Skype SPAM voicemail leads to Blackhole / Zeus attacks
FYI...
Skype SPAM voicemail leads to Blackhole / Zeus attacks
- http://www.gfi.com/blog/skype-voicem...-zeus-attacks/
Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
> http://www.gfi.com/blog/wp-content/u...cemailscam.png
It reads as follows:
Hi there,
You have a new voicemail
Sign in to Skype to listen to the message.
If you no longer want to receive email alerts about new voicemails, unsubscribe now.
Talk soon,
The people at Skype
It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."
- http://pandalabs.pandasecurity.com/i...and-messenger/
10/10/12
___
Skype Messages Spreading DORKBOT Variants
- http://blog.trendmicro.com/trendlabs...kbot-variants/
Oct 9, 2012
- http://blog.trendmicro.com/trendlabs...dorkbot-rises/
Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form fields like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."
- http://blog.spiderlabs.com/2012/10/w...-messages.html
12 Oct 2012
___
Rampaging Squirrel + Boyband = Twitter SPAM
- http://www.gfi.com/blog/rampaging-sq...-twitter-spam/
Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
> http://www.gfi.com/blog/wp-content/u...0/1dirspam.jpg
Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
> http://www.gfi.com/blog/wp-content/u...0/2dirspam.jpg
“Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
> http://www.gfi.com/blog/wp-content/u...0/3dirspam.jpg
... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
* http://www.wandsworthguardian.co.uk/...Park_squirrel/
___
Fake job offers - union-trans .com employment scam
- http://blog.dynamoo.com/2012/10/unio...ment-scam.html
10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."
Sprint SPAM / 1.starkresidential .net
- http://blog.dynamoo.com/2012/10/spri...entialnet.html
9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."
"Biweekly payroll" SPAM / editdvsyourself .net
- http://blog.dynamoo.com/2012/10/biwe...urselfnet.html
9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
___
Facebook Scam SPAM
- https://isc.sans.edu/diary.html?storyid=14281
Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
> https://isc.sans.edu/diaryimages/Dia...-Scam-Spam.png
If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."
:fear: :fear: :mad:
Malicious Presidential SPAM campaign has started...
FYI...
Malicious Presidential SPAM campaign has started...
- http://community.websense.com/blogs/...n-started.aspx
10 Oct 2012 - "... Websense... has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
> http://community.websense.com/cfs-fi...2D00_550x0.png
... we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
> http://community.websense.com/cfs-fi...0.sshot002.png
The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
> http://community.websense.com/cfs-fi...6.sshot004.PNG
The links found in the spam emails usually have this kind of content:
> http://community.websense.com/cfs-fi...8.sshot005.PNG
The purpose of this flow as usual is to install malicious files. In this malicious SPAM campaign, we noticed low-detected PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user experience we have found the following involved files:
PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea ...
Each URL... contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code..."
- http://blog.trendmicro.com/trendlabs...nline-threats/
Update as of Oct 11, 2012 - "... email is supposedly from CNN and contains news stories about the election:
> http://blog.trendmicro.com/trendlabs...0/cnn-spam.png
... instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit..."
- http://blog.trendmicro.com/trendlabs...nline-threats/
Oct 10, 2012 - "... This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices."
:mad:
LinkedIn SPAM and more SPAM...
FYI... Multiple entries:
LinkedIn SPAM / inklingads .biz
- http://blog.dynamoo.com/2012/10/link...ingadsbiz.html
11 Oct 2012 - "The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately...
The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)"
___
ADP SPAM / 198.143.159.108
- http://blog.dynamoo.com/2012/10/adp-...143159108.html
12 Oct 2012 - "Yet -more- fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).
Avoid."
___
ADP SPAM / 4.wapin .in and 173.224.209.165:
- http://blog.dynamoo.com/2012/10/adp-spam-4wapinin.html
11 Oct 2012 - "This fake ADP spam leads to malware on 4.wapin .in:
From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
----
Digital Certificate About to Expire...
The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)"
___
ADP SPAM / 108.61.57.66
- http://blog.dynamoo.com/2012/10/adp-spam-108615766.html
11 Oct 2012 - "There's masses of ADP-themed spam today. Here is another one:
Date: Thu, 11 Oct 2012 14:53:17 -0200
From: "ADP.Message" [986E3877@dixys.com]
Subject: ADP Generated Message
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate ...
In this case the malicious payload is at [donotclick]108.61.57.66 /links/assure_numb_ engineers .php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side."
___
Blackhole sites to block ...
- http://blog.dynamoo.com/2012/10/blac...ck-111012.html
11 Oct 2012 - "A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads .biz
The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can."
___
"Copies of Policies" SPAM / windowsmobilever .ru
- http://blog.dynamoo.com/2012/10/copi...cies-spam.html
11 Oct 2012 - "This slightly odd spam leads to malware on windowsmobilever .ru:
Date: Thu, 11 Oct 2012 10:55:37 -0500
From: "Amazon.com" [account-update@amazon.com]
Subject: RE: DONNIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DONNIE LOCKWOOD,
==========
Date: Thu, 11 Oct 2012 12:26:25 -0300
From: accounting@[redacted]
Subject: RE: MARGURITE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARGURITE Moss
Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:
68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)
These two IPs are currently involved in several malicious spam runs and should be blocked if you can."
___
eFax SPAM / 173.255.223.77 and chase .swf
- http://blog.dynamoo.com/2012/10/efax...-chaseswf.html
11 Oct 2012 - "Two different eFax spam runs seem to be going on at the same time:
' From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax...'
' From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax...'
One leads to a malicious landing page at [donotclick]173.255.223.77 /links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44* which is -not- good..."
* https://www.virustotal.com/file/5db6...7784/analysis/
File name: chase.swf-QrUTmm
Detection ratio: 1/40
Analysis date: 2012-10-11 13:04:39 UTC...
:mad::mad:
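The Dynamoo posts quoted above keep repeating two things a defender can act on: a short list of Blackhole hosting IPs to block, and landing URLs that share the same path shapes (`/links/<word>_<word>.php`, `/detects/<word>-<word>.php`, `:8080/forum/links/column.php`). The script below is an added example, not code from any of the quoted blogs; it scans proxy log lines in a simplified, assumed format (`<epoch> <client-ip> <METHOD> <url> <status>`) and flags requests to those hosts or path shapes. The log lines are constructed, and the host list is only the IPs and domain named in the posts above, not a complete feed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts the quoted Dynamoo posts report as Blackhole landing-page servers.
# Taken from this page only; a real deployment would feed this from a maintained list.
BLOCKLIST = {
    "183.81.133.121", "198.136.53.39", "173.255.223.77", "64.247.188.141",
    "68.67.42.41", "203.80.16.81", "108.61.57.66", "74.207.233.58",
    "198.143.159.108", "173.224.209.165", "inklingads.biz",
}

# Path shapes that recur across the reported landing URLs, e.g.
#   /links/assure_numb_engineers.php, /links/rules_familiar-occurred.php
#   /detects/invite-request_checking.php, /detects/beeweek_status-check.php
#   :8080/forum/links/column.php
LANDING_PATH_PATTERNS = [
    re.compile(r"^/(?:links|detects)/[a-z]+[_-][a-z_-]+\.php$"),
    re.compile(r"^/forum/links/column\.php$"),
]


@dataclass
class Finding:
    line_no: int
    client: str
    host: str
    reasons: tuple


def classify_url(url: str) -> list:
    """Return the reasons (possibly none) a URL resembles a Blackhole landing page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BLOCKLIST:
        reasons.append("blocklisted host")
    if any(p.match(parts.path) for p in LANDING_PATH_PATTERNS):
        reasons.append("landing-page path pattern")
    # The .ru redirectors in the posts all sit on port 8080 with the same path.
    if parts.port == 8080 and parts.path.endswith("/forum/links/column.php"):
        reasons.append("port 8080 column.php redirector")
    return reasons


def scan_proxy_log(lines):
    """Scan simplified proxy log lines ('<epoch> <client-ip> <METHOD> <url> <status>')
    and return a Finding for every request that matches a host or path indicator."""
    findings = []
    for n, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines instead of aborting the scan
        _ts, client, _method, url, _status = fields[:5]
        reasons = classify_url(url)
        if reasons:
            findings.append(Finding(n, client, urlsplit(url).hostname or "", tuple(reasons)))
    return findings


# Constructed sample log (not a real capture); clients are RFC 1918 addresses.
SAMPLE_LOG = [
    "1349964000 10.0.0.21 GET http://www.example.com/index.html 200",
    "1349964005 10.0.0.21 GET http://183.81.133.121/links/assure_numb_engineers.php 200",
    "1349964009 10.0.0.33 GET http://inklingads.biz/detects/invite-request_checking.php 200",
    "1349964012 10.0.0.33 GET http://203.80.16.81:8080/forum/links/column.php 200",
    "1349964020 10.0.0.40 GET http://www.example.com/links/about.php 200",
    "1349964030 10.0.0.40 GET http://198.143.159.108/links/rules_familiar-occurred.php 404",
    "malformed line",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.host}: {', '.join(f.reasons)}")
```

A request that matches only the path pattern on an unknown host (as with the hacked-subdomain cases in the posts) is still reported, which is the point of matching paths and not just IPs.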
Vodafone SPAM - emails serve malware
FYI...
Vodafone SPAM - emails serve malware
- http://blog.webroot.com/2012/10/15/v...serve-malware/
Oct 15, 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Vodafone Europe, in an attempt to trick their customers into executing the malicious file attachment found in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate: Vodafone_Account_Balance.pdf.exe – MD5: 8601ece8b0c79ec3d4396f07319bbff1 * ... Trojan-Ransom.Win32.PornoAsset.xen; Worm:Win32/Gamarue.F..."
* https://www.virustotal.com/file/2d62...is/1349008562/
File name: Your_Friend_New_photos-updates.jpeg.exe
Detection ratio: 36/43
Analysis date: 2012-09-30 15:01:54 UTC
___
Fake UPS emails - client-side exploits and malware
- http://blog.webroot.com/2012/10/15/c...s-and-malware/
Oct 15, 2012 - "... cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploits served by the latest version of the BlackHole Exploit kit, which ultimately drops malware on the affected host.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb * ... Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh
* https://www.virustotal.com/file/37d8...a453/analysis/
File name: java.jar
Detection ratio: 26/43
Analysis date: 2012-10-15
... currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98
... Related malicious domains part of the campaign’s infrastructure:
... Name servers part of the campaign’s infrastructure: ..."
___
Rogue Bad Piggies ...
- http://blog.trendmicro.com/trendlabs...gies-versions/
Oct 15, 2012 - "... Right after reports of malicious Bad Piggies on Google Chrome webstore circulated, we found that certain developers also released their own, albeit rogue versions of the said gaming app. On the heels of Bad Piggies‘ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are -not- affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges... During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d .ru, which appears as an app download page.
> http://blog.trendmicro.com/trendlabs...es_website.jpg
... site offers the said app on different platforms. Instead of the actual Bad Piggies app, users instead download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cost users extra for something they didn’t authorize... ANDROIDOS_FAKEINST.A has the ability to obfuscate its codes via inserting junk codes and encrypting the strings and decrypting it upon execution. It also replaces all class/method/field names with meaningless strings thus making analysis difficult... Bad Piggies is a spinoff of the highly popular Angry Birds franchise and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space... To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure. Russian domains also appear to be the favorite among rogue app developers. Beginning this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains... an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forums, blog posts or email. To prevent downloading a fake (or worse, a malware disguised as an app) users should stick to legitimate app stores like Google Play..."
___
eBay phishers update branding...
- http://www.gfi.com/blog/ebay-phisher...heir-branding/
Oct 15, 2012 - "... be aware that not only have eBay updated their logo for the first time since 1995, some scammers have also been quick out of the blocks to rejig their phishing scams and paste in the new logo accordingly. Here’s a scammer who hasn’t quite grasped the concept of “You’re horribly outdated” yet:
> http://www.gfi.com/blog/wp-content/u...kebay_new2.jpg
... here’s a scammer who clearly keeps up with the news and probably owns a gold plated yacht and maybe a Unicorn as a result:
> http://www.gfi.com/blog/wp-content/u...kebay_new1.jpg
... It probably won’t be long before most (if not all) phishers start using the new logo, but for the time being at least some phish attempts will be a little easier to spot for the average end-user. Of course, avid eBay users can also visit their Security Center* and keep up to date with all the latest shenanigans."
* http://pages.ebay.com/securitycenter/index.html
:fear::fear: :mad:
SPAM, SPAM, and more SPAM ...
FYI...
Wire Transfer SPAM / hotsecrete .net
- http://blog.dynamoo.com/2012/10/wire...ecretenet.html
16 Oct 2012 - "This fake wire transfer spam leads to malware on hotsecrete .net:
From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted
We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________
If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
*********************************************
Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001 Federal Reserve Bank.
The malicious payload is found at [donotclick]hotsecrete .net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block."
___
LinkedIn SPAM / 74.91.112.86
- http://blog.dynamoo.com/2012/10/link...749111286.html
16 Oct 2012 - "This fake LinkedIn spam leads to malware on 74.91.112.86:
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86 /links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there)."
___
Facebook SPAM / o.anygutterkings .com
- http://blog.dynamoo.com/2012/10/face...rkingscom.html
15 Oct 2012 - "This fake Facebook spam leads to malware on o.anygutterkings .com:
Date: Mon, 15 Oct 2012 20:02:21 +0200
From: "FB Account"
Subject: Facebook account
facebook
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,
The Facebook Team
Sign in to Facebook and start connecting ...
Please use the link below to resume your account ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Other subjects are: "Account blocked" and "Account activated"
The payload is at [donotclick]o.anygutterkings .com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)..."
- http://www.gfi.com/blog/this-spam-gi...second-chance/
Oct 16, 2012 - "... another Blackhole-Zeus-related threat... ignore and delete this Facebook spam..."
> http://www.gfi.com/blog/wp-content/u...10/FB_1015.png
___
Intuit SPAM / navisiteseparation .net
- http://blog.dynamoo.com/2012/10/intu...rationnet.html
15 Oct 2012 - "This fake Intuit spam leads to malware on navisiteseparation .net:
Date: Mon, 15 Oct 2012 15:20:13 -0300
From: "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject: Welcome - you're accepted for Intuit GoPayment
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number: XXXXXXXXXXXXXX55
Email Address: [redacted]
PLEASE NOTE : Associated charges for this service may be applied now.
Next step: View or confirm your Access ID
This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify Access ID
Get started:
Step 1: If you have not still, download the Intuit software.
Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
Easy Manage Your Intuit GoPayment Account
The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.
... Sample subjects:
Congrats - you're accepted for Intuit GoPayment Merchant
Congratulations - you're approved for Intuit Merchant
Congrats - you're approved for GoPayment Merchant
Welcome - you're accepted for Intuit GoPayment
The malicious payload is at [donotclick]navisiteseparation .net/detects/processing-details_requested.php hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can."
___
Copies of Policies SPAM / linkrdin .ru
- http://blog.dynamoo.com/2012/10/copi...inkrdinru.html
15 Oct 2012 - "Another "Copies of Policies" spam, this time leading to malware on linkrdin .ru:
From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
The malicious payload is on [donotclick]linkrdin .ru:8080/forum/links/column.php ... hosted on the same IPs as this spam:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia) ..."
:mad::mad: :fear:
Fake AA, Amazon emails serve BlackHole Exploit kit
FYI...
Fake American Airlines emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/17/a...e-exploit-kit/
Oct 17, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating American Airlines in an attempt to trick its customers into clicking on a malicious link found in the mail. Upon clicking on the link, users are exposed to the client-side exploits served by the BlackHole Exploit Kit v2.0...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
Spamvertised compromised URL: hxxp ://malorita-hotel .by/wp-config.htm
Detection rate for a sample Java script redirection: American_Airlines.html – MD5: 7b23a4c26b031bef76acff28163a39c5* ...JS/Exploit-Blacole.gc; JS:Blacole-CF [Expl]
Sample client-side exploits serving URL: hxxp ://omahabeachs .ru:8080/forum/links/column.php
We’ve already seen the same malicious email used in the previously profiled “Cybercriminals impersonate -UPS-, serve client-side exploits and malware” campaign, clearly indicating that these campaigns are launched by the same cybercriminal/gang of cybercriminals..."
* https://www.virustotal.com/file/68d4...is/1349016199/
File name: American_Airlines.html
Detection ratio: 9/42
Analysis date: 2012-09-30
___
Fake Amazon emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/16/c...s-and-malware/
Oct 16, 2012 - "... cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses. Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Second screenshot of the spamvertised email impersonating Amazon.com Inc:
> https://webrootblog.files.wordpress....oit_kit_01.png
Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress....oit_kit_02.png
Sample subjects used in the spamvertised emails:
Re: HD TV Waiting on delivery Few hours ago;
Your HDTV Delivered Now;
Re: HDTV Processed Yesterday;
Re: Order Processed Today;
Your Order Approved Few hours ago ...
Sample detection rate for the malicious Java script: – Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830* ... JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
Once a successful client-side exploitation takes place, the BlackHole Exploit kit drops a malicious PDF file with MD5: 9a22573eb991a3780791a2df9c55ddab* that’s exploiting the CVE-2010-0188 vulnerability."
* https://www.virustotal.com/file/4747...is/1349014600/
File name: Amazon.html
Detection ratio: 20/43
Analysis date: 2012-09-30
___
Spoofed WebEx, PayPal Emails lead to Rogue Flash Update
- http://blog.trendmicro.com/trendlabs...-flash-update/
Oct 16, 2012 - "... Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use...
> http://blog.trendmicro.com/trendlabs...ebex_email.jpg
The second sample, on the other hand, is a spoofed PayPal email that features transaction details.
> http://blog.trendmicro.com/trendlabs...shingemail.jpg
Curious users who click these details are then directed to the webpage hosting the rogue Flash update file... Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. If you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users’ knowledge or is peddled in the underground market for the right price... The use of WebEx in these spoofed emails is also fishy (phishy?). WebEx is a popular business conference/meeting technology in the corporate world... We believe that the perpetrators of this threat are likely targeting businesses and employees...
Update... We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants... expect that such spam runs won’t be fading soon... these attacks are continuing at full speed... users are advised to be continuously extra careful with clicking links on email messages."
:mad::mad:
Fake Traffic Ticket SPAM - and more...
FYI...
NY Traffic Ticket SPAM / kennedyana .ru
- http://blog.dynamoo.com/2012/10/ny-t...nedyanaru.html
18 Oct 2012 - "This fake Traffic Ticket spam leads to malware on kennedyana .ru:
Date: Wed, 17 Oct 2012 03:59:44 +0600
From: sales1@[redacted]
To: [redacted]
Subject: Fwd: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 5:16 AM
Date of Offense: 21/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload is on [donotclick]kennedyana .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia) ..."
___
Fake Intuit 'Payroll Confirmation inquiry’ emails lead to the BlackHole exploit kit
- http://blog.webroot.com/2012/10/18/i...e-exploit-kit/
Oct 18, 2012 - "...two consecutive massive email campaigns, impersonating Intuit Payroll's Direct Deposit Service system, in an attempt to trick end users and corporate users into clicking on the malicious links found in the mails. Upon clicking on -any- of the links found in the emails, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the first spamvertised campaign:
> https://webrootblog.files.wordpress....xploit_kit.png
Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
> https://webrootblog.files.wordpress....oit_kit_01.png
Screenshots of the second spamvertised campaign:
> https://webrootblog.files.wordpress....oit_kit_02.png
... Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains that are part of the campaign's infrastructure are known to have responded to the same IPs... Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f * ... Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c ** ... Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B..."
* https://www.virustotal.com/file/64e1...4bb3/analysis/
File name: contacts.exe
Detection ratio: 17/43
Analysis date: 2012-09-29
** https://www.virustotal.com/file/ee30...d907/analysis/
File name: virussign.com_06c6544f554ea892e86b6c2cb6a1700c.exe
Detection ratio: 33/43
Analysis date: 2012-10-19
___
Adobe CS4 SPAM / leprasmotra .ru
- http://blog.dynamoo.com/2012/10/adbo...asmotraru.html
18 Oct 2012 - "This fake Adobe spam leads to malware on leprasmotra.ru:
Date: Thu, 18 Oct 2012 10:00:26 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Order N04833
Good morning,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]leprasmotra .ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking access to those IPs is recommended."
___
LinkedIn SPAM / 64.111.24.162
- http://blog.dynamoo.com/2012/10/link...411124162.html
17 Oct 2012 - "This fake LinkedIn spam leads to malware on 64.111.24.162:
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]64.111.24.162 /links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
... Blocking the IP (and possibly the /27 block) is probably wise.
___
Amazon.com SPAM / sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info
- http://blog.dynamoo.com/2012/10/amaz...iddnsinfo.html
17 Oct 2012 - "This fake Amazon.com spam leads to malware on sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info:
From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High
Gift Cards
| Your Orders
| Amazon.com
Shipping Confirmation
Order #272-3140048-4213404
Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Tuesday, October 9, 2012
Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
Shipment Details
Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com) $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either..."
___
Take a critical look at DNS blocking...
- http://h-online.com/-1731993
18 Oct 2012
:mad::mad:
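The Dynamoo posts above keep recommending the same two moves: block the hosting IPs (or their /27 and /23 ranges) and, where the landing hosts are throwaway dynamic-DNS names, block the whole suffix. The following is an added example, not code from Dynamoo or any of the quoted blogs, that turns the indicators quoted in this post into a small pivot: it surfaces the hosting IPs shared by more than one spam run (72.18.203.140 and 203.80.16.81 serve both the Traffic Ticket and Adobe CS4 runs) and classifies a URL against the suggested blocks; the `/links/<words>.php` path check is a weak hunting heuristic I added from the landing URLs quoted here, not a rule the posts state.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Indicators as quoted in the Dynamoo posts above (campaign, landing host,
# landing path, hosting IPs). Constructed from the page, not a live feed.
CAMPAIGNS = [
    ("NY Traffic Ticket", "kennedyana.ru", "/forum/links/column.php",
     ["68.67.42.41", "72.18.203.140", "203.80.16.81"]),
    ("Adobe CS4", "leprasmotra.ru", "/forum/links/column.php",
     ["72.18.203.140", "203.80.16.81", "209.51.221.247"]),
    ("LinkedIn", "64.111.24.162", "/links/assure_numb_engineers.php",
     ["64.111.24.162"]),
    ("Amazon.com", "sdqhfckuri.ddns.info", "/links/calls_already_stopping.php",
     ["37.230.117.4"]),
]

# Blocks the posts suggest: the /27 and /23 ranges plus the two IPs that
# recur across campaigns (expressed as /32 so everything is one network list).
BLOCK_NETS = [ipaddress.ip_network(n) for n in (
    "64.111.24.160/27", "37.230.116.0/23", "72.18.203.140/32", "203.80.16.81/32")]
BLOCK_SUFFIXES = (".ddns.info", ".ddns.name")


def shared_hosting(campaigns=CAMPAIGNS):
    """Map hosting IP -> campaigns using it, keeping only IPs that serve more
    than one run; that overlap is the infrastructure worth blocking first."""
    by_ip = defaultdict(set)
    for name, _host, _path, ips in campaigns:
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def classify_url(url, nets=BLOCK_NETS, suffixes=BLOCK_SUFFIXES):
    """Return why a proxy/DNS filter should block this URL, or None if clean."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        addr = ipaddress.ip_address(host)          # literal-IP landing host
        if any(addr in net for net in nets):
            return "blocked-ip-range"
    except ValueError:                             # hostname, not an IP
        if host.endswith(suffixes):                # blanket dynamic-DNS block
            return "blocked-dyndns-suffix"
    # Weak hunting heuristic only: every landing URL quoted above has the
    # shape .../links/<words>.php; expect false positives on real traffic.
    if "/links/" in parsed.path and parsed.path.endswith(".php"):
        return "blackhole-landing-path"
    return None


if __name__ == "__main__":
    print(shared_hosting())
    print(classify_url("http://kennedyana.ru:8080/forum/links/column.php"))
```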
Fake Facebook direct messages - malware campaign
FYI...
Fake Facebook direct messages - malware campaign ...
- http://blog.webroot.com/2012/10/19/m...d-in-the-wild/
Oct 19, 2012 - "... one of my Facebook friends sent me a direct message indicating that his host has been compromised, and is currently being used to send links to a malicious .zip archive through direct messages to all of his Facebook friends...
Sample screenshot of the spamvertised direct download link:
> https://webrootblog.files.wordpress....e_campaign.png
... All of these redirect to hxxp://74.208.231.61 :81/l.php – tomascloud .com – AS8560... user is exposed to a direct download link of Picture15 .JPG .zip.
Detection rate: MD5: dfe23ad3d50c1cf45ff222842c7551ae * ... Trojan.Win32.Bublik.iez; Worm:Win32/Slenfbot..."
* https://www.virustotal.com/file/a6ab...is/1349355521/
File name: Picture15-JPG.scr
Detection ratio: 20/43
Analysis date: 2012-10-04 ..."
___
LinkedIn SPAM / cowonhorse .co
- http://blog.dynamoo.com/2012/10/link...onhorseco.html
19 Oct 2012 - "This fake LinkedIn spam leads to malware on cowonhorse .co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]cowonhorse .co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before..."
___
Fake Friendster emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/10/19/r...e-exploit-kit/
19 Oct 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... sonatanamore .ru used to respond to the following IPs – 70.38.31.71; 202.3.245.13; 203.80.16.81; 213.251.162.65 ... Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef * ... Exploit.JS.Blacole; Trojan.JS.Iframe.acn
Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40** on the affected host... Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 95.142.167.193 :8080/mx/5/A/in..."
* https://www.virustotal.com/file/2d91...is/1349356588/
File name: Friendster.html
Detection ratio: 12/43
Analysis date: 2012-10-04
** https://www.virustotal.com/file/94ff...690d/analysis/
File name: 8fa93035ba01238dd7a55c378d1
Detection ratio: 27/43
Analysis date: 2012-10-05
___
Cisco - Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - October 19, 2012
Fake Shipment Notification E-mail Messages - October 19, 2012
Fake Product Quote Request E-mail Messages - October 19, 2012
Fake Changelog E-mail Messages - October 19, 2012
Fake Xerox Scan Attachment E-mail Messages - October 19, 2012
Fake Bill Statement E-mail Messages - October 19, 2012
Fake Bank Transfer Receipt E-mail Messages - October 19, 2012
Fake Payment Slip E-mail Messages - October 19, 2012
Fake Money Transfer Receipt E-mail Messages - October 19, 2012
Fake Purchase Order Confirmation E-mail Messages - October 19, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 19, 2012
Fake Portuguese Health Alert Notification E-mail Messages - October 19, 2012
Fake Payment Slip Confirmation E-mail Message - October 19, 2012 ...
:mad:
Fake PayPal-NACHA-Intuit emails serve malware
FYI...
Fake PayPal emails serve malware
- http://blog.webroot.com/2012/10/23/p...serve-malware/
Oct 23, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick its users into downloading and executing the malicious attachment found in the legitimate looking email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate for the malicious archive: MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ... Backdoor.Win32.Androm.fm. Once executed, the sample opens a backdoor on the infected host, allowing cybercriminals to gain complete control over the infected host..."
* https://www.virustotal.com/file/1f5f...is/1350578639/
File name: Notification_payment_08_15_2012.exe
Detection ratio: 39/43
Analysis date: 2012-10-18
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake PayPal Account Verification E-mail Messages - October 22, 2012
Fake Payment Confirmation E-mail Messages - October 22, 2012
Fake Picture Link E-mail Messages - October 22, 2012
Fake Portuguese Loan Approval E-mail Messages - October 22, 2012
Malicious Personal Photograph Attachment E-mail Messages - October 22, 2012
Fake UPS Payment Document Attachment E-mail Messages - October 22, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 22, 2012
Fake Changelog E-mail Messages - Updated October 22, 2012
Fake Purchase Order Confirmation E-mail Messages - October 22, 2012...
___
NACHA SPAM / bwdlpjvehrka.ddns .info
- http://blog.dynamoo.com/2012/10/nach...addnsinfo.html
23 Oct 2012 - "This fake NACHA spam leads to malware on bwdlpjvehrka.ddns .info:
Date: Tue, 23 Oct 2012 05:44:05 +0200
From: "noreply@direct.nacha.org"
Subject: Notification about the rejected Direct Deposit payment
Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Please contact your financial institution to acquire the new version of the software.
Sincerely yours
ACH Network Rules Department
NACHA | The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns .info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move."
___
Intuit SPAM / montrealhotpropertyguide .com
- http://blog.dynamoo.com/2012/10/intu...yguidecom.html
23 Oct 2012 - "This fake Intuit spam leads to malware on montrealhotpropertyguide .com:
Date: Tue, 23 Oct 2012 14:45:14 +0200
From: "Intuit QuickBooks Customer Service" [35378B458 @aubergedesbichonnieres .com]
Subject: Intuit QuickBooks Order
Dear [redacted],
Thank you for placing an order with Intuit QuickBooks!
We have received your payment information and it is currently being processed.
ORDER INFORMATION
Order #: 366948851674
Order Date: Oct 22, 2012
[ View order ]
Qty Item Price
1 Intuit QuickBooks Pro Download 2 2012 $183.96***
Subtotal:
Sales Tax:
Total for this Order: $183.96 $0.00 $183.96
*Appropriate credit will be applied to your account.
Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
NEED HELP?
Questions about your order? Please visit Customer Service.
Join Us On Facebook
Close More Sales
Save Time
Privacy | Legal | Contact Us | About Intuit
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof @intuit .com. Please visit http ://security.intuit .com/ for additional security information.
Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
© 2012 Intuit Inc. or its affiliates. All rights reserved.
The malicious payload is on [donotclick]montrealhotpropertyguide .com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US)."
:mad: