SPAM frauds, fakes, and other MALWARE deliveries...



#1451 AplusWebMaster


Posted 28 April 2015 - 03:29 AM

FYI...

Fake 'Privacy Policy' SPAM – malware
- http://myonlinesecur...butors-malware/
28 April 2015 - "An email in garbled English about a database of contributors and their Privacy Policy with a subject of 'RE: Hello' pretending to come from Chanda <faucibus.id@ aliquet .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    Dear user! We consider a database of contributors and we found that we have signed with you our “Privacy Policy” and that we have an updated CV. We will be audited in the near future, and we need to update the record. For this reason, is attached to this e-mail confidentiality agreement that we pray thee firm and return them by email or fax as soon as possible. We also need you, please send us your resume updated for inclusion in the database. If you have any questions, please contact me.
    With great respect !


28 April 2015: Privacy Policy.zip: Extracts to: Privacy Policy.doc.scr
Current Virus total detections: 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will pretend to be a word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430201347/
... Behavioural information
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

Fake 'INVOICE PD' SPAM - malicious attachment
- http://blog.dynamoo....-will-comm.html
28 April 2015 - "This malicious spam does not come from Will Communications but is instead a simple -forgery- with a malicious attachment.
    From:    richard will [contactwill@ hotmail .com]
    Date:    28 April 2015 at 09:05
    Subject:    INVOICE PD Will Comm
    Thank-you for your payment!
    Richard Will
    Will Communications, Inc.
    richard@ willcommunications .com


The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56* and it contains this malicious macro... In this case, the macro downloads a component from:
http ://massachusettsselfstorage .com/62/927.exe
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53**. There may well be other documents that download from -other- locations, but the binary will be the same in all cases. Automated analysis tools... show that it attempts to communicate with the following IP:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56***."
* https://www.virustot...sis/1430209748/

** https://www.virustot...sis/1430209765/

*** https://www.virustot...sis/1430210575/

massachusettsselfstorage .com: 209.114.42.129: https://www.virustot...29/information/

- http://myonlinesecur...dsheet-malware/
28 April 2015 : Orion_PD_INV_12138.doc - Current Virus total detections: 4/54* downloads & executes http ://muebleseviajan .com/62/927.exe ..."
* https://www.virustot...sis/1430207999/

muebleseviajan .com: 185.14.56.96: https://www.virustot...96/information/
___

Bad Actor using Fiesta exploit kit
- https://isc.sans.edu...l?storyid=19631
2015-04-28 - "... a criminal group using the Fiesta exploit kit (EK) to infect Windows computers... The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain.  I'm calling this group the "BizCN gate actor" because all its gate domains are registered through Chinese registrar www .bizcn .com, and they all reside on a -single- IP address... Earlier this month, the BizCN gate actor changed its gate IP to 136.243.227.9 [3].  We're currently seeing the gate lead to Fiesta EK on 205.234.186.114. Below is a flow chart for the infection chain:
> https://isc.sans.edu...ry-image-01.jpg
... Passive DNS on 136.243.227.9 shows at least 100 domains registered through www .bizcn .com hosted on this IP address. Each domain is paired with a -compromised-  website... Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again. Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes..."
[3] http://urlquery.net/...q=136.243.227.9

205.234.186.114: https://www.virustot...14/information/

136.243.227.9: https://www.virustot....9/information/
___

Fake 'NatWest' SPAM – chm malware
- http://myonlinesecur...43-chm-malware/
28 Apr 2015 - "'NatWest Secure Message' pretending to come from NatWest .co.uk <secure.message@ natwest .com> with a zip attachment that extracts to a malicious chm (windows help file) is another one from the current bot runs... The email looks like:
    You have received a secure message.
    Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.  
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3532.
    First time users – will need to register after opening the attachment...


There is also a separate set of emails being spammed out with the -same- malware attachment with a subject of 'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com>...
Please check attached file(s) for your latest account documents regarding your online account.
Russel Whitlock
Level III Account Management Officer
817-267-1542 office
817-573-8940 cell
Russel.Whitlock@ jpmorgan .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
2015 JPMorgan Chase & Co...


All of these use random names at the relevant banks...
Update: there is a second set of these being spammed out with a plain chm attachment that is -not-  inside a zip. Outlook (and some other email clients) block chm files by default so you will be protected from automatically opening or running this.
Today's Date: SecureMessage.zip: Extracts to: SecureMessage.chm
Current Virus total detections: 1/53* . The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430217439/
SecureMessage.chm
___

Fake 'BACS payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a  zip attachment is another one from the current bot runs... The email looks like:
    Please find downloaded notification of your BACS payment from Essex County Council.  
    If you require further information please refer to the contact details in the attached document.
    BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
    Paramat 60
    85 rue des jacobins
    60740 Saint maximin
    Tel : 03.44.66.03.47


28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430219199/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
81.7.109.65: https://www.virustot...65/information/
188.255.252.242: https://www.virustot...42/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'Email Locked' SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
Apr 28, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “[Issue 243061763D7F320] Account #735811402519 Temporarily Locked”. Different spoofed addresses are used as the from email address, and with each email the content and the attached trojan are -different- to avoid detection by virus engines. Some examples:
    Dear user,
    We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
    Please re-confirm your identity. See attached docs for full information.
    Evie Maccarter
    King Yvonne M Dr
    70 Exhibition Street, Kentville, NS B4N 4K9
    CANADA
    902-602-7131


The attached file 735811402519.zip contains the 102 kB large file 735811402519.scr. The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3. At the time of writing, 3 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1430215524/
___

Scammy Nepal earthquake donation requests
- https://isc.sans.edu...l?storyid=19635
2015-04-28 - "... like after every major hurricane or earthquake, the miscreants around the globe are currently scurrying to set up their -fake- charities and web pages, in order to solicit donations. The people of Nepal certainly can use our help and generosity to deal with the aftermath of the April 25 earthquake, but let's make sure the money actually ends up there. For our readers in the US, USAID.gov maintains a list of charities that they work with in Nepal at http://www.usaid.gov/nepal-earthquake.. but note how even USAID adds a disclaimer to be on the lookout for scams!..."
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 28 April 2015 - 11:26 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1452 AplusWebMaster


Posted 29 April 2015 - 04:55 AM

FYI...

Fake 'pictures' SPAM - malware
- http://myonlinesecur...ctures-malware/
29 Apr 2015 - "An email saying 'Here are some pictures' with a subject of 'RE: Hello' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    Here are some pictures !!
    See you later!


29 April 2015: in_my_home.zip: Extracts to: in_my_home.scr
Current Virus total detections: 7/55*. Automatic analysis at MALWR show it to be a Zeus banking Trojan. Creates a windows hook that monitors keyboard input (keylogger), creates Zeus (Banking Trojan) mutexes, mutex: MPSWabDataAccessMutex, creates an Alternate Data Stream (ADS) file: C:\WINDOWS\system32\commtui2.exe:Zone.Identifier, Installs itself for autorun at Windows startup... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430289254/
___

JavaScript malware
- http://myonlinesecur...script-malware/
29 Apr 2015 - "JavaScript malware is a different way of spreading malware. We have been seeing a steady increase in a different form of malware spreading. The bad guys are sending javascript files inside a zip or at the end of a link. We have seen several different email templates for this method ranging from:

- E-Ticket 7694892 pretending to come from E-Ticket <online@ ticket .com>
> http://myonlinesecur...script-malware/

- Order 595775 which contains a simple email reading something like “Good Day! Find Order 595775 attached Thank you Jim Olsen” These also come in as -fake- invoices with random numbers and random names and senders. You normally find the name in body of email matches the name of the alleged sender.

These particular js files (JavaScript malware) download & install a cryptowall 3.0 malware which will encrypt all your files on the computer and prevent access to them. There is absolutely -no- fix once you are infected so it is essential to have a full working backup and make sure it is stored off the computer. These cryptowall Trojans are -network- aware and will -encrypt- -all- -network- disks and external hard discs as well as the computer hard disc.
All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. -Don’t- try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking-the-link in the email to see what is happening... The basic rule is NEVER open -any- attachment to an email, unless you are expecting it...

- http://blogs.cisco.c.../cryptowall-3-0
___

Fake 'HSBC credit' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 Apr 2015 - "'New credit terms from HSBC' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
     Sir/Madam,
    We are pleased to inform you that our bank is ready to offer you a bank loan.
    We would like to ask you to open the Attachment to this letter and read the terms.
    Yours faithfully,
    Global Payments and Cash Management
    HSBC


29 April 2015: mail2.zip: Extracts to: Payment.exe
Current Virus total detections: 1/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430307499/
___

 

Incoming MMS Spam
- http://threattrack.t...coming-mms-spam
Apr 29, 2015 - "Subjects Seen
    Incoming mms from +07452136643
Typical e-mail details:
    No.: +07452136643
    Size: 8971
    ID: OHB.45598A07E.7385
    Filename: OHB.45598A07E.7385.cab
    Billie Souto


Malicious File Name and MD5:
    OHB.45598A07E.7385.scr (d2843ca1919e48c16c98673210e0c3d2)


Screenshot: https://41.media.tum...1r6pupn_500.png

Tagged: MMS, ctb locker
___

Fake Chinese domain SCAMs
- http://blog.dynamoo....rycom-scam.html
29 Apr 2015 - "This spam email is actually part of a long-running Chinese scam.
    From:    Jim Bing [jim.bing@ cnwebregistry .cn]
    Date:    29 April 2015 at 14:27
    Subject:    Re:"[redacted]"
    Dear CEO,
    (If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)
    We are a Network Service Company which is the domain name registration center in Shanghai, China.
    We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?
    Best Regards,
    Jim
    General Manager


Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a -rogue- Chinese domain registrar to get you to buy -overpriced- and -worthless- domains. In this case the spam mentions the domain cnwebregistry .cn, but chinaygregistry .com is also on the same server and will be similarly fraudulent. This video I made a while ago explains the scam in more detail..."
(Video @ the dynamoo URL above.)
 

:ph34r:   :grrr:


Edited by AplusWebMaster, 29 April 2015 - 11:19 AM.

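The reports in this post and the previous one (Privacy Policy.doc.scr, SecureMessage.chm, in_my_home.scr, the .js files inside zips, the .cab/.scr MMS lure) all rely on an attachment whose real extension is executable while its icon or a decoy extension suggests a document. The following is an added example, not code from the forum post or from the blogs it quotes: a small Python triage of a zip attachment by member name, which is the same check that "show known file extensions" lets a user make by eye. The archives are constructed in memory; the member names come from the reports above except "Order 595775.js", which is constructed from the order-number template.

```python
"""Triage e-mail attachment archives by member name.

Added example (not code from the forum post or from the blogs it quotes).
Flags members whose real (last) extension is executable and members that hide
such an extension behind a document extension, e.g. "Privacy Policy.doc.scr".
Sample archives are constructed in memory; only their member names matter.
"""
import io
import zipfile

# Extensions Windows executes (or hands to an active-content viewer such as
# the HTML Help engine) on double-click, whatever icon the file displays.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "chm", "cab", "lnk", "msi", "jar",
}

# Extensions users expect to be harmless; "invoice.pdf.exe" borrows one as a decoy.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png", "rtf"}


def classify_name(name):
    """Return a list of reasons a single member name is suspicious.

    Only the final extension decides what Windows does with the file, so the
    check reads extensions from the right; anything before it is the decoy.
    """
    base = name.rsplit("/", 1)[-1]          # ignore any directory prefix
    parts = base.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons                       # no extension at all
    real_ext = parts[-1]
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + real_ext)
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("decoy document extension ." + parts[-2]
                           + " before ." + real_ext)
    return reasons


def triage_zip(data):
    """Return {member_name: [reasons]} for every suspicious member of a zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(names):
    """Construct an in-memory zip whose members carry the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")   # content is irrelevant to the check
    return buf.getvalue()


# Constructed samples using the attachment names reported above.
SAMPLE_ARCHIVES = {
    "Privacy Policy.zip": build_zip(["Privacy Policy.doc.scr"]),
    "SecureMessage.zip": build_zip(["SecureMessage.chm"]),
    "in_my_home.zip": build_zip(["in_my_home.scr"]),
    "Order_595775.zip": build_zip(["Order 595775.js"]),   # member name constructed
    "statement.zip": build_zip(["statement.exe", "readme.txt"]),
}

if __name__ == "__main__":
    for archive, data in SAMPLE_ARCHIVES.items():
        for member, reasons in triage_zip(data).items():
            print(f"{archive}: {member}: {'; '.join(reasons)}")
```

A mail gateway or desktop script can run `triage_zip` over every archive attachment and quarantine anything that returns findings; the name check is cheap and catches the whole family of icon-spoofing droppers above without needing a signature for each binary.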


#1453 AplusWebMaster


Posted 30 April 2015 - 06:45 AM

FYI...

Fake 'Telephone order' SPAM - malicious doc attachment
- http://blog.dynamoo....-mcdonnell.html
30 Apr 2015 - "This fake financial email is not from Gas Cylinders UK but is instead a simple -forgery- with a malicious attachment.
    From:    Rebecca McDonnell [rebecca@ gascylindersuk .co .uk]
    Date:    30 April 2015 at 09:54
    Subject:    Telephone order form
    Telephone order form attached
    Regards,
    Rebecca McDonnell
    Business Administrator
    340a Haydock Lane, Haydock Industrial Estate,
    St Helens, Merseyside, WA11 9UY
    DDI:  01744 304338
    Fax: 01942 275 312 ...


There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56* and contained this malicious macro... which downloaded a component from the following location:
http ://morristonrfcmalechoir .org/143/368.exe
This is saved as %TEMP%\serebok2.exe and has detection rate of 8/56**. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:
212.227.89.182 (1&1, Germany)
The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55***."
* https://www.virustot...sis/1430390792/

** https://www.virustot...sis/1430390534/

*** https://www.virustot...sis/1430392218/


- http://myonlinesecur...dsheet-malware/
30 Apr 2015
Screenshot: http://myonlinesecur...-order-form.png

30 April 2015 : TELEPHONE PURCHASE ORDER FORM.doc - Current Virus total detections: 4/55*
... which downloads and runs nishatdairy .com/143/368.exe which is saved as %Temp%\serebok3.exe and autoruns (virus Total**)..."
* https://www.virustot...sis/1430379008/

** https://www.virustot...sis/1430379609/
___

Fake 'Statement' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Apr 2015 - "'Statement of Account 5905779365764954' (random number) coming from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...79365764954.png

30 April 2015 : random name : Extracts to: statement.exe | Account_info.exe | Docs_23131445.exe
Current Virus total detections: 1/55* |1/55** | 1/55*** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430384002/

** https://www.virustot...sis/1430384014/

*** https://www.virustot...sis/1430384178/
___

Fake 'Amended Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
30 Apr 2015 - "'Attached Amended Invoice 115784 Re D/N 103674. 9/4/15' pretending to come from  accounts@ procterscheeses .co.uk with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs... The email body is totally -blank-. This contains exactly the -same- malware as today’s earlier spam run of malicious word docs Telephone order form – Rebecca McDonnell — word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Nepal Earthquake Disaster - Email Scams
- https://www.us-cert....ter-Email-Scams
April 30, 2015 - "... potential email scams regarding the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for -fraudulent- charitable organizations commonly appear after these types of natural disasters..."
 

:ph34r:   :grrr:


Edited by AplusWebMaster, 30 April 2015 - 09:23 AM.



#1454 AplusWebMaster


Posted 01 May 2015 - 06:06 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware attached
- http://myonlinesecur...dsheet-malware/
1 May 2015 - "'Berendsen UK Ltd Invoice 60022446 344' pretending to come from donotreply@ berendsen .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...0022446-344.png

1 May 2015 : IRN001610_60022446_I_01_01.doc - Current Virus total detections: 2/56*
... which connects to & downloads laurelwoodvirginia .com/654/46.exe which is saved as %temp%\serebok5.exe and -autoruns- on your computer (virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430472222/

** https://www.virustot...sis/1430476073/
... Behavioural information
TCP connections
212.227.89.182: https://www.virustot...82/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

laurelwoodvirginia .com: 66.175.58.9: https://www.virustot....9/information/
___

Fake 'Claim' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 May 2015 - "'Copy of claim passed for consideration to HM Courts Ref: [random numbers] from [random companies]' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like this, but be aware that every email will have a -different- random claim number and -different- company listed as the claimant:

    SOVEREIGN MINES OF AFRICA PLC has issued the claim against you and passed for consideration to HM Courts Ref:[EK8013GUH].The claim was read, and passed to the second reading. For these or other notarial acts, or the legalising of documents, please contact  SOVEREIGN MINES OF AFRICA PLC as soon as posible.

So far I have seen:
- Copy of claim passed for consideration to HM Courts Ref:[EK8013GUH] from SOVEREIGN MINES OF AFRICA PLC
- Copy of claim passed for consideration to HM Courts Ref:[UK1751MQV] from FALKLAND OIL & GAS
- Copy of claim passed for consideration to HM Courts Ref:[EI6841DHZ] from BREEDON AGGREGATES LTD
- Copy of claim passed for consideration to HM Courts Ref:[BB1620VDT] from WILLIAM HILL PLC
- Copy of claim passed for consideration to HM Courts Ref:[FZ8349DFN] from GAZPROM OAO
- Copy of claim passed for consideration to HM Courts Ref:[WY4077WQJ] from Hardy Amies Ltd
- Copy of claim passed for consideration to HM Courts Ref:[GX0331SJB] from Nathaniel Lichfield and Partners
25 February 2015 : EI6841DHZ.doc | EK8013GUH.doc |  UK1751MQV.doc
Current Virus total detections: 0/56* | 0/56** | 0/56***
... at least one of these macros downloads from pastebin .com/download.php?i=XEKaxHCg and  verifed. acgfamilyoffices. com/ebn/logo.jpg (so far I have not been able to get the content but am still trying)..."
* https://www.virustot...sis/1430477322/

** https://www.virustot...sis/1430477337/

*** https://www.virustot...sis/1430477346/

- http://blog.mxlab.eu...ious-word-file/
May 1, 2015
> https://www.virustot...sis/1430480904/
File name: ZI2444LQN.doc
Detection ratio: 0/56
___

Fake 'Delivery confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 May 2015 - "'Delivery confirmation form for purchase BW91149JYA [random numbers]' from 30/04/15 coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Please fill out the attached form and return it to us.
    Best regards, Antonia Lang


The name in the body of the email matches the alleged sender. The purchase number in the subject matches the attachment name. The malware payload is exactly the -same- as the payload in today’s earlier spam run of malicious word docs 'Copy of claim passed for consideration to HM Courts Ref:...' – word doc or excel xls spreadsheet malware*. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
 

:ph34r:   :grrr:


Edited by AplusWebMaster, 02 May 2015 - 07:49 AM.

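The doc/xls reports in this post and the previous one (TELEPHONE PURCHASE ORDER FORM.doc, IRN001610_60022446_I_01_01.doc, the HM Courts claim documents) all carry a VBA macro that fetches the executable. As an added example, not code from the forum post or from the blogs it quotes, this Python check decides whether an Office attachment can carry macros before anyone opens it: OOXML packages are zips and keep VBA in a well-known vbaProject.bin member, while the legacy binary .doc/.xls files seen above are OLE2 containers that this check only identifies by magic number and flags for a deeper scan (their macro streams need an OLE parser such as oletools, which is not used here). The sample packages are constructed in memory.

```python
"""Detect macro-bearing Office attachments before a user can open them.

Added example (not code from the forum post or the blogs it quotes). For
OOXML documents the presence of VBA is confirmed from the zip member list
alone; legacy OLE2 files are only recognised and flagged for a deeper scan.
Sample files are constructed in memory.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header signature
ZIP_MAGIC = b"PK\x03\x04"                           # local file header of a zip

# Members that carry VBA inside OOXML packages (Word and Excel respectively).
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin")


def inspect_office_file(data):
    """Classify a document blob by the presence of macro-capable content.

    Returns one of:
      'ooxml-with-macros'  zip package containing a vbaProject.bin member
      'ooxml-no-macros'    zip package with no VBA member
      'ole2-needs-scan'    legacy binary Office file; macros cannot be
                           ruled out without parsing its OLE streams
      'not-office'         neither format
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-needs-scan"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package carries a content-types part at the root.
    if "[Content_Types].xml" not in names:
        return "not-office"
    if any(member in names for member in VBA_MEMBERS):
        return "ooxml-with-macros"
    return "ooxml-no-macros"


def build_package(with_vba, app="word"):
    """Construct a minimal OOXML-shaped zip for the demonstration.

    app is 'word' for a Word document or 'xl' for an Excel workbook; the
    parts written are placeholders, only the member names matter here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        if with_vba:
            zf.writestr(f"{app}/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "macro-enabled Word package (constructed)": build_package(True),
        "plain Word package (constructed)": build_package(False),
        "macro-enabled Excel package (constructed)": build_package(True, app="xl"),
        "legacy .doc header (constructed)": OLE2_MAGIC + b"\x00" * 504,
        "PDF header (constructed)": b"%PDF-1.4\n",
    }
    for label, blob in samples.items():
        print(f"{label}: {inspect_office_file(blob)}")
```

The OOXML result is definitive because Word and Excel only load VBA from that member; treat 'ole2-needs-scan' as a hold-and-inspect verdict rather than a pass, since every malicious .doc in the reports above is in that format.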


#1455 AplusWebMaster


Posted 04 May 2015 - 12:27 PM

FYI...

Fake 'Unaccepted account' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 May 2015 - "An email coming from random senders and random email addresses with subjects of  'Holded account notification' or 'Unaccepted account caution' or similar vaguely banking related subjects with a zip attachment is another one from the current bot runs... Some subjects seen with this series of spam emails are:
    Blocked bank operation report
    Holded account notification
    Unaccepted account caution
    Rejected operation warning
    Blocked transaction warning
Some attachment names are:
    block_warning_information.zip
    nullfication_alert_details.zip
    rejection_message_data.zip
    rejection_notification_form.zip
    invalidation_alert_document.zip
The email looks like:
    Be noted that your depositis rejected.
    Please see the report for detailed information.
    Susan Morgan
    Account Security Department

-Or-
    Be adviced that your payment not accepted.
    Please see the document for detailed information.
     Mary Roberts
    Senior Manager

-Or-
    We inform you that your fund not accepted.
    Please look the document for detailed information.
    Jane Jones
    Senior Manager


4 May : block_warning_information.zip | nullfication_alert_details.zip
Extracts to:  block_warning_report.exe | abrogation_warning_information.exe
Current Virus total detections: 1/55* | 1/55** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...0bbc1/analysis/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
91.211.17.201: https://www.virustot...01/information/
38.124.60.223: https://www.virustot...23/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/

** https://www.virustot...sis/1430748957/
... Behavioural information
TCP connections
104.130.28.231: https://www.virustot...31/information/
91.211.17.201: https://www.virustot...01/information/
38.124.60.223: https://www.virustot...23/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/

- https://isc.sans.edu...l?storyid=19657
2015-05-05
___

ACH Spam
- http://threattrack.t...846488/ach-spam
May 4, 2015 - "Subjects Seen:
    ACH Approval Letter
Typical e-mail details:
    The Automated Clearing House (ACH) application for your company has been processed and the payer unit number assigned is 029762. This number identifies to the Federal Reserve Bank of Cleveland the account to be debited and is required input in the “ABI ACH Payment Authorization Input Record.” It is the responsibility of the payer to use the correct payer unit number in every transaction in which statements are paid via ACH.
    You may begin paying statements via ACH.  If you are a Customhouse broker who is using ACH for the first time, please contact your ABI client representative to request that your ABI records be updated to permit ACH filing. If you are already using ACH for other importer statement transmissions, you do not need to contact your ABI client representative. If you are a new ABI importer, please contact your ABI client representative to ensure that the appropriate ABI records are updated to permit you to transmit entry summaries, which will be filed under ACH...
    If you have any questions, you may contact ACH Help Desk at (317) 298-1200, extension 1098.
    Sincerely,
    Cindi Miller, Chief
    Collections Refunds and Analysis Branch
    Revenue Division
    Thank You,
    Kirsten Anderson


Malicious File Name and MD5:
    ACH_Import_Information.scr (bc7bb730e98fcde7044251784e0d8ceb)


Tagged: ACH, Upatre
___

Macro Malware: Old Tricks still Work ...
- http://blog.trendmic...ll-work-part-1/
May 4, 2015 - "Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:
Microsoft Word security warning for macros:
> https://blog.trendmi...04/Figure01.jpg
... We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year. What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware. We saw that macro malware detections in Q1 2015 drove huge numbers:
Q1 2015 MS Word and Excel malware detections:
> https://blog.trendmi...04/Figure-2.jpg
This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:
- The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
- You can see X2KM_DLOADR detections around the start of February.
- A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the 2nd week of March
- Finally, W2KM_BARTALEX started picking up middle of February and was seen up to the last week of March... The macro code was instrumental in dropping the .DLL file that instated the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, had taken a much easier route of using the tired, old method of traditional malware. If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats... the right time has come and known threats are repackaged with old methods, resulting to what we now determine to be equally effective..."
___

Fiesta EK wreaks havoc on popular Torrent Site
- https://blog.malware...r-torrent-site/
May 4, 2015 - "... Beside the illegal nature of the act in some countries, many sites that index torrents are filled with aggressive ads and pop ups often tricking the user to run programs and other junk that they don’t need. To get the actual content you were looking for is often a battle that could end with some unwanted toolbars added to your browser, or worse, malware. Such is the case with popular Torrent index SubTorrents .com, a very popular Torrent in Spain and Latin America... Users trying to download their favourite TV show may end up getting more than they were looking for. Upon browsing the site, a malicious -redirection- silently loads the Fiesta exploit kit and associated malware payload. Fortunately, Malwarebytes Anti-Exploit users were shielded from this threat... Given the large amounts of ads on the site, it would have been fair to suspect a malvertising issue, but this was not the case here. Rather, the site itself has been -compromised- and serves a well hidden iframe... the author had some fun trying to make things a little more complicated. Rather than directly inserting a malicious iframe (to the exploit kit landing), they chose to build it on the fly by retrieving the content from an external .js... The exploit kit is Fiesta EK and we noticed a new format, where semi colons are now commas... Downloading illegal Torrents is dangerous business. On top of fake files that waste your time and bandwidth, users have to navigate through a sea of misleading ads and pop ups. They may end up saving a few bucks off that latest movie but could also risk a lot more, like getting a nasty malware infection. Ransomware being so prevalent these days could mean that all of user’s files, including those movies and songs could be encrypted and held for ransom. Regardless, it is important to stay safe from such attacks by keeping your computer up-to-date..."
(More detail at the malwarebytes URL above.)
 



Edited by AplusWebMaster, 05 May 2015 - 06:11 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1456 AplusWebMaster


Posted 05 May 2015 - 06:01 AM

FYI...

Fake 'INVOICE' SPAM - doc/xls malware attached
- http://myonlinesecur...dsheet-malware/
5 May, 2015 - "'Ref: DW95009KSG [random characters] from 05/05/15 for review' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email contains an image of an invoice downloaded from a website and looks like:

Screenshot: http://myonlinesecur...ew-1024x686.png

If you have your email client set to read in plain text only, then you get an email which just reads as pure garbled junk text.
5 May 2015 : DW95009KSG.doc - Current Virus total detections: 0/56* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430822826/
___

Smartphone Apps secretly connect to User Tracking and Ad Sites
Security researchers have developed an automated system for detecting Android apps that secretly connect to ad sites and user tracking sites.
- http://www.technolog...g-and-ad-sites/
May 1, 2015 MIT - "There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more -open- because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious. But because Google Play is more open, the apps it offers span a much wider quality range. Many connect to ad-related sites and tracking sites while some connect to much more dubious sites that are associated with malware. But here’s the problem — this activity often takes place without the owner being aware of what is going on. That’s something that most smartphone users would be appalled to discover — if only they were able to... In total, the apps connect to a mind-boggling 250,000 different urls across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific... Most users of these apps will have little, if any, knowledge of this kind of behavior..."
(More detail at the technologyreview URL above.)
 



Edited by AplusWebMaster, 05 May 2015 - 08:04 PM.



#1457 AplusWebMaster


Posted 06 May 2015 - 06:21 AM

FYI...

Fake 'SEPA' SPAM - malware attachment
- http://myonlinesecur...ayment-malware/
6 May 2015 - "'Urgent notice about your SEPA Payment' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    The SWIFT transaction, recently initiated from your company's online banking account, was aborted by the Electronic Payments Association.
    Aborted transfer
    SWIFT Processing Case ID     G10536592
    Transaction Amount     38058.65 Pounds sterling
    E-mail     info@thespykiller .co .uk
    Reason of rejection     View details
    Please click the address given at the top to see the statement with all details about this case.

-or-
    The online transaction, recently sent from your company's checking account, was cancelled by the other financial institution.
    Rejected transfer
    Transaction Case ID     R89716531
    Total     21696.96 GBP
    Billing E-mail     amy@hedgehoghelp .co .uk
    Reason for rejection     View details
    Please click the address you can find above to open the MS Word document with the full info about this problem.


There are dozens if not -hundreds- of different -dropbox- links with this series of spam emails. It is very likely that each one will have a different sha256# so the detections on VirusTotal might well be incorrect.
6 May 2015: online Payment6688.zip : Extracts to: Rejected SWIFT Transaction.doc Word Document_86535.scr Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430902669/
___

Fake 'Invoice 37333' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 May 2015 - "'Invoice 37333 from CONTRACT SECURITY SERVICES LIMITED' pretending to come from accounts3 <accounts3@ contractsecurity .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...CES-LIMITED.png

6 May 2015 : Inv_37333_from_CONTRACT_SECURITY_SERVICES_LTD_3000.doc
Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430904557/
___

Fake 'Check your requisite' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 May 2015 - "'Check your requisite' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

     Good morning
    Could You please check your requisite details under the contract #4HZKYN


The contract number in the body of the email matches the zip attachment name.
6 May 2015: QmXFW4.zip: Extracts to:  invalidation_invoice_report.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430906359/
... Behavioural information
TCP connections
166.78.246.145: https://www.virustot...45/information/
91.211.17.201: https://www.virustot...01/information/
184.164.97.239: https://www.virustot...39/information/
90.84.60.97: https://www.virustot...97/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'Transport' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 May 2015 - "Email from 'Transport for London' pretending to come from noresponse@ cclondon .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-for-London.png

6 May 2015 : AP0210780545.doc - Current Virus total detections: 2/57*
... which downloads from volpefurniture .com/111/46.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430908758/

** https://www.virustot...sis/1430909515/
... Behavioural information
TCP connections
62.152.36.90: https://www.virustot...90/information/
90.84.60.97: https://www.virustot...97/information/

volpefurniture .com: 192.254.142.34: https://www.virustot...34/information/

- http://blog.dynamoo....nsport-for.html
6 May 2015
... Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201
..."
___

ADP Invoice Spam
- http://threattrack.t...dp-invoice-spam
May 6, 2015 - "Subjects Seen:
    ADP invoice for week ending 05/06/2015
Typical e-mail details:
    Your most recent ADP invoice is attached for your review.
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


Malicious File Name and MD5:
    invoice_400119471.exe (222ddd63ab85f03ff344c4328e58896c)


Tagged: ADP, Upatre
___

IRS e-Help Desk Spam
- http://threattrack.t...-help-desk-spam
May 6, 2015 - "Subjects Seen:
    E-mail Receipt Confirmation - Ticket#SD0180867
Typical e-mail details:
    The IRS e-help Desk has received your email on 05/06/15. A case has been opened in response to your question or issue.
    Your case ID is : SD0180867
    Details about this case has been attached.
    If additional contact is necessary, please reference this case ID.
    You will receive a reply within two business days.
    Thank you for contacting the IRS e-help Desk.


Malicious File Name and MD5:
    SD743299.exe (222ddd63ab85f03ff344c4328e58896c)


Tagged: IRS, Upatre
 



Edited by AplusWebMaster, 06 May 2015 - 02:59 PM.



#1458 AplusWebMaster


Posted 07 May 2015 - 05:55 AM

FYI...

Fake 'order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 May 2015 - "'You order form:[XY12469DMM] from 06/05/15 recived; MYTRAH ENERGY LTD' ... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

We have received your order form [XY12469DMM]  and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.
 As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.
 The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.
Best regards, Hallie Foreman
MYTRAH ENERGY LTD


7 May 2015 : XY12469DMM.doc - Current Virus total detections: 0/56*
The malicious macro in this example tries to connect to pastebin .com/download.php?i=VTd9HVkz where it downloads an encrypted/encoded text file which in turn is used to contact http ://91.226.93.14/stat/get.php and downloads test.exe (VirusTotal**). This also attempts to download an image from savepic .org/7260406.jpg... why or what purpose this is used for except to try to persuade you that the file is innocent. This image is of an orthodox Jewish man, but yesterday’s malicious word docs tried to use an image of the Russian President Vladimir Vladimirovich Putin...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430990065/

** https://www.virustot...sis/1430990250/
... Behavioural information
TCP connections
46.36.217.227: https://www.virustot...27/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

91.226.93.14: https://www.virustot...14/information/
___

Fake 'invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 May 2015 - "'Your invoice from Price & Company 01537833 REP' pretending to come from focus@ price-regency .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email looks like:

    Attached is your invoice 01537833.

7 May 2015 : 01537833.doc - Current Virus total detections: 2/52*
... which tries to connect to hmcomercial .com.br/75/47.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430990459/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 May 2015 - "'Payslip for period end date 30/04/2015' pretending to come from noreply@ fermanagh .gov .uk with a zip attachment is another one from the current bot runs... The email when it arrives working looks like:

    Dear administrator
    Please find attached your payslip for period end 30/04/2015
    Payroll Section
    ————


7 May 2015: payslip.zip: Extracts to: payslip.exe
Current Virus total detections: 0/58 (virus Total currently down so will update later)
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake 'Credit Note' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 May 2015 - "'Credit Note' pretending to come from sales@ scspackaging .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Thank you very much for getting in touch.
     Please find credit attached.
    Apologies for any inconvenience, we hope this covers everything.
     If you have any queries please don’t hesitate to get in touch.
     Thank you
    Regards
     SCS


7 May 2015: Credit Note.doc ... -same- malware payload as today’s earlier malicious word docs 'Your invoice from Price & Company 01537833 REP – word doc or excel xls spreadsheet malware'* although the copy I saw used a -different- download location. There are numerous different download locations around... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Lloyds Bank Spam
- http://threattrack.t...loyds-bank-spam
May 7, 2015 - "Subjects Seen:
    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 7262921/
Typical e-mail details:
    Please find attached our document pack for the above customer. Once completed please return via email to the below address.
    If you have any queries relating to the above feel free to contact us at
    MN2Lloydsbanking@ lloydsbanking .com


Malicious File Name and MD5:
    ReportonTitle770415.1Final 1.exe (8178ad46a72c44cdb9a6146f0952d5bf)


Tagged: Lloyds Bank, Upatre
___

Malvertising strikes dozens of top adult sites
- https://blog.malware...op-adult-sites/
May 7, 2015 - "We have been observing a very large malvertising campaign affecting dozens of top adult sites over the past week. All these attacks have a common element, a Flash based infection via a rogue advertiser abusing the AdXpansion ad network... this particular campaign is quite noticeable due to the number of sites affected and their popularity. According to stats from SimilarWeb .com, these adult portals account for a combined 250+ million monthly visits.
    drtuber .com 60.2 M
    nuvid .com 46.5 M
    hardsextube .com 43.7 M
    justporno .tv 32.5 M
    alphaporno .com 24.9 M
    eroprofile .com 18 M
    pornerbros .com 16.6 M
    pichunter .com 6.6 M
    iceporn .com 6.4 M
    tubewolf .com 6.2 M
    winporn .com 5.4 M
As we have seen lately, more and more malvertising attacks are self-contained. The same fraudulent Flash advert is also used as the exploit, making it much more streamlined and sometimes hard to pinpoint. The advert displaying sexual enhancement drugs, is loaded with malicious code that will immediately attempt to exploit the visitor, regardless of whether they click on the ad or not... The bogus advert can exploit Flash Player up until version 17.0.0.134, released less than two months ago... The malware payload may vary but could result in multiple different malicious binaries dropped via a Neutrino-like EK (credit Kafeine*)..."
* http://malware.dontn...700134-and.html
"... As spotted by FireEye on 2015-04-17**, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player (17.0.0.169)..."
** https://www.fireeye....exploiting.html
Apr 18 2015
___

Rombertik malware ...
- https://blog.malware...bout-rombertik/
May 6, 2015 - "... What’s mostly uncommon about Rombertik is that, unlike much of the other malware in circulation today, Rombertik will -trash- the user’s hard drive if certain hash values don’t line up. This is an uncommon practice in malware, although it does happen on occasion. Recall that the malware involved in the Sony Pictures hack of last year did the same thing, and even earlier attacks were happening against banks in South Korea that did the same thing... Unlike those examples though, Rombertik doesn’t appear to be a state-sponsored malware. Instead, it mostly appears in phishing messages and other spam which will fall into the hands of everyday users. Much like everyday malware, most of Rombertik’s actions aren’t too unique. When looking at the picture depicting Rombertik’s course of action*, it's noted the malware performs a lot of the same techniques seen in malware over the last several years; things like creating “excessive activity” to blow up procmon logs or having the binary overwrite itself in memory with unpacked code (Run PE) isn’t anything new in the world of malware.
* https://blogs.cisco....ise-flow-wm.png
... In the case of Rombertik, the malware writes random bytes to memory many times before proceeding execution. This would be something that conventional malware sandboxes don’t account for, and therefore would be considered an anti-sandbox technique... For the full report on Rombertik by Talos, click here**."
** http://blogs.cisco.c...talos/rombertik
May 4, 2015 - "... Rombertik is a complex piece of malware with several layers of obfuscation and anti-analysis functionality that is ultimately designed to steal user data.  Good security practices, such as making sure anti-virus software is installed and kept up-to-date, -not- clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users. However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially..."

- https://atlas.arbor.net/briefs/
May 7, 2015 - "... Rombertik was the subject of recent reports. This new version employs numerous methods to -evade- sandbox forensics, including an attempt to overwrite the MBR if it believes it is being analyzed in memory. A recent spearphishing campaign against Taiwanese government officials targeted the victims through a common consumer grade messaging application. Regardless of the types of applications in use (enterprise or BYOD), attackers will leverage any possible vector in their attempts to fulfill campaign objectives..."
 



Edited by AplusWebMaster, 11 May 2015 - 05:28 PM.



#1459 AplusWebMaster


Posted 08 May 2015 - 04:36 AM

FYI...

Fake 'Scanned tickets' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
8 May 2015 - "'Scanned tickets' pretending to come from Rebecca De Mulder <milestoneholdings@ yahoo .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Afternoon
    Attached are the tickets  you have requested
    Kinds Regards kath
    Milestone Holdings
    Tel:   01676 541133
    Mob: 07976 440015


08 May 2015: scan0079.xls - Current Virus total detections: 3/56*
Automatic analysis has not detected any network activity or malware download so far. Once we have full details of other analysis we will update this.
Update: manual analysis gives http ://wesleychristianschool .org/43/83.exe as the download location
(VirusTotal**). Note with these there will be -numerous- different macros with different download locations all giving the -same- actual malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431073205/

** https://www.virustot...sis/1431074156/
... Behavioural information
TCP connections
62.152.36.90: https://www.virustot...90/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/

wesleychristianschool .org: 192.185.166.117: https://www.virustot...17/information/
___

PayPal Phish ...
- https://blog.malware...-phishing-scam/
May 8, 2015 - "There’s a “Your account has been limited” email in circulation, targeting users of PayPal. The mail, which (bizarrely) claims to come from servicesATapple .com, claims that the account needs to be unlocked by confirming the potential victim’s identity.
> https://blog.malware...015/05/ppl1.jpg
The Email reads as follows:
Your Account PayPal Has Been Limited !
Dear Customer,
To get back into your PayPal account, you'll need to confirm your identity.
It's easy:
Click on the link below or copy and past the link into your browser.
Confirm that you're the owner of the account, and then follow the instructions.


The link leads to a .ma URL, which is the country code for Morocco:
confirm-identity(dot)me(dot)ma
The page is currently offline, but there’s a collection of related websites with similar URLs as per this VirusTotal page*.
* 72.55.165.59: https://www.virustot...59/information/
Some of these have been taken down, a few are still live so it’s probable there are multiple email campaigns leading to each of the -fake- sites... In -all- cases, delete the mail and don’t click on the URLs which aren’t official PayPal domains or secured with https (occasionally phish pages use https, but they’re pretty rare)..."
___

Word Macro Spam
- http://threattrack.t...word-macro-spam
May 8, 2015 - "Subjects Seen:
    #3zLT5
    #LvaX6
    ID: MrYSk

Typical e-mail details:
    Sent from my ipad

Malicious File Name and MD5:
    99HOaFRD.doc (6162c6b0abc8cab50b9d7c55d71e08fe)


Tagged: Word doc Macro, Upatre, iPad, dyre
___

Ad Network Compromised, Users Victimized by Nuclear Exploit Kit
- http://blog.trendmic...ar-exploit-kit/
May 7, 2015 - "MadAdsMedia, a US-based web advertising network, was -compromised- by cybercriminals to lead the visitors of sites that use their advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia.
This attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly as May started, with the peak of 12,500 daily affected users reached on May 2:
> https://blog.trendmi.../05/MadAds1.jpg
We initially thought that this was another case of malvertising, but later found evidence that said otherwise. Normal malvertising attacks involve the -redirect- being triggered from the advertisement payload registered by the attacker. This was not evident in the MadAdsMedia case... We found in our investigation that the URL didn’t always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server... This led us to the conclusion that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit. MadAdsMedia serves a variety of websites globally, and several of the affected sites appear to be related to anime and manga. The Flash exploits in use are targeting CVE-2015-0359*, a vulnerability that was patched only in April of this year. Some users may still be running -older- versions of Flash and thus be at risk. The Flash exploits are being delivered by the Nuclear Exploit Kit, a kit that has been constantly updated to add new Flash exploits and has been tied to crypto-ransomware... Attacks like these highlight the importance for ad networks to keep their infrastructure secure from attacks. Making sure that web servers and applications are secure will help ensure the protection of the business and their customers. End users, on the other hand, are advised to keep popular web plugins up to date. Users with the latest versions of Adobe Flash would not have been at risk. Monthly Adobe updates are released at approximately the same time as Patch Tuesday (the second Tuesday of each month); this would be a good time for users to perform what is, in effect, preventive maintenance on their machines..."
* https://web.nvd.nist...d=CVE-2015-0359
Last revised: 04/22/2015 - "Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x -before- 17.0.0.169 on Windows and OS X and -before- 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors..."
 



Edited by AplusWebMaster, 09 May 2015 - 01:37 PM.

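Added example (not code from this forum or from any of the quoted blogs): a small Python triage routine for the members of an extracted zip attachment. It covers the spoofed-icon lures the posts keep describing (a .doc.scr, or a bare .exe with a PDF icon, that Explorer shows as a document when known extensions are hidden) and a legacy .doc whose bytes are MIME/HTML text rather than an OLE2 container. The extension sets, magic bytes and all sample entries below are constructed for the example.

```python
"""Triage extracted e-mail attachments by name and by leading bytes (added example)."""
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Extensions Windows runs on double-click (constructed subset for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient expects to open harmlessly in a viewer.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf"}

PE_MAGIC = b"MZ"                                   # Windows executable header
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx are zip files
PDF_MAGIC = b"%PDF"
RTF_MAGIC = b"{\\rtf"
MIME_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related")


@dataclass
class Verdict:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def split_name(name: str) -> Tuple[str, str]:
    """'Privacy Policy.doc.scr' -> ('Privacy Policy.doc', '.scr')."""
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def explorer_display_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final registered extension is dropped, so a .doc.scr reads as .doc."""
    base, ext = split_name(name)
    return base if ext in EXECUTABLE_EXTS | DOCUMENT_EXTS else name


def triage(name: str, data: bytes) -> Verdict:
    """Flag one extracted attachment by its name and by its first bytes."""
    v = Verdict(name)
    base, ext = split_name(name)
    low = base.lower()
    head = data[:1024]

    # 1. Double-extension lure: a document extension sits just before the one that runs.
    if ext in EXECUTABLE_EXTS and any(low.endswith(d) or d + " " in low for d in DOCUMENT_EXTS):
        v.findings.append(f"double extension: shown as '{explorer_display_name(name)}', runs as {ext}")

    # 2. Content check: a PE header means it executes whatever the name claims.
    if head.startswith(PE_MAGIC):
        v.findings.append("PE executable" + ("" if ext in EXECUTABLE_EXTS
                                             else f" disguised as {ext or 'no extension'}"))

    # 3. Legacy Office extension whose bytes are not an OLE2 container; MIME/HTML
    #    text under a .doc name is the unusual structure one of the posts describes.
    if ext in (".doc", ".xls") and not head.startswith(OLE2_MAGIC):
        if any(m in head for m in MIME_MARKERS):
            v.findings.append("MIME/MHTML text with a legacy Office extension")
        elif head.startswith(ZIP_MAGIC):
            v.findings.append("OOXML zip container with a legacy Office extension")
        elif not head.startswith(RTF_MAGIC) and not head.startswith(PE_MAGIC):
            v.findings.append("legacy Office extension with unrecognised content")

    # 4. A .pdf whose bytes are not a PDF (the PE case is already reported above).
    if ext == ".pdf" and not head.startswith(PDF_MAGIC) and not head.startswith(PE_MAGIC):
        v.findings.append("PDF extension with non-PDF content")
    return v


def triage_archive(entries: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Triage every member of an extracted zip; returns {name: findings} for flagged ones."""
    return {v.name: v.findings for v in (triage(n, d) for n, d in entries) if v.suspicious}


# Constructed sample entries shaped like the attachment names discussed in the thread.
SAMPLE_ENTRIES = [
    ("Privacy Policy.doc.scr", PE_MAGIC + b"\x90\x00" * 30),
    ("Rejected SWIFT Transaction.doc Word Document_86535.scr", PE_MAGIC + b"\x00" * 60),
    ("payslip.exe", PE_MAGIC + b"\x00" * 60),                       # PDF icon, no double extension
    ("payment_details.doc", b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"b\"\r\n"),
    ("quarterly.doc", OLE2_MAGIC + b"\x00" * 56),                   # genuine legacy container
    ("invoice.pdf", b"%PDF-1.4\n%constructed sample\n"),
]

if __name__ == "__main__":
    for name, findings in triage_archive(SAMPLE_ENTRIES).items():
        print(f"{name!r} (shown as {explorer_display_name(name)!r}): {'; '.join(findings)}")
```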


#1460 AplusWebMaster


Posted 11 May 2015 - 07:45 AM

FYI...

Fake 'Fax' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 May 2015 - "'Patio furniture- Levy, Port St. Lucie' coming from random email addresses and random names with a zip attachment is another one from the current bot runs... The email looks like:
    Attention:
    Please see attached letter. I await your immediate response.
    Thank you,
    Anne Levy


11 May 2015: ONE example PutkTvy9XAf.zip: Extracts to: Fax_wqe32rq2vgwb_data.exe
Current Virus total detections: 0/56*. All the attachments have random names and extract to random names and numbers but all appear to start with -fax- so far today. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431341851/
___

Fake 'Water Line' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 May 2015 - "'Huntsman Way Water Line' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
     HI,
    Was a pleasure talking with you again this morning.
    Find attached the quote you requested for your bid.
    Please contact us if you have any questions.
    Have a great day!
    Respectfully,
    Steve Geissen
    Estimating / Outside Sales (Beaumont / Lufkin)
    O:(409)813-2796 F:(409)813-2623 M:(409)363-3038 ...


11 May 2015: 8fs77CjN2XXh.zip: Extracts to:  Invoice_w543245345_4323.exe
Current Virus total detections: 3/56*. Another version, as these appear to have random sizes and contents: N3dQrS51H469.zip extracts to Fax_11112436_4323.exe
Current Virus total detections: 8/57** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431355859/

** https://www.virustot...sis/1431358936/
... Behavioural information
TCP connections
104.130.28.231: https://www.virustot...31/information/
91.211.17.201: https://www.virustot...01/information/
67.219.166.113: https://www.virustot...13/information/
88.221.14.249: https://www.virustot...49/information/
___

Fake 'Payment details' SPAM - doc malware attachment
- http://blog.dynamoo....s-and-copy.html
11 May 2015 - "... using the analysis of an anonymous source (thank you)..
    From:    Kristina Preston [Kerry.df@ qslp .com]
    Date:    11 May 2015 at 12:56
    Subject:    Payment details and copy of purchase [TU9012PM-UKY]
    Dear [redacted]
    On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Kristina Preston
    Brewin Dolphin


The names and references -change- between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is some sort of MIME file containing a mixture of HTML and Base64-encoded segments... source has analysed that this downloads a VBS file from Pastebin... which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia). This binary has a detection rate of 2/56* and according to automated analysis tools... it communicates with:
46.36.217.227 (FastVPS, Estonia)
It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56**.
Recommended blocklist:
46.36.217.227
91.226.93.14
"
* https://www.virustot...sis/1431349548/
... Behavioural information
TCP connections
46.36.217.227: https://www.virustot...27/information/
88.221.14.249: https://www.virustot...49/information/

** https://www.virustot...1def8/analysis/

- http://blog.mxlab.eu...ious-word-file/
May 11, 2015
- https://www.virustot...66762/analysis/
Detection ratio: 1/56
Analysis date: 2015-05-11 14:33:59 UTC
___

Fake 'Fiserv' SPAM - zip malware attached
- http://blog.mxlab.eu...-upatre-trojan/
May 11, 2015 - "... intercepted a new trojan distribution campaign by email with the subject 'Fiserv Secure Email Notification – 8715217'. This email is sent from the -spoofed- address “Fiserv Secure Notification <secure.notification@ fiserv .com>” and has the following body:
    You have received a secure message
    Read your secure message by opening the attachment, SecureFile.zip.
    The attached file contains the encrypted message that you have received.
    To read the encrypted message, complete the following steps:
    – Double-click the encrypted message file attachment to download the file to your computer.
    – Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
    To access from a mobile device, forward this message to mobile@ res .fiserv .com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.362.9972.
    2000-2015 Fiserv Secure Systems, Inc. All rights reserved.


The attached file SecureFile8715217.zip contains the 37 kB large file SecureFile.exe. The trojan is known as Virus.Win32.Heur.c, W32/Upatre.E3.gen!Eldorado, UDS:DangerousObject.Multi.Generic or Trojan.Win32.Qudamah.Gen.5. At the time of writing, 8 of the 56 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...a45f6/analysis/
File name: SecureFile.vxe
Detection ratio: 9/56
Analysis date: 2015-05-11 15:01:00 UTC
___

"Breaking Bad" themed ransomware - Fake PDF attachment ...
- http://net-security....ews.php?id=3035
11.05.2015 - "A new type of ransomware is targeting Australian users, and its creators have decided to have some fun and express their love for the popular US TV show 'Breaking Bad' while trying to 'earn' some money:
> http://www.net-secur...os-11052015.jpg
It encrypts the usual assortment of file types - images, documents, audio and video files, archive and database files - with a random Advanced Encryption Standard (AES) key, which is then encrypted with an RSA public key. 'The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called PENALTY.VBS, which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file' Symantec researchers shared:
> http://www.symantec....ware-found-wild
.
>> http://www.symantec....-050723-5132-99
The crooks ask for the -ransom- to be paid in Bitcoin, and instruct victims on how to do this via a legitimate YouTube tutorial... the malware can be pretty damaging. The best protection against this type of destructive malicious software is to back up important files regularly."

>> http://www.symantec....e-how-stay-safe
___

Xerox Fax Spam
- http://threattrack.t.../xerox-fax-spam
May 11, 2015 - "Subjects Seen:
    You have received a new fax
Typical e-mail details:
    You have received fax from XEROX23685428 at <email domain>
    Scan date: Mon, 11 May 2015 15:40:57 +0100
    Number of page(s): 29
    Resolution: 400x400 DPI
    Name: Fax3516091


Malicious File Name and MD5:
    IncomingFax.exe (c6c2d72f2b36e854f51ff92680969918)


Tagged: Xerox, Upatre
___

Compromised .gov redirects to Apple ID Phish
- https://blog.malware...apple-id-phish/
May 11 2015 - "... a .gov .vn URL which was redirecting to a -phishing- expedition for Apple IDs... the email which sported a particularly French flavour:
> https://blog.malware...applephish1.jpg
... victim was sent to: skintesting(dot)com(dot)au/components/com_mailto/views/sent/tmpl/auth/
which looked like yet another compromised domain, asking for Apple login credentials:
> https://blog.malware...applephish3.jpg
... A .gov site is always going to be a juicy target for scammers so it’s crucial Admins keep everything patched and up to date – tracking back to where and how an attacker got in can be a long, arduous process. As for Apple ID owners, always -verify- you’re on the correct page before entering login details. Unless you specifically asked Apple to send you a link for some reason (a password reset, for example) then you should -avoid- random URLs sent your way*..."
* https://www.apple.co...pleid/security/

skintesting .com .au: 192.185.109.233: https://www.virustot...33/information/


Edited by AplusWebMaster, 11 May 2015 - 12:54 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1461 AplusWebMaster

Posted 12 May 2015 - 05:16 AM

FYI...

Fake 'invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
12 May 2015 - "'Copy of your 123-reg invoice ( 123-015309323 )' pretending to come from no-reply@ 123-reg .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-015309323-.png

12 May 2015 : 123-reg-invoice.doc - Current Virus total detections: 5/57*
... this particular macro downloads greenmchina .com/432/77.exe (VirusTotal**) other macros will download the same malware from other locations... Other download locations so far are:
http ://hydrocapital .com/432/77.exe
http ://fosteringmemories .com/432/77.exe
http ://k-insects .com/432/77.exe
http ://andrewachsen .com/432/77.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431420411/

** https://www.virustot...sis/1431420983/
... Behavioural information
TCP connections
37.143.15.116: https://www.virustot...16/information/
5.178.43.49: https://www.virustot...49/information/

- http://blog.dynamoo....ur-123-reg.html
12 May 2015
"... Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201
"
___

Fake 'contract' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 May 2015 - "'CITY OF PORT Arthur – STORM SEWER Project' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Please see attachment for contract.  Please sign and return.
    Thanks
    Fred Stepp – Office Manager
    McInnis Construction, Inc.,
    675 South 4th Street
    Silsbee, Texas 77656
    email: fred@ mcinnisprojects .com
    Phone: 409-385-5767
    Fax: 409-385-2483


12 May 2015: m7Tfq4u1cS5i.zip: Extracts to:  contract_DGSASGQ34G_erwr.exe
Current Virus total detections: 23/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431424842/
___

Fake 'Outstanding Invoices' SPAM - malicious attachment
- http://blog.dynamoo....g-invoices.html
12 May 2015 - "This -spam- comes with random senders and reference numbers, but in all cases includes a malicious attachment:
    From:    Debbie Barrett
    Date:    12 May 2015 at 11:14
    Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]
    Dear anthony,
    Kindly find attached our reminder and copy of the relevant invoices.
    Looking forward to receive your prompt payment and thank you in advance.
    Kind regards


The attachment name combines the recipient's email address with the -fake- reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools* manage to analyse it though, showing several steps in the infection chain. First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu
Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe; this has a detection rate of 2/57.**
This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56***. There are several different attachments... Recommended blocklist:
92.63.88.0/24
46.36.217.227
"
* https://www.hybrid-a...environmentId=4

** https://www.virustot...sis/1431431603/

*** https://www.virustot...sis/1431432524/
___

Australian Tax Office Spam
- http://threattrack.t...tax-office-spam
May 12, 2015 - "Subjects Seen:
    Australian Taxation Office - Refund Notification
Typical e-mail details:
    IMPORTANT NOTIFICATION
    Australian Taxation Office - 12/05/2015
    After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 0736.22 AUD.
    For more details please follow the steps bellow :
    - Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
    - Select the location into which you want to download the file and choose Save.
    - Unzip the attached file.
    Iris Simmons,
    Tax Refund Department
    Australian Taxation Office


Malicious File Name and MD5:
    ATO_TAX_724491.exe (3da854cd500c3cb5b86df19e151503cc)


Tagged: ATO, Upatre


Edited by AplusWebMaster, 12 May 2015 - 09:20 AM.



#1462 AplusWebMaster

Posted 13 May 2015 - 05:53 AM

FYI...

Fake 'WhatsApp audio letter' SPAM – mp3 malware
- http://myonlinesecur...ke-mp3-malware/
13 May 2015 - "'You just accepted an audio letter! v8p' pretending to come from WhatsApp with a zip attachment is another one from the current bot runs... The email looks like:

     Savion Dale

13 May 2015:  72katheryne.zip : Extracts to:   montag.mp3  _______________________________________.exe

Current Virus total detections: 15/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper mp3 file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431496654/
___

Fake 'PAYMENT ACCOUNT DETAILS' SPAM - malware
- http://myonlinesecur...-67000-malware/
13 May 2015 - "'PAYMENT ACCOUNT DETAILS CONFIRMATION OF $67,000' pretending to come from jimmy cliff <jimmycliff2015@ hotmail .com> (email headers show that this does appear to be coming via Hotmail, so we have to assume a hacked/compromised Hotmail account) with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Sir
    Please, confirm your bank details in your invoice before we proceed with
    your payment to avoid mistakes that can lead to delay.
    Best Regards,
    Afraa Shaymaa Maloof
    PURHASING MANAGER
    mediondirect INT.
    708 N VALLEY ST STE C
    ANAHEIM CA 92801-3837


Todays Date: BANK DETAILS.zip (1,288,813 bytes): Extracts to: PO#0001BH04_20_15.zip
... which in turn extracts to  PO#0001BH04_20_15.exe - Current Virus total detections: 21/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431502495/
___

Fake 'Invoice #00044105' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 May 2015 - "'Invoice #00044105; From Deluxebase Ltd' pretending to come from Anna <anna@ deluxebase .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hello
    Thank you for your order which has been dispatched, please find an invoice for the goods attached.
    Please contact us immediately if you are unable to detach or download your Invoice.
    As a valued customer we look forward to your continued business.
    Regards
    Accounts Department
    Deluxebase Ltd ...


13 May 2015 : ESale.doc - Current Virus total detections: 5/55*
... which downloads sundialcompass .com/58/39.exe (VirusTotal**) other versions of these macros will deliver a download from other locations. They will all be the same malware.
Other download locations so far discovered are:
http ://fundacionsidom .com .ar/58/39.exe | http ://cartermccrary .com/58/39.exe |
http ://clin .cn/58/39.exe ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431505840/

** https://www.virustot...sis/1431506138/
... Behavioural information
TCP connections
37.143.15.116: https://www.virustot...16/information/
88.221.14.249: https://www.virustot...49/information/
___

Fake 'INVOICE No.517-01' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 May 2015 - "'INVOICE No. 517-01 FOR WORK AT CRYSTAL BEACH' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    in the attachment

13 May 2015: OX6qoPp98h48.zip: Extracts to: scan_32r23rf234gt34_3424ef.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431513162/
___

Fake 'Financial info' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 May 2015 - "An email with the subject of 'Financial information' or 'Important information' or 'Need your attention, Important notice' coming from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment that is named after the email recipient is another one from the current bot runs... The email looks like:
    Good morning
    Please find attached a remittance advice, relating to a payment made to you.
    Many thanks
    Regards,
    Madeline Mosley
    Seniour Finance Assistant

-Or-
    Good Afternoon,
    We have received a payment from you for the sum of £ 670.  Please would you provide me with a remittance, in order for me to reconcile the statement.
    I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1515  less the £3254.00 received making a total outstanding of £ 845.  We would very much appreciate settlement of this.
    As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.
    If you need any copy invoices please do not hesitate to contact us
    Regards,
    Victoria Barnett

-Or-
    Good Afternoon,
    Please see attached the copy of the remittance.
    Please can you send a revised statement so we can settle any outstanding balances.
    Kind Regards,
    Ingrid Hammond
     

13 May 2015: ron.schorr_AD8441271C40.doc | xerox.device1_D9A263380D.doc
Current Virus total detections: 0/56* | 0/56**  both macros eventually download 91.226.93.110/bt/get1.php which is saved as crypted.120.exe (VirusTotal***) after going through a download from pastebin which gives the download location in encoded form... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431512840/

** https://www.virustot...sis/1431512565/

*** https://www.virustot...sis/1431512119/
... Behavioural information
TCP connections
159.253.20.116: https://www.virustot...16/information/
88.221.15.80: https://www.virustot...80/information/

91.226.93.110: https://www.virustot...10/information/

- http://blog.dynamoo....-need-your.html
13 May 2015
"... Recommended blocklist:
46.36.217.227
91.226.93.110
"
___

Fake 'ACH' SPAM - PDF malware
- http://myonlinesecur...-pdf-malware-2/
13 May 2015 - "'ACH – Bank account information form' pretending to come from Kris Longoria <Kris.Longoria@ jpmchase .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please fill out and return the attached ACH form along with a copy of a voided check.
    Kris Longoria,
    JPMorgan Chase
    GRE Project Accounting
    Vendor Management & Bid/Supervisor...


13 May 2015: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431533270/
___

Fake 'Bond Alternative' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 May 2015 - "'Surety Bond Alternative' coming from random names and email addresses with a random named zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Alternative.png

12 May 2015: XwJ4IR8V0F1ar.zip: Extracts to:  invoice_ghrt6h65h_fwefw3.exe
Current Virus total detections: 2/56* (one example only, all these have different sha256 # and a random selection of file names). This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431536544/
___

Dyre Botnet using malicious Word Macros
- http://www.threattra...ft-word-macros/
May 11, 2015 - "The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document -macros- instead of the usual executable types, such as .exe files contained in a .zip. Dyre’s Hedsen spambot*, responsible for the bulk of Upatre emails we’ve been tracking, now uses a template to send infected-macro Word files as spam attachments in hopes that the end user will click the attached .doc file and infect their system. This is a noticeable change in behavior for this particular spambot. As always, users should -disable- Macros in Office documents, and avoid the temptation to open suspicious attachments..."
> http://www.threattra...15/05/Macro.jpg

* http://www.threattra...ificates-https/
"...  Dyre was increasing its target range and altering the type of spambots it uses..."

** http://www.threattra...-more-websites/


Edited by AplusWebMaster, 13 May 2015 - 03:42 PM.

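Both lures that recur in the posts above (executables hiding behind a spoofed document or media icon, and .doc/.xls attachments that are really MIME files) can be caught before a user ever sees the icon. The following triage logic is an added example, not code from any of the quoted blogs; the file contents it feeds in are constructed stand-ins that only mimic the quoted file names.

```python
"""Attachment triage for the two lures that recur in the posts above.

Added example, not code from any of the quoted blogs. It flags
  1. executables disguised as documents or media: a decoy extension before the
     real one ('Privacy Policy.doc.scr') or a long run of spaces/underscores that
     pushes '.exe' out of a narrow file-list column ('montag.mp3  ____.exe'), and
  2. .doc/.xls attachments whose bytes are not an Office container at all but a
     MIME (MHTML) text file, the carrier noted for barry_51DDAF.xls.
All sample inputs are constructed in memory and only mimic the quoted names.
"""
from __future__ import annotations

import io
import os
import re
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt"}
DECOY_RE = re.compile(r"\.(docx?|xlsx?|pdf|mp3|jpe?g|png|txt|rtf)(?=[\s_]|$)", re.I)
PADDING_RE = re.compile(r"[ _]{8,}")

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx (and plain .zip)
RTF_MAGIC = b"{\\rtf"
MIME_RE = re.compile(rb"^(MIME-Version:|Content-Type:\s*multipart/)", re.I | re.M)


def name_findings(name: str) -> list[str]:
    """Findings based purely on the file name (what the user sees in Explorer)."""
    base = name.rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    found = []
    if ext in EXEC_EXTS:
        found.append(f"executable extension {ext}")
        stem = base[: -len(ext)]
        decoy = DECOY_RE.search(stem)
        if decoy:
            found.append(f"decoy extension .{decoy.group(1).lower()} before {ext}")
        if PADDING_RE.search(stem):
            found.append("padding hides the real extension")
    return found


def content_findings(name: str, head: bytes) -> list[str]:
    """Findings based on the leading bytes, which the icon does not reflect."""
    ext = os.path.splitext(name)[1].lower()
    found = []
    if head.startswith(b"MZ") and ext not in EXEC_EXTS:
        found.append(f"PE image (MZ header) behind non-executable extension {ext or '(none)'}")
    if ext in OFFICE_EXTS and not head.startswith((OLE_MAGIC, ZIP_MAGIC, RTF_MAGIC)):
        if MIME_RE.search(head):
            found.append(f"{ext} is a MIME/MHTML text file, not an Office container")
        else:
            found.append(f"{ext} has an unrecognised header {head[:8]!r}")
    return found


def triage_attachment(name: str, data: bytes) -> dict[str, list[str]]:
    """Return {path: findings}; a .zip attachment is expanded one level deep.

    Only entries with at least one finding are reported, so {} means nothing
    suspicious was seen (which is not the same as clean).
    """
    report: dict[str, list[str]] = {}

    def check(path: str, head: bytes) -> None:
        findings = name_findings(path) + content_findings(path, head)
        if findings:
            report[path] = findings

    if os.path.splitext(name)[1].lower() == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                with archive.open(info) as member:
                    check(f"{name}/{info.filename}", member.read(4096))
    else:
        check(name, data[:4096])
    return report


def build_samples() -> dict[str, bytes]:
    """Constructed inputs that only mimic the file names quoted in the posts."""
    fake_pe = b"MZ" + b"\x00" * 62                      # constructed PE stub
    mhtml = (b"MIME-Version: 1.0\r\n"
             b'Content-Type: multipart/related; boundary="----=_b"\r\n\r\n'
             b"------=_b\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n------=_b--\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Privacy Policy.doc.scr", fake_pe)
        archive.writestr("montag.mp3  _______________________________________.exe", fake_pe)
        archive.writestr("Fax_11112436_4323.exe", fake_pe)
        archive.writestr("readme.txt", b"plain text, nothing to flag")
    return {
        "lure.zip": buf.getvalue(),
        "barry_51DDAF.xls": mhtml,                       # macro-dropper carrier
        "statement.doc": OLE_MAGIC + b"\x00" * 64,       # genuine-looking container
        "invoice.pdf": fake_pe,                          # PE behind a .pdf name
    }


if __name__ == "__main__":
    for attachment, payload in build_samples().items():
        for path, findings in triage_attachment(attachment, payload).items():
            print(f"{path}: {'; '.join(findings)}")
```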


#1463 AplusWebMaster

Posted 15 May 2015 - 04:19 AM

FYI...

Fake 'Self Bill' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
15 May 2015 - "'Self Bill SB026336 Attached' pretending to come from Reliance Scrap Metal <enquiries@ reliancescrapmetal .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please Find Enclosed Self Bill Number SB026336 Dated 07/05/2015
     C Phillips
    enquiries@ reliancescrapmetal .com


15 May 2015 : Attachment.doc - Current Virus total detections: 0/56* which downloads bwsherwood .com/34/140.exe (VirusTotal**). There will be other download locations... All locations will deliver the same malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431678745/

** https://www.virustot...sis/1431677370/
... Behavioural information
TCP connections
151.236.216.254: https://www.virustot...54/information/
88.221.15.80: https://www.virustot...80/information/

bwsherwood .com: 69.49.101.51: https://www.virustot...51/information/
___

Fake email Invoices April 2015 with attached malicious Word file
- http://blog.mxlab.eu...ious-word-file/
May 15, 2015 - "... intercepted a new trojan distribution campaign by email with subjects like:
Financial information: Invoices April 2015
Important notice: Invoices April 2015
Important information: Invoices April 2015
Need your attention: Invoices April 2015
This email is sent from the -spoofed- address and has the following body:
    Congratulations
    Hope you are well
    Please find attached the statement that matches back to your invoices.
    Can you please sign and return.
    Robin Wolfe

    Dear Sir/Madam,
    I trust this email finds you well,
    Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.
    Best Regards,
    Sophia Watts
    Accounts Receivables

    Good morning
    Hi,
    Please find attached a recharge invoice for your broadband.
    Many thanks,
    Tabatha Murphy


The 49 kB attached file, named veizaioj_87B9A16BB5.doc (characters will vary), is a malicious Word file with an embedded macro that will download -other- malware onto the system. The Word file is labelled as Malware!9f6e by 1 of the 57 AV engines at Virus Total*..."
* https://www.virustot...38314/analysis/
___

Unknown hacks attack German parliament data network
- http://www.reuters.c...N0Y63P720150515
May 15, 2015 - "Unknown hackers have attacked the German Bundestag lower house of parliament's computer system, a parliamentary spokeswoman said on Friday. German news magazine Der Spiegel's online edition had earlier said that the internal data network had been subject to an attack. It said experts had noticed several days ago that unknown attackers had tried to get into the data network. At almost the same time experts from Germany's domestic intelligence agency (BfV) at the government's cyber defence centre noticed the spying attempt and warned the Bundestag administration, the report said. 'There was an attack on the Bundestag's IT system', parliamentary spokeswoman Eva Haacke said, giving no further details. 'Experts from the Bundestag and the BSI (the German Federal Office for Information Security) are working on it'. In January, German government websites, including Chancellor Angela Merkel's page, were hacked in an attack claimed by a group demanding Berlin end support for the Ukrainian government, shortly before their leaders were to meet."
- http://www.reuters.c...N0Y70HH20150516
May 16, 2015 - "The German Bundestag lower house of parliament is trying to repair its computer system after a hacking attack but there are no indications yet that hackers accessed information, a parliamentary spokeswoman said on Saturday. The Bundestag is analysing what happened and experts from the Bundestag administration and the BSI (the German Federal Office for Information Security) are working to repair the system, the spokeswoman said..."
___

Cyberattack on Penn State said to have come from China
- http://www.reuters.c...N0Y66PD20150515
May 15, 2015 - "Pennsylvania State University said on Friday that -two- cyberattacks at its College of Engineering, including one in 2012 that originated in China, compromised servers containing information on about 18,000 people. Penn State, a major developer of technology for the U.S. Navy, said there was no evidence that research or personal data such as social security or credit card numbers had been stolen. Cybersecurity firm Mandiant has confirmed that at least one of the two attacks was carried out by a "threat actor" based in China, Penn State said. The source of the other attack is still being investigated. Penn State was alerted about a breach by the Federal Bureau of Investigation in November, Penn State executive vice president Nicholas Jones said in a statement. Mandiant, the forensic unit of FireEye Inc, discovered the 2012 breach during the investigation. Penn State's Applied Research Laboratory spends more than $100 million a year on research, with most of the funding coming from the U.S. Navy..."
- http://it.slashdot.o...na-based-attack
May 15, 2015 - "Penn State's College of Engineering has disconnected its network* from the Internet in response to two sophisticated cyberattacks – one from what the university called a "threat actor based in China" – in an attempt to recover all infected systems. The university said there was no indication that research data or personal information was stolen in the attacks, though usernames and passwords -had- been compromised.*"
* http://news.psu.edu/...e-sophisticated

- http://arstechnica.c...ious-intrusion/
May 15, 2015
___

Chinese snoops hid Malware commands On MS TechNet
- http://www.forbes.co...microsoft-site/
May 14, 2015 - "Hackers often try to hide their tracks and ensure their illicit operation is never taken down by hosting pieces of their infrastructure on websites owned by legitimate companies. Usually that’s Twitter, Facebook, Google or other huge, publicly-editable and accessible services. According to security firm FireEye*, Chinese digital spies chose an ideal yet risky target for storing slices of their command and control functions: TechNet, a Microsoft site dedicated to security and IT support. Though TechNet itself was not compromised, the so-called APT17 hackers left encoded IP addresses used to send updates and commands to the group’s ‘BLACKCOFFEE’ malware** in legitimate Microsoft TechNet profile pages and forum threads. The encoding would have made it more difficult to determine the true domain used by the attackers. FireEye and Microsoft worked to block the attackers’ accounts from accessing their profiles, whilst blocking the malicious activity stemming from the site.
** https://a248.e.akama...at-11.18.58.png
The APT17 crew had previously used search engines Google and Bing to store their command and control domains, but abusing Microsoft’s TechNet was especially smart, as most businesses rely on using Microsoft services every day. Blocking them would probably cease business operations. “Even with knowledge and detection, blocking traffic to Microsoft sites is impossible to do as every business needs access to their site. Hiding in plain sight is becoming more and more popular as it’s both hard to find and impossible to block,” said Jason Steer, chief security strategist for FireEye in EMEA. “This evolution of technique really is the response from hackers to keep one step ahead of law enforcement agencies. As hackers realised law enforcement can track back, they have had to evolve their tools and techniques from plain text instructions on an IP address in China, to encoding instructions, to using popular websites to ensure their network remains up for as long as possible and undetected for as long as possible.” The APT17 crew have a penchant for playing with western tech companies. FireEye believes they were responsible for the hit on security firm Bit9 in 2013. They also targeted US government entities, the defense industry, law firms, information technology companies and mining organisations."
* https://www.fireeye....plain_sigh.html
May 14, 2015
> https://www.fireeye....t17-graphic.jpg

- https://atlas.arbor....ndex#-181898354
May 14, 2015
> http://www.net-secur...ews.php?id=3038


Edited by AplusWebMaster, 19 May 2015 - 08:24 AM.



#1464 AplusWebMaster

Posted 18 May 2015 - 04:37 AM

FYI...

Fake 'Amazon Order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
18 May 2015 - "'Order Details 89920-02119-38881-73110' pretending to come from Amazon .co .uk <order@ anazon .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Amazon... does -not- send word doc or pdf attachments to emails so this is obviously a spoof designed to either infect you or steal information...

Screenshot: http://myonlinesecur...38881-73110.png

18 May 2015 : ORD-89920-02119-38881-73110.doc - Current Virus total detections: 3/57*
... which downloads infraredme .com/556/455.exe (Virus Total**). There will be other download locations but they all deliver the same Dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1431938632/

** https://www.virustot...sis/1431939201/
... Behavioural information
TCP connections
185.15.185.201: https://www.virustot...01/information/
88.221.15.80: https://www.virustot...80/information/

infraredme .com: 64.29.151.221: https://www.virustot...21/information/
___

Fake 'picture message' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
18 May 2015 - "An email saying 'Here’s a picture message you’ve been sent from 07711888963' with -no- subject pretending to come from +447711862559@mediamessaging .o2 .co .uk (random phone numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...07711888963.png

18 May 2015: PM8963.doc - Current Virus total detections: 3/57**
... the -same- malware downloader and downloading the -same- Dridex banking Trojan as today’s other word doc malware Amazon .co .uk Order Details 89920-02119-38881-73110 – word doc or excel xls spreadsheet malware* ..."
* http://myonlinesecur...dsheet-malware/
** https://www.virustot...sis/1431940970/
___

Fake multiple Invoice SPAM -  malicious attachments
- http://blog.dynamoo....-stands-in.html
18 May 2015 - "This -fake- financial spam run is similar to this one last week*, and comes with a malicious attachment.

     From:    Aida Curry
    Date:    18 May 2015 at 11:40
    Subject:    Your reasoning stands in need
    Good Afternoon,
    We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
    I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
    As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
    If you need any application of bills please do not hesitate to contact us
    Regards,
    Aida Curry
    -------------------
    From:    Cornelius Douglas
    Date:    18 May 2015 at 11:39
    Subject:    Your reasoning stands in need
    Good morning
    Please find attached   a remittance advice, relating to a outpayment made to you.
    Many thanks
    Regards,
    Cornelius Douglas
    Seniour Finance Assistant
    -------------------
    From:    Jewell Shepard
    Date:    18 May 2015 at 11:37
    Subject:    Have a need in your thought
    Please, see the attached similar of the remittance.
    Please, can you remit a revised pronouncing so we can settle any outstanding balances.
    Kind Regards,
    Jewell Shepard


Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration
   There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from 193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe. This executable has a VirusTotal detection rate of 4/57**. The Malwr and Hybrid Analysis reports indicate traffic to 5.63.154.228 (Reg.Ru, Russia) and also show a dropped Dridex DLL with a detection rate of 3/57***."
Recommended blocklist:
5.63.154.228
193.26.217.220
"
* http://blog.dynamoo....-need-your.html

** https://www.virustot...sis/1431946975/

*** https://www.virustot...sis/1431947900/

- http://myonlinesecur...dsheet-malware/
18 May 2015
> https://www.virustot...sis/1431950899/
... Behavioural information
TCP connections
178.255.83.2: https://www.virustot....2/information/
88.221.15.80: https://www.virustot...80/information/
___

VENOM vulnerability
- https://blogs.oracle...t_cve_2015_3456
May 15, 2015 - "Oracle just released Security Alert CVE-2015-3456* to address the recently publicly disclosed VENOM vulnerability, which affects various virtualization platforms. This vulnerability results from a buffer overflow in the QEMU's virtual Floppy Disk Controller (FDC). While the vulnerability is not remotely exploitable without authentication, its successful exploitation could provide the malicious attacker, who has privileges to access the FDC on a guest operating system, with the ability to completely take over the targeted host system. As a result, a successful exploitation of the vulnerability can allow a malicious attacker to escape the confines of the virtual environment for which he/she had privileges... Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already “in the wild.” Oracle further recommends that customers apply the relevant fixes as soon as they become available...
The list of Oracle products that may be affected by this vulnerability is published at:

- http://www.oracle.co...56-2542653.html "

- https://isc.sans.edu...l?storyid=19701
2015-05-16 - "... This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms that are in common use today, but there is no reason to panic.
* The vulnerability cannot be compromised remotely, nor is it possible to remotely scan for this vulnerability.
* In order for the attacker to even attempt to exploit the vulnerability they need to have shell level access as an administrator level to a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms..."

* https://web.nvd.nist...d=CVE-2015-3456
Last revised: 05/14/2015
7.7 - (HIGH)
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 18 May 2015 - 08:20 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1465 AplusWebMaster


Posted 19 May 2015 - 07:06 AM

FYI...

Fake 'PO :5182015' SPAM - zipped malware
- http://myonlinesecur...182015-malware/
19 May 2015 - "'PO :5182015'  pretending to come from shuiling <shuilingroup .com > with a zip attachment is another one from the current bot runs... The email looks like:
     Please kindly find the attached file for the new Order we want to place in your esteem company
    Kindly send your proforma invoice with your banking information, so that we will start with the needful
    Thanks and regards
    ATTILIO PASCUCCI
    ATTEX S.R.L.
    VIA ADIGE, 4 – 22070 LUISAGO – CO (ITALY)
    TEL. 0039 031 921648 – FAX 0039 031 3540133
       REG. IMPRESE COMO – COD.FISC. – PARTITA IVA: 01542400138


19 May 2015: PO 5182015.zip: Extracts to: PO 5182015.exe
Current Virus total detections:  15/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1431986200/
... Behavioural information
TCP connections
186.202.127.118: https://www.virustot...18/information/
77.88.21.11: https://www.virustot...11/information/
93.158.134.3: https://www.virustot....3/information/
___

Fake 'Tax Refund' Phish ...
- http://myonlinesecur...efund-phishing/
19 May 2015 - "An email received with a subject of 'Lloyds Bank Refund' -or- 'refund' -or- '2014 Tax Refund' pretending to come from Lloyds Bank. Some of the major common subjects in a phishing attempt are Tax returns or Bank refunds, especially in the UK, where you need to submit your Tax Return online. This one only wants your personal bank log in details...

Screenshot: http://myonlinesecur...efund-phish.png

If you are unwise enough to follow the link, you see a webpage looking like the genuine Lloyds log in page. Look carefully at the -url- in the top bar and you can see it isn’t Lloyds at all but a -fake- site:
- http://myonlinesecur...sh_webpage1.png
If you still haven’t realised that it is a -phishing- attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get -bounced- on to the genuine Lloyds Bank site. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake 'Tax increase alert' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 May 2015 - "'Tax increase alert' -or- 'adjustment guidance' are 2 of the subjects that appear in a whole series of mal-spam emails with the basic subject of VAT increases or changes that are being spammed out. They come with a randomly named zip attachment from random senders and random email addresses and are another one from the current bot runs... The name of the alleged sender does NOT match the name in the body of the email. Some of the subjects seen in this series of mal-spam emails are:
Tax increase alert, adjustment guidance, adjustment report, adjustment notice, change guidance, Custom increase notification, Custom change alert, Duties increase notification, Toll increase notification, Tax change reminder, Levy increase guidance, Duties adjustment alert, change notification, Toll change report and loads of other similar variations on this tax theme... The email looks like:
    We inform you that VAT increases from Wednesday.
    View the document below.
    Remeber that levy values to be settled to the treasury are going to be reevaluated.
     Susan Lewis
    Senior Consultant

-Or-
    Be noted that VAT doubles until Wednesday.
    Observe the act enclosed.
    Do not forget that tax amounts to be paid to the state will be reestimated.
     Rebecca Morgan

-Or-
    Tax Consultant
    Be noted that VAT increases on Friday.
    Observe the file below.
    Note that tax amounts to be paid to the treasury will be reevaluated.
     Rebecca Nelson
    Chief accountant

-Or-
    Please be informed that VAT alters until Tuesday.
    Observe the file attached.
    Remeber that sums to be paid to the state are going to be reevaluated.
     Susan Jackson
    Tax authority


19 May 2015: Doc#844931.zip: Extracts to: fax2_info.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432035348/
___

Fake 'eFax msg' SPAM - malware links
- http://blog.dynamoo....ion-office.html
19 May 2015 - "Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?
    From:    Australian Taxation Office [noreply @ ato .gov .au]
    Date:    19 May 2015 at 12:48
    Subject:    eFax message - 2 page(s)
    Fax Message [Caller-ID: 408-342-0521]
    You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.
    * The reference number for this fax is
    min2_did16-0884196800-3877504043-49.
    View this fax using your PDF reader...


Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile .com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr. This executable has a detection rate of 5/57*. Automated analysis tools... show that it downloads a further component from:
http ://employmentrisk .com/images/1405uk77.exe
In turn, this has a detection rate of 4/57** and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).
Recommended blocklist:
employmentrisk .com
194.28.190.183
"
* https://www.virustot...sis/1432038054/

** https://www.virustot...sis/1432038513/

employmentrisk .com: 74.116.2.117: https://www.virustot...17/information/

storage-ec2-24.sharefile .com: 52.0.190.130: https://www.virustot...30/information/

eFax Corporate Spam
- http://threattrack.t...-corporate-spam
May 19, 2015 - "Subjects Seen:
    eFax message - 3 page(s)
Typical e-mail details:
    Fax Message [Caller-ID: 626-271-6819]
    You have received a 3 pages fax at 2015-05-19 08:18:18 AM EST.
    * The reference number for this fax is
    min2_did48-5711163227-0231815252-98.
    View this fax using your PDF reader.


Screenshot: https://40.media.tum...1r6pupn_500.png

Malicious URLs
    storage-usw-8.sharefile.com/download.ashx?dt=dtba0aacb3cd344005be90d949470aa333&h=9Ueg3YdEIMuDH72YnA29c7h2EL7zh355nI387gxb7Kc%3d


Malicious File Name and MD5:
    Fax_00491175.scr (a6aa82995f4cb2bd29cdddedd3572461)

Tagged: eFax, Upatre
___

Bad taste left in Angler EK by MBAE
- https://blog.malware...arebytes-users/
May 19, 2015 - "... as discovered by Kafeine*, the latest version of Angler EK... also checks to see if either Malwarebytes Anti-Malware or Anti-Exploit are installed on the target system... If Malwarebytes software is installed, then the exploit kit will silently exit and not even attempt to launch further exploits or malware..."
* http://malware.dontn...q=CVE-2013-7331

 

Malwarebytes Anti Exploit - Free: https://www.malwareb...rg/antiexploit/
___

How much money do cyber crooks collect via crypto ransomware?
- http://net-security....ews.php?id=3042
19.05.2015 - "FireEye researchers* have calculated that the cybercriminals wielding TeslaCrypt and AlphaCrypt have managed to extort $76,522 from 163 victims in only two months..."
* https://www.fireeye....t_followin.html
___

 

Bitly Imitation leads to Malware...
- https://blog.malware...lware-download/
May 18, 2015 - "URL shortening services can be a marketing person’s and social media buff’s best friend. However, they can become a worry for users who are conscious about the security of their systems and personal information. Not only do these services trim down the character count of a URL while monitoring clicks, online -criminals- also use such services to mask malicious URLs. Among the URL shorteners available online, Bitly remains one of the three most popular brands, alongside Goo.gl and Ow.ly. Although the bit.ly URL has been in service since 2008, we’re only beginning to see several -bogus- iterations of it being used in the wild. We’ve seen a number of accounts on YouTube and others sharing various links to game cracks from the imitation Bitly URL, btly[DOT]pw... Elsewhere, another imitation Bitly link — this time, btly[DOT]org — is said to be used in a spam campaign that led recipients to a fake BBC site that advertises questionable Garcinia Cambogia dietary supplements. Please be reminded that the official website for Bitly where users can visit to shorten URLs is https ://bitly .com. Shortened URLs always begin with bit. ly. Everything else that resembles the real thing may need to be ignored, reported, and/or blacklisted."
 



Edited by AplusWebMaster, 19 May 2015 - 04:22 PM.

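A defender-side check for the "spoofed icon" attachments described in the runs above (zips extracting to names like 'PO 5182015.exe' or 'Privacy Policy.doc.scr'), added here as an example and not code from the forum post or the blogs it quotes. It flags zip members both by name (executable or hidden double extension) and by the PE 'MZ' header, so an executable renamed to .pdf is caught too. Member names are taken from this page; member contents are constructed stubs.

```python
"""Flag zip attachments whose members are executables disguised as documents.

Added example, not code from the original post or the quoted blogs.
Windows with "hide extensions for known file types" on shows
'Privacy Policy.doc.scr' as 'Privacy Policy.doc', and a document icon
embedded in the .exe/.scr completes the disguise. Checking the magic
bytes as well as the name means a renamed executable is still reported.
"""
import io
import zipfile

# Extensions the Windows shell will execute directly (a common subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "wsf", "hta"}
# Extensions the lures on this page pretend to be.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt"}


def classify_name(name):
    """Return reasons a member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # drop any folder inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + last)
        # 'Privacy Policy.doc.scr' style: document extension right before it
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("document extension ." + parts[-2] + " hidden before it")
    return reasons


def classify_content(head):
    """Return a reason if the leading bytes are a Windows PE image."""
    # Every Windows .exe/.scr/.dll starts with the DOS 'MZ' header.
    if head[:2] == b"MZ":
        return "PE (MZ) header in content"
    return None


def suspicious_entries(zip_bytes):
    """Scan a zip held in memory; return {member: [reasons]} for risky members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            # Read only the first two bytes: no full extraction of a large member.
            with zf.open(info) as fh:
                head = fh.read(2)
            content_reason = classify_content(head)
            if content_reason:
                reasons.append(content_reason)
                if not any(r.startswith("executable") for r in reasons):
                    reasons.append("extension does not match content (renamed executable)")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: names from the runs quoted on this page, stub contents."""
    fake_pe = b"MZ" + b"\x90" * 62            # constructed stub, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PO 5182015.exe", fake_pe)
        zf.writestr("Privacy Policy.doc.scr", fake_pe)
        zf.writestr("invoice_8467_08202014.scr", fake_pe)
        zf.writestr("recipes.pdf", fake_pe)   # executable renamed to look like a PDF
        zf.writestr("notes.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in sorted(suspicious_entries(build_sample_zip()).items()):
        print(name, "->", "; ".join(reasons))
```

A macro document such as 'Blank 11.doc' passes this check by design; it is not an executable and needs macro inspection instead.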


#1466 AplusWebMaster


Posted 21 May 2015 - 05:07 AM

FYI...

Fake 'Invoice# 2976361' SPAM - malicious attachment
- http://blog.dynamoo....1-attached.html
21 May 2015 - "So far I have only seen one sample of this. The sender and subject may vary.
    From:    PGOMEZ@polyair .co .uk
    Date:    21 May 2015 at 08:58
    Subject:    Invoice# 2976361 Attached
    Invoice Attached - please confirm..


Attached is a malicious file with the not-very-imaginative name 00001.doc [VT 4/56*] which contains this malicious macro [pastebin] that downloads a component from the following location:
http ://mercury.powerweave .com/72/11.exe
This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that -other- versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57**. Automated analysis tools... show attempted communications with the following IPs:
78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195
"
* https://www.virustot...sis/1432196986/

** https://www.virustot...sis/1432197071/

*** https://www.virustot...sis/1432198215/


- http://myonlinesecur...dsheet-malware/
21 May 2015
> https://www.virustot...sis/1432194451/
000001.DOC

mercury.powerweave .com: 50.97.147.195: https://www.virustot...95/information/
___

Fake 'Travel order confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
21 May 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Now you have booked your trip why not let The Club help you make the most of your stay?
    Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?
    Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.
    If you’ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online. 

     Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA...


21 May 2015: Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads -same- Dridex malware as today’s other word doc malspam run Invoice# 2976361 Attached – word doc or excel xls spreadsheet malware:
- http://myonlinesecur...dsheet-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432197951/

 

- http://blog.dynamoo....nfirmation.html

21 May 2015 - "... Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run*."
* http://blog.dynamoo....1-attached.html
___

Fake 'Pampered Chef' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 May 2015 - "'Recipes for your new Pampered Chef Baker' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    I know you’ll love your new Pampered Chef baker! Thank you for your order.
    Attached are Deep Covered Baker recipes.
    Many Deep Covered Baker Recipes can also be made in the smaller, Round Covered Baker.
    For microwave recipes, use half the ingredients and half the bake time suggested. For oven recipes, use half the
    ingredients but follow recommended bake times or visual indicators in the recipe.
    Enjoy!
    Please contact me if you have questions or concerns.
    Thank you,
    Robbin 


21 May 2015: Pampered_ingredients.zip: Extracts to: Pampered_ingredients.exe
Current Virus total detections: 3/57* . There are several different versions of the malware floating around. This is just one example. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432205437/
___

Fake 'Unpaid Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 May 2015 - "'Unpaid Invoice' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with  a zip attachment is another one from the current bot runs... The email looks like:
     Please pay this invoice at your earliest opportunity.

21 May 2015: invoice_8467_08202014.zip: Extracts to: invoice_8467_08202014.scr
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432226961/
___

Exploit kits delivering Necurs
- https://isc.sans.edu...l?storyid=19719
2015-05-21 - "In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering -malware- identified as Necurs... Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2]... I saw Necurs as a malware payload from Nuclear and Angler EKs last week... In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page). We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249..."
(More detail at the isc URL above.)

[1] https://www.symantec...-121212-2802-99

[2] https://www.microsof...an:Win32/Necurs

185.14.30.218: https://www.virustot...18/information/

91.121.63.249: https://www.virustot...49/information/
___

“Facebook Recovery” accounts share Phishing link, offer Tech Support
- https://blog.malware...r-tech-support/
May 21, 2015 - "We’ve seen a certain j.mp -shortened- URL being shared by what we believe are -rogue- (if not compromised) accounts within Facebook a couple of days ago. In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery” — a truly -fake- one... that is up to the task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP:
> https://blog.malware...y-spam-post.png
The URL, of course, hides the below phishing page:
> https://blog.malware...age-default.png
The blurb on the page is the same as the spammed message on Facebook. Once a user enters the credentials asked for and clicks Log In, data is posted to recovery.php, and then users are -redirected- to this payment page, which asks for his/her full name, credit card details, and billing address:
> https://blog.malware...ing-payment.png
We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”. We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present... It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL. Less visibility also means that potentially fewer companies would be able to block it due to flying under the radar. VT results for the j.mp URL show this*.
* https://www.virustot...sis/1432202719/
Furthermore, the majority of clicks are mostly from Asian countries and the United States:
> https://blog.malware...per-country.png
We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40... If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to -ignore- it and warn your network about an on-going -spam- campaign."

recovery-page-php .zz .mu: 185.28.21.145: https://www.virustot...45/information/
___

"Logjam"...
- https://blog.malware...u-need-to-know/
May 20, 2015 - "... Dubbed as Logjam, the vulnerability affects home users -and- corporations alike, and over 80,000 of the top one million domains worldwide were found to be vulnerable. The original report on Logjam can be found here:
- https://weakdh.org/
... While much of the research is performed against a Diffie-Hellman 512-bit key group, the researchers behind the Logjam discovery also speculate that 1024-bit groups could be vulnerable to those with “nation-state” resources, making a suggestion that groups like the NSA might have already accomplished this... A comprehensive look at all of their research can be found here:
- https://weakdh.org/i...ard-secrecy.pdf
... At the time of this writing, patches are still in works for all the major web browsers, including Chrome, Firefox, Safari, and Internet Explorer. They should be released in the next day or two, so ensure your browser updates correctly once it's released. These updates should reject Diffie-Hellman key lengths that are less than 1024 bits..."

Also see:
- https://isc.sans.edu...l?storyid=19717
2015-05-20
 



Edited by AplusWebMaster, 21 May 2015 - 02:13 PM.



#1467 AplusWebMaster


Posted 22 May 2015 - 06:00 AM

FYI...

Fake 'Australian Tax' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 May 2015 - "'Australian Taxation Office – Remittance Advisory Email' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> with a link to download a zip file is another one from the current bot runs... The bots seem to be getting very confused today and are mixing up Lloyds Bank with Australian Taxation Office and even using a date 1 year in the past. Nobody should fall for these. The links in the emails currently are set to download from:
-  https ://storage-ec2-13.sharefile .com/download.ashx?dt=dt8fdfcdfa200a4b01b93e2643fa61fcc1&h=xw9ZAT0fvavEwl7uRL2DX3xEJcw6II19IbZfNyN1ix0%3d
Update: we are now seeing several -different- sharefile .com download links. All appear to be the same malware, regardless of the link. The same set of download links are being spammed out in other emails from the same bot net with subjects of 'You’ve received a new fax' appearing to come from fax@ your own domain and 'Internal ONLY' pretending to come from Administrator@ your own domain both alleging to contain a fax message. The email looks like:

 

     Monday 22 May 2014
    This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc. Please review the details of the payment here.
    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637
    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813...


22 May 2015 : FAX_82QPL932UN_771.zip: Extracts to: FAX_82QPL932UN_771.scr
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432286982/

 

storage-ec2-13.sharefile .com: 54.84.9.118: https://www.virustot...18/information/

- http://blog.dynamoo....ter-advice.html
22 May 2015
"... Recommended blocklist:
209.15.197.235
217.23.194.237
"
___

Fake 'Invoice IN278577' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
22 May 2015 - "'Your Invoice IN278577 from Out of Eden' pretending to come from sales@ outofeden .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Out-of-Eden.png

22 May 2015 : Invoice IN278577 (emailed 2015-05-21).doc
Current Virus total detections: 1/57*... which downloads www .footingclub .com/85/20.exe, which is a Dridex banking Trojan (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432288366/

** https://www.virustot...sis/1432288878/
... Behavioural information
TCP connections
185.12.95.191: https://www.virustot...91/information/
2.18.213.208: https://www.virustot...08/information/
 



Edited by AplusWebMaster, 22 May 2015 - 06:42 AM.



#1468 AplusWebMaster


Posted 26 May 2015 - 04:58 AM

FYI...

Fake 'Blank 11' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 May 2015 - "'Blank 11' pretending to come from hannah.e.righton@ gmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a completely blank body.
 
26 May 2015: Blank 11.doc - Current Virus total detections: 2/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432633538/
___

Fake 'Invoice' SPAM -  doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 May 2015 - "'Your Invoice (ref: INV232654) from thomsonlocal' pretending to come from Pleasedonotreply@ thomsonlocal .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...cal_corrupt.png

... It is supposed to look like or read:
> http://myonlinesecur...omson_local.png

26 May 2015: Invoice INV232654.doc - Current Virus total detections: 2/56*
... downloads the same Dridex banking malware as described in today’s other word macro malware downloaders being spammed out 'Blank 11 hannah.e.righton' – word doc or excel xls spreadsheet malware**. This particular macro version downloads from http ://crestliquors .com/73/20.exe (VirusTotal***) but all the downloads are identical, just from multiple different locations. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432634028/

** http://myonlinesecur...dsheet-malware/

*** https://www.virustot...sis/1432631807/
File name: 20_exe
... Behavioural information
TCP connections
144.76.238.214: https://www.virustot...14/information/
88.221.14.249: https://www.virustot...49/information/

crestliquors .com: 64.29.151.221: https://www.virustot...21/information/
___

Fake 'Underreported Income' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 May 2015 - "'Notice of Underreported Income' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> and 'Outdated Invoice' pretending to come from Sage Invoice <invoice@ sage .com> with a -link- in the body of the email to download a zip file is another one from the current bot runs... The Australian Taxation Office email looks like:

    Taxpayer ID: ufwsd-000008882579UK Tax Type: Income Tax Issue: Unreported/Underreported Income (Fraud Application) Please review your tax income statement on HM Revenue and Customs ( HMRC). Download your HMRC statement. Please complete the form...

The links in these emails go to https ://a .uguu .se/hivjca_Invoice_00471200.zip  (Note the HTTPS) which gives a not found message. If you drop the S and just use a standard HTTP link then you get the malware. The Sage invoice looks like:

    Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
https ://invoice .sage .co.uk/Account?769525=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@ sage .com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies...


26 May 2015: ytuads_Invoice_00471206.zip: Extracts to: Invoice_00471206.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432638854/
Invoice_00471203.scr
... Behavioural information
 TCP connections
104.238.136.31: https://www.virustot...10/information/
93.185.4.90: https://www.virustot...90/information/
66.215.30.118: https://www.virustot...18/information/
88.221.14.249: https://www.virustot...49/information/

uguu .se:
104.28.24.2: https://www.virustot....2/information/
104.28.25.2: https://www.virustot....2/information/
___

Fake 'Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 May 2015 - "'775 Westminster Avenue APT D5 Fw: Invoice' coming from random email addresses and names with a zip attachment is another one from the current bot runs... The email looks like:
    Name: Invoice
    Customer ID: 718527
    Street Address
    775 Westminster Avenue APT D5
    Brooklyn, NY, 01748
    Phone: (235) 194-2842


The customer ID number, the NY code and the phone numbers are all random and different in each email. The attachment zip names are also random but all extract to the same invoice_company.exe
26 May 2015: 030018-.zip: Extracts to: invoice_company.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1432647309/
___

Tesco – Phish ...
- http://myonlinesecur...tesco-phishing/
26 May 2015 - "'Collect a 80GBP reward!' pretending to come from Tesco <postmaster@ tescoina .com>. It is the end of May, just after the bank holiday. You have spent up to your limit on the credit cards and are wondering how to pay the bills until the next pay cheque arrives, when what looks like a miracle happens. An email arrives apparently from Tesco saying Collect a 80GBP reward! that offers you £80 for filling in a Tesco customer satisfaction -survey... it is a -scam- and is a phishing fraud designed to steal your bank and credit card details... If you open the link you see a webpage looking like this: (I had to split it into 2 parts to take a screenshot):

> http://myonlinesecur...sco-survey1.png

http://myonlinesecur...sco-survey2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
 



Edited by AplusWebMaster, 26 May 2015 - 10:27 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1469 AplusWebMaster

Posted 27 May 2015 - 08:12 AM

FYI...

Fake 'INV-152307' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 May 2015 - "'Anthony Alexandra Associates MAY INV-152307 GBP 418.80' pretending to come from Lauren Braisby <lauren.braisby@ reed .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-GBP-418.80.png

25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 1/57*
... which downloads Dridex banking malware from http ://wingtouch .com/776/331.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1432725577/

** https://www.virustot...sis/1432727693/
... Behavioural information
TCP connections
185.11.247.226: https://www.virustot...26/information/
88.221.14.249: https://www.virustot...49/information/

wingtouch .com: 64.29.151.221: https://www.virustot...21/information/
___

Fake 'Invoice charge' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 May 2015 - "'Announce of importance: Invoice charge' coming from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The emails look like:
    Hi,
    Please see attached the copy of invoice from 22/05/2015.
    Please can you send a revised statement so we can settle any outstanding balances.
    Kind Regards,
    Mason Lloyd

-Or-
    Your monthly Rainbow Communications invoice is attached to this mail.
    This bill is for account RT963382
    Please note that for those who receive multiple reports you may need to check your attachment field on your e-mail program to ensure that you have received them all.
    Louie Hood
    Business Account Manager

-Or-
    Good morning,
    Our billing department have identified that you are getting both a hard copy and an e-mail copy of your bill. As a result you will be getting a monthly £3 hard copy fee.
    Can you let me know if the hard copy can be removed?
    Kind regards
    Angie Ayers
    Business Account Manager


27 May 2015 : F6F0_C6C7DE4EE83EDC.doc - No detections anywhere and all automatic analysis has failed. The file appears to be base 64 encoded text that I haven’t yet managed to decode and find a working content...
Update: 2nd version 25B5F_7B101029E76005.doc (VirusTotal*), so far I haven’t found a payload and the only automatic analysis hasn’t found anything... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432729315/
File name: 25B5F_7B101029E76005.doc
Detection ratio: 0/57
___

Fake 'Statement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 May 2015 - "'Statement from [random company]' coming from random companies, names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please see attached statement.
    Please be advised that our company is now incorporated andtrades as DOMINO’S PIZZA GROUP PLC. Ourbank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with newaccount details as follows:
    Sort Code: 98-12-30
    Account Number: 10991670
    Ulster Bank has switched over our direct debits etc. for usso please take this letter as notification of same.
    Our company number isNI624042.
    DOMINO’S PIZZA GROUP PLC VAT registration number: GB184578365.
    We would also like to take this opportunity to thank you for your continuedsupport. If you should need any further information then please do not hesitateto contact us.
    Regards,
    Della Medina
    Accounts Dept.

-Or-
    Please see attached statement.
    Please be advised that our company is now incorporated andtrades as Cleantec Equipment Ltd. Ourbank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with newaccount details as follows:
    Sort Code: 98-12-30
    Account Number: 10991670
    Ulster Bank has switched over our direct debits etc. for usso please take this letter as notification of same.
    Our company number isNI624042.
    Cleantec Equipment Ltd VAT registration number: GB184578365.
    We would also like to take this opportunity to thank you for your continuedsupport. If you should need any further information then please do not hesitateto contact us.
    Regards,
    Dallas Dickerson
    Accounts Dept.


27 May 2015: 0A15_968CD62833A4B.doc - Current Virus total detections: 0/56*
... Once again today Analysis -fails- to give any download locations. It looks like the same behaviour as today’s earlier attempt Announce of importance: Invoice charge – word doc or excel xls spreadsheet malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432735276/

** http://myonlinesecur...dsheet-malware/
___

Chrome Lure used in Facebook Attack ...
- http://blog.trendmic...les-new-policy/
May 26, 2015 - "... cybercriminals keep using Google Chrome and Facebook to infect their victims with malware... We’ve already seen both platforms be used as parts of malicious social engineering schemes. Both Google and Facebook are aware of this and have taken steps to protect their users. The number of times malicious Chrome extensions have sprouted, for example, has driven Google to restrict the use of any extension not available on the Chrome Web Store. Unfortunately, initiatives like these have not deterred cybercriminal efforts. Our findings also show that many of these platforms' users still get tricked.
Message on Facebook: Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the -malicious- site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename used makes it seem that it’s a harmless Chrome browser plugin required to play videos.
Malicious page with the Facebook design: This supposed video installer file is detected as TROJ_KILIM.EFLD. This variant attempts to download another file — possibly the final payload — but the site is currently down. However, it should be noted that KILIM malware are known to be -malicious- Chrome extensions and plugins. KILIM variants have also been observed to spam Facebook messages and cause system infection... We checked the landing page and found out that the Philippines had the most number of users who visited the site, followed by those from Indonesia, India, Brazil, and the U.S... these countries are the same ones reported to have the highest percentage in terms of Facebook penetration... Given the popularity of Facebook, members of the site must be discerning when it comes to dealing with the content they come across with. -Never- click links from unknown or unverified sites, especially if the content sounds too interesting to be true. Cybercriminals often use shocking or eye-catching content to convince users to visit malicious websites. It’s far better to click links that lead to a reputable source than some random blog or site. The Trend Micro Site Safety Center* can also be used to check if websites are safe or not. The same can be said for links or attachments sent by friends. It’s worth the effort to first confirm the message before clicking the link or opening the attachment..."
* http://global.sitesa...trendmicro.com/
 



Edited by AplusWebMaster, 27 May 2015 - 02:33 PM.



#1470 AplusWebMaster

Posted 28 May 2015 - 06:54 AM

FYI...

Fake 'latest invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 May 2015 - "'Your latest invoice from The Fuelcard Company UK Ltd' pretending to come from invoicing@ fuelcards .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find your latest invoice attached.
     If you have any queries please do not hesitate to contact our Customer
    Service Team at invoicing@ fuelcards .co .uk
     Regards
     The Fuelcard Compa


28 May 2015: invoice.doc - Current Virus total detections: 2/57*
... This malicious macro downloads http ://contesafricains .com/01/59.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432800000/

** https://www.virustot...sis/1432800544/
... Behavioural information
TCP connections
134.0.115.157: https://www.virustot...57/information/
88.221.15.80: https://www.virustot...80/information/

contesafricains .com: 213.186.33.19: https://www.virustot...19/information/
___

Fake 'Chasing delivery' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 May 2015 - "'212-B59329-23A – Chasing delivery' pretending to come from Rachel.Hopkinson@ anixter .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ng-delivery.png

28 May 2015 : RR1A240D.doc - Current Virus total detections: 2/57*
... downloads http ://swiftlaw .com/01/59.exe** which is the same Dridex banking malware as today’s earlier malicious word doc malspam run 'Your latest invoice from The Fuelcard Company UK Ltd – word doc or excel xls spreadsheet malware'**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1432811062/

** http://myonlinesecur...dsheet-malware/

swiftlaw .com: 216.251.32.98: https://www.virustot...98/information/
 



Edited by AplusWebMaster, 28 May 2015 - 07:09 AM.



#1471 AplusWebMaster

Posted 01 June 2015 - 06:54 AM

FYI...

Fake email SPAM - doc/xls malware attachment
- http://myonlinesecur...dsheet-malware/
1 Jun 2015 - "'Uplata po pon 43421' pretending to come from Mirjana Prgomet <mirjana@ fokus-medical .hr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body with just an attachment.

1 June 2015: report20520159260[1].doc - Current Virus total detections: 1/56*
... downloads Dridex banking malware from http ://jcmartz .com/1/09.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433147275/

** https://www.virustot...sis/1433147275/
... Behavioural information
TCP connections
31.186.99.250: https://www.virustot...50/information/
88.221.15.80: https://www.virustot...80/information/

jcmartz .com: 66.175.58.9: https://www.virustot....9/information/

- http://blog.dynamoo....-pon-43421.html
1 Jun 2015
"... Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214
"
___

Fake 'slide1' SPAM - doc/xls malware attachment
- http://myonlinesecur...dsheet-malware/
1 Jun 2015 - "'Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200' pretending to come from  Simon Harrington <simonharrington@ talktalk .net> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ling-slide1.png

1 Jun 2015 : slide1.doc - Current Virus total detections: 2/56*
... which connects to and downloads http ://216.22.14.37/~congafx/1/09.exe which is an updated Dridex banking malware (VirusTotal**)... It is using the same file name as today’s earlier malspam run but is a totally different file size Uplata po pon 43421 -Mirjana Prgomet – fokus-medical – word doc or excel xls spreadsheet malware***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433162360/

** https://www.virustot...5ab09/analysis/

*** http://myonlinesecur...dsheet-malware/

216.22.14.37: https://www.virustot...37/information/

- http://blog.dynamoo....alktalknet.html
1 Jun 2015
"... Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214
..."
___

Fake 'Order confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Jun 2015 - "'Order confirmation 300-2015001469' with no apparent -from- address or -sender- & a -blank- empty body that is addressed to: To: <p.pichler@ allfi .com<randomname>@ Your email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely blank body.

1 June 2015: Order confirmation 300-2015001469.doc - Current Virus total detections: 4/56*   ... downloads the same Dridex banking Trojan as one of today’s earlier word based malspam runs Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200 – Simon Harrington – word doc or excel xls spreadsheet malware**. The single version I examined downloaded from http ://irpanet .com/1/09.exe but there are -multiple- download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1433170304/

** http://myonlinesecur...dsheet-malware/

irpanet .com: 64.29.151.221: https://www.virustot...21/information/
 



Edited by AplusWebMaster, 01 June 2015 - 12:11 PM.

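The 1 June posts above quote dynamoo's "Recommended blocklist" IPs and several Dridex download URLs of the shape http://host/NN/NN.exe (http ://jcmartz .com/1/09.exe, http ://216.22.14.37/~congafx/1/09.exe, http ://irpanet .com/1/09.exe). As an added example, not code from the posts or from the quoted blogs, here is a Python sweep over proxy log lines that flags hits to the blocklisted IPs and requests whose path matches that shape. The Squid-style log format, the path regex (generalised from the quoted URLs, not a published signature) and the sample log lines are all assumptions constructed for the example.

```python
"""Sweep web-proxy log lines for Dridex-style downloads and blocklisted peers.

Added example for this thread, not code from the quoted blogs. The log format
(Squid access.log style), the download-path regex and the sample lines below are
assumptions / constructed input, not published signatures."""
import ipaddress
import re
from urllib.parse import urlparse

# IPs from the "Recommended blocklist" quoted from dynamoo in the 1 Jun 2015 posts.
BLOCKLIST = {
    "31.186.99.250",
    "107.170.1.205",
    "146.185.128.226",
    "144.76.238.214",
}

# The download URLs quoted in the posts share the shape http://host/<digits>/<digits>.exe
# (e.g. /73/20.exe, /1/09.exe, /776/331.exe, /~congafx/1/09.exe). This regex is an
# assumption generalised from those samples; tune it before relying on it for alerting.
DRIDEX_PATH_RE = re.compile(r"^(?:/~[^/]+)?/\d{1,3}/\d{1,3}\.exe$", re.IGNORECASE)

# Squid-style line: time elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$"
)


def classify(line):
    """Return the reasons a log line deserves attention (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    peer = m.group("peer")
    if peer in BLOCKLIST:
        reasons.append(f"peer {peer} on blocklist")
    url = m.group("url")
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    try:
        # Literal-IP destinations (e.g. http://216.22.14.37/...) are checked directly;
        # hostnames raise ValueError and are skipped (resolve them offline if needed).
        if str(ipaddress.ip_address(host)) in BLOCKLIST:
            reasons.append(f"destination {host} on blocklist")
    except ValueError:
        pass
    if DRIDEX_PATH_RE.match(parsed.path):
        reasons.append(f"Dridex-style download path {parsed.path}")
    return reasons


def sweep(lines):
    """Map every flagged line to its list of reasons."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits[line] = reasons
    return hits


# Constructed sample log lines (not a real capture); hosts/IPs taken from the posts above.
SAMPLE_LOG = """\
1433150000.123 120 10.0.0.15 TCP_MISS/200 1048 GET http://jcmartz.com/1/09.exe - HIER_DIRECT/66.175.58.9 application/octet-stream
1433150001.456 89 10.0.0.15 TCP_MISS/200 512 POST http://31.186.99.250:443/ - HIER_DIRECT/31.186.99.250 text/html
1433150002.789 45 10.0.0.22 TCP_MISS/200 20480 GET http://216.22.14.37/~congafx/1/09.exe - HIER_DIRECT/216.22.14.37 application/octet-stream
1433150003.000 30 10.0.0.30 TCP_HIT/200 3000 GET http://www.example.com/index.html - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for line, reasons in sweep(SAMPLE_LOG).items():
        print(line.split()[2], "->", "; ".join(reasons))
```

Run it over a real access.log with `sweep(open(path).read().splitlines())`; unparsed lines are reported rather than silently dropped so a format mismatch is visible, and the path regex is deliberately narrow (one to three digits per component) because the quoted samples never exceed that.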


#1472 AplusWebMaster

Posted 02 June 2015 - 06:54 AM

FYI...

DYRE Banking Malware Upsurge - Europe and North America Most Affected
- http://blog.trendmic...-most-affected/
June 2, 2015 - "Online banking users in Europe and North America are experiencing the upsurge of DYRE*, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow... We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like... What’s troubling with this recent spam run is that it shows how online banking malware continue to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known to be the downloader or middleman malware of sorts for other infamous malware like ZBOT, CRILOCK, and ROVNIX. This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can -disable- detection, thus making it easier for the download of DYRE or other malware into user systems. Specifically, its additional functions include the following:
- Disabling firewall/network related security by modifying some registry entries.
- Disabling firewall/network related security via stoppage of related services.
- Disabling window’s default anti-malware feature (WinDef)
Recently, we have also seen a UPATRE variant (detected TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML/ Help file (.CHM) on a spam run victimizing JPMorgan Chase & Co. customers. Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to -scare- users into opening an attached .EXE file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to succumb to the scam. Seeing that most samples we have seen so far use the English language, it is likely that users of the DYRE malware have been sending out similar messages to a variety of regions, without specifically tweaking according to language and banking preferences... It pays to be prepared especially when consequences are literally DYRE. As we have previously advocated, banking malware that spread via -spammed- mails can be fought off by knowing your banking policies, downloading a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infections, and alerting the bank when you spot suspicious transactions..."
* http://blog.trendmic...malware-part-1/
___

Fake 'Rental Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Jun 2015 - "'June 2015 Rental Invoice' pretending to come from Alex Batts <abatts@ bbsp .co .uk> is being delivered mangled and malformed. It is supposed to come with a malicious word doc or Excel XLS spreadsheet attachment but that is being embedded as a base 64 encoded set of text in the mangled body of the email, rather than being attached. Most users should be protected from this malware, but be aware that some mail servers will automatically fix this sort of garbled corruption and deliver the email as a warning email with a zip of the extracted content. Do-not-click on or open the word doc inside the zip... The email which comes in -garbled- looks like:
[Garbled text...]
Hi
Please find attached the Rental Invoice for June 2015 – which is due for pa=
yment on or before 10st June.
Have a lovely afternoon.
Kind regards
Alex Batts
Forum Receptionist
Telephone : 0117 370 7700
Mobile : 0750 083 5323 ...
 [More garbled text...]


2 June 2015: June 2015 Rental Invoice – Inv 103756.doc - Current Virus total detections: 1/56* | 2/57**
The second -malicious- macro downloads http ://amagumori.3dfxwave .com/7/8.exe Which is a Dridex banking malware (VirusTotal***). The first will also download the same malware but from a different location... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1433243825/

** https://www.virustot...sis/1433250642/

*** https://www.virustot...sis/1433248974/
... Behavioural information
TCP connections
31.186.99.250: https://www.virustot...50/information/
5.178.43.49: https://www.virustot...49/information/

amagumori.3dfxwave .com: 202.129.207.121: https://www.virustot...21/information/
___

Fake 'Invoice ID' SPAM - malware attachment
- http://blog.mxlab.eu...ontains-trojan/
June 2, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Invoice ID”. This email is sent from a -spoofed- address and has the following short body:
    INVOICE
    Invoice ID: 6568469164
    Store id: 9135


The attached file 6568469164_9135.zip contains the 156 kB large file invoice_company.exe. The trojan is known as PE:Malware.Obscure!1.9C59 or Trojan.Win32.Qudamah.Gen.24. At the time of writing, 2 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1433259213/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
188.120.194.101: https://www.virustot...01/information/
173.243.255.79: https://www.virustot...79/information/
90.84.60.99: https://www.virustot...99/information/
188.120.194.101: https://www.virustot...01/information/
___

2015 Malvertising infected millions of users
- http://net-security....ews.php?id=3049
June 2, 2015 - "New research from Malwarebytes has found that -malvertising- is one of the primary infection vectors used to reach millions of consumers this year. The analysis looked at the three large scale zero-day attacks affecting Flash Player*, and the results have been presented at Infosecurity Europe 2015:
> http://www.net-secur...ys-02062015.jpg
Analysis of one particular zero-day attack instigated using the HanJuan Exploit Kit showed that cybercriminals paid an average of 49p for every 1,000 infected adverts impressions on major websites at highly trafficked times of day. This amount could even drop as low as 4p per infected ad impression on lesser-known websites and during quieter times of day. Malicious adverts placed on popular websites including The Huffington Post, Answers.com and Daily Motion, which all boast monthly unique users in the millions, are responsible for exposing vast numbers of consumers to zero-day attacks. Even consumers and businesses running the -latest- versions of Internet Explorer, Firefox and Flash Player are susceptible to becoming immediately infected when exposed to this type of threat which makes it particularly lucrative for the criminal community. Further, with one zero-day remaining active for almost two months of the analysis period there is scope for exploits to have especially wide-reaching effects. The nefarious use of the online ad industry is facilitated by real-time bidding as this allows advertisers to bid in real-time for specific targets and weed out non-genuine users or those that should not be targeted by exploits... This is especially important with the kind of malware that is dropped by exploit kits, and in particular ransomware. Companies can literally be crippled by such malware, lose customers and in some cases put their business in jeopardy."
* https://www.malwareb.../threezerodays/
"... new vulnerabilities are found and weaponized at a much faster rate. Combine this trend with the fact that rolling out patches requires time and testing for businesses and you see the issue: A window of opportunity to exploit systems emerges... While keeping systems up to date remains one of the most important pieces of advice against exploits, zero-days make it completely irrelevant... To face this new reality, businesses and consumers must adapt as well by adopting new tools to safeguard their assets..."
 



Edited by AplusWebMaster, 02 June 2015 - 03:43 PM.



#1473 AplusWebMaster

Posted 03 June 2015 - 07:37 AM

FYI...

Fake 'your receipt' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
3 Jun 2015 - "'your receipt' pretending to come from Amy Morley <amymorley@ howardcundey .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...our-receipt.png

3 June 2015: 20150414151213550.doc - Current Virus total detections: 3/57*
The malicious macro in this version connects to and downloads anthonymaddaloni .com/~web/5/0.exe  which is a Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433318349/

** https://www.virustot...sis/1433318155/
... Behavioural information
TCP connections
37.140.195.177: https://www.virustot...77/information/
5.178.43.34: https://www.virustot...34/information/

anthonymaddaloni .com: 69.72.240.66: https://www.virustot...66/information/
___

Myfax malspam wave - links to malware and Neutrino exploit kit
- https://isc.sans.edu...l?storyid=19759
2015-06-03 - "... there have been more waves of malicious spam (malspam) spoofing myfax .com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day... I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages were coming in again after a 3 day break... Below is an example of the messages blocked by my organization's spam filters on 2015-06-02:
> https://isc.sans.edu...y-image-03a.jpg
The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's malspam only had links to the zip files... In a lab environment, those links ending with fax.php returned HTML with iframes leading to Neutrino EK..."
(More detail at the isc URL above.)
___

Fake email “Fax to” contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 3, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Fax to”.
This email is sent from a -spoofed- address and has the following body:
    Fax Massege:
    Fax ID: 1500566473
    User ID: 429286424


The attached file fax-1500566473_429286424.zip contains the 148 kB large file Document_invoice.exe.
The trojan is known as Downloader-FAVN!A43A201F788E, Trj/Genetic.gen, PE:Malware.Obscure!1.9C59 or Win32.Trojan.Fakedoc.Auto. At the time of writing, 4 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1433353970/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
188.120.194.101: https://www.virustot...01/information/
92.38.41.38: https://www.virustot...38/information/
88.221.15.80: https://www.virustot...80/information/
 



Edited by AplusWebMaster, 03 June 2015 - 03:59 PM.

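Two attachment tricks recur through the posts above: zips whose member is an executable wearing a document name (Privacy Policy.doc.scr, Invoice_00471206.scr with a PDF icon, invoice_company.exe, Document_invoice.exe) and Word/Excel files carrying a downloader macro. As an added example, not code from the posts or the quoted blogs, here is a Python triage pass a mail gateway or analyst could run on an attachment before anyone double-clicks it: it flags executable and double extensions, guards against oversized zip members, and applies a cheap macro heuristic (vbaProject.bin inside OOXML, a _VBA_PROJECT stream name inside legacy OLE). The extension lists and the heuristics are assumptions, and the sample attachments are constructed in memory, not the real samples.

```python
"""Triage e-mail attachments of the kinds seen in this thread: zips hiding an
executable behind a document-looking name, and Office files carrying VBA.
Added example, not code from the quoted blogs. Extension lists and the VBA
heuristics are assumptions; the sample attachments are constructed in memory."""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
DOC_LIKE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".xlsm", ".docx", ".xlsx"}
MAX_MEMBER = 20 * 1024 * 1024  # refuse to inflate oversized zip members (zip-bomb guard)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Legacy .doc/.xls are OLE compound files whose directory stores stream names as
# UTF-16LE; a macro project lives in a stream named _VBA_PROJECT. Searching the raw
# bytes for that name is a cheap heuristic, not a parser (oletools does it properly).
VBA_STREAM_NAME_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def ext_chain(name):
    """Lower-cased extensions of a file name: 'Privacy Policy.doc.scr' -> ['.doc', '.scr']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_name(name):
    """Flag executable extensions and the document.ext.exe double-extension trick.
    A bare .scr carrying a PDF icon is caught by its extension; the icon is invisible here."""
    exts = ext_chain(name)
    findings = []
    if exts and exts[-1] in EXEC_EXTS:
        findings.append(f"executable extension {exts[-1]}")
        if len(exts) > 1 and exts[-2] in DOC_LIKE_EXTS:
            findings.append(f"document extension {exts[-2]} masking executable")
    return findings


def triage_office(data):
    """Macro heuristics: OOXML (zip) carrying vbaProject.bin, or OLE carrying _VBA_PROJECT."""
    findings = []
    if data.startswith(OLE_MAGIC):
        if VBA_STREAM_NAME_UTF16 in data:
            findings.append("OLE document contains VBA project")
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("OOXML document contains vbaProject.bin")
        except zipfile.BadZipFile:
            findings.append("Office extension but not a valid OOXML container")
    return findings


def triage_attachment(filename, data):
    """Triage one attachment; returns {label: findings}. Zip members are labelled 'zip:member'."""
    exts = ext_chain(filename)
    report = {filename: triage_name(filename)}
    if exts[-1:] == [".zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    findings = triage_name(info.filename)
                    member_exts = ext_chain(info.filename)
                    if info.file_size > MAX_MEMBER:
                        findings.append("member too large to inspect")
                    elif member_exts and member_exts[-1] in OFFICE_EXTS:
                        findings += triage_office(z.read(info))
                    report[f"{filename}:{info.filename}"] = findings
        except zipfile.BadZipFile:
            report[filename].append("not a valid zip")
    elif exts and exts[-1] in OFFICE_EXTS:
        report[filename] += triage_office(data)
    return report


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not the real malware: a PE-looking stub under attachment names
# quoted in the posts, a fake legacy .doc with an OLE header plus a VBA stream name,
# and a clean .docx.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"stub"
FAKE_OLE_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64 + VBA_STREAM_NAME_UTF16
SAMPLES = {
    "Privacy Policy.zip": _build_zip({"Privacy Policy.doc.scr": FAKE_PE}),
    "030018-.zip": _build_zip({"invoice_company.exe": FAKE_PE}),
    "invoice.doc": FAKE_OLE_DOC,
    "report.docx": _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
}


def triage_all(samples):
    """Triage every (name, bytes) pair; returns {attachment: {label: findings}}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```

Feed real attachments as `triage_attachment(part.get_filename(), part.get_payload(decode=True))` from Python's `email` module; a non-empty findings list is a hold-and-inspect signal, not a verdict, and a clean result from the macro heuristic should not be read as "no macro", since it only looks for the usual stream names.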


#1474 AplusWebMaster

Posted 04 June 2015 - 06:56 AM

FYI...

Fake 'Scan' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 June 2015 - "'Scan number: 3744444093' [all the numbers are random] coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Scan number: 3744444093
    Pages: 54


4 June 2015: scan-3744444093_54.zip: Extracts to: Document_invoice.exe
Current Virus total detections: 0/58* | 1/57** This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433413368/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
188.120.194.101: https://www.virustot...10/information/
94.103.54.19: https://www.virustot...19/information/
5.178.43.35: https://www.virustot...35/information/

** https://www.virustot...sis/1433412921/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
188.120.194.101: https://www.virustot...10/information/
185.47.89.249: https://www.virustot...49/information/
5.178.43.49: https://www.virustot...49/information/
188.120.194.101: https://www.virustot...10/information/
___

Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
4 June 2015 - "'Eclipse Internet Invoice – 17987580EC' pretending to come from customer@ eclipse .net.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for choosing to receive your invoice by email. Please find this attached.
    If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password, at www .eclipse .net.uk/billing. Alternatively, you can contact our Customer Service Team, Monday to Friday 9am – 5.30pm, on the telephone number...
    Kind regards
    Eclipse Internet
    This email has been scanned for all viruses. Please consider the environment before printing this email. The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any... [blah, blah, blah]


4 June 2015 : invoice_EC_17987580_20141013081054.doc - Current Virus total detections: 2/57*
... the macro connects to http ://empreinte .com.ar/42/91.exe which is a Dridex banking malware (virusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433415353/

** https://www.virustot...sis/1433415107/

empreinte .com.ar: 200.68.105.31: https://www.virustot...31/information/
___

Dyre banking Trojan infections up 125%
- http://net-security....ews.php?id=3050
June 4, 2015 - "Cybercriminal interest in online banking continues to grow, and crooks wielding the Dyre/Dyreza banking Trojan continue spewing out spam emails delivering a new variant of the malware:
> http://www.net-secur...re-04062015.jpg
'There has been a 125% increase of Dyre-related infections worldwide this quarter compared to the last', Trend Micro researchers have noted*. 'Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.' In early May, there was a considerable spike in these spam emails targeting the APAC region. 'We looked closely at the financial institutions whose URLs were contained in the Dyre malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like,' the researchers shared. As before, Dyre is -not- delivered directly via email. Instead, the malicious attachments hold the Upatre downloader, which then downloads Dyre. Upatre also got updated, and these newer versions have the ability to disable firewall/network related security by modifying some registry entries and via -stoppage- of related services, and to disable Windows' default anti-malware feature (Windows Defender). The emails delivering the malware try to -scare- users into opening the attached file by claiming that the recipients' tax payments have doubled. So far, they have been mostly in English, but Trend Micro expects more regionalized messages in the future, as the attackers are looking to expand globally."
* http://blog.trendmic...-most-affected/
 

Edited by AplusWebMaster, 04 June 2015 - 07:38 AM.


#1475 AplusWebMaster

Posted 05 June 2015 - 06:03 AM

FYI...

Fake 'PPL invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
5 June 2015 - "'Your PPL invoice is attached' pretending to come from no-reply@ PPLUK .COM with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Please find attached your PPL invoice for your licence to use recorded music (whether via CDs, Radio/TV broadcasts, background music systems or other sources) at your premises.
    Permission to use PPL repertoire under the terms of the licence will only be effective once payment has been made. Payment of your invoice can be made online at ppluk.com/payonline or you can call us on 020 7534 1070 to pay by credit or debit card. All payment methods can be found on the back of your invoice.
    This is an automated email. If you have any queries about the invoice or requirements for a PPL licence, please refer to the contact information below.
    Yours faithfully,
    PPL Customer Services
    PPL
    1 Upper James Street London W1F 9DE
    T +44 (0)20 7534 1070 ...


5 June 2015 : P_PP_INVN_02573466_01-43-52_03657322_NEWBUS_O_E.DOC
Current Virus total detections: 3/57* . The malicious macro in this version downloads Dridex banking malware from http ://g6000424 .ferozo .com/25/10.exe (VirusTotal**). Other download locations downloading the same Dridex banking malware that I have been informed about are:
http ://zolghadri-co .com/25/10.exe
http ://elkettasandassociates .com/25/10.exe
http ://segurosdenotebooks .com.br/25/10.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433498590/

** https://www.virustot...sis/1433496324/
... Behavioural information
TCP connections
203.151.94.120: https://www.virustot...20/information/
88.221.15.80: https://www.virustot...80/information/
___

Fake 'General Election 2015 Invoices' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
5 June 2015 - "'General Election 2015 Invoices' pretending to come from SIMSSL@ st-ives .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Sir/Madam
    Please find attached your invoice 62812 for GE2015
    Please could payment be quoted with your constituency name/Invoice numbers
    Our Bank Details are:
    St Ives Management Services Limited
    HSBC
    Sort Code: 40-04-24
    Account Number: 71419501
    Account Name: St Ives Management Services Limited
    Remittance advices should be emailed to simsAR@ st-ives .co.uk
    If paying by cheque, please kindly remit to the address below and not to 1 Tudor Street:
     St Ives Management Services Limited
    c/o Branded3
    2nd Floor, 2180 Century Way
    Thorpe Park
    Leeds
    LS 8ZB
    If you have already paid by credit card then there is no need for you to make payment again.
    For payment queries please contact Steven Wilde 0113 306 6966
    For invoice queries please contact Emily Villiers 0207 902 6449
    Kind Regards
    SIMS Sales Ledger...


5 June 2015 : 1445942147T0.doc ... which is -exactly- the same malware as described in 'Your PPL invoice is attached – word doc or excel xls spreadsheet malware'*
* http://myonlinesecur...dsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

- http://blog.dynamoo....ction-2015.html
5 June 2015
"... Recommended blocklist:
203.151.94.120
31.186.99.250
146.185.128.226
185.12.95.40
"
 

Edited by AplusWebMaster, 05 June 2015 - 07:01 AM.


#1476 AplusWebMaster

Posted 08 June 2015 - 05:09 AM

FYI...

Fake 'Bank payment' SPAM – PDF malware
- http://myonlinesecur...uk-pdf-malware/
8 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a pdf attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages...
Update: An automatic analysis by Payload security* gives the download location as hundeschulegoerg .de/15/10.exe ( VirusTotal**)... Adobe reader in -recent- versions has Protected view automatically -enabled- and unless you press-the-button to 'enable all features', you should be safe from this attack... make sure you -uncheck- -any- additional offerings of security scans/Google chrome or -toolbars- that it wants to include in the download:
> http://myonlinesecur...c4-1024x423.png
The email (which has random amounts) looks like:
    Dear client
    Please find attached a bank payment for £3033.10 dated 10th June 2015
    to pay invoice 1757. With thanks.
    Kind regards
    Sarah
    Accounts


Today's date: Bank payment 100615.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-a...environmentId=2

** https://www.virustot...sis/1433753588/
... Behavioural information
TCP connections
146.185.128.226: https://www.virustot...26/information/
88.221.15.80: https://www.virustot...80/information/

*** https://www.virustot...sis/1433751824/

hundeschulegoerg .de: 212.40.179.111: https://www.virustot...11/information/

- http://blog.dynamoo....nk-payment.html
8 June 2015
"... Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40
"
 

Edited by AplusWebMaster, 08 June 2015 - 06:27 AM.
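Added example for the 'Bank payment' post above: that one was a genuine PDF whose embedded script did the damage, and none of the automatic tools flagged it at first. A first-pass check a responder can run on the raw bytes is to look for the dictionary keys that give a PDF the ability to act (/OpenAction, /JavaScript, /Launch, embedded files) and to pull out any /URI link targets. This script is mine, written for this thread; it is not code from myonlinesecurity, dynamoo or Payload Security. The two sample PDFs and the phish.example hostname inside them are constructed for the demonstration. Because it works on raw bytes only, anything tucked inside compressed object streams or Flate-encoded content is invisible to it, so it reports that condition separately to tell you when to fall back to a full parser (pdf-parser, peepdf) or a sandbox.

```python
import re

# Dictionary keys that let a PDF do something when opened, plus /URI for link targets.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/XFA")
ALL_KEYS = ACTIVE_KEYS + (b"/URI",)

_HEX_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# /URI followed by a literal string; tolerates \( and \) escaped inside the string.
_URI_STRING = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def is_pdf(data: bytes) -> bool:
    """Many 'PDF' attachments in these runs are really PE files with a PDF icon."""
    return data.startswith(b"%PDF-")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /Java#53cript -> /JavaScript.
    Malicious PDFs use the escape to dodge naive keyword scanners; the
    reader treats both spellings as the same name."""
    return _HEX_NAME_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def count_keys(data: bytes) -> dict:
    """Count each interesting key, requiring a non-letter after it so that
    /JS does not also match /JSx and /AA does not match longer names."""
    counts = {}
    for key in ALL_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if n:
            counts[key.decode("ascii")] = n
    return counts


def extract_uris(data: bytes) -> list:
    """Return the targets of /URI actions written as literal strings."""
    uris = []
    for m in _URI_STRING.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        uris.append(raw.decode("latin-1"))
    return uris


def triage_pdf(data: bytes) -> dict:
    """Static first-pass triage of a PDF attachment from its raw bytes."""
    if not is_pdf(data):
        raise ValueError("no %PDF- header: not a PDF (check for an MZ header instead)")
    norm = normalize_names(data)
    counts = count_keys(norm)
    uris = extract_uris(norm)
    # Content inside object streams or Flate-encoded streams is invisible to this scan.
    hidden = (b"/ObjStm" in norm) or (b"/FlateDecode" in norm)
    if any(k.encode("ascii") in ACTIVE_KEYS for k in counts):
        verdict = "active-content"   # detonate in a sandbox before anyone opens it
    elif uris:
        verdict = "links-only"       # still check the targets: this is the phishing-PDF shape
    else:
        verdict = "no-indicators"
    return {"keys": counts, "uris": uris, "may_hide_objects": hidden, "verdict": verdict}


# Constructed sample, not a real attachment: a one-page PDF whose catalog fires a
# JavaScript action on open (name hex-escaped) and whose page carries a link annotation.
SAMPLE_MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert\\(1\\)) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://phish.example/login) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample of a PDF with no actions or links at all.
SAMPLE_PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS_PDF), ("plain", SAMPLE_PLAIN_PDF)):
        print(label, triage_pdf(blob))
```

Run it against a real attachment with `triage_pdf(open(path, "rb").read())`. An "active-content" verdict is a reason to keep Protected View on and hand the file to a sandbox; "links-only" means the file is most likely a credential phish and the URIs are what to block; a `may_hide_objects` of True means this scan proved nothing and a real parser is needed.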


#1477 AplusWebMaster

Posted 09 June 2015 - 05:17 AM

FYI...

Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 June 2015 - "'Re: Invoice' coming from random senders and random email addresses with a semi-random zip attachment (the zip is always called 'invoice(random number).zip') is another one from the current bot runs... other emails today pretending to come from RBC Express <ISVAdmin@ rbc .com> with a subject of 'invoices', along with a 'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 4084583/'. These 2 have a different malware payload (VirusTotal*)... The email looks like:

    Check Invoice number

9 June 2015: Invoice (42).zip: Extracts to: Invoice_store.exe - Current Virus total detections: 2/57**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1433843143/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
188.120.194.101: https://www.virustot...01/information/
216.254.231.11: https://www.virustot...11/information/
88.221.15.80: https://www.virustot...80/information/
188.120.194.101: https://www.virustot...01/information/

** https://www.virustot...sis/1433843556/
___

Fake 'Password Confirmation' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 June 2015 - "'Password Confirmation  [742263403307] T82' pretending to come from steve.tasker81@ thomashiggins .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email (which has random numbers in the subject) looks like:

    Full document is attached

09 June 2015: 1913.doc - Current Virus total detections: 2/57*
... which connects to and downloads a Dridex banking malware from speakhighly .com/42/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1433841783/

** https://www.virustot...sis/1433842088/
... Behavioural information
TCP connections
173.230.130.172: https://www.virustot...72/information/
5.178.43.48: https://www.virustot...48/information/

speakhighly .com: 77.73.6.74: https://www.virustot...74/information/

- http://blog.dynamoo....nfirmation.html
9 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250
"
___

Fake 'Unpaid invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 June 2015 - "'Unpaid invoice' pretending to come from Debbie Spencer <Debbie@ burgoynes-lyonshall .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi
    Could you let me know when the attached will be paid?
    Many thanks
    Debbie
    Deborah Spencer
    Company Accountant
    Burgoynes (Lyonshall) Ltd
    Lyonshall
    Kington
    Herefordshire HR5 3JR
    01544 340283 ...


The malware in this email is exactly the -same- as described in today’s earlier malspam run with word docs 'Password Confirmation [742263403307] T82 – word doc or excel xls spreadsheet malware'*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

The HTTPS-Only Standard
- https://https.cio.gov/
___

Beware of Emails Bearing Gifts
- http://www.darkreadi.../a/d-id/1320769
6/9/2015 - "Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating. In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks* believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom. The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business... Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework."
* http://www.securewor...hreat-analysis/
___

Flash malware jumps over 300 percent - Q1-2015
- http://www.theinquir...quarter-of-2015
Jun 09 2015 - "MALWARE ATTACKS on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015. New figures in the McAfee Labs Threats Report May 2015 (PDF*) show that the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014...
* http://www.mcafee.co...eat-q1-2015.pdf
Spam continues ever onward with six trillion messages sent in Q1. A total of 1,118 spam domains were discovered in the UK alone, beating Russia (1,104) and Japan (1,035). Phishing domains hit 887 in the UK, compared with France (799) and the Netherlands (680). Overall, McAfee Labs observed 362 phishing attacks a minute, or six every second..."
 

Edited by AplusWebMaster, 09 June 2015 - 01:51 PM.


#1478 AplusWebMaster

Posted 10 June 2015 - 06:22 AM

FYI...

Fake 'BTT telephone bill' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Jun 2015 - "'Your monthly BTT telephone bill' pretending to come from Hayley Sweeney <admins@ bttcomms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Please find attached your telephone bill for last month. This message was sent automatically.
    For any queries relating to this bill, please contact Customer Services on 01536 211100.


10 June 2015 : Invoice_68362.doc - Current Virus total detections: 5/57*
... Which downloads a Dridex banking malware from www .jimaimracing .co.uk/64/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustot...sis/1433931273/

** https://www.virustot...sis/1433932505/

jimaimracing .co.uk: 91.194.151.37: https://www.virustot...37/information/

- http://blog.dynamoo....ey-sweeney.html
10 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10
"
 

Edited by AplusWebMaster, 10 June 2015 - 08:26 AM.
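Added example, not taken from dynamoo or myonlinesecurity: the Dridex word-doc runs reported above all have the macro fetch the second stage from a URL of the same shape, http://<host>/<n>/<n>.exe (empreinte .com.ar/42/91.exe, g6000424 .ferozo .com/25/10.exe, speakhighly .com/42/11.exe, www .jimaimracing .co.uk/64/11.exe), and dynamoo publishes a short blocklist of the IPs the dropped binary talks to. Both facts turn into a cheap proxy-log check. The script below applies them to a handful of log lines I constructed for the demonstration (the log format is made up too: time, client IP, method, URL, status, server IP); the blocklist set is the one quoted from dynamoo's 10 June post above. The third sample line is there to show that an ordinary software update does not trip the path rule.

```python
import re
from ipaddress import ip_address

# From the 'Recommended blocklist' in the post above (dynamoo, 10 June 2015).
BLOCKLIST = {"173.230.130.172", "94.23.53.23", "176.99.6.10"}

# The macro stage of these runs fetched http://<host>/<n>/<n>.exe: a two-number path.
_MACRO_DOWNLOAD = re.compile(r"^https?://[^/\s]+/\d{1,3}/\d{1,3}\.exe$", re.IGNORECASE)

# Constructed log format: <iso time> <client ip> <method> <url> <status> <server ip>
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def looks_like_macro_download(url: str) -> bool:
    """True for the short two-number-path .exe URLs used by the Dridex macro stage."""
    return _MACRO_DOWNLOAD.match(url) is not None


def parse_line(line: str):
    """Split one log line into fields; None if it is not in the expected format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, server = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "server": server}


def detect(lines) -> list:
    """Return one alert per suspicious line; several reasons can apply to one line."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue                     # unparseable lines are skipped, not alerted on
        reasons = []
        if looks_like_macro_download(rec["url"]):
            reasons.append("two-number path + .exe (macro downloader pattern)")
        try:
            if str(ip_address(rec["server"])) in BLOCKLIST:   # normalises the address text
                reasons.append("destination on blocklist")
        except ValueError:
            pass                         # server field was a hostname, not an address
        if reasons:
            alerts.append({"line": n, "client": rec["client"], "url": rec["url"],
                           "status": rec["status"], "reasons": reasons})
    return alerts


# Constructed sample lines for the demonstration, not a real proxy log.
SAMPLE_LOG = [
    "2015-06-10T09:14:02Z 10.1.4.23 GET http://www.jimaimracing.co.uk/64/11.exe 200 91.194.151.37",
    "2015-06-10T09:14:05Z 10.1.4.23 POST http://173.230.130.172/ 200 173.230.130.172",
    "2015-06-10T09:15:11Z 10.1.4.40 GET http://download.vendor.example/updates/tool.exe 200 203.0.113.8",
    "2015-06-10T09:16:30Z 10.1.4.51 GET http://intranet.example/reports/2015/06.pdf 200 10.0.0.5",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["line"], alert["client"], alert["url"], "; ".join(alert["reasons"]))
```

The first alert (the .exe fetch, HTTP 200) tells you which client opened the document and which host to add to the proxy block; the second (the POST to a listed IP a few seconds later) is the dropped binary checking in, which is the machine to isolate. Swap the BLOCKLIST set for the current day's list, since these IPs change from run to run.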


#1479 AplusWebMaster

Posted 11 June 2015 - 05:15 AM

FYI...

Fake 'order reference' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Jun 2015 - "'Your order reference is 05806' pretending to come from inform <john.wade@ precisionclubs .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear client,
    Thank you for the order,  
    your credit card will be charged for 312 dollars.
    For more information, please visit our web site ...
    Best regards, ticket service.
    Tel./Fax.: (828) 012 88 840


11 June 2015: payment_n09837462_pdf.zip:
Extracts to:   payment_n09837462_pdf_  _ _ _ _ _ _ _ _ _ _  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe           

Current Virus total detections: 5/57*. Note the series of _ after the pdf. That is designed to try to fool you into thinking that the .exe file is a pdf so you open it. Most windows computers won’t show the .exe in windows explorer if enough spaces or _ are inserted. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434002812/
___

Fake 'New_Order' email / Phish...
- http://blog.dynamoo....structions.html
11 Jun 2015 - "I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters.. The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section:
Screenshot: https://4.bp.blogspo...Y/s640/hf-1.jpg

An examination of the underlying PDF file shows two URLs... In turn these redirect... The second URL listed 404s, but the first one is active. According to the URLquery report*, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page... This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report**]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort. The "megatrading .hol.es" (hosted on 31.220.16.16 by Hostinger - VT report***) landing page looks like a straightforward phish:
Screenshot: https://4.bp.blogspo...k/s640/hf-2.png

Entering the username and password always seems to return an error, even if you are absolutely certain the combination are correct:
> https://2.bp.blogspo...g/s320/hf-3.png
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
Recommended blocklist:
31.220.16.16
92.222.42.183
"

* http://urlquery.net/...d=1434011774093

** https://www.virustot...83/information/

*** https://www.virustot...16/information/
___

Mystery continues to surround the nude celebrity iCloud hack
- http://www.hotforsec...hack-11990.html
June 11, 2015 - "Sure, companies and governments get hacked all the time. But for the mainstream media to *really* take an interest, you need to add a twist of celebrity (preferably nude and female). That’s what happened last year when the so-called 'Fappening' saw the intimate and private photographs of scores of female celebrities and actresses, many of them topless or nude, leak onto 4Chan and the seedier corners of Reddit. Famous names who had their privacy violated by the leak included Jennifer Lawrence, Kate Upton, Victoria Justice, Kirsten Dunst, Hope Solo, Krysten Ritter, Yvonne Strahovski, Teresa Palmer, Ariana Grande, and Mary Elizabeth Winstead, amongst many others... Gawker has revealed a search warrant and affidavit, revealing that the FBI has seized computers belonging to a Chicago man in connection with the hack. And it appears that the documents back Apple’s claim that their iCloud service did -not- suffer a breach as such, but instead was the victim of a targeted attack after celebrities’ passwords and security questions were determined. In the affidavit, FBI cybercrime special agent Josh Sadowsky says that an IP address assigned to one Emilio Herrera was “used to access approximately 572 unique iCloud accounts” between May 13 2013 and August 31 2014. According to the statement, a number of the accounts accessed belonged to celebrities who had photos leaked online. In all, iCloud accounts were accessed -3,263- times from the IP address. In addition, the IP address was used from a computer running Windows 7 to reset -1,987- unique iCloud account passwords. Unsurprisingly, law enforcement officers visited Herrera’s house in Chicago and walked away with computers, phones, SD cards, and other devices that no doubt they planned to submit to forensic scrutiny. In particular they would be interested in uncovering any evidence of activity which might suggest phishing, the usage of hacking tools or email forwarding.
But here’s where things get interesting. According to Gawker, Herrera has -not- been charged with any crime and is not even considered a suspect at this point. It would certainly be surprising if someone involved in such an industrial-scale account hijacking operation would not have taken elementary steps to hide their true IP address, so is it possible that Herrera’s computers were being used by the hackers of nude celebs’ iCloud accounts -without- Herrera’s knowledge or permission? If that is the case, then it’s yet another reason why all computer users need to learn the importance of proper computer security. Keeping your computer protected with a layered defence and patched against the latest vulnerabilities reduces the chance of a remote hacker gaining control of your PC. Because the very last thing you want is to be implicated in a crime that you didn’t commit, because hackers have been able to commandeer your computer for their own evil ends."
- Graham Cluley
 

Edited by AplusWebMaster, 11 June 2015 - 08:51 AM.
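Added example, my own and not from any of the blogs quoted in this thread: the 'order reference' post above shows the padded name payment_n09837462_pdf_ _ _ _ _ _ _ _ _.exe, and the earlier posts show the same idea with Privacy Policy.doc.scr, Document_invoice.exe and Invoice_store.exe behind a PDF or Word icon. Relying on "show known file extensions" on every desktop is weak, so the gateway should look inside the zip itself. The script below opens a zip in memory and, for each member, checks the name for the tricks seen here (executable extension, a document extension before the real one, a run of spaces/underscores that pushes the extension out of view, a document type spelled out in the name, a right-to-left override character) and then compares the file's magic bytes with what the extension claims, which is the only way to catch a PE renamed to .pdf. The sample zip is built inline for the demonstration; its "executables" are an MZ header followed by zeros and do nothing. What it cannot do is inspect the icon, so a .exe that merely carries a PDF icon is caught by the extension rule, not by looking at the icon.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click, whatever icon the file shows.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".lnk", ".jar", ".msi"}
# Extensions the lure pretends to be.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}
# File signatures (magic bytes) -> what the content really is.
MAGIC = ((b"MZ", "PE executable"), (b"%PDF", "PDF"),
         (b"\xd0\xcf\x11\xe0", "OLE2 (legacy Office)"), (b"PK\x03\x04", "ZIP/OOXML"))

_PADDING = re.compile(r"[ _\u00a0]{5,}$")
_DOC_TOKEN = re.compile(r"(?:^|[ _.\-])(pdf|doc|docx|xls|xlsx)(?:[ _.\-]|$)")


def name_reasons(member_name: str) -> list:
    """Why a file name inside the zip looks designed to mislead (empty list = nothing odd)."""
    base = member_name.rsplit("/", 1)[-1]
    reasons = []
    if "\u202e" in base:
        reasons.append("right-to-left override character in name")
    parts = base.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""
    if final in EXEC_EXT:
        reasons.append(f"executable extension {final}")
        if any(e in DOC_EXT for e in exts[:-1]):
            reasons.append("document extension before the real one (double extension)")
    stem = base[:-len(final)] if final else base
    if _PADDING.search(stem):
        reasons.append("run of spaces/underscores pushes the real extension out of view")
    if _DOC_TOKEN.search(parts[0]):
        reasons.append("document type spelled out in the name instead of the extension")
    return reasons


def content_type(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring the name entirely."""
    for sig, label in MAGIC:
        if head.startswith(sig):
            return label
    return "unknown"


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every member of a zip attachment without extracting it to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # only the signature is needed
            kind = content_type(head)
            reasons = name_reasons(info.filename)
            final = ("." + info.filename.rsplit(".", 1)[-1].lower()) if "." in info.filename else ""
            if kind == "PE executable" and final not in EXEC_EXT:
                reasons.append(f"content is a PE executable but extension is {final or 'none'}")
            if reasons or kind == "PE executable":
                verdict = "block"
            elif kind in ("OLE2 (legacy Office)", "ZIP/OOXML"):
                verdict = "review"         # may carry a macro; scan it separately
            else:
                verdict = "allow"
            results.append({"name": info.filename, "type": kind,
                            "reasons": reasons, "verdict": verdict})
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for a malspam attachment; the 'executables' are just an
    MZ header followed by zeros, nothing that runs."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Privacy Policy.doc.scr", fake_pe)
        zf.writestr("payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _.exe", fake_pe)
        zf.writestr("Document_invoice.exe", fake_pe)
        zf.writestr("scan.pdf", fake_pe)                     # PE renamed to .pdf
        zf.writestr("report.pdf", b"%PDF-1.4\n%%EOF\n")      # the one legitimate file
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_zip(build_sample_zip()):
        print(row["verdict"].upper(), row["name"], row["type"], "; ".join(row["reasons"]))
```

Only report.pdf comes out as "allow"; the renamed PE in scan.pdf is caught by the magic-byte check even though its name is clean, which is why the name rules and the content check belong together. For nested zips or password-protected archives (the password in the mail body is a trick from other runs) the verdict should be "review" at best, since nothing inside can be inspected.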


#1480 AplusWebMaster

Posted 12 June 2015 - 06:23 AM

FYI...

Fake 'Confirmation transfer' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 June 2015 - "'Confirmation of the transfer' pretending to come from HSBC (random name@random email address) with a zip attachment is another one from the current bot runs... The email looks like:
    Transfer:
    Number of Transfer: 359880-67692630-94464
    To: [redacted]
    Bank sender: HSBS
    Country Poster: England
    City Poster: London


12 June 2015: transfer-England-359880-67692630-94464.zip(random numbers):
Extracts to: New_docs.exe - Current Virus total detections: 4/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434111878/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
188.120.194.101: https://www.virustot...01/information/
24.19.25.40: https://www.virustot...40/information/
88.221.14.249: https://www.virustot...49/information/
___

Malvertising 'Pop-under ads' lead to CryptoWall
- https://blog.malware...cryptowall-3-0/
June 11, 2015 - "...  malvertising leverages the infrastructure provided by ad networks to distribute malicious content to end users while they browse the Internet... a prolific ad network (over 180M hits/month according to SimilarWeb) being used by online fraudsters to distribute malware and other nuisances. 'Popcash' is a pop-under ad network that offers services for both publishers and advertisers: https://blog.malware...popcashlogo.png
'Pop-under ads are similar to pop-up ads, but the ad window appears -hidden- behind the main browser window rather than superimposed in front of it... They usually remain -unnoticed- until the main browser window is closed or minimized, leaving the user’s attention free for the advertisement... users therefore react 'better' to pop-under advertising than to pop-up advertising because of this different, delayed 'impression'. — Wikipedia**
** https://en.wikipedia...d#Pop-under_ads
... In this case, we received a URL used as a gate to an exploit kit:
> https://blog.malware...redirection.png
The Magnitude EK starts with a simplified landing page that contains the code to launch a Flash exploit and an iframe to perform an Internet Explorer exploit... The Flash exploit (VT)[3]  is CVE-2015-3090 as reported on malware.dontneedcoffee[4]:
3] https://www.virustot...sis/1434044838/
4] http://malware.dontn...700169-and.html
... The Internet Explorer exploit (CVE-2014-6332 or CVE-2013-2551 thanks @kafeine) is prepared via a heavily encoded piece of JavaScript... Several URLs are loaded but only a couple actually loaded the same binary (VT)[5] detected by Malwarebytes Anti-Malware as Trojan.Dropper.Necurs, which eventually loads CryptoWall 3.0... other slots are available and could be filled with different malware families by the exploit kit operator...
5] https://www.virustot...sis/1434001814/
... CryptoWall 3.0: Magnitude EK, just like many other exploit kits recently, is pushing crypto ransomware, possibly one of the worst strains of malware because it uses genuine encryption to lock down a user’s personal files. Soon after the ransomware takes over the PC, it will prompt a message warning of what just happened and giving details on how to proceed:
> https://blog.malware...ELP_DECRYPT.png
In this case, one needs to pay $500 to get their files back within the deadline, otherwise that amounts doubles:
> https://blog.malware.../2015/06/BT.png
Conclusions: Because malvertising involves multiple players in order to work (publishers, ad networks, visitors) each has its own role to play in combatting this problem. Publishers (should) be wise in choosing their third-party advertisers by choosing reputable ones (although it is not a 100% guarantee (nothing is) that incidents will not happen). Ad networks can and should also ensure that the traffic they serve is clean. We contacted Popca$h on two separate occasions through their official “report malware” page, but -never- received a response... The campaign is still -ongoing- and not only serving exploits but -also- tech support scams[6] customized for your browser, ISP, city, etc:
6] https://blog.malware.../06/warning.png "
(More detail at the malwarebytes URL at the top of this post.)

- http://windowssecret...office-updates/
June 11, 2015 - "... Flash Player 18.0.0.160 addresses 13 vulnerabilities, some of which have already been used in ransomware attacks..."
 

Edited by AplusWebMaster, 12 June 2015 - 09:49 AM.


#1481 AplusWebMaster

Posted 15 June 2015 - 06:25 AM

FYI...

Fake 'Payment Confirmation' SPAM - doc/xls malware
- http://blog.dynamoo....nfirmation.html
15 Jun 2015 - "This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:
    From: reed .co.uk Credit Control [mailto:creditcontrol.rol@ reed .co.uk]
    Sent: Monday, June 15, 2015 11:10 AM
    Subject: Payment Confirmation 29172230
    Dear Sirs,
    Many thanks for your card payment. Please find payment confirmation attached below.
    Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
    Kind Regards
    Credit Control Team
    T: 020 7067 4584
    F: 020 7067 4628
    Email: creditcontrol.rol@ reed .co.uk


The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57*] which contains this malicious macro... which downloads a component from the following location:
http ://www .freewebstuff .be/34/44.exe
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57**. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools... show traffic to the following IPs:
136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
According to this Malwr report[3], it also drops a Dridex DLL with a detection rate of 18/57[4].
Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10
"
* https://www.virustot...sis/1434362701/

** https://www.virustot...sis/1434362861/

3] https://malwr.com/an...TA0YzFlMzk2MDA/

4] https://www.virustot...sis/1434362861/

freewebstuff .be: 46.21.172.135: https://www.virustot...35/information/

- http://myonlinesecur...dsheet-malware/
15 Jun 2015
Screenshot: http://myonlinesecur...onfirmation.png
> https://www.virustot...sis/1434364970/
___

Fake 'Nyfast Payment' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
15 Jun 2015 - "'[Nyfast] Payment accepted' pretending to come from Nyfast <sales@ nyfast .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...5/06/nyfast.png

15 June 2015: 101153.doc -  Current Virus total detections: 3/57*
... Which connects to and downloads Dridex banking malware from http ://webbouw .be/34/44.exe ( VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434364039/

** https://www.virustot...sis/1434362861/

webbouw .be: 46.21.172.135: https://www.virustot...35/information/
___

Fake 'PI-ORDER' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jun 2015 - "'PI-ORDER' with a zip attachment pretending to come from suiming <suiminggroup@ cs .ename .net> is another one from the current bot runs... The email looks like:
    Dear Sir/madam,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment.kindly confirm the PO and send PI asap.
    kind Regards
    suiming Group


15 June 2015: PI-ORDER.zip: Extracts to:  PI-ORDER.exe - Current Virus total detections: 9/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434339886/
___

Fake 'New Doc' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
15 Jun 2015 - "'Will Kinghan henryhowardfinance .co .uk New Doc' pretending to come from Will Kinghan <WKinghan@hhf .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ill-kinghan.png

15 June 2015: New doc.doc ... which is the -same- malware as described in today’s other word doc malspam runs Payment Confirmation reed .co .uk Credit Control* – word doc or excel xls spreadsheet malware and [Nyfast] Payment accepted** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* http://myonlinesecur...dsheet-malware/

** http://myonlinesecur...dsheet-malware/
___

'Let us help you make your online banking with HSBC more secure' - PHISH
- http://myonlinesecur...ecure-phishing/
15 Jun 2015 - "An email saying 'Let us help you make your online banking with HSBC more secure' is one of today’s -phishing- attempts. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order


... It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. That is also false... The link in the email directs you to a -fake- site; if you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site. The -only- way is to look at the address bar and in the Genuine PayPal site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):
>> http://myonlinesecur..._phish_site.png
... luckily the phishing site has been deactivated by the webhosts, but be careful and remember that banks don’t send emails saying 'follow-the-link' to change anything..."
___

Fake 'Notice DHL' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jun 2015 - "'Notice DHL' pretending to come from HSBC (random name @ random email address) with a zip attachment is another one from the current bot runs... The waybill number is random in each email but -matches- the attachment name. The email looks like:
    Notice DHL
    Courier our company was unable to deliver the goods.
    CAUSE: was lost your number
    Delivery Status: Active
    Services: delivery in one day
    Waybill number for your cargo: WL4OY-k5qvML-0136
    Special sticker attached to the letter. Print sticker and show it in your post office.


15 June 2015: Sticker-WL4OY-k5qvML-0136.zip: Extracts to: New_docs.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434373340/
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 15 June 2015 - 11:02 AM.



#1482 AplusWebMaster


Posted 16 June 2015 - 07:15 AM

FYI...

Magnitude Exploit Kit uses Newly Patched Adobe Vuln ...
- http://blog.trendmic...e-most-at-risk/
Jun 16, 2015 - "Adobe may have already patched a Flash Player vulnerability last week, but several users — especially those in the US, Canada, and the UK — are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15... Adobe’s regular June Update for Adobe Flash Player... upgraded the software to version 18.0.0.160*. However, many users are still running the previous version (17.0.0.188), which means that a lot of users are still at risk... cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon..."
* https://www.adobe.co...tribution3.html
___

Fake 'Travel order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Your booking confirmation document is stored as a DOC file which requires the use of Microsoft Word software to view it.
    Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.
    Regulation The Caravan Club Ltd is authorised and regulated by the Financial Conduct Authority. FCA registration number is 311890
    This email is sent from the offices of The Caravan Club Limited...


16 June 2015: Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**). Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434440780/

** https://www.virustot...sis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.15.80: https://www.virustot...80/information/

aspectaceindia .in: 203.124.96.148: https://www.virustot...48/information/
___

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2016 - "'Invoice' pretending to come from Carol Young <carol@ baguette-express. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Invoice Attached
    Carol Young
    Accounts Manager
    Office:0845 070 4360
    Email: carol@ baguette-express .co.uk
    Web: www .baguette-express .co.uk
    1 Cranston Crescent
    Lauder
    Borders
    TD2 6UB


16 June 2015: A4 Inv_Crd Unit Price, With Discount.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from dubrovnik-marryme .com/90/72.exe (VirusTotal**) This is the -same- malware payload as described in today’s other malspam word macro malware 'The caravan Club Travel order confirmation 0300202959'*** – word doc or excel xls spreadsheet malware..."
* https://www.virustot...sis/1434441322/

** https://www.virustot...sis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.15.80: https://www.virustot...80/information/

*** http://myonlinesecur...dsheet-malware/

dubrovnik-marryme .com: 188.40.57.166: https://www.virustot...66/information/
___

Fake 'Invoice copy' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2015 - "'Invoice copy no. 252576' pretending to come from kathy@ almondscateringsupplies .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached DOC document with invoice copy no. 252576
     Kind regards,
     Gary Almond


16 June 2015 : DespatchNote_-_252576_160615_063107663.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**)
Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434440780/

** https://www.virustot...sis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.15.80: https://www.virustot...80/information/

aspectaceindia .in: 203.124.96.148: https://www.virustot...48/information/
___

Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Jun 2015 - "'Eclipse Internet Invoice is available online – 36889843EC' pretending to come from customer@ eclipse .net.uk with a malicious word doc called EC_36889843_88113463.doc is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for choosing to receive your invoice by email. Please find this attached.
    If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password... Alternatively, you can contact our Customer Service Team, Monday to Friday 8am – 6pm, on the telephone number published...
    Kind regards
    Eclipse Internet


The number in the subject which is random -matches- the word attachment name, so everybody gets a different named email and attachment. The malicious macro and the downloaded Dridex banking malware is exactly the -same- as described in today’s earlier other word macro malspam runs:

1]'Gary Almond almondscateringsupplies .co.uk Invoice copy no. 252576 – word doc or excel xls spreadsheet malware':
- http://myonlinesecur...dsheet-malware/

2]'Carol Young baguette-express Invoice – word doc or excel xls spreadsheet malware':
- http://myonlinesecur...dsheet-malware/

3]'The caravan Club Travel order confirmation 0300202959 – word doc or excel xls spreadsheet malware':
- http://myonlinesecur...dsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
___

Trojan uses steganography to hide itself in image files
- http://net-security....ews.php?id=3058
16.06.2015 - "The Dell SecureWorks* CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code. Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 2013 and 2014, bundled with tools used to crack or generate software keys... Stegoloader's main reason for being is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules... Stegoloader is not the first malware to use steganography to hide malicious code or information such as the address of the malware's backup C&C, but the researchers note that it could represent an emerging trend in malware... researcher Saumil Shah recently demonstrated at the Hack in the Box conference**, it's possible to insert both malicious code and exploit code that will trigger it into an image, and this type of delivery mechanism is still undetectable by current defensive solutions."
* http://www.securewor...mation-stealer/

** http://www.net-secur...ld.php?id=18443
___

Dutch Users: victims of Large Malvertising Campaign
- https://blog.malware...ising-campaign/
June 15, 2015 - "Security firm Fox-IT* has identified a large malvertising campaign that began affecting Dutch users on June 11:
* http://blog.fox-it.c...he-netherlands/
In their blog post, they say that several major news sites were loading the -bogus- advertisement that ultimately led to the Angler exploit kit. Looking at our telemetry we also noticed this attack, and in particular on Dutch news site Telegraaf[.]nl via an advert from otsmarketing .com, which according to Fox-IT is -more- than a suspicious ad network:
> https://blog.malware.../06/diagram.png
The ad silently loaded a Google shortened URL used to -redirect- to the exploit kit... This latest malvertising case illustrates the efficacy of leveraging ad networks to selectively infect end users while also demonstrating that there is a clear problem with identifying rogue advertisers. As stated by Fox-IT, the company responsible for the malvertising was not 'loaded via advertisements until Thursday last week, the first day we’ve seen this malvertising campaign in action'. This leaves some serious questions about the additional scrutiny in place for new advertisers and how it made it through security checks."

107.181.187.81: https://www.virustot...81/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 16 June 2015 - 04:21 PM.



#1483 AplusWebMaster


Posted 17 June 2015 - 07:51 AM

FYI...

Fake 'PayPal Receipt' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 June 2015 - "'Receipt for Your Payment to OMER SALIM' pretending to come from service@ intl .paypal .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-OMER-SALIM.png

17 June 2015: Receipt99704.zip: Extracts to: Receipt99704.PDF.exe
Current Virus total detections: 10/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434488522/
___

Fake 'Refunds for overpaid taxes' – Phish ...
- http://myonlinesecur...taxes-phishing/
17 June 2015 - "'Refunds for overpaid property taxes' pretending to come from HM Revenue & Customs <ecustomer.support@ hmrc .gateway .gov.uk> is an email pretending to come from HM Revenue & Customs... This one wants your personal details and your bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... This particular email has a zip attachment that when unzipped has an html webpage that asks you to fill in bank details. If you open the html attachment you see a webpage looking like this where they want your bank details, name and birth date:

Phish Screenshot: http://myonlinesecur...perty-taxes.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake 'Document Service' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 June 2015 - "'Document Service, Order Id: 14262781' pretending to come from ICC <orders@ icc .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-Order-Id.png

17 June 2015: 14262781_FMM_751061928.doc - Current Virus total detections: 4/57*
The malicious macro in this particular word doc downloads Dridex banking malware from http ://cheshiregunroom .com/23/07.exe. There are normally between 5 and 10 other download sites, all giving the same Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434529913/

** https://www.virustot...sis/1434531876/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustot...65/information/
88.221.14.249: https://www.virustot...49/information/

cheshiregunroom .com: 92.63.140.197: https://www.virustot...97/information/
___

Fake 'Message from KMBT' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Jun 2015 - "'Message from KMBT_C280' pretending to come from scanner@ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email comes in with a completely -empty- body and just the subject line of Message from KMBT_C280.

17 June 2015 : SKMBT_C28015061614410.doc - Current Virus total detections: 4/57*
This particular malicious macro downloads Dridex banking malware from http ://businesssupportsoutheastlondon .co.uk/23/07.exe which is the -same- as described in today’s other malspam word doc campaign Document Service, Order Id: 14262781** - LE BISTROT PIERRE LIMITED – ICC – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434531806/

** http://myonlinesecur...dsheet-malware/

businesssupportsoutheastlondon .co.uk: 88.208.248.144: https://www.virustot...44/information/
___

Botnet-based malicious SPAM seen this week
- https://isc.sans.edu...l?storyid=19807
2015-06-17 - "Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16... Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex [1]... Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam... Macros are -not- enabled in the default installation for Microsoft Office. To infect a computer, most people will have to -enable- macros after the document is opened, as shown below:
> https://isc.sans.edu...ry-image-04.jpg
...
> https://isc.sans.edu...ry-image-05.jpg..."

1] https://isc.sans.edu... activity/19687

2] https://isc.sans.edu...d malspam/19657
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 17 June 2015 - 12:31 PM.

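Several of the posts above describe the same trick: a zip attachment whose only member is an executable named to look like a document (Receipt99704.zip extracting to Receipt99704.PDF.exe, PI-ORDER.zip extracting to PI-ORDER.exe), relying on Windows hiding known extensions. The following is an added example, not code from this thread or from the quoted blogs, that checks an attachment for that pattern on the mail gateway or before opening; the extension lists and the in-memory sample archives are assumptions and constructed test data.

```python
"""Flag zip attachments whose members are executables dressed up as documents.

Constructed sample archives only; nothing here is real malware.
"""
import io
import zipfile

# Extensions Windows runs on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions the spoofed icon is meant to imitate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


def member_reasons(zip_name, member_name, head):
    """Return the reasons a zip member looks like a disguised executable.

    zip_name: attachment name (e.g. 'Receipt99704.zip');
    member_name: entry name inside the archive; head: its first two bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = member_name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        # Receipt99704.PDF.exe: with known extensions hidden, Explorer shows
        # 'Receipt99704.PDF' next to a PDF-looking icon.
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension ." + parts[-2] + "." + ext)
        # PI-ORDER.zip -> PI-ORDER.exe: member named after the archive itself.
        zip_stem = zip_name.rsplit("/", 1)[-1].lower().rsplit(".", 1)[0]
        if parts[0] == zip_stem:
            reasons.append("member named after archive " + zip_name)
    # A PE header under a document extension: the name lies about the content.
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) but extension ." + ext)
    return reasons


def scan_zip(zip_name, data):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = member_reasons(zip_name, info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the attachment names quoted in the posts;
# the 'MZ' prefix is only the PE magic, not an executable.
SAMPLES = {
    "Receipt99704.zip": build_sample_zip({"Receipt99704.PDF.exe": b"MZ" + b"\0" * 62}),
    "PI-ORDER.zip": build_sample_zip({"PI-ORDER.exe": b"MZ" + b"\0" * 62}),
    "invoice.zip": build_sample_zip({"invoice.pdf": b"MZ" + b"\0" * 62}),
    "report.zip": build_sample_zip({"report.pdf": b"%PDF-1.4\n%clean\n"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan_zip(name, data) or "clean")
```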


#1484 AplusWebMaster


Posted 18 June 2015 - 07:26 AM

FYI...

Fake email “Bank query alert” contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 18, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Bank query alert”. This email is sent from spoofed email addresses and has the following body:
    Good day!
    Please note that we have received the bank query from Your bank regarding the current account.
    You are asked to fill the appropriate bank form, which is enclosed below, until 20th day of
    June in order to avoid the security hold of the account. Please also confirm the following
    account No.: 9042 5736 6695 0412. After filling the document please send us the scan-copy
    so that we could duly forward it to the bank manager. If you have any questions feel
    free to contact us on: 677-77-90.
    Thanks in advance.
    Best regards, Michael Forester Managing Partner


The attached file Michael.zip contains the 46 kB large file Transfer_blocked.exe. The trojan is known as Trojan.Win32.Generic.pak!cobra, Gen:Variant.Graftor.198120, Trojan.Win32.YY.Gen.4, LooksLike.Win32.Upatre.g (v) or Downloader.Upatre!gen9. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...f11da/analysis/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.93.194.202: https://www.virustot...02/information/
173.248.29.43: https://www.virustot...43/information/
88.221.15.80: https://www.virustot...80/information/
___

Fake 'CVD Insurance' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
18 Jun 2015 - "'CVD Insurance – documents attached' pretending to come from Lowri Duffield <lowri.duffield@ brightsidegroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-attached.png

18 June 2015: 3098_001.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from http ://evolutionfoundationcollege .co.uk/66/71.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1434619773/

** https://www.virustot...sis/1434619280/

evolutionfoundationcollege .co.uk: 188.121.55.128: https://www.virustot...28/information/
___

Fake 'Transfer to your account blocked' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Jun 2015 - "'Transfer to your account blocked' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email which has random ID numbers that -match- the attachment name looks like:

    Transfer has been blocked, details in an attachment.
    ID Transfer: 96907740967
    Date of formation: Thu, 18 Jun 2015 13:35:45 +0100


18 June 2015: id96907740967_Transfer_details.zip: Extracts to: Transfer_blocked.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434629016/
___

Fake 'banking invoice' SPAM - leads to malware
- http://blog.dynamoo....ronica-cod.html
18 Jun 2015 - "This Portuguese-language spam pretends to be some sort of banking invoice, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

    From: sac.contact4e74974737@ bol .com.br
    To:    mariomarinho@ uol .com.br
    Date:    18 June 2015 at 08:46
    Subject:    NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
    Signed by:    bol .com.br ...


The reference numbers and sender change slightly in each version. I've seen three samples before, each one with a different download location... which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57*. Comments in that report indicate that this may be the Spy.Banker trojan. The Malwr report indicates that it downloads components from the following locations:
http ://donwup2015 .com.br/arq/point.php
http ://tynly2015 .com.br/upt/ext.zlib
... These sites are hosted on:
108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)
The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be -blocked-. Furthermore, Malwr shows that it drops a file with a detection rate of 2/57**...
Recommended blocklist:
108.167.188.249
187.17.111.104
..."
* https://www.virustot...sis/1434618710/
... Behavioural information
TCP connections
1] 108.167.188.249: https://www.virustot...49/information/

2] 187.17.111.104: https://www.virustot...04/information/

** https://www.virustot...sis/1434619879/
 

:ph34r:  :grrr:


Edited by AplusWebMaster, 18 June 2015 - 12:10 PM.



#1485 AplusWebMaster


Posted 19 June 2015 - 10:25 AM

FYI...

Fake 'New instructions' SPAM - malicious payload
- http://blog.dynamoo....structions.html
19 June 2015 - "This rather terse spam comes with a malicious payload:
    From:    tim [tim@ thramb .com]
    Date:    19 June 2015 at 16:40
    Subject:    New instructions
    New instructions payment of US banks, ask to read


Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe. The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57*]. Automated analysis tools... show traffic to: 93.93.194.202 :13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID ... which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33 :443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection. In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
Recommended blocklist:
93.93.194.202
66.196.63.33
"
* https://www.virustot...sis/1434725207/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.93.194.202: https://www.virustot...02/information/
66.196.63.33: https://www.virustot...33/information/
88.221.14.249: https://www.virustot...49/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 19 June 2015 - 10:39 AM.

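The 'New instructions' post above gives three network indicators for this Upatre run: the check-in URL to a raw IP on an odd port, the icanhazip.com lookup (a weak signal on its own) and a recommended blocklist. The following is an added example, not code from the blog or this thread, that runs those indicators over proxy-log lines; the log format, the generalised check-in path pattern and the constructed log entries (203.0.113.7 is a documentation address standing in for an unlisted C2) are assumptions.

```python
"""Upatre network indicators run over constructed proxy-log lines.

Log format (constructed): '<timestamp> <client_ip> <method> <url> <status>'.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The "Recommended blocklist" from the post above.
BLOCKLIST = {"93.93.194.202", "66.196.63.33"}
# External-IP lookup Upatre performs; harmless on its own, so only a weak signal.
IP_CHECK_HOSTS = {"icanhazip.com"}
# Shape of the check-in path quoted above (/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBE...).
# Assumed generalisation: six slash-separated fields ending in an upper-case token.
UPATRE_PATH = re.compile(r"^/[A-Za-z0-9]+/[A-Za-z0-9]+/\d+/[A-Za-z0-9-]+/\d+/[A-Z]+$")


def is_literal_ip(host):
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify_request(url):
    """Return (severity, reason) for one outbound URL, or None if unremarkable."""
    u = urlsplit(url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)
    if host in BLOCKLIST:
        return ("high", "destination on Upatre blocklist: " + host)
    # Plain HTTP to a raw IP on an odd port with the check-in path shape:
    # catches a new C2 address before it reaches anyone's blocklist.
    if is_literal_ip(host) and port not in (80, 443) and UPATRE_PATH.match(u.path):
        return ("high", "Upatre-style check-in to %s:%d" % (host, port))
    if host in IP_CHECK_HOSTS:
        return ("weak", "external IP lookup via " + host)
    return None


def scan_proxy_log(lines):
    """Group hits by client; 'likely infected' needs a high-severity hit."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip
        client, url = fields[1], fields[3]
        hit = classify_request(url)
        if hit:
            hits[client].append(hit)
    verdicts = {}
    for client, found in hits.items():
        severities = {sev for sev, _ in found}
        verdicts[client] = "likely infected" if "high" in severities else "review"
    return verdicts, dict(hits)


# Constructed log lines; 10.0.0.x are internal clients.
SAMPLE_LOG = [
    "2015-06-19T16:41:02 10.0.0.15 GET http://icanhazip.com/ 200",
    "2015-06-19T16:41:03 10.0.0.15 GET "
    "http://93.93.194.202:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID 200",
    "2015-06-19T16:41:05 10.0.0.15 GET https://66.196.63.33/ 200",
    "2015-06-19T16:42:10 10.0.0.22 GET http://icanhazip.com/ 200",
    "2015-06-19T16:43:00 10.0.0.30 GET http://www.example.com/index.html 200",
    "2015-06-19T16:44:00 10.0.0.41 GET "
    "http://203.0.113.7:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID 200",
]

if __name__ == "__main__":
    verdicts, hits = scan_proxy_log(SAMPLE_LOG)
    for client, verdict in verdicts.items():
        print(client, verdict, [reason for _, reason in hits[client]])
```

A client that only queried icanhazip.com lands in "review" rather than "likely infected", which matches the blog's caveat that the lookup is an indicator, not proof.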


#1486 AplusWebMaster


Posted 22 June 2015 - 06:32 AM

FYI...

Fake 'Shareholder alert' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Jun 2015 - "'Shareholder alert' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to
    resolution of the Board of Directors. Please see attached.     Glen McCoy, Partner


22 June 2015: instructions.zip size=21120.zip : Extracts to: instructions_document.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1434971131/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.93.194.202: https://www.virustot...02/information/
109.86.226.85: https://www.virustot...85/information/
88.221.15.80: https://www.virustot...80/information/

- http://blog.dynamoo....lder-alert.html
22 June 2015
"... Recommended blocklist:
64.111.36.35
93.93.194.202
"
___

Fake 'Tax inspection notification' SPAM - malicious payload
- http://blog.dynamoo....inspection.html
22 June 2015 - "This -fake- tax notification comes with a malicious payload.
    Date:    22 June 2015 at 19:10
    Subject:    Tax inspection notification
    Good day!
    Trust this e-mail finds You well.
    Please be notified that next week the revenue service is going to organize tax inspections.
    That is why we highly recommend You to file the attached form in order to be prepared.
    Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
    According to our records, the inspectors license No. is 090-96919-5886-935. Please check  as it is an important procedure rule.
    We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
    Bruce Climt,
    Tax Advisor


Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57*...  Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http ://93.93.194.202 :13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://93.93.194.202 :13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today[1] and it belongs to Orion Telekom in Serbia. This VirusTotal report** also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report[2] also shows traffic to 37.57.144.177 (Triolan, Ukraine). Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57***] and sveezback.exe [VT 15/57****]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177
"
* https://www.virustot...92f40/analysis/

** https://www.virustot...92f40/analysis/

*** https://www.virustot...sis/1434994679/

**** https://www.virustot...sis/1434994696/

1] http://blog.dynamoo....lder-alert.html

2] https://www.hybrid-a...environmentId=1
___

'Password recovery' SCAM hitting Gmail, Outlook and Yahoo Mail users
- http://net-security....ld.php?id=18537
22 June 2015 - "A simple yet ingenious scam is being used by scammers to compromise accounts of Gmail, Outlook and Yahoo Mail users, Symantec researcher Slawomir Grzonkowski warns*. 'To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort... The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their -mobile- phone.' Once the verification code is sent to the legitimate user's mobile phone, it's followed by a message by the scammer, saying something like: 'Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.' The victim sends the verification code to the scammers, and they use it to access the email account.
Occasionally, the code is sent too late and doesn't work anymore, so the scammers -reiterate- the need for the code to be sent in. When they finally get access to the email account, they don't shut the real owner out. Instead, they usually add an -alternate- email to the account and set it up so that copies of all messages are forwarded to it. Then they change the password, and send it to the victim via SMS ('Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]') in order to complete the illusion of legitimacy. 'The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups'... It's likely that they use those email accounts to gain access to other online accounts tied to them. Users are advised to be suspicious of SMS messages asking about verification codes, especially if they did -not- request one, and check their authenticity directly with their email provider."
*
Video 2:17
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 22 June 2015 - 02:24 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
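Added example (not from the post above or from the dynamoo/myonlinesecurity write-ups it quotes): a small Python triage routine for the two attachment tricks those write-ups describe, the bogus ' size=NNNN.zipsize=NNNN' suffix on the ZIP name and an .exe inside the archive that poses as a PDF or DOC. The member names come from the reports; the archive bytes, the MZ stub and the keyword lists are constructed assumptions.

```python
"""Triage of ZIP e-mail attachments for the tricks described in the post above.

Added example; it is not code from the post or from the blogs it quotes.
Two checks: (1) the attachment name carries the bogus
' size=NNNN.zipsize=NNNN' suffix seen on check.zip / tax_*.zip, which is
meant to trip up ZIP handlers and mail filters; (2) an archive member is a
Windows executable (MZ header) and/or has an executable extension behind a
document-looking name (info_bank_pdf.exe, Privacy Policy.doc.scr).
The sample archives built below are constructed fixtures, not real samples.
"""
import io
import re
import zipfile

# Extensions Windows runs as programs or scripts (assumed list; extend to taste).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# Words that make a name read like a document to the recipient (assumed list).
DOC_HINTS = re.compile(r"pdf|doc|xls|invoice|form|statement|receipt", re.IGNORECASE)
# 'check.zip size=57747.zipsize=57747' -> advertised size 57747
MALFORMED_NAME = re.compile(r"\.zip\s+size=(\d+)\.zipsize=(\d+)\s*$", re.IGNORECASE)


def malformed_zip_name(filename):
    """Advertised size if the name matches the malformed pattern, else None."""
    m = MALFORMED_NAME.search(filename)
    return int(m.group(1)) if m else None


def spoofed_document(member_name):
    """True when the real extension is executable but the rest of the name reads like a document."""
    lower = member_name.lower()
    if "." not in lower:
        return False
    stem, ext = lower.rsplit(".", 1)
    return "." + ext in EXEC_EXTS and DOC_HINTS.search(stem) is not None


def triage_attachment(filename, data):
    """Findings (list of strings) for one attachment given its name and raw bytes."""
    findings = []
    advertised = malformed_zip_name(filename)
    if advertised is not None:
        findings.append("malformed attachment name (advertised size %d, actual %d bytes)"
                        % (advertised, len(data)))
    if not data.startswith(b"PK\x03\x04"):
        findings.append("not a ZIP archive despite the name")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":
                findings.append("member %s is a Windows executable (MZ header)" % info.filename)
            if spoofed_document(info.filename):
                findings.append("member %s hides an executable extension behind a document-like name"
                                % info.filename)
    return findings


def build_sample_zip(member_name, payload):
    """Constructed fixture: an in-memory ZIP with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62          # constructed stub: only the DOS magic matters here
    fake_pdf = b"%PDF-1.4\n%%EOF\n"
    cases = [
        ("check.zip size=57747.zipsize=57747", "info_bank_pdf.exe", fake_pe),
        ("Privacy Policy.zip", "Privacy Policy.doc.scr", fake_pe),
        ("report.zip", "report.pdf", fake_pdf),
    ]
    for attachment, member, payload in cases:
        for finding in triage_attachment(attachment, build_sample_zip(member, payload)) or ["clean"]:
            print("%-40s %s" % (attachment, finding))
```

Run it and the three constructed cases print their findings; in a mail gateway the same function would run over each decoded attachment before the recipient ever sees the spoofed icon.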


#1487 AplusWebMaster

Posted 23 June 2015 - 08:57 AM

FYI...

Fake 'list of missing documents' SPAM - malicious attachment
- http://blog.dynamoo....-finds-you.html
23 June 2015 - "This spam comes with a malicious attachment:
    Date:    23 June 2015 at 14:14
    Subject:    Hope this e-mail finds You well
    Good day!
    Hope this e-mail finds You well.
    Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
    However there are some forms missing.
    We made the list of missing documents for Your ease (the list is attached below).
    Please kindly check whether these forms are kept in your records.
    In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.
    Stacey Grimly,
    Project Manager


Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717
The file sizes actually -match- the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters. Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52* or 3/54**. Automated analysis tools... indicate traffic to the following locations:
93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)
... Malwr reports... show dropped files named yaxkodila.exe (two versions, VT 5/54*** and 5/55****) plus a file jieduk.exe (VT 8/54)[5].... the VirusTotal analysis also throws up another IP address of: 104.174.123.66 (Time Warner Cable, US). The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66
"
* https://www.virustot...sis/1435063484/

** https://www.virustot...sis/1435063502/

*** https://www.virustot...sis/1435064473/

**** https://www.virustot...sis/1435064478/

5] https://www.virustot...sis/1435064476/

- http://myonlinesecur...e-pdf-malware/#
23 June 2015
- https://www.virustot...sis/1435062320/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.93.194.202: https://www.virustot...02/information/
72.230.82.80: https://www.virustot...80/information/
___

Fake 'Agreement' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 June 2015 - "'Agreement' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello,
    As per your question please find attached the application form.
    Please fill out each detail and returnit back to us via emailsoon as possibleWith this information we will be able to help you resolve this issue.
    Thank you.


23 June 2015: new_filling_form.zip: Extracts to: new_application_form.exe
Current Virus total detections: 10/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1435078814/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.93.194.202: https://www.virustot...02/information/
216.254.231.11: https://www.virustot...11/information/
 

:ph34r:   :grrr:


Edited by AplusWebMaster, 23 June 2015 - 12:25 PM.

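Added example, covering the Upatre/Dyre write-ups in both this post and the 22 June one before it (not code from the posts or from dynamoo): a Python sweep over proxy logs that checks each request's destination against the 'Recommended blocklist' addresses quoted above and its path against a pattern generalised from the two check-in URLs quoted for 93.93.194.202. The pattern, the log format and the log lines are constructed assumptions; only the two URLs and the IPs come from the posts.

```python
"""Proxy-log sweep for the Upatre/Dyre traffic described in the two posts above.

Added example; not code from the posts or from the dynamoo write-ups they
quote. Two checks per request: the destination host against the
'Recommended blocklist' addresses printed in the posts, and the URL path
against a pattern generalised from the two check-in URLs quoted for
93.93.194.202 (/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK and
/203/HOME/41/5/4/ELHBEDIBEHGBEHK). The pattern, the log format and the
log lines themselves are assumptions constructed for this example.
"""
import re
from ipaddress import ip_address

# IPs from the 22 and 23 June 2015 'Recommended blocklist' entries above.
BLOCKLIST = {
    "64.111.36.35", "93.93.194.202", "178.214.221.89", "37.57.144.177",
    "173.216.240.56", "188.255.169.176", "68.190.246.142", "104.174.123.66",
}
# Generalised Upatre check-in path: /<digits>/HOME/<digits>/<os tag>/<digits>/<uppercase id>
UPATRE_PATH = re.compile(r"^/\d+/HOME/\d+/[A-Za-z0-9.-]+/\d+/[A-Z]{10,20}$")
# Assumed log format: "<timestamp> <client> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")
URL = re.compile(r"^https?://([^/:?#]+)(?::(\d+))?(/[^?#\s]*)?")


def parse_line(line):
    """Split one log line into a dict, or None if it does not fit the assumed format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = URL.match(url)
    if not u:
        return None
    host, port, path = u.group(1), u.group(2), u.group(3) or "/"
    return {"ts": ts, "client": client, "method": method, "host": host,
            "port": int(port) if port else 80, "path": path, "status": int(status)}


def is_literal_ip(host):
    """True for a bare IPv4/IPv6 address, False for a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_event(ev):
    """Reasons (possibly empty) why this request looks like Upatre/Dyre activity."""
    reasons = []
    if ev["host"] in BLOCKLIST:
        reasons.append("destination %s is on the recommended blocklist" % ev["host"])
    if UPATRE_PATH.match(ev["path"]):
        reasons.append("path matches the Upatre check-in pattern")
    if is_literal_ip(ev["host"]) and ev["port"] not in (80, 443, 8080):
        reasons.append("HTTP to a bare IP on non-standard port %d" % ev["port"])
    return reasons


def scan(lines):
    """Return (client, host, path, reasons) for every line that raises at least one reason."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = check_event(ev)
        if reasons:
            alerts.append((ev["client"], ev["host"], ev["path"], reasons))
    return alerts


# Constructed log lines; only the two URLs for 93.93.194.202 come from the post.
SAMPLE_LOG = """\
2015-06-22T19:12:03Z 10.0.0.5 GET http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK 200
2015-06-22T19:12:04Z 10.0.0.5 GET http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK 200
2015-06-22T19:13:10Z 10.0.0.7 GET http://www.example.com/index.html 200
2015-06-22T19:14:00Z 10.0.0.9 GET http://178.214.221.89/ 404
2015-06-22T19:15:00Z 10.0.0.9 GET http://198.51.100.20/203/HOME/7/XP/0/ABCDEFGHIJKLMNOP 200
"""

if __name__ == "__main__":
    for client, host, path, reasons in scan(SAMPLE_LOG.splitlines()):
        print(client, host, path)
        for r in reasons:
            print("   -", r)
```

Blocking the listed IPs catches today's servers; the path check is what still fires when the downloader moves to a fresh host, as the last constructed line shows. Expect to tune the pattern against your own traffic before alerting on it.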


#1488 AplusWebMaster

Posted 24 June 2015 - 07:35 AM

FYI...

Fake 'Hilton Hotels' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 June 2015 - "'A for guest WARDE SAID' pretending to come from CTAC_DT_Hotel@ Hilton .com with a zip attachment is another one from the current bot runs... The email looks like:
    Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
    Enclosed is a copy of your receipt(FOLIODETE_9601395.pdf). Should you require any further assistance please do not hesitate to contact us directly.
     We look forward to welcoming you back in the near future.
     This is an automatically generated message. Please do not reply to this email address...


24 June 2015: FOLIODETE_9601395.zip: Extracts to: FOLIODETE_2015_0006_0024.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1435142883/
___

Fake 'Considerable law alternations' SPAM - malicious payload
- http://blog.dynamoo....erable-law.html
24 June 2015 - "This -fake- legal spam comes with a malicious payload:
    Date: Wed, 24 Jun 2015 22:04:09 +0900
    Subject: Considerable law alternations
    Pursuant to alternations made to the Criminal Code securities have to be reestimated.
    Described proceeding is to finish until April 2016.
    However shown levy values to be settled last in this year.
    Please see the documents above  .
    Pamela Adams
    Chief accountant


In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55*. Automated analysis tools... show malicious traffic to the following IPs:
93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55**) and qppwkce.exe (VT 3/55***). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.
Recommended blocklist:
93.185.4.90
216.16.93.250
195.34.206.204
75.98.158.55
185.47.89.141
83.168.164.18
85.192.165.229
178.222.250.35
"
* https://www.virustot...sis/1435151345/

** https://www.virustot...sis/1435153236/

*** https://www.virustot...sis/1435153268/
___

Fake Bank of America Twitter Feed Leads to Phish ...
- https://blog.malware...-phishing-page/
June 24, 2015 - "Over the last day or so, a Twitter feed claiming to be a support channel for Bank of America has been sending links and messages to anybody having issues with their accounts. Here’s the dubious BoA Twitter account in question:
> https://blog.malware...oatwitfeed1.jpg
... In most cases, they direct people to a URL where they can supposedly fix their problems, which is
sclgchl1(dot)eu(dot)pn/index(dot)html
They’ve also been seen asking for credentials directly via DM (Direct Message). They appear to be using that classic Twitter -phishing- technique: look for people sending help messages to an official account, then inject themselves into the conversation:
> https://blog.malware...oatwitfeed2.jpg
Here’s a sample list of messages they’ve been sending to BoA customers:
> https://blog.malware...witterstorm.jpg
Some things to note: the Twitter account is -not- verified, and the page collecting personal information is not HTTPS secured which is never a good sign where sending banking credentials to someone is concerned. If you land on their page with JavaScript disabled, you’ll be asked to switch it on again:
> https://blog.malware...oatwitfeed3.jpg
The site asks for the following information: Online ID, Passcode, Account Number, Complete SSN or Tax Identification Number and Passcode. Once all of this information is entered, the victim is redirected to the real Bank of America website... At time of writing, the site is being flagged by Chrome for phishing:
> https://blog.malware...oatwitfeed7.jpg
We’ve also spotted another page on the same domain which looks like a half-finished Wells Fargo “Security Sign On” page:
> https://blog.malware...oatwitfeed8.jpg
We advise customers of BoA to be very careful where they’re sending account credentials – note that the official BoA Twitter feed has a -Verified- icon, and that small but crucial detail could make all the difference where keeping your account secure is concerned."

sclgchl1(dot)eu(dot)pn: 83.125.22.211: https://www.virustot...11/information/
___

Samsung laptops deliberately disable Windows Update with bloatware
- http://www.theinquir...-with-bloatware
Jun 24 2015 - "... Samsung, in common with a number of manufacturers, has an app for finding the latest drivers and updates to, well, frankly, bloatware. In Samsung's case the app is called SW Updater. Samsung describes it thus: 'Find easy ways to install and maintain the latest software, protect your computer, and back up your music, movies, photos and files'... a teardown from Microsoft MVP Patrick Barker* has revealed that Samsung laptops -include- an executable file called Disable_Windowsupdate.exe which kind of explains itself really. What's really disturbing about this, as if it wasn't enough already, is that if you turn Windows Update back on, SW Updater goes back and turns it back -off- again..."
* http://bsodanalysis....ng-windows.html

- http://www.neowin.ne...p-your-settings
Jun 24, 2015
___

Instapaper App vulnerable to Man-in-the-Middle Attacks
- http://labs.bitdefen...middle-attacks/
June 23, 2015 - "... analyzed popular Android app Instapaper and found it can be vulnerable to man-in-the-middle attacks that could expose users’ signup/login credentials when they try to log into their accounts. The vulnerability may have serious consequences, especially if users have the same password for more than one account, leaving them potentially vulnerable to intrusions.
The Problem: Instapaper allows users to save and store articles for reading, particularly for when they’re offline, on the go, or simply don’t have access to the Internet. The application works by saving most web pages as text only and formatting their layout for tablets or phone screens. Everyone who wants to use the application is required to sign up and create an account to check out notes, liked articles or access other options. However, the vulnerability lies not in the way the application fetches content, but in the way it implements (or in this case, doesn’t implement) certificate validation. Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, he could use a self-signed certificate and start “communicating” with the application...
The Attack: If a user were to sign into his account while connected to a Wi-Fi network that’s being monitored by an attacker, his authentication credentials (both username and password) could easily be intercepted using any fake certificate and a traffic-intercepting tool...
Implications: While the attacker might seem to only gain access to your Instapaper account, most people use the same password for multiple accounts. A cybercriminal could try and use your Instapaper password to access your social media or email accounts. Studies have shown that more than 50% of users reuse the same password, so the chances are -better- than even that more than one account could be vulnerable if your Instapaper credentials have been stolen. We have notified the development team behind the Android Instapaper app about the found vulnerability, but they have yet to confirm when a fix will become available..."
___

SEC hunts hacks who stole corp emails to trade stocks
- http://www.reuters.c...N0P31M720150623
Jun 23, 2015 - "U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cybersecurity consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye Inc about a sophisticated hacking group that it dubbed 'FIN4'. Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report*..."
* https://www.fireeye....ling_insid.html
Nov 30, 2014

- http://www.reuters.c...nel=cyber-crime
Video 2:08
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 25 June 2015 - 07:11 AM.



#1489 AplusWebMaster

Posted 25 June 2015 - 07:47 AM

FYI...

Dyre emerges as main financial Trojan threat
- http://www.theregist..._symantec_says/
25 Jun 2015 - "...  the masterminds behind the Dyre banking malware are putting in full five-day working weeks to maintain some -285- command and control servers handling stolen banking credentials. The malware is one of the worst in circulation using its fleet of command and control servers to handle the reams of bank account data blackhats steal using phishing websites. Symantec says* the attacks are confined largely to Europe outside of Russia and Ukraine where most of the command and control servers are located..."
* http://www.symantec....l-trojan-threat
23 Jun 2015 - "... After a number of recent takedowns against major financial threats such as Gameover Zeus, Shylock, and Ramnit, the threat posed by these groups has receded but Dyre has taken their place as one of the main threats to ordinary consumers. Detected by Symantec as Infostealer.Dyre, Dyre targets Windows computers and can steal banking and other credentials by attacking all three major web browsers (Internet Explorer, Chrome, and Firefox). Dyre is a two-pronged threat. Aside from stealing credentials, it can also be used to infect victims with other types of malware, such as adding them to -spam- botnets... the number of Dyre infections began to surge a year ago and the attackers behind this malware have steadily improved its capabilities and continued to build out supporting infrastructure:
Dyre detections over time:
> http://www.symantec....031/Fig1_24.png
... Dyre is mainly spread using spam emails. In most cases the emails masquerade as businesses documents, voicemail, or fax messages. If the victim clicks-on-an-email’s-attachment, they are -redirected- to a malicious website which will install the Upatre downloader on their computer... In many cases, the victim is added to a -botnet- which is then used to power further spam campaigns and infect more victims..."

>> https://www.symantec...fographic_1.jpg
___

Web security subtleties and exploitation of combined vulnerabilities
- https://isc.sans.edu...l?storyid=19837
2015-06-25 - "The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application... what we exploit with the XSS vulnerability in the first place: typically the attacker tries to steal cookies in order to gain access to the victim’s session. Since here sessions are irrelevant, the attacker will not use XSS to steal cookies but instead to change what the web page displays to the victim. This can be used for all sorts of -phishing- exploits and, depending on the URL and context of the attack, can be even more devastating than stealing the sessions."
(More detail at the isc URL above.)
___

Fraud Alert Issued on Business Email Compromise Scam
- https://www.us-cert....Compromise-Scam
June 24, 2015 - " The Financial Services Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies have released a joint alert warning companies of a sophisticated wire payment scam referred to as business email compromise (BEC). Scammers use fraudulent information to trick companies into directing financial transactions into accounts scammers control. Users and administrators are encouraged to review the BEC Joint Report (link is external*) for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* https://www.fsisac.c...oduct_Final.pdf

** https://www.us-cert....s/tips/ST04-014
"... Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information..."

- http://blogs.cisco.c...ker#more-172509
June 24, 2015 - "... Attackers are constantly targeting user data and attempting to trick users into leaking sensitive information through phishing campaigns. These phishing attempts are targeting normal users who represent the customers of the various businesses being targeted. If the emails come through a work email, the user can take advantage of a layered approach to security that will usually indicate these attacks as spam or even malicious. Most home users, however, do not have the same layered security configuration on their home networks. Many of these phish also attempt to try to place time pressure on the user to get them to act quickly and without taking the time to think about what they are doing. Therefore, it is important for users to be constantly vigilant, and to remain -calm- when they receive that cleverly crafted phishing email. Users should always take time to think -before- revealing any sensitive information, whether it is on the phone, via email, or through the web..."
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 25 June 2015 - 11:21 AM.



#1490 AplusWebMaster

Posted 26 June 2015 - 08:01 AM

FYI...

Fake 'Xerox Scan' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 June 2015 - "'Scanned from a Xerox Multifunction Printer' pretending to come from Xerox (random number) @ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Printer.
    Attachment File Type: DOC, Multi-Page
    Multifunction Printer Location:
    Device Name: XRX9C934E5EEC46 ...


26 June 2015: Scanned from a Xerox Multifunction Printer.doc
Current Virus total detections: 4/56* ... downloads Dridex banking malware from  http ://sudburyhive .org/708/346.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435301557/

** https://www.virustot...a4b93/analysis/
... Behavioural information
TCP connections
68.169.49.213: https://www.virustot...13/information/
88.221.15.80: https://www.virustot...80/information/

sudburyhive .org: 104.27.172.61: https://www.virustot...61/information/
104.27.173.61: https://www.virustot...61/information/
___

Fake 'Vehicle Tax' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 June 2015 - "'Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)'  pretending to come from directdebit@ taxdisc.service .gov .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Important: Confirmation of your successful
    Direct Debit instruction
    Dear customer
    Vehicle registration number: FG08OEE
    Thank you for arranging to pay the vehicle tax by Direct Debit.
    Please can you check that the details attached below, and your payment schedule are correct.
    If any of the above financial details are incorrect please contact your bank as soon as possible.
    However, if your details are correct you don’t need to do anything and your Direct Debit will be
    processed as normal. You have the right to cancel your Direct Debit at any time. A copy of the
    Direct Debit Guarantee is included with this letter.
    For your information, the collection will be made using this reference, and this is how your
    payment will be detailed on your bank statements:
        DVLA Identifier: 295402
        Reference: FG08OEE
    Your vehicle tax will automatically renew unless you notify us of any changes. We will send a new
    payment schedule at the time of renewal.
    Yours sincerely
    Rohan Gye
    Vehicles Service Manager
    Driver a& Vehicle Licencing Agency logo


26 June 2015 : FG08OEE.doc - Current Virus total detections: 4/55* . This downloads the same Dridex banking malware in exactly the -same- way as today’s other malspam word macro downloader 'Scanned from a Xerox Multifunction Printer' – word doc or excel xls spreadsheet malware** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435304855/

** http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....of-vehicle.html
26 June 2015
werktuigmachines .be: 46.30.212.5: https://www.virustot....5/information/
___

Fake 'Order Confirmation' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 June 2015 - "'Order Confirmation RET-385236 250615' pretending to come from [1NAV PROD RCS] <donotreply@ royal-canin .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

[Garbled text in body]... When it is repaired it then reads:

    Please find attached your Sales Order Confirmation
    Note: This e-mail was sent from a notification only e-mail address that
    cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.


This has an attachment as described below:
25 February 2015: Order Confirmation RET-385236 250615.doc - Current Virus total detections: 4/56*
... which is a macro downloader that downloads Dridex banking malware in exactly the -same- way and from the same series of locations as today’s other malspam runs 'Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)' - word doc or excel xls spreadsheet malware -and- 'Scanned from a Xerox Multifunction Printer' – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435313019/

- http://blog.dynamoo....mation-ret.html
26 June 2015
"... Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155
"

colchester-institute .com: 213.171.218.136: https://www.virustot...36/information/
___

Fake 'Transport' SPAM - doc/xls malware
- http://myonlinesecur...heet-malware-2/
26 June 2015 - "Email from 'Transport for London' pretending to come from noresponse@ cclondon .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
     Dear Customer,
    Please open the attached file to view correspondence from Transport for
    London.
     If the attachment is in DOC format you may need Adobe Acrobat Reader to
    read or download this attachment.
     Thank you for contacting Transport for London.
     Business Operations
    Customer Service Representative
    This email has been scanned by the Symantec Email Security.cloud service...


26 June 2015: AP0210932630.doc - Current Virus total detections: 5/54*
... which is yet another in today’s -malspam- series of macro malware downloaders that deliver Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435315714/
___

Samsung's bundled SW Update tool actively -disables- Windows Update on reboot
- http://arstechnica.c...some-computers/
Updated, June 25... "... We have reached out to both Samsung and Microsoft for comment, but they hadn't replied at the time of publishing... SW Update is included on many Samsung PCs, but it's possible that Disable_Windowsupdate.exe is only being executed on a subset of devices that are "incompatible" with Windows Update. If you have a Samsung laptop, perhaps go and check if Windows Update is still enabled..."
> Unresolved.

- http://www.neowin.ne...p-your-settings
Jun 24, 2015
___

Critical flaw in ESET products...
- http://www.infoworld...s-programs.html
Jun 24, 2015 - "Several antivirus products from security firm ESET had a critical vulnerability that was easy to exploit and could lead to a full system compromise. The discovery of the flaw, which has now been patched*, comes on the heels of a report that intelligence agencies from the U.K. and the U.S. are reverse engineering antivirus products in search for vulnerabilities and methods to bypass detection..."
* http://www.virusrada...date/info/11824
2015-06-22 - "A security vulnerability has been -fixed- in the scanning engine..."
___

Memo Spam
- http://threattrack.t...83493/memo-spam
26 June 2015 - "Subjects Seen:
    Memo dated 9th June
    Memo dated 13th March


Screenshot: https://36.media.tum...1r6pupn_500.png

Typical e-mail details:
    Be acknowledged that on Monday the 6th of May a letter was forwarded to chief accountant The indicated act has important information considering the levy refund procedure
    We ask you to verify the proper receiving of the facsimile .
    For Your convenience this document had been attached.
    Helen Smith
    Tax Officer


Malicious File Name and MD5:
    fragment_of_the_forwarded_prescript.exe (d8885ab98d6e60295a4354050827955e)


Tagged: Memo, Upatre
___

Stop Spamming Me Spam
- http://threattrack.t...pamming-me-spam
25 June 2015 - Subjects Seen
    stop spamming me

Screenshot: https://40.media.tum...1r6pupn_500.png

Typical e-mail details:
    stop sending me offers from towcaps.com
    i am not interested.
    i have attached the email i received from jmcfarland@ towcaps .com.
    please stop


Malicious File Name and MD5:
    email_message.doc (26185bf0c06d8419c09c76a0959d2b85)


Tagged: Word Macro Exploit, Fareit, Stop Spamming
___

Signed CryptoWall 3.0 variant delivered via MediaFire
- http://research.zsca...-delivered.html
June 4, 2015 - "... search led us to this e-mail campaign* where the attachment contains a Microsoft Compiled HTML help (CHM) file that leads to the download and execution of the latest CryptoWall 3.0 variant hosted on MediaFire..."
* https://techhelplist...hase-co-malware
>> https://malwr.com/an...GIyOWZjM2I3YTU/
"... Hosts..."
[CryptoWall 3.0] / -Still- -all- pumping badness 6.26.2015 !!
 



Edited by AplusWebMaster, 26 June 2015 - 03:30 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1491 AplusWebMaster

Posted 29 June 2015 - 05:26 AM

FYI...

Multiple Exploit kits abuse CVE-2015-3113
- http://malware.dontn...800160-and.html
June 29, 2015 - "Patched... (2015-06-23) with Flash 18.0.0.194*, the CVE-2015-3113 has been spotted as a 0day by FireEye, exploited in limited targeted attacks. It's now making its path to Exploit Kits...
Magnitude: 2015-06-27 ... IE11 in Windows 7... 2015-06-27
Angler EK: 2015-06-29 ... IE11 in Windows 7... 2015-06-29
* https://helpx.adobe..../apsb15-14.html

> https://technet.micr...ecurity/2755801
June 23, 2015
___

Fake 'Hello' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
29 June 2015 - "'Hello' pretending to come from Willa <swaffs@ tiscali .co.uk> with a malicious word doc rtf attachment is another one from the current bot runs... The email looks like:
    I reserved for myself and friends three double rooms with 30.06 to 14:06.
    I wanted to change a reservation!
    Because some friends canceled, I would like to change reservation to two double room!
    Thanks!
    Therese.


28 June 2015: document.rtf - Current Virus total detections: 8/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435533593/
___

Fake 'WhatsApp Chat' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
29 June 2015 - "'WhatsApp Chat with Jay Stephenson' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Chat history is attached as “WhatsApp Chat: Jay Stephenson.txt” file to this email.

29 June 2015 : WhatsApp Chat_ Jay Stephenson.doc     Current Virus total detections: 4/55*
... Which downloads Dridex banking malware from http ://dev.seasonsbounty .com/543/786.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435562464/

** https://www.virustot...sis/1435564213/
... Behavioural information
TCP connections
78.47.139.58: https://www.virustot...58/information/
88.221.14.249: https://www.virustot...49/information/

seasonsbounty .com: 104.28.28.38: https://www.virustot...38/information/
104.28.29.38: https://www.virustot...38/information/
___

Fake 'CEF Documents' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
29 June 2015 - "'CEF Documents' pretending to come from Dawn.Sandel@ cef .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached the following documents issued by City Electrical Factors:
    Invoice – BLA/176035 – DUCHMAID
    If you have any problems or questions about these documents then please do not hesitate to contact us.
    Regards,
    Dawn Sandel ...


29 June 2015 : BLA176035.doc - Current Virus total detections: 5/56*
... Downloads the same Dridex banking malware as described in today’s earlier malspam run of malicious word docs 'WhatsApp Chat with Jay Stephenson' – word doc or excel xls spreadsheet malware** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435572586/

** http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....-documents.html
29 June 2015
"... Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5
"
___

Fake 'Payslip' SPAM - malicious payload
- http://blog.dynamoo....period-end.html
29 June 2015 - "This -fake- financial spam comes with a malicious payload:
    From:    noreply@ fermanagh .gov.uk [noreply@ fermanagh .gov.uk]
    Date:    29 June 2015 at 11:46
    Subject:    Payslip for period end date 29/06/2015
    Dear [redacted]
    Please find attached your payslip for period end 29/06/2015
    Payroll Section


Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55*. Automated analysis... shows a file being downloaded from:
http :// audileon .com.mx/css/proxy_v29.exe . That binary has a detection rate of just 2/55 [Malwr analysis**]. Also, Hybrid Analysis... shows the following IPs are contacted for what looks to be malicious purposes:

I am unable to determine exactly what the payload is..."
Recommended blocklist: ..."
* https://www.virustot...sis/1435584105/

** https://malwr.com/an...WE1Y2RkYTg2Mzc/

audileon .com.mx: 69.73.179.87: https://www.virustot...87/information/
___

Fake 'Paypal' PHISH...
- http://myonlinesecur...k-com-phishing/
28 June 2015 - "'Receipt for your PayPal payment to Zynga Games@ facebook .com' pretending to come from service@ paypal .com.au <payment.refunds@ netcabo .pt> is one of the latest -phish- attempts to steal your Paypal account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecur...phish_email.png

The link in the email when you hover over it sends you to http ://guyit64d43tyw45uaer .saves-the-whales .com/ATERJT 8OYG8 JHG5R8 YRDTDY JYUGH DRYCJ/
If you follow the link you see a webpage looking like:
> http://myonlinesecur...pal-login-1.png
After entering email and password, you get sent to a page saying your account has been -frozen- due to fraud, continue to resolution centre to sort it out.
> http://myonlinesecur...hales-phish.png
Following that link gets you to the nitty-gritty of the phishing scam and you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecur...pal-login-2.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

saves-the-whales .com: 204.13.248.119: https://www.virustot...19/information/

afrikids .com.mx: 192.185.140.214: https://www.virustot...14/information/
 



Edited by AplusWebMaster, 29 June 2015 - 04:13 PM.



#1492 AplusWebMaster

Posted 30 June 2015 - 06:23 AM

FYI...

Fake Twitter Verification Profile leads to Phishing, Credit Card Theft
- https://blog.malware...dit-card-theft/
June 30, 2015 - "... we’ve come across a -bogus- Twitter account harbouring a nasty surprise for anybody taken in by their fakery. Twitter Feed “Verified6379” claims to be an “Official Verification Page” with a link to a shortened Goo.gl URL. The site it directs visitors to is:
verifiedaccounts(dot)byethost9(dot)com/go(dot)html
Here’s the Twitter feed in question:
> https://blog.malware...ketwtverif0.jpg
... This week has seen 3,000+ click the link so far, with the majority of visitors coming from the US and UK. What do those with a thirst for verification see upon hitting the page? A rather nasty double whammy of phishing and payment information theft. First up, the -phish- which asks for Username, Password and Email along with questions about why the victim thinks they should be verified, if they’ve ever been suspended and how many followers they have. Note that once the accounts have been compromised, information such as follower count makes it easy for the phisher to work out which are the best ones to use to spread more malicious links:
> https://blog.malware...ketwtverif1.jpg
After this, the verification hunter will be presented with the below screen:
> https://blog.malware...ketwtverif2.jpg
The page reads as follows:
Congratulations! You are one step away from being verified, please understand we require each user to pay the $4.99 verification fee. Processing this fee allows us to verify your identity much faster.
Uh oh. They then go on to ask for card number, expiration date, CVV, name, address, phone number, state, country and zip code along with a confirmation email. There’s no way to know how many people completed all of the steps, but there’s potential here for the scammers to have made off with quite the haul of stolen accounts and pilfered payment credentials. Note that the so-called payment page doesn’t have a secured connection either, so if a third party happened to be snooping traffic and you were on an insecure connection there’d now be two people running around with your information instead of just one. We’ve seen a number of possibly related accounts pushing out similar links, all offline / suspended at time of writing. There’s sure to be others floating around, so please be careful with your logins... more information on Twitter Verification, you should read their FAQ page. From a related article:
'Twitter currently does -not- accept applications for verification. If we identify your account as being eligible, we will reach out to you to start the verification process'.
The only Twitter feed you should pay any attention to with regards the little blue tick is the Official Verification account – anybody else should be treated with caution, especially if asking for logins via Direct Message or websites asking for -credentials- and / or -payment- information..."

verifiedaccounts(dot)byethost9(dot)com: 185.27.134.210: https://www.virustot...10/information/
___

Fake 'Bank payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
30 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached a bank payment for 28th June 2015 for £288.00
    to pay inv 1631 less cr 1129. With thanks.
     Kind regards
     Sarah
    Accounts
    SBP Beauty & Lifestyle


30 June 2015: Bank payment 281014.doc - Current Virus total detections: 3/56*
... Downloads Dridex banking malware from:
 http ://www .medisinskyogaterapi .no/59/56.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435652743/

** https://www.virustot...sis/1435653462/
... Behavioural information
TCP connections
78.47.139.58: https://www.virustot...58/information/
88.221.14.249: https://www.virustot...49/information/
___

Fake 'Payment due' SPAM - malicious attachment
- http://blog.dynamoo....navipondev.html
30 June 2015 - "This -fake- invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:
    From     "Donna Vipond" [donna.vipond@ ev-ent .co.uk]
    Date     Tue, 30 Jun 2015 13:13:28 +0100
    Subject     Payment due - 75805
    Please advise when we can expect to receive payment of the attached
    invoice now due?  I await to hear from  you.
    Kind Regards
    Donna Vipond
    Accounts
    Event Furniture Ltd T/A Event Hire
    Tel: 01922 628961 x 201


Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis). The samples I saw downloaded a file from either:
www .medisinskyogaterapi .no/59/56.exe
www .carpstory .de/59/56.exe
This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55*. The various analyses including Malwr report and Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany). The payload is probably the Dridex banking trojan.
Recommended blocklist:
78.47.139.58 "
* https://www.virustot...sis/1435667157/

medisinskyogaterapi .no: 178.164.11.101: https://www.virustot...01/information/

carpstory .de: 81.169.145.164: https://www.virustot...64/information/

- http://myonlinesecur...dsheet-malware/
30 June 2015 - "... -same- Dridex banking malware as today’s other malspam run of macro enabled word docs Bank payment SBP Beauty & Lifestyle hairandhealth .co.uk* – word doc or excel xls spreadsheet malware..."
> https://www.virustot...sis/1435667097/

* http://myonlinesecur...dsheet-malware/
___

RFC 7568 Deprecates SSLv3 As Insecure
- http://tech.slashdot...lv3-as-insecure
June 30, 2015 - "SSLv3 should -not- be used*, according to the IETF's RFC 7568. Despite being replaced by three versions of TLS, SSLv3 is still in use. Clients and servers are now recommended to reject requests to use SSLv3 for secure communication. "SSLv3 Is Comprehensively Broken" ** say the authors, and lay out its flaws in detail."
* http://tools.ietf.org/html/rfc7568

** http://tools.ietf.or...c7568#section-4
___

Malvertising targeting the Netherlands
- http://blog.fox-it.c...he-netherlands/
Update 16-06-2015: "After coordinating with the advertisers the malicious host was -blocked- and removed from their advertisement platforms. Indicators of Compromise:
The following IP and domain should be -blocked- in order to avoid the current campaign:
    otsmarketing[.]com / 107[.]181[.]187[.]81
The Angler Exploit kit typically installs the Bedep Trojan, which installs -additional- malware. Bedep can typically be found by looking at consecutive POST requests to the following two websites:
    earthtools .org/timezone/0/0
    ecb.europa .eu/stats/eurofxref/eurofxref-hist-90d.xml
We have yet to identify the final payload."

107.181.187.81: https://www.virustot...81/information/

earthtools .org: Could not find an IP address for this domain name.

ecb.europa .eu: 208.113.226.171: https://www.virustot...71/information/
 



Edited by AplusWebMaster, 30 June 2015 - 01:12 PM.

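The Bedep indicator Fox-IT gives in the post above (two consecutive POSTs from one client to the earthtools .org and ecb.europa .eu URLs) as detection logic run over constructed proxy log lines, together with a check for the otsmarketing host the post says to block. This is an added example, not Fox-IT's or the forum's code; the log layout, the one-minute gap and the sample lines are assumptions.

```python
"""Detection for the Bedep beacon pattern Fox-IT describes above (paired POSTs
to earthtools.org and ecb.europa.eu) and for contact with the Angler host the
post says to block. Added example, not Fox-IT's code; log layout is assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Indicators from the post: the host to block and Bedep's two POST URLs.
BLOCKED_HOSTS = {"otsmarketing.com", "107.181.187.81"}
BEDEP_POST_URLS = frozenset({
    "earthtools.org/timezone/0/0",
    "ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml",
})
# Assumption: "consecutive" means the client's next POST within one minute.
MAX_GAP_SECONDS = 60

# Assumed proxy log layout: <ISO timestamp> <client IP> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def normalise_url(url):
    """Drop the scheme and a leading www. so both spellings match the indicator."""
    url = re.sub(r"^https?://", "", url)
    return url[4:] if url.startswith("www.") else url

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "client": m.group("client"),
        "method": m.group("method"),
        "url": normalise_url(m.group("url")),
    }

def find_blocked_host_hits(lines):
    """Clients that contacted the blocked malvertising host, sorted."""
    hits = set()
    for rec in filter(None, map(parse_line, lines)):
        host = rec["url"].split("/", 1)[0]
        if host in BLOCKED_HOSTS:
            hits.add(rec["client"])
    return sorted(hits)

def find_bedep_beacons(lines):
    """Flag a client whose POST stream hits both indicator URLs back to back
    within MAX_GAP_SECONDS. Only POSTs count: a GET for an image between the
    beacons does not hide them, and legitimate GETs of the ECB rates file do
    not fire. Returns a list of (client, first_post_ts, second_post_ts)."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST":
            posts[rec["client"]].append(rec)
    hits = []
    for client in sorted(posts):
        recs = sorted(posts[client], key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if {prev["url"], cur["url"]} == BEDEP_POST_URLS and gap <= MAX_GAP_SECONDS:
                hits.append((client, prev["ts"].isoformat(), cur["ts"].isoformat()))
    return hits

# Constructed sample log: 10.0.0.5 and 10.0.0.9 show the beacon pair (10.0.0.9 with
# a GET in between), 10.0.0.7 only GETs, 10.0.0.11's POSTs are ten minutes apart.
SAMPLE_PROXY_LOG = """\
2015-06-16T10:00:02 10.0.0.5 GET http://otsmarketing.com/ads/show.js 200
2015-06-16T10:00:09 10.0.0.5 POST earthtools.org/timezone/0/0 200
2015-06-16T10:00:10 10.0.0.5 POST ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml 200
2015-06-16T10:05:00 10.0.0.7 GET www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml 200
2015-06-16T10:05:03 10.0.0.7 GET earthtools.org/timezone/0/0 200
2015-06-16T10:06:00 10.0.0.9 POST earthtools.org/timezone/0/0 200
2015-06-16T10:06:01 10.0.0.9 GET www.example-news.test/logo.png 200
2015-06-16T10:06:02 10.0.0.9 POST www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml 200
2015-06-16T10:20:00 10.0.0.11 POST earthtools.org/timezone/0/0 200
2015-06-16T10:30:00 10.0.0.11 POST ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml 200
this line is deliberately unparseable
"""

if __name__ == "__main__":
    lines = SAMPLE_PROXY_LOG.splitlines()
    print("contacted blocked host:", find_blocked_host_hits(lines))
    for client, t1, t2 in find_bedep_beacons(lines):
        print(f"Bedep beacon pair from {client}: {t1} -> {t2}")
```

The ECB rates file is also fetched legitimately by software that reads exchange rates, which is why the check keys on the POST method and on the two URLs appearing back to back in a single client's POST stream rather than on the hostnames alone.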


#1493 AplusWebMaster

Posted 01 July 2015 - 06:43 AM

FYI...

Fake 'swift bank transfers' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 July 2015 - "A series of emails on the theme of swift bank transfers pretending to come from random email addresses and random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Some subjects seen are:
    Fw: Automated Clearing House VRD4OB
    Fw: Notification 9XLM1B
    Fwd Invoice A6MV0KAOT ... The email looks like these:
    The RecentJ transfer, just initiated from your company’s online banking account, was rejected by the Electronic Payments Association2.
    DeniedZ SWIFT transfer
    Transaction4 Case ID     8L515KJY
    Total Amount     3526.76 USD ...
    Reason of abort     See attached statement
    Please click the file given with this email to get more information about this issue.

-Or-
    The SWIFTD transfer, recently sent from your company’s online bank account, was aborted by the Electronic Payments AssociationV.
    Denied2 transaction
    TransferB Case ID     CUV0RUF
    Total Amount     1953.61 US Dollars ...
    Reason of abort     See attached word document
    Please click the doc file attached below to get more info about this issue.

-Or-
    The RecentJ transfer, just initiated from your company’s online banking account, was rejected by the Electronic Payments Association2.
    DeniedZ SWIFT transfer
    Transaction4 Case ID     8L515KJY
    Total Amount     3526.76 USD ...
    Reason of abort     See attached statement
    Please click the file given with this email to get more information about this issue.


1 July 2015: EBRSONOU.doc | JIZES.doc | XWUDNJK.doc
Current Virus total detections: 4/56* | 4/56** | 4/56*** |
... All of which try to connect to these 2 sites and download a base64 encoded text file from first location and a simple test text from second location.
www .fresh-start-shopping .com/wp-content/uploads/2015/06/167362833333.txt
www .gode-film .dk/wp-content/uploads/2015/06/kaka.txt
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435729795/

** https://www.virustot...sis/1435729826/

*** https://www.virustot...sis/1435729851/

fresh-start-shopping .com: 192.186.246.136: https://www.virustot...36/information/

gode-film .dk: 81.19.232.168: https://www.virustot...68/information/
___

Fake 'HMRC taxes application' SPAM - leads to malware
- http://blog.dynamoo....pplication.html
1 July 2015 - "This -fake- tax spam leads to malware:
    From     "noreply@ taxreg.hmrc .gov.uk" [noreply@ taxreg .hmrc .gov.uk]
    Date     Wed, 1 Jul 2015 11:20:37 +0000
    Subject     HMRC taxes application with reference L4TI 2A0A UWSV WASP received
    The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
    agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
    now be verified. HMRC will contact you if further information is needed.
    Please download/view your HMRC documents here:    http ://quadroft .com/secure_storage/get_document.html
    The original of this email was scanned for viruses by the Government Secure Intranet
    virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
    Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded
    for legal purposes.d 


If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake -404- page will be generated:
> https://1.bp.blogspo...00/document.png
The page then forwards to the real HMRC login page but attempts to dump a -malicious- ZIP from another source at the same time:
> https://2.bp.blogspo...0/fake-hmrc.png
In this case, the ZIP file was Document_HM901417.zip which contains a -malicious- executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55* (identified as the Upatre downloader). Automated analysis... shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55**. The payload is almost definitely the Dyre banking trojan.
* https://www.virustot...sis/1435748839/

** https://www.virustot...sis/1435750980/

93.185.4.90: https://www.virustot...90/information/
___

Fake 'Document Order' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 July 2015 - "'Document Order 555-073766-24707377/1' (random numbers) pretending to come from web-filing@ companies-house .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Order: 555-073766-24707377 29/06/2015 09:35:46
    Companies House WebFiling order 555-073766-24707377/1 is attached.
    Thank you for using the Companies House WebFiling service.
    Email: enquiries@ companies-house .gov.uk   Telephone +44 (0)303 1234 500
    Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.


1 July 2015: compinfo_555-073766-24707377_1.doc - Current Virus total detections: 4/56*
... Downloads Dridex banking malware from:
 http ://ferringvillage .co.uk/75/85.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435735503/

** https://www.virustot...sis/1435735797/

ferringvillage .co.uk: 217.72.186.4: https://www.virustot....4/information/
___

Fake 'Underreported Income' SPAM - links to malware
- http://blog.dynamoo....erreported.html
1 July 2015 - "The second HMRC spam run of the day..
    From:    HM Revenue and Customs [noreply@ hmrc .gov.uk]
    Date:    1 July 2015 at 11:36
    Subject:    Notice of Underreported Income
    Taxpayer ID: ufwsd-000004152670UK
    Tax Type: Income Tax
    Issue: Unreported/Underreported Income (Fraud Application)
    Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
    Please complete the form. You can download HMRC Form herc


In this case, the link goes to bahiasteel .com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run* today."
* http://blog.dynamoo....pplication.html

bahiasteel .com: 213.186.33.16: https://www.virustot...16/information/
___

Fake 'Statement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 July 2015 - "'Statement JUL-2015' pretending to come from Phil <phil@ twococksbrewery .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...n-processed.png

25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 7/55*
... Which downloads the -same- Dridex banking malware as today’s earlier examples 'Document Order 555-073766-24707377/1- Companies House WebFiling** – word doc or excel xls spreadsheet malware and 'Document Order 555-073766-24707377/1- Companies House WebFiling*** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1435755731/

** http://myonlinesecur...dsheet-malware/

*** http://myonlinesecur...dsheet-malware/
 



Edited by AplusWebMaster, 01 July 2015 - 08:46 AM.



#1494 AplusWebMaster

Posted 02 July 2015 - 06:37 AM

FYI...

Angler Exploit Kit pushing CryptoWall 3.0
- https://isc.sans.edu...l?storyid=19863
2015-07-02 - "... Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler... Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK.  We first noticed CryptoWall 3.0 from Angler near the end of May 2015:
> https://isc.sans.edu...ry-image-01.jpg
Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day..."
(More detail at the isc URL above.)

148.251.167.57: https://www.virustot...57/information/

148.251.167.107: https://www.virustot...07/information/
___

The 'Grey Side' of Mobile Advertising
- https://blog.malware...le-advertising/
July 2, 2015 - "... Mobile advertising is a headache because of its intrusiveness, the amount of bandwidth used, and other unexpected nefarious behaviors. I get it, there’s money to be made–the good guys are trying to sell us something, the bad guys are trying to steal something, and the grey guys are doing a little of both. Grey hats do their work in between the good and the malicious sides of computing and often push the limits of maliciousness when it comes to making a quick buck. Some advertisers have been pushing this grey line by using shady tactics in order to get app installs for some time now. These pay-per-install ad campaigns use the same scarevertising* messaging we see from malware authors, like “You are infected” or “System Alert.” Unlike -fake- alerts that lead to malware, these alerts often -redirect- to legitimate apps residing in Google’s Play Store, like battery saving and security type apps... Most of these ad campaigns use the same wording, images, and fake scans used by malware authors. Because of this, we wanted to spread the word to ignore these ads and hopefully take away some of their impact. Shutting them down and tracking their creators have been difficult. The ads don’t stick around long and Ad Networks have a difficult time preventing them because of their small footprint compared to all the ‘good’ ad traffic–they get lost in the chaos.
Don’t fall for the bait. If you come across any of these -fake- messages you can back out of the page or close the tab to dismiss. If they persist it might be necessary to clear out browser history and cookies..."
* https://en.wikipedia.../wiki/Scareware
 



Edited by AplusWebMaster, 02 July 2015 - 02:41 PM.





