUN .NET...
... ibertomoralles .com – 59.57.247.185 – Email: rick.baxter @costcontrolsoftware .com
Name Server: NS1.SOFTVIK .NET – 84.32.116.189 – Email: farbonite @hotmail .com
Name Server: NS2.SOFTVIK .NET – 15.209.33.133 – Email: farbonite @hotmail .com ...
___

Fake 'bank reports' emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
apendiksator .ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
Name server: ns1.apendiksator .ru – 62.76.186.24
Name server: ns2.apendiksator .ru – 110.164.58.250
Name server: ns3.apendiksator .ru – 42.121.116.38
Name server: ns4.apendiksator .ru – 41.168.5.140
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf .ru – 91.224.135.20
angelaonfl .ru – 91.224.135.20
akionokao .ru – 91.224.135.20 ...
Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."
* https://www.virustot...d73da/analysis/
File name: cs8v0k.exe
Detection ratio: 34/42
Analysis date: 2012-06-20
___

Fake BBB (Better Business Bureau) emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 2, 2013 - "Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau). Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1 @yahoo .com
Name Server: NS1.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com...
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to: 94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/ ..."
* https://www.virustot...01bff/analysis/
File name: KB00182962.exe
Detection ratio: 30/45
Analysis date: 2013-01-04
___

Fake Verizon Wireless emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 2, 2013 - "... yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless...
Malicious domain name reconnaissance:
proxfied .net – 59.57.247.185 – Email: colorsandforms @aol .com
Name Server: NS1.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com ..."

:grrr: :ph34r:

Edited by AplusWebMaster, 04 January 2013 - 09:48 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#847 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 07 January 2013 - 10:32 AM

FYI...

Fake O2 Shop emails - Phish ...
- http://www.gfi.com/b...le-phishy-bait/
Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.
> http://www.gfi.com/b...3/01/fakeo2.jpg
Dear User,
    You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions.
    Regards,
    O2 Customer Service


As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace...  treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."
 

:ph34r: :grrr:


This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#848 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 08 January 2013 - 06:26 PM

FYI...

Malware sites to block 8/1/13
- http://blog.dynamoo....block-8113.html
8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today:
41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik .ru

Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

Update: some sample emails pointing to a malicious landing page at  [donotclick]belnialamsik .ru:8080/forum/links/column.php:
Date:      Tue, 8 Jan 2013 10:05:55 +0100
From:      Shavonda Duke via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
===
Date:      Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From:      FilesTube [filestube @filestubecom]
Subject:      Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH  transactions have been
temporarily disabled.
 View details
Best regards,
Security department

___

Fake "Federal ACH Announcement" SPAM / cookingcarlog .net
- http://blog.dynamoo....ement-spam.html
8 Jan 2013 - This rather terse spam leads to malware on cookingcarlog .net:
From:     Federal Reserve Services @ sys.frb .org [ACHR_59273219 @fedmail .frb .org]
    Date:     8 January 2013 15:11
    Subject:     FedMail ®: Federal ACH Announcement - End of Day - 12/27/12
    Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here.


The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
* http://wepawet.isecl...7658280&type=js

Added - a BBB spam is also doing the rounds with the same payload:
Better Business Bureau ©
    Start With Trust �
    Mon, 7 Jan 2013
    RE: Case N. 54809787
    [redacted]
    The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.
    We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.
    We are looking forward to your prompt response.
    WBR
    Mason Turner
    Dispute Consultant
    Better Business Bureau
    Better Business Bureau
    3063   Wilson Blvd, Suite 600  Arlington, VA 22701
    Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277

___

Fake BBB SPAM / royalwinnipegballet .net
- http://blog.dynamoo....gballetnet.html
8 Jan 2013 - "This fake BBB spam leads to malware on royalwinnipegballet .net:
Date:      Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
    From:      Better Business Bureau <information @bbb .org>
    To:      [redacted]Subject:      BBB information regarding your customer's appeal ¹ 96682901
    Better Business Bureau ©
    Start With Trust ©
    Mon, 7 Jan 2013
    RE: Complaint # 96682901
    [redacted]
    The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
    We graciously ask you to open the CLAIM REPORT to answer on this reclamation.
    We are looking forward to your prompt answer.
    Faithfully yours
    Alex Green
    Dispute Counselor
    Better Business Bureau
    3063  Wilson Blvd, Suite 600  Arlington, VA 27201
    Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
    This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
===
    Date:      Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
    From:      Better Business Bureau <donotreply @bbb .org>
    Subject:      Better Business Beareau   Pretense ¹ C6273504
    Priority:      High Priority 1
     Better Business Bureau ©
    Start With Trust ©
    Mon, 7 Jan 2013
    RE: Issue No. C6273504
    [redacted]
    The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.
    We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.
    We are looking forward to your prompt rebound.
    Yours respectfully
    Julian Morales
    Dispute Advisor
    Better Business Bureau
    3013   Wilson Blvd, Suite 600  Arlington, VA 20701
    Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
    This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)
 

:grrr: :ph34r: :ph34r:


This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#849 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 09 January 2013 - 08:22 AM

FYI...

Fake AICPA emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 9, 2013 - "... recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
Second screenshot of the spamvertised email from the same campaign:
> https://webrootblog....loit_kit_01.png
Sample subjects: Tax return assistance contrivance; Suspension of your CPA license; Revocation of your CPA license; Your accountant license can be end off; Your accountant CPA License Expiration...
Upon successful client-side exploitation, the campaign drops MD5: 5b7aafd9ab99aa2ec0e879a24610844a * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following actions:
    Creates a batch script
    Accesses Firefox’s Password Manager local database
    Creates a thread in a remote process
    Installs a program to run automatically at logon
It also drops the following MD5 on the affected hosts: MD5: 3e2df81077283e5c9d457bf688779773 ** ... PWS:Win32/Fareit.
It also phones back to the following C&C servers:
hxxp:// 69.64.89.82 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
132.248.49.112
173.192.229.36
64.120.193.112
89.221.242.217
174.143.174.136
209.51.221.247

We’ve also seen and profiled the same IP (132.248.49.112) in multiple previously analyzed malware campaigns..."
* https://www.virustot...e2e12/analysis/
File name: contacts.exe
Detection ratio: 31/45
Analysis date:     2012-12-18
** https://www.virustot...9d67d/analysis/
File name: exp3C6.tmp.exe
Detection ratio: 27/45
Analysis date:     2013-01-04
___

New Year, New Old Threats
- http://www.gfi.com/b...ew-old-threats/
Jan 9, 2013 - "... we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007...
(Screenshots available at the gfi URL above.)
Previous versions of this scam usually asks visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
___

Something evil on 173.246.102.246
- http://blog.dynamoo....3246102246.html
9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious:
11.livinghistorytheatre .ca
11.awarenesscreateschange .com
11.livinghistorytheatre .com
11.b2cviaggi .com
11.13dayz .com
11.lamarianella .info
11.studiocitynorth .tv
11.scntv .tv

These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain."
* http://wepawet.isecl...4e4a3f1&type=js

> https://www.google.c...c?site=AS:29169
"... in the past 90 days. We found 67 site(s)... that infected 262 other site(s)..."
___

Fake ADP SPAM / demoralization .ru
- http://blog.dynamoo....lizationru.html
9 Jan 2013 - "This fake ADP spam leads to malware on demoralization .ru:
Date:      Wed, 9 Jan 2013 04:23:03 -0600
    From:      Habbo Hotel [auto-contact @habbo .com]
    Subject:      ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 948284271
    Wed, 9 Jan 2013 04:23:03 -0600
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www .flexdirect .adp.com/client/login.aspx
    Please see the following notes:
        Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
        Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 703814359
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    � 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]demoralization .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
The following IPs and domains are all related:
82.165.193.26
91.224.135.20
187.85.160.106
demoralization .ru
belnialamsik .ru
bananamamor .r
u ..."
___

Fake BBB SPAM / hotelrosaire .net
- http://blog.dynamoo....rosairenet.html
9 Jan 2013 - "This fake BBB spam leads to malware on hotelrosaire .net:
Date:      Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
    From:      Better Business Bureau <complaint @bbb .org>
    Subject:      BBB notification regarding your  cliente's pretense No. 62850348
    Better Business Bureau ©
    Start With Trust �
    Tue, 8 Jan 2013
    RE: Complaint N. 62850348
    [redacted]
    The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.
    We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.
    We awaits to your prompt reaction.
    Yours respectfully
    Liam Barnes
    Dispute Consultant
    Better Business Bureau
    3053   Wilson Blvd, Suite 600   Arlington, VA 25501
    Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
    This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
    Date:      Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
    From:      Better Business Bureau <donotreply @bbb .org>
    Subject:      BBB  Complaint No. C1343110
    Better Business Bureau ©
    Start With Trust ©
    Tue, 8 Jan 2013
    RE: Case No. C1343110
    [redacted]
    The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.
    We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.
    We are looking forward to your prompt reaction.
    Yours respectfully
    Hunter Gomez
    Dispute Counselor
    Better Business Bureau
    Better Business Bureau
    3053   Wilson Blvd, Suite 600   Arlington, VA 22801
    Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
    This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."

>> https://www.google.c...c?site=AS:21788
"... in the past 90 days. We found 543 site(s).. that infected 5049 other site(s)..."

:grrr: :ph34r: :ph34r:


Edited by AplusWebMaster, 09 January 2013 - 05:38 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#850 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,155 posts

Posted 10 January 2013 - 08:02 AM

FYI...

Fake U.S Airways emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...
Sample screenshot of the spamvertised email:
> https://webrootblog...._expoit_kit.png
... Malicious domain name reconnaissance:
attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com
... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.E
The executable creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
Once executed, the sample phones back to the following C&C servers:
180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."
* https://www.virustot...bd1fe/analysis/
File name: 6f51e309530f8900be935716c3015f58
Detection ratio: 24/46
Analysis date:     2012-12-07
___

Fake ADP SPAM / tetraboro .net and advertizing* .com
- http://blog.dynamoo....rtizingcom.html
10 Jan 2013 - "This fake ADP spam leads to malware on tetraboro .net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly...
Date:      Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
    From:      "ADPClientServices @adp .com" [ADPClientServices @adp .com]
    Subject:      adp_subj
    ADP Urgent Note
    Note No.: 33469
    Respected ADP Consumer January, 9 2013
    Your Processed Payroll Record(s) have been uploaded to the web site:
    Click here to Sign In
    Please take a look at the following details:
    •   Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
    Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
    This notification was sent to current clients in your company that approach ADP Netsecure.
    As general, thank you for choosing ADP as your business butty!
    Ref: 33469


The malicious payload is on [donotclick]tetraboro .net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1 .com through to advertizing9 .com. All of these should be blocked.
5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)
Plain list:
advertizing1 .com
advertizing2 .com
advertizing3 .com
advertizing4 .com
advertizing5 .com
advertizing6 .com
advertizing7 .com
advertizing8 .com
advertizing9 .com
cookingcarlog .ne
hotelrosaire .net
richbergs .com
royalwinnipegballet .net
tetraboro .net
5.135.90.19
91.227.220.121
94.102.55.23
119.78.243.16
198.144.191.50
199.233.233.232
203.1.6.211
222.238.109.66
..."

:grrr: :ph34r:


Edited by AplusWebMaster, 10 January 2013 - 12:55 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.





3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button