Fake Boston Marathon SPAM ...
FYI...
Fake Boston Marathon SPAM / askmeaboutcctv .com
- http://blog.dynamoo.com/2013/04/bost...utcctvcom.html
17 April 2013 - "This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv .com:
Sample 1:
From: Graham Jarvis [mailto:alejandro.alfonzo-larrain @tctwest .net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013
hxxp:||61.63.123.44/news .html
Sample 2:
From: Sally Rasmussen [mailto:artek33 @risd .edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon
hxxp:||190.245.177.248/news .html
(Note that the payload links have been lightly obfuscated, don't click them).
If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv .com/wmiq.html (report here*) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.
* http://urlquery.net/report.php?id=2044081
... RedKit applet + obfuscated URL...
more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
[donotclick]46.233.4.113 /boston.html
[donotclick]37.229.92.116 /boston.html
[donotclick]188.2.164.112 /news.html
[donotclick]109.87.205.222 /news.html
I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way."
- http://blog.dynamoo.com/2013/04/webs...-marathon.html
17 April 2013 - "Earlier today I reported some Boston Marathon themed spam and since then I have seen more malicious landing pages on -hacked- legitimate sites as follows (don't click those links, obviously):
hxxp :||46.233.4.113 /boston.html
96.125.163.122 (WebsiteWelcome.com, US) ...
hxxp :||190.245.177.248 /news.html
184.172.168.32 (WebsiteWelcome.com, US)...
hxxp :||95.87.6.156 /boston.html
50.22.194.64 (WebsiteWelcome.com, US)...
69.56.174.178 ...
This situation has been reported to HostGator / WebsiteWelcome who are investigating..."
(More detail at the dynamoo URL above.)
Sample screenshot: https://gs1.wac.edgecastcdn.net/8019...Pcg1qz4rgp.png
___
KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast
- http://blog.trendmicro.com/trendlabs...arathon-blast/
April 16, 2013 11:52 pm (UTC-7) - "... a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013" to name a few. Below is a spam sample she found:
> http://blog.trendmicro.com/trendlabs...blast_fig1.png
The spammed message only contains the URL... but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:
> http://blog.trendmicro.com/trendlabs...blast_fig2.png
... Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.
> http://blog.trendmicro.com/trendlabs...blast_fig6.png
... a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief."
___
Boston Marathon bombings used to spread malware
- https://www.net-security.org/malware_news.php?id=2469
April 17, 2013 - "... the Boston Marathon bombings have become an effective lure in the hands of cyber scammers and malware peddlers. Kaspersky Lab researchers are warning about spam emails* offering nothing more than a simple link to a web page that contains URLs of non-malicious YouTube videos about the attacks. Unfortunately, after 60 seconds, another link is activated, and this one leads to a malicious executable:
> https://www.net-security.org/images/...e-17042013.jpg
The file offered for download is a variant of the Tepfer info-stealer Trojan, which phones home to a number of IP addresses in Ukraine, Argentina and Taiwan... don't follow links or download files delivered via unsolicited emails or messages sent via popular social media sites and IM services. You're best bet is to check out reputable news sites for information."
* https://www.securelist.com/en/blog/2...ston_Aftermath
___
Fake BBB SPAM / janariamko .ru
- http://blog.dynamoo.com/2013/04/bbb-...ariamkoru.html
17 Apr 2013 - "After a few quiet days on the RU:8080 spam front it has started again..
Date: Wed, 17 Apr 2013 20:18:14 +0800
From: "Better Business Bureau" [guttersnipeg792 @ema1lsv100249121 .bbb.org]
Subject: Better Business Beareau accreditation Terminated 64A488W04
Case N. 64A488W04
Respective Owner/Responsive Person:
The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.
We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
bbb .org/business-claims/customercare/report-65896564
If you think you got this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Gabriel Reyes - Online Communication Specialist
bbb.org - Start With Trust
The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here*) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238 ..."
* http://urlquery.net/report.php?id=2048054
... Blackholev2 redirection successful 93.187.200.250
___
Another BBB spam run / freedblacks .net
- http://blog.dynamoo.com/2013/04/bbb-...blacksnet.html
17 Apr 2013 - "Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks .net.
Date: Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From: BBB [bridegroomc @m.bbb .org]
Subject: Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819
Respective Owner/Responsive Person:
The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
bbb .org/business-claims/customercare/report-02111671
If you think you recieved this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Ian Wilson - Online Communication Specialist
bbb.org - Start With Trust
The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here*) hosted on the following IPs:
65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
Blocklist:
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60 ..."
