
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    #171 AplusWebMaster (Adviser Team)

    Fake Boston Marathon SPAM ...

    FYI...

    Fake Boston Marathon SPAM / askmeaboutcctv .com
    - http://blog.dynamoo.com/2013/04/bost...utcctvcom.html
    17 April 2013 - "This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv .com:
    Sample 1:
    From: Graham Jarvis [mailto:alejandro.alfonzo-larrain @tctwest .net]
    Sent: 17 April 2013 09:49
    Subject: Video of Explosion at the Boston Marathon 2013
    hxxp:||61.63.123.44/news .html
    Sample 2:
    From: Sally Rasmussen [mailto:artek33 @risd .edu]
    Sent: 17 April 2013 09:49
    To: UK HPEA 2
    Subject: Aftermath to explosion at Boston Marathon
    hxxp:||190.245.177.248/news .html


    (Note that the payload links have been lightly obfuscated, don't click them).
    If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv .com/wmiq.html (report here*) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.
    * http://urlquery.net/report.php?id=2044081
    ... RedKit applet + obfuscated URL...
    more sample subjects and links:
    Subject: Video of Explosion at the Boston Marathon 2013
    Subject: Aftermath to explosion at Boston Marathon
    Subject: Explosion at Boston Marathon
    Subject: Explosions at the Boston Marathon
    [donotclick]46.233.4.113 /boston.html
    [donotclick]37.229.92.116 /boston.html
    [donotclick]188.2.164.112 /news.html
    [donotclick]109.87.205.222 /news.html
    I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way."

    - http://blog.dynamoo.com/2013/04/webs...-marathon.html
    17 April 2013 - "Earlier today I reported some Boston Marathon themed spam and since then I have seen more malicious landing pages on -hacked- legitimate sites as follows (don't click those links, obviously):
    hxxp :||46.233.4.113 /boston.html
    96.125.163.122 (WebsiteWelcome.com, US) ...
    hxxp :||190.245.177.248 /news.html
    184.172.168.32 (WebsiteWelcome.com, US)...
    hxxp :||95.87.6.156 /boston.html
    50.22.194.64 (WebsiteWelcome.com, US)...
    69.56.174.178 ...
    This situation has been reported to HostGator / WebsiteWelcome who are investigating..."
    (More detail at the dynamoo URL above.)

    Sample screenshot: https://gs1.wac.edgecastcdn.net/8019...Pcg1qz4rgp.png
    ___

    KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast
    - http://blog.trendmicro.com/trendlabs...arathon-blast/
    April 16, 2013 11:52 pm (UTC-7) - "... a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013" to name a few. Below is a spam sample she found:
    > http://blog.trendmicro.com/trendlabs...blast_fig1.png
    The spammed message only contains the URL... but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:
    > http://blog.trendmicro.com/trendlabs...blast_fig2.png
    ... Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.
    > http://blog.trendmicro.com/trendlabs...blast_fig6.png
    ... a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief."
    ___

    Boston Marathon bombings used to spread malware
    - https://www.net-security.org/malware_news.php?id=2469
    April 17, 2013 - "... the Boston Marathon bombings have become an effective lure in the hands of cyber scammers and malware peddlers. Kaspersky Lab researchers are warning about spam emails* offering nothing more than a simple link to a web page that contains URLs of non-malicious YouTube videos about the attacks. Unfortunately, after 60 seconds, another link is activated, and this one leads to a malicious executable:
    > https://www.net-security.org/images/...e-17042013.jpg
    The file offered for download is a variant of the Tepfer info-stealer Trojan, which phones home to a number of IP addresses in Ukraine, Argentina and Taiwan... don't follow links or download files delivered via unsolicited emails or messages sent via popular social media sites and IM services. Your best bet is to check out reputable news sites for information."
    * https://www.securelist.com/en/blog/2...ston_Aftermath
    ___

    Fake BBB SPAM / janariamko .ru
    - http://blog.dynamoo.com/2013/04/bbb-...ariamkoru.html
    17 Apr 2013 - "After a few quiet days on the RU:8080 spam front it has started again..
    Date: Wed, 17 Apr 2013 20:18:14 +0800
    From: "Better Business Bureau" [guttersnipeg792 @ema1lsv100249121 .bbb.org]
    Subject: Better Business Beareau accreditation Terminated 64A488W04
    Case N. 64A488W04
    Respective Owner/Responsive Person:
    The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.
    We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
    bbb .org/business-claims/customercare/report-65896564
    If you think you got this email by mistake - please forward this message to your principal or accountant
    We are looking forward to your prompt answer.
    Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
    Sincerely,
    Gabriel Reyes - Online Communication Specialist
    bbb.org - Start With Trust


    The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here*) hosted on the following IPs:
    91.191.170.26 (Netdirekt, Turkey)
    93.187.200.250 (Netdirekt, Turkey)
    208.94.108.238 (Fibrenoire, Canada)
    Blocklist:
    91.191.170.26
    93.187.200.250
    208.94.108.238
    ..."
    * http://urlquery.net/report.php?id=2048054
    ... Blackholev2 redirection successful 93.187.200.250
    ___

    Another BBB spam run / freedblacks .net
    - http://blog.dynamoo.com/2013/04/bbb-...blacksnet.html
    17 Apr 2013 - "Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks .net.
    Date: Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
    From: BBB [bridegroomc @m.bbb .org]
    Subject: Better Business Beareau accreditation Cancelled P5088819
    Case No. P5088819
    Respective Owner/Responsive Person:
    The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.
    We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
    bbb .org/business-claims/customercare/report-02111671
    If you think you recieved this email by mistake - please forward this message to your principal or accountant
    We are looking forward to your prompt answer.
    Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
    Sincerely,
    Ian Wilson - Online Communication Specialist
    bbb.org - Start With Trust


    The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here*) hosted on the following IPs:
    65.34.160.10 (Comcast, US)
    94.249.206.117 (GHOSTnet, Germany)
    155.239.247.247 (Centurion Telkom, South Africa)
    173.234.239.60 (Nobis Technology Group, US)
    Blocklist:
    65.34.160.10
    94.249.206.117
    155.239.247.247
    173.234.239.60
    ..."
    * http://wepawet.iseclab.org/view.php?...206729&type=js
    ___

    Fake CNN .com Boston Marathon SPAM / thesecondincomee .com
    - http://blog.dynamoo.com/2013/04/cnnc...thon-spam.html
    17 Apr 2013 - "This Boston Marathon themed spam leads to malware on thesecondincomee .com:
    Example 1:
    Date: Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
    From: CNN Breaking News [BreakingNews@mail.cnn.com]
    Subject: Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
    CNN.com
    Powered by
    * Please note, the sender's email address has not been verified.
    You have received the following link from BreakingNews @mail .cnn .com:
    Click the following to access the sent link:
    Boston Marathon Explosions - Obama Benefits? - CNN.com*
    SAVE THIS link FORWARD THIS link
    Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
    *This article can also be accessed if you copy and paste the entire address below into your web browser.
    by clicking here

    Example 2:
    Date: Wed, 17 Apr 2013 22:32:56 +0600
    From: behring401 @mail .cnn .com
    Subject: Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
    Powered by
    * Please note, the sender's email address has not been verified.
    You have received the following link from BreakingNews @mail .cnn .com:
    Click the following to access the sent link:
    Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
    Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
    This article can also be accessed if you copy and paste the entire address below into your web browser.
    by clicking here


    Screenshot: https://lh3.ggpht.com/-ZWq-ThYXI-U/U...cnn-boston.png
    The malicious payload is at [donotclick]thesecondincomee .com/news/agency_row_fixed.php hosted on:
    94.249.206.117 (GHOSTnet, Germany)
    155.239.247.247 (Centurion Telkom, South Africa)
    173.234.239.60 (Nobis Technology Group, US)
    The recommended blocklist is the same as used in this earlier attack*."
    * http://blog.dynamoo.com/2013/04/bbb-...blacksnet.html

    Last edited by AplusWebMaster; 2013-04-17 at 22:47.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
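    The dynamoo items quoted above each close with a list of IPs and domains to block, written defanged (hxxp :||, a space before the dot, [donotclick]) so that nobody clicks them by accident. What follows is an added example of turning those lines back into a usable blocklist, plus a check for the lure-URL shape this run shares (a bare IPv4 host and one top-level .html page). It is not code from the forum post or from dynamoo; the indicator lines are copied from the thread, while the defang rules, the function names and the constructed sample body are assumptions.

```python
"""Turn the defanged indicators quoted in this post into a usable blocklist.

Added example; this is not code from the forum post or from the dynamoo blog.
The indicator lines are copied from the thread; the defanging conventions
handled (hxxp, :|| for ://, a space before a dot or slash, [donotclick], [.])
and the function names are assumptions about how such reports are written.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Lines as they appear in the post above (constructed list, copied from the thread).
REPORT_LINES = [
    "hxxp:||61.63.123.44/news .html",
    "hxxp :||46.233.4.113 /boston.html",
    "[donotclick]188.2.164.112 /news.html",
    "[donotclick]askmeaboutcctv .com/wmiq.html",
    "[donotclick]janariamko.ru:8080/forum/links/public_version.php",
    "[donotclick]freedblacks.net/news/agency_row_fixed.php",
    "96.125.163.122 (WebsiteWelcome.com, US) ...",
    "91.191.170.26 (Netdirekt, Turkey)",
]


def refang(line: str) -> str:
    """Reverse the obfuscation so the indicator parses as a normal URL or host."""
    s = line.strip().replace("[donotclick]", "").replace("[.]", ".")
    s = re.sub(r"^hxxp(s?)\s*:\|\|", r"http\1://", s, flags=re.M)  # "hxxp :||host" -> "http://host"
    s = re.sub(r"\s+\.", ".", s)   # "askmeaboutcctv .com" -> "askmeaboutcctv.com"
    s = re.sub(r"\s+/", "/", s)    # "46.233.4.113 /boston.html" -> "46.233.4.113/boston.html"
    return s


def indicator(line: str):
    """Return ("ip" | "domain", host) for one report line.

    Annotations such as "(Netdirekt, Turkey)" after the first token are ignored.
    """
    token = refang(line).split()[0]
    if "://" not in token:
        token = "http://" + token      # urlsplit only finds the host when a scheme is present
    host = urlsplit(token).hostname    # lower-cased, port stripped
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "domain", host


def build_blocklist(lines):
    """Deduplicated IPs and domains, ready to paste into a proxy or DNS denylist."""
    ips, domains = set(), set()
    for line in lines:
        kind_host = indicator(line)
        if kind_host is None:
            continue
        kind, host = kind_host
        (ips if kind == "ip" else domains).add(host)
    return {"ips": sorted(ips, key=ipaddress.ip_address), "domains": sorted(domains)}


# Every lure URL in this run has the same shape: a bare IPv4 host and a single
# top-level page such as news.html, boston.html or texas.html. Flagging that shape
# in mail bodies catches the next rotation before its IPs reach any blocklist.
LURE_RE = re.compile(r"\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})/[A-Za-z0-9_-]+\.html?\b")


def lure_urls(body: str):
    """URLs in an email body that match the bare-IP-plus-one-page shape seen in this run."""
    return [m.group(0) for m in LURE_RE.finditer(refang(body))]


if __name__ == "__main__":
    bl = build_blocklist(REPORT_LINES)
    print("block IPs:", *bl["ips"])
    print("block domains:", *bl["domains"])
    # Constructed body in the style of the samples quoted above.
    print("lure:", lure_urls("Subject: Explosion at Boston Marathon\nhxxp :||37.229.92.116 /boston.html\n"))
```

    Only hosts are extracted on purpose: the landing page path changes between runs while the hacked host is reused, and the second dynamoo post notes the landing domain rotates hourly, so the IP and domain list ages quickly and the URL-shape check is the part that survives a rotation.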

    #172 AplusWebMaster (Adviser Team)

    Malicious Texas Explosion SPAM ..

    FYI...

    Malicious Texas Explosion SPAM
    - http://blog.dynamoo.com/2013/04/fert...near-waco.html
    18 April 2013 - "As I suspected, this didn't take long. This spam is a retread of yesterday's Boston Marathon spam.
    From: Maria Numbers [mailto:tjm7 @deco-club .ru]
    Sent: 18 April 2013 11:51
    To: UK HPEA 3
    Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
    hxxp :||83.170.192.154 /news.html


    At the moment the payload site is [donotclick]bigmovies777 .sweans .org/aoiq.html (report here* but site appears b0rked) but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are -hacked- legitimate sites hosted by WebsiteWelcome. If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
    > https://lh3.ggpht.com/-9WKYbkNtVV4/U...-explosion.jpg
    The Boston Marathon spam led to a RedKit exploit kit, this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop. Advising your user population of the risk may be prudent.
    Sample subjects:
    CAUGHT ON CAMERA: Fertilizer Plant Explosion
    CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
    Raw: Texas Explosion Injures Dozens
    Texas Explosion Injures Dozens..."
    * http://urlquery.net/report.php?id=2061326
    ___

    Malicious West, TX Exploison Spam
    - http://threattrack.tumblr.com/post/4...exploison-spam
    18 April 2013 - "Subjects Seen:
    West Tx Explosion
    Video footage of Texas explosion

    Typical e-mail details:
    182.235.147.164 /texas.html

    Malicious URLs
    182.235.147.164 /texas.html
    78.90.133.133 /news.html


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Bze1qz4rgp.png
    ___

    Malicious Secure Message Spam
    - http://threattrack.tumblr.com/post/4...e-message-spam
    18 April 2013 - "Subjects Seen:
    New Secure Message Received from [removed]
    Typical e-mail details:
    Greetings [removed],
    You have received a new secure message from [removed].
    If you are using the Secure Message Plugin in Outlook Messamnger this message will be in your SecureMSG Folder.
    If you are NOT using the Secure Message Plugin, you are able to view it at csiweb.com/[removed] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
    Thank You,
    CSIeSafe


    Malicious URLs
    klamzi .hu/csisecurmsg.html?id=8757234110
    sub.newwaysys .com/complaints/rush-lacked_whereby.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...RZF1qz4rgp.png
    ___

    Texas and Boston Blasts SPAM
    - http://www.hotforsecurity.com/blog/s...aves-5973.html
    April 18, 2013 - "The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of malicious spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware... based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks. In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users’ account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails. The same criminal group that launched the Boston spam has apparently changed the subject tag line to read: Fertilizer Plant Explosion Near Waco, Texas, Texas Explosion Injures Dozens, West Tx Explosion, Raw: Texas Explosion Injures Dozens, Caught on Camera: fertilizer Plant Explosion Near Waco, Texas. They replaced the ending of the malicious URL with “texas.html” but kept the e-mail format, the compromised domains, the modus operandi, and the RedKit.
    Screenshot1: http://www.hotforsecurity.com/wp-con...am-Waves_1.png
    ... Users who click the URLs land on a website displaying YouTube videos on the Texas plant blast while, in the background, a component of RedKit downloads malicious software.
    Screenshot2: http://www.hotforsecurity.com/wp-con...pam-Waves2.png
    ... be cautious and avoid opening e-mails promising exclusive videos about the blast – and never click on the included links..."
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake ADP Payroll Invoice Notification E-mail Messages - 2013 Apr 18
    Fake Digital Certificate Notification E-mail Messages - 2013 Apr 18
    Fake Lawsuit Documents Attachment E-mail Messages - 2013 Apr 18
    Fake PayPal Notification E-mail Messages - 2013 Apr 18
    Fake Payment Request Notice E-mail Messages on Messages - 2013 Apr 18
    Fake Tax Document Submission Notification E-mail Messages - 2013 Apr 18
    Malicious Attachment E-mail Messages - 2013 Apr 18
    Scanned Document Attachment E-mail Messages - 2013 Apr 18
    (Links and more detail available at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-04-19 at 13:52.

    #173 AplusWebMaster (Adviser Team)

    Fake Facebook scam leads to Fake Flash Player

    FYI...

    Fake Facebook scam leads to Fake Flash Player...
    - http://blog.trendmicro.com/trendlabs...e-adobe-flash/
    April 19, 2013 - "Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.
    > https://blog.trendmicro.com/trendlab...ookprofile.png
    ... we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead led to this site:
    > http://blog.trendmicro.com/trendlabs...ebook-page.jpg
    From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If the user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US. Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs... cybercriminals and other bad guys out there are using the platform to launch their schemes. From threats that may steal your credit card information to garden-variety scams, users must always be careful with their social media accounts. Always be wary when clicking links, even if they are from your contact or friends..."
    ___

    Fake American Express SPAM / CD0199381.434469398992.zip
    - http://blog.dynamoo.com/2013/04/amer...ress-spam.html
    19 Apr 2013 - "This fake American Express spam comes with a malicious attachment:
    Date: Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
    From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
    Subject: PAYVE - Remit file
    Part(s): 2 CD0199381.434469398992.zip [application/zip]
    A payment(s) to your company has been processed through the American Express Payment
    Network.
    The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).
    - The remittance file contains invoice information passed by your buyer. Please
    contact your buyer
    for additional information not available in the file.
    - The funds associated with this payment will be deposited into your bank account
    according to the
    terms of your American Express merchant agreement and may be combined with other
    American Express deposits.
    For additional information about Deposits, Fees, or your American Express merchant
    agreement:
    Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday,
    8:00 AM to 8:00 PM ET. - You can also view PAYVE payment and invoice level details
    using My Merchant Account/Online Merchant Services.
    If you are not enrolled in My Merchant Account/OMS, you can do so at
    www.americanexpress.com/mymerchantaccount
    or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
    be glad to help you.
    For quick and easy enrollment, please have your American Express Merchant Number,
    bank account ABA (routing number)
    and DDA (account number) on hand.
    This customer service e-mail was sent to you by American Express. You may receive
    customer service e-mails even if you have unsubscribed from marketing e-mails from
    American Express.
    Copyright 2013 American Express Company...


    There is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe [note the date is encoded in the file]. VirusTotal results for that file are just 6/46*. ThreatExpert reports** that the malware communicates with the following servers:
    mail.yaklasim .com (212.58.4.13: Doruknet, Turkey)
    autoservicegreeley .com (198.100.45.44: A2 Hosting, US)
    This malware shares some characteristics with this attack***.
    Blocklist:
    198.100.45.44
    212.58.4.13
    ..."
    * https://www.virustotal.com/en/file/a...is/1366379362/
    File name: CD0199381-04192013.exe
    Detection ratio: 6/46
    Analysis date: 2013-04-19
    ** http://www.threatexpert.com/report.a...622e9e5277ffce
    *** http://blog.dynamoo.com/2013/04/fise...tion-spam.html

    Last edited by AplusWebMaster; 2013-04-19 at 20:38.
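    The American Express sample above arrives as a ZIP attachment wrapping an .exe whose name carries the send date. Below is an added example of the attachment check a mail gateway would run on such a message: open every ZIP attachment, flag members that are executables by extension or by their MZ magic, and pull out an embedded MMDDYYYY stamp. This is not code from the forum post or from dynamoo; the message and the two-byte MZ stub that stands in for the real CD0199381-04192013.exe are constructed here, and the extension list, the size cap and the function names are assumptions.

```python
"""Inspect a mail attachment the way this AmEx run calls for: a ZIP wrapping a date-stamped .exe.

Added example, not code from the forum post or the dynamoo blog. The sample
message is constructed here (a two-byte "MZ" stub stands in for the real
CD0199381-04192013.exe); the extension list and function names are assumptions.
"""
import datetime
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
            ".js", ".jse", ".vbs", ".wsf", ".jar"}
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def build_sample_email() -> bytes:
    """Constructed message that mirrors the quoted spam: a zip attachment holding one .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("CD0199381-04192013.exe", b"MZ" + b"\x00" * 62)   # fake PE header stub
    msg = EmailMessage()
    msg["From"] = "PAYVESUPPORT@AEXP.COM"
    msg["Subject"] = "PAYVE - Remit file"
    msg.set_content("The remittance details for the payment(s) are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="CD0199381.434469398992.zip")
    return msg.as_bytes()


def embedded_date(name: str):
    """Return an ISO date if the filename carries an MMDDYYYY stamp like the one in this run."""
    for digits in re.findall(r"\d{8}", name):
        try:
            return datetime.datetime.strptime(digits, "%m%d%Y").date().isoformat()
        except ValueError:
            continue
    return None


def inspect_zip(blob: bytes, attachment_name: str):
    """Flag zip members that are executables by extension or by their MZ magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            with z.open(info) as f:
                magic = f.read(2)          # only the header is inflated, never the whole member
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXEC_EXT or magic == b"MZ":
                findings.append({
                    "attachment": attachment_name,
                    "member": info.filename,
                    "exec_extension": ext in EXEC_EXT,
                    "mz_header": magic == b"MZ",
                    "embedded_date": embedded_date(info.filename),
                })
    return findings


def suspicious_attachments(raw: bytes):
    """Walk every attachment of a raw RFC 5322 message and return the executable findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if not isinstance(data, bytes):
            continue
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                findings.extend(inspect_zip(data, name))
            except (zipfile.BadZipFile, RuntimeError):   # RuntimeError: password-protected member
                findings.append({"attachment": name, "member": None, "error": "unreadable zip"})
        elif os.path.splitext(name)[1].lower() in EXEC_EXT or data[:2] == b"MZ":
            findings.append({"attachment": name, "member": None, "exec_extension": True,
                             "mz_header": data[:2] == b"MZ", "embedded_date": embedded_date(name)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_email()):
        print(finding)
```

    The MZ check matters more than the extension list: a renamed member still opens as a program once the user double-clicks it, and an encrypted ZIP that cannot be opened at all is reported rather than silently passed.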

    #174 AplusWebMaster (Adviser Team)

    Twitter malware, DHL SPAM, Malware sites to block...

    FYI...

    Twitter malware...
    - https://www.trusteer.com/blog/twitte...han-just-ideas
    April 22, 2013 - "... With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware... recently identified an active configuration of TorRAT targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market. However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry. The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim... This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguise the underlying URL address, so that followers have no way of knowing if the link is suspicious... it is quite possible that these URLs lead to malicious webpages. If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download)..."
    ___

    Malicious DHL Spam
    - http://threattrack.tumblr.com/post/4...cious-dhl-spam
    April 22, 2013 - "Subjects Seen:
    Tracking Info
    Shipping Detail
    Order Detail

    Typical e-mail details:
    DHL Ship Shipment Notification
    On April 18, 2013 a shipment label was printed for delivery.
    The shipment number of this package is 81395268.
    To get additional info about this shipment use any of these options:
    1) Click the following URL in your browser:
    2) Enter the shipment number on tracking page:
    Tracking Page
    For further assistance, please call DHL Customer Service.
    For International Customer Service, please use official DHL site.


    Malicious URLs
    honoredstudents .org/images/index.php?info=841_139088422
    eumpharma .com/images/index.php?get_info=ss00_323
    sman4-tanjungpinang.sch .id/images/index.php?get_info=ss00_323


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...9FL1qz4rgp.png
    ___

    Malware sites to block 22/4/13
    - http://blog.dynamoo.com/2013/04/malw...ock-22413.html
    22 April 2013 - "These domains form part of a large Kelihos botnet described over at Malware Must Die* and which is related to the recent Boston Marathon** and Texas Fertilizer Plant spam*** runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network..."
    (Long list at the dynamoo URL above.)

    * http://malwaremustdie.blogspot.co.uk...following.html

    ** http://blog.dynamoo.com/2013/04/bost...utcctvcom.html

    *** http://blog.dynamoo.com/2013/04/fert...near-waco.html
    ___

    Telstra Bill Account Update Phishing Scam
    - http://www.hoax-slayer.com/telstra-phishing-scam.shtml
    April 22, 2013 - "... Detailed Analysis: This email, which purports to be from Australian telecommunications giant, Telstra, informs the recipient that the company was unable to process a recent bill payment. The email claims that, unless the account holder follows a link in the message to confirm and update billing information, his or her Telstra service may be interrupted. The email arrives complete with the Telstra logo and a seemingly genuine Telstra sender address. However, the email is certainly -not- from Telstra and the information about a payment problem is a lie. In reality, the email is a phishing scam designed to trick Telstra customers into handing over their personal and financial information to Internet criminals. The link in the phishing scam email is disguised to make it appear that it leads to the genuine Telstra site. The sender address of the email is also disguised in such a way that it appears to have originated from Telstra... Telstra (or BigPond) will -never- send customers unsolicited emails* requesting them to provide financial and personal information via links in the message..."
    * https://help.telstra.com/app/answers/detail/a_id/17020
    ___

    Fake "Loss Avoidance Alerts" SPAM / tempandhost .com
    - http://blog.dynamoo.com/2013/04/loss...erts-spam.html
    22 April 2013 - "I haven't seen this particular spam before. It leads to malware on tempandhost .com:
    Date: Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
    From: personableop641 @swacha .org
    Subject: 4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
    Loss Avoidance Alert System
    April 22, 2013
    Loss Avoidance Report:
    The Loss Avoidance Alerts that was processed are now available on a secure website at:
    www .lossavoidancealert .org
    http ://www.lossavoidancealert .org
    Alerts:
    CL0017279 – Sham Checks (ALL)
    Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
    enter the Alert Number and hit Go.
    Thank you for your participation!
    Loss Avoidance Alert System Administrator
    This email is confidential and intended for the use of the individual to whom it is addressed. Any views or opinions presented are solely
    those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource. SWACHA will not be held
    responsible for the information contained in this email if it is not used for its original intent. Before taking action on any information contained in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited.
    If you received this email in error, please contact the sender.


    Screenshot: https://lh3.ggpht.com/-bvBZl6q9rNY/U...ance-alert.png

    The link in the email appears to point to www .lossavoidancealert .org but actually goes through a legitimate -hacked- site (in this case [donotclick]samadaan .com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost .com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here* and here**) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this***. Anyway, tempandhost .com is hosted on the following servers:
    1.235.183.241 (SK Broadband Co Ltd, Korea)
    46.183.147.116 (Serverclub.com, Netherlands)
    155.239.247.247 (Centurion Telkom, South Africa)
    202.31.139.173 (Kum oh National University of Technology, Korea) ...
    Blocklist:
    1.235.183.241
    46.183.147.116
    155.239.247.247
    202.31.139.173
    ..."
    * http://wepawet.iseclab.org/view.php?...666636&type=js

    ** http://jsunpack.jeek.org/?report=138...01b8fb3caafe11

    *** http://urlquery.net/report.php?id=2111319

    Last edited by AplusWebMaster; 2013-04-23 at 04:33.
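    The "Malware sites to block" item above says that monitoring for the Kelihos domains may reveal activity on your network, and warns that there are a large number of subdomains. An added example of doing that against a DNS query log with proper suffix matching, so that a subdomain of a listed domain hits while a look-alike such as notjanariamko.ru does not. This is not code from the forum post, dynamoo or Malware Must Die. Because the dynamoo list itself is not reproduced in the post, the watchlist here uses the landing-page domains named elsewhere in this thread as a stand-in, and the log lines are constructed in the older BIND 9 query-log shape; the function names and the internal addresses are assumptions.

```python
"""Match DNS query logs against a domain watchlist, including any subdomain.

Added example, not code from the forum post, the dynamoo blog or Malware Must Die.
The dynamoo Kelihos list is not reproduced in the post, so the watchlist here is
the landing-page domains named elsewhere in this thread, and the log lines are
constructed in the older BIND 9 query-log shape; both are stand-ins.
"""
import re
from collections import Counter

# Stand-in watchlist: landing domains quoted in this thread, not the Kelihos list.
WATCHLIST = {"askmeaboutcctv.com", "janariamko.ru", "freedblacks.net",
             "thesecondincomee.com", "tempandhost.com"}

# Constructed log lines (BIND 9 query-log shape); the client addresses are made up.
DNS_LOG = """\
22-Apr-2013 09:14:02.117 client 10.0.3.17#51233: query: www.example.com IN A + (10.0.0.53)
22-Apr-2013 09:14:05.402 client 10.0.3.17#51240: query: cdn7.janariamko.ru IN A + (10.0.0.53)
22-Apr-2013 09:14:05.910 client 10.0.3.17#51241: query: janariamko.ru IN A + (10.0.0.53)
22-Apr-2013 09:15:11.003 client 10.0.5.44#60102: query: notjanariamko.ru IN A + (10.0.0.53)
22-Apr-2013 09:16:40.771 client 10.0.5.44#60110: query: mail.tempandhost.com IN MX + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def watched_domain(qname: str, watchlist):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.

    Comparison is label-wise, so "notjanariamko.ru" never matches "janariamko.ru";
    a plain substring test would produce exactly that false positive.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(text: str, watchlist):
    """Return (source_ip, qname, qtype, matched_domain) for every query touching the watchlist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        dom = watched_domain(m["qname"], watchlist)
        if dom:
            hits.append((m["src"], m["qname"], m["qtype"], dom))
    return hits


def hosts_to_triage(hits):
    """Count hits per internal source so the noisiest client goes first in incident triage."""
    return Counter(src for src, _, _, _ in hits).most_common()


if __name__ == "__main__":
    found = scan_dns_log(DNS_LOG, WATCHLIST)
    for hit in found:
        print(hit)
    print(hosts_to_triage(found))
```

    Run it against the resolver's own query log rather than a passive capture where you can; the source address is what turns a domain hit into a host to isolate, and the per-client count separates a single curious click from a machine that is beaconing.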

    #175 AplusWebMaster (Adviser Team)

    Fake DHL SPAM ...

    FYI...

    Fake DHL SPAM / DHL-LABEL-ID-2456-8344-5362-5466.zip
    - http://blog.dynamoo.com/2013/04/dhl-...8344-5362.html
    23 Apr 2013 - "This fake DHL spam has a malicious attachment.
    Date: Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
    From: Ramon Brewer - DHL regional manager [reports @dhl .com]
    Subject: DHL DELIVERY REPORT NY73377
    DHL notification
    Our company’s courier couldn’t make the delivery of parcel.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: ETBAKPRSU3
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    DHL Global ...


    Screenshot: https://lh3.ggpht.com/-ETQLGLo29qk/U...s1600/dhl2.png

    Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45*..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en/file/b...is/1366703919/
    File name: DHL-LABEL-ID-2456-8344-5362-5466.exe
    Detection ratio: 22/45
    Analysis date: 2013-04-23

    > http://camas.comodo.com/cgi-bin/subm...94ecd0257d185b
    ___

    Something evil on 173.246.104.104
    - http://blog.dynamoo.com/2013/04/some...246104104.html
    23 April 2013 - "173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% sure which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon .com/news/pint_excluded.php (report here*).
    Both VirusTotal** and URLquery* detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow... I recommend that you apply the following blocklist for the time being:
    173.246.104.104
    (More listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=2122697
    ... Detected live BlackHole v2.0 exploit kit 173.246.104.104
    - https://www.google.com/safebrowsing/...?site=AS:29169

    ** https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake CareerBuilder SPAM / CB_Offer_04232013_8817391.zip
    - http://blog.dynamoo.com/2013/04/care...tion-spam.html
    23 Apr 2013 - "This fake CareerBuilder email has a malicious attachment containing malware.
    Date: Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
    From: CareerBuilder [Herman_Gallagher @careerbuilder .com]
    Subject: CareerBuilder Notification
    Hello,
    I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
    You can review the position on the CareerBuilder by downloading the attached PDF file.
    Attached file is scanned in PDF format.
    Adobe(R)Reader(R) can be downloaded from the following URL: http ://www.adobe .com
    Best wishes in your job search !
    Hal_Shields
    Careerbuilder Customer Service Team
    CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092


    The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the file and future variants will have a different filename. VirusTotal detections are patchy*... I'm still waiting for some sort of analysis..
    MD5 924310716fee707db1ea019c3b4eca56
    SHA1 2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
    SHA256 e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5 "
    * https://www.virustotal.com/en/file/e...8dd5/analysis/
    File name: CB_Offer_04232013_8817391.exe
    Detection ratio: 19/46
    Analysis date: 2013-04-24

    Last edited by AplusWebMaster; 2013-04-24 at 04:37.

  6. #176
    AplusWebMaster (Adviser Team)

    Something evil on 151.248.123.170 ...

    FYI...

    Something evil on 151.248.123.170
    - http://blog.dynamoo.com/2013/04/some...123170_24.html
    24 April 2013 - "151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1*, example 2**). These domains appear to be almost all dynamic DNS domains which I would recommend blocking; I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.

    Recommended blocklist:
    151.248.123.170 ..."
    (Long list at the dynamoo URL above.)

    * http://urlquery.net/search.php?q=151...3-04-24&max=50

    ** https://www.virustotal.com/en/ip-add...0/information/

    - https://www.google.com/safebrowsing/...?site=AS:39134
    ____

    Fake American Express SPAM / SecureMail.zip
    - http://blog.dynamoo.com/2013/04/amer...s-spam_24.html
    24 Apr 2013 - "Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.
    Date: Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
    From: American Express [Christian_Frey @aexp .com]
    Subject: Confidential - Secure Message from AMEX
    Secure Message The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
    Note: The attached file contains encrypted data.
    If you have any questions, please call us at 800-964-7890, option 3.
    Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
    8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET. The information contained in this message may be privileged, confidential and protected from
    disclosure. If the reader of this message is not the intended recipient, or an employee
    or agent responsible for delivering this message to the intended recipient, you are
    hereby notified that any dissemination, distribution or copying of this communication is
    strictly prohibited.
    Thank you,
    American Express 2012 American Express Company. All rights reserved...


    The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46* at VirusTotal. Comodo CAMAS doesn't tell us much** except that it seems to phone home to angels-mail .com and has the following checksums:
    MD5 6870fd8fd2b2bedd83e218d9e7e4de8b
    SHA1 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
    SHA256 ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3
    What about angels-mail .com then? Well, it looks like a legitimate domain hosted on 5.77.45.108 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis, a copy of which can be found here [pdf***].
    Recommended blocklist:
    5.77.45.108
    64.90.61.19
    212.58.4.13
    ..."
    * https://www.virustotal.com/en/file/a...is/1366835710/
    File name: SecureMail.exe
    Detection ratio: 21/46
    Analysis date: 2013-04-24
    ** http://camas.comodo.com/cgi-bin/subm...ca660fb2cb45e3
    *** http://www.dynamoo.com/files/analysi...d9e7e4de8b.pdf

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Q8b1qz4rgp.png
    ___

    "New Secure Message" spam / pricesgettos .info
    - http://blog.dynamoo.com/2013/04/new-...ettosinfo.html
    24 Apr 2013 - "This spam leads to malware on pricesgettos .info:
    Date: Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
    From: Cooper.Anderson @csiweb .com
    Subject: New Secure Message Received from Cooper.Anderson @csiweb .com
    New Secure Message
    Respective [redacted],
    You have received a new secure message from Cooper.Anderson @csiweb .com.
    If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.
    If you are NOT using the Secure Message Plugin, you are able to view it by clicking [redacted] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
    Sincerely Yours,
    CSIe


    The link displayed in the email is -fake- and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos .info/news/done-heavy_hall_meant.php (report here*) hosted on the following IPs:
    1.235.183.241 (SK Broadband, Korea)
    130.239.163.24 (Umea University, Sweden)
    155.239.247.247 (Centurion Telkom, South Africa)
    202.31.139.173 (Kum oh National University of Technology, Korea)
    203.64.101.145 (Taiwan Academic Network, Taiwan)
    Blocklist:
    1.235.183.241
    130.239.163.24
    155.239.247.247
    202.31.139.173
    203.64.101.145
    ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=2157408
    ... Detected live BlackHole v2.0 exploit kit 203.64.101.145

    Last edited by AplusWebMaster; 2013-04-25 at 01:04.

  7. #177
    AplusWebMaster (Adviser Team)

    Malicious PayPal, Wire Transfer SPAM

    FYI...

    Malicious Wire Transfer Spam
    - http://threattrack.tumblr.com/post/4...-transfer-spam
    25 Apr 2013 - "Subjects Seen:
    Incoming Transactions Report
    Typical e-mail details:
    Incoming Transactions Report
    An incoming money transfer has been received by your financial institution and the funds deposited to account.
    Initiated By: Fiserv Inc.
    Initiated Date & Time: Thu, 25 Apr 2013 06:13:22 -0800
    Batch ID: 497
    Please view the attached file to review the transaction details.


    Malicious URLs
    lipo-exdenver .com/ponyb/gate.php
    lipo-exdallas .com/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    angels-mail .com:8080/ponyb/gate.php
    serw.myroitracking .com/vHn3xjt.exe
    pro-sb-immobilien .de/stdwR8gb.exe

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...pru1qz4rgp.png
    ___

    Malicious PayPal Password Reset Spam
    - http://threattrack.tumblr.com/post/4...ord-reset-spam
    25 April 2013 - "Subjects Seen:
    Reset Yoyr PayPal Password
    Typical e-mail details:
    Your account would stay frozen untill password reset.
    How to reset your PayPal password
    Hello [removed],
    To get back into your PayPal account, you’ll need to create a new password.
    It’s easy:
    Click the link below to open a secure browser window.
    Confirm that you’re the owner of the account, and then follow the instructions.


    Malicious URLs
    iremadze .com/wp-content/themes/toolbox/breakingnews.html
    it-academy-by-student07 .ru/wp-content/themes/toolbox/breakingnews.html
    sub.bestquotesnsayings .com/complaints/or_knew-passed.php
    sub.bestquotesnsayings .com/complaints/or_knew-passed.php?kdvawba=mlmr&nlmepj=lwuzwkh


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...mCg1qz4rgp.png

    Last edited by AplusWebMaster; 2013-04-25 at 23:54.

  8. #178
    AplusWebMaster (Adviser Team)

    Fake/malicious USPS, BoA SPAM ...

    FYI...

    Fake USPS SPAM / LABEL-ID-56723547-GFK72.zip
    - http://blog.dynamoo.com/2013/04/usps...pam-label.html
    26 Apr 2013 - "This fake USPS message has a malicious attachment:
    Date: Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
    From: USPS client manager Lelia Holden [reports @usps .com]
    Subject: USPS delivery failure report
    Priority: High Priority 1
    Notification
    Our company’s courier couldn’t make the delivery of package.
    REASON: Postal code contains an error.
    LOCATION OF YOUR PARCEL: New York
    DELIVERY STATUS: sort order
    SERVICE: One-day Shipping
    NUMBER OF YOUR PARCEL: UGL38SHK4T
    FEATURES: No
    Label is enclosed to the letter.
    Print a label and show it at your post office.
    An additional information:
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
    You can find the information about the procedure and conditions of parcels keeping in the nearest office.
    Thank you for using our services.
    USPS Global.


    There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46*.
    The malicious binary has the following checksums:
    MD5 df81b21e9526c571d03bc1fb189f233c
    SHA1 dd2fe390e3f16a7f12786799af927f62df6754c4
    SHA256 db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
    Comodo CAMAS reports** some very unusual behaviour around LDAP registry keys, not present in the Anubis report*** or ThreatExpert report****."
    * https://www.virustotal.com/en/file/d...is/1366967613/
    File name: LABEL-ID-56753547-GFK72.exe
    Detection ratio: 7/46
    Analysis date: 2013-04-26
    ** http://camas.comodo.com/cgi-bin/subm...1d2f4cde60590a

    *** http://anubis.iseclab.org/?action=re...96&format=html

    **** http://www.threatexpert.com/report.a...3bc1fb189f233c
    ___

    Something evil on 193.107.16.213 / Ideal Solution Ltd
    - http://blog.dynamoo.com/2013/04/some...213-ideal.html
    26 April 2013 - "193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range. VirusTotal detects a number of malicious sites on this server (see report*) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects. The sites that I can identify, their MyWOT ratings and Google prognosis can be downloaded from here [csv**]. Use this data as you see fit..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en/ip-add...2/information/

    ** http://www.dynamoo.com/files/ideal-solution.csv

    - https://www.google.com/safebrowsing/...?site=AS:58001
    ___

    Something evil on 199.71.212.122
    - http://blog.dynamoo.com/2013/04/some...971212122.html
    26 April 2013 - "199.71.212.122 is an IP address belonging to Psychz Networks in the US. It hosts a number of sites with malware on them according to VirusTotal* and URLquery**. Some of the malicious domains were recently hosted on this IP. I suspect that there are a lot more domains than the ones listed on this server; blocking access to it is probably the best approach..."
    * https://www.virustotal.com/en/ip-add...2/information/

    ** http://urlquery.net/search.php?q=199...3-04-26&max=50

    - https://www.google.com/safebrowsing/...?site=AS:40676
    ___

    Malicious PayPal Dispute Spam
    - http://threattrack.tumblr.com/post/4...l-dispute-spam
    26 April 2013 - "Subjects Seen:
    Resolution of case #[removed]
    Typical e-mail details:
    Our records indicate that you never responded to requests for additional
    information about this claim. We hope you review the attached file and solve the situation amicably.
    For more details please see the attached file (Case_[removed].zip)
    Sincerely,
    Protection Services Department


    Malicious URLs
    angels-mail .com:8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    palmspringsvacationhomerentals .com/ponyb/gate.php
    palmspringsvacationrentalshomes .com/ponyb/gate.php
    techsolbowling .com/Ff1.exe


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...6WK1qz4rgp.png
    ___

    Fake BoA malicious SPAM
    - http://blog.webroot.com/2013/04/26/c...serve-malware/
    April 26, 2013 - "Relying on tens of thousands of fake “Your transaction is completed” emails, cybercriminals have just launched yet another malicious spam campaign attempting to socially engineer Bank of America’s (BofA) customers into executing a malicious attachment. Once unsuspecting users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals operating it, leading to a successful compromise of their hosts...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....tnet.png?w=869
    Detection rate for the malicious executable: MD5: c671d0896a2412b42e1abad4be9d43a8 * ...Trojan-Spy.Win32.Zbot.kulh.
    ... phones back to... C&Cs servers..."
    (Long IP list at the webroot URL above.)
    * https://www.virustotal.com/en/file/8...f838/analysis/
    File name: Mnvw57ch.exe
    Detection ratio: 32/46
    Analysis date: 2013-04-26

    Last edited by AplusWebMaster; 2013-04-27 at 01:35.
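    The IP blocklists, defanged domains and "/ponyb/gate.php" URLs quoted in the posts above (#176 through #178, including the 193.107.16.0/22 range) are meant to be fed into a proxy or firewall. The following is an added Python example, not code from any of the quoted blogs or from this thread: it normalizes indicators written in the posts' defanged style (`hxxp:||`, `site .com`, `[donotclick]`) and checks squid-style proxy log lines against them, matching on destination IP, CIDR range, hostname and URL path. The indicator list mixes values quoted from the posts with a constructed 203.0.113.44 entry, and the log lines are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicator lines in the defanged style used in the posts. Most values are
# quoted from the thread; 203.0.113.44 is a constructed documentation address.
DEFANGED_INDICATORS = """
151.248.123.170
5.77.45.108
203.64.101.145
193.107.16.0/22
[donotclick]pricesgettos .info/news/done-heavy_hall_meant.php
angels-mail .com:8080/ponyb/gate.php
hxxp:||203.0.113.44/news .html
"""

# Constructed squid-style access log lines (native format):
# time elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1366800001.000 120 10.0.0.5 TCP_MISS/200 2048 GET http://angels-mail.com:8080/ponyb/gate.php - DIRECT/5.77.45.108 text/html
1366800002.000  80 10.0.0.7 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1366800003.000  60 10.0.0.9 TCP_MISS/404 512 GET http://cdn-update.example/x.bin - DIRECT/193.107.17.50 application/octet-stream
1366800004.000  90 10.0.0.5 TCP_MISS/200 700 GET http://pricesgettos.info/news/done-heavy_hall_meant.php - DIRECT/203.64.101.145 text/html
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def refang(token):
    """Undo the defanging used in the posts: drop [donotclick], turn hxxp:||
    into http://, and remove the space inserted before '.', '/' or ':'."""
    t = token.strip().replace("[donotclick]", "")
    t = re.sub(r"^hxxp(s?):\|\|", r"http\1://", t)
    return re.sub(r"\s+(?=[./:])", "", t)


def parse_indicators(text):
    """Sort refanged indicator lines into IPs, CIDR networks, domains and URL paths."""
    ips, nets, domains, paths = set(), [], set(), set()
    for raw in text.splitlines():
        t = refang(raw)
        if not t:
            continue
        if CIDR_RE.match(t):
            nets.append(ipaddress.ip_network(t, strict=False))
        elif IP_RE.match(t):
            ips.add(t)
        else:
            u = urlparse(t if "://" in t else "http://" + t)
            host = (u.hostname or "").lower()
            (ips if IP_RE.match(host) else domains).add(host)
            if u.path and u.path != "/":
                paths.add(u.path)
    return {"ips": ips, "nets": nets, "domains": domains, "paths": paths}


def match_log_line(line, iocs):
    """Return the reasons a squid log line matches the indicators ([] if clean)."""
    parts = line.split()
    if len(parts) < 9:
        return []
    u = urlparse(parts[6])
    host = (u.hostname or "").lower()
    peer = parts[8].rpartition("/")[2]          # DIRECT/5.77.45.108 -> 5.77.45.108
    hits = []
    if host in iocs["domains"]:
        hits.append(f"domain {host}")
    for cand in (host, peer) if host != peer else (host,):
        if not IP_RE.match(cand):
            continue
        if cand in iocs["ips"]:
            hits.append(f"ip {cand}")
        addr = ipaddress.ip_address(cand)
        hits.extend(f"net {n}" for n in iocs["nets"] if addr in n)
    if u.path in iocs["paths"]:
        hits.append(f"path {u.path}")
    return hits


def scan(log_text, iocs):
    """(line number, reasons) for every log line that matches an indicator."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = match_log_line(line, iocs)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG, parse_indicators(DEFANGED_INDICATORS)):
        print(f"line {n}: {', '.join(reasons)}")
```

    Matching on the resolved peer address as well as the hostname is what catches the third constructed line: its hostname is not on any list, but the server it was fetched from sits inside the /22 the post recommends blocking. Path matching on strings such as /ponyb/gate.php is deliberately host-independent, since the posts show the same check-in path reused across several unrelated hacked domains.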

  9. #179
    AplusWebMaster (Adviser Team)

    Multiple Facebook SCAMS ...

    FYI...

    Multiple Facebook SCAMS ...
    - http://www.hoax-slayer.com/fb-profile-viewer-scam.shtml
    April 30, 2013 - "Outline: Message being spammed across Facebook claims that users can follow a link to install an app that allows them to check who has been viewing their profile.
    Brief Analysis: The message is an attempt to trick Facebook users into relinquishing control of their Facebook accounts to Internet scammers by submitting their Facebook authentication token. The scammers will use the compromised accounts to launch further spam and scam campaigns in the names of their victims. Any message that claims that you can install an app to see who has viewed your profile is likely to be a scam. Do not click on any links in these messages...
    Detailed Analysis: This message, which is currently appearing on Facebook, claims that users can check out who has been viewing their Facebook profiles by clicking a link and installing a new app.
    However, the message is a scam designed to trick users into temporarily handing control of their Facebook accounts to online scammers. Those who click the link will first be taken to a Facebook page with further "instructions" for procuring the app:
    > http://www.hoax-slayer.com/images/fb...wer-scam-1.jpg
    If victims follow the link on the page, they will next be taken to a second page that falsely claims that Facebook is now required to show users who has been viewing their profile:
    > http://www.hoax-slayer.com/images/fb...wer-scam-2.jpg
    Next, victims are taken to a "security check" and told that they must generate an "age verification code" before proceeding:
    > http://www.hoax-slayer.com/images/fb...wer-scam-3.jpg
    Users will then receive the following instructions:
    > http://www.hoax-slayer.com/images/fb...wer-scam-4.jpg
    Followed by this:
    > http://www.hoax-slayer.com/images/fb...wer-scam-5.jpg
    ... by pasting the "age verification" code as instructed, users are in fact giving the scammers access to their Facebook accounts, including their Friends list. The code is the victim's Facebook authentication token, which can then be used by the criminals to temporarily hijack the Facebook account. The compromised accounts are then used to distribute more of the same scam messages on Facebook... victims will be taken onward to various bogus survey pages and enticed to participate, supposedly as a further prerequisite to getting the promised profile viewer app... In reality, the profile viewer app does not exist... Some versions use the promise of a profile viewer to lead victims directly to a scam survey page. Other versions try to trick users into first installing a rogue Facebook application that will send spam and scam messages to all of their friends.
    Do not trust any message that claims that you can click a link and install an app to see who has viewed your profile. If you receive such a message, delete it."
    ___

    UK banks targeted with Trojans and social engineering
    - https://www.net-security.org/malware_news.php?id=2477
    April 30, 2013 - "... Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account, at which time it presents them with one of the following messages:
    > https://www.net-security.org/images/...r-042013-1.jpg
    - or:
    > https://www.net-security.org/images/...r-042013-2.jpg
    While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user. To overcome this requirement Ramnit displays the following message:
    > https://www.net-security.org/images/...r-042013-3.jpg
    The temporary receiver number in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the “OTP service generation”, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process... the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake “a option.” Nevertheless, by changing multiple entries in the FAQ section Ramnit* demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there..."

    * http://www.trusteer.com/blog/ramnit-...ancial-malware
    ___

    Malicious PDFs on the rise
    - http://blog.trendmicro.com/trendlabs...s-on-the-rise/
    Apr 29, 2013 - "... we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640)... files used dnsport.chatnook .com, inter.so-webmail .com, and 223.25.242.45 as their command-and-control servers... Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158."
    (More detail at the trendmicro URL above.)

    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    29 Apr 2013
    Graph: https://www.microsoft.com/security/p...exploits/2.png
    ___

    Phish target Apple IDs
    - http://blog.trendmicro.com/trendlabs...phishing-bait/
    Apr 30, 2013 - "Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs... Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised... the directory contains pages that spoof the Apple ID login page fairly closely:
    > http://blog.trendmicro.com/trendlabs...fake_apple.jpg
    We’ve identified a total of 110 compromised sites, all of them hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned:
    > http://blog.trendmicro.com/trendlabs...3/04/chart.png
    The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
    > http://blog.trendmicro.com/trendlabs...redit_card.jpg
    Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.
    > http://blog.trendmicro.com/trendlabs...apple_mail.jpg
    One way to identify these phishing sites is that the fake sites do not display any indications that you are at a secure site (like the padlock and “Apple Inc. [US]” part of the toolbar), which you can see in this screenshot of the legitimate site:
    > http://blog.trendmicro.com/trendlabs.../legitsite.jpg
    The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites. For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection..."
    ___

    Something evil on 96.126.108.132
    - http://blog.dynamoo.com/2013/04/some...126108132.html
    30 April 2013 - "These sites are on (or are likely to be created on) 96.126.108.132 (Linode, US) which is a known malware server [1] [2] [3]. Blocking this IP would be wise. Some of the domains are rather.. unusual ..."
    (Long list at the dynamoo URL above.)
    1) https://www.virustotal.com/en/ip-add...2/information/

    2) https://palevotracker.abuse.ch/?ipad...96.126.108.132

    3) http://support.clean-mx.de/clean-mx/...96.126.108.132
    ___

    Fake "Requested Reset of Yoyr PayPal Password" SPAM / frustrationpostcards .biz
    - http://blog.dynamoo.com/2013/04/requ...-password.html
    29 Apr 2013 - "This fake PayPal spam leads to malware on frustrationpostcards .biz:
    Date: Mon, 29 Apr 2013 13:22:03 -0500
    From: "service @paypalmail .com" [chichisaq0 @emlreq.paypalmail .com]
    Subject: Requested Reset of Yoyr PayPal Password
    Your account will stay on hold untill password reset.
    How to reset your PayPal password
    Hello [redacted],
    To get back into your PayPal account, you'll have to create a new password.
    It's easy:
    Click the link below to open a secure browser window.
    Confirm that you're the owner of the account, and then follow the instructions.
    Reset your password now
    If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
    Help Center | Security Center
    Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
    Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.
    PayPal Email ID 2A7X1


    The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards .biz/news/institutions-trusted.php (report here*) hosted on the following IPs:
    82.236.38.147 (PROXAD Free SAS, France)
    83.212.110.172 (Greek Research and Technology Network, Greece)
    130.239.163.24 (Umea University, Sweden)...
    Blocklist:
    82.236.38.147
    83.212.110.172
    130.239.163.24
    ..."
    * http://urlquery.net/report.php?id=2230181

    Screenshot: https://www.net-security.org/images/...e-30042013.jpg
    ___

    Fake Wire Transfer SPAM / Payment reeceipt.exe / 78.139.187.6
    - http://blog.dynamoo.com/2013/04/your...-canceled.html
    30 Apr 2013 - "This fake wire transfer spam comes with a malicious attachment:
    Date: Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
    From: Federal Reserve [alerts @federalreserve .gov]
    Subject: Your Wire Transfer 82932922 canceled
    The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
    Transfer details attached to the letter.
    This service is provided to you by the Federal Reserve Board. Visit us on the web at website
    To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately


    In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe. This executable has a so-so VirusTotal detection rate of 29/46*.
    The malware has the following checksums according to Comodo CAMAS**:
    Size 371712
    MD5 0a3723483e06dcf7e51073972b9d1ef3
    SHA1 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
    SHA256 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
    Anubis has a pretty detailed report*** of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here****. There are several other IPs involved, but these look like DSL subscribers with dynamic addresses, so probably a part of a botnet. For the sake of completeness they are:
    64.231.249.250
    69.183.226.70
    78.139.187.6
    81.133.189.232
    123.237.234.67
    ...."
    * https://www.virustotal.com/en/file/0...is/1367354089/
    File name: Payment reeceipt.exe
    Detection ratio: 29/46
    Analysis date: 2013-04-30
    ** http://camas.comodo.com/cgi-bin/subm...59c2d3f25753dd
    *** http://anubis.iseclab.org/?action=re...fd&format=html

    **** http://blog.dynamoo.com/2013/04/fise...tion-spam.html

    Last edited by AplusWebMaster; 2013-05-01 at 02:12.
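    Two of the posts above give the same practical test for phishing mail: the Trend Micro piece on Apple ID phishing says a legitimate message should have matching domains all around (sender and link targets), and the dynamoo "New Secure Message" write-up notes that the link displayed in the email is fake and goes somewhere else entirely. The following is an added Python example, not code from either blog or from this thread, that applies both checks to a raw message: every link host is compared with the sender's domain, and any anchor whose visible text looks like a URL is compared with the host it really points to. The sample message and all of its domains (example-apple.test, hacked-site.test) are constructed for this example; the "owner key" helper assumes no public-suffix list, so it treats the last two labels as the organisation.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the sender and link domains are invented.
SAMPLE_EMAIL = """\
From: "Apple" <appleid@example-apple.test>
To: victim@example.org
Subject: Your Apple ID is about to expire
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account information is subject to an audit.</p>
<p><a href="http://hacked-site.test/wp-content/apple/login.html">https://appleid.apple.com/</a></p>
<p><a href="https://example-apple.test/help">Help Center</a></p>
</body></html>
"""

# Anchor text that reads like a URL (with or without a scheme).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare 'host/path' string, lower-cased ('' if none)."""
    t = text.strip()
    return (urlparse(t if "://" in t else "http://" + t).hostname or "").lower()


def org_key(host):
    """Crude owner key: the last two labels. Assumption: no public-suffix list,
    so co.uk-style suffixes are not handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_message(raw):
    """Return findings for links whose host disagrees with the sender domain
    or with the URL shown as the link's visible text."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_host = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        anchors = _Anchors()
        anchors.feed(part.get_content())
        for href, text in anchors.links:
            h = host_of(href)
            if not h:
                continue
            if org_key(h) != org_key(sender_host):
                findings.append(f"link host {h} differs from sender domain {sender_host}")
            if URL_LIKE.match(text) and org_key(host_of(text)) != org_key(h):
                findings.append(f"link text shows {host_of(text)} but points to {h}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print(finding)
```

    The sender-domain check is a heuristic rather than proof: newsletters and ticketing systems legitimately link to third-party hosts, so the output is a triage signal to combine with the other indicators in this thread, not a verdict on its own. The visible-text check has fewer benign causes, since there is little honest reason for an anchor to display one site's URL while pointing at another.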

  10. #180
    AplusWebMaster (Adviser Team)

    Fake ADP, LinkedIn, Citibank, US Airways SPAM ...

    FYI...

    Malicious ADP Delivery Notice Spam
    - http://threattrack.tumblr.com/post/4...ry-notice-spam
    3 May 2013 - "Subjects Seen:
    ADP Chesapeake - Package Delivery Confirmation
    Typical e-mail details:
    This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
    Here are the details of your delivery:
    Package Type: QTR/YE Reporting
    Courier: UPS Ground
    Estimated Time of Arrival: Monday, 1:00pm
    Tracking Number (if one is available for this package): [removed]
    Details: Click here to overview and/or modify order
    We will notify you via email if the status of your delivery changes.
    Access these and other valuable tools at support.ADP.com:
    Payroll and Tax Calculators
    Order Payroll Supplies, Blank Checks, and more
    Submit requests online such as SUI Rate Changes, Schedule Changes, and more
    Download Product Documentation, Manuals, and Forms
    Download Software Patches and Updates
    Access Knowledge Solutions / Frequently Asked Questions
    Watch Animated Tours with Guided Input Instructions
    Thank You,
    ADP Client Services
    support.ADP .com


    Malicious URLs
    technotkan .kz/templates/ja_purity_ii/adp_dpack.html
    sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php
    sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?hyobrlhz=kniez&vvhxv=nle
    sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?df=1g:1i:2v:32:1f&ne=1g:2w:2w:1h:1g:1j:1l:1h:2v:30&h=1f&ug=q&tr=s&jopa=3366088


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...PsL1qz4rgp.png
    ___

    Something evil on 173.255.200.91
    - http://blog.dynamoo.com/2013/05/some...325520091.html
    3 May 2013 - "173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit* [see URLquery** and VirusTotal reports***]. Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server. I can see... domains on the server, ones flagged by Google for malware... I would recommend blocking all domains on this server... or simply block the IP address..."
    * http://malware.dontneedcoffee.com/20...ploit-kit.html

    ** http://urlquery.net/search.php?q=173...3-05-03&max=50

    *** https://www.virustotal.com/en/ip-add...1/information/
    ___

    Malicious US Airways Spam
    - http://threattrack.tumblr.com/post/4...s-airways-spam
    2 May 2013 - "Subjects Seen:
    US Airways online check-in.
    Typical e-mail details:
    You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you need to do is print your boarding pass and go to the gate.

    Malicious URLs
    concaribe .com/images/wp_pageid.html?id=516047FC45UOYFC8AVC60VIQ
    yob.newwaysys .com/ensure/origin-want_require.php?jnlp=e3ca9e7968
    yob.newwaysys .com/ensure/origin-want_require.php?bnddxr=nlbaicu&zvgibtad=tqu
    yob.newwaysys .com/ensure/origin-want_require.php?qf=1i:1f:32:33:2v&ge=32:1i:30:2v:1o:32:1m:1o:1l:1n&i=1f&wl=j&rw=r&jopa=2959383


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...lQn1qz4rgp.png
    ___

    Malicious Citibank Paymentech Attachment Spam
    - http://threattrack.tumblr.com/post/4...ttachment-spam
    2 May 2013 - "Subjects Seen:
    Merchant Statement
    Typical e-mail details:
    Attached is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech’s or the Merchant’s email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ————— Learn more about Citibank Paymentech Solutions, LLC payment processing services at citibank.com. ————— THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

    Malicious URLs
    Spam contains a malicious attachment.

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Qsp1qz4rgp.png
    ___

    Fake LinkedIn SPAM / guessworkcontentprotect .biz
    - http://blog.dynamoo.com/2013/05/link...rotectbiz.html
    2 May 2013 - "This fake LinkedIn email leads to malware on guessworkcontentprotect .biz:
    From: LinkedIn Invitations [giuseppeah5 @mail.paypal .com]
    Date: 2 May 2013 16:49
    Subject: LinkedIn inviation notificaltion.
    LinkedIn
    This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
    Accept Lewis Padilla Invitation
    On May 2, Lewis Padilla wrote:
    > To: [redacted]
    > I'd like to join you to my professional network on LinkedIn.
    > Lewis Padilla
    You are receiving Reminder emails for pending invitations. Unsubscribe.
    © 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.


    The malicious payload is at [donotclick]guessworkcontentprotect .biz/news/pattern-brother.php (report here*) hosted on:
    82.236.38.147 (PROXAD Free SAS, France)
    83.212.110.172 (Greek Research and Technology Network, Greece)
    130.239.163.24 (Umea University, Sweden)
    203.190.36.201 (Kementerian Pertanian, Indonesia)
    ..."
    * http://urlquery.net/report.php?id=2293535

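As an added defender-side example (not from the thread or the quoted blogs): a small Python scanner that refangs the indicators quoted in post #180 and the Anubis C&C address above, then flags proxy-log lines hitting those hosts or IPs, or the /ensure/... landing-page path shape shared by the ADP and US Airways runs. The log record format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the posts above, kept in the thread's defanged notation; refang() undoes it.
DEFANGED_INDICATORS = [
    "78.139.187.6",    # suspected C&C from the Anubis report
    "173.255.200.91",  # Neutrino EK host
    "technotkan .kz", "sub.mumbailocaltraintimetable .net", "concaribe .com",
    "yob.newwaysys .com", "guessworkcontentprotect .biz",
]

def refang(value):
    """Turn a defanged host or URL (space before TLD, hxxp:||, [donotclick]) back into matchable form."""
    value = value.replace("hxxp:||", "http://").replace("[donotclick]", "")
    return re.sub(r"\s+\.", ".", value)
INDICATORS = {refang(v) for v in DEFANGED_INDICATORS}
# Path shape shared by the ADP and US Airways runs above: /ensure/<w>-<w>_<w>[_<w>].php
LANDING_RE = re.compile(r"^/ensure/[a-z]+-[a-z]+_[a-z]+(?:_[a-z]+)*\.php$")
def classify_url(url):
    """Return the reasons a URL resembles these campaigns (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "") in INDICATORS:
        reasons.append("known-host")
    if LANDING_RE.match(parts.path):
        reasons.append("ek-landing-path")
    if "jopa" in parse_qs(parts.query):  # numeric tracking parameter seen in both runs
        reasons.append("jopa-param")
    return reasons

def scan_proxy_log(lines):
    """Records are 'client dst_ip url' (constructed format); returns (line, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        reasons = classify_url(fields[2])
        if fields[1] in INDICATORS:
            reasons.append("known-ip")  # direct traffic to a listed address, e.g. the C&C
        if reasons:
            hits.append((line, reasons))
    return hits

# Constructed sample proxy lines (not from the thread): one benign, three suspicious.
SAMPLE_LOG = [
    "10.0.0.5 93.184.216.34 http://example.com/index.html",
    "10.0.0.7 203.0.113.9 http://sub.mumbailocaltraintimetable.net/ensure/indeed-called_risk_omits.php?df=1g&jopa=3366088",
    "10.0.0.9 78.139.187.6 http://78.139.187.6/index.html",
    "10.0.0.9 203.0.113.10 http://newhost.example/ensure/origin-want_require.php?jnlp=e3ca9e7968",
]
```

Run `scan_proxy_log(SAMPLE_LOG)` to see which lines trip which rule; the path-shape rule catches a fresh domain the blocklist has not seen yet, which is the point of combining it with the static indicators.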
