FYI...
Fake Sendspace SPAM "You have been sent a file" / anifkailood .ru:
- http://blog.dynamoo.com/2012/12/you-...pace-spam.html
10 Dec 2012 - "This fake Sendspace spam leads to malware on anifkailood .ru:
Date: Mon, 10 Dec 2012 06:01:01 -0500
From: "Octavio BOWMAN" [AdlaiBaldacci @telefonica .net]
Subject: You have been sent a file (Filename: [redacted]-722.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]anifkailood .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."
___
Fake AICPA SPAM / eaglepointecondo .co
- http://blog.dynamoo.com/2012/12/aicp...tecondoco.html
10 Dec 2012 - "This fake AICPA spam leads to malware on eaglepointecondo .co:
Date: Mon, 10 Dec 2012 19:29:21 +0400
From: "AICPA" [alerts@aicpa.org]
Subject: Income fake tax return accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.
Termination of Public Account Status due to income tax fraud allegations
Respected accountant officer,
We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.
SubmittedReport.doc
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]eaglepointecondo .co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently* for malware distribution..."
* http://blog.dynamoo.com/search?q=59.57.247.185
> http://www.aicpa.org/news/featuredne...ent-email.aspx
Your CPA License has -not- been revoked
- https://isc.sans.edu/diary.html?storyid=14674
Last Updated: 2012-12-10 - "I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded.
> https://isc.sans.edu/diaryimages/images/CPAEmail.png
The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are sent on the usual malware redirect loop:
The first stop is httx ://tesorogroup .com/components/com_ag_google_analytics2/taxfraudalert.html
It includes javascript and meta tag redirects to
httx ://eaglepointecondo. co/ detects /denouncement-reports.php
... which will test our browser for vulnerable plugins and try to run a java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co. The two hosts currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
Wepawet does a nice job analysing the obfuscated javascript:
http://wepawet.iseclab.org/view.php?...160668&type=js ..."
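The ISC diary above suggests checking DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co. The script below is an added example (not code from the ISC diary, from Dynamoo or from any other source quoted here): it takes the indicators exactly as the excerpts print them (defanged with "[donotclick]", "httx ://" and "example .com" spacing), refangs them down to bare hostnames, and scans BIND-style query-log lines for lookups of those domains or any of their subdomains. The log lines, the internal client addresses and the exact log format are constructed for illustration and are assumptions, not data from the write-ups.

```python
import re

# Indicators copied, still defanged, from the excerpts quoted above.
DEFANGED_IOCS = [
    "[donotclick]anifkailood .ru:8080/forum/links/column.php",
    "[donotclick]eaglepointecondo .co/detects/denouncement-reports.php",
    "[donotclick]eaglepointecondo .org/detects/denouncement-reports.php",
    "httx ://tesorogroup .com/components/com_ag_google_analytics2/taxfraudalert.html",
]


def refang(ioc):
    """Undo the defanging conventions used in the write-ups above:
    '[donotclick]' prefix, 'httx ://' scheme and 'example .com' spacing."""
    s = ioc.strip().replace("[donotclick]", "")
    s = re.sub(r"^httx\s*://", "http://", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\.\s*", ".", s)  # 'example .com' -> 'example.com'
    return s


def hostname_of(ioc):
    """Reduce a (defanged) URL or host:port string to a lower-case hostname."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(ioc), flags=re.IGNORECASE)
    host = s.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


# The watchlist: one bare hostname per indicator, deduplicated.
WATCHED_DOMAINS = sorted({hostname_of(i) for i in DEFANGED_IOCS})


def matched_domain(qname, watched=WATCHED_DOMAINS):
    """Return the watchlist entry that qname equals or is a subdomain of,
    or None. The leading '.' check avoids a suffix trap such as
    'notanifkailood.ru' matching 'anifkailood.ru'."""
    q = qname.lower().rstrip(".")
    for d in watched:
        if q == d or q.endswith("." + d):
            return d
    return None


# BIND 9 query-log style line (assumed format):
#   <date> <time> client <ip>#<port>: query: <name> IN <type> + (<server ip>)
QUERY_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def scan_query_log(lines, watched=WATCHED_DOMAINS):
    """Yield (client, queried name, watchlist entry) for every matching line."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        d = matched_domain(m.group("qname"), watched)
        if d:
            hits.append((m.group("client"), m.group("qname").rstrip("."), d))
    return hits


# Constructed sample log lines (not real traffic); client IPs are made up.
SAMPLE_LOG = [
    "10-Dec-2012 14:02:11.005 client 10.1.2.33#51344: query: www.example.com IN A + (10.1.0.1)",
    "10-Dec-2012 14:02:19.412 client 10.1.2.33#51390: query: tesorogroup.com IN A + (10.1.0.1)",
    "10-Dec-2012 14:02:20.077 client 10.1.2.33#51391: query: eaglepointecondo.co IN A + (10.1.0.1)",
    "10-Dec-2012 14:05:40.900 client 10.1.2.48#60012: query: notanifkailood.ru IN A + (10.1.0.1)",
    "10-Dec-2012 14:06:02.118 client 10.1.2.48#60020: query: cdn.eaglepointecondo.org. IN AAAA + (10.1.0.1)",
]

if __name__ == "__main__":
    for client, qname, d in scan_query_log(SAMPLE_LOG):
        print(f"{client} resolved {qname} (watchlist entry: {d})")
```

Running it against the constructed log reports the two lookups from 10.1.2.33 and the cdn.eaglepointecondo.org lookup from 10.1.2.48; the www.example.com and notanifkailood.ru lines are ignored. A client that looks up tesorogroup.com and then eaglepointecondo.co within a second or two, as 10.1.2.33 does here, matches the redirect chain the diary describes and is the host worth pulling for a closer look.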
___
Facebook SCAM goes wild - doubles over the weekend ...
- http://community.websense.com/blogs/...e-weekend.aspx
10 Dec 2012 - "Last week we wrote a blog* about a specific Facebook scam that appeared to spread rather aggressively... Websense.. detected that the scam has increased and multiplied over the weekend - particularly on Saturday where we saw the amount of unique URLs related to this scam double. This shows how cyber crooks time their attacks to times where users are more laid back and when the security community is less likely to alert users on this type of threat... The scam spreads using click-jacking techniques and employs a mass number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid .org... A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:
> http://community.websense.com/cfs-fi...as_5F00_23.jpg
Screenshot of the scam's main page:
> http://community.websense.com/cfs-fi...as_5F00_24.jpg
What the scam looks like in Facebook's news feed. The scam uses varied sexually implied images and varied enticing wording to lure users' clicks:
> http://community.websense.com/cfs-fi...as_5F00_25.jpg
* http://community.websense.com/blogs/...-facebook.aspx
Facebook Spam leverages/abuses Instagram App
- http://blog.trendmicro.com/trendlabs...instagram-app/
Dec 10, 2012 - "... social networking sites have been often used to proliferate malware. Just recently, we spotted a Facebook clickjacking attack that leverages and abuses Instagram to point users to malicious websites. Users encounter this threat by being tagged in a photo posted by one of their contacts on Facebook. The post states that users can know who visited their profile on Facebook and how often. It also includes a photo posted via Instagram. We noticed that the photo and the names used in the “Recent Profile Views” (see below) are used repeatedly for other attacks.
> http://blog.trendmicro.com/trendlabs...screenshot.gif
Should users decide to click the link, they are led to a page with instructions on how to generate the verification code. Once done, a pop-up window appears, which is actually the Instagram for Facebook app asking users to click “Go to App” button. Once done, it -redirects- users to a page that looks like the Facebook Home page.
> http://blog.trendmicro.com/trendlabs...e_facebook.gif
... the address bar is different from the legitimate Facebook homepage. Users are then asked to copy and paste the malicious URL (which varies per user) in a certain dialog box and to click ‘continue’... the link so far gathered 825,545 clicks worldwide, mostly coming from the Philippines and India. The said link is attributed to the account maygup88, who is also responsible for 130 other blocked domains. This type of threat on Facebook has taken on different forms these past months, usually under the veil of popular brands such as Diablo 3 and iPad. It even expanded to other social networking sites like Pinterest and Tumblr, which only means one thing: users are still falling for these scams. With this in mind, users are advised to take precautionary steps such as double-checking the legitimacy of links and posts. And remember: just because a contact posted that link, it does not mean it’s safe..."
___
AICPA SPAM / eaglepointecondo .org
- http://blog.dynamoo.com/2012/12/aicpa-spam.html
10 Dec 2012 - "Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo .org:
Date: Mon, 10 Dec 2012 18:51:38 +0100
From: "AICPA" [info @aicpa .org]
Subject: Tax return assistance fraud.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.
Suspension of CPA license due to income tax indictment
Valued AICPA participant,
We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Mon, 10 Dec 2012 14:50:40 -0300
From: "AICPA" [noreply @aicpa .org]
Subject: Your accountant license can be end off.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.
Suspension of Accountant status due to tax return fraud prosecution
Respected AICPA member,
We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.
Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.
SubmittedReport.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
In this case the malicious payload is at [donotclick]eaglepointecondo .org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today*."
* http://blog.dynamoo.com/2012/12/aicp...tecondoco.html
___
GFI Labs Email Roundup for the Week
- http://www.gfi.com/blog/gfi-labs-ema...or-the-week-5/
Dec 10, 2012 - "... noteworthy email threats for the week of December 3 to 7:
- Phishers Target Wells Fargo Clients
- Message from the Department of Investigations
- Amazon eBook Spam in the Wild
- Spam from AICPA ...
(More detail and screenshots at the gfi URL above.)