Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Phishing emails from "Nationwide" in circulation

    FYI...

    Phishing emails from "Nationwide" in circulation
    - http://www.gfi.com/blog/nationwide-p...n-circulation/
    August 13, 2012 - "There’s some Emails floating around right now claiming to be from Nationwide*. The first wants customers to “validate your internet banking profile”, with the aid of the following missive:
    > http://www.gfi.com/blog/wp-content/u...ationphish.jpg
    The second tries a different approach, claiming that they have “identified an unusual conflict between the customer number and profile details associated with your account”.
    > http://www.gfi.com/blog/wp-content/u...tionphish2.jpg
    The emails lead to various URLs which appear to have been compromised (including a Belarus human rights website and what appears to be an Indonesian news portal) playing host to pages asking for security information. Of the two, the human rights site appears to have been fixed but the dubious pages are still live on the Indonesian portal at time of writing.
    http://www.gfi.com/blog/wp-content/u...tionphish3.jpg
    Customers of Nationwide should treat -any- Emails asking to validate and/or confirm security information with the utmost suspicion and make a safety deposit in their spam folder."
    * https://en.wikipedia.org/wiki/Nation...ilding_Society
    "Nationwide Building Society is a British mutual financial institution..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar

    WordPress blogs... host Blackhole malware

    FYI...

    Insecure WordPress blogs... host Blackhole malware attack
    - http://nakedsecurity.sophos.com/2012...alware-attack/
    August 10, 2012 - "... a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
    Here's what a typical email looks like:
    > https://sophosnews.files.wordpress.c...ail1.jpg?w=640
    Subject: Verify your order
    Message body:
    Dear [name],
    please verify your order #[random number] at [LINK]
    We hope to see you again soon!

    The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM. More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins* that it might use)."

    "WordPress Plugin" search results ...
    * https://secunia.com/advisories/searc...rdPress+Plugin
    Found: 407 Secunia Security Advisories ...
    Aug 13, 2012

    Last edited by AplusWebMaster; 2012-08-13 at 17:13.

  3. #3
    Adviser Team AplusWebMaster's Avatar

    IRS SPAM campaign leads to BlackHole exploit kit

    FYI...

    IRS SPAM campaign leads to BlackHole exploit kit
    - http://blog.webroot.com/2012/08/13/i...e-exploit-kit/
    August 13, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick tax payers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a BlackHole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit...
    Screenshot of the spamvertised IRS themed email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    Client-side exploits served: CVE-2010-0188; CVE-2010-1885
    ... as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim, hence they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim..."

    - https://www.virustotal.com/file/83e2...is/1343319131/
    File name: IRS.html
    Detection ratio: 2/41
    Analysis date: 2012-07-26
    - https://www.virustotal.com/file/af31...4557/analysis/
    File name: 6d7b7d2409626f2c8c166373e5ef76a5.exe
    Detection ratio: 30/41
    Analysis date: 2012-08-04


  4. #4
    Adviser Team AplusWebMaster's Avatar

    FYI...

    Another Fake Intuit email: "Your order was shipped today"
    > http://security.intuit.com/alert.php?a=53
    [Last updated 8/14/2012 - "Fake email: "Your order was shipped today"
    People are receiving emails with the title "Your order was shipped today." There are numerous messages in the email, including an offer to talk to a QuickBooks expert, the request to add a fake Intuit email to the user's address book, and the possibility to win a $30,000 small business grant. DO NOT click on any of these links. Below is the text portion of the email people are receiving. We have not included the graphic portion of the email which includes the fake links.

    Dear Customer,
    Great News! Your order, SBL46150408, was shipped today (see details below) and will arrive shortly. We hope that you will find that it exceeds your expectations. If you ordered multiple products, we may ship them in separate boxes (at no extra cost to you) to ensure the fastest possible delivery. We will Also provide you with the ability to track your shipments via the directions below.
    Thank you for your order and we look forward to serving you again in the near future.


    This is the end of the fake email. We have not included the graphics with the fake links in the information above. Steps to Take Now: Do not click..."]
    ___

    JUST DELETE THE EMAIL if you get one, or 2 or 3... The only reason the hacks keep doing this is:
    It works.


  5. #5
    Adviser Team AplusWebMaster's Avatar

    PDF reader exploits-in-the-wild ...

    FYI...

    PDF reader exploits-in-the-wild ...
    - http://blog.fireeye.com/research/201...n-myagent.html
    2012.08.15 - "At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation... We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment... we have seen the malware get delivered as different files via email. The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits... We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples of this malware, the constant changes it makes to its intermediary stages to install the actual payload, puts it into the category of advanced malware."

