
SPAM frauds, fakes, and other MALWARE deliveries...



#1301 AplusWebMaster


Posted 13 October 2014 - 04:24 AM

FYI...

Fake Amazon SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
13 Oct 2014 - "'Your Amazon.co.uk order #} random letters and numbers' pretending to come from AMAZON .CO.UK <order@ amazon .co.uk> and all being sent to 1122@ eddfg .com with a bcc to your email address is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...n_order_Oct.png

13 October 2014 : 575-3010892-0992746.doc  Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is -NEVER- open any attachment to an email, unless you are expecting it... The best way is to just delete the unexpected zip and not risk any infection."
* https://www.virustot...sis/1413181748/

- http://blog.dynamoo....-spam-with.html
13 Oct 2014
___

Fake BankLine SPAM - malware
- http://blog.dynamoo....ceived-new.html
13 Oct 2014 - "A couple of unimaginative spam emails leading to a malicious payload.

   You have received a new secure message from BankLine
    From:     Bankline [secure.message@ bankline .com]
    Date:     13 October 2014 12:48
    Subject:     You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...

     You've received a new fax
    From:     Fax [fax@ victimdomain .com]
    Date:     13 October 2014 13:07
    Subject:     You've received a new fax
    New fax at SCAN2166561 from EPSON by https ://victimdomain .com
    Scan date: Mon, 13 Oct 2014 20:07:31 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    (Dropbox Drive is a file hosting service operated by Google, Inc.)


Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54*... Also dropped are a couple of executables, egdil.exe (VT 2/54**, Malwr report) and twoko.exe (VT 6/55***, Malwr report).
Recommended blocklist:
"
* https://www.virustot...sis/1413208781/

** https://www.virustot...sis/1413210259/

*** https://www.virustot...sis/1413210280/
___

Barclaycard phishing ...
- http://myonlinesecur...shing-attempts/
13 Oct 2014 - "We are seeing quite a few Barclaycard phishing attempts today trying to get your Barclaycard details. These are not very well crafted and look nothing like any genuine Barclaycard emails. Do -not- click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t Barclaycard. Immediately delete the email; the safest way to make sure that it isn’t a genuine email from Barclaycard is to type the Barclaycard web address in your browser and then log in to the account that way...

Screenshot: http://myonlinesecur...shing-email.png

... using what look like they are hijacked/compromised subdomains of a real website. All of them use a random subdomain and then the website name and then /clients/? The site looks like:
> http://myonlinesecur...ishing-site.png
Following the link in this Barclaycard or other spoofed emails takes you to a website that looks exactly like the real Barclaycard site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Barclaycard account, but also your Bank Account, and potentially your email details and webspace (if you have it). They want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___

Fake Bank application SPAM - malware
- http://www.hoax-slay...are-email.shtml
Oct 13 2014 - "Email purporting to be from First National Bank of Omaha (FNBO) claims that your account application has been received and invites you to open an -attached- file to view documents about your application:
Re: Applicant #9908541042
Hello,
Your application for an FNBO Direct account has been received. As an FNBO Direct customer, not only will you receive an exceptional interest rate, you can be confident your accounts are held by a bank established in values of trust, integrity, and security.
Please find in the attached document information concerning your application.
Copyright © 2014 FNBO Direct, a division of First National Bank of Omaha. All Rights Reserved. Deposit Accounts are offered by First National Bank of Omaha,
Member FDIC. Deposits are insured to the maximum permitted by law.
P.O. Box 3707, Omaha, NE 68103-0707
For information on FNBO Direct's privacy policy, please visit [Link removed]
Email ID: A0963.6

(Email included attached file with the name: 'FNBO_Direct_application_9908541042.zip')

According to this email, which claims to be from First National Bank of Omaha (FNBO), your application for an FNBO Direct account has been received. The message advises that information about your application is contained in an -attached- document... it masquerades as a seemingly legitimate business message and uses the name of a real company... the attached .zip file... contains a .exe file. Clicking the .exe file would install a trojan on your computer... do -not- open any attachments or click any links that it contains. You can report fraudulent FNBO emails via the reporting address on the bank's website*."
* https://www.fnbodire...ail-fraud.fhtml
___

Fake FedEx SPAM
- http://blog.mxlab.eu...ontains-trojan/
Oct 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Payment Invoice Slip”. This email is sent from the -spoofed- address “info@ ukboxingstore .co.uk” and has the following body:
    Dear customer.
    A parcel was sent to your home address.
    And it will arrive within 3 business day.
    More information and the tracking number are attached in the document.
    Please do not respond to this message. This email was sent from an unattended mailbox.
    This report was generated at approximately GMT on 06/10/2014.
    To learn more about FedEx Express, please visit our website at fedex.com.
    All weights are estimated.
    To track the latest status of your shipment, View on the tracking number on the attached document
    This tracking update has been sent to you by FedEx on the behalf of the Request or noted above.
    FedEx does not validate the authenticity of the requestor and does not validate,
    guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
    Thank you for your business.
    FedEx Customer Service


The attached ZIP file has the name FEDEX SHIPPING NOTIFICATION (1).zip and contains the 396 kB large file XXXX.exe. The trojan is known as TR/Dropper.Gen8, a variant of Win32/Injector.BNJA, HB_Ispi or Win32:Malware-gen. At the time of writing, 5 of the 55 AV engines did detect the trojan at VirusTotal*..."
* https://www.virustot...sis/1413096741/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 13 October 2014 - 02:06 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1302 AplusWebMaster


Posted 14 October 2014 - 08:01 AM

FYI...

Fake DOC attachment SPAM - malware
- http://blog.dynamoo....lease-open.html
14 Oct 2014 - "This spam comes with a malicious DOC attachment:

    From:     Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@ bostonqatar .net]
    Date:     14 October 2014 11:09
    Subject:     Your document
    To view your document, please open attachment.


The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc. This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography .co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55* and the EXE file is just 2/54** ... UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55***..."
* https://www.virustot...sis/1413281775/

** https://www.virustot...sis/1413283670/

*** https://www.virustot...sis/1413287366/

- http://myonlinesecur...rd-doc-malware/
14 Oct 2014 - "... The email is very plain, simple and terse and just says:

To view your document, please open attachment.

14 October 2014: document_1720781.doc Current Virus total detections: 0/55* ..."
* https://www.virustot...sis/1413281933/
___

Fake Sales Order SPAM - word doc malware
- http://myonlinesecur...rd-doc-malware/
14 Oct 2014 - "'Sales Order Number SON1410-000183' pretending to come from mail@ firwood .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    <html>
    <body bgcolor="#FFFFFF">
    <table width="750" border="0">
    <tr>
    <td>
    <font face="verdana" size="2"></font>
    <br><br>
    <font face="verdana" size="2">Please find the attached document a summary
    of which is below:</font>
    </td>
    </tr>
    </table>
    <table width="750" border="0"> ...
        </table>
    <font face="verdana" size="2">Regards </br></br><B>Firwood Paints Ltd
    </B></br>Oakenbottom Road </br>Bolton BL2 6DP   England </br></br>Tel +44
    (0)1204 525231 </br>Fax +44 (0)1204 362522 </br>e mail mail@firwood.co.uk
    </br></font>
    </body>
    </html>
    Automated mail message produced by DbMail.
    Registered to X3 – Sage North America, License EDM2013051.
    This message has been scanned for viruses by BlackSpider MailControl ...


14 October 2014: Extracts to: SON141000-000183.pdf.exe
Current Virus total detections: 13/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413274440/
___

YouTube Ads lead to Exploit Kits ...
- http://blog.trendmic...hit-us-victims/
Oct 14, 2014 - "Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube. Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.
Countries affected by this malicious ad campaign:
> http://blog.trendmic...14/10/malad.jpg
Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label. The ads we’ve observed do not -directly- lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers. In order to make their activity look legitimate, the attackers used the -modified- DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.) The traffic passes through two -redirection- servers (located in the Netherlands) before ending up at the malicious server, located in the United States. The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
    CVE-2013-2460 – Java
    CVE-2013-2551 – Internet Explorer
    CVE-2014-0515 - Flash
    CVE-2014-0322 – Internet Explorer
Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads is identical. The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible. Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure..."
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 14 October 2014 - 09:34 AM.



#1303 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,201 posts

Posted 15 October 2014 - 06:52 AM

FYI...

Fake delivery SPAM - word doc malware ...
- http://myonlinesecur...rd-doc-malware/
15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Thank you for buying at our store!
    Date ordered: October 14 2014
    This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
    Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
    Please review the attached document.


15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
Current Virus total detections: 7/54* . This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413361301/
___

Fake 'Shipping Info' SPAM
- http://blog.dynamoo....-spam-uses.html
15 Oct 2014 - "This fake shipping spam contains malware, although it appears that it may be buggy and might not install properly.

Screenshot: https://3.bp.blogspo...ipping-info.png

The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
> https://4.bp.blogspo...cal-invoice.png
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
* https://www.virustot...sis/1413383394/

** https://www.virustot...sis/1413384221/

*** https://www.virustot...sis/1413384174/
___

Fake Paypal SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

     Unable to complete your most recent Transaction.
    Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please see attached payment receipt .


15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
Current Virus total detections: 7/54* . This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413387437/

 

:ph34r:  :grrr:


Edited by AplusWebMaster, 15 October 2014 - 04:23 PM.



#1304 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,201 posts

Posted 16 October 2014 - 03:17 PM

FYI...

Fake Bank SPAM
- http://blog.dynamoo....t-complete.html
16 Oct 2016 - "This fake Barclays spam leads to malware.
    From:     Barclays Bank [Barclays@email .barclays .co.uk]
    Date:     16 October 2014 12:48
    Subject:     Transaction not complete
    Unable to complete your most recent Transaction.
    Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt below...


Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54*. The Malwr report shows that it reaches out to the following URLs:
http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/
http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/
http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/
http ://jwoffroad .co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to -block- or monitor. It also drops two executables, bxqyy.exe (VT 5/54** ...) and ldplh.exe (VT 1/51*** ...)."
* https://www.virustot...sis/1413462043/
... Behavioural information
DNS requests
jwoffroad .co.uk (88.208.252.216)
TCP connections
188.165.214.6: https://www.virustot....6/information/
88.208.252.216: https://www.virustot...16/information/

** https://www.virustot...sis/1413462507/

*** https://www.virustot...sis/1413462517/
___

Many .su and .ru domains leading to malware
- http://blog.dynamoo....leading-to.html
16 Oct 2016 - "These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know.... recommend watching out for these..."
(Long list at the dynamoo URL above.)

- https://www.abuse.ch/?p=3581

- http://blog.dynamoo....s-to-block.html
"The obsolete .su (Soviet Union) domain is usually a tell-tale sign..."

___

Fake Invoice SPAM
- http://myonlinesecur...ke-pdf-malware/
16 Oct 2016 - "'RE: Invoice #4023390' pretending to come from Sage Accounting < Alfonso.Williamson@ sage-mail .com > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

     Please see attached copy of the original invoice.

16 October 2014: Invoice_4017618.zip: Extracts to: Invoice_4017618.exe
Current Virus total detections: 5/54* . This RE: Invoice #4023390 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413490281/
... Behavioural information
DNS requests
lewis-teck .co.uk (5.77.44.47)
TCP connections
188.165.214.6: https://www.virustot....6/information/
5.77.44.47: https://www.virustot...47/information/
___

FBI warns of Chinese cyber campaign
- http://www.washingto...0453_story.html
Oct 15, 2014 - "The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. “These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People’s Liberation Army Unit 61398... whose activity was publicly disclosed and attributed by security researchers in February 2013,” said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant... The group, the FBI said, has deployed at least four “zero-day exploits” or hacking tools based on previously unknown flaws in Microsoft’s Windows operating system, which reflects a considerable degree of prowess as zero-day flaws are difficult to find in software. The bureau’s nine-page alert contained some “indicators of compromise” that companies could use to determine if they have been hacked by the group..."
 

:ph34r: :ph34r:  :grrr:


Edited by AplusWebMaster, 16 October 2014 - 07:52 PM.

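The check-in URLs quoted from the Malwr reports in this post (a bare IP on a high port, a campaign id such as 1610uk1 followed by /HOME/..., then a .osa fetch from a compromised .co.uk site) form a pattern a proxy log can be searched for, and the same pattern is what makes 188.165.214.6 worth blocking or monitoring. This is an added example, not code from the thread or from dynamoo's blog; the log format, client addresses and the digits-letters-digits campaign-id shape are assumptions drawn from the URLs quoted above.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Campaign ids on the page look like 1610uk1 / 1710uk3: digits, letters, digits.
# This shape is an assumption drawn from the quoted URLs; adjust as naming changes.
CAMPAIGN = r"(?P<campaign>[0-9]{2,6}[a-z]{1,4}[0-9]{1,3})"
# /<campaign>/HOME/<n>/<token such as 51-SP3>/<n>/
BEACON_PATH = re.compile(r"^/" + CAMPAIGN + r"/HOME/\d+/[0-9A-Za-z-]+/\d+/?$")
# /.../<campaign>.osa : the second-stage file fetched from a compromised site
OSA_PATH = re.compile(r"/" + CAMPAIGN + r"\.osa$")

# Constructed log format: <timestamp> <client ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return the set of tags that apply to one requested URL (empty = unremarkable)."""
    tags = set()
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        tags.add("ip-literal-host")       # the sample talks to 188.165.214.6 by address
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        tags.add("nonstandard-port")      # 12302 / 15600 on the page
    m = BEACON_PATH.match(parts.path)
    if m:
        tags.add("home-beacon:" + m.group("campaign"))
    m = OSA_PATH.search(parts.path)
    if m:
        tags.add("osa-download:" + m.group("campaign"))
    return tags


def scan_log(lines):
    """Parse log lines; return ({client: [(url, tags), ...]}, sorted block candidates).

    A host becomes a block candidate only when it served a beacon or an .osa file,
    so ordinary IP-literal or odd-port traffic is recorded but not blocked."""
    findings = defaultdict(list)
    block_candidates = set()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        tags = classify_url(url)
        if not tags:
            continue
        findings[m.group("client")].append((url, tags))
        if any(t.startswith(("home-beacon:", "osa-download:")) for t in tags):
            block_candidates.add(urlsplit(url).hostname)
    return dict(findings), sorted(block_candidates)


def infected_clients(findings):
    """Clients whose beacon campaign id also appears in an .osa download: the
    full sequence the Malwr report shows, not just one suspicious request."""
    result = {}
    for client, hits in findings.items():
        beacons = {t.split(":", 1)[1] for _, tags in hits for t in tags if t.startswith("home-beacon:")}
        osas = {t.split(":", 1)[1] for _, tags in hits for t in tags if t.startswith("osa-download:")}
        common = beacons & osas
        if common:
            result[client] = sorted(common)
    return result


# Constructed sample log; the malicious URLs are the ones quoted in the post.
SAMPLE_LOG = """\
2014-10-16T12:50:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2014-10-16T12:50:07Z 10.0.0.15 GET http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/ 200
2014-10-16T12:50:09Z 10.0.0.15 GET http://188.165.214.6:12302/1610uk1/HOME/1/0/0/ 200
2014-10-16T12:50:12Z 10.0.0.15 GET http://jwoffroad.co.uk/img/t/1610uk1.osa 200
2014-10-16T12:50:14Z 10.0.0.15 GET http://188.165.214.6:12302/1610uk1/HOME/41/5/1/ 200
2014-10-16T12:51:30Z 10.0.0.22 GET http://192.0.2.10:8080/status 200
2014-10-16T12:52:00Z 10.0.0.23 GET http://www.example.org/docs/HOME/1/2/3/ 404
""".splitlines()

if __name__ == "__main__":
    found, block = scan_log(SAMPLE_LOG)
    print("block candidates:", block)
    print("infected:", infected_clients(found))
```

The odd-port request from 10.0.0.22 is kept in the findings for review but does not reach the block list, and the /docs/HOME/... path on a normal host is ignored because the campaign-id shape does not match.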


#1305 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,201 posts

Posted 17 October 2014 - 05:41 AM

FYI...

Fake Sage Invoice SPAM - malware
- http://blog.dynamoo....am-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.

Screenshot: https://2.bp.blogspo...s1600/sage3.png

Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk
"
* https://www.virustot...sis/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustot....6/information/
66.7.214.212: https://www.virustot...12/information/

** https://www.virustot...sis/1413540238/

*** https://www.virustot...sis/1413540261/
___

Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecur...update-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with a -nothing- on this one... a couple of manual analysis done by Virus total** users who find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustot...sis/1413556548/

** https://www.virustot...3c241/analysis/

1) https://techhelplist...ty-update-virus

The email looks like:
  Dear client,
     You are receiving this notification because your Salesforce SSL certificate has expired.
    In order to continue using Salesforce.com, you are required to update your digital certificate.
     Download the attached certificate. Update will be automatically installed by double click.
     According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation...  Thank you for using Salesforce .com


17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a white & red circular arrow instead of the .scr (executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413556548/
___

Fake eFax SPAM
- http://blog.dynamoo....60204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
    From:     eFax [message@ inbound .claranet .co.uk]
    Date:     17 October 2014 11:36
    Subject:     eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
    Fax Message [Caller-ID: 208-616-0204]
    You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
    * The reference number for this fax is lon2_did11-4056638710-9363579926-02.
    Please visit... to  view  this message in full...


The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).

Screenshot: https://1.bp.blogspo...s1600/efax2.png

The download link goes to http ://206.253.165.76 :8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76
"
* https://www.virustot...sis/1413545028/  
___

Fake Virgin Media SPAM - phish/malware
- http://myonlinesecur...-media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Virgin Media Automated Billing Reminder
    Date 17th October 2014
    This e-mail has been sent you by Virgin Media to inform you that we were  unable to process your most recent payment of bill. This might be due to one of the following reasons:
        A recent change in your personal information such as Name or address.
        Your Credit or Debit card has expired.
        Insufficient funds in your account.
        Cancellation of Direct Debit agreement.
        Your Card issuer did not authorize this transaction.
    To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
    Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...


 Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most ( if not all) malicious files that are attached to emails will have a -faked- extension..."
___

More Free Facebook Hacks ...
- https://blog.malware...surface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
    fbwand(dot)com
> https://blog.malware...4/10/fbwand.png

    hackfbaccountlive(dot)com
> https://blog.malware...accountlive.png

One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malware...erify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malware...ckers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it's true that no website is perfectly secure, one must not attempt to hack into them nor break into someone else's online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tools, such as those I mentioned here, generally take advantage of user distrust against someone and profit from it, promising big but delivering nothing in the end. Avoid them at all cost."
* https://www.facebook...out/graphsearch
___

Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert....lware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___

CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmic...dyre-infection/
Oct 16, 2014 - "... a new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload - a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise themselves as invoice message notifications or "new alert messages" from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmic...ail_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmic...ountries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains one of the most prevalent malware families today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of the online file storage platform Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmic...pambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials data) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP, or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___

WhatsApp Spam
- http://threattrack.t...8/whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
    Voice Message Notification
Typical e-mail details:
    You have a new voicemail!
    Details:
    Time of Call: Oct-13 2014 06:02:04
    Lenth of Call: 07sec


Malicious URLs:
    p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
    VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
    VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)


Screenshot: https://gs1.wac.edge...SYyI1r6pupn.png

Tagged: Whatsapp, Kuluoz
 



Edited by AplusWebMaster, 17 October 2014 - 01:15 PM.



#1306 AplusWebMaster


Posted 18 October 2014 - 10:57 PM

FYI...

Evil network: 5.135.230.176/28 - OVH
- http://blog.dynamoo....-ovh-eldar.html
18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:
organisation:   ORG-EM25-RIPE
org-name:       eldar mahmudov
org-type:       OTHER
address:        ishveran 9
address:        75003 paris
address:        FR
e-mail:         mahmudik@ hotmail .com
abuse-mailbox:  mahmudik@ hotmail .com
phone:          +33.919388845
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
changed:        noc@ ovh .net 20140621
source:         RIPE
There appears to be nothing legitimate at all in this IP address range; I strongly recommend that you -block- traffic going to it."
* http://malware-traff...0/06/index.html

Diagnostic page for AS16276 (OVH)
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
___

malwr
- https://malwr.com/
Oct. 19, 2014 - "Last Comments: Malware.
222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080"
- https://malwr.com/about/ >> http://www.shadowserver.org/ *

- 222.236.47.53: https://www.virustot...53/information/
- 195.206.7.69: https://www.virustot...69/information/
- 46.55.222.24: https://www.virustot...24/information/
- 162.144.60.252: https://www.virustot...52/information/
- 91.212.253.253: https://www.virustot...53/information/
- 95.141.32.134: https://www.virustot...34/information/

Bot Count Graphs
* https://www.shadowse...ountYearly#toc1
Page last modified on Sunday, 19 October 2014
___

- http://blog.dynamoo....-spam-uses.html
17 Oct 2014
... ShippingLable_HSDAPDF.scr
- https://www.virustot...sis/1413566277/
... Comments:
Full list of CnCs:
5.135.28.118: https://www.virustot...18/information/
185.20.226.41: https://www.virustot...41/information/
5.63.155.195: https://www.virustot...95/information/
___

RIG Exploit Kit Dropping CryptoWall 2.0
- http://www.threattra...cryptowall-2-0/
Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
* http://blog.dynamoo....60204-spam.html

206.253.165.76: https://www.virustot...76/information/
 



Edited by AplusWebMaster, 19 October 2014 - 02:35 PM.



#1307 AplusWebMaster


Posted 20 October 2014 - 06:46 AM

FYI...

Fake 'unpaid invoice' SPAM - xls malware
- http://myonlinesecur...el-xls-malware/
20 Oct 2014 - "An email pretending to be an unpaid invoice and threatening court action with a subject of 'Acorn Engineering Limited trading' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   Acorn-Maintenance-Engineering-logo...
    October 20, 2014
    Head Office
    Acorn Engineering Limited trading
    as Acorn Maintenance
    Acorn House
    20 Wellcroft Road
    Slough
    Berkshire
    SL1 4AQ
    Tel: 01753 386 073
    Fax: 01753 409 672
    Dear ...
    Reference: 48771955-A8
    Court action will be the consequence of your ignoring this letter.
    Despite our telephone calls on October 10 and our letters of September 25, 2014 and October 20, 2014, and your promise to pay, payment of your account has still not been received. If full payment is not received by October 22, 2014 court action will be taken against your company.
    If you allow this to happen you will incur court costs and you may forfeit your company’s credit status because the name of your company will be recorded by the major credit reference agencies. This may deter others from supplying you.
    You are also being charged debt recovery costs and statutory interest of 8% above the reference rate (fixed for the six month period within which date the invoices became overdue) pursuant to the late payment legislation.
    To stop this from happening please pay in full now the overdue invoice which is also attached to this letter.
    Yours truly,
    signature-Mishenko.gif (626×272)
    Nadine Cox,
    Accountant
    Acorn Engineering Limited
    Enclosure (Attachment)


20 October 2014: Copy4313_B0.zip: Extracts to: Invoice_7380901925299.xls.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper Microsoft Excel xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413800273/
___

Fake PDF invoice SPAM
- http://www.symantec....more-you-expect
Oct 20, 2014 - "... Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
Malicious .pdf file attached to suspicious email:
> http://www.symantec....031/Fig1_19.png
While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be. The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader... attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image... The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service”... If successful, the malware is then able to steal confidential information entered into Web browsers by the user. Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief*."
* http://www.symantec....1022-99&tabid=2
___

Fake 401k SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Oct 2014 - "An email pretending to come from Carla Rivers < CarlaRivers@ fidelity .com > giving details of the October 2014 401k fund performance results with a subject of '401k June 2014 Fund Performance and Participant Communication' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Co-op 401k Plan Participants –
    Attached you will find the October 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
    If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
    Please contact me if you have any questions.
    Carla Rivers
    Employee Benefits/Plan Administrator ..


20 October 2014: October-2014-401k-Fund.zip : Extracts to: October-2014-401k-Fund.scr
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413823356/
... Behavioural information
DNS requests
cyba3 .co.uk (94.136.40.103)
TCP connections
188.165.214.6: https://www.virustot....6/information/
94.136.40.103: https://www.virustot...03/information/
___

Fake 'LogMeIn Security Update' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Oct 2014 - "An email that says it is an announcement that you need to install a new 'LogMeIn security certificate', which pretends to come from LogMeIn .com < auto-mailer@ logmein .com > with a subject of October 16, 2014 'LogMeIn Security Update', is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...rity-update.png

20 October 2014: cert_client.zip: Extracts to: cert_1020.scr
Current Virus total detections: 1/52*. This October 16, 2014 'LogMeIn Security Update' is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a legitimate file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413811609/
___

Fake 'my new photo ;)' SPAM - trojan variant
- http://blog.mxlab.eu...trojan-variant/
Oct 20, 2014 - "...  intercepted a new trojan variant distribution campaign by email with the subject “my new photo ;)”... sent from the spoofed email addresses and has the following short body:

    my new photo ;)

The attached ZIP file has the name photo.zip; once extracted, a folder photo is available that contains the 57 kB file photo.exe. The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen. At the time of writing, 2 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1413812842/
___

Fake Invoice SPAM – word doc malware
- http://myonlinesecur...rd-doc-malware/
20 Oct 2014 - "An email pretending to come from Adobe with the subject of 'Adobe Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has an attachment that looks like a proper word.doc but something has disinfected all copies on its travels. All copies that I have received have been -less- than 1kb in size and are empty files with a name only, adb-102288-invoice.doc. They are almost certainly supposed to be the typical malformed word docs that contain a macro script -virus- we have been seeing so much recently, which will infect you if you open or even preview them when you have an out of date or vulnerable version of Microsoft Word on your computer... The email looks like:
    Adobe® logo     
    Dear Customer,
    Thank you for signing up for Adobe Creative Cloud
    Service.
    Attached is your copy of the invoice.
    Thank you for your purchase.
    Thank you,
    The Adobe Team
    Adobe Creative Cloud Service...


Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension..."

- http://blog.dynamoo....e-spam-adb.html
20 Oct 2014
Screenshot: https://1.bp.blogspo...s1600/adobe.png/

- https://www.virustot...sis/1413809174/
... Behavioural information
TCP connections
62.75.182.94: https://www.virustot...94/information/
208.89.214.177: https://www.virustot...77/information/
___

Dropbox phish - hosted on Dropbox
- http://www.symantec....-hosted-dropbox
Updated: 18 Oct 2014 - "... In this scam, messages included links to a -fake- Google Docs login page hosted on Google itself. We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a -fake- Dropbox login page, hosted on Dropbox itself.
Fake Dropbox login page:
> http://www.symantec....1/Dropbox 1.png
The -fake- login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing. The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well. After clicking "Sign in," the user’s credentials are sent to a PHP script on a compromised Web server. Credentials are also submitted over SSL, which is critical for the attack's effectiveness. Without this, victims would see an unnerving security warning.
Security warning:
> http://www.symantec....1/Dropbox 2.jpg
Upon saving or emailing the user's credentials to the scammer, the PHP script simply -redirects- the user to the real Dropbox login page. Although the page itself is served over SSL, and credentials are sent using the protocol, some resources on the page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications. Symantec reported this phishing page to Dropbox and they immediately took the page down. Any Dropbox-hosted phishing pages can be reported to the abuse@dropbox.com email address..."
 



Edited by AplusWebMaster, 20 October 2014 - 03:39 PM.



#1308 AplusWebMaster


Posted 21 October 2014 - 07:00 AM

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
21 Oct 2014 - "An email pretending to come from 'Humber Merchants Group' ps [random number]@humbermerchants .co.uk with a word document attachment and the subject of 'Industrial Invoices' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Attached are accounting documents from Humber Merchants
    Humber Merchants Group
    Head Office:
    Parkinson Avenue
    Scunthorpe
    North Lincolnshire
    DN15 7JX
    Tel: 01724 860331
    Fax: 01724 281326 ...


21 October 2014: 15040BII3646501.doc - Current Virus total detections: 0/52*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413890645/
___

Fake Adobe Invoice Spam
- http://threattrack.t...be-invoice-spam
Oct 21, 2014 - "Subjects Seen:
    Adobe Invoice
Typical e-mail details:
    Dear Customer,
    Thank you for signing up for Adobe Creative Cloud Service.
    Attached is your copy of the invoice.
    Thank you for your purchase.
    Thank you,
    The Adobe Team
    Adobe Creative Cloud Service


Screenshot: https://gs1.wac.edge...AetU1r6pupn.png

Malicious File Name and MD5:
    invoice.zip (CABA79FCEB5C9FEF222C89C423AA2485)
    invoice.exe (29684FBB98C1883A7A08977CB23E90B6)


Tagged: Adobe, Wauchos
___

Fake Invoice SPAM - malware
- http://myonlinesecur...nvoice-malware/
21 Oct 2014 - "An email pretending to come from cato-chem .com < sales@ cato-chem .com > with a fake invoice and a subject of 'Please find attached PI copies of Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...ake-invoice.png

21 October 2014: proforma invoice.zip: Extracts to proforma invoice.exe
Current Virus total detections: 17/54*. This 'Please find attached PI copies of Invoice' is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a file with a barcode as the icon instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413858604/
___

ThetaRay turns to maths to detect cyber threats
- http://www.reuters.c...N0IA1JV20141021
Oct 21, 2014 - "As businesses face a growing threat of cyber attacks, Israeli start-up ThetaRay is betting on maths to provide early detection, enabling the shutdown of systems before damage can be done. The year-old company's first investor was venture capital firm Jerusalem Venture Partners. It is now also backed by heavyweights like General Electric, which uses ThetaRay to protect critical infrastructure such as power plants, and Israel's biggest bank, Hapoalim, which deployed the technology to detect bank account anomalies... Cyber security providers are moving away from protecting gateways with defenses such as firewalls to focus on detecting and preventing attacks before they penetrate organizations... Security experts estimate it can take more than -200- days to identify a cyber attack once it's been launched... Once a threat has been detected, ThetaRay leaves it up to humans to decide whether or not to shut down the system..."
___

U.S. national security prosecutors shift focus from spies to cyber
- http://www.reuters.c...N0IA0BM20141021
Oct 21, 2014 - "The U.S. Justice Department is restructuring its national security prosecution team to deal with cyber attacks and the threat of sensitive technology ending up in the wrong hands, as American business and government agencies face more intrusions. The revamp, led by Assistant Attorney General John Carlin, also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States... The agency is also renaming its counter-espionage section to reflect its expanding work on cases involving violations of export control laws... Such laws prohibit the export without appropriate licenses of products or machinery that could be used in weapons or other defense programs, or goods or services to countries sanctioned by the U.S. government... The result, according to experts, could be an uptick in the number of national security-related cases brought in federal court, a shift in focus from the National Security Division's prior mandate to investigate for intelligence-gathering purposes, and only prosecute a subset of cases... The counter-espionage section, which deals less with on-the-ground spies than it used to, will now be called the Counter Intelligence and Export Controls Section. A network of terrorism prosecutors around the country called the Anti-Terrorism Advisory Council, or ATAC, will also be renamed the National Security/ATAC network to make clear its broader responsibilities..."
 



Edited by AplusWebMaster, 21 October 2014 - 12:45 PM.

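The spoofed-extension trick that runs through the posts above (Invoice_7380901925299.xls.exe, document_013982_pdf.exe, a .scr with a PDF icon, a macro-carrying .doc, all shipped inside a zip) can be flagged from the attachment name alone, before anyone double-clicks. This is an added example, not code from the thread or from any of the quoted blogs; it uses the file names quoted in the posts as sample input, treats the document-token heuristic as an assumption, and builds its zip fixtures in memory so it runs offline.

```python
"""Flag e-mail attachment names that dress an executable up as a document.

Added example (not from the forum thread or the quoted blogs).  The sample
names below are the ones quoted in the thread; no real sample is included.
"""
import io
import re
import zipfile

# Extensions Windows will run on double-click (assumption: a conservative
# subset, extend to taste).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi", "jar"}
# Tokens spam glues onto a name so the file "looks like" a document.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                   "txt", "jpg", "jpeg", "png", "gif", "html", "htm"}
# Office formats that can carry a macro/VBA payload; worth a sandbox look
# even when VirusTotal says 0/54, as the .doc samples above did.
MACRO_CAPABLE_EXTS = {"doc", "docm", "xls", "xlsm", "ppt", "pptm", "rtf"}

# Longest tokens first so "docx" wins over "doc"; anchored at end of stem.
_DOC_TOKEN_RE = re.compile(
    "(" + "|".join(sorted(DOCUMENT_TOKENS, key=len, reverse=True)) + r")$")


def classify_name(name: str) -> list[str]:
    """Return the reasons a file name looks suspicious (empty list = none)."""
    reasons: list[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:          # no extension at all: nothing to judge
        return reasons
    ext, stem = parts[-1], ".".join(parts[:-1])
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        if parts[-2] in DOCUMENT_TOKENS:
            # Invoice_7380901925299.xls.exe: a true double extension
            reasons.append(f"double extension: .{parts[-2]} before .{ext}")
        else:
            # document_013982_pdf.exe, ShippingLable_HSDAPDF.scr: the token
            # is glued to the stem.  Heuristic (assumption), not a rule.
            m = _DOC_TOKEN_RE.search(stem)
            if m:
                reasons.append(f"document token '{m.group(1)}' glued to the name")
    elif ext in MACRO_CAPABLE_EXTS:
        reasons.append(f"macro-capable Office format .{ext}")
    return reasons


def classify_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a zip (given as bytes) to its reasons.

    Only the central directory is read; nothing is extracted or executed.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(member_names: list[str]) -> bytes:
    """Constructed fixture: a zip whose members are empty files (no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"")
    return buf.getvalue()


# Attachment names quoted in the thread, used here purely as test input.
SAMPLE_NAMES = [
    "Invoice_7380901925299.xls.exe",   # Copy4313_B0.zip
    "October-2014-401k-Fund.scr",      # October-2014-401k-Fund.zip
    "cert_1020.scr",                   # cert_client.zip
    "document_013982_pdf.exe",         # document_013982_pdf.zip
    "ShippingLable_HSDAPDF.scr",
    "15040BII3646501.doc",
    "photo/photo.exe",                 # photo.zip extracts to a folder
    "quarterly-report.pdf",            # benign control
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = classify_name(name)
        print(f"{name:35} {'; '.join(verdict) if verdict else 'ok'}")
    constructed = build_sample_zip(["photo/photo.exe", "readme.txt"])
    print(classify_zip(constructed))
```
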


#1309 AplusWebMaster


Posted 22 October 2014 - 08:09 AM

FYI...

Fake Debt Recovery SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers, which is all about debt recovery and threatening legal action, with a subject of 'Commercial Debt Recovery', Ref No: [random numbers] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

Screenshot: http://myonlinesecur...bt-recovery.png

Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake customer service SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
22 Oct 2014 - "An email pretending to have a word document invoice attachment with a subject of Reference: [random characters] coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

    This email contains an invoice file attachment ID:VZY563200VA
    Thanks!
    Kelli Horn .


22 October 2014: ENC094126XJ.doc - Current Virus total detections: 0/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1413973355/
___

Fake Malformed or infected word docs with embedded macro viruses
- http://myonlinesecur...-macro-viruses/
22 Oct 2014 - "We are seeing loads of emails with malformed or infected Word docs with embedded macro viruses. They have what appears to be a genuine Word doc attached which is malformed and contains a macro or VBA script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have Macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious Word document will infect you if Macros are enabled, and simply previewing it in Windows Explorer or your email client might well be enough to infect you... Do -not- open Word docs received in an email without scanning them with your antivirus first, and be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. The risks in using older versions are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of Word and other Office programs, that is 2010, 2013 and 365, should open Word docs, Excel files and PowerPoint etc. that are downloaded from the web or received in an email automatically in "protected view", which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks..."

- http://blog.dynamoo....voice-file.html
22 Oct 2014
Screenshot: https://3.bp.blogspo...1600/image1.gif
VT1: https://www.virustot...sis/1413981604/
... Behavioural information
DNS requests
VBOXSVR.ovh.net: 213.186.33.6: https://www.virustot....6/information/
TCP connections
178.250.243.114: https://www.virustot...14/information/
91.240.238.51: https://www.virustot...51/information/
VT2: https://www.virustot...sis/1413982865/
___

Fake Wells Fargo SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
  You have received a secure message
     Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
     In order to view the secure message please download it using our Cloud Hosting...


22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
Current Virus total detections: 5/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413986180/
... Behavioural information
TCP connections
188.165.214.6: https://www.virustot....6/information/
82.98.161.71: https://www.virustot...71/information/
188.165.237.144: https://www.virustot...44/information/
80.157.151.17: https://www.virustot...17/information/
UDP communications
173.194.71.127: https://www.virustot...27/information/
___

Flash Player exploit in-the-wild - CVE-2014-0569
- https://blog.malware...-vulnerability/
Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
* https://helpx.adobe..../apsb14-22.html
The vulnerability had been privately reported to Adobe through the Zero Day Initiative group, giving the firm the time to fix the issue before it became known to the world. Typically security researchers and criminals will be very attentive to such news, and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that PoC is weaponized by the bad guys... Kafeine**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
> https://blog.malware...E-2014-0569.png
It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
>> http://www.adobe.com...re/flash/about/
The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
** http://malware.dontn...-2014-0569.html

> https://blog.malware.../tag/fiesta-ek/
 



Edited by AplusWebMaster, 22 October 2014 - 04:43 PM.



#1310 AplusWebMaster


Posted 23 October 2014 - 07:39 AM

FYI...

Fake 'Order Confirmation' SPAM
- http://blog.dynamoo....ernational.html
23 Oct 2014 - "This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
    From:     Elouise Massey [Elouise.Massey@ supertouch .com]
    Date:     23 October 2014 10:52
    Subject:     Order Confirmation
    Hello,
    Thank you for your order, please check and confirm.
    Kind Regards
    Elouise
    Allied International Trading Limited ...


In the sample I received, the attachment was -corrupt- but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload are exactly the same as those being sent out today with this spam run[1] (read that post for more details) and are very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
87.106.84.226
84.40.9.34
jvsfiles .com
"

1] http://blog.dynamoo....ants-group.html

62.75.182.94: https://www.virustot...94/information/
___

Fake 'bank detail' SPAM - trojan
- http://blog.mxlab.eu...ontains-trojan/
Oct 23, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “New bank details”. This email is sent from the spoofed address “"Bitstamp .net" <no_reply@bitstamp.net>”, while the real SMTP sender is AmericanExpress@ welcome .aexp .com, and has the following body:
    New banking details
    Dear Bitstamp clients,
    We would like to inform you that Bitstamp now has new bank details, please check attached file.
    We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
    Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
    Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
    Best regards
    CEO, Nejc Kodrič
    Bitstamp LIMITED


The attached ZIP file has the name bank details.zip and contains the 24 kB large file bank details.scr. The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S. At the time of writing, 4 of the 53 AV engines did detect the trojan at Virus Total*. Now, MX Lab has also intercepted some emails -without- the malicious attachment but be aware that this email is a risk..."
* https://www.virustot...sis/1414073432/
... Behavioural information
DNS requests
VBOXSVR. ovh .net: 213.186.33.6: https://www.virustot....6/information/
___

Two exploit kits prey on Flash Player flaw patched only last week
- http://net-security....ews.php?id=2892
23.10.2014 - "Two exploit kits prey on Flash Player flaw patched only last week... The integer overflow vulnerability in question (CVE-2014-0569*) can allow attackers to execute arbitrary code via unspecified vectors, and is deemed critical (high impact, easily exploitable)... the time period was very short, and technical information about the vulnerability and exploit code hasn't yet been shared online... The exploit kits are used to deliver the usual assortment of malware, and some of the variants have an extremely low detection rate... If you use Adobe Flash Player, and you haven't implemented the latest patches, now would be a good time to rectify that mistake."
* https://web.nvd.nist...d=CVE-2014-0569 - 10.0

- http://atlas.arbor.n...ndex#1049793989
Elevated Severity
23 Oct 2014

- http://www.securityt....com/id/1031019
CVE Reference: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
Oct 14 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix (13.0.0.250 extended support release, 15.0.0.189 for Windows/Mac, 11.2.202.411 for Linux)...
Flash 15.0.0.189 released: https://helpx.adobe..../apsb14-22.html
Oct 14, 2014

For I/E:  http://download.macr...15_active_x.exe

For Firefox (Plugin-based browsers):  http://download.macr...r_15_plugin.exe

Flash test site: http://www.adobe.com...re/flash/about/
___

Fake VoiceMail SPAM
- http://blog.dynamoo....icemailcom.html
23 Oct 2014 - "Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, -don't- open it.
    From:  "Voice Mail" [voicemail_sender@ voicemail .com]
    Date:  Thu, 23 Oct 2014 14:31:22 +0200
    Subject:  voice message from 598-978-8974 for mailbox 833
    You have received a voice mail message from 598-978-8974
    Message length is 00:00:33. Message size is 264 KB.
    Download your voicemail message from dropbox service below (Google Disk
    Drive Inc.) ...


Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51*... 188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system... Recommended blocklist:
188.165.214.6
inaturfag .com
"
* https://www.virustot...sis/1414075720/
___

Fake BoA SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Oct 2014 - "'Mamie French Bank of America Unknown incoming wire' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
    EFT Amount:                          $ 6,200.00
    Remitted From: SSA TREAS 310 MISC PAY
    Designated for:                       UNKNOWN
    Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
    If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
    Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00 a.m., June 24, 2014.
    Thank you.
    Mamie French
    Senior Accountant
    Bank of America ...


23 October 2014: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.scr
Current Virus total detections: 10/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1414081814/
 



Edited by AplusWebMaster, 24 October 2014 - 07:41 AM.



#1311 AplusWebMaster


Posted 24 October 2014 - 06:26 AM

FYI...

Fake Invoice SPAM – Word doc malware
- http://myonlinesecur...rd-doc-malware/
24 Oct 2014 - "'invoice 8014042 October' pretending to come from Sandra Lynch with a malformed word doc attachment containing a macro virus is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 8014042 Account No 5608014042.
    Thanks very much
     Kind Regards
     Sandra Lynch


24 October 2014: invoice_8014042.doc : Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustot...sis/1414141144/
___

Fake Fax SPAM.. again.
- http://blog.dynamoo....spam-again.html
24 Oct 2014 - "Another day, another -fake- fax spam.
    From:     Fax [fax@ victimdomain .com]
    To:     luke.sanson@ victimdomain .com
    Date:     24 October 2014 10:54
    Subject:     You've received a new fax
    New fax at SCAN2383840 from EPSON by https://victimdomain.com
    Scan date: Fri, 24 Oct 2014 15:24:22 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (eFax Drive is a file hosting service operated by J2, Inc.)


The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54*... The malware also drops two executables on the system, kcotk.exe (VT 0/53**...) and ptoma.exe (VT 2/51***...)... Recommended blocklist:
188.165.214.6
rodgersmith .com
"
* https://www.virustot...sis/1414145184/

** https://www.virustot...sis/1414145764/

*** https://www.virustot...sis/1414145784/
___

Widespread malvertising - delivered ransomware
- http://net-security....ews.php?id=2894
24.10.2014 - "A newer version of the Cryptowall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains. According to Proofpoint's calculations*, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer... In this campaign, the attackers used already existing ads for legitimate products, and submitted it to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX). Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit. The ransomware then encrypted the victims' hard drive and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key. The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are C&C server-generated and many... This particular campaign now seems to be over - all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn't mean that the attackers have not switched to spreading CryptoWall 2.0 via other means..."
* http://www.proofpoin...izes-brands.php
___

Ebola-themed emails deliver malware, exploit Sandworm vulnerability (MS14-060)
- http://net-security....ews.php?id=2895
24.10.2014 - "US CERT has recently issued a warning* about malware-delivery campaigns using users' fear of the Ebola virus and its spreading as a bait. One of the most prolific campaigns is the one that -impersonates- the World Health Organization:
> http://www.net-secur...am-24102014.jpg
The emails in question initially -linked- to the -malware- a variant of the DarkKomet RAT tool, used by attackers to access and control the victim's computer remotely and steal information. After a while, the attackers began to attach the malware directly to the message, as access to the malicious file hosted on a popular cloud data storage service was blocked quickly by service administrators, noted Tatyana Shcherbakova:
> https://securelist.c...rus-or-malware/
According to Websense researchers**, Ebola-themed malicious emails and documents are also being used by attackers taking advantage of the recently discovered Sandworm vulnerability (CVE-2014-4114***)..."
* https://www.us-cert....lware-Campaigns
Oct 16, 2014
** http://community.web...ttacks-Too.aspx
*** https://web.nvd.nist...d=CVE-2014-4114 - 9.3 (HIGH)
___

Phalling for the phish...
- http://blog.dynamoo....l-for-this.html
24 Oct 2014 - "... a simple phishing spam..
    From:     info@ kythea .gr
    Date:     24 October 2014 13:50
    Subject:     payment
    this mail is to inform you that the payment have been made
    see the attached file for the payment slip
    ANTON ARMAS


Attached is a file payment Slip (2).html which displays a popup alert:
   You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information

The victim then gets sent to a phishing page, in this case at uere.bplaced .net/blasted/tozaiboeki.webmail .html which looks like this..
> https://4.bp.blogspo.../multiphish.jpg
... do people really fall for this? The frightening answer is.. probably, yes."

bplaced .net: 5.9.107.19: https://www.virustot...19/information/
 



Edited by AplusWebMaster, 24 October 2014 - 09:25 AM.



#1312 AplusWebMaster


Posted 25 October 2014 - 06:20 AM

FYI...

Fake 'New order' SPAM - malware
- http://myonlinesecur...-order-malware/
25 Oct 2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...r-new-order.png

25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
Current Virus total detections: 14/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1414216443/
 





#1313 AplusWebMaster


Posted 27 October 2014 - 06:41 AM

FYI...

Fake KLM e-Ticket SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service@ klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur..._air_ticket.png

27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to:  e-Ticket_klm_Itinerary _pdf.exe
Current Virus total detections: 2/53* . This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1414404573/
___

Fake 'invoice xxxxxx October' SPAM - malicious Word doc
- http://blog.dynamoo....ice-xxxxxx.html
27 Oct 2014 - "There have been a lot of these today:
    From:     Sandra Lynch
    Date:     27 October 2014 12:29
    Subject:     invoice 0544422 October
    Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
    Thanks very much
    Kind Regards
    Sandra Lynch


The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download and execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing, which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
* https://www.virustot...sis/1414436717/

83.96.174.219: https://www.virustot...19/information/
___

Phish... linked with “Dyre” Banking Malware
- https://www.us-cert....lerts/TA14-300A
Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
___

FTC gets courts to shut down tech support scammers
- http://www.theinquir...upport-scammers
Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security’ software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
* http://www.ftc.gov/n...ch-support-scam

> http://www.consumer.ftc.gov/blog
 



Edited by AplusWebMaster, 28 October 2014 - 07:42 AM.

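As an added example (not code from any of the blogs quoted in this thread), the attachment triage a mail gateway or helpdesk script could apply to the two lures reported above: the spoofed-icon ZIPs that unpack to an .exe or .scr with a document-looking name (the Wells Fargo, BoA and KLM posts) and the .doc attachments carrying a VBA macro project (the 22 Oct macro-virus post and the 'invoice xxxxxx October' post). All sample attachments are constructed in the code from the filenames quoted in the thread; the VBA check is a cheap string heuristic, not a full OLE parser, and the size cap and nesting limit are assumptions.

```python
"""Attachment triage for the lure patterns reported in this thread: ZIPs that
unpack to an .exe/.scr with a document-looking name, and OLE .doc files that
carry a VBA macro project.  Example code written for this page, not taken
from any of the quoted blogs; every sample below is constructed, not malware."""
from __future__ import annotations

import io
import re
import zipfile
from typing import Optional

# Extensions Windows runs on double-click; a .scr screensaver runs like an .exe.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document tokens the spoofed-icon lures put in front of the real extension,
# e.g. document_013982_pdf.exe or ..._details.pdf.exe (both named on this page).
DOC_LURE = re.compile(r"(?:^|[._ -])(pdf|docx?|xlsx?|txt)(?:[._ -]|$)")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
# OLE directory entry names are UTF-16LE; a VBA project always has these two.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
MAX_MEMBER_BYTES = 20 * 1024 * 1024               # assumed cap against zip bombs


def classify_name(name: str) -> Optional[str]:
    """Reason string if the filename alone marks an executable lure, else None."""
    base = name.rsplit("/", 1)[-1]
    stem, sep, ext = base.lower().rpartition(".")
    if not sep or ext not in EXECUTABLE_EXT:
        return None
    if DOC_LURE.search(stem):
        return f"executable .{ext} disguised as a document: {base}"
    return f"executable attachment .{ext}: {base}"


def doc_has_vba(data: bytes) -> bool:
    """Cheap heuristic: OLE2 container whose directory names a VBA project.
    Proper tooling walks the OLE directory; this only greps the UTF-16LE names."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Findings for one attachment; an empty list means nothing suspicious seen."""
    findings: list[str] = []
    reason = classify_name(name)
    if reason:
        findings.append(reason)
    lower = name.lower()
    if lower.endswith(".zip") and data[:2] == b"PK":
        if depth >= 2:                      # nested-zip tricks: stop and flag
            return findings + [f"zip nested too deep, not inspected: {name}"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"oversized member skipped: {info.filename}")
                        continue
                    inner = triage_attachment(info.filename, zf.read(info), depth + 1)
                    findings.extend(f"inside {name}: {f}" for f in inner)
        except zipfile.BadZipFile:
            findings.append(f"corrupt or malformed zip: {name}")
    elif lower.endswith((".doc", ".xls", ".ppt")) and doc_has_vba(data):
        findings.append(f"Office document with VBA macro project: {name}")
    return findings


def build_zip(inner_name: str, payload: bytes) -> bytes:
    """Constructed in memory so the example runs offline with no real samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62        # stand-in for an executable, not a real one
SAMPLES = {
    # spoofed-icon lures using the filenames quoted in this thread
    "document_013982_pdf.zip": build_zip("document_013982_pdf.exe", FAKE_PE),
    "electronic_fund_transfer.zip": build_zip("electronic_fund_transfer.scr", FAKE_PE),
    "e-Ticket_klm_Itinerary _pdf.zip": build_zip("e-Ticket_klm_Itinerary _pdf.exe", FAKE_PE),
    # OLE header plus the UTF-16LE "Macros" storage name a VBA project carries
    "invoice_0544422.doc": OLE_MAGIC + b"\x00" * 32 + "Macros".encode("utf-16-le"),
    "quarterly_report.doc": OLE_MAGIC + b"\x00" * 64,          # clean: no VBA names
    "photo.zip": build_zip("photo.jpg", b"\xff\xd8\xff\xe0"),  # benign archive
}


def run_triage() -> dict[str, list[str]]:
    """Run every constructed sample through the triage and collect findings."""
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```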


#1314 AplusWebMaster


Posted 28 October 2014 - 10:11 AM

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
28 Oct 2014 - "An email saying 'Please find attached INVOICE number 224244 from Power EC Ltd' pretending to come from soo.sutton[random number]@ powercentre .com with a subject of 'INVOICE [random number] from Power EC Ltd' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please find attached INVOICE number 224244 from Power EC Ltd

28 October 2014 : INVOICE263795.doc - Current Virus total detections: 3/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... macro malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1414506485/

** http://myonlinesecur...-macro-viruses/

- http://blog.dynamoo....c-ltd-spam.html
28 Oct 2014
> https://www.virustot...sis/1414519923/
Recommended blocklist:
62.75.184.70: https://www.virustot...70/information/
116.48.157.176: https://www.virustot...76/information/
___

Fake 'Ebola Alert Tool' ...
- https://blog.malware...s-anything-but/
Oct 27, 2014 - "... More news of infection outside Africa such as this could further fuel the ever-increasing fear and anxiety for one’s own life and well-being, especially in terms of how one interacts with the outside world. People are trying to be more careful in their dealings than usual, always wanting to be in the know about the latest happenings. This is why web threats banking on perennial hot topics like Ebola could be effective lures against users, especially in the long run... Upon initial visit to the page, users are presented with the following prompt at the top-middle part of the screen:
> https://blog.malware...ts-1024x341.jpg
Below is a screenshot of the downloaded file with an overview of its details:
> http://blog.malwareb...0/ebolafile.png
EbolaEarlyWarningSystem.exe has a low detection rate as of this writing—four vendors detect it out of 53*... Upon execution, it displays a user interface prompting users to install the ONLY Search toolbar with links to its EULA and Privacy Policy pages. Once users click the “Agree” button, they are again presented with other offers to download, such as a program called Block-n-Surf (a supposed tool used to protect children from adult-related content), System Optimizer Pro (a tool that purportedly optimizes the user’s system), oneSOFTperday (a tool that gives users access to free apps), and a remote access tool among others:
> https://blog.malware...tall5.png?w=564
Once programs are installed, the following have been observed from affected systems: All browser default search pages are changed to ONLY Search:
> http://blog.malwareb.../onlysearch.png
Once users open a new browser tab, affiliate sites are loaded up (e.g. a site offering insurance):
> http://blog.malwareb...e-affiliate.png
Browser windows open to prompt user to install more programs:
> http://blog.malwareb...10/pckeeper.png
System Optimizer Pro executes:
> https://blog.malware...oexec.png?w=555
- Affected machine slows down
- Shortcut files are created on the desktop
During testing, we haven’t seen any installation of the Ebola Early Warning System toolbar or evidence of warning alerts. We implore users not to be easily swayed with software solutions banking on the Ebola scare. They may be more about enticing internet users into downloading programs that may potentially do harm on their systems, instead of helping them be aware of the current situation**..."

* https://www.virustot...sis/1414142257/

** http://www.cdc.gov/vhf/ebola/
 



Edited by AplusWebMaster, 28 October 2014 - 05:00 PM.



#1315 AplusWebMaster


Posted 29 October 2014 - 07:13 AM

FYI...

Fake 'Order confirmation' from Amazon SPAM - trojan
- http://blog.mxlab.eu...ontains-trojan/
Oct 28, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Order Details”. This email is sent from the spoofed address “Amazon .co.uk ” and has the following body:

    Good evening,
    Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon .co.uk.
    Order Details
    Order R:131216 Placed on October 09, 2014
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon...


The 532 kB malicious file is not present in a ZIP file but attached directly and has the name order_report_72364872364872364872364872368.exe (numbers may vary). The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1414490630/

- http://myonlinesecur...etails-malware/
29 Oct 2014
- https://www.virustot...sis/1414584579/
___

Phish - spoofed Google Drive
- http://blog.trendmic...gle-drive-site/
Oct 29, 2014 - "Cybercriminals and attackers are leveraging Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack* uses Google Drive as a means into getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses**.
Fake Google Drive Site: Users may receive an email that contains links that lead to the spoofed Google Drive site.
Spammed message containing links to fake site:
> http://blog.trendmic...fakegdrive1.jpg
The phishing site allows users to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.
Fake Google Drive site:
> http://blog.trendmic...fakegdrive2.jpg
To trick the user into thinking nothing suspicious is afoot, the phishing site -redirects- the user to a .PDF file from a -legitimate- site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
After logging in, users are redirected to a legitimate site:
> http://blog.trendmic...fakegdrive3.jpg
... Mobile Users, Also Affected: Based on our investigation, this attack will also work on mobile devices. When users clicked the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent out to the cybercriminals.
Screenshot of PDF prompt download in mobile devices:
> http://blog.trendmic..._drive_fig8.jpg
... Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar. Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename .com> versus <sitename .org>). They should also check the security of the site before sharing any information... We have notified Google about this phishing page."

* http://blog.trendmic...h-google-drive/
    
** http://blog.trendmic...ultiple-emails/
___

Fake ticketmaster SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 Oct 2014 - "'ticketmaster tickets have been sent' pretending to come from confirmation-noreply@ ticketmaster .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
 
    Thank you for choosing Ticketmaster.
    This email is to confirm ticket(s) have been purchased and attached:
    Your Delivery Option is: printed
    Your Transaction number is: 869064,00410 ...


29 October 2014: tikets224069_order_type_print_order_details.pdf.zip:
Extracts to:  tikets109873_order_type_print_order_details.pdf.exe
Current Virus total detections: 7/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1414593309/
___

'Virtual Assistant' - PUP download site
- https://blog.malware...tual-assistant/

Oct 29, 2014 - "... suddenly there’s a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y? We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detects as PUP.Optional.SaferInstall (VirusTotal 12/53*). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side:
> https://blog.malware...10/virtual1.jpg
A virtual assistant! She isn’t very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:
Please upgrade your media player for faster hd playback.
It only takes a minute on broadband and there's no restart required.
Just click this button and follow the easy steps onscreen.

> https://blog.malware...10/virtual2.jpg
... I haven’t seen a virtual assistant / automated online assistant / video spokesperson / video web presenter / whatever they’re called this week used to promote a PUP (Potentially Unwanted Program) download before... Who knows what.. advertising will offer up next..."
* https://www.virustot...sis/1414085568/
... Behavioural information
TCP connections
66.77.96.162: https://www.virustot...62/information/
87.248.208.11: https://www.virustot...11/information/
90.84.55.33: https://www.virustot...33/information/
63.245.201.112: https://www.virustot...12/information/

1] http://blog.malwareb...osvouchers5.jpg

2] http://blog.malwareb.../obamapads4.jpg
___

Hacks use Gmail Drafts to update their Malware and Steal Data
- http://www.wired.com...are-steal-data/
10.29.14 - "... Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer. With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden. 
Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data* in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still..."
* https://www.virusbtn...01408-IcoScript
___

Dangers of opening suspicious emails: Crowti ransomware
- http://blogs.technet...ransomware.aspx
28 Oct 2014 - "... MMPC has seen a spike in the number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti impacts -both- enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis... We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first -before- clicking on a link or opening the attachment... The graph below shows how Crowti ransomware has impacted our customers during the past month.
Daily encounter data for Win32/Crowti ransomware:
> http://www.microsoft...s/a/crowti1.png
Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014:
> http://www.microsoft...s/a/crowti2.png
Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
    VOICE<random numbers>.scr
    IncomingFax<random numbers>.exe
    fax<random numbers>.scr/exe
    fax-id<random numbers>.exe/scr
    info_<random numbers>.pdf.exe
    document-<random numbers>.scr/exe
    Complaint_IRS_id-<random numbers>.scr/exe
    Invoice<random numbers>.scr/exe
The attachment is usually contained within a zip archive. Opening and running this file will launch the malware... Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities... Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall... we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend... This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company... There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a -habit- of regularly updating your software can help reduce the risk of infection... we also recommend running a real-time security product..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 29 October 2014 - 03:49 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
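The Google Drive phish above is caught by exactly the check the post recommends: hover over the link and compare the real host with what the text or the brand promises. The following is an added example that turns that advice into code; it is not code from the Trend Micro post or from this thread. The TRUSTED_HOSTS table, the two-label public-suffix list and the sample HTML message are assumptions constructed for the example.

```python
"""Flag e-mail links whose visible text or brand does not match the real target.

Added example (not code from the Trend Micro post or this thread): it turns the
"hover over the link and compare the domain" advice into a check that runs over
a constructed HTML message body.  TRUSTED_HOSTS, SECOND_LEVEL and SAMPLE_HTML
are assumptions made for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the reader expects mail about, and hosts that legitimately serve them.
TRUSTED_HOSTS = {
    "google": {"google.com", "drive.google.com", "accounts.google.com"},
    "amazon": {"amazon.co.uk", "amazon.com"},
}

# Second-level labels under which the registrable name is three labels long (co.uk).
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}


def registrable(host):
    """Crude eTLD+1: last two labels, or three for suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _Anchors()
    parser.feed(html)
    return parser.links


def _served_by(host, hosts):
    return any(host == h or host.endswith("." + h) for h in hosts)


def check_link(href, text):
    """Return the reasons this link looks like a phish (empty list = none found)."""
    reasons = []
    url = urlparse(href)
    if url.scheme not in ("http", "https"):
        reasons.append("non-web scheme %r" % url.scheme)
        return reasons
    host = (url.hostname or "").lower()
    # 1. The visible text is itself a URL, but it points somewhere else.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname and registrable(shown.hostname) != registrable(host):
            reasons.append("displayed host %s differs from target %s" % (shown.hostname, host))
    for brand, hosts in TRUSTED_HOSTS.items():
        # 2. The text names a brand, but the target is not one of its hosts.
        if brand in text.lower() and not _served_by(host, hosts):
            reasons.append("text mentions %s but target host is %s" % (brand, host))
        # 3. The brand name sits inside an unrelated domain (drive-google.example.net).
        if brand in host and registrable(host) not in {registrable(h) for h in hosts}:
            reasons.append("brand %s inside unrelated domain %s" % (brand, registrable(host)))
    return reasons


def triage_links(html):
    """Map each href in the body to its list of findings."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


# Constructed message modelled on the "document shared with you" lure; not a real sample.
SAMPLE_HTML = """<p>A document has been shared with you on Google Drive.</p>
<a href="http://drive-google.example.net/login">https://drive.google.com/file/d/abc123</a><br>
<a href="https://accounts.google.com/ServiceLogin">Sign in to Google</a><br>
<a href="http://secure-doc.example.org/view">Open Google Drive document</a>"""

if __name__ == "__main__":
    for href, findings in triage_links(SAMPLE_HTML).items():
        print(href, "->", findings or "ok")
```

The first sample link trips all three tests (the text is a google.com URL, the text names the brand, and the brand name is embedded in an unrelated domain); the real accounts.google.com link passes; the third is flagged only because the text names Google. The suffix handling is deliberately crude: for production use a proper public-suffix list, and remember that a legitimate-looking host tells you nothing about whether the page behind it is genuine.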


#1316 AplusWebMaster

Posted 30 October 2014 - 05:01 AM

FYI...

Fake Securitas SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Oct 2014 - "'From Securitas Mail Out Report Attached' pretending to come from Alert ARC Reports is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .uk.com


30 October 2014: Q100982010_Mail Out Report.zip: Extracts to: Q100771292_Mail Out Report.exe
Current Virus total detections: 1/54* . This 'From Securitas Mail Out Report Attached' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1414659759/
___

Fake 'Accounts Payable' SPAM - malware .doc attachment
- http://myonlinesecur...rd-doc-malware/
30 Oct 2014 - "An email with a Microsoft word doc attachment saying 'Please see attached statement sent to us' pretending to come from  random names with a subject of 'Further Reminder' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The name of the alleged sender matches the name of the 'Senior Accounts Payable Clerk from the Finance Department' in the body of the email... word macro malware*... The email looks like:
    Good afternoon,
     Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
    Thanking you in advance.
    Many Thanks & Kind Regards
    Vivian Dennis
    Senior Accounts Payable Clerk
    Finance Department ..


30 October 2014 : CopyHA779333.doc - Current Virus total detections: 0/53**. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* http://myonlinesecur...-macro-viruses/

**  https://www.virustot...sis/1414671500/

- http://blog.dynamoo....-malicious.html
30 Oct 2014
... Recommended blocklist:
212.59.117.207: https://www.virustot...07/information/
217.160.228.222: https://www.virustot...22/information/
91.222.139.45: https://www.virustot...45/information/
81.7.3.101: https://www.virustot...01/information/
195.154.126.245: https://www.virustot...45/information/
___

Fake Job offer SPAM - malware
- http://myonlinesecur...er-job-malware/
30 Oct 2014 - "'Job service New offer Job' pretending to come from Job service is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...w-offer-job.png

30 October 2014: job.pdf.zip: Extracts to: job.pdf.exe
Current Virus total detections: 3/53*. same malware as today’s version of my new photo malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1414662840/

** http://myonlinesecur...-photo-malware/
___

Malicious Browser Extensions
- http://blog.trendmic...ser-extensions/
Oct 29, 2014 - "Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil. We have previously reported that cybercriminals are putting malicious browser extensions in the official Chrome Web store. We also came across malware that -bypasses- a Google security feature that checks third party extensions... we performed an in-depth analysis of a malicious Chrome browser extension and its evasion tactics, after receiving samples from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe... Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.
Top affected countries:
> http://blog.trendmic...n-infection.jpg
... We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall* to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat. Below is the SHA1 hash of the malicious file:
    4733c4ea00137497daad6d2eca7aea0aaa990b46 "
* http://housecall.trendmicro.com/
___

Popular Science site compromised
- http://community.web...ompromised.aspx
28 Oct 2014 - "... injected with a malicious code that -redirects- users to websites serving exploit code, which subsequently drops malicious files on each victim's computer... injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 30 October 2014 - 03:05 PM.

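The Ticketmaster, Securitas and job-offer posts above all describe the same trick: an executable with a PDF icon and a double extension inside a ZIP, which Explorer shows as "job.pdf" unless known extensions are displayed; the Crowti post lists the lure names (fax, voice, invoice, info_) these campaigns reuse. The following is an added example, not code from myonlinesecurity.co.uk, dynamoo.com or Microsoft, that performs that triage on the attachment bytes before anyone double-clicks. The extension tables, the lure-name pattern and the sample ZIP are assumptions constructed for the example.

```python
"""Triage a mail attachment the way the posts above do by hand.

Added example; not code from myonlinesecurity.co.uk, dynamoo.com or Microsoft.
It flags an executable extension hidden behind a document extension
("job.pdf.exe"), lure names of the fax/invoice/order form listed in the Crowti
post, executables inside a ZIP, and files whose first bytes contradict their
extension.  The extension tables, LURE_NAME and the sample ZIP are assumptions
built here for the example.
"""
import io
import re
import zipfile

EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "cpl"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MAGIC = {                        # what the leading bytes should be for an extension
    "pdf": b"%PDF",
    "doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound file
    "docx": b"PK\x03\x04",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
    "scr": b"MZ",
}
# Name shapes taken from the Crowti list and the spam samples quoted in this thread.
LURE_NAME = re.compile(
    r"^(voice|incomingfax|fax-id|fax|info_|document-|complaint_irs_id-|invoice|order_report_|tikets)\d+",
    re.I,
)


def name_findings(name):
    """Findings based on the file name alone."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    exts = parts[1:]
    if exts and exts[-1] in EXEC_EXT:
        findings.append("executable extension ." + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            findings.append("double extension disguises .%s as .%s" % (exts[-1], exts[-2]))
    if LURE_NAME.match(parts[0]):
        findings.append("lure-style filename")
    return findings


def content_findings(name, head):
    """Compare the leading bytes with what the extension promises."""
    ext = name.lower().rsplit(".", 1)[-1]
    want = MAGIC.get(ext)
    if want and not head.startswith(want):
        if head.startswith(b"MZ"):
            return ["claims .%s but is a Windows executable" % ext]
        return ["claims .%s but leading bytes %r do not match" % (ext, head[:4])]
    return []


def triage_attachment(name, data):
    """Return {member name: [findings]} for a bare file or a ZIP attachment."""
    report = {}
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                with archive.open(info) as member:
                    head = member.read(8)
                report[info.filename] = name_findings(info.filename) + content_findings(info.filename, head)
    else:
        report[name] = name_findings(name) + content_findings(name, data[:8])
    return report


def build_sample_zip():
    """Constructed ZIP mimicking the job.pdf.zip / Mail Out Report.zip lures; contents are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("job.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        archive.writestr("Q100771292_Mail Out Report.exe", b"MZ" + b"\x00" * 30)
        archive.writestr("report.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_attachment("job.pdf.zip", build_sample_zip()).items():
        print(member, "->", findings or "ok")
```

The name checks are cheap and catch the bulk of what this thread documents; the magic-byte check is what catches "invoice.pdf" that is really a PE file. Neither replaces a sandbox run: a genuine .doc with a macro passes both (see the macro check further down the thread), and a 0/54 VirusTotal score, as the posts keep noting, means nothing on day one.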


#1317 AplusWebMaster

Posted 31 October 2014 - 07:15 AM

FYI...

Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo....dispatched.html
31 Oct 2014 - "This -fake- Amazon email comes with a malicious Word document attached:
    From:     Amazon.co.uk [auto-shipping@ amazon .co.uk]
    Reply-To:     "auto-shipping@ amazon .co.uk" [auto-shipping@ amazon .co.uk]
    Date:     31 October 2014 09:12
    Subject:     Your Amazon.co.uk order has dispatched (#203-2083868-0173124)
    Dear Customer,
    Greetings from Amazon .co.uk,
    We are writing to let you know that the following item has been sent using  Royal Mail.
     For more information about delivery estimates and any open orders, please visit ...
    Your order #203-2083868-0173124 (received October 30, 2014) ...


The Word document contains a malicious macro... but is currently undetected at VirusTotal* (the Malwr report doesn't say much...). The macro then downloads http ://ctmail .me/1.exe and executes it. This malicious binary has a detection rate of 4/52**... 84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54***.
Recommended blocklist:
213.143.97.18
84.40.9.34
ctmail .me
"
* https://www.virustot...sis/1414752406/

** https://www.virustot...sis/1414752639/

*** https://www.virustot...sis/1414754766/

- http://myonlinesecur...rd-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecur...868-0173124.png
* https://www.virustot...sis/1414744958/
___

Fake 'Confirmation' SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
31 Oct 2014 - "An email saying 'Please find attached Remittance and BACS confirmation for September and October Invoices' pretending to come from  random names, companies and email addresses with a subject of 'Remittance Confirmation [random characters]' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Good morning,
     Please find attached Remittance and BACS confirmation for September and October Invoices
     Best Wishes
     Lynn Blevins
    Accounts Dept Assistant
    Site Management Services (Central) Ltd ...


31 October 2014 : CU293705.doc - Current Virus total detections: 0/52*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1414747524/
___

Chrome 40 to terminate use of SSL ...
- http://www.theregist...ts_down_poodle/
31 Oct 2014 - "... Update 40* will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Cupertino followed -Redmond- in its browser POODLE put-down after a single click FixIt SSLv3 disabler was issued for Internet Explorer** ahead of removal in a few months. Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result... -Chrome- 39 will show a yellow flag over the SSL lock icon, the protocol design flaw that allowed hackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as -Mozilla's- Firefox 34***..."
* https://groups.googl...dev/Vnhy9aKM_l4

** https://support.micr...9008#FixItForMe

*** https://blog.mozilla...end-of-ssl-3-0/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 31 October 2014 - 11:31 AM.



#1318 AplusWebMaster

Posted 03 November 2014 - 08:47 AM

FYI...

Fake invoice SPAM – Word doc malware
- http://myonlinesecur...rd-doc-malware/
3 Nov 2014 - "An email saying 'A new invoice has been created. Please find it attached' pretending to come from TM Group Helpdesk Billing with a subject of 'A new invoice [random characters]' has been created for You' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear Client,
     A new invoice, WJ7647670C  has been created. Please find it attached.
     Kind regards, Marcellus Powell
    TM Group
    Helpdesk Billing


3 November 2014 : PI646028B.doc - Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415010191/

- http://blog.dynamoo....34567c-has.html
3 Nov 2014
... Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208
"
___

Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo....dispatched.html
UPDATE 1: 2014-11-03 - "... different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54* and contains this malicious macro... This downloads a file from http ://hilfecenter-harz .de/1.exe which also has zero detections at VirusTotal... It also downloads a malicious DLL... this as a version of Cridex...
Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter- harz .de
garfield67 .de

* https://www.virustot...sis/1415004635/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 03 November 2014 - 05:56 PM.



#1319 AplusWebMaster

Posted 04 November 2014 - 06:56 AM

FYI...

Fake 'New order' SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
4 Nov 2014 - "'New order 7757100 from site' is an email saying 'Thank you for ordering', pretending to come from random names at random companies, with a subject of 'New order 7757100 from site'. It is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is -malformed- and contains a macro script virus... DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious word documents appear to be blank when opened...

Screenshots: http://myonlinesecur...0-from-site.png

- http://myonlinesecur...view-macros.png

4 November 2014 : Order561104135.doc - Current Virus total detections: 1/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415093505/
___

Fake 'Remittance' SPAM – Word doc malware
- http://myonlinesecur...rd-doc-malware/
4 Nov 2014 - "An email saying 'Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP' pretending to come from DUCO with a subject of 'Remittance Advice November' [ random characters] with a malicious word document attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Dear Sir/Madam
     Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
     Regards,
    Domenic Burton
    Accounts Payable Department DUCO


4 November 2014 : De_BW574826C.doc - Current Virus total detections: 0/44*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415106043/

- http://blog.dynamoo....ember-spam.html
4 Nov 2014
- https://www.virustot...sis/1415110852/
... Behavioural information
TCP connections
91.222.139.45: https://www.virustot...45/information/
213.140.115.29: https://www.virustot...29/information/
___

'C-93 Virus Alert' - Phish ...
- http://www.hoax-slay...hing-scam.shtml
Nov 4, 2014 - "An email claiming to be from Windows Outlook warns that a 'C93 Virus' has been detected in your mailbox and you are therefore -required- to -click- a link to run a Norton anti-virus scan to resolve the issue. The email is -not- from Outlook or Microsoft. It is a phishing scam designed to trick you into giving your Microsoft Account login details to criminals... According to this email, which claims to be from 'Windows Outlook', a 'C93 Virus' has been detected in your mailbox. The message instructs you to click a link to run a Norton anti-virus scan that will 'remove all Trojan and viral bugs' from your account. But, warns the message, if you fail to run the scan, your mailbox will be -deactivated- ... Example:
Dear Outlook Member,
A C93 Virus has been detected in your mailbox, You are required to apply the new Norton AV security anti-virus to scan and to remove all Trojan and viral bugs from your mailbox Account, Failure to apply the scan your mailbox will be De-Activated to avoid our database from being infected.
Click on Optimal Scan and Log in to apply the service.
Thank you ...


If you click the link, you will be taken to a -fake- webpage that is designed to look like a genuine Microsoft account login. When you enter your login details and click the 'Sign In' button, you will be automatically -redirected- to a genuine Microsoft account page... the criminals can collect your login details and use them to hijack your real Microsoft Account. Because the same credentials are used to login to various Microsoft services, they are a valuable commodity for scammers... If you receive one of these -fake- virus warnings, do -not- click any links or open any attachments..."
___

Bitcoin bonanza - or blunders?
- https://www.virusbtn.../2014/11_04.xml
4 Nov 2014 - "... 'occasionally losing a lot of money through bugs and blunders'... 'hard not to feel dizzy and somewhat overwhelmed by the security issues and implications'.
> https://www.virusbtn...Pontiroli-1.jpg
Malware targeting Bitcoin wallets or using other people's resources to mine for cryptocurrencies is perhaps the least of our worries. What about virus code (or worse, child abuse material) ending up in the blockchain? Or the common flaw of transaction malleability? Or the almost existential threat of the "51% attack"? Cryptocurrencies are here to stay, but they come with their own unique set of problems that we cannot ignore... we're not in Kansas anymore..."
(More detail at the top virusbtn URL.)

- https://www.virusbtn...2014/10_31a.xml
31 Oct 2014
___

Facebook: gov't requests for user data rises 24%
- http://www.reuters.c...N0IO21Z20141104
Nov 4, 2014 - "Facebook Inc said requests by governments for user information rose by about a quarter in the first half of 2014 over the second half of last year. In the first six months of 2014, governments around the world made 34,946 requests for data. During the same time, the amount of content restricted because of local laws increased about 19 percent... Google reported in September a 15 percent sequential increase in the number of requests in the first half of this year, and a 150 percent rise in the last five years, from governments around the world to reveal user information in criminal investigations."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 04 November 2014 - 05:00 PM.

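Most of the Word-document campaigns in the posts above (CopyHA779333.doc, CU293705.doc, PI646028B.doc, Order561104135.doc, De_BW574826C.doc) share one property the AV engines missed on day one: the document is blank, carries a VBA project, and asks the user to enable macros so the macro can fetch 1.exe. Whether a VBA project is present at all can be decided from the bytes before the file is opened. The following is an added example, not code from myonlinesecurity.co.uk, dynamoo.com or Trend Micro; the stream-name heuristic for legacy .doc files and the constructed sample documents are assumptions of the example.

```python
"""Tell whether a Word attachment carries a VBA macro project before it is opened.

Added example; it is not the code of myonlinesecurity, dynamoo or Trend Micro.
OOXML documents (.docx/.docm are ZIP containers) are checked for the
vbaProject.bin part; legacy OLE2 .doc files are checked with a heuristic scan
for the NUL-terminated UTF-16LE storage names Word uses for VBA.  A full OLE
directory walk (what oletools' olevba does) is the exact version; this is the
quick triage.  The constructed samples stand in for the attachments quoted in
the thread and are not real malware.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Storage and stream names that exist only when a VBA project is present.
VBA_STREAM_NAMES = ["Macros", "_VBA_PROJECT_CUR", "_VBA_PROJECT", "VBA"]


def ooxml_macro_parts(data):
    """Names of macro parts inside an OOXML container (empty list if none)."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [n for n in archive.namelist() if n.lower().endswith("vbaproject.bin")]


def ole_macro_names(data):
    """VBA storage names found as NUL-terminated UTF-16LE directory entries."""
    return [n for n in VBA_STREAM_NAMES if (n + "\x00").encode("utf-16-le") in data]


def classify_office(data):
    """Return (container, has_macros, evidence) for the raw attachment bytes."""
    if data.startswith(ZIP_MAGIC):
        parts = ooxml_macro_parts(data)
        return "ooxml", bool(parts), parts
    if data.startswith(OLE_MAGIC):
        names = ole_macro_names(data)
        return "ole", bool(names), names
    return "unknown", False, []


def build_samples():
    """Constructed stand-ins for the attachments quoted above; not real samples."""
    def ooxml(with_vba):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr("[Content_Types].xml", "<Types/>")
            archive.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                archive.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        return buf.getvalue()

    # Minimal OLE-looking blob: header, padding, then directory-entry style names.
    clean_doc = OLE_MAGIC + b"\x00" * 504 + "WordDocument\x00".encode("utf-16-le") + b"\x00" * 64
    macro_doc = clean_doc + "Macros\x00".encode("utf-16-le") + "_VBA_PROJECT\x00".encode("utf-16-le")
    return {
        "clean.docx": ooxml(False),
        "dropper.docm": ooxml(True),
        "clean.doc": clean_doc,
        "macro.doc": macro_doc,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "->", classify_office(blob))
```

A positive result on an unsolicited "invoice" or "remittance" is enough to quarantine the message; there is no legitimate reason for a statement from accounts payable to carry a VBA project. The OLE heuristic only says a project exists, not what it does; to see the download-and-run logic the posts describe (the macro pulling 1.exe from a web host) you still need to extract and read the VBA, which olevba does, and the mail gateway should strip or block macro-bearing documents regardless so that the user never sees the "enable content" bar at all.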


#1320 AplusWebMaster

Posted 05 November 2014 - 08:22 AM

FYI...

Backoff PoS malware - stealthier, more difficult to analyze
- http://net-security....ews.php?id=2906
Nov 5, 2014 - "... Backoff infections are still on the rise. Fortinet researchers* have recently managed to get their hands on a new Backoff variant that shows that its authors haven't been idle. This version also does not have a version number, but has been given the name Backoff ROM. Compared to the older versions, Backoff ROM disguises itself as a media player (mplayerc.exe) instead of a Java component in the autorun registry entries... Traffic between the malware and the C&C server is also encrypted, and the way the server responds with new commands for the malware has been simplified... for whatever reason, this new Backoff version does not have keylogging capabilities. But, the researchers believe that this is only a temporary change that will be reversed in newer versions..."
* http://blog.fortinet...off-pos-malware

- https://www.damballa...report-q3-2014/
10/24/2014
> https://www.damballa...soi-q3-2014.jpg

- http://atlas.arbor.n...ndex#1351521298
Elevated Severity
6 Nov 2014
Analysis: Since approximately Sep 8, 2014, this new version of the Backoff PoS malware has been classified in the ASERT malware analysis infrastructure, which contains at least three hundred distinct instances of Backoff... Easily compromised systems proliferate, and weak remote access deployments are often the culprit. Among the more difficult to compromise systems, tactics such as spear phishing, vendor compromise, partner attacks featuring lateral movement and other strategies well-known to more dedicated threat actors are bearing fruit for the attackers. Proper isolation, hardening, and monitoring of PoS deployments and associated infrastructure are crucial to reducing risks and detecting attackers that may already be present. PoS is squarely in the sights of many threat actors which means that organizations running PoS and their support infrastructure must realize that they are a target...
Source: http://www.net-secur...ews.php?id=2906
___

Banking Trojan DRIDEX uses Macros for Infection
- http://blog.trendmic...-for-infection/
Nov 5, 2014 - "... DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.
Sample spammed message
> http://blog.trendmic.../11/dridex1.png
The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled — which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware:
Malicious attachment instructing users to enable the macro feature:
> http://blog.trendmic.../11/dridex2.png
It then performs information theft through methods like form grabbing, screenshots, and site injections... Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if it was able to trick the user into clicking the malicious link. In a macro spam attack, there is always that possibility that the user will be tricked into enabling the macro feature...
Top affected countries, based on data from September-October 2014:
> http://blog.trendmic.../11/dridex4.jpg
We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.
Top DRIDEX spam sending countries:
> http://blog.trendmic.../11/dridex5.jpg
... best to make sure to enable the macro security features* in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings..."
* https://office.micro...P001049689.aspx
___

'Free' Netflix Accounts: Good Luck With That...
- https://blog.malware...luck-with-that/
Nov 5, 2014 - "We’ve seen a number of Netflix themed websites which claim to offer up accounts / logins for fans of TV and movie streaming to get their fix -without- having to register or -pay- up to use the service...
1) freenetflixaccount(dot)info
This one is rather cookie-cutter and claims to have lots of accounts up for grabs, linking to numerous “Netflix premium account” URLs further down the page.
> https://blog.malware...nflx1.jpg?w=564
However, all of the live links lead to the same survey page:
> https://blog.malware...14/11/nflx4.jpg
To get your hands on the supposed account credentials, you’d have to fill in an offer or sign up to whatever happens to be presented to you. Am I sensing an incoming theme here?…
2) freenetflixaccountasap(dot)com
This website has the visitor play an extremely long-winded and elaborate game of “click the thing”, distracting them with lots of options to choose from in order to watch some movies.
> https://blog.malware...14/11/nflx5.jpg
... According to the text underneath the many scrolling blue bars, they claim to log you into an account from your chosen region via proxy, set up a bunch of options then log you out. They then “upload the account details” to Fileice, and ask the visitor to “Click below to download the login details”.
> https://blog.malware...4/11/nflx12.jpg
... > https://blog.malware...4/11/nflx13.jpg
... Interesting to note that the “newly created” page has an entry on VirusTotal* from just over a week ago... Always be wary when presented with supposedly free accounts – remember that there’s something in it for the person offering them up, and it could be anything from survey scam affiliate cash and fakeouts to phishing and Malware attacks..."
* https://www.virustot...45e95/analysis/
___

E-ZPass SPAM/Phish ...
- http://www.networkwo...lware-ploy.html
Nov 3, 2014 - "The Internet Crime Complaint Center* today said it has gotten more than 560 complaints about a rip-off using the E-ZPass vehicle toll collection system that uses phishing techniques to deliver malware to your computer. E-ZPass is an association of 26 toll agencies in 15 states that operate the E-ZPass toll collection program..."
* https://www.ic3.gov/...014/141103.aspx
"... The IC3 has received more than 560 complaints in which a victim receives an e-mail stating they have not paid their toll bill. The e-mail gives instructions to download the invoice by using the link provided, but the -link- is actually a .zip file that contains an executable with location aware malware. Some of the command and control server locations are associated with the ASProx botnet..."

- http://stopmalvertis...-to-asprox.html
9 July 2014
Screenshot: http://stopmalvertis...pass-asprox.jpg
___

20 million new strains of malware - Q3 2014
- http://www.pandasecu...ied-in-q3-2014/
Oct 31, 2014 - "... some 20 million new strains were created worldwide in the third quarter of the year, at a rate of 227,747 new samples every day. Similarly, the global infection ratio was 37.93%, slightly up on the previous quarter (36.87%)... Trojans are still the most common type of malware (78.08%). A long way behind in second place come viruses (8.89), followed by worms (3.92%)...  Trojans also accounted for most infections during this period, some 75% of the total, compared with 62.80% in the previous quarter. PUPs are still in second place, responsible for 14.55% of all infections, which is down on the second quarter figure of 24.77. These are followed by adware/spyware (6.88%), worms (2.09%), and viruses (1.48)..."
 

:grrr:  :ph34r: :ph34r:


Edited by AplusWebMaster, 07 November 2014 - 09:54 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1321 AplusWebMaster

Posted 06 November 2014 - 07:14 AM

FYI...

Fake Amazon SPAM - Word doc malware
- http://blog.mxlab.eu...spatched-order/
Nov 6, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Amazon .co.uk order has dispatched (#203-2083868-0173124)”. This email is sent from the spoofed address “Amazon .co.uk” <auto-shipping@ amazon .co.uk>” and has the following body:
    Dear Customer,
    Greetings from Amazon .co.uk,
    We are writing to let you know that the following item has been sent using Royal Mail.
    For more information about delivery estimates and any open orders, please visit: http ://www.amazon .co.uk/your-account
    Your order #203-2083868-0173124 (received November 5, 2014)
    Your right to cancel:
    At Amazon .co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http ://www.amazon .co.uk/returns-policy/
    Further, under the United Kingdom’s Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days... If you’ve explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
    Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
    Please do not reply to this message.
    Thank you for shopping at Amazon .co.uk


The attached file has the name Mail Attachment.doc and is approx. 230 kB in size. The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus. At the time of writing, 4 of the 54 AV engines did detect the malicious file at Virus Total*..."
* https://www.virustot...sis/1415272790/

- http://myonlinesecur...rd-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecur...868-0173124.png
- https://www.virustot...56238/analysis/
___

Fake 'Order' SPAM – Word doc malware
- http://myonlinesecur...rd-doc-malware/
6 Nov 2014 - "An email saying 'This is a notice that the invoice has been generated on 05.11.2014' pretending to come from random names at random companies with a subject of 'Successfull_Order 032574522' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
    Dear Customer, [redacted]
    This is a notice that the invoice has been generated on 05.11.2014.
    Your payment method is: credit card.
    The order reference is 468824369.
    Your credit card will be charged for 47.40 USD.
    The payment and delivery information is in attached file.
    Regards,
    Systems Company,
    Crocitto Greta


6 November 2014 : Order561104111.doc - Current Virus total detections: 6/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... embedded malware or macro..."
* https://www.virustot...sis/1415152827/
___

Fake Bank SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 Nov 2014 - "'The Bank INTERAC to Guillaume Gilnaught was accepted' pretending to come from RBC Banque Royale < ibanking@ rbc .com >  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer...

Screenshot: http://myonlinesecur...as-accepted.png

6 November 2014: INTERAC_pmt_11062014_0345875.zip: Extracts to:  INTERAC_pmt_11062014_0345875.exe
Current Virus total detections: 5/53*. This 'The Bank INTERAC to Guillaume Gilnaught was accepted' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1415290279/
___

Western Union Payment Confirmation Spam
- http://threattrack.t...nfirmation-spam
Nov 6, 2014 - "Subjects Seen:
    WUBS Outgoing Payment Confirmation for SOTR4465838
Typical e-mail details:
... This is an automatically generated response: please do not reply to this e-mail. For enquiries please contact Customer Service.
    Attached you will find the Outgoing Payment Confirmation for SOTR4465838. Please confirm all details are correct and notify us immediately if there are any discrepancies.
    Thank you for your business!


Malicious File Name and MD5:
    9574536_11062014.zip (5ED4C6DE460B2869088C523606415B4B)
    9574536_11062014.exe (C8A8F049313D1C67F1BAAF338FE5EDE0)


Screenshot: https://gs1.wac.edge...98aI1r6pupn.png

Tagged: Western Union, Upatre
___

Apple blocks apps infected with WireLurker malware targeting iPhones and iPads
- http://www.theinquir...ds-via-mac-os-x
Nov 6, 2014 - "... Palo Alto Networks* discovered the malware threat that targets iPhones and iPads through Apple's Mac OS X operating system, putting an end to the age-old belief that iOS is virus-free. Apple has since responded, and said it has -blocked- third-party apps infected with the malware, which Palo Alto describes as the "biggest in scale" it has ever seen... "As always, we recommend that users download and install software from trusted sources.” Palo Alto discovered the new family of malware dubbed 'WireLurker', which is the first known malware that can attack iOS applications in a similar way to a traditional virus. Palo Alto describes the threat as heralding "a new era in malware attacking Apple's desktop and mobile platforms", and said that the malware is "the biggest in scale we have ever seen". WireLurker can attack iOS devices through Mac OS X using USB, and does so by installing third-party applications on non-jailbroken iPhones through 'enterprise provisioning'. The malware seems to be limited to China at present, where it is targeting devices via the Maiyadi App Store, a third-party Mac app store. WireLurker has been found in -467- OS X apps at Maiyadi, which Palo Alto claims have been downloaded 356,104 times so far... The firm also said that enterprises using Mac computers should ensure that mobile device traffic is routed through a threat prevention system."
* http://researchcente...-x-ios-malware/
___

Hacks devise new simplified Phishing
- http://www.darkreadi.../d/d-id/1317242
Nov 5, 2014 - "... a more efficient way to get unwary online shoppers to part with their personal data and financial account information. The new technique, dubbed 'Operation Huyao' by the security researchers at Trend Micro* who discovered it, basically lessens the time and effort needed for attackers to mount a phishing campaign while also making such attacks harder to spot... only when the user actually attempts to make a purchase that the proxy program serves up a modified page that walks the victim through a checkout process designed to extract personal information and payment card or bank account information... the phishers employed various blackhat SEO techniques to ensure that people doing specific product-related searches online were served up with results containing malicious links to the targeted store. Users who clicked on the links were then routed to the department store's website via the malicious proxy... In the first half of 2014 for instance, the median uptime for phishing attacks was 8 hours and 42 minutes, meaning that half of all phishing attackers were active for less than nine, the APWG** has noted... Even so, phishing continues to be a major problem. In the first six months of 2014, the industry group counted more than 123,700 unique phishing attacks which was the highest since the second half of 2009. A total of -756- institutions were specifically targeted in these attacks, the largest number ever during a six-month period. Of these companies -Apple- was the most phished brand."
* http://blog.trendmic...peration-huyao/

** http://docs.apwg.org...ort_1H_2014.pdf
___

CVE-2014-1772 – IE vuln analysis
- http://blog.trendmic...-vulnerability/
Nov 5, 2014 - "... privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035*... this vulnerability was already patched some time ago... This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better..."
* https://technet.micr...y/ms14-035.aspx - Critical
Updated: Jun 17, 2014
V1.1 (June 17, 2014): Corrected the severity table and vulnerability information to add CVE-2014-2782 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
- https://web.nvd.nist...d=CVE-2014-1772 - 9.3 (HIGH)
Last revised: 06/26/2014
- https://web.nvd.nist...d=CVE-2014-2782 - 9.3 (HIGH)
Last revised: 06/26/2014
 

:ph34r:   :grrr:


Edited by AplusWebMaster, 06 November 2014 - 03:48 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
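The lures in this post and the one before it (a Word document carrying a macro, a zipped .exe with a PDF icon that relies on hidden file extensions, the Upatre zip with an .exe inside) are all visible to a mail gateway before a user ever sees an icon. The following is an added example, not code from any of the quoted blogs, of a small attachment triage routine: it flags executable and double extensions, executables inside a zip, and Word files that carry a VBA project (a UTF-16 "VBA" storage name inside a legacy OLE container, or word/vbaProject.bin inside an OOXML zip). The file names INTERAC_pmt_11062014_0345875.* and Mail Attachment.doc come from the posts; their bytes are constructed here, and the extension lists and the VBA-name heuristic are assumptions of this demo rather than anything the articles state.

```python
"""Attachment triage for the mail lures discussed above.

Example code added to this thread; not from the quoted articles. All file
names/bytes below are constructed for the demonstration.
"""
import io
import zipfile

# Extensions Windows will execute directly. This list is an assumption for the demo.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a spoofed icon usually imitates (the "looks like a PDF" trick).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) and plain zips


def split_exts(name):
    """Return the lowercase extension chain of a file name, e.g. ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def name_findings(name):
    """Flags based only on the file name (works before the body is even read)."""
    exts = split_exts(name)
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable extension %s" % exts[-1])
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append("double extension: looks like %s but runs as %s"
                            % (exts[-2], exts[-1]))
    return findings


def content_findings(data):
    """Flags based on the bytes: macro projects in Word files, executables in zips."""
    findings = []
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): the VBA storage name is stored UTF-16LE in the OLE directory.
        if b"V\x00B\x00A\x00" in data:
            findings.append("OLE document contains a VBA macro project")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return ["corrupt zip container"]
        if "word/vbaProject.bin" in names:
            findings.append("OOXML document contains word/vbaProject.bin (macro-enabled)")
        for member in names:
            for f in name_findings(member):
                findings.append("zip member %s: %s" % (member, f))
    return findings


def triage(name, data):
    """Combine name-based and content-based findings; an empty list means 'no flag'."""
    return name_findings(name) + content_findings(data)


def build_samples():
    """Constructed inputs modelled on the campaigns quoted in this thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # zipped executable with a PDF icon (the INTERAC lure); body is a stub, not a real PE
        zf.writestr("INTERAC_pmt_11062014_0345875.exe", b"MZ" + b"\x00" * 64)
    interac_zip = buf.getvalue()
    # Not a real Word file: just the OLE magic plus a UTF-16LE "VBA" storage name.
    fake_doc = OLE_MAGIC + b"\x00" * 24 + "VBA".encode("utf-16-le") + b"\x00" * 32
    return {
        "INTERAC_pmt_11062014_0345875.zip": interac_zip,
        "Mail Attachment.doc": fake_doc,
        "statement.pdf.exe": b"MZ",
        "invoice.pdf": b"%PDF-1.4\n%%EOF\n",
    }


if __name__ == "__main__":
    for fname, body in build_samples().items():
        print(fname, "->", triage(fname, body) or "clean")
```

The name-based checks alone would catch the spoofed-icon executables; the content checks are what catch a macro document whose name is perfectly ordinary, which is why a gateway should look at both.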


#1322 AplusWebMaster

Posted 07 November 2014 - 08:05 AM

FYI...

'Dark market' websites seized in U.S., European busts - Silk Road 2.0
- http://www.reuters.c...N0IR0Z120141107
Nov 7, 2014
> http://s4.reutersmed...r=LYNXMPEAA60EZ
"U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
- http://www.fbi.gov/n...n-federal-court
___

Fake invoice SPAM - malicious Word macro attachment
- http://blog.dynamoo....l-contains.html
7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
    From:     Sue Morckage
    Date:     7 November 2014 13:10
    Subject:     inovice 9232088 November
    This email contains an invoice file attachment


The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustot...89/information/
http ://heartgate .de/bin.exe > https://www.virustot...56/information/
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
* https://www.virustot...sis/1415369050/

1] https://www.virustot...sis/1415365398/

2] https://www.virustot...sis/1415368736/

- http://myonlinesecur...rd-doc-malware/
7 Nov 2014
https://www.virustot...sis/1415372037/
___

Fake job sites ...
- http://blog.dynamoo....r-fake-job.html
7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:

* https://twitter.com/...628073264517120

** (Long list at the dynamoo URL at the top.)
___

Fake Tech Support website infections ...
- https://blog.malware...u-even-dial-in/
Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
> https://blog.malware...ed-1024x817.png
... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
> https://blog.malware...er-1024x728.png
... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
* https://blog.malware...-support-scams/

- http://www.symantec....meet-ransomlock
7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
Top ten ransomware detections as of 11-07-14:
> http://www.symantec....ansomlock 2.png
Fake BSoD lock screen:
> http://www.symantec....lock 3 edit.png ..."

- http://www.ftc.gov/n...ch-support-scam
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 09 November 2014 - 05:49 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
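The dynamoo.com analysis above gives a behaviour chain that is easier to detect than the document itself (detection rates of 4/54 and 1/54): Word runs a macro, fetches bin.exe over HTTP, and writes and launches %TEMP%\AKETVJIJPZE.exe. The following is an added example, not part of that post or its tooling, of a hunt over endpoint telemetry for exactly that chain. The event records are constructed in a simplified Sysmon-like shape (process, file-create and network events as dicts); the download URL and the %TEMP% file name are the ones quoted in the post, everything else (PIDs, paths, the two-indicator threshold) is made up for the demo.

```python
"""Hunt for an Office process that downloads a binary and drops/launches an .exe
from %TEMP%, the chain described in the macro-spam analysis above.

Example code added to this thread; the event format and all sample events are
constructed. Indicators (bin.exe URL, AKETVJIJPZE.exe) are from the quoted post.
"""
import re
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# An .exe directly under a ...\Temp\ directory (the %TEMP% drop location).
TEMP_EXE = re.compile(r"\\Temp\\[A-Za-z0-9_]+\.exe$", re.IGNORECASE)
# A URL whose last path element is an executable.
BINARY_URL = re.compile(r"^https?://[^/]+/.*\.exe$", re.IGNORECASE)

WINWORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"

# Constructed telemetry. PID 4120 is the infected Word instance; 5120 is a clean one.
SAMPLE_EVENTS = [
    {"type": "file", "pid": 4120, "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},      # normal Word scratch file
    {"type": "net", "pid": 4120, "image": WINWORD,
     "url": "http://heartgate.de/bin.exe"},                              # macro download (from post)
    {"type": "file", "pid": 4120, "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\AKETVJIJPZE.exe"},   # dropped payload (from post)
    {"type": "proc", "pid": 4120, "image": WINWORD,
     "child": r"C:\Users\alice\AppData\Local\Temp\AKETVJIJPZE.exe"},    # payload launched
    {"type": "net", "pid": 5120, "image": WINWORD,
     "url": "https://example.org/templates/letter.dotx"},                 # benign template fetch
    {"type": "file", "pid": 7001, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},          # not an Office process
]


def indicator(ev):
    """Return a reason string if this single event is suspicious for an Office process."""
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if image not in OFFICE_IMAGES:
        return None
    if ev["type"] == "net" and BINARY_URL.match(ev.get("url", "")):
        return "downloaded executable from %s" % ev["url"]
    if ev["type"] == "file" and TEMP_EXE.search(ev.get("target", "")):
        return "wrote executable into %%TEMP%%: %s" % ev["target"]
    if ev["type"] == "proc" and TEMP_EXE.search(ev.get("child", "")):
        return "launched executable from %%TEMP%%: %s" % ev["child"]
    return None


def hunt(events, threshold=2):
    """Group indicators per Office PID; alert when a PID reaches the threshold.

    Requiring two indicators keeps a lone template download or a single odd
    file write from paging anyone, while the full download/drop/launch chain
    always trips it.
    """
    by_pid = defaultdict(list)
    for ev in events:
        reason = indicator(ev)
        if reason:
            by_pid[ev["pid"]].append(reason)
    return {pid: reasons for pid, reasons in by_pid.items() if len(reasons) >= threshold}


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print("ALERT pid", pid)
        for r in reasons:
            print("  -", r)
```

The same rule, expressed in whatever your EDR or SIEM uses, is largely signature-independent: the random %TEMP% name and the download host change from run to run (the post already lists two hosts for one campaign), but Word writing and launching an executable does not.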


#1323 AplusWebMaster

Posted 10 November 2014 - 06:03 AM

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious word documents appear to be -blank- when opened in protected view mode... The email looks like:

    Please find attached your November invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
    Thanks very much
    Kate Williams


10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415612495/

- http://blog.dynamoo....6-november.html
10 Nov 2014 - "...  the malware connecting to 84.40.9.34 (Hostway, UK)..."

1] https://www.virustot...sis/1415613432/

2] https://www.virustot...sis/1415613431/

84.40.9.34: https://www.virustot...34/information/
___

Fake Amazon SPAM - malware-macros
- http://net-security....ews.php?id=2912
Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an 'order confirmation' from Amazon .com:
> http://www.net-secur...0112014-big.jpg
... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed invoice file attached is actually a Trojan dropper that will download additional malware once the host is infected..."
* http://blog.appriver...oliday-shoppers
"... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
___

'Darkhotel malware' is targeting travelling execs via hotel WiFi
- http://www.theinquir...-via-hotel-wifi
Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
* https://securelist.c...-darkhotel-apt/
Nov 10, 2014
___

Home Depot drops Windows for Mac ...
- http://www.theinquir...after-data-hack
Nov 10, 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
* http://online.wsj.co...ndor-1415309282
"... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
___

'All Your iOS Apps Belong to Us' - FireEye
- http://www.fireeye.c...long-to-us.html
Nov 10, 2014 - "In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack”, and have created a demo video here:
We have notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps, such as banking and email apps, using the attacker's malware through the Internet. That means the attacker can steal the user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly. We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
> http://www.fireeye.c...1/Untitled1.jpg
... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
-- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
Figure 3:
> http://www.fireeye.c...11/IMG_0001.jpg
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 10 November 2014 - 07:04 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1324 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,201 posts

Posted 11 November 2014 - 07:23 AM

FYI...

Fake 'Bank Payment' SPAM - malicious attachment
- http://blog.dynamoo....chley-bank.html
11 Nov 2014 - "This -fake- invoice spam pretending to be from a care home in the UK comes with a malicious attachment.
    From:     Accounts Finchley [accounts.finchley@ nazarethcare .com]
    Date:     11 November 2014 10:34
    Subject:     Bank Payments
    Good Afternoon,
    Paying in sheet attached
    Regards
    Sandra Whitmore
    Care Home Administrator
    Nazareth House
    162 East End Road
    East Finchley
    London...
    Nazareth Care Charitable Trust...


... The "from" field in an email is trivially easy to fake, as it looks like the body text may have been stolen from a compromised mailbox. Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros... which then downloads a file from one of the following locations:
http ://www.grafichepilia .it/js/bin.exe
http ://dhanophan .co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53*. The Malwr report shows it phoning home to:
http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
It also drops a DLL identified by VirusTotal** as Dridex."
1] https://www.virustot...sis/1415703941/

2] https://www.virustot...sis/1415703952/

* https://www.virustot...sis/1415704632/

** https://www.virustot...sis/1415705610/


- http://myonlinesecur...rd-doc-malware/
11 Nov 2014
Screenshot: http://myonlinesecur...ts-Finchley.png
___

Fake 'Duplicate Payment' SPAM – Word doc malware
- http://myonlinesecur...rd-doc-malware/
11 Nov 2014 - "'Duplicate Payment Received' pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good afternoon,
     I refer to the above invoice for which we received a bacs payment of £660.94 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
     I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.  
     If you have any queries regarding this matter, please do not hesitate to contact me.
     I look forward to hearing from you .
     Many thanks
    Lenora Dunn
    Accounts Department


11 November 2014 : De_VY955279R.doc - Current Virus total detections: 2/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415704035/

- http://blog.dynamoo....d-spam-has.html
11 Nov 2014
... Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108
"
___

Trojan SMS Found on Google Play
- https://blog.malware...on-google-play/
Nov 11, 2014 - "... this one slipped under Google Play’s radar, but an SMS Trojan app with the package name com.FREE_APPS_435.android, which claims to be a download for wallpapers, videos, and music, is actively on the Google Play store (at least at the time of this writing it was).
> https://blog.malware...ScreenShot1.jpg
... This tactic has been seen since malware started appearing on Android devices.  If you visit the developer’s website from the link provided on the Google Play page, it takes you to a page with two banners and a couple of links.
> https://blog.malware...ScreenShot3.jpg
... Google Play has been notified of the existence of this SMS Trojan. The last update of this app was August 20th 2013, which was most likely the date it was added to the Play store. Many variants of this Trojan have been seen that are not currently on the Play store. We flag this Trojan and similar variants as Android/Trojan.SMS.Agent. This is proof that Google Play isn’t perfect at alleviating all malware."
___

Predator Pain and Limitless... the Fraud
- http://blog.trendmic...hind-the-fraud/
Nov 11, 2014 - "ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason... It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception... the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone... cybercriminals in a single city, within six months, equaled all the losses from ZBOT up to the present. Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable... clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is... The following graphs show the distribution of the victims that we observed, both by country and by industry:
Predator Pain/Limitless Victims by Country:
> http://blog.trendmic...ribution-01.jpg
Predator Pain/Limitless Victims by Industry:
> http://blog.trendmic...ribution-01.jpg

- http://www.trendmicr...-predator-pain/
"... The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable they are to the threat..."
___

NRF says Congress should include Banks under Data Breach Law
- https://nrf.com/news...data-breach-law
Nov 6, 2014 - "NRF told Congress today that a federal data breach notification law should cover banks, not just retailers. “Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” NRF said in a letter*. “Exemptions for particular industry sectors not only ignore the scope of the problem but create risks criminals can exploit". “Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data,” the letter said. “Consumers deserve to know when they are placed at risk regardless of where the risk arises". The letter was sent to House and Senate leaders and was signed by NRF and 43 other organizations representing retailers, restaurants, hotels and other businesses..."
* https://nrf.com/site...Data Breach.pdf

2014 DBIR:
- http://www.verizonen....com/DBIR/2014/
"... “We have more incidents, more sources, and more variation than ever before — and trying to approach tens of thousands of incidents using the same techniques simply won’t cut it..."
 

:ph34r:  :grrr:  :(


Edited by AplusWebMaster, 11 November 2014 - 07:57 PM.



#1325 AplusWebMaster


Posted 12 November 2014 - 08:59 AM

FYI...

Fake 'Police' SPAM ...
- http://blog.dynamoo....eadquaters.html
12 Nov 2014 - "I got a lot of these yesterday..
 

    From:     omaniex@ investigtion .com
    Subject:     Exchange House Fraud (Police Headquaters)
    please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.
   Note: come along with your report as it will be needed
    regards,
    Police headquarters.
    Investigtion dept.


Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:
7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar
... malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably -don't- need it). It has a VirusTotal detection rate of 7/55*..."
* https://www.virustot...sis/1415792881/
___

ADP Past Due Invoice Spam
- http://threattrack.t...ue-invoice-spam
Nov 12, 2014 - "Subjects Seen:
    ADP Past Due Invoice#54495150
Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


Malicious URLs:
    kurdogluhotels .com/docfiles/invoice_1211.php
    kevalee .ac.th/docfiles/invoice_1211.php
Malicious File Name and MD5:
    invoice1211_pdf27.zip (05FC7646CF11B6E7FB124782DAF9FB53)
    invoice1211_pdf.exe (78CF05FAA79B41B4BE4666E3496D1D54)


Screenshot: https://gs1.wac.edge...Bx451r6pupn.png

Tagged: ADP, Upatre

- http://blog.dynamoo....11564-spam.html
12 Nov 2014
... Recommended blocklist:
188.165.206.208
shahlart .com
mboaqpweuhs .com
"

- http://www.threattra...e-invoice-spam/
Nov 13, 2014 - "... the Upatre Trojan, which in turn downloaded and decrypted the banking-credential-stealing Trojan Dyre..."
Screenshot: http://www.threattra...Due-Invoice.png

94.23.49.77: https://www.virustot...77/information/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 14 November 2014 - 08:11 PM.



#1326 AplusWebMaster


Posted 13 November 2014 - 10:49 AM

FYI...

Fake 'BankLine' SPAM - targets RBS customers
- http://blog.mxlab.eu...-rbs-customers/
Nov 13, 2014 - "... intercepted -fake- emails regarding a new secure message from BankLine that targets RBS customers. The subject line is “You have received a new secure message from BankLine#24802254”, this email is sent from the spoofed address “Bankline <secure.message @ bankline .com>” and has the following body:
    You have received a secure message.
    Read your secure message by following the link bellow:
    link-
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.
    First time users – will need to register after opening the attachment...


The embedded URL in our sample leads to hxxp ://vsrwhitefish .com/bankline/message.php. This will open up an HTML document with an integrated JavaScript script that makes use of ActiveXObject or a regular HTTP request to open a download, in order to open and/or save the malicious file as instructed."

216.251.43.98: https://www.virustot...98/information/
... 5/60 2014-11-13 13:23:41 http ://vsrwhitefish .com/bankline/message.php
___

Fake 'Voice mail' SPAM ...
- http://blog.mxlab.eu...ecurity-threat/
Nov 13, 2014 - "... intercepted a large campaign by email with the subject “Voice Message #0768384921 (numbers may vary)” which is a continuation of the previous campaign targeting RBS customers. This email is sent from the spoofed address “Message Admin <martin.smith@ essex .org.uk>” and has the following body:

    Voice redirected message
    hxxp ://crcmich .org/bankline/message.php
    Sent: Thu, 13 Nov 2014 11:54:24 +0000


The embedded URL in our sample leads to hxxp ://crcmich .org/bankline/message.php. This will open up an HTML document with an integrated JavaScript script that makes use of ActiveXObject or a regular HTTP request to open a download, in order to open and/or save the malicious file as instructed."

69.160.53.51: https://www.virustot...51/information/
... 3/61 2014-11-13 15:04:47 http ://crcmich .org/bankline/message.php?
___

Alert (TA14-317A)
Apple iOS "Masque Attack" Technique
- https://www.us-cert....lerts/TA14-317A
Nov 13, 2014
Systems Affected:
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
Overview:
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances...
(More detail at the URL above.)
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 13 November 2014 - 04:37 PM.



#1327 AplusWebMaster


Posted 14 November 2014 - 09:28 AM

FYI...

Fake 'Amazon frozen account' – Phish ...
- http://myonlinesecur...arily-phishing/
14 Nov 2014 - "'Your account has been frozen temporarily' pretending to come from Amazon <auto-confirm@ amazon .co.uk> is one of the latest -phish- attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
Screenshot: http://myonlinesecur...shing-email.png
If you open the -attached- html file you see a webpage looking like:
> http://myonlinesecur...mazon_login.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. After submitting the information you get -bounced- on to the genuine Amazon .co.uk website:
> http://myonlinesecur...erification.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

CoinVault - new ransomware
- http://www.webroot.c...1/14/coinvault/
Nov 14, 2014 - "Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases required payment every 24hr, uses bitcoin payment, etc.).
CoinVault GUI:
> https://i.imgur.com/ADEO21U.png
Here is the background* that it creates – also very similar.
* https://i.imgur.com/LAHkjT8.png
... this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
> http://i.imgur.com/F3enAqN.png
... it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay..."

- http://arstechnica.c...m-drug-dealers/
Nov 14 2014
___

Fraudulent Online Ads For Autos, RVs, Boats, and other Outdoor Equipment leading to $20 Million losses
- https://www.ic3.gov/...014/141114.aspx
14 Nov 2014 - " From June 2009 to June 2014 the Internet Crime Complaint Center (IC3) received over -6800- complaints regarding criminals targeting online consumers by posting false advertisements for high priced items such as automobiles, boats, heavy equipment, recreational vehicles, lawn mowers, tractors, and other similar items. These complaints total more than $20 million in reported losses. The scam initiates when the criminals post a false advertisement offering the item for sale. The advertisement usually includes a fraudulent photo to entice the consumer to purchase the item. Within the advertisement, the criminal includes a contact telephone number. The consumer leaves a message and the perpetrator responds via text message. The text message normally requests that the consumer provide an e-mail address. Once the e-mail address is provided the consumer is sent additional details to include multiple images of the item for sale. The perpetrator provides logical reasons for offering the item at such a discounted price such as moving to another location; therefore, the item needs to be sold quickly; the sale was part of a divorce settlement; or overseas deployment. Consumers normally negotiate a price. Many -scammers- advise the consumer the transaction will be conducted through -Ebay- to ensure a safe and easy transaction. In reality the scammer is only pretending to use Ebay. The consumer receives a -false- e-mail that appears to be legitimate from Ebay. The e-mail provides instructions on how to complete the transaction. The perpetrator provides the consumer with all the information necessary to complete the wire transfer - the bank account name, address, and account number. The scammer provides a fraudulent toll-free Ebay customer service number for the consumer to use when they are ready to wire the money. These numbers were also used by many victims to confirm a successful wire transfer or to check transaction status and shipping information. 
After the transaction, the consumer is sent a false Ebay confirmation e-mail that includes the fraudulent transaction or confirmation number and the expected delivery date of the item. Any follow-up calls, text messages or e-mails to the perpetrator(s) are normally ignored and many victims report the toll-free customer service telephone numbers provided are constantly busy. As a result, the consumer never receives the purchased item(s) and suffers a financial loss. The FBI recommends that consumers ensure they are purchasing the actual merchandise from a reputable source by verifying the legitimacy of the seller. Below are some consumer tips when purchasing items online:
- Use search engines or other websites to research the advertised item or person/company selling the item.
- Search the Internet for any negative feedback or reviews on the seller, their e-mail addresses, telephone numbers, or other searchable identifiers.
- Research the company policies before completing a transaction. For example, ensure the seller accepts payments via credit card as Ebay does -not- conduct wire transfers and only uses PayPal to conduct transactions.
- Be cautious when responding to advertisements and special offers.
- Be cautious when dealing with persons/companies from outside the country.
- Maintain records for all online transactions..."
___

Flash Player updated ...
- https://blog.malware...r-flash-player/
Nov 14, 2014 - "Adobe has fixed -18- vulnerabilities in their Flash Player, and you should update immediately, if you haven’t already done so. However, please ensure you’re installing / updating from the right place. For example:
> https://blog.malware...11/adobupd1.jpg
The above site claims:
It is recommended that you update Flash to the latest version to view this page. Please update to continue. Your Flash Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your Flash Plugin now!
The site -forwards- visitors to a sign-up page offering a “Mac cleaning” tool... confusing for anybody expecting Adobe Flash updates.
> https://blog.malware...11/adobupd2.jpg
The Adobe Flash Player website is the place to go for Flash installs*... Always cast a critical eye at the URL of any “Flash Player” site you happen to be on, and check the small print in case you end up with more than you bargained for. Fake Flash Player websites have been around for many years, and are often a prime source of unwanted PUP installs and the occasional slice of Malware..."
* http://get.adobe.com/flashplayer/ ... (Uncheck the 'McAfee' option if you choose not to use it...)
 

:ph34r:  :(  :grrr:


Edited by AplusWebMaster, 16 November 2014 - 01:35 AM.



#1328 AplusWebMaster


Posted 17 November 2014 - 08:00 AM

FYI...

Fake Fax SPAM - malicious .DOCM attachment
- http://blog.dynamoo....ssion-spam.html
17 Nov 2014 - "This -fake- fax spam comes with a malicious attachment
    From:     Interfax [uk@ interfax .net]
    Date:     13 November 2014 20:29
    Subject:     Failed Fax Transmission to 01616133969@ fax .tc<00441616133969>
    Transmission Results
    Destination Fax:      00441616133969
    Contact Name:      01616133969@ fax .tc
    Start Time:      2014/11/13 20:05:27
    End Time:      2014/11/13 20:29:00
    Transmission Result:      3220 - Communication error
    Pages sent:      0
    Subject:      140186561.XLS
    CSID:     
    Duration (In Seconds):      103
    Message ID:      485646629
    Thank you for using Interfax ...


Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal*... Inside this .DOCM file is a malicious macro... which attempts to download a malicious binary from http ://agro2000 .cba .pl/js/bin.exe . This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal**, and the Malwr report shows that it tries to connect to the following URL: http ://84.40.9.34 /lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E . It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53***. If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks."
* https://www.virustot...sis/1416221806/

** https://www.virustot...sis/1416222127/

*** https://www.virustot...sis/1416222797/

84.40.9.34: https://www.virustot...34/information/

- http://myonlinesecur...rd-doc-malware/
17 Nov 2014
> https://www.virustot...sis/1416212735/
___

Fake Investment SPAM ...
- http://myonlinesecur...reland-malware/
17 Nov 2014 - "'Investment Opportunities in Ireland' pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...-in-Ireland.png

Today's Date: investmentareas.rar: Extracts to: investmentareas.scr
Current Virus total detections: 26/55* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1416215003/
___

Fake 'Payment Declined' Phish ...
- http://myonlinesecur...lined-phishing/
17 Nov 2014 - "Any phishing attempt wants to get as much personal and financial information from you as possible. This 'BT Account- Payment Declined' pretending to come from BT .com <noreplymail@ btc .com> phishing scam is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

Screenshot: http://myonlinesecur...nt-Declined.png

The link in the email leads you to a webpage looking like:
Screenshot2: http://myonlinesecur...fake-log-in.png

That leads on to a page to enter all your details, including bank account, credit card, mother’s maiden name and everything else necessary to steal your identity and clean out your bank and credit card accounts:
Screenshot3: http://myonlinesecur...ake-details.png

Then you get a success page, where they kindly inform you that “The Anti Fraud System has been succesfully added to your account” and then are bounced to the real BT site:
Screenshot4: http://myonlinesecur...ls-success-.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
___

Fake 'Test message' SPAM plague continues..
- http://blog.dynamoo....-continues.html
17 Nov 2014 - "This plague of spam "test messages" has been going on for two days now, probably sourced from "Botnet 125"* which sends most of the spam I get. These messages are annoying but not harmful in themselves, I suspect they are probing mail servers for responses. If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
    From: Hollie <Laurie.17@ 123goa .com>
    Date: 17 November 2014 19:04
    Subject: Test 8657443T
  test message.
    Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
    Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard...
..."
* http://www.proofpoin...g-customers.php
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 17 November 2014 - 06:05 PM.



#1329 AplusWebMaster


Posted 18 November 2014 - 06:11 AM

FYI...

Fake Invoice SPAM - Word doc malware attached
- http://myonlinesecur...rd-doc-malware/
18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    This email contains an invoice file attachment

So far today, I have seen 3 different size files attached to this email, all file names are random:
18 November 2014 : invoice_796732903.doc (59kb)       Current Virus total detections: 1/55*

18 November 2014 : invoice_1952581.doc (41kb)      Current Virus total detections: 1/55**

18 November 2014 : invoice_80943810.doc (22kb)      Current Virus total detections: 0/54***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1416303264/

** https://www.virustot...sis/1416304606/

*** https://www.virustot...sis/1416304325/
___

Another Fake FAX SPAM run ...
- http://blog.dynamoo....lets-party.html
18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
From:     Incoming Fax [no-reply@ efax .co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553
INCOMING FAX REPORT
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file...


This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes the following HTTP requests:
http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
Recommended blocklist:
108.61.229.224
159593.webhosting58 .1blu .de
"
* https://www.virustot...sis/1416318405/
... Behavioural information
TCP connections
108.61.229.224: https://www.virustot...24/information/
178.254.0.111: https://www.virustot...11/information/

** https://www.virustot...sis/1416318784/

- http://myonlinesecur...ke-pdf-malware/
18 Nov 2014
- https://www.virustot...sis/1416321619/
___

Fake Voice msg SPAM again - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@ voicemail .com>' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
     You have received a voice mail message from 685-869-9737
    Message length is 00:00:30. Message size is 225 KB.
    Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...


18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1416321619/
 

:grrr:  :ph34r:


Edited by AplusWebMaster, 18 November 2014 - 01:08 PM.

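The two posts above make two perimeter recommendations: block .DOCM (and other executable) attachments outright and block the download/call-home hosts Dynamoo lists, and treat "document_8731_pdf.exe" style names as executables dressed up as PDFs. The following is an added example, not code from Dynamoo, myonlinesecurity or this forum, of how a mail gateway or SOC script could apply those two checks. The indicator sets are copied from the quoted posts; the proxy log format, the client IPs and the timestamps are constructed for the example, and plain .doc attachments (the macro droppers in the earlier posts) deliberately pass this name-only check because they need content inspection that this example does not do.

```python
"""Mail-gateway and egress checks built from the indicators in the posts above."""
import os
import re
from urllib.parse import urlsplit

# Indicators copied from the quoted Dynamoo write-ups (the "Recommended blocklist"
# entries and the download / call-home hosts named in the fax and voice-mail posts).
BLOCKED_IPS = {
    "84.40.9.34", "108.61.229.224", "178.254.57.146", "213.140.115.29",
    "62.76.180.133", "62.76.189.108", "188.165.206.208",
}
BLOCKED_HOSTS = {"159593.webhosting58.1blu.de", "shahlart.com", "mboaqpweuhs.com"}

# Attachment types the posts suggest stopping at the perimeter outright.
BLOCKED_EXTENSIONS = {".docm", ".exe", ".scr", ".jar"}
# Archives are opened by member name, so a .zip/.rar wrapper is not a free pass.
ARCHIVE_EXTENSIONS = {".zip", ".rar"}
# "document_8731_pdf.exe": a decoy document type wedged in front of the real extension.
DECOY_NAME_RE = re.compile(r"[_.-](pdf|docx?|xlsx?|txt)$")
URL_RE = re.compile(r"https?://\S+")


def classify_attachment(name, members=()):
    """Return the policy reasons for quarantining an attachment (empty list = allow).

    `members` lists the file names inside an archive attachment. Plain .doc files
    pass this name-only check and still need macro inspection elsewhere.
    """
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if DECOY_NAME_RE.search(stem):
            reasons.append("decoy document name on executable")
    if ext in ARCHIVE_EXTENSIONS:
        for member in members:
            for reason in classify_attachment(member):
                reasons.append(f"archive member {member}: {reason}")
    return reasons


def scan_proxy_log(lines):
    """Return (line_number, indicator) for every request to a blocklisted host."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = URL_RE.search(line)
        if not match:
            continue
        host = (urlsplit(match.group(0)).hostname or "").lower()
        if host in BLOCKED_IPS or host in BLOCKED_HOSTS:
            hits.append((number, host))
    return hits


# Constructed sample proxy log: timestamps and client columns are invented; the
# request targets are the download and call-home URLs quoted in the posts.
SAMPLE_PROXY_LOG = """\
2014-11-18 13:20:11 10.0.0.12 GET http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/ 200
2014-11-18 13:20:14 10.0.0.12 GET http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg 200
2014-11-18 13:21:02 10.0.0.31 GET http://www.example.com/index.html 200
2014-11-17 09:02:55 10.0.0.40 POST http://84.40.9.34/ 200
"""

# Constructed sample attachments, named after the ones described in the posts.
SAMPLE_ATTACHMENTS = [
    ("00000293.docm", []),
    ("document_8731_pdf.zip", ["document_8731_pdf.exe"]),
    ("EXCH DETAILS PR 7777709.zip", ["7 TRANSACTION RPPP 00000123-PDF.jar"]),
    ("2014_11_07_14_09_19.doc", []),
]

if __name__ == "__main__":
    for name, members in SAMPLE_ATTACHMENTS:
        verdict = classify_attachment(name, members) or ["allow (name check only)"]
        print(f"{name}: {'; '.join(verdict)}")
    for number, host in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"proxy line {number}: request to blocklisted host {host}")
```

The host match is done on the parsed hostname rather than a substring search, so the `:13861` port on the Upatre download host and the URL paths do not get in the way, and a blocklist entry such as `84.40.9.34` cannot accidentally match an unrelated longer address.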


#1330 AplusWebMaster


Posted 19 November 2014 - 09:19 AM

FYI...

Fake Bank phish ...
- http://myonlinesecur...count-phishing/
19 Nov 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
  -We’re improving your current account
  -There have been unauthorised or suspicious attempts to log in to your account, please verify
  -Your account has exceeded its limit and needs to be verified
  -Your account will be suspended !
  -You have received a secure message from < your bank>
  -New Secure Message
  -We are unable to verify your account information
  -Update Personal Information
  -Urgent Account Review Notification
  -We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
  -Confirmation of Order


This one is Lloyds bank 'We’re improving your current account' pretending to come from Lloyds Banking Group Plc <info@ emails.very .co.uk> The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually -do- allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out by this one and think they need to notify the bank.
Email looks like:

Screenshot: http://myonlinesecur...ent-account.png

This one wants your personal details and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. If it says .EXE then it is a problem and should -not- be run or opened."
___

Azure cloud outages - MSN web portal offline
- http://www.reuters.c...N0J309E20141119
Nov 18, 2014 11:53pm EST - "Microsoft Corp's Azure cloud-computing service, which hosts websites and lets customers store and manage data remotely, suffered serious outages on Tuesday taking its popular MSN web portal offline. According to Microsoft's Azure status page*, the problems started around 5pm Pacific time and have still not been fully solved..."
* http://azure.microso...status/#history

>> http://azure.microso...e-interruption/
Nov 19, 2014
 



Edited by AplusWebMaster, 20 November 2014 - 08:59 PM.

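The phish described in the post above combines two tells: a display name that claims a bank while the actual sender domain belongs to someone else (Lloyds Banking Group Plc <info@ emails.very .co.uk>), and a subject drawn from a small set of lure phrases. The following is an added example, not code from myonlinesecurity.co.uk or from this forum, that turns those two tells into a mail-filter heuristic. The BRAND_DOMAINS table is a constructed assumption used only to show the shape of the check; a real deployment would use a maintained list of domains each brand sends from. The lure phrases are taken from the list in the post.

```python
import re
from email.utils import parseaddr

# Constructed, illustrative table: brand keyword in the display name -> domains
# that legitimately send mail for that brand. This is an assumption for the
# example, not an authoritative list.
BRAND_DOMAINS = {
    "lloyds": {"lloydsbank.co.uk", "lloydsbankinggroup.com"},
    "paypal": {"paypal.com", "paypal.co.uk"},
}

# Lure phrases from the list of common phishing subjects in the post.
LURE_PHRASES = (
    "improving your current account",
    "unauthorised or suspicious attempts",
    "exceeded its limit",
    "account will be suspended",
    "received a secure message",
    "new secure message",
    "unable to verify your account",
    "update personal information",
    "urgent account review",
    "from a foreign ip address",
    "confirmation of order",
)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def claimed_brand(from_header: str):
    """Brand keyword found in the display name, or None."""
    display, _ = parseaddr(from_header)
    display = display.lower()
    for brand in BRAND_DOMAINS:
        if brand in display:
            return brand
    return None


def domain_belongs_to(domain: str, allowed) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phish_indicators(from_header: str, subject: str,
                     html_form_attached: bool = False):
    """Return a list of human-readable reasons the message looks like a phish.

    An empty list means none of the heuristics fired; it does not prove the
    message is genuine.
    """
    reasons = []
    brand = claimed_brand(from_header)
    domain = sender_domain(from_header)
    if brand and not domain_belongs_to(domain, BRAND_DOMAINS[brand]):
        reasons.append(
            f"display name claims '{brand}' but sender domain is '{domain}'")
    subject_l = subject.lower()
    for phrase in LURE_PHRASES:
        if phrase in subject_l:
            reasons.append(f"lure phrase in subject: '{phrase}'")
    if html_form_attached:
        # The post's Lloyds sample carries the login form as an HTML attachment.
        reasons.append("HTML form attached (credential-harvesting pattern)")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the refanged From header from the post and a
    # benign-looking message for comparison.
    samples = [
        ("Lloyds Banking Group Plc <info@emails.very.co.uk>",
         "We’re improving your current account", True),
        ("Lloyds Bank <noreply@lloydsbank.co.uk>",
         "Your statement is ready", False),
    ]
    for frm, subj, html in samples:
        print(frm, "->", phish_indicators(frm, subj, html) or "no indicators")
```

The display-name check is the one that matters: users read the name, not the address, and the subject list is easy for the sender to vary. Treat the output as a scoring input for a mail gateway, not as a verdict.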


#1331 AplusWebMaster


Posted 20 November 2014 - 10:56 AM

FYI...

Angler Exploit Kit adds New Flash Exploit...
- http://threatpost.co...014-8440/109498
Nov 20, 2014 - "... Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched. “This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.” Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release*. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. “The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post*..."
* http://malware.dontn...-2014-8440.html

> https://web.nvd.nist...d=CVE-2014-8440
10.0 (HIGH)
Last revised: 11/12/2014

Flash test site: https://www.adobe.co...re/flash/about/
___

 

Fake Donation Overpayment SCAM
- https://www.ic3.gov/...014/141120.aspx
Nov 20, 2014 - "... received numerous complaints from businesses, charitable organizations, schools, universities, health related organizations, and non-profit organizations, reporting an online donation scheme. The complaints reported subjects who had donated thousands of dollars, via stolen credit cards. Once donations were made, the subjects immediately requested the majority of the donation back, but credited to a different card. They claimed to have mistakenly donated too much by adding an extra digit to the dollar amount (i.e., $5000 was ‘accidently’ entered instead of $500). However, very few complainants actually returned the money to the second credit card. Many, through their own investigations, discovered the original card was -stolen- or the credit card company notified them of such. Also, some of the organizations’ policies did not allow funds to be returned to a different credit card."

 



Edited by AplusWebMaster, 20 November 2014 - 08:47 PM.



#1332 AplusWebMaster


Posted Yesterday, 12:54 PM

FYI...

 

Something evil on 46.8.14.154

- http://blog.dynamoo....n-46814154.html
21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
___

 

Fake 'Payment Received' SPAM - malicious DOC attachment
- http://blog.dynamoo....-spam-from.html
21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
 From:     Enid Tyson
 Date:     21 November 2014 15:36
 Subject:     INV209473A Duplicate Payment Received
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Enid Tyson
 Accounts Department

 

 In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro.. which connects to the following URL:
 http ://79.137.227.123 :8080/get1/get1.php
...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
* https://www.virustot...sis/1416584784/

** https://www.virustot...sis/1416584533/

 



Edited by AplusWebMaster, Today, 09:47 AM.

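The reports quoted in this thread (the blocklist in the post before last, the macro download URLs and the 46.8.14.154 advice above) publish their indicators defanged, with spaces inserted around dots and colons so the links cannot be clicked. Feeding them to a firewall or proxy blocklist means refanging and extracting them first. The following is an added example, not code from dynamoo.com or this forum, that does that over a constructed sample built from the indicators quoted in the posts; the defanging styles handled (spaces before dots and colons, hxxp, [.]) are the common ones and the list is an assumption, not a complete specification.

```python
import re
from ipaddress import ip_address

# Constructed sample mirroring the defanging style used in the quoted reports.
SAMPLE_REPORT = """
Recommended blocklist:
108.61.229.224
159593.webhosting58 .1blu .de
This contains a malicious macro.. which connects to the following URL:
http ://79.137.227.123 :8080/get1/get1.php
UPDATE: ... a download location of http :// 61.221.117.205 :8080/get1/get1.php
The best thing to do is to -block- traffic to 46.8.14.154
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Undo common defanging so indicators become parseable.

    Handled: hxxp/hxxps, [.] and (.) for dots, [:] for colons, and the
    'example .com' / '1.2.3.4 :8080' / 'http :// host' spacing used above.
    """
    t = re.sub(r"hxxps?", lambda m: m.group(0).replace("xx", "tt"), text,
               flags=re.I)
    t = t.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # Join "1blu .de" but leave sentence ellipses ("UPDATE: ...") alone.
    t = re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", t)
    t = re.sub(r"\s+:", ":", t)        # "123 :8080" -> "123:8080"
    t = re.sub(r"://\s+", "://", t)    # "http :// 61." -> "http://61."
    return t


def extract_iocs(text: str) -> dict:
    """Return sorted, de-duplicated public IPs, hostnames and URLs."""
    clean = refang(text)
    urls = set(URL.findall(clean))

    ips = set()
    for cand in IPV4.findall(clean):
        try:
            ip = ip_address(cand)
        except ValueError:           # e.g. 999.1.1.1 matched by the regex
            continue
        if ip.is_global:             # drop RFC1918, loopback, version strings
            ips.add(str(ip))

    # Strip URLs first so path components such as get1.php are not read as
    # hostnames; the URL hosts are still covered by the ips/urls sets.
    without_urls = URL.sub(" ", clean)
    hosts = {h.lower() for h in HOST.findall(without_urls)
             if not IPV4.fullmatch(h)}

    return {"ips": sorted(ips), "hosts": sorted(hosts), "urls": sorted(urls)}


def blocklist_lines(iocs: dict):
    """Hosts and IPs in a one-per-line form suitable for a blocklist file."""
    return iocs["hosts"] + iocs["ips"]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    for kind, values in found.items():
        print(kind)
        for v in values:
            print("   ", v)
```

Block on the IP and host level rather than on the full URL: the post itself notes that the hijacked subdomains in front of 46.8.14.154 change every few minutes, whereas the server address is stable.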


#1333 AplusWebMaster


Posted Today, 04:58 PM

FYI...

Fake 'Herbal Root' email SCAM
- http://blog.dynamoo....-root-scam.html
22 Nov 2014 - "... there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
From:     Mr. Tom Good Hope [mrtomgood@ gmail .com]
Reply-To:     mrtomgoodhope@ gmail .com
Date:     22 November 2014 02:24
Subject:     SUPPLY BUSINESS OF OPLAMO
My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company. I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase. OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD, while they supply to our company at the rate of $430 USD... Upon your reply i will clarify you more on how to start this business immediately, please drop your contact phone number for me to be able to contact you ASAP.
Thanks,
Mr Tom Goodhope
Company Secretary ...


... the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost .com] in the US... give it a very wide berth.
___

Fake 'my new photo' SPAM - malware - Google’s webp images
- http://myonlinesecur...es-webp-images/
22 Nov 2014 - "... a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish. Until 2 days ago the -zip- attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions so some users get infected. Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in Windows Explorer or in the majority of imaging/photo editing/viewing programs. It will display in Chrome browser. Looking at the file headers, the image is a genuine image but is the “new” webp format from google https ://developers.google .com/speed/webp/ which needs a codec from google to display in Windows Explorer or a plug in to display or use in common image editing/viewing programs. We will almost certainly see requests or comments in various forums or facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if chrome is default) or the google plugin or codec has been installed and the user thinks that it was just an image and not a malware file. Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file which makes the unwary more likely to click on it and consequently become infected. I have been charting the progress of this malware for some time now, since it first appeared at end of August... we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc but it -does- in chrome OR why they cannot view or edit a downloaded jpg. 
The zip file contains 2 files - 1 is a standard .exe with an icon that looks like a jpg that if you don’t have show hidden extensions shown can confuse a user and lead to infection when clicked on... If you open the image files in a hex editor or analysis program you will see the file type headers information:
for jpg they are ……JFIF…..`.`……Exif..MM
for PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
For Webp they are RIFFhs..WEBPVP8  "
(Comparison example images shown at the URL at the top.)
 



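Two posts in this thread make the same point from different angles: the "Fake Voice msg" post describes document_8731_pdf.exe, an executable whose icon and name make it look like a PDF once extensions are hidden, and the post above shows how the real type of a file is visible in its first bytes (JFIF/Exif for JPEG, .PNG....IHDR for PNG, RIFF....WEBP for WebP). The following is an added example, not code from myonlinesecurity.co.uk or this forum, that applies that idea as a check on a zip attachment: it identifies each member by magic bytes rather than by name or icon, and flags executables, document-like names on executables, and extension/content mismatches such as a "jpg" that is really WebP. The sample zip is constructed in memory; the MZ stub inside it is a header fragment, not a program.

```python
import io
import re
import struct
import zipfile

# Magic-byte signatures at offset 0. JPEG, PNG and (below) RIFF/WEBP match the
# headers quoted in the post; MZ catches Windows executables regardless of the
# icon embedded in them, which is just a resource the author chooses.
SIGNATURES = (
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("zip", b"PK\x03\x04"),
    ("mz-executable", b"MZ"),
)

# What a given extension claims the content is.
EXTENSION_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "webp": "webp",
                  "zip": "zip", "exe": "mz-executable"}

# Name tokens that make an .exe read as a document or picture (constructed list).
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                   "gif", "photo", "image", "document", "scan", "invoice"}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if nothing matches."""
    # WebP is a RIFF container: "RIFF" <size> "WEBP", so the tag is at offset 8.
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    for label, magic in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def name_tokens(name: str):
    return re.split(r"[._\-\s]+", name.rsplit("/", 1)[-1].lower())


def check_member(name: str, head: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    detected = sniff(head)
    ext = extension(name)
    flags = []
    if detected == "mz-executable":
        flags.append("executable-content")
        # document_8731_pdf.exe: a document/picture token before the real .exe
        if any(tok in DOCUMENT_TOKENS for tok in name_tokens(name)[:-1]):
            flags.append("lure-name")
    expected = EXTENSION_KIND.get(ext)
    if expected and detected != "unknown" and detected != expected:
        flags.append("extension-mismatch")
    return {"name": name, "extension": ext, "detected": detected, "flags": flags}


def scan_zip(zip_bytes: bytes):
    """Sniff every member of a zip, reading only the first 16 bytes of each."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            results.append(check_member(info.filename, head))
    return results


def build_sample_zip() -> bytes:
    """Constructed attachment mirroring the two posts: a disguised executable,
    a 'jpg' that is really WebP, and a genuine PNG for comparison."""
    webp = b"RIFF" + struct.pack("<I", 30) + b"WEBPVP8 " + b"\x00" * 26
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60      # header stub only, not runnable
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document_8731_pdf.exe", fake_exe)
        zf.writestr("my_new_photo.jpg", webp)
        zf.writestr("readme.png", png)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(f"{finding['name']:<24} {finding['detected']:<14} "
              f"{', '.join(finding['flags']) or 'ok'}")
```

The check reads only the header of each member, so it is cheap enough to run on every attachment at a mail gateway, and it does not depend on the "show known file extensions" setting the posts keep returning to: the bytes are what the loader will execute, whatever the name or icon says.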




