
SPAM frauds, fakes, and other MALWARE deliveries...


1243 replies to this topic

#1201 AplusWebMaster

Posted 05 June 2014 - 07:15 AM

FYI...

Fake Netflix Cancellation - phish
- http://www.hoax-slay...hing-scam.shtml
June 5, 2014 - "Message purporting to be from video streaming service Netflix claims that, due to a payment issue, your account will be cancelled unless you click a link and update credit card details. The message is a phishing scam and Netflix did -not- send it. Clicking the link will take you to a fake Netflix website that asks for login credentials, credit card details, and other personal information. This information will be collected by criminals and used for credit card fraud and identity theft. Example:
> http://www.hoax-slay...hing-scam-1.jpg
Like many other users, you may have recently received an account cancellation message claiming to be from online video streaming service Netflix. The message claims that, because of a problem processing your credit card, you must click a link to update card details to keep your account active. However, the message is -not- from Netflix and you do -not- need to update credit card details as claimed. The message is a typical phishing scam..."
___

Fake email Fax msg - leads to malicious file on Dropbox
- http://blog.mxlab.eu...ile-on-dropbox/
June 5, 2014 - "... new trojan distribution campaign by email with the subject “Fax Message at 2014-05-06 08:55:55 EST”. This email is sent from the spoofed address “Fax Message <message@ inbound .efax .com>” and has the following body:

Screenshot: http://img.blog.mxla...xmessage_j2.gif

The embedded URL leads to hxxps ://www .dropbox .com/meta_dl/**SHORTENED**
The downloaded ZIP file has the name Fax-932971.zip and contains the 146 kB large file Fax-932971.scr. The trojan is known as PE:Malware.XPACK-HIE/Heur!1.9C48. At the time of writing, only 1 of the 51* AV engines did detect the trojan at Virus Total so this is a potential risk. Use the Virus Total permalink* and Malwr permalink** for more detailed information..."
* https://www.virustot...sis/1401979986/

** https://malwr.com/an...jQzNmY4NzkyOTc/

192.64.115.91: https://www.virustot...91/information/

- http://centralops.ne...ainDossier.aspx
192.64.115.91
Registrar URL: http://www.godaddy.com
Registrar Abuse Contact Email: abuse@godaddy.com
Registrant Name: Registration Private - ?
Registrant Organization: Domains By Proxy, LLC
Registrant City: Scottsdale
Registrant State/Province: Arizona ..

efax Spam Containing Malware
- https://isc.sans.edu...l?storyid=18225
2014-06-08
> https://isc.sans.edu...Fax Message.PNG

- http://www.efax.com/...?tab=reportSpam
___

Hacking Apple ID?
- http://blog.trendmic...cking-apple-id/
June 5, 2014 - "... Apple’s 2014 Worldwide Developers Conference (WWDC) this week was welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals... How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult. We will likely see more attacks trying to steal Apple ID moving forward. For example, we can see routers** with malicious DNS settings being used in man-in-the-middle attacks to try and steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as more and more information is placed in it by users... Our advice is similar to those for any other credential that needs to be protected:
- Don’t reuse your password.
- Use a secure password/passphrase.
- Enable security features like two-factor authentication, if possible.
To be fair, some of these steps are harder to perform on a mobile device than a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass*), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like Apple ID – are a valuable target for cybercriminals..."
* https://itunes.apple...d598904988?mt=8

** http://blog.trendmic...s-turn-hostile/

iCloud: https://www.apple.co.../setup/ios.html
___

dedicatedpool .com.. spam or Joe Job?
- http://blog.dynamoo....or-joe-job.html
5 June 2014 - "... received a number of spam emails mentioning a Bitcoin mining website dedicatedpool .com, subjects spotted are:
    Subject: Bitcoins are around you - don't miss the train!
    Subject: Dedicatedpool .com business proposal (Save up on taxes)
    Subject: Make money with darkcoin and bitcoin now! ...
... the pattern of the spam looks like a Joe Job* rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
 In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool .com themselves, but is sent out by someone wanting to disrupt their business.
Note 1: I have seen the following IPs as originating the spam..
188.54.89.107
92.83.156.130
31.192.3.89
37.99.127.11
87.109.78.213
"
* https://en.wikipedia.org/wiki/Joe_job
___

Scammers bait users with FIFA Coins
- http://blog.malwareb...ith-fifa-coins/
June 4, 2014 - "To all gamers and enthusiasts of FIFA 14: Please be wary of sites claiming to generate coins for you for nothing. As the saying goes — If it sounds too good to be true, it probably is. Recently, we found one such site: fifa14cheats(dot)cheathacktool(dot)com.
> http://cdn.blog.malw...aksforemail.png
Once visited, it asks for an email address, and then, if provided, lets users decide on how many coins they want handed to them.
> http://cdn.blog.malw...6/03-finito.png
After users press “Finish Hack”, they are then presented with a survey -scam- that, as we may already know, will eventually lead to zero coins. There are -still- users who do not know this and had to find out the hard way unfortunately..."
 

Edited by AplusWebMaster, 09 June 2014 - 05:23 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1202 AplusWebMaster

Posted 06 June 2014 - 04:55 AM

FYI...

Fake Invoice - xls malware
- http://myonlinesecur...ke-xls-malware/
6 June 2014 - "June Invoice with a subject line of inovice <random number> June is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Note the spelling mistake in the subject line of the email inovice 9667444 June rather than invoice. Email simply says:

    This email contains an invoice file attachment

6 June 2014: invoice_9667444.zip ( 49kb) : Extracts to June_invoice_7846935978.xls.exe
Current Virus total detections: 1/51*
This June Invoice is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper xls (Microsoft Excel spreadsheet) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...b58a7/analysis/
___

Malicious major website ads lead to ransomware
Cisco said the attacks can be traced to advertisements on Disney, Facebook and The Guardian newspaper
- http://www.computerw...d_to_ransomware
June 6, 2014 - "Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found*... Cisco's investigation unraveled a technically complex and highly effective way for infecting large number of computers with ransomware, which it described in detail on its blog*... The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers... many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as "apps.facebook .com," "awkwardfamilyphotos .com," "theguardian .co.uk" and "go .com," a Disney property, among many others. Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains. The style of attack, known as "malvertising," has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren't foolproof... The 90 domains the malicious advertisements pushed traffic to had also been hacked..."
* https://blogs.cisco....kit-strikes-oil
June 5, 2014 - "... we have seen RIG using malvertising to perform a drive-by attack on visitors to high profile, legitimate websites. This accounts for the high amount of traffic we have seen in the last month... Requests for RIG landing pages April 24 - May 22:
> http://blogs.cisco.c...art-550x314.png
___

Fake Pirate Bay uses tricks to push PUS
- http://www.f-secure....s/00002711.html
June 6, 2014 - "This is piratebay.com
> http://www.f-secure....ratebay_com.png
It's a cheap knockoff imitation of The Pirate Bay*. If you "search" for something — you'll be offered a custom named executable to download. Buried at the bottom of the page is this disclaimer:
> http://www.f-secure...._disclaimer.png
"Additional software may be offered to you"? Yeah… indeed it will. And the "decline" button is white text on gray on more gray. Very duplicitous.
> http://www.f-secure....p_discovery.png
In all, several applications are installed. Given the target audience, this probably takes advantage of kids. Lame. To be avoided..."
* http://en.wikipedia..../The_Pirate_Bay
___

Preying on Insecurity: Placebo Applications ...
- http://www.fireeye.c...amazon-com.html
June 4, 2014 - "FireEye mobile security researchers recently uncovered, and notified Google and Amazon to take down, a series of anti-virus and security configuration apps that were nothing more than scams. Written easily by a thieving developer with just a few hundred lines of code then covered with a facade of images and progress bars, the seemingly useful apps for Android’s operating environment charge for installation and upgrade but do nothing. In other words, placebo applications. Fortunately all the applications have been removed from the Google Play store due to our discovery. Up to 50,000 downloads in some cases, these -fake- apps highlight how cybercriminals are exploiting the security concerns consumers have about the Android platform. In this case, we found five (!) fake antivirus apps that do nothing other than take a security-conscious user’s money, leave them unprotected from mobile threats, and earn a criminal thousands of dollars for little work... the paid versions of the apps were available for Google Play customers outside the US and UK, while users in the UK and US could choose the free versions with in-app upgrade options. Also available in third party markets such as appbrain.com[1] and amazon.com[2], the fraudulent apps ranged in price from free to $3.99. The applications included:
    Anti-Hacker PLUS (com.minaadib.antihackerplus) Price $3.99
    JU AntiVirus Pro (com.minaadib.juantiviruspro) Price $2.99
    Anti-Hacker (com.minaadib.antihacker) Free
    Me Web Secure (com.minaadib.mewebsecurefree) Free
    Me Web Secure Pro (com.minaadib.mewebsecure) Price $1.99
Taking full advantage of the legacy, signature-based approach mobile antivirus apps have adopted, that makes it hard for a user to tell if it really is working, total charges for these “security” apps ran into the thousands of US dollars in the Google Play store alone. This old security model puts users relying on such applications at risk, either because it incites them to download apps that simply don’t have functionality – as we see in this case – or they don’t provide adequate protection against today’s threats. Ultimately, users simply cannot tell when they are protected..."
___

Six governments tap Vodafone calls
- http://www.reuters.c...N0EH0UK20140606
Jun 6, 2014 - "The world's second-biggest mobile phone company Vodafone revealed government agencies in six unidentified countries use its network to listen to and record customers' calls, showing the scale of telecom eavesdropping around the world... While most governments needed legal notices to tap into customers' communications, there were six countries where that was not the case, it said... Vodafone did not name the six for legal reasons... The Vodafone report, which is incomplete because many governments will not allow it to disclose requests, also linked to already-published national data which showed Britain and Australia making hundreds of thousands of requests. It showed that of the countries in which it operates, EU member Italy made the most requests for communication data. Germany, which expressed outrage when it was revealed last year that U.S. intelligence services had listened into the calls of Angela Merkel, also made requests to listen in to conversations and collect the data around them, such as where the calls were made and how long they lasted. Vodafone received no requests from the government of the United States because it does not have an operating licence there. It exited a joint mobile venture with Verizon last year..."
 

Edited by AplusWebMaster, 07 June 2014 - 06:29 AM.



#1203 AplusWebMaster

Posted 08 June 2014 - 07:20 PM

FYI...

Fake Shell Oil Promo - Scam
- http://blog.malwareb...promo-419-scam/
June 8, 2014 - "From the spam traps, currently being sent out from a Gmail address:

HEAD OFFICE ADDRESS: PLOT 33, ABUBAKAR TAFAWA BALEWA WAY.
CENTRAL BUSINESS DISTRICT, CADASTRAL ZONE,
ABUJA, FEDERAL CAPITAL TERRITORY,
NIGERIA.
EMAIL: [snip]@ gmail .com
Cell Phone No: +[snip]
DEAR CUSTOMER,
How are you today? I am Dr. Emeka Emuwa, Director/Chief Executive Of
Union Bank PLC, I am delighted to inform you that this panel which
just concluded it’s seating today in Abuja just released your name
among the beneficiaries that has not received their payment, and this
time it has been approved to pay you via Diplomatic cash delivery or
through newly introduced ATM Master Card method, therefore indicate
your choice of receiving.
we have been mandated to pay you the sum of $10.5million from
international gaming board, which is your won prize money from Shell
oil promo that you won in the past 3years but fail to redeem it (your
prize money).
Warning: This will be the last time we will contact you in regards to
this transaction and you are hereby given 7 working days to claim your
won prize failure to claim your prize within the stipulated time will
amount to cancellation of your prize...


This is, of course, a 419 scam* and should be ignored (along with some of the slightly modified variants doing the rounds over the weekend). Note that the name they’re using to sign off with is a real person, in an attempt to bump up the authenticity quota. Despite this, there’s nothing genuine about the offer of large sums of cash and it can safely be discarded. Here are some tips for avoiding 419 scams, along with information on what to look out for. “If it sounds too good to be true…” "
* https://en.wikipedia.../wiki/419_scams
 



#1204 AplusWebMaster

Posted 09 June 2014 - 10:18 AM

FYI...

Fake ACH report – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 June 2014 - "ACH transaction failure report is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...     

ACH PAYMENT REJECTED
    The ACH Transaction (ID: 78751236216395), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason:  See details in the acttached report.
    Transaction Report:  report_78751236216395.pdf (Adobe Reader PDF)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


9 June 2014;  report_78751236216395.zip(310kb) : Extracts to report_46240876034052.scr
Current Virus total detections:  10/52* . This ACH transaction failure report is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...5cd2d/analysis/
___

Fake inovice 2110254 SPAM
- http://blog.dynamoo....-june-spam.html
9 June 2014 - "This terse but badly-spelled spam has a malicious attachment:
    Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
    From:      Ladonna Gray [wtgipagw@ airtelbroadband .in]
    Subject:      inovice 2110254 June
    This email contains an invoice file attachment


Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52*. Automated analysis tools are not able to determine exactly what the malware does."
* https://www.virustot...sis/1402318500/
___

Barclays Phish - “For Security Purposes, Your Account has been Locked”
- http://blog.malwareb...barclays-phish/
June 9, 2014 - "... simple phishing email currently in circulation which claims to be from Barclays:
> http://cdn.blog.malw...claysphish0.jpg
It reads:
    For security purposes, your online account has been locked.
    To restore your account, please click : Sign into My Barclays Account and proceed with the verification process.


Clicking the link will take the victim to a page most likely hosted on a compromised website.
> http://cdn.blog.malw...laysphish11.jpg
It asks for name, 5 digit passcode, DOB, telephone passcode, account number, sort code and debit card number. After filling in the relevant information and sending it to the phisher, the victim is redirected to a (legitimate) Barclays page about mortgages. If you or someone you know falls for this one, be sure to contact your bank as soon as possible so they can take the appropriate action. Phishing emails tend to have a little more effort put into them than this one, but the -fake- Barclays page is about as good as any other in terms of looking like the real thing. As always, avoid."
___

- http://msmvps.com/bl...on-android.aspx
Jun 8, 2014 - "... The best patching tool is still the human brain. Did you expect that email? Is it wise to open that attachment?
The bad guys know we have a hard time patching the human."
S. Bradley
 

Edited by AplusWebMaster, 09 June 2014 - 04:06 PM.



#1205 AplusWebMaster

Posted 10 June 2014 - 04:58 AM

FYI...

Fake Company Tax Return – PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 June 2014 - "Company Tax Return – CT600_4938297 June is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

    This email contains an Company Tax Return form file attachment

10 June 2014: invoice_4938297.zip (55kb)  Extracts to CT600_june_4323432432.pdf.exe
Current Virus total detections: 1/52* . This Company Tax Return – CT600_4938297 June is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...ce389/analysis/
___

Fake Voice mail SPAM - downloads malware from Dropbox
- http://blog.dynamoo....-mail-spam.html
10 June 2014 - "Another -fake- voice message spam, and another malware attack downloading from Dropbox.
    From:     Microsoft Outlook [no-reply@ victimdomain]
    Date:     10 June 2014 15:05
    Subject:     You have received a voice mail
    You received a voice mail : VOICE437-349-3989.wav (29 KB)
    Caller-Id: 437-349-3989
    Message-Id: U7C7CI
    Email-Id: [redacted]
    Download and extract the attachment to listen the message.
    We have uploaded fax report on dropbox, please use the following link to download your file:
    https ://www.dropbox .com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
    Sent by Microsoft Exchange Server


The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52*. Automated analysis... indicates that it downloads files from the following domains:
"
* https://www.virustot...sis/1402407401/

Dropbox phishing: Cryptowall, Bitcoins, and You
- http://phishme.com/i...itcoins/#update
Updated June 10 - "... the attackers have changed their tactics... the email is disguised as a voicemail notification..."
- http://phishme.com/b...-dropbox-links/
June 2, 2014
___

News Headlines for KULUOZ SPAM ...
- http://blog.trendmic...spam-campaigns/
June 10, 2014 - "Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy... a malware that is distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, as well as have the potential to turn that system into a part of the Asprox botnet itself... Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets...How they leverage the headlines themselves is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and implement it into the mail itself, in order to make itself look legitimate to the user as well as bypass spam filters. It seems that this malware also used CNN and BBC News as sources of news clip snippets, incorporated in their spam runs.
KULUOZ spam sample with “Knife attack at South China Station”
> http://blog.trendmic...09comment01.jpg
... we found that the spam email itself retains the previous template of shipping notifications, including that of Fedex and United States Postal Service.
KULUOZ spam sample with “Thai Coup news item”
> http://blog.trendmic...09comment02.jpg
... this may seem like a typical spam run that takes news headlines in order to bypass spam filters (as well as trick users into reading them), but it is worth noting that the malware being used can compromise the security of unsecured systems should it be allowed to take root. The continued use of news headlines is also something to bear in mind, in that it is proof that as long as there is news to talk about, there will be threats that take advantage of them..."
___

Corporate cyber-espionage ...
Internet postings link a Chinese hacking group to a military unit
- https://www.computer...cyber_espionage
June 9, 2014

- http://resources.cro...om/putterpanda/
June 9, 2014 - "Putter Panda is a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd Department 12th Bureau Unit 61486. The PLA’s General Staff Division (GSD) Third Department appears to be China’s primary SIGINT collection and analysis agency. The 12th Bureau, Unit 61486, headquartered in Shanghai’s Chabei District, supports China’s space surveillance network. They are a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications. The group has been operating since at least 2007 and has been observed heavily targeting the US Defense and European satellite and aerospace industries. They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.
CrowdStrike identified Chen Ping, aka cpyy, a suspected member of the PLA responsible for procurement of the domains associated with operations conducted by Putter Panda."
 

Edited by AplusWebMaster, 11 June 2014 - 04:34 AM.



#1206 AplusWebMaster

Posted 11 June 2014 - 04:53 AM

FYI...

Fake Invoice/Billing SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 June 2014 - "Focus Accounts Electronic Invoice and Billing Information for FC4800 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

Please find attached your May Invoice and, if you have requested them, additional reports relating to the call and line charges on this bill.
Don’t Forget – We provide a host of other products and services including:
Telephone Systems & Maintenance (both traditional and VoIP)
Office Cabling (Cat5)
IT Support & Maintenance, IT Equipment & Installation
Cloud Computing, Hosted Solutions, Data Backup & Antivirus
Broadband, FTTC, EFM, MPLS & Leased Lines
Mobile Phones & Mobile Broadband
Non-Geographic Numbers (0800, 0845, 0844, 0871)
Inbound and Call Centre Solutions
Web Design & Hosting, Search Engine Optimisation (SEO)
Gas & Electricity Procurement
If you have any problems opening the file(s), or would like to discuss your bill, please call us or reply to this email.
Kind Regards,
Focus Billing.


11 June 2014 : 211852.zip ( 57kb) : Extracts to report_92da3ec16736842.pdf.exe:
Current Virus total detections: 2/53* . This Focus Accounts is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...20110/analysis/
___

Fake RBS SPAM spreads malware via Cubby .com
- http://blog.dynamoo....alware-via.html
11 June 2014 - "This -fake- bank spam downloads malware from file sharing site cubby .com:
    From:     Sammie Aaron [Sammie@ rbs .com]
    Date:     11 June 2014 12:20
    Subject:     Important Docs
    Please review attached documents regarding your account.
    To view/download your documents please click here
    Tel:  01322 215660
    Fax: 01322 796957
    email: Sammie@ rbs .com
    This information is classified as Confidential unless otherwise stated. 



The download location is [donotclick]www .cubby .com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has a VirusTotal detection rate of just 1/54*. Automated analysis... shows that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)
"
* https://www.virustot...sis/1402490061/
___

Fake Booking .com email - attached ZIP file contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 11, 2014 - "... new trojan distribution campaign by email with the subject 'Reservation for Thursday, June 12, 2014 BN_4914940'...

Screenshot: http://img.blog.mxla...g_com_virus.gif

The attached ZIP file has the name BN_4914940.zip and contains the 95 kB large file report_92da3ec16736842.pdf.exe. Please note that the numbers in the subject, message or attachment may vary with each email. The trojan is known as PWSZbot-FXE!3B53E958ECF1  or TrojanSpy.Zbot.herw. At the time of writing, 2 of the 51* AV engines did detect the trojan at Virus Total... Remove the email immediately from your computer. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustot...sis/1402480105/

** https://malwr.com/an...jQ4MmVlOWMzOWY/
 

Edited by AplusWebMaster, 11 June 2014 - 12:51 PM.

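The "spoofed icon" attachments recurring in posts #1202, #1204, #1205 and #1206 above (a small ZIP holding one executable named like a document: invoice_..._pdf.exe, June_invoice_....xls.exe, report_....scr) can be screened at the mail gateway without opening anything. Added example, not code from any of the quoted blogs; the member names are the ones quoted in the thread, while the archive contents are constructed stubs and the subject regex is an assumption based on the two subjects shown.

```python
# Added example (not from the quoted blogs): screen a ZIP e-mail attachment
# for the double-extension / executable-in-ZIP pattern seen in the thread.
# Archive contents below are constructed stub bytes, not the real samples.
import io
import re
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx", "wav"}

# Subject shape quoted in the thread ("inovice 9667444 June"); assumption:
# both spellings are accepted because digits-plus-month is the real tell.
CAMPAIGN_SUBJECT = re.compile(r"^\s*in(?:ov|vo)ice\s+\d{6,}\s+june\s*$", re.I)


def subject_matches_campaign(subject: str) -> bool:
    """True when the subject line looks like the invoice bot run."""
    return CAMPAIGN_SUBJECT.match(subject) is not None


def classify_member(name: str) -> dict:
    """Judge one archive member by its name alone (no extraction)."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + parts[-1])
        # Two spellings seen: "...pdf.exe" and "..._pdf.exe" (joined by "_")
        stem = parts[-2] if len(parts) >= 3 else parts[0].rsplit("_", 1)[-1]
        if stem in DOCUMENT_EXTS:
            reasons.append("document-looking name before ." + parts[-1])
    return {"name": base, "suspicious": bool(reasons), "reasons": reasons}


def screen_zip(data: bytes) -> dict:
    """Inspect ZIP bytes in memory; nothing is written to disk or executed."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_member(info.filename)
            # Windows executables start with "MZ"; only two bytes are read,
            # which catches a PE hiding under an innocent-looking name.
            with zf.open(info) as fh:
                verdict["pe_header"] = fh.read(2) == b"MZ"
            if verdict["pe_header"] and not verdict["suspicious"]:
                verdict["suspicious"] = True
                verdict["reasons"].append("PE header under non-executable name")
            members.append(verdict)
    # Every sample in the thread is a single-member archive
    return {
        "suspicious": any(m["suspicious"] for m in members),
        "single_member": len(members) == 1,
        "members": members,
    }


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test input: one-member ZIP holding harmless stub bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Names quoted in the thread; contents are constructed stubs
    samples = {
        "invoice_9667444.zip": ("June_invoice_7846935978.xls.exe", b"MZ\x90\x00 stub"),
        "report_78751236216395.zip": ("report_46240876034052.scr", b"MZ\x90\x00 stub"),
        "invoice_2110254.zip": ("invoice_98372342598730_pdf.exe", b"MZ\x90\x00 stub"),
        "benign.zip": ("statement.pdf", b"%PDF-1.4 stub"),
    }
    for attachment, (member, body) in samples.items():
        result = screen_zip(build_sample_zip(member, body))
        print(attachment, "->", result["members"][0]["reasons"] or "clean")
```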


#1207 AplusWebMaster

Posted 12 June 2014 - 05:04 AM

FYI...

pcwelt .de hacked - serving Angler EK on 91.121.51.237
- http://blog.dynamoo....9112151237.html
12 June 2014 - "The forum of popular German IT news site pcwelt .de has been -hacked- and is sending visitors to the Angler exploit kit. Visitors to the forum are loading up a compromised script hxxp ://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code... which uses a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:
[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]
The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting .net:2980/meuu5z7b3w.php ... which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK...
Recommended blocklist:
91.121.51.237
type2consulting .net
valueoptimizationfrontier .com
typetwoconsulting .com
afiduciaryfirst .com
7411447a .pw
31674ec .pw
e4ae59eb .pw
95bded0e .pw

(and if you can block all .pw domains then it is probably worth doing that too)...
(More detail and lists at the dynamoo URL above.)
Thanks to the #MalwareMustDie crew* and Steven Burn for help with this analysis."
* https://twitter.com/...ustDie?src=hash
___

Fake World Cup 2014 apps ...
- http://blog.trendmic...-cup-2014-apps/
June 12, 2014 - "... Besides recently flooding the internet with phishing scams and the taking down of two Brazilian government sites by hacktivists (the Sao Paulo Military Police website and the official World Cup 2014 Brazil website), cybercriminals are also targeting the mobile scene with scads of World Cup-themed mobile malware - more than 375 of them already at last count. We found these malicious apps lurking in unauthorized/third party app download stores, just waiting for users to install them on their mobile devices. Upon analysis, we found that the bulk of the malware in question are variants of prevalent mobile malware families... the remote server the apps connect to has 66 different domains, with each domain -spoofing- famous websites like MtGox .com...
Fake World Cup game apps:
> http://blog.trendmic...6/football4.jpg
.
> http://blog.trendmic...6/football5.jpg
... We also found that the C&C servers in question were also used to host third-party app download websites, where most apps are repacked with advertisements and information theft routines... Some football betting apps have also been found leaking information without user notification, as well as blatant security risks in their micropayment process. We advise users to be very careful with their financial and personal information when using these apps (or not to use them at all). Besides these malware, we also found quite a few high-risk apps also themed after the World Cup. Most, if not all, sport some sort of information theft routine, as well as pushing ad notifications/unwanted app advertisements. While it may be a fact of life that big sporting events like these will inevitably have some sort of cybercriminal attack or campaign following close behind, being a victim of them isn’t..."
___

Malwarebytes anti-exploits service protects Windows XP users from attacks
Covers popular targets including Microsoft Office, Java and Adobe
- http://www.theinquir...rs-from-attacks
Jun 12 2014 - "... Malwarebytes has launched anti-exploit services* to protect Windows users from hacking attacks on vulnerabilities in popular targets including Microsoft Office, Adobe software products and Java, a service which even offers protection for Windows XP users. Consumer, Premium and Corporate versions of the service are available, and are designed to pre-emptively stop hackers from infecting Windows machines with malware... The Consumer version of the anti-exploit service is free and offers basic browser and Java protection..."
* http://blog.malwareb...s-anti-exploit/

- http://www.malwareby...rg/antiexploit/
"... Malwarebytes Anti-Exploit wraps three layers of security around popular browsers and applications, preventing exploits from compromising vulnerable code. Not an antivirus, but compatible with most antivirus, Malwarebytes Anti-Exploit is a small, specialized shield designed to protect you against one of the most dangerous forms of malware attacks. And it’s free."

Download: http://downloads.mal...s.org/file/mbae
___

Fake emails using false Intuit email address
- https://security.int...alert.php?a=106
6/11/2014 - "People are receiving fake emails claiming to be from Intuit - that are advertisement emails for services, such as auto and air conditioning repair. These emails are using a fake email address indicating they are coming from Intuit. These emails are -not- from Intuit and the email address "info @ intuit .com" is -not- an Intuit email address.
Steps to Take Now:
> Do not open the attachment in the email...
> Delete the email.

On the Internet, "phishing" refers to criminal activity that attempts to fraudulently obtain sensitive information...
 



Edited by AplusWebMaster, 12 June 2014 - 01:36 PM.



#1208 AplusWebMaster

Posted 13 June 2014 - 05:45 AM

FYI...

Something evil on 64.202.123.43 and 64.202.123.44
- http://blog.dynamoo....212343-and.html
13 June 2014 - "This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it. The source of the infection seems to be a -malvertisement- on one of those sites with an immensely complicated set of scripts running on all sort of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing. In this case, the visitor gets directed to a page at 12ljeot1.wdelab .com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving. What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services. A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite the bad guys' efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report* shows indications of the Fiesta EK. The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot six domains being abused:
theholdens .org
denytech .com
jonmills .org
wdelab .com
dimatur .pt
hebel .ch
A full list of the subdomains that I have found so far can be found here [pastebin]**.
A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this whole range. Else, I would recommend the following minimum blocklist:
64.202.123.43
64.202.123.44
theholdens .org
denytech .com
jonmills .org
wdelab .com
dimatur .pt
hebel .ch
"
1] https://www.virustot...43/information/

2] https://www.virustot...44/information/

3] http://urlquery.net/...14-06-13&max=50

* http://urlquery.net/...d=1402529850112

** http://pastebin.com/S4Ek7tcb
___

Something suspect on 38.84.134.0/24
- http://blog.dynamoo....3884134024.html
13 June 2014 - "This attack (assuming it is an attack) revolves around a bunch of domains hosted in 38.84.134.0/24 (HostZealot, UK). It starts when a visitor visits the website click-and-trip .com hosted on 38.84.134.46 which purports to be some sort of hotel reservation system.
> https://4.bp.blogspo...ck-and-trip.jpg
However, this URLquery report* also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas .eu/yo416f8/counter.php?id=5 on 38.84.134.171 but this is one of those cases where the landing page seems to change quickly... We can also check the IP's reputation at VirusTotal** and it doesn't look great. However, if we extend a look to neighbouring servers, we can see a similar pattern of domains all the way from 38.84.134.162 to 38.84.134.171... A look at all the hosts I can find in this range... shows nothing of value, and a load of cybersquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...d=1402655467225

** https://www.virustot...71/information/
___

"Equity Investment Limited" lottery scam - still around after more than a decade
- http://blog.dynamoo....ttery-scam.html
13 June 2014 - "... a non-existent UK National Lottery / FIFA Brazil 2014 World Cup scam..
> https://1.bp.blogspo...FICATIONJPG.JPG
The scam is purportedly from a "Mrs Hilda Adams" and references a -fake- company:
Equity Investment Limited
132 Blackburn Road
Bolton
BL7 9RP
England
UK
Tel: 00447924556231
Email: uklclaims@ mail .com
Some key parts of the email are:
Reference: EKS255125600304
Ticket number: 034-1416-4612750
But search for "Equity Investment Limited" on just about any search engine and the first hit you will get is an article I wrote way back in 2003* about a lottery scam using a company of exactly the same name. The email address is a throwaway free email account, the telephone number looks like it is British but in fact it is a forwarding number provided by Cloud9** which could potentially forward calls to anywhere in the world. This type of "follow me anywhere" number is often abused by scammers. As for the address.. well, it's unlikely that whoever lives at that address is anything to do with this at all. Luckily, most people who run lottery scams have the intelligence of a box of rocks. And it seems that quite a few of their victims have heard of a thing called a search engine.."
* http://www.dynamoo.c...ment_org_uk.htm

** https://en.wikipedia.org/wiki/Cloud9

Labels: 419, Advanced Fee Fraud, Lottery Scam, Spam
 



Edited by AplusWebMaster, 13 June 2014 - 11:00 AM.


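The two dynamoo write-ups above (Angler EK on pcwelt .de in post #1207, Fiesta EK behind short-lived subdomains in post #1208) both end in blocklists, and the Angler one also gives the shape of the DGA landing URL. The script below is an added example of turning those indicators into a check over proxy-log lines; it is not code from the posts or from dynamoo. The log layout (timestamp, client, method, URL, destination IP), the helper names and the sample lines are constructed assumptions, and the placeholder destination IPs for the clean lines are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Indicator matching over proxy-log lines, using the Angler EK and Fiesta EK
indicators quoted in the two posts above.

Added example, not code from the posts or from dynamoo.  The log format, the
helper names and the sample lines are constructed assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above (defanging spaces removed).
BLOCK_IPS = {"91.121.51.237", "64.202.123.43", "64.202.123.44"}
BLOCK_CIDRS = [ipaddress.ip_network(c) for c in ("64.202.123.0/24", "38.84.134.0/24")]
BLOCK_DOMAINS = {
    "type2consulting.net", "valueoptimizationfrontier.com", "typetwoconsulting.com",
    "afiduciaryfirst.com", "7411447a.pw", "31674ec.pw", "e4ae59eb.pw", "95bded0e.pw",
    "theholdens.org", "denytech.com", "jonmills.org", "wdelab.com", "dimatur.pt", "hebel.ch",
}
BLOCK_TLDS = {"pw"}  # the Angler post suggests blocking all .pw if you can

# Shape of the Angler landing URL given in the post:
#   [7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]
ANGLER_HOST = re.compile(r"^[0-9a-f]{7,8}\.pw$")
ANGLER_QUERY = re.compile(r"^0\.\d+$")


def classify_url(url, dst_ip=None):
    """Return the list of reasons a request should be blocked ([] if clean)."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")

    # Domain list: match the host itself or any parent domain.  Both kits
    # rotate subdomains; the registered domain is what you actually block.
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in BLOCK_DOMAINS:
            reasons.append(f"blocked domain {parent}")
            break
    if labels[-1] in BLOCK_TLDS:
        reasons.append(f"blocked TLD .{labels[-1]}")

    # Angler DGA landing page: short hex .pw host, fixed path, "0.<number>" query.
    if ANGLER_HOST.match(host) and parts.path == "/nbe.html" and ANGLER_QUERY.match(parts.query):
        reasons.append("Angler EK DGA landing URL")

    # IP checks: a literal-IP host, or the resolved destination from the log.
    seen = set()
    for cand in (host, dst_ip):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:  # not an IP literal (hostname, empty, None)
            continue
        if ip in seen:
            continue
        seen.add(ip)
        if str(ip) in BLOCK_IPS:
            reasons.append(f"blocked IP {ip}")
        else:
            for net in BLOCK_CIDRS:
                if ip in net:
                    reasons.append(f"IP {ip} in blocked range {net}")
                    break
    return reasons


# Constructed sample log: "timestamp client method url dst_ip".  Line 1 is the
# compromised pcwelt.de script itself, which no indicator covers; that is the
# point - you block the kit infrastructure, not the hacked site.
SAMPLE_LOG = """\
1402560000.101 10.0.0.5 GET http://www.pcwelt.de/forum/map/vbulletin_sitemap_forum_13.xml.js 203.0.113.10
1402560000.202 10.0.0.5 GET http://7411447a.pw/nbe.html?0.3852 198.51.100.20
1402560000.303 10.0.0.5 GET http://exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php 91.121.51.237
1402560001.404 10.0.0.9 GET http://12ljeot1.wdelab.com/ijvdg2k/2 64.202.123.43
1402560001.505 10.0.0.9 GET http://asasas.eu/yo416f8/counter.php?id=5 38.84.134.171
1402560002.606 10.0.0.9 GET https://www.example.com/ 203.0.113.11
"""


def scan_log(text):
    """Return [(line_number, url, reasons)] for every line that matched something."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url, dst_ip = fields[3], fields[4]
        reasons = classify_url(url, dst_ip)
        if reasons:
            hits.append((n, url, reasons))
    return hits


if __name__ == "__main__":
    for n, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url}\n    " + "\n    ".join(reasons))
```

The parent-domain walk matters more than the exact list: both posts show the kits churning through subdomains (`exburge-deinothe.`, `12ljeot1.`) of a handful of registered domains, so matching only full hostnames would miss the next rotation. The DGA regex is the one URL shape the post describes and nothing more; a changed path or query will slip past it, which is why the IP and range checks run as well.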

#1209 AplusWebMaster

Posted 16 June 2014 - 01:08 PM

FYI...

Fake Simply Business SPAM – malware
- http://myonlinesecur...2715xb-malware/
16 June 2014 - "'Please fill in your Employer Reference Number, policy – MQBI352715XB' pretending to come from Simply Business insurance company is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This set of emails with the subject of 'Please fill in your Employer Reference Number, policy – MQBI352715XB < numbers vary>' is targeted at employers and small business rather than consumers. I cannot get any payload or malware. The links all lead to -compromised- websites or servers and all go to pages called hxxp ://<  name of website >/err_log/sub/activate.html where a simple script -bounces- you on to hxxp :// 62.76.44.211 :8080/inbound.php which at this time is not responding. We believe this is likely to be one of the -exploit- kits that will attempt to install cryptowall on your computer, if you have a -vulnerable- version of Java, Flash, Adobe PDF reader or Microsoft Silverlight... The email looks like:
    You’re receiving this important service message as a Simply Business customer with Employers’ Liability insurance
    View it in your browser ...

[See image at the myonlinesecurity URL above.]

... look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."

- http://centralops.ne...ainDossier.aspx
62.76.40.0 - 62.76.47.255
descr:          IT House, Ltd
country:        RU ...
address:        195427, St. Petersburg, Russia
route:          62.76.40.0/21
descr:          IT House, Ltd
origin:         AS48172 ...

- https://www.google.c...c?site=AS:48172
"... over the past 90 days, 163 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-06-16, and the last time suspicious content was found was on 2014-06-16... Over the past 90 days, we found 35 site(s).. that appeared to function as intermediaries for the infection of 171 other site(s)... We found 26 site(s)... that infected 310 other site(s)..."
___

Hacks steal Dominos Pizza customer data in Europe, ransom sought
- http://www.reuters.c...N0ER1TF20140616
Jun 16, 2014 - "Hackers have stolen data on more than 600,000 Dominos Pizza Inc customers in Belgium and France, the pizza delivery company said, and an anonymous Twitter user threatened to publish the data unless the company pays a cash ransom. Customer names, delivery addresses, phone numbers, email addresses and passwords were taken from a server used in an online ordering system that the company is in the process of replacing, Dominos spokesman Chris Brandon said on Monday. He said he did not know if the stolen passwords had been encrypted. A Tweet directed at Domino's customers through an account of somebody listed as "Rex Mundi" said hackers would publish the customer data on the Internet unless the company pays 30,000 euros ($40,800), according to an article in The Telegraph. The Rex Mundi account was later suspended. Brandon said he was not familiar with the ransom demands, but that the company would not be making any such payment..."
 



Edited by AplusWebMaster, 16 June 2014 - 01:27 PM.



#1210 AplusWebMaster

Posted 17 June 2014 - 04:54 AM

FYI...

New banker trojan - Dyreza / delivered by SPAM
- https://www.csis.dk/en/csis/news/4262/
2014-06-16 - "We have been analyzing a new piece of banking malware, which is targeting some major online banking services. Among many, we have verified the following to be on the target list:
Bank of America
Natwest
Citibank
RBS
Ulsterbank

The code is designed to work similar to ZeuS and as most online banking threats it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware. The malware is being delivered through -spam- campaigns. We have seen various subjects such as: "Your FED TAX payment ID [random number]" and "RE: Invoice #[random number]". The primary target appears to be the UK. We have seen RBS to be a specific target with the content:
"Please review attached documents regarding your account
To view/download your documents please click here
Tel: 01322 247616
Fax: 01322 202705
email: Leonel@ rbs .com
This information is classified as Confidential unless otherwise stated."


The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA * ... Our intel shows that the group behind these attacks is likely to push/distribute a new campaign as a "Flash Player update". Still it's unclear if this is provided as a "Crime as a Service" or if it's a full circle criminal outfit. We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code. CSIS would like to credit the following blog/analysis:
- http://phishme.com/p...s-bypasses-ssl/ "
"... block the IPs 85.25.148.6, 217.12.207.151, and 192.99.6.61 ..."

* https://en.wikipedia..._authentication

- https://www.computer...malware_emerges
June 17, 2014
___

Fake Voicemail recived - malware exploit
- http://myonlinesecur...alware-exploit/
17 June 2014 - "... from yesterday's Simply Business attack we have the same attack with a subject New voicemail recived pretending to come from YouMail which is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... we are unable to get any malware payload from it... Email looks like:

Screenshot: https://encrypted-tb...X9hcV0N81l7ftlL
... You have received a Voicemail. Follow the link below to listen to it

... these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day... make sure you have “show known file extensions enabled“... look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
___

Spamvertised ‘June invoice” themed emails lead to malware
- http://www.webroot.c...s-lead-malware/
June 17, 2014 - "Cybercriminals continue spamvertising tens of thousands of malicious emails on their way to socially engineer gullible end users, ultimately increasing their botnet’s infected population... recently intercepted a currently circulating malicious campaign enticing users into executing the fake attachment. Detection rate for a sampled malware: MD5: 8b54dedf5acc19a4e9060f0be384c74d – detected by 43 out of 54 antivirus scanners* as Backdoor.Win32.Androm.elwa... Once executed MD5: 8b54dedf5acc19a4e9060f0be384c74d** ...
It then phones back to the following C&C servers:
hxxp ://62.76.189.58 :8080/dron/ge.php
hxxp ://62.76.41.73 :8080/tst/b_cr.exe
62.76.41.73
62.76.185.30
95.101.0.115

... Detection rate for the dropped sample: MD5: 596ba17393b18b8432cd14a127d7c6e2 – detected by 36 out of 54 antivirus scanners as Trojan-Spy.Win32.Zbot.tfdc ... Related malicious MD5s known to have phoned back to the same C&C server (62.76.41.73) ... Related malicious MD5s known to have phoned back to the same C&C server (95.101.0.115) ..."
* https://www.virustot...sis/1403011569/
"... invoice_pdf.exe ..."

** https://www.virustot...1908d/analysis/

*** https://www.virustot...f68a2/analysis/

62.76.189.58: https://www.virustot...58/information/
62.76.41.73: https://www.virustot...73/information/
62.76.185.30: https://www.virustot...30/information/
95.101.0.115: https://www.virustot...15/information/
___

Fake Virgin Media SPAM - malware exploit
- http://myonlinesecur...alware-exploit/
17 June 2014 - "... Virgin Media Automated Billing Reminder pretending to come from Virgin Media Online Services [billing@ virginmedia .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Once again we are unable to get any malware payload from it because the sites insist on some vulnerable software which we don’t have installed. There is an alternative version spreading with a subject of British Gas bill payment. pretending to come from British Gas [services@ britishgas .co.uk] but with exactly the same virgin media email. Email looks like:

Virgin Media Automated Billing Reminder
> https://t2.gstatic.c...n Media Web.jpg
Date 17th June 2014
This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:
    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address.
Login  to e-Billing
Once logged in you will need to fill in the required fields, please ensure all address and contact details are up to date, once submitted your account details will automatically be updated within 24 Hours.
Kind Regards,
Virgin Media
Customer Services Team
Ellis Willis


All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... make sure you have “show known file extensions enabled“... If it says .EXE then it is a problem and should -not- be run or opened."
 



Edited by AplusWebMaster, 17 June 2014 - 02:55 PM.



#1211 AplusWebMaster

Posted 18 June 2014 - 05:32 AM

FYI...

Fake Customer Daily Statement - XLS malware
- http://myonlinesecur...ke-xls-malware/
18 June 2014 - "Customer Daily Statement pretending to come from Berkeley Futures Limited [trade@ bfl .co.uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... This email has a zip attachment that requires you to use the password in the body of the email to open the zip file ( hopefully this will slow down & make you think and help protect you). The zip contains 2 files: what appears to be a genuine PDF statement and a file suggesting it is a Microsoft XLS (Excel) file which is in fact a renamed .exe malware. Email reads:

    Attached is your daily statement and payment request form for May 2014.
    Please fulfill payment request form and send it back. The attached zip archive is secured with personal password.
    Password: XL6Fs#
    Berkeley On-line and Berkeley Equities are trading names of Berkeley Futures Limited. Berkeley Futures Limited is authorised and regulated by the Financial Conduct Authority (Registered no. 114159) © 2012 Berkeley Futures Limited


18 June 2014: XCU01.zip : Extracts to   request_form_8943540512.xls.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1403073130/
___

Pinterest and Tumblr Accounts Compromised to Spread Diet Pill Spam
- http://www.symantec....-diet-pill-spam
Updated: 18 Jun 2014 - "Over the weekend, a large number of Pinterest accounts were compromised and used to pin links to a miracle diet pill spam called Garcinia Cambogia Extract. Since most of the compromised accounts were linked to Twitter, these spam “pins” on Pinterest were also cross-posted to Twitter... The main reason spammers go through all of these hoops is to evade spam filters on social networks. On Pinterest, plenty of users pin posts from Tumblr blogs. On Tumblr, a redirect script called 'tumblr-redirect.js' hosted on Dropbox is inserted into each Tumblr page.
Are Twitter accounts compromised?
It does not appear so. Most of the tweets we have seen show they were shared through Pinterest and not Twitter. Symantec Security Response recommends the following tips for Pinterest, Tumblr, and Twitter users:
- Make sure your password on all these services are strong and unique*
- Tumblr users should enable two-factor authentication**
- Twitter users should revoke and reauthorize access to the Pinterest application "
* https://identitysafe...sword-generator

** http://www.tumblr.co...ccount_security
___

Fake Wells Fargo SPAM - malicious PDF file
- http://blog.dynamoo....s-spam-has.html
17 June 2014 - "This -fake- Wells Fargo spam comes with a malicious PDF attachment:
    From:     Raul.Kelly@ wellsfargo .com
    Date:     17 June 2014 18:50
    Subject:     Important docs
    We have received this documents from your bank, please review attached documents.
    Raul Kelly
    Wells Fargo Accounting
    817-713-1029 office
    817-306-0627 cell Raul.Kelly@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51*. The Malwr report doesn't say much but can be found here**."
* https://www.virustot...sis/1403031721/

** https://malwr.com/an...zdmMDA5YzZkN2I/
___

Fake Payment Overdue SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 June 2014 - "Payment Overdue - Please respond pretending to come from Payroll Invoice [payroll@intuit.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    We have uploaded previous month reports on dropbox, please use the
    following link to download your file:
    https ://www.cubby .com/pl/Document_772-998.zip/_666f6271a7a8418a9881644fdcae6e1f
    Sincerely,
    Gabriel Preston
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY...


18 June 2014: Document_772-998.zip (8kb) : Extracts to Document_772-998.scr
Current Virus total detections: 2/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."    
* https://www.virustot...79ab7/analysis/  
___

Fake Lloyds Bank SPAM
- http://blog.dynamoo....e-customer.html
18 June 2014 - "Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
     From:     Lloyds Bank Commercial Finance [customermail@ lloydsbankcf .co.uk]
    Date:     18 June 2014 12:48
    Subject:     Customer Account Correspondence
    This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.
    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please contact the individual or customer care team whose details appear on the statement.
    This email message and its attachment has been swept for the presence of computer viruses.
    Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance .co.uk


Ensuring that your PDF reader is up-to-date may help to mitigate against this attack."
___

Fake Xerox WorkCentre Spam...
- http://blog.dynamoo....workcentre.html
18 June 2014 - "The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.
    From:     Xerox WorkCentre
    Date:     18 June 2014 13:41
    Subject:     Scanned Image from a Xerox WorkCentre
    It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [redacted]
    Number of Images: 0
    Attachment File Type: PDF
    WorkCentre Pro Location: Machine location not set
    Device Name: [redacted]
    Attached file is scanned image in PDF format...


The payload is a malicious PDF that is identical to the HSBC and Lloyds spams."
___

Fake Electro Care SPAM - XLS malware
- http://myonlinesecur...ake-xlsmalware/
18 June 2014 - "Invoice from Electro Care Electrical Services Ltd is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like :
    This invoice is the oldest and we did receive a cheque if £4900.00 On the 16/04/14
    Please not that they have deducted CIS at 20% on the above payment so the total amount applied to this invoice is £5400.00.
    Any question then please call me.
    This message contains Invoice #03974 from Electro Care Electrical Services Ltd.  If you have questions about the contents of this message or Invoice, please contact Electro Care Electrical Services Ltd.
    Electro Care Electrical Services Ltd
    Unit 18
    Lenton Business Centre
    Lenton Boulevard
    Nottingham
    NG7 2BY
    T: 01159699638 F: 01159787862 ...


18 June 2014: ECE03974.zip (57kb) : Extracts to Electro Care Electrical Services Ltd invoice.scr
Current Virus total detections: 3/54* . Invoice from Electro Care Electrical Services Ltd is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper XLS  file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...b51f8/analysis/
___

Fake HSBC SPAM...
- http://blog.dynamoo....ost-recent.html
18 June 2014 - "This convincing looking bank spam comes with a malicious PDF attachment:
From:     HSBC.co.uk [service@ hsbc .co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment
HSBC Logo
You have a new e-Message from HSBC .co.uk
This e-mail has been sent to you to inform you that we were unable to process your most recent payment.
Please check attached file for more detailed information on this transaction.
Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69 ...


Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53*. The Malwr report does not add much but can be found here**."
* https://www.virustot...sis/1403092029/

** https://malwr.com/an...GY3OGI5MzdiOWM/
___

Android ransomware uses TOR
- http://blog.trendmic...mware-uses-tor/
June 17, 2014 - "... samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface that notifies the user that their device has been locked down, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay would result in the destruction of all data in the mobile device. Examples of apps we’ve seen display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores... The user will be asked to pay to account 79660624806/79151611239/79295382310 by QIWI or 380982049193 by Monexy within 48 hours. This UI will also keep popping up, thus preventing the user from being able to use their device properly... we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware... How to Remove this Ransomware: For users whose devices are infected with this ransomware, the malicious app can be manually removed through the Android Debug Bridge. The adb is part of the Android SDK*, which can be freely downloaded from the Android website..."
* http://developer.and...s/help/adb.html
 



Edited by AplusWebMaster, 18 June 2014 - 02:27 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1212 AplusWebMaster


Posted 19 June 2014 - 04:11 AM

FYI...

Netflix – Phish...
- http://myonlinesecur...tflix-phishing/
19 June 2014 - "An email received with a subject saying Your Netflix Account Requires Validation that is -spoofed- to appear to come from NETFLIX [secure@ netflix .co.uk]. This is a new one on us. It is the first time I have seen a phish trying to get your Netflix log in details. The site in the link looks at first glance to be genuine. But if you look carefully, you will see the genuine Netflix site is - https://www.netflix....in?locale=en-GB
This -fake- phishing site is http ://netflix-user .com/<lots of random characters>/Login.htm

 

The urls are very similar and show how careful you must be to make sure that you are on a genuine site and why you should -never- respond to emails asking for log in details...
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your account Failure to complete the validation process will result in a suspension of your netflix membership. We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team


If you follow the link you see a webpage looking like:
> http://myonlinesecur...ishing-site.png ..."
 





#1213 AplusWebMaster


Posted 20 June 2014 - 06:23 AM

FYI...

Password Protected Malware
- http://blogs.apprive...otected-Malware
Jun 18, 2014 - "... a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient though, which should be a red flag to users. A file will normally be encrypted when a password is used, making scanning inside an archive for malware not possible unless a user inputs the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.
> http://blogs.apprive...resized-600.PNG
The attached file contains 2 actual files inside. One is an scr file and the other is a pdf file of a fake invoice. The first interesting thing was that the file had a .zip extension, but it was actually a Rar file (First few bytes are RAR! instead of PK for zip). This could have been on purpose as some attempt to avoid some scanner, or an accident when they created the archive. Rar malware is much less common than zip malware since zip files work natively on most systems... The -fake- Spreadsheet in the archive is the scr executable. The file shows a compile date of 5/25/2014 and has a VirusTotal score of 3/52 AV engines. Upon opening the file, it turns out it is a Trojan downloader and it reaches out to the internet (62.76.43.110; Russian IP) and downloads a 220kb “1.exe” file that had an Amazon logo for an icon. This file has the same compile date as above and a capture rate of 5/52 on VirusTotal. The AV engines classify it as a Zbot. When running this exe, it tries to reach out to another Russian IP but no connection could be established... The zbot is a common piece of malware we see due to its main purpose of being built to steal money, meaning it can be very profitable for the people behind malware campaigns. A good bit of advice with password protected zips is that if the password is in the email, that sort of defeats the whole reason of being secure and having a password. I would suggest people be cautious of any files from unknown senders but especially wary of password protected zips with the password in the body. Using a protected zip is a common way for malware authors to try and sneak through any malware filtering a company may be using. Currently we are blocking this malware with over 40,000 hits so far this morning."
(More detail and screenshots at the appriver URL above.)

62.76.43.110: https://www.virustot...10/information/
___

Spamvertised ‘Customer Daily Statement’ emails lead to malware
- http://www.webroot.c...s-lead-malware/
June 20, 2014 - "... persistent spamvertising of tens of thousands of fake emails, for the purpose of socially engineering gullible end users into executing the malicious attachments found in the rogue emails. We’ve recently intercepted a currently circulating malicious campaign, impersonating Berkeley Futures Limited, tricking users into thinking that they’ve received a legitimate “Customer Daily Statement”.
More details: Sample screenshot of the spamvertised email:
> https://www.webroot....ley_Futures.png
Detection rate for a sampled malware: MD5: b05ae71f23148009c36c6ce0ed9b82a7 – detected by 29 out of 54 antivirus scanners* as Trojan-Ransom.Win32.Foreign.kxka
* https://www.virustot...542ee/analysis/
Once executed, the sample drops the following malicious MD5 on the affected hosts: MD5: ed54fca0b17b768b6a2086a50ac4cc90 **
** https://www.virustot...f44c8/analysis/
It then phones back to the following C&C servers:
62.76.43.110
62.76.185.94

Related malicious MD5s known to have phoned back to the following C&C server (62.76.43.110):
MD5: c02e137963bea07656ab0786e7cc54de . Once executed, the dropped MD5: ed54fca0b17b768b6a2086a50ac4cc90 starts listening on ports 35073.
also phones back to the following C&C servers:
62.76.185.94
23.62.99.40

Related malicious MD5s known to have phoned back to the following C&C server (23.62.99.40)..."

23.62.99.40: https://www.virustot...40/information/
___

Fake ACH/Bank form – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 June 2014 - "ACH – Bank account information form pretending to come from Bettye Cohen [Bettye.Cohen@ jpmchase .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
    Please find attached the business account forms 9814285.
    If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
    Bettye_Cohen
    Chase Private Banking Level III Officer
    3 Times Square
    New York, NY 10036
    T. 212.804.3166
    F. 212.991.5185


20 June 2014: Important Chase Private Banking Forms.zip (93 kb)  Extracts to: Important Chase Private Banking Forms.scr
Current Virus total detections: 3/54* . This ACH – Bank account information form is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...85a24/analysis/
___

Fake Cloud Storage Mails lead to Pharmacy Sites
- http://blog.malwareb...pharmacy-sites/
June 20, 2014 - "We’re seeing a number of emails claiming that image files have been uploaded to the web, or have simply been damaged somehow. Here’s one claiming to be from “Box”, which as you may already know is a Cloud content management service:
> http://cdn.blog.malw...06/boxspam1.jpg
The large “View Images” button leads clickers to a Canadian pharmacy spam page:
> http://cdn.blog.malw...adianpharma.jpg
We’ve seen a few others like the above but in those cases the final destination was already offline, so it’s hard to say exactly what they were trying to send people to. Here’s one stating that your files have been uploaded, this time from “Drive”. SkyDrive / OneDrive? Google Drive? I have no idea, but here it is anyway:
> http://cdn.blog.malw...6/drivespam.jpg
Don’t panic if confronted with mysterious messages about damaged files or uploads you know nothing about. It’s just a slice of spammy -clickbait- which can be safely ignored."
___

Lloyds/TSB – Phish...
- http://myonlinesecur...ation-phishing/
20 June 2014 - "We all get frequent phishing emails pretending to come from a bank or other financial institution. Today's offering shouldn’t really fool anybody, but it will as usual, when you don’t check carefully the address the link sends you to in your browser address bar. Subject says:
Important Update Notification and pretends to come from LloydsTSB

Any customer of the bank knows that Lloyds and TSB have now split up and you either have Lloyds Bank or TSB bank. Most of us still have a credit/debit card and cheque book that says LloydsTSB, but all communications from these banks have been Lloyds or TSB specific for some considerable time now. Email looks like:

Dear Valued Customer,
The update to our mobile banking app for iPhone and Android users is coming this summer.
We’ve made some big improvements, so it’s easier and quicker to use with enhanced security. You’ll need an up-to-date phone number so you can complete
device registration the first time you use it.
Please ensure your phone numbers are up to date today by checking your details now.
CHECK MY DETAILS NOW
Sincerely,
Lloyds Bank plc ...


If you follow the link you see a webpage looking -identical- to the genuine Lloyds bank log in site..."
 



Edited by AplusWebMaster, 20 June 2014 - 02:41 PM.

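The two tricks described in the appriver and myonlinesecurity items above, a ".zip" whose bytes are really a RAR archive and a .scr executable named and iconed to pass as a PDF, both fall out of the same triage step: compare the leading bytes with the claimed extension and look at what an archive actually contains. The following is an added example, not code from either blog; the attachment names and bytes are constructed stand-ins, and the RAR signature bytes come from the format itself rather than the post (which spells it "RAR!").

```python
"""Attachment triage: does the file match its extension, and what does an
archive hold?  Added example; the sample attachments are constructed here."""
import io
import zipfile

# Leading bytes of the file types the posts mention.  The appriver post
# writes the RAR signature as "RAR!"; the on-disk bytes are "Rar!" followed
# by 0x1A 0x07 0x00 (RAR 1.5-4.x) or 0x1A 0x07 0x01 0x00 (RAR 5).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"%PDF-": "pdf",
    b"MZ": "exe",                # PE/DOS executable, which a .scr also is
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls container
}
EXT_TO_TYPE = {"zip": "zip", "rar": "rar", "pdf": "pdf", "exe": "exe",
               "scr": "exe", "com": "exe", "doc": "ole", "xls": "ole"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def sniff_type(data: bytes) -> str:
    """Type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def name_findings(name: str) -> list:
    """Flags derived from a member name alone (executable, double extension)."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable member: {name}")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            findings.append(f"double extension (decoy .{parts[-2]}): {name}")
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    sniffed = sniff_type(data)
    claimed = EXT_TO_TYPE.get(extension_of(filename))
    if claimed and sniffed != claimed:
        findings.append(f"extension .{extension_of(filename)} but content is {sniffed}")
    if sniffed == "rar":
        # No RAR parser in the standard library: report it and stop, rather
        # than let a renamed archive slip past a zip-only inspection.
        findings.append("RAR archive: members not inspected here")
    elif sniffed == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings.extend(name_findings(info.filename))
                    if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                        findings.append(f"password-protected member: {info.filename}")
                        continue
                    head = zf.open(info).read(8)
                    if (sniff_type(head) == "exe"
                            and extension_of(info.filename) not in EXECUTABLE_EXTS):
                        findings.append(
                            f"PE content behind non-executable name: {info.filename}")
        except zipfile.BadZipFile:
            findings.append("zip signature but the archive does not parse")
    return findings


def build_samples() -> dict:
    """Constructed stand-ins for the attachments the posts describe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The "PDF" that is really a screensaver executable (MZ header).
        zf.writestr("Important Chase Private Banking Forms.scr",
                    b"MZ\x90\x00" + b"\x00" * 60)
        # A PE renamed to look like a document, to exercise the content check.
        zf.writestr("Statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        # The fake-invoice PDF the appriver archive also carried.
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return {
        "Important Chase Private Banking Forms.zip": buf.getvalue(),
        # .zip extension, RAR bytes: the Berkeley Futures trick (constructed name).
        "Customer_Daily_Statement.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
        # A genuine PDF for contrast (constructed name).
        "real_invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "->", triage_attachment(name, blob) or ["nothing odd"])
```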


#1214 AplusWebMaster


Posted 23 June 2014 - 08:38 AM

FYI...

Fake Order|Mobile Inc. – malformed Word doc malware
- http://myonlinesecur...rd-doc-malware/
23 June 2014 - "Your Order No 7085967 | Mobile Inc. is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... word .doc attachment. The word .doc is malformed and will infect you if you have a vulnerable version of word or some other out of date software on the computer. Luckily Microsoft security essentials detects and blocks it on my computer. It is detected as W97M/Adobdocro.A  Just -previewing- the attachment in your email client or browser might be enough to infect you. MSE jumped in and blocked it as soon as I selected preview, so beware and immediately delete the entire email without attempting to open, save or preview the attachment. We have had this malware running on a test system and it downloads a file from http ://barniefilm1996 .ru/info.exe which is detected on Virus total by 11/54 AV's*...
Thank you for ordering from Mobile Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is 4863028.  You will need this in all correspondence.
This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card.
Your card will be charged for the amount of 5.38 USD and “Mobile Inc.” will appear next to the charge on your statement.
Your purchase information appears below in the file...

 
23 June 2014: Order_230614.Doc (47 kb) Current Virus total detections: 2/51**
MALWR Auto Analysis***
This Your Order No 7085967  | Mobile Inc. is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...d0a49/analysis/

** https://www.virustot...291e5/analysis/

*** https://malwr.com/an...2ExZmEzNGFmNWU/
___

Fake Amazon email delivers Malware
- http://blog.malwareb...eliver-malware/
June 23, 2014 - "Beware of an email in circulation claiming to be from 'Amazon Local', which mentions invoices for an order you -never- actually made. If you buy a lot of goods from Amazon there’s always the possibility you might fall for this one in the general deluge of legitimate payment confirmation emails.

Screenshot: http://cdn.blog.malw...mazonlocal1.jpg

... Note that the email mentions the order was placed on the 15th, which adds to the illusion of “Wait…did I actually order this but forget about it?” The attachment is called order_id.zip, though it had already been scrubbed from the service it was sent to up above so we can’t give more information on it at this time. You can see more examples of what appear to be related campaign mails over on this CISCO alert*. As with all fake order mails, be very cautious around attachments and if there’s an order you’re not sure about then login to Amazon or [merchant x] and see if you actually are missing a delivery. Chances are, the only thing waiting in your mailbox is some Malware..."
* http://tools.cisco.c...x?alertId=33857
___

Fake "Domain Listing Expired" scam/spam (ibulkmailer .com / 192.99.148.65)
- http://blog.dynamoo....-scam-spam.html
23 June 2013 - " I've received this spam to the contact details for several domains I own in the past few weeks:

Screenshot: http://1.bp.blogspot...ain-renewal.png

It looks like a domain renewal notice.. but it isn't. It's a renewal notice for SEO services. "But wait," I hear you cry, "I haven't signed up for any SEO services!" to which my answer is "Exactly!" This is where the spam moves from being annoying to being more of a -scam- ... The use of the word "Renew" implies that you already have a relationship with these people but you do not. There is nothing to renew, but stating that this is something you already use is not only incorrect but in my personal opinion it is a -fraudulent- misrepresentation. The link in the email goes to 192.99.148.65 (OVH Canada, not surprisingly) and then onto a landing page at ibulkmailer .com on 192.185.170.196 (Websitewelcome, US)... If you get these spam messages (and the link still leads to ibulkmailer .com) then one effective way of dealing with it would be to forward the message to the webhost abuse department at abuse -at- websitewelcome .com. Doing business with spammers is never a good idea, and doing business with spammers who misrepresent your relationship with them is likely to be a very bad idea indeed. Avoid..."
(More detail at the dynamoo URL above.)

192.99.148.65: https://www.virustot...65/information/

192.185.170.196: https://www.virustot...96/information/
___

Dropbox Phish ...
- http://blog.malwareb...-dropbox-creds/
June 23 2014 - "It’s after your email usernames and passwords. All of them if possible, actually.
Screenshot: http://cdn.blog.malw...014/06/db01.png
We suggest that you forget about the image you wanted to see that resulted in this page loading up and -close- the browser tab immediately. As those who are familiar with phishing know, the only end result for anyone who willingly (albeit unknowingly) hands over their digital keys to the wrong hands is more trouble. From the interface, we can infer that this -phishing- campaign placed priority into getting credentials from Yahoo!, Gmail, Hotmail, and Aol email users. Clicking each logo on the page displays a little window where one can provide their login details.
> http://blog.malwareb...gmail.png?w=484
Clicking the green “Sign In” button leads users to the default login pages of these email services. If one happens to use the same user name and password combination across his/her online accounts, from cloud storage sites like Dropbox to digital libraries, emails and social networks (clearly a bad practice we should stop doing), it’s highly likely that more than one account would get compromised with just a single phishing campaign. Several security vendors flag this page as malicious as well since they detect a script in it as equally malicious. Furthermore, we found that the domain where this page is hosted [an official website of a company that is into the trading and wholesale of alloy wheels and accessories] was -hacked- and defaced in January this year. We can only assume that either the security issues surrounding the website have not been fully addressed or the issues were never mitigated..."
___

ZBOT-UPATRE far from Game Over- uses Random Headers
- http://blog.trendmic...random-headers/
June 23, 2014 - "TROJ_UPATRE, the most common malware threat distributed via spam, is known for downloading encrypted Gameover ZeuS onto affected systems. This ZeuS variant, in turn, is known for its use of peer-to-peer connections to its command-and-control (C&C) servers. This behavior has been known about since October 2013. We have observed that these specific ZeuS variants are now employing non-binary files. The UPATRE downloader is also responsible for decrypting these malicious files. This is done to bypass security features and avoid detection and removal from the infected systems. Previously, ZBOT malware could be detected via its header with ZZP0 even though it is initially encrypted by UPATRE. However, in our recent findings, it is found that ZeuS dropped this header and now uses -random- headers and changed its file extension, thus making it arduous to be detected in the network... UPATRE is continuously developing not only in terms of effective social engineering lures such as the abuse of Dropbox links to lead to ZBOT, NECURS, and just recently, Cryptolocker. This 'improvement' can also be seen in the use of XOR key to decrypt the downloaded file. We can say that the cybercriminals behind UPATRE are aware that their tactic of encrypted downloaded file is already detected by security solutions. As such, they continually modify their algorithm to circumvent efforts to detect and mitigate the risk posed by UPATRE... As a downloader, the main function of UPATRE is to deliver the main payload: Gameover ZeuS. In the past, the Pony loader and Cutwail spam botnet was used to download GoZ malware..."
 



Edited by AplusWebMaster, 23 June 2014 - 11:38 AM.



#1215 AplusWebMaster


Posted 24 June 2014 - 04:16 PM

FYI...

Seasonal Scam returns ...
- http://blog.malwareb...l-scam-returns/
June 24, 2014 - "... For those who are still in the middle of planning on a trip with family or friends, preparing for That Day is an essential step not to miss. And for most of us, part of that preparation is getting healthy, looking fit (thus, good) before hitting the beach... there are sites out there ready to pounce on unwary internet users browsing the Web in search of the latest diet craze, fitness regimens of their favourite celebrities, or healthy recipes that are easy to whip up. Depending on how you combine certain keywords like “summer” and “diet” in your search, you may find yourselves ending up with results that lead to sites such as the below:
> http://cdn.blog.malw...2014/06/TMZ.png
.
> http://cdn.blog.malw...06/gracinia.png
... Malware Intelligence Analyst Chris Boyd has written extensively about this campaign last year. You may check out the scam timeline he put together here* if you’re curious to find out more. Links to Garcinia scams can be shared via email through compromised accounts and social networks like Twitter, Tumblr, and Instagram. That said, we should remain cautious about clicking links from others wherever we are online."
* http://www.threattra...-new-outbreaks/
 





#1216 AplusWebMaster


Posted 25 June 2014 - 10:46 AM

FYI...

Fake RBS SPAM - leads to malicious ZIP file
- http://blog.dynamoo....m-leads-to.html
25 June 2014 - "This -fake- RBS spam leads to malware:
    From:     Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    Date:     25 June 2014 15:25
    Subject:     Outstanding invoice
    Dear [redacted],
    Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
    http ://figarofinefood .com/share/document-128_712.zip
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Many thanks
    Max Francis
    Credit Control ...


The link isn't a Dropbox link at all, but it downloads an archive file from [donotclick]figarofinefood.com/share/document-128_712.zip which contains the malicious executable document-128_712.scr which has a VirusTotal detection rate of 4/54*. Automated analysis tools... show that it attempts to phone home to babyslutsnil .com on 199.127.225.232 (Tocici LLC, US). That domain was registered a few days ago..."
* https://www.virustot...sis/1403708638/

199.127.225.232: https://www.virustot...32/information/
___

Fake Payment Advice / CHAPS credits – PDF malware ...
- http://myonlinesecur...ke-pdf-malware/
25 June 2014 - "Payment Advice – Advice Ref:[GB960814205896] / CHAPS credits... pretending to come from HSBC Advising Service... mail.hsbcnet.hsbc .com... is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Sir/Madam,
    Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link:
    http ://salamatiancar .ir/css/document-128_712.zip
     Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


An alternative version of this malware email is Outstanding invoice pretending to come from Bankline.Administrator@ rbs .co .uk
    Dear scans,
    Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
    http ://figarofinefood .com/share/document-128_712.zip
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Many thanks
    Jack Duncan
    Credit Control ...


Today's Date: document-128_712.zip (95kb)  Extracted file name:  document-128_712.scr
Current Virus total detections: 5/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...581f5/analysis/
___

Fake Amazon order/email contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 25, 2014 - "... new trojan distribution campaign by email with the subject “Order Details”.
This email is sent from the spoofed address “delivers@ amazon .com”...

Screenshot: http://img.blog.mxla...0625_amazon.gif

The attached ZIP file has the name order_id_78362477.zip and contains the 118 kB large file order_id_7836247823678423678462387.exe. The trojan is known as Win32:Malware-gen, Trojan.Win32.Krap.2!O, Spyware.Zbot.VXGen, PE:Malware.XPACK-HIE/Heur!1.9C48 or TROJ_GEN.F0D1H0ZFP14. At the time of writing, 7 of the 54 AV engines did detect the trojan at Virus Total*. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3."
* https://www.virustot...sis/1403726988/

** https://malwr.com/an...WU2NmJjOTg2N2Q/
___

China hacking threatens national security ...
- http://www.reuters.c...N0P60KC20140625
Jun 25, 2014 - "Cyber theft of trade secrets by China is a threat to U.S. national security, U.S. Ambassador to China Max Baucus said on Wednesday in the first major public address of his tenure, warning that Washington would continue to pressure Beijing. Baucus' remarks come as commercial ties between the world's two largest economies have been strained over cyber espionage charges... In May, Washington indicted five Chinese military officers for hacking U.S. companies, prompting Beijing to suspend a Sino-U.S. working group on cyber issues. It adamantly denies the charges. Such behaviour is criminal and runs counter to China's World Trade Organization commitments, Baucus told business leaders at an American Chamber of Commerce in China luncheon two weeks ahead of annual high-level bilateral talks in Beijing... China heavily restricts dozens of industries and U.S. firms have long complained they are forced to meet unfair burdens such as ownership caps and are pressured to transfer technology in exchange for market access."
___

PlugX RAT with “Time Bomb” abuses Dropbox for C&C settings
- http://blog.trendmic...ntrol-settings/
June 25, 2014 - "Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, are well-known and can be detected, threat actors still effectively use these tools in targeted attacks. Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings... Although there are differences in the features of types I and II PlugX, the similarities in certain techniques and indicators of compromise can aid in mitigating the risks posed to confidential data. Targeted attack campaigns that used PlugX can be detected via threat intelligence. The publicly available information on indicators of compromise can determine if an enterprise is being hit by targeted attacks... we didn’t find any vulnerability in Dropbox during our investigation and other similar cloud applications could be used in this manner. Dropbox was already informed of this incident as of posting."
___

Havex hunts for ICS/SCADA systems
- http://www.f-secure....s/00002718.html
June 23, 2014 - "... we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector. The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code... Havex took a specific interest in Industrial Control Systems (ICS)... The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed on. We gathered and analyzed -88- variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of -146- command and control (C&C) servers contacted by the variants, which in turn involved tracing around -1500- IP addresses in an attempt to identify victims. The attackers use compromised websites, mainly blogs, as C&C servers... We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us... The Havex RAT is distributed at least through following channels:
- Spam email
- Exploit kits
- Trojanized installers planted on compromised vendor sites
... Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets. It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers. Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were -trojanized- to include the Havex RAT. We suspect more similar cases exist but have not been identified yet... All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering... Summary: The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure. The method of using -compromised- servers as C&C's is typical for this group... We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors. The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today..."
___

Interactive exploit kit redirection technique
- http://www.welivesec...tion-technique/
20 June 2014 - "The usual pattern we see when dealing with exploit kits starts with a legitimate website that gets compromised and used to automatically redirect its visitors to the actual malicious content. Techniques such as iFrame injection and HTTP -redirections- are frequently observed. This week though, we found an interesting variation while doing research on some exploit kit traffic. We noticed that the compromised website contained code that actually interacts with the user by presenting a -fake- message about some script slowing down the browser:
> http://www.welivesec...ie_warning2.png
The code responsible for this interaction is an injected HTML form that is shown only when the visiting browser is Internet Explorer... Of course, clicking on either Cancel or OK triggers the same POST request to an intermediate page, which in turn -redirects- the visitor to the Angler exploit kit by returning a small snippet of HTML and Javascript code... Typically the visitors are automatically redirected to the exploit kit when they visit a compromised website, so why bother with displaying a message first? It might be to prevent automated systems (malware analysis sandboxes, search-engine bots etc.) from reaching the exploit kit, making it harder for researchers to track and investigate such a threat. The malware that was being distributed at the time we performed our research was Win32/PSW.Papras.CX*  (SHA1: 7484063282050af9117605a49770ea761eb4549d)."
* http://www.virusrada....CX/description
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 25 June 2014 - 04:54 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1217 AplusWebMaster

Posted 26 June 2014 - 04:04 PM

FYI...

Fake USPS SPAM ...
- http://blog.dynamoo....voice-spam.html
26 June 2014 - "This -fake- USPS spam is pretty Old School in its approach:

Screenshot: https://1.bp.blogspo.../s1600/usps.png

The link in the email I had was broken, but was attempting to redirect to:
[donotclick]kadoi .gr/shopfine/redir.php
and from there to:
[donotclick]cascadebulldogrescue .org/xmlrpc/invoice.zip
This .zip file contains a malicious executable invoice.com (a .com file.. that really is old school) which has a VirusTotal detection rate of 29/54*. The Malwr report** shows an attempted connection to klempfrost.zapto .org on 199.21.79.114 (Internap, US). Other automated analysis tools are less conclusive...
Recommended blocklist:
199.21.79.114
kadoi .gr
cascadebulldogrescue .org
klempfrost.zapto .org"
* https://www.virustot...sis/1403811760/

** https://malwr.com/an...TQ2ODI0MmY0ZTU/
___

 

MITM steals half million euros in a week ...
- http://www.theregist...k_smash_n_grab/
26 Jun 2014 - "Attackers have pulled off a lucrative lightning raid on a single beleaguered bank stealing half a million euros in a week, Kaspersky researchers say. The crims stole between €17,000 and €39,000 from each of -190- Italian and Turkish bank accounts, with a single continuous attack. Man-in-the-middle attackers used stolen bank login details to transfer money to mule accounts before cashing out at ATMs around 20 January this year. Kaspersky researchers found evidence of the manic raid, dubbed "Luuuk"* in a command and control server and suggested one of a series of established and sophisticated trojans such as Zeus, Citadel or SpyEye were used... The attackers wiped the compromised command and control server as part of what Kaspersky suggested was careful track-covering. The researchers said the attackers were very active and would be unlikely to have terminated their profitable fraud scheme because of the Kaspersky discovery. The mules who funnelled the stolen cash were entrusted with differing transfer limits from €1750 to €50,000 depending on the trust afforded to each by the fraud masterminds... The raid was notable in the short time taken to steal account details and retrieve cash from ATMs..."
* https://www.secureli...the_force_Luuuk
June 25, 2014
___

China cybercrime cooperation stalls after U.S. hacking charges
- http://www.reuters.c...N0F12OJ20140626
June 26, 2014 - "Fledging cooperation between the United States and China on fighting cyber crime has ground to a halt since the recent U.S. indictment of Chinese military officials on hacking charges, a senior U.S. security official said on Thursday. At the same time, there has been no decline in Chinese hackers' efforts to break into U.S. networks, the official said. In May, the Justice Department charged five Chinese military members with hacking the systems of U.S. companies to steal trade secrets, prompting Beijing to suspend a Sino-U.S. working group on cyber issues. China denies the charges and has in turn accused Washington of massive cyber spying. U.S. and Chinese officials had started working together to combat certain types of online crime, including money laundering, child pornography and drug trafficking, the U.S. official said. But that cooperation has stopped... The new chill underscores the fragility of the efforts to ease tensions and mutual accusations of hacking and Internet theft between China and the United States, at the expense of the security areas where the nations had reached some understanding. The indictments, the first criminal hacking charge the United States has filed against specific foreign officials, put more strain on a complex commercial relationship between the two economic powers and created new troubles for some U.S. technology companies doing business in China. Beijing has responded with a promise to investigate all U.S. providers of important IT products and services, though it has not specified the move was a direct retaliation. Chinese state media has also lashed out, without indicating a connection, at U.S. firms including Google, Apple, Yahoo, Cisco Systems, Microsoft and Facebook with allegations of spying and stealing secrets..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 27 June 2014 - 04:12 AM.



#1218 AplusWebMaster

Posted 27 June 2014 - 03:05 PM

FYI...

Banking malware uses Network Sniffing for Data
- http://blog.trendmic...for-data-theft/
June 27, 2014 - "With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape. In fact, 2013 saw almost a million new banking malware variants — double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques. Just weeks after we came across banking malware that abuses a Windows security feature, we have also spotted yet another banking malware. What makes this malware, detected as EMOTET, highly notable is that it “sniffs” network activity to steal information. EMOTET variants arrive via spammed messages. These messages often deal with bank transfers and shipping invoices. Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.
Sample spammed messages:
> http://blog.trendmic...06/EMOTET-1.png
...
> http://blog.trendmic...06/EMOTET-2.png
The provided links ultimately lead to the downloading of EMOTET variants into the system. Once in the system, the malware downloads its component files, including a configuration file that contains information about banks targeted by the malware. Variants analyzed by engineers show that certain banks from Germany were included in the list of monitored websites... EMOTET infections are largely centered in the EMEA region, with Germany as the top affected country... However, other regions like APAC and North America have also seen EMOTET infections, implying that this infection is not exclusive to a specific region or country. As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to -call- the financial or banking institution involved to -confirm- the message before proceeding..."
___

Scams hook users with "free" Facebook hacks
- http://blog.malwareb...cebook-hacking/
June 27, 2014 - "Ah, Facebook hacking. It’s one of those things security folks generally warn people against due to its questionable legality regardless of one’s reasons for doing so, yet many continue to go out of their way to look for hacking tools and services online... Whether one genuinely lost their Facebook account password or not, it’s never a good (nor safe) idea to entrust matters to hacking, cracking, or sniffing. There’s almost always a catch. It’s still best to contact Facebook support directly for password retrieval... bogus site(s) serve as a reason for users considering trying hacking not to do it. Delving into the business of shady fellows who’re only waiting for users to fall into their lures will cost more to the service or tool user than it does for those who developed or are offering the illegal service..."
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 28 June 2014 - 09:24 AM.



#1219 AplusWebMaster

Posted 30 June 2014 - 03:42 PM

FYI...

Several no-ip .com domains apparently seized by MS
- http://blog.dynamoo....apparently.html
30 June 2014 - "It appears that the nameservers for the following dynamic DNS domains belonging to no-ip .com may have been seized by Microsoft, as the nameservers are pointing to NS7.MICROSOFTINTERNETSAFETY .NET and NS8.MICROSOFTINTERNETSAFETY .NET:
3utilities .com
serveftp .com
serveblog .net
myftp .org
servehttp .com
servebeer .com
zapto .org
no-ip .org
noip .me
no-ip .biz
redirectme .net
hopto .org
no-ip .info
sytes .net
myvnc .com
myftp .biz
servegame .com
servequake .com
This seems to have had the effect of taking down any sites using these dynamic DNS services. Usually this happens when Microsoft gets a court order prior to legal proceedings. Now, although these domains are widely abused, it is not no-ip .com themselves doing the abusing. I do recommend that businesses block access to dynamic DNS sites because of the high level of abuse, but I do feel that it is something that network administrators should choose for themselves."
___

MS disrupts cybercrime rings with roots in Kuwait, Algeria
- http://www.reuters.c...N0F52A920140630
Jun 30, 2014 - "Microsoft Corp launched what it hopes will be the most successful private effort to date to crack down on cyber crime by moving to disrupt communications channels between hackers and infected PCs. The operation, which began on Monday under an order issued by a federal court in Nevada, targeted traffic involving malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways* and were written and distributed by developers in Kuwait and Algeria. It is the first high-profile case involving malware written by developers outside of Eastern Europe, according to Richard Domingues Boscovich, assistant general counsel of Microsoft's cybercrime-fighting Digital Crimes Unit**... it would take several days to determine how many machines were infected, but noted that the number could be very large because Microsoft's anti-virus software alone has detected some 7.4 million infections over the past year and is installed on less than 30 percent of the world's PCs. The malware has slick dashboards with point-and-click menus to execute functions such as viewing a computer screen in real time, recording keystrokes, stealing passwords and listening to conversations, according to documents filed in U.S. District Court in Nevada on June 19 and unsealed Monday... the developers blatantly marketed their malware over social media, including videos on Google's YouTube and a Facebook page. They posted instructional videos with techniques for infecting PCs... The court order allowed Microsoft to disrupt communications between infected machines and a Reno, Nevada, firm known as Vitalwerks Internet Solutions... about 94 percent of all machines infected with the two viruses communicate with hackers through Vitalwerks servers. Criminals use Vitalwerks as an intermediary to make it more difficult for law enforcement to track them down... 
Microsoft will filter out communications from PCs infected with another 194 types of malware that are also being filtered through Vitalwerks..."

* http://blogs.technet...e-families.aspx
30 Jun 2014
> http://www.microsoft...ages/a/dcu6.png

** http://blogs.technet...disruption.aspx
30 Jun 2014

> http://blogs.technet...14_5F00_v5e.png
___

'Amazon Local' Spam
- http://threattrack.t...azon-local-spam
June 30, 2014 - "Subjects Seen:
    FW: Order Details
Typical e-mail details:
    Good morning,
    Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
    Order Details...


Screenshot: https://gs1.wac.edge...kEjG1r6pupn.png

Malicious File Name and MD5:
    order_id.zip (80583D63E52AD48A14D91DC7CAE14115)
    order_id_783624782367842367846238751111.exe (C31F54BB78D5B1469B9B1AEE691FF8E3)


Tagged: amazon local, Dofoil
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 30 June 2014 - 06:34 PM.



#1220 AplusWebMaster

Posted 01 July 2014 - 02:20 PM

FYI...

Something evil on 37.187.140.57 (OVH, France)
- http://blog.dynamoo....ovh-france.html
1 July 2014 - "A group of Cushion Redirect sites appear to be hosted on 37.187.140.57 (OVH, France). Although I cannot determine the exact payload of these sites, you can be assured that it is Nothing Good and you may well want to block the IP. Here is a sample URLquery report* for this IP. VirusTotal** also reports a low number of detections for this address.
Domains being abused in this attack include:
charlie-lola .co.uk
clashofclanshackdownload .com
check-email .org
cialis25 .pl
adultvideoz .net
In all cases the attack is carried out by using a malicious subdomain..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...d=1404216440815

** https://www.virustot...57/information/
___

MS No-IP Takedown ...
- https://isc.sans.edu...l?storyid=18329
2014-07-01 - "... No-IP is crying foul, stating that Microsoft never contacted them to have the malicious domains blocked. Further, Microsoft is apparently not able to properly filter and support all queries for these seized domains, causing widespread disruption among legit no-ip customers. According to the court order, Microsoft is able to take over DNS for the affected domains, but because the legit domains far outnumber the malicious domains, Microsoft is only allowed to block requests for malicious domains. Microsoft apparently overestimated the abilities of its Azure cloud service to deal with these requests. In the past, various networks blocked dynamic IP providers, and dynamic IP services have been abused by criminals for about as long as they have existed. However, No-IP had an abuse handling system in place and took down malicious domains in the past. The real question is if No-IP's abuse handling worked "as advertised" or if No-IP ignored take down requests... a similar justification may be used to filter services like Amazon's (or Microsoft's?) cloud services which are often used to serve malware [4][5]. It should make users relying on these services think twice about the business continuity implications of legal actions against other customers of the same cloud service. There is also no clear established SLA for abuse handling, or what level of criminal activity constitutes abuse..."
[4] http://blog.malwareb...soft-azure-too/

[5] http://www.washingto...est-of-malware/
___

Malware Spam Source in Q2-2014
- http://blog.trendmic...rce-in-q2-2014/
July 1, 2014 - "DOWNAD, also known as Conficker, remains one of the top 3 malware families affecting enterprises and small and medium businesses. This is attributed to the fact that a number of companies are still using Windows XP, which is susceptible to this threat. It can infect an entire network via a malicious URL, spam email, and removable drives. It is known to exploit the MS08-067 Server service vulnerability in order to execute arbitrary code. In addition, DOWNAD has its own domain generation algorithm that allows it to create randomly-generated URLs. It then connects to these created URLs to download files on the system. During our monitoring of the spam landscape, we observed that in Q2, more than 40% of malware-related spam mails were delivered by machines infected by the DOWNAD worm. Spam campaigns delivering FAREIT, MYTOB, and LOVGATE payloads in email attachments are attributed to DOWNAD-infected machines. FAREIT is a malware family of information stealers which download ZBOT. On the other hand, MYTOB is an old family of worms known for sending a copy of itself in spam attachments.
Spam sending malware
> http://blog.trendmic...e-Family-01.jpg
Based on this data, the CUTWAIL (Pushdo) botnet together with Gameover ZeuS (GoZ) are the other top sources of spam with malware... CUTWAIL was previously used to download GoZ malware. However, now UPATRE employs GoZ malware or variants of ZBOT which have peer-to-peer functionality. In the last few weeks we have reported various spam runs that abused Dropbox links* to host malware like NECURS and UPATRE. We also spotted a spammed message in the guise of voice mail that contains a Cryptolocker variant. The latest we have seen is a spam campaign with links that leveraged CUBBY, a file storage service, this time carrying a banking malware detected as TSPY_BANKER.WSTA. Cybercriminals and threat actors are probably abusing file storage platforms so as to mask their malicious activities and go undetected in the system and network. As spam with malware attachments continues to proliferate, so does spam with links carrying malicious files. The continuous abuse of file hosting services to spread malware appears to have become a favored infection vector of cybercriminals, most likely because this makes it more effective given that the URLs are legitimate, thereby increasing the chance of bypassing antispam filters. Although the majority of the above campaigns are delivered by the popular GoZ, it is important to note that around -175- IPs are found to be related to the DOWNAD worm. These IPs use various ports and are randomly generated via the DGA capability of DOWNAD. A number of machines are still infected by this threat and leveraged to send the spammed messages to further increase the number of infected systems..."
* http://blog.trendmic...-dropbox-links/
___

2 -Fake- inTuit emails ...
1] https://security.int...alert.php?a=107
June 30, 2014 - "People are receiving -fake- emails with the title "validate". These mails are coming from tax.turbo@ mail .com, which is -not- a legitimate email address. Below is a copy of the email people are receiving.
Kindly validate your login
myturbotax .intuit .com


This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."

2] https://security.int...alert.php?a=108
June 30, 2014 - "People are receiving -fake- emails with the title "Alert from Intuit: Action Required!" Below is a copy of the email people are receiving:
Screenshot: https://security.int...entityPhish.jpg

This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."
 

:ph34r: :ph34r:  :blink:


Edited by AplusWebMaster, 02 July 2014 - 05:49 AM.



#1221 AplusWebMaster

Posted 02 July 2014 - 07:41 AM

FYI...

Fake Amazon Local SPAM / order_id.zip
- http://blog.dynamoo....tails-spam.html
2 July 2014 - "This fake Amazon spam has a malicious attachment:

Screenshot: http://3.bp.blogspot...mazon-local.png

Attached is a file order_id.zip which in turn contains the malicious executable order_id_467832647826378462387462837.exe which is detected as malicious by 5/54 engines of VirusTotal*. Automated analysis tools are inconclusive about what this malware does..."
* https://www.virustot...sis/1404306154/
___

Fake email “Failed delivery for package #0231764” from Canada Post - contains URLs to malicious file

- http://blog.mxlab.eu...malicious-file/
July 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Failed delivery for package #0231764” from Canada Post regarding a failed attempt to deliver an item. This email is sent from the spoofed address “Canada Post <tracking@ canadapost .com>” and has the following body:
Dear customer,
We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
The delivery attempt failed because no person was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: RT000961269SG
Expected Delivery Date: JUL 2nd, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
The shipping invoice can be viewed online, by visiting ...


The first embedded URL hxxp ://documents-signature .com/pdf_canpost_RT000961269SG.pdf leads to a website that shows a PDF file... The second embedded URL hxxp ://documents-signature .com/pdf_canpost_RT000961269SG.zip leads to a malicious file pdf_canpost_RT000961269SG.zip that contains the file pdf_canpost_RT000961269SG.pif. The trojan is known as Backdoor.Bot or HEUR/Malware.QVM07.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustot...sis/1404326965/

** https://malwr.com/an...zgxYjA1MjlhMjE/

23.62.98.234: https://www.virustot...34/information/

87.121.52.82: https://www.virustot...82/information/
___

WordPress plugin puts sites at risk
...
- http://arstechnica.c...sk-of-takeover/
July 1, 2014 - "Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned. "If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday*. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable." The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it's the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, "any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated." The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just-released 2.6.7**, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses..."
* http://blog.sucuri.n...ewsletters.html

** http://downloads.wor...tters.2.6.7.zip
___

New Cridex Version Combines Data Stealer and Email Worm
- http://www.seculert....email-worm.html
July 1, 2014 - "... Cridex is a data stealer also referred to as Feodo, and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method – effectively turning each bot in the botnet into a vehicle for infecting new targets... Through further analysis of this attack, we were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly German accounts by impersonating legitimate email.
Stolen SMTPs Country of Origin:
> http://www.seculert....ted-numbers.png
The C&C provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body... The emails we have seen, written in German, contain a link prompting the recipient to download a zip file which contains an executable disguised as a PDF document... There is no definitive information on where the 50,000 stolen credentials came from, but Cridex is the suspected culprit. And as a data stealer, Geodo can compromise the intellectual property of a corporation, putting its business and reputation at risk..."
___

Fake “Google Service Framework” Android malware ...
- http://www.fireeye.c...-hijackrat.html
July 1, 2014 - "... a malicious Android class running in the background and controlled by a remote access tool (RAT). Recently, FireEye mobile security researchers have discovered such a malware that pretends to be a “Google Service Framework” and -kills- an anti-virus application as well as takes other malicious actions. In the past, we’ve seen Android malware that execute privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition, we found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work...
The structure of the HijackRAT malware:
> http://www.fireeye.c...6/structure.png
... Virus Total detection of the malware sample:
> http://www.fireeye.c...2014/06/VT5.png
... fake “Google Service Framework” icon in home screen:
> http://www.fireeye.c.../removeicon.png
A few seconds after the malicious app is installed, the “Google Services” icon appears on the home screen. When the icon is clicked, the app asks for administrative privilege. Once activated, the uninstallation option is disabled and a new service named “GS” is started as shown below. The icon will show “App isn’t installed.” when the user tries to click it again and removes itself from the home screen... The malware has plenty of malicious actions, which the RAT can command... The server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL is named after the device ID and the UUID generated by the CNC server...  the malware app parses the banking apps that the user has installed on the Android device and stores them in the database under /data/data/com.ll/database/simple_pref... the hacker has designed and prepared for the framework of a more malicious command from the CNC server once the hijack methods are finished. Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon."

 

- http://atlas.arbor.n...index#322328699
July 3, 2014
___

Win8 usage declined in June - XP usage increased
- http://www.infoworld...ncreased-245339
July 1, 2014
> http://www.netmarket...=10&qpcustomd=0
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 04 July 2014 - 09:46 AM.

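As an added illustration of the admin_init pitfall quoted in the MailPoet item above (example code written for this thread, not MailPoet's or Sucuri's code; the demo_* function names, the 'demo_upload_theme' action and the 'theme_zip' field are hypothetical), here is the unsafe hook pattern beside a hardened handler that uses WordPress's own authenticated admin-post action, nonce and capability checks:

```php
<?php
/*
 * Illustrative plugin fragment (hypothetical, not MailPoet's code).
 *
 * WordPress fires the 'admin_init' action from wp-admin/admin.php, which is
 * also loaded by wp-admin/admin-post.php and wp-admin/admin-ajax.php. Both of
 * those endpoints answer unauthenticated requests, so a function hooked to
 * 'admin_init' cannot assume that an administrator is logged in.
 */

// --- Unsafe pattern: "we are under /wp-admin, so the caller must be an admin"
function demo_unsafe_handle_upload() {
    if ( empty( $_POST['demo_action'] ) || 'upload_theme' !== $_POST['demo_action'] ) {
        return;
    }
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // No capability check and no nonce: any POST to admin-post.php lands here,
    // and the file name is taken from the request as well.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['theme_zip']['name'] );
    move_uploaded_file( $_FILES['theme_zip']['tmp_name'], $dest );
}
// add_action( 'admin_init', 'demo_unsafe_handle_upload' ); // the pattern to avoid

// --- Hardened pattern
// 1. Hook 'admin_post_{action}', which WordPress only fires for logged-in
//    users. Anonymous requests would go to 'admin_post_nopriv_{action}',
//    which is deliberately not registered here.
// 2. Verify a nonce bound to this action (check_admin_referer dies on failure).
// 3. Require an explicit capability rather than inferring it from the URL.
// 4. Let wp_handle_upload() validate the type and choose the destination.
function demo_safe_handle_upload() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_upload_theme' );

    if ( empty( $_FILES['theme_zip'] ) ) {
        wp_die( 'No file supplied', '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['theme_zip'],
        array(
            'test_form' => false, // admin-post forms do not carry the core 'action' marker
            'mimes'     => array( 'zip' => 'application/zip' ), // only the type this form expects
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=demo&uploaded=1' ) );
    exit;
}
add_action( 'admin_post_demo_upload_theme', 'demo_safe_handle_upload' );

// The form rendered on the plugin's own admin page; the hidden 'action'
// field selects the admin_post_ hook, and the nonce field ties the request to it.
function demo_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_upload_theme">
        <?php wp_nonce_field( 'demo_upload_theme' ); ?>
        <input type="file" name="theme_zip" accept=".zip">
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}
```

The same request that reaches the unsafe handler anonymously is rejected by the hardened one at the hook level, before any file is touched.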


#1222 AplusWebMaster

Posted 03 July 2014 - 08:55 AM

FYI...

Javascript Extortion advertised via Bing ...
- https://isc.sans.edu...l?storyid=18337
Last Updated: 2014-07-02 20:49:25 UTC - "... a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos"...
Screenshot: https://isc.sans.edu... 2_13_48 PM.png
... Once a user clicks on the link, the user is -redirected- to http ://system-check-yueedfms .in/js which loads a page claiming that the user's browser is locked, and the user is asked to pay a fine via "Moneypak", a Western-Union like payment system. Overall, the page is done pretty badly and I find it actually a bit difficult to figure out how much money they are asking for ($300??).
> https://isc.sans.edu...s/2_14_44_x.png
The user is not able to close the browser or change to a different site. However, just rebooting the system will clear things up again, or you have to be persistent enough in clicking "Leave this Page" as there are a large number of iframes that each insert a message if closed. The link was reported to Bing this morning but the result has been rising in Bing's search since then. Respective hosting providers for the likely -compromised- WordPress blog have been notified.
> Quick update: For "katie matysik" (replace 'u' with 'y', the correct spelling of the ), Bing now returns the malicious site as #1 link. Both spellings are valid last names, so either may be the original target of the SEO operation."

46.4.127.172: https://www.virustot...72/information/
___

Chain Letter migrates from mail to Social Networking
- http://blog.malwareb...ial-networking/
July 3, 2014 - "... guaranteed to see a chain letter of one form or another bouncing around on a social network or in a mailbox, and here’s one such missive currently in circulation. It claims Microsoft and AOL are running a form of email beta test with big cash rewards for anybody forwarding on the email – $245 every time you send it on, $243 every time a contact resends it and $241 for every third person that receives it. The catch here is that the text – which is clearly supposed to be sent to email addresses – has been posted to a social network comment box on a profile page instead.
> http://cdn.blog.malw.../microspam1.jpg
... nonsense then, and it’s nonsense now. Amazingly, the mail from 2005 even sports the same phone numbers as the social network post from a few days ago... it’s extremely likely that they’re long since abandoned. Even so, you can’t keep a good scam down and so -eight- years after it rolled into town the -fake- Microsoft / AOL beta payout bonanza continues to find new life, as it moves from mailboxes to social network comment boxes in a desperate attempt to live on for a few more years. Think twice before forwarding chain letters..."
___

Accidental leak reveals identity numbers of 900,000 Danes
- http://www.reuters.c...N0F822Y20140703
Jul 3, 2014 - "The identity numbers of around 900,000 Danes, widely used as a means of identification in telephone transactions with banks or medical services, were mistakenly made available on the internet for almost an hour on Wednesday, the Danish government said. The numbers were mistakenly included by an outside contractor in a database of people who have asked -not- to receive marketing mail or calls that is made available to Danish firms, according to the daily Borsen. It is common for Danish financial institutions, hospitals and government agencies to ask for the civil registration number as a proof of identity in telephone inquiries, raising the possibility of widespread abuse. The government said the list had been downloaded 18 times in the 51 minutes that it was accessible..."
___

Brazil Boleto Fraud Ring ...
- https://blogs.rsa.co...ud-ring-brazil/
July 2, 2014 - "... Through a coordinated investigation spanning three continents, RSA Research has uncovered details of a substantial malware-based fraud ring that is operating with significant effectiveness to infiltrate one of Brazil’s most popular payment methods – the Boleto. Based on evidence gleaned from this fraud investigation, RSA Research discovered a Boleto malware or “Bolware” fraud ring that may have compromised 495,753 Boletos transactions over a two-year period. While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to $3.75 Billion USD (R$ 8.57 Billion). Boleto Bancário, or simply Boleto, is a financial instrument that enables a customer (“sacado”) to pay an exact amount to a merchant (“cedente”). Any merchant with a bank account can issue a Boleto associated with their bank; that Boleto is then sent to the consumer to pay anything from their mortgage, energy bills, taxes or doctor’s bills via electronic transfer.... Their popularity has risen because of the convenience for consumers who don’t require a personal bank account to make payments using Boletos. The Boleto system is regulated by Banco Central do Brasil (Brazilian Central Bank) and has become the second most popular payment method (behind credit cards) in Brazil. E-bit, an e-commerce market research firm in Latin America estimates that 18% of all purchases in Brazil during 2012 were transacted via Boletos...
Boleto malware – how it works:
> https://blogs.rsa.co...letoMalware.png
...  While the fraudsters behind this operation may have had the potential to cash out these modified Boletos, it is not known exactly how many of these Boletos were actually paid by the victims and whether all the funds were successfully redirected to fraudster-controlled bank accounts... RSA has turned over its research along with a significant number of fraudulent Boleto ID numbers and IOCs (indicators of compromise) to both U.S. (FBI) and Brazilian law enforcement (Federal Police) and have been in direct contact with a number of Brazilian banks. RSA is working together with these entities in the investigation... to help with shutting down infection points in the wild and blacklisting fraudulent Boleto IDs... RSA urges consumers to be vigilant when handling Boleto payments and to verify that all the details, specifically the Boleto ID are genuine prior to confirming payments. Because the Bolware gang has been spreading their malware mainly through phishing and spam, consumers in Brazil are also urged to take care when clicking on links or opening attachments in emails or social media messages from -unknown- senders and to use updated anti-virus software to help protect their PCs from infection..."

- http://www.reuters.c...N0PB0UQ20140702
Jul 2, 2014
 



Edited by AplusWebMaster, 03 July 2014 - 02:57 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1223 AplusWebMaster


Posted 04 July 2014 - 12:32 PM

FYI...

Fake: RAS Cargo (rascargointernational .com)
- http://blog.dynamoo....ationalcom.html
4 July 2014 - "There is -no- company in the UK with the name RAS Cargo according to Companies House*. So why are they spamming me?

Screenshot: https://4.bp.blogspo...0/ras-cargo.png

The site is professional-looking enough, quoting... contact details... there is no multinational freight business going on here. Also, the telephone numbers quoted appear in no trade directories or other web sites, indicating that they are -fake-"
* http://wck2.companieshouse.gov.uk/
___

advocatesforyouths.org, Eem Moura, Tee Bello and other FAKE sites
- http://blog.dynamoo....-moura-tee.html
4 July 2014 - "Advocates for Youth is a -legitimate- campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996. However, the domain advocatesforyouths .org is a completely -fake- rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:
    From:     Advocates for Youth [inboxteam6@ gmail .com]
    Reply-To:     Advocates for Youth [ljdavidson@ advocatesforyouths .org]
    Date:     2 July 2014 21:52
    Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
    Mailing list:     xkukllsbhgeel of 668
    Signed by:     gmail.com
    Invitation Ref No: OB-22-52-30-J ...


In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap. The -fake- site is almost a bit-for-bit copy... but things like the Contact Details page are slightly different:
> https://2.bp.blogspo...00/fake-afy.png
... The fax number is in California, but the "202" telephone number appears to be Washington.. but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.
> https://3.bp.blogspo...0/fake-afy2.png
... the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site (See screenshot above). The domain advocatesforyouths .org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones .in/advocates4youth/ which is where things get more complicated. googleones .in is hosted on 74.122.193.45, a Continuum Data Centers IP -reallocated- ...
 Al-zaida Emirates: "alz" is a site called "Al-zaida Emirates" which is a -ripoff- of the legitimate Zamil Group Holding Company. Probably the obvious difference is that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.
> https://3.bp.blogspo...00/al-zaida.png
 EEM Moura and TEE Bello (part 1): The next -fake- site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.
> https://2.bp.blogspo...a-tee-bello.png
...  perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).
 EEM MOURA & TEE BELLO (part 2) [eemthollandbv .nl] There is another -fake- "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv .nl). This is different from the other site being a fake shopping site, a poor copy of the legitimate HollandForYou .com site.
> https://4.bp.blogspo...-tee-bello2.png
This -fake- site is also likely to be recruiting people for a parcel reshipping scam.
 Hotel T. Bello: The final -fake- site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.
> https://3.bp.blogspo...tel-t-bello.png
Perhaps the "Hotel T Bello" is a -fake- hotel for the delegates to the -fake- "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.
There is not a single legitimate site on this server. Avoid."
 



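The "Advocates for Youth" spam above shows three sender tells that can be checked mechanically: the Reply-To steers answers to a different domain than the From, the From is a consumer webmail account carrying an organisation's display name, and the Reply-To domain is one character away from the genuine advocatesforyouth.org. The following is an added example (not code from dynamoo.com or from this forum) that applies those checks to the headers quoted in the post, reconstructed with the defanging spaces removed; the webmail list, the allow-list of genuine domains, and the edit-distance threshold of 1 are assumptions for the demonstration.

```python
"""Sender-plausibility checks for the spam quoted above (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Consumer webmail domains: a real organisation rarely mails its lists from these.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Assumed allow-list of genuine domains for the lookalike check; only this
# entry comes from the post, a real list would come from your own data.
KNOWN_LEGIT = {"advocatesforyouth.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def sender_findings(raw_headers: str) -> list:
    """Return (code, detail) pairs for the From / Reply-To headers of one message."""
    msg = message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. Replies are steered to a domain other than the one the mail came from.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))

    # 2. Organisation-style display name on a consumer webmail account
    #    (heuristic: no word of the display name appears in the local part).
    words = [w.lower() for w in display.split() if len(w) > 2]
    local = from_addr.partition("@")[0].lower()
    if from_dom in FREE_WEBMAIL and words and not any(w in local for w in words):
        findings.append(("webmail_with_org_name", display))

    # 3. A domain one edit away from a known legitimate one (the extra "s").
    for dom in dict.fromkeys((from_dom, reply_dom)):
        for legit in KNOWN_LEGIT:
            if dom and dom != legit and levenshtein(dom, legit) <= 1:
                findings.append(("lookalike_domain", f"{dom} ~ {legit}"))
    return findings


# Constructed from the defanged headers quoted in the post (spaces removed).
SAMPLE_HEADERS = """\
From: Advocates for Youth <inboxteam6@gmail.com>
Reply-To: Advocates for Youth <ljdavidson@advocatesforyouths.org>
Date: 2 July 2014 21:52
Subject: Say No to FORCED MARRIAGE and HIV/AIDS

"""

if __name__ == "__main__":
    for code, detail in sender_findings(SAMPLE_HEADERS):
        print(f"{code:24s} {detail}")
```

None of the three checks proves fraud on its own (plenty of small organisations do use webmail), which is why the function returns the list of findings rather than a verdict; a mail gateway rule would typically score them and quarantine when two or more fire together.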


#1224 AplusWebMaster


Posted 06 July 2014 - 08:51 AM

FYI...

Fake 'Exceeded Storage Limit' Phish ...
- http://www.hoax-slay...imit-scam.shtml
Last updated: July 5, 2014 - "Email claims that the user's email account has exceeded its storage limit and instructs him or her to reply with the account username and password in order to restore full functionality. Some versions ask users to click a link in the message... The message is -not- from any system administrator or support team nor is it from Outlook, Hotmail, or any other email service provider. The email is a phishing scam designed to trick users into divulging their email account login details to Internet criminals...

Screenshot: http://www.hoax-slay...it-scam-pin.jpg

This message, which purports to be from the "System Administrator", claims that the recipient's email account has exceeded its storage limit and the sending and receiving of email may therefore be disrupted. The message instructs the recipient to reply to the email with his or her username and password so that the "System Administrator" can reset the account and increase the size of the database storage limit. A later version of the scam asks users to reply with account details to "confirm" the mailbox. In some variants, users are asked to click a link to supply their username and password. However, the message is not from the "System Administrator" or anyone else at the account holder's email service provider. Instead, the message is a phishing scam designed to trick recipients into handing over their web mail login details to Internet criminals. Those who reply to the message with their login details as instructed will in fact be handing over access to their webmail account to scammers who can then use it as they see fit. Once in their victim's email account, these criminals can then use the account to send spam messages, or in many cases, send other kinds of scam emails... Be wary of -any- unsolicited message that asks you to supply your webmail login details by replying to an email. All such requests are likely to be scams."
___

Attack on Dailymotion - redirected visitors to exploits
- https://www.computer...ors_to_exploits
July 4, 2014 - "Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post*. The iframe redirected browsers to a different website hosting an installation of the Sweet Orange Exploit Kit, an attack tool that uses exploits for Java, Internet Explorer and Flash Player. The flaws that Sweet Orange attempted to exploit are: CVE-2013-2551, patched by Microsoft in Internet Explorer in May 2013; CVE-2013-2460, patched by Oracle in Java in June 2013; and CVE-2014-0515, patched by Adobe in Flash Player in April..."
* http://www.symantec....ers-exploit-kit
3 Jul 2014 - "On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded on the victim’s computer. This week, Dailymotion is no longer compromised, as users are currently not being redirected to the exploit kit..."
___

4th of July SPAM...
- http://www.symantec....ndependence-day
4 July 2014 - "... like every other year, spammers are sending people a barrage of cleverly crafted spam aimed at exploiting this mood of celebration. This year, Symantec has observed a variety of spam, ranging from fake Internet offers to pharmacy deals, which take advantage of the US Independence Day.
Travel promotion spam - Subject: 4th of July Private Jets
> http://www.symantec....pam_figure1.png
Online casino spam
> http://www.symantec....pam_figure2.png
Fake pharmacy website exploiting July 4
> http://www.symantec....pam_figure3.png
Clearance sale product spam exploiting July 4
> http://www.symantec....pam_figure4.png
... Keep your antispam product updated frequently to get the best protection against these threats..."

- http://www.bbb.org/b...with-gift-card/
July 4, 2014
 



Edited by AplusWebMaster, 07 July 2014 - 03:17 PM.



#1225 AplusWebMaster


Posted 07 July 2014 - 07:58 AM

FYI...

Fake USPS SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
July 7, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Ship Notification”. This email is sent from the spoofed address “USPS.com” and has the following body:
Notification
Our courier couldnt make the delivery of parcel to you at June 17 2014.
Print label and show it in the nearest post office.
Download attach . Print a Shipping Label NOW ...


Screenshot: http://img.blog.mxla...140707_USPS.gif

The attached ZIP file has the name notification.zip and contains the 67 kB large file Notification_72384792387498237989237498237498.exe. The trojan is known as Win32:Malware-gen, HW32.CDB.C647, W32/Trojan.BIFV-0857, W32/Trojan3.JCT or Trojan-Spy.Agent. At the time of writing, 5 of the 54 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustot...38977/analysis/

** https://malwr.com/an...DhkZGFlYWRmNGM/

- http://threattrack.t...usps-label-spam
July 7, 2014 - "Subjects Seen:
    Ship Notification
Typical e-mail details:
    Notification
    Our courier couldnt make the delivery of parcel to you at June 17 2014.
    Print label and show it in the nearest post office.
    Download attach . Print a Shipping Label NOW

Malicious File Name and MD5:
    Notification.zip (C44F58432832C2CA9C568939F7730C83)
    Notification_72384792387498237989237498237498.exe (2C286A551D3ED1CAFFB0F679F9473E65)


Screenshot: https://gs1.wac.edge...8cfu1r6pupn.png

Tagged: USPS, Dofoil
___

All Seized Domains Returned to No-IP
- http://threatpost.co...to-no-ip/107028
July 7, 2014 - "Less than a week after Microsoft seized nearly two dozen domains owned by a small hosting provider as part of a takedown of a malware operation, all of those domains are back in the control of the provider, No-IP... This latest takedown operation, however, raised many eyebrows among security researchers, some of whom questioned why Microsoft is being permitted to take control of other companies’ property... all of the seized domains have been returned to the control of Vitalwerks... Microsoft officials said they were still working with Vitalwerks on identifying specific malicious subdomains..."
- http://www.noip.com/...osoft-takedown/
___

Infected travel websites
- http://www.proofpoin...el-websites.php
July 5, 2014 - "... a large number of travel destination websites had been compromised and were being used to deliver the Nuclear exploit kit...  users received promotional emails from these sites containing -links- to infected pages... shares many of the attributes usually associated with watering hole attacks, since these were legitimate emails that users had typically opted-in to receive... the attackers timed their activities to coincide with the summer travel season and the marketing activities that usually happen... Initially about a dozen travel destination websites were identified as being compromised, but additional sites are still continuing to be discovered... these are popular sites that see a lot of organic web traffic, so anyone searching for information relating to tourism in a large number of US cities could have been exposed to the infected sites... When a user browsed to any of these websites they were exposed to the Nuclear exploit kit that integrates multiple different exploits including exploits for Java and Adobe Acrobat. In this case, if the exploit is successful, it attempts to install at least three pieces of malware:
Zemot – A downloader that downloads and installs additional pieces of malware.
Rovnix – A sophisticated bootloader/rootkit that launches the installed malware when the PC boots and then hides itself and other malware from detection.
Fareit – Also a downloader that also attempts to steal user credentials and can be used in DDOS attacks.
... In this case they used what appears to be a travel related site, ecom[.]virtualtravelevent[.]org, helping make the exploit link blend in and look like legitimate content.
> http://www.proofpoin...ite07052014.jpg
So far, all the IPs used in the attack appear to be based in the Ukraine.
Current list of infected websites:
www[.]visitsaltlake[.]com
www[.]visitcumberlandvalley[.]com
www[.]visitmyrtlebeach[.]com
www[.]visithoustontexas[.]com
www[.]seemonterey[.]com
www[.]visitannapolis[.]org
www[.]bostonusa[.]com
www[.]visitokc[.]com/
www[.]tourismvictoria[.]com
www[.]trenton-downtown[.]com
UtahValley[.]com
www.visittucson[.]org
www[.]visitrochester[.]com
www[.]visitannapolis[.]org
www[.]southshorecva[.]com
The hosting companies for these sites have been contacted, so some sites shown above might have been fixed."
 



Edited by AplusWebMaster, 07 July 2014 - 02:19 PM.

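The Proofpoint list in the post above is published defanged (`[.]` for `.`), contains one duplicate and mixes bare domains with `www.` hosts and trailing slashes, so it cannot be dropped into a proxy blocklist as-is. The block below is an added example, not Proofpoint's or this forum's code: it refangs and normalises that list, then matches it against a few constructed proxy log lines in an assumed "timestamp client method url status" layout, treating a blocklisted domain as covering its subdomains (so `www.visitsaltlake.com` hits `visitsaltlake.com`) without also matching unrelated hosts that merely contain the string.

```python
"""Refang the defanged site list above and match it against proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Constructed copy of the defanged indicators quoted from the Proofpoint post.
DEFANGED_INDICATORS = """
www[.]visitsaltlake[.]com
www[.]visitcumberlandvalley[.]com
www[.]visitmyrtlebeach[.]com
www[.]visithoustontexas[.]com
www[.]seemonterey[.]com
www[.]visitannapolis[.]org
www[.]bostonusa[.]com
www[.]visitokc[.]com/
www[.]tourismvictoria[.]com
www[.]trenton-downtown[.]com
UtahValley[.]com
www.visittucson[.]org
www[.]visitrochester[.]com
www[.]visitannapolis[.]org
www[.]southshorecva[.]com
ecom[.]virtualtravelevent[.]org
"""


def refang(indicator: str) -> str:
    """Undo the common [.] / hxxp defanging used when indicators are published."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def normalise_host(indicator: str) -> str:
    """Host only: drop scheme, path, trailing slash and a leading www."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat the value as a netloc
    host = urlsplit(s).hostname or ""
    return host[4:] if host.startswith("www.") else host


def build_blocklist(text: str) -> set:
    return {normalise_host(line) for line in text.splitlines() if line.strip()}


def matched_indicator(host: str, blocklist: set):
    """Return the blocklist entry covering host (exact or parent domain), else None."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in blocklist:
            return candidate
    return None


URL_RE = re.compile(r"https?://[^\s/]+[^\s]*")


def flag_log(lines, blocklist: set) -> list:
    """(client, host, matched) for every log line whose URL host is on the blocklist."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(0)).hostname or ""
        hit = matched_indicator(host, blocklist)
        if hit:
            client = line.split()[1]  # assumed layout: ts client method url status
            hits.append((client, host, hit))
    return hits


# Constructed proxy log lines; the last one is a look-alike that must NOT match.
SAMPLE_LOG = [
    "1404590000.123 10.0.0.5 GET http://www.visitsaltlake.com/events/ 200",
    "1404590001.456 10.0.0.5 GET http://ecom.virtualtravelevent.org/landing.php 200",
    "1404590002.789 10.0.0.6 GET https://example.com/ 200",
    "1404590003.001 10.0.0.7 GET http://visitannapolis.org.example.net/ 200",
]

if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_INDICATORS)
    print(f"{len(bl)} unique hosts on the blocklist")
    for client, host, hit in flag_log(SAMPLE_LOG, bl):
        print(f"{client} -> {host}  (matches {hit})")
```

Because the post itself says the hosting companies have been contacted and some sites may already be clean, a list like this is better used to find clients that visited the sites during the campaign window (and therefore need an exploit-kit triage) than as a permanent block.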


#1226 AplusWebMaster


Posted 08 July 2014 - 07:16 AM

FYI...

Fake BTinternet email - Phish ...
- http://www.hoax-slay...-phishing.shtml
Last updated: July 8, 2014 - "Message purporting to be from BTInternet claims that you must update all of your 'informations' via an attached form or risk the 'expiration' of your BTInternet email. The message is -not- from BT. It is a phishing scam designed to steal personal and financial information from BT customers.
Screenshot: http://www.hoax-slay...hishing-pin.jpg
According to this email, which claims to be from BTInternet, you are required to update all of your account information by filling in a form contained in an attached file. The message warns that your account will be disabled if you do not update your details as instructed... the email is -not- from BT and the claim that you must update details or risk account 'expiration' is a lie.
In fact, the email is a typical phishing scam and is designed to steal your personal and financial data. The attached file contains a form that asks for a large amount of information, including your account login details, your name and contact data, and your credit card and bank account numbers. Opening the attachment loads the form in your web browser. Clicking the 'Submit' button on the -bogus- form sends all of the information to criminals who can then use it to commit financial fraud and identity theft... Any email that asks you to open an attached file or click a link to supply personal and financial information should be treated as suspicious..."

- https://en.wikipedia.org/wiki/BT_Group
___

Chinese hacks turned focus to U.S. experts on Iraq
- http://www.reuters.c...N0FC2E620140708
Jul 8, 2014 - "A sophisticated group of hackers believed to be associated with the Chinese government, who for years targeted U.S. experts on Asian geopolitical matters, suddenly began breaching computers belonging to experts on Iraq as the rebellion there escalated, a security firm said on Monday. CrowdStrike Inc said* that the group is one of the most sophisticated of the 30 it tracks in China and that its operations are better hidden than many attributed to military and other government units... China's Foreign Ministry repeated that the government opposed hacking and dismissed the report... Over the past three years, CrowdStrike said it has seen the group it calls "Deep Panda" target defense, financial and other industries in the United States. It has also gone after workers at think tanks who specialize in Southeast Asian affairs, including former government experts..."
* http://www.crowdstri...anks/index.html
Jul 7, 2014

- http://atlas.arbor.n...ndex#-308984771
July 10, 2014
A Chinese nation-state threat group called "Deep Panda" has been targeting national security think tanks, particularly individuals with ties to Iraq/Middle East policy issues.
Analysis: The focus on these individuals began the same day as an ISIS-led attack on an oil refinery in Iraq, which provides a large amount of oil to China. [ http://www.crowdstri...anks/index.html ] Advanced threat actors frequently target individuals who may have access to sensitive information, demonstrated recently again when hackers believed to be Chinese accessed some databases of the Office of Personnel Maintenance, which conducts background reviews for security clearances. [ http://www.nytimes.c...us-workers.html ] Many individuals are also targeted using information available via public sources such as social media. This information could then be used to conduct social engineering attacks to deliver malware, steal credentials, etc.
___

SCAM: "All Company Formation" (allcompanyformation .com / businessformation247 .com)
- http://blog.dynamoo....-formation.html
8 July 2014 - "Sometimes it isn't easy to see what a -scam- is, but this email hit my -spamtrap- advertising an outfit that can allegedly create offshore companies and acquire all sorts of trading licences and things like SSL certificates.
    From:     All Company Formation [info@ allcompanyformation .com]
    Date:     7 July 2014 12:58
    Subject:     [Info] Worldwide Company Formation Services - EV SSL Approval Services
    We have a team of agents in different countries we are providing Company Registration services...
    For order and need more informations kindly contact us : www .allcompanyformation .com
    Email: info@ allcompanyformation .com
    skype : companiesformations


The spam originates from 209.208.109.225 which belongs to Internet Connect Company in Orlando, Florida.. Orlando being a hotbed of fraud which would make it ideal for twinning with Lagos. The spam then bounces through a WebSiteWelcome IP of 192.185.82.77. None of those IP's give a clue as to the real ownership of the site. The -spamvertised- site of allcompanyformation .com (also mirrored at businessformation247 .com) looks generic but professional:
> https://3.bp.blogspo...yfoundation.png
It is plastered with logos from legitimate organisations, presumably to give it an air of respectability:
> https://2.bp.blogspo...yformation3.png
You can pay for these "services" using any one of a number of obscure payment methods:
> https://2.bp.blogspo...yformation4.png
... The contact information seems deliberately vague and there are no physical contact addresses or company registration details anywhere on the website:
> https://3.bp.blogspo...yformation5.png
The telephone number looks like a US one, but on closer examination appears to be a Bandwidth.com VOIP forwarder to another number (which could be anywhere in the world). These 315-944 numbers seem to be often abused by scammers. The WHOIS details are anonymous, and the website has been carefully excised of any identifying information. Most of the text (and indeed the whole concept) has been copy-and-pasted from Slogold.net who seem to be a real company with real contact details. They even go so far as to warn people of various scams using the Slogold name. The following factors indicate that this is a scam, and sending them money would be a hugely bad idea:
- The site is promoted through spam (this sample was sent to a spamtrap)
- The domain allcompanyformation .com has anonymous registration details and was created only in December 2013.
- There are no real contact details anywhere on the site.
- The text is copy and pasted (i.e. stolen) from other sites, primarily Slogold .net.
-Avoid- "
___

AVG Safeguard and Secure Search ActiveX control provides insecure methods
- http://www.kb.cert.org/vuls/id/960193
Last revised: 07 Jul 2014 - "... By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to download and execute arbitrary code with the privileges of the logged-on user.
Solution: Apply an update: This issue is addressed in AVG Secure Search -toolbar- version 18.1.7.598 and AVG Safeguard 18.1.7.644. While these versions are still marked as Safe for Scripting, this version of the control has restrictions in place that prevent its use by web pages hosted by domains other than .avg .com or .avg.nation .com. Please also consider the following workaround:
Disable the AVG ScriptHelper ActiveX control in Internet Explorer:
The vulnerable AVG ScriptHelper ActiveX control can be -disabled- in Internet Explorer by setting the kill bit..."
(More detail at the cert URL above.)
- https://web.nvd.nist...d=CVE-2014-2956 - 9.3 (HIGH)

> http://www.avg.com/us-en/secure-search
"... connection times out
> http://inst.avg.com/...ab0:productpage
"... connection times out
 



Edited by AplusWebMaster, 11 July 2014 - 05:46 AM.



#1227 AplusWebMaster


Posted 09 July 2014 - 11:27 AM

FYI...

Fake Incoming Fax – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 July 2014 - "New Incoming Fax pretending to come from Incoming Fax <noreply@ fax-reports .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Dear Customer,
You have received a new fax.
Date/Time: 2014:08:09 12:28:09
Number of pages:2
Received from: 08447 53 54 56
Regards,
FAX


9 July 2014: fax9999999999.zip (168 kb) Extracts to fax0010029826052014.scr
Current Virus total detections: 7/54*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1404915722/
___

E-Z Pass Spam
- http://threattrack.t...3/e-z-pass-spam
July 9, 2014
Screenshot: https://gs1.wac.edge...8QOy1r6pupn.png
Subjects Seen:
    Indebted for driving on toll road
Typical e-mail details:
    Dear customer,
    You have not paid for driving on a toll road. This invoice is sent repeatedly,
    please service your debt in the shortest possible time.
    The invoice can be downloaded here.


Malicious URLs:
    krsk .info/components/api/aHZ/WVeiJ0vWJCZzh9O0pXzmah/NtSjknz1hSYIcsqQ=/toll

91.193.224.60
: https://www.virustot...60/information/

Tagged: E-Z Pass, Kuluoz
 



Edited by AplusWebMaster, 09 July 2014 - 05:03 PM.



#1228 AplusWebMaster


Posted 10 July 2014 - 09:27 AM

FYI...

Shylock takedown - Europol
- http://www.nationalc...shylock-malware
10 July 2014 - "An international operation involving law enforcement agencies and private sector companies is combating the threat from a type of malicious software (malware) used by criminals to steal from bank accounts. In the first project of its kind for a UK law enforcement agency, the National Crime Agency has brought together partners from the law enforcement and private sectors, including the FBI, Europol, BAE Systems Applied Intelligence, GCHQ, Dell SecureWorks, Kaspersky Lab and the German Federal Police (BKA) to jointly address the Shylock trojan. As part of this activity, law enforcement agencies are taking action to disrupt the system which Shylock depends on to operate effectively. This comprises the seizure of servers which form the command and control system for the trojan, as well as taking control of the domains Shylock uses for communication between infected computers. This has been conducted from the operational centre at the European Cybercrime Centre (EC3) at Europol in The Hague. Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to coordinate action in their respective countries, in concert with counterparts in Germany, Poland and France. Shylock - so called because its code contains excerpts from Shakespeare’s Merchant of Venice - has infected at least 30,000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere. The NCA is therefore coordinating international action against this form of malware. Victims are typically infected by clicking on malicious links, and then unwittingly downloading the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers..."
___

MS cybercrime bust frees 4.7 million infected PCs
- http://www.reuters.c...N0FF2CU20140710
July 10, 2014 - "Microsoft Corp said it has freed at least 4.7 million infected personal computers from control of cyber crooks in its most successful digital crime-busting operation, which interrupted service at an Internet-services firm last week. The world's largest software maker has also identified at least another 4.7 million infected machines, though many are likely still controlled by cyber fraudsters, Microsoft's cybercrime-fighting Digital Crimes Unit said on Thursday. India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico have the largest number of infected machines, in the first high-profile case involving malware developed outside Eastern Europe. Richard Domingues Boscovich, assistant general counsel of the unit, said Microsoft would quickly provide government authorities and Internet service providers around the world with the IP addresses of infected machines so they can help users remove the viruses... The operation is the most successful of the 10 launched to date by Microsoft's Digital Crimes Unit, based on the number of infected machines identified, Boscovich said. Microsoft located the compromised PCs by intercepting traffic headed to servers at Reno, Nevada-based Vitalwerks Internet Solutions, which the software maker said criminals used to communicate with compromised PCs through free accounts on its No-IP.com services. Vitalwerks criticized the way Microsoft handled the operation, saying some 1.8 million of its users lost service for several days. The Internet services firm said that it would have been glad to help Microsoft, without interrupting service to legitimate users. Microsoft has apologized, blaming "a technical error" for the disruption, saying service to customers has been restored... The operation, which began on June 30 under a federal court order, targeted malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways and were written and distributed by developers in Kuwait and Algeria."
___

Fake "TT PAYMENT COPY" SPAM - malicious attachment
- http://blog.dynamoo....-copy-spam.html
10 July 2014 - "We've seen spam like this before. It comes with a malicious attachment.
    Date:      Thu, 10 Jul 2014 00:09:28 -0700 [03:09:28 EDT]
    From:      "PGS Global Express Co, Ltd." [pgsglobal1960@ gmail .com]
    Subject:      Re TT PAYMENT COPY
    ATTN:
    Good day sir,here is the copy of the transfer slip ,kindly find the attach copy and please check with your bank to confirm the receipt of the payment and do the needful by dispatching the material as early as possible.
   We hope you will do the needful and let us know the dispatch details.
    (purchase) Manager.
                       ------sent from my iphone5s-------


It comes with an attachment TT PAYMENT COPY.ZIP containing the malicious executable TT PAYMENT COPY.exe which has a VirusTotal detection rate of 19/54*. According to Malwr** this appears to be a self-extractive archive file which then drops (inter alia) a file iyKwmsYRtDlN.com which has a very low detection rate of 1/52***. It isn't clear what this file does according to the report**."
* https://www.virustot...sis/1405000247/

** https://malwr.com/an...mU0OWM0YzM0OTA/

*** https://www.virustot...sis/1405000668/
___

Fake E100 MTB ACH SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 July 2014 - "E100 MTB ACH Monitor Event Notification is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
You have received a secure message from M&T Bank
At M&T Bank,we understand the importance of protecting confidential information. That’s why we’ve developed this email messaging system, which will allow M&T to securely send you confidential information via email.
An M&T Bank employee has sent you an email message that may contain confidential information. The sender’s email address is listed in the from field of this message. If you have concerns about the validity of this message, contact the sender directly.
To retrieve your encrypted message, follow these steps:
1. Click the attachment, securedoc.html.
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
2. Enter your password.
If you are a first time user, you will be asked to register first.


10 July 2014: Securedoc.zip ( 284kb): Extracts to Securedoc.pdf.scr
Current Virus total detections: 0/38 * . This E100 MTB ACH Monitor Event Notification is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405013243/
___

Fake Money Transfer - PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 July 2014 - "Important Notice – Incoming Money Transfer is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
An Incoming Money Transfer has been received by your financial institution for thespykiller .co .uk. In order for the funds to be remitted on the correct account please complete the “A136 Incoming Money Transfer Form”.
Fax a copy of the completed “A136 Incoming Money Transfer Form” to +1 800 722 4969.
To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Trevor.Mcdowell
Senior Officer Level III
Cash Management Verification ...


10 July 2014: A136_Incoming_Money_Transfer_Form.zip (10kb): Extracts to
A136_Incoming_Money_Transfer_Form.exe.exe - Current Virus total detections: 2/53 * . This Important Notice – Incoming Money Transfer is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.
* https://www.virustot...sis/1405013171/
___

Symantec in talks with Chinese government after software ban report
- http://www.reuters.c...N0FF1V320140710
July 10, 2014 - "U.S. security software maker Symantec Corp said it is holding discussions with authorities in Beijing after a state-controlled Chinese newspaper reported that the Ministry of Public Security had banned use of one of its products. The China Daily reported last week that the ministry had issued an order to its branches across the nation telling them to uninstall Symantec's data loss prevention, or DLP, products from their systems and banning their future purchase, saying the software 'could pose information risks'..."
 



Edited by AplusWebMaster, 10 July 2014 - 06:17 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1229 AplusWebMaster

Posted 11 July 2014 - 07:39 AM

FYI...

Fake Citibank Commercial Form email – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 July 2014 - "FW: Important – Commercial Form is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Commercial Banking Form
To: < redacted >
Case: C1293101
Please scan attached document and fax it to +1 800-285-5021 .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-6575 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
Yours faithfully
Leanne Davis Commercial Banking Citibank N.A Leanne.Davis@ citibank .com
Copyright © 2014 Citigroup Inc.


11 July 2014: C1293101.zip (9kb): Extracts to  C100714.scr
Current Virus total detections: 0/53 * . This FW: Important – Commercial Form is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405086057/
___

A cunning way to deliver malware
- http://blog.malwareb...eliver-malware/
July 11, 2014 - "Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org* shows the prevalence of such applications lurking on every corner of the web: search engines results, software portals, popups, ads, etc... Here is an example of an unwanted warning pushed as a pop-up:
> http://cdn.blog.malw.../07/message.png
... The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.
> http://cdn.blog.malw...07/download.png
It is worth noting that this webpage was totally unsolicited and is in fact very misleading... In other words, the program they want you to download bundles other applications, something we know all too well. Attempting to close the page brings up yet another warning:
> http://cdn.blog.malw...014/07/sure.png
We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is saying our system could be at risk we are silently being infected with a drive-by download... two malware payloads are subsequently dropped (#1, #2) detected as Spyware.Zbot.VXGen... We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors."
1) https://www.virustot...115c2/analysis/

2) https://www.virustot...25fbb/analysis/

* https://www.cert.org...cfm?EntryID=199
7/07/2014 - "... depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure, these may be annoyances, but there's an even more important security aspect to these types of applications: attack surface..."
___

Fake 'E-ZPass Unpaid Toll' SPAM - links to Malware
- http://www.hoax-slay...l-malware.shtml
July 11, 2014 - "Email purporting to be from US toll collection system E-ZPass claims that the recipient has not paid for driving on a toll road and should click a link to download an invoice... The email is -not- from E-ZPass. It is a criminal ruse designed to trick you into downloading malware... If you receive this message, do -not- click any links or open -any- attachments that it contains..."
> http://www.hoax-slay...l-malware-1.jpg

Ref: http://stopmalvertis...-to-asprox.html
9 July 2014 - E-ZPass themed emails lead to Asprox
___

GameOver Zeus mutates - launches Attacks
- http://blog.malcover...er-zeus-returns
July 10, 2014 - "... -new- trojan based heavily on the GameOver Zeus binary. It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed... we saw spam messages claiming to be from NatWest...
> https://cdn2.hubspot...er_Return_2.png
... we saw spam messages with the subject “Essentra PastDue” like these:
> https://cdn2.hubspot...er_Return_4.png
... The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of “E100 MTB ACH Monitor Event Notification”. That campaign is still ongoing as of this writing.
> https://cdn2.hubspot...er_Return_7.png
The three spam campaigns each had a .zip attachment. Each of these contained the same file in the form of a “.scr” file with the hash:
MD5:   5e5e46145409fb4a5c8a004217eef836
At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal is 10/54:
> https://cdn2.hubspot...er_Return_8.png
Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information “webinject” files from the server. The Domain Generation Algorithm is a method for a criminal to regain access to his botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists... Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down".  This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy... This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history..."

- http://www.nationalc...icious-software
13 June 2014
___

SCAMS: Free Movies - Reel Deal? ...
- http://blog.malwareb...-the-reel-deal/
July 11, 2014 - "... We often see Netflix themed sites used as a -bait- so this one immediately caught our eye... The end user is presented with a number of surveys and offers, one of which has to be completed to obtain the “free account”. They lead to a variety of places:
> http://cdn.blog.malw...14/07/flix3.jpg
Another one:
> http://cdn.blog.malw...14/07/flix4.jpg
We tried to “unlock” the supposed text file to see what happened next, by installing two separate offers – a “TV toolbar” and a “We love games community toolbar”.
> http://cdn.blog.malw...14/07/flix5.jpg
> http://cdn.blog.malw...14/07/flix6.jpg
In both cases, nothing was unlocked and we saw no evidence of text files. What we did have, were two potentially unwanted programs which a regular user would only have installed to get the text file in the first place. You’re better off avoiding sites which promise “free” signups to websites and services, and buying directly from the real thing. More often than not, you can never be sure if what you’re receiving is legit or will be shut down by the service provider. And of course, in many cases what you’ll be getting your hands on after signing up to offers or downloading programs will be little more than thin air..."
 



Edited by AplusWebMaster, 11 July 2014 - 01:25 PM.



#1230 AplusWebMaster

Posted 13 July 2014 - 09:57 AM

FYI...

ZeuS GameOver Reloaded
- http://stopmalvertis...r-reloaded.html
12 July 2014 - "Yesterday we received an unsolicited email appearing to be from the M&T Bank, an American commercial bank headquartered in Buffalo. The emails arrive with the subject line "E100 MTB ACH Monitor Event Notification".

Screenshot: http://stopmalvertis...s/new-gmo16.jpg

The recipient is informed that an M&T Bank employee has sent them an email message that may contain confidential information. To retrieve the encrypted message the addressee is invited to save the attachment "securedoc.html" and open the file in a Web browser. The attachment isn’t an HTML file as stated by the spammed out message but a ZIP archive containing an executable named SECUREDOC.PDF.SCR. The file with a double extension (.pdf.scr) poses as a PDF document... -never- trust a file by its icon and make sure that Windows Explorer is set to show file extensions... The new instance of SECUREDOC.PDF.SCR will create a random named folder in the %TEMP% directory and will drop a copy of itself in the new folder using a random file name with an EXE extension... The payload is similar to ZeuS GameOver without the Necurs rootkit component... This version doesn’t rely on P2P communications but uses a different Domain Generation Algorithm (DGA) compared to the ZeuS GameOver version we know. The DGA domains are hosted on a Fast Flux infrastructure. This release generates .COM, .NET, .ORG and .BIZ domains, apparently between 21 and 28 alphanumeric characters long (without the domain extension). The threat performs around 500 DNS lookups to see if any of the DGA domains resolve to an IP, pauses 5 minutes and starts all over again...
Update: Additional Information - Although the rootkit component has been left out in this new release of ZeuS GameOver, from a technical point of view the code shares more similarities with the ZeuS GameOver with Necurs variant than with the version before the rootkit introduction. Both versions share the same compiler and compile settings. The new version mostly uses the same classes as ZeuS GameOver with Necurs and the same zlib and pcre library versions. The content of the encrypted string table is identical in both versions. The new release also uses RSA to verify the authenticity of the server’s response, the content is decrypted using RC4 and VisualDecrypt... IP Details
zi7sh2zoptpb14w9mgxugkey2 .com - 69.61.18.148
9zusnu3rh65o1nal2ty1fbb5o0 .net - 86.124.164.25
... The IP 86.124.164.25 is a known CryptoLocker IP. According to VirusTotal* several malware samples communicate with this IP but at the time of the write-up I'm unable to tell if this is yet another sinkhole.
Update July 13, 2014: this IP is a sinkhole..."
(More detail at the stopmalvertising.com URL above.)
* https://www.virustot...25/information/ - Still active 2014-07-16

69.61.18.148: https://www.virustot...48/information/ - Still active 2014-07-16

Cutwail botnet spam email containing the new Gameover Zeus variant
- http://www.securewor...over.zeus.1.png

- http://www.securewor...eer-capability/
July 11, 2014 - "... Previous Gameover Zeus versions relied primarily on the P2P component for communication but reverted to a DGA if no peers could be contacted. The new DGA used in this version generates 1,000 domains per day..."

- http://net-security....ews.php?id=2804
July 11, 2014
> http://www.net-secur...tolocker-bd.jpg
___

Gameover Zeus Variant Resumes Activity
- https://atlas.arbor....index#170748218
17 Jul 2014
A new variant based on the GameOver Zeus Trojan has been identified distributing spam.
Analysis: While the original GameOver Zeus was taken down by law enforcement last month, this new variant suggests that cyber criminals will continue to leverage this malware. Past law enforcement operations on active botnets, while temporarily successful, have done little to fully disrupt malicious activity, as criminals frequently find new available malware and tools. [ http://blog.malcover...er-zeus-returns , http://nakedsecurity...-from-the-dead/ ]
 



Edited by AplusWebMaster, 18 July 2014 - 07:18 AM.

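The Malcovery, stopmalvertising and Dell SecureWorks write-ups above describe the new variant's DGA only by its observable traits: second-level labels of 21-28 alphanumeric characters under .com/.net/.org/.biz, hundreds of lookups in a burst, most of them failing to resolve. That is enough to hunt for it in resolver logs. The script below is an added example, not code from any of those write-ups, and it does not reproduce the real Gameover Zeus algorithm; it only matches the pattern they describe. The "timestamp client qname" log format, the requirement that a label mixes letters and digits, the entropy floor and the burst threshold are assumptions for the example. The two DGA names in the constructed sample are the ones quoted in the stopmalvertising post; the third is made up.

```python
"""Flag DNS lookups that fit the DGA pattern described in the write-ups.

Added example: not Malcovery/stopmalvertising/SecureWorks code, and not the
real Gameover Zeus DGA. Only the observable traits are used.
"""
import math
import re
from collections import Counter

DGA_TLDS = {"com", "net", "org", "biz"}          # from the write-ups
LABEL_RE = re.compile(r"^[a-z0-9]{21,28}$")      # 21-28 alphanumerics
MIN_ENTROPY = 3.5  # bits per char; assumed floor for random-looking labels

# Constructed resolver log, one "unix_ts client qname" record per line. The
# first two DGA names are quoted in the stopmalvertising write-up; the third
# and the client addresses are made up for the example.
SAMPLE_LOG = """\
1405200000 10.0.0.5 www.example.com
1405200001 10.0.0.5 zi7sh2zoptpb14w9mgxugkey2.com
1405200001 10.0.0.5 9zusnu3rh65o1nal2ty1fbb5o0.net
1405200002 10.0.0.5 kx4p0q7m2z8n1b5v9c3r6t0y4u.org
1405200002 10.0.0.7 mail.google.com
1405200003 10.0.0.7 thisisaperfectlynormalname.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(qname):
    """True when qname is <21-28 alphanumerics>.<com|net|org|biz> and random-looking."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] not in DGA_TLDS:
        return False
    label = parts[-2]
    if not LABEL_RE.match(label):
        return False
    # Assumption: generated labels mix letters and digits and are high-entropy.
    # This keeps long dictionary names (marketing domains) out of the results.
    if label.isalpha() or label.isdigit():
        return False
    return shannon_entropy(label) >= MIN_ENTROPY


def parse_log(text):
    """Parse the constructed 'ts client qname' lines into (int, str, str) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        records.append((int(fields[0]), fields[1], fields[2]))
    return records


def analyze(text, burst_threshold=100):
    """Return (matching records, {client: count} for clients at/over the threshold).

    The write-ups describe roughly 500 lookups per cycle; 100 is an assumed
    default that still ignores the odd legitimate long name.
    """
    hits = [r for r in parse_log(text) if looks_like_dga(r[2])]
    per_client = Counter(src for _, src, _ in hits)
    bursts = {src: n for src, n in per_client.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = analyze(SAMPLE_LOG, burst_threshold=2)
    for ts, src, qname in hits:
        print(f"{ts} {src} DGA-like {qname}")
    for src, n in bursts.items():
        print(f"{src}: {n} DGA-like lookups in the log, check this host")
```

On a real resolver log the NXDOMAIN rate per client is the stronger signal (the write-ups note that most of the 500 lookups fail); combine it with the name check above rather than relying on the name shape alone, and do not block the TLDs themselves.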


#1231 AplusWebMaster

Posted 14 July 2014 - 04:13 PM

FYI...

Fake Important Internal Only SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 July 2014 - "Important – Internal Only that pretends to come from administrator @ your domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
File Validity: 07/14/2014
File Format: Office – Excel ,PDF
Name: Internal Only
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Internal Only.pdf
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s)...


14 July 2014: Internal Only – thespykiller.co.uk.zip: Extracted file name:   Internal Only.scr
Current Virus total detections: 3/54 * . This Important – Internal Only is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405352721/

- http://blog.dynamoo....-only-spam.html
14 July 2014 - "This spam comes with a malicious payload:
    Date:      Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
    Subject:      Important - Internal Only
    File Validity: 07/14/2014

    File Format: Office - Excel ,PDF
    Name: Internal Only
    Legal Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: Internal Only.pdf ...

Attached to the message is an archive file Internal Only - victimdomain which in turn contains a malicious executable Internal Only.scr which has a VirusTotal detection rate of 9/54* which indicates that this is a variant of Upatre... This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54**..."
* https://www.virustot...sis/1405363103/

** https://www.virustot...sis/1405363781/

82.98.160.242: https://www.virustot...42/information/

194.58.101.96: https://www.virustot...96/information/
___

Email Messages distributing Malicious Software - July 14, 2014
- http://tools.cisco.c...x?alertId=34782
Version: 9
First Published: 2014 June 30 11:59 GMT
Last Published: 2014 July 14 18:48 GMT
"... significant activity related to spam email messages distributing malicious software...  sample of the email message that is associated with this threat outbreak: Subject: 10 messages..."
(More detail at the cisco URL above.)
 



Edited by AplusWebMaster, 15 July 2014 - 06:58 AM.



#1232 AplusWebMaster

Posted 15 July 2014 - 10:06 AM

FYI...

Fake BBB SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 July 2014 - "BBB SBQ Form #862054929(Ref#85-862054929-0-4) pretending to come from BBB Accreditation Services <Emmanuel_Hastings@ newyork .bbb .org> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Thank you for supporting your Better Business Bureau (BBB). As a service to BBB Accredited
Businesses, we try to ensure that the information we provide to
potential customers is as accurate as possible. In order for us to
provide the correct information to the public, we ask that you review
the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)...
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services


15 July 2014: BBB SBQ Form.zip (7kb) : Extracted file name:  BBB SBQ Form.exe.exe
Current Virus total detections: 2/53 * . This  BBB SBQ Form #862054929(Ref#85-862054929-0-4) is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405433104/
___

Fake Notice to Appear in Court Email - Malware
- http://www.hoax-slay...t-malware.shtml
15 July 2014 - "Email purporting to be from Green Winick Attorneys at Law claims that you are required to appear in court and should click a link to view a copy of the court notice... The email is -not- from Green Winick or any legitimate legal entity. The link in the email opens a webpage that harbours -malware- ...
> http://www.hoax-slay...s-july-2014.jpg
... The email claims that you are required to appear in court and should therefore -click- a link to download the court notice and 'read it thoroughly'. The message warns that, if you fail to appear as requested, the judge may hear the case in your absence... If you click the link in the email, you will be taken to a website that harbours a version of the notorious Asprox/Kulouz malware. Once downloaded and installed, the malware attempts to download further malware and allows criminals to maintain control of the infected computer and join it to a botnet..."

Ref: ASProx botnet, aka Kulouz
- http://garwarner.blo...reenwinick.html
July 13, 2014
Screenshot: https://3.bp.blogspo...GreenWinick.jpg

- https://www.virustot...sis/1405216664/
___

Fake Virgin Airlines Calls ...
- http://www.hoax-slay...cam-calls.shtml
15 July 2014 - "A number of people in different parts of Australia have reported receiving 'prize' calls claiming to be from Virgin Australia. The callers claim that the 'lucky' recipient of the call has won a cash prize or 999 frequent-flyer points. Supposedly, winners were randomly drawn from the names of people who have flown with the airline in the past. 'Winners' are then told that they must provide their credit card details to claim their prize... the calls are certainly -not- from Virgin Australia and recipients have won nothing at all. The calls are a criminal ruse designed to steal credit card information. Virgin Australia has issued a statement* warning people about the scam..."
* http://www.virginaus.../travel-alerts/
___

.pif files, Polish spam from Orange, and Tiny Banker (Tinba)
- http://garwarner.blo...orange-and.html
July 15, 2014 - "... we saw 1,440 copies of a spam message claiming to be from "orange .pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names... I was surprised to see that the file was actually TinBa or "Tiny Banker"!... email that was distributed so prolifically this morning:
> http://4.bp.blogspot...m.orange.pl.jpg
In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:
    If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www .orange .pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www .orange .pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53)* detection rate. The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange .com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal... more malware, disguised as an invoice but actually a .pif file. The current detection at VirusTotal for that campaign is 33 of 53** detections. Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message..."
* https://www.virustot...ce8c6/analysis/

** https://www.virustot...d61d8/analysis/
 



Edited by AplusWebMaster, 15 July 2014 - 12:28 PM.



#1233 AplusWebMaster

Posted 16 July 2014 - 11:51 AM

FYI...

Fake Fax / Secure msg SPAM
- http://blog.dynamoo....u-have-new.html
16 July 2014 - "This -pair- of spam messages leads to a malicious ZIP file downloaded via goo .gl (and -not- Dropbox as the spam says):
From:     Fax [fax@ victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax
New fax at SCAN7905518 from EPSON by https ://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)
-------------
From:     NatWest [secure.message@ natwest .com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)


I have seen three goo .gl URLs leading to three different download locations, as follows
https ://goo .gl/1dlcL3 leads to
http ://webbedenterprisesinc .com/message/Document-6936124.zip
https ://goo .gl/8AanL9 leads to
http ://rollermodena .it/Document-2816409172.zip
https ://goo .gl/pwgQID leads to
http ://www.vetsaudeanimal .net/Document-9879091.zip
- In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54*. The Malwr report** shows that this then downloads components from the following locations (hosted by OVH France):
http ://94.23.247.202 /1607h/HOME/0/51Service%20Pack%203/0/
http ://94.23.247.202 /1607h/HOME/1/0/0/
An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54***. The Malwr report for that is inconclusive.
Recommended blocklist:
94.23.247.202
vetsaudeanimal .net
rollermodena .it
webbedenterprisesinc .com
"
* https://www.virustot...sis/1405523997/

** https://malwr.com/an...DkzOTBmNWJjMjg/

*** https://www.virustot...sis/1405524493/

94.23.247.202: https://www.virustot...02/information/

 

- http://threattrack.t...re-message-spam
July 16, 2014 - "Subjects Seen:
    You have a new Secure Message
Typical e-mail details:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at:
    goo .gl/1dlcL3


Screenshot: https://gs1.wac.edge...9zgJ1r6pupn.png

Malicious URLs:
    webbedenterprisesinc .com/message/Document-6936124.zip
    lavadoeimagen .com/Document-09962146.zip

Malicious File Name and MD5:
    Document-<random>.scr (2A835747B7442B1D58AB30ABC90D3B0F)
    Document-<random>.zip (323706E66968F4B973870658E84FEB69)


Tagged: NatWest, Upatre
 



Edited by AplusWebMaster, 16 July 2014 - 01:05 PM.



#1234 AplusWebMaster

Posted 17 July 2014 - 06:43 PM

FYI...

Fake 'Take a look at this picture' email – malware
- http://myonlinesecur...ke-pdf-malware/
17 July 2014 - "'You should take a look at this picture' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very simple email with the subject of 'You should take a look at this picture' and the body just containing a smiley face.
17 July 2014: IMG3384698174-JPG.zip (24 kb) : Extracts to IMG4563693711-JPG.scr
Current Virus total detections: 3/54 * ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405605234/
 



Edited by AplusWebMaster, 17 July 2014 - 06:51 PM.

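Nearly every sample in the posts above (Securedoc.pdf.scr, A136_Incoming_Money_Transfer_Form.exe.exe, IMG875002763.JPEG.pif, Internal Only.scr) relies on the same trick: an executable extension that Explorer hides, behind a document or image icon. The myonlinesecurity write-ups say to enable "show known file extensions", and the stopmalvertising post says never to trust a file by its icon. A mail gateway can apply the same two rules before the user ever sees the attachment. The script below is an added example, not code from any of those sites: it opens a ZIP, flags member names that hide an executable extension behind a document extension (or double an executable extension), and separately checks the member content for an MZ/PE header, which identifies a Windows executable whatever the file is called. The sample archive and its contents are constructed here, and the extension lists are a starting point rather than a complete policy.

```python
"""Check a mail attachment ZIP for the disguised executables seen in the spam runs.

Added example, not from myonlinesecurity.co.uk or stopmalvertising.com.
Two independent checks per member: the name and the content.
"""
import io
import struct
import zipfile

# Extensions Windows will execute when double-clicked (assumed starting list).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js",
             "jse", "jar", "cpl", "hta", "msi", "ps1", "lnk", "wsf"}
# Extensions an attacker puts in front of the real one to borrow its icon.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "htm", "html",
            "jpg", "jpeg", "png", "gif"}

# Constructed minimal MZ header whose e_lfanew field (offset 0x3C) points at a
# "PE\0\0" signature: enough for the header check, not a runnable program.
PE_STUB = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\x00\x00"


def suspicious_name(name):
    """Describe why a member name looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return f"executable .{last} posing as .{parts[-2]}"
    if len(parts) >= 3 and parts[-2] in EXEC_EXTS:
        return f"doubled executable extension .{parts[-2]}.{last}"
    return f"executable attachment .{last}"


def exe_magic(data):
    """'PE' for a verified PE header, 'MZ' for any other MZ file, None otherwise."""
    if data[:2] != b"MZ":
        return None
    if len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "MZ"  # DOS stub only, or PE header beyond the bytes we read


def scan_zip_bytes(data, head_bytes=4096):
    """Return [(member, reason)] for every member that fails either check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            reason = suspicious_name(info.filename)
            if reason:
                reasons.append(reason)
            with zf.open(info) as member:
                head = member.read(head_bytes)  # header check needs only the start
            kind = exe_magic(head)
            if kind:
                reasons.append(f"content is a Windows {kind} executable")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_zip():
    """Constructed archive mixing the names seen in the spam runs with benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Securedoc.pdf.scr", PE_STUB)
        zf.writestr("report.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("A136_Incoming_Money_Transfer_Form.exe.exe", PE_STUB)
        zf.writestr("notes.txt", b"plain text, nothing to see\n")
        zf.writestr("IMG875002763.JPEG.pif", PE_STUB)
        zf.writestr("invoice.pdf", PE_STUB)  # renamed executable, clean-looking name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_bytes(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

The content check is the one that matters: invoice.pdf in the sample has a clean name and would pass a filename filter, but its MZ/PE header gives it away. On the desktop side, the Explorer option the write-ups refer to is "Hide extensions for known file types" under Folder Options; with it on, Securedoc.pdf.scr is displayed as Securedoc.pdf.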


#1235 AplusWebMaster

Posted 18 July 2014 - 09:30 AM

FYI...

Something evil on 5.135.211.52 and 195.154.69.123
- http://blog.dynamoo....521152-and.html
18 July 2014 - "This is some sort of malware using insecure OpenX ad servers to spread... don't know quite what it is, but it's running on a bunch of -hijacked- GoDaddy subdomains and is triggering a generic Javascript detection on my gateway... The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT*] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT**]. This second IP has also been used to host "one two three" malware sites back in May***.
Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance .com
risleyhouse .net
ecofloridian .info
ecofloridian .com
trustedelderlyhomecare .net
trustedelderlyhomecare .org
trustedelderlyhomecare .info
theinboxexpert .com
"
* 5.135.211.52: https://www.virustot...52/information/

** 195.154.69.123: https://www.virustot...23/information/

*** http://blog.dynamoo....ons-center.html
___

Law Firm Spam
- http://threattrack.t...8/law-firm-spam
July 18, 2014 - "Subjects Seen:
    Notice of appearance
Typical e-mail details:
    Notice to Appear,
    To view copy of the court notice click here. Please, read it thoroughly. Note: If you do not attend the hearing the judge may hear the case in your absence.


Malicious URLs:
    encoretaxcpa .com/wp-content/plugins/pm.php?notice=rAKMA0yBTjJaHycjLxYiPxWIuHzgUE6cEU/ZGGio7m4=


Screenshot: https://gs1.wac.edge...n8BS1r6pupn.png

Tagged: Law firm, Kuluoz
___

Hotel Business Center Machines - targeted by keyloggers
- https://atlas.arbor....index#802927307
Elevated Severity
July 17, 2014 - "The U.S. Secret Service has issued an advisory warning users to avoid using hotel business center computers, as cybercriminals frequently target these machines to install keylogging malware.
Analysis: Any publicly accessible computer, even those perceived to be in secure locations, should not be used to access personal or company data. If printing services are needed, users should consider forwarding the information to a throw-away email address, which is then accessed from the public computer.

- http://krebsonsecuri...usiness-centers
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 18 July 2014 - 12:01 PM.



#1236 AplusWebMaster


Posted 21 July 2014 - 08:26 AM

FYI...

Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo....981-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia
"
* http://blog.dynamoo....ovh-france.html

** http://urlquery.net/...d=1405937345878

*** 188.120.198.1: https://www.virustot....1/information/
___

Facebook video scam leaves unamusing Trojan
- http://net-security....ews.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___

Bank of America - Activity Alert Spam
- http://threattrack.t...vity-alert-spam
July 21, 2014 - "Subjects Seen:
    Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
    report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)


Screenshot: https://gs1.wac.edge...Nlop1r6pupn.png

Tagged: Bank of America, Upatre

- http://myonlinesecur...ke-pdf-malware/
21 July 2014
> https://www.virustot...sis/1405960609/
___

Bitly API key and MSNBC unvalidated redirects
- http://community.web...-redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.web..._2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.web..._2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.web..._2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing.  Kudos to them.
>> http://community.web..._2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com..._practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 21 July 2014 - 10:51 PM.



#1237 AplusWebMaster


Posted 22 July 2014 - 06:57 AM

FYI...

Facebook SCAM - 'Actual Footage Missile MH-17'
- http://www.hoax-slay...rvey-scam.shtml
July 22, 2014 - "Facebook message claims that users can see actual footage of the missile fired at downed Malaysian Airlines flight MH17 by pro-Russian militants. The promised video does not exist. The message is a -scam- designed to trick people into spamming their friends with the same fake material and participating in -bogus- online surveys. If this message comes your way, do not click any links that it contains.
> http://www.hoax-slay...rvey-scam-1.jpg
This message, which is being distributed on Facebook, promises users actual footage showing the missile that destroyed Malaysian Airlines flight MH17. The message invites users to click a link to view the footage... The supposed video is just a trick to get you to click the link in the message.  In fact, the message is a typical 'shocking video' survey scam. If you click the link in the message, you will be taken to a fake Facebook Page that supposedly hosts the video. The fake page comes complete with equally fake user comments... scammers quickly exploit every high-profile disaster and the MH17 tragedy is no exception. In coming days and weeks, be wary of any message that asks you to click a link to access video or breaking news pertaining to MH17..."
___

Facebook Scam leads to Nuclear Exploit Kit
- http://www.symantec....ear-exploit-kit
22 July 2014 - "... The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook..."
Regions affected by Nuclear exploit kit
> http://www.symantec....book Scam 4.png
___

Spammy Tumblr Apps and Stalker Hunting
- http://blog.malwareb...talker-hunting/
July 22, 2014 - "... the latest one currently bouncing around the popular social network. You’ll notice it apes the template of the site in the linked blog [1] – same spam posts, same spam application name – although the website for this one looks fairly slick. It’s possible this one is closely related to the February spamrun, as the same Bit.ly user account created shortening URLs for both. Here’s the spam popping up on various blogs:
> http://cdn.blog.malw.../tumbstalk1.jpg
Below is the site it leads to, located at reviewsloft(dot)com/a/?3
> http://cdn.blog.malw.../tumbstalk2.jpg
... Once the install is done, they’ll show the inevitable surveys to the end-user to make some money. As before, a bit.ly link is used... With this current spamrun we can see that we’re hitting about 19,000 in 12 days, with around 2,000 clicks listed as coming from Tumblr and the rest classed as “unknown”. Not a huge amount of information to go on, then, but a good reminder that people continue to fall for this type of scam which has been around for the longest time. As a final note, the -rogue- application will continue to post to your Tumblr until you go into your user settings and remove the app... follow the instructions listed on the Tumblr account security page*. At that point, the spam posts can stop..."
* https://www.tumblr.c...ccount_security

1] http://blog.malwareb...o-tumblr-users/
___

Fake Credit Applicaiton – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 July 2014 - "Fw: Credit Application is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Please see credit application for West Star Environmental.
The job we have for them is for $ 46,214.00
Thank you,
From: Jimmy Robertson
Sent: Tue, 22 Jul 2014 11:57:13 +0100
Subject: Credit Applicaiton
Good Afternoon,
Here is our credit application. If you should require further information please feel free to contact me.
Jimmy Robertson
West Star Environmental, Inc.
4770 W. Jennifer
Fresno, CA 93722 ...


22 July 2014: SWF_CREDIT_APPLICATION.pdf.zip (10kb)  Extracts to SWF_CREDIT_APPLICATION.pdf.scr... Current Virus total detections: 5/53*
This Fw: Credit Applicaiton is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406038205/
___

Over 30 financial institutions defrauded by phone apps used to intercept passwords
- http://www.reuters.c...N0PX02T20140722
Jul 22, 2014 - "More than 30 financial institutions in six countries have been defrauded by sophisticated criminal software that convinces bank customers to install -rogue- smartphone programs... Though many of the elements of the malicious software, including the interception of one-time passwords sent to phones, have been used elsewhere, the latest criminal campaign is unusual in that it combines many different techniques and leaves few traces... Banks in Austria, Sweden, Switzerland and Japan have all been hit, with damages somewhere in the millions of dollars... The least sophisticated part of the gang's work so far appears to be in the delivery of the software, according to a report by Trend Micro researchers*. Emails that appear to be from major retailers come with attachments that, when opened, prompt the user to download a malicious attachment of an unusual type, called a control panel item. If users do not click again, they are safe. If they do, the software goes to work and hides itself out of view of most antivirus protection. When an infected user later tries to visit the website of one of the targeted banks, the software redirects them to a -fake- site, which asks for login details and then prompts the user to download a smartphone app. That app later intercepts the one-time passwords, giving the gang both that data as well as the login information, enough to clean out an account..."
* http://blog.trendmic...ation-emmental/
___

"Commingled" user data ...
- http://www.reuters.c...N0FR1XA20140722
July 22, 2014 - "A federal judge rejected Google Inc's bid to dismiss a privacy lawsuit claiming it commingled user data across different products and disclosed that data to advertisers without permission... Google must face breach of contract and fraud claims by users of Android-powered devices who had downloaded at least one Android application through Google Play. Other parts of the lawsuit were dismissed, including claims brought on behalf of account users who switched to non-Android devices from Android devices after Google had changed its privacy policy in 2012 to allow the 'commingling'... The lawsuit arose after Google on March 1, 2012 scrapped a variety of privacy policies for different products, and created a single, unified policy letting it -merge- user data generated through platforms such as Gmail, Google Maps and YouTube. Users complained that Google made this change -without- their consent and with no way to opt out, in a bid to better compete for ad revenue against Facebook Inc and other social media companies "where all of a consumer's personal information is available in one site." They said this jeopardized their privacy by exposing names, email addresses and geographic locations, increasing the threat of harassment or identity theft by third parties. Google reported $15.42 billion of revenue in the first quarter, of which 90 percent came from advertising. The case is In re: Google Inc Privacy Policy Litigation, U.S. District Court, Northern District of California, No. 12-01382."
___

Scams exploit MH17 Disaster
- http://www.hoax-slay...m17-scams.shtml
July 21, 2014 - "... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... If, after clicking such a link, you are told that, before you proceed, you must share the post, participate in a survey, install an app or browser extension, or download a video player update or other software, close the page immediately..."

- http://blog.trendmic...-of-mh17-crash/
July 18, 2014
___

Facebook SCAM - 'Mercedes Benz CLA 45' Giveaway
- http://www.hoax-slay...ming-scam.shtml
July 21, 2014 - "Facebook Page claims that users can win a 'Mercedes Benz CLA 45' just by liking the page, liking and sharing a promotional post... The Page is -bogus- and the competitions that it promotes are not legitimate. There are no winners and no cars are being given away. This is a like-farming scam designed to fraudulently increase the number of likes garnered by the Page. Facebook Pages with high like-numbers can later be used to perpetrate further scams to a large audience. Alternatively, the Pages may be sold on the black market to other scammers...
> http://www.hoax-slay...ming-scam-1.jpg
According to a 'Competitions' Facebook Page that is currently being promoted across the network, you could win one of 6 Mercedes Benz CLA 45's just by liking the Page, liking and sharing a Page post... The scammers may also use the bogus Pages to perpetrate advance fee scams... the like-heavy Pages can be sold via a lucrative black market to other scammers who will repurpose it to further their own goals..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 23 July 2014 - 06:54 AM.



#1238 AplusWebMaster


Posted 23 July 2014 - 08:20 AM

FYI...

Fake Facebook mails lead to Pharma Spam
- http://blog.malwareb...to-pharma-spam/
July 23, 2014 - "... it may look as though something has gone wrong with your Facebook account, but it’s just a ruse to convince you to -click- the provided link. The message reads:
    “[Name], your messages will be deleted soon responsibly
    You haven’t been to Facebook for a few days, and a lot happened while you were away.
    Your messages will be deleted soon.”


Clicking either the View Messages or Go to Facebook button will result in the clicker hitting a php page on a .com(dot)au URL, before being redirected to a Canadian Pharmacy page:
> http://cdn.blog.malw...07/fbpharma.jpg
... we do not recommend purchasing random pills from websites you’ve discovered via -fake- Facebook spam mails. No matter how urgent-sounding or laced with impending doom a mail sounds, always consider that the sender simply wants you to click through with as much speed and as little thought as possible..."
___

Fake BBB complaint email – malware
- http://myonlinesecur...plaint-malware/
23 July 2014 - "Better Business Bureau complaint is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This version is slightly different to the usual BBB complaints emails because there is -no- attachment and they want you to click the link to download the gameover -zeus- malware binary directly:
July 23, 2014
Case# 5942415: Joe Russell
Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
http ://newyork.app.bbb .org/complaint/view/5942415/b/194439957f   
< http ://castlestrategies .net/css/new_7g1.exe>
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as “Administratively Judged Resolved” and our records will be updated...


23 July 2014: new_7g1.exe  Current Virus total detections: 2/53*
... it appears to come from a friend or is more targeted..."
* https://www.virustot...sis/1406137574/

184.168.152.4: https://www.virustot....4/information/

- http://threattrack.t...eless-bill-spam
23 July 2014
___

Live SSH Brute Force Logs and New Kippo Client
- https://isc.sans.edu...l?storyid=18433
2014-07-23 - "... a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system... For data we are collecting so far, see:
- https://isc.sans.edu/ssh.html
... some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worthwhile brute forcing targets."
___

Fake "Redirected message" SPAM ...
- http://blog.dynamoo....redirected.html
23 July 2014 - "This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't.. it is a forgery with a malicious attachment.
    Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
    From:      Birminghammail [paul.fulford@ birminghammail .co.uk]
    Subject:      Redirected message
Dear [redacted]!
Please find attached the original letter received by our system.


I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)
Poor Mr Fulford thinks that his email has been hacked.. it hasn't...
> https://3.bp.blogspo...600/fulford.png
Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe... The Malwr report* shows that this part reaches out to the following IPs:
37.139.47.103
37.139.47.117

Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53**. The Malwr report is inconclusive.
I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites."
* https://malwr.com/an...mZjNTA0YzBiNzI/

** https://www.virustot...sis/1406127100/

- http://myonlinesecur...essage-malware/
23 July 2014
> https://www.virustot...sis/1406126658/
___

Fake invoice 4904541 July SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 July 2014 - "invoice 4904541 July is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very plain simple email that just says:
This email contains an invoice file attachment

23 July 2014: invoice_4904541.zip (46 kb): Extracts to invoice_32990192.exe
Current Virus total detections: 3/53* ...This invoice 4904541 July is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustot...sis/1406127329/
___

Some WSJ systems taken offline after cyber attack
- http://www.reuters.c...N0FS03N20140723
2014.07.23 - "Computer systems containing the Wall Street Journal's news graphics were -hacked- by outside parties, according to the paper's publisher Dow Jones & Co. The systems have been taken offline to prevent the spread of attacks, but Journal officials have not found any damage to the graphics, the newspaper said citing people at the Wall Street Journal familiar with the matter. A hacker who goes by the Twitter handle of 'w0rm' allegedly posted tweets and screenshots claiming to have hacked the Journal's website and offered to sell user information and credentials needed to control the server..."
- http://online.wsj.co...sion-1406074055
July 22, 2014
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 24 July 2014 - 07:18 AM.



#1239 AplusWebMaster


Posted 24 July 2014 - 08:08 AM

FYI...

Fake Remittance Advisory SPAM – malware
- http://myonlinesecur...-email-malware/
24 July 2014 - "Remittance Advisory Email is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email... This email doesn’t have an attachment but has a link in the body for you to click on & download the malware:
Thursday 24 July 2014
This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.
Please review the details of the payment here.  
<http ://dentairemalin .com/images/report934875438jdfg8i45jg_07242014.exe>
Lloyds Banking Group plc...


24 July 2014: report934875438jdfg8i45jg_07242014.exe
Current Virus total detections: 5/53* ..."
* https://www.virustot...sis/1406204716/

- http://centralops.ne...ainDossier.aspx
canonical name     dentairemalin.com.
addresses 217.16.10.2 ...

217.16.10.2: https://www.virustot....2/information/

- http://blog.dynamoo....ved-secure.html
24 July 2014

- http://threattrack.t...remittance-spam
July 24, 2014
Tagged: lloyds tsb, Dyreza
___

Fake VoiceMail SPAM
- http://blog.dynamoo....email-spam.html
24 July 2014 - "This tired old malware spam is doing the rounds again.
    From:      Voice Mail [voicemail_sender@local]
    Subject:      You have received a new VoiceMail
    Date:      Thu, 24 Jul 2014 17:31:25 +0700 [06:31:25 EDT]
    You have received a voice mail message.
    Message length is 00:03:27.


As you might expect, the attachment VoiceMail.zip does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53*. The CAMAS report** and Anubis report*** show the malware downloading an encrypted file from the following locations:
egozentrica .com/wp-content/uploads/2014/07/tor2800_2.7z
reneerlaw .com/wp-content/uploads/2014/07/tor2800_2.7z
Blocking those sites may give some protection against this malware."
* https://www.virustot...sis/1406214495/

** http://camas.comodo....81ab360a0b0806c

*** http://anubis.isecla...80b&format=html

50.115.19.181: https://www.virustot...81/information/

82.98.151.154: https://www.virustot...54/information/
___

CNN News Spam
- http://threattrack.t...aking-news-spam
July 24, 2014 - "Subjects Seen:
    CNN Breaking News - Malaysian Boing 777
Typical e-mail details:
    Ukraine recognizes that hit a Malaysian Boing 777
    Malaysia Airlines flight 17 shot down in Ukraine.
    FULL STORY


Malicious URLs:
    firstfiresystems .com/images/CNN_breaking_news_read_now.exe
Malicious File Name and MD5:
    CNN_breaking_news_read_now.exe (57D5055223344CF8814DCFC33E18D7E6)


Screenshot: https://gs1.wac.edge...rrEN1r6pupn.png

Tagged: CNN, Malaysian Airlines, Dyreza, MH17

208.69.121.22: https://www.virustot...22/information/
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 24 July 2014 - 11:43 AM.



#1240 AplusWebMaster


Posted 25 July 2014 - 06:11 AM

FYI...

Fake Tax Notice SPAM
- http://blog.dynamoo....-2014-spam.html
25 July 2014 - "This fake HMRC tax notice comes with a malicious attachment:
    Date:      Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
    From:      HMRC Revenue&Customs [Rosanne@ hmrc .gov.uk]
    Reply-To:      Legal Aid Agency [re-HN-WFCLL-OECGTZ@ hmrc .gov.uk]
    Dear [redacted] ,
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Document Reference: 34320-289...


Screenshot: https://4.bp.blogspo.../s1600/hmrc.png

Attached is a file P6_rep_34320-289.zip which unZips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53*. The CAMAS report** shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52***. The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here [1]. I would very strongly recommend -blocking- traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there)..."
* https://www.virustot...sis/1406281395/

** http://camas.comodo....eb92638ce475692

*** https://www.virustot...sis/1406281708/

1] http://blog.dynamoo....redirected.html
___

Fake Virgin Media SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 July 2014 - "Help & Advice – Virgin Media Business Virgin Media Automated Billing Reminder pretending to come from Virginmedia Business <services@ virginmediabusiness .co.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer...
> https://t2.gstatic.c...n Media Web.jpg
This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:
    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please fulfill attached form and send it back to our email adress...


25 July 2014: form_19927-267.zip (85 kb): Extracts to billing_form91_4352-2105.pdf.scr
Current Virus total detections: 5/53* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406293502/
___

Fake Tiffany SPAM...
- http://blog.dynamoo....-july-spam.html
25 July 2014 - "This fake Tiffany & Co email has a malicious attachment:
    Date:      Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
    From:      "J.Parker" [rcaukomti@ tiffany .co.uk]
    Subject:      invoice 0625859 July
    Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if there is any problem.
    Thanks
    J.parker
    Tiffany & Co.


Attached to the message is an archive invoice copy.zip which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51*. The CAMAS report** shows that the malware downloads components..."
* https://www.virustot...sis/1406295906/

** http://camas.comodo....8811ff0ea747d57
___

Fake "eFax message" SPAM
- http://blog.dynamoo....ssage-spam.html
25 July 2014 - "Another tired old spam template leading to malware:

Screenshot: https://3.bp.blogspo.../s1600/efax.png

In this case the link in the email goes to verzaoficial .com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45*. Automated analysis [pdf] is fairly inconclusive as to what it does."
* https://www.virustot...sis/1406297301/
Edited by AplusWebMaster, 25 July 2014 - 09:59 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1241 AplusWebMaster

Posted 26 July 2014 - 06:19 AM

FYI...

Something evil on 198.27.110.192/26 ...
- http://blog.dynamoo....ng-evil-on.html
26 July 2014 - "... seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.
    Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
    From:      OLINMETALS TRADING CO
    Subject:      PLEASE SEND PI
    Greetings,
    Regarding our previous conversation about our urgent purchase, kindly
    find attached PI and let us know if the quantity can fit in 40ft
    container.
    kindly revise the Proforma invoice so that we can proceed with an
    advance payment as agreed.
    We look forward to your urgent response with revised proforma invoice.
    Thks & Rgds,
    OLINMETALS TRADING CO., LTD ...


... the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53*... malware phones home to walex2.ddob .us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US). Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs... I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too)...
Recommended blocklist:
198.27.110.192/26
xiga .us
ddob .us
"
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1406366678/

Diagnostic page for AS16276 (OVH)
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 3231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-26, and the last time suspicious content was found was on 2014-07-26... Over the past 90 days, we found 483 site(s) on this network... that appeared to function as intermediaries for the infection of 1070 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 930 site(s)... that infected 219349 other site(s)."
___

Fake Order Notification SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 July 2014 - "Notification of order is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...  using an old trick to attempt to disguise the file name & fool you into thinking it is a genuine PDF by inserting loads of spaces between the pdf & the .exe:
    Dear Customer
    We have received your order and it’ll be processed for 2 business days.
    Your credit card will be charged for 803 USD.
    You can find specification of the invoice and delivery details: http ://link.vpn .by/?id=157562
    Yours truly,
    Absalon Holmes
    FG Charter Travel Company


Today's Date: bill.2563034.zip (53 kb): Extracts to bill.2563034.PDF____________.exe
Current Virus total detections: 1/53* . This Notification of order is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustot...sis/1406396500/

178.124.137.170: https://www.virustot...70/information/
Edited by AplusWebMaster, 26 July 2014 - 06:26 PM.



#1242 AplusWebMaster

Posted 28 July 2014 - 12:48 PM

FYI...

Something evil on 88.198.252.168/29 - Ransomware
- http://blog.dynamoo....9825216829.html
28 July 2014 - "88.198.252.168/29 (Hetzner, Germany) is infected with a whole bunch of ransomware landing pages, like this:
Screenshot: https://4.bp.blogspo...1600/locker.png

In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting -ransomware- landing pages exclusively. The domains in use are a combination of crappy .in domains registered to a series of -fake- addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domains is that they all use afraid .org as nameservers. This hijacking at afraid .org is because these particular domain users are using the free afraid .org service which allows anyone to create a subdomain of your domain and point it where they like (explained in this FAQ*). The bad news is that this sort of -hijacking- is a quick way to ruin your domain's reputation... Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.
Recommended blocklist:
88.198.252.168/29
..."
(Complete list @ the dynamoo URL above.)
* https://freedns.afraid.org/faq/#14

Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.c...c?site=AS:24940
"... Of the 327849 site(s) we tested on this network over the past 90 days, 2634 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-28, and the last time suspicious content was found was on 2014-07-28... Over the past 90 days, we found 328 site(s) on this network... that appeared to function as intermediaries for the infection of 2189 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 377 site(s)... that infected 4506 other site(s)..."
___

Fake Delivery fail SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 July 2014 - "Delivery failure , July 28, 2014 BN_3647007 pretending to come from UKmail Express is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
> http://printhut.co.u...k_mail_logo.jpg
   An urgent service package has come to the local post office. Delivery was rescheduled because our courier was not able to deliver the package [RECEIVER NOT PRESENT].
    You can find more information including contact details regarding your package in the attached file.
    Privacy Policy and
      Copyright © 2014 UKMail Group plc


28 July 2014: BN_2118176.zip (83 kb) : Extracts to report_form2_28-07-2014.pdf.scr
Current Virus total detections: 2/54* . This Delivery failure , July 28, 2014 BN_3647007 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406549984/
___

Fake skipped invoice SPAM – word doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2014 - "skipped invoice is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
     HI Richie,
    Attached is invoice #2223 651.45 from May missed in check received.
    I am out of the office tomorrow and Monday so I’m emailing & begging for payment to make month end.
    Thanks & have a great weekend!
    Katherine Sargent / Credit Manager
    Pacemaker Steel and Piping Co., Inc. ... 


28 July 2014: invoice_28.07.zip (11 kb): Extracts to invoice_28.07.doc.exe
Current Virus total detections: 5/54*. This skipped invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper word.doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406569801/

178.63.240.112: https://www.virustot...12/information/
___

Fake Amazon order SPAM
- http://blog.dynamoo....order-spam.html
28 July 2014 - "This fake Amazon spam comes with a malicious attachment:
Screenshot: https://2.bp.blogspo...1600/amazon.png

Attached is a file Order-239-1744919-1697181.zip which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54*. The Comodo CAMAS analysis** shows that the malware reaches out to a familiar set of URLs*** to download further components... recommend blocking the following domains:
"
* https://www.virustot...sis/1406572004/

** http://camas.comodo....8753809cbbc5ac2

*** http://blog.dynamoo....-july-spam.html
Edited by AplusWebMaster, 28 July 2014 - 03:37 PM.



#1243 AplusWebMaster

Posted Yesterday, 09:59 AM

FYI...

Something evil on 31.210.96.155, ...156, ...157 and ...158 (31.210.96.152/29)
- http://blog.dynamoo....3121096156.html
29 July 2014 - "I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using -hijacked- GoDaddy domains, and are targeting victim websites by altering their .htaccess files** to intercept traffic coming from search engines such as Google. These IP addresses have been used for malware for some time*...VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29 which I would very strongly recommend blocking that range... these appear to be subdomains of -hijacked- GoDaddy domains... I would recommend permablocking the following IP range and temporarily blocking the following domains:
31.210.96.152/29 ..."
(Long list at the dynamoo URL above.)
* http://c-apt-ure.blo...ears-later.html

** http://www.symantec....ess-redirection

1] 31.210.96.155: https://www.virustot...55/information/
2] 31.210.96.156: https://www.virustot...56/information/
3] 31.210.96.157: https://www.virustot...57/information/
4] 31.210.96.158: https://www.virustot...58/information/
Edited by AplusWebMaster, Yesterday, 11:51 AM.

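The .htaccess tampering the 29 July post describes (redirecting only visitors who arrive from search engines) leaves a recognisable RewriteCond/RewriteRule shape that a site owner can scan for. The Python below is an added example, not code from the post or from the linked articles; the sample .htaccess and its redirect host are constructed placeholders, and the rule shape it matches is an assumption about the common form of such injections.

```python
import re

# Search-engine names commonly tested against HTTP_REFERER in injected rules (assumed list).
SEARCH_ENGINES = ("google", "bing", "yahoo", "yandex", "aol", "ask.")

# Constructed sample: one legitimate rule followed by an injected referer-conditional redirect.
# The target host is a placeholder, not a real indicator.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo)\\..*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex\\..*$ [NC]
RewriteRule ^(.*)$ http://redirect-host.invalid/go.php?q=$1 [R=302,L]
"""


def find_referer_redirects(htaccess: str) -> list[dict]:
    """Return RewriteRules that send search-engine-referred visitors to an external URL.

    Apache applies the RewriteCond lines immediately preceding a RewriteRule; any other
    directive breaks that chain, so conditions are collected until the next rule.
    """
    findings = []
    pending = []                     # (line number, tokens) of RewriteCond lines seen so far
    for lineno, raw in enumerate(htaccess.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond":
            pending.append((lineno, tokens))
        elif directive == "rewriterule":
            target = tokens[2] if len(tokens) >= 3 else ""
            engine_conds = [
                " ".join(t) for _, t in pending
                if len(t) >= 3 and t[1].upper() == "%{HTTP_REFERER}"
                and not t[2].startswith("!")                 # negated conds are hotlink-protection style
                and any(e in t[2].lower() for e in SEARCH_ENGINES)
            ]
            if engine_conds and re.match(r"https?://", target, re.IGNORECASE):
                findings.append({"line": lineno, "target": target, "conditions": engine_conds})
            pending = []
        else:
            pending = []
    return findings


if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE_HTACCESS):
        print(f"line {f['line']}: redirects search-engine visitors to {f['target']}")
        for c in f["conditions"]:
            print("   ", c)
```

Run it against every .htaccess under the web root (including ones in upload and theme directories) and compare the results with a known-good copy from version control.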


#1244 AplusWebMaster

Posted Today, 04:35 AM

FYI...

Fake 'documents ready for download' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2014 - "Your documents are ready for download is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Your documents 6419165973846 are ready , please sign them and email them back.
Thank you
John Garret
Level III Account Management
817-768-8742 office
817-874-8795 cell
johngarret@ natwest .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law. We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive...


30 July 2014: Documents_3922929617733.rar (10 kb) : Extracts to Documents.scr
Current Virus total detections: 2/53* . This Your documents are ready for download is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406710734/
___

Fake "Amazon order" SPAM
- http://blog.dynamoo....er-spam_30.html
30 July 2014 - "Another -fake- Amazon spam with a malicious payload:

Screenshot: https://4.bp.blogspo...600/amazon4.png

There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53*. The Comodo CAMAS report** shows that it downloads a further component...
This second executable has a VT detection rate of 5/54***..."
(Long recommended blocklist at the dynamoo URL above.)
* https://www.virustot...sis/1406729013/

** http://camas.comodo....d35633ec2b7f226

*** https://www.virustot...sis/1406729311/
___

Fake Order status 30.07.2014.xls – XLS malware
- http://myonlinesecur...ke-xls-malware/
30 July 2014 - "Order status -540130 30.07.2014.xls is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... An email received coming from a -random- name with -no- company details and a totally blank body and a subject of Order status -540130 30.07.2014.xls (different order numbers) with a zip attachment
30 July 2014: 540130-30.07.2014.zip (47 kb): Extracts to order-8301138-30.07.2014.xls.exe
Current Virus total detections: 9/54*. This Order status -540130 30.07.2014.xls is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Excel spreadsheet file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406736903/
Edited by AplusWebMaster, Today, 12:12 PM.

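The disguised-extension trick in the 26 July "Notification of order" post (padding inserted between .PDF and .exe) and the .pdf.scr, .doc.exe and .xls.exe attachment names in the 25, 28 and 30 July posts can be checked mechanically before a ZIP attachment reaches a user. The following Python is an added example, not code from the posts or the blogs they quote; the archive it scans is constructed inline with harmless placeholder contents, and EXEC_EXTS and DOC_EXTS are assumed lists.

```python
import io
import re
import zipfile

# Extensions Windows will execute, and document extensions the lures imitate (assumed lists).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}

_FINAL_EXT = re.compile(r"^(?P<stem>.*?)\.(?P<ext>[a-z0-9]{1,4})$")
_PADDING = re.compile(r"[\s_]+$")


def classify(member_name: str) -> list[str]:
    """Reasons an archive member name looks like a disguised executable ([] if none)."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop folder component
    m = _FINAL_EXT.match(base.lower().rstrip())
    if not m:
        return []
    ext = "." + m.group("ext")
    if ext not in EXEC_EXTS:
        return []
    findings = [f"executable extension {ext}"]
    stem = m.group("stem")
    unpadded = _PADDING.sub("", stem)            # strip spaces/underscores used as padding
    if unpadded != stem:
        findings.append("padding before final extension")
    prior = _FINAL_EXT.match(unpadded)           # a document extension hiding before the real one
    if prior and "." + prior.group("ext") in DOC_EXTS:
        findings.append(f"document extension .{prior.group('ext')} hidden before {ext}")
    return findings


def displayed_name(member_name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on: final extension removed."""
    s = member_name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    m = _FINAL_EXT.match(s.lower())
    return s[: m.start("ext") - 1] if m else s


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a ZIP attachment to its findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: f for n in zf.namelist() if (f := classify(n))}


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the attachment names in the posts; contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bill.2563034.PDF____________.exe", "placeholder, not a program")
        zf.writestr("P6_rep(9432)_84632_732.doc/P6_rep(9432)_84632_732.doc.scr", "placeholder")
        zf.writestr("Order details/README.txt", "harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(f"{name!r} (shown as {displayed_name(name)!r}): {', '.join(findings)}")
```

Because the check only reads member names from the ZIP directory, it runs without extracting anything and can sit in a mail filter ahead of any antivirus scan.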