* http://wepawet.iseclab.org/view.php?...206729&type=js
___
Fake CNN .com Boston Marathon SPAM / thesecondincomee .com
- http://blog.dynamoo.com/2013/04/cnnc...thon-spam.html
17 Apr 2013 - "This Boston Marathon themed spam leads to malware on thesecondincomee .com:
Example 1:
Date: Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From: CNN Breaking News [BreakingNews@mail.cnn.com]
Subject: Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail .cnn .com:
Click the following to access the sent link:
Boston Marathon Explosions - Obama Benefits? - CNN.com*
SAVE THIS link FORWARD THIS link
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
Example 2:
Date: Wed, 17 Apr 2013 22:32:56 +0600
From: behring401 @mail .cnn .com
Subject: Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail .cnn .com:
Click the following to access the sent link:
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
Screenshot: https://lh3.ggpht.com/-ZWq-ThYXI-U/U...cnn-boston.png
The malicious payload is at [donotclick]thesecondincomee .com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
The recommended blocklist is the same as used in this earlier attack*."
* http://blog.dynamoo.com/2013/04/bbb-...blacksnet.html
:mad: :mad:
Malicious Texas Explosion SPAM ..
FYI...
Malicious Texas Explosion SPAM
- http://blog.dynamoo.com/2013/04/fert...near-waco.html
18 April 2013 - "As I suspected, this didn't take long. This spam is a retread of yesterday's Boston Marathon spam.
From: Maria Numbers [mailto:tjm7 @deco-club .ru]
Sent: 18 April 2013 11:51
To: UK HPEA 3
Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
hxxp :||83.170.192.154 /news.html
At the moment the payload site is [donotclick]bigmovies777 .sweans .org/aoiq.html (report here* but site appears b0rked) but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are -hacked- legitimate sites hosted by WebsiteWelcome. If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
> https://lh3.ggpht.com/-9WKYbkNtVV4/U...-explosion.jpg
The Boston Marathon spam lead to a RedKit exploit kit, this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop. Advising your user population of the risk may be prudent.
Sample subjects:
CAUGHT ON CAMERA: Fertilizer Plant Explosion
CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens..."
* http://urlquery.net/report.php?id=2061326
___
Malicious West, TX Exploison Spam
- http://threattrack.tumblr.com/post/4...exploison-spam
18 April 2013 - "Subjects Seen:
West Tx Explosion
Video footage of Texas explosion
Typical e-mail details:
182.235.147.164 /texas.html[/i]
Malicious URLs
182.235.147.164 /texas.html
78.90.133.133 /news.html
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Bze1qz4rgp.png
___
Malicious Secure Message Spam
- http://threattrack.tumblr.com/post/4...e-message-spam
18 April 2013 - "Subjects Seen:
New Secure Message Received from [removed]
Typical e-mail details:
Greetings [removed],
You have received a new secure message from [removed].
If you are using the Secure Message Plugin in Outlook Messamnger this message will be in your SecureMSG Folder.
If you are NOT using the Secure Message Plugin, you are able to view it at csiweb.com/[removed] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Thank You,
CSIeSafe
Malicious URLs
klamzi .hu/csisecurmsg.html?id=8757234110
sub.newwaysys .com/complaints/rush-lacked_whereby.php
Screenshot: https://gs1.wac.edgecastcdn.net/8019...RZF1qz4rgp.png
___
Texas and Boston Blasts SPAM
- http://www.hotforsecurity.com/blog/s...aves-5973.html
April 18, 2013 - "The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of malicious spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware... based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks. In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users’ account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails. The same criminal group that launched the Boston spam has apparently changed the subject tag line to read: Fertilizer Plant Explosion Near Waco, Texas, Texas Explosion Injures Dozens, West Tx Explosion, Raw: Texas Explosion Injures Dozens, Caught on Camera: fertilizer Plant Explosion Near Waco, Texas. They replaced the ending of the malicious URL with “texas.html” but kept the e-mail format, the compromised domains, the modus operandi, and the RedKit.
Screenshot1: http://www.hotforsecurity.com/wp-con...am-Waves_1.png
... Users who click the URLs land on a website displaying YouTube videos on the Texas plant blast while, in the background, a component of RedKit downloads malicious software.
Screenshot2: http://www.hotforsecurity.com/wp-con...pam-Waves2.png
... be cautious and avoid opening e-mails promising exclusive videos about the blast – and never click on the included links..."
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake ADP Payroll Invoice Notification E-mail Messages - 2013 Apr 18
Fake Digital Certificate Notification E-mail Messages - 2013 Apr 18
Fake Lawsuit Documents Attachment E-mail Messages - 2013 Apr 18
Fake PayPal Notification E-mail Messages - 2013 Apr 18
Fake Payment Request Notice E-mail Messages on Messages - 2013 Apr 18
Fake Tax Document Submission Notification E-mail Messages - 2013 Apr 18
Malicious Attachment E-mail Messages - 2013 Apr 18
Scanned Document Attachment E-mail Messages - 2013 Apr 18
(Links and more detail available at the cisco URL above.)
:mad::fear:
Fake Facebook scam leads to Fake Flash Player
FYI...
Fake Facebook scam leads to Fake Flash Player...
- http://blog.trendmicro.com/trendlabs...e-adobe-flash/
April 19, 2013 - "Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.
> https://blog.trendmicro.com/trendlab...ookprofile.png
... we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead lead to this site:
> http://blog.trendmicro.com/trendlabs...ebook-page.jpg
From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US. Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs... cybercriminals and other bad guys out there are using the platform to launch their schemes. From threats that may steal your credit card information to garden-variety scams, users must always be careful with their social media accounts. Always be wary when clicking links, even if they are from your contact or friends..."
___
Fake American Express SPAM / CD0199381.434469398992.zip
- http://blog.dynamoo.com/2013/04/amer...ress-spam.html
19 Apr 2013 - "This fake American Express spam comes with a malicious attachment:
Date: Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
Subject: PAYVE - Remit file
Part(s): 2 CD0199381.434469398992.zip [application/zip]
A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).
- The remittance file contains invoice information passed by your buyer. Please
contact your buyer
for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account
according to the
terms of your American Express merchant agreement and may be combined with other
American Express deposits.
For additional information about Deposits, Fees, or your American Express merchant
agreement:
Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday,
8:00 AM to 8:00 PM ET. - You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.
Copyright 2013 American Express Company...
The is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe [note the date is encoded in the file]. VirusTotal results for that file are just 6/46*. ThreatExpert reports** that the malware communicates with the following servers:
mail.yaklasim .com (212.58.4.13: Doruknet, Turkey)
autoservicegreeley .com (198.100.45.44: A2 Hosting, US)
This malware shares some characteristics with this attack***.
Blocklist:
198.100.45.44
212.58.4.13 ..."
* https://www.virustotal.com/en/file/a...is/1366379362/
File name: CD0199381-04192013.exe
Detection ratio: 6/46
Analysis date: 2013-04-19
** http://www.threatexpert.com/report.a...622e9e5277ffce
*** http://blog.dynamoo.com/2013/04/fise...tion-spam.html
:fear: :mad:
Twitter malware, DHL SPAM, Malware sites to block...
FYI...
Twitter malware...
- https://www.trusteer.com/blog/twitte...han-just-ideas
April 22, 2013 - "... With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware... recently identified an active configuration of TorRAT targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market. However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry. The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim... This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguises the underlying URL address, so that followers have no way of knowing if the link is suspicious... it is quite possible that these URLs lead to malicious webpages. If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download)..."
___
Malicious DHL Spam
- http://threattrack.tumblr.com/post/4...cious-dhl-spam
April 22, 2013 - "Subjects Seen:
Tracking Info
Shipping Detail
Order Detail
Typical e-mail details:
DHL Ship Shipment Notification
On April 18, 2013 a shipment label was printed for delivery.
The shipment number of this package is 81395268.
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.
Malicious URLs
honoredstudents .org/images/index.php?info=841_139088422
eumpharma .com/images/index.php?get_info=ss00_323
sman4-tanjungpinang.sch .id/images/index.php?get_info=ss00_323
Screenshot: https://gs1.wac.edgecastcdn.net/8019...9FL1qz4rgp.png
___
Malware sites to block 22/4/13
- http://blog.dynamoo.com/2013/04/malw...ock-22413.html
22 April 2013 - "These domains form part of a large Kelihos botnet described over at Malware Must Die* and which is related to the recent Boston Marathon** and Texas Fertilizer Plant spam*** runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network..."
(Long list at the dynamoo URL above.)
