Bogus spammed email eTickets...
FYI...
Bogus spammed email eTickets - Continental Airlines...
- http://blog.trendmicro.com/your-etic...es-a-worm-fly/
October 20, 2008 - "...Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble. TrendLabs researchers caught spammed email messages featuring bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for availing of a new service called “Buy flight ticket Online” and provides account details (even a password). Then it makes the recipient simply print out the attached “purchase invoice and plane ticket” before they use these, and they’re off! How convenient!... The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment”... Trend Micro detects the file contained in the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and accesses websites to download other possibly malicious files. It also displays the icon of files related to Microsoft Word to avoid easy detection and consequent removal... The phrase "Your credit card has been charged" will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details’... This seems to be a renewed campaign, as we first saw it in late August — only the featured airline then was Northwest Airlines, and the spam attachment led to rogue AV installation instead of a worm. Since then, the transaction fee has gone up; Northwest supposedly charged almost $700 while Continental about $915. And JetBlue Airways, it would seem, “charged” even more..."
(Screenshots available at the URL above.)
:mad:
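The "double-extension trick" mentioned above (E-TICKET.DOC.EXE inside E-TICKET.ZIP) is easy to catch at a mail gateway before the attachment ever reaches a user. The following is an added example, not code from Trend Micro or from this thread: it builds a constructed sample ZIP that mimics the attachment layout (no real malware), then lists every member whose final extension is executable, distinguishing decoy names like .DOC.EXE from plain executables. The extension lists are assumptions and can be tuned to local policy.

```python
import io
import zipfile
from typing import Dict, Optional

# Extensions Windows will execute on double-click (assumed gateway block list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar"}
# "Document" extensions attackers wedge before the real one to disguise a binary,
# exactly as in E-TICKET.DOC.EXE from the Continental Airlines spam.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "txt", "jpg", "htm", "html"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if the member name looks dangerous, else None."""
    base = name.rsplit("/", 1)[-1].lower()   # strip any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None                          # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None                          # ends in a non-executable type
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension .{parts[-2]}.{last}"
    return f"executable .{last} inside archive"


def scan_zip(data: bytes) -> Dict[str, str]:
    """Map each flagged member of a ZIP (given as bytes) to the reason flagged."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample() -> bytes:
    """Constructed sample archive shaped like the spam attachment; harmless bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("E-TICKET.DOC.EXE", b"placeholder, not a real binary")
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(f"BLOCK {member}: {why}")
```

Note that the worm also borrows the Microsoft Word icon, so the file name check above is the reliable signal; the icon is not.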
Malicious BBB Certificate SPAM
FYI...
Malicious BBB Certificate SPAM
- http://securitylabs.websense.com/con...erts/3213.aspx
10.22.2008 - "Websense... has discovered another round of malicious BBB spam today. The spam contains a spoofed -From- address to look as if the message was sent by the Better Business Bureau. The message uses social engineering tactics to entice readers to follow a link in the message in order to "register new software and update contact information". We have seen tens of thousands of these messages coming in since noon today. Also of note is that, from the format of these messages and the resulting links, this looks like it was done by the same group that has been spamming out malicious phishes targeting customers of Bank of America, Wachovia, Royal Bank, and others. Clicking on the link takes the victim to a page which -looks- like the BBB site. The site stresses that a digital certificate should be used while browsing the BBB site. It then provides a prompt to download a file called "TrustedBBBCertificate.exe" which is actually a Trojan Downloader (SHA-1 dcefc1fb912d7bb536de3e66d9c5c6c8465f0790). When this file is executed, it takes the victim to another Web page, which is hosted on another malicious domain, for the "Certificate Registration". This secondary site also tries to get the victim to download "TrustedBBBCertificate.exe"..."
(Screenshots available at the URL above.)
:fear::mad:
Compromised Halloween-themed websites
FYI...
Malicious Website/Malicious Code - Halloween-themed websites
- http://securitylabs.websense.com/con...erts/3223.aspx
10.31.2008 - " Websense... has discovered that numerous Halloween-themed Web sites have been compromised as Halloween approaches and users are more likely to visit. One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the JavaScript has multiple layers of obfuscation. The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique. Another example is a US-based retailer using the Halloween theme to promote its products. This Web site is infected with a redirection that points to a gpack exploit kit. The ThreatSeeker network is currently tracking over thirteen-thousand sites infected with these patterns... Not only malware authors take advantage of seasonal events. Numerous recently registered proxy Web sites are using the Halloween theme to allow users to bypass traditional URL filtering solutions..."
(Screenshots available at the URL above.)
:fear:
Election result SPAM #2...
Same (kind of) stuff, same day...
Election result SPAM malware #2
- http://securitylabs.websense.com/con...erts/3230.aspx
11.05.2008 - "... further activity from malware authors using the news of the U.S. Presidential campaign outcome as bait to attract users into executing malicious executables. So far we have over 25,000 emails through our systems... In a very quick response to the outcome of the U.S. Presidential attacks we have now seen both localized and globalized attacks... Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a RootKit is installed on the compromised machine, and data is sent to multiple command and control servers..."
Also see:
- http://garwarner.blogspot.com/2008/1...-as-obama.html
November 05, 2008
- http://www.f-secure.com/weblog/archives/00001530.html
November 5, 2008
- http://sunbeltblog.blogspot.com/2008...l-malware.html
11.05.2008
(Screenshots available at all URLs above.)
:fear::mad:
Facebook - Koobface worm spreading again
FYI...
- http://securitylabs.websense.com/con...erts/3233.aspx
11.07.2008 - "Websense... has discovered that the Koobface social networking worm is again spreading on Facebook... email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader..."
(Screenshots available at the URL above.)
:fear::fear:
SPAM from ‘US Treasury’ ...redirects to malicious sites
FYI...
SPAM from ‘US Treasury’ ...redirects to malicious sites
- http://blog.trendmicro.com/us-treasu...licious-sites/
November 9, 2008 | 11:52 pm - "Spammed email messages -supposedly- from The United States Federal Reserve Bank warn their recipients of a “large-scaled phishing attack” affecting several banks and credit unions... The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having told recipients that, the email message then informs them of restrictions imposed on federal wire transfers as part of security measures being taken by concerned government agencies. The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation... Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:
* ‘Treasury Optimizer’ Updates Systems With Malware
* Storm Goes Economic
* Fake IRS Web Sites Found (Again)
Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information..."
(Screenshot available at the URL above.)
:fear::mad:
SPAM - huge drops with McColo demise
FYI...
SPAM - huge drops with McColo demise...
- http://marshal.com/trace/traceitem.asp?article=815
November 13, 2008 - "Yesterday, McColo Corp, the company responsible for hosting the control servers for several of the biggest spam botnets was taken offline*. Srizbi, Rustock, Mega-D and Pushdo botnets, as well as several others, all had control servers hosted on McColo’s network. Last week these four botnets accounted for over 80 percent of all spam. In addition to botnet control servers, McColo was also known to host malicious software, fake antivirus and child pornography websites... Today, spam has significantly decreased and three of the major botnets, Mega-D, Srizbi and Rustock have almost completely stopped sending spam. Our daily spam volume index showed a massive drop over the last two days... We do not expect this drop in spam to continue for long; often the people or groups responsible for the malicious activity simply move to a new host and continue as normal. Nevertheless, such a dramatic decline in spam, however short-lived, is good news indeed and represents another blow for the cyber criminals."
* http://asert.arbornetworks.com/2008/...s-mccolo-gone/
November 12, 2008
> http://hostexploit.com/downloads/Hos...2.0%201108.pdf
- http://blog.trendmicro.com/spam-volu...lug-on-mccolo/
Nov. 15, 2008 - "...This small victory will most likely be short-lived, as it is almost certain that these obviously profitable criminal operations are too valuable for these criminal operations to be abandoned..."
:fear:
PayPal SPAM warns of fraud - installs Worm instead
FYI...
- http://blog.trendmicro.com/paypal-sp...-worm-instead/
Nov. 18, 2008 - "A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment... It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered. The attachment that arrives with this spam, however, does not contain a report or any similar information. Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution..."
(Screenshots available at the URL above.)
:fear::mad: