FYI...

Malware sites to block 13/8/13
- http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html
13 August 2013 - "These IPs and domains belong to this gang* and this list follows on from the one I made last week**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-6813.html
___

Pharma sites to block
- http://blog.dynamoo.com/2013/08/pharma-sites-to-block.html
13 August 2013 - "These fake pharma sites and IPs seem related to these malware domains*, and follows on from this list last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html

** http://blog.dynamoo.com/2013/08/pharma-sites-to-block-6813.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 12
Fake Money Transfer Notification Email Messages - 2013 Aug 12
Fake Account Payment Notification Email Messages - 2013 Aug 12
Fake Product Order Notification Email Messages - 2013 Aug 12
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 12
Fake Payment Notification Email Messages - 2013 Aug 12
Fake Bank Details Reconfirmation Email Messages - 2013 Aug 12
Fake Documents Attachment Email Messages - 2013 Aug 12
Fake Portuguese Electrical Equipment Invoice Notification Email Messages - 2013 Aug 12
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 12
Fake Banking Account Information Email Messages - 2013 Aug 12
(More detail and links at the cisco URL above.)
___

LinkedIn Connection Spam
- http://threattrack.tumblr.com/post/58154197039/linkedin-connection-spam
Aug. 13, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
bobbiler.corewaysolution .com/images/wp-gdt.php?x95S4F4MY33PRBG0W
sharperspill .biz/closest/i9jfuhioejskveohnuojfir.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/13ed45df65f2af6e95bfea2edb9ea921/tumblr_inline_mrh6bwqsx91qz4rgp.png
___

CNN Breaking News Rehtaeh Parsons Spam
- http://threattrack.tumblr.com/post/58154735687/cnn-breaking-news-rehtaeh-parsons-spam
Aug. 13, 2013 - "Subjects Seen:
CNN: ” Canadian teenager Rehtaeh Parsons”
Typical e-mail details:
2 face charges in case of Canadian girl who hanged self after alleged rape
Canadian teenager Rehtaeh Parsons
Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening. Full story »

Malicious URLs
retailers.truelinkswear .com/rundown/index.html
dp56148868.lolipop .jp/numeracy/index.html
ftp(DOT)equinejournal .com/apogee/index.html
ead-togo .com/croons/index.html
guterprotectionperfection .com/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/855def800a17058b6a6b61ca991cad41/tumblr_inline_mrh6o3wH431qz4rgp.png
___

Fake Bank of America SPAM / Instructions Secured E-mail.zip
- http://blog.dynamoo.com/2013/08/bank-of-american-spam-instructions.html
13 August 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From: "Alphonso.Wilcox" [Alphonso.Wilcox @bankofamerica .com]
Subject: Instructions Secured E-mail.pdf
I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.
Thanks,
Amado.Underwood
Bank of America
Principal Business Relationship Manager...

Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.
The detection rate for this initial malware is just 9/45 at VirusTotal**.
This is a pony/gate downloader which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack*, and it also utilises a -hijacked- GoDaddy domain.
The download then attempts to download a second stage from the from the following locations (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs .com/D5F7G.exe
[donotclick]betterbacksystems .com/kvq.exe
[donotclick]www.printdirectadvertising .com/vfMJH.exe
[donotclick]S381195155.onlinehome .us/vmkCQg8N.exe
The second stage has an even lower detection rate of just 3/45*** ...
Recommended blocklist:
192.81.135.132
guterprotectionperfection .com
Missionsearchjobs .com
betterbacksystems .com
www .printdirectadvertising .com
S381195155.onlinehome .us "
* http://blog.dynamoo.com/2013/08/facebook-spam-guterhelmetcom.html

** https://www.virustotal.com/en-gb/file/f26a77b7df7f2f796ffd3961ed1fd48cc3b27629925f583812b2cee9dcd22177/analysis/1376406778/

*** https://www.virustotal.com/en-gb/file/0aa6884451982533ebf8d62c258182452966a8d24e43d3396fe2b4c8f94fff81/analysis/1376407672/

:fear: :mad:

FYI...

Bogus Firefox updates
- https://net-security.org/malware_news.php?id=2559
Aug. 13, 2013 - "A series of Internet campaigns pushing bogus Firefox updates onto unwary users have been spotted by researchers, and among them is one that lures them in through “Green Card Lottery” ads... According to ThreatTrack's analysis*, the website is capable of detecting which browser the user uses and to recommend an update for it. Nevertheless, the offered "update" is always the same: Firefox v13 (long outdated - the current version is 23), with several "add-ons, adware, toolbars and other malicious and irritating accompaniments" also trying to get installed via the installation wizard:
> http://www.net-security.org/images/articles/tt-13082013.jpg
Among this tag-along software is the Delta Toolbar, Webcake (a browser add-on that, among other things, serves ads), Optimizer Pro (a questionable PC-tune-up program), QuickShare (a deceptive browser plugin that steals data and redirects to unwanted websites) and an ad for “unlimited cloud storage”. All this "crapware" is sure to bring grief to the victims. It will slow down their computer, for sure, but the biggest problem is that they will end up with a outdated browser that can be successfully targeted with drive-by-download schemes, more additional malware and they will likely become victims of identity theft in the long run..."
* http://www.threattracksecurity.com/it-blog/outdated-browser-detected-firefox-update/
___

Malicious Spam Targets Virgin Media Patrons, Consul General
- http://www.threattracksecurity.com/it-blog/malicious-spam-targets-virgin-media-patrons-consul-general/
Aug. 13, 2013 - "... a fresh campaign of malicious spam that purports to originate from various brands and names but delivers the same malicious attachment to recipients. As of this time of writing, the spam is disguised as a mail coming from Virgin Media* and a notification of an expiring car insurance addressed to the Consul General of Suriname**... detections we have for related malicious files form these spam, as of this writing:
- Both compressed files are detected as Trojan.Zip.Bredozp.b (v).
- The uncompressed .EXE files, which are essentially one and the same, is detected as Win32.Malware!Drop.
The file it downloads is malicious, and it changes at random..."
* http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/virgin-media-spam.png

** http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/car-insurance-spam.png
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Aug 14
Fake MMS Notification Email Messages - 2013 Aug 14
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 14
Fake Package Delivery Information Email Messages - 2013 Aug 14
Fake Payment Confirmation Notification Email Messages - 2013 Aug 13
Fake Secure Message Notification Email Messages - 2013 Aug 13
Fake Debt Collection Notice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 13
Fake Account Payment Notification Email Messages - 2013 Aug 13
Fake Product Purchase Order Email Messages - 2013 Aug 13
Fake Xerox Scan Attachment Email Messages - 2013 Aug 13
Fake UPS Parcel Notification Email Messages - 2013 Aug 13
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 13
Fake Product Services Specification Request Email Messages - 2013 Aug 13
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
(More detail and links at the cisco URL above.)
___

Twitter Spam ...
- http://krebsonsecurity.com/2013/08/buying-battles-in-the-war-on-twitter-spam/
Aug 14, 2013 - "The success of social networking community Twitter has given rise to an entire shadow economy that peddles -dummy- Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University and the University of California, Berkeley, Twitter traditionally has done so only -after- these fraudulent accounts have been used to spam and attack legitimate Twitter users..."
(More detail at the krebsonsecurity URL above.)
___

Wells Fargo Important Documents Spam
- http://threattrack.tumblr.com/post/58242338970/wells-fargo-important-documents-spam
Aug. 14, 2013 - "Subjects Seen:
IMPORTANT Documents - WellsFargo
Typical e-mail details:
Please review attached files.
Eleanor_Wyatt
Wells Fargo Advisors
817-246-9671 office

Malicious URLs
gutterprosmaryland .com/forum/viewtopic.php
gutterhelmetleafguardgutterprotection .com/forum/viewtopic.php
gutterguardbuyersguide .com/forum/viewtopic.php
gutterglovegutterprotection .com/forum/viewtopic.php
dp55197480.lolipop .jp/1ayPTHK.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg .biz/VKPqrms.exe
caribbeancinemas .net/MLEYCY9.exe

- https://www.virustotal.com/en/ip-address/64.71.35.14/information/

Malicious File Name and MD5:
DOC_<e-mail>.zip (B1342413F0AEE3E6440453689D26803B)
DOC_{_MAILTO_USERNAME}.exe (ABAFB7DA0F23112064F6BC3A1F93DDF6)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/058ad51983943283c252add34ea3da0b/tumblr_inline_mriyb83O4Y1qz4rgp.png
___

Fake ADP SPAM / hubbywifeburgers .com
- http://blog.dynamoo.com/2013/08/adp-spam-hubbywifeburgerscom.html
14 Aug 2013 - "This fake ADP spam leads to malware on hubbywifeburgers .com:
Date: Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From: "ADPClientServices @adp .com" [service @citibank .com]
Subject: ADP Security Management Update
ADP Security Management Update
Reference ID: 39866
Dear ADP Client August 2013
This message is to inform you of the upcoming �Phase 2� enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users� access to ADP�s Internet services, and includes the self-service registration process.
Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.
Please review the following information:
� Click here to view more details of the enhancements in Phase 2
� Complete the What�s New in Security Management Service here (Expected to take about 15 minutes)... The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Screenshot: https://lh3.ggpht.com/-33hn5xJdiRw/UgvV5vzDLkI/AAAAAAAABxM/-IcZiCFuBLo/s1600/adp-spam2.png

Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate -hacked- site that tried to load one of the following three scripts:
[donotclick]e-equus.kei .pl/perusing/cassie.js
[donotclick]cncnc .biz/pothooks/addict.js
[donotclick]khalidkala .com/immigration/unkind.js
From there, the victim is sent to a malware site that uses a -hijacked- GoDaddy domain at [donotclick]hubbywifeburgers .com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here*). This IP probably contains other hijacked domains from the same owner.
Recommended blocklist:
199.195.116.51
hubbywifeburgers .com
e-equus.kei .pl
cncnc .biz
khalidkala .com "
* https://www.virustotal.com/en/ip-address/199.195.116.51/information/

:mad: :fear::fear:

FYI...

Something evil on 162.211.231.16
- http://blog.dynamoo.com/2013/08/something-evil-on-16221123116.html
15 August 2013 - "The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example*) which have been going on for some time [1] [2] and uses several domains... All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear .com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack. I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)
Recommended blocklist:
162.211.231.16 ..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=4568967

1] https://www.virustotal.com/en-gb/ip-address/162.211.231.16/information/

2] http://urlquery.net/search.php?q=162.211.231.16&type=string&start=2013-07-31&end=2013-08-15&max=50
___

Fake "INCOMING FAX REPORT" SPAM / chellebelledesigns .com
- http://blog.dynamoo.com/2013/08/incoming-fax-report-spam.html
15 August 2013 - "A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns .com:
From: Administrator [administrator @victimdomain]
Date: 15 August 2013 16:08
Subject: INCOMING FAX REPORT : Remote ID: 1043524020
***********************INCOMINGFAXREPORT*****************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll
Click here to view the file online
*********************************************************

Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate -hacked- site and then on to one of three scripts:
[donotclick]millionaireheaven .com/mable/rework.js
[donotclick]pettigrew .us/airheads/testier.js
[donotclick]www .situ-ingenieurgeologie .de/tuesday/alleviation.js
from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns .com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server...
Recommended blocklist:
173.246.104.55 ..."
(More domains listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/173.246.104.55/information/
___

UPS Quantum View Spam
- http://threattrack.tumblr.com/post/58338584106/ups-quantum-view-spam
Aug. 15, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.

Malicious URLs
chellebelledesigns .com/ponyb/gate.php
1800callabe .com/ponyb/gate.php
abemoussa .com/ponyb/gate.php
keralahouseboatstourpackages .com/FXx.exe

Malicious File Name and MD5:
UPS-Label_<random>.zip (607F7CBD6CEF3DDD5F5DB88612FC91B6)
UPS-Label_<date>.exe
(782D6C5633D139704221E927782195E0)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4cbd61e5297fb8ae3aeb8970fb72312e/tumblr_inline_mrkyb1P4hG1qz4rgp.png

:fear: :mad:

FYI...

Fake ADP SPAM / ADP_week_invoice.zip|exe
- http://blog.dynamoo.com/2013/08/adp-spam-adpweekinvoicezipexe.html
16 August 2013 - "This fake ADP spam has a malicious attachment:
Date: Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From: "run.payroll.invoice @adp .com" [run.payroll.invoice @adp .com]
Subject: ADP Payroll INVOICE for week ending 08/16/2013
Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.

There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this* other malicious spam run which is running in parallel."
* http://blog.dynamoo.com/2013/08/ceo-portal-statements-notices-event.html

ADP Payroll Invoice Spam
- http://threattrack.tumblr.com/post/58422233895/adp-payroll-invoice-spam
16 August 2013 - "Subjects Seen:
ADP Payroll INVOICE for week ending 08/16/2013
Typical e-mail details:
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.

Malicious URLs
hubbywifeco .com/forum/viewtopic.php
hubbywifedesigns .com/forum/viewtopic.php
hubbywifedesserts .com/forum/viewtopic.php
hubbywifefoods .com/forum/viewtopic.php
208.106.130.52 /39UvZmv.exe
demoscreactivo .com/DKM9.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg.biz/VKPqrms .exe
cccustomerctr .com/39UvZmv.exe

Malicious File Name and MD5:
ADP_week_invoice.zip (8C67BC641A95379867C4B9EBAE68446A)
ADP_week_invoice.exe
(6EBF2EA3DB16B3E912068D0A9E33320E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ce1dfc0558b95edf50e52a843b3ae948/tumblr_inline_mrmold4lru1qz4rgp.png
___

Fake Wells Fargo SPAM "CEO Portal Statements & Notices Event" -report_{DIGIT[12]}.exe
- http://blog.dynamoo.com/2013/08/ceo-portal-statements-notices-event.html
16 August 2013 - "This fake Wells Fargo email has a malicious attachment:
Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw @wellsfargo .com]
Subject: CEO Portal Statements & Notices Event
Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
Request Name: MM3P85NRLOXLOFJ
Event Message ID: S045-77988311
Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an exectuable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46*. The Malwr report shows that this malware does various things**, inclding an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco .com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another -hijacked- domain, hubbywifecakes .com.
From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52 /39UvZmv.exe
[donotclick]demoscreactivo .com/DKM9.exe
[donotclick]roundaboutcellars .com/Utuw1.exe
[donotclick]bbsmfg .biz/VKPqrms.exe
This executable has an even lower detection rate of just 5/46***... Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
Recommended blocklist:
66.151.138.80
hubbywifeco .com
hubbywifecakes .com
208.106.130.52
demoscreactivo .com
roundaboutcellars .com
bbsmfg .biz "
*
https://www.virustotal.com/en-gb/file/a2fec44b5bc4abdb7c21589a107e379b49f7b4e559d16a1a4bcd6d06ceacfbea/analysis/1376665654/

** https://malwr.com/analysis/NjAxNGMwYmRiMWNjNDIzMDhlMmIxMjgwYmJlMWY3YzU/

*** https://www.virustotal.com/en-gb/file/1ba0ee97381c7e26589f56a8e45212c784ccfc41b9bb57eb783964be5afb49c9/analysis/1376666041/

- https://www.virustotal.com/en-gb/ip-address/66.151.138.80/information/

- https://www.virustotal.com/en-gb/ip-address/208.106.130.52/information/

:mad::fear::sad:

FYI...

Malware sites to block 19/8/13
- http://blog.dynamoo.com/2013/08/malware-sites-to-block-19813.html
19 August 2013 - "These sites and IPs belong to this gang*, and this list follows one from this one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html
___

Fake Facebook SPAM / hubbywifewines .com
- http://blog.dynamoo.com/2013/08/facebook-spam-hubbywifewinescom.html
19 August 2013 - "This fake Facebook spam leads to malware on hubbywifewines .com:
Date: Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate -hacked- site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines .com/topic/able_disturb_planning.php hosted on 72.5.102.192* (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods .com
Recommended blocklist:
72.5.102.192
hubbywifewines .com
hubbywifefoods .com
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it"
* https://www.virustotal.com/en/ip-address/72.5.102.192/information/
___

Booking.com Confirmation Spam
- http://threattrack.tumblr.com/post/58704894229/booking-com-confirmation-spam
Aug. 19, 2013 - "Subjects Seen:
Confirmation <random>
Typical e-mail details:
BOOKING CONFIRMATION
Issued: 08/18/2013
BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE
====================================
Confirmation number: <removed>
Booking source: booking.com
(please refer to this brand when
communicating with the guest)
BOOKING SUMMARY
Check in: 29-Aug-2013
Check out: 31-Aug-2013
Total number of rooms: 1 per night
Total number of room nights: 1 (1 room for 1 night each)
Total booking amount: $314.00
Room: 1 Night 1-2 people
Number of guests: Adults: 1 Children: 0
Bedding configuration: One or 2 People
=====Comments=====
Guest comments: non-smoking
Any comments from the guest are by request only and have not been guaranteed...
The guest is also aware that you may require them to provide a security deposit at
check-in to guarantee payment of any incidental charges.
The Team Booking.com

Malicious File Name and MD5:
BOOKING ISSUED 18.Aug.2013.zip (61EE0B0EE92F717D50F42EB0171BAD6E)
BOOKING ISSUED 18.Aug.2013.pdf.exe (948FD2EA728F38886DF824AA2BB7FD3A)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1f3cac9ae5c582f38bb7352037bd82ff/tumblr_inline_mrsd6ucgl61qz4rgp.png
___

Fake Facebook password SPAM / frankcremascocabinets .com
- http://blog.dynamoo.com/2013/08/you-requested-new-facebook-password.html
19 August 2013 - "This fake Facebook spam follows on from this one*, but has a different malicious landing page at frankcremascocabinets .com:
From: Facebook [update+hiehdzge @facebookmail .com]
Date: 19 August 2013 17:38
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate -hacked- site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then directed to a malware payload at [donotclick]frankcremascocabinets .com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server...
Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it
giuseppepiruzza .com
frankcremascocabinets .com
gordonpoint .biz
hitechcreature .com
frankcremasco .com "
* http://blog.dynamoo.com/2013/08/facebook-spam-hubbywifewinescom.html

- https://www.virustotal.com/en/ip-address/184.95.37.102/information/
___

UK Tax-Themed Spam leads to ZeuS/ZBOT
- http://blog.trendmicro.com/trendlabs-security-intelligence/uk-tax-themed-spam-leads-to-zeuszbot/
Aug 19, 2013 - "Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is never exclusive to a region. Besides being timely, these messages contain TSPY_FAREIT, which download a ZeuS/ZBOT variant, notorious for stealing information related to online banking sites. We found sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”. Sample spam with alleged VAT return “receipt”:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/08/Tax-season-uk-spam.jpg
The message contains an attachment, which is supposed to be the receipt for the VAT return. But based on our findings, the attachment is (expectedly) a malware detected as TSPY_FAREIT.ADI. Once executed, the malware steals varied information from the system, such as those related to: FTP clients,file managers, and email... The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains list of targeted online banking and finance-related sites and the URLs where it sends the gathered information. The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they got hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss... we noted the increase of online banking malware in the past quarter and how the CARBERP’s “leaked” source code may lead to more variety for this threat. Thus, it is important for users to double-check the messages they receive and to be careful in opening any attachments from unverified sources. As an added precaution, always implement your systems with the latest security updates from vendors..."
___

Fake Citi SPAM / securedoc.zip
- http://blog.dynamoo.com/2013/08/you-have-received-secure-message-spam.html
19 August 2013 - "This fake Citi spam contains a malicious attachment:
Date: Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment...

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46*. The Malwr analysis** (and also ThreatExpert***) shows that the file first connects to [donotclick]frankcremascocabinets .com/forum/viewtopic.php (a -hijacked- GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here, and it then tries to downoad additional components from:
[donotclick]lobbyarkansas .com/0d8H.exe
[donotclick]ftp.ixcenter .com/GMMo6.exe
[donotclick]faithful-ftp .com/kFbWXZX.exe
This second part has another very low VirusTotal detection rate of just 3/46****...
Recommened blocklist:
184.95.37.96/28
frankcremascocabinets .com
giuseppepiruzza .com
gordonpoint .biz
gordonpoint .info
hitechcreature .com
frankcremasco .com
lobbyarkansas .com
ftp.ixcenter .com
faithful-ftp .com "
* https://www.virustotal.com/en/file/25ce3d9e23e53300bc0c166c2e6e768554b51b8d169ee8ac6e07ff038125fe61/analysis/1376945701/

** https://malwr.com/analysis/NjcwNGFhOWNjY2Y3NGNhMDgwNDU3NjdhNjk5ZDA1MTI/

*** http://www.threatexpert.com/report.aspx?md5=007da88f903a5c2c4fbf106d28218cf9

**** https://www.virustotal.com/en/file/2807f7c140029c6cb117aa7418f4eac1314fcdaa75d9be16cd26c47ff813f8c7/analysis/1376946672/

:fear::mad:

FYI...

Fake Browser Updates drop Shylock Malware
- http://www.threattracksecurity.com/it-blog/fake-browser-updates-drop-shylock-malware/
August 19, 2013 - "We’re no stranger to fake and often malicious Internet browsers* that are served up on equally fake and malicious Web sites. These latest samples found by... our threat researchers in the AV Labs, are hosted on the domain, browseratrisk(dot)com. It is found that once users access pages on this malicious domain with either Internet Explorer (IE), Firefox or Chrome, it opens a fake “update” page for the said browsers and auto-downloads the fake files. Below are screenshots of these pages:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/ff-shylock-wm.jpg
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/chrome-shylock-wm.jpg
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/ie-shylock-wm.jpg
... Users may find it difficult to close and navigate to other tabs after download, thanks to certain loop commands on the page’s code, which we’ve seen before**. If users choose to install the downloaded fake browser updates, it then drops a variant of either Sirefef or Shylock/Caphaw malware... Win32.Malware!Drop... Shylock had hit the news in January of this year as the banking Trojan capable of using Skype chat to spread. Note that the dropped file may change at roughly every three to four hours. The website server is also known to house Blackhole Exploit kits... If users access browseratrisk(dot)com via their mobile devices and on OSX, they are redirected to FriendFinder, a popular online dating service, via the mirror site, stealthtec(dot)net. When it comes to software updates, it pays to be wary of random sites claiming your current Internet browser needs to be updated. It is best to -ignore- these pages and go straight to official pages..."
* http://www.threattracksecurity.com/it-blog/?s=browser&x=12&y=21

** http://www.threattracksecurity.com/it-blog/fake-critical-browser-update-site-serves-malware/

:mad: :fear:

FYI...

Fake Facebook SPAM / dennissellsgateway .com
- http://blog.dynamoo.com/2013/08/facebook-spam-dennissellsgatewaycom.html
21 August 2013 - "This fake Facebook spam leads to malware on dennissellsgateway .com:
Date: Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Gene Maynard wants to be friends with you on Facebook.
facebook
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate -hacked- site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas .org/jonson/tried.js
[donotclick]italiangardensomaha .com/moocher/pawned.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there, the victim ends up on a -hijacked- GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway .com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains...
Recommended blocklist:
72.5.102.146
dennissellsgateway .com
justinreid .us
waterwayrealtyteam .us
www.it-planet .gr
italiangardensomaha .com
ftp.crimestoppersofpinellas .org "

>> Update: Another spam is circulating with a different pitch, but the -same- malicious payload:
Dear Customer,
The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report ...

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/
___

Fake Malwarebytes scammer surveys ...
- http://blog.malwarebytes.org/news/2013/08/fake-malwarebytes-scammer-surveys-victims/
August 20, 2013 - "... a twitter account pretending to be speaking for Malwarebytes. The twitter account, @ malwarebytesx, has posted heavily over the last couple days about Malwarebytes Anti-Malware being available (both legitimately and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them! The link leads to a blogspot page titled “Malwarebytes Anti-Malware 1.75 Full + Serial” that is covered in our signage and provides a link to download “Malwarebytes Anti-Malware” with text and graphics directly from our own website.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/08/MalwareAMBlog-1024x810.png
After clicking on the “Download Now” button, you are presented with a download page requesting a small favor.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/08/MalwareAMOFfer.png
... Unfortunately for anyone who has fallen for this scam, this website does -not- belong to Malwarebytes nor is supported by one of our authorized distributors... Don’t become a victim and always download software from legitimate sites. Even if you just Google “Malware” or the phrase “Malware Removal,” legitimate sources to download our product are within the first few results. Tell your friends and if you encounter a survey site, maybe you should try finding your download somewhere else..."
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Malicious Attachment Email Messages - 2013 Aug 21
Fake Secure Message Notification Email Messages - 2013 Aug 21
Fake Confirmation of Payment Information Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 21
Fake UPS Parcel Notification Email Messages - 2013 Aug 21
Fake Product Solicitation Email Messages - 2013 Aug 21
Fake Product Purchase Request Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
(More detail and links at the cisco URL above.)
___

Fake Facebook SPAM / thenatemiller.co
- http://blog.dynamoo.com/2013/08/facebook-spam-thenatemillerco.html
21 August 2013 - "This fake Facebook spam leads to malware on thenatemiller .co:
Date: Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Nothing good will come from clicking the link. First victims go to a legitimate but -hacked- site that attempts to load the following three scripts:
[donotclick]gemclinicstore .com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup .com/toffies/ceiling.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there the victim is directed to a malware landing page at [donotclick]thenatemiller .co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains...
Recommended blocklist:
72.5.102.146
successchamp .com
dennissellsgateway .com
thenatemiller .co
thenatemiller .info
justinreid .us
waterwayrealtyteam .us
thenatemiller .biz
gemclinicstore .com
mathenyadvisorygroup .com
www.it-planet .gr ..."

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/

:mad: :fear:

FYI...

Fake Red Sox Baseball SPAM / lindoliveryct .net
- http://blog.dynamoo.com/2013/08/red-sox-baseball-spam-lindoliveryctnet.html
22 Aug 2013 - "This fake Red Sox spam leads to malware on lindoliveryct .net:
Date: Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
From: ticketoffice@ inbound.redsox .com
Subject: Thank You for your order. ( RSXV - 4735334 - 0959187 )
Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase, please contact our Ticket Services department by calling (toll free) 877-REDSOX9.
Note that you will receive a separate email within the next two business days which will include the vouchers you will need for both parking at the Prudential Center and your Duck Boat ride to the ballpark, included in each End of Summer Family Pack purchase.
Please remember that all sales are final-there are no refunds or exchanges issued on any tickets. Also note that all game times are subject to change. Be sure to visit redsox.com for the latest Red Sox news and any game time updates.
Thanks again! We look forward to seeing you at the ballpark this season.
Boston Red Sox Ticketing Department...

Screenshot: https://1.bp.blogspot.com/-B_1VXJv600M/UhZUOCcg2NI/AAAAAAAABy0/pskZHcKamYw/s1600/redsox.png

The link goes through a legitimate -hacked- site (in this case using a WordPress flaw) and ends up on [donotclick]www.redsox .com.tickets-service.lindoliveryct.net/news/truck-black.php (report here*) which is actually the domain lindoliveryct .net rather than redsox .com... The WHOIS details for this domain are fake and indicate it is the work of the Amerika gang...
The malicious domain is multihomed on the following IPs which host several other malicious domains:
66.230.163.86 (Goykhman And Sons LLC, US)
86.183.191.35 (BT, UK)
188.134.26.172 (Perspectiva Ltd, Russia)
Recommended blocklist:
66.230.163.86
86.183.191.35
188.134.26.172 ..."
* http://urlquery.net/report.php?id=4682777
___

Chase Bank Remittance Spam
- http://threattrack.tumblr.com/post/59019303653/chase-bank-remittance-spam
Aug 22, 2013 - "Subjects Seen:
Remittance Docs <random>
Typical e-mail details:
Please find attached the remittance If you are unable to open the attached file, please reply to this email with a contact telephone number.
The Finance Dept will be in touch in due course.
Vanessa_Rodriquez
Chase Private Banking

Malicious URLs
watch-fp .ca/ponyb/gate.php
watch-fp .com/ponyb/gate.php
watch-fp .info/ponyb/gate.php
watch-fp .mobi/ponyb/gate.php
jatw.pacificsocial .com/VSMpZX.exe
richardsonlookoutcottages .nb .ca/Q5Vf.exe
riplets .net/Qa7nXVT.exe

Malicious File Name and MD5:
Docs_<name>.zip (37A1C5AC9C0090A07F002B0A2ED57D3D)
Docs_<date>.exe
(E9FBB397E66B295F5E43FE0AA3B545D7)

- Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/95eb6272862e0babe9ce34ae12e67471/tumblr_inline_mrxy44WuCD1qz4rgp.png
___

Discover Card Account Information Update Spam
- http://threattrack.tumblr.com/post/59025861611/discover-card-account-information-update-spam
Aug 22, 2013 - "Subjects Seen:
Your account login information updated
Typical e-mail details:
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes.

Malicious URLs
aywright .com/parables/index.html
intuneuk .com/aspell/index.html
flagitak .poznan.pl/deceptiveness/index.html
carpentryunlimitedvermont .com/slangy/index.html
labs-srl .it/misquotations/index.html
75.103.99.168 /superintend/index.html
watch-fp .ca/topic/able_disturb_planning.php

- Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cc1d603ab8252f6a9904c26826e4f11b/tumblr_inline_mry2hgeDjI1qz4rgp.png

- http://blog.dynamoo.com/2013/08/discover-card-your-account-login.html
22 August 2013 - "This fake Discover card spam leads to malware on abemuggs .com:
Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From: Discover Card [no-reply@ facebook .com]
Subject: Your account login information updated
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your account login information has been updated.
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes...

Screenshot: https://3.bp.blogspot.com/-yFKra6yjZxQ/UhZqLgXefaI/AAAAAAAABzM/PbOV1lEPdbE/s1600/discover-card2.png

The link in the email uses the Twitter redirection service to go to [donotclick]t. co/9PsnfeL8hh then [donotclick]x .co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198 .netsolhost .com/frostbite/hyde.js
[donotclick]96.9.28.44 /dacca/quintilian.js
[donotclick]cordcamera.dakisftp .com/toothsome/catch.js
From this point the victim ends up at the malicious payload at [donotclick]abemuggs .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).
At the moment, I can only see abemuggs .com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs .com
abesmugs .com
abemugs .com
andagency .com
mytotaltitle .com
I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs .com
02aa198.netsolhost .com
cordcamera.dakisftp .com "

- https://www.virustotal.com/en/ip-address/74.207.253.139/information/

- https://www.virustotal.com/en/ip-address/96.9.28.44/information/
___

Fake Remittance Docs SPAM / Docs_08222013_218.exe
- http://blog.dynamoo.com/2013/08/remittance-docs-2982780-spam.html
22 August 2013 - "This fake Chase spam has a malicious attachment:
Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@ chase .com]
Subject: Remittance Docs 2982780
Please find attached the remittance 2982780.
If you are unable to open the
attached file, please reply to this email with a contact telephone number. The
Finance Dept will be in touch in due course. Jed_Gregory
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036 ...

The attachment is in the format Docs_victimdomain .com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46*. The Malwr analysis** shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp .ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial .com/VSMpZX.exe
[donotclick]richardsonlookoutcottages .nb .ca/Q5Vf.exe
[donotclick]idyno.com .au/kvdhx2.exe
The downloader then downloads a second part with a much lower detection rate of 6/46***. This appears to be a Zbot variant... The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server...
Recommended blocklist:
72.5.102.146 ..."
* https://www.virustotal.com/en/file/d4ef6d13b24a41dc7f10ef93b0c4580a1553d8512a7a97b3c32b25b0d49ab464/analysis/1377201922/

** https://malwr.com/analysis/YTNiNzMwZjUyZjMxNGE4ODhmNDJlZGFiYjY4YjU3ZmY/

*** https://www.virustotal.com/en/file/33f5e03f5d35274f58cb67fff503b0d9087c73d1019fedbf4261938b7e441d1d/analysis/1377202683/

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/

:fear: :mad:

FYI...

Fake Wells Fargo SPAM / WellsFargo_08232013.exe
- http://blog.dynamoo.com/2013/08/wells-fargo-spam-wellsfargo08232013exe.html
23 August 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From: Morris_Osborn@ wellsfargo .com
Please review attached documents.
Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103...

In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45*, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware. What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf**] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity... The WHOIS details for the domain huyontop .com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop .com as being potentially malicious and block it if you can."
* https://www.virustotal.com/en/file/b4d8e2fdb88a3d94dd421e5f0a016cb9cd37e202bc57b7cad5ecd091c6335759/analysis/1377272785/

** http://www.dynamoo.com/files/analysis_32325_00949d04acead6bc20e1bc1acd09feb3.pdf

- https://www.virustotal.com/en/ip-address/216.194.165.222/information/
___

Orbit Downloader - DDoS component found
- https://net-security.org/malware_news.php?id=2570
Aug 23, 2013 - "... The DDoS component has been discovered by ESET researchers* while doing a routine examination of the software, and subsequent analysis of previous versions has shown that it was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013)... ESET has decided to make its AV software detect all versions of Orbit Downloader with DoS functionality. Trend Micro, Kaspersky Land and Ikarus decided to follow suit, at least for the latest version of OD. Users are advised to deinstall the software and choose another one for their needs."

* http://www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool/
21 Aug 2013

** https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/

:mad::fear:

FYI...

Fake UPS SPAM / UPS Invoice 74458652.zip
- http://blog.dynamoo.com/2013/08/ups-spam-ups-invoice-74458652zip.html
26 August 2013 - "This fake UPS invoice has a malicious attachment:
From: "UPSBillingCenter @ups .com" [UPSBillingCenter@ ups .com]
Subject: Your UPS Invoice is Ready
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.

Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe which presumably isn't meant to be named like that..
The VirusTotal detection rate is a so-so 18/46*. The Malwr analysis** is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint .org/forum/viewtopic.php
[donotclick]mierukaproject .jp/PjSE.exe
[donotclick]programcommunications .com/WZP3mMPV.exe
[donotclick]fclww .com/QdytJso0.exe
[donotclick]www .lajen .cz/tPT8oZTB.exe
The VirusTotal detection rate for the downloaded file is not great at just 9/46***.
The domain gordonpoint .org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other -hijacked- domains...
Recommended blocklist:
74.207.229.45
gordonpoint .org
hitechcreature .com
industryseeds .ca
infocreature .com
itanimal .com
itanimals .com
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
mierukaproject .jp
programcommunications .com
fclww .com
www .lajen .cz "
* https://www.virustotal.com/en/file/34f66782c3e014a66c4600b3ff41d14ebd98a435c16d01feb5964b21364c13ae/analysis/1377553766/

** https://malwr.com/analysis/NTE2MGRjODQzNTQzNGQ2NjliZDVhYjgxYzUzY2NlOTg/

*** https://www.virustotal.com/en/file/d9125bca0f771f43db6f50d5877c9f45d0e6bed83331fb71597bfbb98ee8d0c6/analysis/1377552510/

- https://www.virustotal.com/en/ip-address/74.207.229.45/information/
___

PayPal Protection Services Spam
- http://threattrack.tumblr.com/post/59424449055/paypal-protection-services-spam
Aug 26. 2013 - "Subjects Seen:
Resolution of case #<random>
Typical e-mail details:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details
Sincerely,
Protection Services Department

Malicious URLs
8744f321834af6ba.lolipop .jp/monetary/index.html
scentsability .org/interlocks/index.html
batcoroadlinescorporation .com/misfire/index.html
gordonpoint .org/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cb09707a608c8202a7eab7570db2f066/tumblr_inline_ms5pg88gPk1qz4rgp.png

:fear::fear::mad:

FYI...

Fake email - Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification Email Message - 2013 Aug 27
Fake Money Transfer Notification Email Messages - 2013 Aug 27
Fake Bank Payment Notice Email Messages - 2013 Aug 27
Fake Account Payment Notification Email Messages - 2013 Aug 27
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 27
Fake Package Shipping Notification Email Messages - 2013 Aug 27
Fake Business Complaint Notification Email Messages - 2013 Aug 27
Fake Tax Return Information Email Messages - 2013 Aug 27
Email Messages with Malicious Attachments - 2013 Aug 27
Fake Product Purchase Order Request Email Messages - 2013 Aug 27
Fake Tax Documentation Email Messages - 2013 Aug 27
Fake Product Services Specification Request Email Messages - 2013 Aug 27
(More detail and links at the cisco URL above.)
___

UPS Email scam delivers Backdoor
- http://blog.trendmicro.com/trendlabs-security-intelligence/convincing-ups-email-scam-delivers-backdoor/
Aug 27, 2013 - "... most users can easily detect spammed messages, particularly those that attempt (and fail) at looking like legitimate email notifications... We recently found an email sample spoofing the popular mail courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and .PDF copy of the shipping invoice. This is definitely not the first time we received such an email. However, what makes this spam stand out is the way it hides its true, malicious intent.
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/08/ups_spamrun_825.png
As seen in the email screenshot above, the malware-hosting site is hyperlinked to the legitimate UPS URL where the .PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when they clicked the URL it leads to the downloading of the malicious ZIP file. To further convince users of its legitimacy, the recipient’s email address were created to closely resemble the actual UPS email address. The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information in several FTP clients or file manager software. In addition, BKDR_VAWTRAK.A also steals email credentials from Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat! among others. In order to avoid detection on the system, this backdoor deletes certain registry keys related to Software Restriction Policies... this attack was moderate in number, constituting approximately 1 in every 300-400 thousand spam on the day of the outbreak based on the estimate. To give this a baseline of comparison, the recent Royal Baby spam outbreak consisted of 1 in every 200 spam on the days of that outbreak. This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and how to make it effective in a workplace setting. This includes training like “social” penetration training, which is basically having someone play an attacker and attempt to lure employees via social engineering..."

:fear: :mad:

FYI...

High Profile Domains under Siege
- http://blog.opendns.com/2013/08/27/high-profile-domains-under-siege/
August 27, 2013 - "We are actively seeing several high profile domains being -hijacked- at the DNS level and are actively blocking all requests from the apparent attackers’ name servers. The attacker looks to have compromised domain name registrar MelbourneIT. Reported domains include Share This, Twitter, Huffington Post, and the New York Times. We’re not linking to those sites for obvious reasons. The IP addresses and domains that have been involved in -redirection- have been blocked by OpenDNS... We are now blocking all requests that are coming from the known bad name servers... screenshots show the bad name server, 141.105.64.37, which is currently hosting domains including malware and phishing along with the domains affected by today’s attack..."
(Screenshots at the opendns URL above.)

- https://www.virustotal.com/en/ip-address/141.105.64.37/information/

- https://isc.sans.edu/diary.html?storyid=16451
Last Updated: 2013-08-27 21:09:58 UTC

- http://www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/
27 August 2013

- http://arstechnica.com/security/2013/08/twitter-and-new-york-times-clash-with-hackers-for-control-of-their-sites/
Aug 27 2013, 10:10pm EST

:mad: :fear:

FYI...

Sendori software update - malware...
- https://isc.sans.edu/diary.html?storyid=16466
Last Updated: 2013-08-29 04:27:07 UTC - "Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process. The URL path (to be considered hostile) is: hxxp ://upgrade.sendori .com/upgrade/2_0_16/sendori-win-upgrader.exe...
VirusTotal results currently nine malware hits (9/46*). Malwr results** are rather damning, and as Kevin stated, Zeus-like... Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe ...
Sendori replied to Kevin's notification with; they are engaged and investigating:
'Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks Sendori Support team' ...
Comment(1): I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
I was hoping that meant the Sendori folks cleaned things up but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support. My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.
Kevin Branch..."

... sendori .com/consumer_problem.html
"Sendori software works in tandem with web browsers to dramatically speed access to tens of thousands of the most popular websites..."

* https://www.virustotal.com/en/file/11bd844bbea32f6d15107373f42c7a16eee991ec1b6c205bcb4cf768d70b441d/analysis/

** https://malwr.com/analysis/Y2E4ZDlkMzQ5MjkyNDdmYjhhNjhmZDVlMDcyMjk2NGU/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake eFax Message Notification Email Messages - 2013 Aug 29
Fake Account Payment Notification Email Messages - 2013 Aug 29
Fake Purchase Order Request Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Fake Payment Information Email Messages - 2013 Aug 29
Fake Shipping Information Email Messages - 2013 Aug 29
Fake Product Order Email Messages - 2013 Aug 29
Fake Account Information Request Email Messages - 2013 Aug 29
Fake Photo Sharing Email Messages - 2013 Aug 29
Fake Product Purchase Request Email Messages - 2013 Aug 29
Fake Invoice Notification Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Email Messages with Malicious Attachments - 2013 Aug 29
Fake Account Deposit Notification Email Messages - 2013 Aug 29
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 29
Fake Product Services Specification Request Email Messages - 2013 Aug 29
Fake Product Purchase Order Email Messages on August 28, 2013 - 2013 Aug 29
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 29
Fake Scanned Document Attachment Email Messages - 2013 Aug 29
(More detail and links at the cisco URL above.)

:mad::mad: :fear:

FYI...

Visa/PayPal Spam
- http://threattrack.tumblr.com/post/59770780239/visa-paypal-spam
Aug 30, 2013 - "Subjects Seen:
Resolution of case #PP<random>
Typical e-mail details:
Dear Visa card holder,
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details on the Usa.visa.com/personal/
Visa does not tolerate fraud or illegal activities. Your complaint has been noted in the record of the Visa card holder you reported. If we find this user has violated our policies, we will investigate and take appropriate action. If this occurs, you may be contacted in the future about the status of this complaint.
To make sure future transactions proceed smoothly, we suggest you visit the PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid fraudulent sellers in the “Fraud Prevention Tips for Buyers” section.

Malicious URLs
dp56148868.lolipop .jp/brassing/index.html
rossizertanna .it/occupancy/index.html
abesgrillnbar .com/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/6b4311944316d5383c145d75adb41405/tumblr_inline_msci80fxum1qz4rgp.png
___

Paychex Insurance Spam
- http://threattrack.tumblr.com/post/59780780295/paychex-insurance-spam
Aug 30, 2013 - "Subjects Seen:
Paychex Insurance Agency
Typical e-mail details:
The security of your personal information is of the utmost importance to Paychex, so we have sent the attached as a secure electronic file.
For more details please see on the page. View all details »
Note: The attached file contains encrypted data. In order to view the file, you must have already installed the decryption software that was previously provided by Paychex.
If you have any question please call us at 800-472-0072, option 4. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
Paychex Insurance Agency

Malicious URLs
ftp(DOT)willetthofmann .com/logistically/index.html
ftp(DOT)willetthofmann .com/shadiest/index.html
abesonthego .com/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f18448ee24343c4fee8bc51c0e2416dc/tumblr_inline_mscq91NzEx1qz4rgp.png
___

Federal Reserve Suspicious Activity Spam
- http://threattrack.tumblr.com/post/59791687246/federal-reserve-suspicious-activity-spam
Aug 30. 2013 - "Subjects Seen:
FW: IMPORTANT - Suspicious Activity <random>
Typical e-mail details:
Greetings, addressing you is Ariel Howe, Superior Accounting Officer at Federal Reserve. We have received an inquiry from your Financial Institution regarding an incoming money transfer from Harvey Norman Holdings Ltd. retail with concern on the company’s current activity which is valued as “High Risk Activity”. In order to release the funds to your account please complete the attached form “IIMT Form 401”.
Please note if no further action will be taken the funds will be remain locked in the Federal Reserve System or returned to the Money transfer initiator.
Ariel Howe
Superior Accounting Officer
Office of Inspector General
c/o Board of Governors of the Federal Reserve System

Malicious File Name and MD5:
Case_<random>.zip (35C95C02EB974CA2302D2BA3EB7E5322)
Case_<date>.exe (F9A37404F1150C48AEC238BAC44977FC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3d7169caf0ef1841e4365d4763f60ab2/tumblr_inline_mscxwbY9v51qz4rgp.png

:mad::fear::sad:

FYI...

Malware sites to block 2/9/13
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-2913.html
2 Sep 2013 - "These IPs and domains are associated with this gang* and should all be considered as malicious. This list follows on from this earlier one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-19813.html
___

Fake Facebook SPAM / london-leather .com
- http://blog.dynamoo.com/2013/09/facebook-spam-london-leathercom.html
2 Sep 2013 - "This fake Facebook spam leads to malware on london-leather .com:
Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: Victoria Carpenter commented on your status...
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute"
Go to comments
Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]...

In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem .cz/5xxb8 then [donotclick]93.93.189.108 /exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj .com/mummifies/stabbed.js
[donotclick]mobileforprofit .net/affected/liberal.js
[donotclick]tuviking .com/trillionth/began.js
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy...
Recommended blocklist:
173.246.104.184
london-leather .com
kitchenwalla .com
kidswalla .com
jerseyluggage .com
jerseycitybags .com
kiddypals .com
kennethcolenyoutlet .com
codebluesecuritynj .com
mobileforprofit .net
tuviking .com"

- https://www.virustotal.com/en/ip-address/173.246.104.184/information/
___

MONK SPAM tries to profit from WAR threat
- http://blog.dynamoo.com/2013/09/monk-spam-tries-to-profit-from-war.html
2 Sep 2013 - "The MONK (Monarchy Resources Inc) pump-and-dump spam continues*. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:
From: belova04@ jeel .com
Date: 2 September 2013 17:32
Subject: This Stock just released Big News!
Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!...

As previously discussed*, the stock price for this company has tanked** and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me. Here are some other variants of the same scummy email:

You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.
It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares...

* http://blog.dynamoo.com/2013/08/monk-monarchy-resources-inc-pump-and.html

** http://www.nasdaq.com/symbol/monk/interactive-chart?timeframe=1y&charttype=line

:mad: :fear::fear:

FYI...

Fake PayPal SPAM / londonleatheronline .com
- http://blog.dynamoo.com/2013/09/paypal-spam-londonleatheronlinecom.html
3 Sep 2013 - "This fake PayPal spam leads to malware on londonleatheronline .com:
Date: Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From: PayPal [service@ int .paypal .com]
Subject: Identity Issue #PP-716-472-864-836
We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@ paypal .com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details
Your case ID for this reason is PP-U3PR33YIL8AV
For your protection, we might limit your account access. We apologize for any inconvenience this may cause.
Thanks,
PayPal ...

The link in the email goes to a legitimate -hacked- site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni .com/liquids/pythias.js
[donotclick]tuviking .com/trillionth/began.js
[donotclick]walegion.comcastbiz .net/wotan/reuses.js
These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack* ...
Recommended blocklist:
173.246.104.184
jerseycitybags .com
jerseyluggage .com
kennethcolenyoutlet .com
kiddypals .com
kidswalla .com
kitchenwalla .com
london-leather .com
londonleatheronline .com
ftp.casacalderoni .com
tuviking .com
walegion.comcastbiz .net "
* http://blog.dynamoo.com/2013/09/facebook-spam-london-leathercom.html

- https://www.virustotal.com/en/ip-address/173.246.104.184/information/
___

Breaking Bad Spam lurks - note pasting site
- http://www.threattracksecurity.com/it-blog/breaking-bad-spam-lurks-on-note-pasting-site/
Sep 3, 2013 - "... fresh links being dumped across a site designed to let users paste notes and images then share with their friends, in a similar manner to Pastebin... frantic posting of links galore... The site itself has Bidvertiser ads placed above and below the “watch now” graphic, which may cause end-users to think they’re related to the image. Not so – clicking the “Download” button took us to an internet speed test. Clicking the Breaking Bad image took us to a second Tumblr which is so excited about offering up ads that it ends up sliding a scroll ad right behind the survey splash.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste3.jpg
... They just can’t decide what they want you to click on first! Another link takes end-users to a video player install complete with various advertising related additions.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste4.jpg
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste5.jpg
... As with all of these spam runs, you’re better off avoiding. At best, you’ll end up with some terrible grainy rip of a TV show on some free file host (after filling in a bunch of offers); at worst, you’ll end up with no TV show, unwanted installs and advert clickthroughs which lead to who-knows-where (after filling in a bunch of offers)."
___

Facebook News feed Suggestion Spam
- http://threattrack.tumblr.com/post/60178964754/facebook-news-feed-suggestion-spam
Sep 3, 2013 - "Subjects Seen:
Hi <name>, here are some Pages you may like
Typical e-mail details:
Like these Pages to get updates in your News Feed...

Malicious URLs
iecc .com .au/complying/index.html
pictondental .com .au/hilda/index.html
ladiscoteca .org/john/index.html
bonway-onza .com/thalami/index.html
watchfp .mobi/topic/able_disturb_planning.php
mvwebsites .com .au/bmSe4BN.exe
mystatesbororealestate .com/rhdkD6.exe
mit-stolz-vorbei-dollbergen .de/w8BDM.exe
petrasolutions .com/JpVsf.exe

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/70eeb14216ad4eeb475912677f4f64a4/tumblr_inline_msk090lk5B1qz4rgp.png

:mad: :fear::fear:

FYI...

Facebook SPAM / watchfp .net
- http://blog.dynamoo.com/2013/09/facebook-spam-watchfpnet.html
4 Sep 2013 - "All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp .net:
Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1 @facebookmail .com]
Subject: Blake Miranda tagged 5 photos of you on Facebook
facebook
Blake Miranda added 5 photos of you.
See photos
Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:
> https://lh3.ggpht.com/-qWsaS5oax8Y/UiZl5ycfTdI/AAAAAAAAB2M/YGE-dNgQjlo/s1600/facebook4.png
The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice porfolio. Anyway.. the link in the email uses a shortening service:
[donotclick]u .to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa .de/triassic/index.html which loads one of the following:
[donotclick]safbil .com/stashed/flout.js
[donotclick]ftp.spectrumnutrition .ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste .de/covetously/turk.js
The final step is that the victim ends up on a malware landing page at [donotclick]watchfp .net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
watchfp .net
safbil .com
ftp.spectrumnutrition .ca
schornsteinfeger-helmste .de "
___

Something evil on 174.140.168.239
- http://blog.dynamoo.com/2013/09/something-evil-on-174140168239.html
4 Sep 2013 - "The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].
It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:
174.140.168.239 ..."
(More listed at the dynamoo URL above.)

1) http://urlquery.net/search.php?q=174.140.168.239&type=string&start=2013-06-20&end=2013-09-04&max=400

2) https://www.virustotal.com/en-gb/ip-address/174.140.168.239/information/

3) http://blog.dynamoo.com/2013/06/hp-spam-hpscan06292013398zip-fail.html
___

Something very wrong with Gandi US (AS29169 / 173.246.96.0/20)
- http://blog.dynamoo.com/2013/09/something-is-very-wrong-with-gandi-us.html
4 Sep 2013 - "Recently I have been suggesting reader block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago. The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites... the warnings I have given about this IP range just in this blog alone* (ignoring all external sources)... Google prognosis**... there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host. Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.
Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185 ..."
(Long list of URLs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Gandi

** http://www.google.com/safebrowsing/diagnostic?site=AS:29169
___

Fake PayPal SPAM / dshapovalov .info
- http://blog.dynamoo.com/2013/09/paypal-spam-dshapovalovinfo.html
4 Sep 2013 - "This fake (and badly formatted) fake PayPal spam email leads to malware on dshapovalov .info:
Date: Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From: PayPal [service@ int. paypal .com]
Subject: History of transactions #PP-011-538-446-067
ID
Transaction: { figure } {SYMBOL }
On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now
Sincerely, Services for protection
Department
PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.
To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.
Copyright © 1999-2013 PayPal. All rights reserved.
PPID PP {DIGIT } The history of monetary transactions

The link in the email goes through a URL shortening service at [donotclick]url7 .org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23 /observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169 /garrotting/rumples.js
[donotclick]northeastestateagency .co .uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro ,com/peps/dortmund.js
From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack*. There are other hijacked GoDaddy domains on the same domain...
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
journeyacrossthesky .com
dshapovalov .info
watchfp .net
dshapovalov .info
mineralmizer.webpublishpro .com
northeastestateagency .co .uk
81.143.33.169 "
* http://blog.dynamoo.com/2013/09/facebook-spam-watchfpnet.html

Current PayPal related Spam Ploys
- http://threattrack.tumblr.com/post/60269257866/current-paypal-related-spam-ploys
Sep 4, 2013 - "Subjects Seen:
Resolution of case #PP-<random>
With your balance was filmed - 500 $ -Resolution of case #PP-<random>
Identity Issue #PP-<random>
History of transactions #PP-<random>
Typical e-mail details:
Resolution of Case:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably. For more details please see on the page View all details
Sincerely,
Protection Services Department ..."

Malicious URLs
ervinscarpet .com/impartially/index.html
jp-intarsia .de/concurred/index.html
hadjis-law .com/creamy/index.html
taylorandgregory .co .uk/assent/index.html
shiing01.x-y .net/stopping/index.html
fonotape.com .ar/bosun/index.html
fonotape.com .ar/supplicate/index.html
dshapovalov .info/topic/able_disturb_planning.php
dshapovalov .info/forum/viewtopic.php
petrasolutions .com/JpVsf.exe
mystatesbororealestate .com/rhdkD6.exe
mvwebsites .com .au/bmSe4BN.exe

Screenshots: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8f9dd09dcd52a551aa1a9a1d67e8035b/tumblr_inline_msltkrWOF91qz4rgp.png

- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/268629cbc000450e262f18991b58d388/tumblr_inline_mslu2htvkm1qz4rgp.png

- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/356a262119b3aaa8e9e4a97cd666a70e/tumblr_inline_mslu3jsH031qz4rgp.png

- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/359086776870e0b49d03e36c88d3077d/tumblr_inline_mslu4ypOP01qz4rgp.png
___

Fake HSBC SPAM / Original Copy (Edited).zip
- http://blog.dynamoo.com/2013/09/hsbc-spam-original-copy-editedzip.html
4 Sep 2013 - "This fake HSBC spam links to a malicious ZIP file:
Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From: HSBC Wire Advising service [wireservice@ hsbc .com .hk]
Reply-To: hsbcadviceref@ mail .com
Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Kindly Accept Our apology On the copy we sent earlier.
1 attachments (total 586 KB)
View slide show (1)
Download all as zip
Yours faithfully,
Global Payments and Cash Management
HSBC ...

Screenshot: https://lh3.ggpht.com/-Oj2DePefzfQ/UidKx0UPuHI/AAAAAAAAB4A/kpV1gytxjg8/s1600/hsbc.png

The link in the email goes to a file sharing site at [donotclick]ge .tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16*. The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report** shows some network activity including a suspect connection to ftp.advice .yzi .me (185.28.21.26, Hostinger International US) which might be worth blocking."
* https://www.virustotal.com/en-gb/file/ea61bbf9195c4887a3f52273f0b811a96b4eb39a2956faa6e15d92afff36c09b/analysis/1378306613/

** http://www.threatexpert.com/report.aspx?md5=e7a3e70ca76f5445e898215a282488de

- https://www.virustotal.com/en/ip-address/185.28.21.26/information/

:mad: :fear:

FYI...

More Fake Facebook SPAM / kapcotool .com
- http://blog.dynamoo.com/2013/09/facebook-spam-kapcotoolcom.html
5 Sep 2013 - "This fake Facebook spam leads to malware on kapcotool.com:
From: Facebook [no-reply@ facebook .com]
Date: 5 September 2013 15:21
Subject: Michele Murdock wants to be friends with you on Facebook.
facebook
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request ...

The -link- in the email uses an obscure URL shortening serving to go first to [donotclick]fenixa .com/97855 and then to [donotclick]magic-crystal .ch/normalized/index.html, and at this point it attempts to load the following three scripts:
[donotclick]00398d0.netsolhost .com/mcguire/forgiveness.js
[donotclick]202.212.131.8 /ruses/nonsmokers.js
[donotclick]japanesevehicles .us/vector/internees.js
The final step is a malware landing page at [donotclick]kapcotool .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains...
Recommended blocklist:
74.207.227.154
jgburgerlounge .ca
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
justcreature .com
justmonster .com
kalcodistributors .com
kapcotool.com00398d0.netsolhost .com
japanesevehicles .us
202.212.131.8 "

- https://www.virustotal.com/en/ip-address/74.207.227.154/information/
___

NACHA SPAM / nacha-ach-processor .com
- http://blog.dynamoo.com/2013/09/nacha-spam-nacha-ach-processorcom.html
5 Sep 2013 - "This fake NACHA spam... leads to malware on nacha-ach-processor .com:
From: The Electronic Payments Association - NACHA [leansz35@ inbound .nacha .com]
Date: 5 September 2013 17:55
Subject: Rejected ACH transfer
The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.
Cancelled transaction
ACH ID: 985284643257
Rejection Reason See additional info in the statement below
Transaction Detailed Report View Report 985284643257
About NACHA
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:
The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.
14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171
© 2013 NACHA - The Electronic Payments Association

The link in the email goes through a legitimate -hacked- site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor .com/news/ach-report.php (report here**) which is hosted on the following IPs:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
194.42.83.60 (Interoute Hosting, UK)
The IPs in use identify it as belonging to what I call the Amerika gang*. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains*.
Recommended blocklist:
66.230.163.86
95.111.32.249
194.42.83.60 ..."
(More listed at the dynamoo URL above.)

* http://blog.dynamoo.com/search/label/Amerika

** http://urlquery.net/report.php?id=4976262
___

Citizens Bank Issue File Processed Spam
- http://threattrack.tumblr.com/post/60376948329/citizens-bank-issue-file-processed-spam
Sep 5, 2013 - "Subjects Seen:
Issue File <random> Processed
Typical e-mail details:
Regarding Issue File <random> -
Total Issue Items # 36 Total Issue Amount $38,043.98
This will confirm that your issue file has been processed. Please verify the information in attached report; if you find there are discrepancies in what you believe your totals should be and what we have reported, please contact the Reconciliation Department at 1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24 hours after you receive this notice.

Malicious File Name and MD5:
issue_report_<random>.zip (1189CEBD553088A94EC3BC2ECB89D34B)
issue_report_<date>.exe (6C66CAE230E0772B75A327AE925F648A)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f5818d25ae6d60cd7ddad29a290953d5/tumblr_inline_mso1f929LQ1qz4rgp.png
___

Websense - Java/Flash research - Dangerous Update Gap...
- http://community.websense.com/blogs/securitylabs/archive/2013/09/05/new-java-and-flash-research-shows-a-dangerous-update-gap.aspx
5 Sep 2013 - "... Nearly 50 percent of -enterprise- traffic used a Java version that was more than two years out of date... Nearly 40 percent of users are not running the most up-to-date versions of Flash... nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old..."

:mad: :sad:

FYI...

Something evil on 37.59.164.209 (OVH)
- http://blog.dynamoo.com/2013/09/something-evil-on-3759164209-ovh.html
6 Sep 2013 - "37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux..."
(Long list of URLs at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/37.59.164.209/information/
___

CNN Breaking News SPAM: “The United States began bombing!”
- http://threattrack.tumblr.com/post/60455017144/cnn-breaking-news-spam-the-united-states-began
Sep 6. 2013 - "Subjects Seen:
CNN: “The United States began bombing”
Typical e-mail details:
(CNN) — Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus. Full story »
Rescuing Hannah Anderson
*Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
*No one has claimed responsibility for her death, but police suspect militants
*Banerjee wrote “A Kabuliwala’s Bengali Wife” about her escape from the Taliban

Malicious URLs
nevisconservatories .co .uk/soupy/index.html
axsysfinancial .biz/mingle/index.html
holatorino .it/favor/index.html
luggagepoint .de/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9c019d6af9e4c0ccc006be202891c543/tumblr_inline_mspnesVMT61qz4rgp.png

- http://blog.dynamoo.com/2013/09/cnn-united-states-began-bombing-spam.html
6 Sep 2013 - "This fake CNN spam leads to malware on luggagepreview .com:
Date: Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From: CNN [BreakingNews@ mail .cnn .com]
Subject: CNN: "The United States began bombing"
The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013 ...

Screenshot: https://lh3.ggpht.com/-BbuqrJRRbjc/UioW1yo_RwI/AAAAAAAAB50/04oyPrWRzGc/s1600/cnn-bombing.png

The link in the email is meant to go to [donotclick]senior-tek .com/tenth/index.html but the "Full story" link has a typo in and goes to senior-tekcom/tenth/index.html (without the dot) instead which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo .it/disburse/ringmaster.js
[donotclick]stages2saturn .com/scrub/reproof.js
[donotclick]www.rundherum .at/rabbiting/irritate.js
From there the visitor is sent to a malicious payload at [donotclick]luggagepreview .com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains...
Recommended blocklist:
174.140.171.207 ..."

- https://www.virustotal.com/en/ip-address/174.140.171.207/information/

- http://www.symantec.com/connect/fr/blogs/chemical-attack-syria-used-enticement-targeted-attack
6 Sept 2013
___

"Scanned Document Attached" SPAM / FSEMC.06092013.exe
- http://blog.dynamoo.com/2013/09/scanned-document-attached-spam.html
6 Sep 2013 - "This fake financial spam contains an encrypted attachment with a malicious file in it.
Date: Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From: Fiserv [Lawanda_Underwood@ fiserv .com]
Subject: FW: Scanned Document Attached
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Adam_Paul@ fiserv .com
To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.
This message will be available until Saturday Sep 07, 2013 at 17:50:42
EDT4
If you have any questions, please contact your Fiserv representative...

Attached is an encrypted ZIP file which contains part of the victim's email address (or somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47*. The malware then phones home to a site ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data... What happens next is unclear, but you can guarantee that it is nothing good. Blocking access to ce-cloud .com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it."
* https://www.virustotal.com/en/file/6fcd54235ec7883cd551d9f8b043d5b9ce82832e0e476c8b2c4a79e5f228eb30/analysis/1378501983/
___

More new Facebook SPAM / www .facebook.com.achrezervations .com
- http://blog.dynamoo.com/2013/09/facebook-spam-wwwfacebookcomachrezervat.html
6 Sep 2013 - "This fake Facebook spam leads to malware on www .facebook.com.achrezervations .com:
Date: Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From: Facebook [notification+puppies9@ mail .facebookmail .net]
Reply-To: noreply [noreply@ postmaster .facebookmail .org]
Subject: Cole Butler confirmed your Facebook friend request
facebook
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
Daren Douglas
1 mutual friends
Add Friend
Gertrude Souza
14 mutual friends
Add Friend
Brice Kelly
3 mutual friends
Add Friend ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe...

Screenshot: https://lh3.ggpht.com/-vdq1WhJkOzY/Uinn23pxApI/AAAAAAAAB5k/mb7uFKXCU2I/s1600/facebook.png

The link in the email goes to a legitimate -hacked- site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations .com/news/implement-circuit-false.php (report here*) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)
The following IPs and domains are all malicious and belong to this gang**, I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60 ..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=4996887

** http://blog.dynamoo.com/search/label/Amerika
___

Threat Outbreak Alerts cover the latest data regarding malicious email-based and web-based threats, including spam, phishing, viruses, malware, and botnet activity.
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Account Payment Notification Email Messages - 2013 Sep 06
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 06
Fake Product Quote Email Messages - 2013 Sep 06
Fake Order Payment Confirmation Email Messages - 2013 Sep 05
Fake Airline Ticket Order Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Link - 2013 Sep 05
Fake Photo Sharing Email Messages - 2013 Sep 05
Fake Money Transfer Notification Email Messages - 2013 Sep 05
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 05
Fake Product Order Confirmation Email Messages - 2013 Sep 05
Fake Invoice Notification Email Messages - 2013 Sep 05
Fake Document Attachment Email Messages - 2013 Sep 05
Fake Shipping Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Attachments - 2013 Sep 05
Fake Shipping Confirmation Email Messages - 2013 Sep 05
Fake Scanned Document Attachment Email Messages - 2013 Sep 05
Fake Product Purchase Request Email Messages - 2013 Sep 05
Fake Personal Picture Sharing Email Messages - 2013 Sep 05
Fake Product Order Email Messages - 2013 Sep 05
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 05
(More detail and links available at the cisco URL above.)

:mad: :fear::fear:

FYI...

Quotation.zip SPAM with malicious VBS script
- http://blog.dynamoo.com/2013/09/dealerbidcouk-quotationzip-spam-with.html
7 Sep 2013 - "The website dealerbid.co .uk has been compromised and their servers -hacked- in order to send spam to their customer list. Something similar has happened before a few months ago*. In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:
From: Christopher Rawson [christopher.r@ kema .com]
Date: 7 September 2013 14:04
Subject: Quotation
Hello,
We have prepared a quotation, please see attached
With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability ...

DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam, an examination of the headers shows that the sending IP is 213.171.204.75 which is the same IP as www .dealerbid .co .uk and mail.dealerbid .co .uk. The email is sent to an address ONLY used to register at dealerbid .co .uk. So, the upshot is that this domain is compromised and it is compromised right now. The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text... Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46**... it attempts to download further components from klonkino.no-ip .org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip .org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip .org
146.185.24.207 ... "

* http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html

** https://www.virustotal.com/en/file/46472cd1655cc46dc31b026960edf6b50afa9384a9d8e83d63e2eb73d5230f02/analysis/1378571897/

- https://www.virustotal.com/en/ip-address/146.185.24.207/information/
___

Adware spread with Mevade variants ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/
Sep 6, 2013 - "... rise in the number of Tor users... directly attributed to the Mevade malware... The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different... The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication... The IP addresses that host these C&C servers are located in Russia. Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected... In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing -adware- and -toolbars- ... Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical... How the malware arrives into the system, however, is still under investigation. We will update the blog should we find more information about the infection vector. Still, users must observe best computing practice and to -avoid- visiting and downloading files from unverified websites or links from email, social media etc..."

:mad: :fear::fear:

FYI...

Malware sites to block 9/9/13
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913.html
9 Sep 2013 - "These domains and IPs are associated with this gang*, this list supersedes (or complements) the one I made last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-2913.html
___

Malware sites to block 9/9/13, part II
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913-part-ii.html
9 Sep 2013 - "Another set of IPs and domains related to this attack* detailed by Sophos, and overlapping slightly with the malicious servers documented here**. I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja .cc) to do evil things.
46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
Blocklist:
46.20.36.9
74.63.229.252
77.81.244.226
173.243.118.198
198.52.243.229
199.188.206.183
206.72.192.31
213.156.91.110 ..."
(Long list at the dynamoo URL above.)
* https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-ADKW/detailed-analysis.aspx

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Shipping Notification Email Messages - 2013 Sep 09
Fake Processed Payment Notification Email Messages - 2013 Sep 09
Fake Account Payment Notification Email Messages - 2013 Sep 09
Fake Important Documents Notification Email Messages - 2013 Sep 09
Fake Anti-Phishing Email Messages - 2013 Sep 09
Fake Product Order Email Messages - 2013 Sep 09
Fake Real Estate Inquiry Email Messages - 2013 Sep 09
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 09
Fake Shipping Confirmation Email Messages - 2013 Sep 09
Fake Bank Transfer Notice Email Message - 2013 Sep 09
Fake Invoice Statement Attachment Email Messages - 2013 Sep 09
Fake Product Order Quotation Email Messages - 2013 Sep 09
Fake Business Complaint Notification Email Messages - 2013 Sep 09
Fake Product Purchase Order Email Messages - 2013 Sep 09
Fake Product Order Request Email Messages - 2013 Sep 09
Fake Letter of Intent Attachment Email Messages - 2013 Sep 09
Fake Product List Attachment Email Messages - 2013 Sep 09
Fake Account Deposit Notification Email Messages - 2013 Sep 09
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 09
Fake Purchase Order Request Email Messages - 2013 Sep 09
(More detail and links at the cisco URL above.)

:mad::fear:

FYI...

Fake FISC ACH SPAM / fiscdp.com.airfare-ticketscheap .com
- http://blog.dynamoo.com/2013/09/ach-file-id-999107-has-been-processed.html
10 Sep 2013 - "This fake FISC ACH spam leads to malware on www .fiscdp .com.airfare-ticketscheap .com:
Date: Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From: Financial Institution Service [improvehv89@ m.fiscdp .gov]
Subject: ACH file ID "999.107" has been processed successfully
Files FISC Processing Service
SUCCESS Notification
We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
FILE SUMMARY:
Item count: 9
Total debits: $13,365.83
Total credits: $13,365.83 ...

Screenshot: https://lh3.ggpht.com/-Iz3whiN6ueg/Ui8p3ZBdj8I/AAAAAAAAB6U/vbU8dZM88fM/s400/fisc.png

The link in the email goes to a legitimate -hacked- site and then on to a malware landing page at [donotclick]www.fiscdp .com.airfare-ticketscheap .com/news/opens_heads_earlier.php (reports here* and here**) hosted on:
66.230.163.86 (Goykhman And Sons LLC, US)
95.87.1.19 (Trakia Kabel OOD , Bulgaria)
174.142.186.89 (iWeb Technologies)
The WHOIS details for airfare-ticketscheap .com are -fake- and the domain was registered just yesterday... The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:
66.230.163.86
95.87.1.19
174.142.186.89 ..."
(More URLS listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=5071327

** http://wepawet.iseclab.org/view.php?hash=475d28a937b23a953b975e1f28ecf035&t=1378821965&type=js

- https://www.virustotal.com/en/ip-address/174.142.186.89/information/
___

Fake BBB SPAM / Case_0938818_2818.exe
- http://blog.dynamoo.com/2013/09/bbb-spam-case09388182818exe.html
10 Sep 2013 - "This fake BBB spam has a malicious attachment:
Date: Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From: Better Business Bureau [Aldo_Austin@ newyork .bbb .org]
Subject: FW: Case IN11A44X2WCP44M
The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.
In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.
We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201

Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46* at VirusTotal. Automated analysis of the malware is inconclusive... but it does generate outbound traffic to kwaggle .com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife .co .uk on the same server is also hosting malware, I would therefore be suspicious about some of the other sites on the same box.
Recommended blocklist:
64.50.166.122
kwaggle .com
thisisyourwife .co .uk "
* https://www.virustotal.com/en-gb/file/dac2e647bbeadaa7b33ef264f2cbf43d9f3469533b42bc12c9d2e9d4e5d1046c/analysis/1378823569/

- https://www.virustotal.com/en/ip-address/64.50.166.122/information/

:fear::mad:

FYI...

Threats - Online Bullying ...
- http://www.threattracksecurity.com/it-blog/ask-fm-threats-go-beyond-online-bullying/
Sep 11, 2013 - "Three weeks ago... co-founders of social networking site Ask.fm, released a statement regarding some changes on the site’s safety policy in an effort to curb the dramatic increase of cyberbullying occurrences within its platform. Ask.fm boasts at least 57 million registered users, majority of which are teens and tweens. The site’s anonymity feature has sadly become the means for some users to deliberately target and verbally assault others. The proposed changes are no quick fix, nor are they remedies to the deeper problems of what motivates one to bully someone online. However, I believe that it’s a good first step to achieve the objective. Giving users the option to opt out of accepting and entertaining anonymous questions and/or comments could be a big blow to trolls. Some victims of online bullying in Ask.fm have taken upon themselves to resolve the matter of anonymity by attempting to unmask who these people are. How? They look for tools online... that will lead to trouble... We have come across a number of sites hosting files that -pretend- to unmask Ask.fm users. Upon closer inspection, however, they’re malicious in nature at worse. These files can range from simple malware droppers to Bitcoin miners to PUPs bearing a gamified marketing tactic or something more dubious.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/06A8F73D66FA9256970848DFA6ABA7AD.jpg
Sadly, such files like the above are easy to find. Users who find themselves installing -any- of these files on their computer will discover that they got something more than what they bargained for..."
___

Fake USPS SPAM / Label_FOHWXR30ZZ0LNB1.zip
- http://blog.dynamoo.com/2013/09/usps-spam-labelfohwxr30zz0lnb1zip.html
11 Sep 2013 - "This fake USPS spam has a malicious attachment:
Date: Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Missed package delivery
Priority: High Priority 1 (High)
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global...

There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47*.... attempted connection to a -hijacked- GoDaddy domain drippingstrawberry .com hosted on 64.50.166.122 (LunarPages, US) with quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection, URLquery shows** some of the things going on with this server.
Recommended blocklist:
64.50.166.122 ..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en/file/e895123dfed32e5855c2d91f3f9d6410633b84020bead54086f47ce687a5e70a/analysis/1378926663/

** http://urlquery.net/search.php?q=64.50.166.122&type=string&start=2013-08-27&end=2013-09-11&max=50

- https://www.virustotal.com/en/ip-address/64.50.166.122/information/
___

Xerox WorkCentre Pro SPAM
- http://threattrack.tumblr.com/post/60947146663/xerox-workcentre-pro-spam
Sep 11, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: <e-mail domain>
Number of Images: 3
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name:
Attached file is scanned image in PDF format.

Malicious File Name and MD5:
Scan_<random>.zip (1BE34606E5B1D54C5E394982A3DD8965)
scanned_doc_<date>.exe (2E318671CEC024166586943AD04520C1)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a1d06659e9d1e04299fc707dcb569734/tumblr_inline_msz3pw9f951qz4rgp.png
___

Fake AVG Android Apps ...
- http://blogs.avg.com/mobile-2/examples-fake-avg-android-apps/
Sep 9, 2013 - "Our mobile security research team has found at least 33 applications that contain aggressive advertising components in the official Google Play store. The developers of these applications choose to imitate well-known companies like Google, Microsoft, Twitter, AVG among others. Here’s an example of some applications found in Google Play:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-11.png
... Below you can see another example of a -fake- AVG anti-virus app that can be found in Google Play:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-6.png
Remember, if you want to pay for a PRO version of an app, you absolutely must make sure that it is the legitimate version of the app you’re looking for... When you install one of these fake applications, it requests the user to change configurations related to the search options:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-31.png
After the user accepts the conditions, commericals for adult services are shown:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-4.png
Later, the app itself offers none of the functionality advertised (such as antivirus protection). This is a new advertising vector that takes advantage of people who might not be familiar with official company accounts... when you look for AVG’s Android solutions on Google Play you might find apps that are -not- released by AVG (the official developer is AVG Mobile) but from opportunistic scammers..."

- http://www.fireeye.com/blog/technical/2013/09/android-malware.html
Sep 10, 2013 - "... Before the advent of advanced malware, we used to see a bunch of fake AV on the windows platform... the same thing will happen in the case of Android malware, where eventually we will start seeing more serious and advanced techniques being employed in mobility. To protect yourself from malicious Android applications, please follow these simple steps:
1. Disable the “Allow installation of apps from Unknown Sources” setting.
2. Always install apps from trusted app markets."

:mad: :sad:

FYI...

Fake QuickBooks SPAM / Invoice_20130912.zip
- http://blog.dynamoo.com/2013/09/quickbooks-spam-invoice20130912zip.html
12 Sep 2013 - "This fake QuickBooks spam has a malicious attachment:
Date: Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Quentin Sprague ...

The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46*... the file attempt to communicate with the domain leightongriffiths .com on an apparently compromised server at 64.50.166.122 which has been seen before. Given that there are now several domains serving malware on the same server**... it is probably safe to assume that all the domains on that server are malicious and should be blocked.
Recommended blocklist:
64.50.166.122 ..."
* https://www.virustotal.com/en/file/5ac94782513f480dec9c6661559aedcf88ed67f812abc716ad52285e28f75234/analysis/1379012535/

** https://www.virustotal.com/en/ip-address/64.50.166.122/information/
___

Fake Online Message - Mint Internet Banking
- http://security.intuit.com/alert.php?a=86
9/12/13 - "People are receiving fake emails with the title "Online Message from Mint Internet Banking' ...
> http://security.intuit.com/images/mint.jpg
... This is the end of the fake email.
Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
___

Fake AV and PRISM warning on hijacked website
- http://research.zscaler.com/2013/09/fake-av-and-prism-warning-on-hijacked.html
Sep 9, 2013 - "While many individuals are concerned about privacy in light of PRISM, some malicious actors are using the program to scare naive users into installing ransomware. Since August 23rd, we have seen about 20 domains that carry FakeAV and Ransomware. These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple examples:
kringpad.websiteanddomainauctions .com:972/lesser-assess_away-van.txt?e=20
miesurheilijaaantidiabetic.conferencesiq .com:972/realism_relinquish-umbrella-gasp.txt?e=21
squamipi.worldcupbasketball .net:972/duty_therefore.txt?e=21
The malicious files seem to be changing. It started with the classic FakeAV, then switched to a fake PRISM warning. In both cases, the goal is to scare the target into paying the attacker to "fix" their computer... FakeAV remains a popular technique to lure targets into paying attackers...
- FakeAV scan of the computer
> https://lh3.ggpht.com/-XH8fcTYMAPQ/Uio9HCB6IfI/AAAAAAAAsyI/batvgm9HvrA/s1600/fakeav-2103-1.jpeg
- FakeAV claims to have found threats
> https://lh3.ggpht.com/-4jJX3X52nRw/Uio9QYzv6JI/AAAAAAAAsyQ/_7SEkFXS0gw/s1600/fakeav-2013-2.jpeg
The scan claims to have found 18 threats. Two have been cured, but the victim must -pay- to get the remaining 16 threats taken care of...
PRISM warning... The attacker uses the recent news about PRISM to claim that the victim's computer has been blocked because it accessed illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service...
- No less than 5 federal agencies are "blocking" your computer!
> https://lh3.ggpht.com/-_QJ4pSmyYqw/UipBeh9bnLI/AAAAAAAAsyo/oiQcSHvEc3o/s320/prism-1.jpeg
- Victim needs to pay up $300 to get his computer back.
> https://lh3.ggpht.com/-C4h73XCNJLM/UipB1WzBmZI/AAAAAAAAsyw/ZnFGY7A9BUs/s1600/prism-2.jpeg
Both malware connect to the same couple of IP addresses over ports 80 and 443 that include:
37.139.53.199
64.120.167.162
64.191.122.10
I expect attackers to take advantages of the upcoming UK laws on accessing adult content online to send new types of fake warnings to UK victims."

:fear: :mad::mad:

FYI...

Fake Walls Fargo SPAM- / WellsFargo - Important Documents.zip
- http://blog.dynamoo.com/2013/09/walls-fargo-spam-wellsfargo-important.html
16 Sep 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
From: Harrison_Walsh @ wellsfargo .com
Subject: IMPORTANT Documents - WellsFargo
Please review attached documents.
Harrison_Walsh
Wells Fargo Advisors
817-674-9414 office
817-593-0721 cell Harrison_Walsh @wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

Attached is a ZIP file called WellsFargo - Important Documents.zip which in turn contains a malicious executable WellsFargo - Important Documents.exe which has a very low VirusTotal rate of 2/47*. Automated analysis tools... detect network traffic to [donotclick]www .c3dsolutions .com hosted on 173.229.1.89 (5Nines LLC, US). At present I do not have any evidence of further malware sites on that server."
* https://www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/1379342203/
___

ZeuS/ZBOT: Most Distributed malware by Spam in August
- http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-most-distributed-malware-by-spam-in-august/
Sep 16, 2013 - "... resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some times, its prevalence shows that it is still a big threat to end users today. For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants. ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE...
Malware families spread by spam
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Zeus-spam-percentage.jpg
... the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Spoofed-email-fareit-254x300.jpg
Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and tries to login using their credentials, the malware inject additional field for users to fill out and then steal these information. Cybercriminals can then use these stolen data to either initiate unauthorized transactions or sell in the underground market. FAREIT is another data-stealing malware that gathers emails and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT..."
___

Fake eFax SPAM / rockims .com
- http://blog.dynamoo.com/2013/09/efax-spam-rockimscom.html
16 Sep 2013 - "This fake eFax spam leads to malware on rockims .com:
Date: Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Corporate eFax message - 1 pages
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
Fax Message [Caller-ID: 854-349-9584]
You have received a 1 pages fax at 2013-16-09 01:11:11 CST.
* The reference number for this fax is latf1_did11-1237910785-2497583013-24.
View this fax using your PDF reader.
Click here to view this message ...
Thank you for using the eFax service! ...

Screenshot: https://lh3.ggpht.com/-g0-MrOF8Xvw/UjdWvoTurOI/AAAAAAAAB84/BQAkE0cb-dM/s1600/efax.png

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online .de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools .ac .cy/initials/casanovas.js
[donotclick]ade-data .com/exuded/midyear.js
These then lead to a malware payload at [donotclick]rockims .com/topic/seconds-exist-foot.php which is a -hijacked- GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains...
Recommended blocklist:
192.81.133.143 ..."
(More URLs listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/192.81.133.143/information/

:mad::fear:

FYI...

Amazon Gift Card -phish- ...
- http://www.threattracksecurity.com/it-blog/50-amazon-gift-card-phish-makes-use-of-data-uri-technique/
Sep 17, 2013 - "Be wary of emails landing in mailboxes claiming to offer up “complimentary £50 gift cards” from Amazon. The mails, which claim to come from redeemATamazon(dot)co(dot)uk...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/amazonfakemail1.jpg
The mails are nice and professional looking, and the only real giveaway is that hovering over the “Redeem gift card” button displays a Tinyurl link -instead- of the expected Amazon URL... Clicking the Tinyurl link takes end-users to a very nice looking set of pages designed to offer up the so-called gift card, then extract personal information including cc number and name / address / dob... Once end-users have selected their card design, they’re suddenly informed that “Our constant security review has shown us that your account has been inactive. Please confirm your updated card information below. Once your details have been confirmed with our system, we will then post your free gift card to you” …along with a message that their card has expired and a billing information update is required... The concept of using this in a phish attack has been around for a while, but it isn’t too often you come across them... Amazon themselves list a lot of scam types on their Security & Privacy page* so you may want to familiarise yourselves with those. As always, if it sounds too good to be true then it probably is..."
* http://www.amazon.co.uk/gp/help/customer/display.html/ref=help_search_1-1?ie=UTF8&nodeId=492866&qid=1370954895&sr=1-1
___

Fake ADP SPAM / ADP_831290760091.zip
- http://blog.dynamoo.com/2013/09/adp-spam-adp831290760091zip.html
17 Sep 2013 - "This fake ADP spam has a malicious attachment:
Date: Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From: ADP ClientServices
Subject: ADP - Reference #831290760091
Priority: High Priority 1 (High)
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #831290760091
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...

Attached to the email is a file called ADP_831290760091.zip which in turn contains ADP_Reference_09172013.exe which has a VirusTotal detection rate of 9/48*. Automated analysis [1] [2] [3] shows a connection attempt to awcoomer .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server, it does host 30+ legitimate UK sites if that helps.."
* https://www.virustotal.com/en-gb/file/333342d7e7790daee364f7da003a8c690550df12647ccb72a022bd70bf2285ae/analysis/1379432239/

1) https://malwr.com/analysis/MDM2MmVmYThiMzAwNGE4OGIyOTlmZjEyODIzZjE5YTI/

2) http://camas.comodo.com/cgi-bin/submit?file=333342d7e7790daee364f7da003a8c690550df12647ccb72a022bd70bf2285ae

3) http://anubis.iseclab.org/?action=result&task_id=118929c3bd33d5cf4558fb39a8199c677&format=html
___

FedEx spam FAIL
- http://blog.dynamoo.com/2013/09/fedex-spam-fail.html
17 Sep 2013 - "This fake FedEx spam is presumably -meant- to have a malicious payload:
Date: Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From: webteam@ virginmedia .com
Subject: Your Rewards Order Has Shipped
Headers: Show All Headers
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.
Order Confirmation Number: 0410493
Order Date: 09/15/2013
Redemption Item Quantity Tracking Number
Paper, Document 16 <
fedex.com Follow FedEx:
You may receive separate e-mails with tracking information for reward ordered...

Screenshot: https://lh3.ggpht.com/--53hJkHQbuU/Ujh2GyxXzbI/AAAAAAAAB9Q/8HFvlXVNoHM/s1600/fedex.png

Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care."
___

FDIC Spam
- http://threattrack.tumblr.com/post/61500209698/fdic-spam
Sep 17, 2013 - "Subjects Seen:
FDIC: About your business account
FDIC: Your business account
Typical e-mail details:
Dear Business Customer,
We have important information about your bank.
Please View to view detailed information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership

Malicious URLs
data.texosn .ru/insurance.problem.html
no-mice .ru/insurance.problem.html
fdic.gov.horse-mails .net/news/fdic-insurance.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/67c51721046f2bb32a14ba2919e3a939/tumblr_inline_mt9y7xPKjB1r6pupn.png

- http://blog.dynamoo.com/2013/09/fdic-spam-horse-mailsnet.html
17 Sep 2013 - "This fake FDIC spam leads to malware on www .fdic.gov.horse-mails .net:
Date: Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From: insurance.coverage@ fdic .gov
Subject: FDIC: About your business account
Dear Business Customer,
We have important news regarding your financial institution.
Please View to see further details.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDÌC Questions for FDÌC?
Contact Us...
Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 ...

Screenshot: https://lh3.ggpht.com/-YGld7C9xZtw/Ujh69VMQLsI/AAAAAAAAB9g/15BqbI3D7QM/s1600/fdic.png

The link goes through a legitimate -hacked- site and onto a malware landing page at [donotclick]www.fdic.gov.horse-mails .net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs...:
37.221.163.174 (Voxility S.R.L., Romania)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
109.71.136.140 (OpWan SARL, France)
174.142.186.89 (iWeb Technologies, Canada)
216.218.208.55 (Hurricane Electric, US) ...
new feature (pictured below)
> https://lh3.ggpht.com/-IXC9yHDKq48/Ujh85gQNIRI/AAAAAAAAB9s/nryohN6ihzQ/s1600/os-detection.png
Recommended blocklist...:
37.221.163.174
95.111.32.249
109.71.136.140
174.142.186.89
216.218.208.55 ..."

:fear: :mad:

FYI...

Ajax Oracle Quotation Spam
- http://threattrack.tumblr.com/post/61803135323/ajax-oracle-quotation-spam
Sep 20, 2013 - "Subjects Seen:
my subject
Typical e-mail details:
Dear Sir/Madam
I am the Purchase Manager of AJAX ORACLE TRADING COMPANY LTD.We are a
major trading company located in Ontario Canada.
We are interested in purchasing your products as exactly shown in the DATA
SHEET as attached in this mail. Please check and get back to us as soon as
possible with your last price, payment terms and delivery time.
Your response will be highly appreciated.
Sincerely Yours.
Danny Davies
Sales Department
Ajax Oracle Trading Co.Ltd

Malicious File Name and MD5:
Quotation.zip (85E02878328919ABE4BB01FDEBD90E6)
Quotation.scr (3B56864260399FBB0259F817749E959C)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7365813051d152bf0f4f625b390fc6a2/tumblr_inline_mtg9dazzKD1r6pupn.png
___

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127
- http://blog.dynamoo.com/2013/09/whatsapp-3-new-voicemails-spam-and.html
20 September 2013 - "I am indebted to Gary Warner for his analysis* of this malware... This malware is particularly cunning...
> https://lh3.ggpht.com/-b6Aj4avuPQc/Ujy7tgfwSwI/AAAAAAAAB-Q/Q1ADawDWL6s/s1600/whatsapp.png
... it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty health 21/48**, but who runs anti-virus software on their Android?... the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before... Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on thier devices and should take the appropriate steps to keep themselves safe."
(More detail at the dynamoo URL above.)
* http://garwarner.blogspot.com/2013/09/fake-av-malware-hits-android.html

** https://www.virustotal.com/en/file/1d5390ff7fa9e813d47e12a2137dc5f67df12212196e614ec9f72ba6bbb85535/analysis/1379711360/
___

Shylock Financial Malware Back and Targeting Two Dozen Major Banks
- https://atlas.arbor.net/briefs/index#-1822006250
Elevated Severity
September 20, 2013 21:24
The Shylock banking trojan malware, also known as Caphaw, is active and targeting at least twenty-four banking institutions.
Analysis: Shylock has "man in the browser" capabilities whereby it takes over the users system during banking transactions to commit fraud. As the fraud comes from the authorized user from the authorized system, the deviceprint is no longer a useful indicator of malicious activity. Shylock is increasing in popularity and is now aimed at more targets. Previously, it had a smaller number of regional targets.
Source: http://threatpost.com/shylock-financial-malware-back-and-targeting-two-dozen-major-banks/102343
"... researchers provided the list of 24 banks being targeted..."
___

Beta Bot malware blocks users A/V ...
- http://www.ic3.gov/media/2013/130918.aspx
Sep 18, 2013 - "The FBI is aware of a new type of malware known as Beta Bot. Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise. Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it -redirects- the user to compromised websites...
> https://www.ic3.gov/images/130918.png
Although Beta Box masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.
Remediation strategies for Beta Bot infection include running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware."
- https://atlas.arbor.net/briefs/index#64584071
Title: FBI Warning Users About Beta Bot Malware
Published: Fri, 20 Sep 2013 21:24:05 +0000
The Beta Bot malware has caught the attention of the FBI, who have issued a warning bulletin.
___

Backdoor installed via Java 6 exploit...
- http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit/
Sep 20, 2013 - "... this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. This affects unsupported Java 6 users, meaning they’re at -extreme- risk since no patch will be available. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey. Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected... we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493*, that has been exploited since February 2013. It was patched in March... The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up... it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493 - 10.0 (HIGH)
Last revised: 08/22/2013

:mad: :fear:

FYI...

Fake FDIC emails serve client-side exploits and malware ...
- http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-side-exploits-malware/
Sep 23rd, 2013 - "Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/09/FDIC_Email_Spam_Spam_Campaign_Spamvertised_Malware_Malicious_Software_Exploits_Social_Engineering.png
Sample redirection chain: hxxp ://stranniki-music .ru/insurance.problem.html (62.173.142.30) -> hxxp ://www.fdic .gov.horse-mails .net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) Email: comicmotors@ writeme .com ... MD5 for a sample served client-side exploit: MD5: 92897ad0aff69dee36dc22140bf3d8a9*. Sample MD5 for the dropped malware: MD5: 7b6332de90e25a5b26f7c75910a22e0c**. Once executed, the sample phones back to... C&C servers..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/b34459b573637cb5e6fc938f989a24d79d0b83e9cb3fac272e5f7ecaad90519a/analysis/
Detection ratio: 28/48
** https://www.virustotal.com/en/file/07e7008fe60355714115364ad774b553b92d3515c2a810c2299f394c39d5f652/analysis/
Detection ratio: 9/48
___

FBI Ransomware forcing child porn on infected computers
- http://www.webroot.com/blog/2013/09/23/threatvlog-episode-6-fbi-ransomware-forcing-child-porn-infected-computers/
Sep 23, 2013 - "... new, very malicious form of FBI Ransomware that forces the users of infected machines to look at illegal imagery, taking the scare tactics to the next level..."
Video 2:27: https://www.youtube.com/embed/FAoRSLvtkA4
___

LinkedIn Invitation Spam
- http://threattrack.tumblr.com/post/62068030698/linkedin-invitation-spam
Sep 23, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
67.215.196.13 /images/wp-gdt.php?x1MVGHILHO0IT6347
exitdaymonthyear .biz/closest/i9jfuhioejskveohnuojfir.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3f99bf146a26fce1803ff953fd9d26ab/tumblr_inline_mtl6hnaHBA1r6pupn.png

- https://www.virustotal.com/en/ip-address/67.215.196.13/information/

Tagged: Blackhole, Sirefef, LinkedIn

:mad: :fear:

FYI...

Fake DivX plug-in leads to Malware ...
- http://www.threattracksecurity.com/it-blog/fake-divx-plug-leads-picture-popping-malware/
Sep 23, 2013 - "Fans of semi-humorous Internet videos be warned: there’s a batch of files doing the rounds which pretend to be image files acting as DivX plug-ins... Sites pushing the files will claim you have the wrong type of DivX Plugin installed, with a new one being required to view the content. The first port of call (now replaced by a page-full of Javascript which we’re taking a look at) is / was located at sjsinternational(dot)com/shirleen
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/fbdivx1.jpg
“DivX plug-in required!
You don’t have the plugin required to view the video
Save the video and run it locally”
A rogue file – which appears to have been compiled in Russia – will be offered up to the end-user, typically offering up filenames that suggest photographs of a lewd and / or salacious nature. The files come from a .ua URL... one of the oldest tricks in the book is being used here – all the files claim to be gifs, jpegs and tif files, when they are (of course) anything but. Elsewhere on the same domain, we have a page which claims “You need to download and execute the Facebook app to see it! It’s amazing!” with yet another file being offered up. This page is still active, and located at sjsinternational(dot)com/marguerite.html
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/fbdivx2.jpg
... various URLs serving up the Malware have been very busy... More often than not, “Run this file to see a picture” results in no pictures and lots of files (bad ones, at that). This one is at least a little bit unusual if only because the end-user receives a (not very impressive) “reward” at the end of the hoop jumping. However, that reward comes loaded with Malware and should be avoided at all costs, whether posing as image files, Facebook apps or anything else you care to mention."
___

Fake Wire Transfer SPAM / INTL_Wire_Report-09242013.zip
- http://blog.dynamoo.com/2013/09/international-wire-transfer-spam.html
24 Sep 2013 - "This fake wire transfer spam has a malicious attachment:
Date: Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@ wellsfargo .com]
Subject: International Wire Transfer File Not Processed
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: S203-8767457
Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700 ...

Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date in encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48*... network traffic to ta3online .org on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site. Blocking EXE-in-ZIP files at you network perimeter is absolutely the best way of avoid malware attacks like this."
* https://www.virustotal.com/en/file/cb920789573b15518b19cc3b413ebe6f1dada6c8c15f841e51d9369b85e285a1/analysis/1380058931/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Wire Transfer Failure Notification Email Messages - 2013 Sep 24
Fake Payment Information Email Messages - 2013 Sep 24
Fake Unpaid Debt Invoice Email Messages - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Fake Shipping Order Information Email Messages - 2013 Sep 24
Fake Picture Delivery Email Messages - 2013 Sep 24
Fake Account Payment Notification Email Messages - 2013 Sep 24
Fake Fax Document Delivery Email Messages - 2013 Sep 24
Fake Media File Sharing Email Messages - 2013 Sep 24
Fake Bank Payment Information Email Messages - 2013 Sep 24
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 24
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 24
(More detail and links at the cisco URL above.)

:mad: :fear::fear:

FYI...

Fake Intuit SPAM / Invoice_3056472.zip
- http://blog.dynamoo.com/2013/09/intuit-spam-invoice3056472zip.html
25 Sep 2013 - "It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possible go wrong? Oh..
Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller @ intuit .com]
Subject: FW: Invoice 3056472
Your invoice is attached.
Sincerely,
Lewis Muller
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...

The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48*... the usual sort of badness, including a call home to gidleybuilders .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week**. Two compromised domains in a week seems a bit more than a coincidence... legitimate domains are also on that same server..."
* https://www.virustotal.com/en/file/ab746f564e12257dc839c64b4d04a78979a2039c134c18dff3b6f487eef88607/analysis/1380130529/

** http://blog.dynamoo.com/2013/09/adp-spam-adp831290760091zip.html
___

Fake Phish - FW: Invoice 8428502
- http://security.intuit.com/alert.php?a=87
9/25/2013 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Please be advised that that the attachment (Invoice_092513.exe) received with this email was removed in accordance with the Assante Virus policy. If you are aware of the contents of this attachment and you require it for business reasons please contact the IT Helpdesk (its@assante.com OR 888 955 8886). Please contact the sender if you are unsure of the contents or purpose for the attachment.
Your invoice is attached.
Sincerely,
Cliff Jeffers

This is the end of the -fake- email..."
___

Fake AICPA SPAM / children-bicycle .net
- http://blog.dynamoo.com/2013/09/aicpa-spam-children-bicyclenet.html
25 Sep 2013 - "This fake AICPA spam leads to malware on the domain children-bicycle .net:
From: Reggie Wilkins [blockp12@ clients.aicpa .net]
Date: 25 September 2013 15:03
Subject: Your accountant license can be cancelled.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,
We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.
Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.
Complaint.pdf
The American Institute of Certified Public Accountants...

Screenshot: https://lh3.ggpht.com/-bGGHCaxMLis/UkL6RAFRnFI/AAAAAAAAB_c/04BZbMByhJ8/s1600/aicpa.png

... The link in the email goes to a legitimate -hacked- site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle .net/news/aicpa-all.php (report here*).. but only if the visitor is running Windows (more of which in a moment). The domain children-bicycle .net is registered with fake WHOIS details and the pattern of the domain mark it out as belonging to the Amerika gang... The payload is hosted on the following IP addresses (all also listed here**):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)
As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows, others end up at the genuine aicpa .org website:
> https://lh3.ggpht.com/-9WjcD-F-6Hk/UkL9_bvLrVI/AAAAAAAAB_o/5D0WOTEyMMU/s1600/aicpa-code.png
Recommended blocklist:
24.111.103.183
109.71.136.140
184.82.233.29 ..."
* http://urlquery.net/report.php?id=5941489

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-2492013.html
___

6rf .net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211
- http://blog.dynamoo.com/2013/09/6rfnet-and-something-evil-on.html
25 Sep 2013 - "Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf .net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant .biz. The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains... That IP hosts various exploit kits* and is suballocated to a Russian customer... Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer... But that's not the only infection that 6rf .net is punting, as there is another malicious domain of [donotclick]yandex .ru.sgtfnregsnet .ru in use (report here**) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot .ru ***) which is also serving up an exploit kit... It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
6rf .net ..."
(More listed at the dynamoo URL aqbove.)
* http://urlquery.net/search.php?q=198.50.225.121&type=string&start=2013-09-10&end=2013-09-25&max=50

** http://urlquery.net/report.php?id=5939386

*** http://urlquery.net/report.php?id=5924098

:mad: :fear:

FYI...

Something evil on 91.231.98.149 and boats .net
- http://blog.dynamoo.com/2013/09/something-evil-on-9123198149-and.html
26 Sep 2013 - "This injection attack* on boats .net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards .biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards .biz/_cp/crone/ which cannot be anything good. What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar... A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukranian sites... I don't know what the payload is, but the IP address was also used in this recent malware attack**. The IP and domains are definitely malicious, and I would recommend the following blocklist:
91.231.98.149
eschewsramping .biz
gamelikeboards .biz
sixteenups .biz
sorelyzipmagics .biz
technicaltutoring .biz
zarazagorakakaxx1 .org
zarazagorakakaxx2 .com
* [url]http://urlquery.net/report.php?id=5960880

** https://malwr.com/analysis/YjQ1ZmIyNDYyMzQ1NDdiYjliODBhZTU2NDU2NDgzNmE/

Added: it looks like this site has been compromised before*** ..."
*** http://news.softpedia.com/news/Outdoor-Network-Starts-Notifying-Customers-After-Boats-net-and-Partzilla-com-Hack-382161.shtml
___

Print A Tree, Pop An Ad
- http://www.threattracksecurity.com/it-blog/print-tree-pop-ad/
Sep 26, 2013 - "... We first noticed this one as part of a larger Installcore bundler from a pop up on a “free video” site:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/treeprint5.png
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/treeprint6.jpg
Quite what our chosen subject matter has to do with videos I’ve no real idea, but never let relevance detract from an Adware bundle. Here it is during the main install of “FLV Player Setup”, and it is called “Print-A-Tree”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/treeprint2.jpg
... Some of the other programs installed from the Installcore bundle included Web Connect (Yontoo variant), Bonanza Deals and O-to-Lyrics... This is where things go horribly wrong, because not only do you have ads injected onto numerous websites, you also end up with pop-ups which often lead to additional installs (with additional Adware!)... The pop-up ad promotes a web browser which will offer up more adware at install, to sit alongside whatever applications you happen to have on board from the first bundle... You can see more about the original bundler file over at VirusTotal*, which currently has it pegged at 8/41..."
* https://www.virustotal.com/en/file/4183c49f0a97ebbec42ea3c928e36624674704f4d4a2566d7c40c22a9a17055f/analysis/1380126410/
File name: FlvPlayerSetup.exe_
Detection ratio: 8/41 ...
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Xerox Scan Attachment Email Messages - 2013 Sep 26
Fake Package Delivery Invoice Notification Email Messages - 2013 Sep 26
Fake Account Payment Notification Email Messages - 2013 Sep 26
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 26
Fake Sales Receipt Notification Email Messages - 2013 Sep 26
Fake Product Order Email Messages - 2013 Sep 26
Fake Voice Messages Delivery Email Messages - 2013 Sep 26
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 26
Fake Purchase Order Request Email Messages - 2013 Sep 26
Fake Product Requirements List Email Messages - 2013 Sep 26
Fake Product Sample Request Email Messages - 2013 Sep 26
Blank Email Messages with Malicious Attachments - 2013 Sep 26
Fake Financial Document Delivery Email Messages - 2013 Sep 26
(More detail and links at the cisco URL above.)

:mad::mad:

FYI...

Fake Facebook SPAM / directgrid .org
- http://blog.dynamoo.com/2013/09/facebook-you-have-new-notifications.html
27 Sep 2013 - "This fake Facebook spam leads to malware on directgrid .org:
Date: Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From: Facebook [notification+W85BNFWX @facebookmail .com]
Subject: You have 21 friend suggestions, 11 friend requests and 14 photo tags
facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages
11 friend requests
21 friend suggestions
14 photo tags
View Notifications
Go to Facebook ...

Screenshot: https://lh3.ggpht.com/-7H6j4ml6nRk/UkWZHoxgKnI/AAAAAAAACAA/QM-UWgx5SDg/s1600/facebook2.png

The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes .com/starker/manipulator.js
[donotclick]dtwassociates .com/marry/sullies.js
[donotclick]repairtouch .co .za/lollypops/aquariuses.js
This leads to a malware landing page hosted on a -hijacked- GoDaddy domain at [donotclick]directgrid .org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains...
Recommended blocklist:
50.116.10.71 ..."
(More listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/50.116.10.71/information/

:fear::mad:

FYI...

Fake IRS SPAM / oooole .org
- http://blog.dynamoo.com/2013/09/irs-invalid-file-email-reminder-spam.html
30 Sep 2013 - "This fake IRS spam leads to malware on oooole .org:
Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From: "Fire@irs.gov" [burbleoe9@ irs .org]
Subject: Invalid File Email Reminder
9/30/2013
Valued Transmitter,
We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
Filename # of Times
Email Has
Been Sent Tax
Year
ORIG.62U55.2845 2 2012...

The link in the email goes through a legitimate -hacked- site and then -redirects- through one of the following three scripts:
[donotclick]savingourdogs .com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns .biz/resonators/sunbonnet.js
[donotclick]polamedia .se/augusts/fraudulence.js
The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole .org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains...
Recommended blocklist:
75.98.172.238 ..."

- https://www.virustotal.com/en/ip-address/75.98.172.238/information/
___

Fake Wells Fargo SPAM - malicious ZIP file
- http://blog.dynamoo.com/2013/09/wells-fargo-important-documents-spam.html
30 Sep 2013 - "This fake Wells Fargo spam comes with a malicious attachment:
Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From: Bryon Faulkner [Bryon.Faulkner@ wellsfargo .com]
Subject: Important Documents
Please review attached documents.
Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell Bryon.Faulkner@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

The attached document is starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe). The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48*... attempted connection to the site demandtosupply .com on 84.22.177.37 (ioMart, UK) which is a server spotted in a similar attack a few weeks ago**. Unfortunately, where more than one domain on a server is compromised then it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box... so exercise caution if deciding to block them.
Recommended blocklist:
84.22.177.37
demandtosupply .com
ce-cloud .com"
* https://www.virustotal.com/en/file/32845402bb571205b36923c74f3c67ea68ca30efe2ceead4118183437b4845da/analysis/1380564661/

** http://blog.dynamoo.com/2013/09/scanned-document-attached-spam.html

- https://www.virustotal.com/en/ip-address/84.22.177.37/information/

:fear: :mad:

FYI...

Fake AMEX phish ...
- http://threattrack.tumblr.com/post/62810863752/american-express-credentials-phish
Oct 1, 2013 - "Subjects Seen:
Fraud Alert : Irregular Card Activity
Typical e-mail details:
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 1st October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
americanexpress.com
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.

Malicious URLs
kaindustries.comcastbiz .net/boulevards/index.html
theswordcoast.awardspace .com/catalepsy/index.html
i37raceway .com/hovers/index.html
pizzapluswindsor .ca/americanexpress/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f9f15d03e1e7ddf46f7964a8469f9f67/tumblr_inline_mtzvalp01I1r6pupn.png
___

Fake NACHA SPAM - malware on thewalletslip .com
- http://blog.dynamoo.com/2013/10/fake-nacha-spam-leads-to-malware-on.html
1 Oct 2013 - "This fake NACHA spam leads to malware on thewalletslip .com:
Date: Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From: ACH Network [markdownfyye396@ nacha .org]
Subject: Your ACH transfer
The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.
Aborted transfer
ACH transfer ID: 428858072307
Reason of Cancellation Notice information in the report below
Transaction Report View Report 428858072307
About NACHA ...

Screenshot: https://lh3.ggpht.com/-Fs6-J6CBRpE/UkrNz0uc4JI/AAAAAAAACAY/0P9Qc8C6gK0/s1600/nacha.png

The link in the email goes through a legitimate -hacked- site and then runs one of three scripts:
[donotclick]theodoxos .gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home .org/volleyballs/cloture.js
[donotclick]www.knopflos-combo .de/subdued/opposition.js
Then the victim is directed to a malware landing page at [donotclick]thewalletslip .com/topic/latest-blog-news.php and if you follow this blog regularly then you will not be at all surprised to find that it has been hijacked from GoDaddy... It is hosted on 75.98.172.238 (A2 Hosting, US) which is the same server spotted yesterday*."
Recommended blocklist:
75.98.172.238 ..."
* http://blog.dynamoo.com/2013/09/irs-invalid-file-email-reminder-spam.html

- https://www.virustotal.com/en/ip-address/75.98.172.238/information/
___

Apple spikes as Phishing Target
- http://blog.trendmicro.com/trendlabs-security-intelligence/apple-spikes-as-phishing-target/
Oct 1, 2013 - "... Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers. Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below:
Number of identified Apple-related phishing sites
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/apple-graph.png
Some cases of these Apple-related threats just use Apple as social engineering bait. For example, here, the need to “verify” one’s Apple products or services is used to phish email services:
Phishing site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/apple-phish-2.gif
... Apple ID itself is now being targeted for theft. For users of all Apple products – whether they be Macs, iOS devices, or just the iTunes store – the Apple ID is a key ingredient in how they use these products. For example, it can be used to control the data stored in your iCloud account, make purchases of both music and apps, and even manage your iOS or Mac device. Not only that, users from all over the world are being targeted. For example, this phishing site is in French:
Apple ID phishing site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/apple-phish-france-4.gif
... It would appear that cybercriminals are using Apple-related rumors as a gauge of potential interest from users/victims and increase the number of their attacks as needed. This growth in Apple-related threats highlights how Apple users, far from being safe, are continuously targeted by threats today as well..."
___

Pinterest Facebook Friend Spam
- http://threattrack.tumblr.com/post/62823818697/pinterest-facebook-friend-spam
Oct 1, 2013 - "Subjects Seen:
Your Facebook friend <removed> joined Pinterest
Typical e-mail details:
Your Facebook friend <removed> just joined Pinterest. Help welcome <removed> to the community!

Malicious URLs
ats.webd .pl/caskets/index.html
theodoxos .gr/hairstyles/defiling.js
web29.webbox11.server-home .org/volleyballs/cloture.js
knopflos-combo .de/subdued/opposition.js
pizzapluswindsor .ca/topic/latest-blog-news.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bf61cd5a0995ac279cf8940470bf8ae5/tumblr_inline_mu050u7D5p1r6pupn.png
___

Tens of thousands of fake Twitter accounts passed off and sold as 'followers'
- https://www.virusbtn.com/blog/2013/09_20.xml
20 Sep 2013
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Email Messages with Malicious Attachments - 2013 Oct 01
Fake Commissions Statement Notification Email Messages - 2013 Oct 01
Fake Product Order Request Email Messages - 2013 Oct 01
Fake Purchase Order Notification Email Messages - 2013 Oct 01
Fake Product Order Delivery Information Email Messages - 2013 Oct 01
Fake Multimedia Message Delivery Email Message - 2013 Oct 01
Fake Product Order Email Messages - 2013 Oct 01
Fake Bank Payment Notification Email Messages - 2013 Oct 01
Fake Court Document Email Messages - 2013 Oct 01
Fake Document Filing Notification Email Messages - 2013 Oct 01
Fake Debt Collection Notification Email Messages - 2013 Oct 01
Fake Account Payment Notification Email Messages - 2013 Oct 01
Fake Product Purchase Order Email Messages - 2013 Oct 01
Fake Product Specification Request Email Messages - 2013 Oct 01
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 01
Fake Shipment Invoice Email Messages - 2013 Oct 01
Fake Payment Information Email Messages - 2013 Oct 01
Blank Email Messages with Malicious Attachments - 2013 Oct 01
(More detail and links at the cisco URL above.)

:fear::mad::fear:

FYI...

Fake T-Mobile message emails lead to malware
- http://www.webroot.com/blog/2013/10/02/t-mobile-mms-message-arrived-themed-emails-lead-malware/
Oct 2, 2013 - "A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they’ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs. Detection rate for the spamvertised sample – MD5: 5d69a364ffa8d641237baf4ec7bd641f – * W32/Trojan.XTWU-6193; TR/Sharik.B; Trojan.DownLoader9.22851
Once executed, the sample phones back to networksecurityx.hopto .org – 69.65.19.117 ... subdomains are also known to have phoned back to the same IP in that past... malicious MD5s are also known to have phoned back to the same domain/IP in the past..."
* https://www.virustotal.com/en/file/a9e3c6ff238cd1e4a5a2d3312bfad59091c25698e6c072623af279a58ebbe254/analysis/1379599644/
___

Fake Facebook Mobile Page Steals Credit Card Details
- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-facebook-mobile-page-steals-credit-card-details/
Oct 1, 2013 10:28 pm (UTC-7) - "... a mobile phishing page that looks very similar to the official Facebook mobile page. However, looking closely into the URL address, there are noticeable differences. The real Facebook page is located at https://m.facebook.com/login and has the lock icon to show that the page is secured.
Fake vs. legitimate Facebook mobile page
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Facebook-phishingvsreal-pag.gif
This page tries to steal more than Facebook credentials. Should users actually try to log in, the page then prompts users to choose a security question. This may sound harmless, but these same security questions might be used across several different sites, and can compromise your security as well.
Fake Facebook security page
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/fake-facebook-security-page.gif
Once users are done, they are led to another page, this time asking for their credit card details.
Page asking for credit card details
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/fake-facebook-page-creditca.gif
In cases like these, users should always be careful and double-check the URLs of sites they are entering personal information into, particularly those that claim to belong to a particular service. In addition, Facebook does -not- ask for a user’s credit card information unless they are making a purchase..."
___

"microsoft support" calls - now with ransomware
- https://isc.sans.edu/diary.html?storyid=16703
Last Updated: 2013-10-02 04:16:32 UTC - "Most of us are familiar with the "microsoft support" call. A phone call is received, the person states they are from "microsoft support" and they have been alerted that your machine is infected. The person will assist you by having you install a remote desktop tool such as teamviewer or similar (we have seen many different versions). Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found out the other day, when he received a call. They now install -ransomware- which will lock the person out of their computer until a fee has been been paid. In this instance it was done quite early in the "support" call so even disconnecting when smelling a rat it was too late. The ransomware itself looks like it replaced some start up parameters to kick in the lockout rather than encrypting the drive or key elements of the machine. However for most users that would be enough to deny access. So in the spirit of Cyber Security Awareness Month make this month one where you let your non-IT friends and family know two things. Firstly, BACKUP YOUR STUFF. Secondly, tell them "when you receive a call from "microsoft support", the correct response is to hang up."
___

Fake Staples SPAM leads to malware on tootle .us
- http://blog.dynamoo.com/2013/10/fake-staples-spam-leads-to-malware-on.html
2 Oct 2013 - "This fake Staples spam leads to malware on a site called tootle .us:
Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From: support@ orders.staples .com
Subject: Staples order #: 1353083565
Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
Customer No.:1278823232 Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135
Item1 Qty. Subtotal
DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS 2 $125.26
Item2 Qty. Subtotal
DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS 2 $124.03
Subtotal:: $243.59
Delivery: FREE
Tax: $17.66
Total: $250.35
Your order is subject to review ...

Screenshot: https://lh3.ggpht.com/-q6p692ui0yA/UkwxpO-DKdI/AAAAAAAACBA/jtONVL3tAfI/s1600/staples.png

The link in the email goes to a legimate (but hacked site) and then attempt to load one of the following three scripts:
[donotclick]algmediation .org/inventory/symphony.js
[donotclick]apptechgroups .net/katharine/bluejacket.js
[donotclick]ctwebdesignshop .com/marquetry/bucket.js
From there the victim is redirected to a malware landing page at [donotclick]tootle .us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another -hijacked- GoDaddy domain (there are some more on this server...)..."
Recommended blocklist:
23.92.22.75
tootle .us ..."

- https://www.virustotal.com/en/ip-address/23.92.22.75/information/

:fear::mad:

FYI...

Fake Amazon SPAM - uses email address harvested from Comparethemarket .com
- http://blog.dynamoo.com/2013/10/fake-amazon-spam-uses-email-address.html
3 Oct 2013 - "This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket .com.
From: Amazon.com [ship-confirm@ amazon .com]
Reply-To: "Amazon.com" [ship-confirm@ amazon .com]
Date: 3 October 2013 15:43
Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
Amazon .com
Kindle Store
| Your Account | Amazon.com
Order Confirmation
Order #159-2060285-0376154 ...

Screenshot: https://lh3.ggpht.com/-c8R7xg-gpdY/Uk2X8G-KMAI/AAAAAAAACB4/RIr-Fimvkxs/s1600/amazon.png

How the email address was extracted from Comparethemarket.com is not known. The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]berkahabadi .de/unclear/unsettle.js
[donotclick]sigmarho.zxq .net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online .de/creel/eccentrically.js
This redirects the victim to a malware page at [donotclick]globalrealty-nyc .info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). This is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.
Recommended blocklist:
96.126.103.252 ..."

- https://www.virustotal.com/en/ip-address/96.126.103.252/information/

USPS Express Services Spam
- http://threattrack.tumblr.com/post/62995873638/usps-express-services-spam
Oct 3, 2013 - "Subjects Seen:
USPS - Your package is available for pickup ( Parcel <random> )
USPS - Missed package delivery
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: <random>
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services.

Malicious File Name and MD5:
USPS_Label_<random>.zip (43BA7C2530EF2F69DEF845FE5E10C6C7)
USPS_Label_<date>.exe (7EAC25BFC4781CA44C5D991115AAF0B4)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9b894dabc36a9a3ca56b389f8998f4e3/tumblr_inline_mu3kgsMMFH1r6pupn.png

:fear: :mad:

FYI...

Fake Dropbox SPAM - leads to malware on adelect .com
- http://blog.dynamoo.com/2013/10/fake-dropbox-spam-leads-to-malware-on.html
4 Oct 2013 - "This fake Dropbox spam leads to malware:
Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From: Dropbox [no-reply@ dropboxmail .com]
Subject: Please update your Expired Dropbox Password
Hi [redacted].
We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.
Please visit the page to update your password
Reset Password
Thanks!
- The Dropbox Team

Screenshot: https://lh3.ggpht.com/-8446bMdKtno/Uk6__aJc2AI/AAAAAAAACCM/mnPJHVUoqbE/s1600/dropbox.png

The link in the email goes through a legitimate hacked site and then on to a set of three scripts:
[donotclick]12.158.190.75 /molls/smudgier.js
[donotclick]freetraffic2yourweb .com/palermo/uneconomic.js
[donotclick]www.bathroomchoice .com/huntsmen/bestsellers.js
From there the victim is delivered to a malware landing page at [donotclick]adelect .com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server..."
Recommended blocklist:
66.150.155.210
wrightleasing .com
renewalbyandersendayton .com
adelect .com
12.158.190.75
freetraffic2yourweb .com
www .bathroomchoice .com"

- https://www.virustotal.com/en/ip-address/66.150.155.210/information/

:fear: :mad:

FYI...

Fake National Bankruptcy Services SPAM
- http://threattrack.tumblr.com/post/63378601795/national-bankruptcy-services-spam
Oct 7, 2013 - "Subjects Seen:
6253-9166
Typical e-mail details:
Please see the attached Iolta report for 6253-9166.
We received a check request in the amount of $19,335.05 for the above referenced file. However, the attached report reflects a $0 balance. At your earliest convenience, please advise how this request is to be funded.
Thanks.
Milton_Forrest *
Accounts Payable
National Bankruptcy Services, LLC

Malicious File Name and MD5:
6253-9166.zip (47E464919165F040B03160BAA38FD5E3)
report_<date>.exe (0798687A993B98EBF5E87A6F78311F32)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/de9cee914246610c515325efaea015fa/tumblr_inline_mub2myCgf21r6pupn.png
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Account Complaint Resolution Document Email Messages - 2013 Oct 07
Fake Payment Receipt Notification Email Messages - 2013 Oct 07
Fake Payment Confirmation Notification Email Messages - 2013 Oct 07
Fake Account Payment Notification Email Messages - 2013 Oct 07
Fake Commissions Invoice Email Messages - 2013 Oct 07
Fake Hotel Reservation Confirmation Email Messages - 2013 Oct 07
Fake Product Order Email Messages - 2013 Oct 07
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 07
Fake Financial Document Email Messages - 2013 Oct 07
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 07
Fake Shipping Notification Email Messages - 2013 Oct 07
Fake Document Attachment Email Messages - 2013 Oct 07
Fake Payment Confirmation Email Messages - 2013 Oct 07
Fake Product Quote Request Email Messages - 2013 Oct 07
Fake Electronic Payment Cancellation Email Messages - 2013 Oct 07
Fake Bank Account Details Inquiry Email Messages - 2013 Oct 07
Fake Personal Picture Sharing Notification Email Messages - 2013 Oct 07
Fake Portuguese Personal Picture Notification Email Messages - 2013 Oct 07
Fake Order Shipment Tracking Information Email Messages - 2013 Oct 07
Fake Business Complaint Notification Email Messages - 2013 Oct 07
(More detail and links at the cisco URL above.)

:mad: :fear:

FYI...

Fake Well Fargo SPAM - malicious attachment / lasub-hasta .com
- http://blog.dynamoo.com/2013/10/fake-well-fargo-spam-comes-with.html
8 Oct 2013 - "This fake Wells Fargo spam is a retread of this one*, but comes with a slightly different attachment:
Date: Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From: "Harry_Buck@ wellsfargo .com" [Harry_Buck@ wellsfargo .com]
Subject: Documents - WellsFargo
Please review attached files.
Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48**. Automated analysis... shows that the malware tries to phones home to lasub-hasta .com on 205.251.152.178 (Global Net Access, US). A quick look at that server shows that it has several hundred sites on, most of which are probably legitimate.. but there is a great deal of suspect activity*** on this server which you might want to take into account if you are thinking of -blocking- this IP."
* http://blog.dynamoo.com/2013/09/wells-fargo-important-documents-spam.html

** https://www.virustotal.com/en-gb/file/eab00b325890f6a92f9e4888b7f394732760d0ccf36095731a1b5764c6fa79d3/analysis/1381222163/

*** https://www.virustotal.com/en-gb/ip-address/205.251.152.178/information/
___

Spoofed APEC 2013 email mixes old threat tricks
- http://blog.trendmicro.com/trendlabs-security-intelligence/spoofed-apec-2013-email-mixes-old-threat-tricks/
Oct 8, 2013 - "... threat actors have found another high-profile political event to leverage their schemes. The APEC 2013 Summit – an annual meeting of 21 Pacific Rim countries – in Indonesia can be the perfect veil for their spoofed emails. The threat arrives as an email purportedly from “Media APEC Summit 2013” containing two attached Excel files. The sender, message and the recipients of the email lead us to believe that this threat is aimed at individuals who would be interested in the summit (both attendees and non-attendees).
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/apec-summit-email.jpg
... the email contains two attachments. Both are disguised as “APEC media list”, however only one of them (APEC Media List 2013 Part 1) was found malicious. The other, non-malicious file serves as a decoy document. Based on our analysis, the malware exploits an old Microsoft Office vulnerability (CVE-2012-0158*), an old vulnerability that was also exploited in other targeted attacks... This malware then triggers a series of multiple malware dropping and connects to various command-and-control (C&C) servers. Once done, the exploit drops and executes the file dw20.t. The said file is a dropper, which drops another file in C:\Program Files\Internet Explorer\netidt.dll. This dropped file also communicates to specific C&C servers and sends/receives encrypted data containing system information and infection status. This allows netidt.dll to download the executable _dwr6093.exe. This malware is another dropper that drops and executes downlink.dll. This final dropper leads to the final payload (netui.dll and detected as BKDR_SEDNIT.SM) and responsible for its automatic execution (by creating autostart registry entries). BKDR_SEDNIT.SM steals information via logging keystrokes and executes commands from its C&C servers. The malicious actors behind this threat can then use the malware to gather exfiltrate important data, leading to serious repercussions to the targeted parties..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013 - "... triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability"..."
___

Fake "Voicemail" SPAM ...
- http://www.threattracksecurity.com/it-blog/kuluoz-voicemail-spam-drops-signed-certificate-winwebsec/
Oct 7, 2013 - "... fake WhatsApp email messages leading to various forms of mobile infection. Over the last day or so, our Labs have noticed a shift into other realms – namely, Fake AV. Whenever we see Kuluoz, it is typically using compromised boxes to host payloads – and those payloads are usually Winwebsec and Medfos. Fake emails are the name of the game, and as you can see the run the full range of wedding invites, airline spam, DHL / Fedex notifications and more besides. In this case, we begin with the now familiar WhatsApp spam email messages:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/winwebsec0.jpg
Instead of links taking end-users to malicious mobile downloads, they’ll be taken to a .biz.ua URL offering up a Kuluoz.B executable file which will download WinWebSec onto the target PC. Winwebsec has been signed by a valid cert, which is increasingly becoming a problem where Malware is concerned. The Winwebsec variant is fairly recent, dating from mid to late August. It downloads Fareit and Ursnif, which are both infostealers (of course, the Fake AV – called Antivirus Security Pro – will try to convince end-users to pay up for non-existent infection removal. It will completely ignore the genuine infections dropped on the PC, but you wouldn’t expect anything less really).
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/winwebsec1.jpg
... At time of writing, Virustotal has the Kuluoz pegged at 16/48... VIPRE Antivirus will find it is detected as Trojan.Win32.Generic.pak!cobra. Fake voicemail messages are a great way for scammers to target individuals and corporations, especially if sent to less technologically inclined victims. Expect the payloads of these spam messages to keep changing, and be very wary of running any executable files sent via email – no matter how tempting the supposed message waiting for you is..."
___

Verizon Wireless Picture Messaging Spam
- http://threattrack.tumblr.com/post/63468757888/verizon-wireless-picture-messaging-spam
Oct 8, 2013 - "Subjects Seen:
No Subject
Typical e-mail details:
This message was sent using the Picture and Video Messaging service from Verizon Wireless!

Malicious File Name and MD5:
<random>Img_Picture.zip (0FF888E38099617CBD03451DA72F5FC4)
<random>Img_Picture.jpeg.exe
(67355A28A8EA584D0A08F17BE10E251E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f33ac38030657107b6232750e43bcf1f/tumblr_inline_mucv43J0sn1r6pupn.png
___

Mileage Reimbursement Form Spam
- http://threattrack.tumblr.com/post/63473640689/mileage-reimbursement-form-spam
Oct 8, 2013 - "Subjects Seen:
Annual Form - Authorization to Use Privately Owned Vehicle on State Business
Typical e-mail details:
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

Malicious File Name and MD5:
Form_<e-mail domain>.zip (00D3C33F37DEE0B3AB933C968BE8043A)
Form_20130810.exe
(6828091CBF4AACEC10195EDBFA804FA7)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/26e9269e0b0f01eb8c891d2c35692e8a/tumblr_inline_mucyp5HE2x1r6pupn.png

:mad: :fear:

FYI...

Fake Business form SPAM / warehousesale .com .my
- http://blog.dynamoo.com/2013/10/annual-form-authorization-to-use.html
9 Oct 2013 - "This oddly-themed spam has a malicious attachment:
Date: Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]
From: Waldo Reeder [Waldo@ victimdomain .com]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.
Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file. Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim.

The is a ZIP file attached which includes the victim's domain name as part of the filename. Inside is an exectuable file with an icon to make it look like a PDF file, and the date is encoded into the filename. VirusTotal detections are not bad at 25/48*. Automated analysis... shows an attempted connection to warehousesale .com .my hosted on 42.1.61.90 (Exa Bytes Network, Malaysia). There are no other sites on that server that I can see and I recommend that you -block- both the IP and domain as a precaution.
Recommended blocklist:
warehousesale .com .my
42.1.61.90"
* https://www.virustotal.com/en-gb/file/2c3c1cbe50fdeecf665faf00cadff094c08f49000c96b57983546c1db197038c/analysis/1381305964/
File name: Form_20130810.exe

- https://www.virustotal.com/en-gb/ip-address/42.1.61.90/information/
___

Fake GMail emails lead to pharmaceutical scams
- http://www.webroot.com/blog/2013/10/09/fake-4-missed-emails-gmail-themed-emails-lead-pharmaceutical-scams/
Oct 9, 2013 - "Pharmaceutical scammers are currently mass mailing tens of thousands of fake emails, impersonating Google’s GMail in an attempt to trick its users into clicking on the links found in the spamvertised emails. Once users click on them, they’re automatically exposed to counterfeit pharmaceutical items, with the scammers behind the campaign attempting to capitalize on the ‘impulsive purchase’ type of social engineering tactic typical for this kind of campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Email_Spam_Spamvertised_Fake_GMail_Pharmaceutical_Scams_01.png
Sample screenshot of the landing pharmacautical scams page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Email_Spam_Spamvertised_Fake_GMail_Pharmaceutical_Scams.png
... Landing URL: shirazrx .com – 85.95.236.188 – Email: ganzhorn@ shirazrx .com ... pharmaceutical scam domains are also known to have responded to the same IP (85.95.236.188)... This isn’t the first, and definitely not the last time pharmaceutical scammers brand-jack reputable brands in order to trick users into clicking on the links found in the fake emails, as we’ve already seen them brand-jack Facebook’s Notification System, YouTube, as well as the non-existent Google Pharmacy. Thanks to the (natural) existence of affiliate networks for pharmaceutical items, we expect that users will continue falling victim to these pseudo-bargain deals, fueling the the growth of the cybercrime economy. Our advice? Never bargain with your health, spot the scam and report it."

- https://www.virustotal.com/en-gb/ip-address/85.95.236.188/information/

:mad: :fear:

FYI...

Malware served up by Bad Bing Ads
- http://www.threattracksecurity.com/it-blog/sirefef-malware-served-bad-bing-ads/
Oct 10, 2013 - "We’re seeing our old friend “rogue ads in Bing” doing the rounds – should you go searching for “Youtube” and click on the rogue ad (in this case, the one in the bottom right hand corner under “Ads related to Youtube”) you’ll be taken to a site which redirects to an exploit.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/bingexploit1.png
The scammers behind this could well be targeting other keywords... The exploit attempts to drop Sirefef, which we’ve seen being used in malicious Bing adverts back in March 2013..."
___

Fake Payroll Intuit email
- http://security.intuit.com/alert.php?a=89
10/10/13 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Dear,
We received your payroll on October 9, 2013 at 4:59 PM .
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
__
This is the end of the fake email.
Steps to Take Now:
Do -not- open the attachment in the email...
Delete the email..."
___

Fake 'Companies House' SPAM
- http://blog.dynamoo.com/2013/10/companies-house-phish.html
10 Oct 2013 - "This fake Companies House spam appears to be some sort of phishing attempt:
Date: Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]
From: Companies House [contact@ companieshouse .co .uk]
Subject: Compulsory Companies House WebFiling Update #90721
Compulsory Companies House WebFiling Update #90721
This is an important notice to inform you as a registered company to update your details.
This will make it easier to update our database and keep records of our company...

Screenshot: https://lh3.ggpht.com/-KaNlD25nUrA/UlambOUdY_I/AAAAAAAACDw/E6Hgxigjzlk/s1600/companies-house-1.png

The link in the email goes to [phish]www.misspanama .net/respaldo/ukcompany/CompaniesHouse.htm which asks only for a Company Name, email address and password.
> https://lh3.ggpht.com/-1wLNfJ2PxG8/Ulanw6MaEJI/AAAAAAAACD8/VSykobTiQn4/s1600/companies-house-2.png
Once the credentials have been harvested, the victim is sent to a genuine Companies House webpage at www.companieshouse .gov .uk/forms/introduction.shtml
> https://lh3.ggpht.com/-5V2piX6jidM/UlaoEJYJiPI/AAAAAAAACEE/M64-umwPBtc/s1600/companies-house-3.png
So, what is being harvested here? There seems to be no malware involved, so perhaps the bad guys are actually trying to hijack company identities for some evil purpose. It turns out that Companies House have a webpage all about this type of threat and recommend that you forward offending emails to phishing@companieshouse .gov .uk. Just remember.. sometimes phishers are after something a lot less obvious than your bank details!"

:mad: :fear:

FYI...

Fake Facebook App - Phishers Use Malware
- http://www.symantec.com/connect/fr/blogs/phishers-use-malware-fake-facebook-app
9 Oct 2013 - "Phishers frequently introduce -bogus- applications to add new flavor into their phishing baits... In this particular scam, phishers were trying to steal login credentials, but their means of data theft wasn’t with the phishing bait alone. Their ploy also used malware for harvesting users’ confidential information. The phishing site spoofed the login page of Facebook and was hosted on a free web hosting site.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/figure1_0.png
The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook. A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site -redirected- to a legitimate Facebook page... If users fell victim to the phishing site by entering their login credentials, the phishers would have successfully stolen their information for identity theft purposes..."
___

Twitter still being used by Hacks...
- http://blog.trendmicro.com/trendlabs-security-intelligence/twitter-still-being-used-by-shady-hackers/
Oct 10, 2013 - "... Twitter said it has 218 million monthly active users, three-quarters of which have accessed the site from a mobile device. It’s not a surprise that some of these users are malicious. What is uncommon is that some of these malicious accounts do try to “engage” with other accounts – even those of security vendors like Trend Micro... Recently, we came across four accounts that added the @TrendLabs Twitter account to various lists. This would not have been unusual, except -all- four accounts were clearly malicious:
Accounts/lists added:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/twitter-list.png
Upon further investigation, these accounts led to more malicious sites offering a variety of hacking tools targeting sites like Facebook and Twitter, as well as a scam site offering free iPhone 5s...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/twitter-tool.jpg
It’s highly likely that these malicious sites are scam sites, offering none of the supposed “tools” that are on offer. Cybercriminals are not below stealing from other would-be online crooks and attackers as well. Unfortunately, this is not the first (or the last) threat that we can encounter on popular social networking sites. Previously, incidents like survey scams, rogue apps, and other threats were frequent, although recent improvements by these sites were able to keep these threats at bay. However, as the popularity of mobile devices grew, cybercrmininals have found a new platform to use in their schemes. Just recently, we found a fake Facebook mobile page* that asks users to disclose credit card details. Cybercriminals may either sell or use these to initiate unauthorized transactions. We advise would-be “curious” users to avoid these sites and profiles completely, and if possible to report these accounts to site administrators (if possible, using the automated block/report features of these services)..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/fake-facebook-mobile-page-steals-credit-card-details/

:mad: :fear::fear:

FYI...

Phish take to the Skies
- http://www.threattracksecurity.com/it-blog/flying-blue-phish-takes-skies/
Oct 14, 2013 - "FlyingBlue, the frequent flyer program of Air France and KLM, are sending emails to members warning of a phishing campaign...
“Some Flying Blue members report receiving an e-mail in which they are advised to secure their “Air France-KLM account” by clicking on a link and logging into the “secured Flying Blue network”. This e-mail was not sent by AIR FRANCE, KLM or Flying Blue. Do not log in using this link. Please make sure that you only log into your Flying Blue account if you are in the trusted Flying Blue environment. If you clicked on a link in the fake Flying Blue e-mail, we advise you to check your account now. If you cannot access your account, please contact the Flying Blue Service Centre.”
You can see what one of the phish pages looked like, courtesy of Urlquery(dot)net*.
“We need to verify your email address to confirm you are the owner of this account. In order to protect your privacy, we will never store your password or send emails without your consent”
It seems likely they were after email accounts at a minimum and email & airmiles accounts at a maximum, with airmiles being particularly useful to scammers the World over. We don’t need to tell you how bad it would be to have your email address compromised (or maybe we do!) but many would overlook the significance of having their airmiles targeted. Whether you collect them for business, pleasure or both you should be cautious of -any- emails asking you to login to confirm details. If in doubt, always type the URL into your browser and visit a site directly rather than click blindly and hope for the best. You can see a little more information about the scam currently in circulation by reading the notice on the Flying Blue homepage**..."
* https://urlquery.net/report.php?id=6411611

** http://www.flyingblue.com/news/1603/warning-beware-of-phishing-attempts-in-fake-flying-blue-e-mails.html

> https://urlquery.net/screenshot.php?id=6411611

- https://www.virustotal.com/en/ip-address/5.9.87.109/information/

- http://google.com/safebrowsing/diagnostic?site=AS:24940
___

Fake T-Mobile themed emails ...
- http://www.webroot.com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typemms-themed-emails-lead-malware/
Oct 14, 2013 - "The cybercriminals behind last week’s profiled fake T-Mobile themed email campaign* have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message. Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e ** ... Trojan.DownLoader9.22851; UDS:DangerousObject.Multi.Generic
Once executed, the sample creates the following Mutexes on the affected hosts:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004 / ShimCacheMutex / 85485515
It then (once again) phones back to networksecurityx.hopto .org. The most recent MD5 (MD5: 014543ee64491bac496fabda3f1c8932***) that has phoned back to the same C&C server (networksecurityx.hopto .org) is also known to have phoned back to dahaka.no-ip .biz (89.136.186.200)..."
* https://www.webroot.com/blog/2013/10/02/t-mobile-mms-message-arrived-themed-emails-lead-malware/

** https://www.virustotal.com/en/file/6769e4686aa701956d90a5e850d1f795a2db5c71f6a94c410d40b6596aee09ad/analysis/

*** https://www.virustotal.com/en/file/556140429ad90142a2f29ffdd63d68378a38f9c7b5dbf74ae3b08c4f825f1f3a/analysis/

:mad: :fear:

FYI...

Fake USPS SPAM / Label_ZFRLOADD5PGGZ0Z_USPS.zip
- http://blog.dynamoo.com/2013/10/usps-spam-labelzfrloadd5pggz0zuspszip.html
15 Oct 2013 - "This fake USPS spam has a malicious attachment:
Date: Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]
From: USPS Express Services [service-notification@ usps .com]
Subject: USPS - Missed package delivery
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPSZFRLOADD5PGGZ0Z
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.

There is an attachment Label_ZFRLOADD5PGGZ0Z_USPS.zip which contains a malicious executable Label_101513_USPS.exe (note the date encoded into the filename). VirusTotal shows just 4/46* vendors detect it at present. Automated analysis... shows an attempted communication with traderstruthrevealed .com on 103.8.27.82 (SKSA Technology, Malaysia). There is also another email using this format with the same payload."
Recommended blocklist:
103.8.27.82
traderstruthrevealed .com"
* https://www.virustotal.com/en-gb/file/b0a7f2a03b6718ed522dc3bc63ee43e31823132ba69ea5e7b62740c7d38d0242/analysis/1381850132/

- https://www.virustotal.com/en-gb/ip-address/103.8.27.82/information/
___

Fake Intuit SPAM / payroll_report_147310431_10112013.zip
- http://blog.dynamoo.com/2013/10/payroll-received-by-intuit-spam.html
15 Oct 2013 - "This fake Intuit spam comes with a malicious attachment:
Date: Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From: Intuit Payroll Services IntuitPayrollServices@ payrollservices.intuit .com]
Subject: Payroll Received by Intuit
Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later. If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later. YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time. Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.
Sincerely, Intuit Payroll Services...

The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note the date is encoded into those files). That executable currently has a detection rate of 9/46* at VirusTotal. Automated analysis shows that it attempt to make a connection to mtfsl .com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server."
* https://www.virustotal.com/en/file/b2b5f9ea3202520e4a1c75b2500dc200cda9158034d83bd98963ac93e4681aff/analysis/1381861232/

- https://www.virustotal.com/en/ip-address/184.22.215.50/information/

:mad: :fear:

FYI...

Fake Pinterest SPAM - alenikaofsa .ru
- http://blog.dynamoo.com/2013/10/your-facebook-friend-andrew-hernandez.html
16 Oct 2013 - "This fake Pinterest spam leads to a malicious download on alenikaofsa .ru:
Date: Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From: Pinterest [pinbot@ pinterest .biz]
Subject: Your Facebook friend Andrew Hernandez joined Pinterest
A Few Updates...
[redacted]
Andrew Hernandez
Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
Visit Profile
Happy pinning! ...

Screenshot: https://lh3.ggpht.com/-1wTZhiRwP5o/Ul7ovSINeHI/AAAAAAAACGY/N8QUzfcsIhw/s1600/pinterest2.png

... The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here*) that attempts to download [donotclick]alenikaofsa .ru:8080/ieupdate.exe which has a VirusTotal detection rate of just 1/48** (only Kaspersky detects it.. again)... alenikaofsa .ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip .ru is also hosted on these IPs. What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.
Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa .ru
alionadorip .ru
Footnote:
The malware page uses a similar script to that used here*** although with the rather cheeky comment
// It's "cool" to let user wait 2 more seconds :/ ..."
* http://urlquery.net/report.php?id=6856407

** https://www.virustotal.com/en/file/807f43d9649976a3ac7bc4b2506947ccedea2235eb80ac69a8246fb2b8c1a1b4/analysis/1381951170/

*** http://blog.dynamoo.com/2013/09/aicpa-spam-children-bicyclenet.html
___

Fake LinkedIn SPAM / Contract_Agreement_whatever.zip
- http://blog.dynamoo.com/2013/10/linkedin-spam-contractagreementwhatever.html
16 Oct 2013 - "This fake LinkedIn spam has a malicious attachment:
Date: Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From: Shelby Gordon [Shelby@ linkedin .com]
Attached is your new contract agreements.
Please read the notes attached, then complete, sign and return this form.
Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@ linkedin .com ...

