Jump to content


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
1268 replies to this topic

#1251 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 07 August 2014 - 06:44 AM

FYI...

Fake CDS invoice SPAM
- http://blog.dynamoo....voice-spam.html
7 Aug 2014 - "This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted... CDS have a notice about these emails on their site*. This is a sample email:

Screenshot: https://3.bp.blogspo...0/s1600/cds.png

Attached is a archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr which has a very low detection rate at VirusTotal of 3/54**. Automated analysis tools are inconclusive at the moment..."
* http://www.cdsgroup....yber-crime.html

** https://www.virustot...sis/1407408295/

- http://threattrack.t...ds-invoice-spam
Aug 7 2014
- https://gs1.wac.edge...05XI1r6pupn.png
Tagged: cds, Lerspeng
___

Vawtrak sites to block
- http://blog.dynamoo....s-to-block.html
7 Aug 2014 - "I found these domains and IPs today while investigating a machine apparently infected with Vawtrak* (aka Tepfer), most of them seem to be active:
http ://80.243.184.239 /posting.php
http ://80.243.184.239 /viewforum.php
http ://146.185.233.97 /posting.php
http ://146.185.233.97 /viewforum.php
http ://ipubling .com/posting.php
http ://ipubling .com/viewforum.php
http ://magroxis .com/posting.php
http ://magroxis .com/viewforum.php
http ://maxigolon .com/viewforum.php
http ://terekilpane .com/viewforum.php
Some of these domains are associated with the email address ctouma2@ gmail .com. You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27

The 146.185.233.0/24 range is allocted to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK."
* http://about-threats...KDR_VAWTRAK.YZY
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 07 August 2014 - 09:53 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1252 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 08 August 2014 - 05:51 AM

FYI...

Fake RBS SPAM
- http://blog.dynamoo....93549-spam.html
8 Aug 2014 - "This fake RBS spam has a malicious attachment:
    Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
    From:      Annie Wallace[Annie.Wallace@ rbs .co.uk]
    Subject:      RE: Incident IM03393549
    Good Afternoon ,
    Attached are more details regarding your account incident. Please extract the attached
    content and check the details.
    Please be advised we have raised this as a high priority incident and will endeavour to
    resolve it as soon as possible. The incident reference for this is IM03393549.
    We would let you know once this issue has been resolved, but with any further questions
    or issues, please let me know.
    Kind Regards, ...


The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42*. The CAMAS report** shows that the malware connects to the following locations to download additional components:
94.23.247.202 /n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202 /n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia .com/Scripts/n0808uk.zip
energysavingproductsinfo .com/wp-content/uploads/2014/08/n0808uk.zip
The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.
Recommended blocklist:
94.23.247.202
quesoslaespecialdechia .com
energysavingproductsinfo .com
"
* https://www.virustot...sis/1407490764/

** http://camas.comodo....4663b54ab14b0a3
___

Fake Resume SPAM - malicious attachment
- http://blog.dynamoo....attachment.html
8 Aug 2014 - "This terse spam is malicious:
    Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
    From:      Janette Sheehan [Janette.Sheehan@linkedin.com]
    Subject:      FW: Resume
    Attached is my resume, let me know if its ok.
    Thanks,
    Janette Sheehan


Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54*. The CAMAS report** shows that the malware attempts to phone home to the following locations:
94.23.247.202 /0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0708stat/SANDBOXA/1/0/0/
hngdecor .com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind .com/underconst/css/cw2800.zip
Recommended blocklist:
94.23.247.202
hngdecor .com
welfareofmankind .com
"
* https://www.virustot...sis/1407493005/

** http://camas.comodo....58b27ebf5a55d5b

94.23.247.202: https://www.virustot...02/information/
___

Fake HMRC tax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 Aug 2014 - "HMRC taxes application with reference 4DEW NASM CBCG RC6 received pretending to come from noreply@ taxreg .hmrc .gov .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    The application with reference number 4DEW NASM CBCG RC6 submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


7 August 2014: 4DEW NASM CBCG RC6.zip (8kb) Extracts to 4DEW NASM CBCG RC6.scr
Current Virus total detections: 0/54* . This HMRC taxes application with reference 4DEW NASM CBCG RC6 received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407447014/
___

AmericanExpress - PHISH
- http://blog.dynamoo....rn-on-your.html
8 Aug 2014 - "This -fake- AmEx spam appears to lead to a phishing site on multiple URLs:

Screenshot: https://3.bp.blogspo.../amex-phish.png

In this case the link goes to a phishing site... but there seem to be a bunch of them at the moment... IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)
I recommend blocking these IPs (
91.219.29.35
188.240.32.75
"

91.219.29.35: https://www.virustot...35/information/

188.240.32.75: https://www.virustot...75/information/

- http://myonlinesecur...e-key-phishing/
8 Aug 2014
___

Fake e-on energy SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Aug 2014 - "e-on energy Unable to process your most recent bill payment pretending to come from E ON Energy <noreply@ eonenergy .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.


8 August 2014: e-ON-Energy-Bill.zip (15kb) : Extracts to e-ON-Energy-Bill.exe
Current Virus total detections: 7/54* . This e-on energy Unable to process your most recent bill payment is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407509103/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 08 August 2014 - 11:06 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1253 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 11 August 2014 - 01:00 PM

FYI...

Fake BoA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Aug 2014 - "Bank of America Alert: A Check Exceeded Your Requested Alert Limit pretending to come from Bank of America Alert <onlinebanking@ ealerts.bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Amount:     $32,095.35
Check number:     00000006756
Transaction date:     08/11/2014
You can sign in to Online or Mobile Banking to review this activity...
Security Checkpoint
To confirm the authenticity of messages from us, always look for this Security Checkpoint.
Remember: Always look for your SiteKey® before entering your Passcode. We’ll ask you for your Online ID and Passcode when you sign in.
This is a service email from Bank of America. Please note that you may receive service emails in accordance with your Bank of America service agreements..


11 August 2014: report081114_6897454147412.zip(10kb) : Extracts to report081114_6897454147412.exe
Current Virus total detections: 2/54* ... This Bank of America Alert: A Check Exceeded Your Requested Alert Limit is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407773230/
___

Citi Corp Spam
- http://threattrack.t...n-approved-spam
Aug 11, 2014 - "Subjects Seen:
    RE: Application Approved
Typical e-mail details:
    Your documents are ready , please sign them and email them back.
    Thank you
    Henri Foley
    Level III Account Management


Malicious File Name and MD5:
    application _apprd_93447836734346.exe  (CAD7B09903F7646EC37E4014DD6E70E4)
    application _apprd_93447836734346.zip (0B4A28D6737B9E27E7BF5B98DBBE6B84)


Screenshot: https://gs1.wac.edge...GBaE1r6pupn.png

Tagged: Citi, Upatre
___

Public Wi-Fi is safe?? ...
- http://nakedsecurity...safe-seriously/
11 Aug 2014 - "... most people still don't understand the potential dangers of public and/or free Wi-Fi, despite doom and gloom headlines about the dangers, which include these:
- A US trio who attacked companies by wardriving - i.e., driving around, scanning for poorly protected wireless networks. Between that and breaking in to install keyloggers, they bilked companies of a total of $3 million (£1.8 million).
- An unsecured Wi-Fi home connection that led to a heavily-armed police SWAT team raiding the wrong home, including breaking down the door of a house, smashing windows and tossing a flashbang stun grenade into a living room.
- Facebook accounts of five US politicians being hijacked after they accessed a free, open, wireless Wi-Fi network.
And those are just a tiny selection of the cherries on that bountiful Wi-Fi tree. Of course, there is also the problem of protecting privacy on public Wi-Fi. In just the past year, we learned that businesses are using Wi-Fi to build shopper profiles on us, and in-flight WiFi providers have been helping feds spy on us..."
(More detail at the sophos URL above.)
Sophos - wireless security myths Video 4:26:
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 11 August 2014 - 01:33 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1254 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 12 August 2014 - 04:48 AM

FYI...

Fake Netflix email / Phish
- http://myonlinesecur...f-837-phishing/
12 Aug 2014 - "Your Netflix Account Requires Validation [NVF-837] is an attempt to get access to your Netflix Account... The phishing website in this example is so closely named to the genuine Netflix site, that almost anybody could be fooled by it http ://netflix-validate .com
Email looks like:
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your accountFailure to complete the validation process will result in a suspension of your netflix membership.We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team ...


Following the link in this 'Your Netflix Account Requires Validation' email or other spoofed emails  takes you to a website that looks exactly like the real Netflix site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details. Not only  will this information enable them to use your Netflix account, but also your Bank Account, credit card details, Email details, webspace..."

192.99.188.111: https://www.virustot...11/information/

Diagnostic page for AS16276 (OVH)
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 2638 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-08-11, and the last time suspicious content was found was on 2014-08-11... we found 373 site(s) on this network.. that appeared to function as intermediaries for the infection of 821 other site(s)... We found 745 site(s)... that infected 65282 other site(s)..."
___

Fake Order SPAM
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2014 - "Order take 8753884 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email with subject of Order take < random numbers> arrives with just a subject and no email content except an attachment. It appears to come from various random names at various random companies.

12 August 2014: order 1530875.zip (37 kb) : Extracts to   Order-8991617.exe
Current Virus total detections: 1/54* . This Order take 8753884 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407832220/
___

Fake new picture or video SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2014 - "A new picture or video message  pretending to come from getmyphoto@ vodafone .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one wants you to download the -malware- via a tiny URL link in the email, there is no actual attachment. Email looks like:
You have received a picture message from mobile phone number +447584905118
GET MY FOTO
Please note, the free reply expires three days after the original message is sent from the Vodafone network.
Vodafone Service


12 August 2014: f679RqP75G.exe - Current Virus total detections: 0/53*
This 'A new picture or video message' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407835450/
___

Fake IRS phish...
- http://myonlinesecur...et-refund-card/
12 Aug 2014 - "IRS Get Refund On Your Card pretending to come from IRS <refund@ irs .gov> is one of the phishing attempts to get your bank and credit card information. Email looks like:
We are writing to you because your federal Tax payment (ID: 66116572), recently sent is available for refund.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
For more information, please visit the following link
– https ://sa.www4.irs .gov/irfof/lang/en/irfofgetstatus.jsp?reenter=true
Your prompt response regarding this matter is appreciated.
Sincerely,
IRS Refund Team


Following the link in this 'IRS Get Refund On Your Card' email or -other- spoofed emails takes you  to a website that looks exactly like the real IRS site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 12 August 2014 - 10:41 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1255 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 13 August 2014 - 04:14 AM

FYI...

