SPAM frauds, fakes, and other MALWARE deliveries...

#1751 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 10,330 posts

Posted 21 July 2016 - 04:22 PM

FYI...

'Authorize your Twitter account' - phishing scam
- https://blog.malware...-phishing-scam/
July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
twitterverifiy(dot)verifiy(dot)ml
... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
> https://blog.malware...itter-phish.jpg
After hitting the “Authorize app” button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren’t really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can’t see what else they’re up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it’s currently changing, you definitely won’t get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, no matter how involved in issues of privacy and / or security you may be, there’s always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of “too good to be true” offers..."


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1752 AplusWebMaster
Posted 22 July 2016 - 10:16 AM

FYI...

Fake 'sorry' SPAM - malicious attachment
- http://blog.dynamoo....rry-that-i.html
22 July 2016 - "This spam has a malicious attachment:
    From: "Lizzie Carpenter"
    Subject: sales report
    Date: Fri, 22 Jul 2016 21:38:25 +0800
    I am truly sorry that I was not available at the time you called me yesterday.
    I attached the report with details on sales figures.
    Best of luck,
    Lizzie Carpenter
    SCHRODER GLOBAL REAL ESTATE SEC LTD ...


The sender is randomly generated. Attached is a ZIP file combining elements of the recipient's email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://virustotal.c...sis/1469197692/
___

Fake 'Fedex label' SPAM - .docm leads to Locky
- https://myonlinesecu...cky-ransomware/
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Subject: PO5
Attachment: 906569711935.docm
    Hi
    Please see Fedex label as attached
    Kindest Regards
    Mary Leons
    Customer Service Supervisor | Air Menzies International ...


22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today’s Locky version include [duplicates removed]:

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1469178299/
** https://malwr.com/an...DdjODViYmNiOGU/ (Hosts: 195.161.119.85)
*** https://www.virustot...sis/1469188310/
dillerator.chat .ru: 195.161.119.85: https://www.virustot...85/information/
>> https://www.virustot...6bb6c/analysis/
___

Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Attachment: INVOICE.DOCM
    Please find document(s) attached.
    The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...


This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://myonlinesecu...cky-ransomware/

___

HelpDesk Upgrade Outlook Web - PHISH
- https://myonlinesecu...b-app-phishing/
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

Screenshot: https://myonlinesecu...il-1024x676.png

The -link- in the email goes to:
  http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecu...te-1024x535.png "

imcreator .com: 97.74.141.1: https://www.virustot....1/information/


Edited by AplusWebMaster, 22 July 2016 - 12:43 PM.
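The 'sorry' SPAM above describes a .wsf script that carries the whole executable Base64-encoded inside the script rather than downloading it. As an added defender-side example that is not part of the original post or the quoted blog, the Python check below opens a ZIP attachment in memory and flags script members containing a long Base64 run that decodes to an MZ header. The 4 KiB run threshold, the member names, and the placeholder payload are constructed assumptions for this example.

```python
import base64
import io
import re
import zipfile

# A Base64 run long enough to hold an embedded executable. The 4 KiB
# threshold is an assumption for this example, not a value from the blog post.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4096,}={0,2}")

def embedded_pe_blobs(script: bytes):
    """Return decoded Base64 runs in a script that begin with a PE 'MZ' header."""
    hits = []
    for m in B64_RUN.finditer(script):
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop a trailing partial quartet
        try:
            data = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        if data[:2] == b"MZ":
            hits.append(data)
    return hits

def scan_zip_attachment(zip_bytes: bytes):
    """Flag .wsf/.js/.vbs members that carry an embedded executable.
    Returns (member name, number of blobs, size of first blob) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".wsf", ".js", ".vbs")):
                continue
            blobs = embedded_pe_blobs(zf.read(info))
            if blobs:
                findings.append((info.filename, len(blobs), len(blobs[0])))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a .wsf script with a fake Base64 'executable'."""
    fake_exe = b"MZ" + b"\x90" * 8000  # placeholder bytes, not a real PE file
    wsf = (b'<job><script language="JScript">\n'
           b'var payload = "' + base64.b64encode(fake_exe) + b'";\n'
           b'</script></job>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sales report 4821.wsf", wsf)
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip()))
```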