The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48*. Automated analysis tools... show an attempted connection to miamelectric .com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain."
* https://www.virustotal.com/en/file/67762ad4b6bdf79eb52256e699a1409a1671c4581dcdaea70704c6c485e93797/analysis/1381954740/
___

Fake job offer - Atlantics Post LLC
- http://blog.dynamoo.com/2013/10/atlantics-post-llc-fake-job-offer.html
16 Oct 2013 - "A bit of Money Mule recruiting that isn't really trying very hard..
Date: Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]
From: Atlantics Post [misstates7@ compufort .com]
Subject: Career with Atlantics Post LLC
Atlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for you.
Duties:
Receive packages at workplace (out of home possition);
Transfer the packages to our business partners nationwide;
Keeping accurate records of operations and report them
Requirements:
- Thorough knowledge of quality improvement techniques and experience with process and service delivery improvement.
- Strong ability to analyze, organize and simplify complex processes and data.
- Exceptional attention to detail.
- Considerable experience with data reporting systems.
- Leisure business experience an asset.
- Flexible, adaptable to change, and resourceful in the face of shifting priorities and demands ...
Originating IP is 181.165.70.97 in Argentina. Avoid."

:fear: :mad:

FYI...

Flash exploits, Fake browser updates - Mass iFrame injection campaign...
- http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads-adobe-flash-exploits/
Oct 17, 2013 - "We’ve intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for a successful client-side exploits to take place... a social engineering campaign pushing fake browser updates... iFrame URL: mexstat210 .ru – 88.198.7.48 ... Sample detection rate for the malicious script: MD5: efcaac14b8eea9b3c42deffb42d59ac5 * ... Trojan-Downloader.JS.Expack.sn; Trojan:JS/Iframe.BS ... malicious MD5s are also known to have been hosted on the same IP (88.198.7.48)... Client-side exploits serving URL: urkqpv.chinesenewyeartrendy .biz:39031/57e2a1b744927e0446aef3364b7554d2.html – 198.50.225.114
Domain name reconnaissance: chinesenewyeartrendy .biz - 46.105.166.96 known to have responded to the same IP is also appearancemanager .biz ...
... the iFrame injected/embedded URL includes a secondary iFrame pointing to a, surprise, surprise, Traffic Exchange network. Not surprisingly, we also identified a related threat that is currently using the same infrastructure as the official Web site of the Traffic Exchange.
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Mass_iFrame_Injection_Traffic_EShop_Buy_Purchase_Traffic_Exploits_Malware.png
Secondary iFrame: mxdistant .com – 213.239.231.141 ... Once executed, it phones back to anyplace-gateway .info – 76.72.165.63 – info@remote-control-pc .com... Moreover, updbrowser .com is also directly related to worldtraff .ru, as it used to push fake browser updates**, similar to the MD5s at bank7 .net and ztxserv .biz..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/c15139a1f4faef6bac513dc14875482b892cb27d1d202609fa3bf4a993c3cc75/analysis/

** http://stopmalvertising.com/malware-reports/does-your-browser-really-need-that-critical-update.html

- https://www.virustotal.com/en/ip-address/213.239.231.141/information/

- https://www.virustotal.com/en/ip-address/76.72.165.63/information/

- https://www.virustotal.com/en/ip-address/46.105.166.96/information/

- https://www.virustotal.com/en/ip-address/198.50.225.114/information/

- https://www.virustotal.com/en/ip-address/88.198.7.48/information/
___

Fake Flash update serves multitude of Firefox Extensions
- http://www.threattracksecurity.com/it-blog/fake-flash-update-serves-multitude-firefox-extensions/
Oct 17, 2013 - "“Update your Flash player”, they said:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/fakeflashfirefox1.png
Specifically, “Version 11.9.900.117″ because “if you’re not using the latest version of Flash Player your version may contain vulnerabilities which can be used to attack your computer”. Above, we’re visiting updatedflashplayer(dot)com with Firefox. Running the file will offer up a wide selection of programs that don’t tend to come with what are supposed “security updates”:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/airinstall1.png
“After clicking next you will be presented with several great third party offers that can be skipped by pressing decline”
There’s no update to the latest version of Flash – merely something you can use to watch Flash videos with and a bunch of bundled programs. Here’s a few, starting with Fast Free Converter, an Adware plug-in:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/airinstall4.png
... Below you can see a typical install, with everything loaded up and ready to roll in your Firefox browser:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/installs.jpg
... As for the above “Flash Player update”, you can see some more information about it over on VirusTotal where it is currently pegged at 9/48*..."
* https://www.virustotal.com/en/file/04fbdf8f933ff6b8dd7e2d48df6fde372ce4cdd1b73bb9a44f1c9cd193b050c1/analysis/1381940695/
File name: setup.exe
Detection ratio: 9/48
___

Fake Xerox WorkCentre SPAM / A136_Incoming_Money_Transfer_Form.exe
- http://blog.dynamoo.com/2013/10/scan-from-xerox-workcentre-spam.html
17 Oct 2013 - "The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:
Date: Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From: Incoming Fax [Incoming.Fax3@ victimdomain .com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~9.pdf
multifunction device Location: machine location not set
Device Name: Xerox1552
For more information on Xerox products and solutions, please visit http ://www .xerox .com

Attached is an executable file Scanned from a Xerox multi~6.zip which in turn contains a file A136_Incoming_Money_Transfer_Form.exe which has a VirusTotal detection rate of 6/48*. Automated analysis... shows a connection to cushinc .com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday**, so my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent."
* https://www.virustotal.com/en/file/3555785d71083dd18eee762c1e2f768bfa7d4d91f6d0adbf747021a65da5a62e/analysis/1382037428/

** http://blog.dynamoo.com/2013/10/linkedin-spam-contractagreementwhatever.html

- https://www.virustotal.com/en/ip-address/209.236.71.58/information/

:mad: :fear:

FYI...

Fake MS Update phish ...
- http://blog.dynamoo.com/2013/10/microsoft-windows-update-phish.html
18 Oct 2013 - "A random and untargeted attempt at phishing with a Windows Update twist.
From: Microsoft Office [accounts-updates@ microsoft .com]
Date: 17 October 2013 02:54
Subject: Microsoft Windows Update
Dear Customer,
Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.
Thank you,
Copyright © 2013 Microsoft Inc. All rights reserved.

The email originates from 66.160.250.236 [mail.andrustrucking .com] which is a trucking company called Doug Andrus Distributing... perhaps they have had their email system compromised (maybe by someone using the same phishing technique)... the link in the email goes to a legitimate but -hacked- site and then lands on a phishing page hosted on [donotclick]www.cycook .com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.
Screenshot: https://lh3.ggpht.com/-iRzMFul5GSo/UmEvfhg7xYI/AAAAAAAACG8/Mz1-f0prhmE/s1600/msphish.png
Entering your credentials simply takes you to a genuine Microsoft page:
> https://lh3.ggpht.com/-1sopTIkGh-w/UmEwrqORkiI/AAAAAAAACHI/LDBANi89hG0/s1600/msphish2.png
Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution."

Also see recent post: http://forums.spybot.info/showthread.php?66171-Fake-MS-updates&p=445961&viewfull=1#post445961

... and:
- https://isc.sans.edu/diary.html?storyid=16838
Last Updated: 2013-10-17 22:19:09 UTC
> https://isc.sans.edu/diaryimages/images/microsoft-phish.jpg
___

Rogue ads lead to toolbar PUA (Potentially Unwanted Application)
- http://www.webroot.com/blog/2013/10/18/rogue-ads-lead-mipony-download-accelerator-fun-moods-toolbar-pua-potentially-unwanted-application/
Oct 18, 2013 - "Potentially Unwanted Applications (PUAs) continue to visually social engineer users into installing virtually useless applications. They monetize each and every install by relying on ‘bundling’ which often comes in the form of a privacy-violating toolbar or third-party application. We recently intercepted a rogue ad that entices users into downloading the Mipony Download Accelerator that is bundled with the privacy-invading FunMoods toolbar PUA, an unnecessary bargain with the integrity and confidentiality of your PC.
Sample screenshot of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Download_Accelerator_Mipony_InstallCore_PUA_FunMoods_Toolbar_Potentially_Unwanted_Application.png
Detection rate for the PUA: MD5: 023e625cbb1b30565d46f7533ddc03db * ... W32/InstallCore.R4.gen!Eldorado; Install Core Click run software.
Domain name reconnaissance: ultimatedownloadaccelerator .com – 50.19.220.248; 174.129.22.118; 23.21.144.61; 23.23.144.245
Upon execution, it phones back to:
cdneu.ultimatedownloadaccelerator .com – 65.254.40.36
os-test.ultimatedownloadaccelerator .com – 54.244.230.64
cdnus.ultimatedownloadaccelerator .com – 199.58.87.155
img.ultimatedownloadaccelerator .com – 199.58.87.155...
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Download_Accelerator_Mipony_InstallCore_PUA_FunMoods_Toolbar_Potentially_Unwanted_Application_01.png
Detection rate for the FunMoods Toolbar: MD5: 592f35f9954a7ec4c0b4985857f81ad8 ** Win32/InstallCore; PUP.Optional.Funmoods
Once executed, it phones back to:
os.funmoodscdn .com 54.245.235.34
cdneu.funmoodscdn .com 146.185.27.53
cdnus.funmoodscdn .com 199.58.87.155 ...
Despite the fact that most modern day PUAs include uninstall instructions, our advice is to -not- install them in the first place, instead, seek a legitimate — often free but this time fully featured and working — alternative to their pseudo-unique value propositions..."
* https://www.virustotal.com/en/file/3096843008cc4c9363b1e96ccc4618bfc190455fc9266e1740ee1bad528ec71a/analysis/1381837813/

** https://www.virustotal.com/en/file/be4283edf1d9be7d7ab4e6e57e7c7e8737585be85a62d427f4965e417af3dd14/analysis/1381929038/

- https://www.virustotal.com/en/ip-address/199.58.87.155/information/

- https://www.virustotal.com/en/ip-address/146.185.27.53/information/

- https://www.virustotal.com/en/ip-address/54.245.235.34/information/

- https://www.virustotal.com/en/ip-address/54.244.230.64/information/

- https://www.virustotal.com/en/ip-address/65.254.40.36/information/

- https://www.virustotal.com/en/ip-address/50.19.220.248/information/

- https://www.virustotal.com/en/ip-address/174.129.22.118/information/

- https://www.virustotal.com/en/ip-address/23.21.144.61/information/

- https://www.virustotal.com/en/ip-address/23.23.144.245/information/
___

Fake Avaya "Voice Mail Message" SPAM - malicious payload
- http://blog.dynamoo.com/2013/10/avaya-voice-mail-message-spam-with.html
18 Oct 2013 - "This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):
Date: Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From: Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]
Subject: Voice Mail Message ( 45 seconds )
This voice message was created by Avaya Modular Messaging. To listen to this voice
message,just open it.

Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick can work if users have decided to hide the extensions of files in Windows, a stupid default setting that has no doubt infected millions of Windows users over the years.
Screenshot: https://lh3.ggpht.com/-S_u-eR8Vy9I/UmFlmRsohDI/AAAAAAAACHY/9ymnNl5QrZg/s1600/voicemessage.png
Of course, the .exe file is malware with a pretty low detection rate of just 3/48* at VirusTotal. Automated analysis... shows a connection to a domain called adamdevarney .com on 209.236.71.58 (Westhost, US) which has been seen twice before**. This means that there are potentially hundreds of compromised domains on the same server, blocking traffic to the IP address will be the most effective way of giving yourself some protection."
* https://www.virustotal.com/en/file/8a9656fec2d39d44e8656b961d568350df042fdded242d31c2af08b673301abb/analysis/1382114301/
File name: VoiceMessageTT.exe
Detection ratio: 3/48

** http://blog.dynamoo.com/2013/10/scan-from-xerox-workcentre-spam.html

** http://blog.dynamoo.com/2013/10/linkedin-spam-contractagreementwhatever.html

- https://www.virustotal.com/en/ip-address/209.236.71.58/information/
___

Fake Dropbox SPAM - dynamooblog .ru
- http://blog.dynamoo.com/2013/10/dropbox-spam-leads-to-malware-on-errr.html
18 Oct 2013 - "Two days ago I wrote about the apparent return of the RU:8080.. it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog .ru... this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run*.
Screenshot: https://lh3.ggpht.com/-E-4Jwel4IN8/UmGl0a0kqII/AAAAAAAACHs/hgBHVc4h6yg/s1600/dropbox2.png
The attack and payload is exactly the same as this one**, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48***. The domain dynamooblog .ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time... this is my recommended blocklist:
dynamooblog .ru, 12.46.52.147, 41.203.18.120, 62.76.42.58, 69.46.253.241, 70.159.17.146, 91.205.17.80, 94.102.14.239, 111.68.229.205, 114.32.54.164, 118.163.216.107, 140.174.98.150, 163.18.62.51, 182.237.17.180, 202.6.120.103, 203.80.16.81, 203.114.112.156, 210.56.23.100, 210.166.209.15, 212.154.192.122, 213.5.182.144, 213.143.121.133, 213.214.74.5 "
* http://blog.dynamoo.com/2013/10/fake-dropbox-spam-leads-to-malware-on.html

** http://blog.dynamoo.com/2013/10/your-facebook-friend-andrew-hernandez.html

*** https://www.virustotal.com/en/file/807f43d9649976a3ac7bc4b2506947ccedea2235eb80ac69a8246fb2b8c1a1b4/analysis/1382130555/
File name: ieupdate.exe
Detection ratio: 29/48

:mad: :fear:

FYI...

Fake billing SPAM - Remit_10212013.exe
- http://blog.dynamoo.com/2013/10/last-month-remit-spam-remit10212013.html
21 Oct 2013 - "This -bogus- remittance spam comes with a malicious attachment:
Date: Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From: Administrator [docs9@ victimdomain]
Subject: FW: Last Month Remit
File Validity: 21/10/2013
Company : http ://[victimdomain
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls ...

Screenshot: https://lh3.ggpht.com/-9V_pNykJ8sY/UmU-MFH_t5I/AAAAAAAACIA/tsWBG4K21o4/s1600/remit.png

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victims domain in the format Remit_domain.tld.zip which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file, in this case it is called Remit_10212013.exe but note that the date is encoded into the filename. The malicious payload has a very low detection rate at VirusTotal of just 2/47*. Automated analysis tools... show an attempted connection to p3-sports .com on 192.232.198.101 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. Also, the malware appears to try to connect to the following IPs** demonstrating a peer-to-peer capability."
* https://www.virustotal.com/en-gb/file/ba281955fe4332c18f4a5981160cca4973edbfde28c14a7b54e7b2d8dbbcb5fc/analysis/1382365823/

** https://malwr.com/analysis/YzVmYzljOTQwYTdjNDI0OWI3OWYxNGVhNzQzMzBiYzQ/

:fear: :mad:

FYI...

Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
- http://www.webroot.com/blog/2013/10/22/rogue-ads-lead-ezdownloaderpro-pua-potentially-unwanted-application/
Oct 22, 2013 - "We’ve just intercepted yet another rogue ad campaign, attempting to trick users into installing the EzDownloaderpro PUA (Potentially Unwanted Application). Primarily relying on catchy “Play Now, Download Now” banners, the visual social engineering tactic of this campaign is similar to other PUA related campaigns we’ve previously profiled...
Sample screenshot of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/EzDownloadpro_PUA_Potentially_Unwanted_Application_Rogue_Ad_Privacy-1024x490.png
Landing URL: lp.ezdownloadpro .info/sspcQA/ssa/ – 46.165.228.246
Domain name reconnaissance of the redirectors:
superfilesdocumentsy .asia/v944/?a=1 – 141.101.117.252; 141.101.116.252
applicationscenterforally .asia/v944/?INm – 108.162.197.34; 108.162.196.34
op.applicationscenterforally .asia/sspcQA/ssa/ ...
The following MD5 is also known to have been downloaded from the same IP (108.162.197.34):
MD5: bc44e23e46fa4c3e73413c130d4f2018 *
Detection rate for the sample ‘pushed’ by the rogue Download page: MD5: e8c9c2db3514f375f74b60cb9dfcd4ef ** PUP.Optional.InstalleRex; Installerex/WebPick (fs)
Once executed, the sample phones back to:
r1.stylezip .info – 198.7.61.118
c1.stylezip .info – 198.7.61.118
i1.stylezip .info – 198.7.61.118
... Detection rate for the original EzDownloadpro executable: MD5: 292b53b745e3fc4af79924a3c11fcff0 *** Win32:InstalleRex-U [PUP]; MalSign.Skodna.Pick; PUP.Optional.EZDownloader.A
Sample screenshot of EzDownloadpro’s official Web site:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/EzDownloadpro_PUA_Potentially_Unwanted_Application_Rogue_Ad_Privacy_01.png
Unique PUA MD5s served based on multiple requests to the same URL (applicationscenterforally .asia/v944/?INm)..."
(More detail at the webroot URL.)

* https://www.virustotal.com/en/file/9b5d1ddabc8d19246443e5afd73e95a9c34d3ffadb1f55d624488ba5bcb18cdc/analysis/

** https://www.virustotal.com/en/file/66f660ef7c260b1a9da9be0466882043efc01b86de44a6baf849e49c66893237/analysis/1381845366/

*** https://www.virustotal.com/en/file/be42dcbc7c8bad64854a93ba9b853c6492a6405ab0324fd42429908d09fc9589/analysis/

- https://www.virustotal.com/en/ip-address/46.165.228.246/information/

- https://www.virustotal.com/en/ip-address/141.101.116.252/information/

- https://www.virustotal.com/en/ip-address/141.101.117.252/information/

- https://www.virustotal.com/en/ip-address/108.162.196.34/information/

- https://www.virustotal.com/en/ip-address/108.162.197.34/information/

- https://www.virustotal.com/en/ip-address/198.7.61.118/information/
___

Fake ADP SPAM / abrakandabr .ru
- http://blog.dynamoo.com/2013/10/adp-spam-abrakandabrru.html
22 Oct 2013 - "This fake ADP spam leads to malware on abrakandabr .ru:
From: ClientService@ adp .com [ClientService@ adp .com]
Date: 22 October 2013 18:04
Subject: ADP RUN: Account Charge Alert
ADP Urgent Communication
Note ID: 33400
October, 22 2013
Valued ADP Partner
Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:
Sign In here
Please see the following notes:
• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s)...

Screenshot: https://lh3.ggpht.com/-kuQevnVKmHA/Uma1nwWs78I/AAAAAAAACIU/rRK4oYQnzDU/s1600/adp-spam3.png

The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr .ru:8080/adp.report.php (if running Windows, else they get sent to adp .com). This is hosted on quite a lot of IP addresses:
69.46.253.241 (RapidDSL & Wireless, US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
163.18.62.51 (TANET, Taiwan)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156(PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.214.74.5 (BBC Cable, Bulgaria)
As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody -pretending- to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any news ones.
Recommended blocklist:
69.46.253.241
91.205.17.80
111.68.229.205
114.32.54.164
118.163.216.107
163.18.62.51
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.214.74.5
abrakandabr .ru
dynamooblog .ru
inkrediblehalk .ru
intro2seo .ru
hankoksuper .ru "

- http://threattrack.tumblr.com/post/64787914171/adp-invoice-spam
Oct 22, 2013 - "Subjects Seen:
Payroll Invoice
Typical e-mail details:
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Year: 13
Week No: 08
Payroll No: 1

Malicious File Name and MD5:
invoice.zip (5B9EABC34B1A326F6491613E9FD6AAFD)
invoice_<random>.pdf.exe
(12C700409E6DB4A6E043BD3BBD3A1A21)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c50b35a4e0ca49843f16c4932723d3d0/tumblr_inline_mv30siC2sP1r6pupn.png
___

Fake Xerox WorkCentre emails lead to malware
- http://www.webroot.com/blog/2013/10/22/fake-scanned-image-xerox-workcentre-themed-emails-lead-malware/
Oct 22, 2013 - "We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host.
Sample screenshots of the spamvertised malicious email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Email_Spam_Malicious_Fake_Social_Engineering_Malware_Malicious_Software_Xerox_WorkCentre_Pro.png
Detection rate for the malicious attachment: MD5: 1a339ecfac8d2446e2f9c7e7ff639c56 * ... TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89... phones back to:
smclan .com – 209.236.71.58 ... malicious domains are also currently responding to the same IP ..."
* https://www.virustotal.com/en/file/b1769b5b65c3c93c1fd6f17380dc23678af1033ed2b51a6d876bdc9867d279f0/analysis/

- https://www.virustotal.com/en/ip-address/209.236.71.58/information/

:mad: :mad:

FYI...

Fake Voice msg. SPAM / VoiceMessage .exe
- http://blog.dynamoo.com/2013/10/voice-message-from-unknown-spam.html
23 Oct 2013 - "These bogus voice message spams have a malicious attachment:
Date: Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From: Administrator [voice8@ victimdomain]
Subject: Voice Message from Unknown (553-843-8846)
- - -Original Message- - -
From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee
- -
Date: Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From: Administrator [voice3@ victimdomain]
Subject: Voice Message from Unknown (586-898-9333)
- - -Original Message- - -
From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject: Employees Only ...

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.
> https://lh3.ggpht.com/-xjhFKIS98do/UmfX0oudikI/AAAAAAAACIk/HP043i6x5_Q/s1600/voicemessage.png
Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46*. Automated analysis... shows an attempted connection to glyphs-design .com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent, however there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block it."
* https://www.virustotal.com/en-gb/file/4d1f10d965fb352617ed1e33491f74d2519304bbc97916e18a014d4481c29f65/analysis/1382536265/
File name: VoiceMessage.exe
Detection ratio: 5/47

- https://www.virustotal.com/en-gb/ip-address/212.199.115.173/information/

- http://threattrack.tumblr.com/post/64865370226/voice-message-spam
Oct 23, 2013 - "Subjects Seen:
Voice Message from Unknown (389-353-7349)
Typical e-mail details:
- - -Original Message- - -
From: 389-353-7349
Sent: Wed, 23 Oct 2013 08:52:48 -0500
To: <e-mail addresses>
Subject: Important: to all Employees

Malicious File Name and MD5:
VoiceMessage.zip (D33AF1A7B51CFA41EAAB6292E0F6EBBE)
VoiceMessage.exe
(535109E4902D32BB6F11F7235FCEC6C4)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c93f93751266d3c4f4d55cdb835be450/tumblr_inline_mv4kshNZfU1r6pupn.png

:fear: :sad: :mad:

FYI...

Fake resume SPAM / Resume_LinkedIn.exe
- http://blog.dynamoo.com/2013/10/my-resume-spam-resumelinkedinexe.html
24 Oct 2013 - "This rather terse spam email message has a malicious attachment:
Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From: Elijah Parr [Elijah.Parr@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Elijah Parr
------------------------
Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From: Greg Barnes [Greg.Barnes@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Greg Barnes

The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable. VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools... show an attempted connection to homevisitor .co .uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1]* [2]**."
* https://www.virustotal.com/en-gb/ip-address/64.50.166.122/information/

** http://urlquery.net/search.php?q=64.50.166.122&type=string&start=2013-10-09&end=2013-10-24&max=50

- http://threattrack.tumblr.com/post/64955364250/linkedin-resume-spam
Oct 24, 2013 - "Subjects Seen:
My resume
Typical e-mail details:
Attached is my resume, let me know if its ok.
Thanks,
Mike Whalen

Malicious File Name and MD5:
Resume_LinkedIn.zip (AF04ED38D97867F8E773B6AFC14ED9F0)
Resume_LinkedIn.exe
(62F4A3DFE059E9030E2450D608C82899)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/241debf2f886a3945d47d6bc1e3e3347/tumblr_inline_mv6facqrta1r6pupn.png
___

Fake Company Reports emails lead to malware ...
- http://www.webroot.com/blog/2013/10/24/fake-important-company-reports-themed-emails-lead-malware/
Oct 24, 2013 - "A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality through, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it a variety of fraudulent ways.
Sample screenshots of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Fake_Malicious_Rogue_Email_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineering_Botnet_Company_Reports.png
Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 * ... Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH ... The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to... C&C servers (-many- listed at the webroot URL above)... MD5s are known to have phoned back to the same IP (38.102.226.14)... MD5s known to have phoned back to the same C&C servers over the last couple of days..."
* https://www.virustotal.com/en/file/7ae17affe0c3c2bf997405e96e7cc2d42363bc7e945633cdc2be9d0cd169360f/analysis/
File name: Company_Report_10222013.exe
Detection ratio: 28/44

- https://www.virustotal.com/en/ip-address/38.102.226.14/information/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Faxed Document Delivery Email Messages - 2013 Oct 24
Fake Payroll Report Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake UPS Payment Document Attachment Email Messages - 2013 Oct 24
Fake Financial Account Statement Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 24
Fake Invoice Statement Attachment Email Messages - 2013 Oct 24
Fake Payroll Invoice Notification Email Messages - 2013 Oct 24
Fake Product Purchase Order Email Messages - 2013 Oct 24
Fake Payment Confirmation Notification Email Messages - 2013 Oct 24
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 24
Fake Resume Delivery Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Product Quote Request Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Money Transfer Notification Email Messages - 2013 Oct 23
Fake Xerox Scanned Attachment Email Messages - 2013 Oct 23
(More detail and links at the cisco URL above.)

:mad: :fear:

FYI...

Survey Scams - Halloween freebies ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/halloween-freebies-lead-to-ghastly-survey-scams/
Oct 24, 2013 - "... scams we saw used free Halloween products as bait. Searching for the phrase “Halloween GET FREE” leads to a suspicious YouTube video:
Suspicious YouTube video
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube1.jpg
The URL advertised on the video’s page leads users to a scam site that asks for your personal information, including your email address.
Survey site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube2.jpg
Survey scam
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube3.jpg
Using similar keywords on Twitter yielded two suspicious accounts. Each account had a Halloween-themed Twitter handle, perhaps to entice users into checking out the accounts.
Two suspicious Twitter accounts
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-twitter11.jpg
Each account advertises free Halloween candy with a corresponding URL to get the said candy. The advertised website leads users to survey scams, rather than candy. Facebook also became home to a Halloween-themed survey scam. We spotted a Facebook page that advertises free Halloween candy, like the scam on Twitter. To get the candy, users are supposed to click a link on the page.
Website advertising free candy
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-facebook1.jpg
But much like the other scams, this simply leads to a survey site. It’s interesting to note that users are directed to the page used in the YouTube scam mentioned earlier. To further entice users, the site promises Apple products in exchange for finishing the survey.
Apple products as “reward” for completed surveys
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-facebook3.jpg
It might be tempting to get free stuff online, but users should always be cautious when encountering these types of promos or deals. Cybercriminals are willing to promise anything and everything just to get what they want. When encountering deals that are too good to be true, users should err on the side of caution and assume that they are..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/tricks-and-threats-infographic/
"... Oct 29, 2011... filed under Bad Sites"
___

Fake Lloyds SPAM - Lloyds TSB msg...
- http://blog.dynamoo.com/2013/10/you-have-received-new-debit-lloyds-tsb.html
25 Oct 2013 - "This fake Lloyds TSB message has a malicious attachment:
Date: Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From: LloydsTSB [noreply@ lloydstsb .co .uk]
Subject: You have received a new debit
Priority: High Priority 1 (High)
This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
The details of the payment are attached...

Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't. The VirusTotal detection rate is a so-so 13/47*. Automated analysis... shows an attempted connection to www .baufie .com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box."
* https://www.virustotal.com/en-gb/file/27dd3808d50bc690e155b2687fe0e67083882f1d9493437343e27255ccd95ad4/analysis/1382702941/

- https://www.virustotal.com/en/ip-address/173.203.199.241/information/

:mad: :fear::fear:

FYI...

Fake "You're a Mercedes-Benz winner!" SPAM
- http://blog.dynamoo.com/2013/10/you-are-mercedes-benz-winner-spam.html
27 Oct 2013 - "This is a slightly novel twist on an advanced fee fraud scam:
From: Mercedes-Benz [desk_notification@ yahoo .com]
Reply-To: bmlot20137@ live .com
Date: 27 October 2013 13:44
Subject: You are a Mercedes-Benz winner !!!
Dear Recipient,
You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner...
Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.
Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator

The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq). You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise."
Labels: 419, Advanced Fee Fraud, Scam, Spam

:fear: :mad:

FYI...

Fake WhatsApp Voice msg. emails lead to malware
- http://www.webroot.com/blog/2013/10/28/fake-whatsapp-voice-message-notification1-new-voicemail-themed-emails-lead-malware-2/
Oct 28, 2013 - "... The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/WhatsApp_Email_Spam_Malware_Malicious_Software_Social_Engineering_Cybercrime.png
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 * ... Trojan.Win32.Sharik.qhd
... attempts to download additional malware from the well known C&C server at networksecurityx.hopto .org ..."
* https://www.virustotal.com/en/file/ad4b4fc2cf32922405fe7cd8eb252aa22607004b5c70ac5c8109ef314ad36964/analysis/
___

Fake AMEX "Fraud Alert" SPAM / steelhorsecomputers .net
- http://blog.dynamoo.com/2013/10/american-express-fraud-alert-spam.html
28 Oct 2013 - "This fake Amex spam leads to malware on steelhorsecomputers .net:
From: American Express [fraud@ aexp .com]
Date: 28 October 2013 14:14
Subject: Fraud Alert : Irregular Card Activity
Irregular Card Activity
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 28th October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
https ://www .americanexpress .com/
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.
© 2013 American Express Company. All rights reserved.
AMEX Fraud Department

Screenshot: https://lh3.ggpht.com/-NyKdfJqQV8A/Um6McGvcPyI/AAAAAAAACLU/volqQqZZQw8/s1600/amex.png

The link in the email goes through a legitimate but -hacked- site and then runs of of the following three scripts:
[donotclick]kaindustries .comcastbiz .net/imaginable/emulsion.js
[donotclick]naturesfinest .eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse .com/handmade/analects.js
From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers .net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too..."
Recommended blocklist:
96.126.102.8
8353333 .com ..."

- https://www.virustotal.com/en/ip-address/96.126.102.8/information/
___

Past Due Invoice Spam
- http://threattrack.tumblr.com/post/65351182223/past-due-invoice-spam
Oct 28, 2013 - "Subjects Seen:
Past Due Invoice
Typical e-mail details:
Your invoice is attached. Please remit payment at your earliest convenience.

Malicious File Name and MD5:
invoice_95836_10282013.zip (7CDBF5827161838D7C5BD0E5B98E01C1)
invoice_95836_10282013.exe (C277EA5A86F25AC0B704CAF5832FC614)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ac231f1d8cd70361a9f185642dd14d83/tumblr_inline_mve559X8gD1r6pupn.png

:mad: :fear:

FYI...

Fake Wells Fargo SPAM / Copy_10292013.zip
- http://blog.dynamoo.com/2013/10/wells-fargo-check-copy-spam.html
29 Oct 2013 - "These fake Wells Fargo spam messages have a malicious attachment:
Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From: Wells Fargo [Emilio.Hendrix@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
--------------------
Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From: Wells Fargo [Leroy.Dale@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...

Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary. The VirusTotal detection rate is just 3/47*. Automated analysis... shows an attempted connection to allisontravels .com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these."
* https://www.virustotal.com/en-gb/file/f6a99470d5cddbec1efa7457cce598db675557f298bae2929149fa2aa3cbe8aa/analysis/1383058267/

- http://threattrack.tumblr.com/post/65435227304/wells-fargo-check-copy-spam
Oct 29, 2013 - "Subjects Seen:
FW: Check copy
Typical e-mail details:
We had problems processing your latest check, attached is a image copy...

Malicious File Name and MD5:
Copy_10292013.zip (E0D3B0A7BCCDD0AA79A1F81C79A83784)
Copy_10292013.exe (93CCC1B516EFC3365CECED8AE0B57EE2)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/60378ab4d687528636cb0339a170c768/tumblr_inline_mvfr56kFaj1r6pupn.png
___

Something evil on 82.211.31.147
- http://blog.dynamoo.com/2013/10/something-evil-on-8221131147.html
29 Oct 2013 - "Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2]... domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself."
(Long list at the dynamoo URL above.)
1) http://urlquery.net/search.php?q=82.211.31.147&type=string&start=2013-10-14&end=2013-10-29&max=50

2) https://www.virustotal.com/en-gb/ip-address/82.211.31.147/information/
___

CookieBomb toolkit ...
- http://community.websense.com/blogs/securitylabs/archive/2013/10/29/evolution-of-the-cookiebomb-toolkit.aspx
Oct 29, 2013 - "... source of this message is a spambot or script. When looked over with an experienced eye, it becomes apparent this email may just have come from the Kelihos botnet...
46.180.44.231
46.185.22.123
109.162.98.248
Malware evolution is not new: indeed, since the days of Dark Avenger’s polymorphic engine, the Mutation Engine (MtE), obfuscation and evasion have been commonplace within most, if not all malware families... in as little as 6 months, a simple tool for delivering Exploit Kits to end users has not only had its code radically altered, but has split into two distinct campaigns. One campaign is as mentioned above, infecting legitimate hosts via the exploitation of vulnerabilities; the other... piggybacking on the Kelihos Botnet, which is an incredibly sophisticated and effective spam platform, as a means of exposing end users to EKs via blatantly malicious domains. Whether this tool was exclusively rented by/to the BHEK team, or whether in fact it was coded by them, remains to be seen."
- https://www.virustotal.com/en/ip-address/46.180.44.231/information/

- https://www.virustotal.com/en/ip-address/109.162.98.248/information/
___

Suspect network: 69.26.171.176/28
- http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html
29 Oct 2013 - "69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.
%rwhois V-1.5:0000a0:00 rwhois.xeex .com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@ xeex .com
network:class-name:network

There are three very recent Malwr reports involving sites in this range:
69.26.171.179 - bookmarkingbeast .com
- https://malwr.com/analysis/MDMwMGY2ZWU0YTAxNGI3ZWI4NmNlNjAyYmFjMWRhMTU/
69.26.171.181 - allisontravels .com
- https://malwr.com/analysis/ZWE1NDQ0MTI3OTU2NDZjM2I1YWEyYWJhNDNlZjVjMzA/
69.26.171.182 - robotvacuumhut .com
- https://malwr.com/analysis/MDVlNjJkNDhjYzYyNDc0NDliZTZmNDY5ODRiNWVhM2I/
As a precaution, I would recommend temporarily blocking the whole range... other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection..."
(More domains listed at the dynamoo URL above.)

:mad: :fear::sad:

FYI...

Fake eFax message SPAM / bulkbacklinks .com and Xeex .com
- http://blog.dynamoo.com/2013/10/corporate-efax-message-spam.html
30 Oct 2013 - "... do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.
Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From: eFax Corporate [message@ inbound . efax.com]
Subject: Corporate eFax message from "673-776-6455" - 2 pages
Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service..
-----------------------
Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From: eFax Corporate [message@ inbound .efax.com]
Subject: Corporate eFax message from "877-579-4466" - 5 pages
Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service...

Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file. This has a very low detection rate at VirusTotal of just 1/46*. Automated analysis tools... show an attempted connection to a domain bulkbacklinks .com on 69.26.171.187. This is part of the same compromised Xeex address range... Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list**."
* https://www.virustotal.com/en-gb/file/d50c068a3e2ea94e93ee282a8d13f26218cecf75d6f7929567e5882f24a77df4/analysis/1383148137/

** http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html
___

Something evil on 144.76.207.224/28
- http://blog.dynamoo.com/2013/10/something-evil-on-1447620722428.html
30 Oct 2013 - "The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report*)... This is a Hetzner IP range... Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious (Long list - see the dynamoo URL above)... I would recommend blocking all those domains plus the 144.76.207.224/28 range. Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges (Also listed at the dynamoo URL above)..."
* http://urlquery.net/report.php?id=7281185

:mad: :fear::fear:

FYI...

Rogue Ads in Yahoo lead to Sirefef Infection
- http://www.threattracksecurity.com/it-blog/rogue-ads-yahoo-lead-sirefef-infection/
Oct 30, 2013 - "Our researchers in the AV Labs are continuing to see fake software being served on unfamiliar sponsored links or ads found in search results. Recently, we found an ad for a fake browser on Yahoo! after doing a search for “google chrome browser”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/yahoo-search-ad.png
Clicking the first ad we highlighted above leads users to the website, softpack(dot)info/chrome/:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/fake-chrome-page.png
Below this page are texts that read as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/lower-section-wm.png
... In case you’re not familiar, rogue sites like this usually serve free-to-download software that are modified to install adware. In this case, Google_Chrome_30.0.1599.69.exe, the -fake- browser file, is wholly malicious and belongs to the Sirefef/ZeroAccess malware family. We were able to retrieve two variants of this file...
MD5 9111ebfbf015c3096f650060819f744b – detected as Trojan.Win32.Generic!SB.0 (15/47*)
MD5 60a0e64fec6b5e509b666902e72833ea – detected as Trojan.Win32.Generic.pak!cobra (7/47**)
... We fed the files into our sandbox and found that -both- variants -disable- Windows security features and prevent the OS from updating automatically. Infected systems, especially those that run outdated software and have no added security software in place, face the risk of further infection from other malware. Users are advised to be careful in clicking ads for free software. It is still safer for you... to visit -official- pages of the software you wish to download and install onto your system. You may also consider installing AdBlock Plus*, a software that can be installed in the browser to prevent ads from appearing on sites while you surf..."
* https://www.virustotal.com/en/file/fd5cdc89d535857bfab3facdded568dbf229527298bcc981c595958fa1755c02/analysis/1383072130/

** https://www.virustotal.com/en/file/cd42a909b54651dd77b655b6dd170105138b8f47c9f7be4118476312c030ffbd/analysis/

*** https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:mad: :fear::fear:

FYI...

Fake Snapchat install leads to Adware
- http://www.threattracksecurity.com/it-blog/fake-snapchat-install-leads-adware/
Nov 1. 2013 - "Our Labs recently identified numerous files claiming to be Snapchat.exe, which is a popular photo messaging application. These files were most assuredly not Snapchat, so we were curious to find out what was going on. As it turns out, a quick search in Bing brings forth answers:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchat-optimum-ad.png
The very first entry under the search is an ad, leading to videonechat(dot)com.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchatdorgem.jpg
The website simultaneously talks about installing Snapchat, while listing the program as “Dorgem” in small letters in the grey box on the top right hand side. At this point, you might want to take a wild guess as to whether you’re going to end up with Snapchat, a hugely popular and current application, or a now discontinued webcam capture program called -Dorgem- which has been bundled with programs you likely don’t need... The install offers up a number of ad serving programs, media players and additional software offered up with no relation to Snapchat whatsoever. During testing, we saw Realplayer, GreatArcadeHits, Optimizer Pro, Scorpion Saver and Word Overview...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/adknowledge-snap-7.png
Legitimate programs being bundled with Adware is a common enough tactic, but this is an Optimum Installer bundle where a website serves as clickbait for a deliberately misrepresented app – you most definitely do not get what you’re promised in return for installing numerous pieces of ad-serving software. Don’t fall for this one. VirusTotal pegs this one at 6/47*..."
* https://www.virustotal.com/en/file/310c015702cf679740dcc1bb10250f8f13f63322de944ce42d84e0d30f51433a/analysis/1383232536/
___

Email Quota Limit Credentials Phish
- http://threattrack.tumblr.com/post/65699040166/email-quota-limit-credentials-phish
Nov 1, 2013 - "Subjects Seen:
Email Quota Limit
Typical e-mail details:
Your mailbox has exceeded the storage limit, you may not be able to send or receive new mail until you re-validate your mailbox mail with the link below.
System Administrator

Malicious URLs
suppereasy.jimdo .com

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/eb3e9ebbb3d6d5a3dceb6decc215f8d4/tumblr_inline_mvldpyDIa01r6pupn.png

:mad: :fear:

FYI...

Ads lead to SpyAlertApp PUA ...
- http://www.webroot.com/blog/2013/11/01/deceptive-ads-lead-spyalertapp-pua-potentially-unwanted-application/
Nov 1, 2013 - "... They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs...
Sample screenshots of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/SpyAlertApp_Search_Donkey_PUA_Potentially_Unwanted_Application-896x1024.png
Landing URL: spyalertapp .com
Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 * ... Win32/ExFriendAlert.B; SearchDonkey (fs)
Once executed, it phones back to 66.135.34.182 and 66.135.34.181 ... PUA MD5s are known to have phoned back to these IPs... Want to known who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam**, a try."
* https://www.virustotal.com/en/file/555f41fef52b8749af0d9c8800a42d4527060ece923eb08bb5a53befe44649ab/analysis/1382979505/

** http://www.mozilla.org/en-US/lightbeam/

- https://www.virustotal.com/en/ip-address/66.135.34.181/information/

- https://www.virustotal.com/en/ip-address/66.135.34.182/information/

:mad: :fear:

FYI...

Fake SAGE SPAM / Payroll_Report-PaymentOverdue.exe
- http://blog.dynamoo.com/2013/11/payment-overdue-please-respond-spam.html
4 Nov 2013 - "This -fake- SAGE spam has a malicious attachment:
Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From: Payroll Reports [payroll@sage .co .uk]
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Bernice Swanson
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...

Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with a icon that makes it look like an Excel spreadsheet. This malware has a VirusTotal detection rate of just 4/47*, and automated analysis tools... shows an attempted connect to goyhenetche .com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones** too."
* https://www.virustotal.com/en-gb/file/9dfa58c9ec7e5978706cbba73dfbbd9828aa7caf67274688c315b0a64b97d815/analysis/1383579237/

** https://www.virustotal.com/en-gb/ip-address/184.154.15.188/information/

Diagnostic page for AS32475 (SINGLEHOP-INC)
- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-11-04, and the last time suspicious content was found was on 2013-11-04... we found 73 site(s) on this network... that appeared to function as intermediaries for the infection of 371 other site(s)... We found 147 site(s)... that infected 543 other site(s)..."

- http://threattrack.tumblr.com/post/66000322286/sage-payroll-overdue-payment-spam
Nov 4, 2013 - "Subjects Seen:
Payment Overdue - Please respond
Typical e-mail details:
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Shelby Lloyd

Malicious File Name and MD5:
PaymentOverdue.zip (AF69AE41F500EBCE3A044A1FC8FF8701)
Payroll_Report-PaymentOverdue.exe (32B2481F9EF7F58D3EF3640ECFC64B19)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/35a3c83b4732e7e1e4b26248d702e85c/tumblr_inline_mvqx1rPlId1r6pupn.png
___

Ring Central Fax Spam
- http://threattrack.tumblr.com/post/66001198347/ring-central-fax-spam
Nov 4, 2013 - "Subjects Seen:
New Fax Message on 11/04/2013
Typical e-mail details:
To view this message, please open the attachment
Thank you for using RingCentral.

Malicious File Name and MD5:
<random #s>.pdf.exe (FE52EE7811D93A3E941C0A15126152AC)
<random #s>.zip (8728BBFD1ABAC087211D55BB53991017)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1d1bf6b80679780a97c58e296d1f19a0/tumblr_inline_mvqxpmLMDn1r6pupn.png

:fear::fear: :mad:

FYI...

Fake ACH SPAM / ACAS1104201336289204PARA7747.zip
- http://blog.dynamoo.com/2013/11/ach-notification-ach-process-end-of-day.html
5 Nov 2013 - "This fake ACH (or is it Paychex?) email has a malicious attachment:
Date: Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From: "Paychex, Inc" [paychexemail@ paychex .com]
Subject: ACH Notification : ACH Process End of Day Report
Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@ paychex .com during regular business hours.
Thank you for your cooperation.

Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46*. Automated analysis... shows an attempted connection to slowdating .ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised. The malware drops several files..."
* https://www.virustotal.com/en-gb/file/20513b4d72843de749e677310f75288e91265be57ec5381ad87eb190e1cf22bd/analysis/1383665169/

- https://www.virustotal.com/en/ip-address/69.64.39.215/information/
___

Fake USPS SPAM / Label_442493822628.zip
- http://blog.dynamoo.com/2013/11/usps-spam-label442493822628zip.html
5 Nov 2013 - "This -fake- USPS spam has a malicious attachment:
Date: Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From: USPS Express Services [service-notification@ usps .gov]
Subject: USPS - Missed package delivery
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: 442493822628
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services...

The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46*. Automated analysis... shows an attempted connection to sellmakers .com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised."
* https://www.virustotal.com/en-gb/file/40260e01b9ed71d41c651209f74a08f77a7dcb65423dfa6bff94dd8c0348d5af/analysis/1383666106/

- https://www.virustotal.com/en-gb/ip-address/192.64.115.140/information/

:mad: :fear: :mad:

FYI...

Fake invoice SPAM leads to DOC exploit
- http://blog.dynamoo.com/2013/11/invoice-17731-from-victoria-commercial.html
6 Nov 2013 - "This -fake- invoice email leads to a malicious Word document:
From: Dave Porter [mailto:dave.porter@blueyonder .co .uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd
Dear Customer :
Your invoice is attached to the link below:
[donotclick]http ://www.vantageone .co .uk/invoice17731.doc
Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Victoria Commercial Ltd

The email originates from bosmailout13.eigbox .net 66.96.186.13 which belongs the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone .co .uk/invoice17731 .doc which appears to be a -hacked- legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47*. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys .com
feeds.nsupdatedns .com
It is the same attack as described by Blaze's Security Blog** and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60 ..."
* https://www.virustotal.com/en-gb/file/6c654921074a82ff6f4a6309b5dfa94587efcb81cd3d8559eac3488102f51d0a/analysis/1383746893/

** http://bartblaze.blogspot.co.uk/2013/11/latest-ups-spam-runs-include-exploits.html

- https://www.virustotal.com/en/ip-address/118.67.250.91/information/

- https://www.virustotal.com/en/ip-address/158.255.2.60/information/
___

Fake voice mail SPAM / VoiceMail.zip
- http://blog.dynamoo.com/2013/11/voice-message-from-unknown-spam.html
6 Nov 2013 - "This -fake- voice mail spam comes with a malicious attachment:
Date: Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From: Administrator [voice9@ victimdomain]
Subject: Voice Message from Unknown (886-966-4698)
- - -Original Message- - -
From: 886-966-4698
Sent: Wed, 6 Nov 2013 22:22:28 +0800
To: recipients@ victimdomain
Subject: Private Message

The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file. This malware file has a detection rate of 3/47* at VirusTotal. Automated analysis tools... show an attempted connection to twitterbacklinks .com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before** in this type of attack. Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28... domains are consistent with the ones compromised here*** and it is likely that they have all also been compromised."
Recommended blocklist:
69.26.171.176/28
216.151.138.240/28 ..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/f086f403c85530de181708f588e8d5d27f4727e5f44d7f5fb0d4a7f35b1688f0/analysis/1383748084/

** http://blog.dynamoo.com/search/label/Xeex

*** http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html

:mad::mad: :fear:

FYI...