* http://malwaremustdie.blogspot.co.uk...following.html
** http://blog.dynamoo.com/2013/04/bost...utcctvcom.html
*** http://blog.dynamoo.com/2013/04/fert...near-waco.html
___
Telstra Bill Account Update Phishing Scam
- http://www.hoax-slayer.com/telstra-phishing-scam.shtml
April 22, 2013 - "... Detailed Analysis: This email, which purports to be from Australian telecommunications giant, Telstra, informs the recipient that the company was unable to process a recent bill payment. The email claims that, unless the account holder follows a link in the message to confirm and update billing information, his or her Telstra service may be interrupted. The email arrives complete with the Telstra logo and a seemingly genuine Telstra sender address. However, the email is certainly -not- from Telstra and the information about a payment problem is a lie. In reality, the email is a phishing scam designed to trick Telstra customers into handing over their personal and financial information to Internet criminals. The link in the phishing scam email is disguised to make it appear that it leads to the genuine Telstra site. The sender address of the email is also disguised in such a way that it appears to have originated from Telstra... Telstra (or BigPond) will -never- send customers unsolicited emails* requesting them to provide financial and personal information via links in the message..."
* https://help.telstra.com/app/answers/detail/a_id/17020
___
Fake "Loss Avoidance Alerts" SPAM / tempandhost .com
- http://blog.dynamoo.com/2013/04/loss...erts-spam.html
22 April 2013 - "I haven't seen this particular spam before. It leads to malware on tempandhost .com:
Date: Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From: personableop641 @swacha .org
Subject: 4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
Loss Avoidance Alert System
April 22, 2013
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available on a secure website at:
www .lossavoidancealert .org
http ://www.lossavoidancealert .org
Alerts:
CL0017279 – Sham Checks (ALL)
Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.
Thank you for your participation!
Loss Avoidance Alert System Administrator
This email is confidential and intended for the use of the individual to whom it is addressed. Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource. SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent. Before taking action on any information contained in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.
Screenshot: https://lh3.ggpht.com/-bvBZl6q9rNY/U...ance-alert.png
The link in the email appears to point to www .lossavoidancealert .org but actually goes through a legitimate -hacked- site (in this case [donotclick]samadaan .com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost .com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here* and here**) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this***. Anyway, tempandhost .com is hosted on the following servers:
1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea) ...
Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173 ..."
* http://wepawet.iseclab.org/view.php?...666636&type=js
** http://jsunpack.jeek.org/?report=138...01b8fb3caafe11
*** http://urlquery.net/report.php?id=2111319
:mad:
Something evil on 151.248.123.170 ...
FYI...
Something evil on 151.248.123.170
- http://blog.dynamoo.com/2013/04/some...123170_24.html
24 April 2013 - "151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1*, example 2**). These domains appear to be almost all dynamic DNS domains which I would recommend blocking, I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.
Recommended blocklist:
151.248.123.170 ..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/search.php?q=151...3-04-24&max=50
** https://www.virustotal.com/en/ip-add...0/information/
- https://www.google.com/safebrowsing/...?site=AS:39134
____
Fake American Express SPAM / SecureMail.zip
- http://blog.dynamoo.com/2013/04/amer...s-spam_24.html
24 Apr 2013 - "Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.
Date: Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
From: American Express [Christian_Frey @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-964-7890, option 3.
Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET. The information contained in this message may be privileged, confidential and protected from
disclosure. If the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this communication is
strictly prohibited.
Thank you,
American Express 2012 American Express Company. All rights reserved...
The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46* at VirusTotal. Comodo CAMAS doesn't tell us much** except that it seems to phone home to angels-mail .com and has the following checksums:
MD5 6870fd8fd2b2bedd83e218d9e7e4de8b
SHA1 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
SHA256 ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3
What about angels-mail .com then? Well, it looks like a legitimate domain hosted on 5.77.45.108 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis a copy of which can be found here [pdf***].
Recommended blocklist:
5.77.45.108
64.90.61.19
212.58.4.13 ..."
* https://www.virustotal.com/en/file/a...is/1366835710/
File name: SecureMail.exe
Detection ratio: 21/46
Analysis date: 2013-04-24
** http://camas.comodo.com/cgi-bin/subm...ca660fb2cb45e3
*** http://www.dynamoo.com/files/analysi...d9e7e4de8b.pdf
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Q8b1qz4rgp.png
___
"New Secure Message" spam / pricesgettos .info
- http://blog.dynamoo.com/2013/04/new-...ettosinfo.html
24 Apr 2013 - "This spam leads to malware on pricesgettos .info:
Date: Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From: Cooper.Anderson @csiweb .com
Subject: New Secure Message Received from Cooper.Anderson @csiweb .com
New Secure Message
Respective [redacted],
You have received a new secure message from Cooper.Anderson @csiweb .com.
If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.
If you are NOT using the Secure Message Plugin, you are able to view it by clicking [redacted] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Sincerely Yours,
CSIe
The link displayed in the email is -fake- and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos .info/news/done-heavy_hall_meant.php (report here*) hosted on the following IPs:
1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)
Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2157408
... Detected live BlackHole v2.0 exploit kit 203.64.101.145
:mad:
Malicious PayPal, Wire Transfer SPAM
FYI...
Malicious Wire Transfer Spam
- http://threattrack.tumblr.com/post/4...-transfer-spam
25 Apr 2013 - "Subjects Seen:
Incoming Transactions Report
Typical e-mail details:
Incoming Transactions Report
An incoming money transfer has been received by your financial institution and the funds deposited to account.
Initiated By: Fiserv Inc.
Initiated Date & Time: Thu, 25 Apr 2013 06:13:22 -0800
Batch ID: 497
Please view the attached file to review the transaction details.
Malicious URLs
lipo-exdenver .com/ponyb/gate.php
lipo-exdallas .com/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
angels-mail .com:8080/ponyb/gate.php
serw.myroitracking .com/vHn3xjt.exe
pro-sb-immobilien .de/stdwR8gb.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...pru1qz4rgp.png
___
Malicious PayPal Password Reset Spam
- http://threattrack.tumblr.com/post/4...ord-reset-spam
25 April 2013 - "Subjects Seen:
Reset Yoyr PayPal Password
Typical e-mail details:
Your account would stay frozen untill password reset.
How to reset your PayPal password
Hello [removed],
To get back into your PayPal account, you’ll need to create a new password.
It’s easy:
Click the link below to open a secure browser window.
Confirm that you’re the owner of the account, and then follow the instructions.
Malicious URLs
iremadze .com/wp-content/themes/toolbox/breakingnews.html
it-academy-by-student07 .ru/wp-content/themes/toolbox/breakingnews.html
sub.bestquotesnsayings .com/complaints/or_knew-passed.php
sub.bestquotesnsayings .com/complaints/or_knew-passed.php?kdvawba=mlmr&nlmepj=lwuzwkh
Screenshot: https://gs1.wac.edgecastcdn.net/8019...mCg1qz4rgp.png
:mad:
Fake/malicious USPS, BoA SPAM ...
FYI...
Fake USPS SPAM / LABEL-ID-56723547-GFK72.zip
- http://blog.dynamoo.com/2013/04/usps...pam-label.html
26 Apr 2013 - "This fake USPS message has a malicious attachment:
Date: Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
From: USPS client manager Lelia Holden [reports @usps .com]
Subject: USPS delivery failure report
Priority: High Priority 1
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGL38SHK4T
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46*.
The malicious binary has the following checksums:
MD5 df81b21e9526c571d03bc1fb189f233c
SHA1 dd2fe390e3f16a7f12786799af927f62df6754c4
SHA256 db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
Comodo CAMAS reports** some very unusual behaviour around LDAP registry keys, not present in the Anubis report*** or ThreatExpert report****."
* https://www.virustotal.com/en/file/d...is/1366967613/
File name: LABEL-ID-56753547-GFK72.exe
Detection ratio: 7/46
Analysis date: 2013-04-26
** http://camas.comodo.com/cgi-bin/subm...1d2f4cde60590a
*** http://anubis.iseclab.org/?action=re...96&format=html
**** http://www.threatexpert.com/report.a...3bc1fb189f233c
___
Something evil on 193.107.16.213 / Ideal Solution Ltd
- http://blog.dynamoo.com/2013/04/some...213-ideal.html
26 April 2013 - "193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range. VirusTotal detects a number of malicious sites on this server (see report*) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects. The sites that I can identify, their MyWOT ratings and Google prognosis can be download from here [csv**]. Use this data as you see fit..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/ip-add...2/information/
** http://www.dynamoo.com/files/ideal-solution.csv
- https://www.google.com/safebrowsing/...?site=AS:58001
___
Something evil on 199.71.212.122
- http://blog.dynamoo.com/2013/04/some...971212122.html
26 April 2013 - "199.71.212.122 is an IP address belonging to Psychz Networks in the US. It hosts a number of sites with malware on them according to VirusTotal* and URLquery**. Some of the malicious domains were recently hosted on this IP. I suspect that there are alot more domains than the ones listed on this server, blocking access to it is probably the best approach..."
* https://www.virustotal.com/en/ip-add...2/information/
** http://urlquery.net/search.php?q=199...3-04-26&max=50
- https://www.google.com/safebrowsing/...?site=AS:40676
___
Malicious PayPal Dispute Spam
- http://threattrack.tumblr.com/post/4...l-dispute-spam
26 April 2013 - "Subjects Seen:
Resolution of case #[removed]
Typical e-mail details:
Our records indicate that you never responded to requests for additional
information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see the attached file (Case_[removed].zip)
Sincerely,
Protection Services Department
Malicious URLs
angels-mail .com:8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
palmspringsvacationhomerentals .com/ponyb/gate.php
palmspringsvacationrentalshomes .com/ponyb/gate.php
techsolbowling .com/Ff1.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...6WK1qz4rgp.png
___
Fake BoA malicious SPAM
- http://blog.webroot.com/2013/04/26/c...serve-malware/
April 26, 2013 - "Relying on tens of thousands of fake “Your transaction is completed” emails, cybercriminals have just launched yet another malicious spam campaign attempting to socially engineer Bank of America’s (BofA) customers into executing a malicious attachment. Once unsuspecting users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals operating it, leading to a successful compromise of their hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....tnet.png?w=869
Detection rate for the malicious executable: MD5: c671d0896a2412b42e1abad4be9d43a8 * ...Trojan-Spy.Win32.Zbot.kulh.
... phones back to... C&Cs servers..."
(Long IP list at the webroot URL above.)
* https://www.virustotal.com/en/file/8...f838/analysis/
File name: Mnvw57ch.exe
Detection ratio: 32/46
Analysis date: 2013-04-26
:mad:
Multiple Facebook SCAMS ...
FYI...
Multiple Facebook SCAMS ...
- http://www.hoax-slayer.com/fb-profile-viewer-scam.shtml
April 30, 2013 - "Outline: Message being spammed across Facebook claims that users can follow a link to install an app that allows them to check who has been viewing their profile.
Brief Analysis: The message is an attempt to trick Facebook users into relinquishing control of their Facebook accounts to Internet scammers by submitting their Facebook authentication token. The scammers will use the compromised accounts to launch further spam and scam campaigns in the names of their victims. Any message that claims that you can install an app to see who has viewed your profile is likely to be a scam. Do not click on any links in these messages...
Detailed Analysis: This message, which is currently appearing on Facebook, claims that users can check out who has been viewing their Facebook profiles by clicking a link and installing a new app.
However, the message is a scam designed to trick users into temporarily handing control of their Facebook accounts to online scammers. Those who click the link will first be taken to a Facebook page with further "instructions" for procuring the app:
> http://www.hoax-slayer.com/images/fb...wer-scam-1.jpg
If victims follow the link on the page, they will next be taken to a second page that falsely claims that Facebook is now required to show users who has been viewing their profile:
> http://www.hoax-slayer.com/images/fb...wer-scam-2.jpg
Next, victims are taken to a "security check" and told that they must generate an "age verification code" before proceeding:
> http://www.hoax-slayer.com/images/fb...wer-scam-3.jpg
Users will then receive the following instructions:
> http://www.hoax-slayer.com/images/fb...wer-scam-4.jpg
Folllowed by this:
> http://www.hoax-slayer.com/images/fb...wer-scam-5.jpg
... by pasting the "age verification" code as instructed, users are in fact giving the scammers access to their Facebook accounts, including their Friends list. The code is the victim's Facebook authentication token, which can then be used by the criminals to temporarily hijack the Facebook account. The compromised accounts are then used to distribute more of the same scam messages on Facebook... victims will be taken onward to various bogus survey pages and enticed to participate, supposedly as a further prerequisite to getting the promised profile viewer app... In reality, the profile viewer app does not exist... Some versions use the promise of a profile viewer to lead victims directly to a scam survey page. Other versions try to trick users into first installing a rogue Facebook application that will send spam and scam messages to all of their friends.
Do not trust any message that claims that you can click a link and install an app to see who has viewed your profile. If you receive such a message, delete it."
___
UK banks targeted with Trojans and social engineering
- https://www.net-security.org/malware_news.php?id=2477
April 30, 2013 - "... Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account, at which time it presents them with one of the following messages:
> https://www.net-security.org/images/...r-042013-1.jpg
- or:
> https://www.net-security.org/images/...r-042013-2.jpg
While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user. To overcome this requirement Ramnit displays the following message:
> https://www.net-security.org/images/...r-042013-3.jpg
The temporary receiver number in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the “OTP service generation”, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process... the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake “a option.” Nevertheless, by changing multiple entries in the FAQ section Ramnit* demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there..."
* http://www.trusteer.com/blog/ramnit-...ancial-malware
___
Malicious PDFs on the rise
- http://blog.trendmicro.com/trendlabs...s-on-the-rise/
Apr 29, 2013 - "... we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640)... files used dnsport.chatnook .com, inter.so-webmail .com, and 223.25.242.45 as their command-and-control servers... Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDF’s exploiting CVE-2013-0640 may indicate the start of shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158."
(More detail at the trendmicro URL above.)
- https://blogs.technet.com/b/mmpc/arc...edirected=true
29 Apr 2013
Graph: https://www.microsoft.com/security/p...exploits/2.png
___
Phish target Apple IDs
- http://blog.trendmicro.com/trendlabs...phishing-bait/
Apr 30, 2013 - "Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs... Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised... the directory contains pages that spoof the Apple ID login page fairly closely:
> http://blog.trendmicro.com/trendlabs...fake_apple.jpg
We’ve identified a total of 110 compromised sites, all of hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned:
> http://blog.trendmicro.com/trendlabs...3/04/chart.png
The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
> http://blog.trendmicro.com/trendlabs...redit_card.jpg
Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.
> http://blog.trendmicro.com/trendlabs...apple_mail.jpg
One way to identify these phishing sites, is that the fake sites do not display any indications that you are at a secure site (like the padlock and “Apple Inc. [US]” part of the toolbar), which you can see in this screenshot of the legitimate site:
> http://blog.trendmicro.com/trendlabs.../legitsite.jpg
The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites. For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection..."
___
Something evil on 96.126.108.132
- http://blog.dynamoo.com/2013/04/some...126108132.html
30 April 2013 - "These sites are on (or are likely to be created on) 96.126.108.132 (Linode, US) which is a known malware server [1] [2] [3]. Blocking this IP would be wise. Some of the domains are rather.. unusual ;) ..."
(Long list at the dynamoo URL above.)
1) https://www.virustotal.com/en/ip-add...2/information/
2) https://palevotracker.abuse.ch/?ipad...96.126.108.132
3) http://support.clean-mx.de/clean-mx/...96.126.108.132
___
Fake "Requested Reset of Yoyr PayPal Password" SPAM / frustrationpostcards .biz
- http://blog.dynamoo.com/2013/04/requ...-password.html
29 Apr 2013 - "This fake PayPal spam leads to malware on frustrationpostcards .biz:
Date: Mon, 29 Apr 2013 13:22:03 -0500
From: "service @paypalmail .com" [chichisaq0 @emlreq.paypalmail .com]
Subject: Requested Reset of Yoyr PayPal Password
Your account will stay on hold untill password reset.
How to reset your PayPal password
Hello [redacted],
To get back into your PayPal account, you'll have to create a new password.
It's easy:
Click the link below to open a secure browser window.
Confirm that you're the owner of the account, and then follow the instructions.
Reset your password now
If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.
PayPal Email ID 2A7X1
The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards .biz/news/institutions-trusted.php (report here*) hosted on the following IPs:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)...
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24 ..."
* http://urlquery.net/report.php?id=2230181
Screenshot: https://www.net-security.org/images/...e-30042013.jpg
___
Fake Wire Transfer SPAM / Payment reeceipt.exe / 78.139.187.6
- http://blog.dynamoo.com/2013/04/your...-canceled.html
30 Apr 2013 - "This fake wire transfer spam comes with a malicious attachment:
Date: Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From: Federal Reserve [alerts @federalreserve .gov]
Subject: Your Wire Transfer 82932922 canceled
The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately
In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe . This executable has a so-so VirusTotal detection rate of 29/46*.
The malware has the following checksums according to Comodo CAMAS**:
Size 371712
MD5 0a3723483e06dcf7e51073972b9d1ef3
SHA1 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA256 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
Anubis has a pretty detailed report*** of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here****. There are several other IPs involved, but these look like DSL subscribers with dynamic address, so probably a part of a botnet. For the sake of completeness they are:
64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67 ...."
