Google Docs users Targeted - Phishing Scam
13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
Google Docs phishing login page:
The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
ABSA Global business - certificate update – fake PDF malware
Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many antiviruses detect it as a Zbot, it looks more like an Androm version, possibly dropped by the Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.
On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSL certificates update procedure.
This procedure is quite simple. All you have to do is just to install the new server certificate attached to the letter.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator ABSA Global
cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
Current VirusTotal detections: 11/50* ... another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
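The point of the item above is that the displayed name and icon of an attachment prove nothing about what it is. The following triage routine (an added example, not code from the original post or its source) opens a zip attachment in memory, flags members with executable extensions, and also checks the first two bytes of each member for the PE "MZ" header, so a spoofed icon or hidden extension does not hide an executable. The archive contents and the document-word list are constructed here for illustration.

```python
"""Triage a zip attachment for executables dressed up as documents.
Added example; the sample archive below is constructed, not the real lure."""
import io
import zipfile

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Words in a file name that make it read like a harmless document (assumed list).
DOCUMENT_WORDS = {"instruction", "invoice", "statement", "certificate", "cert", "document", "pdf"}


def triage_archive(zip_bytes):
    """Return one finding dict per archive member.

    A member is 'suspicious' if its extension is executable OR its content
    starts with the PE header b'MZ', whatever the name shown to the user says.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if "." in lower:
                stem, ext = lower.rsplit(".", 1)
                ext = "." + ext
            else:
                stem, ext = lower, ""
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
            findings.append({
                "name": info.filename,
                "extension": ext,
                "pe_header": is_pe,
                "document_like_name": any(w in stem for w in DOCUMENT_WORDS),
                "suspicious": is_pe or ext in EXECUTABLE_EXTS,
            })
    return findings


def build_sample_zip():
    """Constructed sample: a PE stub named like the lure's 'install instruction'
    plus a benign text file, so the script runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ABSA cert p12 install instruction.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text note")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_zip()):
        print(finding)
```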
Fake Facebook messages
Mar 14, 2014 - "... plagued by fake Facebook messages saying “somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook. Do not click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
Banks to be hit with MS costs for running outdated ATMs
LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7, by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group, Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
Bogus online casino themed campaigns intercepted in the wild
Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
Sample screenshots of the landing pages for the rogue casinos:
W32.Casino PUA domains reconnaissance:
Sample detection rates for the W32/Casino PUA:
... (More) Known to have been downloaded from the same IP (220.127.116.11) ..."
Edited by AplusWebMaster, 14 March 2014 - 04:55 PM.