Fake voicemail SPAM / Voice_Mail.exe
- http://blog.dynamoo.com/2013/11/you-received-voice-mail-spam.html
7 Nov 2013 - "This -fake- voice mail spam has a malicious attachment:
Date: Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From: Microsoft Outlook [no-reply@ victimdomain .net]
Subject: You received a voice mail
You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
Caller-Id:
698-333-5643
Message-Id:
80956-84B-12XGU
Email-Id:
[redacted]
This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server

Screenshot: https://lh3.ggpht.com/-TcGTepv34NQ/Unu1BKezJaI/AAAAAAAACOs/NNjOsDO0uC0/s1600/voicemail.png

Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47* and automated analysis tools... show an attempted connection to amazingfloorrestoration .com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious."
* https://www.virustotal.com/en-gb/file/854cf63454d0cd8df2cdae4183b2d1b1e25ea347b081931af18b916c7adf14c4/analysis/1383838216/

- https://www.virustotal.com/en/ip-address/202.150.215.66/information/
___

Visa Recent Transactions Report Spam
- http://threattrack.tumblr.com/post/66285164149/visa-recent-transactions-report-spam
Nov 7, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Dion_Andersen
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom

Malicious File Name and MD5:
payment.exe (A4D868FB8A01CA999F08E5739A5E73DC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4615addb73be1f23ecb588a8f136cc96/tumblr_inline_mvwj2jIxPM1r6pupn.png
___

DocuSign - Internal Company Changes Spam
- http://threattrack.tumblr.com/post/66283048697/docusign-internal-company-changes-spam
Nov 7, 2013 - "Subjects Seen:
Please DocuSign this document : Company Changes - Internal Only
Typical e-mail details:
Sent on behalf of <email address>.
All parties have completed the envelope ‘Please DocuSign this document: Company Changes - Internal Only..pdf’.
To view or print the document download the attachment. (self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to <email domain>

Malicious File Name and MD5:
Company Changes - Internal Only.PDF.zip (1B853B2962BB6D5CAA7AB4A64B83EEFF)
Company Changes - Internal Only.PDF.exe (03C3407D732A94B05013BD2633A9E974)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bb23ef96a17891dc0951c011dad6a4d7/tumblr_inline_mvwhhsr8NO1r6pupn.png
___

My FedEx Rewards Spam
- http://threattrack.tumblr.com/post/66278510467/my-fedex-rewards-spam
Nov 7, 2013 - "Subjects Seen:
Your Rewards Order Has Shipped
Typical e-mail details:
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.

Malicious File Name and MD5:
Order history page.zip (EE074EAACC3D444563239EF0C9F4CE0D)
Order history page.pdf.exe (DF86900EC566E13B2A8B7FD9CFAC5969)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a9446772300a4ba33ec3f56ef005039f/tumblr_inline_mvwdqhG7MY1r6pupn.png

:mad: :fear:

FYI...

Malware sites to block - (Nuclear EK)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-8112013-nuclear.html
8 Nov 2013 - "The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example*). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google. The domains are being used with subdomains, so they don't resolve directly. I have identified -3768- domains in this OVH range... The subdomains can found in this file [csv**] but as it is almost definitely incomplete it is simpler to use the blocklist below:
142.4.194.0/30 ..."
(More domains listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7517029

** http://www.dynamoo.com/files/penziatki-private-customer.csv
___

Fake Voicemail SPAM / MSG00049.zip and MSG00090.exe
- http://blog.dynamoo.com/2013/11/voicemail-message-spam-msg00049zip-and.html
8 Nov 2013 - "Another day, yet another -fake- voicemail message spam with a malicious attachment:
Date: Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From: Voicemail [user@ victimdomain .com]
Subject: Voicemail Message
IP Office Voicemail redirected message

Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47*. Automated analysis... shows an attempted connection to seminyak-italian .com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not".
* https://www.virustotal.com/en-gb/file/7cd710517520b00227fc4e591cb0943f7de341f181b4cd14cc8737494b977f1e/analysis/1383936341/

- https://www.virustotal.com/en/ip-address/198.1.84.99/information/
___

Shylock/Caphaw Drops Blackhole for Styx and Nuclear
- http://www.threattracksecurity.com/it-blog/shylock-caphaw-drops-blackhole-for-styx-and-nuclear/
Nov 8, 2013 - "In early October, news of the arrest of “Paunch” and his cohorts in Russia... Because of this, experts in the security industry had noticed the lack of new updates for the BHEK. Our experts in the Labs also concurred a possible dropping of threats involving the BHEK. With this in mind, it’s highly likely for online criminals to look for other alternatives...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/directed-to-exploit.jpg
... Sutra TDS has been associated with a number of Web threats, such as exploits (BHEK), rogue AV and ransomware among others as part of their infection and/or propagation tactics for years. Even phishers have jumped into the bandwagon... steps you can take in protecting yourself against Styx-based threats:
• Make sure to update all your software in real-time. You might be better off using a patch management software to assist on this. Such programs run in the background and prompts users whenever it detects new updates for software users have installed on systems.
• Keep your antivirus software also up-to-date.
• Block or filter off URLs with patterns that resemble Sutra TDS landing pages. Please ask assistance from someone if you need to."
___

Key Bank Secure Message Spam
- http://threattrack.tumblr.com/post/66377019759/key-bank-secure-message-spam
Nov 8, 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @ res. cisco .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.

Malicious File Name and MD5:
Secure_Message.zip (4301BE522A5254DBB5DBCF96023526B9)
Secure_Message.exe (8E0E9C0995B220FA8DFBC8BFFA54759F)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a93ab444b3cd245f3bd7b11ccfa4df41/tumblr_inline_mvyd7vEbVl1r6pupn.png

:mad: :fear::fear:

FYI...

Typhoon Scams... Email, Telephone, Door to Door
- http://www.threattracksecurity.com/it-blog/typhoon-haiyan-scams-rounds-email-telephone-door-door/
Nov 11, 2013 - "In the wake of Typhoon Haiyan, both law enforcement and members of the public are coming forward to make timely reminders related to donation scams.
1) Police in Huntsville, Ontario have warned of individuals from unverified donation campaigns* going door to door.
Sudden arrivals on your doorstep asking for donations related to any form of disaster should always be viewed with suspicion, and keep in mind that any form of ID can be faked convincingly. If the person is particularly pushy about you handing over money in a short period of time, be extra suspicious...
2) Anxious friends and relatives of those who have gone missing are apparently posting up too much personal information on social networks in their quest to re-establish contact... Avoid posting personal details to sites such as Twitter and Facebook.
3) In the US, cold calling from individuals claiming to be from the Salvation Army asking for Typhoon relief donations has begun. I did a little digging on the phone number listed, and it appears on a Snopes page*** related to Hurricane Sandy FEMA cleanup crews... If you want to donate through Salvation Army, you should visit their donation page** and keep cold calls to your telephone line on the back burner.
4) Scam emails are already in circulation. Expect the majority of these to ride on the coat-tails of efforts by organisations such as The Red Cross. One particularly devious tactic to watch out for is scammers giving you a real, genuine domain as a reply email to send your bank details to but including a fake as a CC address..."
(More detail at the threattracksecurity URL above.)

* http://moosefm.com/cfbg/news/14095-police-warning-about-potential-typhoon-scam

** https://donate.salvationarmyusa.org/TyphoonHaiyan

*** http://www.snopes.com/fraud/employment/femasandy.asp
___

- https://www.us-cert.gov/ncas/current-activity/2013/11/12/Philippines-Typhoon-Disaster-Email-Scams-Fake-Antivirus-and
Nov 12, 2013
___

Adware sites to block / "Consumer Benefit Ltd" ...
- http://blog.dynamoo.com/2013/11/consumer-benefit-ltd-adware-sites-to.html
11 Nov 2013 - "A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report*) and GFilterSvc.exe (report**) both in C:\WINDOWS\SYSTEM32. The blocks are 212.19.36.192/27 and 82.98.97.192/28 ... Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature... the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28 ..."
(More detail and URLs listed at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/file/4ccc3fd07b45d285940bc931b0b0c09e1184882faaf1e288245fc4f3f523b847/analysis/1384162704/

** https://www.virustotal.com/en-gb/file/d0eaa89c7f094c52fc758e43dbe0e122b67f4df392254b210a153a25ce8d2ae7/analysis/1384162774/
___

Fake Confidential Message SPAM / To All Employees 2013.zip.exe
- http://blog.dynamoo.com/2013/11/to-all-employees-confidential-message.html
11 Nov 2013 - "This -fake- "all employees" email comes with a malicious attachment:
Date: Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From: DocuSign Service [dse@ docusign .net]
Subject: To all Employees - Confidential Message
Your document has been completed
Sent on behalf of administrator@victimdomain.
All parties have completed the envelope 'Please DocuSign this document:
To All Employees 2013.doc'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF) This document contains information confidential and proprietary to spamcop .net
DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring yoursignature, please contact the sender directly...

The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47*. Automated analysis... shows a callback to trc-sd .com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP."
* https://www.virustotal.com/en-gb/file/ab07dbeca3a3a3703007949ed05a100f95ce89d7e937fe320222a7812c904d16/analysis/1384175853/

- https://www.virustotal.com/en-gb/ip-address/121.127.248.74/information/
___

Fake Paypal SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/identity-issue-pp-716-097-521-587-spam.html
11 Nov 2013 - "For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a -fake- spam pretending to be from PayPal with a malicious attachment:
Date: Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-716-097-521-587
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-D503YC19DXP3
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks, PayPal...

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47*, and automated analysis... shows an attempted connection to trc-sd .com which is the same domain seen in this attack**."
* https://www.virustotal.com/en-gb/file/ab07dbeca3a3a3703007949ed05a100f95ce89d7e937fe320222a7812c904d16/analysis/1384185446/

** http://blog.dynamoo.com/2013/11/to-all-employees-confidential-message.html
___

American Express Suspicious Activity Report Spam
- http://threattrack.tumblr.com/post/66684841364/american-express-suspicious-activity-report-spam
Nov 11, 2013 - "Subjects Seen:
Recent Activity Report - Incident #6U7X67B05H6NGET
Typical e-mail details:
As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
Please review the “Suspicious Activity Report” document attached to this email.
Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress .com/phishing
Thank you for your Cardmembership.
Sincerely,
Lindsey_Oneal
Tier III Support
American Express Account Security
Fraud Prevention and Detection Network

Malicious File Name and MD5:
Incident#<random>.zip(14F92A367A01C5AD8F0C4A7062000FE6)
Incident#.exe (77F23BC4F0ECB244FAA61163B07EAEC7)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/633dc733982657f7327c5dd769f322e8/tumblr_inline_mw3y824fCm1r6pupn.png

Tagged:
American Express: http://threattrack.tumblr.com/tagged/American-Express
Upatre: http://threattrack.tumblr.com/tagged/Upatre

:mad: :fear:

FYI...

Dynamic DNS sites you might want to block ...
- http://blog.dynamoo.com/2013/11/dynamic-dns-sites-you-might-want-to.html
12 Nov 2013 - "These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is -abused- by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following... listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL*. The links go to the Google diagnostic page."
(Long list at the dynamoo URL above.)
* http://www.surbl.org/lists
___

Fake HMRC SPAM - HMRC_Message.zip and qualitysolicitors .com
- http://blog.dynamoo.com/2013/11/you-have-received-new-messages-from.html
12 Nov 2013 - "This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors .com:
Date: Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system.
2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices...

... there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47*. Automated analysis tools... show that it attempts to communicate with alibra .co .uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
[donotclick]synchawards .com/a1.exe
[donotclick]itcbadnera .org/images/dot.exe
a1.exe has a detection rate of 16/47**, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23 /forum/viewtopic.php
[donotclick]new.data.valinformatique .net/5GmVjT.exe
[donotclick]hargobindtravels .com/38emc.exe
[donotclick]bonway-onza .com/d9c9.exe
[donotclick]friseur-freisinger .at/t5krH.exe
dot.exe has a much lower detection rate of 6/47***... various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47***, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus."
Recommended blocklist:
59.106.185.23 ..."
(More URLS listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/c01fa56f1c18f2c4249606cb1cd8166118f026e3a7833005c2a01b58881dbbf9/analysis/1384264864/

** https://www.virustotal.com/en-gb/file/afb912f62363bdbbd667a3ef6ae5eff9adfd47c6e78171459306681dd8b04a50/analysis/1384265605/

*** https://www.virustotal.com/en-gb/file/c6221e19d2df42f2e1318a3c74c035802cb9dcc86923bd6c49f23bb13c130a86/analysis/1384266070/
___

Fake "Outlook Settings" SPAM - Outlook.zip
- http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html
12 Nov 2013 - "This spam email has a malicious attachment:
Date: Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From: Undisclosed Recipients
Subject: Important - New Outlook Settings
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that). Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.
Screenshot: https://lh3.ggpht.com/-uZyweXA5n_g/UoJOXnVIA-I/AAAAAAAACPY/tKqQ0Ksz0To/s1600/outlook-icon.png
The detection rate at VirusTotal is 5/45*. Automated analysis tools... show an attempted connection to dchamt .com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean."
* https://www.virustotal.com/en-gb/file/96d6e3a19d9f529dd1c8cda5460a77d1f9286213b1d8f42f4d1fb146a9132acf/analysis/1384270918/

- https://www.virustotal.com/en-gb/ip-address/216.157.85.173/information/

- http://threattrack.tumblr.com/post/66784403820/new-outlook-settings-spam
Nov 12, 2013 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at <sender e-mail address> and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

Malicious File Name and MD5:
Outlook.zip (4D0A70E1DD207785CB7067189D175679)
Outlook.exe (C8D22FA0EAA491235FA578857CE443DC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/15b88d66ccc6974a6134c025cc9ad5a2/tumblr_inline_mw5rx8vTYV1r6pupn.png
___

Fake Tax/Accountant SPAM / tax 2012-2013.exe
- http://blog.dynamoo.com/2013/11/2012-and-2013-tax-documents-accountants.html
12 Nov 2013 - "This -fake- tax spam comes with a malicious attachment:
Date: Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: FW: 2012 and 2013 Tax Documents; Accountant's Letter
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.
This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.

Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-4dRp1ML5c40/UoKNNvkL9pI/AAAAAAAACPo/3PTjlVby9Z8/s1600/tax-icon.png
VirusTotal detection rates are 17/47*. Automated analysis tools... show an attempted connection to nishantmultistate .com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack**, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea."
* https://www.virustotal.com/en-gb/file/c792601ed172e0f235f6e7add5d4d8aa72cefc5c3427519492be080b9be128e0/analysis/1384287261/

** http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html
___

Department of Treasury Outstanding Obligation Spam
- http://threattrack.tumblr.com/post/66792822412/department-of-treasury-outstanding-obligation-spam
Nov 12, 2013 - "Subjects Seen:
Department of Treasury Notice of Outstanding Obligation - Case <random>
Typical e-mail details:
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Malicious File Name and MD5:
FMS-Case-<random>.zip (55D31D613A6A5A57C07D496976129068)
FMS-Case-{_Case_DIG}.zip.exe (B807F603C69AEA97E900E59EC99315B5)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/74ca553a1712c3af975dfb32f39e1f04/tumblr_inline_mw5xr3YMit1r6pupn.png

:mad: :fear::fear:

FYI...

Fake PayPal "Identity Issue" SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/this-fake-paypal-or-is-it-quickbooks.html
13 Nov 2013 - "This -fake- PayPal (or is it Quickbooks?) spam has a malicious attachment:
Date: Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-679-223-724-838
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-TEBY66KNZPMU
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks,
PayPal ...

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-sx8_WjDsH10/UoNeT2WY8MI/AAAAAAAACP8/9ov_y4ZOpJI/s1600/identity-form.png
The detection rate for this at VirusTotal is 9/47*, automated analysis tools... shows an attempted connection to signsaheadgalway .com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack**, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP."
* https://www.virustotal.com/en-gb/file/6e4731ec02a08573524e2acd46493dc250315f486b3200abf7b51a0a55e31188/analysis/1384340556/

** http://blog.dynamoo.com/2013/11/you-have-received-new-messages-from.html
___

CareerBuilder Notification Spam
- http://threattrack.tumblr.com/post/66872856439/careerbuilder-notification-spam
Nov 13, 2013 - "Subjects Seen:
CareerBuilder Notification
Typical e-mail details:
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: adobe.com
Best wishes in your job search !
Savannah_Moyer
Careerbuilder Customer Service Team

Malicious File Name and MD5:
CB_Offer_<random>.zip (B61D44F18092458F7B545A16D2FF77D6)
CB_Offer_<random>.exe (40AB8B0050E496FB00F499212B600DDB)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f04c30490974e668e917a2b953c45753/tumblr_inline_mw7h9fdQrQ1r6pupn.png

Tagged:
CareerBuilder: http://threattrack.tumblr.com/tagged/CareerBuilder
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___

Facebook Password Request Spam
- http://threattrack.tumblr.com/post/66873997398/facebook-password-request-spam
Nov 13, 2013 - "Subjects Seen:
You requested a new Facebook password!
Typical e-mail details:
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.

Malicious File Name and MD5:
Facebook-SecureMessage.zip (FE3AB674A321959B3EA83CF54666A763)
Transaction_{_tracking}.exe (95191C75EF4A87CBFA46C0818009312E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0d5ef87b8b15f44b0c999e8ca90912df/tumblr_inline_mw7iewKvP31r6pupn.png

Tagged:
Facebook: http://threattrack.tumblr.com/tagged/Facebook
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___

EXE-in-ZIP SPAM storm continues
- http://blog.dynamoo.com/2013/11/the-exe-in-zip-spam-storm-continues.html
13 Nov 2013 - "Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46* which calls home... to amandas-designs .com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a -fake- Wells Fargo spam similar to this:
We have received this documents from your bank, please review attached documents.
Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47** and calls home... to kidgrandy .com on 184.154.15.190 (Singlehop, US). Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter."
* https://www.virustotal.com/en-gb/file/4f8a8db1d66a8172ae46abd2ff2c9f576a48dccd3d7d4334c439caf98f8c0979/analysis/1384377409/

** https://www.virustotal.com/en-gb/file/5bda57e0cca9728ad56314c90a54c61c51edf3d3b7c548056041f81660d0d667/analysis/1384377605/

- https://www.virustotal.com/en/ip-address/80.179.141.8/information/

- https://www.virustotal.com/en/ip-address/184.154.15.190/information/

:mad: :fear:

FYI...

Google Drive phish...
- http://www.threattracksecurity.com/it-blog/google-drive-phish-deploys-data-uri-technique/
Nov 14, 2013 - "... interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cheedrive1.jpg
The email is called “Document”... This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:
bashoomal(dot)com/redirect.html
The end-user will be presented with a -fake- Google Drive login page which asks them to fill in their email address / password.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cheedrive2.jpg
As you can see from the URL bar, this is another -phish- that tries to take advantage of the Data URI scheme... The Google account sending the mails appears to have been around since 2007, and also has a Youtube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links..."

- https://isc.sans.edu/diary.html?storyid=17018
2013-11-13
___

Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-14112013-caphaw.html
14 Nov 2013 - "These domains and IPs appear to be involved in a Caphaw malware attack, such as this one*. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.
Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178 ..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7696954

- http://www.virusradar.com/en/Win32_Caphaw.K/description

:mad::fear:

FYI...

More Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-15112013-caphaw.html
15 Nov 2013 - "Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday* is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity). The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/11/malware-sites-to-block-14112013-caphaw.html

- https://www.virustotal.com/en/ip-address/199.68.199.178/information/

- http://www.virusradar.com/en/Win32_Caphaw/detail
___

Fake BoA fax message SPAM / 442074293440-1116-084755-242.zip
- http://blog.dynamoo.com/2013/11/ringcentral-bank-of-america-fax-message.html
15 Nov 2013 - "This -fake- fax message email has a malicious attachment:
Date: Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From: RingCentral [notify-us@ ringcentral .com]
Subject: New Fax Message on 11/15/2013 at 09:51:51 CST
You Have a New Fax Message
From
Bank of America
Received: 11/15/2013 at 09:51:51 CST
Pages: 5
To view this message, please open the attachment.
Thank you for using Ring Central .

Screenshot: https://lh3.ggpht.com/-bw4CETLVd5I/UoZep7qACkI/AAAAAAAACQg/hq_7rR1l0nc/s1600/ringcentral.png

There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious exectuable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to aspenhonda .com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been -hacked-, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box."
* https://www.virustotal.com/en-gb/file/fa877e587e5ae611d3a1f6c27cc2629efcaebad39084bc3a6fb1496b076c643d/analysis/1384537461/

- https://www.virustotal.com/en/ip-address/199.167.40.33/information/
___

Citigroup Secure Message Spam
- http://threattrack.tumblr.com/post/67060979477/citigroup-secure-message-spam
Nov 15, 2013 - "Subjects Seen:
You have a new encrypted message from Citigroup Inc.
Typical e-mail details:
You have received a secure e-mail message from Citigroup Inc..
We care about your privacy, Citigroup Inc. uses this secure way to exchange e-mails containing personal information.
Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.

Malicious File Name and MD5:
SecureMessage.zip (969AEFFE28BC771C8453BF849450BC6A)
SecureMessage.exe(C2CD447FD9B19B7F062A5A8CF6299600)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b1298b867cb6486caf9d64497db4a0e7/tumblr_inline_mwb9gyugMb1r6pupn.png

Tagged: CitiGroup, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Authorization Form Email Messages - 2013 Nov 15
Fake Product Purchase Order Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Malicious Personal Pictures Attachment Email Messages - 2013 Nov 15
Fake Bank Payment Notification Email Messages - 2013 Nov 15
Fake Product Order Email Messages - 013 Nov 15
Fake Meeting Invitation Email Messages - 2013 Nov 15
Fake Payroll Invoice Notification Email Messages - 2013 Nov 15
Fake Product Quote Request Email Messages - 2013 Nov 15
Fake Shipping Order Information Email Messages - 2013 Nov 15
Fake Shipping Notification Email Messages - 2013 Nov 15
Fake Product Inquiry Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Fake Tax Document Email Messages - 2013 Nov 15
Fake Travel Information Email Messages - 2013 Nov 15
Email Messages with Malicious Attachments - 2013 Nov 15
(More detail and links at the cisco URL above.)

:mad: :fear:

FYI...

Phone SCAM - (08445715179)
- http://blog.dynamoo.com/2013/11/0844-number-scam-08445715179.html
18 Nov 2013 - "This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:
ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here*), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill. Sadly, I don't know who is behind this scam, and in this case it was -illegally- sent to a TPS-registered number**. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO*** who may be able to take more serious action against these spammers."
* http://www.moneysavingexpert.com/news/phones/2013/08/how-much-do-08-numbers-really-cost-dont-get-fleeced-by-premium-rate-calls

** http://www.tpsonline.org.uk/tps/number_type.html

*** http://www.ico.org.uk/complaints/marketing/2
___

Freenters Hit By Breach, Student Data Leaked
- http://www.threattracksecurity.com/it-blog/freenters-hit-breach-student-data/
Nov 18, 2013 - "If you’re a student who signed up to the Freenters free printing service, you may want to go and ensure your logins are safe and sound, as it appears they were compromised pretty badly.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/printpwn11.jpg
... Affected students were sent two separate emails which added to the confusion, with one stating “Passwords were secure” with a follow up advising them “we highly recommend you change your password for other accounts”... This might be a perfect time to ensure you’re not sharing passwords across sites and services, and think about using a password manager..."
___

PlayStation 4 and Xbox One Survey Scams ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/playstation-4-and-xbox-one-survey-scams-spotted/
Nov 18, 2013 - "... We found a Facebook page that advertised a PS4 raffle. Users were supposed to visit the advertised site, as seen below:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-1.jpg
The site urges users to “like” or “follow” the page, and then share it on social media sites. This could be a way for scammers to gain a wider audience or appear more reputable.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-2.jpg
Afterwards, users are required to enter their name and email address. Instead of a raffle, they are led to a survey scam:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-3.jpg
... Scams are also using the Xbox One as bait. However, the site in this currently inaccessible. Since the Xbox One has yet to be released, scammers could be waiting for the official launch before making the site live.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/xbox1.jpg
The scams were not limited to Facebook. We spotted a site that advertised a Xbox One giveaway. Like the PS4 scam, users are encouraged to promote the giveaway through social media. Once they click the “proceed” button, they are led to a site that contains a text file they need for the raffle. But like other scams, this simply leads to a survey site.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/xbox2.jpg
... Product launches have become a tried-and-tested social engineering bait. Earlier in the year, we saw scams that used Google Glass as a way to trick users. Early last year, the launch of the iPad 3 became the subject of many scams and spam. Users should always be cautious when it comes to online raffles and giveaways, especially from unknown or unfamiliar websites. If the deal seems too good to be true, it probably is..."
___

Netflix on your PC - Beware of Silverlight exploit
- http://blog.malwarebytes.org/exploits-2/2013/11/streaming-netflix-on-your-pc-beware-of-silverlight-exploit/
Nov 15, 2013 - "A vulnerability affecting Microsoft Silverlight 5 is being used in the wild to infect PCs that visit compromised or malicious websites... The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074*) on March 12, 2013. The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/screenshot_2013-11-13_016.png
... those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk. Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/silverlight.png "

* http://technet.microsoft.com/en-us/security/bulletin/ms13-022
___

IRS Tax Payment Rejection Spam
- http://threattrack.tumblr.com/post/67401200848/irs-tax-payment-rejection-spam
Nov 18, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : 6LHIRS930292818 ) was Rejected
Typical e-mail details:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 6LHIRS930292818), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 6LHIRS930292818
Payment Amount: $ 2373.00
Transaction status: Rejected
ACH Trace Number: 268976180630733
Transaction Type: ACH Debit Payment-DDA

Malicious File Name and MD5:
FED TAX payment.zip (661649A0CA9F13B06056B53B9BC3CBA7)
FED TAX payment.exe (157BBC283245BBE5AB2947C446857FC9)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7f7ede2a153c661ffd968854d85937b7/tumblr_inline_mwhbufHbhC1r6pupn.png

Tagged: IRS, Upatre

:mad: :fear:

FYI...

Fake ‘Sent from my iPhone’ themed emails - expose users to malware
- http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thousands-fake-sent-iphone-themed-emails-expose-users-malware/
Nov 19, 2013 - "Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – * ... Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A... Once executed, the sample attempts to contact the following C&C servers:
91.109.14.224
31.7.35.112
49.50.8.93
173.0.131.15
209.50.251.101
88.198.7.211
64.120.153.69
219.94.206.70
173.231.139.57
next to the well known by now, networksecurityx.hopto .org (1) a C&C host..."
* https://www.virustotal.com/en/file/58496093758ee50877ce8453987259bf30d4222d0954525d89011909a0466217/analysis/1384441224/

Diagnostic page for hopto .org
1) http://google.com/safebrowsing/diagnostic?site=hopto.org/
"... Part of this site was listed for suspicious activity 731 time(s) over the past 90 days... Malicious software includes 817 exploit(s), 113 trojan(s), 59 virus. Successful infection resulted in an average of 5 new process(es) on the target machine. This site was hosted on 80 network(s)... Over the past 90 days, hopto .org appeared to function as an intermediary for the infection of 140 site(s)... this site has hosted malicious software over the past 90 days. It infected 210 domain(s)..."
___

Fake Snapchat downloads in Search Engine Ads
- http://www.threattracksecurity.com/it-blog/fake-snapchat-downloads-search-engine-ads/
Nov 19, 2013 - "Hot on the heels of fake Snapchat Adware installs*, we have advert results in both Google and Bing adverts leading to non-existent downloads of Snapchat in return for an Adware bundle. Here’s Google:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchat-googlesearch.png
The site in question here is soft1d(dot)com
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/soft1dprompt.jpg
Here’s Bing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapadsbing.jpg
The ad in question is the one in the bottom right hand corner for download-apps(dot)org/snapchat
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/download-apps-snap.jpg
Both sites lead to the same install. Comments from Matthew, one of our researchers in the Labs who discovered this: 'When you run the installer it precedes to install Fast Media Converter (Zango/Pinball Corp/BlinkX/LeadImpact) and LyricsViewer (Crossrider) with the only notice being from the page shown in the “prompt” screenshots. After loading those, it proceeds to offer you some more: a Conduit Toolbar and Dealply. In the end there is no Snapchat install or even a replacement for Snapchat'...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/ignition-snap-1.png
.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/ignition-snap-3.png
VirusTotal has this one pegged at 4/47** ..."
* http://www.threattracksecurity.com/it-blog/fake-snapchat-install-leads-adware/
Nov 1, 2013
** https://www.virustotal.com/en/file/1616385d2eb89a60387a5d42f598987063ad932f6d3793bdee4a57b8bb504b40/analysis/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Job Offer Notification Email Messages - 2013 Nov 19
Fake Monthly Report Notification Email Messages - 2013 Nov 19
Fake Invoice Attachment Email Messages - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Payment Information Notification Email Messages - 2013 Nov 19
Email Messages with Malicious Attachments - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Product Quote Request - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Payment Confirmation Email Messages - 2013 Nov 19
Fake Personal Photo Sharing Email Messages - 2013 Nov 19
Fake Payment Invoice Email Messages - 2013 Nov 19
Fake Shipment Tracking Information Email Messages - 2013 Nov 19
Fake Product Order Notification Email Messages - 2013 Nov 19
Fake Scanned Image Notification Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Bank Payment Notification Email Messages - 2013 Nov 19
Fake Customer Complaint Attachment Email Messages - 2013 Nov 19
(More info and links at the cisco URL above.)

:mad: :mad:

FYI...

Fake mileage reimbursement email leads to malware ...
- http://www.webroot.com/blog/2013/11/20/fake-annual-form-std-261-authorization-use-privately-owned-vehicle-state-business-themed-emails-lead-malware/
Nov 20, 2013 - "Want to file for mileage reimbursement through a STD-261 form? You may want to skip the tens of thousands of -malicious- emails currently in circulation, attempting to trick users into executing the malicious attachment. Once downloaded, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/11/STD261_Fake_Rogue_Malicious_Fraudulent_Email_Spam_Spamvertised_Social_Engineering_Malware_Malicious_Software-1024x64.png
Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – * ... Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A. Once executed, the sample starts listening on ports 8412 and 3495... It then attempts to phone back to the following C&C servers... (long list of IP's listed at the first webroot URL above)..."
* https://www.virustotal.com/en/file/e891094bb8a3b68edeb36d56d70312956a24504a78f2a84c61816ccda953cd9c/analysis/1384525049/
___

Red Cross 419 Scam exploits Typhoon Haiyan
- http://www.threattracksecurity.com/it-blog/red-cross-419-scam-exploits-typhoon-haiyan/
Nov 20, 2013 - "There are a number of emails currently in circulation attempting to cash in on the generosity of individuals and organisations wanting to assist the Typhoon Haiyan relief efforts. Another one just landed in our spamtraps, and reads as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/fakehaiyanmail-wm.jpg
... If the poor spelling and generally dreadful formatting of the mail doesn’t give the game away, hopefully the free Yahoo email address will help to tip the balance. This is absolutely a scam, and one that should be directed to the recycle bin / spam folder with all due haste. Elsewhere, Trend Micro are seeing missives related to fake Navy donations* and Symantec are dealing with one “Andrew Stevens” who is asking for donations** via Western Union. You can be sure more of these will emerge in the coming weeks, so please be cautious and don’t reply to any email sent out of the blue. No matter how convincing the mail appears to be, there’s a very good chance your money is going to end up with someone other than who you intended it for."
* http://blog.trendmicro.com/trendlabs-security-intelligence/watching-out-for-typhoon-haiyan-scams

** http://www.symantec.com/connect/blogs/scams-emerge-typhoon-haiyan-strikes-philippines
___

Bitcoin Boom leads to Malware Badness
- http://www.threattracksecurity.com/it-blog/bitcoin-boom-leads-malware-badness/
Nov 20, 2013 - "... you may be tempted to mine some Bitcoins via the art of downloading random files from the internet... The are certainly more than enough options to choose from; Youtube videos, promo sites, Pastebin posts – you name it, they’re all out there and they’re all clamouring for your attention. Just keep in mind that you never really know what you’re signing up to when playing the random download game... Scammers are promoting “no survey Bitcoin generators”, which come with -surveys- attached regardless.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins3.jpg
If no survey is available, you’re encouraged to pay for a premium account to access the download.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins4.jpg
Elsewhere, the below Pastebin page directs individuals to a Mediafire download. Note that they claim it is “legit”, but the file isn’t theirs and they won’t accept responsibility for any “inconvenience”. Never a good sign, really.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins1.jpg
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins2.jpg
... VirusTotal currently flagging it at 8/47*. We’re also seeing a number of files on MEGA, which claim to be Bitcoin Generators (with one claiming to offer up 0.06975 mBTC “every couple of hours” in return for filling in some CAPTCHA codes)... An additional file below (also hosted on MEGA) already flags up at 17/47** on VirusTotal, and we also detect this as Trojan.Win32.Generic!BT... trying to go down the fast and easy route ensures there’s a lot to lose too. If you’re late to the Bitcoin party, bandwagon jumping may result in a nasty fall."
* https://www.virustotal.com/en/file/9332d6300c0761476a87d63b5e73a1846387ba72691b26ab924ffb89c357aa24/analysis/

** https://www.virustotal.com/en/file/00ae28fa8dfff8f664c619278dd14f7b93b1a2f96a8c6209ae57e9e1901cff38/analysis/

:mad::mad: :fear:

FYI...

Fake ADP Anti-Fraud Secure Update Spam
- http://threattrack.tumblr.com/post/67663410958/adp-anti-fraud-secure-update-spam
Nov 21, 2013 - "Subjects Seen:
ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.

Malicious File Name and MD5:
2013 Anti-Fraud Secure Update.zip (7DF767E9225803F5CA6C1ED9D2B5E448)
2013 Anti-Fraud Secure Update.exe (6A9D66DF6AE25A86FCF1BBFB36002D44)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7f5a6916e64b7718d9a679117cc819c7/tumblr_inline_mwmemcErG21r6pupn.png

Tagged: ADP, Upatre.

:mad::fear::mad:

FYI...

Fake WhatsApp SPAM - exposes users to malware ...
- http://www.webroot.com/blog/2013/11/22/fake-whatsapp-voice-message-notification-themed-emails-expose-users-malware/
Nov 22, 2013 - "... intercepted a currently circulating malicious spam campaign impersonating WhatsApp — yet again — in an attempt to trick its users into thinking that they’ve received a voice mail. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised malicious email:
> https://www.webroot.com/blog/wp-content/uploads/2013/11/WhatsApp_Fake_Rogue_Malicious_Email_Voice_Message_Notification_Social_Engineering_Malware_Malicious_Software_Cybercrime.png
Detection rate for the spamvertised attachment: MD5: 41ca9645233648b3d59cb52e08a4e22a – * ... TrojanDownloader:Win32/Kuluoz.D. Once executed, it phones back to:
hxxp ://103.4.18.215:8080 /460326245047F2B6E405E92260B09AA0E35D7CA2B1
70.32.79.44
84.94.187.245
172.245.44.180
103.4.18.215
172.245.44.2 ...
* https://www.virustotal.com/en/file/e7f8d088049d74cb12b12780abfd4b726174beecc4b49b4e7b7f5e6c4b04cccb/analysis/1384979533/
___

Watch where you’re logging in ...
- http://www.threattracksecurity.com/it-blog/tesco-bank-credit-card-customers-watch-youre-logging/
Nov 22, 2013 - "If you do your online banking with TESCO, or indeed have a credit card with them you may want to be on the lookout for the following website which is hosting a rather large tally of login pages. The site in question is:
mrqos(dot)com(dot)au/kate/tess/tescr/login(dot)html
and that particular site was flagged not so long ago in the Zone-H defacement mirror, with “KEST” compromising it on or around the 15th of October, 2013.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco0.jpg
Here’s 100 or so identical HTML pages in one directory offering up a TESCO credit card login:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco3.jpg
All of the above pages present end-users with the following login screen:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco4.jpg
The page asks end-users to login to “Tesco bank online banking” with “credit card” mentioned in the top right hand corner. After entering a username, the page asks for more information... you should only ever log in on the homepage of your bank or credit card. Visiting it from URLs in emails or random messages sent your way just won’t cut the mustard – physically type in the URL, ensure there’s a padlock and the connection is encrypted. You won’t find padlocks or encryption on the above pages..."
___

Pokemon X and Y Tumblrs: Warn your Kids
- http://www.threattracksecurity.com/it-blog/pokemon-x-y-tumblrs-warn-kids/
Nov 22, 2013 - "A gentle reminder not to leave your kids alone with their best friend ever, the internet. Pokemon X and Y is by all accounts a raging success, and if the smaller members of your household go Googling for things related to said title, they may well end up on a site such as the below promising a PC download of the new game.
pokemonxetyromemulateur(dot)tumblr(dot)com
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload1.jpg
This site intends to direct the end-user to a cookie-cutter blog located at
pokemonxyemulator(dot)blogspot(dot)ro
The site pops a -survey- with offers likely dictated by region. What’s worrying here is if kids arrive on this site given the Pokemon theme, they could well be presented with survey questions asking for personal information alongside the more typical installs (and installs aren’t really something you want to be presenting kids with either).
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload2.jpg
In this case, one of the links leads to an iLivid install.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload3.jpg
... it mentions a -toolbar- install which is pre-ticked in the next screen... What’s on offer here isn’t a big deal, but there’s no way you can predict what will be on the other end of a survey popup – everything from personal information requests and ringtone offers to Adware and (occasionally) Malware have all been sitting in wait on the other side of that “Complete this” button. While adults may hopefully steer clear of a lot of these antics, any kids going click happy in Pokemon land (or any other themed set of search engine queries) probably won’t be so lucky..."

:mad: :fear:

FYI...

Fake PayPal Spam
- http://threattrack.tumblr.com/post/68070828047/paypal-resolution-of-case-spam
Nov 25, 2013 - "Subjects Seen:
Resolution of case #PP-016-353-161-368
Typical e-mail details:
Transaction ID: 27223374MSB9Y6FV6
Our records indicate that you never responded to requests for additional
information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see the attached file (Case_9503665.zip)
Sincerely,
Protection Services Department

Malicious File Name and MD5:
Case_9503665.zip (040D3AA61ADB6431576D27E14BA12E43)
Case_.exe (8DB3C24FCD0EF4A660636250D0120B23)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bbfc34678338de568d5f7f9d84a17410/tumblr_inline_mwtvpuDtlR1r6pupn.png

Tagged: PayPal, Upatre
___

Fake HSBC emails - malware
- http://www.webroot.com/blog/2013/11/25/cybercriminals-impersonate-hsbc-fake-payment-e-advice-themed-emails-expose-users-malware/
Nov 25, 2013 - "HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/11/HSBC_Fake_Rogue_Malicious_Email_Spam_Spamvertised_Social_Engineering_Malware_Malicious_Software.png
Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – * ...Trojan.Win32.Bublik.blgc. Once executed, the sample starts listening on ports 3670 and 6652..."
* https://www.virustotal.com/en/file/1ea24f6fe1dfc8c883da3bd380e1da53f766aa9f3df8eb0ebdd6fb0e8b94182e/analysis/1385042183/
___

.gov, .edu - Phish ...
- http://www.threattracksecurity.com/it-blog/gov-edu-phish-oh/
Nov 25, 2013 - "We’ve noticed a couple of .cn URLs which customers of ANZ will probably want to steer clear of.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz0.jpg
syftec(dot)gov(dot)cn
... appears to be a site about the county-level city Shangyu. One of the URLs on the site is
syftec(dot)gov(dot)cn/images/online/
... which takes users to:
rh(dot)buaa(dot)edu(dot)cn/js/online
... which is a .Edu URL called “China Domestic Research Project for ITER”, with the sub-heading “Key technologies research for remote handling manipulator using in nuclear environment”.
Here’s the frontpage, minus the js/online directory:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz1.jpg
Here’s what is located at the rh(dot)buaa(dot)edu(dot)cn/js/online URL:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz2.jpg
The page asks for name, DOB, address, card number, expiration date and security code. Hitting the log on button will direct users to the genuine ANZ website. The URL has already been blacklisted by Google Safebrowsing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz4.jpg
What’s interesting here is if the URL forwarding end-users from the .gov site to the .edu page is supposed to be there, or it too has been compromised to direct more users to the ANZ “login”. It’s possible the .gov site once forwarded them to a formerly legitimate page on the .edu portal which has since been compromised. However, the .edu page isn’t on Internet Archive so it’s hard to say one way or the other. What we can say for certain is that customers of ANZ should only log in on the genuine ANZ website*, and that .gov URLs are prime targets..."
* https://www.anz.com/

:mad: :fear:

FYI...

Fake Facebook pwd SPAM - Recoverypassword.zip and Facebook-SecureMessage.exe
- http://blog.dynamoo.com/2013/11/you-requested-new-facebook-password.html
26 Nov 2013 - "This -fake- Facebook message comes with a malicious attachment:
Date: Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password!
facebook
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
Didn't request this change?
If you didn't request a new password, let us know immediately.
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Screenshot: https://lh3.ggpht.com/-20l6OoLiEfc/UpSqzbqg9yI/AAAAAAAACSE/yW-Pfq5-JW8/s1600/facebook3.png

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42*. Automated analysis tools... shows attempted connections to developmentinn .com on 38.102.226.252 (Cogent, US) and spotopia .com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not."
* https://www.virustotal.com/en-gb/file/34414881de0d3cdd56832bd5ade4609c1091faabd9f5755eff61109be377caa4/analysis/1385474059/

- https://www.virustotal.com/en/ip-address/199.229.232.99/information/
___

Xerox Incoming Fax Spam
- http://threattrack.tumblr.com/post/68163781381/xerox-incoming-fax-spam
Nov 26, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: 633-553-5385 [/i]
Typical e-mail details:
INCOMING FAX REPORT
Date/Time: 11/26/2013 04:51:31 EST
Speed: 17766 bps
Connection time: 07:01
Pages: 3
Resolution: Normal
Remote ID: 633-553-5385
Line number: 633-553-5385
DTMF/DID:
Description: Сost sheet for first half of 2013.pdf

Malicious File Name and MD5:
IncomingFax.zip (A5E6AB0F6ECF230633B91612A79BF875)
IncomingFax.exe (B048E178F86F6DBD54D84F488120BB9B)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d194235ca4bd59fb321f065ff35f21e2/tumblr_inline_mwvl3vV45y1r6pupn.png

Tagged: Xerox, Upatre
___

Something evil on 46.19.139.236
- http://blog.dynamoo.com/2013/11/something-evil-on-4619139236.html
26 Nov 2013 - "46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java -exploit- kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples* ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-address/46.19.139.236/information/
___

Fake Loan site delivers adware
- http://www.threattracksecurity.com/it-blog/beware-of-trustfinancial-dot-org/
Nov 26, 2013 - "... a fake loan page from an equally fake financial institution called “Trust Financial Group”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/02D3B1F566A419CEFACB8E96C52913E1.jpg
Once users visit trustfinancial(dot)org, they are -redirected- to a default page serving a loan decision document. In order for visitors to see its unblurred version, they have to install a “secure loan viewer” application. Unfortunately, users will find out that the name of the program is actually called “Search Smarted and Search Assistor” and is signed by a verified publisher called Access Financial Resources, Inc.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/B98992173625FF8F069029FFC1704ACD.jpg
Here’s another sample that we have acquired:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/36311B015C8950A6322B3B49590EE75C.jpg
A quick search on Google for the name points me to a small company of financial planners in Oklahoma, but I can’t find connections to any legitimate software it’s involved in or to “Trust Financial Group”. We can count on the idea that whoever is behind the bogus page and brand had used the name of a legitimate small financial company to make the certificate appear more authentic, which in turn makes the applications seem legit. Unfortunately, this is -not- the case. The files are not document viewer applications, but they are -adware- programs that, once installed, -injects- ads into search engine results.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/C936F07A4085EBFA62BE550F9F6D03F2.jpg
... Eric Howes, ThreatTrack Security’s Principal Lab Researcher, “The domains used here are all anonymously registered. And while this attack technically isn’t a phishing attack, it is exploiting users’ trust and faith in financial institutions to trick them into installing adware.” Our researchers have further determined that the ads being injected are pulled through the domain, ez-input(dot)info, which was also registered anonymously..."
___

Blackshades Rat usage on the rise...
- http://www.symantec.com/connect/blogs/blackshades-rat-usage-rise-despite-author-s-alleged-arrest
Nov 25, 2013 - "... Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several -other- malware families.
Shadesrat evolution since July 2013:
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%201.png
For the last few years we have seen a spectacular increase of attacks against Web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear; to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits. When Symantec observed the increase of W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials including email services, Web services, instant messaging applications, and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information. During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point, and until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter has been the most prevalent. These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%202.png
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%203.png
Once an unsuspecting user has been compromised, -multiple- payloads are downloaded and used to retain control by using Remote Administration Tools or downloaders that enable them to install additional malware with new functionalities. The C&C servers also spread the following other malware threats.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%204.png
... The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies. This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal. Don’t forget to make sure that your software is up-to-date and that your antivirus solution has the latest definitions."

:mad::mad: :fear:

FYI...

Fake ADP SPAM - Reference #274135902580" / Transaction.exe
- http://blog.dynamoo.com/2013/11/adp-reference-274135902580-spam.html
27 Nov 2013 - "Is it Salesforce or ADP? Of course.. it is -neither- ...
Date: Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: ADP - Reference #274135902580
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #274135902580
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...

Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48*...
> https://lh3.ggpht.com/-SxwSXmXNPHs/UpX1fXSXObI/AAAAAAAACSY/UNYcz2opuj4/s1600/transaction.png
Malwr reports an attempted connection to seribeau .com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several -hundred- legitimate web sites on it, and it is not possible to determine if these are clean or infected."
* https://www.virustotal.com/en-gb/file/ac234318dd27d51436d0233b5d916538c6630d06f7ddcc7d4b6a4d875de95068/analysis/1385558999/

- https://www.virustotal.com/en/ip-address/103.6.196.152/information/
___

Dun & Bradstreet iUpdate Spam
- http://threattrack.tumblr.com/post/68263874738/dun-bradstreet-iupdate-spam
Nov 27, 2013 - "Subjects Seen:
D&B iUpdate : Company Request Processed
Typical e-mail details:
Thank you,
Your request has been successfully processed by D&B.
All information has been reviewed and validated by D&B.
Please Find your Order Information attached.

Malicious File Name and MD5:
CompanyInfo.zip (22CC978F9A6AEE77E653D7507B35CD65)
CompanyInfo.exe (2F3C1473F8BCF79C645134ED84F5EF62)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b39bb51d432ab6e1d846351c04e8a72a/tumblr_inline_mwxg59IRwc1r6pupn.png

Tagged: Dun & Bradstreet, Upatre
___

Tax Return Accountant’s Letter Spam
- http://threattrack.tumblr.com/post/68262070063/tax-return-accountants-letter-spam
Nov 27, 2013 - "Subjects Seen:
FW: 2012 and 2013 Tax Documents; Accountant’s Letter
Typical e-mail details:
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant’s letter.

Malicious File Name and MD5:
<e-mail recipient>.zip (BC8FC4D02BB86F957F5AE0818D94432F)
TaxReturn.exe (E85AD4B09201144ACDC04FFC5F708F03)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c645b5f4cba8e18c2243a881fd1fe365/tumblr_inline_mwxeqis2ka1r6pupn.png

Tagged: Tax Return, Upatre
___

Russian Photo Attachment Spam
- http://threattrack.tumblr.com/post/68274420361/russian-photo-attachment-spam
Nov 27, 2013 - "Subjects Seen:
Hello
Typical e-mail details:
Hi
My name is Yulia.
I am from Russia.
Look my photo in attachment.

Malicious File Name and MD5:
DSC_0492(copy).jpg.zip (41B37B08293C1BFE76458FA806796206)
DSC_0492(copy).jpg.exe (AC7CD2087014D9092E48CE465E4F902D)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d590cef1826546d83c7e63b46f2231dd/tumblr_inline_mwxmtdo5Ih1r6pupn.png

Tagged: Photo, Sirefef, .

:fear: :mad:

FYI...

Fake Skype voicemail - Trojan SPAM ...
- http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/
28 Nov 2013 - "A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns*. Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan. Messages typically come with the subject line “You received a new message from Skype voicemail service”. The emails contain a copyright notice and a disingenuous warning that "Skype staff will NEVER ask you for your password via email", all in a bid to appear genuine..."
* http://www.actionfraud.police.uk/alert-fake-voicemail-emails-from-skype-contain-virus-nov13

- http://blog.mxlab.eu/2013/11/26/fake-email-you-received-a-new-message-from-skype-voicemail-service-contains-trojan/

:mad: :fear:

FYI...

Fake 'planned outage' SPAM - attachment contains trojan ...
- http://blog.mxlab.eu/2013/12/02/email-regarding-planned-outage-of-mail-server-with-the-instructions-to-save-and-backup-attached-file-contains-trojan/
Dec 2, 2013 - "MX Lab... started to intercept a new trojan distribution campaign by email with the subject “Important update. Please read”. This email is sent from the spoofed address “mail server update” and has the following body:
Dear user!
This is a planned Outage for our MAIL Services on Mon, 02 Dec 2013 11:30:14 +0300
Our MailServer is currently experiencing some problems. It should be working again as usual shortly.
If you want to keep previous saved emails
please download and save your backup from the attached file.
Please do not reply to this message.
This is a mandatory notification containing information about important changes in the products you are using.

Screenshot of the message: http://img.blog.mxlab.eu/2013/20131202_planned_outage.gif

The attached ZIP file has the name saved_mailbox_yoct_F479657BA8.zip and contains the 115 kB large file saved_mail_user_id_8349653__random_numbers__6587234.eml. The trojan is known as Trojan/Win32.Zbot, W32/Trojan.RSKY-7175, Win32/PSW.Fareit.A, Trojan.Ransom.RV or Mal/Generic-S. At the time of writing, 7 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c
The trojan is capable of downloading files from the internet and according to Malwr it can steal information from local internet browsers and harvest credentials from FTP clients. This last one can perhaps be use to upload a virus or malware to hosts that can use this location for other campaigns.
The trojan will start a new service, make some Windows registry modifications and will make contact with hosts to download a file from:
hxxp ://62.76.45.242/our/1.exe
hxxp ://62.76.42.218/our/1.exe
hxxp ://62.76.45.242/our/2.exe
hxxp ://62.76.42.218/our/2.exe
hxxp ://networksecurityx .hopto .org
The file 1.exe is 369kB large and is identified as W32/Trojan.RSKY-7175 or Trojan.Ransom.RV. The file 2.exe couldn’t be downloaded, the host gave us an 404 error. This executable will create a process ihre.exe on an infected system, modifies the Windows registry, change the firewall policies, installs itself to run when booting the system and collects information to fingerprint the system, peforms HTTP requests and starts servers listening on 0.0.0.0 on port 8989, 0.0.0.0 on port 2626 and 0.0.0.0 on port 0. At the time of writing, 2 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink*** and Malwr permalink**** for more detailed information.
SHA256: 8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407."
* https://www.virustotal.com/en/file/8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c/analysis/1385977408/

** https://malwr.com/analysis/MmRjZDMzZDI0MjgyNGRjZjk5ODAwYWVhNzI0MGJiMzU/

*** https://www.virustotal.com/en/file/8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407/analysis/1385978531/

**** https://malwr.com/analysis/Y2QzOWY1NWIzYzY4NDRhZTlhNjdlMTNkZTJmY2JkODY/

- https://www.virustotal.com/en/ip-address/62.76.45.242/information/

- http://google.com/safebrowsing/diagnostic?site=hopto.org/
"... this site was listed for suspicious activity 695 time(s) over the past 90 days..."
___

Toolbar uses Your System to make BTC ...
- http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/
Nov 29, 2013 - "Potentially Unwanted Programs or PUPs as we like to call them, are things like Toolbars, Search Agents, etc. Unnecessary junk for your desktop that usually involves monitoring your surfing/shopping habits and slowing down your system with their sub-par software that ends up hurting you much more than helping. A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads, they also steal your systems resources for mining purposes... we are taking a look at a PuP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/VictorPost-1024x420.png
... we received a request for assistance from one of our users about a file that was taking up 50 percent of the system resources on their system. After trying to remove it by deleting it, he found that it kept coming back, the filename was “jh1d.exe”... We did some research and found out that the file in question was a Bitcoin Miner known as “jhProtominer”, a popular mining software that runs via the command line. However, it wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe” . Monitor.exe* was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT. We were able to find out the connection between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/WBT_is_MP.png
Another product belonging to Mutual Public is known as Your Free Proxy.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/YourFreeProxy.png
Your Free Proxy uses the Mutual Public Installer (monitor.exe), obtaining it from an Amazon cloud server... We checked out this cloud server and found monitor.exe but also some additional interesting files, notably multiple types of “silent” installers and a folder called “coin-miner”... We at Malwarebytes are putting our foot down and detecting these threats as what they are, giving our users the option to remove them and never look back..."
* https://www.virustotal.com/en/file/caaab1e0b1ece9f5f150b092d3bbce74a3dd573cdfdcf0e8bfbf8966ed66353e/analysis/
File name: vti-rescan
Detection ratio: 1/48
Analysis date: 2013-11-29

:mad: :fear:

FYI...

Fake AMEX SPAM
- http://threattrack.tumblr.com/post/68886754223/american-express-secure-message-spam
Dec 3, 2013 - "Subjects Seen:
Confidential - Secure Message from AMEX
Typical e-mail details:
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-524-3645, option 1. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express

Malicious File Name and MD5:
SecureMail.zip (2986FFD9B827B34DCB108923FEA1D403)
SecureMail.exe (7DC5BF7F5F3EAF118C7A6DE6AF921017)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/59723401b83ae64fa575f3c72696dee8/tumblr_inline_mx8op1XMJQ1r6pupn.png

Tagged: American Express, Upatre
___

Fake eFax SPAM
- http://blog.dynamoo.com/2013/12/another-day-another-fake-efax-spam.html
3 Dec 2013 - "These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.
Date: Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Fax transmission: -5219616961-5460126761-20130705352854-84905.zip
Please find attached to this email a facsimile transmission we have just received on your behalf
(Do not reply to this email as any reply will not be read by a real person)

Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48*) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48**.
> http://1.bp.blogspot.com/-riDinrvAIZ8/Up5qPTdSDVI/AAAAAAAACTM/5XIcLTSsYks/s1600/fax-report.png
Automated analysis tools... show an attempted communication with tuhostingprofesional .net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised."
* https://www.virustotal.com/en/file/a675bb8d8d32d11a1262abde0250616908fd79cbedde9f11e339597c760e9e1b/analysis/1386113630/

** https://www.virustotal.com/en/file/31cd9cd01c86abacdb78c5277bec57464b51a95533084a937b0666007b318dc4/analysis/1386113237/
___

Fake Fax/Voice SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/03/email-faxnachricht-von-unknown-an-03212-1298305-contains-trojan/
Dec 3, 2013 - "... new trojan distribution campaign by email with the subject “Faxnachricht von unknown an 03212-1298305″. This email is send from the spoofed address “”WEB.DE Fax und Voice” <fax-021213-voice@webde.de>” and has the followingvery short body:
Fax und Voice
The attached ZIP file has the name WEB.DE Fax und Voice.zip and contains the 120 kB large file WEB.DE Fax und Voice.exe. The trojan is known as TR/Dropper.VB.3500, Virus.Win32.Heur.p, Trojan.Packed.25042, Win32/TrojanDownloader.Wauchos.X, PE:Trojan.VBInject!1.64FE or Troj/Agent-AFAX. At the time of writing, 15 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
SHA256: 8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b
* https://www.virustotal.com/en/file/8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b/analysis/

** https://malwr.com/analysis/ZWMxYjQ3YWEyNzY0NGVlNjgyMWVkNzI5OGUwZmEwZGQ/
___

Fake Mastercard SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/03/important-notification-for-a-mastercard-holder-with-trojan-disguised-as-email-from-mastercard/
Dec 3, 2013 - "... trojan distribution campaign appears with more or less the same lay out in the email that targets Mastercard holders with the subject “Important notification for a Mastercard holder”. MX Lab... intercepted these emails that are sent from the spoofed address “MasterCard” and has the following body:
Important notification for a Mastercard holder!
Your Bank debit card has been temporarily blocked
We’ve detected unusual activity on your Bank debit card . Your UK Bank debit card has been temporarily blocked, please fill document in attachment and contact us
About MasterCard Global Privacy Policy Copyright Terms of Use
© 1994-2013 MasterCard

Screenshot: http://img.blog.mxlab.eu/2013/20131203_mastercard.gif

The attached ZIP file has the name MasterCard_D77559FFA7.zip and contains the 131 kB large file MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe. The trojan is known as PasswordStealer.Fareit, Trojan-PWS/W32.Tepfer.131072.HS, PE:Malware.Obscure/Huer!1.9E03, Troj/Agent-AFAZ or Trojan.DownLoader9.22851. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total. Use the... Malwr permalink* for more detailed information."
* https://malwr.com/analysis/Yjk0NjczNDAyMDZlNDMzMDk4NjU5NGQzOGQyNGM0OTU/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Fax and Voice Notification Email Messages - 2013 Dec 03
Fake Purchase Order Request Email Messages - 2013 Dec 03
Fake Payment Confirmation Notification Email Messages - 2013 Dec 03
Fake Shipping Order Information Email Messages - 2013 Dec 03
Fake Product Inquiry Email Messages - 2013 Dec 03
Fake Product Purchase Order Email Messages - 2013 Dec 03
Fake Meeting Invitation Email Messages - 2013 Dec 03
Fake Fax Message Delivery Email Messages - 2013 Dec 03
Fake Failed Delivery Notification Email Messages - 2013 Dec 03
Malicious Personal Pictures Attachment Email Messages - 2013 Dec 03
Fake Payment processing Notification Email Messages - 2013 Dec 03
Fake Unpaid Debt Invoice Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Product Order Quotation Email Messages - 2013 Dec 03
Fake Payroll Invoice Notification Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Financial Document Email Messages - 2013 Dec 03
(More detail and links at the cisco URL above.)

:fear: :mad:

FYI...

Fake Amazon SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/amazon-order-details-email-with-attached-order-details-zip-contains-trojan/
Dec 4, 2013 - "... new trojan distribution campaign by email with the subject “order #852-9045074-5639529 or “order ID801-7322179-4122684". This email is sent from the spoofed address “”AMAZON.CO.UK” <SALES@ AMAZON .CO .UK>”and has the following body:
Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID266-3050394-3760006 Placed on December 2, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk

The attached ZIP file has the name Order details.zip and contains the 86 kB large file Order details.exe. The trojan is known as Trojan-PWS.Fareit, Trojan.Inject.RRE, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Generic-S. At the time of writing, 5 of the 46 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc."
* https://www.virustotal.com/en/file/0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc/analysis/1386150729/

** https://malwr.com/analysis/YTk5MDIzNzM1OTJiNDAwOWExODFhMzYzNDlhY2ZhY2Q/

79.187.164.155 - PL
- https://www.virustotal.com/en/ip-address/79.187.164.155/information/

- http://blogs.appriver.com/Blog/bid/100278/Just-In-Time-for-the-Holidays
Dec 03, 2013 - "... floods of -fake- Amazon.com "Order Details" notifications are hitting our filters... They are out in full force."
Screenshot: http://blogs.appriver.com/Portals/53864/images/Amazon-resized-600.png
___

Fake Amazon.co.uk SPAM / Order details.zip
- http://blog.dynamoo.com/2013/12/fake-amazoncouk-spam-order-detailszip.html
4 Dec 2013 - "This -fake- Amazon spam comes with a malicious attachment:
Date: Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From: "AMAZON.CO.UK" [SALES@ AMAZON .CO .UK]
Subject: order ID718-4116431-2424056
Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon. co .uk

Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49*. Automated analysis tools... are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup."
* https://www.virustotal.com/en-gb/file/0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc/analysis/1386166395/
___

Fake Royal Mail SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/newer-version-of-fake-email-from-royal-mail-regarding-detained-package/
Dec 4, 2013 - "... Today’s campaign is slightly different and carrying a new variant of the trojan. This email is send from the spoofed address “RoyalMail Notification”, the SMTP from address on server level is now noreply@ royalmail .com, the subject has changed to “ATTN: Lost / Missing package” and has the following body:
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.

Screenshot: http://img.blog.mxlab.eu/2013/20131202_royalmail.gif

The attached ZIP file has the name RoyalMail_ID_D6646FD113.zip and contains the 82 kB large file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf. The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX. This executable will create a process on an infected system, modifies the Windows registry, change the firewall policies, installs itself to run when booting the system, it can steal information from local internet browsers, harvest credentials from FTP clients, collects information to fingerprint the system, peforms HTTP requests and starts servers listening on 0.0.0.0 on port 6274, 0.0.0.0 on port 2865 and 0.0.0.0 on port 0 (note that the ports in use have changed in this new variant).
At the time of writing, 8 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66.
UPDATE: The message now comes with subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe is available. At the time of writing, 3 of the 49 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink*** or Malwr permalink**** for more detailed information.
SHA256: 1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db."
* https://www.virustotal.com/en/file/36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66/analysis/1386160116/

** https://malwr.com/analysis/MjNjZTZjMzA3YTI4NGI2MmI2NTI3MjRhYzYyN2FkYWY/

*** https://www.virustotal.com/en/file/1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db/analysis/1386167663/

**** https://malwr.com/analysis/YTI1YmQxZDk1OTRmNGE5OTg3ZjhmNjkzYzg3N2I4OWE/
___

Fake Dept of Treasury SPAM / FMS-Case.exe
- http://blog.dynamoo.com/2013/12/department-of-treasury-notice-of.html
4 Dec 2013 - "This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.
Date: Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From: "support@salesforce.com" [support@ salesforce .com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk ...

Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49*. Automated analysis tools... show an attempted connection to worldofchamps .com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran .com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47**, although automated analysis tools are inconclusive***. I recommend blocking -both- those domains."
* https://www.virustotal.com/en-gb/file/3822905181974a0e22aae2707b1d12b08053b7c988c46a84a57290dcb4574c40/analysis/1386170174/

** https://www.virustotal.com/en-gb/file/a4c4a0cd70470584469c91caed5b803957d0681cf4f91f87f5be77e53b1182bb/analysis/1386170947/

*** https://malwr.com/analysis/NWJmNGQyNjRmMjIyNDFiNTllMzU3ZTE0MTlmMDU0NTY/
___

Job SCAMS - "british-googleapps .com" (and other googleapps .com domains)
- http://blog.dynamoo.com/2013/12/british-googleappscom-and-other.html
4 Dec 2013 - "This following spam email is attempting to recruit money mules:
From: arwildcbrender@ victimdomain .com
to: arwildcbrender@ victimdomain .com
date: 4 December 2013 07:49
subject: Employment you've been searching!
Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.
You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.
Region: United Kingdom only.
If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Gene@british-googleapps .com

Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine...
british-googleapps .com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam... In addition to those, all these following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to ficticious registrants.
50.194.47.186 - US
175.67.90.27 - CN
95.94.135.113 - PT
220.67.126.175 - KR ..."
(Many URLs listed at the dynamoo URL above.)

:mad: :fear:

FYI...

Bogus Firefox and Media Player downloads - 89.248.164.219 and 217.23.2.233
- http://blog.dynamoo.com/2013/12/something-unpleasant-on-89248164219-and.html
5 Dec 2013 - "The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 and (Worldstream, Netherlands) appear to be hosting some sort of -bogus- Firefox* and Media Player** downloads. (You can see the VirusTotal reports here*** and here****). All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of all the subdomains I can find are at the end of the blog, but in the meantime I recommend using the following blocklist:
89.248.164.219
217.23.2.233 ..."
(Long list of URLs at the dynamoo URL above.)
* http://urlquery.net/report.php?id=8165658

** http://urlquery.net/report.php?id=8165615

*** https://www.virustotal.com/en-gb/ip-address/89.248.164.219/information/

**** https://www.virustotal.com/en-gb/ip-address/217.23.2.233/information/

Bogus Browser Update ...
- http://www.webroot.com/blog/2013/12/05/compromised-legitimate-web-sites-expose-users-malicious-javasymbianandroid-browser-updates/
Dec 5, 2013 - "... a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a -bogus- “Browser Update“, which in reality is a premium rate SMS malware.
Sample screenshot of the landing page upon automatic redirection:
> https://www.webroot.com/blog/wp-content/uploads/2013/12/Compromised_Sites_Traffic_Exchange_Android_Java_Symbian_Malware_Fake_Browser_Update.png
Landing page upon redirection: hxxp ://mobleq .com/e/4366
Domain name reconnaissance: mobleq .com – 91.202.63.75 ...
Detection rates for the multi mobile platform variants:
MD5: a4b7be4c2ad757a5a41e6172b450b617 – * HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – ** Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – *** ..."
* https://www.virustotal.com/en/file/22278cc82c79d1ea4328d633b9f935db3020e626ade7c77a889d36e1b3b19fce/analysis/

** https://www.virustotal.com/en/file/62ec89a0f6c8f6cd047705793a3fc9818adb5c7f3a098d472bc0b0c4c6a4ee03/analysis/1386176451/

*** https://www.virustotal.com/en/file/7bbe99439e2f50e647c9178343af4b2e8ebec4630fd739e38e2f46e1c7e37bac/analysis/1386176560/

- https://www.virustotal.com/en/ip-address/91.202.63.75/information/
___

Something evil on 192.95.1.190
- http://blog.dynamoo.com/2013/12/something-evil-on-192951190.html
5 Dec 2013 - "It looks like there is some sort of exploit kit on 192.95.1.190 (OVH, Canada) [example*] spreading through injection attacks although at the moment I can't reproduce the issue. In any case, I would recommend -blocking- that IP... Some of the subdomains in use are listed here**..."
(More dot biz URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/url/e90cdfb1a187b78997e573ab9fee90442b45c6a95b4281f5f185e458161a79f3/analysis/

** http://pastebin.com/JREzW6vm

- https://www.virustotal.com/en/ip-address/192.95.1.190/information/

:fear::fear: :mad:

FYI...

Malware sites to block 9/12/2013
- http://blog.dynamoo.com/2013/12/malware-sites-to-block-9122013.html
9 Dec 2013 - "These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:
organisation: ORG-RL152-RIPE
org-name: R5X .org ltd
org-type: OTHER
address: Krasnoselskaja 15-219
address: 346579 Moscow
address: RU
abuse-mailbox: abuse@ r5x .org
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
R5X .org IPs have featured a couple of times before here [1] [2] so I would suggest -blocking- any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.
37.59.232.208/28
37.59.254.224/28 ..."
(Many URLs listed at the dynamoo URL above.)
1] http://blog.dynamoo.com/2013/09/6rfnet-and-something-evil-on.html

2] http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html

- http://google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4217 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Billing Invoice malware spam
- http://blog.dynamoo.com/2013/12/tnt-uk-limited-self-billing-invoice.html
9 Dec 2013 - "This fairly terse spam email comes with a malicious attachment:
Date: Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
From: Accounts Payable TNT [accounts.payable@ tnt .co .uk]
Subject: TNT UK Limited Self Billing Invoice 5321378841
Download the attachment. Invoice will be automatically shown by double click.

Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49*) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47**) which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.com/-NNMZumhc_ug/UqXfV-JQT3I/AAAAAAAACT0/JbtcZarxowE/s1600/tnt.png
Automated analysis tools... show an attempted connection to 2dlife .com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife .fr so I would assume that both are compromised and blocking access to this IP address is the way to go."
* https://www.virustotal.com/en-gb/file/0c00fb260a368c5d404df7e16184d4bb310c94cd9eb98e9cbe4fe31382a973cf/analysis/1386602037/

** https://www.virustotal.com/en-gb/file/29d1353b9c7a3b705b192f63ffe8def30e3079d02356d59c6f82beecb76da113/analysis/1386602000/

- https://www.virustotal.com/en/ip-address/5.9.182.220/information/
___

Multi-hop iframe campaign - client-side exploit malware
- http://www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/
Dec 9, 2013 - "... The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure... currently active malicious iframe campaign that continues to serving a cocktail of (patched*) client-side exploits, to users visiting legitimate Web sites... Domain names reconnaissance:
hxxp ://www3.judtn3qyy1yv-4.4pu .com – 188.116.34.246
hxxp ://www1.gtyg4h3.4pu .com – 188.116.34.246
find-and-go .com – 78.47.4.17
... malicious scripts, dropped malicious files..."
(More detail at the webroot URL above.)
* http://www.zdnet.com/blog/security/seven-myths-about-zero-day-vulnerabilities-debunked/7026

- https://www.virustotal.com/en/ip-address/188.116.34.246/information/

:fear: :mad:

FYI...

Evil network: R5X .org / OVH
- http://blog.dynamoo.com/2013/12/evil-network-r5xorg-ovh.html
10 Dec 2013 - "Russian web host R5X .org has featured on this blog a few times before, but I took the opportunity to look at it a little more closely... Out of 300 domains that I found hosted now or recently in R5X .org's space (rented from OVH), 177 (59%) are flagged as malicious by Google, and 230 (77%) are flagged as spam or malware by SURBL. MyWOT ratings indicate that there are no legitimate sites in the IP address ranges I checked. R5X .org doesn't have a network of its own but it rents IPs from OVH. I have identified several small netblocks which I strongly recommend that you -block- although there may be others.
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30 ...
A list of all the domains I can find, current IP addresses, MyWOT rating, the Google prognosis and SURBL codes can be found here* [csv] else I recommend using the following blocklist:
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30 ..."
(More detail at the dynamoo URL above.)
* http://www.dynamoo.com/files/r5x-org.csv
___

"EUROPOL" scareware / something evil on 193.169.87.247
- http://blog.dynamoo.com/2013/12/europol-scareware-something-evil-on.html
10 Dec 2013 - "193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is -locked- using the following domains:
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com
The -scareware- is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:
> http://3.bp.blogspot.com/-J6hJIZ3fRzU/UqcdAZQLanI/AAAAAAAACUI/pBsB0ZBF00E/s1600/europol.png
... The text varies depending on the country the visitor is in... The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207 .com (for example), you get europol.europe .eu.id176630100-8047697129.f1207 .com instead which looks a little more official. You can see some more examples here*... 193.169.87.247 forms part of 193.169.86.0/23 AS48031 which has a so-so reputation according to Google, it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.
Recommended blocklist:
193.169.87.247
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com
Update: a similar attack has also taken place on 193.169.86.250 on the same netblock."
* https://www.virustotal.com/en-gb/ip-address/193.169.87.247/information/

- https://www.virustotal.com/en-gb/ip-address/193.169.86.250/information/

- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 206 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Amazon .co.uk order SPAM / AM-ORDER-65HNA1972.exe
- http://blog.dynamoo.com/2013/12/fake-amazoncouk-order-spam-am-order.html
10 Dec 2013 - "This -fake- Amazon spam has a malicious attachment:
Date: Tue, 10 Dec 2013 11:19:03 +0200 [04:19:03 EST]
From: blackjacksxjt@ yahoo .com
Subject: order #822-8266277-7103199
Good evening,
Thank you for your order. We�ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #481-0295978-7625805 Placed on December 8, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk

Screenshot: http://techhelplist.com/images/stories/amazon-order-virus-10dec2013.png

Attached is an archive file AM-ORDER-65HNA1972.zip (VirusTotal detections 9/47*) which in turn contains a malicious executable AM-ORDER-65HNA1972.exe (VirusTotal detections 9/49**) which has an icon to make it look like some sort of document.
> https://lh3.ggpht.com/-iL24C02iQD0/Uqc5UVD9uxI/AAAAAAAACUY/mIqo2BZhA4s/s1600/amazon-order.png
Automated analysis tools seem to be timing out... indicating perhaps that it has been hardened against sandbox analysis."
* https://www.virustotal.com/en-gb/file/895ec9342baba173aa0a7583ac548c6647ae833021946a47f532b792ff2fb5a6/analysis/1386690407/

** https://www.virustotal.com/en-gb/file/a1b2ca37ec2e9d0a781a4b21fbb64d8ce76874dbf2ac8d3715b7106afe6eab36/analysis/1386690064/

:fear::fear: :mad:

FYI...

Fake WhatsApp SPAM / IMG003299.zip
- http://blog.dynamoo.com/2013/12/your-friend-has-just-sent-you-pic-spam.html
11 Dec 2013 - "This -fake- WhatsApp message has a malicious attachment.
Date: Wed, 11 Dec 2013 18:29:19 +0700 [06:29:19 EST]
Subject: Your friend has just sent you a pic
Hi!
Your friend has just sent you a photograph in WhatsApp. Open attachments to see what it is.

Screenshot: https://lh3.ggpht.com/-AJQc-jYcGAQ/Uqhm_0JsT9I/AAAAAAAACU4/uu5v94u_a2o/s400/whatsapp.png

Attached to the email is an archive IMG003299.zip (VirusTotal detections 7/43*) which in turn contains a malicious executable IMG003299.exe (VirusTotal detections 9/49**). Automated analysis tools... don't reveal very much about the malware in question however."
* https://www.virustotal.com/en-gb/file/a0b86830e901fd952133622ea6832ce96393c6c700144b5521c7870b1848be5f/analysis/1386767572/

** https://www.virustotal.com/en-gb/file/44e50a568df5633083be84c9dcc82f37a22fa3cedc1d1c50c06e0fe9065f6793/analysis/1386767585/
___

Fake Wells Fargo SPAM / WF_Docs_121113.exe
- http://blog.dynamoo.com/2013/12/wells-fargo-spam-wfdocs121113exe.html
11 Dec 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]
From: Kerry Pettit [Kerry.Pettit@ wellsfargo .com]
Subject: FW: Important docs
We have received this documents from your bank, please review attached documents.
Kerry Pettit
Wells Fargo Accounting
817-295-1849 office
817-884-0882 cell Kerry.Pettit@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE ...

Attached to the email is a ZIP file starting with WF_Docs_ and ending with the first part of the recipient's email address, inside that is a ZIP file with the date encoded into the filename WF_Docs_121113.exe. VirusTotal detections for the ZIP are 6/49* and are 6/47** for the EXE.
Automated analysis... shows an attempted connection to hortonnovak .com on 194.28.87.121 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or -both- of them."
* https://www.virustotal.com/en-gb/file/9d46d60ffbb6e69a73252716c9291009ee3d31b9cfb83911d8b9df3a56db35d6/analysis/1386779806/

** https://www.virustotal.com/en-gb/file/75576d28bbe0f815bc7333696df3646a79edf229e952aac83213754f206cdb79/analysis/1386779808/

- https://www.virustotal.com/en/ip-address/194.28.87.121/information/
___

Facebook Phishing and Malware via Tumblr redirects
- https://isc.sans.edu/diary/Facebook+Phishing+and+Malware+via+Tumblr+Redirects/17207
Last Updated: 2013-12-11 13:43:23 UTC - "... The initial bait is a message that you may receive from one of your Facebook friends, whose account was compromised. The message claims to contain a link to images that show a crime that was committed against the friend or a close relative of the friend. The image below shows an example, but the exact message varies. The images then claim to be housed on Tumblr.
> https://isc.sans.edu/diaryimages/images/Screen%20Shot%202013-12-10%20at%209_37_46%20PM.png
The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons. Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the "noxxos .pw" domain, which uses a wildcard record to resolve to 198.50.202.224 ... The fake Facebook page will ask the user for a username and password as well as for a "secret question". Finally, the site attempts to run a java applet (likely an exploit, but haven't analyzed it yet), and the site attempts to run a java applet (likely an exploit, but haven't analyzed it yet), and the user is sent to a Youtube look-alike page asking the user to download and install an updated "Youtube Player". The player appears to be a generic downloader with mediocre AV detection.
- https://www.virustotal.com/en/file/d23456ffeaad7183176e71870957a222d20025a35e8e1070bd81bc7491ab625b/analysis/1386730327/
(was 3/42 when I first saw it. Now 10/42 improved). As an indicator of compromise, it is probably best right not to look for DNS queries for "noxxos .pw" as well as connections to 198.50.202.224 ..."

- https://www.virustotal.com/en-gb/ip-address/198.50.202.224/information/
___

NatWest Banking Phish
- http://threattrack.tumblr.com/post/69721298913/natwest-banking-phish
Dec 11, 2013 - "Subjects Seen:
Account Alert !
Typical e-mail details:
Dear <removed>
Your password was entered incorrectly more than 5 times.
Because of that , our security team had to suspend your accounts and all the funds inside.
Your account access and the hold on your funds will be released as soon as you verify your information.
Review Your Account Activity
We are sorry for this inconvenience but this is a security measure which we must apply to ensure your account safety.
If you have already confirmed your information then please disregard this message
Thanks for choosing NatWest UK
NatWest Security Team

Malicious URLs: didooc .co .uk/images/stories/android/index.php
149.255.62.19 - https://www.virustotal.com/en-gb/ip-address/149.255.62.19/information/

Screenshot: https://31.media.tumblr.com/313a5cf56ecbca5bfc7af94a66ca3691/tumblr_inline_mxnvtazkSB1r6pupn.png

:mad: :fear::sad:

FYI...

Top 5 Most Dangerous Email Subjects ...
- http://community.websense.com/blogs/securitylabs/archive/2013/12/11/new-phishing-research-5-most-dangerous-email-subjects-top-10-hosting-countries.aspx
11 Dec 2013 - "... the top five subject lines in worldwide phishing emails are the following: (Based on research conducted 1/1/13-9/30/13)
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender
The list above portrays how cybercriminals are attempting to fool recipients into clicking a malicious link or downloading an infected file by using business-focused and legitimate-looking subject lines. Scammers will use any means necessary to increase the likelihood of an inspire-to-click campaign...
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/1067.3364.Spearphising_2D00_Infographic_2D00_ml_2D00_Nov2013_5F00_WEB.jpg_2D00_550x0.jpg
___

Fake tech support scams/SPAMs on YouTube
- http://blog.malwarebytes.org/fraud-scam/2013/12/tech-support-scammers-spam-youtube-with-robot-like-warnings/
Dec 12, 2013 - "... In a twisted new variant, crooks are calling out to all antivirus / anti-malware customers and urging them to fix their computers now. One such account was spamming -YouTube- with hundreds of videos, all using a computer-generated voice and personalized for each AV/Anti-Malware company:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/vendors.png
... The company behind this scam is “My Tech Gurus” (http ://www.mytechgurus .com):
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/website.png
Once on the phone, I am quickly directed to a remote technician and instructed to hang the call to pursue the support session directly through the chat window on my computer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/chatsession1.png
... If the ‘technician’ were honest, she would tell me there is absolutely nothing wrong with this computer... Instead she wastes no time in making up fake errors... here is the ‘technical’ explanation:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/thedetails.png
Of course, fixing those ‘errors’ is not going to be free:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/pay.png
... most of their website’s traffic comes from… India:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/india.png
... we encourage everyone to report each incident. We have created a guide* for victims that describes the variations of scams and what to do in each case. It may seem like a never-ending battle, but at the end of the day, if we’ve managed to save even just one person, then we can feel confident we’re doing the right thing..."
* http://blog.malwarebytes.org/tech-support-scams/
___

Fake FedEx SPAM - Malware Emails
- http://www.hoax-slayer.com/fedex-shipping-confirmation-malware-email.shtml
Dec 12, 2013 - "Email purporting to be from delivery company FedEx claims that a package delivery could not be completed because important information was missing. Recipients are instructed to click a link to verify their identity or risk having the package returned to sender... invites users to download "verification manager" software. If downloaded and run, the bogus "verification manager" will install malware on the user's computer:
From: FedEx UK
Subject: Package for you
SHIPPING CONFIRMATION
Dear [email address removed]
We have a package for you!
Unfortunately some important information is missing to complete the delivery.
Please follow the link to verify your identity:
verify your identity now!
You have 24 hours to compleate the verification! Otherwise the package will be returned to sender!
Order confirmation number: 56749951703
Order date: 03/12/2013
Thank you for choosing FedEx...
> http://www.hoax-slayer.com/images/fedex-verify-identity-malware-1.jpg
... Those who fall for the ruse and click the link will be taken to a -bogus- website tricked up to resemble a genuine FedEx webpage. Once on the page, they will be instructed to download and install a piece of software called the "FedEx Verification Manager", as shown in the following screenshot:
> http://www.hoax-slayer.com/images/fedex-verify-identity-malware-2.jpg
... following the instructions will not install a verification manager as claimed. Instead, it will install a trojan on the victim's computer..."
___

Spam Campaign delivers Liftoh Downloader
- http://www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/
12/12/13 - "... researchers analyzed an ongoing spam campaign that uses the "UPS delivery notification tracking number" lure to infect unsuspecting users. While UPS-related spam emails are common, this particular campaign has been observed since October 2013 and uses exploit-laden documents to deliver its payload. The initial delivered payload is the Liftoh downloader trojan, which in turn downloads additional malware as a secondary payload onto the victim's system... the spam email containing a link to a malicious "Rich Text Format" (RTF) file. The malicious RTF is attached to the email, disguised as a .doc file.
> http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.liftoh.1.png
... The spoofed sender is <auto-notify @ ups . com> or <auto @ ups . com>, but the headers reveal some of the actual senders (see Table 1). Some of the hosts listed in Table 1 may have appeared in DNS blacklisting lists such as SpamhausDBL, PSBL, SURBL, and SORBS, and some hosts are offline as of this publication. These hosts might have been compromised and used for SMTP relays, or could be part of a “use-and-throw” attacker-owned spam infrastructure... researchers observed the following domains in spam recipient email addresses:
gicom . nl
mvdloo . nl
cneweb . de
yahoo . fr
helimail . de
online . fr
tq3 . co. uk
excel . co. jp
smegroup . co . uk
fujielectric . co . jp
st-pauls . hereford . sch . uk
The RTF file contains exploits for patched vulnerabilities CVE-2012-0158 (MSCOMCTL.OCX RCE vulnerability) and CVE-2010-3333 (RTF stack buffer overflow vulnerability). Opening the RTF file drops and launches an empty document file in the user's %TEMP% folder with filename "cv.doc". Successful execution of the exploit code drops the Liftoh downloader malware onto the victim's system. This malware was observed spreading via Skype and other instant messenger applications in May 2013. Liftoh also downloaded the Phopifas worm as a secondary payload... event monitoring shows organizations in the following market verticals have been affected by Liftoh:
Banking
Manufacturing
Healthcare
Legal
Credit unions
Retail
Technology providers
... It is very likely that the threat actors will switch to other delivery mechanisms in the future that use social engineering techniques to maximize infection yields. It is also likely that the threat actors may leverage the Liftoh downloader to deliver a variety of other malware as secondary payloads..."
(More detail at the secureworks URL above.)
___

64-bit ZeuS - enhanced with Tor - banking malware
- https://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor
Dec 11, 2013 - "The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware... we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside... Whatever the intentions were of the malware author that created this piece of ZeuS – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit ZeuS does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached. Moreover, this sample has revealed that another distinct feature has been added to ZeuS functionality - ZeuS malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability."

:mad: :fear:

FYI...

Fake Amazon order SPAM
- http://threattrack.tumblr.com/post/69880436154/amazon-com-order-confirmation-spam
Dec 13, 2013 - "Subjects Seen:
Your Amazon.com order HZ1517235
Typical e-mail details:
Good day,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order WD4202401 Placed on December 9, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .com

Malicious File Name and MD5:
ORDER_JB46238.zip (765FD2406623781F6F9EB4893C681A5B)
ORDER_JB46238.exe (26E57BDE90B43CF6DAE6FD5731954C61)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/def8933618a1f5be4e260a22d0ae1c5a/tumblr_inline_mxr13wZhzU1r6pupn.png

Tagged: Amazon, Wauchos
___

Bitcoin stealing SPAM
- http://www.arbornetworks.com/asert/2013/12/bitcoin-alarm-bitcoin-stealing-spam/
Dec 12, 2013 - "The rise in Bitcoin values seems to have caused an equal increase of Bitcoin -spam- as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm .net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblidge.
> http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/btclogo-300x36.png
The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool. They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.
> http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/AppScreenshot.png
The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal* when I first scanned it... This free utility is nothing more than malware with very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero ‘bad’ reports and was -not- blacklisted... On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404..."
* https://www.virustotal.com/en/file/3e032b8c58aa17811d74f92658196374c2b8e6670640c121582690dab00573a0/analysis/

82.221.129.16
- https://www.virustotal.com/en/ip-address/82.221.129.16/information/
___

Fake - Halifax Bank Phishing Scam
- http://www.hoax-slayer.com/halifax-third-party-intrusions-phishing.shtml
Dec 13, 2013 - "... The email is -not- from Halifax. Links in the message open a -fake- website that contains web forms designed to steal the recipient's account login details, credit card data and other personal information...
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-1.jpg
... According to this message, which purports to be from UK bank, Halifax, third party intrusions have been detected on the recipient's account and, as a result, the account has been limited for security reasons. Supposedly, to restore access, the account holder must confirm his or her identity and verify that the account has not been used for fraud. The email instructs the recipient to access a "validation form" by clicking a link... Halifax customers who fall for the lies in the scam email and click the link will be taken to a -fake- website designed to look like the real Halifax site and asked to login:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-2.jpg
Next, they will be asked to provide name and contact information:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-3.jpg
And, on a final form, they will be asked to provide their card details:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-4.jpg
After the final form is completed, victims will be automatically redirected to the genuine Halifax website and, at least until the criminals begin using the stolen information, they may remain unaware that they have just been scammed. Using the information provided on the fake forms, the scammers can hijack genuine Halifax accounts, lock out their rightful owners and commit banking and credit card fraud. The bank has published information about Halifax phishing scams, including how to report any that you receive, on its website*..."
* http://www.halifax.co.uk/aboutonline/security/common-threats/phishing/

:fear: :mad:

FYI...

Malware Spam uses Geolocation to Mass Customize Filename
- https://isc.sans.edu/diary.html?storyid=17222
Last Updated: 2013-12-14 15:16:44 UTC - " Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message... received one e-mail... falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware. In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even ithe link is formed to make it look like a voicemail link with the little "/play" ending:
> https://isc.sans.edu/diaryimages/images/Screen%20Shot%202013-12-14%20at%209_48_56%20AM.png
... the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded... anti-malware coverage is -bad- according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message..."
[1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/
[2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a

A few variants...
- http://blog.dynamoo.com/2013/12/your-friend-has-just-sent-you-pic-spam.html
11 Dec 2013

- http://www.webroot.com/blog/blog/2013/11/22/fake-whatsapp-voice-message-notification-themed-emails-expose-users-malware/
Nov 22, 2013

:mad: :fear:

FYI...

Bogus Firefox add-on joins PC's to botnet - drive-by malware
- http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web-sites/
Dec 16, 2013 - "An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware... The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim... SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases. Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.
The fraudulent Firefox add-on:
> http://krebsonsecurity.com/wp-content/uploads/2013/12/sql-addon.png
The malicious code comes from sources referenced in this Malwar writeup* and this Virustotal** entry... On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant”... The malicious add-on then conducts tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities..."
(More detail at the krebsonsecurity URL above.)
* https://malwr.com/analysis/MTI2YzFkODZkNzA0NDVkYTkzNDBmZTg5YjdkMjM3MDA/

- https://malwr.com/

** https://www.virustotal.com/en/file/19b523e0db7d612dd439147956589b0c7fe264f1eb183ea3a74565ad20d3cb8a/analysis/

- https://addons.mozilla.org/en-US/firefox/blocked/i508
Blocked on December 16, 2013...
"Microsoft .NET Framework Assistant (malware) has been blocked for your protection.
Why was it blocked?
This is -not- the Microsoft .NET Framework Assistant created and distributed by Microsoft. It is a -malicious- extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites..."

- https://www.virustotal.com/en/ip-address/216.250.115.143/information/
2013-12-18
- http://google.com/safebrowsing/diagnostic?site=AS:8560
___

More Fake Amazon order SPAM ...
- http://www.hoax-slayer.com/amazon-order-details-malware.shtml
Dec 16, 2013 - "... The email is -not- from Amazon and the attached file does not contain order details. Instead, the attached .zip file harbours a malicious .exe file that, if opened, can install a trojan on the user's computer...
> http://www.hoax-slayer.com/images/amazon-order-details-malware-2013-1.jpg
... Amazon did -not- send the email and the attached .zip file does not contain order details as claimed. If opened, the .zip file reveals a .exe file. And, if users run this .exe file, a trojan may be installed on their computers... such trojans can harvest personal and financial information such as account login data from the compromised computer and send it to criminals waiting online. It may also allow the criminals to take control of the infected computer. The criminals hope that at least a few recipients, who have not made any recent Amazon orders, will be panicked into opening the attachment in the mistaken belief that a purchase has been made in their names... users who have recently bought items on Amazon might be tricked into opening the attachment in the belief that the file it contains pertains to their order..."
___

Bitcoin price hike spurs Malware, Wallet Theft
- http://blog.trendmicro.com/trendlabs-security-intelligence/bitcoin-price-hike-spurs-malware-wallet-theft/
Dec 16, 2013 - "The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC... This is giving rise to more Bitcoin-related threats. Victims are now being used either to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well. From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/12/bitcoin.jpg
... Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user... while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well."
___

Google Play - suspicious apps leak Google Account IDs
- http://blogs.mcafee.com/mcafee-labs/suspicious-apps-on-google-play-leak-google-account-ids
Dec 16, 2013 - "The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of -Android- device users. McAfee has confirmed a substantial amount of suspicious apps secretly collect Google account IDs on Google Play. In these cases, the corresponding Google account password is not collected, but leaking only IDs still poses a certain level of security and privacy risk. Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch and without prior notice to users. The total number of downloads of each app is between 10,000 and 50,000...
> http://blogs.mcafee.com/wp-content/uploads/galeaker-1.png
Another set of suspicious apps, from various categories, shown in the figure below* secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users...
* http://blogs.mcafee.com/wp-content/uploads/galeaker-2.png
More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI... We have not confirmed why the app developers secretly collect Google account IDs, or how they use them and how they manage the data securely. And we have not so far observed any malicious activities based on the stolen data. But at least these apps should notify users of the collection and of the intended use of their data–and give them opportunity to -decline- the data transfer. Android apps can retrieve Google account IDs with GET_ACCOUNTS permission granted at installation and by using one of the methods of the AccountManager class. This permission is often requested when an app uses the Google Cloud Messaging feature, which is a standard mechanism provided by Google to allow server-to-device push notification. As such, users cannot judge if granting this permission is really safe; some apps request this permission for GCM, but others for collecting account information for potentially malicious purposes...
A GET_ACCOUNTS permission request:
> http://blogs.mcafee.com/wp-content/uploads/galeaker-3e.png
... With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen... We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also -not- expose their account names..."

:fear::fear: :mad:

FYI...

Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers
- http://blog.dynamoo.com/2013/12/video-parcel-reshipping-scams-parcel.html
17 Dec 2013 - "A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers..."
(See the dynamoo URL above for the video.)

:mad: :fear: :sad:

FYI...