* https://www.virustotal.com/en/file/0...is/1367354089/
File name: Payment reeceipt.exe
Detection ratio: 29/46
Analysis date: 2013-04-30
** http://camas.comodo.com/cgi-bin/subm...59c2d3f25753dd
*** http://anubis.iseclab.org/?action=re...fd&format=html
**** http://blog.dynamoo.com/2013/04/fise...tion-spam.html
:mad: :sad:
Fake ADP, LinkedIn, Citibank, US Airways SPAM ...
FYI...
Malicious ADP Delivery Notice Spam
- http://threattrack.tumblr.com/post/4...ry-notice-spam
3 May 2013 - "Subjects Seen:
ADP Chesapeake - Package Delivery Confirmation
Typical e-mail details:
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Monday, 1:00pm
Tracking Number (if one is available for this package): [removed]
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
Payroll and Tax Calculators
Order Payroll Supplies, Blank Checks, and more
Submit requests online such as SUI Rate Changes, Schedule Changes, and more
Download Product Documentation, Manuals, and Forms
Download Software Patches and Updates
Access Knowledge Solutions / Frequently Asked Questions
Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP .com
Malicious URLs
technotkan .kz/templates/ja_purity_ii/adp_dpack.html
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?hyobrlhz=kniez&vvhxv=nle
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?df=1g:1i:2v:32:1f&ne=1g:2w:2w:1h:1g:1j:1l:1h:2v:30&h=1f&ug=q&tr=s&jopa=3366088
Screenshot: https://gs1.wac.edgecastcdn.net/8019...PsL1qz4rgp.png
___
Something evil on 173.255.200.91
- http://blog.dynamoo.com/2013/05/some...325520091.html
3 May 2013 - "173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit* [see URLquery** and VirusTotal reports***). Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server. I can see... domains on the server, ones flagged by Google for malware... I would recommend blocking all domains on this server... or simply block the IP address..."
* http://malware.dontneedcoffee.com/20...ploit-kit.html
** http://urlquery.net/search.php?q=173...3-05-03&max=50
*** https://www.virustotal.com/en/ip-add...1/information/
___
Malicious US Airways Spam
- http://threattrack.tumblr.com/post/4...s-airways-spam
2 May 2013 - "Subjects Seen:
US Airways online check-in.
Typical e-mail details:
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you need to do is print your boarding pass and go to the gate.
Malicious URLs
concaribe .com/images/wp_pageid.html?id=516047FC45UOYFC8AVC60VIQ
yob.newwaysys .com/ensure/origin-want_require.php?jnlp=e3ca9e7968
yob.newwaysys .com/ensure/origin-want_require.php?bnddxr=nlbaicu&zvgibtad=tqu
yob.newwaysys .com/ensure/origin-want_require.php?qf=1i:1f:32:33:2v&ge=32:1i:30:2v:1o:32:1m:1o:1l:1n&i=1f&wl=j&rw=r&jopa=2959383
Screenshot: https://gs1.wac.edgecastcdn.net/8019...lQn1qz4rgp.png
___
Malicious Citibank Paymentech Attachment Spam
- http://threattrack.tumblr.com/post/4...ttachment-spam
2 May 2013 - "Subjects Seen:
Merchant Statement
Typical e-mail details:
" Attached is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech’s or the Merchant’s email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ————— Learn more about Citibank Paymentech Solutions, LLC payment processing services at citibank.com. ————— THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.
Malicious URLs
Spam contains a malicious attachment.
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Qsp1qz4rgp.png
___
Fake LinkedIn SPAM / guessworkcontentprotect .biz
- http://blog.dynamoo.com/2013/05/link...rotectbiz.html
2 May 2013 - "This fake LinkedIn email leads to malware on guessworkcontentprotect .biz:
From: LinkedIn Invitations [giuseppeah5 @mail.paypal .com]
Date: 2 May 2013 16:49
Subject: LinkedIn inviation notificaltion.
LinkedIn
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
On May 2, Lewis Padilla wrote:
> To: [redacted]
> I'd like to join you to my professional network on LinkedIn.
> Lewis Padilla
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
The malicious payload is at [donotclick]guessworkcontentprotect .biz/news/pattern-brother.php (report here*) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
203.190.36.201 ..."
* http://urlquery.net/report.php?id=2293535
:mad::fear: