Fake 'Western Union' SPAM – PDF malware
29 Sep 2015 - "An email with the subject of 'Contract 61936417 About to Expire: Final Notice – Western Union Business Solutions Online FX for Corporate' pretending to come from Western Union via random email addresses and companies with a zip attachment is another one from the current bot runs...
29 September 2015: WU Business Contract 45827544.zip:
Extracts to: WU Business Contract 770352457.scr
Current Virus total detections 18/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
Fake 'Blocked profile' SPAM – PDF malware
29 Sep 2015 - "An email with the subject of 'Blocked profile management notification' pretending to come from NAB Bank Australia with a zip attachment is another one from the current bot runs... The content of the email says :
We have detected suspicious activity with Your Online-Banking profile. Please be informed that
the access and some capabilities of Your profile were restricted for security reasons. Temporarily
You cannot conduct transactions with online-banking profile. In order to obtain full management
powers You have to fill in and send back the attached form.
Please use codename for authorization (contained in the attachment).
Online-Banking profile: 8947626947780852875
Code Name: no doubt insolvent noncancerogenic
Our security department representative will contact You later to provide further instructions.
NAB Support Team.
29 September 2015: Bank_no doubt insolvent noncancerogenic_protection.zip:
Extracts to: whose noodle soullessness.exe
Current Virus total detections 15/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Fake 'SantanderBillpayment' SPAM - malware attachment
29 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
From "Santanderbillpayment-noreply@ SantanderBillPayment .co.uk" [Santanderbillpayment-noreply@ SantanderBillPayment .co.uk]
Date Tue, 29 Sep 2015 12:33:56 GMT
Subject Info from SantanderBillpayment .co.uk
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 29 September 2015 at 09:11:36.
Payment type: VAT
Customer reference no: 0343884
Card type: Visa Debit
Amount: GBP 4,683.00
For more details please check attached payment slip.
Your transaction reference number for this payment is IR0343884.
Please quote this reference number in any future communication regarding this payment.
Banking Operations ...
The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 184.108.40.206 in Nigeria which is worth -blocking- or monitoring."
Fake 'Attorney-client' SPAM – PDF malware
29 Sep 2015 - "An email with the subject of 'Attorney-client agreement' pretending to come from random names and random companies with a zip attachment is another one from the current bot runs... The content of the email says :
It went OK. The court understood that it may be that you might not have much relevant
information but he couldn’t rule as a matter of law that you had no relevant information
and did not need to appear. However he ordered the other side to make clear when they were
going to call you and provide information on that so that you are not standing around
waiting to be called. He also made it clear that I preserve my right to object to their
questions on grounds of relevance, so, you need to be available on Monday or Tuesday the
29th and 30th to appear but I will let you know as we get closer what time and day.
We will also need to prepare for your testimony the week before.
With regard to the other motions, the court ruled that they cannot present any evidence as
damages of costs incurred or the fee received while Gary Ferguson was representing the
Grover’s. That is pretty good ruling.
As to many of the other issues he simply punted them for trial, preserving our arguments
The only issue that we need to discuss is the Court’s willingness to consider their claim
for breach of contract. The court is going to allow them to assert a claim for breach of
contract. The Court indicated that it was a close call, but they have one paragraph in
their complaint suggesting a claim for breach of contract, but he limited the breach of
contract claim to their allegation that under the fee agreement you would not take any
money without paying the Grovers under your retainer agreement. That is the only breach
of contract claim. If you look at the retainer agreement attached, I don’t think it says
that (paragraph 1) . What it says is that if the case is settled, you can take your fee
and pay costs. However they are arguing that the whole case had to be settled before you
took any fee.
Even if that were the case, then you should have been able to receive the 63,665 at the end
of the case after they lost to Timpanogos (either under P&M’s agreement or your agreement.)
and they would’ve had to pay the costs. In other words, I think we have the stronger
argument here. And, if we win, we will be able to assert a claim for attorny’s fees.
But if they win, they also have that right.
However, because the court allowed them to assert this claim for breach of contract ruled
that he would allow me to conduct more limited discovery before trial if I think I needed to.
Upon first glance of the issue, I don’t think I need any additional discovery. But I wanted
to run this by you guys. Let me know your thoughts as soon as possible. He also said he
might consider bumping the trial if I tell him why I need to for this new claim. but I think
if it is limited to that issue. I don’t think ‘ll be able to convince him to bump the trial
unless I simply demand it.
I would like your thoughts.
Ana Marvin | Grady-Wintheiser | 49544 Josue Hills | Lake Kennith City, 32914
Direct: (628) 652-6347 | Facsimile: (628) 652-6347 ... vCard
This email is from a law firm and may contain privileged or confidential information.
Any unauthorized disclosure, distribution, or other use of this email and its contents
is prohibited. If you are not the intended recipient, please contact the sender and
delete this email. Thank you.
29 September 2015: View financial bargain.zip: Extracts to: Finish past due invoice.exe
Current Virus total detections 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Instagram Account preys on Trust Issues
Sep 29, 2015 - "Questionable posts from random users — usually from those with a significant number of (bot) followers — are already becoming not uncommon within the photo- and video- sharing social site, Instagram. In fact, we have encountered a number of them before, with some falsely claiming to increase your follower count — an attempt we’ve seen floating around on Twitter and Facebook in the past — and with others attesting to a mass purge of accounts unless they have been verified. Recently, we’ve discovered an attempt at baiting users with the lure of catching his/her potentially cheating partner red-handed using a “trusted” service. All one needs is their target’s phone number.
Below is mobile screenshot of the post that my test account received:
... whoever came up with this kind of bait has been following stories revolving around the Ashley Madison hacking incident, probably a little too closely. Anyway, the link on the profile page of @INSTANTPHONELOOKUP is a bit.ly shortened URL that points to the destination, cheaterslookup[DOT]com:
As of this writing, traffic to the destination has reached more than -100K- clicks since the bit.ly URL has been created last month. And this is just one of the many high-trafficked sub-pages from the same domain we’ve seen so far:
Clicking the shortened link points to try[DOT]textspy[DOT]us, wherein one is asked to enter their target’s mobile number. Once done, he/she sees a series of pages that were created to make him/her believe that the site is scanning for data related to the number. The final destination is an advertorial piece written on instantcheckmate[DOT]com... Users of Malwarebytes Anti-Malware are already protected from accessing cheaterslookup[DOT]com, including other sites such as the following that are found to be similar or related to it:
Although it’s tempting to try out such services either out of curiosity or for the fun of it, it’s still best to -avoid- shenanigans such as these. Your wallet and perhaps your partner will thank you for it."
caughtcheating[DOT]co: 220.127.116.11: https://www.virustot...93/information/
spytext[DOT]us: 18.104.22.168: https://www.virustot...44/information/
textingspy[DOT]com: 22.214.171.124: https://www.virustot...40/information/
textspy[DOT]us: 126.96.36.199: https://www.virustot...48/information/
cheaterslookup[DOT]com: 188.8.131.52: https://www.virustot...92/information/
Scam Texts 'Phish' for Banking Info
Sep 29, 2015 - "Watch out for this text message scam. Con artists are trying to fool users into sharing personal information by sending text messages that look like alerts from banks.
How the Scam Works:
You receive a text message that appears to be from a bank. It’s prompting you to update your profile and provides a link to a website. The link may even have the bank’s name as -part- of the domain...
If you click on the URL, you will be taken to a form that looks-like part of the bank’s website. The page will prompt to “confirm” your identity by entering your name, user ID, password and/or bank account number.
Don’t do it! Sharing this information puts you at-risk for identity theft.
Protect yourself from text message scams.
> Just hit delete! -Ignore- instructions to confirm your phone number or visit-a-link. Some scam texts instruct you to text “STOP” or “NO” to prevent future texts. But this is a common ploy by scammers to confirm they have a real, active phone number.
> Read your phone bill. Check your phone bill for services you haven’t ordered. Some charges may appear only once, but others might be monthly 'subscriptions'..."
Malvertising Via Google AdWords - Fake BSOD
Sep 28, 2015 - "... fraudulent businesses also use online advertising as a way to reel in potential victims. This is nothing new and we have seen many examples of targeted keywords on search engine results before. Many times these rogue advertisers will abuse legitimate brands to trick people and provide services on behalf of these companies. Beyond copyright infringement laws, there is also the almost always present social engineering aspect that follows, to con people into spending hundreds of dollars for no good reason. And then you have advertisers that aren’t shy about doing their dirty deed at all. Take for example this recent campaign we spotted on AdWords, Google’s largest online advertising service:
Here the crooks bid on the “youtube” keyword and got their ads displayed way at the top, before the organic search results. What’s interesting in this case is that the supposed destination URL is the actual YouTube.com site itself, and even placing the mouse over the ad shows a link to a YouTube channel. This really makes it look like a click-on-the-link would take you directly to YouTube but unfortunately that was not the case:
Clicking on either one of the ads leads to a scary and convincing looking web page with the infamous Blue Screen of Death.The BSOD is a popular theme as of late and an effective way to display -bogus- but legitimate error codes that would trouble many internet users. As with most similar -scam- pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all however; con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages. Innocent and unsavvy computer users will be defrauded from anywhere between $199 to $599. However, many online crooks don’t stop here, often committing identity theft and trying to empty out their victims’ bank accounts:
The actors behind this particular malvertising attack had registered (at least) two domains to perform the illicit redirection from the Google advert to the BSOD page... Both of these domains are hosted on IP address 184.108.40.206 where the rest of the -fraudulent- sites also reside... We reported this campaign to Google and the bogus ads were pulled right away. The best defense against tech support scams (in all their forms) is awareness. For more information on this topic, please check out our help page*."
Compromised WordPress Campaign - Spyware Edition
Sep 25, 2015 - "... started investigating multiple WordPress related security events earlier this month and came across a -new- widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo* and has been reported by some users on official WordPress forums**...
The page prompts the user to update or install a new flash player update. Regardless of the option the user selects, a -fake- Adobe Flash Player application is downloaded...
... Conclusion: WordPress, being one of the most popular Content Management Systems & Blogging platform, remains an attractive target for cybercriminals. Unlike previous campaigns involving Malware Authors and Exploit Kit operators, the end payload getting served in this campaign involves spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising based attacks through unsolicited advertisements..."
Edited by AplusWebMaster, 29 September 2015 - 12:52 PM.