Malvertising campaign leads to Browser-Locking Ransomware
- http://www.symantec.com/connect/blogs/massive-malvertising-campaign-leads-browser-locking-ransomware
17 Dec 2013 - "The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, such as Ransomlock.AE, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demands that they pay a fine to the local police.
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock%201%20edit.png
What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September. These numbers may not seem particularly large for those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.
Browlock ransomware’s activity in November and December this year
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock%202.png
... The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website... In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself... Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.
Top ten regions targeted by Browlock
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock%203.png
... We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months. The most active Autonomous System (AS) has been AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS. The Browlock ransomware tactic is simple but effective. Attackers save money by -not- using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate...
Malicious infrastructures used:
AS24940 HETZNER-AS Hetzner Online AG*
IP address: 144.76.136.174 Number of redirected users: 2,387
AS48031 – PE Ivanov Vitaliy Sergeevich
IP address: 176.103.48.11 Number of redirected users: 37,521
IP address: 193.169.86.15 Number of redirected users: 346
IP address: 193.169.86.247 Number of redirected users: 662,712
IP address: 193.169.86.250 Number of redirected users: 475,914
IP address: 193.169.87.14 Number of redirected users: 164,587
IP address: 193.169.87.15 Number of redirected users: 3,945
IP address: 193.169.87.247 Number of redirected users: 132,398
AS3255 –UARNET
IP address: 194.44.49.150 Number of redirected users: 28,533
IP address: 194.44.49.152 Number of redirected users: 134,206
AS59577 SIGMA-AS Sigma ltd
IP address: 195.20.141.61 Number of redirected users: 22,960
Nigeria Ifaki Federal University Oye-ekiti
IP address: 196.47.100.2 Number of redirected users: 47,527
AS44050 - Petersburg Internet Network LLC
IP address: 91.220.131.106 Number of redirected users: 81,343
IP address: 91.220.131.108 Number of redirected users: 75,381
IP address: 91.220.131.56 Number of redirected users: 293
AS31266 INSTOLL-AS Instoll ltd.
IP address: 91.239.238.21 Number of redirected users: 8,063 "

Diagnostic page for AS24940 (HETZNER-AS)
* http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 4337 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 683 site(s)... appeared to function as intermediaries for the infection of 1634 other site(s)... We found 514 site(s)... that infected 5040 other site(s)..."

Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 178 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 25 site(s) on this network... appeared to function as intermediaries for the infection of 120 other site(s)... We found 16 site(s)... that infected 779 other site(s)..."
___

Fake ‘WhatsApp Missed Voicemail’ emails lead to pharmaceutical scams
- http://www.webroot.com/blog/2013/12/18/fake-whatsapp-missed-voicemail-themed-emails-lead-pharmaceutical-scams/
Dec 18, 2013 - "... A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/12/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01.png
Sample screenshot of the landing pharmaceutical scam page:
> https://www.webroot.com/blog/wp-content/uploads/2013/12/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam-1024x587.png
Redirection chain: hxxp :// 203.78.110.20 /horizontally.html -> hxxp ://viagraphysician .com (109.201.133.58). We’re also aware of... fraudulent domains that are known to have phoned back to the same IP (109.201.133.58)... Name servers:
ns1 .viagraphysician .com – 178.88.64.149
ns2 .viagraphysician .com – 200.185.230.32
... fraudulent name servers are also known to have participated in the campaign’s infrastructure at 178.88.64.149 ... We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs..."
(More detail at the webroot URL above.)

- https://www.virustotal.com/en/ip-address/109.201.133.58/information/

- https://www.virustotal.com/en/ip-address/178.88.64.149/information/

- https://www.virustotal.com/en/ip-address/200.185.230.32/information/

- https://www.virustotal.com/en/ip-address/203.78.110.20/information/
___

Gmail’s Image Display defaults may change your Privacy
- http://blog.trendmicro.com/trendlabs-security-intelligence/changes-to-gmails-image-display-defaults-may-change-your-privacy/
Dec 18, 2013 - "... this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google. Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps. In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users... actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits. The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are. Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware images) appears to solve a small security problem (malicious image files), while leaving at risk user’s security and privacy. Attackers still have the capability to track that users have read email–and to learn aspects of their browser environment. Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:
Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.
We -strongly- recommend that users -change- this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images."
___

Fake VISA Report SPAM / payment-history-n434543-434328745231.zip
- http://blog.dynamoo.com/2013/12/visa-recent-transactions-report-spam.html
18 Dec 2013 - "This -fake- VISA spam comes with a malicious attachment:
Date: Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
From: Visa [Eddie_Jackson@ visa .com]
Subject: VISA - Recent Transactions Report
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in
possible fraudulent transactions. For security reasons the requested transactions were
refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Virgie_Cruz
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom ...

Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48*, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49**. Automated analysis tools... indicate a network connection to bestdatingsitesreview4u .com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server, blocking either the IP or domain temporarily may help mitigate against infection."
* https://www.virustotal.com/en/file/fd5451a5d4731ae279fcc5cdad37ec4f76e81957f9be643fd0934d67cba387ac/analysis/1387397621/

** https://www.virustotal.com/en/file/c7172701eeb5bfaa15acf865a6ff80b2c01fc437072f644b768386a23f262127/analysis/1387397396/

- https://www.virustotal.com/en/ip-address/38.102.226.126/information/

:mad: :fear: :sad:

FYI...

Fake Voicemail SPAM - from "Elfin Cars Sports"
- http://blog.dynamoo.com/2013/12/new-voicemail-message-from-elfin-cars.html
19 Dec 2013 - "This -fake- voicemail message from "Elfin Cars Sports" has a malicious attachment:
Date: Thu, 19 Dec 2013 08:36:56 -0600 [09:36:56 EST]
From: Voice Mail [noreply@ spamcop .net]
Subject: New Voicemail Message
New Voicemail Message
You have been left a 1:02 long message (number 1) in mailbox from "Elfin Cars Sports"
07594434593, on Thursday, December 19, 2013 at 07:20:02 AM
The voicemail message has been attached to this email - which you can play on most
computers...

The attachment is VoiceMail.zip with a VirusTotal detection rate of 9/49*, which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file, and this has a also detection rate of 9/49** (but with slightly different detections). Automated analysis tools... show an attempted connection to plantautomation-technology .com on 216.151.164.211 (NJ Tech Solutions, US) and anuudyog .com on 66.7.149.156 (Web Werks, US)."
* https://www.virustotal.com/en-gb/file/c9705f38f51fa419ec3f59421aeee7f27c89b7b45a5088c141326f19adc0480a/analysis/1387465669/

** https://www.virustotal.com/en-gb/file/d2e63c058e914b511d6f33960f0a031d623fb83341dd4c0cfec555de732e44bf/analysis/1387465683/
___

Fake Navy Federal Credit Union Phish
- http://threattrack.tumblr.com/post/70485890383/navy-federal-credit-union-phish
Dec 19, 2013 - "Subjects Seen:
NAVY FEDERAL Credit Union
Typical e-mail details:
We recently reviewed your account, and we suspect an unauthorized ATM-based transactions on your account access. Our banking service will help you to avoid frequently fraud transactions and to keep your savings and investments confidential.
To ensure that your account is not compromised please login to NAVY Account Access by clicking this link, verify and update your profile and your current account access will be 128-bit encrypted and guard by our security system.
- Click Here to login your Federal Credit Union Account
- Enter your Account Access details
- Verify and update with NAVY FEDERAL
Thank you for using F.C.U Account Access Security

Malicious URLs:
holidayindingle .com/wp-admin/css/colors/blue/gos/
80.93.29.195
- https://www.virustotal.com/en/ip-address/80.93.29.195/information/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/60c69283a087981d79c8ee5168829d36/tumblr_inline_my234zcEAF1r6pupn.png

Tagged: Navy Federal Credit Union, phish
___

AT&T Voicemail Message Spam
- http://threattrack.tumblr.com/post/70498350698/at-t-voicemail-message-spam
Dec 19, 2013 - "Subjects Seen:
AT&T - You Have a new Voice Mail
Typical e-mail details:
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
The length of transmission was 25 seconds.
Thank you,
AT&T Online Services

Malicious File Name and MD5:
VoiceMail.zip (BE7D2F4179D6D57827A18A20996A5A42)
VoiceMail.exe (D1CA2DC1B6D1C8B32665FCFA36BE810B)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/6d1b214f58019207207945b6f0c1372d/tumblr_inline_my2cl9aSPC1r6pupn.png

Tagged: AT&T, Upatre
___

Fake emails regarding license key from Adobe - trojan
- http://blog.mxlab.eu/2013/12/19/trojan-attached-in-fake-emails-regarding-license-key-from-adobe/
Dec 19, 2013 - "... new trojan distribution campaign by email with the following subjects:
Download your adobe software
Download your license key
Thank you for your order
Your order is processed
This email is send from the spoofed address “Adobe Software <soft@ adobes .com>”, “Adobe Software <support@ adobes .com>”, “Adobe <software@ adobes .com>”, “Adobe Software <your_order@ adobes .com>” or similar and has the following body:
Hello.
Thank you for buying Director 11.5 software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
Hello.
Thank you for buying Creative Suite 6 Master Collection software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
Order Notification.
Thank you for buying Adobe Connect software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
The attached ZIP file has the name License_Key_OR8957.zip and contains the 209 kB large file License_Key_Document_Adobe_Systems_Incorporated.exe. The trojan is known as Win32:Malware-gen, W32/Trojan.BDDH-7155, W32/Trojan3.GVP, Trojan-Downloader.Win32.Dofoil.rqh or Artemis!30AAE526F5C4. At the time of writing, 11 of the 45 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/a6cb6905775a7c4995222b3d91e7513a405d0cd183b7106dd713e720b2a4762a/analysis/1387485019/

Alert: Adobe License Key Email Scam
- http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/
Dec 20, 2013 - "Adobe is aware of reports that a phishing campaign is underway involving malicious emails purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should -delete- it immediately without downloading attachments or following hyperlinks that may be included in the message..."

:mad: :fear:

FYI...

Fake ADP Fraud Secure Update Spam
- http://threattrack.tumblr.com/post/70587915512/adp-fraud-secure-update-spam
Dec 20, 2013 - "Subjects Seen:
ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre. Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll
on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.

Malicious File Name and MD5:
2013 Anti-Fraud Secure Update.zip (EFF54DFFF096C439D07B50A494D6B435)
2013 Anti-Fraud Secure Update.exe (D4CBC4F2BE31277783F63B3991317AFE)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/206afa7c773e9cb15ab7c24bf8116ac4/tumblr_inline_my41kdEEtA1r6pupn.png

Tagged: ADP, Upatre
___

Fake Dept. of Treasury - Notice of Outstanding Obligation Spam
- http://threattrack.tumblr.com/post/70597137872/department-of-treasury-notice-of-outstanding-obligation
Dec 20, 2013 - "Subjects Seen:
Department of Treasury Notice of Outstanding Obligation - Case L3FY2OH7CD1N9OS
Typical e-mail details:
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Malicious File Name and MD5:
FMS-Case-L3FY2OH7CD1N9OS.zip (D82A734CC165A85D1C19C65A6A9EA2A7)
FMS-.exe (167744869CBD5560810B7CF2A03BD6FF)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c9ca0241c01bd51afa7ee8985765bc24/tumblr_inline_my47ubkkd51r6pupn.png

Tagged: Upatre, Department of Treasury
___

Fake AT&T voicemail - malware...
- http://www.hoax-slayer.com/atandt-new-voice-mail-malware.shtml
Dec 20, 2013 - "... Message purporting to be from telecommunications company AT&T claims that a new voicemail could not be delivered to the recipient. The email includes an attached file that supposedly contains the voicemail.
Analysis: The message is not from AT&T and the attached file does not contain a missed voicemail. Instead, the attachment harbours a malicious .exe file hidden within a .zip file. Opening the .exe file can install malware on the user's computer...
> http://www.hoax-slayer.com/images/atandt-new-voice-mail-malware-1.jpg
This attack is similar to another malware distribution that claims that WhatsApp users have a new voicemail waiting. Clicking the "Play" button in the -bogus- email will open a malicious website that harbours malware..."

:fear: :mad:

FYI...

Fake QuickBooks SPAM / Invoice.zip
- http://blog.dynamoo.com/2013/12/quickbooks-spam-invoicezip.html
23 Dec 2013 - "This -fake- QuickBooks spam has a malicious attachment:
Date: Mon, 23 Dec 2013 07:54:35 -0800 [10:54:35 EST]
From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 12/23/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Randal Owen ...

Attached to the message is a file Invoice.zip which has a VirusTotal detection rate of 5/44*, which in turn contains a malicious executable Invoice.exe with a detection rate of 5/49**. Automated analysis... shows an attempted connection to wifordgallery .com on 174.127.73.250 (Hosting Services Inc, US), it appears to be the only domain on that server so blocking the IP or domain itself may give you some protection against this current run of malware."
* https://www.virustotal.com/en-gb/file/f699d5ff02ea67276220385c5d6335ee8005f9ab30a0da82cde592e83e7f7595/analysis/1387814800/

** https://www.virustotal.com/en-gb/file/200f56fec7d3b793662ad9481f153f80cc79bc0f76ba999b8f5c24cea1ee9d88/analysis/
___

More Email scams, spam...
- https://isc.sans.edu/diary.html?storyid=17276
Last Updated: 2013-12-23 20:27:58 - "... new wave of email making the rounds, with a message that looks as follows:
> https://isc.sans.edu/diaryimages/images/c1.jpg
... The subject seems to be one of "Delivery Canceling", "Express Delivery Failure" or "Standard Delivery Failure". Next to Costco, the same scam is currently ongoing for BestBuy and Walmart, maybe others. The links are (appear to be) random or encoded, there is no repeat occurrence of the URL and "package number" for the entire sample set that we have. It could well be that the BASE64 portion of the URL contains an encoded hash of the email address to which the phish was sent, so when you play with one of the samples, be mindful that you could be confirming the email address back to the bad guys... For a change, clicking on the link doesn't bring up a web form asking for your credit card number. Instead, it quite bluntly downloads a ZIP which contains an EXE. What makes this particular version more cute than others is that the EXE inside the ZIP is re-named on the fly, based on the geolocation of your download request. In my case, this spoiled the fun some, because "CostcoForm_Zürich.exe" and "CostcoForm_Hamburg.exe" didn't look all that credible: There are no Costcos in Switzerland or Germany :) ... As for the malware: Lowish detection as usual, Virustotal 12/44*. Malwr/Cuckoo analysis**. The malware family so far seems to have a MUTEX of "CiD0oc5m" in common, and when run, it displays a Notepad that asks the user to try again later (while the EXE installs itself in the background)... Hosts currently seen pushing the malware include:
bmaschool .net Address: 61.47.47.35
bright-color .de Address: 78.46.149.229
am-software .net Address: 64.37.52.95
artes-bonae .de Address: 81.169.145.149
automartin .com Address: 46.30.212.214
almexterminatinginc .com Address: 50.63.90.1
brandschutz-poenitz .de Address: 81.169.145.160
All these sites have been on the corresponding IP addresses since years, which suggests that these are legitimate web sites that have been compromised/hacked, and are now being abused to push malware..."
* https://www.virustotal.com/en/file/f80c9b51c6357ca07f7204ab5a60b3912180103ac64e6dfaf15e6dc9481a028d/analysis/1387825985/

** https://malwr.com/analysis/MjUxNzExNGIwMTJkNGY4MThiMTI0MTJlMWRjYmM0NzU/
"... Hosts: IP 95.101.0.114 ..."
- https://www.virustotal.com/en/ip-address/95.101.0.114/information/

Keywords: malware scam
___

Fake Court hearing SPAM - Court_Notice_Jones_Day_Wa#8127.zip
- http://blog.dynamoo.com/2013/12/hearing-of-your-case-in-court-nr6976.html
23 Dec 2013 - "... malicious attachment:
Date: Mon, 23 Dec 2013 10:05:38 -0500 [10:05:38 EST]
From: Notice to Appear [support.6@ jonesday .com]
Subject: Hearing of your case in Court NR#6976
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 9, 2014 at 10:00
am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Alison Smith
Clerk to the Court.

There is an attachment Court_Notice_Jones_Day_Wa#8127.zip which in turn contains an executable Court_Notice_Jones_Day_Washington.exe which is presumably malicious, but I can't analyse it. The VirusTotal detection rate for the ZIP is 4/49*."
* https://www.virustotal.com/en-gb/file/0067a31360bda03b85ceac1df405bd073cb86d9fdd6b6f9c5529bf77a160dac7/analysis/1387815631/

Same stuff D.D.: https://isc.sans.edu/diary.html?storyid=17279
Last Updated: 2013-12-24 00:54:04
Keywords: scam spam malware

:fear::mad:

FYI...

Fake Apple reactivation email - phishing attempt
- http://blog.mxlab.eu/2013/12/30/reactivation-email-from-service-apple-is-fake-and-contains-a-phishing-attempt/
Dec 30, 2013 - "MX Labs... intercepted a phishing email from the spoofed email address “Service Apple <client@ apple .com>” with the subject “Reactivation No: A3556P325LL346E?” and the following body:
Dear (e) client (e)
We inform you that your account is about to expire in less than 48 hours, it is imperative to conduct an audit of your information now, otherwise your account will be deleted.
Download the attached form and open it in your browser and make your request.
Why you email he sent?
The sending of this email applies when the date of expiration of your account will terminate.
Thank you,
Assistance Apple customers

Screenshot: http://img.blog.mxlab.eu/2013/20131230_apple_phish_1.gif

The email comes with the attachment Apple.html. Once opened you will have the following screen:
> http://img.blog.mxlab.eu/2013/20131230_apple_phish_2.gif
The HTML page contains code to use an -iframe- and the real web form is hosted on hxxp ://photosappl.bbsindex .com:89/apple .com/ca/index.html.
Once all the details are filled in, the user is -redirected- to the official log in page of Apple at https ://secure2.store.apple .com/es/sign_in/."
___

Fake Tesco phish ...
- http://www.welivesecurity.com/2013/12/30/phishing-for-tesco-shoppers/
Dec 30, 2013 - "... -scam- message again, just for comparison.
Dear Valued Customer,
NatWest is giving out free shopping vouchers for your favorites stores for Christmas.
This offer is only for NatWest Credit Card Online Services users and it will be valid to use until the 31st of December, 2013
To Qualify for this opportunity, Kindly Click here now.
After validation your voucher will be sent via text message or posted to your Mailbox.
Yours Sincerely,
NatWest Credit Card Services.

The example below – with the subject header “Free Tesco Vouchers for Christmas.” – is a little more sophisticated. For a start, it has the festive Tesco Bank logo currently in use, complete with Google-ish party hat on the ‘O’. And since TESCO is probably better known for its supermarkets than for its banking and insurance services, even to people who never use it, it’s rather more credible that the bank might be offering vouchers for Tesco stores, rather than the vague and ungrammatical ‘your favorites stores’...
> http://www.welivesecurity.com/wp-content/uploads/2013/12/tesco-logo.png
Dear Valued Customer,
Tesco Bank is giving you a chance to shop for free at any of our tesco outlets or online by giving out free tesco vouchers for Christmas.
This offer is only for Tesco Credit Card and Tesco Savings/Loan owners and it will be valid to use until the 31st of December,2013.
SAVINGS OR LOAN CUSTOMER CLICK THE LINK BELOW
Savings/Loan Click here to Claim
CREDIT CARD CUSTOMER CLICK THE LINK BELOW
Credit Card Click here to Claim
After validation your voucher will be sent via text message or posted to your Mailbox.
Tesco Personal Finance Online Service

Most bank phishing messages come in waves/campaigns, and they’re not particularly topical. The scammers keep sending out material that falls into one of the same set of social engineering categories... While they want you to respond immediately (before you have time to think about it, and before the link disappears because security researchers have found it and taken action), the content isn’t particularly topical. This one, however, resembles the sort of topical approach we associate with other kinds of malicious activity (botnets, fake AV, charity/disaster relief scams and so on) where social engineering is based on a current seasonal event (Xmas, Valentine’s Day, Cyber Monday) or news item (real or fake)..."
___

Snapchat security issues ...
- http://www.darkreading.com/vulnerability/researchers-reveal-snapchat-security-iss/240165041?printer_friendly=this-page
Dec 27, 2013 - "Snapchat, the popular photo messaging service, got a visit from the privacy Grinch this Christmas season after researchers released details of an exploit that abuses Snapchat's "Find My Friends" feature. The visit was the work of Gibson Security*, which first notified Snapchat of this and other security issues back in August. According to the group, Snapchat did not respond, compelling Gibson Security to publicly release more details and some proof-of-concept code on Christmas Eve. The first target: Snapchat's Find My Friends feature. Typically, Find My Friends enables users to look up their friends' usernames by uploading the phone numbers in their devices' address book and searching for accounts that match those numbers. The researchers, however, were able to abuse that capability to do that on a massive scale... researchers say an attacker could use the Snapchat API to write an automated program that generates phone numbers and searches them against the Snapchat database as a step toward building a database of social networking profiles that could be sold to others..."
* http://gibsonsec.org/

:fear: :mad:

FYI...

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Deposit Statement Email Messages - 2014 Jan 02
Fake Business Complaint Notification Email Messages - 2014 Jan 02
Fake Personal Picture Email Messages - 2014 Jan 02
Fake Hotel Reservation Request Email Messages - 2014 Jan 02
Fake Account Payment Information Email Messages - 2014 Jan 02
Fake Product Purchase Request Email Messages - 2014 Jan 02
Fake Online Purchase Email Messages - 2014 Jan 02
Fake Account Information Request Email Messages - 2014 Jan 02
Fake Payment Notification - 2014 Jan 02
Fake Job Offer Documents Email Messages - 2014 Jan 02
Fake Account Refund Email Messages - 2014 Jan 02
Fake Court Appearance Request Email Messages - 2014 Jan 02
Fake Product Order Email Messages - 2014 Jan 02
(More detail and links at the cisco URL above.)

:mad: :sad:

FYI...

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Email Messages with Malicious Images - 2014 Jan 03
Fake Financial Document Delivery Email Messages - 2014 Jan 03
Fake Product Order Inquiry Email Messages - 2014 Jan 03
Fake Court Hearing Documents Email Messages - 2014 Jan 03
Fake Product Purchase Order Email Messages - 2014 Jan 03
Fake Shipping Information Email Messages - 2014 Jan 03
Fake Payroll Invoice Email Messages - 2014 Jan 03
Fake Bank Transfer Notification Email Messages - 2014 Jan 03
Fake Account Bill Statement Email Messages - 2014 Jan 03
Fake Court Appearance Request Email Messages - 2014 Jan 03
Fake Financial Report Email Messages - 2014 Jan 03
Fake Order Details Email Messages - 2014 Jan 03
Fake Invoice Statement Attachment Email Messages - 2014 Jan 03
Fake Account Payment Confirmation Email Messages - 2014 Jan 03
Fake Personal Photos Email Messages - 2014 Jan 03
Fake Online Order Details Email Messages - 2014 Jan 03
Fake Document Delivery Email Messages - 2014 Jan 03
Fake Court Documents Email Messages - 2014 Jan 03
Fake Services Invoice Email Messages - 2014 Jan 03
(More detail and links at the cisco URL above.)

:mad: :fear:

FYI...

Malicious Ads from Yahoo
- https://isc.sans.edu/diary.html?storyid=17345
Last Updated: 2014-01-04 13:49:34 UTC - "According to a blog post from fox-it.com*, they found ads.yahoo .com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe. Yahoo appears to be aware and addressing the issue, according to the blog..."
* http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
Jan 3, 2014 - "... Clients visiting yahoo.com received advertisements served by ads.yahoo .com. Some of the advertisements are malicious. Those malicious advertisements are iframes... Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:
boxsdiscussing .net
crisisreverse .net
limitingbeyond .net
and others
All those domains are served from a single IP address: 193.169.245.78 *. This IP-address appears to be hosted in the Netherlands. This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
ZeuS
Andromeda
Dorkbot/Ngrbot
Advertisement clicking malware
Tinba/Zusy
Necurs
The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier... it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo.
> http://foxitsecurity.files.wordpress.com/2014/01/yahoo-ad-distribution.jpg?w=448&h=387
... Block access to the following IP-addresses of the malicious advertisement and the exploit kit:
Block the 192.133.137/24 subnet
Block the 193.169.245/24 subnet
Also closely inspect network traffic for signs of successful exploits for any of the dropped malware. Yahoo is aware of the issue and looking into it.
Please watch this page for updates.
Update: January 3, 1815 (GMT+1): It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem."

* https://www.virustotal.com/en/ip-address/193.169.245.78/information/

- http://help.yahoo.com/kb/index?page=content&y=PROD_FRONT&locale=en_US&id=SLN22569
Update on ads 1/5/14

:fear: :mad: :fear:

FYI...

Fake Amazon account phish
- http://blog.dynamoo.com/2014/01/unauthorized-activity-on-your-amazon.html
6 Jan 3024 - "... new wave of phishing emails, here's a new one looking for Amazon credentials.
Date: Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
From: Amazon [noreply@ trysensa .com]
Case- 91289-90990
Unauthorized Activity on your Amazon account.
We recently confirmed that you had unauthorized activity on your Amazon account.
Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.
Unfortunately, we have not confirmed your complete information , please follow the instructions below.
Click the link below to validate your account information using our secure server:
Click Here To Active Your Amazon Account
For your protection, you must verify this activity before you can continue using your account
Thank You.
Amazon LTD Security System

The link in the email goes to [donotclick]immedicenter .com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:
> http://2.bp.blogspot.com/-NtFM6bDPGL4/UsqVU6VUT5I/AAAAAAAACYk/vN_Mb3KZDis/s1600/amazon-login-1.png
The next page phishes for even more information... it goes after your credit card information... then gets sent to the genuine Amazon .com website. In most email clients, floating over the link would clearly demonstrate that this was not the legitimate amazon.com website, and certainly once visited (not something I would recommend) then the address bar at the top of the browser would clearly indicate it is -not- amazon .com. If you have accidentally clicked through this email and provided all the details then you should contact your bank immediately and also change your Amazon password plus any other places that you use that same username/password combination."
___

The $9.84 Credit Card Hustle
- http://krebsonsecurity.com/2014/01/deconstructing-the-9-84-credit-card-hustle/
Jan 6, 2014 - "Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84... repeatedly advised readers to keep a close eye on their bank statements for -bogus- transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom. One reader said the $9.84 charge on her card came with a notation stating the site responsible was eetsac .com. I soon discovered that there are -dozens- of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread* at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.
> http://krebsonsecurity.com/wp-content/uploads/2014/01/homecs.png
... A closer look at some of those domains reveals a few interesting facts. Callscs .in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs .in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075... this is not a new type of fraud, nor is this particular fraud a recent occurrence — although the bogus $9.84 charges do appear to have spiked around the holidays. Most of the domains involved in this scheme were registered a year ago or more, and a quick search on the amount $9.84 shows that the fraudsters responsible for this scheme have been at it since at least the first half of 2013. If you see a charge like this or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to abused like this again..."
(More detail at the krebsonsecurity URL above.)
* http://www.amazon.com/gp/help/customer/forums/ref=cm_cd_pg_oldest?ie=UTF8&authToken=&cdForum=Fx2NFGOONPZEXIP&cdPage=1&cdSort=newest&cdThread=Tx2EME4IL59BUP4

> http://www.scambook.com/search?search=IAWCS.COM&sort=relevance
___

Zeus spoofing Bitdefender AV ...
- http://www.webroot.com/blog/2014/01/06/zeus-infection-spoofing-bit-defender-av/
Jan 6, 2014 - "... noticed a large amount of -Zeus- infections that are -spoofing- the Bitdefender name. While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5`s in the last week alone! The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website... This infection can get onto a user’s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kits uses Java Exploits to drop and execute a file. Unless the user is very alert, they typically won’t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically ran on start-up... the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker/ICE and other Rogue AV`s)... Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector... this infection has also been seen to be spread by email... Always be alert to any email attachments, even if they’re from friends/relatives, and especially executable files that are inside a zip file..."

:fear::fear: :mad:

FYI...

Spam... trends of 2013
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-year-of-spam-the-notable-trends-of-2013/
Jan 7, 2014 - "... still saw traditional types of spam, we also saw several “improvements” which allowed spammers to avoid detection and victimize more users. We also saw spam utilized more to carry malware since the start of the year.
Spam volume from 2008...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/2013-spam-volume.jpg
... In 2013, we saw 198 BHEK spam campaigns, a smaller number compared to the previous year... In this particular spam run, the volume of spammed messages reached up to 0.8% of all spam messages collected during the time period.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/2013-BHEK.jpg
... The number of BHEK spam runs dwindled until there was none in December... the use of malware attachments remains constant in the threat landscape. This suggests that there are users who still fall prey to simple techniques (such as urging users to click on an attachment). We noticed that the number of spam with malicious attachments fluctuated throughout the year, before it steadily increased in the latter months.
Volume of spam messages with -malicious- attachments
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/spam-malware-attachment.jpg
From the first to third quarter of the year, ZBOT/ZeuS was the top malware family distributed by spam. This family is known for stealing financial-related information. Halfway into the third quarter, however, we noticed that TROJ_UPATRE* unseated ZBOT and became the top malware attachment. In November, about 45% of all malicious spam with attachments contained UPATRE malware. UPATRE became notorious for downloading other malware, including ZBOT malware and ransomware, particularly CryptoLocker. This type of attack is doubly risky for users because not only will their information be stolen, their files will also become inaccessible..."
* http://about-threats.trendmicro.com/us/malware/TROJ_UPATRE.VNA
___

64-bit ZBOT leverages Tor - improves evasion techniques
- http://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-zbot-leverages-tor-improves-evasion-techniques/
Jan 7, 2014 - "... we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also lead us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques... Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version. The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers... This 64-bit version for ZeuS/ZBOT is an expected progression for the malware, especially after ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. Adding other functionalities such as rootkit capability and the use of a Tor component are further proof that we can see more modifications in the future, particularly those that help circumvent or delay antimalware efforts..."
___

Wells Fargo Important Documents Spam
- http://threattrack.tumblr.com/post/72579411468/wells-fargo-important-documents-spam
Jan 7, 2014 - "Subjects Seen:
ATTN: Important Bank Documents
Typical e-mail details:
We have received this documents from your bank, please review attached documents.
Lanny Hester
Wells Fargo Advisors

Malicious File Name and MD5:
BankDocs-4F17B9844A.zip (1A493400DBDE62CC64AB2FC97985F07B)
BankDocuments_FE0274A4593F58683C1949896834F32939859835947694653298321744361597236489231640913264.pdf.exe (8F24720E4D08C986C0FE07A66CCF8380)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7a3955f21a2e5cf1833d2538b6a7b5fc/tumblr_inline_mz1s1nPzwB1r6pupn.png

Tagged: wells fargo, Upatre
___

'Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam ...
- http://www.webroot.com/blog/2014/01/07/adobe-license-service-center-order-nr-notice-appear-court-themed-malicious-spam-campaigns-intercepted-wild/
Jan 7, 2014 - "... Despite the lack of blog updates over the Holidays, we continued to intercept malicious campaigns over the same period of time, proving that the bad guys never take holidays... The first campaign successfully impersonates Adobe’s License Service Center, in an attempt to trick users into thinking that they’ve successfully purchased a Creative Suite 6 Design Standard software license key.
Sample screenshot of the first spamvertised campaign:
> https://www.webroot.com/blog/wp-content/uploads/2014/01/Adobe_License_Service_Center_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineering1.png
Detection rate for the spamvertised attachment: MD5: 10dbbaaceda4dce944ebb9c777f24066 * TrojanDownloader:Win32/Kuluoz.D.
The second campaign, attempts to trick users into thinking that they’ve received a notice to appear in court.
Sample screenshot of the spamvertised attachment:
> https://www.webroot.com/blog/wp-content/uploads/2014/01/Chicago_Court_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineerig1.png
Detection rate for the spamvertised attachment: MD5: c77ca2486d1517b511973ad1c923bb7d ** TrojanDownloader:Win32/Kuluoz.D; Backdoor.Win32.Androm.bket.
Once executed the sample phones back to:
... 109.169.87.141... also known to have responded to 200.98.141.0 ... Two more MD5s are known to have responded to the same C&C IP in the past..."
* https://www.virustotal.com/en/file/d5ec477dc0b39867b39a56b9ca7652c8ea115533583d8b6211c1e4f53537bbb2/analysis/1389006917/

** https://www.virustotal.com/en/file/bc55a78b008cce2102f3679adc4694211cf61710e2bcf49391365928a0e96519/analysis/1389008875/

:fear::fear: :mad:

FYI...

More malicious "Voice Message from Unknown" SPAM
- http://blog.dynamoo.com/2014/01/more-voice-message-from-unknown-spam.html
8 Jan 2014 - "Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:
Subject: Voice Message from Unknown (996-743-6568)
Subject: Voice Message from Unknown (433-358-8977)
Subject: Voice Message from Unknown (357-973-7738)
Body:
- - -Original Message- - -
From: 996-743-6568
Sent: Wed, 8 Jan 2014 12:06:38 +0000
To: [redacted]
Subject: Important Message to All Employees

Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to casbir .com .au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent."
* https://www.virustotal.com/en-gb/file/040ffe7e91bf3f640e62bea1deea85280256eff407c6c176d63b730731eda2dd/analysis/1389191399/
___

jConnect Fax Spam
- http://threattrack.tumblr.com/post/72662543973/jconnect-fax-spam
Jan 8, 2014 - "Subjects Seen:
jConnect fax from “<phone number>” - 21 page(s), Caller-ID: <phone number>
Typical e-mail details:
Fax Message [Caller-ID: <phone number>]
You have received a 21 page(s) fax at 2012-12-17 05:25:32 EST.
* The reference number for this fax is lax3_did10-1514386087-4062628129-11.
This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2.com/downloads
Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!

Malicious File Name and MD5:
FAX_93-238738192_19.zip (3A8CAA5972CF72CCEB0C40531C28B5AB)
FAX_93-238738192_19.exe (CA2628B955CAC2C8B6BD9F8C4C504FA4)

Screenshot: https://31.media.tumblr.com/245418432179a0bd5297d62bf564f010/tumblr_inline_mz375kXLm51r6pupn.png

Tagged: jconnect, Upatre
___

LinkedIn Makes Federal Case Out of Fake Accounts
- http://blogs.wsj.com/digits/2014/01/07/linkedin-makes-federal-case-out-of-fake-accounts/
Jan 7, 2014 - "LinkedIn, the business-focused social network, charged in a federal civil lawsuit that 10 unnamed people had created thousands of fake accounts that can be used to pass on malicious computer code or puff up users’ profiles. In a suit filed Monday in U.S. District Court for the Northern District of California, LinkedIn said it had deleted the abusive accounts and traced them to an Amazon Web Services account. It’s asking the cloud computing giant to hand over the names of the owners of the web-services accounts. Amazon Web Services offers computing power for rent via the Internet. An Amazon spokeswoman did not immediately respond to a request for comment. LinkedIn accuses the unnamed people of violating its user agreement by creating multiple fake accounts that stole data from legitimate LinkedIn profiles through a method called scraping*..."
* http://www.hotforsecurity.com/blog/linkedin-files-lawsuit-against-fake-account-creators-7594.html
Jan 8, 2014 - "... In November, Bitdefender warned about fake LinkedIn profiles that gather personal details** and lead users to dangerous websites..."
** http://www.hotforsecurity.com/blog/alluring-fake-recruiters-entice-linkedin-users-with-attractive-job-offers-7362.html
Nov 21, 2013 - "... As many users speak English and a native language, the scam aims at most countries in the world especially the US, where over 84 million users are active on LinkedIn. The fake recruiter spreads the link to the scam using URL shortening techniques. The bogus profile of “Annabella Erica” was already injected into authentic LinkedIn groups such as Global Jobs Network, which includes 167,000 users worldwide. Members of the social network are now sharing insights on more than 2.1 million groups, so the number of victims exposed to the scam could be a lot higher. The fake employment website is registered on a reputable “.com” domain to avoid raising doubts as to its authenticity. Scammers gather e-mail addresses and passwords they may later use for identity theft. Fraudsters usually register websites for longer periods and sometimes make their pages look even better than legitimate websites..."
___

inTuit/TurboTax phish
- http://security.intuit.com/alert.php?a=95
1/7/14 - "Here is a copy of the phishing email people are receiving. Be sure -not- to open the attachment.

TurboTax Alert: Your $4,120.55 Tax Refund!
> http://security.intuit.com/images/ttphish.jpg
Dear Customer,
You've received a Tax Refund of $4,120.55.
Kindly find attached file to view your Refund Confirmation from TurboTax.
Please keep this refund confirmation for your records.
NOTE: TurboTax/IRS will not request your banking details through email, sms or telephone.
Thank you for using TurboTax

This is the end of the -fake- email.
Steps to Take Now:
Do -not- open the email attachment...
Delete the email."

:mad: :fear:

FYI...

Fake Browser update site installs Malware
- http://www.symantec.com/connect/blogs/fake-browser-update-site-installs-malware
9 Jan 2014 - "In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http ://newyear[REMOVED]fix .com, was registered on Dec 30, 2013. Based on our research, 94 percent of attacks appear to be targeting users based in the United Kingdom through advertising networks and free movie streaming and media sites... This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down. The website, which is hosted in the -Ukraine- uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect. The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates...
Page displayed to Chrome users
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%201.png
Page displayed to Firefox users
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%202.png
Page displayed to Internet Explorer users
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%203.png
JavaScript loop button which requires 100 clicks to close
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%204.png
At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe. Both of these samples are detected by Symantec as Trojan.Shylock*..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99
___

Spam Overdose Yields Fareit, Zeus and Cryptolocker
- http://www.f-secure.com/weblog/archives/00002655.html
Jan 9, 2014 - "... massive spam surge with the same subjects and attachments in our spam traps.
>> http://www.f-secure.com/weblog/archives/emails.PNG
>>> http://www.f-secure.com/weblog/archives/emailstats.png
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers. For the two samples coming from these spam, we've seen them connecting to these to send information:
• networksecurityx .hopto .org
• 188.167.38.131
• 94.136.131.2
• 66.241.103.146
• 37.9.50.200
In addition to stealing data, these samples download other malware including Zeus P2P... Other malware seen installed in the system was Cryptolocker.
> http://www.f-secure.com/weblog/archives/btc.PNG
... Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants."

- http://google.com/safebrowsing/diagnostic?site=hopto.org/

- https://www.virustotal.com/en/ip-address/188.167.38.131/information/

- https://www.virustotal.com/en/ip-address/94.136.131.2/information/

- https://www.virustotal.com/en/ip-address/66.241.103.146/information/

- https://www.virustotal.com/en/ip-address/37.9.50.200/information/
___

JPMorgan Chase SecureMail Spam
- http://threattrack.tumblr.com/post/72770317229/jpmorgan-chase-securemail-spam
Jan 9, 2014 - "Subjects Seen:
You have a new encrypted message from JPMorgan Chase & CO.
Typical e-mail details:
You have received a secure e-mail message from JPMorgan Chase & CO..
We care about your privacy, JPMorgan Chase & CO. uses this secure way to exchange e-mails containing personal information.
Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.

Malicious File Name and MD5:
Secureinformation.zip (19CCB0B5FCF8D707671E5F98AC475D36)
Secureinformation.exe (7F81501C468FF358DE1DA5B1F1AD150B)

Screenshot: https://31.media.tumblr.com/84b205b1c95963599c75ad1a8f504e2b/tumblr_inline_mz54fwHloB1r6pupn.png

Tagged: Chase, Upatre
___

IRS Tax Return Spam
- http://threattrack.tumblr.com/post/72779324288/irs-tax-return-spam
Jan 9, 2014 - "Subjects Seen:
IRS: Early 2013 Tax Return Report!
Typical e-mail details:
Dear Member
Here is a report on your early 2013 Federal Tax return report. Kindly download the attachment to view your report and start filling for 2013 return as early as second week of December.
Thanks
Internal Revenue Service

Malicious File Name and MD5:
Early2013TaxReturnReport_D0E7937B80.zip (E76B91B9010AE7ABDC264380B95BF86D)
Early2013TaxReturnReport_983456948574980572398456324965984573984509324.pdf.exe (FE20A23BEC91B7EC1E301B571CE91100)

Screenshot: https://31.media.tumblr.com/a5c84027cb11ed21a4ec12d0754733b1/tumblr_inline_mz5ak6wRXE1r6pupn.png

Tagged: IRS, Fareit
___

- http://blog.mxlab.eu/2014/01/09/email-attn-early-2013-tax-return-report-contains-trojan/

- https://www.virustotal.com/en/file/bcbd43ec615225cede44318677c65f89c9113705c4cd7f975ea3d4c327a18bd5/analysis/
Early2013TaxReturnReport_ ...
Analysis date: 2014-01-10 12:55:07 UTC

- https://malwr.com/analysis/YzgyZWQzMDI2YjRjNGZlNTg3MzYwY2Y1OTU4MDdhODQ/

:fear: :mad:

FYI...

Fake Bank Statement SPAM
- http://threattrack.tumblr.com/post/72870666524/bank-statement-spam
Jan 10, 2014 - "Subjects Seen:
Bank Statement. Please read
Typical e-mail details:
Hello <email name>,
I attached the December Invoice that contains the Property Tax and the other document showing the details mentioned below.
I am at your disposal for any further question.
Waiting for your instructions concerning the document attached.
Goldie Oliver

Malicious File Name and MD5:
USBank_December_2013_17F9968085.zip (5A2E558A7DC17998A11A0FBFB34AACF9)
USBank - December 2013_ID39485394562093456309847589346598237598320471237481923427583450.pdf.exe (2089EAC526883C98D67D399449B461DB)

Screenshot: https://31.media.tumblr.com/66b87ad8c326f8dd4df1ae31ff410018/tumblr_inline_mz6x0jV1p11r6pupn.png

Tagged: Bank Statement, Fareit
___

Junk Mail vs Scam Mail
- http://www.bbb.org/blog/2014/01/junk-mail-vs-scam-mail/
Jan 10, 2014 - "Many of the items sent to consumers in-boxes these days are little more than junk mail. But BBB warns a growing number of spam emails are designed to inflict harm. While it may seem like this topic comes up frequently, unfortunately, scammers find a way to catch users off guard. Right after the Target store hacking of some 40 million credit and debit cards, BBB issued a warning* about emails claiming to be from Target but were disguised as malware designed to steal identity information. The warning was issued in light of all the scam emails on internet right now. The hard part is telling the difference between a legitimate email from a vendor you do subscribe to and one that looks like the vendor but isn’t... Check for misspellings and grammatical errors. Silly mistakes and sloppy copy – for example, an area code that doesn’t match an address – often are giveaways that the site is a scam. Messaging like, “Just tell us where to send this $1,100” -or- “a delivery was cancelled because of problems with the mailing addressed and to please provide a correct address” is another giveaway. Companies typically do not use this type of language. A recent trend in scam emails are asking users to select a link on a state where they are to send the money or to send the correct address. This link will then lead to a site where a thief will use the information for their own use. It isn’t wise to select the links or open attachments in emails you aren’t familiar with especially ones you haven’t solicited from. When in doubt, check with the company before you respond to any website that asks you to enter personal identifying information. Bottom line, unless you’ve done business with the company or are on a mailing list with them – do -not- click on email links even if they appear to be from legitimate companies. Far too many times these days, it’s all just a scam."
* http://www.bbb.org/blog/2014/01/watch-for-scams-following-target-data-breach/
___

Google linking of social network contacts to email raises concerns
- http://www.reuters.com/article/2014/01/10/us-google-gmail-idUSBREA081NH20140110
Jan 9, 2014 - "A new feature in Google Inc's Gmail will result in some users receiving messages from people with whom they have not shared their email addresses, raising concerns among some privacy advocates. The change, which Google announced on Thursday, broadens the list of contacts available to Gmail users so it includes both the email addresses of their existing contacts, as well as the names of people on the Google+ social network. As a result, a person can send an email directly to friends, and strangers, who use Google+. Google is increasingly trying to integrate its Google+, a two-and-a-half-year old social network that has 540 million active users, with its other services. When consumers sign up for Gmail, the company's Web-based email service, they are now automatically given a Google+ account. Google said the new feature will make it easier for people who use both services to communicate with their friends... Some privacy advocates said Google should have made the new feature "opt-in," meaning that users should explicitly agree to receive messages from other Google+ users, rather than being required to manually change the setting... A Google spokeswoman said the company planned to send an email to all Google+ users during the next two days alerting them to the change and explaining how to change their settings..."

:fear: :mad: :sad:

FYI...

Sefnit-added Tor service ...
- https://net-security.org/malware_news.php?id=2673
Jan 10, 2014 - "... the Sefnit click-fraud Trojan... has been around since 2009... This rapid rise in Tor connections has served to see just how many computers were infected with the malware, and the number was staggering: over four million. Since then, Microsoft has been working to diminish that number... Microsoft has decided to retroactively clean the machines that still had the Sefnit-added Tor service, and practically managed to do so for half of them - around 2 million - in just two months...
> http://www.net-security.org/images/articles/ms-10012014-big.jpg
... two million cleaned computers is better than none, two million more remain at risk... In order to help these users, Microsoft has compiled a short step-by-step guide* on how to do it..."
* http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx
9 Jan 2014

:fear::fear:

FYI...

Fake Dept. of Treasury SPAM
- http://blog.dynamoo.com/2014/01/department-of-treasury-notice-of.html
13 Jan 2014 - "This US Treasury spam (but apparently sent from salesforce .com) has a malicious attachment:
Date: Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
From: "support@salesforce .com" [support@salesforce .com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk ...

Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47*) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47**)... analysis shows an attempted connection to anggun.my .id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, blocking either may be prudent."
* https://www.virustotal.com/en-gb/file/abbfbaadd5ea95647e9c79e2a7cfc87bd84dab8849c7a2ad4c70c9fd8f07c001/analysis/1389622089/

** https://www.virustotal.com/en-gb/file/2b992fd40c86b615b6e91c186eed79714493c77d0588fe59e3f01dbcbe8bcbb0/analysis/1389622087/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Financial Tips Attachment Email Messages - 2014 Jan 13
Fake Account Payment Information Email Messages - 2014 Jan 13
Fake Court Appearance Request Email Messages - 2014 Jan 13
Fake Product Catalog Email Messages - 2014 Jan 13
Fake Company Complaint Email Messages - 2014 Jan 13
Fake Bank Account Statement Email Messages - 2014 Jan 13
Fake Package Tracking Information Email Messages - 2014 Jan 13
Fake Payroll Invoice Email Messages - 2014 Jan 13
Fake Bank Payment Notification Email Messages - 2014 Jan 13
Fake Invoice Statement Attachment Email Messages - 2014 Jan 13
(More detail and links at the cisco URL above.)

