SPAM frauds, fakes, and other MALWARE deliveries...


1172 replies to this topic

#951 AplusWebMaster (SWI Friend, 8,697 posts)

Posted 01 June 2013 - 07:11 AM

FYI...

NACHA .ZIP file attachment spam
- http://threattrack.t...attachment-spam
June 1, 2013 - "Subjects Seen:
ACH Payment rejected: #<uniq_id>
Typical e-mail details:
Ach payment canceled Transaction ID: #[removed] The ACH transaction, recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
Transaction Status: Rejected Transaction ID: [uniq number removed]
Amount : $
To view more details for this transaction , please check the attached file .
NACHA works to maintain the privacy of any personally identifiable information (name, mailing address, e-mail address, etc.) that may be collected though our Web site. This Web site has security measures in place; however, NACHA does not represent, warrant or guarantee that personal information will be protected against unauthorized access, loss, misuse or alterations. Similarly, NACHA disclaims liability for personal information submitted through this Web site. Users are hereby advised that they submit such personal information at their own risk.
Thank you,
13450 Sunrise Valley Drive
Suite 100 Herndon
VA 20171
© 2013 NACHA - The Electronic Payments Association


Malicious URLs
Spam contains a malicious attachment.


Screenshot: https://gs1.wac.edge...IWMy1qz4rgp.png
___

iOS7 announcement prompts themed ransomware kits
- http://community.web...mware-kits.aspx
May 31, 2013 - "... phishing domain related to the imminent release of the Apple iOS7 Operating System. As gossips circulate news in the wild about iOS7 after the D11 conference... cybercriminals are setting up a foundation for phishing and malicious activities...
ios7news .net - 85.25.20.153 **
> http://community.web...40.sshto004.PNG
... As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound with a binary file that has been uploaded:
> http://community.web...41.sshto003.PNG
... we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news .net). From what we discovered, it seems that this IP address is also used for other phishing domains... The domain "gamingdaily .us" is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife*... both IT news and rumors could be used by the attackers to leverage people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware."
* http://community.web...xploit-kit.aspx
"... The Bleeding Life exploit kit uses exploits which can bypass ASLR and DEP, which means this product could be used successfully against Windows 7 and Windows Vista operating systems...

** https://www.google.c...ic?site=AS:8972


Edited by cnm, 01 June 2013 - 02:48 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
.

#952 AplusWebMaster

Posted 03 June 2013 - 10:29 AM

FYI...

Malicious photo attachment Spam
- http://threattrack.t...attachment-spam
June 3, 2013 - "Subjects Seen:
    Check the attachment you have to react somehow to this picture
Typical e-mail details:
    Hi there ,
    I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??


Malicious File Name and MD5:
    IMG[removed].zip (724bb53c12ebeb9df3e8525c6e1f9052)
ThreatAnalyzer Report: http://www.threattra...x-software.aspx
- http://db.tt/2ZLJo3Wq [PDF]

 

Screenshot: https://gs1.wac.edge...K1JB1qz4rgp.png
___

Fiserv Secure Email Notification Spam
- http://threattrack.t...tification-spam
June 3, 2013 - "Subjects Seen:
    Fiserv Secure Email Notification - [removed]
Typical e-mail details:
    You have received a secure message
    Read your secure message by opening the attachment, SecureMessage_[removed].zip.
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password -  [removed]
    To read the encrypted message, complete the following steps:
    -  Double-click the encrypted message file attachment to download the file to your computer.
    -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    -  The message is password-protected, enter your password to open it.
    To access from a mobile device, forward this message to mobile @res.fiserv.com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly...


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    nourrirnotremonde .org/ponyb/gate.php
    zoecopenhagen .com/ponyb/gate.php
    goldenstatewealth .com/ponyb/gate.php
    190.147.81.28 /yqRSQ.exe
    paulcblake .com/ngY.exe
    207.204.5.170 /PXVYGJx.exe
    netnet-viaggi .it/2L6L.exe


Screenshot: https://gs1.wac.edge...rqkk1qz4rgp.png

- http://blog.dynamoo....ation-spam.html
3 Jun 2013 - "This spam email contains an encrypted ZIP file with password-protected malware.
    Date:      Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
    From:      Fiserv Secure Notification [secure.notification @fiserv .com]
    Subject:      Fiserv Secure Email Notification - IZCO4O4VUHV83W1
    You have received a secure message
    Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password -  Iu1JsoKaQ
    To read the encrypted message, complete the following steps:
     -  Double-click the encrypted message file attachment to download the file to your computer.
     -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
     -  The message is password-protected, enter your password to open it.
    To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly.


Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note that the date is included in that filename).
At the moment the VirusTotal detection rate is a so-so 16/47*. The ThreatTrack analysis** identifies some locations that the malware phones home to:
netnet-viaggi .it
paulcblake .com
74.54.147.146
116.122.158.195
190.147.81.28
194.184.71.7
207.204.5.170
..."

* https://www.virustot...sis/1370289657/
File name: SecureMessage_06032013.exe
Detection ratio: 16/47
Analysis date:     2013-06-03
** http://www.dynamoo.c...f3135add304.pdf
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Secure Message Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Product Order E-mail Messages - 2013 Jun 03
Fake Bank Transfer Notification E-mail Messages - 2013 Jun 03
Fake Customer Complaint Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Order Invoice Notification E-mail Messages - 2013 Jun 03
Fake Payment Confirmation Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Remittance Slip with Invalid Digital Signature E-mail Messages - 2013 Jun 03
Fake Scanned Document Attachment E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Product Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Personal Photos Sharing E-mail Messages - 2013 Jun 03
Fake Purchase Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Proposal E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Processes and Subpoenas Notification E-mail Messages - 2013 Jun 03
(More detail and links available at the cisco URL above.)


Edited by AplusWebMaster, 03 June 2013 - 08:48 PM.

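The Fiserv item above describes the lure exactly: an encrypted ZIP whose password sits in the same mail, so gateway AV cannot see the .exe inside but the recipient (or an analyst) can. The block below is an added example, not code from this thread or from the ThreatTrack/Dynamoo write-ups. It implements the traditional PKWARE "ZipCrypto" cipher and a minimal ZIP writer so that a lure of this shape can be built offline, then triages a message the way a mail-gateway or sandbox pre-filter would: scrape the password from the body, check the archive's encryption flag, and use the scraped password to read the member's magic bytes without extracting or executing it. The sample body reuses the quoted mail text; the payload is a constructed stand-in for the real SecureMessage_06032013.exe, and the password regex and risky-extension list are assumptions chosen for this example.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# CRC-32 table (polynomial 0xEDB88320): used for the member CRC and by the ZipCrypto key schedule.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE ('ZipCrypto') stream cipher from APPNOTE.TXT section 6.1.
    Cryptographically weak, which does not matter to the spammer: its job is to stop
    gateway AV from seeing the .exe, and the password travels in the same mail."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def _keystream_byte(self) -> int:
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for b in plain:
            out.append(b ^ self._keystream_byte())
            self._update(b)            # the key schedule always advances on the plaintext byte
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for b in cipher:
            p = b ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def build_encrypted_zip(name: str, payload: bytes, password: bytes) -> bytes:
    """Write a one-member, stored, ZipCrypto-encrypted archive that zipfile can open with pwd=."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC's high byte (the password check byte).
    body = ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + payload)
    fname, flags, method = name.encode(), 0x0001, zipfile.ZIP_STORED     # flag bit 0 = encrypted
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method, 0, 0,
                        crc, len(body), len(payload), len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method, 0, 0,
                          crc, len(body), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


PASSWORD_RE = re.compile(r"password\s*[-:]\s+(\S+)", re.IGNORECASE)   # matches "password -  Iu1JsoKaQ"
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")   # assumed list


def triage(body: str, attachment: bytes) -> dict:
    """Flag the 'encrypted ZIP plus its password in the same mail' lure; when the password is
    there, use it to read the member's magic bytes without extracting or executing anything."""
    m = PASSWORD_RE.search(body)
    password = m.group(1).rstrip(".,;") if m else None
    zf = zipfile.ZipFile(io.BytesIO(attachment))
    members = zf.infolist()
    verdict = {
        "password_in_body": password,
        "encrypted": any(i.flag_bits & 0x1 for i in members),     # general-purpose flag bit 0
        "members": [i.filename for i in members],
        "risky_members": [i.filename for i in members if i.filename.lower().endswith(RISKY_EXT)],
        "mz_header": [],
    }
    if verdict["encrypted"] and password:
        for i in members:
            with zf.open(i, pwd=password.encode()) as f:
                if f.read(2) == b"MZ":                     # DOS/PE executable magic
                    verdict["mz_header"].append(i.filename)
    verdict["suspicious"] = bool(verdict["risky_members"] or verdict["mz_header"]
                                 or (verdict["encrypted"] and password))
    return verdict


# Constructed sample modelled on the Fiserv lure quoted above; the payload is a stand-in, not a real PE.
SAMPLE_BODY = ("Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.\n"
               "To decrypt the message use the following password -  Iu1JsoKaQ\n"
               "The message is password-protected, enter your password to open it.\n")
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed stand-in for SecureMessage_06032013.exe"
SAMPLE_ATTACHMENT = build_encrypted_zip("SecureMessage_06032013.exe", SAMPLE_PAYLOAD, b"Iu1JsoKaQ")

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, SAMPLE_ATTACHMENT))
```

The useful verdict is the combination, not either signal alone: an encrypted archive by itself is normal business traffic, and a password in a mail body is not by itself malicious, but "encrypted ZIP + password in the same message + an executable member" is the pattern every one of these campaigns shares. A gateway that scrapes the password as above can detonate the attachment that the AV engine could not scan.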

#953 AplusWebMaster

Posted 05 June 2013 - 09:01 AM

FYI...

Fake Xerox WorkCentre Attachment Spam
- http://threattrack.t...attachment-spam
June 5, 2013 - "Subjects Seen:
    Scanned Image from a Xerox WorkCentre
Typical e-mail details:
    Reply to: Xerox.WorkCentre @[removed]
    Device Name: Not Set
    Device Model: XEROX-2178N
    Location: Not Set
    File Format: PDF (Medium)
    File Name: Xerox_Scan_06-04-2013-466.zip
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format.


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    4renttulsa .com/ponyb/gate.php
    4rentunitedstates .com/ponyb/gate.php
    newsouthdental .com/jENnMd2X.exe
    leclosdelentaille .fr/2Zxq1hZ.exe
    forexwinnersacademy .com/fmy.exe


Malicious File Name and MD5:
    Xerox_Scan_06-04-2013-[removed].zip (e45db46d63330f20ef8c381f6c0d8f1a)
    Xerox_Scan_06-04-2013-[removed].exe (7e4b3aca9a2a86022d50110d5d9498e2)
    fmy.exe (c3c103ebb3ce065b8b62b08fba40483f)

ThreatAnalyzer Report: http://db.tt/yJoSwFM8 [PDF]
199.168.184.198, 82.165.79.64, 69.163.187.171, 216.172.167.17

Screenshot: https://gs1.wac.edge...58Hw1qz4rgp.png
___

Don't like clicking when you won't know where you're going?
- http://urlxray.com/
Find out where shortened URLs lead to without clicking on them
Enter any shortened URL...
___

More Champions Club Community SPAM
- http://blog.dynamoo....unity-spam.html
5 June 2013 - "... the originating IP is 217.174.248.194 [web1-opp2.champions-bounce .co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing .co.uk also on 217.174.248.194 and championsclubcommunity .com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth..."
- http://blog.dynamoo....-community.html
___

Backdoor Wipes MBR, Locks Screen
- http://blog.trendmic...r-locks-screen/
June 5, 2013 - "German users are at risk of having their systems rendered unusable by a malware that we’re seeing being sent via spam messages. This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea. We recently uncovered this noteworthy backdoor as an attached file in certain spam variants. The spam sample we found is in German and forces recipients to pay for a certain debt, the details of which are contained in the attachment. Those who open the attachment are actually tricked into executing the malware, in this instance, a backdoor.
> http://blog.trendmic...tached-file.jpg
Like any backdoor, BKDR_MATSNU.MCB performs certain malicious commands, which include gathering machine-related information and sending it to its command-and-control (C&C) server. However, the backdoor’s most noteworthy feature is its capability to wipe the Master Boot Record (MBR). The wiping of the MBR was recently used in the high-profile (but different) attack against certain South Korean institutions. What makes this routine problematic is that once done, infected systems won’t reboot normally and will leave users with unusable machines. Another command is the backdoor’s capability to lock and unlock a screen. This locking of screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the “ransom”. Ransomware is a malware that locks an infected system’s screen and displays a message, which instructs users to pay for a “ransom” thru certain payment methods... During our testing, BKDR_MATSNU.MCB readily performed the MBR wiping routine. The remote malicious user (via the server) only needs to communicate this command to the backdoor and it can execute this routine immediately. However, this is not the case with the screen locking. BKDR_MATSNU.MCB is likely to download a different module onto the system, which will then lock the screen. As to what routines will be first executed or not is dependent on the remote malicious user. Attackers may opt to lock the screen first then initiate the MBR overwriting or just initiate any of the two. Another possible scenario is that another version of BKDR_MATSNU is integrated with the screen blocking routine, which will make the screen locking command easier to execute... For better protection, users should always be cautious about the email they receive and must not readily open any attachments. If your system is already infected, it is a safer bet to not pay for the “ransom”, as paying does not guarantee anything..."


Edited by AplusWebMaster, 05 June 2013 - 12:25 PM.

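Trend Micro's point above is that an MBR overwrite leaves a machine that "won't reboot normally": the BIOS finds no 0x55AA boot signature and no partition table in sector 0. The block below is an added example, not part of this thread or of Trend Micro's analysis. It is the check a responder or a host-integrity job would run: read the first 512 bytes of the disk, parse the partition table, and compare the sector with a baseline hash recorded when the machine was built, classifying the result as intact, wiped, or modified (still bootable but changed, which is what a bootkit rather than a wiper leaves behind). The sample sector is constructed; the read_first_sector helper and the device paths in its docstring are assumptions for illustration and are not exercised by the sample.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR; the BIOS refuses to boot without it
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries follow the boot code


def parse_partition_table(sector: bytes) -> list:
    """Return the used entries of the MBR partition table."""
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0x00:                       # type 0x00 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of a known-good first sector, recorded when the machine is built."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> dict:
    """Classify sector 0: intact, wiped (unbootable), or modified (bootkit or legitimate change)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    parts = parse_partition_table(sector)
    if baseline_hash(sector) == baseline:
        status = "intact"
    elif not signature_ok or not parts:
        status = "wiped"      # what a MATSNU-style overwrite leaves behind: no signature, no partitions
    else:
        status = "modified"   # still bootable but not what was recorded: inspect the boot code
    return {"status": status, "boot_signature": signature_ok, "partitions": parts}


def read_first_sector(device: str) -> bytes:
    r"""Read sector 0 from a raw device (assumed paths: \\.\PhysicalDrive0 on Windows,
    /dev/sda on Linux). Needs administrator/root rights, so the sample below does not call it."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def make_sample_mbr() -> bytes:
    """Constructed sample: a few boot-code bytes, one bootable NTFS partition, valid signature."""
    boot_code = bytes.fromhex("fa33c08ed0bc007c") + b"\x90" * (PART_TABLE_OFFSET - 8)
    part1 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)   # bootable, type 0x07 (NTFS), LBA 2048
    return boot_code + part1 + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = make_sample_mbr()
    base = baseline_hash(good)
    print(check_mbr(good, base)["status"])                   # intact
    print(check_mbr(b"\x00" * SECTOR_SIZE, base)["status"])  # wiped
```

The baseline hash must be stored off the machine (the wiper runs with enough privilege to rewrite sector 0, so anything on the same disk is not trustworthy), and a "modified" result deserves a look at the boot code before it is written off as a legitimate bootloader update.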

#954 AplusWebMaster

Posted 06 June 2013 - 10:50 AM

FYI...

Fake Innex, Inc SPAM
- http://blog.dynamoo....-fake-spam.html
6 June 2013 - "Innex, Inc is a real company. This spam email message is -not- from Innex, Inc.
    From:     PURCHASING DEPARTMENT [fdmelo @fucsalud .edu.co]
    To:
    Reply-To:     pinky.yu@chanqtjer.com.tw
    Date:     6 June 2013 08:55
    Subject:     Innex, Inc.
    Sir/Madam,
    Our Company is interested in your product, that we saw  in trading site,
    Your early reply is very necessary for further detail specification immediately you receive our email.
    Regards
    Purchasing manager,
    Mr James Vincent ...


Innex is based in California in the US, but the email appears to be from a university in Colombia and solicits replies to an email address in Taiwan. Note as well that the email is very vague about the "product" they are interested in, and the To: field is blank as the recipient list has been suppressed (i.e. it is being sent to multiple recipients). Avoid."
___

rxlogs .net: spam or Joe Job?
- http://blog.dynamoo....or-joe-job.html
6 June 2013 - "I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job**?
    Date:      Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
    From:      Admin [whisis101 @gmail .com]
    Reply-To:      ec2-abuse @amazon .com
    facebook   
    You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
    This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
    If you have any other questions, please visit our Help Center.
    Thanks,
    The Facebook Team


Screenshot: https://lh3.ggpht.co...1600/rxlogs.png

The link in the emails goes to multiple pages on rxlogs .net which as far as I can tell is -not- malware*, but is a blog about online pharmacies. But is it spam? Well, let's dig a little deeper..
Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous additional headers..
The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been -faked- in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs .net is hosted on 107.20.147.122 which is an Amazon IP... I believe this is a Joe Job and not a "genuine" spam run, and rxlogs .net is simply another victim of the bad guys."
* http://urlquery.net/....php?id=2919241

** http://searchsecurit...inition/Joe-job
___

Fake NatPay SPAM / usforclosedhomes .net
- http://blog.dynamoo....ation-spam.html
6 Jun 2013 - "This fake NatPay spam leads to malware on usforclosedhomes .net.
Version 1:
    Date:      Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
    From:      National Payment Automated Reports System [dunks @services .natpaymail .net]
    Subject:      Transmission Confirmation ~26306682~N25BHHL1~
    Transmission Verification    
    Contact Us
    To:    
    NPC Account # 26306682
    Xavier Reed
    Re:    
    NPC Account # 26306682
    D & - D5
    Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
    Batch Number       408
    Batch Description       VENDOR PAY
    Number of Dollar Entries       2
    Number of Prenotes       0
    Total Deposit Amount       $3,848.19
    Total Withdraw Amount      $3,848.19
    Batch Confirmation Number      50983
    Date Transmitted      Thursday, June 06, 2013 ...
---
Version 2:
    Date:      Thu, 6 Jun 2013 09:59:06 -0500
    From:      National Payment Automated Reports System [lemuel @emalsrv.natpaymail .com]
    Subject:      Transmission Confirmation ~10968697~607MPYRC~
    Transmission Verification    
    Contact Us
    To:        NPC Account # 10968697
    Benjamin Turner
    Re:        NPC Account # 10968697
    D & - MN
    Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
    Batch Number     219
    Batch Description     VENDOR PAY
    Number of Dollar Entries     2
    Number of Prenotes     0
    Total Deposit Amount     $2,549.12
    Total Withdraw Amount     $2,549.12
    Batch Confirmation Number     24035 ...


The malicious payload is on [donotclick]usforclosedhomes .net/news/walls_autumns-serial.php (report here*) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)
The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.
Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
..."
* http://urlquery.net/....php?id=2926577
___

USPS Package Pickup Spam
- http://threattrack.t...age-pickup-spam
June 6, 2013 - "Subjects Seen:
    USPS - Your package is available for pickup ( Parcel [removed])
Typical e-mail details:
    We attempted to deliver your item at 6 Jun 2013.
    Courier service could not make the delivery of your parcel.
    Status Deny / Invalid ZIP Code.
    If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
    Label/Receipt Number: [removed]
    Expected Delivery Date: Jun 6, 2013
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office...


Malicious URLs
    michaelscigars .net/ponyb/gate.php
    montverdestore .com/ponyb/gate.php
    errezeta .biz/ToSN79T.exe
    190.147.81.28 /yqRSQ.exe
    207.204.5.170 /PXVYGJx.exe
    archeting .it/86zP.exe


Screenshot: https://gs1.wac.edge...VIUE1qz4rgp.png
___

Global $200M credit card hacking ring busted
- http://www.reuters.c...E95419G20130605
Jun 5, 2013 - "Eleven people in the United States, the UK and Vietnam have been arrested and accused of running a $200 million worldwide credit card fraud ring, U.S. and UK law enforcement officials said... Federal prosecutors in New Jersey said they had filed charges against a 23-year-old man from Vietnam... authorities in Vietnam had arrested Duy Hai Truong on May 29 in an effort to break up a ring he is accused of running with co-conspirators, who were not named in the statement... The arrests come as law enforcement officials around the world are cracking down on Internet-related heists. Two weeks ago, authorities raided Liberty Reserve, a Costa Rica-based company that provided a virtual currency system used frequently by criminals to move money around the world without using the traditional banking system. Earlier last month, authorities arrested seven people involved in a $45 million heist in which hackers removed limits on prepaid debit cards and used ATM withdrawals to drain cash from two Middle Eastern banks... the charges were filed in New Jersey's federal court because some of the victims of the scheme are residents of the state. Prosecutors claim Truong and accomplices stole information related to more than a million credit cards and resold it to criminal customers... According to the complaint, Truong hacked into websites that sold goods and services over the Internet and collected personal credit card information from the sites' customers. "The victims' credit cards incurred, cumulatively, more than $200 million in fraudulent charges," the complaint said..."
- http://www.soca.gov....minal-web-forum


Edited by AplusWebMaster, 06 June 2013 - 03:07 PM.


#955 AplusWebMaster

Posted 07 June 2013 - 07:42 AM

FYI...

Malware sites to block 7/6/13
- http://blog.dynamoo....block-7613.html
7 June 2013 - "Two IPs that look related: the first is 37.235.48.185 (Edis, Poland or Austria) which hosts some domains that are also found here** (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:
faggyppvers5 .info
finger2 .climaoluhip.org
linkstoads .net
node1.hostingstatics .org
node2.hostingstatics .org
Injecting some of the same sites as the domains on the above IPs is jstoredirect .net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect .net was online it managed to infect over 1500 sites*.
Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb .com
netstoragehost .com
connecthostad .net
climaoluhip .org
hostingstatics .org
systemnetworkscripts .org
numstatus .com
linkstoads .net
faggyppvers5 .info
jstoredirect .net
..."
* http://www.google.co...storedirect.net

** http://blog.dynamoo....521296-and.html
___

Fake USPS SPAM / USPS_Label_861337597092.zip
- http://blog.dynamoo....7597092zip.html
6 June 2013 - "This fake USPS spam contains a malicious attachment:
    Date:      Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
    From:      USPS Express Services [service-notification @usps .com]
    Subject:      USPS - Your package is available for pickup ( Parcel 861337597092 )
    Postal Notification,
    We attempted to deliver your item at 6 Jun 2013.
    Courier service could not make the delivery of your parcel.
    Status Deny / Invalid ZIP Code.
    If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
    Label/Receipt Number: 861337597092
    Expected Delivery Date: Jun 6, 2013
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Thank you,
    © 2013 Copyright© 2013 USPS. All Rights Reserved.
    *** This is an automatically generated email, please do not reply ...


There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47*. The Comodo CAMAS report** shows an attempt to download more components from michaelscigarbar .net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery shows a very large amount of malware activity on that IP, mostly apparently running on legitimate -hacked- domains. You should probably treat all of the following domains as hostile:
alliancelittleaviators .com
apparelacademy .com
apparelacademy .net
brokerforcolorado .com
carlaellisproperties .com
dragoncigars .net
heavenlycigars .net
libertychristianstore .com
michaelscigarbar .com
michaelscigarbar .net
michaelscigars .net
montverdestore .com
montverdestore .net
montverdestore .org
..."

* https://www.virustot...sis/1370549956/
File name: USPS_Label_06062013.exe
Detection ratio: 18/47
Analysis date:     2013-06-06
** http://camas.comodo....fb2b4cf553ab695

*** http://urlquery.net/...13-06-06&max=50
___

Better Business Bureau Compliant Spam
- http://threattrack.t...-compliant-spam
7 June 2013 - "Subjects Seen:
    BBB Appeal [removed]
Typical e-mail details:
    The Better Business Bureau has been booked the above mentioned grievance from one of your users in respect to their dealings with you. The detailed description of the consumer’s trouble are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
    We graciously ask you to overview the CLAIM REPORT to answer on this plaint.
    We awaits to your prompt answer.
    WBR
    Ryan Myers
    Dispute Advisor


Malicious URLs
    amapi .com .br/bbb.html
    pnpnews .net/news/readers-sections.php?hvv=rvjzzloo&jnjpe=thpe
    pnpnews .net/news/readers-sections.php?yf=1i:1f:32:33:2v&re=1n:2w:1n:1g:30:1f:1o:1n:1i:2v&u=1f&br=b&sd=c&jopa=5698723


Screenshot: https://gs1.wac.edge...rpWf1qz4rgp.png

- http://blog.dynamoo....pnpnewsnet.html
7 June 2013 - "This fake BBB spam leads to malware on pnpnews .net:
    From: Better Business Bureau [mailto:standoffzwk68 @clients.bbb .com]
    Sent: 07 June 2013 15:08
    Subject: BBB information regarding your customer's pretension No. 00167486
    Better Business Bureau ©
    Start With Trust ©
    Fri, 7 Jun 2013
    RE: Complaint No. 00167486
    [redacted]
    The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
    We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
    We awaits to your prompt answer.
    Faithfully yours
    Jonathan Edwards
    Dispute Advisor
    Better Business Bureau ...


Screenshot: https://lh3.ggpht.co...iQ/s400/bbb.png

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews .net/news/readers-sections.php (report here*) hosted on:
46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago
Blocklist:
46.18.160.86
93.89.235.13
178.16.216.66
186.215.126.52
190.93.23.10
..."
* http://urlquery.net/....php?id=2944992
... Detected BlackHole v2.0 exploit kit URL pattern ...
___

Fake American Express PAYVE Remit Spam
- http://threattrack.t...ayve-remit-spam
June 7, 2013 - "Subjects Seen:
    PAYVE - Remit file
Typical e-mail details:
    A payment(s) to your company has been processed through the American Express Payment Network.
    The remittance details for the payment(s) are attached ([removed].zip).
       -   The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
       -   The funds associated with this payment will be deposited into your bank account according to the  terms of your American Express merchant agreement and may be combined with other American Express deposits. For additional information about Deposits, Fees, or your American Express merchant agreement:
           Contact American Express Merchant Services at 1-800-528-0933 Monday to Friday, 8:00 AM to 8:00 PM ET.
       -  You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services. If you are not enrolled in My Merchant Account/OMS, you can do so at americanexpress .com/mymerchantaccount or call us at 1-866-220-7374, Monday - Friday between 9:00 AM-7:30 PM ET, and we’ll be glad to help you.
          For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
    This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express...


Malicious URLs
    storeyourbox .net/ponyb/gate.php
    storeyourthings .net/ponyb/gate.php
    drjoycethomasderm .com/ponyb/gate.php
    errezeta .biz/ToSN79T.exe
    190.147.81.28 /yqRSQ.exe
    207.204.5.170 /PXVYGJx.exe
    archeting .it/86zP.exe


Screenshot: https://gs1.wac.edge...Pc6a1qz4rgp.png

- http://blog.dynamoo....-file-spam.html
7 June 2013 - "This fake American Express Payment Network spam has a malicious attachment.
    Date:      Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
    From:      "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
    Subject:      PAYVE - Remit file ...


Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46* anti-virus scanners detect it.
The Comodo CAMAS report*** gives some details about the malware, including the following checksums:
MD5    fd18576bd4cf1baa8178ff4a2bef0849
SHA1    8b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256    f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875
The malware attempts to download further components from storeyourbox .com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been -badly- compromised**. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:
drjoycethomasderm .com
goodvaluemove .com
jacksonmoving .com
jacksonmoving .net
napervillie-movers .com
reebie .net
storageandmoving .net
storeyourbox .com
storeyourbox .net
storeyourthings .net
"
* https://www.virustot...sis/1370627576/
File name: CD06072013.239871839.exe
Detection ratio: 8/46
Analysis date:     2013-06-07
** https://www.virustot...39/information/

***  http://camas.comodo....5bb33d5e27d6875
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 07 June 2013 - 01:57 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
.

#956 AplusWebMaster


Posted 10 June 2013 - 02:48 PM

FYI...

Fake Wells Fargo - attachment Spam
- http://threattrack.t...attachment-spam
June 19, 2013 - "Subjects Seen:
    IMPORTANT - WellsFargo
Typical e-mail details:
    Please check attached documents.
    Michael_Kane
    Wells Fargo Advisors
    817-563-5247 office
    817-368-5170 cell [removed]
    ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
    To unsubscribe from marketing e-mails from:
    ·         An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
    ·         Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
    Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
    For additional information regarding our electronic communication policies, visit wellsfargoadvisors.com/disclosures/email-disclosure.html .
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


Malicious URLs


Malicious File Name and MD5:
    WellsFargo.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
    Important WellsFargo Docs.exe (47e739106c24fbf52ed3b8fd01dc3668)

Screenshot: https://gs1.wac.edge...L1ca1qz4rgp.png

- http://blog.dynamoo....wellsfargo.html
10 June 2013 - "This fake Wells Fargo spam run comes with one of two malicious attachments:
    Date:      Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
    From:           Anthony_Starr @wellsfargo .com
    Subject:      IMPORTANT - WellsFargo
    Please check attached documents.
    Anthony_Starr
    Wells Fargo Advisors
    817-563-9816 office
    817-368-5471 cell Anthony_Starr@wellsfargo.com
    ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
    To unsubscribe from marketing e-mails from:
    ·         An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
    e-mails and type “Unsubscribe” in the subject line.
    ·         Wells Fargo and its affiliates: Unsubscribe at
    www.wellsfargoadvisors.com/unsubscribe. Neither of these actions will affect delivery of
    important service messages regarding your accounts that we may need to send you or
    preferences you may have previously set for other e-mail services.
    For additional information regarding our electronic communication policies, visit

    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be -two- variants.
One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47* (yup.. none at all). The Comodo CAMAS report** gives the following checksums..
Name    Value
Size    94720
MD5    70e604777a66980bcc751dcb00eafee5
SHA1    52ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256    f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
..it identifies that this version of the malware attempts to download additional components from mceneryfinancial .com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php)... ThreatTrack has a more detailed report*** which also identifies callbacks to www.errezeta .biz and ftp.myfxpips .com. ThreatExpert has a slightly different report (1) and further identifies megmcenery .com, taxfreeincomenow .com, taxfreeincomenow .info and 207.204.5.170 (Linode, US). The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46 (2). Comodo CAMAS reports (3) the following file characteristics..
Name    Value
Size    114176
MD5    47e739106c24fbf52ed3b8fd01dc3668
SHA1    b85b4295d23c912f9446a81fd605576803a29e53
SHA256    2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b
..in this case the pony download contacts hraforbiz .com (also on 173.255.213.171). Other analyses are pending. Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised(4). 173.254.68.134 (5) (Unified Layer, US) and 207.204.5.170 (6) (Register .com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been -hacked- in some way, I would expect them to be cleaned up at some point in the future. Putting all these IPs and domains together gives a recommended blocklist:
173.254.68.134
173.255.213.171
207.204.5.170
62.149.131.162
..."
(More listed at the dynamoo URL above.)
* https://www.virustot...sis/1370888138/
File name: Important WellsFargo Doc.exe
Detection ratio: 0/47
Analysis date:     2013-06-10
** http://camas.comodo....2c16d6db3b8adae
*** http://www.dynamoo.c...dcb00eafee5.pdf
1) http://www.threatexp...c751dcb00eafee5
2) https://www.virustot...sis/1370888252/
File name: Important WellsFargo Docs.exe
Detection ratio: 11/46
Analysis date:     2013-06-10
3) http://camas.comodo....2c16d6db3b8adae
4) https://www.virustot...62/information/
5) https://www.virustot...34/information/
6) https://www.virustot...70/information/
___

- http://tools.cisco.c...Outbreak.x?i=77
E-mail Messages with Malicious Attachments - 2013 Jun 10
Fake Deposit Transfer Confirmation Notification E-mail Messages - 2013 Jun 10
Fake Documents Attachment Email Messages - 2013 Jun 10
Malicious Attachment Email Messages - 2013 Jun 10
Fake Bill Payment Notification Email Messages - 2013 Jun 10
Fake Legal Assistance Inquiry E-mail Messages - 2013 Jun 10
Fake Products Advertisement E-mail Messages - 2013 Jun 10
Fake FedEx Shipment Notification E-mail Messages - 2013 Jun 10
Fake Xerox Scan Attachment Email Messages - 2013 Jun 10
Fake Gift Voucher Redemption Email Messages - 2013 Jun 10
Fake Deposit Statement Notification E-mail Messages - 2013 Jun 10
(More detail and links at the cisco URL above.)
 

:grrr: :ph34r:


Edited by AplusWebMaster, 11 June 2013 - 06:21 AM.


#957 AplusWebMaster


Posted 11 June 2013 - 08:53 AM

FYI...

Fake Fax Transmission emails lead to malware
- http://blog.webroot....ead-to-malware/
June 11, 2013 - "Have you sent an eFax recently? Watch out for an ongoing malicious spam campaign that tries to convince you that there’s been an unsuccessful fax transmission. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet of the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....engineering.png
Detection rate for the malicious attachment: MD5: 66140a32d7d8047ea93de0a4a419880b * ... UDS:DangerousObject.Multi.Generic... phones back to the following C&C server ... lukafalls .com/banners/index.php – 95.154.254.17, as well as to the following C&C IPs: ..."
(More detail at the webroot URL above.)
* https://www.virustot...22f68/analysis/
File name: Fax details and transmission_report.doc.exe
Detection ratio: 31/47
Analysis date:     2013-06-10
___

Self-propagating ZBOT malware ...
- http://blog.trendmic...alware-spotted/
June 10, 2013 - "... we have spotted a new ZBOT variant that can spread on its own. This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:
> http://blog.trendmic...13/06/zbot1.jpg
... error message upon execution of the malicious PDF file
While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear. First of all, WORM_ZBOT.GJ has an autoupdate routine: it can download and run an updated copy of itself. Secondly, however, it can spread onto other systems via removable drives, like USB thumb drives. It does this by searching for removable drives and then creating a hidden folder with a copy of itself inside this folder, and a shortcut pointing to the hidden ZBOT copy.
> http://blog.trendmic...bot-BD-JPEG.jpg
... Portion of WORM_ZBOT.GJ code creating copy of itself
This kind of propagation by ZBOT is unusual... ZBOT malware is usually distributed by exploit kits and/or malicious attachments..."

- https://net-security...ews.php?id=2515
June 11, 2013 - "The Zeus / Zbot Trojan has been around since 2007, and it and its variants continued to perform MitM attacks, log keystrokes and grab information entered in online forms. It is usually spread via exploit kits (drive-by-downloads), phishing schemes, and social media..."
___

Washington Free Beacon compromised to serve up Malware
- http://www.invincea....rve-up-malware/
UPDATE 10:02 a.m. 6/11 – "Repeated attempts to reach the Beacon have been unsuccessful. We have not seen reinfection in subsequent visits but it is hard to know without navigating every page...
WARNING: Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but have not confirmed nor responded... an article from The Washington Free Beacon on the breaking NSA Leaks story (freebeacon[.]com/nsa-leaker-surfaces-in-hong-kong/) linked to by the Drudge report has been compromising readers with a Java-based exploit kit* ... patching Java to the latest version (if you can) may be your only (temporary) protection..."
- http://www.invincea..../uploads/27.png
(More detail at the invincea URL above.)
* https://www.virustot...sis/1370873028/
File name: 1.jar
Detection ratio: 3/47
Analysis date:     2013-06-10
___

Something evil on 173.255.213.171
- http://blog.dynamoo....3255213171.html
11 June 2013 - "As a follow-up to this post*, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of -hijacked- GoDaddy-registered domains that are serving an exploit kit [1] [2]... block 173.255.213.171 ..."
* http://blog.dynamoo....wellsfargo.html

1) https://www.virustot...71/information/

2) http://urlquery.net/...13-06-11&max=50
___

CitiBank Secure Message Spam
- http://threattrack.t...re-message-spam
June 11, 2013 - "Subjects Seen:
    (SECURE)Electronic Account Statement [removed]
Typical e-mail details:
You have received a Secure PDF message from the CitiSecure Messaging Server.
    Open the PDF file attached to this notification. When prompted, enter your Secure PDF password to view the message contents.
    To reply to this message in a secure manner, it is important that you use the Reply link inside the Secure PDF file. This will ensure that any confidential information is sent back securely to the sender.
    Help is available 24 hours a day by calling 1-866-535-2504 or 1-904-954-6181 or by email at secure.emailhelp @citi .com
    Please note: Adobe Reader version 7 or above is required to view all SecurePDF messages.


Malicious URLs


Malicious File Name and MD5:
    Secure.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
    secure.pdf.exe (4209430a3393287d5e28def88e43b93b)

ThreatAnalyzer Report: http://db.tt/RtlUb5Vs [PDF]

Screenshot: https://gs1.wac.edge...S8e01qz4rgp.png
___

Amazon Order Notification Spam
- http://threattrack.t...tification-spam
June 11, 2013 - "Subjects Seen:
    Payment for Your Amazon Order # [removed]
Typical e-mail details:
    We’re writing to let you know that we are having difficulty processing your payment for the above transaction.  To protect your security and privacy, your issuing bank cannot provide us with
    information regarding why your credit card was declined.
    However, we suggest that you double-check the billing address, expiration date and cardholder name
    that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no
    need to place a new order as we  will automatically  try your credit card again.
    There are a few steps you can take to make the process faster:
    1. Verify the payment information for this order is correct (expiration date, billing address, etc).
   You can update your account and billing information at :
    amazon .com/gp/css/summary/edit.html?ie=UTF8&orderID=[removed]
    2. Contact your issuing bank using the number on the back of your card to learn more about their
    policies. Some issuers put restrictions on using credit cards for electronic or internet
    purchases.  Please have the exact dollar amount and details of this purchase when you call the
    bank.  If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash
    from authorized resellers at a store near you. Visit amazon.com/cashgcresellers to learn
    more.
    Thank you for shopping at Amazon.com.  Sincerely, Amazon.com Customer Service


Malicious URLs


Screenshot: https://gs1.wac.edge...3ZjB1qz4rgp.png

- http://blog.dynamoo....invaultcom.html
June 11, 2013 - "This fake Amazon.com spam leads to malware on goldcoinvault .com:
Date:      Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:      "Amazon.com Customer Care Service" [payments-update @amazon .com]
Subject:      Payment for Your Amazon Order # 104-884-8180383
Regarding Your Amazon.com Order
Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86 ...


The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent .com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar .com/piggybacks/rejoiced.js
[donotclick]nteshop .es/tsingtao/flanneling.js
..from there it hits the main malware payload site at [donotclick]goldcoinvault .com/news/pictures_hints_causes.php (report here*) hosted on goldcoinvault .com which is a hacked GoDaddy domain -hijacked- to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here** and here***, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good..."
* http://urlquery.net/....php?id=3054553

** http://blog.dynamoo....3255213171.html

*** http://blog.dynamoo....wellsfargo.html
 

:ph34r: :grrr:


Edited by AplusWebMaster, 11 June 2013 - 09:32 PM.


#958 AplusWebMaster


Posted 12 June 2013 - 07:49 AM

FYI...

Casino PUA software SPAM ...
- http://blog.webroot....o-w32casonline/
June 12, 2013 - "Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue, potentially unwanted (PUAs) casino software. Most commonly known as W32/Casonline, this scam earns revenue through the rogue online gambling software’s affiliate network... (multiple screenshots at the URL above)... Spamvertised URLs:
... (multiple) MD5s... have also phoned back to the same IP (213.52.252.59)... (Low detection rates per Virustotal - links at the webroot URL above)...
We advise users to avoid interacting with any kind of content distributed through spam messages, especially clicking on any of the links found in such emails...."
___

Fake BBB SPAM / trleaart .net
- http://blog.dynamoo....rleaartnet.html
12 June 2013 - "This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart .net:
    From: Better Business Bureau [mailto:rivuletsjb72 @bbbemail .org]
    Sent: 11 June 2013 18:04
    Subject: Better Business Beareau Complaint № S3452568
    Importance: High
    Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
    Better Business Bureau ©
    Start With Trust
    Tue , 11 Jun 2013
    Issue N. S3452568
    The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
    We amiably ask you to open the PLAINT REPORT to answer on this claim.
    We awaits to your prompt response.
    Faithfully yours
    Daniel Cox
    Dispute Advisor...
    Better Business Bureau...


Screenshot: https://lh3.ggpht.co...c/s400/bbb2.png

The link goes through a legitimate -hacked- site and ends up with a malware landing page on [donotclick]trleaart .net/news/members_guarantee.php (report here*) hosted on the following IPs:
160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
This network of evil sites is rather large... in the meantime here is a partial blocklist:
160.75.169.49
186.215.126.52
190.93.23.10
193.254.231.51
..."
* http://urlquery.net/....php?id=3067317
___

Malware sites to block 12/6/13
- http://blog.dynamoo....lock-12613.html
12 June 2013 - "This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway..."
(LONG list at the dynamoo URL above - includes "Plain IPlist for copy-and-pasting".)
___

Fake "Activation Needed" emails...
- http://security.intu.../alert.php?a=82
6/11/13 - "People are receiving -fake- emails with the title "Important Activation Needed."
Below is a copy of part of the email people are receiving:
Screenshot: http://security.intu...s/importact.jpg
... This is the end of the -fake- email.
Steps to Take Now
    Do not open the attachment in the email...
    Delete the email..."
___

GAMARUE malware uses Sourceforge to host files
- http://blog.trendmic...-to-host-files/
June 11, 2013 - "In our monitoring of the GAMARUE malware family, we found a variant that used the online code repository SourceForge to host malicious files... SourceForge is a leading code repository for many open-source projects, which gives developers a free site that allows them to host and manage their projects online. It is currently home to more than 324,000 projects and serves more than 4 million downloads a day... GAMARUE malware poses a serious risk to users; attackers are able to gain complete control of a system and use it to launch attacks on other systems, as well as stealing information. Among the most common ways it reaches user systems are: infected removable drives, or the user has visited sites compromised with the Blackhole Exploit Kit. This attack is made up of four files. The first is a shortcut, which appears to be a shortcut to an external drive.  (This is detected as LNK_GAMARUE.RMA.) Instead of a drive, however, it points to a .COM file (detected as TROJ_GAMARUE.LMG)...
> http://blog.trendmic...aruediagram.png
GAMARUE Infection Chain
Once the executable file is decrypted, it downloads updates to itself, as well as malicious files from a SourceForge project. In effect, it uses SourceForge to unwittingly host malicious files... The malicious files in the above example were hosted under the tradingfiles project. The same user created two more projects that were also used to host malicious GAMARUE files: ldjfdkladf and stanteam. New files were uploaded in these projects from June 1 onwards..."

- https://net-security...ews.php?id=2517
June 12, 2013 - "... the infection with a variant of the information-stealing Gamarue starts with a shortcut file to an external file, and ends with malicious files being downloaded from one of three (obviously bogus) Sourceforge projects: "tradingfiles," "stanteam," and "ldjfdkladf". The first two have already been deleted, and the third one emptied of all files. The account of the user who created them has been deleted (whether or not by Sourceforge or the user it's impossible to tell), but according to the researchers new files were uploaded into these projects from June 1 onwards..."
___

Fake Xerox WorkCentre Spam
- http://threattrack.t...workcentre-spam
June 12, 2013 - "Subjects Seen:
    Scan from a Xerox WorkCentre
Typical e-mail details:
    Please download the document.  It was scanned and sent to you using a Xerox multifunction device.
    File Type: pdf
    Download: Scanned from a Xerox multi~3.pdf
    multifunction device Location: machine location not set
    Device Name: Xerox6592
    For more information on Xerox products and solutions, please visit xerox .com


Malicious URLs


Malicious File Name and MD5:
    Scan_<random>.zip (0375c95289fc0e2dd94b63c105c24373)
    Scan_<random> (8fcba93b00dba3d182b1228b529d3c9e)

Screenshot: https://gs1.wac.edge...uzKT1qz4rgp.png

- http://blog.dynamoo....entre-spam.html
12 June 2013 - "This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:
    Date:      Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
    From:      Xerox WorkCentre [Xerox.Device9@victimdomain.com]
    Subject:      Scan from a Xerox WorkCentre
    Please download the document.  It was scanned and sent to you using a Xerox multifunction device.
    File Type: pdf
    Download: Scanned from a Xerox multi~3.pdf
    multifunction device Location: machine location not set
    Device Name: Xerox2023


Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different. VirusTotal results are 23/47* which is typically patchy. Comodo CAMAS reports** that the malware attempts to phone home to forum.xcpus .com on 71.19.227.135 and has the following checksums:
MD5    8fcba93b00dba3d182b1228b529d3c9e
SHA1    54f02f3f1d6954f98e14a9cee62787387e5b072c
SHA256    544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c
... the ThreatTrack report [pdf]*** is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:
..."
* https://www.virustot...sis/1371077066/
File name: Scan_06122013_29911.exe
Detection ratio: 23/47
Analysis date:     2013-06-12
** http://camas.comodo....f753dd30e39da0c

*** http://www.dynamoo.c...28b529d3c9e.pdf
___

Fake "'Anonymous' sent you a payment" emails...
- http://security.intu.../alert.php?a=83
6/12/13 - "People are receiving fake emails with the title "X sent you a payment (where X is a person's name)." Below is a copy of the email people are receiving:
Screenshot: http://security.intu...mentnetwork.jpg
This is the end of the fake email.
Steps to Take Now
    Do -not- open the attachment in the email...
    Delete the email..."
___

Fake Fedex SPAM / oxfordxtg .net
- http://blog.dynamoo....fordxtgnet.html
12 June 2013 - "This fake FedEx spam leads to malware on oxfordxtg .net:
   Date:      Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
    From:      FedEx [wringsn052 @emc.fedex .com]
    Subject:      Your Fedex invoice is ready to be paid now.
    FedEx®     FedEx Billing Online - Ready for Payment
            fedex.com        
    Hello [redacted]
    You have a new outstanding invoice(s) from FedEx that is ready for payment.
    The following ivoice(s) are to be paid now :
    Invoice Number
     5135-13792
    Thank you,
    Revenue Services
    FedEx...


Screenshot: https://lh3.ggpht.co...s1600/fedex.png

The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg .net/news/absence_modern-doe_byte.php (report here*) hosted on:
124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)
The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites** as well.
124.42.68.12
190.93.23.10
..."
* http://urlquery.net/....php?id=3082461

** http://blog.dynamoo....lock-12613.html
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 12 June 2013 - 06:38 PM.

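The removable-drive propagation described for WORM_ZBOT.GJ (a hidden folder holding the copy, plus a lure shortcut pointing into it) and the GAMARUE drive-lookalike shortcut above leave the same trace on the drive: a root-level .lnk whose target resolves into a hidden folder or straight to an executable. The following is an added example, not code from the Trend Micro posts or from this thread: a Python checker that parses the .lnk files in a drive root (MS-SHLLINK header, LinkInfo and StringData) and reports such shortcuts; build_lnk only manufactures constructed test input, and every folder and file name in it is a placeholder.

```python
import os
import struct
import uuid
from pathlib import PureWindowsPath

# Shell Link constants (MS-SHLLINK). The CLSID is the fixed value every .lnk carries.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_HIDDEN = 0x02                      # bit in Windows st_file_attributes
EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def parse_lnk(data):
    """Decode the parts of a .lnk blob a lure-shortcut check needs: the LinkInfo
    LocalBasePath plus the StringData fields (relative path, arguments, ...)."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = None
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x01:                     # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + base_off)
            local_base_path = data[pos + base_off:end].decode("cp1252", "replace")
        pos += info_size
    out = {"local_base_path": local_base_path}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:                           # StringData blocks come in this order
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += width * count
    return out


def lure_shortcut_reason(lnk_data, hidden_dirs):
    """Return why a shortcut looks like a removable-drive lure, or None.
    hidden_dirs: absolute Windows paths of hidden folders found on the same drive."""
    info = parse_lnk(lnk_data)
    target = PureWindowsPath(info["local_base_path"] or info.get("relative_path") or "")
    if not target.name:
        return None
    for h in hidden_dirs:                         # PureWindowsPath compares case-insensitively
        if PureWindowsPath(h) in target.parents:
            return f"target {target} is inside hidden folder {h}"
    if target.suffix.lower() in EXEC_SUFFIXES:
        return f"target {target.name} is an executable ({target.suffix})"
    return None


def scan_drive_root(root):
    """Scan a mounted drive's root folder: collect hidden sub-folders (Windows attribute;
    elsewhere nothing counts as hidden) and report each root-level .lnk that matches."""
    hidden = [e.path for e in os.scandir(root) if e.is_dir()
              and getattr(e.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN]
    findings = []
    for e in os.scandir(root):
        if e.is_file() and e.name.lower().endswith(".lnk"):
            with open(e.path, "rb") as f:
                data = f.read()
            try:
                reason = lure_shortcut_reason(data, hidden)
            except ValueError:
                reason = "has a .lnk extension but is not a shell link"
            if reason:
                findings.append((e.path, reason))
    return findings


def build_lnk(local_base_path, arguments=""):
    """Construct a minimal valid .lnk blob as test input (not a real malware sample):
    header + LinkInfo (VolumeID + LocalBasePath) + unicode RELATIVE_PATH/ARGUMENTS."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    base = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 2, 0, 16) + b"\x00"   # DRIVE_REMOVABLE, empty label
    info_size = 0x1C + len(volume_id) + len(base) + 1
    link_info = struct.pack("<IIIIIII", info_size, 0x1C, 1, 0x1C, 0x1C + len(volume_id),
                            0, info_size - 1) + volume_id + base + b"\x00"

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    relative = "." + local_base_path.split(":", 1)[-1]         # e.g. .\hidden\copy.exe
    return header + link_info + string_data(relative) + (string_data(arguments) if arguments else b"")
```

Run scan_drive_root against the root of a mounted removable drive on Windows; on other platforms only the executable-target rule fires, since the hidden attribute is not available.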

#959 AplusWebMaster


Posted 13 June 2013 - 04:55 PM

FYI...

Fake eFax Corporate SPAM...
- http://threattrack.t...-corporate-spam
June 13, 2013 - "Subjects Seen:
    Corporate eFax message from “unknown” - 4 page(s)
Typical e-mail details:
    You have received a 4 page fax at 2013-06-10 11:52:46 EST.
    * The reference number for this fax [removed] .
    Please visit efaxcorporate .com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail .efax .com.
    Thank you for using the eFax Corporate service!


Malicious URLs
    50.63.46.110 /erected/index.html
    74.91.143.180 /frosting/index.html
    weedguardplus .net/news/pictures_hints_causes.php


Screenshot: https://gs1.wac.edge...xZRg1qz4rgp.png
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Jun 13
Fake Secure Message Notification Email Messages - 2013 Jun 13
Malicious Attachment Email Messages - 2013 Jun 13
Fake Product Order Quotation E-mail Messages - 2013 Jun 13
Fake Money Transfer Notification E-mail Messages - 2013 Jun 13
Fake Product Order E-mail Messages - 2013 Jun 13
Fake Bill Payment Notification Email Messages - 2013 Jun 13
Fake Bill Payment Notification Email Messages - 2013 Jun 13
Fake Bank Payment Request Notification E-mail Messages - 2013 Jun 13
(More detail and links at the cisco URL above.)
 

:grrr: :ph34r:


Edited by AplusWebMaster, 13 June 2013 - 06:15 PM.


#960 AplusWebMaster


Posted 14 June 2013 - 10:26 AM

FYI...

Fake LinkedIn SPAM...
- http://threattrack.t...invitation-spam
June 14, 2013 - "Subjects Seen:
   Invitation to connect on LinkedIn
Typical e-mail details:
    Hattie Fitzgerald, wants to connect with you on LinkedIn.

Malicious URLs
    50.63.46.110 /jotted/index.html
    audio-mastering-music .com/news/pictures_hints_causes.php?jnlp=bd187af1d0
    audio-mastering-music .com/news/pictures_hints_causes.php?rwiezly=qzxqjh&rzvaax=abldjf
    audio-mastering-music .com/news/pictures_hints_causes.php?pf=2w:1l:1n:1f:1j&ze=2w:31:1g:1n:1m:2v:33:1g:31:1f&x=1f&xu=s&ma=o&jopa=1715713


Screenshot: https://gs1.wac.edge...iIOr1qz4rgp.png
___

Fake UPS Package Pickup Spam
- http://threattrack.t...age-pickup-spam
June 14, 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


Malicious URLs


Malicious File Name and MD5:
    UPS_Label_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
    UPS-Label_Parcel_<random>.exe (bc48d3e736c66f577636ed486a990eeb)

Screenshot: https://gs1.wac.edge...ZKRF1qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 14 June 2013 - 11:35 AM.


#961 AplusWebMaster


Posted 17 June 2013 - 07:35 AM

FYI...

Something evil on 85.214.64.153
- http://blog.dynamoo....8521464153.html
17 June 2013 - "85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example*) which is being injected into -hacked- websites (specifically, malicious code is being appended to legitimate .js files on those sites)... Dynamic DNS domains are being abused in this attack... These sites are mostly flagged as malicious by Google, you can see some indicators of badness here** and here***..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=3112582

** https://www.virustot...53/information/

*** http://urlquery.net/...13-06-17&max=50

Diagnostic page for AS6724 (STRATO)
- https://www.google.c...ic?site=AS:6724
"... over the past 90 days, 7173 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-17, and the last time suspicious content was found was on 2013-06-17... we found 909 site(s) on this network... that appeared to function as intermediaries for the infection of 7496 other site(s)... We found 1434 site(s)... that infected 14549 other site(s)..."
___

Account takeover attempts nearly double ...
- https://net-security...ld.php?id=15077
17 June 2013 - "ThreatMetrix* announced its Cybercrime Index, a series of Web fraud data aggregated from 1,500 customers, 9,000 websites and more than 1.7 billion cyber events. In a recent six-month snapshot ending March 31, ThreatMetrix determined that attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud...
> http://www.threatmet...ime-Index1.jpeg
Based on data taken from October 2012 through March 2013, they saw account takeover attempts nearly double (168%). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and SaaS companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites..."
* http://www.threatmet...-over-6-months/
___

Rogue ads target EU users - Win32/Toolbar.SearchSuite through the KingTranslate PUA
- http://blog.webroot....gtranslate-pua/
June 17, 2013 - "... Tens of thousands of socially engineered European ads, who continue getting exposed to the rogue ads served through Yieldmanager’s network, are promoting more Potentially Unwanted Applications (PUAs) courtesy of Bandoo Media Inc and their subsidiary Koyote-Lab Inc...
Sample screenshots of the rogue KingTranslate PUA landing/download page:
1) https://webrootblog....png?w=659&h=496
2) https://webrootblog....png?w=592&h=550
... Rogue URL: kingtranslate .com – 109.201.151.95
Detection rate for the PUA: KingTranslateSetup-r133-n-bc.exe – MD5: 51d98879782d176ababcd8d47050f89f * ... Win32/Toolbar.SearchSuite...
We advise users to avoid using this application and to consider other free, legitimate translation services such as, for instance, Google Translate or Bing’s Translator."
* https://www.virustot...27d00/analysis/
File name: KingTranslateSetup-r120-n-bu.exe
Detection ratio: 3/46
Analysis date:     2013-06-16
___

Dun & Bradstreet Complaint Spam
- http://threattrack.t...-complaint-spam
June 17, 2013 - "Subjects Seen:
    FW : Complaint - [removed]
Typical e-mail details:
    Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.


Malicious URLs
    iguttersupply .com/ponyb/gate.php
    micromeshleafguard .com/ponyb/gate.php
    ornamentalgutters .com/ponyb/gate.php
    radiantcarbonheat .com/ponyb/gate.php
    sistersnstyle .co/4bnsSjBb.exe
    destinationgreece .com/7tW.exe
    backup.hellaswebnews .com/8P6j4.exe
    elenaseller .net/jKK1NMDt.exe


Malicious File Name and MD5:
    Case_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
    Case_<random>.exe (9c862af9a540563488cdc1c61b9ef5f8)

Screenshot: https://gs1.wac.edge...7osN1qz4rgp.png
___

Fake NewEgg .com SPAM / profurnituree .com
- http://blog.dynamoo....nitureecom.html
17 June 2013 - "This fake NewEgg .com spam leads to malware on profurnituree .com:
    Date:      Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
    From:      Newegg Auto-Notification [indeedskahu02 @services.neweg .com]
    Subject:      Newegg.com - Payment  Charged ...


Screenshot: https://lh3.ggpht.co...600/newegg3.png

The link goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]profurnituree .com/news/posts_applied_deem.php (report here*) although the payload appears to be 404ing (I wouldn't trust that though). The domain is hosted on the following IPs:
124.232.165.112 (China Telecom, China)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
The domain registration details are fake... Below is a partial blocklist which I recommend you use in conjunction with this list.
124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211
..."
* http://urlquery.net/....php?id=3180371
 

:grrr: :ph34r:


Edited by AplusWebMaster, 17 June 2013 - 02:00 PM.

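The indicator lists quoted from ThreatTrack and Dynamoo in this post use a defanging convention (a space before the TLD, sometimes before a file extension, and a [donotclick] prefix). The Python below is an added example, not code from the forum post or from either blog: it refangs such lists, separates the Pony panel check-ins (/ponyb/gate.php) from the executable payload URLs and the exploit-kit landing pages, validates bare IPs from a "Recommended blocklist", and emits a hostname blocklist. The sample text is constructed from entries in this thread; the classification rules (gate path, executable extensions) are assumptions made for the example, not something the sources state.

```python
import re

# Constructed sample in the thread's own defanged notation: a space before the
# TLD (and sometimes before a path suffix), "[donotclick]" prefixes, and bare
# IPs from a "Recommended blocklist". Entries are copied from the posts above;
# the invalid 999.1.1.1 line is added to show that bad IPs are dropped.
SAMPLE = """
Malicious URLs
    iguttersupply .com/ponyb/gate.php
    micromeshleafguard .com/ponyb/gate.php
    tpi-ny.com/ponyb/gate .php
    sistersnstyle .co/4bnsSjBb.exe
    destinationgreece .com/7tW.exe
    mpricecs .com .au/ceAZfkX6.exe
    kahrobaa .com/14VkWHU0 .exe
    sistersnstyle .co/4bnsSjBb.exe
[donotclick]rmacstolp .net/news/fishs_grands.php
Recommended blocklist:
186.215.126.52
202.147.169.211
999.1.1.1
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
HOSTPATH = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}(/\S*)?$", re.I)
PONY_GATE = "/ponyb/gate.php"            # Pony Loader panel check-in path (assumption)
EXEC_EXT = (".exe", ".scr", ".pif")      # payload extensions to treat as droppers


def refang(line: str) -> str:
    """Undo the thread's defanging: drop [donotclick] and any space before a dot."""
    line = line.strip().replace("[donotclick]", "")
    return re.sub(r"\s+\.", ".", line)


def is_ipv4(token: str) -> bool:
    m = IPV4.match(token)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def parse_iocs(text: str) -> dict:
    """Classify every indicator in a post into gates, payloads, other URLs and IPs.

    Headings such as "Malicious URLs" contain whitespace and never match HOSTPATH,
    so they fall through; duplicates across posts are collapsed.
    """
    iocs = {"pony_gates": [], "payloads": [], "other_urls": [], "ips": []}
    seen = set()
    for raw in text.splitlines():
        tok = refang(raw)
        if not tok or tok in seen:
            continue
        if is_ipv4(tok):
            seen.add(tok)
            iocs["ips"].append(tok)
            continue
        if not HOSTPATH.match(tok):
            continue
        seen.add(tok)
        host, _, path = tok.partition("/")
        path = "/" + path
        if path.endswith(PONY_GATE):
            iocs["pony_gates"].append(tok)
        elif path.lower().endswith(EXEC_EXT):
            iocs["payloads"].append(tok)
        else:
            iocs["other_urls"].append(tok)
    return iocs


def blocklist_hosts(iocs: dict) -> list:
    """Unique hostnames from all URL classes, for a DNS sinkhole or proxy deny list."""
    hosts = {
        url.split("/", 1)[0].lower()
        for key in ("pony_gates", "payloads", "other_urls")
        for url in iocs[key]
    }
    return sorted(hosts)


if __name__ == "__main__":
    found = parse_iocs(SAMPLE)
    for key, items in found.items():
        print(f"{key}: {len(items)}")
    print("\n".join(blocklist_hosts(found)))
```

The gate URLs are the ones worth alerting on in proxy logs even after the hosts change, since the Pony builder keeps the /ponyb/gate.php path; the payload hosts are compromised sites that rotate quickly and are better handled as a short-lived blocklist.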

#962 AplusWebMaster

Posted 18 June 2013 - 09:37 AM

FYI...

Fake UPS SPAM / rmacstolp .net
- http://blog.dynamoo....acstolpnet.html
18 June 2013 - "This fake UPS spam leads to malware on rmacstolp .net:
    Date:      Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
    From:      UPSBillingCenter @upsmail .net
    Subject:      Your UPS Invoice is Ready
    UPS Billing Center
    This is an automatically generated email. Please do not reply to this email address.
    Dear UPS Customer,
    Thank you for your business.
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
    Please visit the UPS Billing Center to view your paid invoice.
    Questions about your charges? To get a better understanding of surcharges on your invoice, click here.
    Discover more about UPS:
    Visit ups .com
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online
    © 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.
    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS


The link in the email goes through a legitimate -hacked- site but then ends up on a malicious payload at [donotclick]rmacstolp .net/news/fishs_grands.php (report here* and here**). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis. If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta .ru/ftyxsem.php
[donotclick]kontra-antiabzocker .net/cpdedlp.php
[donotclick]www.cyprusivf .net/iabsvkc.php
[donotclick]clubempire .ru/ayrwoxt.php
[donotclick]artstroydom .com/rwlqqtq.php
[donotclick]www.masthotels .gr/ysmaols.php
rmacstolp .net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211
..."
* http://wepawet.isecl...1562967&type=js

** http://urlquery.net/....php?id=3197446
___

Fake - Wells Fargo attachment Spam
- http://threattrack.t...attachment-spam
June 18, 2013 - "Subjects Seen:
    IMPORTANT Documents- WellsFargo
Typical e-mail details:
    Please check attached documents.
    Chuck_Vega
    Wells Fargo Advisors
    817-889-5857 office
    817-353-6685 cell Chuck_Vega @wellsfargo.com
    ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
    To unsubscribe from marketing e-mails from:
    ·         An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
    ·         Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
    Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
    For additional information regarding our electronic communication policies, visit wellsfargoadvisors .com/disclosures/email-disclosure.html .
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


Malicious URLs
    thinkgreensupply .com/ponyb/gate.php
    pacificcontractsources .com/ponyb/gate.php
    tpi-ny .com/ponyb/gate.php
    50shadesofshades .com/ponyb/gate.php
    sistersnstyle .co/4bnsSjBb.exe
    destinationgreece .com/7tW.exe
    backup.hellaswebnews .com/8P6j4.exe
    elenaseller .net/jKK1NMDt.exe


Malicious File Name and MD5:
    WellsFargo_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
    WellsFargo_<random>.exe (3c671b9f969a7ba0a9d9b532840c4ea2)

Screenshot: https://gs1.wac.edge...blxa1qz4rgp.png
 

:ph34r: :grrr:


Edited by AplusWebMaster, 18 June 2013 - 11:11 AM.


#963 AplusWebMaster

Posted 19 June 2013 - 07:18 AM

FYI...

Something evil on 205.234.139.169
- http://blog.dynamoo....5234139169.html
19 June 2013 - "205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc .com:6842/ServerAdministrator/keys/pairs/jfygZbFu
URLquery* and VirusTotal** are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.
The following domains appear to be hosted on the server. You should assume that they are all malicious, ones already flagged by Google ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...13-06-19&max=50

** https://www.virustot...69/information/
___

Fake HP Digital Device Spam
- http://threattrack.t...tal-device-spam
June 19, 2013 - "Subjects Seen:
    Scanned Copy
Typical e-mail details:
    Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
    To view this document you need to use the Adobe Acrobat Reader.


Malicious URLs
    bagdup .com/ponyb/gate.php
    baggagereviews .com/ponyb/gate.php
    bagpreview .com/ponyb/gate.php
    mpricecs .com .au/ceAZfkX6.exe
    serw.myroitracking .com/nokxk.exe
    omnicomer .com/qT6DM.exe
    sweethomesorrento .it/kNH827.exe


Malicious File Name and MD5:
    HP_Scan_<random>.zip (d17aab950060319ea41b038638375268)
    HP_Scan_<random>.exe (eab3a43d077661ca1c9549df49477ddb)

Screenshot: https://gs1.wac.edge...OdIV1qz4rgp.png

HP Spam / HP_Scan_06292013_398.zip FAIL
- http://blog.dynamoo....98zip-fail.html
June 19, 2013 - "I've been seeing these spams for a couple of days now..
    Date:      Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
    From:      HP Digital Device [HP.Digital0 @victimdomain ]
    Subject:      Scanned Copy
    Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
    To view this document you need to use the Adobe Acrobat Reader...


There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
    12 BA E8 AC 16 AC 7B AE
 Another sample version looks like this, with just 6 bytes:
    12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it)..."
___

65+ websites compromised to deliver malvertising
- https://net-security...ews.php?id=2519
June 19, 2013 - "At least 65 different sites serving ads that ultimately led to malware have been spotted by Zscaler researchers*. The massive malvertising campaign started with injected code into the ads served on the sites, and were delivered from several domains, all resolving to the following IP address: 89.45.14.87... The compromised sites were an assortment of random small and medium-sized sites, and among them was the official site for Government Security News..."
* http://research.zsca...lvertising.html
June 18, 2013 - "On Monday, Government Security News (GSN), reported that their website had been compromised during a mass infection. While in the case of the GSN infection, the injected content was delivered from googlecodehosting.com, we have determined that the same content was also delivered from googlecodehosting.org and googlecodehosting.net, all of which resolve to 89.45.14.87 and are now offline. In reviewing our logs for sites with the aforementioned referrers, indicating that they too were/are compromised, we have thus far identified 65 different sites... Referers for the GSN site appeared as early as Jun 14th, suggesting that the site was likely compromised for a couple of days before they became aware of the situation and took steps to clean the site..."
 

:ph34r: :grrr:


Edited by AplusWebMaster, 19 June 2013 - 01:30 PM.

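Dynamoo's HP_Scan post above turns on a simple fact: an 8-byte attachment cannot be a ZIP archive, because even an empty archive needs a 22-byte end-of-central-directory record. The Python below is an added example, not code from the post or from Dynamoo, that performs that sanity check on a mail attachment without extracting it: it verifies the PK signatures, walks the central directory, and reports members with executable extensions as well as members whose general-purpose flag claims password protection (the "encrypted message, password in the mail" trick used by the Fiserv lure later in this thread). The 8-byte and 6-byte samples are the bytes quoted in the post; the working-lure archive and the helper that sets the encryption flag are constructed for the example.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"   # local file header signature
ZIP_CD = b"PK\x01\x02"      # central directory header signature
ZIP_EOCD = b"PK\x05\x06"    # end of central directory record signature
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")


def inspect_zip(data: bytes) -> dict:
    """Walk the central directory without extracting anything.

    Returns {'valid': bool, 'reason': str,
             'entries': [{'name', 'size', 'encrypted', 'executable'}, ...]}.
    """
    report = {"valid": False, "reason": "", "entries": []}
    if len(data) < 22:
        report["reason"] = f"{len(data)} bytes; even an empty archive needs a 22-byte end record"
        return report
    if not (data.startswith(ZIP_LOCAL) or data.startswith(ZIP_EOCD)):
        report["reason"] = "no PK signature at offset 0"
        return report
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1 or len(data) < eocd + 22:
        report["reason"] = "end-of-central-directory record missing or truncated"
        return report
    # EOCD: sig, disk no, CD disk, entries on disk, total entries, CD size, CD offset, comment len
    _, _, _, _, total, _, cd_off, _ = struct.unpack("<4s4HLLH", data[eocd:eocd + 22])
    pos = cd_off
    for _ in range(total):
        if data[pos:pos + 4] != ZIP_CD or len(data) < pos + 46:
            report["reason"] = "central directory truncated or corrupt"
            return report
        # 46-byte CD header: sig, ver made, ver needed, flags, method, time, date,
        # crc, csize, usize, name len, extra len, comment len, disk, int attr, ext attr, local offset
        (_, _, _, flags, _, _, _, _, _, usize,
         nlen, xlen, clen, *_rest) = struct.unpack("<4s6H3L5H2L", data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        report["entries"].append({
            "name": name,
            "size": usize,
            "encrypted": bool(flags & 0x1),            # general-purpose bit 0
            "executable": name.lower().endswith(EXEC_EXT),
        })
        pos += 46 + nlen + xlen + clen
    report["valid"] = True
    return report


def verdict(data: bytes) -> str:
    """One-line triage result for a mail gateway or sandbox pre-filter."""
    r = inspect_zip(data)
    if not r["valid"]:
        return "malformed: " + r["reason"]
    flags = []
    if any(e["executable"] for e in r["entries"]):
        flags.append("executable inside")
    if any(e["encrypted"] for e in r["entries"]):
        flags.append("password-protected")
    return "suspicious: " + ", ".join(flags) if flags else "plain archive"


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample archive with a single member (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, payload)
    return buf.getvalue()


def with_encryption_flag(data: bytes) -> bytes:
    """Constructed test helper: set bit 0 of the general-purpose flags on every
    central-directory entry so the archive *claims* to be password-protected."""
    buf = bytearray(data)
    pos = buf.find(ZIP_CD)
    while pos != -1:
        buf[pos + 8] |= 1          # flags field sits at offset 8 of the CD header
        pos = buf.find(ZIP_CD, pos + 4)
    return bytes(buf)


FAILED_ATTACHMENT = bytes.fromhex("12BAE8AC16AC7BAE")     # the 8 bytes quoted in the post
FAILED_ATTACHMENT_6 = bytes.fromhex("12BAE8AC16AC")       # the 6-byte variant from the post
WORKING_LURE = build_zip("HP_Scan_06292013_398.exe", b"MZ" + b"\x00" * 64)  # constructed stand-in

if __name__ == "__main__":
    for label, blob in [("8-byte sample", FAILED_ATTACHMENT),
                        ("6-byte sample", FAILED_ATTACHMENT_6),
                        ("constructed lure", WORKING_LURE)]:
        print(f"{label}: {verdict(blob)}")
```

Reading the central directory rather than calling zipfile.ZipFile is deliberate: the check should never inflate attacker-controlled data, and a corrupt or deliberately oversized archive should be rejected on header inspection alone.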

#964 AplusWebMaster

Posted 20 June 2013 - 05:45 AM

FYI...

Linkedin DNS Hijack
- https://isc.sans.edu...l?storyid=16037
Last Updated: 2013-06-20 - "LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromising the account used to manage DNS servers... so far, no details are available so this could be just a simple misconfiguration. The issue has been resolved, but If LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache. It does not appear that Linkedin uses DNSSEC (which may not have helped if the registrar account was compromised). Your best bet to make sure you connect to the correct site is SSL... "owning" the domain may allow the attacker to create a new certificate rather quickly... other sites are affected as well... The fact that multiple site's NS records are affected implies that this may not be a simple compromised registrar account... According to:
- http://blog.escanav..../20/dns-hijack/ , the bad IP address is 204.11.56.17* ..."

 

Diagnostic page for AS40034 (CONFLUENCE)
* https://www.google.c...c?site=AS:40034
"... over the past 90 days, 413 site(s).. served content that resulted in malicious software being downloaded and installed without user consent.  The last time Google tested a site on this network was on 2013-06-20, and the last time suspicious content was found was on 2013-06-20... we found 45 site(s) on this network... that appeared to function as intermediaries for the infection of 82 other site(s)... We found 347 site(s)... that infected 4358 other site(s)..."
 

- http://technet.micro...9(v=WS.10).aspx
"... Open Command Prompt. Type: ipconfig /flushdns ..."

 

- https://atlas.arbor.net/briefs/
Elevated Severity
June 20, 2013
An emergent issue involving what's been called "domain hijacking" has taken place involving a number of prominent web properties. Some concern has been expressed that the problem may be part of an attack campaign, despite statements to the contrary.
Analysis: Any type of traffic headed towards any web property that is pointing to an unexpected location - due to a DNS hijack, a hosts file hijack, man-in-the-middle, man-in-the-browser, phishing, pharming, or whatever other technique - carries some risk of delivering sensitive information, credentials, mail contents, or other data to an unexpected party, that may be malicious. Indicators suggest that some type of error was involved in this incident, however there are larger concerns at play that will likely emerge in a more widespread manner in the near future.
Source: http://isc.sans.edu/...NS Hijack/16037
___

Fake ADP SPAM / planete-meuble-pikin .com
- http://blog.dynamoo....e-pikincom.html
20 June 2013 - "This fake ADP spam leads to malware on planete-meuble-pikin .com:
    Date:      Thu, 20 Jun 2013 07:12:28 -0600
    From:      EasyNetDoNotReply @clients.adpmail .org
    Subject:      ADP EasyNet: Bank Account Change Alert
    Dear Valued ADP Client,
    As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
    ** Dominic Johnson **
    ** Ayden Campbell **
    Use this links to: Review or Decline this changes.
    If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
    This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
    Sincerely,
    Your ADP Service Team
    This e-mail comes from an unattended mailbox. Please do not reply.


The link in the email goes through a legitimate but -hacked- site and end up on a malware landing page at [donotclick]planete-meuble-pikin .com/news/network-watching.php (report here*) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)
Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211
..."
* http://urlquery.net/....php?id=3236122

- http://threattrack.t...dp-easynet-spam
June 20, 2013 - "Subjects Seen:
    ADP EasyNet: Bank Account Change Alert
Typical e-mail details:
    Dear Valued ADP Client,
    As part of ADP’s commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
         [Removed]
    Use this links to: Review or Revert this changes.
    If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
    This security precaution is another reason why so many businesses like yours choose ADP, the world’s leading payroll provider for over 60 years, to handle their payroll.
    Sincerely,
    Your ADP Service Team


Malicious URLs
    support.mega-f .ru/easynet.html?view_id=6L9IRMQH
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?jnlp=4248af38de
    ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?otfjbgzd=mekpsr&lmbcq=snfip
ssl.casalupitacafe .com/indication/occurred_sharing-blank.php?lf=1i:1f:32:33:2v&fe=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&fo=a&jb=m&jopa=5634202


Screenshot: https://gs1.wac.edge...Iy9H1qz4rgp.png
___

Fake QuickBooks Overdue Payment Spam
- http://threattrack.t...ue-payment-spam
20 June 2013 - "Subjects Seen:
    Please respond - overdue payment
Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 06/25/2013 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Ginger Mccall


Malicious URLs
    checkpoint-friendly-bag .com/ponyb/gate.php
    checkpoint-friendly-bags .com/ponyb/gate.php
    checkpoint-friendly-laptopcases .com/ponyb/gate.php
    checkpoint-friendly-luggage .com/ponyb/gate.php
    backup.hellaswebnews .com/8P6j4.exe
    powermusicstudio .it/Ckq.exe
    gpbit .com/MACnU.exe
    sedi .ch/XDHMsu.exe


Malicious File Name and MD5:
    <name>_Invoice.zip (eef2fd603a9412d3e5b99264d20a7155)
    <name>_Invoice.exe (eb362fe45a54707d5c796e36975e88a5)

Screenshot: https://gs1.wac.edge...sVz51qz4rgp.png
___

Fake WalMart Order Spam
- http://threattrack.t...-com-order-spam
June 19, 2013 - "Subjects Seen:
    Thanks for your Walmart.com Order [removed]
Typical e-mail details:
    Thanks for ordering from Walmart.com. We’re currently processing your order.
    You’ll receive another email, with tracking information, when your order ships.
    If you’re paying by credit card or Bill Me Later®, your account will not be charged until your order ships.
    If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available.
    All other forms of payment are charged at the time the order is placed...


Malicious URLs
    culinare .tv/wp-content/plugins/customize-admin/walmart.html
    ssl.beautysupplyeast .com/indication/primary-processor_cost.php
    ssl.beautysupplyeast .com/indication/primary-processor_cost.php?jnlp=4248af38de
    ssl.beautysupplyeast .com/indication/primary-processor_cost.php?ef=1i:1f:32:33:2v&le=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&ol=r&gq=m&jopa=4794157


Screenshot: https://gs1.wac.edge...wX111qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 23 June 2013 - 09:16 AM.


#965 AplusWebMaster

Posted 21 June 2013 - 02:27 PM

FYI...

Flash spoof leads to infectious audio ads
- http://blog.webroot....ious-audio-ads/
June 21, 2013 - "We’ve seen quite a few audio ads infecting users recently... As you can see in this first picture, this is another Adobe Flash spoof that launches its signature update window.
> https://webrootblog....-ads1.jpg?w=869
... It doesn’t matter what option you check; once you click “NEXT” you’ll get this next window.
> https://webrootblog....-ads2.jpg?w=869
So far this seems completely official and harmless. It even takes its time progressing the loading bar. However, once you click “Finish” everything closes down and the computer reboots. The command force quits all applications so you won’t have time to save anything or cancel the shutdown. Once the computer reboots there is no final closing message from “Adobe”, but everything seems normal for a few minutes. After about three to five minutes the computer slows down to a crawl and Audio ads start playing in the background... The audio streams are not being run by an audio application or an internet browser session, but instead a hijacked “svchost.exe” that’s using 88.25% CPU. If we take a look at its network communication we find that it’s establishing and closing over a hundred different connections at once. This is why the audio ads aren’t coherent and are basically just multiple advertisement streams all at once which makes for quite an annoying sound... Software Modem and Utility Suite are the culprit. If you read the full command they are located in appdata and point to two randomly named DLLs called “qogrpr.dll” and “ntrti.dll”. This is extremely suspicious. All you need to do is delete the files in appdata and then remove the run keys from startup. The full registry key and directory location are below.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 “qogrpr”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\qogrpr.dll\”,GetGlobals”
 “ntrti”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\ntrti.dll\”,NewMember”
... That’s it for this variant of the Audio ads. There are also other variants that use rootkits to infect the MBR..."
 

:grrr:


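The two Run values quoted from Webroot above share a shape that is worth checking for in general, not just by file name: rundll32.exe launched at logon to load a DLL from a user-writable directory such as AppData\Roaming. The Python below is an added example, not Webroot's code and not part of the post. It parses a .reg-style export of the Run key (the two values from the post with the user folder replaced by a placeholder, plus two constructed benign entries for contrast) and flags only the rundll32 entries whose DLL lives under a user-writable path. The list of writable-path fragments and the benign entries are assumptions made for the example; on a live machine you would feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (which is written as UTF-16).

```python
import re

# Constructed .reg-style export: the two values quoted in the post (user folder
# replaced by "alice") plus two benign, assumed entries for contrast. A real
# OneDrive entry lives under AppData too but is not hosted by rundll32.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qogrpr"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\qogrpr.dll\",GetGlobals"
"ntrti"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\ntrti.dll\",NewMember"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Shell32Hook"="rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"
'''

# Directory fragments an unprivileged user can write to (assumed list). A DLL
# loaded by rundll32 from one of these at logon is the pattern in the post.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\tmp\\")

REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg escaping (doubled backslashes, backslash-escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def split_first_arg(cmd: str):
    """Return (first_token, remainder), honouring a double-quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def rundll32_target(args: str):
    """Split rundll32 arguments into (dll_path, export_name).

    Handles both the quoted form  "C:\\path\\x.dll",Export
    and the bare form             C:\\path\\x.dll,Export
    """
    if args.startswith('"'):
        dll, rest = split_first_arg(args)
    else:
        dll, _, rest = args.partition(",")
        rest = "," + rest
    rest = rest.lstrip(",").strip()
    export = rest.split()[0] if rest else ""
    return dll, export


def audit_run_values(reg_text: str) -> list:
    """Flag Run values where rundll32 loads a DLL from a user-writable path."""
    findings = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue                      # key header, blank line, or non-string value
        name, command = m.group(1), unescape_reg(m.group(2))
        program, args = split_first_arg(command)
        if program.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
            continue
        dll, export = rundll32_target(args)
        if any(frag in dll.lower() for frag in USER_WRITABLE):
            findings.append({"value": name, "dll": dll, "export": export})
    return findings


if __name__ == "__main__":
    for hit in audit_run_values(SAMPLE_REG):
        print(f"{hit['value']}: rundll32 -> {hit['dll']} , export {hit['export']}")
```

The export name is kept in the finding because it is what you would pass to a sandbox or to a disassembler to get straight to the code rundll32 actually calls; removing the Run value without also deleting the DLL, as the post says, leaves the file for the next lure to re-register.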

#966 AplusWebMaster

Posted 22 June 2013 - 07:39 AM

FYI...

Fake LexisNexis SPAM ...
- http://blog.dynamoo....-spam-fail.html
21 Jun 2013 - "This -fake- LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one.
Date:      Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From:      LexisNexis [einvoice.notification @lexisnexis .com]Book
Subject:      Invoice Notification for June 2013 ...  


Screenshot: https://lh3.ggpht.co.../lexisnexis.png


* https://www.virustot...588bc/analysis/
File name: LexisNexis_Invoice_06212013.zip
Detection ratio: 15/47
Analysis date:     2013-06-21
___

"Unusual Visa card activity" SPAM / anygus .com
- http://blog.dynamoo....ivity-spam.html
21 Jun 2013 - "... this FAIL of a Visa spam leads to malware on anygus .com. Note the bits in {braces} that should have content..
    From:     Visa Anti-Fraud [upbringingve @visabusiness .com]
    Date:     21 June 2013 17:36
    Subject:     Unusual Visa card activity
    we {l1} detected {l2} activity in your business visa account.
    please click here to view {l4}
    your case id is: {symbol}{dig}
    look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
    this added security is to prevent any additional fraudulent charges from taking place on your account.
    notice: this visa communication is furnished to you solely in your capacity as a customer of visa inc. (or its authorized agent) or a participant in the visa payments system. by accepting this visa communication, you acknowledge that the information contained herein (the "information") is confidential and subject to the confidentiality restrictions contained in visa's operating regulations, which limit your use of the information. you agree to keep the information confidential and not to use the information for any purpose other than in your capacity as a customer of visa inc. or a participant in the visa payments system. the information may only be disseminated within your organization on a need-to-know basis to enable your participation in the visa payments system.
    please be advised that the information may constitute material nonpublic information under u.s. federal securities laws and that purchasing or selling securities of visa inc. while being aware of material nonpublic information would constitute a violation of applicable u.s. federal securities laws. this information may change from time to time. please contact your visa representative to verify current information. visa is not responsible for errors in this publication. the visa non-disclosure agreement can be obtained from your visa account manager or the nearest visa office.
    this message was sent to you by visa, p.o. box 8999, san francisco, ca 94128. please click here to unsubscribe.


Despite the errors in the email it still ends up going through a -hacked- legitimate site to a Blackhole Exploit kit at [donotclick]anygus .com/news/fewer_tedious_mentioning.php (report here*) hosted on the following IPs:
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom, Pakistan)
Recommended blocklist:
193.254.231.51
202.147.169.211
..."
* http://urlquery.net/....php?id=3262435
"... Detected BlackHole v2.0 exploit kit URL pattern ..."
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Product Purchase Email Messages - 2013 Jun 21
Fake Claims Invoice Email Messages - 2013 Jun 21
Fake Bill Payment Notification Email Messages - 2013 Jun 21
Fake Christmas Greeting Email Messages - 2013 Jun 21
Fake Bill Payment Request Email Messages - 2013 Jun 21
Fake Payment Notification Email Messages - 2013 Jun 21
Fake Portuguese Bank Deposit Delivery Notification Email Messages - 2013 Jun 21
Malicious Attachment Email Messages - 2013 Jun 21
Fake Xerox Scan Attachment Email Messages - 2013 Jun 21
Fake German Invoice Delivery Email Messages - 2013 Jun 21
(More detail and links at the cisco URL above.)
 

:ph34r: :grrr:


Edited by AplusWebMaster, 23 June 2013 - 08:47 AM.


#967 AplusWebMaster

Posted 24 June 2013 - 11:03 AM

FYI...

Fake Facebook SPAM / chinadollars .net
- http://blog.dynamoo....dollarsnet.html
24 June 2013 - "This fake Facebook spam leads to malware on chinadollars .net:
    Date:      Mon, 24 Jun 2013 09:18:12 -0500
    From:      Facebook [notification+SCCRJ42M8P @facebookmail .com]
    Subject:      You have 1 friend request ...
    You have new notifications.
    A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
        1 friend request
    View Notifications
     Go to Facebook
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes through a legitimate but -hacked- site and then leads to a malware landing page at [donotclick]chinadollars .net/news/inputted-ties.php (report here*) hosted on:
119.147.137.31 (China Telecom, China)
202.147.169.211 (LINKdotNET, Pakistan)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
210.42.103.141 (Wuhan Urban Construction Institute, China)
Recommended blocklist:
119.147.137.31
202.147.169.211
203.80.17.155
210.42.103.141
..."
* http://urlquery.net/....php?id=3303350
___

Fake Fiserv SPAM - / SecureMessage_TBTATU41DMJDT5B.zip
- http://blog.dynamoo....tification.html
24 June 2013 - "This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:

    Date:      Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
    From:      Fiserv Secure Notification [secure.notification@fiserv.com]
    Subject:      Fiserv Secure Email Notification - TBTATU41DMJDT5B
    Part(s):     
          2      SecureMessage_TBTATU41DMJDT5B.zip      [application/zip]      104 KB

    You have received a secure message
    Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password -  SUgDu07dn
    To read the encrypted message, complete the following steps:
     -  Double-click the encrypted message file attachment to download the file to your computer.
     -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
     -  The message is password-protected, enter your password to open it.
    To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.
    2000-2013 Fiserv Secure Systems, Inc. All rights reserved.


Ask yourself this question: why would you encrypt a message and then put the password in the email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46*.
Other analysis is pending, the malware has the following checksums:
Size    117248
MD5    fdd154360854e2d9fee47a557b296519
SHA1    d3de7f5514944807eadb641353ac9380f0c64607
SHA256    1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59
* https://www.virustot...sis/1372086208/
File name: SecureMessage.exe
Detection ratio: 8/46
Analysis date:     2013-06-24

- http://threattrack.t...attachment-spam
24 June 2013 - "Subjects Seen:
    Please respond - overdue payment
Typical e-mail details:
    You have received a secure message ...

Screenshot: https://gs1.wac.edge...zZ5Q1qz4rgp.png
___

PayPal Credentials Phish
- http://threattrack.t...edentials-phish
24 June 2013 - "Subjects Seen:
    Important Message
Typical e-mail details:
    Dear PayPal Manager Customer,
    We regret to inform you that your merchant account has been locked.
    Te re-activate it please download the file attached to this e-mail and update your login information.


Malicious URLs
    bellt .es/CSS/confirm.php


Malicious File Name and MD5:
    vtextloginpage.html (06c12f594dc7a558510cb9d9c402ed8f)

Screenshot: https://gs1.wac.edge...7E4u1qz4rgp.png
___

Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ PUA...
- http://blog.webroot....pplication-pua/
June 24, 2013 - "Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign consists of a successful brand-jacking abuse of Mozilla’s Firefox browser, supposedly offered for free, while in reality, the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore...
Sample screenshot of the landing page:
> https://webrootblog....png?w=609&h=567
Rogue download URL:

Detection rate for the Potentially Unwanted Application (PUA) – MD5: * ... Win32/InstallCore.BL; InstallCore (fs).
The rogue sample is digitally signed by ‘Secure Installer’.
Once executed, it phones back to:
media.ez-download .com – 54.230.12.193
os.downloadster2cdn .com – 54.245.235.34
cdn.secureinstaller .com – 54.230.12.162
img.downloadster2cdn .com – 199.58.87.151
...
We advise users to avoid interacting with ads enticing them into downloading well known software applications, and to always visit their official Web sites in order to obtain the latest versions..."
(More detail at the webroot URL above.)
* https://www.virustot...034b9/analysis/
File name: Firefox_Setup_21.0.exe
Detection ratio: 4/47
Analysis date:     2013-06-21
 



Edited by AplusWebMaster, 24 June 2013 - 02:15 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
.

#968 AplusWebMaster


Posted 25 June 2013 - 01:57 PM

FYI...

Fake Southwest Airlines SPAM / meynerlandislaw .net
- http://blog.dynamoo....ion-kqr101.html
25 June 2013 - "This fake Southwest Airlines spam leads to malware on meynerlandislaw .net:
    from:     Southwest Airlines [information @luv.southwest .com]
    reply-to:     Southwest Airlines [no-reply@ emalsrv.southwestmail .com]
    date:     25 June 2013 17:09
    subject:     Southwest Airlines Confirmation: KQR101
    [redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM
    You're all set for your travel!
    Southwest Airlines
    My Account | Review My Itinerary Online ...


The link goes through a legitimate -hacked- site and ends up on a malicious payload at [donotclick]meynerlandislaw .net/news/possibility-redundant.php (report here*) hosted on the following IPs:
119.147.137.31 (China Telecom, China)
203.80.17.155 (MYREN, Malaysia)
Recommended blocklist:
119.147.137.31
203.80.17.155
..."
* http://urlquery.net/....php?id=3323617
... Detected BlackHole v2.0 exploit kit URL pattern..."
___

Something evil on 173.246.104.154
- http://blog.dynamoo....3246104154.html
24 June 2013 - "173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]..."
[1] http://urlquery.net/...13-06-24&max=50
[2] https://www.virustot...54/information/

Diagnostic page for AS29169 (GANDI)
- https://www.google.c...c?site=AS:29169
"... over the past 90 days, 318 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-25, and the last time suspicious content was found was on 2013-06-25... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 103 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 153 site(s)... that infected 843 other site(s)..."
___

FedEx Delivery Notification Spam
- http://threattrack.t...tification-spam
June 25, 2013 - "Subjects Seen:
    Delivery Notification
    Delivery Notification ID#<random>

Typical e-mail details:
    Dear Client,
    Your parcel has arrived at June 13. Courier was unable to deliver the parcel to you.
    To receive your parcel, print this label and go to the nearest office.


Malicious URLs
    txwebsolutions .com/main.php?d_info=899_549892719
    ehagency .com/main.php?g_info=ss00_323
    eup-ecodesign .com/main.php?g_info=ss00_323
    roccoracingmotors .com/main.php?g_info=ss00_323
    bebmorena .com/main.php?g_info=ss00_323
    metrocomoptimist .org/img/info.php?g_info=ss00_323


Malicious File Name and MD5:
    Shipment_Label.zip (a95ef37d4d992ac63cbb81e116ca6d07)
    Shipment_Label.exe (fcd9314b644d86eee71cd67c44935fc8)

Screenshot: https://gs1.wac.edge...dowG1qz4rgp.png
___

Fake ADP SPAM / spanishafair .com
- http://blog.dynamoo....shafaircom.html
25 June 2013 - "This fake ADP spam leads to malware on spanishafair .com:
    Date:      Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
    From:      Run Do Not Reply [RunDoNotReply @ipn.adp .net]
    Subject:      Your Biweekly payroll is  accepted
    Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.
    Client ID: [redacted]
    View Details: Review
    Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
    Please do not reply to this message. auto informer system not configured to accept incoming messages.


The malicious payload is at [donotclick]spanishafair .com/news/possibility-redundant.php hosted on:
119.147.137.31 (China Telecom, China)
210.42.103.141 (Wuhan Urban Construction Institute, China)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
Related evil domains and IP addresses to block can be found here* and here**."
* http://blog.dynamoo....dollarsnet.html

** http://blog.dynamoo....ion-kqr101.html
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bill Payment Notification Email Messages - 2013 Jun 25
Malicious Personal Pictures Attachment Email Messages - 2013 Jun 25
Fake Bank Deposit Confirmation Email Messages - 2013 Jun 25
Fake Legal Contract Form Email Messages - 2013 Jun 25
Fake Customer Complaint Attachment Email Messages - 2013 Jun 25
Fake Mobile Phone Credit Notification Email Messages - 2013 Jun 25
Fake Unpaid Debt Invoice Email Messages - 2013 Jun 25
Email Messages with Malicious Attachments - 2013 Jun 25
Fake Sample Product Purchase Order Email Messages - 2013 Jun 25
Fake Bank Payment Transfer Notification Email Messages - 2013 Jun 25
Fake Personal Photo Sharing Email Messages - 2013 Jun 25
Fake Product Order Inquiry Email Messages - 2013 Jun 25
Fake Authorization Letter Email Messages - 2013 Jun 25
(More detail and links at the cisco URL above.)
 



Edited by AplusWebMaster, 25 June 2013 - 07:29 PM.
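
A worked example added here, not code from the forum poster or from the Dynamoo/ThreatTrack write-ups quoted above. The posts defang their indicators in three styles ("chinadollars .net", "ftp(DOT)vickibettger .com", "72.52.164.246 /FDKwgvdt.exe", a leading "[donotclick]", a trailing "(Hoster, Country)"), and they describe a few recurring URL shapes: the BlackHole v2 landing pages under /news/<word>-<word>.php, the Pony check-ins at /ponyb/gate.php, the courier-themed redirectors with a main.php?g_info=... or ...?inf=... query, and bare .exe drops. The Python below refangs a pasted list, labels each entry by those shapes, and turns the hosts into an IP and domain blocklist with a lookup function a proxy or mail filter could call. The sample lines inside the block are copied from the posts; the family names and regexes are this example's own approximation, not a published signature.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: indicators copied from the posts above, in the three
# defanging styles they use (space before the TLD, "(DOT)", "[donotclick]").
SAMPLE_IOCS = """
[donotclick]chinadollars .net/news/inputted-ties.php
meynerlandislaw .net/news/possibility-redundant.php
sartorilaw .net/news/source_fishs.php
attentivetodetails .com/ponyb/gate.php
ftp(DOT)vickibettger .com/oEoASW64.exe
72.52.164.246 /FDKwgvdt.exe
common.karsak .com .tr/FzPfH6.exe
metrocomoptimist .org/img/info.php?g_info=ss00_323
ah-nanas .se/main.php?inf=ss00_323
119.147.137.31 (China Telecom, China)
203.80.17.155
"""

# URL shapes described in the posts. These regexes are this example's own
# approximation of those shapes, not a published signature.
PONY_GATE_RE = re.compile(r"^/ponyb/gate\.php$", re.I)
BLACKHOLE_RE = re.compile(r"^/news/[a-z]+[-_][a-z]+\.php$", re.I)
REDIRECTOR_QUERY_RE = re.compile(r"(?:^|&)(?:d_info|g_info|inf)=", re.I)


def refang(text: str) -> str:
    """Undo the defanging used in the posts so the IOC can be parsed."""
    text = text.strip()
    text = re.sub(r"^\[donotclick\]", "", text, flags=re.I)
    text = re.sub(r"\(dot\)", ".", text, flags=re.I)
    text = re.sub(r"\s*\([^)]*\)$", "", text)   # drop trailing "(Hoster, Country)"
    text = re.sub(r"\s+\.", ".", text)          # "chinadollars .net" -> "chinadollars.net"
    text = re.sub(r"\s+/", "/", text)           # "1.2.3.4 /x.exe" -> "1.2.3.4/x.exe"
    return text


def classify(raw: str) -> dict:
    """Refang one indicator and label it by the URL pattern it matches."""
    clean = refang(raw)
    parts = urlsplit(clean if "://" in clean else "http://" + clean)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    path, query = parts.path, parts.query
    if PONY_GATE_RE.match(path):
        family = "pony-gate"
    elif BLACKHOLE_RE.match(path):
        family = "blackhole-v2-landing"
    elif REDIRECTOR_QUERY_RE.search(query):
        family = "redirector-landing"
    elif path.lower().endswith(".exe"):
        family = "exe-drop"
    elif path in ("", "/") and not query:
        family = "host-only"
    else:
        family = "unknown"
    return {"ioc": clean, "host": host, "path": path, "is_ip": is_ip, "family": family}


def build_blocklist(text: str):
    """Split a pasted IOC list into (ips, domains), both sorted and de-duplicated."""
    ips, domains = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        item = classify(line)
        if item["host"]:
            (ips if item["is_ip"] else domains).add(item["host"])
    return sorted(ips), sorted(domains)


def is_blocked(url: str, ips, domains) -> bool:
    """True if the URL's host is a listed IP, a listed domain, or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    ips, domains = build_blocklist(SAMPLE_IOCS)
    for line in SAMPLE_IOCS.splitlines():
        if line.strip():
            item = classify(line)
            print(f"{item['family']:22} {item['host']:30} {item['path']}")
    print("block-ip:", " ".join(ips))
    print("block-domain:", " ".join(domains))
```

A listed domain also matches its subdomains, so blocking chinadollars.net covers www.chinadollars.net. The script does not try to work out registrable domains, so for a host such as pinterest .com.reports0701.net you would add the parent reports0701.net to the list yourself. As Dynamoo notes, the domains rotate faster than the IPs, which is why the IP half of the list is the more durable block.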


#969 AplusWebMaster


Posted 26 June 2013 - 10:50 AM

FYI...

Fake UPS Parcel Pickup Spam
- http://threattrack.t...cel-pickup-spam
June 26, 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


Malicious URLs
    nichebiznetwork .com/ponyb/gate.php
    watertreecapital .com/ponyb/gate.php
    attentivetodetails .com/ponyb/gate.php
    furnishedfloorplans .com/ponyb/gate.php
    casailtiglio .com/NY19N.exe
    casevacanzeversilia .com/9jW.exe
    72.52.164.246 /FDKwgvdt.exe
    scenografiesacs .com/mvNaxR.exe


Malicious File Name and MD5:
    Label_<random>.zip (d17aab950060319ea41b038638375268)
    Label_<random>.exe (347cbf0c41a978e601b00d39928506aa)

Screenshot: https://gs1.wac.edge...mZ7e1qz4rgp.png
___

Xerox WorkCentre Scan Spam
- http://threattrack.t...entre-scan-spam
June 26, 2013 - "Subjects Seen:
    Scanned Image from a Xerox WorkCentre
Typical e-mail details:
    Tlease open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [removed]
    Number of Images: 5
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name: [removed]
    Attached file is scanned image in PDF format.


Malicious URLs
    attentivetodetails .com/ponyb/gate.php
    watertreecapital .com/ponyb/gate.php
    helisovertidewater .com/ponyb/gate.php
    mcqbuildersllc-1 .com/ponyb/gate.php
    casailtiglio .com/NY19N.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    72.52.164.246 /FDKwgvdt.exe
    scenografiesacs .com/mvNaxR.exe


Malicious File Name and MD5:
    Scan_<random>.zip (d8d8bf4a0890c937d501b78cdfd7de13)
    Scan_<random>.exe (40378c0d43dd8c135f90a704911024bd)

Screenshot: https://gs1.wac.edge...Ph591qz4rgp.png
 



Edited by AplusWebMaster, 26 June 2013 - 02:07 PM.
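
A second added example, again not the poster's or ThreatTrack's code, for the attachment-based runs in this thread: the fake Fiserv mail in post #967 ships a ZIP whose "decryption password" is printed in the message body (Dynamoo's point: the password is there to get the archive past scanners), and the UPS and Xerox runs above ship Label_<random>.zip and Scan_<random>.zip that unpack to an .exe. The Python below parses a MIME message, opens each ZIP attachment in memory without extracting it, and flags executable members by extension, by double extension and by the PE "MZ" magic, and separately flags the password-in-body lure so an encrypted archive it cannot look inside still gets quarantined. The message is constructed inside the block from the posted wording with a two-byte MZ stub in place of the malware; the addresses are placeholders, not from the posts.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should never arrive inside a ZIP from a courier or a bank.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jar")
# "Shipment_Label.pdf.exe" style names
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|jpg|txt)\.(exe|scr|pif|com)$", re.I)
# "password -  SUgDu07dn", "password: hunter2"
PASSWORD_RE = re.compile(r"\bpassword\b[^\n]{0,40}?[:\-]\s*(\S+)", re.I)


def build_sample_mail(member: str, payload: bytes, body: str) -> bytes:
    """Constructed test message: one text/plain part plus one ZIP attachment.
    Addresses are placeholders (assumption), not taken from the posts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    msg = EmailMessage()
    msg["From"] = "Secure Notification <noreply@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Secure Email Notification"
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=member.rsplit(".", 1)[0] + ".zip")
    return msg.as_bytes()


def inspect_mail(raw: bytes) -> dict:
    """Return a verdict plus per-member findings for every ZIP attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_part = msg.get_body(preferencelist=("plain",))
    body_text = text_part.get_content() if text_part is not None else ""
    pw_match = PASSWORD_RE.search(body_text)
    findings, zip_seen = [], False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # this check only looks inside ZIP containers
        zip_seen = True
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name, reasons = info.filename, []
                if name.lower().endswith(EXEC_EXT):
                    reasons.append("executable-in-zip")
                if DOUBLE_EXT_RE.search(name):
                    reasons.append("double-extension")
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted:
                    reasons.append("encrypted-member")  # cannot be content-scanned
                elif zf.read(info)[:2] == b"MZ":
                    reasons.append("pe-magic")  # judged by content, not by name
                if reasons:
                    findings.append({"attachment": part.get_filename(),
                                     "member": name, "reasons": reasons})
    # The Fiserv lure: a ZIP plus "the password is ..." in the body. Even with
    # no inspectable executable, that combination is worth holding back.
    password_lure = zip_seen and pw_match is not None
    if any(r != "encrypted-member" for f in findings for r in f["reasons"]):
        verdict = "block"
    elif password_lure or findings:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "password_in_body": pw_match.group(1) if pw_match else None,
        "findings": findings,
    }


if __name__ == "__main__":
    lure = ("You have received a secure message\n"
            "Read your secure message by opening the attachment.\n"
            "To decrypt the message use the following password -  SUgDu07dn\n")
    print(inspect_mail(build_sample_mail("Label_123456.exe", b"MZ\x90\x00", lure)))
```

The "pe-magic" check is the one that matters in practice: renaming SecureMessage.exe to something harmless does not change its first two bytes. Members marked "encrypted-member" cannot be read without the password, which is exactly why the lure prints it, so the verdict treats archive-plus-password-in-body as quarantine rather than allow.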


#970 AplusWebMaster


Posted 27 June 2013 - 10:54 AM

FYI...

BBB Compliant Spam
- http://threattrack.t...-compliant-spam
June 27, 2013 - "Subjects Seen:
    FW: Complaint Case <removed>
Typical e-mail details:
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
    In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.
    Sincerely,
    BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region


Malicious URLs
    ammscanada .com/ponyb/gate.php
    ammschicago .com/ponyb/gate.php
    ammsdallas .com/ponyb/gate.php
    ammsdirectors .com/ponyb/gate.php
    casailtiglio .com/NY19N.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    72.52.164.246 /FDKwgvdt.exe
    scenografiesacs .com/mvNaxR.exe


Malicious File Name and MD5:
    Case_<random>.zip (0ed9dd827d557d3e20818ab50c7d930b)
    Case_<random>.exe (f317d215a672a209cbdcba452e5e84d8)

Screenshot: https://gs1.wac.edge...7SVn1qz4rgp.png
___

Fake OfficeWorld .com SPAM / sartorilaw .net
- http://blog.dynamoo....torilawnet.html
27 June 2013 - "This fake OfficeWorld spam leads to malware on sartorilaw .net:
    Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
    From:      customerservice @emalsrv.officeworldmail .net
    Subject:      Confirmation notification for order 1265953
    Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!
    Please review your order details below. If you have any questions, please Contact Us
    Helpful Tips:
    - Please SAVE or PRINT this confirmation for your records.
    - ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
    - If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
    Order:  1265953
    Date:           6/27/2013
    Ship To:        My Default
    Credit Card:    MasterCard
    Product Qty     Price   Unit    Extended
    HEWCC392A    1       $9703.09  EA      $15.15         
    AVE5366 1       $27.49  BX      $27.49         
    SAF3081 2       $56.29  EA      $112.58        
    Product Total:     $9855.22
    Total:          $9855.22
    OfficeWorld.com values your business!


The link in the email goes through a legitimate -hacked- site and then on to [donotclick]sartorilaw .net/news/source_fishs.php (report here*) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)
Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2
..."
* http://urlquery.net/....php?id=3362472
... Detected BlackHole v2.0 exploit kit URL pattern...
 



Edited by AplusWebMaster, 27 June 2013 - 01:40 PM.


#971 AplusWebMaster


Posted 28 June 2013 - 08:25 AM

FYI...

Fake Fox News-themed malicious email campaign
- http://community.web...l-campaign.aspx
28 Jun 2013 - "Websense... discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as to exfiltrate personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured “breaking news” subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to 'click' on the malicious links. The campaign appears to have targeted a variety of industries and countries; as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.
... Screenshot:
> http://community.web..._2D00_550x0.png
Intercepted emails generated interest as they are highly convincing as breaking news alerts and are targeting highly popular and polarizing topics such as Immigration reform, the war on terror, and sending troops to Syria. Example email subjects include:
- U.S. Military Action in Syria - is it WW3 start?
- US deploys 19,000 troops in Syria
- Obama Sending US Forces to Syria
Malicious Email Analysis: The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit which delivers a malicious PDF.
The malicious component downloaded by the shell-code is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.
Malicious component:
https://www.virustot...b1ef9/analysis/
About the PDF file:
https://www.virustot...d243b/analysis/
... Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads..."
(More detail available at the websense URL above.)
___

Fake jConnect SPAM / FAX_281_3927981981_283.zip
- http://blog.dynamoo....1981283zip.html
28 June 2013 - "This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:
    Date:      Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
    From:      jConnect [message @inbound .j2 .com]
    Subject:      jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967
    Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
    02:13:41 EST.* The reference number for this fax is
    lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
    you have not already installed j2 Messenger, download it for questions regarding this message or your j2 service.Thank you for using jConnect!Home    
    Contact     Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
    registered trademark of j2 Global Communications, Inc.This account is subject to the
    terms listed in thejConnect Customer Agreement.


Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run*). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous."
* http://blog.dynamoo....-spam-fail.html
___

- http://threattrack.t...onnect-fax-spam
June 28, 2013 - "Subjects Seen:
    jConnect fax from "[removed]" - 26 page(s), Caller-ID: [removed]
Typical e-mail details:
    You have received a 26 page(s) fax at 2012-12-17 05:25:42 EST.
    * The reference number for this fax is [removed].
    This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2 .com/downloads
    Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
    Thank you for using jConnect!


Malicious URLs
    ammsseattle .com/ponyb/gate.php
    ammsstlouis .com/ponyb/gate.php
    ammstestimonials .com/ponyb/gate.php
    common.karsak .com .tr/FzPfH6.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    printex-gmbh .de/kbo.exe
    sraclinic.netarama .com/2aeDdDTW.exe


Malicious File Name and MD5:
    Fax_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
    Fax_<random>.exe (f9a80dbb13546e235617f5b21d64cad8)

Screenshot: https://gs1.wac.edge...rL5Z1qz4rgp.png
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Faxed Document Delivery Email Message - 2013 Jun 28
Fake Product Availability Request Email Messages - 2013 Jun 28
Fake Banking News Report Email Messages - 2013 Jun 28
Fake Purchase Order Invoice Email Messages - 2013 Jun 28
Fake Photo Sharing Email Messages - 2013 Jun 28
Fake Bank Deposit Confirmation Notice Email Messages - 2013 Jun 28
Fake Portuguese Photo Sharing link Email Messages - 2013 Jun 28
Fake Confidential Business Request Email Messages - 2013 Jun 28
Fake Product Purchase Order Request Email Messages - 2013 Jun 28
Fake Scanned Document Attachment Email Messages - 2013 Jun 28
Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jun 28
(More detail and links at the cisco URL above.)
 



Edited by AplusWebMaster, 28 June 2013 - 04:16 PM.


#972 AplusWebMaster


Posted 29 June 2013 - 04:19 PM

FYI...

Instagram "Fruit" SPAM
- https://isc.sans.edu...l?storyid=16087
Last Updated: 2013-06-29 20:28:25 UTC - "Currently, Instagram appears to be -flooded- with images of various fruits, pointing to a site that advertises a "miracle fruit diet". The spam attack links to a fake BBC page, typically via a bit.ly link. The "BBC" page features an article touting the power of the advertised diet scheme. It appears that compromised Instagram accounts are the source of the spam. The accounts were compromised using -phishing- e-mails, as some reports indicate. In addition to posting the images, the user's profile URL is also changed to the spam website."
 



Edited by AplusWebMaster, 29 June 2013 - 04:23 PM.


#973 AplusWebMaster


Posted 01 July 2013 - 06:54 AM

FYI...

Adware sites to block - 1 July 2013
- http://blog.dynamoo....block-1713.html
1 July 2013 - "Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment; some of them may be involved in injection attacks or adware installs...
cdnsrv .com
tracksrv .com
cdnloader .com
secure-content-delivery .com
mydatasrv .com

Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address."
___

Email credentials - Phish
- http://threattrack.t...edentials-phish
July 1, 2013 - "Subjects Seen:
    Email Deactivation Notice
Typical e-mail details:
    An automatic security update has been carried out on your Email Account.
    Click here to Login and complete update
    Please note that you have within 24 hours to complete this update, because you might lose access to your Email Account


Malicious URLs
    190.6.206.173 /~radioxge/updated/index.html


Screenshot: https://gs1.wac.edge...Pz3B1qz4rgp.png
___

Fake  Pinterest SPAM / pinterest .com.reports0701.net
- http://blog.dynamoo....ports0701n.html
1 July 2013 - "This fake Pinterest spam leads to malware on pinterest .com.reports0701.net:
    Date:      Mon, 1 Jul 2013 21:04:36 +0530
    From:      "Pinterest" [naughtinessw5 @newsletters .pinterest .net]
    To:      [redacted]
    Subject:      Your password on Pinterest Successfully changed!
    [redacted]
    Yor password was reset. Request New Password.
    See Password    
    Pinterest is a tool for collecting and organizing things you love.
    This email was sent to [redacted].
    Don't want activity notifications? Change your email preferences.
    ©2013 Pinterest, Inc. | All Rights Reserved
    Privacy Policy | Terms and Conditions


The link goes through a legitimate -hacked- site to end up on a malicious payload at [donotclick]pinterest .com.reports0701.net/news/pay-notices.php (report here* and here**) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang) which is a slightly new technique:
   June Parker parker @mail .com
   740-456-7887 fax: 740-456-7844
   4427 Irving Road
   New Boston OH 45663
   us
The following IPs are in use:
77.240.118.69 (Acens Technologies, Spain)
89.248.161.148 (Ecatel, Netherlands)
208.81.165.252 (Gamewave Hongkong Holdings, US)
Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252
..."
* http://urlquery.net/....php?id=3454469

** http://urlquery.net/....php?id=3454450
 



Edited by AplusWebMaster, 01 July 2013 - 04:39 PM.


#974 AplusWebMaster


Posted 02 July 2013 - 07:20 AM

FYI...

Adware sites to block 2/7/13
- http://blog.dynamoo....block-2713.html
2 July 2013 - "Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details... Given the amount of adware* on this server, I would recommend blocking it... "
(More detail at the dynamoo URL above.)
* https://www.virustot...61/information/
___

Malware sites to block 2/7/13
- http://blog.dynamoo....block-2713.html
2 July 2013 - "These sites belong to this gang* and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block..."
(Long lists at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Babylon and the 3954 Trojans...
- http://blog.dynamoo....r-whore-of.html
2 July 2013 - ""Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild... At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons... and installs a load of crapware onto your computer when it does so...  system administrators keep finding the product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry* covering malware issues. Do you really want your users to go anywhere near this site? As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to -block- (all operated by Singlehop):
69.175.87.109
81.93.185.144
81.93.185.145
173.236.48.139
173.236.91.147
184.154.40.59
184.154.151.19
198.143.175.67
216.104.42.91
..."
(More detail at the dynamoo URL above.)
* http://en.wikipedia....#Malware_issues

> https://www.virustot...om/information/

Diagnostic page for AS32475 (SINGLEHOP)
- https://www.google.c...c?site=AS:32475

- https://www.google.c...ite=babylon.com
"... Malicious software includes 3954 trojan(s)..."
___

 

DHL Shipment Notification Spam
- http://threattrack.t...tification-spam
July 2, 2013 - "Subjects Seen:
    Delivery Status Notification ID#[removed]
Typical e-mail details:
    DHL Ship Shipment Notification
    On June 23, 2013 a shipment label was printed for delivery.
    The shipment number of this package is [removed].
    To get additional info about this shipment use any of these options:
    1) Click the following URL in your browser:
                      Get Shipment Info
    2) Enter the shipment number on tracking page:
                      Tracking Page
    For further assistance, please call DHL Customer Service.
    For International Customer Service, please use official DHL site.


Malicious URLs
    ah-nanas .se/main.php?inf=ss00_323
    unitedcricketclub .co.za/main.php?inf=ss00_323
    dsfstore .ro/main.php?inf=ss00_323


Malicious File Name and MD5:
    Delivery_Information.zip (6ea731d13579040c20208dfbc7bddb0f)
    Delivery_Information_ID-<random>.exe (560f37022593bf13c4071f4c5dc3b48c)

Screenshot: https://gs1.wac.edge...AKhv1qz4rgp.png
 



Edited by AplusWebMaster, 03 July 2013 - 03:04 AM.


#975 AplusWebMaster


Posted 03 July 2013 - 02:51 PM

FYI...

Blackhole Exploit Kit SPAM campaign hits Pinterest
- http://blog.trendmic...hits-pinterest/
July 3, 2013 - "... we are now seeing a BHEK spam campaign targeting social networking website -Pinterest- and its users. Prior to this campaign, the website has also been the target of other threats, such as survey scams and spammed mails that lead to malicious websites.
> https://blog.trendmi...nterestbhek.jpg
We received a sample of the messages being spammed, and upon analysis, discovered how its infection chain goes. Here is the entire infection chain, as follows:
• The user receives the spammed mail in his inbox. It is tailored to resemble a legitimate mail from Pinterest, and notifies the user about a successful password change. It also presents a link that would allow him to see his new password.
• Should the user click on the link, he is put through a series of website redirects. This redirection is detected as HTML_IFRAME.USR.
• HTML_IFRAME.USR then downloads another malware onto the system, TROJ_PIDIEF.USR, which in turn drops BKDR_KRIDEX.KA. This final payload, being backdoor malware, has the ability to perform commands from a remote malicious user, and therefore can compromise a system’s security.
While there is nothing new in this routine, users are still advised to always perform account-related changes only on the websites they subscribe to. We also point towards the usage of CRIDEX as a final payload – a malware family that we’ve written about as one of the two families used in BHEK attacks. Like ZBOT, CRIDEX is used mainly to steal online banking information. To further protect themselves from these sorts of threats, users should ensure that all software in their systems is updated and patched (namely Java, Adobe Acrobat, Adobe Reader, and Flash). This is because BHEK operates by exploiting vulnerabilities in popular software, and keeping that software, plus their browser of choice, up to date can help prevent them from becoming victims. Avoiding links presented in suspicious mails and verifying the mail’s content first by contacting the supposed sender through other means (phone call, visitation) can also go a long way..."
 




#976 AplusWebMaster


Posted 05 July 2013 - 12:19 PM

FYI...

Fake EBC Password Reset Confirmation SPAM / paynotice07 .net
- http://blog.dynamoo....ation-spam.html
5 July 2013 - "This fake password reset spam leads to malware on paynotice07 .net:
    From: EBC_EBC1961Registration@ebank6 .secureaps .com
    Sent: 05 July 2013 12:27
    Subject: Password Reset Confirmation
    Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.
    Support is available Monday - Friday, 8 AM to 8 PM CST.
    This is an automated message, please do not reply. Your message will not be received...


The link goes through a legitimate -hacked- site and ends up on a payload at [donotclick]paynotice07 .net/news/must-producing.php (report here*) hosted on the following IPs:
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)
Blocklist:
189.84.25.188
202.28.69.195
..."
* http://urlquery.net/....php?id=3554479
___

Invoice Export License Spam
- http://threattrack.t...rt-license-spam
July 5, 2013 - "Subjects Seen:
    invoice copy
Typical e-mail details:
    Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


Malicious File Name and MD5:
    invoice copy.zip (5e58effccB7dfbe81910fefaf17766d9)
    invoice copy (2).exe (d70ab58ee9fffd968c3e7327adbb550e)

Screenshot: https://gs1.wac.edge...ValW1qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 05 July 2013 - 02:13 PM.


#977 AplusWebMaster


Posted 08 July 2013 - 11:31 AM

FYI...

Fake AMEX SPAM - americanexpress .com.krasalco .com
- http://blog.dynamoo....rasalcocom.html
8 July 2013 - "This fake Amex spam leads to malware on americanexpress .com.krasalco .com:
    From: American Express [mailto:AmericanExpress @emalsrv.aexpmail .org]
    Sent: 08 July 2013 15:00
    Subject: Account Alert: A Payment Was Received
    Check your account balance online at any time
        Hello, [redacted]
View Account
Make a Payment
    Manage Alerts Preferences
    Payment Received   
    Check Balance
    We received a payment for your Card account.
         Date Received:
             Mon, Jul 08, 2013
         Payment Amount:
             $2,511.92
    Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.
    Thank you for your Cardmembership.
    American Express Customer Care
    Was this e-mail helpful? Please click here to give us your feedback...


Screenshot: https://lh3.ggpht.co...8/s400/amex.png

The link in the email goes through a legitimate -hacked- site to end up on a malicious landing page at [donotclick]americanexpress .com.krasalco .com/news/slightly_some_movie.php (report here*) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)
Blocklist:
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
..."
* http://urlquery.net/....php?id=3606244
___

Fake Xerox WorkCentre Pro Spam
- http://threattrack.t...centre-pro-spam
July 8, 2013 - "Subjects Seen:
    Scanned Image from a Xerox WorkCentre
Typical e-mail details:
    Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [removed]
    Number of Images: 6
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name: [removed]
    Attached file is scanned image in PDF format.


Malicious URLs
    2ndtimearoundweddingphotography .com/ponyb/gate.php
    bobkahnvideo .com/ponyb/gate.php
    gfpmenusonline .com/ponyb/gate.php
    gfponlineordering .com/ponyb/gate.php
    lacasadelmovilusado .com/bts1.exe
    common.karsak .com.tr/FzPfH6.exe
    ftp(DOT)vickibettger .com/oEoASW64.exe
    qualitydoorblog .com/qbSTq.exe


Malicious File Name and MD5:
    SCAN_<random>.zip (da8f4d5dc27dd81c6e3eff217a6501ec)
    SCAN_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)

Screenshot: https://gs1.wac.edge...FfuK1qz4rgp.png
___

Man of Steel, Fast and Furious 6 Among Online Fraudsters’ Most Used Lures
- http://blog.trendmic...ost-used-lures/
July 8, 2013 - "... Fraudsters are relentless in creating fake streaming sites, not just on the screening date of these movies, but also before the release of movies in theaters... attackers use various social media sites like Facebook, Google+, Youtube, LinkedIn, and many others to drive users to the fake streaming pages. These are hosted on blogging services like Tumblr, WordPress, and Blogger. Most pages on these blogs have shortened URLs that lead to the final sites... Because they used the services of URL shorteners, we were able to view the number of visits per selected movie. It appears that Man of Steel, Fast and the Furious 6 and Iron Man 3 got the highest number of viewers. This data is for a two-month period from late April up to the end of June.
> http://blog.trendmic...views-chart.jpg
Total pageviews of fake streaming sites (per movie titles)
To lure in users, attackers use key phrases like “watch movie title online” or “download movie title free”. Using Blackhat Search Engine Optimization or BHSEO, users looking for the above pages are lured to visit the -fake- streaming sites. This is one form of search engine index manipulation, also known as -spamdexing-. Many of the common keywords used are what you’d expect: “watch”, “online”, “free”, etcetera. One of the more surprising keywords is “putlocker”, which refers to a UK-based file locker. In terms of countries involved, while the United States accounts for more than two-thirds of the traffic to these sites, other countries were also represented. Users are advised to stream and subscribe to -legitimate- sites and -not- from these fake streaming sites. Be wary of sharing posts and clicking links that could propagate these scams. In addition, there might be no such thing as online streaming or movie download except for pirated copies, which in itself can be risky..."
___

sendgrid .me / amazonaws .com SPAM
- http://blog.dynamoo....wscom-spam.html
8 July 2013 - "This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid .me) and leads to malware hosted on Amazon's cloud service, amazonaws .com. There is no body text in the spam, just an image designed to look like a downloadable document.
from:     [victim] via sendgrid .me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid .me


Screenshot: https://lh3.ggpht.co...0/pic848755.jpg

The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid .net).
The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws .com/ft556/Document_948357853____.exe [https] (VirusTotal report*) which then downloads a further executable from [donotclick]s3.amazonaws .com/mik49/ss32.exe [http] (VirusTotal report**) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe. ThreatExpert reports*** that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine)... The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost .net 177.185.196.130 (IPV6 Internet Ltda, Brazil)... VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.
Recommended blocklist:
177.185.196.130 ..."
* https://www.virustot...sis/1373309007/
File name: Document_948357853____.exe
Detection ratio: 15/46
Analysis date:     2013-07-08
** https://www.virustot...sis/1373315068/
File name: ss32.exe
Detection ratio: 8/44
Analysis date:     2013-07-08
*** http://www.threatexp...6afe6928fa84c89

**** https://www.virustot...30/information/
 

:grrr: :ph34r:


Edited by AplusWebMaster, 08 July 2013 - 05:55 PM.


#978 AplusWebMaster


Posted 09 July 2013 - 11:18 AM

FYI...

Malware sites to block 9/7/13
- http://blog.dynamoo....block-9713.html
9 July 2013 - "These are the current IPs and domains that appear to be in use by this gang*. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting (blocking)..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Fake "Payment File Successfully Processed" SPAM / autorize .net.models-and-kits .net
- http://blog.dynamoo....-processed.html
9 July 2013 - "This spam leads to malware on autorize.net.models-and-kits .net:
    Date:      Tue, 9 Jul 2013 15:36:42 -0500
    From:      batchprovider @eftps .gov
    Subject:      Payment File Successfully Processed
    *** PLEASE DO NOT REPLY TO THIS MESSAGE***
    Dear Batch Provider,
    This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358
    Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
    Thank You,
    EFTPS
    Contact Us: EFTPS Batch Provider Customer Service
    at this link


A sender's email address of batchprovider @email.eftpsmail .gov is seen in another sample. The link goes through a legitimate -hacked- site and ends up on a malware-laden page at [donotclick]autorize.net.models-and-kits .net/news/shortest-caused-race.php (report here**) hosted on:
77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)
All these IPs and more can be found in this recommended blocklist*. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo....block-9713.html

** http://wepawet.isecl...3400740&type=js
 

:ph34r: :grrr:


Edited by AplusWebMaster, 09 July 2013 - 11:07 PM.


#979 AplusWebMaster


Posted 10 July 2013 - 07:42 AM

FYI...

Something evil on 199.231.93.182
- http://blog.dynamoo....9923193182.html
10 July 2013 - "199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia .com possibly through a traffic exchanger. The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/...13-07-10&max=50

2) https://www.virustot...82/information/
___

Fake Booking Reservation themed emails serve malware
- http://blog.webroot....-serve-malware/
July 10, 2013 - "Cybercriminals are currently mass mailing tens of thousands of fake emails impersonating the Westminster Hotel, in an attempt to trick users into thinking that they’ve received a legitimate booking confirmation. In reality though, once the socially engineered users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....png?w=465&h=587
Detection rate for the malicious attachment – MD5: 7eed403cfd09ea301c4e10ba5ed5148a * ...  Trojan-PSW.Win32.Tepfer.nprd.
The UPX compressed executable creates an Alternate Data Stream (ADS), starts at Windows startup... It then phones back to the following C&C server:
hxxp :// 62.76.178.178 /fexco/com/index.php
We’ve already seen the same C&C directory structure in the previous profiled ‘Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild‘ campaign... While we were investigating this campaign, we also found out that, apparently, the Westminster Hotel in Rhyl, Denbighshire, did not renew their primary domain name (westminster-rhyl .com – 64.74.223.31), allowing opportunistic ‘domainers’ to quickly snatch it. Not surprisingly, we also detected malicious activity with multiple malicious software phoning back to the current hosting IP of the Web site of the Westminster Hotel in Rhyl, Denbighshire...
> https://webrootblog...._maps.png?w=869
... MD5s known to have phoned back to the same IP (64.74.223.31) ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1373366558/
File name: Document.pdf .exe
Detection ratio: 6/47
Analysis date:     2013-07-09
___

Fake Visa SPAM / estateandpropertty.com and clik-kids .com
- http://blog.dynamoo....ttycom-and.html
10 July 2013 - "This fake Visa spam attempts to lead to malware on estateandpropertty .com:
    Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
    From:      Visa [policemank3 @newsletters.visabusinessnewsmail .org]
    Reply-To:      flintierv34 @complains .visabusinessnewsmail .org
    Subject:      Update Your Business Visa Card Information
    Your Visa Business card has been limited. Please update your information to reactivate your account.
    Please proceed the link: http ://visabusiness .com/ fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
    Your Case ID is: NW61826321176497
    Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
    This added security is to prevent any additional fraudulent charges from taking place on your account...
    Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.
    This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe.


The link in the email goes through a legitimate -hacked- site and then attempted to go to a malware page at [donotclick]estateandpropertty .com/news/visa-report.php (report here*) but it appears the registrar has -nuked- the domain, so the spammers have switched the link to [donotclick]clik-kids .com/news/visa-report.php (report here**) instead. IPs involved are:
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technologies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
46.45.182.27
77.240.118.69
150.244.233.146
203.236.232.42
209.222.67.251
..."
* http://urlquery.net/....php?id=3651712

** http://urlquery.net/....php?id=3653370
 

:grrr: :ph34r:


Edited by AplusWebMaster, 10 July 2013 - 03:56 PM.


#980 AplusWebMaster


Posted 11 July 2013 - 07:05 AM

FYI...

Fake "WTX Media INC" SPAM / dajizzum .com
- http://blog.dynamoo....ajizzumcom.html
11 July 2013 - "This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum .com:
    From: Rebecca Media [mailto:support @rebeccacella .com]
    Sent: 11 July 2013 07:46
    To: [redacted]
    Subject: Subscription Details
    We hereby inform you that your subscription has been activated, your login information is as follows:
    Username: IX9322130
    Password: X#(@kIE04N
    Login Key: 839384
    Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
    The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
    Your bank statement will show up as being billed by "WTX Media INC".
    If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:
    [donotclick]www.rebeccacella .com/wp-content/plugins/subscribe/
    Any feedback is appreciated as we strive to improve our services constantly.
    WTX Media Team


The link in the email goes through a legitimate but -hacked- website (rebeccacella .com) and lands on a malware landing page at [donotclick]dajizzum .com/team/administration/admin4_colon/fedora.php?view=44 (report here*) which contains an exploit kit. dajizzum .com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a -hijacked- server. At the moment I can only see that one site hosted on this box, but -blacklisting- the IP as a precaution may be wise. The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account, as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider."
* http://urlquery.net/....php?id=3664350
___

Malware sites to block 11/7/13
- http://blog.dynamoo....lock-11713.html
11 July 2013 - "I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run* using a -hijacked- 1&1 account, and VirusTotal thinks that the server is pretty darned evil**. A quick poke at this box shows that it has a number of multihomed malicious and C&C domains. Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability***. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.
37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)
Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
..."
* http://blog.dynamoo....ajizzumcom.html

** https://www.virustot...06/information/

*** http://threatpost.co...k-vulnerability
___

Facebook Phish leads to Fake Flash and Mining
- http://www.threattra...ash-and-mining/
July 10, 2013 - "... A new scam has emerged, this time using Tumblr as the launchpad to redirect end-users to a Facebook credential phish (including the collection of the answer to a secret question). At the end of the journey, victims will come across a fake Flash Player install touting the same fake landing page the old attack made use of, while adding a fresh sting in the tail. There’s a message which has been seen on some Facebook profiles doing the rounds at the moment, which reads as follows:
> http://www.threattra...7/minespam1.jpg
With a link to...
> http://www.threattra...am2-300x226.jpg
The spamblog Tumblr will attempt to redirect end-users to a -fake- Facebook login:
> http://www.threattra...7/minespam3.jpg
After handing over their login, the end-user is then asked to surrender the answer to a security question of their own choosing:
> http://www.threattra...7/minespam4.jpg
Finally, they will arrive at the fake Flash player page – identical to the ones used in the 2012 spam runs on Twitter. While the message is the same:
    “An update for Youtube player is needed
    The Flash player update 10.1 includes
    * Smoother video with hardware accelleration support
    * Enhanced performance and memory management
    * Support for multi-touch and gesture-enabled content
    * Private browsing support and security enhancements”


…the downloaded file and intent are rather different.
> http://www.threattra...7/minespam5.jpg
Here’s what it looks like on the desktop, along with information from the Properties tab:
> http://www.threattra...7/minespam7.jpg
... It appears that once they’re done redirecting you to fake Facebook pages, stealing your login / security question information and loading up a fake video page they then want your PC to go mining (most likely Bitcoin, though the files aren’t displaying much activity at time of writing). The domain involved contains numerous files, some of which are password protected and won’t be downloadable unless the infected PC is following the correct “steps”. A compromised machine will attempt to download a proxy and a miner..."
> http://www.threattra...7/minespam8.jpg
 

:ph34r: :grrr: :ph34r:


Edited by AplusWebMaster, 11 July 2013 - 07:42 AM.


#981 AplusWebMaster


Posted 12 July 2013 - 09:56 AM

FYI...

Fake TAX Return Reminder SPAM / cpa.state.tx .us.tax-returns.mattwaltererie .net
- http://blog.dynamoo....atetxustax.html
12 July 2013 - "This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie .net:

  --- Version 1 --------------------
    Date:      Fri, 12 Jul 2013 14:35:31 +0300
    From:      DO.NOT.REPLY @REMINDER.STATE .TX .US.GOV
    Subject:      TAX Return Reminder
    After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.
    A refund can be delayed for a variety of reasons.
    For example submitting invalid records or applying after deadline
    Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=035549412645
    For security reasons we will record your IP address, date and time.
    Deliberate scam inputs are criminally pursued and indicated.
    Please do not reply to this e-mail.
    Please disregard this reminder if the return has already been submitted.

  --- Version 2 --------------------
    Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
    From:      tax.help @STATE.TX .GOV .US
    Subject:      TAX Return Reminder
    After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.
    A refund may be delayed for a variety of reasons.
    For example submitting invalid records or applying after deadline
    Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=488702484517
    For security reasons we will record your IP address, date and time.
    Deliberate wrong inputs are criminally pursued and indicated.
    Please do not reply to this e-mail.
    Please disregard this reminder if the return has already been submitted.


Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate -hacked- site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php?[snip] (example 1*, example 2**) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).
cpa.state.tx.us.tax-returns.mattwaltererie .net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The domain mattwaltererie .net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from)...
Below is a partial blocklist that I would recommend you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=3689715

** http://urlquery.net/....php?id=3688402
 

:grrr: :ph34r:



#982 AplusWebMaster


Posted 15 July 2013 - 07:40 AM

FYI...

Spamvertised emails lead to Casino PUAs
- http://blog.webroot....ed-application/
July 15, 2013 - "... You may want to skip the rogue online casinos... Over the past few days, we intercepted multiple spam campaigns launched by the same party, enticing users into downloading -fake- online casinos most commonly known as the Win32/PrimeCasino/Win32/Casonline PUA (Potentially Unwanted Application)...
Sample screenshots of the landing pages:
> https://webrootblog....png?w=675&h=536
.
> https://webrootblog....png?w=711&h=532
.
> https://webrootblog....png?w=741&h=328
... (More screenshots shown at the first webroot URL above.) ...
Rogue domains reconnaissance:
royalvegascasino .com – 193.169.206.146
888casino .com – 213.52.252.59
spinpalace .com – 109.202.114.65
riverbelle1 .com – 193.169.206.233
alljackpotscasino .com – 64.34.230.122
luckynuggetcasino .com – 67.211.111.163
allslotscasino .com – 64.34.230.149; 205.251.192.125; 205.251.195.210; 205.251.196.131; 205.251.199.63 ...
Detection rates for the Potentially Unwanted Applications (PUAs):
AllJackpots.exe – MD5: fed4e5ba204f3b3034b882481a6ab002 ... Win32/PrimeCasino; W32/Casino.P.gen!Eldorado; PUP.PrimeCasino
luckynugget.exe – MD5: 1e97ddc0ed28f5256167bd93f56a46b2 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado;
Riverbelle.exe – MD5: 1828fc794652e653e6083c204d3b1f34 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
RoyalVegas.exe – MD5: 2dd87b67d4b7ca7a1bfae2192b09f8e6 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
Rogue casino domains... responded to 193.169.206.146 ..."
(More detail at the first webroot URL above.)
___

Half-Life 3 Fakeout...
- http://www.threattra...akeout-roundup/
July 15, 2013 - "Half-Life 3: it doesn’t exist. This short, brutal truth doesn’t mean there aren’t a lot of Half Life 3 fakeouts doing the rounds. For example, here’s a fake Steam Store page located at store(dot)stearnpowered(dot)com... The real thing would be store(dot)steampowered(dot)com – they’re likely banking on end-users not noticing the join between the “r” and the “n”... There’s a lot of so-called “Half-Life 3 giveaway” sites online, and – amazingly enough – -none- of those sites are going to give you Half-Life 3... Halflife3beta(dot)com, which takes the tried and tested survey scam route (complete with fake “Downloads allowed” graphic at the bottom of the survey splash)... If and when Half-Life 3 ever arrives, the first you hear about it won’t be on some obscure domains serving up deals and offers. Keep your wits, your skepticism and your crowbar handy…"

Fake Wiki in the Wild Wild Web
- http://www.threattra...-wild-wild-web/
July 15, 2013 - "If you happen to make a mess of typing up the Wikipedia domain, you could in theory wind up at the following address which is clearly hoping for some finger-related typo malfunction traffic: wikipeida(dot)org
As you can see, it isn’t far off from the real thing. What lurks there? This:
> http://www.threattra...7/fakewiki1.jpg
... The end-user is presented with 3 meaningless questions then asked to choose their final “I’m being marketed to” destination... As far as typosquatting well known sites with the intention of driving traffic to surveys goes, this is a well worn trick and – one would hope – not something a person looking for Wikipedia would fall for..."
___

NOST (NOST.QB) / NSU Resources Inc Pump and Dump SPAM
- http://blog.dynamoo....p-and-dump.html
15 July 2013 - "Over the weekend a pump-and-dump spam* run started for NSU Resources Inc trading as NOST.QB **. NSU Resources almost definitely have -nothing- to do with this spam run...
Subject: This Stock MOVED HARD...
Subject: This Stock Is The Hottest Stock In The Whole Market!...
Subject: They`ve got their rally caps on!...
Subject: Look for Another Push Higher...

... we can expect to see NOST spam for a while yet as the spammer - and perhaps whoever employed them - try to offload worthless shares onto unsuspecting investors. Avoid."
* http://en.wikipedia....i/Pump_and_dump

** http://www.nasdaq.com/symbol/nost
___

Bank of America Paymentech SPAM
- http://threattrack.t...paymentech-spam
15 July 2013 - "Subjects Seen:
    Merchant Statement
Typical e-mail details:
    Attached (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
    Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.


Malicious File Name and MD5:
    stid <random>.zip (d8f8701b9485f7a2215da9425c5af7d6)
    stid <random>.exe (198385457408361504c7ccac9d67bd3e)

Screenshot: https://gs1.wac.edge...Prth1qz4rgp.png
___

Fake UPS SPAM / tvblips .net
- http://blog.dynamoo....tvblipsnet.html
15 July 2013 - "This fake UPS spam leads to malware on tvblips .net:
    Date:      Mon, 15 Jul 2013 10:20:13 -0500
    From:     
    Subject:      Your UPS Invoice is Ready
    This is an automatically generated email. Please do not reply to this email address.
    Dear UPS Customer,
    Thank you for your business.
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
    Please visit the UPS Billing Center to view and pay your invoice.
    Questions about your charges? To get a better understanding of surcharges on your invoice, click here..."


The link in the email goes to a legitimate -hacked- site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips .net/news/ups-information.php (report here*) hosted on:
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
46.45.182.27
209.222.67.251
..."
* http://urlquery.net/....php?id=3762051
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Payment Information Email Message - 2013 Jul 15
Fake Shipping Invoice Notification Email Messages - 2013 Jul 15
Email Messages with Malicious Attachments - 2013 Jul 15
Fake Bank Payment Confirmation Email Messages - 2013 Jul 15
Fake Bank Deposit Confirmation Email Messages - 2013 Jul 15
Fake CashPro Online Digital Certificate Notification Email Message - 2013 Jul 15
Fake Online Dating Proposal Email Messages - 2013 Jul 15
Fake Product Quote Request Email Messages - 2013 Jul 15
Fake Order Document Email Attachment Messages - 2013 Jul 15
Fake Photo Email Messages - 2013 Jul 15
Fake Canceled Electronic Payment Notification Email Message - 2013 Jul 15
Fake Telegraphic Transfer Notification Email Messages - 2013 Jul 15
Fake Receipt Attachment Email Messages - 2013 Jul 15
Fake Purchase Order Notification Email Messages - 2013 Jul 15
Fake Billing Statement Email Messages - 2013 Jul 15
Fake Financial Document Delivery Email Messages - 2013 Jul 15
Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jul 15
Fake Product Order Email Messages - 2013 Jul 15
Fake Money Transfer Notification Email Messages - 2013 Jul 15
(More detail and links at the cisco URL above.)
 

Edited by AplusWebMaster, 15 July 2013 - 02:08 PM.

#983 AplusWebMaster

Posted 16 July 2013 - 07:35 AM

FYI...

Malware sites to block 16/7/13
- http://blog.dynamoo....lock-16713.html
16 July 2013 - "These domains and IPs are associated with this gang*. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them -all- ..."
(Long list available at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Photo Attachment Spam
- http://threattrack.t...attachment-spam
July 16, 2013 - "Subjects Seen:
    my undressed image is attached
Typical e-mail details:
   zdjakinuii fgcaba rjgvsy
    vyjxsvlsa luoans vnlfo
    aovkq I R W Q G A L S C M R
    caeqmjj W R P L P D A F


Malicious File Name and MD5:
    mypic62.zip (f2845f8eeeb5e8b2985fdd2c7636bc39)
    mypic.vcr (118980814772348b8e42a5166a4dc2a1)

Screenshot: https://gs1.wac.edge...XZRB1qz4rgp.png
___

Fake Invoice SPAM / doc201307161139482.doc
- http://blog.dynamoo....1139482doc.html
16 July 2013 - "This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.

    From: Carlos Phillips [accounting @travidia .com]
    Subject: Invoice 48920
    Thanks !!
    Greg
    Precision Assemblies Products, Inc.Llc.
    179 Nesbitt Hills
    Holley, NY 51902
    (176)-674-6500
    nightmarewdp50 @travidia .com


Note that the date is included in the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47*. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this...
UPDATE: The ThreatTrack report [pdf**] shows similar characteristics, including an attempted download from [donotclick]mycanoweb .com/report/doc.exe which is a Zbot variant with a low detection rate***... Most of the IPs for mycanoweb .com overlap with those belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later if there's a problem.
Recommended blocklist:
Additional IPs for Zbot component:
  ..."

* https://www.virustot...d878c/analysis/

** http://www.dynamoo.c...b1201a3e6ef.pdf

*** https://www.virustot...sis/1373989372/
___

Dun and Bradstreet Attachment Spam
- http://threattrack.t...attachment-spam
July 16, 2013 - "Subjects Seen:
    FW : Complaint - <random>
Typical e-mail details:
    Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 8, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter...
    We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.


Malicious URLs
    b-markenergy .com/ponyb/gate.php
    arizonaenergysuppliers .com/ponyb/gate.php
    alabamaenergysuppliers .com/ponyb/gate.php
    bemarkenergy .com/ponyb/gate.php
    costruzionimediterraneo .it/FP0gd6.exe
    preview.vibration-trainers .com/V2YE.exe


Malicious File Name and MD5:
    Case_<random>.zip (b3f17fd862e5e7C617240251be8de706)
    Case_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)

Screenshot: https://gs1.wac.edge...6ea31qz4rgp.png
___

Spamvertised Payroll themed emails lead to malware
- http://blog.webroot....ntical-malware/
July 16, 2013 - "We’ve intercepted two, currently circulating, malicious spam campaigns enticing users into executing the malicious attachments found in the fake emails. This time the campaigns are impersonating Vodafone U.K or pretending to be a legitimate email generated by Sage 50's Payroll software...
Sample screenshot of the spamvertised email:
> https://webrootblog....slip_sage50.png
... What’s particularly interesting about these two campaigns is the fact that they’ve both been launched by the same cybercriminal/gang of cybercriminals. Not only do the campaigns use an identical MD5 with two previously profiled malicious spam campaigns, but also, all the MD5s phone back to the same C&C server - hxxp:// 62.76.178.178 /fexco/com/index.php
Detection rate for the unique MD5 used in the fake Vodafone U.K MMS themed campaign: 4e9d834fcc239828919eaa7877af49dd * ... Backdoor.Win32.Androm.abrz; Troj/Agent-ACLZ..."
* https://www.virustot...6fd16/analysis/
File name: vt-upload-b6gNq
Detection ratio: 8/47
Analysis date:     2013-07-14
___

Fake Bank of America SPAM / stid 36618-22.zip
- http://blog.dynamoo....6618-22zip.html
16 July 2013 - "This fake Bank of America spam comes with a malicious attachment:
    Date:      Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
    From:      Joyce Bryson [legalsr @gmail .com]
    Subject:      Merchant Statement
    Enclosed (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
    Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech's or the Merchant's email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly...


Attached is a file called stid 36618-22.zip which in turn contains stid 36618-22.exe which is a variant of Zbot. VirusTotal detections are just 11/47*. Anubis reports** what appear to be several peer-to-peer connection attempts plus an attempted download from [donotclick]apsuart .com/741_out.exe that appears to fail..."
* https://www.virustot...sis/1374010738/

** http://anubis.isecla...d32&format=html
 

Edited by AplusWebMaster, 16 July 2013 - 06:03 PM.

#984 AplusWebMaster

Posted 17 July 2013 - 10:11 AM

FYI...

Fake Reservation Confirmation SPAM / marriott .com.reservation.lookup.viperlair .net
- http://blog.dynamoo....eservation.html
17 July 2013 - "This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair .net:
    Date:      Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
    From:      Marriott Hotels & Resorts Reservation [reservations @clients.marriottmail .org]
    Reply-To:      reservations @clients.marriottmail .org
    Subject:      Houston Marriott Westchase Reservation Confirmation #86903601
    Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
    Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726
    Reservation for [redacted]
        Confirmation Number: 86903601
        Check-in: Sunday, July 21, 2013 (03:00 PM)
        Check-out: Wednesday, July 24, 2013 (12:00 PM)
        Modify or Cancel reservation ...
     

The -link- in the email goes through a legitimate -hacked- site and lands on [donotclick]marriott.com.reservation.lookup.viperlair .net/news/marriott-ebill-order-confirmation.php (report here*) hosted on the following IPs:
(viperlair .net is registered with -fake- WHOIS details that mark it out as belonging to the Amerika gang...)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
50.97.253.162
59.126.142.186
209.222.67.251
..."
* http://urlquery.net/....php?id=3804348
___

"PC Wizard" tech support SCAM
- http://blog.dynamoo....pport-scam.html
17 July 2013 - "Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC. I'll do a write up later.. but in the meantime their MO is to get you to look at your Event Viewer for errors (there are always errors), and then visit ammyy .com to run some remote control software. DO NOT LET THEM DO THIS!"

- http://centralops.ne...ainDossier.aspx
canonical name     ammyy.com
addresses 70.38.40.185
OriginAS: AS32613 *
City:  Moscow ...
Country:  RU ...

* https://www.google.c...c?site=AS:32613
"... over the past 90 days, 1721 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-17, and the last time suspicious content was found was on 2013-07-17... we found 313 site(s) on this network... that appeared to function as intermediaries for the infection of 794 other site(s)... We found 280 site(s)... that infected 1790 other site(s)..."
 

Edited by AplusWebMaster, 17 July 2013 - 03:32 PM.

#985 AplusWebMaster

Posted 18 July 2013 - 11:03 AM

FYI...

Site primrose .co .uk hacked, emails compromised
- http://blog.dynamoo....ompromised.html
18 July 2013 - "Garden accessory primroseb.co .uk has been -hacked- and email addresses stored in their system are being abused for phishing purposes:
    From:     paypal .co .uk [service @paypal .co .uk]
    Date:     18 July 2013 11:01
    Subject:     We cannot process your payment at this time.
    Dear,
    We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
    we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
    What's the problem ?  It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.
    Reference Number: PP-001-278-254-803
    It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.
    1. Download the attached document and open it in a browser window secure.
    2. Confirm that you are the account holder and follow the instructions.
    Yours sincerely,
    PayPal
    Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589


The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www.thesenddirect .com  (62.149.142.113 - Aruba, Italy) and submitting the data to www.paypserv .com (62.149.142.152 - also Aruba). The WHOIS details are no doubt -fake- and are respectively:
Saunders, John Alan  mahibarayanlol @gmail .com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN
IT
+39.447885623455
----------
Clarke, Victoria  johanjo1010 @gmail .com
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
IT
+39.441934862064
Primrose .co .uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything. Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose .co .uk it is impossible to say if any financial data has been compromised."
___

Fake KLWines .com SPAM / prysmm .net
- http://blog.dynamoo....escom-spam.html
18 July 2013 - "This fake K&L Wine Merchants spam email leads to malware on www.klwines.com.order.complete .prysmm.net:
    Date:      Thu, 18 Jul 2013 05:57:28 -0800
    From:      drowsedl04 @inbound.ups .net
    Subject:      Your K&L order #56920789 is complete
    Hello from K&L Wine Merchants -- www.KLWines .com
    Just wanted to let you know that your order (#56920789) is complete.
    Additional comments for this order: Ship Fri. 7/19
    The following items are included...
                    Item Subtotal:    $247.91
                              Tax:      $0.00
              Shipping & Handling:     $67.18
                            Total:    $315.09
    The tracking number for this shipment is 1Z474482A140261050.
    Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below.
    To see the latest information about your order, visit "My Account"...


The link in the email goes through a legitimate -hacked- site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm .net/news/order-information.php (report here*) hosted on:
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The -fake- WHOIS details mark this out as belonging to the Amerika gang...
Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251
..."
* http://urlquery.net/....php?id=3833979
___

Fake QuickBooks Overdue Payment SPAM
- http://threattrack.t...ue-payment-spam
July 18, 2013 - "Subjects Seen:
   Please respond - overdue payment
Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 07/18/2013 as outlines under our “Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Nathan Phipps


Malicious URLs
    prospexleads .com:8080/ponyb/gate.php
    phonebillssuck .com:8080/ponyb/gate.php
    picaletter .com/ZDpczi37.exe
    s268400504.onlinehome .us/v73.exe
    wineoutleteventspace .com/7UNFVh.exe


Malicious File Name and MD5:
    invoice_<random>.zip (9E2221D918E83ED2B264214F5DDAB9FF)
    invoice_<random>.exe (06C3A27772C2552A28C32F82583B7645)

Screenshot: https://gs1.wac.edge...diSE1qz4rgp.png
___

Wells Fargo Important Documents Spam
- http://threattrack.t...-documents-spam
July 18, 2013 - "Subjects Seen:
    IMPORTANT Documents - WellsFargo
Typical e-mail details:
    Please review attached files.
    Alyce_Granger
    Wells Fargo Advisors


Malicious URLs
    prospexleads .com:8080/ponyb/gate.php
    phonebillssuck .com:8080/ponyb/gate.php
    ciclografico .pt/9Up.exe
    mdebra.o2switch .net/2ccVsM9z.exe
    magusdev .com/YSQsWZVU.exe
    splendidhonda .com/Hb3qCt.exe

Malicious File Name and MD5:
    DOC_<name>.zip (44A3AFFC21D0BA3E4CA5ACE0732C6D65)
    DOC_{_MAILTO_USERNAME}.exe (4A182976242CF4F65B6F219D649B0A98)

Screenshot: https://gs1.wac.edge...zlo31qz4rgp.png
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Video Sharing Email Messages - 2013 Jul 18
Fake Product Order Quotation Email Messages - 2013 Jul 18
Malicious Attachment Email Messages - 2013 Jul 18
Email Messages with Malicious Attachments - 2013 Jul 18
Fake Money Transfer Notification Email Messages - 2013 Jul 18
Fake Product Supply Request Email Messages - 2013 Jul 18
Malicious Personal Pictures Attachment Email Messages - 2013 Jul 18
Malicious Attachment Email Messages - 2013 Jul 18
Fake Money Transfer Notification Email Messages - 2013 Jul 18
Fake Invoice Statement Attachment Email Messages - 2013 Jul 18
Fake Customer Complaint Attachment Email Messages - 2013 Jul 18
Fake Picture Link Email Messages - 2013 Jul 18
Fake Fund Transfer Confirmation Email Messages - 2013 Jul 18
Fake Order Information Email Messages - 2013 Jul 18
Fake Tax Report Documentation Email Messages - 2013 Jul 18
Fake Product Quote Request Email Messages - 2013 Jul 18
Fake Product Quotation Request Email Messages - 2013 Jul 18
(More detail and links at the cisco URL above.)
 

Edited by AplusWebMaster, 18 July 2013 - 04:09 PM.

#986 AplusWebMaster

Posted 19 July 2013 - 09:59 AM

FYI...

Who's Who SCAM
whoswhonetworkonline .com
- http://blog.dynamoo....necom-spam.html
19 July 2013 - "This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam*.
* https://en.wikipedia.../Who's_Who_scam
    From:     Who's Who [cpm2 @contactwhoswho .us]
    Reply-To:     databaseemailergroup @gmail .com
    date:     19 July 2013 05:44
    subject:     You were recently nominated into Who's Who Amoung Executives
    Who's Who Network Online
    Hello,
    As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory.  You were contacted, but we did not receive any of your biographical information.  We would like to give you another opportunity to do so...


Clicking on the link takes you to whoswhonetworkonline .com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.
Screenshot: https://lh3.ggpht.co...tworkonline.png
There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities. However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam... The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2 @contactwhoswho .us sender's address...
Darin Delia appears to be the same person who was sending out Spotlite Radio spam**..."
** http://blog.dynamoo....13com-spam.html
___

Bank of America Transaction Completed Spam
- http://threattrack.t...-completed-spam
19 July 2013 - "Subjects Seen:
    Your transaction is completed
Typical e-mail details:
    Transaction is completed. $99479350 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Receipt on payment is attached.


Malicious File Name and MD5:
    payment receipt(copy).zip (F87DB429BED542ED6D26ACF8924280FB)
    payment receipt(copy).exe (22C694FDA2FF8BECC447D1BE198A74DC)

Screenshot: https://gs1.wac.edge...O0qX1qz4rgp.png
___

Fake Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports .com
- http://blog.dynamoo....ge-overage.html
20 July 2013 - "This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports .com:
    Date:      Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
    From:      Verizon Wireless [VZWMail @e-marketing. verizonwireless-mail .net]
    Subject:      Data Usage Overage Alert
    Important Information About Your Account.      View Online
    verizon wireless    Explore    Shop    My Verizon    Support   
    Important Information About Your Data Usage
    Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.
    Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.
    Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
    Thank you for choosing Verizon Wireless.
    Details as of:
    [redacted]
    07/19/2013 02:15 AM EDT
    We respect your privacy. Please review our privacy policy for more information
    about click activity with Verizon Wireless and links included in this email.
    This email was sent to [redacted];
    ID: [redacted]


The -link- in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports .com/news/verizon-bill.php (report here*) hosted on:
172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)
The domain verizonwirelessreports .com is -fake- and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang.
Blocklist:
..."
* http://urlquery.net/....php?id=3863421
 

Edited by AplusWebMaster, 19 July 2013 - 08:05 PM.

#987 AplusWebMaster

Posted 20 July 2013 - 09:09 AM

FYI...

Fake BBC website SPAM hits Twitter
- http://www.threattra...m-hits-twitter/
July 19, 2013 - "There’s a spam-run doing the rounds right now which uses a -fake- BBC website to drive traffic to a diet pill website:
> http://www.threattra...amazingbbc1.jpg
... All of the posts use the hashtag “Amazing”, with a link to a fake BBC URL + 6 seemingly random numbers:
#amazing newslinkbbc(dot)co(dot)uk/??[6 digits]
The above URL was registered in August 2011. Additionally, there are more fake BBC sites located at mailbbc(dot)co(dot)uk (registered August 2011, on the same day as the URL currently being posted to Twitter) and securebbc(dot)co(dot)uk (registered August 2012). At least one other URL has been up for debate in years gone by in relation to the person claiming ownership of newslinkbbc and mailbbc. Clicking newslinkbbc(dot)co(dot)uk takes end-users to world-bbc(dot)co(dot)uk (registered August 2012):
Fake BBC Spam site..
> http://www.threattra...amazingbbc2.jpg
... The above site advertises a weightloss diet designed to remove belly fat. The live link on the site leads to bbchost(dot)altervista(dot)org/news/health-21434875/try-garcinia-now which -redirects- to
pgc(dot)my-secure-orders(dot)com/?clickid=[ID removed]
> http://www.threattra...amazingbbc3.jpg
The site is promoting the formerly mentioned diet pills... We’ve seen 360+ of these links being spammed on Twitter... and no doubt the spam will continue to grow before Twitter gets a handle on the situation. For now, be very wary of any and all links being spammed with the #amazing hashtag, and if you find yourself spamming the same Tweets then change your password and remove any apps tied to your account that you don’t remember adding (or indeed, have added recently but don’t feel so confident about anymore)."
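The blocklists quoted in this thread (the dynamoo "Recommended blocklist" entries such as "mycanoweb .com" and "46.45.182.27", the "(dot)" notation in the BBC post above, and "hxxp://" / "[donotclick]" URLs) are defanged, so they cannot be fed to a proxy or resolver as-is. The following is an added example, not code from the forum posts or the quoted blogs: it refangs that notation, splits the entries into IPs and domains, and checks a URL against the result. The sample lines are constructed from entries on this page and the helper names are my own.

```python
"""Normalise the defanged indicators quoted in this thread into a blocklist.

Added example: the helper names are assumptions, not code from the quoted
blogs.  SAMPLE_LINES is constructed from entries that appear on this page,
in the same defanged notation ("name .com", "(dot)", "hxxp://", "[donotclick]").
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the thread's notation (annotations and headings included
# on purpose so the parser has to skip them).
SAMPLE_LINES = """
Recommended blocklist:
mycanoweb .com
www .klwines .com.order.complete.prysmm .net
46.45.182.27
209.222.67.251 (Razor Inc, US)
newslinkbbc(dot)co(dot)uk
hxxp:// 62.76.178.178 /fexco/com/index.php
[donotclick]tvblips .net/news/ups-information.php
"""


def refang(text: str) -> str:
    """Undo the defanging conventions used in the quoted posts."""
    s = text.strip()
    s = re.sub(r"^\[donotclick\]", "", s, flags=re.IGNORECASE)
    # "hxxp:// host" -> "http://host"
    s = re.sub(r"^hxxps?://\s*", lambda m: m.group(0).replace("xx", "tt").strip(),
               s, flags=re.IGNORECASE)
    s = re.sub(r"\s*(?:\(dot\)|\[dot\]|\[\.\])\s*", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\s+\.", ".", s)        # "mycanoweb .com" -> "mycanoweb.com"
    s = re.sub(r"\.\s+", ".", s)        # "www. example" -> "www.example"
    s = re.sub(r"(?<=\w)\s+/", "/", s)  # "62.76.178.178 /path" -> "62.76.178.178/path"
    return s


def indicator_host(line: str):
    """Host part of one refanged indicator line, or None for non-indicator lines."""
    s = refang(line)
    s = re.sub(r"\s*\(.*\)\s*$", "", s)  # drop "(Razor Inc, US)" style annotations
    if not s or s.endswith(":"):         # blank lines and headings like "Recommended blocklist:"
        return None
    if "://" not in s:
        s = "//" + s                     # let urlsplit find the host in bare "host/path"
    host = urlsplit(s).hostname
    if not host or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return host


def build_blocklist(text: str):
    """Split indicator lines into (set of IPs, set of domains)."""
    ips, domains = set(), set()
    for line in text.splitlines():
        host = indicator_host(line)
        if host is None:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host.lower())
    return ips, domains


def is_blocked(url: str, ips, domains) -> bool:
    """True if the URL's host is a listed IP, a listed domain, or a subdomain of one."""
    host = urlsplit(url).hostname
    if not host:
        return False
    host = host.lower()
    if host in ips:
        return True
    labels = host.split(".")
    # Walk from the full host up through its parents: a.b.c -> b.c -> c
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


if __name__ == "__main__":
    ip_set, domain_set = build_blocklist(SAMPLE_LINES)
    print("IPs:    ", sorted(ip_set))
    print("Domains:", sorted(domain_set))
    for u in ("http://tvblips.net/news/ups-information.php", "https://www.example.com/"):
        print(u, "->", "BLOCK" if is_blocked(u, ip_set, domain_set) else "allow")
```

Matching walks up the host's labels only as far as an entry that is actually listed, so a long listed subdomain such as the prysmm .net one does not implicitly block its parent domain.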
 


#988 AplusWebMaster

Posted 21 July 2013 - 08:41 AM

FYI...

Malicious URLs in .lc zone
- https://www.secureli...URLs_in_lc_zone
July 20, 2013 - "While analyzing suspicious URLs I found out that more and more malicious URLs are coming from .lc domain, which formally belongs to Santa Lucia* country located in the eastern Caribbean Sea. Our statistics confirm this trend.
> https://www.secureli...klblog/9106.png
Cybercriminals from different places of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.
> https://www.secureli...klblog/9104.jpg
How many legitimate domains at .lc zone have you ever had to visit in your life? If the answer is zero, so maybe it’s time to start filtering access to this domain, especially on the corporate Firewall / Proxy layer."
* https://en.wikipedia...iki/Saint_Lucia
___

PlugX malware factory revisited... Smoaler
- http://atlas.arbor.n...dex#-1265345240
High Severity
July 19, 2013
The Smoaler malware has been uncovered and is involved in targeted attacks. Organizations that may have been targeted would benefit from careful analysis of this information and associated indicators.
Analysis: Targeted attack campaigns continue as usual. As actors are discovered, their techniques, tactics and procedures evolve. While the technique of running malware in memory is not new, it is put into practice here, and the final payload varies. While many targeted attacks still involve only the amount of force necessary to compromise the target, many other attack campaigns that have yet to be unmasked are surely in operation.
Source: http://nakedsecurity...ducing-smoaler/

- https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH) / MS12-027
Last revised: 03/07/2013
 

Edited by AplusWebMaster, 21 July 2013 - 09:37 AM.

#989 AplusWebMaster

Posted 22 July 2013 - 11:52 AM

FYI...

Bitcoin mining tools in the wild...
- http://blog.webroot....ed-in-the-wild/
July 22, 2013 - "Cybercriminals continue releasing new, commercially available, stealth Bitcoin/Litecoin mining tools, empowering novice cybercriminals with the ability to start monetizing the malware-infected hosts part of their botnets, or the ones they have access to which they’ve purchased through a third-party malware-infected hosts selling service...
Sample screenshots of the stealth Bitcoin/Litecoin mining tool’s admin panel:
> https://webrootblog....mining_tool.png
.
> https://webrootblog....ing_tool_01.png
... the cybercriminal behind it released it in a way that would prevent its mass spreading, supposedly due to the fact that he doesn’t want to attract the attention of security vendors whose sensor networks would easily pick up any massive campaigns featuring the miner. Therefore, he’s currently offering a limited number of copies of this miner. Over the last couple of months we’ve been intercepting multiple subscription-based or DIY type of stealth Bitcoin/Litecoin miners, indicating that the international underground marketplace is busy responding to the demand for such type of tools. Despite the fact that Bitcoin is a ‘trendy’ E-currency, we believe that for the time being, Russian and Eastern European cybercrime gangs will continue to maintain a large market share of the underground’s market profitability metric, due to their utilization of mature, evasive, and efficient monetization tactics..."

Bitcoin Mining by Botnet...
- https://krebsonsecur...ning-by-botnet/
July 18, 2013
___

Fake American Airlines SPAM / sai-uka-sai .com
- http://blog.dynamoo....-saicom_22.html
22 July 2013 - "This fake American Airlines spam leads to malware on www .aa .com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com:
   From:     American.Airlines@aa .net
    Date:     22 July 2013 17:22
    Subject:     AA.com Itinerary Summary On Hold
    Dear customer,
    Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.
    To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www .aa .com.
    left corners         left corners
    This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) ...


The link in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com/news/american-airlines-hold.php (report here*) hosted on the following IPs:
50.97.253.162 (Softlayer, US**)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)
The WHOIS details for that domain are the characteristically -fake- ones...
Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
..."
* http://urlquery.net/....php?id=3928752

Diagnostic page for AS36351 (SOFTLAYER)
** https://www.google.c...c?site=AS:36351
"... over the past 90 days, 5148 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-22, and the last time suspicious content was found was on 2013-07-22... Over the past 90 days, we found 662 site(s) on this network... that appeared to function as intermediaries for the infection of 2618 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 868 site(s)... that infected 6671 other site(s)..."
___

Fake BMW SPAM / pagebuoy .net
- http://blog.dynamoo....agebuoynet.html
22 July 2013 - "This convincing looking BMW spam leads to malware ...
    Date:      Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
    From:      BMW of North America [womanliere75 @postmaster.aa-mail .org]
    Reply-To:      [redacted]@m.aa-mail .com
    Subject:      The BMW 6-Series M Sport Edition, M Universe, and more.
    BMW’s 6-Series M Sport Edition     View Online
    BMW
    A 6 SERIES.
    WITH M PANACHE.
    Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
    LEARN MORE
    Efficient Dynamics
     Table of Contents
    » BMW M Universe
    » BMW Wins Again
    » BMW i3 Design
    » BMW Superbike
    » BMW Collections
        WELCOME TO M’S NEW HOME.
    In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.
    » ENTER BMW M UNIVERSE
        THE 3 SERIES WINS AGAIN
    The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.
    » BUILD YOUR OWN ...


Screenshot: https://lh3.ggpht.co...00/bmw-spam.jpg

The link in the email goes through a legitimate -hacked- site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy .net/news/bmw-newmodel.php (report here*) which is hosted on the same IP addresses as this spam run**."
* http://urlquery.net/....php?id=3929867

** http://blog.dynamoo....-saicom_22.html
___

NY Better Business Bureau Spam
- http://threattrack.t...ess-bureau-spam
July 22, 2013 - "Subjects Seen:
    FW: Case <removed>
Typical e-mail details:
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
    In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
    The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
   We encourage you to print this complaint (attached file), answer the questions and respond to us.
    We look forward to your prompt attention to this matter.
    Sincerely ...


Malicious URLs
    yourprospexblog .com:8080/ponyb/gate.php
    myimpactblog .com:8080/ponyb/gate.php
    phonebillssuck .com:8080/ponyb/gate.php
    prospexleads .com:8080/ponyb/gate.php
    moneyinmarketing .com/dL1.exe
    abbeyevents .co .uk/fNF1.exe
    salsaconfuego .com/RCY.exe
    fales .info/PwvextRo.exe

Malicious File Name
and MD5:
    Complaint_<date>.zip (B82478381DCECD63B81F64EDF7632D51)
    Complaint_<date>.zip (95B542B1BCBD7D5AEE65F97E9125D90C)

Screenshot: https://gs1.wac.edge...UJgV1qz4rgp.png
___

Fake IRS "Complaint Case #488870383295" SPAM / Complaint_488870383295.zip
- http://blog.dynamoo....83295-spam.html
22 July 2013 - "This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.
    Date:      Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
    From:      "IRS.gov" [fraud .dep @irs. gov]
    Subject:      Complaint Case #488870383295
    You have received a complaint in regards to your business services.
    The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/
    Case Number: 488870383295
    Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.
    Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
    The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.
    The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
    2013 Council of IRS, Inc. All Rights Reserved.


Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47*... the Malwr analysis** seems to be the most comprehensive and shows traffic out to the following compromised sites:
prospexleads .com
phonebillssuck .com
moneyinmarketing .com
abbeyevents .co.uk
salsaconfuego .com
fales .info

The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed."
* https://www.virustot...sis/1374520022/

** https://malwr.com/an...DE1YzE4Yzc0ZGI/
 



Edited by AplusWebMaster, 22 July 2013 - 08:45 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
.

#990 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,697 posts

Posted 23 July 2013 - 09:34 AM

FYI...

Fake Media Player - rogue video Downloader PUA
- http://blog.webroot....pplication-pua/
July 23, 2013 - "Our sensors continue picking up deceptive advertisements that expose gullible and socially engineered users to privacy-invading applications and toolbars, most commonly known as Potentially Unwanted Applications (PUAs). The latest detected campaign utilizes multiple legitimate-looking banners in an attempt to trick users into thinking that their media player needs to be updated. Once users install the bogus ‘Media Player Update’, they introduce third-party privacy-invading software onto their PCs and directly contribute to the revenue flow of the cybercriminals behind the campaign...
Sample screenshots of multiple deceptive ads leading to the same Potentially Unwanted Application (PUA):
> https://webrootblog....ayer_update.png
> https://webrootblog....te_01.png?w=869
> https://webrootblog....te_03.png?w=869
... Sample screenshot of the landing page:
https://webrootblog....png?w=641&h=544
Rogue URL:
hxxp ://dkg.videodownloadonline .com/download/video_downloader – 107.14.36.160; 107.14.36.120
Detection rate for the PUA – MD5: 85387afff8e5e66e2d9cc5dc1c43c922 * ... Adware.Downware.925; Bundlore (fs). The sample is digitally signed by Bundlore LTD, which is yet another pay-per-install affiliate network.
Rogue URL: bundlore .com – 98.129.229.186 – Email: eldad.shaltiel @gmail .com
... MD5s... known to have interacted with the same IP (98.129.229.186)..."
(More detail at the first webroot URL above.)
* https://www.virustot...e4d3a/analysis/
___

Malware sites to block 23/7/13
- http://blog.dynamoo....lock-23713.html
23 July 2013 - "These malicious domains and IPs are associated with this prolific gang*. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Linkedin Spam leads to Canadian Pharma sites
- http://www.threattra...n-pharma-sites/
July 23, 2013 - "We’ve seen an email spam-run taking place over the last couple of days, involving what appear to be compromised websites redirecting end-users to Canadian pharmacy spam pages (and quite possibly other forms of medicinal spam content too). Here’s an example of one such email – at time of writing, -all- of them are Linkedin message imitations:
> http://www.threattra...07/sadtech1.jpg ...
> http://www.threattra...07/sadtech4.jpg
... Another redirect destination we’ve seen is ipadherbaltablet(dot)com – again, offline at time of writing. Campaigns such as the above tend to be fast moving, constantly shifting URLs as compromised sites get a handle on the hack and new spam domains are set up to replace the ones that are blacklisted / shut down... they have the direct, non-Linkedin URL right there in the Email body. The non-hidden URLs, combined with the seemingly short lifespan of the spam sites will hopefully mean this one isn’t clogging up mailboxes for too long."
___

“Click This Photo for Tumblr Fame” Turns Volume Up...
- http://www.threattra...e-up-to-eleven/
July 23, 2013 - "... garish set of posts that have been doing the rounds on Tumblr over the last day or so. Here’s the most recent collection of archived posts on an affected blog..
> http://www.threattra...ickforfame1.jpg
... “Click this photo for Tumblr fame”, claims the animated .gif. Animated? You bet. It rotates through 3 different “promo” images, and by the time the image goes out of sync on the Archive page it ends up looking something like this with all of the second-long splash images rotating away and vying for attention... The bulk of the posts on the above blog have around 1,000+ reblogs / notes each, though some of them are reposts of the same content. In all cases, they use a shortened URL service to send users to their final destination... At time of writing, none of the apps appear to have done anything publicly – there’s certainly nothing posted to our test account – but we’ll continue to monitor and see what happens."
(More detail at the first URL above.)
___

Something evil on 91.233.244.102
- http://blog.dynamoo....1233244102.html
23 July 2013 - "The following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors*, has several malware detections on VirusTotal** plus a few on URLquery***. Google has flagged several domains as being malicious... Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking the whole 91.233.244.0/23 block..."
(More detail at the dynamoo URL above.)
* http://malwaremustdi...struns-dga.html

** https://www.virustot...02/information/

*** http://urlquery.net/...13-07-23&max=50
___

Incoming Money Transfer Spam
- http://threattrack.t...y-transfer-spam
July 23, 2013 - "Subjects Seen:
    Important Notice - Incoming Money Transfer
Typical e-mail details:
    please complete the “A136 Incoming Money Transfer Form".
    Fax a copy of the completed “A136 Incoming Money Transfer Form" to +1 800 722 1934.
    To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
    Thank you,
    Lowell_Madden
    Senior Officer
    Cash Management Verification


Malicious URLs
    yourprospexblog .com:8080/ponyb/gate.php
    myimpactblog .com:8080/ponyb/gate.php
    phonebillssuck .com:8080/ponyb/gate.php
    prospexleads .com:8080/ponyb/gate.php
    abbeyevents .co .uk/fNF1.exe
    salsaconfuego .com/RCY.exe
    aasportsacademy .com/FPzbn.exe
    whiteheadst .com/JrN9Jv.exe

Malicious File Name
and MD5:
    A136_Incoming_Money_Transfer_Form.zip (9BD136876BD8B5796C30F1750983E764)
    A136_Incoming_Money_Transfer_Form.exe (3CDA70F6B2628A6CD1F552F5FEB11F05)

Screenshot: https://gs1.wac.edge...2TvM1qz4rgp.png
___

Fake Incoming Money Transfer SPAM / A136_Incoming_Money_Transfer_Form.zip
- http://blog.dynamoo....y-transfer.html
23 July 2013 - "This fake webcashmgmt .com spam comes with a malicious attachment:
    Date:      Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
    From:      WebCashmgmt [Alberto_Dotson @webcashmgmt .com]
    Subject:      Important Notice - Incoming Money Transfer
    An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct  account please complete the "A136 Incoming Money Transfer Form".
    Fax a copy of the completed "A136 Incoming Money Transfer Form" to +1 800 722 5331...


There is an attachment A136_Incoming_Money_Transfer_Form.zip containing an executable file A136_Incoming_Money_Transfer_Form.exe. The VirusTotal detection rate is a miserable 6/47*.
This is a two-stage pony/gate infection according to the Malwr report**. Functionally it looks very similar to the payload used in this spam run***."
* https://www.virustot...sis/1374594791/

** https://malwr.com/an...jEzMzliYmRhYjg/

*** http://blog.dynamoo....83295-spam.html
___

Facebook Friend Spam
- http://threattrack.t...ook-freind-spam
July 23, 2013 - "Subjects Seen:
    [removed] wants to be friends with you on Facebook.
Typical e-mail details:
    [removed] wants to be friends with you on Facebook.

Malicious URLs
    dynamicservicesllc .com/neglectfully/index.html
    discountprescriptions.pacificsocial .com/displeased/index.html
    ic44 .com/ganglier/index.html
    hi-defhooters .com/topic/accidentally-results-stay.php
    hi-defhooters .com /topic/accidentally-results-stay.php?VwsYyU=opovyGaoS&NWnVfHBlqeCu=CAAbE
    hi-defhooters .com /topic/accidentally-results-stay.php?xf=2e2g2j2h2g&be=57312h522j2h2g562f2j&X=2d&Rf=q&El=C
    hi-defhooters .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...GNae1qz4rgp.png
 



Edited by AplusWebMaster, 23 July 2013 - 01:50 PM.

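The posts above publish their indicators space-defanged ("nphscards .com /topic/...", "hxxp ://...") and the same three request shapes recur in every campaign: the Pony check-in to :8080/ponyb/gate.php, the landing page under /topic/<word>_<word>_<word>.php and the payload at /adobe/update_flash_player.exe. The script below is an added example for turning those lists into a proxy-log hunt; it is not code from the ThreatTrack or Dynamoo posts. The indicator strings and CIDR ranges are copied from the posts, the log lines and log format are constructed, and the landing-page regex is a generalisation of the three /topic/ names seen so far, so treat it as an assumption.

```python
"""Hunt the indicators published in the posts above in proxy logs.

Added example, not code from the ThreatTrack or Dynamoo posts it draws on.
Indicator strings are copied from those posts in their defanged form; the
log lines and log format are constructed; the landing-page regex is an
assumption generalised from the three /topic/ names seen across the posts.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "yourprospexblog .com:8080/ponyb/gate.php",
    "moneyinmarketing .com/dL1.exe",
    "nphscards .com /topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54",
    "nphssoccercards .com/adobe/update_flash_player.exe",
    "hxxp ://dkg.videodownloadonline .com/download/video_downloader",
]
# Ranges Dynamoo recommends blocking, plus the single ServerHub IP.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("91.233.244.0/23", "184.95.37.96/28", "50.2.138.161/32")]

# Path shapes that recur in every campaign in the posts, independent of host.
PATTERNS = [
    ("pony_gate_checkin", re.compile(r"/ponyb/gate\.php$")),
    ("blackhole_landing", re.compile(r"^/topic/[a-z]+([_-][a-z]+){2}\.php$")),
    ("fake_flash_payload", re.compile(r"^/adobe/update_flash_player\.exe$")),
]


def refang(ioc):
    """Reverse the 'name .com', 'host /path' and 'hxxp ://' spacing the posts use."""
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", ioc.strip())
    s = re.sub(r"\s+\.", ".", s)   # "nphscards .com" -> "nphscards.com"
    s = re.sub(r"\s+/", "/", s)    # "nphscards.com /topic" -> "nphscards.com/topic"
    return s


def ioc_host(ioc):
    """Hostname of a (possibly scheme-less, possibly port-bearing) indicator."""
    url = refang(ioc)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


KNOWN_HOSTS = {ioc_host(i) for i in DEFANGED_IOCS}


def classify(url, dst_ip=None):
    """Reasons one proxied request is suspicious; an empty list means clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known_ioc_host")
    for name, rx in PATTERNS:
        if rx.search(parts.path):
            reasons.append(name)
    if dst_ip and any(ipaddress.ip_address(dst_ip) in net for net in BLOCKLIST):
        reasons.append("blocklisted_ip")
    return reasons


# Constructed log lines: epoch client_ip dst_ip method url status
SAMPLE_LOG = """\
1374600000 10.0.0.5 93.184.216.34 GET http://example.com/index.html 200
1374600011 10.0.0.5 198.51.100.7 GET http://hacked-site.example/blog/ 200
1374600012 10.0.0.5 162.216.18.169 GET http://nphscards.com/topic/accidentally-results-stay.php?Ff=5656562e2i 200
1374600015 10.0.0.5 162.216.18.169 GET http://nphssoccercards.com/adobe/update_flash_player.exe 200
1374600020 10.0.0.5 203.0.113.9 POST http://yourprospexblog.com:8080/ponyb/gate.php 200
1374600030 10.0.0.7 91.233.244.102 GET http://some-other-domain.example/ 200
"""


def scan_log(text):
    """(client_ip, url, reasons) for every line that trips an indicator."""
    hits = []
    for line in text.splitlines():
        _ts, client, dst, _method, url, _status = line.split()
        reasons = classify(url, dst)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
```

The host list catches what is already published; the path patterns are what catch the next hijacked GoDaddy domain before anyone lists it, which is why the sample log's hits on /topic/ and /adobe/ would fire even if the nphscards entries were dropped. The blocklist check is separate on purpose: the 91.233.244.0/23 hit has a clean-looking URL and only the destination IP gives it away.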

#991 AplusWebMaster

Posted 24 July 2013 - 11:49 AM

FYI...

Fake Facebook pwd reset SPAM / nphscards .com
- http://blog.dynamoo....k-password.html
- "This fake Facebook spam leads to malware on nphscards .com:
    Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
    From:      Facebook [update+hiehdzge @facebookmail .com]
    Subject:      You requested a new Facebook password
    facebook
    Hello,
    You recently asked to reset your Facebook password.
    Click here to change your password.
    Didn't request this change?
    If you didn't request a new password, let us know immediately.
    Change Password
    This message was sent to [redacted] at your request.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes through a legitimate -hacked- site and then through one or both of these following scripts:
[donotclick]ftp.thermovite .de/kurile/teeniest.js
[donotclick]traditionlagoonresort .com/prodded/televised.js
The victim is then directed to [donotclick]nphscards .com/topic/accidentally-results-stay.php (report here*) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards .com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards .com is also on the same server and is probably hijacked."
* http://urlquery.net/....php?id=3976081

- https://www.virustot...69/information/
___

Royal Baby News Spam
- http://threattrack.t...aking-news-spam
July 24, 2013 - "Subjects Seen:
    "Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
    Washington (CNN)— What will the Obamas get the royal wee one? Sources say it’s a topic under discussion in the White House and at the State Department.
    No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.
    Kate and William bring home royal baby boy


Malicious URLs
    wurster .ws/rump/index.html
    assuredpropertycare .net/intersperse/index.html
    tennisclub-iburg .de/hepper/index.html
    nphscards .com /topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54&P=2d&Ek=j&PD=j
    nphscards .com /topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
    nphssoccercards .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...tKRB1qz4rgp.png

- http://blog.dynamoo....-baby-tree.html
24 July 2013 - "This fake CNN spam leads to malware on nphscards .com:
Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews @mail.cnn .com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN
CNN
U.S. presidents have spotty record on gifts for royal births ..."


Screenshot: https://lh3.ggpht.co...00/cnn-baby.png

The payload works in exactly the same way as this fake Facebook spam* earlier today and consists of a hacked GoDaddy domain (nphscards .com) hosted on 162.216.18.169 by Linode."
* http://blog.dynamoo....k-password.html

- https://www.virustot...69/information/

- http://www.threattra...e-zbot-malware/
July 24, 2013 - "... “Royal Baby” Malware to start making the rounds... The Malware in question involves... Blackhole Exploit Kit, which leads end-users to Zbot (the Zeus Infostealer) / Medfos ( which typically displays adverts, connects to numerous IP addresses and can also download additional files )..."
> http://www.threattra...malwarespam.jpg
___

eBay iPhone Order Spam
- http://threattrack.t...hone-order-spam
July 24, 2013 - "Subjects Seen:
    Payment Received - eBay item #[removed] NEW WHITE-CA Acoustic Guitar+GIGBAG+STRAP+TUNER+LESSON
Typical e-mail details:
    Hello Dear Customer,
    Your payment has been received for the following item. If extra shipping
    charges is required per our ad and not received (for all military addresses/AK/PR/PO
    Box and other U.S.territories outside of the 48 states), we may contact you
    shortly. Be sure your Ebay registered address and contact phone number
    is accurate as the order will be processed as such.


Malicious URLs
    compare-treadmills .co .uk/fosters/index.html
    bernderl .de/fife/index.html
    tennisclub-iburg .de/hepper/index.html
    nphscards .com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=RpZTfjhgRFCk
    nphscards .com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f&D=2d&pb=U&sR=I
    nphscards .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...lx4R1qz4rgp.png
___

Fake inTuit emails - "Your payments are being processed for deposit"
- http://security.intu.../alert.php?a=84
7/23/13 - "People are receiving -fake- emails with the title "Your payments are being processed for deposit". Below is a copy of the email people are receiving.
> http://security.intu...ges/phish84.jpg
This is the end of the -fake- email.
- Steps to Take Now
    Do not open the attachment in the email...
    Delete the email..."
 



Edited by AplusWebMaster, 25 July 2013 - 06:12 AM.


#992 AplusWebMaster

Posted 25 July 2013 - 11:13 AM

FYI...

Fake CNN SPAM / evocarr .net
- http://blog.dynamoo....rails-spam.html
25 July 2013 - "This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr .net:
    Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
    From:      77 dead after train derails [BreakingNews @mail.cnn .com]
    Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN
    77 dead after train derails, splits apart in Spain
    By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
    iReporter: 'It was a horrific scene'
    STORY HIGHLIGHTS
        NEW: Train driver told police he entered the bend too fast, public broadcaster reports
        NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
        Witness: "The train was broken in half. ... It was quite shocking"
        77 people are dead, more bodies may be found, regional judicial official says
    Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...


Screenshot: https://lh3.ggpht.co...0/cnn-train.png

The link in the email goes to a legitimate -hacked- site which tries to load one or more of the following scripts:
[donotclick]church.main .jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage .com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch .de/referees/metacarpals.js
From there the victim is sent to a landing page at [donotclick]evocarr .net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following -hijacked- GoDaddy domains are on the same IP and can be considered suspect:
evocarr .net
serapius .com
leacomunica .net
mindordny .org
rdinteractiva .com
yanosetratasolodeti .org "
___

CNN Spanish Train Derailment Spam
- http://threattrack.t...derailment-spam
July 25, 2013 - "Subjects Seen:
    "Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
    77 dead after train derails, splits apart in Spain
    iReporter: ‘It was a horrific scene’
    STORY HIGHLIGHTS
        NEW: Train driver told police he entered the bend too fast, public broadcaster reports
        NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
        Witness: “The train was broken in half. … It was quite shocking"
        77 people are dead, more bodies may be found, regional judicial official says
    Madrid (CNN) — An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...


Malicious URLs
    caribbeancinemas .net/cheerfullest/index.html
    sroehl .de/inpatient/index.html
    evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
    evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
    evocarr .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...7d9o1qz4rgp.png
___

Malicious Facebook E-Mail Spam Campaigns
- http://threattrack.t...-spam-campaigns
July 25, 2013
"New Password Request:
> https://gs1.wac.edge...pVxT1qz4rgp.png
Friend Request:
> https://gs1.wac.edge...PsWI1qz4rgp.png
Tagged Photos Notification:
> https://gs1.wac.edge...THbs1qz4rgp.png
Subjects Seen:
    You requested a new Facebook password
    <Name> wants to be friends with you on Facebook.
    <Name> tagged 2 photos of you on Facebook

Typical e-mail details:
    New Password Request:
    Hello,
    You recently asked to reset your Facebook password.
    Click here to change your password.
    Friend Request:
    <Name> wants to be friends with you on Facebook.
    Tagged Photos Notification:
    <Name> added 5 photos of you.


Malicious URLs
    dl2htd .de/surfaces/index.html
    airductservicepro .com/lighthouse/index.html
    99906.webhosting33.1blu .de/stupids/index.html
    128.121.242.173 /nutritional/index.html
    handmadelifecoaching .com/compelled/index.html
    villaflorida .biz/deepness/index.html
    ekaterini.mainsys .gr/exhorted/index.html
    hackspitz .com/gnarl/index.html
    joerg.gmxhome .de/skeptically/index.html
    lostfounddevices .com/mama/index.html
    spurtwinslotshelvingsystems .co .uk/aquamarine/index.html
    bbsmfg .biz/servo/index.html
    198.251.67.11 /reprehended/index.html
    evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
    evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
    evocarr .net/adobe/update_flash_player.exe

___

Incoming Fax Report Spam
- http://threattrack.t...fax-report-spam
July 25, 2013 - "Subjects Seen:
    INCOMING FAX REPORT : Remote ID: <random>
Typical e-mail details:
    *********************************************************
    INCOMING FAX REPORT
    *********************************************************
    Date/Time: 07/25/2013 04:42:54 CST
    Speed: 26606 bps
    Connection time: 05:09
    Pages: 6
    Resolution: Normal
    Remote ID:
    Line number: 1
    DTMF/DID:
    Description: June Payroll
    Click here to view the file online ...


Malicious URLs
    funeralsintexas .com/someplace/index.html
    keralahouseboatstourpackages .com/mansion/index.html
    christinegreenmd .com/inductees/index.html
    ente-gmbh .de/bragg/index.html
    impresiona2 .net/topic/regard_alternate_sheet.php?uf=2i2h2f5653&Je=302g572f5352572i572f&Y=2d&kc=i&bN=Q
    impresiona2 .net/topic/regard_alternate_sheet.php?Ef=2i2h2f5653&Le=56302d2f2h53562j2j55&a=2d&dV=l&JB=a
    impresiona2 .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...QlWe1qz4rgp.png
 

Fake FAX SPAM - 2013vistakonpresidentsclub .com
- http://blog.dynamoo....eport-spam.html
25 July 2013 - "This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub .com:
    Date:      Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
    From:      Administrator [administrator @victimdomain]
    Subject:      INCOMING FAX REPORT : Remote ID: 1150758119
    *********************************************************
    INCOMING FAX REPORT
    *********************************************************
    Date/Time: 07/25/2013 02:15:22 CST
    Speed: 23434 bps
    Connection time: 09:04
    Pages: 8
    Resolution: Normal
    Remote ID: 1150758119
    Line number: 2
    DTMF/DID:
    Description: June Payroll
    Click here to view the file online ...


The link in the spam leads to a legitimate -hacked- site and then on to one or more of these three intermediary scripts:
[donotclick]1954f7e942e67bc1.lolipop .jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio .de/djakarta/opel .js
[donotclick]www.pep7 .at/hampton/riposts.js
From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub .com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam*) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110 which is a Jolly Works Hosting IP, which has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side."
* http://blog.dynamoo....-baby-tree.html

** http://blog.dynamoo....y works hosting
 



Edited by AplusWebMaster, 25 July 2013 - 06:49 PM.


#993 AplusWebMaster

Posted 26 July 2013 - 12:24 PM

FYI...

Fake eBay SPAM / artimagefrance .com
- http://blog.dynamoo....unity-spam.html
26 July 2013 - "This fake eBay email leads to malware on artimagefrance .com:
    Date:      Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
    From:      eBay [eBay@ reply1.ebay .com]
    Subject:      [redacted] welcome to the eBay community! ...


Screenshot: https://lh3.ggpht.co...0/fake-ebay.png

The link in the email goes to a legitimate -hacked- site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229 /deputy/clodhoppers.js
[donotclick]andywinnie .com/guessable/meteor.js
[donotclick]hansesquash .de/wimples/dunning.js
The victim is then sent to a malware landing page at [donotclick]artimagefrance .com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case..."

... eBay Spam
- http://threattrack.t...me-to-ebay-spam
July 26, 2013 - "Subjects Seen:
    <Name> welcome to the eBay community!
Typical e-mail details:
    Welcome to eBay
    The simpler way to save and shop
    Start shopping ...


Malicious URLs
    gwiz .de/balloonists/index.html
    dialogueseriesonline .com/snag/index.html
    dbrsnet .info/restore/index.html
    b-able .gr/overshot/index.html
    artimagefrance .com/adobe/update_flash_player.exe
    artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edge...l7mw1qz4rgp.png
___

Fake Intellicast weather SPAM / artimagefrance .com
- http://blog.dynamoo....efrancecom.html
26 July 2013 - "This fake weather spam leads to malware on artimagefrance .com:
    Date:      Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
    From:      "Intellicast.com" [weather @intellicast .com]
    Subject:      Intellicast.com [weather @intellicast .com]
    Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
    For the complete 10-Day forecast and current conditions, visit ...


The payload and infection technique are exactly the same as the ones used here*."
* http://blog.dynamoo....unity-spam.html

Intellicast Weather Report Spam
- http://threattrack.t...her-report-spam
July 26, 2013 - "Subjects Seen:
    Intellicast .com <weather@intellicast .com>
Typical e-mail details:
    Intellicast .com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
    For the complete 10-Day forecast and current conditions, visit Intellicast .com:
    intellicast .com/Local/Weather.aspx?location=USNH0164


Malicious URLs
    tohoradio .dx .am/depression/index.html
    tohoradio .dx .am/packers/index.html
    artimagefrance .com/adobe/update_flash_player.exe
    artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edge...Oilk1qz4rgp.png
___

Fake BoA transaction SPAM / payment receipt 26-07-2013 .zip
- http://blog.dynamoo....saction-is.html
26 July 2013 - "This fake Bank of America spam has a malicious attachment:
    Date:      Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
    From:      impairyd04 @gmail .com
    Subject:      Your transaction is completed
    Transaction is completed. $09681416 has been successfully transferred.
    If the transaction was made by mistake please contact our customer service.
    Payment receipt is attached...


There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal*. The Malwr report** is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant..."
(Long list of URLs at the dynamoo URL above.)
* https://www.virustot...sis/1374847946/

** https://malwr.com/an...2E0MDYyYjJkNmQ/
___

CNN Walking Dead News Alert Spam
- http://threattrack.t...news-alert-spam
July 26, 2013 - "Subjects Seen:
    BreakingNews CNN: New season new ‘Walking Dead’
Typical e-mail details:
    What you’ll see on the new ‘Walking Dead’
    Before heading to Comic-Con in San Diego last weekend, the cast members of “The Walking Dead" were each given a folder with talking points about the upcoming fourth season.
    The folders contained information on what the actors could and couldn’t say about the new episodes, which premieres October 13 on AMC. Although none of the actors could reveal the contents of the folders, it was clear that there are lots of secrets to be kept about where “The Walking Dead" will be headed when it returns.
    Full Story »»


Malicious URLs
    grupocelebrate .com .br/lozenge/index.html
    stem.harrisonschools .org/optimization/index.html
    grupocelebrate .com .br/saintlier/index.html
    artimagefrance .com/adobe/update_flash_player.exe
    artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edge...GGfk1qz4rgp.png
 



Edited by AplusWebMaster, 26 July 2013 - 01:00 PM.

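Two lure shapes account for everything quoted in the last few posts: a spoofed brand (Facebook password reset, CNN breaking news, eBay welcome, BMW newsletter) whose "Click here" goes to a hacked site rather than the brand's own domain, and a ZIP attachment (BBB complaint, IRS complaint, A136 money-transfer form, BoA payment receipt) that wraps an .exe. The script below is an added example of triaging a raw message for both patterns; it is not code from Dynamoo, ThreatTrack or Intuit. The two messages it builds are constructed to mirror the Facebook and BoA lures above, not real captures, and the brand-to-domain table is an assumption you would replace with your own list.

```python
"""Triage one e-mail for the two lure shapes seen in the posts above:
a spoofed brand whose links leave the brand's domain, and a ZIP that wraps
an executable.

Added example, not code from any of the quoted blogs.  The sample messages
are constructed (modelled on the Facebook and BoA lures, not captures) and
BRAND_DOMAINS is an assumed table of legitimate domains per brand.
"""
import email
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage
from urllib.parse import urlsplit

BRAND_DOMAINS = {  # assumption: legitimate sender/link domains per impersonated brand
    "facebook": ("facebook.com", "facebookmail.com"),
    "ebay": ("ebay.com",),
    "cnn": ("cnn.com",),
    "bmw": ("bmwusa.com", "bmw.com"),
}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def _host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _brand_of(text):
    """First brand name found in the display name or subject, else None."""
    t = text.lower()
    return next((b for b in BRAND_DOMAINS if b in t), None)


def triage(raw):
    """Findings for one RFC 5322 message (bytes); an empty list means nothing tripped."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    brand = _brand_of(name + " " + str(msg.get("Subject", "")))
    findings, links = [], []
    for part in msg.walk():
        fname = part.get_filename()
        if part.get_content_type() in ("text/plain", "text/html"):
            links += re.findall(r"https?://[^\s\"'<>]+", part.get_content())
        elif fname:
            data = part.get_payload(decode=True)
            if fname.lower().endswith(".zip"):
                try:
                    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
                except zipfile.BadZipFile:
                    findings.append(f"corrupt_zip:{fname}")
                    continue
                bad = [n for n in names if n.lower().endswith(EXEC_EXT)]
                if bad:
                    findings.append(f"zip_contains_executable:{fname}:{bad[0]}")
            elif fname.lower().endswith(EXEC_EXT):
                findings.append(f"executable_attachment:{fname}")
    if brand:
        if not _host_in(sender_host, BRAND_DOMAINS[brand]):
            findings.append(f"sender_domain_mismatch:{brand}:{sender_host}")
        for url in links:
            host = (urlsplit(url).hostname or "").lower()
            if not _host_in(host, BRAND_DOMAINS[brand]):
                findings.append(f"offbrand_link:{brand}:{host}")
    return findings


def build_samples():
    """Two constructed messages modelled on the lures above (not real captures)."""
    # 1. Fake Facebook password reset: sender domain looks right, the link does not.
    fb = EmailMessage()
    fb["From"] = "Facebook <update+hiehdzge@facebookmail.com>"
    fb["Subject"] = "You requested a new Facebook password"
    fb.set_content("You recently asked to reset your Facebook password.")
    fb.add_alternative(
        '<p>Click <a href="http://hacked-site.example/wp/reset.html">here</a> '
        "to change your password.</p>", subtype="html")
    # 2. Fake BoA receipt: a ZIP whose only member is an .exe (MZ stub, constructed).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payment receipt 26-07-2013.exe", b"MZ" + b"\0" * 64)
    boa = EmailMessage()
    boa["From"] = "impairyd04@gmail.com"
    boa["Subject"] = "Your transaction is completed"
    boa.set_content("Payment receipt is attached.")
    boa.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="payment receipt 26-07-2013.zip")
    return fb.as_bytes(), boa.as_bytes()


if __name__ == "__main__":
    for raw in build_samples():
        print(triage(raw))
```

Note that the Facebook lure passes the sender check (facebookmail.com really is Facebook's notification domain, which is exactly why the spammers use it) and is caught only by the off-brand link; the BoA lure has no brand in its From or Subject at all and is caught purely by the executable inside the ZIP. Running both checks is the point; either one alone misses one of the two campaigns.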

#994 AplusWebMaster

Posted 29 July 2013 - 11:26 AM

FYI...

Fake Facebook SPAM - happykido .com
- http://blog.dynamoo....ppykidocom.html
29 July 2013 - "This fake Facebook spam leads to malware on happykido .com:
    Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
    From:      Facebook [update+zj4o40c2_aay @facebookmail .com]
    Subject:      Betsy Wells wants to be friends with you on Facebook.
    Interesting Pages on Facebook
    Mark as favorite web pages that interest you to receive their updates in your News Feed.
    Betsy Wells
    Baldric Aguino
    Astrid Aggas
    Deloris Bransfield
    Perdita Brantz
    Danelle Erstad
    Daphne Escamilla
    Giovanna Hadesty
    Georgeann Habel
    Hugh Campisi
    Jake Callas ...


Apparently all these people look alike:
- https://lh3.ggpht.co...ke-facebook.png
This is a "ThreeScripts" attack: clicking the link goes to a legitimate hacked site which then tries to run one of the following:
[donotclick]system-hostings .info/aphrodisiac/nought.js
[donotclick]gc.sceonline .org/worsens/patronizingly.js
[donotclick]www.kgsindia .org/retell/manson.js
from there, the victim is sent to a malware landing page on a -hijacked- GoDaddy domain at [donotclick]happykido .com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.
Recommended blocklist:
50.2.138.161 ..."

- https://www.virustot...61/information/
___

Fake "Key Secured Message" SPAM / SecureMessage .zip
- http://blog.dynamoo....ssage-spam.html
29 July 2013 - "This spam has a malicious attachment:
    Date:      Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
    From:      "Marcia_Manning @key .com" [Marcia_Manning @key .com]
    Subject:      Key Secured Message
    You have received a Secured Message from:
    Marcia_Manning @key .com
    The attached file contains the encrypted message that you have received. To decrypt the
    message use the following password -  nC4WR706
    To read the encrypted message, complete the following steps:
    -  Double-click the encrypted message file attachment to download the file to your
    computer.
    -  Select whether to open the file or save it to your hard drive. Opening the file
    displays the attachment in a new browser window.
    -  The message is password-protected, enter your password to open it. This e-mail and any
    attachments are confidential and intended solely for the addressee and may also be
    privileged or exempt from
    disclosure under applicable law. If you are not the addressee, or have received this
    e-mail in error, please notify the sender
    immediately, delete it from your system and do not copy, disclose or otherwise act upon
    any part of this e-mail or its attachments...


The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be unencrypted with the password supplied in the email (which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46*. The Malwr analysis** shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel .com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:
[donotclick]a1bridaloutlet .co .uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive .com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93 /MM75.exe (5/45)
[donotclick]paulalfrey .com/guBwFA.exe (5/46)
Recommended blocklist:
198.57.130.34
198.61.134.93
..."
* https://www.virustot...sis/1375109054/

- https://www.virustot...34/information/

- https://www.virustot...93/information/

** https://malwr.com/an...jBlMjAxZWVhMmU/

Key.com Secured Message Spam
- http://threattrack.t...ed-message-spam
July 29, 2013 - "Subjects Seen:
    Key Secured Message
Typical e-mail details:
    You have received a Secured Message from:
    <removed>@key .com
    The attached file contains the encrypted message that you have received.
    To decrypt the message use the following password -  <removed>
    To read the encrypted message, complete the following steps:
    -  Double-click the encrypted message file attachment to download the file to your computer.
    -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    -  The message is password-protected, enter your password to open it.
    This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law...


Malicious URLs
    198.57.130.35 :8080/ponyb/gate.php
    webmail.alsultantravel .info:8080/ponyb/gate.php
    alsultantravel .com:8080/ponyb/gate.php
    webmail.alsultantravel .com:8080/ponyb/gate.php
    a1bridaloutlet .co.uk/aiswY6.exe
    giftedintuitive .com/kQYjoPqY.exe
    198.61.134.93 /MM75.exe
    paulalfrey .com/guBwFA.exe

Malicious File Name
and MD5:
    SecureMessage.zip (01CC5CE52FC839EBCE6497FB88B1781F)
    SecureMessage.exe (81129764C62417D5B06C73E6FAD838A5)

Screenshot: https://gs1.wac.edge...4v541qz4rgp.png
___

HSBC E-Advice Spam
- http://threattrack.t...c-e-advice-spam
July 29, 2013 - "Subjects Seen:
    HSBC E-Advice
Typical e-mail details:
    Please find attached your Advice containing information on your transactions of last working day with the bank.
    Please do not reply to this e-mail address. If you have any queries, please contact our Customer Services.
    Yours faithfully
    HSBC Bank


Malicious URLs
    198.57.130.35 :8080/ponyb/gate.php
    webmail.alsultantravel .info:8080/ponyb/gate.php
    alsultantravel .com:8080/ponyb/gate.php
    webmail.alsultantravel .com:8080/ponyb/gate.php
    wx04.strato-wlh .de/EggT.exe
    labycar .com/Zi6L.exe
    208.112.50.5 /c38QVmd.exe
    s148231503.onlinehome .us/y3R.exe

Malicious File Name
and MD5:
    HSBC_advice.zip (6C5A65A05E72ADFC64318E7730199192)
    HSBC_advice.exe (E1DBB4BE2A7AE2180100A02C5E3E2D95)

Screenshot: https://gs1.wac.edge...30Ux1qz4rgp.png
___

FedEx Shipment Notification Spam
- http://threattrack.t...tification-spam
July 29, 2013 - "Subjects Seen:
    FedEx Shipment Notification
Typical e-mail details:
    This tracking update has been requested and attached to this email
    Reference information includes: Invoice number, Reference, Special handling/Services, Residential Delivery. Reference information is attached to this email.
    Tracking number:    <removed>
    To track the latest status of your shipment, click on the tracking number above, or visit us at fedex .com...
    This tracking update has been sent to you by FedEx on the behalf of the Requestor noted above. FedEx does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
    Thank you for your business.


Malicious File Name and MD5:
    FedEx Notification.zip (7CFE2BE8E249E9A05664CB2E4BABD6AC)
    FedEx Notification_.PDF.exe (E4EC9F6232A272EA76B65F94A86FF184)
    FedEx Reference information.zip (F28D58D5CA4910495DBB786E8AC0E5D3)
    FedEx Reference information.pdf.exe (CE23868B4F645A39CBB6AE98796346CB)

Screenshot: https://gs1.wac.edge...DK0H1qz4rgp.png
___

DocuSign Confidential Company Agreement Spam
- http://threattrack.t...-agreement-spam
July 29, 2013 - "Subjects Seen:
    Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
Typical e-mail details:
    Your document has been completed    
    Sent on behalf of DocuSign Support.
    All parties have completed the envelope ‘Please DocuSign this document: 2013 Company Contracts..pdf’.
    To view, download or print the completed document click below.
    View in DocuSign


Malicious URLs
    thealphatechnologies .com/interlaces/index.html
    digitalcaptive .net/chickpea/index.html
    ftp(DOT)kirchdach .at/kimonos/index.html
    webmail.alsultantravel .com:8080/ponyb/gate.php
    happykiddoh .com/topic/able_disturb_planning.php
    happykiddoh .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...HReI1qz4rgp.png

More here:
- https://www.virustot...34/information/
"... domains resolved to the given IP address...
... Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset..."
___

Visa Recent Transactions Report Spam
- http://threattrack.t...ons-report-spam
July 29, 2013 - "Subjects Seen:
    VISA - Recent Transactions Report
Typical e-mail details:
    Dear Visa card holder,
    A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
    For more details please see the attached transaction report.
    Augustus_Molina
    Data Protection Officer
    VISA EUROPE LIMITED
    1 Sheldon Square
    London W2 6WH
    United Kingdom


Malicious URLs
    asam.atspace .eu/windsocks/index.html
    deltaboatworks .net/adobe/update_flash_player.exe
    deltaboatworks .net/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...YWPV1qz4rgp.png
 

:grrr: :ph34r: :ph34r:


Edited by AplusWebMaster, 30 July 2013 - 08:57 AM.
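The posts above quote their indicators in a deliberately "defanged" form ("happykido .com", "ftp(DOT)kirchdach .at", a "[donotclick]" prefix, "198.57.130.35 :8080") and describe one recurring chain: a hacked legitimate site, one of three redirector .js scripts, a landing page under /topic/<words>.php, a fake Flash update at /adobe/update_flash_player.exe, and for the attachment runs a Pony "gate" at /ponyb/gate.php. The following is an added example, not code from the forum, dynamoo or ThreatTrack: it refangs such indicators, builds a blocklist that blocks the hijacked hosts and IP ranges outright while matching the hacked legitimate sites only by exact URL (so the rest of that site stays reachable), and scans proxy-log lines for both the indicators and the chain's path patterns. The log format and the log lines are constructed, and the path patterns are hunting heuristics, not proof of infection.

```python
"""Refang and classify the indicators quoted in the posts above and match
proxy-log lines against them.  Added example, not code from the forum, dynamoo
or ThreatTrack; the log format and log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Defanging seen in the quoted posts: "host .com", "ftp(DOT)host", a
# "[donotclick]" prefix, "1.2.3.4 :8080", "1.2.3.4 /file.exe", "frccc. com".
_DEFANG_RULES = [(re.compile(r"^\[donotclick\]", re.I), ""),
                 (re.compile(r"\(DOT\)", re.I), "."),
                 (re.compile(r"\s*\.\s*"), "."),
                 (re.compile(r"\s+:"), ":"),
                 (re.compile(r"\s+/"), "/")]

# Stages of the chain the posts describe: redirector .js on a hacked site,
# exploit-kit landing page, fake Flash update, Pony "gate".  Hunting
# heuristics only; a hit marks a request for review, not a confirmed infection.
_STAGE_PATTERNS = [("pony_gate", re.compile(r"/ponyb/gate\.php$")),
                   ("landing_page", re.compile(r"/topic/[a-z_-]+\.php$")),
                   ("fake_flash_update", re.compile(r"/adobe/update_flash_player\.exe$")),
                   ("redirector_js", re.compile(r"^/\w+/\w+\.js$"))]


def refang(indicator):
    """Turn a defanged indicator back into host[:port][/path] or IP/CIDR."""
    text = indicator.strip().rstrip(".").strip()  # drop a trailing " ..."
    for pattern, repl in _DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def parse_indicator(indicator):
    """Return ('network', ip_network) or ('url', host, path); ports are ignored."""
    text = refang(indicator)
    try:
        return ("network", ipaddress.ip_network(text, strict=False))
    except ValueError:
        parts = urlsplit("//" + text)  # the quoted indicators carry no scheme
        return ("url", (parts.hostname or "").lower(), parts.path)


def classify_path(path):
    for name, pattern in _STAGE_PATTERNS:
        if pattern.search(path):
            return name
    return "other"


class Blocklist:
    """IPs/CIDRs and bare hosts (the 'Recommended blocklist' entries) are blocked
    outright; indicators with a path sit on hacked legitimate sites and are
    matched as exact URLs so the rest of that site stays reachable."""

    def __init__(self, indicators):
        self.networks, self.hosts, self.urls = [], set(), set()
        for raw in indicators:
            ioc = parse_indicator(raw)
            if ioc[0] == "network":
                self.networks.append(ioc[1])
            elif ioc[2] in ("", "/"):
                self.hosts.add(ioc[1])
            else:
                self.urls.add((ioc[1], ioc[2]))

    def match_url(self, url):
        parts = urlsplit(url)
        host, path = (parts.hostname or "").lower(), parts.path
        hits = []
        if host in self.hosts:
            hits.append("blocked_host")
        if (host, path) in self.urls:
            hits.append("blocked_url")
        try:
            if any(ipaddress.ip_address(host) in net for net in self.networks):
                hits.append("blocked_network")
        except ValueError:
            pass  # a hostname, not an IP literal
        stage = classify_path(path)
        if stage != "other":
            hits.append("pattern:" + stage)
        return hits

    def scan_log(self, lines):
        """Constructed log format: '<timestamp> <client> <method> <url>'."""
        results = []
        for line in lines:
            fields = line.split()
            if len(fields) >= 4 and self.match_url(fields[3]):
                results.append((fields[1], fields[3], self.match_url(fields[3])))
        return results


# Indicators copied from the posts above, in their defanged form.
SAMPLE_INDICATORS = ["50.2.138.161", "91.199.149.0/24",
                     "[donotclick]happykido .com/topic/able_disturb_planning.php",
                     "[donotclick]gc.sceonline .org/worsens/patronizingly.js",
                     "ftp(DOT)kirchdach .at/kimonos/index.html",
                     "198.57.130.35 :8080/ponyb/gate.php",
                     "deltayachtclub .net ..."]

# Constructed proxy log lines (not from the page).
SAMPLE_LOG = [
    "2013-07-30T15:10:01Z 10.0.0.12 GET http://gc.sceonline.org/worsens/patronizingly.js",
    "2013-07-30T15:10:02Z 10.0.0.12 GET http://deltayachtclub.net/adobe/update_flash_player.exe",
    "2013-07-30T15:10:03Z 10.0.0.12 POST http://198.57.130.35:8080/ponyb/gate.php",
    "2013-07-30T15:10:04Z 10.0.0.12 GET http://91.199.149.77/index.html",
    "2013-07-30T15:10:05Z 10.0.0.31 GET http://gc.sceonline.org/about.html",
]

if __name__ == "__main__":
    for client, url, hits in Blocklist(SAMPLE_INDICATORS).scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```

The pattern hits are worth keeping separate from the blocklist hits: the indicator lists go stale quickly as the gang rotates hijacked GoDaddy domains, while the path shapes (/topic/*.php, /adobe/update_flash_player.exe, /ponyb/gate.php) survived across every run quoted here and are what a hunt over older logs should key on.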


#995 AplusWebMaster


Posted 30 July 2013 - 11:54 AM

FYI...

Fake CNN Angelina Jolie SPAM / deltadazeresort .net
- http://blog.dynamoo....of-highest.html
30 July 2013 - "This fake CNN spam leads to malware on deltadazeresort .net:
    Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
    From:      CNN [BreakingNews @mail .cnn .com]
    Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
    Forbes: Angelina Jolie tops list of highest-paid actresses
    By Sheridan Watson, EW.com
    July 29, 2013 -- Updated 2014 GMT (0414 HKT)
    Agelina Jolie attends a June 2013 premiere of Brad Pitt's movie, "World War Z" ...


Screenshot: https://lh3.ggpht.co.../s400/jolie.png

The link in the email goes to a legitimate -hacked- site and then to one or more of three scripts:
[donotclick]00002nd.rcomhost .com/immanent/surfeit.js
[donotclick]theplaidfox .com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs .com/afforestation/provosts.js
From there the victim is sent to a landing page at [donotclick]deltadazeresort .net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:
66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US) ..."

CNN Angelina Jolie Spam
- http://threattrack.t...lina-jolie-spam
July 30, 2013 - "Subjects Seen:
    CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Typical e-mail details:
    (EW.com) — She might not get paid as much as “Iron Man," but there’s no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.
    This year, Jolie topped Forbes’ annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.


Malicious URLs
    gbheatings .com/thou/index.html
    casa-dor .com/bookstore/index.html
    deltadazeresort .net/topic/able_disturb_planning.php
    deltadazeresort .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...iSDk1qz4rgp.png
___

Pharma sites to block 30/7/13
- http://blog.dynamoo....lock-30713.html
30 July 2013 - "These IPs host (fake) pharma sites which seem to be associated with this gang* and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent...
Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79
..."
(More listed at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Malware sites to block 30/7/13
- http://blog.dynamoo....lock-30713.html
30 July 2013 - "These sites and IPs are associated with this gang*, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Fake Pinterest password SPAM / onsayoga .net
- http://blog.dynamoo....terest-was.html
30 July 2013 - "This fake Pinterest spam leads to malware on onsayoga .net:
    Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
    From:      Pinterest [caulksf8195 @customercare .pinterrest .net]
    Subject:      Your password on Pinterest was Successfully modified!
    A Few Updates...
    [redacted]
    Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
    Ask for a New Password  
    Pinterest is a tool for collecting and organizing things you love.
    This email was sent to [redacted].

Screenshot: https://lh3.ggpht.co...0/pinterest.png

The link goes through a legitimate -hacked- site and then on to [donotclick]www .pinterest.com.onsayoga .net/news/pinterest-paswword-changes.php (report here*) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)
These IPs are controlled by this gang** and form part of this large network*** of malicious IPs and domains. I recommend you use -that- list in conjunction with blocking onsayoga .net."
* http://urlquery.net/....php?id=4226343

** http://blog.dynamoo....h/label/Amerika

*** http://blog.dynamoo....lock-30713.html
___

Fake eBay SPAM / deltamarineinspections .net
- http://blog.dynamoo....-heres-how.html
30 July 2013 - "There is currently an eBay-themed "ready to get started? Here’s how" spam run active, effectively almost the same as this one*, except this time there is a new set of intermediate scripts and payload page. The three scripts** involved are:
[donotclick]03778d6.namesecurehost .com/meaningful/unsnapping.js
[donotclick]icontractor .org/followings/trolloped.js
[donotclick]tvassist .co .uk/plead/grueled.js
..leading to a payload page at [donotclick]deltamarineinspections .net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are -hijacked- from a GoDaddy account and belong to the same poor sod that lost control of the ones here***.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net ..."
* http://blog.dynamoo....unity-spam.html

** http://blog.dynamoo....el/ThreeScripts

*** http://blog.dynamoo....of-highest.html
___

Fake Facebook SPAM again / deltaoutriggercafe .com
- http://blog.dynamoo....gercafecom.html
30 July 2013 - "These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe .com:
    Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
    From:      Facebook [no-reply @facebook .com]
    Subject:      Issac Dyer wants to be friends with you on Facebook.
    facebook
    Issac Dyer wants to be friends with you on Facebook.
    University of Houston, Victoria
    342 friends - 28 photos
    Confirm Request
    See All Requests
    This message was sent to [redacted]...


I don't know about you, but I think Isaac looks a bit like a girl:
> https://lh3.ggpht.co...00/facebook.png
Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run*. However, in this case the target has now changed to [donotclick]deltaoutriggercafe .com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been -hijacked- from GoDaddy.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltaoutriggercafe .com
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net
..."
* http://blog.dynamoo....-heres-how.html
 

:grrr: :ph34r: :ph34r:


Edited by AplusWebMaster, 31 July 2013 - 05:51 AM.


#996 AplusWebMaster


Posted 31 July 2013 - 10:50 AM

FYI...

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Deposit Notification Email Messages - 2013 Jul 31
Fake Online Banking Software Security Update Email Messages [Trusteer] - 2013 Jul 31
Fake Customer Complaint Attachment Email Messages - 2013 Jul 31
Fake Product Services Specification Request Email Messages - 2013 Jul 31
(More detail and links at the cisco URL above.)
___

IRS Tax Payment Rejected Spam
- http://threattrack.t...t-rejected-spam
July 31, 2013 - "Subjects Seen:
    Your FED TAX payment ( ID : <removed> ) was Rejected
Typical e-mail details:
    ... Your federal Tax payment (ID: <removed>), recently sent from your checking account was returned by the your financial institution.
    For more information, please visit the following link -eftps.com/eftps/payments/history/detail/view?eft=
    Transaction Number:     <removed>
    Payment Amount:     $ 7882.00
    Transaction status:     Rejected
    ACH Trace Number:     <removed>
    Transaction Type:     ACH Debit Payment-DDA


Malicious URLs
    diyhomeimprovementtips .com/clunkier/index.html
    ossjobs .com/tangled/index.html
    singular-cy .com/throughout/index.html
    deltaoutriggercafe .com/adobe/update_flash_player.exe
    deltaoutriggercafe .com/topic/regard_alternate_sheet.php


Screenshot: https://gs1.wac.edge...cWsD1qz4rgp.png
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 31 July 2013 - 12:40 PM.


#997 AplusWebMaster


Posted 01 August 2013 - 08:22 AM

FYI...

Pump and dump SPAM - Biostem ...
- http://blog.dynamoo....dead-horse.html
1 August 2013 - "About a month-and-a-half ago* I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR)** when it was trading at around $0.30. Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..
    This Company Will Make an Impressive Recovery! It is the answer
    to your portfolio troubles!
    Date: August 1st
    Long Term Target: .85
    Per share price: .035
    Ticker: HAI_R
    Name: Biostem Corp.
    You might want to sit down before reading this... Stocks To
    Look At!

So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop***, and looking at news reports there seems to be little chance of recovery.
Screenshot: https://lh3.ggpht.co...00/biostem5.png
But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks.. "
* http://blog.dynamoo....p-rakes-in.html

** http://www.nasdaq.com/symbol/hair

*** http://www.nasdaq.co...-20130717-01105
___

Current State of the Blackhole Exploit Kit
- http://blog.trendmic...le-exploit-kit/
July 31, 2013 9:42 pm (UTC-7) - "The Blackhole Exploit Kit is one of the most notorious exploit kits currently in circulation among the cybercriminal underground today. Thus, we continuously monitor for incidents and attacks involving the exploit kit itself. Last week we reported about the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis of the campaign yielded its connection to other currently-ongoing campaigns that used other recent news events, such as the controversy surrounding the upcoming movie Ender’s Game. Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.
> http://blog.trendmic...7/bhekEbay1.jpg
The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period — a relatively large percentage compared to other runs. We’ve also identified a list of countries that we detect where the bulk of the spam is coming from...
> http://blog.trendmic...wbhektable2.png
... These recent developments regarding this particular exploit kit can certainly be disconcerting, but nothing particularly new in regards to BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in getting victims, which means that more users need to be protected about this threat... Infection can be avoided by extra vigilance by users on not clicking on the links that present themselves through suspicious mails such as these. Other precautions include: always installing the latest Java security update... and using a web reputation security product..."
___

UPS Package Pickup Spam
- http://threattrack.t...age-pickup-spam
Aug. 1, 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel <removed> )
Typical e-mail details:
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


Malicious URLs
    bettersigns .net/ponyb/gate.php
    50.57.185.72 :8080/ponyb/gate.php
    arki .com :8080/ponyb/gate.php
    web1w3.nfrance .com/bzfBGWP.exe
    serw.myroitracking .com/kQYjoPqY.exe
    442594-web1.youneedmedia .com/MM75.exe
    ftp(DOT)jason-tooling .com/nhdx.exe

Malicious File Name
and MD5:
    UPS_Label_<date>.zip (199C2A4EED41CF642FBDDF60949A1DD3)
    UPS-Label_<date>.exe (E1388381884E7434A0A559CAED63B677)

Screenshot: https://gs1.wac.edge...WDl91qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 01 August 2013 - 01:31 PM.


#998 AplusWebMaster


Posted 02 August 2013 - 12:43 PM

FYI...

Fake American Express Alerts
- https://isc.sans.edu...l?storyid=16285
Last Updated: 2013-08-02 16:20:31 UTC - "Right now we are seeing -fake- American Express account alerts*. The alerts look very real, and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination will heavily depend on the browser used. Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content."
* https://isc.sans.edu...12_08_22 PM.png

American Express Spending Notification Spam
- http://threattrack.t...tification-spam
Aug. 2, 2013 - "Subjects Seen:
    Account Alert: Recent Charge Approved
Typical e-mail details:
    Dear Customer,
    Spend Activity since your last statement close date has reached the notification amount you set for your account.


Malicious URLs
    blackamber .net/ulnq.html
    medialifegroup .com/~medialifeyerel/xkaq.html
    drstephenlwolman .com/topic/sessions-folk-binds.php
    northernforestcanoetrail .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...1PGc1qz4rgp.png
___

MoneyGram Payment Notification Spam
- http://threattrack.t...tification-spam
Aug. 2, 2013 - "Subjects Seen:
    Payment notification email
Typical e-mail details:
    Dear client!
    You are receiving this notification because of you have been received the payment.
    It may take a few moment for this transaction to appear in the Recent Activity list on your account page.
    Payment details
    Transaction sum: 950 USD
    Transaction date: 2013/08/02
    View the details of this transaction online
    Thank you for using MoneyGram services!


Malicious URLs
    blackamber .net/ulnq.html
    medialifegroup .com/~medialifeyerel/xkaq.html
    drstephenlwolman .com/topic/sessions-folk-binds.php
    northernforestcanoetrail .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...4BM61qz4rgp.png
 

:grrr: :ph34r:


Edited by AplusWebMaster, 02 August 2013 - 12:57 PM.


#999 AplusWebMaster


Posted 02 August 2013 - 03:34 PM

FYI...

NACHA Direct Deposit was Declined Spam
- http://threattrack.t...s-declined-spam
2 August 2013 - "Subjects Seen:
    Direct Deposit payment was declined
Typical e-mail details:
    Attn: Chief Accountant
    Please be informed, that your most recent Direct Deposit payment (<removed>) was cancelled,because your business software package was out of date. Please use the link below to enter the secure section of our web site and see the details::
    Click here for more information
    Please refer to your financial institution to obtain your updated version of the software needed.
    Sincerely yours
    ACH Network Rules Department


Malicious URLs
    24-7datura .com/wp-sts.php?2HWU2JNHOTU80DVU
    zippierearliest .in/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edge...TrzI1qz4rgp.png
___

Fake Discover Card SPAM / capitalagreements .com
- http://blog.dynamoo....t-has-been.html
2 August 2013 - "This fake Discover Card spam leads to malware on capitalagreements .com:
    Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
    From:      Discover Card [dontrply @service.discovercard .com]
    Reply-To:      dontrply @service.discovercard .com
        Discover
         Access My Account
         ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
        Your most recent payment has been processed.
    Dear Customer,
    This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.
    To view more details please click here.
    Log In to review your account details or to make additional changes...


Screenshot: https://lh3.ggpht.co...scover-card.png

The link in the email goes to a legitimate -hacked- site and then one to three scripts as follows:
[donotclick]ekaterini.mainsys .gr/overspreading/hermaphrodite.js
[donotclick]sisgroup .co .uk/despairs/marveled.js
[donotclick]psik.aplus .pl/christian/pickford.js
After that, the victim is directed to the malware landing page at [donotclick]capitalagreements .com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.
The attack is fundamentally the same as this American Express themed malspam run described here*.
Recommended blocklist:
66.228.60.243
northernforestcanoetrail .com
northforestcanoetrail .org
yourcaribbeanconnection .com
capitalagreements .com
buyfranklinrealty .com
franklinrealtyofcc .com
frccc. com
sellcitruscountyrealestate .com
"
* http://techhelplist....pproved-malware
 

:grrr: :ph34r:



#1000 AplusWebMaster


Posted 11 August 2013 - 01:57 PM

FYI...

Fake Apple Store Gift Card SPAM ...
- http://threattrack.t...-gift-card-spam
August 9, 2013 - "Subjects Seen:
    Apple Store Gift Card
Typical e-mail details:
    Apple Store Gift Card
    Dear client! You got our $100 Apple Store Gift Card.
    Apple Store Gift Cards can be applied to buy Apple hardware and accessories at any Apple Retail Store, the Apple Online Store,
    or over the phone by calling 1-800-MY-APPLE.
    Please follow the link or read the attachment to get the Apple Store Gift Card code.


Malicious URLs
    kidscareinternationalschool .com/f2eyvyj.html
    nsmontessoricenter .com/fz13t.html
    stevecozz .com/topic/sessions-folk-binds.php

Malicious File Name
and MD5:
    GiftCard28493.zip (F4B3986EE1828BDCDD46EE412BE0BA61)
    Apple gift card.exe (74CFF87704AEC030D7AD1171366AFF87)

Screenshot: https://gs1.wac.edge...ZiMr1qz4rgp.png

- http://blog.webroot....ts-and-malware/
August 9, 2013 - "Apple Store users, beware! A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve successfully received a legitimate ‘Gift Card’ worth $200. What’s particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails...
Sample screenshot of the spamvertised email:
> http://webrootblog.f...engineering.png
... MD5: 74cff87704aec030d7ad1171366aff87 * ... UDS:DangerousObject.Multi.Generic; PWSZbot-FBX!74CFF87704AE.
... sampled client-side exploit: MD5: 91cb051d427bd7b679e1abc99983338e ** ...  Mal/ExpJava-F..."
(More detail at the websense URL above.)
* https://www.virustot...2a794/analysis/
File name: Apple gift card.exe
Detection ratio: 24/44
Analysis date: 2013-08-09 14:03:28 UTC
** https://www.virustot...a9a36/analysis/
File name: java-exploit-from-173.246.105.15.jar
Detection ratio: 4/45
Analysis date: 2013-08-11 05:11:11 UTC

- https://www.virustot...15/information/

Diagnostic page for AS29169 (GANDI-AS)
- http://google.com/sa...c?site=AS:29169
"... over the past 90 days, 204 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-11... we found 12 site(s) on this network... that appeared to function as intermediaries for the infection of 71 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 91 site(s)... that infected 407 other site(s)..."
 

:grrr: :ph34r:


Edited by AplusWebMaster, 12 August 2013 - 06:47 AM.
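The Key Secured Message, HSBC, FedEx and Apple gift-card runs above all lean on the same attachment trick: a .zip wrapping an .exe, sometimes under a double extension such as "FedEx Notification_.PDF.exe", and in the "secure message" case with the archive password sent in the very same mail. As an added example, not from the forum or any of the quoted sources, here is a mail-gateway style triage routine: it flags executables and document-then-executable double extensions by name, checks the first bytes of each archive member for a PE "MZ" header hiding under a document name, and, when the body quotes a password, uses it to look inside an encrypted archive rather than letting the recipient be the first to do so. File names and the password string are copied from the posts; the archive bytes and the message text are constructed.

```python
"""Triage a mail attachment the way the lures above are built: zip-wrapped
executables, double extensions, and a 'secure message' whose password arrives
in the same mail.  Added example, not code from the forum or the quoted
sources; archive contents and message text are constructed."""
import io
import re
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MZ_MAGIC = b"MZ"
# "use the following password -  nC4WR706" (quoted in the post above); the
# separator must be followed by whitespace so "password-protected" is not a hit.
PASSWORD_HINT = re.compile(r"\bpassword\s*[-:]\s+(\S+)", re.I)


def split_extensions(name):
    """'FedEx Notification_.PDF.exe' -> ['.pdf', '.exe'] (lower-cased)."""
    return ["." + part for part in name.lower().split(".")[1:]]


def name_findings(name):
    exts = split_extensions(name)
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append("executable")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            findings.append("double_extension")
    return findings


def extract_password(body):
    match = PASSWORD_HINT.search(body)
    return match.group(1) if match else None


def inspect_zip(data, password=None):
    """Findings per archive member.  A password found in the mail body is used
    to open encrypted members, so the gateway sees what the recipient would."""
    results = {}
    pwd = password.encode() if password else None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = name_findings(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append("encrypted_member")
            try:
                head = zf.read(info.filename, pwd=pwd)[:2]
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                findings.append("unreadable_member")  # wrong/no password or odd method
                results[info.filename] = findings
                continue
            if head == MZ_MAGIC and "executable" not in findings:
                findings.append("pe_header_under_non_exe_name")
            results[info.filename] = findings
    return results


def triage_message(body, attachment_name, attachment_bytes):
    """Sorted list of findings for one message with one attachment."""
    findings = set()
    password = extract_password(body)
    if password:
        findings.add("password_in_same_message")
    if attachment_name.lower().endswith(".zip"):
        for member_findings in inspect_zip(attachment_bytes, password).values():
            findings.update(member_findings)
    else:
        findings.update(name_findings(attachment_name))
    return sorted(findings)


def build_zip(members):
    """Build an in-memory .zip from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed body using the wording of the Key Secured Message lure above.
SAMPLE_BODY = ("The attached file contains the encrypted message that you have received. "
               "To decrypt the message use the following password -  nC4WR706\n"
               "The message is password-protected, enter your password to open it.")
# Constructed archive: the FedEx double-extension name with a fake PE header.
SAMPLE_ZIP = build_zip({"FedEx Notification_.PDF.exe": MZ_MAGIC + b"\0" * 64,
                        "Reference information.txt": b"constructed placeholder"})

if __name__ == "__main__":
    print(triage_message(SAMPLE_BODY, "FedEx Notification.zip", SAMPLE_ZIP))
```

Any one of these findings on its own is a weak signal; the combination the posts describe (password in the body, an executable in the archive, a document-looking name in front of .exe) is what a gateway rule should score on, and the MZ check catches the case where the name has been made innocuous but the content has not.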