Fake Google drive SPAM - PDF malware
- http://myonlinesecur...019-73-malware/
13 Aug 2014 - "Grady Murphy shared Google Drive:3623019-73 to submit@ < your email address>.pretending to come from Grady Murphy < random name that matches the name inside the email> , Apps Team is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are several different versions of this  email leading to different infection sites and links, The names of the alleged Google Drive owner who wants to share with you changes with each email. There is no attachment with this one and they want you to follow the link and download the file to infect you.
Some of the sites are
http ://energydep .net:8080/Gdrive/GDrive025384.exe
http ://bilingdepp .net:8080/Gdrive/GDrive917302.exe
Email looks like:
Accept Grady Murphy Google Drive ID:3623019-73 request clicking on the link below:
    Confirm request
    Unfortunately, this email is an automated notification, which is unable to receive replies. We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via google .com/support/


13 August 2014: GDrive925483.exe (40kb) Current Virus total detections: 6/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407913490/

178.238.236.109: https://www.virustot...09/information/
___

Fake PurelyGadgets SPAM - Word doc malware
- http://myonlinesecur...alware-malware/
13 Aug 2013 - "Order id 769019 | PurelyGadgets .com  pretending to come from a sender named inform at a random email address is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email arrives written in German language and has a zip attachment that when unzipped drops what appears to be a genuine Word Doc. BUT the Doc contains a macro that will infect you, if you use an out of date or older version of word. On previewing it, or opening it  in Word 2013 ( which has macros disabled by default ) it tries to tell you to enable macros so that you can read the document. Do -not- ever -enable- macros for any Microsoft office file received by email unless you are 100% sure that you know the sender and are expecting the file... If you still use an older version of Microsoft Word, then you are at risk of being infected by this... Office 2010 and Office 2013 have macros -disabled- by default...

13 August 2014: Bestellen.zip (100 kb) : Extracts to Bestellen.Doc
Current Virus total detections: 10/54* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...sis/1407936811/
___

UK Land Registry Spam
- http://threattrack.t...d-registry-spam
Aug 13, 2014 - "Subjects Seen:
    Notification of direct debit of fees
Typical e-mail details:
    Notification Number: 4682787
    Mandate Number: LND4682787
    ###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
    This is notification that Land Registry will debit 1527.00 GBP from your nominated account on or as soon as possible before 18/08/2014.
    Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
    You can access these by opening attached report.
    If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
    Thank you,
    Land Registry


Malicious File Name and MD5:
    LND_Report_13082014.exe (4E3480ADAF846BE2073246C9879290D2)
    LND_Report_4682787.zip (EAD6A8A2A9613175112E6C75D247B0BC)


Screenshot: https://gs1.wac.edge...Ihd01r6pupn.png

Tagged: UK Land Registry, Upatre
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 13 August 2014 - 03:09 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1256 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 14 August 2014 - 05:50 AM

FYI...

Fake Citicorp SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .uk .com


14 August 2014  Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54* . This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408010403/
___

Fake Charity Trends SPAM ...
- http://blog.mxlab.eu...9156230_08-xls/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is send from the spoofed address  and has the following body:

    Dear *******@*******.co.uk,
    Please find attached invoice #9156230_08 from 13/08/2014.
    Thanks!
    Reyes Mcdaniel .
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx


The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1408011038/

- http://blog.mxlab.eu...ontains-trojan/
Aug 14, 2014 - "... intercept a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is send from the spoofed address and has the following body:

    Charity Trends®
    Dear *******@*******.com,
    Thank you for your generous donation of 2623 GBP, which we received today.
    Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
    You will find all information about your donation in zip archive.You are making a difference!
    Thanks again for your kindness,
    Elsa Nash ...


The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Indside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen  or Mal/Generic-S... 4/54 VirusTotal*..."
* https://www.virustot...sis/1408011666/
___

Fake Citibank SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2014 - "'Citibank RE: Account documents' have been uploaded pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like"
    citibank .com
    RE: Account Documents
    To: <REDACTED>
    Case: C4055427
    Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...


14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54* . This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408029154/
___

ZeroLocker
- http://www.webroot.c...14/zero-locker/
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older crpytolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional​ red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
> https://www.webroot....08/blograrw.bmp
This newest edition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI untill all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
___

Suspicious login message Faked, distributes Backdoor
- http://blog.trendmic...butes-backdoor/
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
> http://blog.trendmic...4/08/login3.png
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
> http://blog.trendmic...4/08/login2.png
...  while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised-  website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
___

Beware of Risky Ads on Tumblr
- https://blog.malware...-ads-on-tumblr/
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.

dailynewsz[dot]tumblr[dot]com

We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
> https://blog.malware...ynewsz-post.png
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
* https://safebrowsing...site=yllix.com/

** http://labs.sucuri.n...klist=yllix.com

*** https://www.mywot.co...ecard/yllix.com
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 14 August 2014 - 04:50 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1257 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 15 August 2014 - 09:03 AM

FYI...

