Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  Post #11 by AplusWebMaster (Adviser Team; joined Oct 2005; location USA; 6,881 posts)

    Fake Bill.com Invoice, Sage Invoice, NatWest Invoice SPAM ...

    FYI...

    Fake Bill.com Invoice SPAM – PDF malware
    - http://myonlinesecurity.co.uk/bill-c...e-pdf-malware/
    9 Sep 2014 - "'Bill.com Invoice has been paid' pretending to come from The Bill .com Team <notificationonly@ hq.bill .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    [ Bill .com image ]
    Hi,
    Thank you for payment to Bill.com. The credit/debit card you have on file with us was successfully charged $115.33 for the billing period 08/01/14-09/01/14.
    The Statement for this account is now available for viewing. Please find it attached to this email.
    Have questions? Sign in at our website, then contact support.
    Thank you,
    The Bill .com Team
    Please do not respond to this email. This e-mail was sent from a notification-only e-mail address.


    9 September 2014: bill-d59f78596bfa79e01898cf9d0e645b99328028d597e9005146787f09435a01016270d6ffc5d69ec27901.zip (486 kb):
    Extracts to BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe Current Virus total detections: 28/55*. This Bill .com Invoice has been paid is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1410252379/
    ____

    “Google dorking“ ...
    - http://blog.trendmicro.com/trendlabs...ns-everywhere/
    Sep 9, 2014 - "Last July, the US Department of Homeland Security warned of a new kind of criminal attack: "Google dorking"*. This refers to asking Google for things they have found via special search operators... Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds "secret" data, it adds it to Google's database just like any other kind of information... suppose your company's HR representative left a spreadsheet with -confidential- employee data -online- . Since it's open for everyone to access, the crawler sees and indexes it. From then on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find. This kind of "attack" has been around for as long as search engines have been around. There are whole books devoted to the subject of "Google dorking", which is more commonly known as "Google hacking". Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google's search operators to find information. The warning – as ridiculous as it might seem – has some merit... finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can't be blamed for finding what has been left public; it's the job of web admins to know what is and isn't on their servers wide open for the world to see. It's not just confidential documents that are open to the public, either. As we noted as far back as 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine. This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it's still a problem to this day. In short: this problem has been around for a while, but given that it's still around, an official warning from the DHS is a useful reminder to web admins everywhere: perform "Google dorking" against your own servers frequently, looking for things that shouldn't be there. If you don't, somebody else will and their intentions might not be so pure..."
    * https://publicintelligence.net/feds-google-dorking/
    ___

    Fake Sage Outdated Invoice SPAM – PDF malware
    - http://myonlinesecurity.co.uk/sage-o...e-pdf-malware/
    9 Sep 2014 - "'Outdated Invoice' pretending to come from Sage Account & Payroll <invoice@ sage .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    [Sage logo image ]
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
    ... Account?432532=Invoice_090914.zip
    If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
    The contents of this email and any attachments are confidential...


    9 September 2014: invoice_090914.zip (18 kb): Extracts to invoice_090914.scr
    Current Virus total detections: 4/55*. This 'Outdated Invoice' is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1410267601/

    - http://blog.dynamoo.com/2014/09/sage...oice-spam.html
    9 Sep 2014
    "Recommended blocklist:
    95.141.37.158 ..."
    (More detail at the dynamoo URL above.)

    95.141.37.158: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake NatWest Invoice SPAM - PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    9 Sep 2014 - "'Important – New account invoice' pretending to come from NatWest Invoice <invoice@ natwest .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    [NatWest logo image]
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below...


    9 September 2014: invoice_090914.zip (18 kb): Extracts to invoice_090914.scr
    Current Virus total detections: 4/55*. This 'Important – New account invoice' is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1410267601/
    ___

    Fake Worker’s Compensation SPAM – word.doc malware
    - http://myonlinesecurity.co.uk/hmcts-...d-doc-malware/
    9 Sep 2014 - "'HMC&TS Worker's Compensation Appeal' pretending to come from HM Courts and Tribunals Service <submit.wjq@ courtsni .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... So far today I have seen several subjects for this email:
    HMC&TS Worker’s Compensation Appeal
    Worker’s Compensation Summons
    HM Courts & Tribunals Service Summons
    HM Courts & Tribunals Service
    All the emails are very similar, but will have different courts or tribunals listed and different dates, case numbers and tribunal members. The faked sender will always be the same name as the recipient of the email with a few random letters after the name... Email reads:
    Worker’s Compensation Appeal Tribunal
    Decision # 502
    Board Direction To Rehear Decision #695
    Claim No.: 2504=5704
    Date of Original Notice of Appeal: June 10, 2014
    Date Received at The Tribunal: June 19, 2014
    Date of Board Direction to Rehear: August 11, 2014
    Received: August 20, 2014
    Date of Documentary Review by Appeal Committee: August 23, 2014
    Date of Decision: September 6, 2014
    To Whom It May Concern,
    Your Corporation (named Respondent)
    Appears to be in default because of its failure to comply with the Administrative Law Judge’s Prehearing Order without decent cause, and such default by Respondent constitutes an admission of all facts alleged in the Complaint and a waiver of Respondent’s right to contest such factual allegations. Respondent violated the section 9(6), paragraph B13(1) of the Jobseekers Act 1995.
    We recommend you to download a copy of original Complaint at Tribunal in attachment below...


    9 September 2014: Copy68789.zip (66 kb): Extracts to Copy of original Complaint at Tribunal.docx.exe
    Current Virus total detections: 1/55*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper Microsoft Word .doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1410269102/

    - http://threattrack.tumblr.com/post/9...s-service-spam
    Sep 9, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...cAX1r6pupn.png

    Malicious File Name and MD5:
    Copy4855.zip (854ADF297E8B1D79BA0E744F90AFDE50)
    Copy of original Complaint at Tribunal.docx.exe (6D9BDE90B81C064ACA5ED994BC8A981A)


    Tagged: HM Courts & Tribunals, Kuluoz
    ___

    Hacks throw 25 malware variants at Apple Mac OS X
    - http://www.theinquirer.net/inquirer/...apple-mac-os-x
    Sep 9 2014 - "... 25 varieties of malware, some of which are being used in targeted attacks, warns security firm F-Secure. F-Secure reported uncovering the malware variants in its Threat Report H1 2014*, claiming it discovered the first 20 attack tools earlier this year..."
    * http://www.f-secure.com/weblog/archives/00002741.html
    Sep 8, 2014

    Last edited by AplusWebMaster; 2014-09-09 at 20:37.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
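Every sample in the post above relies on the same trick: an executable (.exe or .scr) inside a zip, named so that a hidden known extension and a spoofed icon make it look like a PDF or Word document. The following mail-gateway style check is an added example written for this thread, not code from the post or from any of the blogs it quotes; it lists a zip's members without extracting them and flags executable extensions, and in particular a document extension that hides one. The zip is constructed in the block from the attachment names the post reports, with empty contents.

```python
import io
import zipfile

# Extensions Windows will run even when a spoofed icon makes the file look like a document.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions the lures in this thread imitate (.pdf.exe, .docx.exe, invoice_*.scr).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


def classify_attachment(name):
    """Return (verdict, reason) for one attachment name.

    verdict is 'block' for an executable extension (with or without a
    document extension in front of it) and 'allow' otherwise.
    """
    base = name.lower().rsplit("/", 1)[-1]          # ignore any folder inside the zip
    parts = base.split(".")
    if len(parts) < 2:
        return ("suspicious", "no extension")
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return ("block", f"document extension '.{parts[-2]}' hides executable '.{last}'")
        return ("block", f"executable extension '.{last}'")
    return ("allow", f"extension '.{last}'")


def scan_zip_bytes(data):
    """Read the central directory of a zip and classify every file member (nothing is extracted)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_attachment(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def build_sample_zip(names):
    """Constructed test fixture: a zip holding empty files with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Attachment names reported in the post, plus one benign PDF for contrast (constructed).
SAMPLE_NAMES = [
    "BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe",
    "invoice_090914.scr",
    "Copy of original Complaint at Tribunal.docx.exe",
    "statement_0914.pdf",
]
```

Running `scan_zip_bytes(build_sample_zip(SAMPLE_NAMES))` flags the first three names and allows only the real .pdf; the same check applied before delivery removes the need to rely on each user having "show known file extensions" enabled.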
