Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive
#1 - AplusWebMaster (Adviser Team, USA; member since Oct 2005, 6,881 posts)

CA incident report...

FYI...
    - https://isc.sans.edu/diary.html?storyid=12205
    Last Updated: 2011-12-14 17:39:34 UTC - "GlobalSign released a press release today to address concerns that they may have had a compromise of their CA infrastructure.
    http://www.globalsign.co.uk/company/...nt-report.html
    They did a good job of stating what they did find and what they didn’t. They also address new measures put in place to improve their overall security posture.
    “We didn't find any evidence of
    * Rogue Certificates issued.
    * Customer data exposed.
    * Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
    * Compromised GlobalSign Certificate Authority (CA) infrastructure.
    * Compromised GlobalSign Issuing Authorities and associated HSMs.
    * Compromised GlobalSign Registration Authority (RA) services.
    What did happen
    * Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached.
    * What could have been exposed? Publicly available HTML pages, publicly available PDFs, the SSL Certificate and key issued to www .globalsign .com.
* SSL Certificate and key for www .globalsign .com were deemed compromised and revoked.”

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

#2 - AplusWebMaster

Phish campaign targets users - timed with breach...

FYI...
    - http://nakedsecurity.sophos.com/2011...hing-campaign/
    December 14, 2011 - "A phishing campaign targeting customers of Telstra Bigpond, Australia's largest ISP, is urging users to confirm their billing information or risk the suspension of their account... All pretty run-of-the-mill - an access your account now by clicking on a link in this email or else spam - but neatly timed given that Telstra suffered a data breach last Friday. Personal information... was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend. Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information... an unpatched version of WordPress allowed the phishers to "borrow" services from an Aussie blogger... this email was obviously a phish:
    - Bigpond doesn't send out access your account now by clicking on a link emails.
    - The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
    - The link you are asked to click on has no obvious connection with Telstra or Bigpond.
    - Official Bigpond emails to you aren't addressed to someone called "Duchess" with a competitor's webmail account (unless your name is Duchess, of course).
    ... if you run a WordPress blog, make sure you've applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks."

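The Sophos post above lists the tells that gave the Bigpond phish away. As an added example (not code from the article, Sophos, or Telstra), the script below turns three of those tells into a first-pass triage that a mail-gateway or help-desk script could run: a "click here to access your account" call to action, a link whose host has no connection to the claimed sender's domain, and a recipient address at a different mail provider than the sender. Both messages in it are constructed for the example and every domain in them is a placeholder; the registered-domain helper is a deliberate simplification.

```python
"""Added example, not from the Sophos article: triage one e-mail against the
phish indicators the article lists. Sample messages are constructed; all
domains are placeholders."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phish: claims to come from the ISP's billing team, but the
# link points at an unrelated host (standing in for a hijacked blog).
SAMPLE_PHISH = """\
From: "Billing Team" <billing@isp-example.net>
To: duchess@otherwebmail-example.com
Subject: Confirm your billing information
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer, your acount will be suspend unless you confirm
your biling informations within 24 hours.</p>
<p><a href="http://blog.unrelated-example.org/wp-content/update/login.php">
Access your account now</a></p>
</body></html>
"""

# Constructed legitimate notice: same sender, link stays on the ISP's domain.
SAMPLE_LEGIT = """\
From: "Billing Team" <billing@isp-example.net>
To: customer@isp-example.net
Subject: Your monthly bill is available
Content-Type: text/plain; charset=utf-8

Your bill for this month is ready to view in the account portal at
https://my.isp-example.net/bills (type the address in yourself).
"""

CALL_TO_ACTION = re.compile(
    r"access your account|click (?:on )?the link|confirm your (?:billing|account)",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def registered_domain(host):
    """Crude organisational domain: the last two labels, lowercased.
    Enough for the example; production code should consult the public
    suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def body_and_links(msg):
    """Return the message body text and every link found in it."""
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part is not None else ""
    collector = _HrefCollector()
    collector.feed(text)
    links = collector.hrefs + URL_RE.findall(text)  # hrefs plus bare URLs
    return text, links


def analyse(raw):
    """Apply the indicators to one RFC 822 message; return what fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = set()

    sender_domain = ""
    if msg["From"] and msg["From"].addresses:
        sender_domain = registered_domain(msg["From"].addresses[0].domain)

    # An ISP's own billing mail would not normally be addressed to an
    # account at a competing webmail provider (a weak signal on its own).
    if sender_domain and msg["To"] and msg["To"].addresses:
        if registered_domain(msg["To"].addresses[0].domain) != sender_domain:
            indicators.add("recipient_at_other_provider")

    text, links = body_and_links(msg)
    if CALL_TO_ACTION.search(text):
        indicators.add("account_access_call_to_action")

    suspicious_hosts = set()
    for url in links:
        host = urlparse(url).hostname or ""
        if host and registered_domain(host) != sender_domain:
            suspicious_hosts.add(host)
    if suspicious_hosts:
        indicators.add("link_domain_mismatch")

    return {"sender_domain": sender_domain,
            "indicators": sorted(indicators),
            "suspicious_hosts": sorted(suspicious_hosts)}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

Run it as a script and the constructed phish reports all three indicators plus the off-domain host, while the legitimate notice reports none. Each indicator is weak alone (plenty of real mail carries a call to action), which is why the result is a list of what fired rather than a verdict; the spelling-quality tell from the article is left to a human or a language model, since it does not reduce to a regex.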

#3 - AplusWebMaster

Ransomware impersonates the police

FYI...
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    19 Dec 2011 - "... several samples of a ransomware family localized into different languages... We've so far seen variants localized into four languages: English, Spanish, German, and Dutch... Upon execution, the ransomware locks the computer, displays the localized screen.. and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are -not- involved in any way with the scammers' scheme; instead, they are being used for malicious purposes... In the case of Trojan:Win32/Ransom.DU... that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany... this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved... nowadays Blackhole distributes many widespread malware families... PS: Just today we encountered a sample targeting residents of France..."
    ___

    - http://blog.eset.com/2011/12/04/carb...raud-incidents
    Dec. 4, 2011 - "... Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software... The exploited vulnerabilities aren’t really new: some of them are more than a year old... To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it..."

    Last edited by AplusWebMaster; 2011-12-21 at 15:37.