Fake Barclays SPAM - Trojan.Ransom.ED
- http://blog.mxlab.eu...ojan-ransom-ed/
Aug 15, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your transaction is completed”. This email is send from the spoofed address “Barclays.NET” <support@ barclays .net>” and has the following body:
    Transaction is completed. 8678 GBP has been successfully transfered.
    If the transaction was made by mistake please contact our customer service.
    Payment receipt is attached.
    *** This is an automatically generated email, please do not reply ***
    Barclays.Net 2013 Corporation. All rights reserved.


The attached ZIP file has the name Payment receipt 1534465.zip and contains the 70 kB large file Payment receipt 8821991.exe (note: file name may vary with each email). The trojan is known as Trojan.Ransom.ED or Mal/Generic-S. At the time of writing, 2 of the 54 engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1408097500/
___

Fake VOIP SPAM - Word macro script
- http://blog.mxlab.eu...d-macro-script/
Aug 15, 2014 - "... intercepted a campaign by email with the subject “Your Order No 355253536 | Mob Inc.” which includes a malicious Word document that allows the installation of a trojan downloader using the macro functionality from Word. This email is send from the spoofed addresses and has the following body:
    Thank you for ordering from VOIP Inc.
    This message is to inform you that your order has been received and is currently being processed.
    Your order reference is 488910845598.
    You will need this in all correspondence.
    This receipt is NOT proof of purchase.
    We will send a printed invoice by mail to your billing address.
    You have chosen to pay by credit card. Your card will be charged for the amount
    of 805.74 USD and “VOIP Inc.”
    will appear next to the charge on your statement.
    Your purchase information appears below in the file.


The attached ZIP file has the name Order.zip and contains the 41 kB large file Order.Doc. The Order.Doc is a genuine Word document but the file contains a malicious macro feature. Once opening the Word document, instructions are given on how to enable the content and activate the -malicious- macro script... The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper. At the time of writing, 8 of the 53 AV engines did detect the trojan downloader at Virus Total*..."
* https://www.virustot...sis/1408099896/
 

:ph34r: :ph34r:  :grrr:


This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1258 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 19 August 2014 - 12:01 PM

FYI...

Fake Companies House Spam
- http://threattrack.t...ual-return-spam
Aug 19, 2014 - "Subjects Seen:
    (AR01) Annual Return received
Typical e-mail details:
    Thank you for completing a submission Reference # (9586474).
        (AR01) Annual Return
    Your unique submission number is 9586474
    Please quote this number in any communications with Companies House.
    Check attachment to confirm acceptance or rejection of this filing.


Malicious File Name and MD5:
    AR01_021434.scr (3324B40B5D213BEC291F9F86F0D80F64)
    AR01_021434.zip (7D65D78B6E35843B6FF3C4C46BAAC37A)


Screenshot: https://gs1.wac.edge...ZubX1r6pupn.png

Tagged: Companies House, Upatre
___

JPMorgan Chase Secure Message Spam
- http://threattrack.t...re-message-spam
Aug 19, 2014 - "Subjects Seen:
    Daily Report - August 19, 2014
Typical e-mail details:
   This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.


Malicious URLs:
    192.241.124.71 /securemail/jpmchase.com/formpostdir/Java/Java_update.exe

Malicious File Name and MD5:
    message_zdm.html (550CB01F07DB2363437C8627697C6B1F)
    Java_update.exe (38d75db0a575891506b1ff0484a03cd0)


Screenshot: https://gs1.wac.edge...JVOT1r6pupn.png

192.241.124.71: https://www.virustot...71/information/

Tagged: JPMorgan, Chase, Dyreza
___

- http://myonlinesecur...9-2014-malware/
Aug 19 2014 - "'JPMorgan Chase & Co Daily Report – August 19, 2014' pretending to come from various names at @ jpmorgan .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... email looks like:

Screenshot: http://myonlinesecur...ust-19-2014.png

... the html attachment that comes with the email l0oks like the below and clicking the link hidden behind the Click to read message button leads to a fake Java_update.exe
> http://myonlinesecur...t-19-2014_2.png
Todays Date: Java_update.exe .. Current Virus total detections: 5/53*  
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...12a96/analysis/
___

Fake Evernote extension serves Ads
- https://blog.malware...advertisements/
Aug 19, 2014 - "... a Multiplug PUP that installs a -fake- Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here*...
> https://blog.malware...8/cert_info.png
When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.
> https://blog.malware...e_ext_files.png
... The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.
> https://blog.malware...08/evernote.png
Clicking “Visit website” directs the user to the chrome webstore page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen.
> https://blog.malware...hrome_store.png
On the surface, it may seem like the pop ups and advertisements are coming from the websites themselves, but are in fact from the fake Evernote web extension.
Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything -else- added while you had the extension."
https://www.virustot...3fbf4/analysis/
___

Fake Scotiabank SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Aug 2014 - "Scotiabank New Instructions for International and local transfers pretending to come from Mallerlyn Bido <mallerlyn.bido@ scotiabank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear Clients
    Hereby we inform you that starting next Tuesday, August 19 all instructions of local and international transfers that are sent to our institution must be completed by a transfer form specifically allocated for the purpose, which will be replacing the letter instruction tend to complete.
    This new document has been implemented to meet international requirements and simultaneously control to make their operations safer.
    We take this opportunity to inform you that the operations of International Transfers can be made &#8203;&#8203;via our internet platform banking the need to complete these types of forms.
    Annex find the forms that apply to transfers in USD and EUR as well as the form used for ACH transfers manuals with some notes to use as a guide to complete. These templates can be saved for you with your details for future use.(See attached file: Outgoing Global.doc Form) (See attached file: Outgoing JPM.doc Form) (See attached file: Form ACH..doc) ...
Best regards,
Mallerlyn Bido | Gerente Soporte al Cliente | BSC ...


18 August 2014: New Instructions for International and Local transfers.zip ( 8kb) :
Extracts to New Instructions for International and Local transfers.exe
Current Virus total detections: 3/52* . This Scotiabank New Instructions for International and local transfers is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408393889/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 19 August 2014 - 06:49 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1259 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 20 August 2014 - 05:58 AM

FYI...

Cryptolocker flogged on YouTube
- http://www.theregist...ged_on_youtube/
20 Aug 2014 - "Cryptolocker is being flogged over YouTube by vxers who have bought advertising space... researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on -unpatched- web users. The duo who will present at the upcoming Virus Bulletin 2014 conference in Seattle wrote in a paper advertisement networks was a viable way to flog virus and trojans. "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits," they said. Purchased ad space was a cheap and effective means of foisting browser malware allowing attackers to filter victims by language, location, and interests, VB reported. Malware contained in ads could be obfuscated and then unleashed once conditions like operating systems, browser versions and other elements were met.
> http://regmedia.co.u...19/tghfgh55.png
CryptoLocker surfaced in September distributed through Gameover ZeuS. It encrypted important files such as images and documents on compromised Windows machines before demanding that victim pay up to $500 in BitCoins within 72 hours for the private keys necessary to unlock files. CryptoLocker used AES symmetric cryptography to encrypt the files and encrypted the AES key with an RSA-2048 bit public key generated on its server side. It came as -malvertisers- were caught flinging malware over Yahoo! ad networks*...
> http://regmedia.co.u.../fghji87y6t.png
... Many excess ad spaces were flogged through affiliates which may accept advertisements without checking the authenticity of the buyer nor the code to be run. Even those that do could end up foisting malware if they failed to detect an attackers' code alterations made after the purchase in order to quietly slip in the malware. The research pair said there was very little advertising networks could do to prevent the attacks."
* http://www.theregist...hoo_ad_network/

> https://www.virusbtn...otovNavaraj.xml
___

Fake Order SPAM – PDF malware
- http://myonlinesecur...er-pdf-malware/
20 Aug 2014 - "'Order – PDF' which comes as an email with a subject of order-6539-8.20.2014.pdf ( where the number is random & the date changes daily is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails have no body content and just a subject of order-6539-8.20.2014.pdf ( the number is random ) They appear to come from a load of common first names with weird characters form the second part of the alleged senders... previous post about this type of attack:
- http://myonlinesecur...chments-emails/
Today’s version although it pretends to be a PDF file is actually a zip file that probably either use some unknown exploit to extract it or the bad actors sending today’s malware have misconfigured the botnet sending it and it won’t automatically extract at all so users will be safe...
20 August 2014: order-6539-8.20.2014.pdf (84 kb) Extracts to order 8.20.2014.exe
Current Virus total detections for pdf is : 2/50* . Current Virus total detections for the extracted .exe : 2/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408523288/

** https://www.virustot...sis/1408523722/
___

'Reveton' ransomware adds powerful password stealer
- https://www.computer...assword_stealer
Aug 20, 2014 - ""A type of malware called Reveton, which -falsely- warns users they've broken the law and demands payment of a fine, has been -upgraded- with powerful password stealing functions, according to Avast*. Reveton is in a class of nasty programs known as "ransomware," which includes the notorious Cryptolocker program that encrypts a computer's files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints. The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom payable various web-money services... The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It's not as effective as Pony but can disable security programs, the company wrote on its blog*. This particular sample of Reveton was pre-programmed to search a web browser's history and cookies to see if the user had visited online sites of 17 German banks... Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting... US$1.3 million. Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro**."
* http://blog.avast.co...rously-evolved/

** http://blog.trendmic...ivity-nabbed-2/
___

Linux Trojan makes the jump to Windows
- http://www.theinquir...jump-to-windows
Aug 20 2014 - "... the original malware known as "Linux.Dnsamp" is a Distributed Denial of Service (DDoS) Trojan, which, according to the company blog*, transfers between Linux machines, altering the startup scripts, collecting and sending machine configuration data to the hackers' server and then running silently waiting for orders. Now it appears that the same hackers have ported the Trojan to run in Windows as "Trojan.Dnsamp.1"**. The Windows version gains entry to the system under the guise of a Windows Service Test called "My Test 1". It is then saved in the system folder of the infected machine under the name "vmware-vmx.exe". When triggered, just like its Linux counterpart, the Trojan sends system information back to the hackers' central server and then awaits the signal to start a DDoS attack or start downloading other malicious programs... Although the threat of malware is an everyday hazard to most computer users, to find an attack on Linux is much rarer, and to find any kind of malware that has been ported from one operating system to another is almost unheard of... Project Shield***, an initative designed to help smaller web servers fight off DDoS attacks."
* http://news.drweb.co...c=23&lng=en&p=1

** http://news.drweb.co...903&lng=en&c=14

*** https://projectshiel...hgoogle.com/en/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 20 August 2014 - 02:23 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1260 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 21 August 2014 - 08:26 AM

FYI...

Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malware...-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware product on the market, watch out before you click.
> https://blog.malware...AVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malware...07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malware...14/07/error.png
The fake pages are hosted here:
hzzzp ://onlineinstanthelp .com/antivirus-download.html
hzzzp ://onlineinstanthelp .com/norton-us/download.html
hzzzp ://onlineinstanthelp .com/mcafee-us/download.html
hzzzp ://onlineinstanthelp .com/avg-us/download.html
hzzzp ://onlineinstanthelp .com/malwarebytes-us/download.html
hzzzp ://onlineinstanthelp .com/winzip-us/download.html
hzzzp ://onlineinstanthelp .com/lavasoft-us/download.html
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)

wefixbrowsers .com / 23.91.123.204: https://www.virustot...04/information/

onlineinstanthelp .com / 118.139.186.35: https://www.virustot...35/information/
___

Fake HMRC SPAM - malware
- http://myonlinesecur...-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

Screenshot: http://myonlinesecur...iness-onile.png

21 August 2014  Credit_file_961529461.zip ( 50 kb)... Current Virus total detections: 1/51*
...  targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...sis/1408620337/
___

Fake Credit reference SPAM - word Doc malware
- http://myonlinesecur...rd-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear <REDACTED>
    You have obtain a copy of your credit reference file.
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
    Lynn Buck.


21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408613742/
___

JPMorgan customers targeted in phishing campaign
- http://www.reuters.c...N0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcover...ou-need-to-know

> https://www.brainyqu...infr122731.html
"Distrust and caution are the parents of security" - Ben Franklin
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 21 August 2014 - 03:23 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1261 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 22 August 2014 - 07:44 AM

FYI...

WordPress attacks exploiting XMLRPC
- http://myonlinesecur...loiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.n...-wordpress.html
... -None- of the current wordpress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URL's above.)
___

Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...


22 August 2014 : 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to   2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408710186/

- http://threattrack.t...aud-update-spam
22 Aug 2014 - "Subjects Seen:
    ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:

Screenshot: https://gs1.wac.edge...Ga8i1r6pupn.png

Malicious File Name and MD5:
    2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
    2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)


Tagged: ADP, Upatre
___

Backoff Point-of-Sale Malware Campaign
- https://www.us-cert....alware-Campaign
August 22, 2014 - "US-CERT is aware of Backoff malware compromising a significant number of -major-  enterprise networks as well as small and medium businesses. US-CERT encourages administrators and operators of Point-of-Sale systems to review the Backoff malware alert* to help determine if your network may be affected. Organizations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office."
* https://www.us-cert....lerts/TA14-212A
Last revised: Aug 22, 2014 - "... the Secret Service currently estimates that over 1,000 U.S. businesses are affected..."

Backoff malware Q&A
- https://www.trustwav...malware-danger/
"In light of a recent string of breaches involving a new point-of-sale malware family that our Trustwave researchers identified and named "Backoff," we have received many questions about the threat and how businesses can protect themselves..."
- https://gsr.trustwav...lware-overview/
___

"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmic...to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmic.../08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmic...-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 22 August 2014 - 09:30 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1262 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 24 August 2014 - 05:26 AM

FYI...

My Photos SPAM - malware
- http://myonlinesecur...photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

23 August 2014: My Photos.zip ( 8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustot...sis/1408799346/

zip .net / 200.147.99.195: https://www.virustot...95/information/
- http://quttera.com/d..._report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."

ddns .net / 8.23.224.108: https://www.virustot...08/information/
- http://quttera.com/d...report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___

Sony PlayStation Network taken down by attack
- http://www.reuters.c...N0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic... Sony is hoping its PlayStation network, with 52 million active users, can serve as a centerpiece of its plans to rebuild its business after years of losses in its flagship electronics operations..."

- http://www.reuters.c...N0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

> http://support.xbox....box-live-status
 

:grrr: :grrr:  :ph34r:


Edited by AplusWebMaster, 25 August 2014 - 06:27 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1263 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 25 August 2014 - 06:45 AM

FYI...

Fake Invoice SPAM - PDF Malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk, As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecur...ke-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
    WALSALL
    MAHON RD IND EST. PORTADOWN
    CO. ARMAGH BT62 3EH
    T:028 3833 5316
    F:028 3833 8453
    Please find attached Invoice No. 3036 – 8340637
    Best
    Branch Manager
    Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...


25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*  
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408955315/

** https://www.virustot...sis/1408955404/
___

Fake Fax SPAM - pdf malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretnding to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
    A fax has arrived from remote ID ’866-905-0884′.
    ————————————————————
    Transmission Record
    Received from remote ID: ’866-905-0884′
    Inbound user ID derek, routing code 669164574
    Result: (0/352;0/0) Successful Send
    Page record: 1 – 2
    Elapsed time: 00:39 on channel 34 ...


