SPAM frauds, fakes, and other MALWARE deliveries...


1754 replies to this topic

#1751 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,334 posts

Posted 21 July 2016 - 04:22 PM

FYI...

'Authorize your Twitter account' - phishing scam
- https://blog.malware...-phishing-scam/
July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
twitterverifiy(dot)verifiy(dot)ml
... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
> https://blog.malware...itter-phish.jpg
After hitting the “Authorize app” button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren’t really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can’t see what else they’re up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it’s currently changing, you definitely won’t get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, no matter how involved in issues of privacy and / or security you may be, there’s always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of “too good to be true” offers..."
 

:ph34r: :ph34r:   :grrr:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1752 AplusWebMaster


Posted 22 July 2016 - 10:16 AM

FYI...

Fake 'sorry' SPAM - malicious attachment
- http://blog.dynamoo....rry-that-i.html
22 July 2016 - "This spam has a malicious attachment:
    From: "Lizzie Carpenter"
    Subject: sales report
    Date: Fri, 22 Jul 2016 21:38:25 +0800
    I am truly sorry that I was not available at the time you called me yesterday.
    I attached the report with details on sales figures.
    Best of luck,
    Lizzie Carpenter
    SCHRODER GLOBAL REAL ESTATE SEC LTD ...


The sender is randomly generated. Attached is a ZIP file combining elements of the recipient's email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://virustotal.c...sis/1469197692/
___

Fake 'Fedex label' SPAM - .docm leads to Locky
- https://myonlinesecu...cky-ransomware/
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Subject: PO5
Attachment: 906569711935.docm
    Hi
    Please see Fedex label as attached
    Kindest Regards
    Mary Leons
    Customer Service Supervisor | Air Menzies International ...


22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today’s Locky version include [duplicates removed]:

 

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1469178299/

** https://malwr.com/an...DdjODViYmNiOGU/
Hosts
195.161.119.85

*** https://www.virustot...sis/1469188310/
 
dillerator.chat .ru: 195.161.119.85: https://www.virustot...85/information/
>> https://www.virustot...6bb6c/analysis/
___

Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Attachment: INVOICE.DOCM
    Please find document(s) attached.
    The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...


This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://myonlinesecu...cky-ransomware/

___

HelpDesk Upgrade Outlook Web - PHISH
- https://myonlinesecu...b-app-phishing/
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

Screenshot: https://myonlinesecu...il-1024x676.png

The -link- in the email goes to:
  http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecu...te-1024x535.png "

imcreator .com: 97.74.141.1: https://www.virustot....1/information/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 22 July 2016 - 12:43 PM.



#1753 AplusWebMaster


Posted 25 July 2016 - 08:00 AM

FYI...

Fake 'Emailing: Photo - Document' SPAM - malicious attachment
- http://blog.dynamoo....25-07-2016.html
25 July 2016 - "This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
    From:    Rebeca [Rebeca3@ victimdomain .tld]
    Date:    25 July 2016 at 10:16
    Subject:    Emailing: Photo 25-07-2016, 34 80 10
    Your message is ready to be sent with the following file or link
    attachments:
    Photo 25-07-2016, 34 80 10 ...


Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative -variant- comes with a malicious -Word- document:
    From:    Alan [Alan306@ victimdomain .tld]
    Date:    25 July 2016 at 12:40
    Subject:    Emailing: Document 25-07-2016, 72 35 48
    Your message is ready to be sent with the following file or link
    attachments:
    Document 25-07-2016, 72 35 48 ...


The attachment in this case is a .DOCM file named in a similar way as before. This analysis is done by my usual trusted source (thank you). These scripts and macros download a component... The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
"

77.222.54.202: https://www.virustot...02/information/
>> https://www.virustot...cfca9/analysis/
194.1.236.126: https://www.virustot...26/information/
>> https://www.virustot...5138c/analysis/
185.117.153.176: https://www.virustot...76/information/
>> https://www.virustot...d49bd/analysis/
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 25 July 2016 - 08:16 AM.



#1754 AplusWebMaster


Posted 26 July 2016 - 06:51 AM

FYI...

Fake 'Attached Image' SPAM - leads to Locky
- http://blog.dynamoo....e-leads-to.html
26 July 2016 - "This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
    From:    victim@ victimdomain .tld
    To:    victim@ victimdomain .tld
    Date:    26 July 2016 at 10:27
    Subject:    Attached Image ...


Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number... In this example* the script downloads a malicious binary from:
www .isleofwightcomputerrepairs .talktalk .net/okp987g7v
There will be -many- other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54**. The Hybrid Analysis*** for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
"
* https://malwr.com/an...WY0ZmFhZjEzZWY/
Hosts
62.24.202.31

** https://virustotal.c...daf25/analysis/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.234.35.216
31.41.47.41


- https://myonlinesecu...-email-address/
26 July 2016 - "An email with the subject of 'Attached Image' pretending to come from your own email address with a zip attachment which downloads Locky Ransomware... One of the emails looks like:
From: your own email address
Date: Tue 26/07/2016 10:22
Subject: Attached Image
Attachment: 0324923_02.zip ...


26 July 2016: 0324923_02.zip: Extracts to: 753707_02.js - Current Virus total detections 8/54*
.. MALWR** shows a download of xxxx from
 http ://exploromania4x4club .ro/okp987g7v?tKLWyjuj=PrkWVPasbrS which gave me lnHLopubGiz.exe (VirusTotal 5/54***).
Hybrid Analysis[4]. This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1469524580/

** https://malwr.com/an...DdkMTNhNGY2OWM/
Hosts
89.42.216.118
*** https://www.virustot...sis/1469524971/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.42.216.118: https://www.virustot...18/information/
>> https://www.virustot...ac66e/analysis/
31.41.47.41: https://www.virustot...41/information/
91.234.35.216: https://www.virustot...16/information/
___

Fake 'list of activities' SPAM - leads to Locky
- http://blog.dynamoo....ties-leads.html
26 July 2016 - "This -fake- business spam has a malicious attachment:
    From     "Penelope Phelps"
    Date     Tue, 26 Jul 2016 23:02:43 +1100
    Subject     list of activities
    Hello,
    Attached is the list of activities to help you arrange for the coming presentation.
    Please read it carefully and write to me if you have any concern.
    Warm regards,
    Penelope Phelps
    ALLIED MINDS LTD
    Security-ID ...


The sender's name, company and 'Security-ID' vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script... This Malwr report* and this Hybrid Analysis** show this particular sample downloading from:
akva-sarat.nichost .ru/bokkdolx
There will be -many- other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55***. Further analysis is pending, however it is quite likely that this sample uses the -same- C2 servers as seen earlier today[4]."
* https://malwr.com/an...TdiYzRjMmY0NjQ/
Hosts
195.208.0.150

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.0.150: https://www.virustot...50/information/
>> https://www.virustot...0300d/analysis/

*** https://virustotal.c...429e2/analysis/

4] http://blog.dynamoo....e-leads-to.html
___

Ransomware 2.0 ...
- http://www.techrepub...the-enterprise/
July 26, 2016 - ... profits from ransomware are making it one of the fastest growing types of malware and new versions could negatively impact entire industries, according to a Cisco report
"... Cisco used data from its customers to create the report, since there are more than 16 billion web requests that go through the Cisco system daily, with nearly 20 billion threats blocked -daily- and with more than 1.5 million unique malware samples daily, which works out to 17 new pieces of malware every second..."
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, 26 July 2016 - 02:14 PM.



#1755 AplusWebMaster


Posted Yesterday, 05:33 AM

FYI...

Fake 'Sent from my Samsung' SPAM - leads to Locky
- http://blog.dynamoo....samsung_27.html
27 July 2016 - "This spam comes in a few different variations:
    From:    Lottie
    Date:    27 July 2016 at 10:38
    Subject:    scan0000510
    Sent from my Samsung device


The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component... The dropped file is Locky ransomware and it has a detection rate of 2/52*. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data.) There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244
"
* https://www.virustot...7dfda/analysis/

5.9.253.173: https://www.virustot...73/information/
>> https://www.virustot...5d145/analysis/
178.62.232.244: https://www.virustot...44/information/
>> https://www.virustot...e9b6e/analysis/
___

Fake 'updated details' SPAM - malicious attachment
- http://blog.dynamoo....is-updated.html
27 July 2016 - "This spam has a malicious attachment:
    Subject:     updated details
    From:     Faith Davidson (Davidson.43198@ optimaestate .com)
    Date:     Wednesday, 27 July 2016, 11:13
    Attached is the updated details about the company account you needed
    King regards
    Faith Davidson ...


The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample* shows the script downloading from:
beauty-jasmine .ru/6dc2y
There will be -many- more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55**. Analysis of this payload is pending, however the C2 servers may well be the same as found here***."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.1.120: https://www.virustot...20/information/
>> https://www.virustot...0ed8c/analysis/

** https://virustotal.c...a5de3/analysis/

*** http://blog.dynamoo....samsung_27.html
 

:ph34r: :ph34r:   :grrr:


Edited by AplusWebMaster, Yesterday, 02:46 PM.

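As an added example (not code from the blogs quoted in this thread), the following Python turns the recurring defensive points of these posts into checks: alert on any request to the /upload/_dispatch.php check-in path, block the Locky hosts quoted above (the 5.9.253.160/27 range included), and flag archive contents whose real extension is a script or macro document even when hidden behind a "photo.jpg"-style prefix. The proxy log format and sample lines are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Check-in hosts and the /27 range quoted in the posts above; entries may be a
# single address or a CIDR range.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "77.222.54.202", "194.1.236.126", "185.117.153.176", "176.111.63.51",
    "31.41.47.41", "91.234.35.216", "5.9.253.160/27", "178.62.232.244")]

# Every Locky sample in the posts phones home to this exact URI path.
C2_PATH = "/upload/_dispatch.php"

# Payload types seen inside the ZIP/RAR lures, plus the .docm macro documents.
RISKY_EXTS = {".js", ".jse", ".wsf", ".vbs", ".exe", ".docm"}
# Extensions users expect to be harmless; used to spot "photo.jpg.js" disguises.
BENIGN_LOOK = {".pdf", ".doc", ".jpg", ".jpeg", ".png", ".txt"}


def ip_blocked(ip: str) -> bool:
    """True if ip falls inside any blocklist entry (CIDR-aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def classify_request(line: str):
    """Return a reason if one proxy log line looks like Locky, else None.

    Constructed log format: '<timestamp> <client_ip> <dest_ip> <method> <url>'.
    """
    _ts, client, dest, _method, url = line.split()
    path = urlparse(url).path
    if path == C2_PATH:
        return f"{client}: Locky C2 check-in to {dest}{path}"
    if ip_blocked(dest):
        return f"{client}: traffic to blocklisted host {dest}"
    return None


def risky_attachment(name: str):
    """Classify a file name extracted from a lure archive.

    'script' for a runnable/macro file, 'disguised' when a benign-looking
    extension sits in front of the real one (photo.jpg.js), else None.
    """
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in RISKY_EXTS:
        return None
    if len(parts) == 3 and "." + parts[-2] in BENIGN_LOOK:
        return "disguised"
    return "script"


def scan_log(text: str):
    """Run classify_request over every non-empty line and return the hits."""
    return [h for h in (classify_request(l) for l in text.splitlines() if l.strip()) if h]


# Constructed sample: one check-in, one download from an unlisted site, one benign request.
SAMPLE_LOG = """\
2016-07-27T10:41:02 10.0.0.12 5.9.253.173 POST http://5.9.253.173/upload/_dispatch.php
2016-07-27T10:41:09 10.0.0.12 203.0.113.7 GET http://203.0.113.7/okp987g7v
2016-07-27T10:42:15 10.0.0.15 93.184.216.34 GET http://example.com/index.html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The second sample line, a download from a host not on the list, is deliberately not flagged: as the posts repeat, there are many other download locations, so the blocklist catches the check-in, not the initial fetch.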




