SPAM frauds, fakes, and other MALWARE deliveries...


1237 replies to this topic

#901 AplusWebMaster

  • SWI Friend
  • 8,913 posts

Posted 21 March 2013 - 11:08 AM

FYI...

Fake NACHA SPAM / encodeshole .org
- http://blog.dynamoo....nacha-spam.html
21 March 2013 - "This fake NACHA spam leads to malware on encodeshole .org:
    From: "Тимур.Родионов @direct.nacha .org" [mailto:biker @wmuttkecompany .com]
    Sent: 20 March 2013 18:51
    Subject: Payment ID 454806207096 rejected
    Importance: High
    Dear Sirs,
    Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
    Click here for more information
    Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
    Best regards,
    ACH Network Rules Department
    NACHA - The Electronic Payments Association
    10933 Sunrise Valley Drive, Suite 771
    Herndon, VA 20190
    Phone: 703-561-0849 Fax: 703-787-0548


The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
91.234.33.187
encodeshole .org
rotariesnotify .org
rigidembraces .info
storeboughtmodelers .info

* http://urlquery.net/....php?id=1536940

... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 91.234.33.187

- https://www.google.c...c?site=AS:56485
"... over the past 90 days, 54 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-21, and the last time suspicious content was found was on 2013-03-21... Over the past 90 days, we found 8 site(s) on this network... that appeared to function as intermediaries for the infection of 23 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 13 site(s)... that infected 30 other site(s)..."
___

Fake ScanJet SPAM / hillaryklinton .ru
- http://blog.dynamoo....et-spam_21.html
21 March 2013 - "This fake printer spam leads to malware on the amusingly-named hillaryklinton .ru:
    From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn Password
    Sent: 21 March 2013 06:56
    Subject: Scan from a Hewlett-Packard ScanJet #269644
    Attached document was scanned and sent
    to you using a Hewlett-Packard HP Officejet 6209P.
    Sent by: SANDIE
    Images : 1
    Attachment Type: .HTM [INTERNET EXPLORER]
    Hewlett-Packard Officejet Location: machine location not set


In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)
Blocklist:
50.22.0.2
62.75.157.196
109.230.229.156

foruminanki .ru
forumla .ru
forumny .ru
gulivaerinf .ru
gxnaika .ru
hanofk .ru
heelicotper .ru
hifnsiiip .ru
hillaryklinton .ru
himalayaori .ru
humalinaoo .ru
* http://urlquery.net/....php?id=1535161
... Detected suspicious URL pattern... Blackhole 2 Landing Page 109.230.229.156
___

Fake CNN emails lead to BlackHole Exploit Kit
- http://blog.webroot....e-exploit-kit/?
March 21, 2013 - "... thousands of malicious ‘CNN Breaking News’ themed emails... exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
webpageparking .net – 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247...
Responding to 24.111.157.113 ... malicious domains...
Upon successful client-side exploitation, the campaign drops MD5: 24d406ef41e9a4bc558e22bde0917cc5 * ... Worm:Win32/Cridex.E...
* https://www.virustot...289be/analysis/
File name: deskadp.dll
Detection ratio: 23/45
Analysis date:     2013-03-21 10:46
___

Fake "Data Processing Service" spam / airtrantran .com
- http://blog.dynamoo....rvice-spam.html
21 Mar 2013 - "This spam leads to malware on airtrantran .com
    Date:      Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
    From:      Data Processing Service [customerservice @dataprocessingservice .com]
    Subject:      ACH file ID "973.995"  has been processed successfully
    Files Processing Service
    SUCCESS Notification
    We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
    FILE SUMMARY:
    Item count: 21
    Total debits: $17,903.59
    Total credits: $17,903.59
    For addidional info    review it here


24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
..."
___

Fake Facebook SPAM / scriptuserreported .org
- http://blog.dynamoo....eportedorg.html
21 Mar 2013 - "This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported .org:
    Date:      Thu, 21 Mar 2013 10:56:28 -0500
    From:      Facebook [update+oi=MKW63Z @facebookmail .com]
    Subject:      John Jenkins commented photo of you.
    facebook
    John Jenkins commented on {l5}.
    reply to this email to comment on this photo.
    see comment
    this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
    facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}


The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
descr:          DoHost n2 p3
country:        FR ...
Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here*). This server also hosts the following potentially malicious domains:
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01 .com
workhomeheres02 .com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12 .pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels .info
supermyadminspanels .info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host .net...
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
5.39.37.31
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Recommended blocklist:
5.39.37.24/29
makeworkhome12 .pl
myadminspanels .info
supermyadminspanels .info
workhomeheres01 .com
workhomeheres02 .com
rl-host .net
pesteringpricelinecom .net
resolveconsolidate.net
scriptuserreported .org
provingmoa .com"
* http://urlquery.net/....php?id=1539128
... Detected live BlackHole v2.0 exploit kit 5.39.37.31
___

Fake Changelog SPAM / hillairusbomges .ru
- http://blog.dynamoo....usbomgesru.html
21 Mar 2013 - "This fake changelog spam leads to malware on hillairusbomges .ru:
    Date:      Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
    From:      LinkedIn Email Confirmation [emailconfirm @linkedin .com]
    Subject:      Re: Changelog Oct.
    Good morning,
    as prmised updated changelog - View
    L. LOYD


The malicious payload is at [donotclick]hillairusbomges .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)
Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204
..."
* http://urlquery.net/....php?id=1540852
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204



Edited by AplusWebMaster, 21 March 2013 - 10:56 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
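The posts above list blocklists (IPs, a /29, domains) and the same Blackhole 2 landing-page paths over and over (":8080/forum/links/column.php", "/closest/<junk>.php", "/close/...php", "/kill/...php"). What a practitioner actually wants is to run those indicators against proxy logs and catch the kit even on a host not yet on any list. The following is an added example by the editor, not code from the original post or from dynamoo/urlquery: it takes a subset of the indicators transcribed from the write-ups, adds path-pattern matching for the landing pages seen here, and scans a constructed, hypothetical proxy-log format (timestamp, client IP, destination IP, URL) that is not any real proxy's native format.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Indicators transcribed from the dynamoo write-ups quoted in the post above.
# This is a subset chosen for the demonstration, not a complete feed.
BLOCK_IPS = {
    "91.234.33.187", "50.22.0.2", "62.75.157.196", "109.230.229.156",
    "24.111.157.113", "58.26.233.175", "109.74.61.59", "155.239.247.247",
    "66.249.23.64", "188.165.202.204",
}
BLOCK_NETS = [ip_network("5.39.37.24/29")]   # the "recommended blocklist" /29
BLOCK_DOMAINS = {
    "encodeshole.org", "hillaryklinton.ru", "scriptuserreported.org",
    "hillairusbomges.ru", "airtrantran.com", "webpageparking.net",
}

# Landing-page path shapes that recur in the posts.  Matching the path alone
# (port ignored) catches the same kit on a host that is not yet on any list.
BH2_PATH_PATTERNS = [
    re.compile(r"^/forum/links/column\.php$"),
    re.compile(r"^/closest/[a-z0-9_-]+\.php$"),
    re.compile(r"^/close/[a-z0-9_-]+\.php$"),
    re.compile(r"^/kill/[a-z0-9_-]+\.php$"),
]


def ip_blocked(value):
    """True if value is a listed IP or falls inside a listed CIDR block."""
    try:
        addr = ip_address(value)
    except ValueError:
        return False                     # a hostname, not an address
    return str(addr) in BLOCK_IPS or any(addr in net for net in BLOCK_NETS)


def domain_blocked(host):
    """Exact or subdomain match against the domain list (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCK_DOMAINS)


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty list if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if domain_blocked(host):
        reasons.append("blocklisted-domain")
    if ip_blocked(host):
        reasons.append("blocklisted-ip")
    if any(p.match(parts.path) for p in BH2_PATH_PATTERNS):
        reasons.append("bh2-url-pattern")
    return reasons


def scan_log(lines):
    """Scan log lines of the hypothetical form
    <timestamp> <client_ip> <dest_ip> <url> and return one dict per hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                     # malformed or blank line
        ts, client, dest, url = fields[:4]
        reasons = classify_url(url)
        if ip_blocked(dest):             # the resolved address can hit even when the name is new
            reasons.append("blocklisted-dest-ip")
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample traffic (not real logs); clients and benign destinations
# use private / documentation address ranges.
SAMPLE_LOG = """\
2013-03-21T11:08:01 10.1.2.3 91.234.33.187 http://encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php
2013-03-21T11:09:14 10.1.2.3 198.51.100.20 http://www.example.com/index.html
2013-03-21T11:10:02 10.1.2.9 109.230.229.156 http://hillaryklinton.ru:8080/forum/links/column.php
2013-03-21T11:11:47 10.1.2.9 5.39.37.31 http://scriptuserreported.org/close/keys-importance-mention.php
2013-03-21T11:12:30 10.1.2.7 198.51.100.77 http://not-yet-listed.example:8080/forum/links/column.php
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], ",".join(hit["reasons"]), hit["url"])
```

The last sample line is the interesting one: the host is on no list and its destination address is clean, yet the "/forum/links/column.php" path alone flags it. Path matching of this kind ages quickly (kit authors rotate paths), so treat it as a hunting signal to be confirmed rather than an automatic block, and keep the IP/domain lists as the enforcement layer.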


#902 AplusWebMaster

Posted 22 March 2013 - 11:15 AM

FYI...

Fake Zendesk SPAM / vagh .ru / pillshighest .com
- http://blog.dynamoo....t-security.html
22 Mar 2013 - "This unusual spam leads to a fake pharma site on pillshighest .com via vagh .ru and an intermediate -hacked- site.
    Date:      Fri, 22 Mar 2013 13:52:08 -0700
    From:      Support Team [pinbot @schwegler .com]
    To:      [redacted]
    Subject:      An important notice about security
    We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.
    We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:
        Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
        Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
        Use a strong password. If your password is weak, you can create a new one.
    We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.
    Support Team
    Questions? See our FAQ.
    This email was sent to [redacted].
    ©2013 Zendesk, Inc. | All Rights Reserved
    Privacy Policy | Terms and Conditions


There appears to be no malware involved in this attack. After the user has clicked through to the -hacked- site (in this case [donotclick]www.2001hockey .com/promo/page/ - report here*) the victim is -bounced- to [donotclick]vagh .ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine**) and then on to [donotclick]pillshighest .com on 91.217.53.30 (Fanjcom, Czech Republic).
Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=1547240
... RBN - Known Russian Business Network IP - 109.120.138.155***

** https://www.google.c...c?site=AS:57954

*** https://www.google.c...c?site=AS:30968

- http://nakedsecurity...ecurity-notice/
March 22, 2013
> https://sophosnews.f...otice.jpg?w=640
___

Fake ACH email - malware...
- http://www.hoax-slay...d-malware.shtml
March 22, 2013 - "Outline: Message purporting to be from the Automated Clearing House (ACH) claims that a file submitted by a user has been successfully processed and invites recipients to click a link to read more information about the large sum transactions listed....
Brief Analysis: The email is -not- from ACH and the transactions listed in the message are not genuine. The -link- in the email opens a compromised website that harbours information-stealing malware... Those who do click the link will be taken to one of several websites that harbour malware. Once downloaded, such malware can typically make connections with remote servers controlled by criminals, download and install further malware components and harvest personal and financial information from the infected computer.
Scammers have targeted the ACH and the entity's managing body NACHA for several years. Some have been malware attacks such as this one. Others have been phishing scams intent on tricking people into divulging their personal and financial information. The ACH is an official funds transfer system that processes large volumes of credit and debit transactions in the United States and this makes it an attractive target for scammers.
Neither ACH nor NACHA will ever send you an unsolicited email that asks you to open an attachment or follow a link and supply personal information. If you receive an email that claims to be from the ACH or NACHA, do not open any attachments that it may contain. Do not follow any links in the email. Do not reply to the email or supply any information to the senders."

Fake Wire Transfer SPAM / dataprocessingservice-alerts .com
- http://blog.dynamoo....singservic.html
22 Mar 2013 - "This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts .com:
    Date:      Fri, 22 Mar 2013 10:42:22 -0600
    From:      support @digitalinsight .com
    Subject:      Terminated Wire Transfer Notification - Ref: 54133
    Immediate Transfers Processing Service
    STATUS Notification
    The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
    TRANSACTION SUMMARY:
    Initiated By: [redacted]
    Initiated Date & Time: 2013-03-21 4:00:46 PM PST
    Reference Number: 54133
    For addidional info visit this link


The payload is at [donotclick]dataprocessingservice-alerts .com/kill/chosen_wishs_refuses-limits.php  (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
..."
* http://urlquery.net/....php?id=1548528
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
___

Fake Changelog SPAM / hohohomaza .ru
- http://blog.dynamoo....hohomazaru.html
22 Mar 2013 - "Evil changelog spam episode 274, leading to malware on hohohomaza .ru. Hohoho indeed.
    Date:      Fri, 22 Mar 2013 11:06:48 -0430
    From:      Hank Sears via LinkedIn [member @linkedin .com]
    Subject:      Fwd: Changelog as promised (upd.)
    Hello,
    as promised changelog - View
    L. HENDRICKS


The malware landing page is at [donotclick]hohohomaza .ru:8080/forum/links/column.php hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64  (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)
Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143
..."



Edited by AplusWebMaster, 23 March 2013 - 10:37 AM.



#903 AplusWebMaster

Posted 25 March 2013 - 12:19 PM

FYI...

Fake BBC emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
March 25, 2013 - "Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the fake BBC News email:
> https://webrootblog...._kit_cyprus.png
... Sample client-side exploits serving URL: hxxp ://crackedserverz .com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1 @gmx .us...
Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 * ...Spyware/Win32.Zbot..."
(More detail at the webroot URL above.)
* https://www.virustot...f38c7/analysis/
File name: 1d4aaaf4ae7bfdb0d9936cd71ea717b2
Detection ratio: 23/45
Analysis date: 2013-03-21
___

Fake Bank of America SPAM / PAYMENT RECEIPT 25-03-2013-GBK-74
- http://blog.dynamoo....receipt-25.html
25 Mar 2013 - "This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip
    Date:      Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
    From:      Bank of America [gaudilyl30 @gmail .com]
    Subject:      Your transaction is completed
    Transaction is completed. $4924 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Payment receipt is attached.
    *** This is an automatically generated email, please do not reply ***
    Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
    © 2013 Bank of America Corporation. All rights reserved


Opening the ZIP file leads to an EXE called PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal*. Comodo CAMAS detects traffic to the domains seantit .ru  and programcam .ru hosted on:
59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithuania)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)
Plain list:
59.99.226.54
66.248.200.143
77.241.198.65
81.20.146.229
103.14.8.20
..."
(More detail at the dynamoo URL above.)
* https://www.virustot...d755d/analysis/
File name: Loaf Harley Goals
Detection ratio: 22/46
Analysis date:     2013-03-25
___

Fake HP ScanJet SPAM / humaniopa .ru
- http://blog.dynamoo....umanioparu.html
25 Mar 2013 - "This fake printer spam leads to malware on humaniopa .ru:
    Date:      Mon, 25 Mar 2013 03:57:54 -0500
    From:      LinkedIn Connections [connections @linkedin .com]
    Subject:      Scan from a HP ScanJet #928909620
    Attachments:     Scanned_Document.htm
    Attached document was scanned and sent
    to you using a Hewlett-Packard HP Officejet 98278P.
    Sent by: CHANG
    Images : 5
    Attachment Type: .HTM [INTERNET EXPLORER]
    Hewlett-Packard Officejet Location: machine location not set


The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
..."
* http://urlquery.net/....php?id=1592330
... Detected suspicious URL pattern... Blackhole 2 Landing Page 95.211.154.196
___

Fake "Copies of policies" SPAM / heepsteronst .ru
- http://blog.dynamoo....steronstru.html
25 Mar 2013 - "This spam leads to malware on heepsteronst .ru:
    Date:      Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
    From:      Ashley Madison [donotreply @ashleymadison .com]
    Subject:      RE: DEBBRA - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    DEBBRA Barnard,


The malicious payload is at [donotclick]heepsteronst .ru:8080/forum/links/column.php (report here*). The IP addresses used are the same ones as used in this attack**."
* http://urlquery.net/....php?id=1593558
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
** http://blog.dynamoo....umanioparu.html
 





#904 AplusWebMaster

Posted 26 March 2013 - 06:52 AM

FYI...

Fake ADP emails lead to malware
- http://blog.webroot....ead-to-malware/
March 26, 2013 - "Over the past week, we intercepted a massive ‘ADP Payroll Invoice” themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog....ader_botnet.png
Detection rate for the malicious attachment:
MD5: 54e9a0495fbd5c952af7507d15ebab90 * ... Trojan.Win32.FakeAV.qqdm
... Initiating the following TCP connections:
213.186.47.54 :8080
195.93.201.42 :80
216.55.186.239 :80
77.92.151.6 :80
66.118.64.208 :80
...
Detection rates for the downloaded malware samples:
hxxp://infoshore.biz/cx5oMi.exe – MD5: 13eeca375585322c676812cf9e2e9789 ** ... Heuristic.LooksLike.Win32.Suspicious.B
hxxp://axelditter.de/w91qZ5.exe – MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM...
It then attempts multiple UDP connection attempts to the following IPs part of the botnet’s infrastructure:
109.162.153.126 :25603
81.149.242.235 :28768
88.241.148.26 :19376
78.166.167.62 :26509
88.232.36.188 :11389
80.6.67.158 :11016
..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1363949422/
File name: ADP_Invoice.exe
Detection ratio: 24/46
Analysis date:     2013-03-22
** https://www.virustot...sis/1363952056/
File name: ADP_cx5oMi.exe
Detection ratio: 3/46
Analysis date:     2013-03-22
___

Fake NACHA SPAM / breathtakingundistinguished .biz
- http://blog.dynamoo....inguishedb.html
26 March 2013 - "This fake NACHA spam leads to malware on breathtakingundistinguished .biz:
    From: "Гена.Симонов@direct .nacha .org" [mailto:corruptnessljx953 @bsilogistik .com]
    Sent: 25 March 2013 22:26
    Subject: Re: Your Direct Deposit disallowance
    Importance: High
    Attn: Accounting Department
    We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
    Click here for more information
    Please consult with your financial institution to acquire the updated version of the software.
    Yours truly,
    ACH Network Rules Department
    NACHA - The Electronic Payments Association
    19681 Sunrise Valley Drive, Suite 275
    Herndon, VA 20135
    Phone: 703-561-1796 Fax: 703-787-1698


The malicious payload is at [donotclick]breathtakingundistinguished .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering .biz
hitwiseintelligence .biz
breathtakingundistinguished .biz "
* http://urlquery.net/....php?id=1615815
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 62.173.138.71
___

Fake DHL Spam / LABEL-ID-NY26032013-GFK73.zip
- http://blog.dynamoo....3-gfk73zip.html
26 Mar 2013 - "This DHL-themed spam contains a malicious attachment.
    Date:      Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
    From:      Bart Whitt - DHL regional manager [reports @dhl .com]
    Subject:      DHL delivery report NY20032013-GFK73
    Web Version  |  Update preferences  |  Unsubscribe
    DHL notification
    Our company’s courier couldn’t make the delivery of parcel.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: ETBAKPRSU3
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    DHL Global
    Edit your subscription | Unsubscribe

> https://lh3.ggpht.co...k/s1600/dhl.png

Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46*). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here**."
* https://www.virustot...sis/1364296589/
File name: LABEL-ID-NY26032013-GFK73.exe
Detection ratio: 7/46
Analysis date:     2013-03-26
** http://blog.dynamoo....receipt-25.html

Screenshot: http://threattrack.t...tification-spam
___

Fake eFax SPAM / hjuiopsdbgp .ru
- http://blog.dynamoo....iopsdbgpru.html
26 Mar 2013 - "This fake eFax spam leads to malware on hjuiopsdbgp.ru:
    Date:      Tue, 26 Mar 2013 06:23:36 +0800
    From:      LinkedIn [welcome @linkedin .com]
    Subject:      Efax Corporate
    Attachments:     Efax_Pages.htm
    Fax Message [Caller-ID: 378677295]
    You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
    * The reference number for this fax is [eFAX-677484317].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax ® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax ® Customer Agreement.


The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
..."
* http://urlquery.net/....php?id=1617697
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit 95.211.154.196
___

Fake UPS SPAM / Label_8827712794 .zip
- http://blog.dynamoo....7712794zip.html
26 Mar 2013 - "This fake UPS spam has a malicious EXE-in-ZIP attachment:
    Date:      Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
    From:      UPS Express Services [service-notification @ups .com]
    Subject:      UPS - Your package is available for pickup ( Parcel 4HS287FD )
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.
    CONFIDENTIALITY NOTICE...


The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46*. ThreatExpert reports** that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149

aseforum .ro
htlounge .com
htlounge .net
topcancernews .com
23.localizetoday .com
23.localizedonline .com
23.localizedonline .net"
* https://www.virustot...sis/1364312344/
File name: Label_8827712794.exe
Detection ratio: 6/46
Analysis date:     2013-03-26
** http://www.threatexp...e095b509d678f5e

Screenshot: http://threattrack.t...age-pickup-spam
___

Fake Wire Transfer SPAM / hondatravel .ru
- http://blog.dynamoo....datravelru.html
26 March 2013 - "This fake Wire Transfer spam leads to malware on hondatravel .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
    Sent: 26 March 2013 11:52
    Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
    Dear Bank Account Operator,
    WIRE TRANSFER: FED68081773954793456
    CURRENT STATUS: PENDING
    Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]hondatravel .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack**."
* http://urlquery.net/....php?id=1618697
... Detected suspicious URL pattern... Blackhole 2 Landing Page 66.249.23.64
** http://blog.dynamoo....iopsdbgpru.html

Screenshot: http://threattrack.t...ng-service-spam
___

Fake TRAFFIC TICKET SPAM / hondatravel .ru
- http://blog.dynamoo....datravelru.html
26 Mar 2013 - "I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel .ru:
    Date:      Wed, 27 Mar 2013 04:24:14 +0330
    From:      "LiveJournal .com" [do-not-reply @livejournal .com]
    Subject:      Fwd: Re: NY TRAFFIC TICKET
    New-York Department of Motor Vehicles
    TRAFFIC TICKET
    NEW-YORK POLICE DEPARTMENT
    THE PERSON CHARGED AS FOLLOWS
    Time: 2:15 AM
    Date of Offense: 28/07/2012
    SPEED OVER 50 ZONE
    TO PLEAD CLICK HERE AND FILL OUT THE FORM


The malicious payload appears to be identical to this spam run* earlier today."
* http://blog.dynamoo....datravelru.html

Screenshot: http://threattrack.t...fic-ticket-spam
 



Edited by AplusWebMaster, 27 March 2013 - 01:42 PM.

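A pattern running through these posts is that the same hosting IPs keep turning up under different throwaway domains (50.22.0.2 and 66.249.23.64 in the .ru "column.php" runs, 24.111.157.113 / 58.26.233.175 / 155.239.247.247 in the "Data Processing Service" runs), and dynamoo repeatedly pivots from one indicator to "the following suspect domains are on the same IP". The following is an added example by the editor, not code from the original posts or from dynamoo: it takes (domain, IP) pairs transcribed from the write-ups above as constructed input, finds the IPs shared across campaigns, and groups the domains into clusters via union-find so a single confirmed indicator can be expanded into the infrastructure it is linked to. The caveat the posts themselves state ("assuming that all domains on those are malicious") applies in full: several of these addresses belong to large hosters, so an expanded list is a candidate blocklist to verify, not one to deploy blindly.

```python
from collections import defaultdict

# (domain, hosting IP) pairs transcribed from the dynamoo write-ups quoted in the
# posts above; a deliberately partial transcription used only to drive the example.
HOSTING = [
    ("hillaryklinton.ru", "50.22.0.2"), ("hillaryklinton.ru", "62.75.157.196"),
    ("hillaryklinton.ru", "109.230.229.156"),
    ("hillairusbomges.ru", "50.22.0.2"), ("hillairusbomges.ru", "66.249.23.64"),
    ("hillairusbomges.ru", "188.165.202.204"),
    ("hohohomaza.ru", "50.22.0.2"), ("hohohomaza.ru", "66.249.23.64"),
    ("hohohomaza.ru", "80.246.62.143"),
    ("humaniopa.ru", "66.249.23.64"), ("humaniopa.ru", "72.11.155.182"),
    ("humaniopa.ru", "72.167.254.194"), ("humaniopa.ru", "95.211.154.196"),
    ("hjuiopsdbgp.ru", "66.249.23.64"), ("hjuiopsdbgp.ru", "69.46.253.241"),
    ("hjuiopsdbgp.ru", "95.211.154.196"),
    ("hondatravel.ru", "66.249.23.64"), ("hondatravel.ru", "69.46.253.241"),
    ("airtrantran.com", "24.111.157.113"), ("airtrantran.com", "58.26.233.175"),
    ("airtrantran.com", "109.74.61.59"), ("airtrantran.com", "155.239.247.247"),
    ("dataprocessingservice-alerts.com", "24.111.157.113"),
    ("dataprocessingservice-alerts.com", "58.26.233.175"),
    ("dataprocessingservice-alerts.com", "155.239.247.247"),
    ("webpageparking.net", "109.74.61.59"), ("webpageparking.net", "24.111.157.113"),
    ("encodeshole.org", "91.234.33.187"),
]


def shared_ips(pairs, min_domains=2):
    """IPs that host at least `min_domains` distinct campaign domains."""
    by_ip = defaultdict(set)
    for domain, ip in pairs:
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def clusters(pairs):
    """Connected components of the domain/IP graph (union-find), returned as
    sorted domain lists, largest first: two domains are linked when they share
    a hosting IP, directly or through a chain of other domains."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps the trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    # Domains and IPs are distinct node types, so tag them to avoid collisions.
    for domain, ip in pairs:
        union(("d", domain), ("ip", ip))
    groups = defaultdict(set)
    for domain, _ in pairs:
        groups[find(("d", domain))].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def expand_blocklist(pairs, seed_domain):
    """Every domain and IP reachable from seed_domain through shared hosting.
    Output is a candidate list: verify before blocking, since shared hosters
    carry legitimate tenants too."""
    for group in clusters(pairs):
        if seed_domain in group:
            ips = {ip for d, ip in pairs if d in group}
            return {"domains": group, "ips": sorted(ips)}
    return {"domains": [], "ips": []}


if __name__ == "__main__":
    for ip, doms in sorted(shared_ips(HOSTING).items()):
        print(ip, "->", ", ".join(doms))
    for group in clusters(HOSTING):
        print(len(group), "domains:", ", ".join(group))
    print(expand_blocklist(HOSTING, "hondatravel.ru"))
```

On this input the six .ru "column.php" domains collapse into one cluster because 50.22.0.2, 66.249.23.64, 95.211.154.196 and 69.46.253.241 bridge them, the three "Data Processing Service" domains form a second, and encodeshole.org stands alone. Starting from just hondatravel.ru (two listed IPs) the expansion yields ten IPs, which is exactly why the output needs a human check before it becomes policy.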


#905 AplusWebMaster

Posted 27 March 2013 - 08:26 AM

FYI...

Fake Airline E-ticket receipt SPAM / illuminataf .ru
- http://blog.dynamoo....ts-spam_27.html
27 Mar 2013 - "This fake airline ticket spam leads to malware on illuminataf .ru:
    Date:      Wed, 27 Mar 2013 03:23:05 +0100
    From:      "Xanga" [noreply @xanga .com]
    Subject:      British Airways E-ticket receipts
    Attachments:     E-Ticket-Receipt.htm
    e-ticket receipt
    Booking reference: JQ15191488
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services ...


The attachment E-Ticket-Receipt.htm leads to a malicious payload at [donotclick]illuminataf .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134
..."
* http://urlquery.net/....php?id=1633301
... Detected suspicious URL pattern... Blackhole 2 Landing Page 69.46.253.241
___

Fake NACHA SPAM / mgithessia .biz
- http://blog.dynamoo....thessiabiz.html
27 March 2013 - "This fake NACHA spam leads to malware on mgithessia .biz:
    From: "Олег.Тихонов@direct .nacha .org" [mailto:universe87 @mmsrealestate .com]
    Sent: 27 March 2013 03:25
    Subject: Disallowed Direct Deposit payment
    Importance: High
    To whom it may concern:
    We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
    Click here for more information
    Please consult with your financial institution to obtain the updated version of the software.
    Kind regards,
    ACH Network Rules Department
    NACHA - The Electronic Payments Association
    11329 Sunrise Valley Drive, Suite 865
    Herndon, VA 20172
    Phone: 703-561-1927 Fax: 703-787-1894


The malicious payload is at [donotclick]mgithessia .biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain. However, it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this*.
* http://urlquery.net/....php?id=1635808
... Detected live BlackHole v2.0 exploit kit 46.4.150.118
DNS services are provided by justintvfreefall .org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
..."
___

Sendspace Spam
- http://threattrack.t.../sendspace-spam
27 March, 2013 - "Subjects seen: You have been sent a file (Filename: [removed].pdf)
Typical e-mail details:
    Sendspace File Delivery Notification:
    You’ve got a file called [removed].pdf, (625.62 KB) waiting to be downloaded at sendspace.(It was sent by CONCHA ).
    You can use the following link to retrieve your file:
    Download
    Thank you,
    Sendspace, the best free file sharing service.


Malicious URLs:
    my311 .com/info.htm - 173.246.66.199
    contentaz .com/info.htm - 66.147.244.103
    illuminataf .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84 ..."
Screenshot: https://gs1.wac.edge...8Kj91qz4rgp.png
___

Xerox WorkJet Pro Spam
- http://threattrack.t...orkjet-pro-spam
27 March 2013 - "Subjects seen:
    Fwd: Fwd: Scan from a Xerox W. Pro #[removed]
Typical e-mail details:
    A Document was sent to you using a XEROX WorkJet PRO
    SENT BY : Anderson
    IMAGES : 4
    FORMAT (.JPEG) DOWNLOAD


Malicious URLs:
    thuocdonga .com/info.htm - 66.147.244.103
    ilianorkin .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84
Screenshot: https://gs1.wac.edge...T7vs1qz4rgp.png
 



Edited by AplusWebMaster, 27 March 2013 - 08:51 PM.



#906 AplusWebMaster


Posted 28 March 2013 - 07:04 AM

FYI...

Fake Xerox ptr SPAM / ilianorkin .ru
- http://blog.dynamoo....ianorkinru.html
28 March 2013 - "This fake printer spam leads to malware on ilianorkin .ru:
    From: officejet @[victimdomain]
    Sent: 27 March 2013 08:35
    Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
    A Document was sent to you using a XEROX WorkJet PRO 481864299.
    SENT BY : Omar
    IMAGES : 9
    FORMAT (.JPEG) DOWNLOAD


The malicious payload is at [donotclick]ilianorkin .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
..."
* http://urlquery.net/....php?id=1652917
... Detected suspicious URL pattern... Blackhole 2 Landing Page 140.114.75.84

Screenshot: https://gs1.wac.edge...T7vs1qz4rgp.png
___

Fake Changelog SPAM / Changelog_Urgent_N992.doc.exe
- http://blog.dynamoo....n992docexe.html
28 March 2013 - "This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe
    From:      Logistics Express [admin @ups .com]
    Subject:      Re: Changelog 2011 update
    Hi,
    as promised changelog,
    Michaud Abran


VirusTotal* detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports** the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive. If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases."
* https://www.virustot...sis/1364462703/
File name: Changelog_Urgent_N992.doc.exe
Detection ratio: 18/46
Analysis date:     2013-03-28
** http://camas.comodo....9e26149e977eee6
___

Fake Facebook SPAM / ipiniadto .ru
- http://blog.dynamoo....piniadtoru.html
28 Mar 2013 - "The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto .ru:
    Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
    From:      FilesTube [filestube @filestube .com]
    Subject:      You have notifications pending
    facebook
    Hi,
    Here's some activity you may have missed on Facebook.
    BERTIE Goldstein has posted statuses, photos and more on Facebook.
    Go To Facebook
    See All Notifications
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]ipiniadto .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as used in this attack**:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
..."
* http://urlquery.net/....php?id=1661788
... Detected suspicious URL pattern... Blackholev2 redirection 66.249.23.64
** http://blog.dynamoo....ianorkinru.html
___

Key Secured Message Spam
- http://threattrack.t...ed-message-spam
28 March 2013 - "Subjects seen:
    Key Secured Message
Typical e-mail details:
    You have received a Secured Message from:
    [removed] @key .com
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password -  [removed]
    To read the encrypted message, complete the following steps:
    -  Double-click the encrypted message file attachment to download the file to your computer.
    -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    -  The message is password-protected, enter your password to open it.
    This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from
    disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender
    immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.0016.


Malicious URLs:
    24.cellulazetrainingcenter .com/ponyb/gate.php
    23.mylocalreports .info/ponyb/gate.php
    htlounge .com:8080/ponyb/gate.php
    rueba .com/eXkdB.exe
    nikosst .com/yttur.exe
    bmwautomotiveparts .com/kUXY.exe
"
Screenshot: https://gs1.wac.edge...44wN1qz4rgp.png
___

ADP Netsecure Spam
- http://threattrack.t...-netsecure-spam
28 March 2013 - "Subjects seen:
    ADP Immediate Notification
Typical e-mail details:
    ADP Immediate Notification
    Reference #: [removed]
    Thu, 28 Mar 2013 -01:38:59 -0800
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    flexdirect .adp.com/client/login.aspx
    Please see the following notes:
    •    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    •    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!


Malicious URLs:
    forum.awake-rp .ru/kpindex.htm
    ipiniadto .ru:8080/forum/links/column.php
    otrs.gtg .travel/kpindex.htm
    ej-co .ru/kpindex.htm
    w w w.ddanports .com/kpindex.htm
    yunoksoo.g3 .cc/kpindex.htm
    w w w.nzles .com/kpindex.htm

    thewellshampstead .co.uk/kpindex.htm
Screenshot: https://gs1.wac.edge...agxw1qz4rgp.png

Fake ADP Spam / ipiniadto .ru
- http://blog.dynamoo....piniadtoru.html
28 Mar 2013 - "This fake ADP spam leads to malware on ipiniadto .ru:
    Date:      Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
    From:      Bebo Service [service @noreply.bebo .com]
    Subject:      ADP Immediate Notification
    ADP Immediate Notification
    Reference #: 120327398
    Thu, 28 Mar 2013 04:22:48 +0600
    Dear ADP Client
    Your Transfer Record(s) have been created at the web site:
    https ://www.flexdirect .adp .com/client/login.aspx
    Please see the following notes:
        Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
        Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This note was sent to acting users in your system that approach ADP Netsecure.
    As usual, thank you for choosing ADP as your business affiliate!
    Ref: 975316004
    HR. Payroll. Benefits.
    The ADP logo and ADP are registered trademarks of ADP, Inc.
    In the business of your success is a service mark of ADP, Inc.
    © 2013 ADP, Inc. All rights reserved.


The malicious landing page and recommended blocklist are the same as for this parallel attack* also running today."
* http://blog.dynamoo....piniadtoru.html
 



Edited by AplusWebMaster, 28 March 2013 - 04:00 PM.

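The posts above (the Changelog_Urgent_N992.doc.exe and INVOICE_28781731.exe attachments) recommend blocking EXE-in-ZIP at the mail gateway. The following is an added example of that check, written for this page and not taken from the dynamoo or ThreatTrack posts. The archives are built in memory from constructed content (a bare 'MZ' header plus filler, not a real program) so it runs offline; the file names mirror the attachments described in this thread, and the extension lists are my own assumptions about what a gateway should treat as executable.

```python
"""Added example: flag ZIP attachments that carry an executable.

Not code from the quoted blog posts; written for this page. The archives
below are constructed in memory, the file names come from the posts above.
"""
import io
import zipfile

# Extensions Windows runs on double-click. The Cisco wire-transfer alert
# further down this thread uses .scr, so the list is wider than .exe alone.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}

# Document-looking inner extensions used as decoys: Changelog_Urgent_N992.doc.exe
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "htm", "html", "txt", "jpg"}

# Every DOS/PE executable starts with this two-byte stub, whatever its name.
PE_MAGIC = b"MZ"


def suspicious_members(zip_bytes):
    """Return (member_name, reason) for each archive member that should be blocked.

    Three checks per entry: the final extension, a double extension such as
    .doc.exe or .pdf.exe, and the PE header of the content itself, which
    catches an executable renamed to .pdf.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTS:
                if len(parts) > 2 and parts[-2] in DECOY_EXTS:
                    findings.append((info.filename, "double extension ." + parts[-2] + ext))
                else:
                    findings.append((info.filename, "executable extension " + ext))
                continue
            with zf.open(info) as fh:  # only the first two bytes are needed
                if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                    findings.append((info.filename, "PE header under non-executable name"))
    return findings


def should_block(zip_bytes):
    """Gateway decision: True if any member is an executable."""
    return bool(suspicious_members(zip_bytes))


def build_zip(members):
    """Build a ZIP archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


FAKE_PE = PE_MAGIC + b"\x00" * 62  # constructed stand-in for an executable
SAMPLE_CHANGELOG = build_zip({"Changelog_Urgent_N992.doc.exe": FAKE_PE})
SAMPLE_INVOICE = build_zip({"INVOICE_28781731.exe": FAKE_PE})
SAMPLE_RENAMED = build_zip({"statement.pdf": FAKE_PE})  # EXE hidden behind .pdf
SAMPLE_CLEAN = build_zip({"report.pdf": b"%PDF-1.4\n", "notes.txt": b"hello\n"})

if __name__ == "__main__":
    for label, blob in (("changelog", SAMPLE_CHANGELOG), ("invoice", SAMPLE_INVOICE),
                        ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, "BLOCK" if should_block(blob) else "pass", suspicious_members(blob))
```

The content check matters as much as the name check: the posts note these samples carry a PDF icon and a decoy extension, and a filter that only looks at the last extension will pass an executable renamed to .pdf. Password-protected ZIPs defeat the content check, which is why the "Key Secured Message" lure above ships its payload that way.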


#907 AplusWebMaster


Posted 29 March 2013 - 10:50 AM

FYI...

Fake 'Overdue Payment' Spam
- http://threattrack.t...ue-payment-spam
March 29, 2013 - "Subjects seen:
    Please respond - overdue payment
Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 02/04/2013 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Caroline Givens


Malicious URLs:
    24.cellutytelosangeles .com/ponyb/gate.php
    24.cellutytela .com/ponyb/gate.php
    topcancernews .com:8080/ponyb/gate.php
    spireportal .net/L3ork1v.exe
    ftp(DOT)riddlepress .com/bahpZsn6.exe
    easy .com.gr/QpEQ.exe
"
Screenshot: https://gs1.wac.edge...e7bS1qz4rgp.png

Fake Overdue payment SPAM / INVOICE_28781731.zip
- http://blog.dynamoo....yment-spam.html
29 Mar 2013 - "This spam comes with a malware-laden attachment called INVOICE_28781731.zip:
    Date:      Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
    From:      Victor_Lindsey @key .com
    Subject:      Please respond - overdue payment
    Please find attached your invoices for the past months. Remit the payment by 02/04/2013
    as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Victor Lindsey
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY...


Unzipping the attachment gives a malware filed called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal* detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports** a callback to topcancernews .com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack***. Looking for that IP in your logs might show if any of your clients."
* https://www.virustot...sis/1364586082/
File name: INVOICE_28781731.exe
Detection ratio: 16/46
Analysis date:     2013-03-29
** http://camas.comodo....36ef091ee4c1a16
*** http://blog.dynamoo....7712794zip.html
___

Fake FlashPlayer/browser hijack in-the-wild
- http://blogs.technet...Redirected=true
26 Mar 2013 - "... The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
> https://www.microsof...s/preflayer.jpg
... most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe... It then changes the user’s browser start page. It changes the start page for the following browsers:
FireFox, Chrome, Internet Explorer, Yandex
... to one of the following pages:
    hxxp ://www.anasayfada .net
    hxxp ://www.heydex .com
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing... Domain info...
hxxp ://www.anasayfada .net - 109.235.251.146
hxxps ://flash-player-download .com/ - 31.3.228.202
hxxp ://www.yonlen .net/ - 37.220.28.122
hxxp ://www.heydex .com - 188.132.235.218 [ now > 109.200.27.170 ]
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA... misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust."
 



Edited by AplusWebMaster, 29 March 2013 - 11:48 PM.



#908 AplusWebMaster


Posted 01 April 2013 - 02:15 PM

FYI...

Fake Facebook Security Check Page
- http://blog.trendmic...ity-check-page/
Mar 31, 2013 - "Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception. We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to -redirect- users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”. It does this by redirecting all traffic to facebook.com and www.facebook.com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site. Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ at face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration... we also discovered that the malware performs DNS queries to several domain names. What this means is that the people behind this are prepared for server malfunction and have a backup to continue stealing information. To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification..."

Screenshot: https://www.net-secu...b-sec-check.jpg
___

Fake Last Month Remit Spam
- http://threattrack.t...onth-remit-spam
Apr 1, 2013 - "Subjects seen:
FW: Last Month Remit
Typical e-mail details:
    File Validity: 04/05/2013
    Company : [removed]
    File Format: Office - Excel
    Internal Name: Remit File
    Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
    Original Filename: Last month remit file.xls


Malicious URLs:
    3ecompany .com:8080/ponyb/gate.php
    24.chiaplasticsurgery .com/ponyb/gate.php
    24.chicagobodysculpt .com/ponyb/gate.php
    brightpacket .com/coS0GiKE.exe
    extremeengineering .co.in/Vh3a9601.exe
    CornwallCommuter .com/TLJrtcxA.exe


Screenshot: https://gs1.wac.edge...yvth1qz4rgp.png
 



Edited by AplusWebMaster, 02 April 2013 - 08:11 AM.

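The Trend Micro post above describes TSPY_MINOCDO.A pinning facebook.com and www.facebook.com in the HOSTS file to the infected machine itself. The following is an added example of a hosts-file check for that kind of hijack, written for this page and not code from the Trend Micro post. It goes slightly further than the specific case: it flags a hosts entry for a watched domain or any subdomain of it, and reports whether the entry points at the local machine, a private network address, or a remote host (the classic pharming variant). The hosts-file contents are constructed samples; the watched-domain list is an assumption to be extended for your own targets.

```python
"""Added example: detect a HOSTS-file hijack of a watched domain.

Not code from the Trend Micro post; written for this page. The hosts-file
contents below are constructed samples.
"""
import ipaddress

# Domains no legitimate hosts file should pin (assumed list; extend as needed).
WATCHED_DOMAINS = ("facebook.com",)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Comments ('#') and blank lines are skipped; a line may list several
    hostnames for one address, and each is yielded separately.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield line_no, fields[0], name.lower().rstrip(".")


def is_watched(name, watched=WATCHED_DOMAINS):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, ip, reason) for suspicious hosts entries."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "watched domain with unparseable address"))
            continue
        # 127.x / ::1 / 0.0.0.0 keep the victim on the box, which is what
        # TSPY_MINOCDO does; RFC 1918 and public addresses are other variants.
        if addr.is_loopback or addr.is_unspecified:
            where = "local machine"
        elif addr.is_private:
            where = "private network"
        else:
            where = "remote host"
        findings.append((line_no, name, ip, "watched domain pinned to " + where))
    return findings


# Constructed sample: a Windows hosts file after the infection described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are the constructed malicious additions
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
"""

CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts, on Unix /etc/hosts. The post also notes the malware intercepts browser activity directly, so a clean hosts file alone does not clear a host; it only removes the one persistence point this check covers.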


#909 AplusWebMaster


Posted 02 April 2013 - 07:11 AM

FYI...

Fake Changelog emails lead to malware
- http://blog.webroot....ead-to-malware/
April 2, 2013 - "... recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog....gelog.png?w=869
Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 * ... Worm:Win32/Cridex.E.
Upon execution, the sample creates the following processes on the affected hosts:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B ...
It then phones back to hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1364475932/
File name: LLSMGR.EXE
Detection ratio: 35/46
Analysis date:     2013-04-01

- https://www.google.c...ic?site=AS:6724 - 85.214.143.90

- https://www.google.c...c?site=AS:16276 - 91.121.90.92
___

Fake Sendspace SPAM / imbrigilia .ru
- http://blog.dynamoo....brigiliaru.html
2 Apr 2013 - "This fake Sendspace spam leads to malware on imbrigilia .ru:
    Date:      Tue, 2 Apr 2013 03:57:26 +0000
    From:      "JOSIE HARMON" [HARMON_JOSIE @hotmail .com]
    Subject:      You have been sent a file (Filename: [redacted]-7191.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
    sendspace - The best free file sharing service...


The malicious payload is at [donotclick]imbrigilia .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
..."
* http://urlquery.net/....php?id=1757102
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
** http://blog.dynamoo....uired-spam.html

Also: http://threattrack.t.../sendspace-spam
2 Apr 2013
Screenshot: https://gs1.wac.edge...EWUN1qz4rgp.png
___

Fake "End of Aug. Statement Required" SPAM / ivanovoposel .ru
- http://blog.dynamoo....uired-spam.html
2 April 2013 - "This spam leads to malware on ivanovoposel .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn
    Sent: 02 April 2013 10:15
    Subject: Re: FW: End of Aug. Statement Reqiured
    Hallo,
    as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
    Regards
    SHONTA SCHMITT


Alternate names:
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798 .htm
Invoice_U453718 .htm
Invoice_U913687 .htm
The attachment leads to malware on [donotclick]ivanovoposel .ru:8080/forum/links/column.php (report here*) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
..."
* http://urlquery.net/....php?id=1751267
... Detected live BlackHole v2.0 exploit kit 94.103.45.34
 



Edited by AplusWebMaster, 02 April 2013 - 03:22 PM.



#910 AplusWebMaster


Posted 03 April 2013 - 08:50 AM

FYI...

Something evil on 151.248.123.170
- http://blog.dynamoo....1248123170.html
3 April 2013 - "151.248.123.170 (Reg .ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame .com/xlawr/next/requirements_anonymous_ordinary.php (report here*) which from the URL looks very much like a BlackHole Exploit kit. This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach..."
(Long list of recommended blocks at the dynamoo URL above.)
* http://urlquery.net/....php?id=1778882
___

Fake eFax SPAM / ivanikako .ru
- http://blog.dynamoo....vanikakoru.html
3 April 2013 - "This fake eFax spam leads to malware on ivanikako .ru:
    From: Global Express UPS [mailto:admin @ups .com]
    Sent: 02 April 2013 21:12
    Subject: Efax Corporate
    Fax Message [Caller-ID: 189609656]
    You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.
    * The reference number for this fax is [eFAX-698329221].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax Ž is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax Ž Customer Agreement.


The malicious payload is at [donotclick]ivanikako .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1786247
... Detected suspicious URL pattern... Blackholev2 redirection 94.103.45.34

Screenshot: https://gs1.wac.edge...bN8o1qz4rgp.png
___

APT malware monitors mouse clicks to evade detection
- https://www.computer...researchers_say
April 2, 2013 - "... Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to "Islamic Jihad.doc." "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post*. The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there's any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click... The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network... The backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers..."
* http://www.fireeye.c...use-clicks.html
April 1, 2013
___

Fake Wire Transfer e-mails
- http://tools.cisco.c...x?alertId=28112
2013 April 03 - "... significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the final confirmation notice. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID5193 and RuleID5193KVR) may contain the following files:
    out going wire. pdf.zip
    npxo.scr
    Sales Contract Order.zip
    DEDE.scr

The npxo.scr file in the out going wire. pdf.zip attachment has a file size of 509,199 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2A41A06A00F4CF58485AF938F01B128D
The DEDE.scr file in the Sales Contract Order.zip attachment has a file size of 221,696 bytes. The MD5 checksum is the following string: 0x79274D0CFAC51906FAF8334952AF2734
The following text is a sample of the e-mail message that is associated with this threat outbreak:
    Subject: Re: Out going wire transfer (High Priority)
    Message Body:
    We have just received instruction to process a wire transfer of $6,780 from your account. Please download/view the attachment for final confirmation and respond as quickly as possible.
    Bank Wire Transfer Department.

-Or-
    Subject: New Order
    Message Body:
    Dear Sir,We are currently running out of stock and would need urgent attentionEnclosed please find a new Order. Please send the delivery as quickly
    as possible.Meanwhile, please send us the Invoice for endorsement.Best regards Krystyna
..."
 



Edited by AplusWebMaster, 03 April 2013 - 05:07 PM.

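The posts in this thread keep publishing the same kinds of indicator: BlackHole v2 landing URLs of the form host:8080/forum/links/column.php and host/closest/<name>.php, Pony check-ins at /ponyb/gate.php, the injected jquery/get.php?ver=jquery.latest.js loader, per-campaign IP blocklists, and (in the 151.248.123.170 post above) a recommendation to block dynamic-DNS suffixes wholesale. The following is an added example of sweeping a proxy log for those indicators, written for this page and not code from dynamoo or ThreatTrack. The log lines are constructed in Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, ident, peer/host, type); the indicator lists are copied from the quoted posts and are a starting point, not a complete feed. Both the requested URL and the server IP the proxy actually connected to are checked, because the campaign rotates domains (ilianorkin .ru, ipiniadto .ru, ivanikako .ru ...) across the same handful of IPs.

```python
"""Added example: sweep a Squid-style proxy log for indicators from this thread.

Not code from the quoted blog posts; written for this page. Log lines below
are constructed; indicator values are taken from the posts above.
"""
import re
from urllib.parse import urlsplit

BLOCK_IPS = {
    "66.249.23.64", "69.46.253.241", "140.114.75.84", "46.4.150.118",
    "80.246.62.143", "94.103.45.34", "151.248.123.170", "199.19.212.149",
}
URL_PATTERNS = [
    ("blackhole_landing", re.compile(r":8080/forum/links/column\.php$")),
    ("blackhole_closest", re.compile(r"/closest/[^/?]+\.php$")),
    ("pony_checkin", re.compile(r"/ponyb/gate\.php$")),
    ("injected_loader", re.compile(r"/jquery/get\.php\?ver=jquery\.latest\.js$")),
]
DDNS_SUFFIXES = ("4mydomain.com", "servegame.com")

SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)"
)


def classify_url(url):
    """Return the indicator names that match one URL (empty list if clean)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in BLOCK_IPS:
        hits.append("blocklisted_ip")
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        hits.append("dynamic_dns")
    # Match patterns against host[:port]/path?query so the :8080 port counts.
    target = parts.netloc + parts.path + ("?" + parts.query if parts.query else "")
    hits.extend(name for name, rx in URL_PATTERNS if rx.search(target))
    return hits


def scan_log(text):
    """Return (client, url, hits) for every log line touching an indicator."""
    alerts = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        hits = classify_url(m.group("url"))
        # Squid's hier field is peer/IP; the IP is the server actually contacted,
        # which catches a fresh domain parked on an already-blocklisted address.
        server_ip = m.group("hier").split("/", 1)[-1]
        if server_ip in BLOCK_IPS:
            hits.append("blocklisted_server_ip")
        if hits:
            alerts.append((m.group("client"), m.group("url"), hits))
    return alerts


# Constructed sample log: one clean request followed by four modelled on the posts.
SAMPLE_LOG = """1364472000.123    210 10.0.0.15 TCP_MISS/200 4311 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1364472001.456    320 10.0.0.15 TCP_MISS/200 2231 GET http://ilianorkin.ru:8080/forum/links/column.php - DIRECT/140.114.75.84 text/html
1364472002.789    150 10.0.0.22 TCP_MISS/200 512 POST http://24.cellulazetrainingcenter.com/ponyb/gate.php - DIRECT/203.0.113.9 text/html
1364472003.000    180 10.0.0.31 TCP_MISS/200 8900 GET http://fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js - DIRECT/151.248.123.170 application/javascript
1364472004.000    180 10.0.0.31 TCP_MISS/200 300 GET http://46.4.150.118/closest/repeating-director_concerns.php - DIRECT/46.4.150.118 text/html
"""

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```

A hit on blocklisted_server_ip with no URL-pattern hit is the interesting case: it is how you notice the next domain in the rotation before anyone has written it up. A client that touched a landing page and then produced a pony_checkin is a host to pull, not a URL to block.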


#911 AplusWebMaster


Posted 04 April 2013 - 10:25 AM

FYI...

- https://www.net-secu...ews.php?id=2455
4.04.2013 - "Malware activity has become so pervasive that organizations experience a malicious email file attachment or Web link as well as malware communication that evades legacy defenses up to once every three minutes, according to FireEye* ..."
* http://www.fireeye.c...eat-report.html

> https://www.net-secu...ye-042013-1.jpg
___

Fake "Bill Me Later" SPAM / PP_BillMeLater_Receipe04032013_4283422.zip
- http://blog.dynamoo....terreceipe.html
4 Apr 2013 - "This fake "Bill Me Later" spam comes with a malicious attachment:
    Date:      Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
    From:      Bill Me Later [notification @billmelater .com]
    Subject:      Thank you for scheduling a payment to Bill Me Later
    BillMeLater
    Log in here
    Your Bill Me Later® statement is now available!
    Dear Customer,
    Thank you for making a payment online! We've received your
    Bill Me Later® payment of $1644.03 and have applied it to your account.
    For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
    Here are the details:
    Your Bill Me Later Account Number Ending in: 0014
    You Paid: $1644.03
    Your Payment Date*: 04/03/2013
    Your Payment Confirmation Number: 228646660603545001
    Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
    BillMeLater
    *NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
    Log in at PayPal.com to make a payment
    Questions:
    Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
    Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
    PP10NDPP1


Screenshot: https://lh3.ggpht.co...ll-me-later.png

There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46*. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29
Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it."
* https://www.virustot...sis/1365065866/
File name: PP_BillMeLater_Receipe_04032013.exe
Detection ratio: 26/46
Analysis date:     2013-04-04
___

Fiserv Money Transfer Spam
- http://threattrack.t...y-transfer-spam
4 April 2013 - "Subjects seen:
    Outgoing Money Transfer
Typical e-mail details:
    An outgoing money transfer request has been received by your financial institution. In order to complete the money transfer please print and sign the attached form.
    To avoid delays or additional fees please be sure Beneficiary Information including name, branch name, address, city, state, country, and RTN or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
    Thank you,
    Joy_Farmer
    Senior Officer
    Cash Management Verification
    Phone : [removed]
    Email: [removed]


Malicious URLs
    3ecompany .com:8080/ponyb/gate.php
    23.wellness-health2day .com/ponyb/gate.php
    23.ad-specialties .info/ponyb/gate.php
    23.advertisingspecialties .biz/ponyb/gate.php
    brightpacket .com/coS0GiKE .exe
    u16432594.onlinehome-server .com/d8dTEXk.exe
    thedryerventdude .com/2FKBSea .exe


Screenshot: https://gs1.wac.edge...RrN91qz4rgp.png
___

Bank of America Trusteer Spam
- http://threattrack.t...a-trusteer-spam
4 April 2013 - "Subjects seen:
    New Critical Update
Typical e-mail details:
    Valued Customer:
    As part of our continued effort to enhance online banking safety, Bank of America announced late last year that it has partnered with Trusteer Rapport to add an additional layer of security to our eBusiness platform and we recommend that all of our online banking customers install the software.


Malicious URLs
    23.proautorepairdenver .com/forum/viewtopic.php
    23.onqdenver .net/forum/viewtopic.php
    23.onqdenver .com/forum/viewtopic.php
    3ecompany .com:8080/forum/viewtopic.php
    dev2.americanvisionwindows .com/rthsWe.exe
    adr2009 .it/R4eFC.exe
    easy .com.gr/2YcB2jL.exe
    konyapalyaco .net/F6pKX68j.exe
    homepage.osewald .de/ynWx1.exe


Screenshot: https://gs1.wac.edge...bMm31qz4rgp.png
___

Fake "British Airways" SPAM / igionkialo .ru
- http://blog.dynamoo....ionkialoru.html
4 Apr 2013 - "This fake British Airways spam leads to malware on igionkialo .ru:
    Date:      Thu, 4 Apr 2013 10:19:48 +0330
    From:      Marleen Camacho via LinkedIn [member @linkedin .com]
    Subject:      British Airways E-ticket receipts
    Attachments:     E-Receipt.htm
    e-ticket receipt
    Booking reference: UMA7760047
    Dear,
    Thank you for booking with British Airways.
    Ticket Type: e-ticket
    This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
    Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
    Yours sincerely,
    British Airways Customer Services
    British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
    British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
    How to contact us
    Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
    If you require further assistance you may contact us
    If you have received this email in error
    This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1805773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
___

Madi/Mahdi/Flashback OS X connected malware spreading through Skype
- http://blog.webroot....-through-skype/
April 4, 2013 - "Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable...
Sample screenshot of the campaign in action:
> https://webrootblog....engineering.png
Sample redirection chain: hxxp ://www.goo .gl/aMrTD?image=IMG0540250-JPG -> hxxp ://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef * ... Gen:Variant.Symmi.17255.
More malware is known to have been rotated on the same IP... Upon execution, MD5: d848763fc366f3ecb45146279b44f16a phones back to hxxp ://xlotxdxtorwfmvuzfuvtspel .com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103. What’s so special about this IP (50.62.12.103) anyway? It’s the fact that it’s known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback MAC OS X malware, proving that someone’s definitely multi-tasking..."
(More detail at the webroot URL above.)
* https://www.virustot...a3b91/analysis/
File name: reznechek.exe
Detection ratio: 27/46
Analysis date:     2013-04-03
___

Legal Case Spam
- http://threattrack.t...legal-case-spam
4 April 2013 - "Re: Our chances to win the case are better than ever.
Typical e-mail details:
    We talked to the administration representatives, and if we acknowledge our minor defiance to improve their statistics, the major suit will be closed due to the lack of the government interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it seems unacceptable, let us know.
    Speech.doc 332kb
    With Best Wishes
    Erica Bermudez


Malicious URLs
    3ecompany .com:8080/ponyb/gate.php
    lanos-info .ru/winadlor.htm


Screenshot: https://gs1.wac.edge...HXcK1qz4rgp.png
___

Penny stock SPAM
- https://isc.sans.edu...l?storyid=15559
Last Updated: 2013-04-05 00:25:54 UTC - "Most of you will remember the penny stock SPAM messages from a few years ago. The main aim of the game is to buy a bunch of penny stock and then do a SPAM campaign to drive buying interest, artificially inflating the price of the stock. They sell and make their money. It may be a few cents per share, but if you own enough of it, it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. It looks however like it is becoming popular again...
News!!!
Date: Thursday, Apr 4th, 2013
Name: Pac West Equities, Inc.
To buy: P_WEI
Current price: $.19
Long Term Target: $.55
OTC News Subscriber Reminder!!! Releases Breaking News This Morning!


What is old is new again..."
 

:grrr: :ph34r:


Edited by AplusWebMaster, 04 April 2013 - 09:44 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#912 AplusWebMaster


Posted 05 April 2013 - 04:25 AM

FYI...

Fake Legal SPAM / itriopea .ru
- http://blog.dynamoo....itriopearu.html
5 Apr 2013 - "This fake legal spam leads to malware on itriopea .ru:
    Date:      Thu, 4 Apr 2013 07:44:02 -0500
    From:      Malaki Brown via LinkedIn [member @linkedin .com]
    Subject:      Fwd: Our chances to gain a cause are better than ever.
    We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.
    Speech.doc 458kb
    With respect to you
    Malaki Brown
==============
    Date:      Thu, 4 Apr 2013 05:37:47 -0600
    From:      Talisha Sprague via LinkedIn [member @linkedin .com]
    Subject:      Re: Fwd: Our chances to gain a suit are higher than ever.
    We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.
    Speech.doc 698kb
    With Best Regards
    Talisha Sprague


The attachment Speech.doc leads to a malicious payload at [donotclick]itriopea .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)
Blocklist (including active nameservers):
62.76.40.244
62.76.41.245
91.191.170.26
93.187.200.250
109.70.4.231
188.65.178.27
199.66.224.130
199.191.59.60
208.94.108.238
..."
* http://urlquery.net/....php?id=1824890
... Detected suspicious URL pattern... Blackhole 2 Landing Page 93.187.200.250
___

Facebook Photo Share Spam
- http://threattrack.t...hoto-share-spam
5 Apr 2013 - "Subjects Seen:
    [removed] shared photo of you.
Typical e-mail details:
    [removed] commented on Your photo.
    Reply to this email to comment on this photo.


Malicious URLs
    barroj .info/images/cnnbrnews.html
    craftypidor .info/complaints/arrangement-select.php


Screenshot: https://gs1.wac.edge...mG4I1qz4rgp.png
___

Fake Invoice SPAM / ijsiokolo .ru
- http://blog.dynamoo....jsiokoloru.html
5 Apr 2013 - "This fake invoice spam leads to malware on ijsiokolo .ru:
    Date:      Fri, 5 Apr 2013 07:57:37 +0300
    From:      "Account Services ups" [upsdelivercompanyb @ups .com]
    Subject:      Re: End of Aug. Statement Required
    Attachments:     Invoice_AF146989113.htm
    Good morning,
    I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
    Regards
    DAYLE PRIEST
===========
    Date:      Fri, 5 Apr 2013 07:56:53 -0300
    From:      "Tracking" [ups-account-services @ups .com]
    Subject:      Re: FW: End of Aug. Stat.
    Hallo,
    I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
    Regards
    Mariano LEE


The .htm attachment in the email leads to malware at [donotclick]ijsiokolo .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238
..."
* http://urlquery.net/....php?id=1829725
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
___

Fake "Copies of Policies" SPAM / ifikangloo .ru
- http://blog.dynamoo....ikanglooru.html
5 April 2013 - "This spam leads to malware on ifikangloo .ru:
    From: KaelSaine @mail .com [mailto:KaelSaine @mail .com]
    Sent: 05 April 2013 11:43
    Subject: Fwd: LATONYA - Copies of Policies
    Unfortunately, I cannot obtain electronic copies of the SPII policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    LATONYA Richmond,


The link in the email leads to a legitimate -hacked- site and then on to [donotclick]ifikangloo .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238
..."
* http://urlquery.net/....php?id=1831322
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
** http://blog.dynamoo....jsiokoloru.html

Variation - same theme: http://threattrack.t...f-policies-spam
5 Apr 2013

Screenshot: https://gs1.wac.edge...LKJT1qz4rgp.png
___

Fake eFax Corporate Spam
- http://threattrack.t...corpoprate-spam
5 April 2013 - "Subjects Seen:
   Corporate eFax message from Caller ID : “[removed]” - 3 page(s)
Typical e-mail details:
    You have received a 3 page(s) fax at 2013-04-05 02:31:33 CST.
    * The reference number for this fax is [removed].
    View this fax using your PDF reader.
    Click here to view this message
    Please visit eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
    Thank you for using the eFax service!


Malicious URLs
    estherashe .com/winching/index.html
    23.frameless-glass-shower-enclosures .com/forum/viewtopic.php
    23.frameless-glass-shower-enclosures .com/adobe/update_flash_player.exe
    23.garryowen .biz/adobe/
    albenden .com/F2SyzQtn.exe
    globalinfocomgroup .com/r18Lm7RJ.exe
    209.164.63.90 /otQw.exe


Screenshot: https://gs1.wac.edge...jWsl1qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 05 April 2013 - 03:22 PM.



#913 AplusWebMaster


Posted 06 April 2013 - 08:43 AM

FYI...

Fake pharmacy SPAM / accooma .org / classic-pharmacy .com
- http://blog.dynamoo....accoomaorg.html
6 April 2013 - "This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:
    Date:      Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
    From:      "Account Info Change" [info @virtualregistrar .com]
    Subject:      Updated information
        Updated information
    Hello,
    The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.
    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.
    This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
    Thanks,
    Customer Support


The link in the email goes to a landing page on accooma .org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy .com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block. There does not appear to be any malware involved (see here* and here**) and of course nobody has changed any details on your account. You can safely ignore these emails. A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party... fake pharma sites are active in this range..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/....php?id=1850413

** http://urlquery.net/....php?id=1850445

- https://www.google.c...c?site=AS:21788
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-06, and the last time suspicious content was found was on 2013-04-06... we found 227 site(s) on this network... that appeared to function as intermediaries for the infection of 981 other site(s)... We found 384 site(s)... that infected 1772 other site(s)..."
___

Fake Facebook pwd reset SPAM / accooma .org
- http://blog.dynamoo....r-password.html
6 April 2013 - "Another very aggressive spam run promoting accooma .org which is a fake pharma site..
    Date:      Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
    From:      Facebook
    Subject:      Reminder: Reset your password
    facebook   
    You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
    This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
    If you have any other questions, please visit our Help Center.
    Thanks,
    The Facebook Team


The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post* about another spam run for the same domain."
* http://blog.dynamoo....accoomaorg.html
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 06 April 2013 - 12:44 PM.



#914 AplusWebMaster


Posted 08 April 2013 - 10:53 AM

FYI...

Fake Bank SPAM / ighjaooru .ru
- http://blog.dynamoo....ghjaooruru.html
8 Apr 2013 - "I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru .ru:
    Date:      Mon, 8 Apr 2013 -01:41:06 -0800
    From:      Coral Randolph via LinkedIn [member @linkedin .com]
    Subject:      Re: Fwd: M&I Bank bankruptcy
    Hi, bad news.
    M&I Bank bankruptcy


The malicious payload is at [donotclick]ighjaooru .ru:8080/forum/links/column.php (report here*) hosted on a whole load of IPs:
72.167.254.194 (GoDaddy, US)
80.246.62.143 (Alfahosting, Germany)
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
72.167.254.194
80.246.62.143
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1885773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
___

Fake obit SPAM / ighjaooru .ru
- http://blog.dynamoo....liefs-spam.html
8 April 2013 - "It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru .ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Josefa Jimenez via LinkedIn
    Sent: 08 April 2013 05:41
    Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs
    Hi, bad news.
    Kissinger: Thatcher's strong beliefs...


The payload and associated domains and IPs are exactly the same as used in this attack*."
* http://blog.dynamoo....ghjaooruru.html
___

Malicious NASA Asteroid Spam
- http://threattrack.t...a-asteroid-spam
8 April 2013 - "Subjects Seen:
    Fwd: NASA plans to catch an asteroid
Typical e-mail details:
    Hi, bad news.
    NASA plans to catch an asteroid..."


Malicious URLs
    worldtennisstars .ru/gakmail.htm
    iztakor .ru:8080/forum/links/column.php


Screenshot: https://gs1.wac.edge...perr1qz4rgp.png
___

Bad News Spam
- http://threattrack.t...8/bad-news-spam
8 April 2013 - "Subjects Seen:

    Fwd: Re: War with N. Korea
    Re: Bank of America bankruptcy
    Re: Fwd: Tax havens busted
    Re: M&I Bank bankruptcy
    Re: Fwd: Shedding light on ‘dark matter’

Typical e-mail details:
    Hi, bad news.

    <E-mail subject news story>


Malicious URLs
    joanred.altervista .org/gakmail.htm
    vtoto .ru/gakmail.htm
    delta-mebel .by/gakmail.htm
    ghostsquad.altervista .org/gakmail.htm
    ighjaooru .ru:8080/forum/links/column.php
    iztakor .ru:8080/forum/links/column.php


Screenshot: https://gs1.wac.edge...esX41qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 08 April 2013 - 11:12 AM.



#915 AplusWebMaster


Posted 09 April 2013 - 09:28 AM

FYI...

Fake HP ScanJet SPAM / jundaio .ru
- http://blog.dynamoo....-jundaioru.html
9 Apr 2013 - "This fake printer spam leads to malware on jundaio .ru:
    Date:      Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
    From:      Scot Crump [ScotCrump @hotmail .com]
    Subject: Re: Scan from a Hewlett-Packard ScanJet  #0437
    Attachment: HP-ScannedDoc.htm
    Attached document was scanned and sent
    to you using a HP HPAD-400812P.
    SENT BY : Scot S.
    PAGES : 9
    FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]


The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1894750
... Detected live BlackHole v2.0 exploit kit 91.191.170.26

- http://nakedsecurity...c-with-malware/
April 4, 2013
___

Fake BoA Bill Payment SPAM / BILL_04092013_Fail.exe
- http://blog.dynamoo....ecent-bill.html
9 Apr 2013 - "This spam contains an attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe
    Date:      Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
    From:      Bank of America [bill.payment @bankofamerica .com]
    Subject:      Unable to process your most recent Bill Payment
    You have a new e-Message from Bank of America
    This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
    Please check attached file for more detailed information on this transaction.
    Pay To Account Number:     **********3454
    Due Date:     05/01/2013
    Amount Due:     $ 508.60
    Statement Balance:     $ 2,986.26
    IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
    If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
    We apologize for any inconvenience this may cause. .
    Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.
    Bank of America, N.A. Member FDIC. Equal Housing Lender
    Š2013 Bank of America Corporation. All rights reserved...


VirusTotal results are only 11/46*.
MD5: 3cb04da2747769460a7ac09d1be44fc6
SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70
ThreatExpert reports** that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger."
* https://www.virustot...sis/1365522944/
File name:     BILL_04092013_Fail.exe
Detection ratio: 11/46
Analysis date:     2013-04-09
** http://www.threatexp...a7ac09d1be44fc6

Screenshot: https://gs1.wac.edge...dYQ91qz4rgp.png
___

Malicious American Airlines Spam
- http://threattrack.t...n-airlines-spam
April 9, 2013 - "Subjects Seen:
    Please download your ticket #[removed]
Typical e-mail details:
    Customer Notification
    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should Download It .


Malicious URLs
    bikemania .org/components/.5wl0rb.php?request=ss00_323


Screenshot: https://gs1.wac.edge...hOy21qz4rgp.png
___

Fake LinkedIn SPAM / jonahgkio .ru
- http://blog.dynamoo....onahgkioru.html
9 Apr 2013 - "This fake LinkedIn spam leads to malware on jonahgkio .ru:
    Date:      Tue, 9 Apr 2013 10:03:31 -0300
    From:      "service @paypal .com" [service @paypal .com]
    Subject:      Join my network on LinkedIn
    LinkedIn
    Marcelene Bruno has indicated you are a Friend
    I'd like to add you to my professional network on LinkedIn.
    - Marcelene Bruno
    Accept
        View invitation from Marcelene Bruno
    WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?
    Marcelene Bruno's connections could be useful to you
    After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
    © 2012, LinkedIn Corporation


The link leads to a malicious payload on [donotclick]jonahgkio .ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
..."
___

Fake Intuit SPAM / juhajuhaa .ru
- http://blog.dynamoo....uhajuhaaru.html
9 Apr 2013 - "This fake Intuit spam leads to malware on juhajuhaa .ru:
    Date:      Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
    From:      Tagged [Tagged @taggedmail .com]
    Subject:      Payroll Account Holded by Intuit
    Direct Deposit Service Informer
    Communicatory Only
    We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.
        Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
        amount to be seceded: 4053 USD
        Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
        Log In to Review Operation
    Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
    Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
    QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
    Thank you for your business.
    Regards,
    Intuit Payroll Services


The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa .ru:8080/forum/links/column.php (report here*) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
...
* http://urlquery.net/....php?id=1900207
... Detected suspicious URL pattern... Blackhole 2 Landing Page 91.191.170.26

Screenshot: https://gs1.wac.edge...NPus1qz4rgp.png
___

Top porn sites lead to malware
- http://blog.dynamoo....to-malware.html
9 Apr 2013 - "... the greatest risk comes from external sites such as crakmedia .com (report*), trafficjunky .net (report**) and traffichaus .com (report***) plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss... If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched... and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential."
(More detail at the dynamoo URL above.)
* http://www.google.co...e=crakmedia.com
** http://www.google.co...rafficjunky.net
*** http://www.google.co...traffichaus.com
___

"Your naked photos online" SPAM ...
- https://www.net-secu...ews.php?id=2460
Apr 9, 2013 - "Malware peddlers continue to use the old "your naked photos online" lure to trick users into following malicious links or downloading malicious attachments, warns Total Defense's* Alex Polischuk. The attached EPS00348.zip file contains an executable of the same name, and sports an icon depicting a natural landscape in order to trick the user into opening it. Unfortunately for those who do, the file is actually a backdoor Trojan that also has the ability to download additional malware onto the compromised computer, allowing the attackers to have total control of it and using it for their own malicious purposes. As always, users are advised -never- to follow links or download files contained in unsolicited emails - no matter the claims they contain and how urgent they sound."
* http://www.totaldefe...ysA-Trojan.aspx
 

:grrr: :ph34r:


Edited by AplusWebMaster, 10 April 2013 - 05:25 AM.



#916 AplusWebMaster


Posted 10 April 2013 - 11:11 AM

FYI...

Massive Google scam sent by email to Colombian domains
- https://isc.sans.edu...l?storyid=15586
Last Updated: 2013-04-10 21:01:28 UTC - "... supposedly good news from a resume they sent to google looking for open positions:
> https://isc.sans.edu...ages/diary1.png
...  The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized by VirusTotal with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.c...key=153521#none and the backdoor description can be found at http://home.mcafee.c...aspx?key=100938 ... people complained about very slow internet links without performing any download operations. If you were affected by this malware, please keep in mind the following recommendations:
- Do not *ever* open attachments from unreliable sources, especially zipped files that have exe files inside. Nothing good can come from it.
- Do not disable any security controls inside your computer like host IPS, antivirus and personal firewall. If you need to work with software that is blocked by any of these controls and there is no way to enable it through them, it is definitely something you should consider not using.
- Malware can control your machine and handle your machine as desired, affecting confidentiality, integrity, availability, traceability and non-repudiation of your information. Avoid performing actions that could materialize such risks like dealing with p2p software."
___

Malware sites to block 10/4/13
- http://blog.dynamoo....lock-10413.html
10 April 2013 - "These domains and IPs are associated with the Amerika gang and are related to this spam run*. Blocking them would be prudent.
46.4.150.96/27
46.161.0.235
93.170.130.241
..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....lware-spam.html
___

Fake credit line SPAM / judianko .ru
- http://blog.dynamoo....as-changed.html
10 April 2013 - "I haven't seen this one before. It leads to malware on judianko.ru:
    From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
    Sent: 10 April 2013 14:24
    Subject: Re: Your credit line percent was changed.
    We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.
    Under this link you can view a details about changing of contract


The link goes through a legitimate but hacked site to [donotclick]judianko .ru:8080/forum/links/column.php (report here*) hosted on:
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
185.5.185.129
188.65.178.27
..."
* http://urlquery.net/....php?id=1915010
... Detected suspicious URL pattern... Blackholev2 redirection successful 188.65.178.27

Screenshot: https://gs1.wac.edge...79cq1qz4rgp.png
___

Fake BBB SPAM / jamiliean .ru
- http://blog.dynamoo....amilieanru.html
10 April 2013 - "This fake BBB spam leads to malware on jamiliean .ru:
    From: Habbo Hotel [mailto:auto-contact @habbo .com]
    Sent: 10 April 2013 00:17
    Subject: Re: Better Business Bureau Complaint
    Good afternoon,
    Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
    from a customer of yours in regard to their dealership with you.
    Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)
    to view the details on this issue and suggest us about your position as soon as possible.
    We hope to hear from you shortly.
    Regards,
    CHRISTI REAGAN
    Dispute Counselor
    Better Business Bureau


There is an attachment BBB-Complaint-US39824.htm with a malicious payload at [donotclick]jamiliean .ru:8080/forum/links/column.php. Associated payload, IPs and domains are the same as this attack* also running today."
* http://blog.dynamoo....as-changed.html

Screenshot: https://gs1.wac.edge...6Jcz1qz4rgp.png
___

Fake Verizon Wireless SPAM / jamtientop .ru
- http://blog.dynamoo....mtientopru.html
10 Apr 2013 - "This fake Verizon Wireless spam leads to malware on jamtientop .ru:
    Date:      Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
    From:      DorianBottom @hotmail .com
    Subject:      Verizon Wireless
    IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
    Your acknowledgment message is issued.
    Your account No. ending in 1332
    Dear Client
    For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
    Please browse your informational message for more details relating to your new transaction.
    Open Information Message
    In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
    Thank you for joining us.     My Verizon is laso works 24 hours 7 days a week to assist you with:
        Viewing your utilization
        Upgrade your tariff
        Manage Account Members
        Pay for your bill
        And much, much more...
    © 2013 Verizon Wireless
    Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
    We respect your privacy. Please browse our policy for more information


The link goes through a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
..."
* http://urlquery.net/....php?id=1919123
... Detected suspicious URL pattern... Blackholev2 redirection 185.5.185.129

Screenshot: https://gs1.wac.edge...QaTS1qz4rgp.png
 



Edited by AplusWebMaster, 11 April 2013 - 10:54 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#917 AplusWebMaster


Posted 11 April 2013 - 11:10 AM

FYI...

Fake Changelog SPAM / juliaroberzs .ru
- http://blog.dynamoo....aroberzsru.html
11 Apr 2013 - "This spam leads to malware on juliaroberzs .ru:
    Date:      Thu, 11 Apr 2013 02:46:13 +0100
    From:      Mayola Phipps via LinkedIn [member@linkedin.com]
    Subject:      Re: changelog UPD.
    Attachments:     changelog.htm
    Good morning,
    as promised changelog is attached (Internet Explorer format)


The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs .ru:8080/forum/links/column.php (report here*) hosted on some familiar IPs**:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
..."
* http://urlquery.net/....php?id=1927055
... Detected suspicious URL pattern... Blackhole 2 Landing Page
** http://blog.dynamoo....mtientopru.html
___

Malicious Xanga Spam
- http://threattrack.t...ious-xanga-spam
11 Apr 2013 - "Subjects Seen:
    Gracelyn [removed] is your new friend!
Typical e-mail details:
    Hey [removed]!
    Now that you are friends with Gracelyn, you can:
    •    Share a memory of Gracelyn
    •    Post on Gracelyn’s Chatboard
    •    More…
    Have fun!
    The Xanga Team


Malicious URLs
    degsme .lv/settingss.htm
    janasika .ru:8080/forum/links/column.php


Screenshot: https://gs1.wac.edge...LAQw1qz4rgp.png
___

Fake UPS SPAM / juliamanako .ru
- http://blog.dynamoo....iamanakoru.html
11 Apr 2013 - "This fake UPS spam leads to malware on juliamanako .ru:
    Date:      Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
    From:      Aida Tackett via LinkedIn [member@linkedin.com]
    Subject:      United Postal Service Tracking Nr. H9544862721
    Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
    UPS - UPS Customer Services
    UPS UPS SUPPORT 56
    UPS - UPS MANAGER 67 >> UPS - UPS SUPPORT 501
    Already Have an Account?
    Enjoy all UPS has to offer by linking your My UPS profile to your account.
    Link Your Account Now >>
    UPS - UPS Customer Services
    Good day, [redacted].
    DEAR CONSUMER , We were not able to delivery the postal package
    Track your Shipment now!
    Pack it. Ship ip. No calculating , UPS .com Customer Services.
    Shipping Tracking Calculate Time & Cost Open an Account
    @ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
    trademarks of United Parcel Service of America, Inc. All rights reserved.
    This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
    USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
    USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
    Attn: Customer Communications Department


The link goes through a legitimate -hacked- site to a malicious landing page at [donotclick]juliamanako .ru:8080/forum/links/column.php hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
..."
___

Malicious QuickBooks Overdue Payment SPAM
- http://threattrack.t...ue-payment-spam
April 11, 2013 - "Subjects Seen:
    Please respond - overdue payment
Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 04/11/2013 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Rusty Coffey


Screenshot: https://gs1.wac.edge...Ri9P1qz4rgp.png

Also: http://security.intu.../alert.php?a=79
Last updated 4/11/2013
 



Edited by AplusWebMaster, 11 April 2013 - 04:18 PM.



#918 AplusWebMaster


Posted 12 April 2013 - 08:59 AM

FYI...

Fake American Airlines emails lead to malware
- http://blog.webroot....ead-to-malware/
April 12, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails impersonating American Airlines in an attempt to trick its customers into thinking that they’ve received a download link for their E-ticket. Once they download and execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....engineering.png
... Detection rate for the malicious executable: MD5: f17ee7f9a0ec3d7577a148ae79955d6a * ... Mal/Weelsof-D..."
(Long list of malware C&C IP's available at the webroot URL above.)
* https://www.virustot...7d3ac/analysis/
File name: f17ee7f9a0ec3d7577a148ae79955d6a
Detection ratio: 27/46
Analysis date:     2013-04-11
___

Chase Bank Credentials Phish
- http://threattrack.t...edentials-phish
April 12, 2013 - "Subjects Seen:
    Chase Online: Site Maintenance Notification
Typical e-mail details:
    Dear Customer:
    As part of our commitment to protecting the security of your account, we routinely verify online profile details. We’re writing you to confirm your Chase account details.
    Your account security is important to us, so we appreciate your prompt attention to this matter. Attached is a form to help complete this process. Download the form and follow the instructions.
    We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
    Sincerely,
    Jennifer Myhre
    Senior Vice President
    Chase Consumer Banking


Malicious URLs
    myasfalisi .gr/images/sampledata/chase.js


Screenshot: https://gs1.wac.edge...6iGe1qz4rgp.png
___

Malicious Wells Fargo Wire Transfer Spam
- http://threattrack.t...e-transfer-spam
April 12, 2013 - "Subjects Seen:
    International Wire Transfer File Not Processed
Typical e-mail details:
    We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
    Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 04/12/2013 03:00 pm PT, the file may not be processed.
    Please view the attached file for more details on this transaction.
    Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
    Event Message ID: [removed]
    Date/Time Stamp: Fri, 12 Apr 2013 12:44:47 -0500 


Malicious URLs
    94.32.66.114 /ponyb/gate.php
    116.122.158.195 :8080/ponyb/gate.php
    embryo-india .com/24gwq.exe


Screenshot: https://gs1.wac.edge...oQum1qz4rgp.png
 



Edited by AplusWebMaster, 12 April 2013 - 03:17 PM.

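Added example (not from this thread or from the blogs quoted above): a short Python script that turns the URL patterns reported in the posts above into a check that can be run over proxy logs. Every RU:8080 landing page above has the same shape, <host>.ru:8080/forum/links/<name>.php (column.php, public_version.php), and the Wells Fargo and USPS runs both call back to /ponyb/gate.php, so both can be matched on structure instead of on individual domains that rotate daily. The blocklist IPs are the ones listed in the posts; the log format and the log lines are constructed for the example.

```python
"""Flag proxy-log requests that match the URL patterns and IP blocklists
reported in the posts above.  Example code added here, not from the original
thread; the log format and the log lines are constructed for the example."""
import re
from urllib.parse import urlsplit

# Indicators taken from the posts: RU:8080 landing-page hosts and Pony gate IPs.
BLOCKLIST_IPS = {
    "91.191.170.26", "185.5.185.129", "188.65.178.27",   # *.ru:8080 landing pages
    "94.32.66.114", "116.122.158.195",                   # /ponyb/gate.php
}

# Blackhole v2 "RU:8080" landing page: <host>.ru on port 8080 with a
# /forum/links/<name>.php path (column.php, public_version.php in the posts).
RU8080_RE = re.compile(r"^/forum/links/[A-Za-z0-9_]+\.php$")
# Pony (Fareit) check-in URL seen in the Wells Fargo / USPS runs.
PONY_GATE_RE = re.compile(r"/ponyb/gate\.php$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url, dst_ip=None):
    """Return the reasons a request looks like one of the campaigns described
    in the thread (empty list if nothing matches)."""
    reasons = []
    # Log writers sometimes drop the scheme; urlsplit needs one to find the host.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    port = parts.port or 80
    if host.endswith(".ru") and port == 8080 and RU8080_RE.match(parts.path):
        reasons.append("blackhole-ru8080-landing")
    if PONY_GATE_RE.search(parts.path):
        reasons.append("pony-gate")
    # Host written as a bare IP, e.g. 94.32.66.114/ponyb/gate.php
    if IPV4_RE.match(host) and host in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip-in-url")
    if dst_ip in BLOCKLIST_IPS:
        reasons.append("blocklisted-dst-ip")
    return reasons


# Constructed sample log: timestamp, client IP, server IP, method, URL, status.
SAMPLE_LOG = """\
2013-04-11T11:58:40Z 10.0.0.5 185.5.185.129 GET http://juliamanako.ru:8080/forum/links/column.php 200
2013-04-11T11:58:41Z 10.0.0.5 173.194.34.14 GET http://www.youtube.com/watch?v=abc123 200
2013-04-12T12:45:02Z 10.0.0.9 94.32.66.114 POST http://94.32.66.114/ponyb/gate.php 200
2013-04-12T12:45:03Z 10.0.0.9 116.122.158.195 POST http://116.122.158.195:8080/ponyb/gate.php 200
2013-04-12T12:46:00Z 10.0.0.9 203.0.113.7 GET http://example.com/forum/links/column.php 404
"""


def scan_log(text):
    """Return (line_number, url, reasons) for every request that matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than crash on them
        dst_ip, url = fields[2], fields[4]
        reasons = classify_url(url, dst_ip)
        if reasons:
            hits.append((n, url, reasons))
    return hits


if __name__ == "__main__":
    for n, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url}  <- {', '.join(reasons)}")
```

The last sample line (a /forum/links/column.php path on an ordinary .com host on port 80) is there on purpose: it does not match, because the pattern requires the .ru host and the 8080 port together, which keeps the rule from firing on every forum that happens to have a links directory.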


#919 AplusWebMaster


Posted 15 April 2013 - 09:50 AM

FYI...

Malicious PayPal Receipt Spam
- http://threattrack.t...pal-recipt-spam
April 15, 2013 - "Subjects Seen:
    Receipt for your PayPal payment to [removed]
Typical e-mail details:
    Hello,
    You sent a payment of $149.49 USD to [removed] ([removed])
    Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
    It may take a few moments for this transaction to appear in your account.


Malicious URLs
    matsum .info/wp-content/plugins/akismet/wp-status.php?1HJN2KC56FN7C
    lacunanotifies .net/closest/incomming_message.php


Screenshot: https://gs1.wac.edge...S1Ce1qz4rgp.png
___

Malicious USPS Delivery Failure Spam
- http://threattrack.t...ry-failure-spam
April 15, 2013 - "Subjects Seen:
    USPS delivery failure report
Typical e-mail details:
    Notification
    Our company’s courier couldn’t make the delivery of package.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: [removed]
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
   If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    USPS Global.


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    serw.myroitracking .com/24gwq.exe


Screenshot: https://gs1.wac.edge...NDsw1qz4rgp.png
___

Bank of America Credentials Phish
- http://threattrack.t...edentials-phish
April 15, 2013 - "Subjects Seen:
    Please confirm your information
Typical e-mail details:
    We have decided to put an extra verification process to ensure your identity and your account security.
    Please click here to continue the verification process and ensure your account security.
    

Malicious URLs
    safe.bankofamerica .logon.canadapenfund.ca/
- 216.227.221.247*

 

Screenshot: https://gs1.wac.edge...toUs1qz4rgp.png

* http://urlquery.net/....php?id=2023194

Diagnostic page for AS15244 (ADDD2NET)
- https://www.google.c...c?site=AS:15244
"Of the 23067 site(s) we tested on this network over the past 90 days, 1138 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-15, and the last time suspicious content was found was on 2013-04-15... Over the past 90 days, we found 173 site(s) on this network... that appeared to function as intermediaries for the infection of 516 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 157 site(s)... that infected 602 other site(s)..."
___

Boston Marathon SPAM ...
- https://isc.sans.edu...l?storyid=15611
Apr 15, 2013 - "Please send any spam (full headers), URLs or other suspicious content scamming off Boston Marathon explosions to handlers@sans.org"
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake USPS Delivery Failure Notification E-mail Messages - 2013 Apr 15
Fake Tax Refund Notification E-mail Messages - 2013 Apr 15
Fake Product Quotation Document E-mail Messages - 2013 Apr 15
Fake Product Inquiry With Attached Sample Design E-mail Messages - 2013 Apr 15
Fake Portuguese Account Regularization Notification E-mail Messages - 2013 Apr 15
Fake Wire Transfer Notification E-mail Messages - 2013 Apr 15
Fake Western Union Money Compensation Notification E-mail Messages - 2013 Apr 15
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Apr 15
Fake Italian Malicious Link E-mail Messages - 2013 Apr 15
Fake Tax Return Submission Notification E-mail Messages - 2013 Apr 15
Fake Credentials Reset Notification E-mail - 2013 Apr 15
Fake Purchase Order Notification E-mail Messages - 2013 Apr 15
Fake Bill Notification E-mail Messages - 2013 Apr 15
Fake Document Sharing E-mail Messages - 2013 Apr 15
(Links and more detail at the cisco URL above.)
 



Edited by AplusWebMaster, 16 April 2013 - 04:27 AM.



#920 AplusWebMaster


Posted 16 April 2013 - 02:49 PM

FYI...

Fake "Fiserv Secure Email Notification" spam
- http://blog.dynamoo....ation-spam.html
April 16, 2013 - "This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.
    From: Fiserv Secure Notification [mailto:secure.notificationi@fiservi.com]
    Sent: Tue 16/04/2013 14:02
    Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5
    You have received a secure message
    Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password -  KsUs3Z921mA
    To read the encrypted message, complete the following steps:
     -  Double-click the encrypted message file attachment to download the file to your computer.
     -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
     -  The message is password-protected, enter your password to open it.
    To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
   2000-2013 Fiserv Secure Systems, Inc. All rights reserved.


In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
At the time of writing, VirusTotal results are just 5/46*. The Comodo CAMAS report is here**, the ThreatExpert report here***... seems to be a Zbot variant.
The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)
Recommended blocklist:
korbi.va-techniker .de
mail.yaklasim .com
phdsurvey .org
vbzmiami .com
user1557864.sites.myregisteredsite .com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13
"
* https://www.virustot...sis/1366120267/
File name: Case_Fiserv_04162013.exe
Detection ratio: 5/46
Analysis date:     2013-04-16 13:51:07 UTC
** http://camas.comodo....a2e921c5b071764
*** http://www.threatexp...ce7562d7b0564f9
___

Malicious American Airlines Spam Continues
- http://threattrack.t...-spam-continues
April 16, 2013 - "Subjects Seen:
    Your order has been completed
    Order #[removed]

Typical e-mail details:
    Customer Notification
    Your bought ticket is attached to the letter as a scan document.
    To use your ticket you should Download It .


Malicious URLs
    caprica-toysncomics .com/components/.a9iifi.php?request=ss00_323
    caprica-toysncomics .com/components/.a9iifi.php?ticket=844_220641690


Screenshot: https://gs1.wac.edge...uTUq1qz4rgp.png
___

Malicious NACHA, ACH Transfer Spam
- http://threattrack.t...h-trasnfer-spam
April 16, 2013 - "Subjects Seen:
   Your ACH transfer
Typical e-mail details:
    The ACH  process  (ID: [removed]), recently   requested  from your  checking account (by  you), was rejected by the  recepient’s bank.

Malicious URLs
    glanvillechiro .com/wp-content/themes/toolbox/achadetails.html
    squirrelguide .com/complaints/was_government-devices.php


Screenshot: https://gs1.wac.edge...LxuS1qz4rgp.png
___

Fake Boston Marathon Scams - Update
- https://isc.sans.edu...l?storyid=15617
2013-04-16
 



Edited by AplusWebMaster, 16 April 2013 - 04:37 PM.

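Added example (not from this thread or from the dynamoo post quoted above): a Python triage routine for the Fiserv-style lure, where the ZIP is password-protected and the password is handed over in the message body, so a gateway scanner that cannot open the archive never sees the .exe inside. The check does not need the password: the ZIP headers say whether members are encrypted, and the member names say whether there is an executable. The message body below is a shortened copy of the lure; the archive is constructed in memory, and because Python's zipfile cannot write encrypted archives the example writes a plain one and sets the encryption flag bit in its headers, which is enough to exercise the metadata check.

```python
"""Triage an e-mail that carries a password-protected ZIP with the password
in the body, as in the Fiserv lure above.  Example code added here, not from
the original post.  The body and the archive are constructed for the example."""
import io
import re
import struct
import zipfile

# Matches "password - KsUs3Z921mA" / "password: hunter2" style hand-overs.
PASSWORD_RE = re.compile(r"password\s*[-:]+\s*(\S+)", re.IGNORECASE)
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def make_flagged_zip(member_name, payload):
    """Build a ZIP whose headers claim the member is encrypted (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    # General-purpose flag bit 0 = encrypted: at offset 6 of the local file
    # header (PK\x03\x04) and offset 8 of the central directory entry (PK\x01\x02).
    local = data.find(b"PK\x03\x04")
    central = data.find(b"PK\x01\x02")
    for off in (local + 6, central + 8):
        (flags,) = struct.unpack_from("<H", data, off)
        struct.pack_into("<H", data, off, flags | 0x0001)
    return bytes(data)


def archive_report(zip_bytes):
    """Return (encrypted_members, executable_members) without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x0001]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXEC_EXTENSIONS)]
    return encrypted, executables


def triage(body, attachments):
    """attachments: dict of filename -> bytes.  Returns the reasons to hold the mail."""
    reasons = []
    pw = PASSWORD_RE.search(body)
    if pw:
        reasons.append(f"password in body: {pw.group(1)}")
    for name, blob in attachments.items():
        if not name.lower().endswith(".zip"):
            continue
        encrypted, executables = archive_report(blob)
        if encrypted:
            reasons.append(f"{name}: encrypted members {encrypted}")
        if executables:
            reasons.append(f"{name}: executable members {executables}")
    return reasons


# Constructed sample: shortened body of the lure plus a flagged archive whose
# member name follows the Case_Fiserv_<MMDDYYYY>.exe pattern from the post.
SAMPLE_BODY = """You have received a secure message
Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
To decrypt the message use the following password -  KsUs3Z921mA
"""
SAMPLE_ATTACHMENTS = {
    "Case_CC3DK9WJW8IG0F5.zip": make_flagged_zip(
        "Case_Fiserv_04162013.exe", b"MZ not a real executable, fixture only"),
}

if __name__ == "__main__":
    for reason in triage(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(reason)
```

Any one of the three findings (password hand-over, encrypted member, executable member) is worth a quarantine on its own; all three together are the signature of this lure, and none of them requires the gateway to decrypt anything.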


#921 AplusWebMaster


Posted 17 April 2013 - 06:54 AM

FYI...

Fake Boston Marathon SPAM / askmeaboutcctv .com
- http://blog.dynamoo....outcctvcom.html
17 April 2013 - "This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv .com:
Sample 1:
    From: Graham Jarvis [mailto:alejandro.alfonzo-larrain @tctwest .net]
    Sent: 17 April 2013 09:49
    Subject: Video of Explosion at the Boston Marathon 2013
    hxxp:||61.63.123.44/news .html
Sample 2:
    From: Sally Rasmussen [mailto:artek33 @risd .edu]
    Sent: 17 April 2013 09:49
    To: UK HPEA 2
    Subject: Aftermath to explosion at Boston Marathon
    hxxp:||190.245.177.248/news .html


(Note that the payload links have been lightly obfuscated, don't click them).
If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv .com/wmiq.html (report here*) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.
* http://urlquery.net/....php?id=2044081
... RedKit applet + obfuscated URL...
more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
[donotclick]46.233.4.113 /boston.html
[donotclick]37.229.92.116 /boston.html
[donotclick]188.2.164.112 /news.html
[donotclick]109.87.205.222 /news.html
I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way."

- http://blog.dynamoo....n-marathon.html
17 April 2013 - "Earlier today I reported some Boston Marathon themed spam and since then I have seen more malicious landing pages on -hacked- legitimate sites as follows (don't click those links, obviously):
hxxp :||46.233.4.113 /boston.html
96.125.163.122 (WebsiteWelcome.com, US) ...
hxxp :||190.245.177.248 /news.html
184.172.168.32 (WebsiteWelcome.com, US)...
hxxp :||95.87.6.156 /boston.html
50.22.194.64 (WebsiteWelcome.com, US)...
69.56.174.178 ...
This situation has been reported to HostGator / WebsiteWelcome who are investigating..."
(More detail at the dynamoo URL above.)

Sample screenshot: https://gs1.wac.edge...VPcg1qz4rgp.png
___

KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast
- http://blog.trendmic...marathon-blast/
April 16, 2013 11:52 pm (UTC-7) - "... a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013" to name a few. Below is a spam sample she found:
> http://blog.trendmic..._blast_fig1.png
The spammed message only contains the URL... but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:
> http://blog.trendmic..._blast_fig2.png
... Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.
> http://blog.trendmic..._blast_fig6.png
... a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief."
___

Boston Marathon bombings used to spread malware
- https://www.net-secu...ews.php?id=2469
April 17, 2013 - "... the Boston Marathon bombings have become an effective lure in the hands of cyber scammers and malware peddlers. Kaspersky Lab researchers are warning about spam emails* offering nothing more than a simple link to a web page that contains URLs of non-malicious YouTube videos about the attacks. Unfortunately, after 60 seconds, another link is activated, and this one leads to a malicious executable:
> https://www.net-secu...xe-17042013.jpg
The file offered for download is a variant of the Tepfer info-stealer Trojan, which phones home to a number of IP addresses in Ukraine, Argentina and Taiwan... don't follow links or download files delivered via unsolicited emails or messages sent via popular social media sites and IM services. Your best bet is to check out reputable news sites for information."
* https://www.secureli...oston_Aftermath
___

Fake BBB SPAM / janariamko .ru
- http://blog.dynamoo....nariamkoru.html
17 Apr 2013 - "After a few quiet days on the RU:8080 spam front it has started again..
    Date:      Wed, 17 Apr 2013 20:18:14 +0800
    From:      "Better Business Bureau" [guttersnipeg792 @ema1lsv100249121 .bbb.org]
    Subject:      Better Business Beareau accreditation Terminated 64A488W04
       Case N. 64A488W04
    Respective Owner/Responsive Person:
    The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.
    We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
bbb .org/business-claims/customercare/report-65896564
    If you think you got this email by mistake - please forward this message to your principal or accountant
    We are looking forward to your prompt answer.
    Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
    Sincerely,
    Gabriel Reyes - Online Communication Specialist
    bbb.org - Start With Trust


The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here*) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
..."
* http://urlquery.net/....php?id=2048054
... Blackholev2 redirection successful 93.187.200.250
___

Another BBB spam run / freedblacks .net
- http://blog.dynamoo....dblacksnet.html
17 Apr 2013 - "Another BBB spam run today, although this time it is not an RU:8080 spam like the one we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau", which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks .net.
    Date:      Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
    From:      BBB [bridegroomc @m.bbb .org]
    Subject:      Better Business Beareau accreditation Cancelled P5088819
    Case No. P5088819
    Respective Owner/Responsive Person:
    The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.
    We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:

 http ://www.bbb  .org/business-claims/customercare/report-02111671
    If you think you recieved this email by mistake - please forward this message to your principal or accountant
    We are looking forward to your prompt answer.
    Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
    Sincerely,
    Ian Wilson - Online Communication Specialist
    bbb.org - Start With Trust


The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here*) hosted on the following IPs:
65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
Blocklist:
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
..."
* http://wepawet.isecl...6206729&type=js
___

Fake CNN .com Boston Marathon SPAM / thesecondincomee .com
- http://blog.dynamoo....athon-spam.html
17 Apr 2013 - "This Boston Marathon themed spam leads to malware on thesecondincomee .com:
Example 1:
    Date:      Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
    From:      CNN Breaking News [BreakingNews@mail.cnn.com]
    Subject:      Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com   
    CNN.com    
    Powered by    
    * Please note, the sender's email address has not been verified.
   You have received the following link from BreakingNews @mail .cnn .com:    
    Click the following to access the sent link:
    Boston Marathon Explosions - Obama Benefits? - CNN.com*
    SAVE THIS link     FORWARD THIS link
    Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
    *This article can also be accessed if you copy and paste the entire address below into your web browser.
    by clicking here

Example 2:
    Date:      Wed, 17 Apr 2013 22:32:56 +0600
    From:      behring401 @mail .cnn .com
    Subject:      Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
    Powered by    
    * Please note, the sender's email address has not been verified.
    You have received the following link from BreakingNews @mail .cnn .com:    
    Click the following to access the sent link:
    Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
    Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
    This article can also be accessed if you copy and paste the entire address below into your web browser.
    by clicking here


Screenshot: https://lh3.ggpht.co.../cnn-boston.png
The malicious payload is at [donotclick]thesecondincomee .com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
The recommended blocklist is the same as used in this earlier attack*."
* http://blog.dynamoo....dblacksnet.html
 



Edited by AplusWebMaster, 17 April 2013 - 02:40 PM.

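Added example (not from this thread or from the blogs quoted above): the Boston Marathon lure page is a row of genuine YouTube embeds with one extra IFRAME that loads the exploit-kit landing page, so the odd one out can be found by looking at every IFRAME's source host and size rather than by knowing the landing domain, which rotates. The Python below does that with the standard-library HTML parser over a page constructed for the example; the allow-list of expected embed hosts and the compromised-site.example landing URL are assumptions, not data from the posts.

```python
"""Find the odd-one-out IFRAME in a lure page like the Boston Marathon one
described above.  Example code added here, not from the original post; the
page below is constructed for the example and the landing URL is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts whose embeds we expect on a video page (assumption for the example).
EXPECTED_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values such as 0, 1, 1px or 0%."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def suspicious_iframes(html):
    """Return [(src, reasons)] for frames that are off-site, tiny or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        reasons = []
        if host not in EXPECTED_EMBED_HOSTS:
            reasons.append("off-site src")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("tiny frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: four real-looking embeds plus the "blank" fifth video,
# which is a frame pointing at a (placeholder) compromised site.
SAMPLE_PAGE = """
<html><body>
<h1>Explosion at Boston Marathon</h1>
<iframe width="560" height="315" src="http://www.youtube.com/embed/aaaa1111"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/bbbb2222"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/cccc3333"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/dddd4444"></iframe>
<iframe width="560" height="315" src="http://compromised-site.example/wmiq.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE):
        print(f"{src}: {', '.join(reasons)}")
```

Note that the malicious frame here is full-sized, exactly as the dynamoo post describes (it "seems blank"), so a check that only looks for 1x1 or display:none frames would miss it; the off-site host test is what catches this campaign, and the size and style tests cover the more common hidden-iframe injections.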


#922 AplusWebMaster


Posted 18 April 2013 - 08:46 AM

FYI...

Malicious Texas Explosion SPAM
- http://blog.dynamoo....-near-waco.html
18 April 2013 - "As I suspected, this didn't take long. This spam is a retread of yesterday's Boston Marathon spam.
    From: Maria Numbers [mailto:tjm7 @deco-club .ru]
    Sent: 18 April 2013 11:51
    To: UK HPEA 3
    Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
    hxxp :||83.170.192.154 /news.html


At the moment the payload site is [donotclick]bigmovies777 .sweans .org/aoiq.html (report here* but site appears b0rked) but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are -hacked- legitimate sites hosted by WebsiteWelcome. If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
> https://lh3.ggpht.co...s-explosion.jpg
The Boston Marathon spam led to a RedKit exploit kit, this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop. Advising your user population of the risk may be prudent.
Sample subjects:
CAUGHT ON CAMERA: Fertilizer Plant Explosion
CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens..."
* http://urlquery.net/....php?id=2061326
___

Malicious West, TX Explosion Spam
- http://threattrack.t...-exploison-spam
18 April 2013 - "Subjects Seen:
    West Tx Explosion
    Video footage of Texas explosion

Typical e-mail details:
    182.235.147.164 /texas.html

Malicious URLs
    182.235.147.164 /texas.html
    78.90.133.133 /news.html


Screenshot: https://gs1.wac.edge...bBze1qz4rgp.png
___

Malicious Secure Message Spam
- http://threattrack.t...re-message-spam
18 April 2013 - "Subjects Seen:
    New Secure Message Received from [removed]
Typical e-mail details:
    Greetings [removed],
    You have received a new secure message from [removed].
    If you are using the Secure Message Plugin in Outlook Messamnger this message will be in your SecureMSG Folder.
    If you are NOT using the Secure Message Plugin, you are able to view it at csiweb.com/[removed] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
    Thank You,
    CSIeSafe


Malicious URLs
    klamzi .hu/csisecurmsg.html?id=8757234110
    sub.newwaysys .com/complaints/rush-lacked_whereby.php


Screenshot: https://gs1.wac.edge...LRZF1qz4rgp.png
___

Texas and Boston Blasts SPAM
- http://www.hotforsec...waves-5973.html
April 18, 2013 - "The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of malicious spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware... based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks. In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users’ account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails. The same criminal group that launched the Boston spam has apparently changed the subject tag line to read: Fertilizer Plant Explosion Near Waco, Texas, Texas Explosion Injures Dozens, West Tx Explosion, Raw: Texas Explosion Injures Dozens, Caught on Camera: fertilizer Plant Explosion Near Waco, Texas. They replaced the ending of the malicious URL with “texas.html” but kept the e-mail format, the compromised domains, the modus operandi, and the RedKit.
Screenshot1: http://www.hotforsec...pam-Waves_1.png
... Users who click the URLs land on a website displaying YouTube videos on the Texas plant blast while, in the background, a component of RedKit downloads malicious software.
Screenshot2: http://www.hotforsec...Spam-Waves2.png
... be cautious and avoid opening e-mails promising exclusive videos about the blast – and never click on the included links..."
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake ADP Payroll Invoice Notification E-mail Messages - 2013 Apr 18
Fake Digital Certificate Notification E-mail Messages - 2013 Apr 18
Fake Lawsuit Documents Attachment E-mail Messages - 2013 Apr 18
Fake PayPal Notification E-mail Messages - 2013 Apr 18
Fake Payment Request Notice E-mail Messages - 2013 Apr 18
Fake Tax Document Submission Notification E-mail Messages - 2013 Apr 18
Malicious Attachment E-mail Messages - 2013 Apr 18
Scanned Document Attachment E-mail Messages - 2013 Apr 18
(Links and more detail available at the cisco URL above.)
 

:grrr: :ph34r:


Edited by AplusWebMaster, 19 April 2013 - 05:50 AM.



#923 AplusWebMaster


Posted 19 April 2013 - 06:14 AM

FYI...

Fake Facebook scam leads to Fake Flash Player...
- http://blog.trendmic...ke-adobe-flash/
April 19, 2013 - "Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.
> https://blog.trendmi...bookprofile.png
... we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead led to this site:
> http://blog.trendmic...cebook-page.jpg
From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If the user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US. Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs... cybercriminals and other bad guys out there are using the platform to launch their schemes. From threats that may steal your credit card information to garden-variety scams, users must always be careful with their social media accounts. Always be wary when clicking links, even if they are from your contacts or friends..."
___

Fake American Express SPAM / CD0199381.434469398992.zip
- http://blog.dynamoo....press-spam.html
19 Apr 2013 - "This fake American Express spam comes with a malicious attachment:
    Date:      Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
    From:      "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
    Subject:      PAYVE - Remit file
    Part(s):        2      CD0199381.434469398992.zip      [application/zip]
    A payment(s) to your company has been processed through the American Express Payment
    Network.
    The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).
       -   The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
       -   The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits.
           For additional information about Deposits, Fees, or your American Express merchant agreement: Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday, 8:00 AM to 8:00 PM ET.
       -   You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services.
           If you are not enrolled in My Merchant Account/OMS, you can do so at www.americanexpress.com/mymerchantaccount or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll be glad to help you.
           For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
    This customer service e-mail was sent to you by American Express. You may receive
    customer service e-mails even if you have unsubscribed from marketing e-mails from
    American Express.
    Copyright 2013 American Express Company...


There is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe [note the date is encoded in the file]. VirusTotal results for that file are just 6/46*. ThreatExpert reports** that the malware communicates with the following servers:
mail.yaklasim .com (212.58.4.13: Doruknet, Turkey)
autoservicegreeley .com (198.100.45.44: A2 Hosting, US)
This malware shares some characteristics with this attack***.
Blocklist:
198.100.45.44
212.58.4.13
..."
* https://www.virustot...sis/1366379362/
File name: CD0199381-04192013.exe
Detection ratio: 6/46
Analysis date:     2013-04-19
** http://www.threatexp...4622e9e5277ffce
*** http://blog.dynamoo....ation-spam.html
 

:grrr: :ph34r:


Edited by AplusWebMaster, 19 April 2013 - 12:31 PM.



#924 AplusWebMaster


Posted 22 April 2013 - 06:54 AM

FYI...

Twitter malware...
- https://www.trusteer...than-just-ideas
April 22, 2013 - "... With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware... recently identified an active configuration of TorRAT targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market. However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry. The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim... This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguise the underlying URL address, so that followers have no way of knowing if the link is suspicious... it is quite possible that these URLs lead to malicious webpages. If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download)..."
___

Malicious DHL Spam
- http://threattrack.t...icious-dhl-spam
April 22, 2013 - "Subjects Seen:
    Tracking Info
    Shipping Detail
    Order Detail

Typical e-mail details:
    DHL Ship Shipment Notification
    On April 18, 2013 a shipment label was printed for delivery.
    The shipment number of this package is 81395268.
    To get additional info about this shipment use any of these options:
    1) Click the following URL in your browser:
    2) Enter the shipment number on tracking page:
    Tracking Page
    For further assistance, please call DHL Customer Service.
    For International Customer Service, please use official DHL site.


Malicious URLs
    honoredstudents .org/images/index.php?info=841_139088422
    eumpharma .com/images/index.php?get_info=ss00_323
    sman4-tanjungpinang.sch .id/images/index.php?get_info=ss00_323


Screenshot: https://gs1.wac.edge...l9FL1qz4rgp.png
___

Malware sites to block 22/4/13
- http://blog.dynamoo....lock-22413.html
22 April 2013 - "These domains form part of a large Kelihos botnet described over at Malware Must Die* and which is related to the recent Boston Marathon** and Texas Fertilizer Plant spam*** runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network..."
(Long list at the dynamoo URL above.)

* http://malwaremustdi...-following.html

** http://blog.dynamoo....outcctvcom.html

*** http://blog.dynamoo....-near-waco.html
___

Telstra Bill Account Update Phishing Scam
- http://www.hoax-slay...hing-scam.shtml
April 22, 2013 - "... Detailed Analysis: This email, which purports to be from Australian telecommunications giant, Telstra, informs the recipient that the company was unable to process a recent bill payment. The email claims that, unless the account holder follows a link in the message to confirm and update billing information, his or her Telstra service may be interrupted. The email arrives complete with the Telstra logo and a seemingly genuine Telstra sender address. However, the email is certainly -not- from Telstra and the information about a payment problem is a lie. In reality, the email is a phishing scam designed to trick Telstra customers into handing over their personal and financial information to Internet criminals. The link in the phishing scam email is disguised to make it appear that it leads to the genuine Telstra site. The sender address of the email is also disguised in such a way that it appears to have originated from Telstra... Telstra (or BigPond) will -never- send customers unsolicited emails* requesting them to provide financial and personal information via links in the message..."
* https://help.telstra...tail/a_id/17020
___

Fake "Loss Avoidance Alerts" SPAM / tempandhost .com
- http://blog.dynamoo....lerts-spam.html
22 April 2013 - "I haven't seen this particular spam before. It leads to malware on tempandhost .com:
    Date:      Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
    From:      personableop641 @swacha .org
    Subject:      4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
    Loss Avoidance Alert System
    April 22, 2013
    Loss Avoidance Report:
    The Loss Avoidance Alerts that was processed are now available   on a secure website at:
    www.lossavoidancealert .org
    http ://www.lossavoidancealert .org
    Alerts:
    CL0017279 – Sham Checks (ALL)
    Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
    enter the Alert Number and hit Go.
    Thank you for your participation!
    Loss Avoidance Alert System Administrator
    This email is confidential and intended for the use of the individual to whom it is addressed.  Any views or opinions presented are solely
    those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource.   SWACHA will not be held
    responsible for the information contained in this email if it is not used for its original intent.  Before taking action on any information contained in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited.
    If you received this email in error, please contact the sender.


Screenshot: https://lh3.ggpht.co...dance-alert.png

The link in the email appears to point to www.lossavoidancealert .org but actually goes through a legitimate -hacked- site (in this case [donotclick]samadaan .com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost .com/news/done-heavy_hall_meant.php or [donotclick]tempandhost .com/news/done-meant.php (sample report here* and here**) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this***. Anyway, tempandhost .com is hosted on the following servers:
1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea) ...
Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
..."
* http://wepawet.isecl...6666636&type=js

** http://jsunpack.jeek...001b8fb3caafe11

*** http://urlquery.net/....php?id=2111319
 

:grrr: :ph34r:


Edited by AplusWebMaster, 22 April 2013 - 08:38 PM.



#925 AplusWebMaster


Posted 23 April 2013 - 07:32 AM

FYI...

Fake DHL SPAM / DHL-LABEL-ID-2456-8344-5362-5466.zip
- http://blog.dynamoo....-8344-5362.html
23 Apr 2013 - "This fake DHL spam has a malicious attachment.
    Date:      Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
    From:      Ramon Brewer - DHL regional manager [reports @dhl .com]
    Subject:      DHL DELIVERY REPORT NY73377
    DHL notification
    Our company’s courier couldn’t make the delivery of parcel.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: ETBAKPRSU3
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    DHL Global ...


Screenshot: https://lh3.ggpht.co.../s1600/dhl2.png

Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45*..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1366703919/
File name: DHL-LABEL-ID-2456-8344-5362-5466.exe
Detection ratio: 22/45
Analysis date:     2013-04-23

> http://camas.comodo....194ecd0257d185b
___

Something evil on 173.246.104.104
- http://blog.dynamoo....3246104104.html
23 April 2013 - "173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon .com/news/pint_excluded.php (report here*).
Both VirusTotal** and URLquery* detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow... I recommend that you apply the following blocklist for the time being:
173.246.104.104
(More listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=2122697
... Detected live BlackHole v2.0 exploit kit 173.246.104.104
- https://www.google.c...c?site=AS:29169

** https://www.virustot...04/information/
___

Fake CareerBuilder SPAM / CB_Offer_04232013_8817391.zip
- http://blog.dynamoo....ation-spam.html
23 Apr 2013 - "This fake CareerBuilder email has a malicious attachment containing malware.
    Date:      Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
    From:      CareerBuilder [Herman_Gallagher @careerbuilder .com]
    Subject:      CareerBuilder Notification
    Hello,
    I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
    You can review the position on the CareerBuilder by downloading the attached PDF file.
    Attached file is scanned in PDF format.
    Adobe®Reader® can be downloaded from the following URL:
http ://www.adobe .com

    Best wishes in your job search !
    Hal_Shields
    Careerbuilder Customer Service Team
    CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092


The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the file and future variants will have a different filename. VirusTotal detections are patchy*... I'm still waiting for some sort of analysis..
MD5    924310716fee707db1ea019c3b4eca56
SHA1    2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
SHA256    e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5 "
* https://www.virustot...38dd5/analysis/
File name: CB_Offer_04232013_8817391.exe
Detection ratio: 19/46
Analysis date:     2013-04-24
 

:grrr: :ph34r:


Edited by AplusWebMaster, 23 April 2013 - 08:33 PM.



#926 AplusWebMaster


Posted 24 April 2013 - 07:27 AM

FYI...

Something evil on 151.248.123.170
- http://blog.dynamoo....8123170_24.html
24 April 2013 - "151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1*, example 2**). These domains appear to be almost all dynamic DNS domains which I would recommend blocking; I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.

Recommended blocklist:
151.248.123.170 ..."
(Long list at the dynamoo URL above.)

* http://urlquery.net/...13-04-24&max=50

** https://www.virustot...70/information/

- https://www.google.c...c?site=AS:39134
____

Fake American Express SPAM / SecureMail.zip
- http://blog.dynamoo....ss-spam_24.html
24 Apr 2013 - "Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.
    Date:      Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
    From:      American Express [Christian_Frey @aexp .com]
    Subject:      Confidential - Secure Message from AMEX
    Secure Message
    The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
    Note: The attached file contains encrypted data.
    If you have any questions, please call us at 800-964-7890, option 3.
    Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
    The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
    Thank you,
    American Express
    2012 American Express Company. All rights reserved...


The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46* at VirusTotal. Comodo CAMAS doesn't tell us much** except that it seems to phone home to angels-mail .com and has the following checksums:
MD5    6870fd8fd2b2bedd83e218d9e7e4de8b
SHA1    4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
SHA256    ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3
What about angels-mail .com then? Well, it looks like a legitimate domain hosted on 5.77.45.108 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis, a copy of which can be found here [pdf***].
Recommended blocklist:
5.77.45.108
64.90.61.19
212.58.4.13
..."
* https://www.virustot...sis/1366835710/
File name: SecureMail.exe
Detection ratio: 21/46
Analysis date:     2013-04-24
** http://camas.comodo....5ca660fb2cb45e3
*** http://www.dynamoo.c...8d9e7e4de8b.pdf

Screenshot: https://gs1.wac.edge...2Q8b1qz4rgp.png
___

"New Secure Message" spam / pricesgettos .info
- http://blog.dynamoo....gettosinfo.html
24 Apr 2013 - "This spam leads to malware on pricesgettos .info:
    Date:      Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
    From:      Cooper.Anderson @csiweb .com
    Subject:      New Secure Message Received from Cooper.Anderson@csiweb.com
    New Secure Message
    Respective [redacted],
    You have received a new secure message from Cooper.Anderson@csiweb.com.
    If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.
    If you are NOT using the Secure Message Plugin, you are able to view it by clicking [redacted] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
    Sincerely Yours,
    CSIe


The link displayed in the email is -fake- and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos .info/news/done-heavy_hall_meant.php (report here*) hosted on the following IPs:
1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)
Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=2157408
... Detected live BlackHole v2.0 exploit kit 203.64.101.145
 

:grrr: :ph34r:


Edited by AplusWebMaster, 24 April 2013 - 05:01 PM.



#927 AplusWebMaster


Posted 25 April 2013 - 12:36 PM

FYI...

Malicious Wire Transfer Spam
- http://threattrack.t...e-transfer-spam
25 Apr 2013 - "Subjects Seen:
    Incoming Transactions Report
Typical e-mail details:
    Incoming Transactions Report
    An incoming money transfer has been received by your financial institution and the funds deposited to account.
    Initiated By:  Fiserv Inc.
    Initiated Date & Time: Thu, 25 Apr 2013 06:13:22 -0800
    Batch ID: 497
    Please view the attached file to review the transaction details.


Malicious URLs
    lipo-exdenver .com/ponyb/gate.php
    lipo-exdallas .com/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    angels-mail .com:8080/ponyb/gate.php
    serw.myroitracking .com/vHn3xjt.exe
    pro-sb-immobilien .de/stdwR8gb.exe


Screenshot: https://gs1.wac.edge...dpru1qz4rgp.png
___

Malicious PayPal Password Reset Spam
- http://threattrack.t...word-reset-spam
25 April 2013 - "Subjects Seen:
    Reset Yoyr PayPal Password
Typical e-mail details:
    Your account would stay frozen untill password reset.
    How to reset your PayPal password
    Hello [removed],
    To get back into your PayPal account, you’ll need to create a new password.
    It’s easy:
    Click the link below to open a secure browser window.
    Confirm that you’re the owner of the account, and then follow the instructions.


Malicious URLs
    iremadze .com/wp-content/themes/toolbox/breakingnews.html
    it-academy-by-student07 .ru/wp-content/themes/toolbox/breakingnews.html
    sub.bestquotesnsayings .com/complaints/or_knew-passed.php
    sub.bestquotesnsayings .com/complaints/or_knew-passed.php?kdvawba=mlmr&nlmepj=lwuzwkh


Screenshot: https://gs1.wac.edge...jmCg1qz4rgp.png

 

:grrr: :ph34r:


Edited by AplusWebMaster, 25 April 2013 - 03:49 PM.



#928 AplusWebMaster


Posted 26 April 2013 - 05:10 AM

FYI...

Fake USPS SPAM / LABEL-ID-56723547-GFK72.zip
- http://blog.dynamoo....spam-label.html
26 Apr 2013 - "This fake USPS message has a malicious attachment:
    Date:      Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
    From:      USPS client manager Lelia Holden [reports @usps .com]
    Subject:      USPS delivery failure report
    Priority:      High Priority 1
    Notification
    Our company’s courier couldn’t make the delivery of package.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: UGL38SHK4T
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    USPS Global.


There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46*.
The malicious binary has the following checksums:
MD5    df81b21e9526c571d03bc1fb189f233c
SHA1    dd2fe390e3f16a7f12786799af927f62df6754c4
SHA256    db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
Comodo CAMAS reports** some very unusual behaviour around LDAP registry keys, not present in the Anubis report*** or ThreatExpert report****."
* https://www.virustot...sis/1366967613/
File name: LABEL-ID-56753547-GFK72.exe
Detection ratio: 7/46
Analysis date:     2013-04-26
** http://camas.comodo....81d2f4cde60590a

*** http://anubis.isecla...096&format=html

**** http://www.threatexp...03bc1fb189f233c
___

Something evil on 193.107.16.213 / Ideal Solution Ltd
- http://blog.dynamoo....6213-ideal.html
26 April 2013 - "193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range. VirusTotal detects a number of malicious sites on this server (see report*) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects. The sites that I can identify, their MyWOT ratings and Google prognosis can be downloaded from here [csv**]. Use this data as you see fit..."
(More detail at the dynamoo URL above.)
* https://www.virustot...22/information/

** http://www.dynamoo.c...al-solution.csv
___

Something evil on 199.71.212.122
- http://blog.dynamoo....9971212122.html
26 April 2013 - "199.71.212.122 is an IP address belonging to Psychz Networks in the US. It hosts a number of sites with malware on them according to VirusTotal* and URLquery**. Some of the malicious domains were recently hosted on this IP. I suspect that there are a lot more domains than the ones listed on this server; blocking access to it is probably the best approach..."
* https://www.virustot...22/information/

** http://urlquery.net/...13-04-26&max=50

- https://www.google.c...c?site=AS:40676
___

 

Malicious PayPal Dispute Spam
- http://threattrack.t...al-dispute-spam
26 April 2013 - "Subjects Seen:
    Resolution of case #[removed]
Typical e-mail details:
    Our records indicate that you never responded to requests for additional
    information about this claim. We hope you review the attached file and solve the situation amicably.
    For more details please see the attached file (Case_[removed].zip)
    Sincerely,
    Protection Services Department


Malicious URLs
    angels-mail .com:8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    palmspringsvacationhomerentals .com/ponyb/gate.php
    palmspringsvacationrentalshomes .com/ponyb/gate.php
    techsolbowling .com/Ff1.exe


Screenshot: https://gs1.wac.edge...56WK1qz4rgp.png
___

Fake BoA malicious SPAM
- http://blog.webroot....-serve-malware/
April 26, 2013 - "Relying on tens of thousands of fake “Your transaction is completed” emails, cybercriminals have just launched yet another malicious spam campaign attempting to socially engineer Bank of America’s (BofA) customers into executing a malicious attachment. Once unsuspecting users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals operating it, leading to a successful compromise of their hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog....otnet.png?w=869
Detection rate for the malicious executable: MD5: c671d0896a2412b42e1abad4be9d43a8 * ...Trojan-Spy.Win32.Zbot.kulh.
...  phones back to... C&C servers..."
(Long IP list at the webroot URL above.)
* https://www.virustot...3f838/analysis/
File name: Mnvw57ch.exe
Detection ratio: 32/46
Analysis date:     2013-04-26


Edited by AplusWebMaster, 26 April 2013 - 05:33 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#929 AplusWebMaster

Posted 30 April 2013 - 05:14 AM

FYI...

Multiple Facebook SCAMS ...
- http://www.hoax-slay...ewer-scam.shtml
April 30, 2013 - "Outline: Message being spammed across Facebook claims that users can follow a link to install an app that allows them to check who has been viewing their profile.
Brief Analysis: The message is an attempt to trick Facebook users into relinquishing control of their Facebook accounts to Internet scammers by submitting their Facebook authentication token. The scammers will use the compromised accounts to launch further spam and scam campaigns in the names of their victims. Any message that claims that you can install an app to see who has viewed your profile is likely to be a scam. Do not click on any links in these messages...
Detailed Analysis: This message, which is currently appearing on Facebook, claims that users can check out who has been viewing their Facebook profiles by clicking a link and installing a new app.
However, the message is a scam designed to trick users into temporarily handing control of their Facebook accounts to online scammers. Those who click the link will first be taken to a Facebook page with further "instructions" for procuring the app:
> http://www.hoax-slay...ewer-scam-1.jpg
If victims follow the link on the page, they will next be taken to a second page that falsely claims that Facebook is now required to show users who has been viewing their profile:
> http://www.hoax-slay...ewer-scam-2.jpg
Next, victims are taken to a "security check" and told that they must generate an "age verification code" before proceeding:
> http://www.hoax-slay...ewer-scam-3.jpg
Users will then receive the following instructions:
> http://www.hoax-slay...ewer-scam-4.jpg
Followed by this:
> http://www.hoax-slay...ewer-scam-5.jpg
... by pasting the "age verification" code as instructed, users are in fact giving the scammers access to their Facebook accounts, including their Friends list. The code is the victim's Facebook authentication token, which can then be used by the criminals to temporarily hijack the Facebook account. The compromised accounts are then used to distribute more of the same scam messages on Facebook... victims will be taken onward to various bogus survey pages and enticed to participate, supposedly as a further prerequisite to getting the promised profile viewer app... In reality, the profile viewer app does not exist... Some versions use the promise of a profile viewer to lead victims directly to a scam survey page. Other versions try to trick users into first installing a rogue Facebook application that will send spam and scam messages to all of their friends.
Do not trust any message that claims that you can click a link and install an app to see who has viewed your profile. If you receive such a message, delete it."
___

UK banks targeted with Trojans and social engineering
- https://www.net-secu...ews.php?id=2477
April 30, 2013 - "... Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account, at which time it presents them with one of the following messages:
> https://www.net-secu...er-042013-1.jpg
- or:
> https://www.net-secu...er-042013-2.jpg
While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user. To overcome this requirement Ramnit displays the following message:
> https://www.net-secu...er-042013-3.jpg
The temporary receiver number in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the “OTP service generation”, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process... the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake “a option.” Nevertheless, by changing multiple entries in the FAQ section Ramnit* demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there..."

* http://www.trusteer....nancial-malware
___

Malicious PDFs on the rise
- http://blog.trendmic...fs-on-the-rise/
Apr 29, 2013 - "... we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640)... files used dnsport.chatnook .com, inter.so-webmail .com, and 223.25.242.45 as their command-and-control servers... Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDF’s exploiting CVE-2013-0640 may indicate the start of shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158."
(More detail at the trendmicro URL above.)

- https://blogs.techne...Redirected=true
29 Apr 2013
Graph: https://www.microsof..._exploits/2.png
___

Phish target Apple IDs
- http://blog.trendmic...-phishing-bait/
Apr 30, 2013 - "Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs... Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised... the directory contains pages that spoof the Apple ID login page fairly closely:
> http://blog.trendmic.../fake_apple.jpg
We’ve identified a total of 110 compromised sites, all of them hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned:
> http://blog.trendmic...13/04/chart.png
The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
> http://blog.trendmic...credit_card.jpg
Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.
> http://blog.trendmic.../apple_mail.jpg
One way to identify these phishing sites is that the fake sites do not display any indications that you are at a secure site (like the padlock and “Apple Inc. [US]” part of the toolbar), which you can see in this screenshot of the legitimate site:
> http://blog.trendmic...4/legitsite.jpg
The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites. For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection..."
___

Something evil on 96.126.108.132
- http://blog.dynamoo....6126108132.html
30 April 2013 - "These sites are on (or are likely to be created on) 96.126.108.132 (Linode, US) which is a known malware server [1] [2] [3]. Blocking this IP would be wise. Some of the domains are rather.. unusual ;) ..."
(Long list at the dynamoo URL above.)
1) https://www.virustot...32/information/

2) https://palevotracke...=96.126.108.132

3) http://support.clean...=96.126.108.132
___

Fake "Requested Reset of Yoyr PayPal Password" SPAM / frustrationpostcards .biz
- http://blog.dynamoo....l-password.html
29 Apr 2013 - "This fake PayPal spam leads to malware on frustrationpostcards .biz:
    Date:      Mon, 29 Apr 2013 13:22:03 -0500
    From:      "service @paypalmail .com" [chichisaq0 @emlreq.paypalmail .com]
    Subject:      Requested Reset of Yoyr PayPal Password
    Your account will stay on hold untill password reset.
    How to reset your PayPal password
    Hello [redacted],
    To get back into your PayPal account, you'll have to create a new password.
    It's easy:
        Click the link below to open a secure browser window.
        Confirm that you're the owner of the account, and then follow the instructions.
      Reset your password now
    If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
    Help Center | Security Center
    Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
    Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.
    PayPal Email ID 2A7X1


The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards .biz/news/institutions-trusted.php (report here*) hosted on the following IPs:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)...
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
..."
* http://urlquery.net/....php?id=2230181

Screenshot: https://www.net-secu...ke-30042013.jpg
___

Fake Microsoft Security Scam
- http://blog.webroot....-security-scam/
April 30, 2013 - "... we have seen an increase in fake Microsoft scams, which function by tricking people into thinking that their PC is infected. With these types of scams there are a number of things to remember.
1. Microsoft will never call you telling you that your PC is infected
2. Never allow strangers to connect to your PC
3. Do not give any credit card info to somebody claiming to be from Microsoft...
The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that the location of the web site will be a random string of letters.
1) https://webrootblog....owser_alert.jpg
More details: These websites will normally only stay active for 24-48hrs before they are pulled down. The websites’ primary function is to get you to run a “removal tool” called “security cleaner”. This file is the infection and, if run, will infect the PC and start displaying pop-ups (like the one in Figure 2).
2) https://webrootblog....3/04/fakeav.jpg
... Infection detected:
c:\users\owner\appdata\local\microsoft\windows\temporary internet files\content.ie5\wckxi56g\security_cleaner[1].exe

MD5: 68D9F9C6741CCF4ED9F77EE0275ACDA9 * ... Virus Total... a number of infections that would have been prevented if Windows was up to date. Microsoft is constantly updating Windows to patch various security updates..."
* https://www.virustot...b0a29/analysis/
File name: qdg.exe
Detection ratio: 28/46
Analysis date:     2013-04-27

Link: http://www.microsoft...acy/msname.aspx
___

Fake Wire Transfer SPAM / Payment reeceipt.exe / 78.139.187.6
- http://blog.dynamoo....2-canceled.html
30 Apr 2013 - "This fake wire transfer spam comes with a malicious attachment:
    Date:      Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
    From:      Federal Reserve [alerts @federalreserve .gov]
    Subject:      Your Wire Transfer 82932922 canceled
    The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
    Transfer details attached to the letter.
    This service is provided to you by the Federal Reserve Board. Visit us on the web at website
    To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately


In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe . This executable has a so-so VirusTotal detection rate of 29/46*.
The malware has the following checksums according to Comodo CAMAS**:
Size    371712
MD5    0a3723483e06dcf7e51073972b9d1ef3
SHA1    293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA256    0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
Anubis has a pretty detailed report*** of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here****. There are several other IPs involved, but these look like DSL subscribers with dynamic addresses, so probably a part of a botnet. For the sake of completeness they are:
64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67
...."
* https://www.virustot...sis/1367354089/
File name: Payment reeceipt.exe
Detection ratio: 29/46
Analysis date:     2013-04-30
** http://camas.comodo....759c2d3f25753dd
*** http://anubis.isecla...4fd&format=html

**** http://blog.dynamoo....ation-spam.html


Edited by AplusWebMaster, 30 April 2013 - 06:04 PM.

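The sender/link domain heuristic from the Trend Micro item above (legitimate mail should have matching domains for where it was sent from and where its links go), as an added Python example. This is not code from the forum post or from Trend Micro; the brand allowlist and the sample messages are constructed for illustration, modelled on the spoofed From lines quoted in this thread.

```python
"""Flag e-mails whose claimed brand, sender domain and link domains disagree.

Added example: the BRAND_DOMAINS allowlist and the three sample messages are
constructed for illustration and are not an authoritative list of any brand's
real mail domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> registrable domains that brand mails from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "linkedin": {"linkedin.com"},
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
}


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); ignores multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_brands(*texts: str) -> set:
    """Brands named in the display name or subject, i.e. who the mail claims to be from."""
    joined = " ".join(texts).lower()
    return {brand for brand in BRAND_DOMAINS if brand in joined}


def link_hosts(body: str) -> set:
    """Hostnames of all http(s) URLs in a plain-text body."""
    hosts = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def check_message(raw: str) -> dict:
    """Return the sender, claimed brands, link hosts and a list of mismatch findings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    sender_dom = registrable(sender_host) if sender_host else ""
    brands = claimed_brands(display, msg.get("Subject", ""))
    body = msg.get_payload()  # samples are single-part plain text
    hosts = link_hosts(body)
    findings = []
    # 1. The mail names a brand but is not sent from that brand's domain.
    for brand in sorted(brands):
        if sender_dom not in BRAND_DOMAINS[brand]:
            findings.append(f"claims to be {brand} but is sent from {sender_host}")
    # 2. A link points somewhere that is neither the sender's domain nor the brand's.
    for host in sorted(hosts):
        dom = registrable(host)
        if dom != sender_dom and not any(dom in BRAND_DOMAINS[b] for b in brands):
            findings.append(f"link host {host} matches neither the sender nor the claimed brand")
    return {"sender": addr, "brands": brands, "links": hosts, "findings": findings}


# Constructed samples (lookalike domains use reserved .example TLDs).
FAKE_PAYPAL = """\
From: "PayPal Service" <chichisaq0@emlreq.paypalmail.example>
Subject: Requested Reset of Your PayPal Password

To get back into your PayPal account, you'll have to create a new password.
Reset your password now: http://hacked-site.example/redirect.php
"""

FAKE_LINKEDIN = """\
From: LinkedIn Invitations <giuseppeah5@mail.paypal.example>
Subject: LinkedIn invitation notification

Lewis Padilla sent you an invitation: http://guesswork-lure.example/news/pattern.php
"""

LEGIT_LINKEDIN = """\
From: LinkedIn <invitations@linkedin.com>
Subject: Invitation to connect

Accept: https://www.linkedin.com/invitations/accept?id=123
"""

if __name__ == "__main__":
    for name, raw in [("fake paypal", FAKE_PAYPAL), ("fake linkedin", FAKE_LINKEDIN),
                      ("legit linkedin", LEGIT_LINKEDIN)]:
        result = check_message(raw)
        print(f"{name}: {len(result['findings'])} finding(s)")
        for f in result["findings"]:
            print("  -", f)
```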


#930 AplusWebMaster

Posted 03 May 2013 - 08:41 PM

FYI...

Malicious ADP Delivery Notice Spam
- http://threattrack.t...ery-notice-spam
3 May 2013 - "Subjects Seen:
ADP Chesapeake - Package Delivery Confirmation
Typical e-mail details:
    This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
    Here are the details of your delivery:
    Package Type: QTR/YE Reporting
    Courier: UPS Ground
    Estimated Time of Arrival: Monday, 1:00pm
    Tracking Number (if one is available for this package): [removed]
    Details: Click here to overview and/or modify order
    We will notify you via email if the status of your delivery changes.
    Access these and other valuable tools at support.ADP.com:
    Payroll and Tax Calculators
    Order Payroll Supplies, Blank Checks, and more
    Submit requests online such as SUI Rate Changes, Schedule Changes, and more
    Download Product Documentation, Manuals, and Forms
    Download Software Patches and Updates
    Access Knowledge Solutions / Frequently Asked Questions
    Watch Animated Tours with Guided Input Instructions
    Thank You,
    ADP Client Services
    support.ADP .com


Malicious URLs
    technotkan .kz/templates/ja_purity_ii/adp_dpack.html
    sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php
    sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?hyobrlhz=kniez&vvhxv=nle
    sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?df=1g:1i:2v:32:1f&ne=1g:2w:2w:1h:1g:1j:1l:1h:2v:30&h=1f&ug=q&tr=s&jopa=3366088


Screenshot: https://gs1.wac.edge...fPsL1qz4rgp.png
___

Something evil on 173.255.200.91
- http://blog.dynamoo....7325520091.html
3 May 2013 - "173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit* [see URLquery** and VirusTotal reports***]. Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server. I can see... domains on the server, ones flagged by Google for malware... I would recommend blocking all domains on this server... or simply block the IP address..."
* http://malware.dontn...xploit-kit.html

** http://urlquery.net/...13-05-03&max=50

*** https://www.virustot...91/information/
___

Malicious US Airways Spam
- http://threattrack.t...us-airways-spam
2 May 2013 - "Subjects Seen:
    US Airways online check-in.
Typical e-mail details:
    You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you need to do is print your boarding pass and go to the gate.

Malicious URLs
    concaribe .com/images/wp_pageid.html?id=516047FC45UOYFC8AVC60VIQ
    yob.newwaysys .com/ensure/origin-want_require.php?jnlp=e3ca9e7968
    yob.newwaysys .com/ensure/origin-want_require.php?bnddxr=nlbaicu&zvgibtad=tqu
    yob.newwaysys .com/ensure/origin-want_require.php?qf=1i:1f:32:33:2v&ge=32:1i:30:2v:1o:32:1m:1o:1l:1n&i=1f&wl=j&rw=r&jopa=2959383


Screenshot: https://gs1.wac.edge...ilQn1qz4rgp.png
___

Malicious Citibank Paymentech Attachment Spam
- http://threattrack.t...attachment-spam
2 May 2013 - "Subjects Seen:
    Merchant Statement
Typical e-mail details:
    Attached is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech’s or the Merchant’s email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ————— Learn more about Citibank Paymentech Solutions, LLC payment processing services at citibank.com. ————— THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

Malicious URLs
Spam contains a malicious attachment.

Screenshot: https://gs1.wac.edge...SQsp1qz4rgp.png
___

Fake LinkedIn SPAM / guessworkcontentprotect .biz
- http://blog.dynamoo....protectbiz.html
2 May 2013 - "This fake LinkedIn email leads to malware on guessworkcontentprotect .biz:
    From:     LinkedIn Invitations [giuseppeah5 @mail.paypal .com]
    Date:     2 May 2013 16:49
    Subject:     LinkedIn inviation notificaltion.
    LinkedIn
    This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
    Accept Lewis Padilla Invitation
    On May 2, Lewis Padilla wrote:
    > To: [redacted]
    > I'd like to join you to my professional network on LinkedIn.
    > Lewis Padilla    
    You are receiving Reminder emails for pending invitations. Unsubscribe.
    © 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.


The malicious payload is at [donotclick]guessworkcontentprotect .biz/news/pattern-brother.php (report here*) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
203.190.36.201
..."
* http://urlquery.net/....php?id=2293535


Edited by AplusWebMaster, 03 May 2013 - 08:52 PM.



#931 AplusWebMaster

Posted 06 May 2013 - 06:30 AM

FYI...

Mother’s Day SPAM ...
- http://www.symantec....it-mother-s-day
6 May 2013 - "... Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically -redirects- the recipient to a website containing a bogus Mother’s Day offer upon completion of a -fake- survey.
> https://www.symantec...1/mothers 1.png
Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the -bogus- offer.
> https://www.symantec...1/mothers 2.png
Next...
> https://www.symantec...1/mothers 3.png
... Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.
> https://www.symantec...1/mothers 5.png
...  use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats..."

- https://www.bbb.org/...ay-email-scams/
May 6, 2013

- http://mashable.com/...ay-email-scams/
2013-05-01


Edited by AplusWebMaster, 07 May 2013 - 05:34 AM.



#932 AplusWebMaster

Posted 07 May 2013 - 04:13 AM

FYI...

AutoIt malware - 188.161.9.226 ...
- http://blog.trendmic...e-and-toolsets/
May 6, 2013 - "... In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip .info (188.161.9.226 at the time of writing) over port 1604... In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistency... Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables the ability to get into the registry of Windows to view or undo the changes performed... As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to make a migration to using them. The ease of use and learning, as well as the ability to post code easily to popular dropsites make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your Anti-Virus signatures as well as consider blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable."
___

Something evil on 151.248.123.170 Part III
- http://blog.dynamoo....0-part-iii.html
7 May 2013 - "I've covered 151.248.123.170 (Reg.ru, Russia*) a couple of times in the past month [1] [2], and it's still actively pushing out malware via dynamic DNS domains, many of which are injection attacks on hacked sites. There are hundreds or possibly thousands of malicious domains on this IP. Blocking them individually is likely to be problematic; the best approach is to block all traffic to 151.248.123.170 or to the Dynamic DNS domains involved... although this might potentially block access to some legitimate sites..."

1) http://blog.dynamoo....8123170_24.html

2) http://blog.dynamoo....1248123170.html

* https://www.google.c...c?site=AS:39134
___

Fake Citibank ‘Merchant Billing Statement’ emails lead to malware
- http://blog.webroot....ead-to-malware/
May 7, 2013 - "Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog....nets_trojan.png
Detection rate for the malicious executable: MD5: 75a666f81847ccf7656790162e6a666a * ... Trojan-Spy.Win32.Zbot.lcnn..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1367618876/
File name: Kwmfd2.exe
Detection ratio: 33/46
Analysis date:     2013-05-05


Edited by AplusWebMaster, 07 May 2013 - 09:48 AM.



#933 AplusWebMaster

Posted 08 May 2013 - 04:30 AM

FYI...

Fake Amazon.com SPAM / ehrap .net
- http://blog.dynamoo....m-ehrapnet.html
8 May 2013 - "This fake Amazon spam leads to malware on ehrap .net:
    Date:      Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
    From:      "Amazon.com" [drudgingb50@m.amazonmail.com]
    Subject:      Your Amazon.com order confirmation.
    Thanks for your order, [redacted]!
    Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
    Order Information:
    E-mail Address:  [redacted]
    Billing Address:
    216 CROSSING CRK N
    GAHANNA
    United States
    Phone: 1-747-289-5672
    Order Grand Total: $ 53.99
    Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
    Order Summary:
    Details:
    Order #:     I12-4392835-6098844
    Subtotal of items:     $ 53.99
    Total before tax:     $ 53.99
    Tax Collected:     $0.00
    Grand Total:     $ 50.00
    Gift Certificates:     $ 3.99
    Total for this Order:     $ 53.99
    The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
    Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
    Sold By: Random House Digital, Inc.
    Give Kindle books to anyone with an e-mail address - no Kindle required!
    You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
    Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
    Thanks again for shopping with us.
    Amazon.com
    Earth's Biggest Selection
    Prefer not to receive HTML mail? Click here


The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap .net/news/days_electric-sources.php (report here*) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)
The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.
..."
* http://urlquery.net/....php?id=2377955
___

Fake AV and ransomware combo
- https://www.net-secu...ews.php?id=2486
8 May 2013 - "Ransomware and fake antivirus solutions are well-known threats, but a deadly fraudulent combination of the two has been recently spotted... The software - dubbed "Secure Bit" - first tries to convince the victims that the "security level" of their computer is low and instructs them to call for support so that the “threats” it has "found" can be removed. The claim is accompanied by a pop-up that lists a great number of them. But if the victims don't do as they are told after a period of time, the fake AV turns nasty (well, nastier), and locks the computer screen. The victims can't do anything on their machine, and they are again told to contact the given phone number in order to regain control of it. The phone call reveals that it will cost the victims $49.99 to do that, and Total Defense's Tsahi Carmona warns* that many users may not recognize it's a scam and may pay the ransom..."
* http://www.totaldefe...secure-bit.aspx
"... This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and a malware that supposedly locks the screen in order to make the victim pay money to unlock. After the user installs this free “anti-virus” software it immediately notifies them that the security level of the computer is low and that they need to call for support to address the found “threats”..."
___

Fake Amazon emails lead to malware...
- http://blog.webroot....ts-and-malware/
May 8, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....png?w=650&h=486
... MD5 for the Java exploit: MD5: c9bc87eef8db72f64bac0a72f82b04cf * ... HEUR:Exploit.Java.CVE-2012-0507.gen
MD5 for the PDF exploit: MD5: 53c90140fde593713efe6298547ff205 ** ...Exploit:Win32/CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 330ad00466bd44a5fb2786f0f5e2d0da *** ...Trojan.Win32.Reveton.a (v).
... phones back to: ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1367968246/
File name: days_electric-sources.php
Detection ratio: 5/46
Analysis date:     2013-05-07
** https://www.virustot...sis/1367968346/
File name: Kindle.pdf
Detection ratio: 26/46
Analysis date:     2013-05-07
*** https://www.virustot...27274/analysis/
File name: sndrec32.exe
Detection ratio: 16/46
Analysis date:     2013-05-08
___

Malicious Better Business Bureau Spam
- http://threattrack.t...ess-bureau-spam
8 May 2013 - "Subjects Seen:
    Better Business Beareau Complaint ID [removed]
Typical e-mail details:
     The Better Business Bureau has been entered the above mentioned complaint from one of your users in regard to their business contacts with you. The information about the consumer’s concern are available at the link below. Please give attention to this point and notify us about your belief as soon as possible.
    We kindly ask you to open the RECLAMATION REPORT to answer on this claim.
    We are looking forward to your prompt response.
    WBR
    Colton Reed
    Dispute Advisor
    Better Business Bureau


Malicious URLs
    stopwulgaryzmom .pl/bbb_view_compl.html?complain=DFMI30GA2_80VJA8
    pub.mumbailocaltraintimetable .net/ensure/misuse-restrict-systems_properties.php


Screenshot: https://gs1.wac.edge...fiSm1qz4rgp.png
 



Edited by AplusWebMaster, 08 May 2013 - 06:27 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#934 AplusWebMaster


Posted 09 May 2013 - 08:23 AM

FYI...

Fake Citibank SPAM / Statement ID 64775-4985.doc
- http://blog.dynamoo....75-4985doc.html
9 May 2013 - "This fake Citibank spam contains a malicious Word document that leads to malware.
    Date:      Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
    From:      CITIBANK [noreply @citybank .com]
    Subject:      Merchant Statement
    Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.


The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46*. It appears to exploit a flaw in the RTF converter... making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat."
* https://www.virustot...f9347/analysis/
File name: Statement ID 64775-4985.doc
Detection ratio: 10/46
Analysis date:     2013-05-09

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158* aka MS12-027.
* https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013
___

Fake Traffic Ticket serves malware
- http://blog.webroot....-serve-malware/
9 May 2013 - "Cybercriminals are currently spamvertising tens of thousands of -bogus- emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received a uniform traffic ticket that they should open, print and send to their town’s court. In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....png?w=423&h=290
Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 * ... Trojan-Spy.Win32.Zbot.lhim..."
(More detail available at the webroot URL above.)
* https://www.virustot...a43b1/analysis/
File name: Unihl.exe
Detection ratio: 30/45
Analysis date:     2013-05-08
 



Edited by AplusWebMaster, 09 May 2013 - 01:53 PM.



#935 AplusWebMaster


Posted 10 May 2013 - 06:47 AM

FYI...

Malicious Facebook Friend Notification Spam
- http://threattrack.t...tification-spam
9 May 2013 - "Subjects Seen:
    [removed] wants to be friends on Facebook
Typical e-mail details:
     [removed] wants to be friends with you on Facebook Facebook.

Malicious URLs
    web.jen-pages .de/fbreq.html
    job.bgita .ru/fbreq.html
    yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?jnlp=7ad5b52a64
    yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?zvvsj=edwwqnl&wit=tjm
    yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?mf=1i:1f:32:33:2v&le=1m:2v:31:1k:2w:1k:1h:2v:1l:1j&u=1f&yj=i&cp=j&jopa=5216591


Screenshot: https://gs1.wac.edge...oht71qz4rgp.png
___

Something evil on 151.248.123.170, Part IV
- http://blog.dynamoo....70-part-iv.html
10 May 2013 - "Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia)... you can download a full list of everything that I can find here** [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here*..."
* http://blog.dynamoo....0-part-iii.html

** http://www.dynamoo.c...248-123-170.txt
___

USAA Credentials Phish
- http://threattrack.t...edentials-phish
10 May 2013 - "Subjects Seen:
    Important Message From Usaa
Typical e-mail details:
     Dear Valued Customer,
    We have created new dedicated security servers to keep all our
    online banking customers account safe and secure. This is server
    has been tested,now we are asking all our online banking customers
    to register for the new security server to keep them safe.
    To register for this new security server quickly click on the button
    below to complete registration immediately.
    Click Here To Register
    We hope you find our Internet Banking service easy and convenient to use.
    Yours sincerely
    USAA,
    Digital Banking Director


Malicious URLs
    sehyup .com/08_dev/board/file/bbs_notice/vi.htm
    philanthropyexpert .org/ass/index.html


Screenshot: https://gs1.wac.edge...LK0n1qz4rgp.png
___

Phone phish ...
- https://www.ic3.gov/...013/130508.aspx
May 08, 2013 - "The Internet Crime Complaint Center has received numerous reports of phishing attacks targeting various telecommunication companies' customers. Individuals receive automated telephone calls that claim to be from the victim's telecommunication carrier. Victims are directed to a phishing site to receive a credit, discount, or prize ranging from $300 to $500. The phishing site is a replica of one of the telecommunication carrier's sites and requests the victims' log-in credentials and the last four digits of their Social Security numbers. Once victims enter their information, they are -redirected- to the telecommunication carrier’s actual website. The subject then makes changes to the customer's account.
The IC3 urges the public to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the information supplied on your account statement to contact the business."
 



Edited by AplusWebMaster, 11 May 2013 - 06:18 AM.



#936 AplusWebMaster


Posted 13 May 2013 - 05:45 AM

FYI...

Something evil on 188.241.86.33
- http://blog.dynamoo....1882418633.html
13 May 2013 - "188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2]. This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/...13-05-13&max=50

2) https://www.virustot...33/information/
___

Browser extension hijacks Facebook profiles
- https://blogs.techne...Redirected=true
10 May 2013 - "We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox..."
- http://h-online.com/-1861398
13 May 2013 - "... The trojan extensions themselves monitor users' browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat to friends or comment on posts... Microsoft recommends that users review their installed extensions..."
___

Fake BoA Paymentech Malicious Word Doc Attachment Spam
- http://threattrack.t...icious-word-doc
13 May 2013 - "Subjects Seen:
    BOA Merchant Statement
Typical e-mail details:
     Attached (DOC|WORD file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
    Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edge...dxu51qz4rgp.png
___

Malicious Citibank Secure Message Spam
- http://threattrack.t...re-message-spam
13 May 2013 - "Subjects Seen:
    You have received a secure message
Typical e-mail details:
    Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
    First time users - will need to register after opening the attachment.
    About Email Encryption - citi .com/citi/citizen/privacy/email.htm


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    vulcantire .net/forum/viewtopic.php
    westautorepair .com/forum/viewtopic.php
    metroimport-tires .com/forum/viewtopic.php
    iis1.ontera .net/AUWY5Z.exe


Screenshot: https://gs1.wac.edge...XmUI1qz4rgp.png
___

Fake AMEX SPAM / SecureMail.zip
- http://blog.dynamoo....-from-amex.html
13 May 2013 - "This fake Amex email has a malicious attachment:
    Date:      Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
    From:      American Express [Jarvis_Randall @aexp .com]
    Subject:      Confidential - Secure Message from AMEX    
    Secure Message
    The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
    Note: The attached file contains encrypted data.
    If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
    The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
    Thank you,
    American Express
    2012 American Express Company. All rights reserved.


There is an attachment SecureMail.zip which in turn contains an executable file SecureMail .exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46*. Comodo CAMAS** reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim .com on 212.58.4.13 (DorukNet, Turkey).
Size    137216
MD5    20de8bad8bf8279e4084e9db461bd140
SHA1    caacc00d68f41dad9b1abb02f9e243911f897852
SHA256    18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
The ThreatTrack report*** also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Blocklist:
mail.yaklasim .com
212.58.4.13
62.233.104.156
..."
* https://www.virustot...sis/1368476716/
File name: SecureMail.exe
Detection ratio: 15/46
Analysis date:     2013-05-13

** http://camas.comodo....4c962329b691ee7

*** http://www.dynamoo.c...9db461bd140.pdf
 



Edited by AplusWebMaster, 13 May 2013 - 05:51 PM.

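The AMEX post above and the later "Invoice Copy" post both close with the advice to block EXE-in-ZIP attachments at the perimeter; what follows is an added example (not from the forum thread or the dynamoo blog it quotes) of the check a mail gateway can run on a ZIP attachment, flagging executable extensions, double extensions such as invoice copy.pdf.exe, and renamed executables by their PE header. The archive it inspects is constructed in memory for the demonstration; the entry names SecureMail.exe and invoice copy.pdf.exe are borrowed from the quoted posts, the rest are made up.

```python
"""Added example (not from the forum thread or the blogs it quotes): a
perimeter-style check for "EXE-in-ZIP" mail attachments.

For each entry in a ZIP attachment it reports:
  * an extension Windows will execute (SecureMail.exe, invoice copy.exe),
  * a double extension hiding behind a document type (invoice copy.pdf.exe),
  * a PE ("MZ"/"PE\\0\\0") header under a harmless-looking name,
  * an encrypted entry whose content cannot be inspected at all.
The sample archive below is constructed in memory; it is not real malware.
"""
import io
import os
import struct
import zipfile
from typing import List, Optional, Tuple

# Extensions that Windows runs directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
# Document types a lure typically borrows for its icon and fake extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Bytes read from each entry for the magic check; bounds the cost of a zip bomb.
HEADER_BYTES = 4096


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field (offset
    0x3C) points at a 'PE\\0\\0' signature, i.e. it is a Windows executable
    regardless of what the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def suspicious_name(name: str) -> Optional[str]:
    """Reason string if the entry name alone is enough to reject it, else None."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "double extension %r" % base
    return "executable extension %s" % ext


def inspect_zip_attachment(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every entry that should block delivery."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reason = suspicious_name(info.filename)
            if reason is None and info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted entry:
                # the content check cannot run, which is itself worth flagging.
                reason = "encrypted entry, content cannot be inspected"
            if reason is None:
                with archive.open(info) as fh:
                    head = fh.read(HEADER_BYTES)
                if looks_like_pe(head):
                    reason = "PE header under a non-executable name"
            if reason is not None:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: a minimal fake PE image (just the MZ stub and
    the PE signature, nothing executable) under several names, plus a text file."""
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SecureMail.exe", fake_pe)          # name from the quoted AMEX post
        zf.writestr("invoice copy.pdf.exe", fake_pe)    # double-extension variant
        zf.writestr("statement.pdf", fake_pe)           # executable renamed to look like a PDF
        zf.writestr("README.txt", b"plain text, nothing to flag\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_zip()):
        print("BLOCK %-25s %s" % (name, reason))
```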


#937 AplusWebMaster


Posted 14 May 2013 - 07:43 AM

FYI...

Fake BoA SPAM / RECEIPT428-586.doc
- http://blog.dynamoo....erica-spam.html
14 May 2013 - "This fake Bank of America message has a malicious Word document attached:
    Date:      Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
    Subject:      Your transaction is completed
    Transaction is completed. $51317477 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Receipt of payment is attached.
    *** This is an automatically generated email, please do not reply ***
    Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
    © 2013 Bank of America Corporation. All rights reserved


The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack*. VirusTotal detections stand at just 11/46**. Further analysis is pending.
* http://blog.dynamoo....75-4985doc.html

** https://www.virustot...3e356/analysis/
File name: RECEIPT428-586.doc
Detection ratio: 18/43
Analysis date:     2013-05-14
___

Something evil on 94.242.198.16
- http://blog.dynamoo....9424219816.html
14 May 2013 - "I'm not entirely sure what this is, I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxemburg) which is using various stealth techniques to avoid detection. This is what I'm seeing.. code is getting injected into sites referring to [donotclick]fryzjer .me/hpoxqnj.php (report*) or [donotclick]stempelxpress .nl/vechoix.php (report**) which (if called in the correct way) tries to forward the victim to
[donotclick]ice.zoloni-kemis .info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis.info/lifym?ftypyok=947645 hosted on 94.242.198.16.

VirusTotal reports this as a bad IP***, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site contains several subdomains of the following domains.. I would recommend the following blocklist:
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=2455754

** http://urlquery.net/....php?id=2455905

*** https://www.virustot...16/information/

- https://www.google.c...ic?site=AS:5577
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-05-14, and the last time suspicious content was found was on 2013-05-14... Over the past 90 days, we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 131 other site(s)... We found 282 site(s)... that infected 4631 other site(s)..."
___

Malicious Dun and Bradstreet Compliant Spam
- http://threattrack.t...-compliant-spam
14 May 2013 - "Subjects Seen:
    FW : Complaint - [removed]
Typical e-mail details:
    Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by May 18, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    hurricanestormsavings .com/ponyb/gate.php
    hurricanestrengthsavings .com/ponyb/gate.php
    62.233.104.156 /tHjefFt.exe


Screenshot: https://gs1.wac.edge...lB071qz4rgp.png
 



Edited by AplusWebMaster, 14 May 2013 - 02:05 PM.



#938 AplusWebMaster


Posted 15 May 2013 - 05:49 AM

FYI...

Fake ‘Free Media Player’ via rogue ‘Adobe Flash Player HD’ ad ...
- http://blog.webroot....-advertisement/
May 15, 2013 - "Our sensors just picked up a rogue advertisement served through the Yieldmanager ad network, which exposes users to fake Adobe Flash Player HD ads, ultimately dropping a copy of the potentially unwanted application (PUA)/adware, known as Somoto Better Installer...
Sample screenshot of the actual advertisement:
> https://webrootblog....omoto.png?w=869
... once users click, they’re presented with a rogue Free Media Player page instead of an Adobe Flash Player HD themed page. Users who fall victim to the social engineering scam will end up installing multiple potentially unwanted applications... Landing domain:
hxxp ://www.softigloo .com – 78.138.105.151. Responding to the same IP is also the following typosquatted domain – hxxp ://down1oads .com...
Detection rate for the sampled malware:
MD5: 3ee49800cc3c2ce74fa63e6174c81dff * ... Somoto BetterInstaller; Adware.Somoto
MD5: b57cc4b5aecd69eb57063f4de914d4dd ** ... Somoto BetterInstaller; TROJ_GEN.F47V0429 ...
And initiates the following TCP connections:

The affiliate network participant that’s abusing the Yieldmanager ad network is currently earning revenue through the Somoto’s BetterInstaller PPI (Pay-Per-Install) revenue sharing network..."
(More detail at the websense URL above.)
* https://www.virustot...sis/1368314633/
File name: VLCMediaPlayerSetup-9Kf76Wv.exe
Detection ratio: 8/46
Analysis date:     2013-05-11
** https://www.virustot...sis/1368314918/
File name: 7ZipSetup-aVEkw5Y.exe
Detection ratio: 8/46
Analysis date:     2013-05-11

Removal Guide for Somoto.BetterInstaller
> http://forums.spybot...BetterInstaller
2013-05-08
___

Malicious FedEx SPAM delivers trojan ...
- http://www.hotforsec...kages-6173.html
May 15, 2013 - "A new wave of malicious FedEx spam delivers Trojans instead of packages, infecting users with malware when opening the attachments. In the last couple months, the Gamarue Trojan has spread intensely in the US, Australia, Croatia, Romania, Iran, the UK, Germany and Spain...
Screenshot1: http://www.hotforsec...-packages-1.jpg
... To give credibility to the malicious payload, scammers added links to the authentic shipping company. Trojan.Gamarue silently installs itself on the system, sending sensitive information to the command and control center. The stolen data can then be used for identity theft and other cyber-criminal activities. Gamarue can also download and execute arbitrary files, performing updates without users noticing. The malicious software can also spread to removable drives, so users should be careful when managing important documents through USB devices...
Screenshot2:  http://www.hotforsec...-packages-2.png
FedEx is a common target for cyber-criminals, who only change the bait from time to time. Other excuses to ship malware include parcel delivery notifications. Scammers also request money in return for delivery of a package by posing as representatives of the shipping service. They also go so far as to create spoofed web sites to collect usernames, passwords, Social Security Numbers, credit card details and more..."
___

Fake Facebook SPAM / otophone .net
- http://blog.dynamoo....tophonenet.html
15 May 2013 - "This fake Facebook spam leads to malware on otophone .net:
    Date:      Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
    From:      Facebook [notification+LTFS15RDTR @facebookmail .com]
    Subject:      Jonathan Rogers wants to be friends on Facebook
    facebook
    Jonathan Rogers wants to be friends with you on Facebook Facebook...
    1083 friends · 497 photos · 2 notes · 1535 Wall posts
    Confirm Friend Request
    See All Requests
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
    Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303


The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone .net/news/appreciate_trick_hanging.php (report here*) hosted on the following IPs:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)...
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
..."
* http://urlquery.net/....php?id=2474662
___

Something evil on 184.95.51.123
- http://blog.dynamoo....1849551123.html
15 May 2013 - "184.95.51.123 (Secured Servers LLC, US) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live. The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.
These following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can..."
___

Malicious DocuSign Payroll Spam
- http://threattrack.t...gn-payroll-spam
15 May 2013 - "Subjects Seen:
    Completed: Please DocuSign this document : Payroll May 2013..pdf
Typical e-mail details:
    Your document has been completed
    Sent on behalf of [removed].
    All parties have completed the envelope ‘Please DocuSign this document: Payroll April 2013..pdf’.
    To view or print the document download the attachment .
    (self-extracting archive, Adobe PDF)
    This document contains information confidential and proprietary to [removed]


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    lifestylehomeowners .com/ponyb/gate.php
    lifestylehurricaneguide .com/ponyb/gate.php
    parpaiol a.com/0nWhFjZ.exe


Screenshot: https://gs1.wac.edge...rAIV1qz4rgp.png
___

Fake ADP SPAM / outlookexpres .net
- http://blog.dynamoo....kexpresnet.html
15 May 2013 - "This fake ADP spam leads to malware on outlookexpres .net:
    Date:      Wed, 15 May 2013 22:39:26 +0400
    From:      "donotreply @adp .com" [phrasingr6 @news.adpmail .org]
    Subject:      adp_subj
    ADP Instant Warning
    Report #: 55233
    Respected ADP Client May, 15 2013
    Your Processed Transaction Report(s) have been uploaded to the website:
    Sign In here
    Please see the following information:
    • Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).
    • Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.
    This email was sent to existing users in your company that access ADP Netsecure.
    As every time, thank you for using ADP as your business affiliate!
    Rep: 55233 [redacted]


The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres .net/news/estimate_promising.php (report here*) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
..."
* http://urlquery.net/....php?id=2479638
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 15
Fake Product Order E-mail Messages - 2013 May 15
Fake Document Sharing Notification E-mail Messages - 2013 May 15
Fake Invoice Statement Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
Fake Delta E-Ticket Attachment E-mail Messages - 2013 May 15
Fake Third Party Consumer Complaint Notification E-mail Messages - 2013 May 15
Fake Portuguese Invoice Notification E-mail Messages - 2013 May 15
Fake Photo Sharing E-mail Messages - 2013 May 15
Fake Product Order Request E-mail Messages - 2013 May 15
Fake Xerox Scan Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
(More info and links at the cisco URL above.)
 



Edited by AplusWebMaster, 15 May 2013 - 04:37 PM.



#939 AplusWebMaster


Posted 16 May 2013 - 09:00 AM

FYI...

Fake "Invoice Copy" SPAM / invoice copy.zip
- http://blog.dynamoo....ce-copyzip.html
16 May 2013 - "This fake invoice email contains a malicious attachment:
    Date:      Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
    From:      Karen Parker [Kk.parker @tiffany .com]
    Subject:      invoice copy
    Kindly open to see export License and payment invoice attached,meanwhile we sent the balance payment yesterday.Please confirm if it has settled in your account or you can call ifthere is any problem.ThanksKaren parker


The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45* and indicate that this is a Zbot variant. The Comodo CAMAS report** indicates that the malware seems to be rummaging through address books and gives the following characteristics:
Size    331776
MD5    ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1    a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256    4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
... The ThreatTrack report*** is nicely detailed and gives some details about network connections... As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat."
* https://www.virustot...sis/1368687945/
File name: invoice copy.exe
Detection ratio: 7/45
Analysis date:     2013-05-16

** http://camas.comodo....a19592d2b939fe6

*** http://www.dynamoo.c...dc7e0cd8bcd.pdf
___

Fake HMRC SPAM / VAT Returns Repot 517794350.doc
- http://blog.dynamoo....7794350doc.html
16 May 2013 - "This fake HMRC (UK tax authority) spam contains a malicious attachment:
    From: noreply @hmrc .gov.uk [mailto:noreply @hmrc .gov.uk]
    Sent: 16 May 2013 10:48
    Subject: Successful Receipt of Online Submission for Reference 517794350
    Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
    For the latest information on your VAT Return please open attached report.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack*. VirusTotal results are just 1/46**, so either this is something completely new or it is a corrupt sample. UPDATE: ThreatTrack reports*** that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
..."
* http://blog.dynamoo....erica-spam.html

** https://www.virustot...sis/1368697862/
File name: VAT Returns Repot 517794350.doc
Detection ratio: 1/46
Analysis date:     2013-05-16

*** http://www.dynamoo.c...b5b3a8c2a34.pdf
___

Fake Walmart SPAM / bestunallowable .com
- http://blog.dynamoo....lowablecom.html
16 May 2013 - "This fake Walmart spam leads to malware on bestunallowable .com:
    From:     Wallmart.com [deviledm978 @news.wallmart .com]
    Date:     16 May 2013 14:02
    Subject:     Thanks for your Walmart.com Order 3795695-976140
    Walmart    
    Visit Walmartcom  |     Help  |     My Account  |     Track My Orders
    [redacted]
    Thanks for ordering from Walmart.com. We're currently processing your order.
    Items in your order selected for shipping
    • You'll receive another email, with tracking information, when your order ships.
    • If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
    Shipping Information
          Ship to Home    
    Hannah Johnson
    1961 12 Rd
    Orange, NC 68025-3157
    USA
---     
    Walmart.com     Order Number: 3795695-976140
    Ship to Home - Standard
    Items     Qty     Arrival Date     Price
    Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
    Eligible for Free Standard Shipping to Home.     $898.00
    Subtotal:     $898.00
    Shipping:     Free
    Tax:     $62.86
    See our Returns Policy or
    contact Customer Service     Walmart.com Total:     $960.86
    Order Summary
    Order Date:     05/15/2013
    Subtotal:     $898.00
    Shipping:     Free
    Tax:     $62.86
    Order Total:     $960.86
    Credit card:     $960.86
    Billing Information
    Payment Method:
    Credit card
    If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
    Thanks,
    Your Walmart.com Customer Service Team...
    Rollbacks     Sign Up for Email Savings and Updates
    Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
    ©Walmart.com USA, LLC, All Rights Reserved.


The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable .com/news/ask-index.php (report here*) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characteristic of the Amerika gang...
Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com
..."
* http://urlquery.net/....php?id=2494957
___

More Walmart SPAM / virgin-altantic .net
- http://blog.dynamoo....ltanticnet.html
16 May 2013 - "Another -variant- of this spam* is doing the rounds, this time leading to a landing page on virgin-altantic .net:
    From: Wallmart.com [mailto:sculptsu @complains .wallmartmail .com]
    Sent: 16 May 2013 15:35
    Subject: Thanks for your Walmart.com Order 3450995-348882 ...
---
    Subtotal:    $898.00
    Shipping:    Free
    Tax:     $62.86
    See our Returns Policy or
    contact Customer Service
    Walmart.com Total:    $960.86
    Order Summary
    Order Date:    05/15/2013
    Subtotal:    $898.00
    Shipping:    Free
    Tax:     $62.86
    Order Total:    $960.86
    Credit card:    $960.86
            Billing Information
    Payment Method:
    Credit card
    If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
    Thanks,
    Your Walmart.com Customer Service Team...


The malicious payload is at [donotclick]virgin-altantic .net/news/ask-index.php (report here**). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic .net too."
* http://blog.dynamoo....lowablecom.html

** http://urlquery.net/....php?id=2496275
___

Fake Wells Fargo and Citi SPAM / SecureMessage.zip and Securedoc.zip
- http://blog.dynamoo....-citi-spam.html
16 May 2013 - "This fake Wells Fargo message contains a malicious attachment:
    Date:      Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
    From:      "Grover_Covington @wellsfargo .com" [Grover_Covington @wellsfargo .com]
    Subject:      New Secure Message
    Wells Fargo    
        Help
    To Read This Message:
    Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
    Secure Message    
    This message was sent to : [redacted]
    Email Security Powered by Voltage IBE
    Copyright 2013 Wells Fargo. All rights reserved


The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal**.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
    Date:      Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
    From:      "secure.email @citi .com" [secure.email @citi .com]
    Subject:      You have received a secure message
    You have received a secure message
    Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
    First time users - will need to register after opening the attachment.
    About Email Encryption - http ://www.citi .com/citi/citizen/privacy/email.htm


... the best analysis is this ThreatTrack report*... some IPs and domains worth blocking:
69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim .com
ryulawgroup .com
"
* http://www.dynamoo.c...0cddcbdc604.pdf

** https://www.virustot...sis/1368718128/
File name: SecureMessage.exe
Detection ratio: 2/45
Analysis date:     2013-05-16
___

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
- http://blog.trendmic...-scams-instead/
May 16, 2013 - "The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download an Android malware... these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”... Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
> http://blog.trendmic...rvey-scam-4.jpg
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work. Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes. Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking site and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintances. Caution is your best defense..."
 



Edited by AplusWebMaster, 16 May 2013 - 02:48 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#940 AplusWebMaster

Posted 17 May 2013 - 05:54 AM

FYI...

e-netprotections.su ?
- https://isc.sans.edu...l?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal*) , but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."

Partial list of IPs involved:
64.85.161.67
85.25.132.55
173.224.210.244
178.63.172.88
188.95.48.152

199.68.199.178
91.227.220.104

* https://www.virustot...b9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16

- https://www.abuse.ch/?p=3581
___

Malicious Wells Fargo Secure Message Spam
- http://threattrack.t...re-message-spam
16 May 2013 - "Subjects Seen:
    New Secure Message
Typical e-mail details:
    View attachment for details
    To Read This Message:
    Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    mylifestylestormproducts .com/forum/viewtopic.php
    mysafefloridahomelife .com/forum/viewtopic.php
    ryulawgroup .com/Gsdw1.exe


Screenshot: https://gs1.wac.edge...4bl91qz4rgp.png
___

Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo....worlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
    From: [AOL sender]
    Sent: 17 May 2013 14:12
    To: [redacted]
    Subject: [AOL screen name]
    Subject :RE ( 8 )
    Sent: 5/17/2013 2:11:53 PM
    referral link
    http ://printcopy.co .za/elemqi.php?whvbcfm


The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/....php?id=2512341

** http://urlquery.net/....php?id=2512431
___

Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo....ckanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
    Date:      Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
    From:      Newegg [info @newegg .com]
    Subject:      Newegg.com - Payment Charged
    Priority:      High Priority 1
    Newegg logo    
    My Account     My Account |     Customer Services     Customer Services
    Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
    click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
    Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More
    Customer ID: [redacted]
    Account Number: 23711731
    Dear Customer,
    Thank you for shopping at Newegg.com.
    We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
    If you have any questions, please use our LiveChat function or visit our Contact Us Page.
    Once You Know, You Newegg.
    Your Newegg.com Customer Service Team
    ONCE YOU KNOW, YOU NEWEGG. ®
    Policy and Agreement | Privacy Policy | Confidentiality Notice
    Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.


Screenshot: https://lh3.ggpht.co...1600/newegg.png

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119
..."
* http://urlquery.net/....php?id=2504632

Also at: http://threattrack.t...wegg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edge...Awpg1qz4rgp.png
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)
 



Edited by AplusWebMaster, 19 May 2013 - 05:41 AM.



#941 AplusWebMaster

Posted 20 May 2013 - 06:28 AM

FYI...

Something evil on 50.116.28.24
- http://blog.dynamoo....-501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)

* http://www.f-secure....s/00002554.html

** http://forums.macrum...d.php?t=1583233
___

Wells Fargo Credentials Phish
- http://threattrack.t...edentials-phish
20 May 2013 - "Subjects Seen:
    Account Update
Typical e-mail details:
    In order to safeguard your account, we require that you confirm your details.
    To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
    To get started, visit the link below:
    Wells Fargo Online Confirmation


Malicious URLs
    update.id5027-wellsfargo .com/index.php?id=586616


Screenshot: https://gs1.wac.edge...kVzo1qz4rgp.png
___

Malicious Invoice Attachment Spam
- http://threattrack.t...attachment-spam
20 May 2013 - "Subjects Seen:
    invoice copy
Typical e-mail details:
    Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edge...O1qo1qz4rgp.png
___

Chase Bank Credentials Phish
- http://threattrack.t...edentials-phish
20 May 2013 - "Subjects Seen:
    Billing Code:[removed]
Typical e-mail details:
    During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
    This might be due to either of the following reasons:
    1. A recent change in your personal information ( i.e. change of address).
    2. Submitting invalid information during the initial sign up process.
    3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
    Click on the guide-link below and follow the directions or please call our Online Helpdesk.
    Regards,
    Chase Online
    Billing Department
    Thanks for your co-operation.


Malicious URLs
    goodnickfitness .com.au/hnav.html
    diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html


Screenshot: https://gs1.wac.edge...1itt1qz4rgp.png
___

Blackhole Spam Run evades detection using Punycode
- http://blog.trendmic...using-punycode/
May 20, 2013 - "...  we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmic...HEK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see their original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are led to the site hosting malware (detected as TROJ_PIDIEF.SMXY), which exploits a vulnerability in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt
 



Edited by AplusWebMaster, 20 May 2013 - 05:03 PM.

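The punycode decoding step the Trend Micro excerpt above talks about, as an added example that is not part of the original post or of Trend Micro's analysis: the script pulls the host out of each URL, turns any xn-- label back into Unicode, and flags labels that mix scripts (the look-alike case where a Latin "walmart" has one Cyrillic letter swapped in). The sample URLs are constructed for the demonstration and are not the spam run's real links; the Cyrillic .рф host and the look-alike are assumptions chosen to exercise both checks.

```python
"""Decode IDN (punycode) hostnames in URLs and flag mixed-script labels.

Added example, not code from the Trend Micro post. The sample URLs below are
constructed for this demonstration and are not the spam run's real links.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: a plain ASCII host, a real Cyrillic-script host on the
# .рф TLD (xn--p1ai), and a look-alike of walmart.com whose first 'a' is the
# Cyrillic letter U+0430. Python's 'idna' codec produces the xn-- form.
CYRILLIC_HOST = "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444".encode("idna").decode("ascii")
LOOKALIKE_HOST = "w\u0430lmart.com".encode("idna").decode("ascii")
SAMPLE_URLS = [
    "http://www.example.org/news/ask-index.php",
    "http://" + CYRILLIC_HOST + "/news/ask-index.php",
    "http://" + LOOKALIKE_HOST + "/news/ask-index.php",
]


def decode_idn_host(host):
    """Return the Unicode form of a host; labels without xn-- pass through."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            # The 'punycode' codec works on the label body after the xn-- prefix.
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # unicodedata.name() yields e.g. 'CYRILLIC SMALL LETTER A'; the
            # first word is a usable script name for this heuristic.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_url(url):
    """Classify one URL: is the host an IDN, and do any labels mix scripts?"""
    host = urlsplit(url).hostname or ""
    decoded = decode_idn_host(host)
    mixed = [lbl for lbl in decoded.split(".") if len(scripts_in(lbl)) > 1]
    return {
        "url": url,
        "host": host,
        "decoded": decoded,
        "is_idn": decoded != host,
        "mixed_script_labels": mixed,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        r = inspect_url(url)
        if r["mixed_script_labels"]:
            flag = "MIXED-SCRIPT"
        elif r["is_idn"]:
            flag = "IDN"
        else:
            flag = "ok"
        print(f"{flag:13} {r['host']:32} -> {r['decoded']}")
```

A genuine Cyrillic domain decodes cleanly to a single script and only earns the "IDN" flag, which is worth a closer look in a Walmart-themed mail but is not proof of anything by itself; a label that mixes Latin and Cyrillic letters after decoding is the homograph case and is worth blocking outright. The script-name heuristic uses the first word of the Unicode character name, which is good enough for Latin/Cyrillic/Greek confusables but is not a full UTS #39 confusable check.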


#942 AplusWebMaster

Posted 21 May 2013 - 07:19 AM

FYI...

Fake NATO jobs SPAM ...
- http://blog.webroot....ersonates-nato/
May 21, 2013 - "Want to join the North Atlantic Treaty Organization (NATO)?... you’d be involuntarily sharing your information with what looks like an intelligence gathering operation...
Sample screenshot of the -fake- NATO Employment Application Form:
> https://webrootblog....application.png
    A copy of the -fake- NATO Employment Application Form
> http://webrootblog.f...cation-form.pdf
    A copy of the -fake- NATO Interview Form
> http://webrootblog.f...erview-form.pdf
... NATO impersonating domain name reconnaissance:
nspa-nato.int.tf – 188.40.117.12; 188.40.70.27; 188.40.70.29
Name server: ns1.idnscan .net
Name server: ns2.idnscan .net
usnato-hr.org – 208.91.198.24
Name Server: DNS1.SPIRITDOMAINS .COM
Name Server: DNS2.SPIRITDOMAINS .COM
... We know that on 2013-05-10 07:01:46 CET, responding to the same IP (188.40.117.12) was also the following Black Hole Exploit Kit redirecting URLs...
Always watch where you apply and be aware of offers which sound too good to be true."
(More detail at the webroot URL above.)
___

Fake Delivery_Information_ID-000512430489234.zip
- http://blog.dynamoo....0489234zip.html
21 May 2013 - "The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German)... best guess is that it is a fake package delivery report. So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion .de/get/Delivery_Information_ID-000512430489234.zip
The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47* and has the following checksums:
MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
The Anubis report is pretty inconclusive but ThreatTrack reports** [pdf] some peer-to-peer traffic and also some rummaging around the Windows Address Book (WAB)."
* https://www.virustot...sis/1369127051/
File name: Delivery_Information_ID-000512453420234.Pdf______________________...
Detection ratio: 23/47
Analysis date:     2013-05-21
** http://www.dynamoo.c...e89cdadc1fc.pdf
___

Malicious eFax Corporate Spam
- http://threattrack.t...-corporate-spam
21 May 2013 - "Subjects Seen:
    Corporate eFax message from [removed]
Typical e-mail details:
    You have received a 3 fax at 2013-05-07 10:24:18 CST.
    * The reference number for this fax is [removed].
    Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail.efax.com.
    Thank you for using the eFax Corporate service!


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    debthelpsmart .org/ponyb/gate.php
    debtsmartretirement .com/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe


Screenshot: https://gs1.wac.edge...C2PH1qz4rgp.png
___

Oklahoma tornado charitable organization scams, malware, and phishing
- https://isc.sans.edu...l?storyid=15854
Last Updated: 2013-05-21 17:09:55 UTC - "... Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has -not- been around for very long. There are many legit charities, I would recommend sticking to ones you are already familiar with. The American Red Cross for example has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma. Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people, however I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to be the subject line of phishing, malware, and scammers..."
___

prospectdirect .org SPAM
- http://blog.dynamoo....ctorg-spam.html
21 May 2013 - "Everything that this spammer says is a lie:
    From:     Emily Norton [emily.norton @prospectdirect .org]
    To:     [redacted]
    Date:     21 May 2013 16:33
    Subject:     Cater to your email marketing needs
    Signed by:     prospectdirect .org
    Hello,
    I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.
    The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.
    If you would like a quote please complete this form: http ://prospectdirect .org/email-marketing-strategy
    Leave your details at the link above or reply with any requirements.
    Kind Regards,
    Emily Norton
    75 Glandovey Terrace, Newquay, Cornwall TR8 4QD
    Tel: 0843 289 4698
    This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here
http ://www.prospectdirect .org/landing/page.php?jq=[snip]

 

Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does -not- exist, and the telephone number of 0843 289 4698 appears to belong to a completely -unrelated- company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct". The website prospectdirect .org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope, Netherlands). There are no contact details on the website and there is no identifying information at all... it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.
> https://lh3.ggpht.co...pect-direct.png
I would recommend giving these spammers a wide berth given their catalogue of lies."
 



Edited by AplusWebMaster, 21 May 2013 - 02:45 PM.



#943 AplusWebMaster

Posted 22 May 2013 - 11:59 AM

FYI...

Malicious ADP Spam
- http://threattrack.t...dp-invoice-spam
22 May 2013 - "Subjects Seen:
    Invoice #[removed] - Remit file
Typical e-mail details:
    Attached is the invoice (ADP_Invoice_[removed].zip) received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices @adp .com.
    For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you ,
    Automatic Data Processing, Inc...


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    10healthynails .com/ponyb/gate.php
    advprintgraphics .com/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe

Malicious File Name and MD5:
    ADP_Invoice_[removed].zip (638d32dc80678f17609fe21dF73c6f6d)
    ADP_Invoice_[removed].exe (a8aab9bcd389348823b77b090fb0afcc)
    uszyly.vxe (707423e64a6ab41d694a9e1d8e823d292)

Screenshot: https://gs1.wac.edge...yMJg1qz4rgp.png
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Purchase Order E-mail Messages - 2013 May 22
Fake Xerox Scan Attachment E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Document Sharing E-mail Messages - 2013 May 22
Fake Facebook Voice Comment E-mail Message - 2013 May 22
Fake DHL Order Tracking Notification E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Check Return Notification E-mail Messages - 2013 May 22
Fake Picture Link E-mail Messages - 2013 May 22
Fake Money Transfer Notification E-mail Messages - 2013 May 22
Fake Invoice Statement Attachment E-mail Messages - 2013 May 22
Fake Product Order E-mail Messages - 2013 May 22
Fake Holiday Photo Sharing Request E-mail Messages - 2013 May 22
Fake Scanned Document Attachment E-mail Messages -  2013 May 22
Fake Payment Request Notification E-mail Messages - 2013 May 22
(More detail and links at the cisco URL above.)
 



Edited by AplusWebMaster, 22 May 2013 - 03:44 PM.

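The ThreatTrack "Malicious URLs" lists in the Wells Fargo, eFax and ADP posts above, together with Dynamoo's 62.76.184.0/21 advice and the ISC note on .su/.cc, are only useful if somebody actually runs them against traffic. The script below is an added example, not code from ThreatTrack, Dynamoo or the ISC: it takes the indicator sets quoted in those posts and matches them against squid-style proxy log lines, by hostname, by destination IP, by the recurring callback paths (/ponyb/gate.php and /forum/viewtopic.php), by CIDR range and by TLD. The log lines are constructed for the demonstration; the client addresses, timestamps and the example.org line are assumptions.

```python
"""Match web-proxy log lines against the callback indicators quoted above.

Added example, not code from ThreatTrack, Dynamoo or the ISC. The indicator
sets are copied from the Wells Fargo, eFax and ADP lists in these posts; the
log lines are constructed in squid access.log format for this demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts and IPs quoted in the ThreatTrack/Dynamoo lists above.
IOC_HOSTS = {
    "mail.yaklasim.com", "ryulawgroup.com",
    "mylifestylestormproducts.com", "mysafefloridahomelife.com",
    "debthelpsmart.org", "debtsmartretirement.com",
    "10healthynails.com", "advprintgraphics.com",
}
IOC_IPS = {"116.122.158.195", "50.63.222.182", "69.89.21.99", "212.58.4.13"}
# Callback paths that recur across those lists.
IOC_PATH_RE = re.compile(r"/(ponyb/gate\.php|forum/viewtopic\.php)$")
# Dynamoo's suggestion to block the 62.76.184.0/21 range wholesale.
IOC_NETS = [ipaddress.ip_network("62.76.184.0/21")]
# The ISC diary's observation about .su and .cc domains.
SUSPECT_TLDS = {"su", "cc"}

# Constructed squid-style lines: time, elapsed, client, status, bytes, method,
# URL, ident, hierarchy/destination IP, content type. Only line 1 is benign.
SAMPLE_LOG = """\
1368718128.001 120 10.0.0.5 TCP_MISS/200 4312 GET http://www.example.org/index.html - HIER_DIRECT/192.0.2.10 text/html
1368718128.002 300 10.0.0.5 TCP_MISS/200 612 POST http://mail.yaklasim.com:8080/ponyb/gate.php - HIER_DIRECT/116.122.158.195 text/html
1368718128.003 250 10.0.0.7 TCP_MISS/200 98304 GET http://50.63.222.182/GGBG2H.exe - HIER_DIRECT/50.63.222.182 application/octet-stream
1368718128.004 90 10.0.0.9 TCP_MISS/302 0 GET http://rockingworldds.net/sword/in.cgi?6 - HIER_DIRECT/62.76.190.11 text/html
1368718128.005 80 10.0.0.9 TCP_MISS/200 700 GET http://emstats.su/stat - HIER_DIRECT/178.63.172.88 text/html
"""


def match_line(line):
    """Return the list of indicator classes one log line trips (empty if clean)."""
    fields = line.split()
    if len(fields) < 10:
        return []
    url, hier = fields[6], fields[8]
    dest_ip = hier.split("/", 1)[1]        # "HIER_DIRECT/1.2.3.4" -> "1.2.3.4"
    parts = urlsplit(url)
    host = parts.hostname or ""            # lowercased; an IP literal stays as-is
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    if host in IOC_IPS or dest_ip in IOC_IPS:
        reasons.append("ioc-ip")
    if IOC_PATH_RE.search(parts.path):
        reasons.append("ioc-path")
    try:
        if any(ipaddress.ip_address(dest_ip) in net for net in IOC_NETS):
            reasons.append("ioc-net")
    except ValueError:
        pass  # hierarchy field did not carry a literal IP (e.g. a parent proxy)
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        reasons.append("suspect-tld")
    return reasons


def scan(log_text):
    """Run match_line over every line and keep only the hits with their client."""
    hits = []
    for line in log_text.splitlines():
        reasons = match_line(line)
        if reasons:
            fields = line.split()
            hits.append({"client": fields[2], "url": fields[6], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], ",".join(hit["reasons"]), hit["url"])
```

Matching on the destination IP from the hierarchy field as well as on the hostname is what catches the EXE download from a bare IP and the redirect into the 62.76.184.0/21 range even when the hostname is new. The .su/.cc check is deliberately a separate, lower-confidence class so it can be reported without being blocked outright; the path regex fires on the gate.php/viewtopic.php callbacks regardless of which of the rotating hosts they come from.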


#944 AplusWebMaster

Posted 23 May 2013 - 05:49 AM

FYI...

Spear-phish e-mails lead to APT
- https://atlas.arbor....dex#-1950400672
Elevated Severity
May 22, 2013
Yet another targeted attack is dissected. Password theft was one of the motivating factors in the campaign.
Analysis: Well-crafted spear-phish e-mails were sent to the victim organizations. These spear phish included exploit code for patched vulnerabilities in Microsoft Office and also delivered bait files of interest to the target. In some cases, the bait files contain exploit code and in other cases they merely serve as a distraction. This is a tried-and-true method in wide use by cybercriminals and nation-state espionage actors. Once the malware is installed, credential theft applications can be used. The document provided by Trend includes various Indicators of Compromise (IOCs) that organizations can use to help detect if they have been or are currently a victim. Additionally, domains used for malicious purposes are sometimes re-used at a later time, so keeping an eye on DNS logs and HTTP activity can help spot a new campaign re-using older infrastructure.
Source: http://www.trendmicr...eted-threat.pdf

- http://blog.trendmic...w-apt-campaign/
"... The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158*)..."
* https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH) - MS12-027

- https://www.net-secu...ews.php?id=2500
May 20, 2013 - "... Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures..."
___

Fake ‘Export License/Payment Invoice’ emails lead to malware
- http://blog.webroot....ead-to-malware/
May 23, 2013 - "... just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals. More details:
Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 * ... Trojan.Win32.Inject.foiq; Trojan.Zbot.
Once executed, the sample starts listening on port 28723...
It then phones back to the following C&C servers:
213.230.101.174 :11137
87.203.65.0 :12721
180.241.97.79 :16114
83.7.104.50 :13647
84.59.222.81 :10378
194.94.127.98 :25549
98.201.143.22 :19595
78.139.187.6 :14384
180.183.178.134 :20898

We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns... As well as 78.139.187.6 ... We’re aware of more MD5s that phoned back to the same IPs over the last couple of days..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1369151297/
File name: invoice copy.exe
Detection ratio: 33/47
Analysis date:     2013-05-21
___

Fake FBI Ransomware - spikes...
- http://blog.webroot....king-worldwide/
May 23, 2013 - "Recently we have seen a spike of this ransomware in the wild as it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you -pay- to unblock your computer. Once infected, a warning similar to the one below* will take up your entire screen in such a way that you can’t get around it, thus effectively blocking you from accessing your files, programs or anything else on your computer. To further scare you into believing that you’ve been caught in illegal activity, your IP address, rough location, internet service provider, operating system and webcam image may be displayed.
* https://webrootblog....erdiv.png?w=869
To ensure maximum profits, the malware writers made sure that everyone understood their warning and payment instructions by localizing the infection around the world... there are variants of this infection that will encrypt your files so even after the infection is removed, documents, pictures and many other files on the hard drive will be inaccessible. Once the files are encrypted it can be very difficult or impossible to restore the original unencrypted versions. To avoid data loss, we strongly suggest periodically backing up your data... The infection executable may be located in the AppData, Temp, or User Profile directories and typically loads by adding itself to the Run keys or by modifying the Winlogon Shell entry. In some cases it may load using only a shortcut that’s placed in the Startup folder..."
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 23 May 2013 - 12:13 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
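The DNS-log suggestion in the Trend Micro analysis above and the C&C IP:port lists in the Webroot write-up can both be turned into an automated check. What follows is an added example, not code from any of the quoted reports or from this thread: a Python script that parses a blocklist written in the defanged notation these posts use ("host .tld", "IP :port", "hxxp ://", "[donotclick]"), then runs DNS, connection and proxy log lines against it. It goes a little beyond the lists above in also accepting CIDR ranges and matching subdomains of a listed domain. Every indicator, hostname and log line below is constructed for the demonstration; the field names `query=`, `dst=` and `url=` are an assumed log format.

```python
import ipaddress
import re

# Constructed blocklist in the defanged notation these reports use.
# Every entry is made up for the demonstration; none comes from the posts.
BLOCKLIST_TEXT = """
# C&C host:port pairs, in the "IP :port" form used above
203.0.113.45 :11137
203.0.113.45 :25549
# a whole range, as in the /24 blocklists
198.51.100.0/24
# domains with the TLD split off by a space
example-bad .org
www. mailer-bad .tv
# a full payload URL
[donotclick]hxxp ://payload.example-bad .net/closest/gate.php
"""

# Constructed DNS / connection / proxy log lines (assumed format, not real traffic).
LOG_LINES = [
    "2013-05-29T10:02:11Z dns  client=10.0.0.5 query=mailer.example-bad.org type=A",
    "2013-05-29T10:02:12Z conn client=10.0.0.5 dst=203.0.113.45:11137 proto=tcp",
    "2013-05-29T10:02:13Z conn client=10.0.0.7 dst=198.51.100.77:443 proto=tcp",
    "2013-05-29T10:02:14Z dns  client=10.0.0.9 query=www.example.com type=A",
    "2013-05-29T10:02:15Z http client=10.0.0.9 url=http://payload.example-bad.net/closest/gate.php",
    "2013-05-29T10:02:16Z conn client=10.0.0.5 dst=203.0.113.45:80 proto=tcp",
]

# optional scheme, then host (optionally with a /prefix for CIDR), then optional :port
HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+(?:/\d{1,2})?)(?::(\d+))?")
# the log fields that carry a destination name, address or URL
FIELD_RE = re.compile(r"\b(?:query|dst|url)=(\S+)")


def refang(entry):
    """Turn a defanged indicator back into a machine-matchable string."""
    entry = entry.replace("[donotclick]", "").strip()
    entry = re.sub(r"^hxxp", "http", entry)
    # drop the whitespace inserted around '.', ':' and '/'
    return re.sub(r"(?<=[.:/])\s+|\s+(?=[.:/])", "", entry)


def parse_blocklist(text):
    """Return (networks, domains, ports) from a defanged blocklist."""
    networks, domains, ports = [], set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = HOST_RE.match(refang(line))
        if not m:
            continue
        host, port = m.group(1), m.group(2)
        try:
            # single IPs become /32 networks, CIDRs stay as given
            networks.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            domains.add(host.lower().rstrip("."))
        if port:
            ports.setdefault(host, set()).add(int(port))
    return networks, domains, ports


def ip_hit(host, networks):
    """The listed network containing `host`, or None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def domain_hit(host, domains):
    """The listed domain equal to `host` or a parent of it, or None."""
    name = host.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):   # subdomains count too
            return d
    return None


def scan_line(line, iocs):
    """Return [(observed_host, matched_indicator), ...] for one log line."""
    networks, domains, _ports = iocs
    hits = []
    for value in FIELD_RE.findall(line):
        m = HOST_RE.match(value)
        if not m:
            continue
        host = m.group(1).split("/")[0]           # a log value never carries a CIDR
        hit = ip_hit(host, networks) or domain_hit(host, domains)
        if hit:
            hits.append((host, hit))
    return hits


def scan(lines, iocs):
    """Return [(line_number, line, hits)] for every line that matches."""
    return [(n, line, hits) for n, line in enumerate(lines, 1)
            if (hits := scan_line(line, iocs))]


if __name__ == "__main__":
    for n, line, hits in scan(LOG_LINES, parse_blocklist(BLOCKLIST_TEXT)):
        print(f"line {n}: {hits}\n    {line}")
```

A host listed with ports (the "IP :port" form) is flagged on any port, because the port numbers in these reports change between samples while the address is the stable part; the parsed port set is kept only for context in the report.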


#945 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,913 posts

Posted 24 May 2013 - 09:44 AM

FYI...

Malicious UPS Spam
- http://threattrack.t...icious-ups-spam
24 May 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe

Malicious File Name and MD5:
    UPS_Label_[removed].zip (667cf9590337d47f8c23053a8b2480a1)
    UPS_Label_[removed].exe (1ef1438e2f2273ddbaf543dcdbaea5b1)
    73036718.exe (c7e0c3d8b14e8755d32e27051d0e6477)

ThreatAnalyzer Report: http://db.tt/gTlNJnGy

Screenshot: https://gs1.wac.edge...eaHb1qz4rgp.png
___

Bank of America Credentials Phish
- http://threattrack.t...edentials-phish
24 May 2013 - "Subjects Seen:
    Bank of America alert: Your account has been locked
Typical e-mail details:
    There are a number of invalid login attempts on your account. We had to believe that, there might be some security problems on your account. So we have decided to put an extra verification process to ensure your identity and your account security.
    Please click here to continue the verification process and ensure your account security.


Malicious URLs
    radiojetaislame .com/images/safe5


Screenshot: https://gs1.wac.edge...7cwo1qz4rgp.png
___

Fake Chase "Incoming Wire Transfer" SPAM / incoming_wire_05242013.zip
- http://blog.dynamoo....nsfer-spam.html
24 May 2013 - "This fake Chase "Incoming Wire Transfer" email has a malicious attachment...
    Date:      Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
    From:      Chase [Chase @emailinfo.chase .com]
    Subject:      Incoming Wire Transfer
    Note: This is a service message with information related to your Chase account(s)...


Screenshot: https://lh3.ggpht.co...s1600/chase.png

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal*. The ThreatTrack report** [pdf] and ThreatExpert report*** show various characteristics of this malware, in particular a callback to the following IPs and domains:
116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1 .com

Checksums are as follows:
MD5    f9182e5f13271cefc2695baa11926fab
SHA1    b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256    0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d
* https://www.virustot...sis/1369405971/
File name: incoming_wire_05242013.exe
Detection ratio: 9/47
Analysis date:     2013-05-24

** http://www.dynamoo.c...baa11926fab.pdf

*** http://www.threatexp...2695baa11926fab
___

Compromised Indian gov't Web site leads to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
May 24, 2013 - "Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns...
Sample screenshot of the affected Web site:
> https://webrootblog....loit_kit_01.png
Sample compromised URLs:
hxxp ://sisijaipur .gov.in/cluster_developement.html
hxxp ://msmedijaipur .gov.in/cluster_developement.html
Detection rate for the malicious script: MD5: 44a8c0b8d281f17b7218a0fe09840ce9 * ... Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf.
Malicious domain names/redirectors reconnaissance:
888-move-stuff .com – 50.63.202.21 – Email: van2move @yahoo .com
888movestuff .com – 208.109.181.190 – Email: van2move @yahoo .com
jobbelts .com (redirector/C&C) – 98.124.198.1 – Email: aanelli @yahoo .com
More malicious domains are known to have been responding to the same IP in the past (98.124.198.1)... MD5s are also known to have phoned back to the same (redirector/C&C) IP in the past... phoning back to vnclimitedrun .in:443 (199.59.166.86). In 2012, the same IP was also seen in a malvertising campaign..."
* https://www.virustot...sis/1369337259/
File name: Indian.html
Detection ratio: 24/47
Analysis date:     2013-05-23
 

:grrr: :ph34r:


Edited by AplusWebMaster, 24 May 2013 - 12:39 PM.



#946 AplusWebMaster


Posted 27 May 2013 - 06:11 PM

FYI...

Fake Citibank SPAM / Statement 57-27-05-2013.zip
- http://blog.dynamoo....05-2013zip.html
27 May 2013 - "This fake Citibank email has a malicious attachment:
    Date:      Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
    From:      Millard Hinton [leftoverss75 @gmail .com]
    Subject:      Merchant Statement
    Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
    Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly...


The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46*. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report** [pdf] is more comprehensive, noting some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis*** is that this is a Zbot variant. For the record, these are the checksums involved:
MD5    0bbf809dc46ed5d6c9f1774b13521e72
SHA1    9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256    00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
* https://www.virustot...sis/1369679734/
File name: Statement 57-27-05-2013.exe
Detection ratio: 12/47
Analysis date:     2013-05-27
** http://www.dynamoo.c...74b13521e72.pdf

*** http://www.simseer.c...9f1774b13521e72
 

:grrr: :ph34r:




#947 AplusWebMaster


Posted 28 May 2013 - 06:46 AM

FYI...

Something evil on 158.255.212.96 and 158.255.212.97
- http://blog.dynamoo....521296-and.html
28 May 2013 - "The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example* for fussball-gsv .de). These two** examples*** report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware... In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so... I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=2705726

** http://urlquery.net/....php?id=2705607

*** http://urlquery.net/....php?id=2515019
___

fab .com SPAM
[Via the WeAreSpammers blog]
- http://blog.dynamoo....abcom-spam.html
28 May 2013 - "I've never heard of fab .com before, but online comments are very negative*.  Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab .com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab .com on 184.73.196.153 (Amazon .com, US). Avoid."
From: Fab [info@eu.fab .com]
To: donotemail @wearespammers .com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx @gmail .com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru .com
Signed by: eu.fab .com
* https://www.google.c...="fab.com" spam
___

BANKER Malware hosted in compromised Brazilian gov't sites
- http://blog.trendmic...vernment-sites/
28 May 2013 - "Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof.  Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers... 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.
> http://blog.trendmic..._percountry.jpg
The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) in the system’s temporary folder. The executable file modifies the Windows registry to lower the system’s security settings, and ultimately loads the .GIF file. The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others. The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator rights. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif... Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game..."
 

:grrr: :ph34r:


Edited by AplusWebMaster, 28 May 2013 - 11:23 AM.



#948 AplusWebMaster


Posted 29 May 2013 - 06:57 AM

FYI...

Ruby on Rails attack installs bot ...
- http://h-online.com/-1872588
29 May 2013 - "Over the past few days, criminals have increasingly attempted to compromise servers via a security hole in the Ruby on Rails (RoR) web application framework. Successful intruders install a bot that waits for further instructions on an IRC channel. On his blog*, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE-2013-0156**. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby... The bot appears in the process list as "– bash". When launched, it also creates a file called /tmp/tan.pid to ensure that only one instance of the bot will be executed. Those who run a server with Ruby on Rails should always make sure to have the current RoR version installed. The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18."
* http://jarmoc.com/bl...56-in-the-wild/
"... Exploit activity is reportedly sourcing from * 88.198.20.247 * 95.138.186.181 * 188.190.126.105..."

** https://web.nvd.nist...d=CVE-2013-0156 - 7.5 (HIGH)

*** http://rubyonrails.org/download

- http://atlas.arbor.n...ndex#-789014484
Elevated Severity
May 30, 2013 - "... Monitoring for outbound connections to IRC ports on cvv4you .ru, 188.190.124.120, 188.190.124.81 is recommended to find compromised systems that may still be at risk..."
___

Fake Citibank emails serve malware ...
- http://blog.webroot....-serve-malware/
May 29, 2013 - "Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....ent_malware.png
Detection rate for the malicious executable – MD5: 0bbf809dc46ed5d6c9f1774b13521e72 * ... Trojan-Spy.Win32.Zbot.lvpo.
Once executed, the sample starts listening on port 12674. It then drops the following MD5s on the affected hosts:
MD5: 6044cc337b5dbf82f8746251a13f0bb2
MD5: d20d915dbdcb0cca634810744b668c70
MD5: 758498d6b275e58e3c83494ad6080ac2 ...
It then phones back to the following C&C servers:
78.161.154.194 :25633
186.29.77.250 :18647
190.37.115.43 :29609
187.131.8.1 :13957
181.67.50.91 :27916
8.161.154.194
186.29.77.250
190.37.115.43
187.131.8.1
181.67.50.91
84.59.222.81
211.209.241.213
108.215.44.142
122.163.41.96
99.231.187.238
89.122.155.200
79.31.232.136
142.136.161.103
63.85.81.254
98.201.143.22
110.164.140.144
195.169.125.228
190.83.222.173
96.29.242.234
178.251.75.50
199.21.164.167
180.92.159.2
213.43.242.145
94.240.224.115
2.187.51.145
208.101.114.115
50.97.98.134
41.99.119.243
197.187.33.59
79.106.11.64
178.89.68.255
190.62.162.200
165.98.119.94
94.94.211.18
..."
(More details at the webroot URL above.)
* https://www.virustot...06400/analysis/
File name: Statement 57-27-05-2013.exe
Detection ratio: 32/47
Analysis date:     2013-05-29
___

University of Illinois CS department compromised
- http://blog.dynamoo....department.html
29 May 2013 - "There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc .edu, croft.cs.illinois .edu, tsvi-pc.cs.uiuc .edu, mirco.cs.uiuc .edu, ytu-laptop.cs.uiuc .edu, node3-3105.cs.uiuc .edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):
128.174.240.37 ...
128.174.240.52 ...
128.174.240.53 ...
128.174.240.74 ...
128.174.240.153 ...
128.174.240.213 ..."

(More domains listed at the dynamoo URL above.)
___

Malware sites to block 29/5/13
- http://blog.dynamoo....lock-29513.html
29 May 2013 - "These domains and IP addresses are connected to this malware spam run* and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian). It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist of IPs for copy-and-pasting... You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm...
Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83
..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo....t-unioncom.html
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 29
Malicious Personal Pictures Attachment E-mail Messages - 2013 May 29
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 29
Fake Invoice Statement Attachment E-mail Messages - 2013 May 29
Fake Sample Product Offering E-mail Messages - 2013 May 29
Fake Bank Account Statement E-mail Messages - 2013 May 29
Fake Order Invoice Notification E-mail Messages - 2013 May 29
Fake Billing Statement E-mail Messages - 2013 May 29
Fake Credit Card Fraud Alert E-mail Messages - 2013 May 29
Fake Bank Deposit Notification E-mail Messages - 2013 May 29
Fake Payment Transfer Notification E-mail Messages - 2013 May 29
Fake Purchase Order Request E-mail Messages - 2013 May 29
Fake Product Quote Inquiry E-mail Messages - 2013 May 29
(Links with more detail available at the cisco URL above.)
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 31 May 2013 - 01:16 PM.

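For the Ruby on Rails item above, here is an added example that is not from the h-online article or from Jeff Jarmoc's post: a Python check that reads the pinned rails version out of a Gemfile.lock, compares it with the current releases the article names (3.2.13, 3.1.12, 2.3.18), and looks for the two host-side signs it describes, the "– bash" process name and the /tmp/tan.pid file. The Gemfile.lock fragment and the ps output are constructed; the observation that a genuine login shell is listed as "-bash" with no space, which is what makes the bot's name worth matching on, is my assumption rather than something the article states.

```python
import os
import re

# Current Ruby on Rails releases as named in the h-online item, keyed by branch.
# Branches not in this table get no verdict; nothing beyond the article is assumed.
CURRENT_RELEASES = {"3.2": "3.2.13", "3.1": "3.1.12", "2.3": "2.3.18"}

# Constructed Gemfile.lock fragment (not from a real project).
SAMPLE_GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (3.2.11)
    rails (3.2.11)
      actionpack (= 3.2.11)
      railties (= 3.2.11)
    railties (3.2.11)

DEPENDENCIES
  rails (= 3.2.11)
"""

# Constructed `ps -eo pid,args` output: a normal login shell ("-bash", no space)
# and the "\u2013 bash" name the article says the bot uses (dash, space, bash).
SAMPLE_PS = """\
  PID COMMAND
 1001 -bash
 2048 \u2013 bash
 2100 /usr/bin/ruby script/rails s -p 3000
"""


def parse_version(v):
    """'3.2.11' -> (3, 2, 11) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def rails_version_from_lock(lock_text):
    """Version pinned for the `rails` gem in a Gemfile.lock (None if absent)."""
    m = re.search(r"^\s+rails \(([\d.]+)\)\s*$", lock_text, re.MULTILINE)
    return m.group(1) if m else None


def check_rails(version):
    """Compare a Rails version with the current release of its branch.

    Returns (status, detail); status is "current", "outdated" or
    "unknown-branch" when CURRENT_RELEASES has no entry for that branch.
    """
    branch = ".".join(version.split(".")[:2])
    current = CURRENT_RELEASES.get(branch)
    if current is None:
        return "unknown-branch", f"no current release recorded for {branch}.x"
    if parse_version(version) >= parse_version(current):
        return "current", f"{version} is at or above {current}"
    return "outdated", f"{version} is older than {current}; upgrade"


def bot_process_indicators(ps_text):
    """PIDs whose command is a dash, a space and 'bash'.

    Assumption: a real login shell shows as '-bash' with no space, so the
    spaced form from the article is the thing to flag.
    """
    flagged = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        pid, _, cmd = line.strip().partition(" ")
        if re.fullmatch(r"[-\u2013] bash", cmd):
            flagged.append(int(pid))
    return flagged


def audit(lock_text, ps_text, pid_file_exists):
    """Combine the three checks into one report dict."""
    version = rails_version_from_lock(lock_text)
    report = {
        "rails": check_rails(version) if version else ("unknown", "no rails pin found"),
        "bot_processes": bot_process_indicators(ps_text),
        "tan_pid_present": pid_file_exists,
    }
    return report


if __name__ == "__main__":
    # On a real host you would feed it the project's Gemfile.lock and live ps output.
    print(audit(SAMPLE_GEMFILE_LOCK, SAMPLE_PS, os.path.exists("/tmp/tan.pid")))
```

The version check deliberately reports "unknown-branch" rather than "current" for a branch the article does not list; a silent pass on an unlisted branch would be the wrong default for a check whose purpose is to catch stale installs.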


#949 AplusWebMaster


Posted 30 May 2013 - 04:25 PM

FYI...

Fake ADP Funding Notification - Debit Draft
- http://threattrack.t...ion-debit-draft
May 30, 2013 - "Subjects Seen:
    ADP Funding Notification - Debit Draft
    ADP Invoice Reminder

Typical e-mail details:
    Your Transaction Report(s) have been uploaded to the web site:
    https :/ /www.flexdirect. adp .com/client/login.aspx
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    Thank You,
    ADP Benefit Services


Malicious URLs
    www .primolevi .gov.it/andromeda/index.html
    annbrauner .com/yeltsin/index.html
    www. omegaservice .it/ulcerate/index.html
    www. sweethomesorrento .it/unwell/index.html
    www. italtrike .tv/tomboys/index.html
    kalimat.egyta .com/swearer/titan.js
    www. asitecsrl .com/servicemen/ethic.js
    www. mbbd .it/dzerzhinsky/bewilders.js
    4rentcoloradosprings .com/news/cross_destroy-sets-separate.php


Screenshot: https://gs1.wac.edge...1bxv1qz4rgp.png
___

Fake ADP SPAM / 4rentconnecticut .com and 174.140.171.233
- http://blog.dynamoo....cutcom-and.html
30 May 2013 - "These fake ADP spams lead to malware on 4rentconnecticut .com:
    Date:      Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
    From:      "ADPClientServices @adp .com" [ADPClientServices @adp .com]
    Subject:      ADP Funding Notification - Debit Draft
    Your Transaction Report(s) have been uploaded to the web site:
    https ://www.flexdirect .adp.com/client/login.aspx
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    Thank You,
    ADP Benefit Services
    ====================
    Date:      Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
    From:      ADP Inc [ADP_FSA_Services @ADP .com]
    Subject:      ADP Invoice Reminder
    Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
    To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
    Total amount due by May 31, 2013
    $26062.29
    If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
    Questions about your bill?
    Contact David Nieto by Secure Mail.
    Note: This is an automated email. Please do not reply.


The link in the email goes to a legitimate -hacked- site and then tries to load three different scripts, currently:
[donotclick]kalimat.egyta .com/swearer/titan.js
[donotclick]www.asitecsrl .com/servicemen/ethic.js
[donotclick]www.mbbd .it/dzerzhinsky/bewilders.js
From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut .com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server* and VirusTotal also reports several malicious URLs**. It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate against this problem..."
* http://urlquery.net/...13-05-30&max=50
** https://www.virustot...33/information/
___

Fake NewEgg .com SPAM / 174.140.171.233
- http://blog.dynamoo....4140171233.html
30 May 2013 - "This fake NewEgg.com spam leads to malware on 174.140.171.233:
    Date:      Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
    From:      Newegg [info @newegg .com]
    Subject:      Newegg.com - Payment  Charged...


Screenshot: https://lh3.ggpht.co...600/newegg2.png

The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack*. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server."
* http://blog.dynamoo....cutcom-and.html
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Report Summary E-mail Messages - 2013 May 30
Fake Scanned Document Attachment E-mail Messages - 2013 May 30
Fake Contract Document Information E-mail Messages - 2013 May 30
Fake Product Supply Quote E-mail Messages - 2013 May 30
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 30
Malicious Attachment E-mail Messages - 2013 May 30
Fake Business Complaint Notification E-mail Messages - 2013 May 30
Fake Payroll Report E-mail Messages - 2013 May 30
Fake Product Supply Request E-mail Messages - 2013 May 30
(Links and more detail at the cisco URL above.)
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 30 May 2013 - 06:05 PM.



#950 AplusWebMaster


Posted 31 May 2013 - 05:50 AM

FYI...

Fake Vodafone SPAM serving malware in the wild ...
- http://blog.webroot....ng-in-the-wild/
May 31, 2013 - "We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K., in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal...
Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 * ... VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.
Once executed, the sample creates an Alternate Data Stream (ADS) –
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe:Zone.Identifier, as well as installs itself at Windows startup.
It then creates the following files on the affected hosts:
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe
C:\DOCUME~1\User\LOCALS~1\Temp\IMG.JPEG.exe
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\wbem\wbemdisp.TLB ...
It then phones back to the following C&C server:
85.143.166.158 /fexco/com/index.php ..."
* https://www.virustot...38678/analysis/
File name: IMG 9857648740.JPEG.exe
Detection ratio: 29/47
Analysis date:     2013-05-29

- http://centralops.ne...ainDossier.aspx
85.143.166.158
canonical name     webcluster.oversun.clodo .ru.
addresses 62.76.181.230 * 62.76.181.229
inetnum: 85.143.164.0 - 85.143.167.255
descr:   192012, St.Petersburg
country: RU
___

Medfos sites to block 31/5/13
- http://blog.dynamoo....lock-31513.html
31 May 2013 - "The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans* (this** one*** in particular):
84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
...
The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here****."
* http://www.microsoft...me=Win32/Medfos

** https://www.virustot...fb399/analysis/

*** http://www.threatexp...921cabf331d1e39

**** http://pastebin.com/L9UuMAC7
___

USSR old domain name attracts cybercriminals
- https://www.nytimes....cker-haven.html
May 31, 2013 AP - "... the .su Internet suffix assigned to the USSR in 1990 has turned into a haven for hackers who've flocked to the defunct superpower's domain space to send spam and steal money... other obscure areas of the Internet, such as the .tk domain associated with the South Pacific territory of Tokelau, have been used by opportunistic hackers... The most notorious site was Exposed .su, which purportedly published credit records belonging to President Barack Obama's wife, Michelle, Republican presidential challengers Mitt Romney and Donald Trump, and celebrities including Britney Spears, Jay Z, Beyonce and Tiger Woods. The site is now defunct. Other Soviet sites are used to control botnets — the name given to the networks of hijacked computers used by criminals to empty bank accounts, crank out spam, or launch attacks against rival websites. Internet hosting companies generally eliminate such sites as soon as they're identified. But Swiss security researcher Roman Huessy, whose abuse.ch blog* tracks botnet control sites, said hackers based in Soviet cyberspace can operate with impunity for months at a time. Asked for examples, he rattled off a series of sites actively involved in ransacking bank accounts or holding hard drives hostage in return for ransom — brazenly working in the online equivalent of broad daylight..."

* https://www.abuse.ch/?p=3581
 

:grrr: :ph34r:


Edited by AplusWebMaster, 31 May 2013 - 11:01 AM.