25 August 2014: Fax_Remote_ID.zip ( 13kb) : Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55* . This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408971894/
___

Bank of America Activity Alert Spam
- http://threattrack.t...vity-alert-spam
Aug 25, 2014 - "Subjects Seen:
    Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Screenshot: https://gs1.wac.edge...Tu861r6pupn.png

Malicious File Name and MD5:
    report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
    report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)


Tagged: Bank of America, Upatre
___

Facebook Work From Home SCAM
- http://www.hoax-slay...gram-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slay...gram-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___

Fake ADP SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It is generated from an unattended mailbox.


25 August 2014: invoice_447589545.zip (10kb): Extracts top invoice_447589545.exe
Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408992097/
___

BoA Merrill Lynch CashPro Spam
- http://threattrack.t...ch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
    Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
    You have received a secure message from Bank of America Merrill Lynch
    Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
    If you have concerns about the validity of this message, contact the sender directly.
    First time users - will need to register after opening the attachment.


Malicious URLs:
    161.58.101.183/handler/jxpiinstall.exe

Malicious File Name and MD5:
    securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
    jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)


Screenshot: https://gs1.wac.edge...RagN1r6pupn.png

Tagged: Bank of America, Merrill Lynch, tuscas

161.58.101.183: https://www.virustot...83/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 25 August 2014 - 06:07 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1264 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 26 August 2014 - 04:14 AM

FYI...

Fake Vodafone SPAM
- http://blog.dynamoo....lware-spam.html
26 Aug 2014 - "This -fake- Vodafone spam comes with a malicious attachment. There is not body text as such, the header reads:
    From:     Vodafone MMS service [mms813562@ vodafone .co.uk]
    Date:     26 August 2014 12:00
    Subject:     IMG Id 813562-PictQbmR TYPE--MMS


The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe This .EXE file has a VirusTotal detection rate of 3/55*. The malware then attempts to download additional components... This second component has a VirusTotal detection rate of 3/53**... I would recommend the following blocklist:
192.254.186.106 ..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1409051519/

** https://www.virustot...sis/1409052175/

192.254.186.106: https://www.virustot...06/information/
___

Phishers hook Facebook Users via SMS
- https://blog.malware...-users-via-sms/
Aug 26, 2014 - "If you happen to receive an SMS message from a potentially unknown recipient with the following text—
    wtf f***** remove this pic from Facebook. http ://bit[dot]do/fbnudephotos
... much like the fellow on the screenshot:
> https://blog.malware...2014/08/SMS.png
...then you’ve been targeted by a phishing campaign. The bit .do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
> https://blog.malware.../dbox-phish.png
All links but one – the 'Get Facebook for iPhone and browse faster' link – lead to a 404 page. The aforementioned link leads to the actual iTunes app download page. The full code of the page is actually hex encoded and executed by the unescape () function... Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware. While this happens at the background, users are directed to the following screenshot which serves as humour, if not a “Gotcha!” after a successful con:
> https://blog.malware.../08/unibrow.png
... Individuals or groups with bad intent have been using SMS as a way to -scam- people, either for their money or for their information. Senior Security Researcher Jérôme Segura have published a post entitled “SMS Scams: How To Defend Yourself”* back in 2013, which I recommend you... read as well. His thoughts on this kind of fraud remains relevant to this date..."
* https://blog.malware...efend-yourself/

193.107.17.68: https://www.virustot...68/information/
___

Vacation SCAMS ...
- https://blog.malware...-at-the-border/
Aug 26, 2014 - "... common travel scams and things to be wary of right now... First up, we have an Infographic over at the Just the flight blog which details 40 tourist scams to avoid*, along with common locations for said scams:
* http://www.justthefl...his-summer.html
... Whether you’re being driven to fake hotels by taxi drivers in on the act, looking at bogus takeaway menus slipped under your hotel door, accosted by  pretend policemen or trying to catch a fake baby (no really) thrown in your general direction by a scammer working with pickpockets... Next up, we have some advice on the South China Morning Post in relation to travelling alone**, which includes tips and advice alongside links to additional information. Well worth a look if you’re planning on upping sticks and going solo:
** http://www.scmp.com/...ingle-traveller
Finally, there’s a device which can be placed inside jewelry and perform numerous functions while on the move, including sending alert messages*** in case of emergency:
*** http://www.bust.com/...p-you-safe.html
Wherever you go, you can be sure con-jobs and fakeouts lie in wait and the sensible traveler will do a little background reading before wandering off to parts unknown. It pays to keep your wits about you whether at home or abroad..."
(More at the malwarebytes URL at the top.)
___

SourceForge sub-domain redirects to Flash-Pack-Exploit-Kit
- https://blog.malware...ck-exploit-kit/
Aug 25, 2014 - "We have talked about SourceForge before on this blog, in particular when they were associated with -bundled- software... take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack... This calls to stat-count .dnsdynamic .com a domain previously identified* as a source of malicious activity. This one is no different...
* https://www.virustot...om/information/
... You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of -redirections- ... The last URL is a Flash file, VT detection here:
https://www.virustot...sis/1408996053/
... A Flash file with a peculiar name for its classes:
> https://www.virustot...sis/1408979154/
The payload (VT results**) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED... We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether is it part of a larger campaign is hard to say but it is particularly active at the moment. Drive-by download attacks are the number -one- vector for malware infections. Legitimate websites often fall victim to malicious -injections- stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware..."
(More detail at the malwarebytes URL at the top.)
** https://www.virustot...sis/1408996125/

dnsdynamic .com - 84.45.76.100: https://www.virustot...00/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 26 August 2014 - 01:44 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1265 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 27 August 2014 - 05:43 AM

FYI...

Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo....lware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
    From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
    Date:     27 August 2014 10:43
    Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14
    Hello ,   
    Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
    Thank you      
    Regards
    Gladness B Madikwe
    Sales & Marketing Clerk
    Morupule Coal Mine ...


Screenshot: http://1.bp.blogspot...00/moropule.png

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustot...sis/1409133512/
___

Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.c...-is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the times only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
    Java .com
    Deviantart .com
    TMZ .com
    Photobucket .com
    IBTimes .com
    eBay .ie
    Kapaza .be
    TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IP’s having been associated with these domains:
    198.27.88.157: https://www.virustot...57/information/
    94.23.252.38: https://www.virustot...38/information/
    178.32.21.248: https://www.virustot...48/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___

"Customer Statements" - malware SPAM
- http://blog.dynamoo....lware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
    Fom:     Accounts [hiqfrancistown910@ gmail .com]
    Date:     27 August 2014 09:51
    Subject:     Customer Statements
    Good morning,attached is your statement.
    My regards.
    W ELIAS


Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustot...sis/1409135030/
___

Royal Bank of Canada Payment Spam
- http://threattrack.t...da-payment-spam
Aug 27, 2014 - "Subjects Seen:
    The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
    The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
    The transfer is now complete.
    Message recipient: The rating was not provided.
    See details in the attached report.
    Thank you for using the Service INTERAC Bank RBC Royal Bank.


Malicious File Name and MD5:
    INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
    INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D


Screenshot: https://gs1.wac.edge...OUqn1r6pupn.png

Tagged: RBC, Upatre
___

AT&T DocuSign Spam
- http://threattrack.t...t-docusign-spam
Aug 27, 2014 - "Subjects Seen:
    Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
    Hello,
    AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.


Malicious URLs:
    79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
    Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
    Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)


Screenshot: https://gs1.wac.edge...fIWp1r6pupn.png

79.172.51.73: https://www.virustot...73/information/

Tagged: ATT, DocuSigin, Upatre

- http://myonlinesecur...ke-pdf-malware/
27 Aug 2014
___

ADP Past Due Invoice Spam
- http://threattrack.t...ue-invoice-spam
Aug 27, 2014 - "Subjects Seen:
    ADP Past Due Invoice
Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here...


Malicious URLs:
    81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
    invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
    invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)


Screenshot: https://gs1.wac.edge...SD3h1r6pupn.png

81.80.82.27: https://www.virustot...27/information/

Tagged: ADP, Upatre
___

Fake Payment Advice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Disclaimer:
    This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
    AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
    Cell 270 547-9194


27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)  
Extracts to   Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55* . This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409154303/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 27 August 2014 - 03:39 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1266 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 28 August 2014 - 07:05 PM

FYI...

The ‘Unknown’ Exploit Kit ...
- https://blog.malware...wn-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malware...rlight_only.png
Flash only:
> https://blog.malware.../Flash_only.png
Silverlight and Flash:
> https://blog.malware...t_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)
 

:ph34r: :ph34r:


This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1267 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted 29 August 2014 - 05:31 AM

FYI...

Fake 'new photo' SPAM - malware
- http://myonlinesecur...-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:

    my new photo  ..
    if you like my photo to send me u photo


29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustot...sis/1409297373/
___

Netflix PHISH ...
- https://blog.malware...u-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malware...hish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malware.../08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."

176.74.28.254: https://www.virustot...54/information/

netflix-ssl .net / 92.222.121.100: https://www.virustot...00/information/
8.31.2014 9:02AM EDT
___

Internet Disconnection SCAM calls
- http://www.hoax-slay...cam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___

Fake Refund email targets UK taxpayers
- https://blog.malware...s-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malware...08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for a HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malware...08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HRMC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov....y/reporting.htm
___

New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmic...etail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The –install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the –uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicr...em-breaches.pdf
___

Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquir...s-windows-store
Aug 29 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows...-windows-store/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 31 August 2014 - 08:03 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1268 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted Yesterday, 04:56 AM

FYI...

Tesco Phish ...
- http://myonlinesecur...wards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
    Tesco Customer Satisfaction program selected you to take part in our quick survey.
    To earn your 150 £ reward, please click here and complete the form.


Screenshots:
- http://myonlinesecur...k-_rewards1.png

- http://myonlinesecur...k-_rewards2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___

Fake Statement SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, As far as we can determine they have not been hacked or their website or email system compromised... Email reads:

    Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409570924/
___

O/S Market Share - August 2014 ...
- http://www.netmarket...=10&qpcustomd=0
Browser Market Share
- http://www.netmarket...d=0&qpcustomd=0
9/1/2014
___

China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.c...N0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, Yesterday, 09:44 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1269 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 8,997 posts

Posted Today, 05:56 AM

FYI...

Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo....1188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimates ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-t...8/29/index.html

** http://blog.dynamoo....el/DINETHOSTING
___

Hacks behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.o...t-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.nam...internet-users/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, Today, 08:07 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.





3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button