:fear: :mad:

FYI...

Fake HSBC SPAM / Payment Advice.exe
- http://blog.dynamoo.com/2014/01/hsbc-payment-advice-spam-payment.html
14 Jan 2014 - "This -fake- HSBC spam comes with a malicious attachment:
Date: Tue, 14 Jan 2014 11:57:29 -0300 [09:57:29 EST]
From: HSBC Advising Service [advising.service.738805677.728003.693090157@ mail.hsbcnet.hsbc .com]
Subject: Payment Advice - Advice Ref:[G72282154558] / Priority payment / Customer Ref:[63 434S632U9I]
Sir/Madam
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Yours faithfully
Global Payments and Cash Management
HSBC ...

The is an attachment Payment Advice [G72282154558].zip which contains an executable Payment Advice.exe with a VirusTotal detection rate of 12/48*. Automated analysis... shows an attempted connection to thebostonshaker .com on 206.190.147.139 (Salt Lake City Hosting, US). It is the only site on this IP address, blocking either temporarily may give some protection."
* https://www.virustotal.com/en-gb/file/3bfd83deba0221db8d741b4492d5487245a8a50156d302aa0d2fe8ee4f368b70/analysis/1389713473/
___

Unsolicted SPAM...
- http://blog.dynamoo.com/2014/01/uncensored-download-spam-leads-to-adware.html
14 Jan 2014 - "... plagued with these over the past few days, emails coming in with the following subjects:
Underground XXX files
Free porno torrents
Uncensored download
The body text contains just a link to [donotclick]goinst .com/download/getfile/1205000/0/?q=Uncensored%20download
In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" ... A quick look at the EXE in VirusTotal* indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably -not- behind the spam run, but are probably inadvertently paying the spammers for installations. Avoid."
* https://www.virustotal.com/en-gb/file/b998d160881aa19487888014cf12e276ba55b54d3405b45699cf507b7acda416/analysis/1389715495/
___

More WhatsApp Message Spam
- http://threattrack.tumblr.com/post/73312753221/whatsapp-message-spam
Jan 14, 2014 - Subjects Seen:
Missed voice message, “4:27”PM
Typical e-mail details:
New voicemessage.
Please download attached file
Description
Jan 09 2:44PM PM
08 seconds

Malicious File Name and MD5:
Missed-message.zip (687C8BE7F4A56A00AF03ED9DFC3BFB76)
Missed-message.exe (BF1411F18EA12E058BFB05692E422216)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ede2bd7794acfb19f8ead1a762f1ed8e/tumblr_inline_mzefht1KF81r6pupn.png

Tagged: WhatsApp, Upatre
___

Fake ADP invoice w/ Fiserv document - TROJAN
- http://blog.mxlab.eu/2014/01/14/genvariant-strictor-49180-trojan-attached-to-emails-regarding-adp-invoice-and-fiserv-document/
Jan 14, 2014 - "... intercepting different type of emails with an attached Gen:Variant.Strictor.49180.
> ADP Invoice - This email is send from the spoofed address “payroll.invoices@ adp .com” while the SMTP from is “fraud@ aexp .com”, comes with the subject “Invoice #3164342″ and has the following body:
Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to payroll.invoices@ adp. com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you ,
Automatic Data Processing, Inc...
The attached ZIP file has the name Invoice_ADP_3164342.zip and contains the 19 kB large file Invoice_ADP_01142014.exe.

> Fiserv attached document - This email is send from the spoofed address “Fiserv <Debra_Drake@ fiserv .com>” while the SMTP from is “fraud@ aexp .com”, comes with the subject “FW: Scanned Document Attached” and has the following body:
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center – a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Debra_Drake@ fiserv .com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password... If you have any questions, please contact your Fiserv representative...
The attached ZIP file has the name FSEMC.Debra_Drake.zip and contains the 19 kB large file FSEMC_01142014.exe. The trojan is known as Gen:Variant.Strictor.49180 by most of the virus engines but also as PWSZbot-FMO!5B171D420618, Heuristic.LooksLike.Win32.Suspicious.J!81, TrojanDownloader:Win32/Upatre.A or PE:Malware.FakePDF@CV!1.9C28. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/88f4cae7b769ce0eb2ad50aff40d5832cd3c9e3bca10aee5b10d088d2347bb92/analysis/

- https://malwr.com/analysis/ZTNjMzM4Y2Y0NDFkNDQzZTgwZWE0ZGUyNmJjOTEyZDg/

- https://www.virustotal.com/en-gb/ip-address/206.190.147.142/information/

- https://www.virustotal.com/en-gb/ip-address/95.101.0.115/information/
___

Fake Quickbooks Invoice - Trojan.Zbot ...
- http://blog.mxlab.eu/2014/01/14/trojan-zbot-ide-attached-to-different-emails-quickbooks-invoice-important-docs/
Jan 14, 2014 - "... intercepting different type of emails with an attached Trojan.Zbot.IDE.
> Quickbooks Invoice: This email is send from the spoofed address “QuickBooks Invoice <auto-invoice@ quickbooks .com>” while the SMTP from is “fraud@ aexp .com”, has the subject “Notification of direct debit of fees” and has the following body:
Notification Number: 5430143
Mandate Number: 8396466
###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
This is notification that Land Registry will debit 214.00 GBP from your nominated account on or as soon as possible before 15/01/2013.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov .uk or call on 0844 892 1111. For all enquiries, please quote your key number.
Thank you,
Land Registry ...
The attached ZIP file has the name Notification_5430143.zip and contains the 19 kB large file Notification_1401.exe.
> Important Docs: This email is send from the spoofed address “Elbert Hickman <xxxx@ rbs .co .uk>” while the SMTP from is “fraud@aexp .com”, has the subject “Important Docs” and has the following body:
Check attached docs.
Elbert Hickman
Commercial Banking Support
Thames Gateway Commercial Office
2nd Floor, Riverbridge House, Anchor Boulevard,
Crossways, Dartford, Kent DA2 6SL
Depot Code 023
Tel: 01322 639620
Fax: 01322 606862
email: Elbert@ rbs .co .uk ...
The attached ZIP file has the name Docs_14012014.zip and contains the 19 kB large file Docs_14012014.exe. The trojan is known as Trojan.Zbot.IDE, Trojan-Spy.Zbot, TR/Yarwi.B.117, W32/Trojan.TROM-4807 or Trojan.Email.FakeDoc. At the time of writing, 14 of the 48 AV engines did detect the trojan at Virus Total*."
* https://www.virustotal.com/en/file/2bd962a5552826c2b24447a8bcbce7d7f08c0c863cb041d70f851771a77a6ef5/analysis/1389713323/

- https://malwr.com/analysis/ZjM0MmVjY2QwOWY5NGU2MTlhNTBiNTBjYzE5OTY5ZmI/

- https://www.virustotal.com/en-gb/ip-address/85.204.19.17/information/

- https://www.virustotal.com/en-gb/ip-address/95.101.0.104/information/
___

Fake PG&E SPAM
- http://blog.dynamoo.com/2014/01/pg-gas-and-electric-usage-statement-spam.html
14 Jan 2014 - "This -fake- spam from the Pacific Gas & Electric company is presumably meant to have a malicious payload, but all I get is a server error..
From: PG&E [do_not_reply@ sourcefort .com]
Reply-To: PG&E [do_not_reply@ sourcefort .com]
Date: 14 January 2014 22:37
Subject: Gas and Electric Usage Statement
PG & E ENERGY STATEMENT Account No: 718198305-5
Statement Date: 01/10/2014
Due Date: 02/01/2014
Your Account Summary
Amount Due on Previous Statement $344.70
Payment(s) Recieved Since Last Statement 0.0
Previous Unpaid Balance $344.70
Current Electric Charges $165.80
Current Gas Charges 49.20
Total Amount Due BY 02/01/2014 $559.7
To view your most recent statement, please click here You must log-in to your account or register for an online account to view your statement...

Screenshot: http://2.bp.blogspot.com/-AhQr4bPPcjA/UtW8y45D6fI/AAAAAAAACZw/EPN9GQZd8nA/s1600/pge.png

To give PG&E full credit, they have a link on their homepage about it and a full warning here*. These scam emails seem to have been doing the rounds for quite a few days now."
* http://www.pgecurrents.com/2014/01/08/pge-warns-of-scam-emails-calls/

:mad: :mad:

FYI...

Fake Staples order SPAM...
- http://blog.dynamoo.com/2014/01/staples-your-order-is-awaiting.html
15 Jan 2014 - "This -fake- Staples spam has a malicious attachment:
Date: Wed, 15 Jan 2014 15:40:44 +0800 [02:40:44 EST]
From: Staples Advantage Orders [Order@ staplesadvantage .com]
Subject: Your order is awaiting verification!
Order Status: Awaiting verification
Order #: 5079728
Your order has been submitted and is awaiting verification from you.
Order #: 5079728
Order Date and Eastern Time: 2/19/2013 12:28 PM
Order Total: $152.46
This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance....

Screenshot: https://lh3.ggpht.com/--iaCgzY9eyg/UtanjFKqkSI/AAAAAAAACaA/W4MGugL9yLU/s1600/staples2.png

Attached is a ZIP file Order_5079728.zip which in turn contains a malicious executable Order_{_partorderb}.exe which has a VirusTotal detection rate of 23/47*. The Malwr report is pretty inconclusive, so presumably the binary is hardened against automated analysis tools."
* https://www.virustotal.com/en-gb/file/351499a61b3c987967fa2754a1726e4fc4d2ea3dddb352552584cbb10e74f8a1/analysis/1389799070/

- http://threattrack.tumblr.com/post/73414944865/staples-order-verification-spam
Jan 15, 2014 - "Subjects Seen:
Your order is awaiting verification!
Typical e-mail details:
Your order has been submitted and is awaiting verification from you.
Order #: 1178687
Order Date and Eastern Time: 2/19/2013 12:28 PM
Order Total: $271.74
This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance...

Malicious File Name and MD5:
Order_1178687.zip (312C682B547215FB1462C7C46646A1B7)
Order_{_partorderb}.exe (1D85D2CC51AC6E1A2805366BB910EF70)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b3864d35e3fb5fe5d4789b184d92c16f/tumblr_inline_mzg9f3cJYM1r6pupn.png

Tagged: Staples, Upatre
___

Fake RBS pwd reset SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbs-bankline-password-reset-form-fake-pdf-malware/
15 Jan 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Of course the RBS Bankline Password Reset Form is not from RBS or any other bank. Once the scammers and malware purveyors find a new or different scam they will use every bank they can to try to infect as many users as they can. Normally when you see an attachment or email with a subject like RBS Bankline Password Reset Form, you automatically think that it is another phishing attempt. In this case it is not phishing but a very nasty malware- virus-trojan. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form. Fax to 0845 878 9791 or alternatively email a scanned copy of the form to banklineadministration@ rbs .co .uk, on receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email. <<RBS_Bankline_Password_Reactivation.pdf>> Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered. Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details. If you are the sole Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in an Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner. If you require any further assistance then please do not hesitate to contact us...
Regards
Bankline Product Support ...

RBS_Bankline_Password_Reactivation.zip extracts to RBS_Bankline_Password_Reactivation.exe. Current Virus total detections: 2/48*. MALWR Auto Analysis**... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/e9f2c240795640b17f43c0ef322d483a86e023146889c06a9f81fe1b3b0d3e0c/analysis/

** https://malwr.com/analysis/YmYyYjIzMGM2N2I3NGJmZjhhMDlkMmFjMTE5MTA1NGM/

38.102.226.94
- https://www.virustotal.com/en-gb/ip-address/38.102.226.94/information/

- http://google.com/safebrowsing/diagnostic?site=AS:174
___

Compromised Sites pull Fake Flash Player from SkyDrive
- http://www.f-secure.com/weblog/archives/00002659.html
Jan 15, 2014 - "On most days, our WorldMap* shows more of the same thing. Today is an exception... One infection is topping so high in the charts that it pretty much captured our attention. Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits... It wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In those sites, malicious code has been appended to the scripts... Successful redirection leads to a fake flash download site that look similar to these pages:
> http://www.f-secure.com/weblog/archives/5_flash1.PNG
... The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account. When the malicious flashplayer.exe is executed, this message is displayed to the user.
> http://www.f-secure.com/weblog/archives/7_dialog.PNG
While in the background, it is once again connecting to the same SkyDrive account in order to download another malware... Initial analysis showed that the sample is connecting to these locations.
> http://www.f-secure.com/weblog/archives/9_post.PNG ..."

* http://worldmap3.f-secure.com/

- https://www.virustotal.com/en-gb/ip-address/208.73.210.155/information/

- https://www.virustotal.com/en-gb/ip-address/151.236.24.49/information/

:sad: :fear: :mad:

FYI...

Cushion Redirect sites using hijacked GoDaddy domains to block
- http://blog.dynamoo.com/2014/01/cushion-redirect-sites-using-hijacked.html
16 Jan 2014 - "... some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine) which appears to be hosting some Cushion Redirect domains (explained here*) which is being injected into certain sites such as the one in this URLquery report**... A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects... The hijacked GoDaddy domains in question are:
allgaysitespassfree .com
amateurloginfree .com
yourchicagocarservice .com
yourchicagogranite .com
yourchicagohummerlimo .com
yourbestpartybus .com
A quick look at the Google stats for AS42655*** indicate to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites."
* http://malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html

** http://urlquery.net/report.php?id=8838865

- https://www.virustotal.com/en-gb/ip-address/194.28.175.129/information/

*** http://www.google.com/safebrowsing/diagnostic?site=AS:42655
___

Script exploits lead to Adscend Media LLC ads
- http://blog.dynamoo.com/2014/01/script-exploits-lead-to-adscend-media.html
16 Jan 2014 - "Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious. Here is a case in point.. the German website physiomedicor .de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report*. In this case it's pretty easy to tell what's going on from the URLquery screenshot:
> http://3.bp.blogspot.com/-BqNzhIdeK1Y/Utfer7qFwFI/AAAAAAAACa0/gHJVqXmtrVk/s1600/urlquery.jpg
What has happened is that somehow an attacker has altered several .js files on the victim's site and has appened extra code. In this case the code has been appened to [donotclick]www.physiomedicor .de/assets/rollover.js as follows...
> http://4.bp.blogspot.com/-Gb14LMV3niM/UtfgX5HhfII/AAAAAAAACbA/Kg04ljNJmF0/s1600/injection1.png
In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia .com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:
[donotclick]berriesarsuiz .com/ptc84vRb.php?id=117515949
[donotclick]www.karsons .co .uk/qdrX3tDB.php?id=114433444
... Adscend Media has been accused of deceptive advertising practices** before which makes me think that it might be a good candidate for -blocking- on your network, especially as they have private WHOIS details for that domain. If you want to banish these from your network then the following list might help:
199.59.164.5
adscendmedia .com
adshiftclick .com
jmp2 .am
lnkgt .com ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=8840002

** http://news.cnet.com/8301-1023_3-57429518-93/alleged-facebook-likejacker-settles-with-washington-state/

81.169.145.150
- https://www.virustotal.com/en-gb/ip-address/81.169.145.150/information/
___

Fake malicious "ACTION REQUIRED" SPAM
- http://blog.dynamoo.com/2014/01/action-required-document-has-arrived.html
16 Jan 2014 - "This spam with a lengthy subject has a malicious attachment:
Date: Thu, 16 Jan 2014 09:39:28 -0600 [10:39:28 EST]
From: "support@salesforce .com" [support@salesforce .com]
Subject: ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
Priority: High Priority 2
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
Record ID: HJRQY9PSXBSK334
Supplier: http ://[victimdomain .com]
Invoice No.: 5644366804
Document No.: 3319683775
Invoice amount: USD 0488.21
Rejection reason(s): Approval Required
Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.

Attached is a file SFHJRQY9PSXBSK334.zip which in turn contains a malicious executable SF.EXE which has an icon that makes it look like a PDF file. This file has a very low detection rate at VirusTotal of 2/48*... anaylsis shows an attempted connection to centrum .co .id on 75.98.233.44 (Ceranet, US). This is the only site on that server, blocking either the IP or domain might be useful."
* https://www.virustotal.com/en-gb/file/b0d91090761192733241b1825a120ed7c984c3a43ef4cd16cacbeabc4426ebf9/analysis/1389889350/

- http://threattrack.tumblr.com/post/73524218077/salesforce-com-malicious-spam
Jan 16, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bfdcf1b6d905c870af58d2bbb29410dc/tumblr_inline_mzi8n1JQ3n1r6pupn.png
Tagged: Salesforce, Upatre
___

Google+ Local - Thousands Of Hotel Listings Hijacked
- http://searchengineland.com/thousands-of-hotels-listings-were-hijacked-in-google-local-181670
Jan 14, 2014 - "Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services. Google+ Local listings are what Google depends on to provide results in Google Maps or Google Search, when people look for local businesses... Doing a search on Google for Google+ Local listings using these domains reveals how thousands of hotels appear to have been hit. For example, a search for listings using the “RoomsToBook .Info” domain currently brings up 1,880 listings that appear to have been hijacked:
> http://searchengineland.com/figz/wp-content/seloads/2014/01/site_plus_google_com__roomstobook_info__-_Google_Search-4-600x816.jpg
Postscript: Google has now said that I can confirm it is aware of the issue and is working to fix it."

- http://searchengineland.com/local-seos-sound-off-on-google-local-hijackings-181933
Jan 16, 2014 - "... Without offering any substantive comments about the situation Google appears to have cleaned up the problem and mostly if not entirely restored the proper links. There’s been no explanation forthcoming about how this might have happened from the company, though Google acknowledged the incident..."

:fear::fear: :mad:

FYI...

Fake Experian Credit Report Malicious Spam
- http://threattrack.tumblr.com/post/73615136871/experian-credit-report-malicious-spam
Jan 17, 2014 - "Subjects Seen:
IMPORTANT - A Key Change Has Been Posted
Typical e-mail details:
A key change has been posted to one of your three national Credit Reports. Each day we monitor your Experian®, Equifax and TransUnion Credit Reports for key changes that may help you detect potential credit fraud or identity theft. Even if you know what caused your Report to change, you don’t know how it will affect your credit, so we urge you to do the following:
View detailed report by opening the attachment.
You will be prompted to open (view) the file or save (download) it to your computer.
For best results, save the file first, then open it in a Web browser.
Contact our Customer Care Center with any additional questions.
Note: The attached file contains personal data.

Malicious File Name and MD5:
Credit_Report_4287362163.zip (1B1C6223EC52CE2E2B8CE6C117A15ADA)
Credit_Report_4287362163.exe (B4101936ED3C8BC09F994223A39E5FE2)

Screenshot: https://31.media.tumblr.com/5f9f8502e65a25465c35c879ef89f06a/tumblr_inline_mzjvs68VC01r6pupn.png

Tagged: Experian, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Photograph Sharing Email Messages - 2014 Jan 17
Fake Court Notice Email Messages - 2014 Jan 17
Fake Fax Message Receipt Email Messages - 2014 Jan 17
Fake Credit Report Email Messages - 2014 Jan 17
Fake Fax Message Delivery Email Messages - 2014 Jan 17
Fake Job Offer Notification Email Messages - 2014 Jan 17
Fake Account Payment Information Email Messages - 2014 Jan 17
Fake Failed Delivery Notification Email Messages - 2014 Jan 17
Fake Fax Message Delivery Email Messages - 2014 Jan 17
Fake Incoming Money Transfer Notification Email Messages - 2014 Jan 17
Fake Invoice Statement Attachment Email Messages - 2014 Jan 17
Fake Delivery Express Parcel Notification Email Messages - 2014 Jan 17
Fake Anti-Phishing Email Messages - 2014 Jan 17
Malicious Personal Pictures Attachment Email Messages - 2014 Jan 17
Fake Product Order Notification Email Messages - 2014 Jan 17
(More detail and links at the cisco URL above.)

:fear::mad: :sad:

FYI...

Spyware attacks against U.S. bloggers ...
- http://www.welivesecurity.com/2014/01/20/vietnamese-malware-single-post-enough-to-trigger-spyware-attacks-against-u-s-bloggers-eff-claims/
20 Jan 2014 - "A single anti-government blog post is enough to trigger personalized spyware attacks from hacker groups supporting the Vietnamese communist state, which the Electronic Frontier Foundation claims* targets anti-government bloggers – even those in other countries – with malware, including its staff, and Californian activists... The new campaign, though, used highly targeted attacks aimed at specific critics of the government – including EFF staff... The -malware- was sent out as a link to a Google document, and was sent in emails tailored to targets – the activists were invited to a conference, and an Associated Press journalist was offered a white paper from Human Rights Watch..."
* https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
Jan 19, 2014

- https://net-security.org/malware_news.php?id=2679
20.01.2014
___

PG&E SPAM - Malware distribution campaign
- https://isc.sans.edu/diary.html?storyid=17459
Last Updated: 2014-01-19 18:41:43 UTC - "Starting about 10 days or so ago, a Spam campaign began targeting Pacific Gas and Energy (PG&E), a large U.S. energy provider. PG&E has been aware of this campaign for about a week, and has informed its customers.
> http://www.pgecurrents.com/2014/01/08/pge-warns-of-scam-emails-calls/
... these emails look quite professional and the English is good. The only real issue in the email being formatting of some of the currency figures.
> https://isc.sans.edu/diaryimages/images/PGEStatement.jpg
The header revealed that it was sent from user nf@ www1 .nsalt .net using IP 212.2.230.181, most likely a compromised webmail account. Both the from and the reply-to fields are set to do_not_reply@ nf .kg, an email address that bounces. The 212.2.230.181 IP, the nf .kg domain and the nsalt .net domain - all map to City Telecom Broadband in Kyrgyzstan (country code KG)... the goal of this particular campaign seems to be malware distribution. The "click here" link in the two samples point to different places
hxxp ://s-dream1 .com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge
hxxp ://paskamp .nl/message/hbu8N3ny7oAVfvBZrZWLSrkYv2kTbwArk3+Tspbd2Cg=/pge
Both of these links are now down, but when they were alive they both served up PGE_FullStatement_San_Francisco_94118.zip which contained a Windows executable... Virustotal has a 5/48 detection rate indicating this is most likely a Trojan Dropper:
> https://isc.sans.edu/diaryimages/images/virustotalpge.jpg ..."

- https://www.virustotal.com/en/ip-address/212.2.230.181/information/
___

Spammers buy Chrome extensions - turn them into adware
- https://www.computerworld.com/s/article/9245551/Spammers_buy_Chrome_extensions_and_turn_them_into_adware
Jan 20, 2014 - "... At least two Chrome extensions recently sold by their original developers were updated to inject ads and affiliate links into legitimate websites opened in users' browsers. The issue first came to light last week when the developer of the "Add to Feedly" extension, a technology blogger named Amit Agarwal, reported that after selling his extension late last year to a third-party, it got transformed into adware... A second developer, Roman Skabichevsky, confirmed Monday that his Chrome extension called "Tweet This Page" suffered a similar fate after he sold it at the end of November... According to the Chrome Web Store developer program policies, advertising is allowed in apps hosted in the store, but there are strict criteria for displaying ads on third-party websites..."
___

Bill Me Later Payment Spam
- http://threattrack.tumblr.com/post/73952603900/bill-me-later-payment-spam
Jan 20, 2014 - "Subjects Seen:
Thank you for scheduling a payment to Bill Me Later
Typical e-mail details:
Dear Customer,
Thank you for making a payment online! We’ve received your
Bill Me Later® payment of $1201.39 and have applied it to your account.
For more details please check attached file
Summary:
Your Bill Me Later Account Number Ending in: 0759
You Paid: $1201.39
Your Payment Date*: 01/20/2014
Your Payment Confirmation Number: 042075773771348058

Malicious File Name and MD5:
PP_03357442.zip (93C0326C3D37927E4C38C90016C7F14C)
PP_03357442.exe (2B68D8CC7CB979EA9A1405D32E30A00A)

Screenshot: https://31.media.tumblr.com/dcb80e6f244cf5c9ac9a1b1f619ca78c/tumblr_inline_mzpik5AQ2R1r6pupn.png

Tagged: bill me later, Upatre

- http://blog.dynamoo.com/2014/01/thank-you-for-scheduling-payment-to.html
20 Jan 2014 - "This -fake- Bill Me Later spam has a malicious attachment:
Date: Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
From: Bill Me Later [service@ paypal .com]
Subject: Thank you for scheduling a payment to Bill Me Later
BillMeLater
Log in here
Your Bill Me Later statement is now available!
Dear Customer,
Thank you for making a payment online! We've received your
Bill Me Later® payment of $1603.57 and have applied it to your account.
For more details please check attached file
Summary:
Your Bill Me Later Account Number Ending in: 0266
You Paid: $1603.57
Your Payment Date*: 01/20/2014
Your Payment Confirmation Number: 971892583971968191 ...

Screenshot: https://lh3.ggpht.com/-g4CABaa5Ka4/Ut1QywUpoEI/AAAAAAAACbY/NXzEDLx1S_U/s1600/billmelater.png

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45*. Automated analysis tools... show an attempted connection to jatit .org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site."
* https://www.virustotal.com/en-gb/file/e6407a8ddd930055870379962e430154381a909e15e5af84d2da53ee3d8b2106/analysis/1390235463/
___

Fake WhatsApp "A friend of yours has just sent you a pic" SPAM
- http://blog.dynamoo.com/2014/01/whatsapp-friend-of-yours-has-just-sent.html
20 Jan 2014 - "This -fake- WhatsApp spam has a malicious attachment:
Date: Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
From: WhatsApp [{messages@ whatsapp .com}]
Subject: A friend of yours has just sent you a pic
Hey!
Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.
2013 WhatsApp Inc

Screenshot: https://lh3.ggpht.com/-ogFWbF6oOwk/Ut1zdrTph5I/AAAAAAAACbo/gYz18kkrW_A/s1600/whatsapp.png

Attached to the message is a an archive file IMG9900882.zip which in turn contains a malicious exectuable IMG9900882.exe which has a VirusTotal detection rate of 20/49*... analysis gives few clues as to what the malware does, other automated analysis tools are inconclusive."
* https://www.virustotal.com/en/file/a1142f44e5add86007cf1be62d909e19032a165c57d29a61c10af009d0fcf69f/analysis/1390244298/

:mad: :fear:

FYI...

Fake Apple Account 'Update to New SSL Servers' Phishing Scam/SPAM
- http://www.hoax-slayer.com/apple-new-ssl-servers-phishing-scam.shtml
Jan 21, 2014 - "Email purporting to be from Apple claims that the user's online access has been blocked because customers are required to update their information in order to use new ssl servers... The email is not from Apple. It is a phishing scam designed to trick recipients into giving their Apple account details and other personal and financial information to Internet criminals.
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-1.jpg
... According to an email that -appears- to come from Apple, the recipient's Apple account has been blocked until account information is updated. The email claims that Apple is implementing new SSL servers to increase customer protection and therefore all customers need to update their details or risk suspension of their accounts. The email includes a link to the "account update process". However, the message is -not- from Apple and the claim that users must update their details is a lie. Instead, the email is a phishing scam designed to steal Apple ID's and a large amount of other personal and financial information. Those who fall for the trick and click the update link in the email will be taken to a fake Apple login page as shown in the following screenshot:
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-3.jpg
... be wary of any message purporting to be from Apple that claims there is an issue with your account that needs to be rectified or you are required to perform an account update..."

... as in: DELETE.
___

Data-stealing malware targets Mac users in "undelivered courier item" attack
- http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/
Jan 21, 2014 - "... you receive an email that claims to be a courier company that is having trouble delivering your article. In the email is a link to, or an attachment containing, what purports to be a tracking note for the item. You are invited to review the relevant document and respond so that delivery can be completed. We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website... Here's what the emails looked like in this attack, with some details changed or redacted for safety:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-email-500.png?w=500&h=446
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone... The link, of course, doesn't really lead to fedex .com .ch, but instead takes you to a domain name that is controlled by the attackers... If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware. But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file. By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an -empty- Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-pdf-appears-500.png?w=500&h=376
Clicking on the download button shows you what -looks- like a PDF file... There is no PDF file, as a visit to the Terminal windows quickly reveals. Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon... the temptation is to click on what looks like a PDF file to see what it contains. OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file... prevention is better than cure. And that "undelivered courier item" almost certainly doesn't exist."
___

Something evil on 5.254.96.240 and 185.5.55.75
- http://blog.dynamoo.com/2014/01/something-evil-on-525496240-and-18555575.html
21 Jan 2014 - "This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I -do- have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank. URLquery shows one such download in this example*, the victim has been directed to [donotclick]gf-58 .ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48**.
> https://lh3.ggpht.com/-icNtor0_pdM/Ut6DaRXAgGI/AAAAAAAACb4/XqfuRAlLjFU/s1600/telekom.png
The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server according to URLquery*** and VirusTotal****... The Anubis report and ThreatExpert report show that the malware calls home to dshfyyst .ru on 185.5.55.75 (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below). All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.
Recommended blocklist:
5.254.96.240
gf-58 .ru
uiuim .ru
okkurp .ru
gdevseesti .ru
goodwebtut .ru
mnogovsegotut .ru
185.5.55.75
gossldirect .ru
dshfyyst .ru ..."

* http://urlquery.net/report.php?id=8907792

** https://www.virustotal.com/en-gb/file/9ff1c4c75212defc5fadc096cb8436dc9eaabb3afe0e69364ce53e90dadbfabc/analysis/1390310958/

*** http://urlquery.net/search.php?q=5.254.96.240&type=string&start=2014-01-06&end=2014-01-21&max=50

**** https://www.virustotal.com/en-gb/ip-address/5.254.96.240/information/

Update: this appears to be Cridex aka Feodo: http://www.abuse.ch/?p=6713

:mad: :fear:

FYI...

Fake PayPal Scams ...
- http://www.hoax-slayer.com/look-out-for-paypal-scam-warning-message.shtml
Jan 22, 2014 - "Message that circulates via social media and online forums warns users to watch out for an email from PayPal... PayPal is almost continually targeted by phishing scammers using a wide variety of phishing techniques... This warning message has been circulating via various social media channels as well as online forums and blogs since around May 2013. The message warns users to look out for an email from PayPal that claims that £35.50 has been taken from the recipient's PayPal account and used to pay a Skype bill... Since at least 2011 scammers have been using and reusing a phishing technique that comprises scam emails that supposedly notify recipients that a Skype TopUp payment has been made via their PayPal account. Links in the scam emails open -fake- PayPal sites that entice users to enter their PayPal login details, and - in some cases - other personal and financial information... it should also be noted that this particular phishing technique is just one among -dozens- of phishing attacks that continually target PayPal users... Because it conducts its business online and via email, PayPal is a primary target for phishing scammers. A quick rule of thumb. Genuine PayPal emails will always address you by your name, -not- via a generic greeting such as "Dear Customer". If you receive a suspected phishing scam email from PayPal you can submit it for analysis via the address listed on the PayPal website*."
* https://www.paypal.com/au/webapps/mpp/security/antiphishing-ppphishingreport
___

Sochi Olympics - Hoax threats
- http://www.reuters.com/article/2014/01/22/olympics-threat-idUSL5N0KW3RT20140122
Jan 22, 2014 - "At least five European countries' Olympic committees and the United States received letters in Russian on Wednesday making a "terrorist threat" before the Sochi Games, but Olympic chiefs said they posed no danger. Despite the assurances, the letters to committees in Italy, Hungary, Germany, Slovenia and Slovakia briefly caused alarm and underlined nervousness about security at the $50 billion event... The U.S. Olympic Committee later confirmed that it also received a letter by email. Suicide bombers killed at least 34 people in a city in southern Russia last month, Islamist militants have threatened to attack the Winter Games and security forces are hunting a woman suspected of planning a suicide bombing and of being in Sochi already..."
___

Facebook Survey Scams
- http://www.hoax-slayer.com/facebook-survey-scam-list.shtml
Jan 21, 2014 - Last:
- http://www.hoax-slayer.com/royal-caribbean-international-survey-scam.shtml
Jan 22, 2014
___

Fake NatWest Mortgage Spam
- http://threattrack.tumblr.com/post/74170286889/natwest-mortgage-spam
Jan 22, 2014 - "Subjects Seen:
Mortgage update - Completion date
Typical e-mail details:
NatWest Intermediary Solutions
Mortgage Ref number: 9080338
We are pleased to advise that we have received a mortgage completion request from the solicitor acting on the case for your customer named above. The acting solicitor has confirmed that the mortgage will complete on 22.01.2014.
For more details please check attached file.
Kind Regards
NatWest Mortgage Team

Malicious File Name and MD5:
Morg_9080338.zip (C02B5FA63331394B6ADFF54952646A16)
Morg_220114.exe (BE295E5E51F2354EF6396AFAB4225783)

Screenshot: https://31.media.tumblr.com/943447252d5a4ba04b541425281a7959/tumblr_inline_mzt3y3xdNK1r6pupn.png

Tagged: NatWest, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Email Messages with Malicious Attachments - 2014 Jan 22
Fake Account Payment Notification Email Messages - 2014 Jan 22
Fake Application Confirmation Email Messages - 2014 Jan 22
Fake Transaction Details Notification Email Messages - 2014 Jan 22
Fake Electricity Bill Notification Email Messages - 2014 Jan 22
Fake Court Appearance Request Email Messages - 2014 Jan 22
Fake Product Order Notification Email Messages - 2014 Jan 22
Fake Travel Information Email Messages - 2014 Jan 22
Fake Product Order Email Messages - 2014 Jan 22
Fake UPS Payment Document Attachment Email Messages - 2014 Jan 22
Fake Photograph Sharing Email Messages - 2014 Jan 22
Fake Court Appearance Request Email Messages - 2014 Jan 22
Fake Account Payment Information Email Messages - 2014 Jan 22
Fake Failed Delivery Notification Email Messages - 2014 Jan 22
Fake Company Complaint Email Messages - 2014 Jan 22
Fake Fax Message Delivery Email Messages - 2014 Jan 22
Fake Fax Delivery Email Messages - 2014 Jan 22
Fake Payroll Invoice Email Messages - 2014 Jan 22
Malicious Personal Pictures Attachment Email Messages - 2014 Jan 22
Fake German Payment Form Attachment Email Messages - 2014 Jan 22
(More detail and links at the cisco URL above.)

:fear: :mad:

FYI...

Fake "Legal Business Proposal" SPAM ...
- http://blog.dynamoo.com/2014/01/legal-business-proposal-spam-has.html
23 Jan 2014 - "This email looks like it should be an advanced fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.
Date: Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
From: Webster Bank [WebsterWeb-LinkNotifications@ WebsterBank .com]
Subject: Legal Business Proposal
Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).
I have a Business worth $47.1M USD for you to handle with me.
Detailed scheme of business can be seen in the attached file.

Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49*. Automated analysis tools... show attempted connections to dallasautoinsurance1 .com on 38.102.226.239 and wiwab .com on 38.102.226.82. Both those IPs are Cogent Communications ones that appear to be rented out to a small web hosting firm called HostTheName .com. For information only, that host has these other IPs in the same range:
38.102.226.82
38.102.226.5
38.102.226.7
38.102.226.10
38.102.226.12
38.102.226.14
38.102.226.17
38.102.226.19
38.102.226.21 "
* https://www.virustotal.com/en-gb/file/61e951a6d18f96539bf7ad19cf951c9d397e6b45b905adf431f7981a54b59be4/analysis/1390482190/

- https://www.virustotal.com/en/ip-address/38.102.226.82/information/
___

Mint.Com.Uk 'Minimum Credit Card Payment Due' Phish
- http://www.hoax-slayer.com/mint-credit-card-payment-due-phishing.shtml
Jan 23, 2014 - "Message, which pretends to be from UK based credit card provider Mint, claims that the recipient's minimum credit card payment is due and advises that the latest bill can be found in an attached file. The email is -not- from Mint. It is a -phishing- scam designed to trick recipients into divulging their account login details to cybercriminals... According to this message, which purports to be from UK credit card provider Mint, the recipient's minimum credit card payment is now due. The message instructs the recipient to open an attached file to view the latest Mint credit card bill. However, the email is not from Mint and the attachment does not contain a credit card bill. Instead, the email is a typical phishing scam designed to trick Mint customers into giving account login details to cybercriminals. Those taken in by the email will find that clicking the attachment loads a html file in their browser. The file contains a link supposedly leading to the credit card bill. However, clicking the link opens a fraudulent website that asks users to supply their account login details, ostensibly to access the "bill". However, users will never reach the supposed bill. They have instead sent their account login details to criminals who can then use it to hijack their accounts, steal information therein, and conduct further fraud..."
___

Gateway.gov.uk Spam
- http://threattrack.tumblr.com/post/74280913157/gateway-gov-uk-spam
Jan 23, 2014 - "Subjects Seen:
Your Online Submission for Reference 435/GB1678208 Could not process
Typical e-mail details:
The submission for reference 435/GB1678208 was successfully received and was not processed.
Check attached copy for more information.

Malicious File Name and MD5:
GB1678208.zip (1BD4797C93A4837777397CE9CB13FC8C)
GB001231401.exe (05FB8AD05E87E12F5E6E4DAE20168194)

Screenshot: https://31.media.tumblr.com/efe7c609820416483d66a4d348eababb/tumblr_inline_mzv11lghEd1r6pupn.png

Tagged: UK Government, Upatre

:fear: :mad:

FYI...

Fake 'Customer Service Center' malware Emails
- http://www.hoax-slayer.com/customer-service-center-malware-emails.shtml
Jan 24, 2014 - "Email claiming to be from the "Customer Service Center" informs recipients that an order has been received and invites them to click a link to find out more about the order.
Brief Analysis: The email is not from any legitimate customer service center. The email is designed to trick users into installing a malicious file on their computer. Clicking the link in the email downloads a .zip file that contains a malware .exe file...
Example:
Subject: Customer Service Center
Hello, Customer
We have got your order and we will process it for 3 days.
You can find specification of the order:
[Link to .zip file removed]
Best regards
Customer Service Center

... The message makes no effort to identify either the company that supposedly sent the message or the product that the recipient supposedly ordered. The message is fraudulent and was not sent by any legitimate customer service center. The goal of the criminals who sent the email is to trick the recipient into downloading and installing malware... Details in different incarnations of the malware emails may vary. Some may claim to be from the "Client Management Department" rather than the "Customer Service Center"..."
___

Fake Amazon Local Spam
- http://threattrack.tumblr.com/post/74407933494/amazon-local-spam
Jan 24, 2014 - "Subjects Seen:
Fwd: Your order report id 2531
Typical e-mail details:
Hi,
Thank you for your order. We ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order DA6220062 Placed on December 11, 2013
Order details and invoice in attached file.

Malicious File Name and MD5:
report.creditcard2735.zip (333794D9592CE296A6FE15CDF58756EA)
report.9983.exe (3B81614E62963AC5336946B87F9487FE)

Screenshot: https://31.media.tumblr.com/747295f5d77e9ee97623058f2135eeec/tumblr_inline_mzx8bt1SLW1r6pupn.png

Tagged: Amazon Local, Androm

:fear: :mad:

FYI...

Fake "MVL Company" job offer
- http://blog.dynamoo.com/2014/01/mvl-company-fake-job-offer.html
25 Jan 2014 - "This job offer is a -fake- and in reality probably involves money laundering or handling stolen goods:
From: Downard Bergstrom [downardkrjbergstrom@ outlook .com]
Subject: Longmore
Date: Fri, 24 Jan 2014 18:52:49 +0000
Hello,
Today our Company, MVL Company, is in need of sales representatives in United Kingdom.
Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.
Part-time job salary constitutes 460GBP a week.
Full-time job is up to 750GBP per week .
Plus we have bonus system for the best workers!
To apply for the vacancy or to get more details about it, please email us directly back to this email.
Hope to hear from you soon!
Best regards,
Downard Bergstrom

The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a free Microsoft Outlook .com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.
Avoid."

:fear: :mad:

FYI...

Fake Voice Message contains trojan in attachment
- http://blog.mxlab.eu/2014/01/27/voice-message-from-unknown-xxx-xxx-xxxx-contains-trojan-in-attached-zip-file/
Jan 27, 2014 - "... intercepted a new trojan distribution campaign by email with the subject Voice Message from Unknown (xxx-xxx-xxxx) – where x is replaced by a phone number. This email is sent from the spoofed address “Unity Messaging System <Unity_UNITY5@ xxx .xxx>”and has the following very short body (where x is replaced by phone number):
From: xxx-xxx-xxxx
The attached ZIP file has the name VoiceMail.zip and contains the 18 kB large file VoiceMail.exe. At the time of writing, 0 of the 50 AV engines did detect the trojan at Virus Total. Use the Virus Total* permalink and Malwr** permalink for more detailed information..."
* https://www.virustotal.com/en/file/e4f11d9a6515323165e2427fe0032bf29ee6ae7a0144b79f7f9dba64df8a6fba/analysis/

** https://malwr.com/analysis/ZjU0NzBlZDFjNTZkNDQ5MmIyYjUyMzFjMGMxOTBkMmM/
___

Fake "Carnival Cruise Line Australia" job offer
- http://blog.dynamoo.com/2014/01/carnival-cruise-line-australia-fake-job.html
27 Jan 2014 - "This -fake- job offer does NOT come from Carnival Cruise lines:
From: Mrs Vivian Mrs Vivian carnjob80@ wp .pl
Date: 27 January 2014 09:59
Subject: JOB ID: AU/CCL/AMPM/359/14-00
Signed by: wp.pl
Carnival Cruise Line Australia
15 Mount Street North Sydney
NSW 2060, Australia
Tel (2) 8424 88000
http ://www .carnival .com .au/
http ://www .carnivalaustralia .com/
carnivalcareer@ globomail .com
JOB ID: AU/CCL/AMPM/359/14-00
What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
PLEASE NOTE THESE FOLLOWING:
Employment Type: Full-Time/Part-Time
Salary: USD $45,000/ USD $125,000 per annual
Preferred Language of Resume/Application: English
Type of work: Permanent / Temporary
Status: All Vacancies
Job Location: Australia
Contract Period: 6 Months, 1 Year, 2 Years and 3 Years
Visa Type: Three Years working permit
The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@ globomail .com) so we can forward the list of positions available and our employment application form
Email: carnivalcareer@ globomail .com
Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.
Regards
Management
Carnival Cruise Line Australia
carnivalcareer@ globomail .com

Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland. The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate. More information on this type of scam can be found here* and here**."
* http://www.cruiseshipjobs.com/cruise-ship-job-scams.htm

** http://www.hoax-slayer.com/disney-cruise-line-job-offer-scam.shtml
___

Fake "Your FED TAX payment" SPAM
- http://blog.dynamoo.com/2014/01/your-fed-tax-payment-spam.html
27 Jan 2014 - "This -fake- "Tax payment" spam comes with a malicious attachment:
Date: Mon, 27 Jan 2014 14:24:42 +0100 [08:24:42 EST]
From: "TaxPro_PTIN@ irs .gov" [TaxPro_PTIN@ irs .gov]
Subject: Your FED TAX payment ( ID : 34KIRS821217111 ) was Rejected
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 34KIRS821217111), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 34KIRS821217111
Payment Amount: $ 9712.00
Transaction status: Rejected
ACH Trace Number: 768339074172506
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Screenshot: https://lh3.ggpht.com/-UNIXkf1KrEo/UuZ_8WP-v1I/AAAAAAAACc8/ObemHBUxulA/s1600/irs.png

Attached is a file Tax payment.zip which in turn contains a malicious executable Tax payment.exe which has a VirusTotal detection rate of 11/50*. Automated analysis by Malwr is inconclusive, other analysis tools are currently down or under DDOS at the moment.
* https://www.virustotal.com/en-gb/file/97a5412374a70610c9ed83eb4e202b0e8653384c3c8372bc63137c3a14e8fe0b/analysis/1390837447/
___

TNT Courier Service Spam
- http://threattrack.tumblr.com/post/74723096757/tnt-courier-service-spam
Jan 27, 2014 - "Subjects Seen:
TNT UK Limited - Package tracking 525933498011
Typical e-mail details:
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 525933498011
Your package have been picked up and is ready for dispatch.
Connote # : 525933498011
Service Type : Export Non Documents - Intl
Shipped on : 25 Jan 13 00:00
Order No : 4134172
Status : Driver’s Return Description : Wrong Address
Service Options: You are required to select a service option below.
The options, together with their associated conditions

Malicious File Name and MD5:
Label_525933498011.zip (58985CC9AA284309262F4E59BC36E47A)
Label_27012014.exe (E0595C4F17056E5599B89F1F9CF52D83)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9745ecae0aa5ea25ce90ec5df697f5d4/tumblr_inline_n02cy8Jn4u1r6pupn.png

Tagged: TNT Courier Service, Upatre
___

Fake "Skype Missed voice message" SPAM
- http://blog.dynamoo.com/2014/01/skype-missed-voice-message-spam.html
27 Jan 2014 - "This -fake- Skype email has a malicious attachment:
Date: Mon, 27 Jan 2014 19:37:11 +0300 [11:37:11 EST]
From: Administrator [docs1@ victimdomain .com]
Subject: Skype Missed voice message
Skype system:
You have received a voice mail message.
Date 01/27/2014
Message length is 00:01:18.

Attached to the email message is an archive file Skype-message.zip which in turn contains a malicious executable Voice_Mail_Message.exe which has a VirusTotal detection rate of 13/49*. Malwr reports** that the malware calls home to rockthecasbah .eu on 64.50.166.122 (LunarPages, US). This server has been compromised before and I recommend you -block- traffic to it."
* https://www.virustotal.com/en/file/ba438b657c3a0efa1af1cdb7ae901a9e7778b949e91ae4460f3c97a36ae49836/analysis/1390858228/

** https://malwr.com/analysis/MzY1NTdiODY5M2MwNDcxZWEwMzdjZmYwMWM1NzIwMDg/

- http://threattrack.tumblr.com/post/74739263432/skype-missed-message-spam
Jan 27, 2014 - "Subjects Seen: Skype Missed voice message..."
Malicious File Name and MD5:
Skype-message.zip (79FB2E523FE515A6DAC229B236F796FF)
Voice_Mail_Message.exe (6E4857C995699C58D9E7B97BFF6E3EE6)

Tagged: Skype, Upatre

:fear::fear: :mad: