
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #1
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005, Location: USA, Posts: 6,881

    SPAM frauds, fakes, and other MALWARE deliveries - archive

    FYI...

    - http://preview.tinyurl.com/3xqd9o
    January 31, 2008 (Infoworld) - "...The Anti-Phishing Working Group (APWG) said in a new report* Thursday that it saw a sharp rise in November in malware that directs users to DNS servers controlled by phishers. DNS servers play a crucial role in locating Web sites. The servers translate a domain name into an IP address, enabling a Web site to be located and accessed through a browser. Often, the phishers will set up their own DNS server that works fine most of the time but can redirect to their own malicious site. Tainting a person's DNS settings is particularly dangerous since the user probably won't notice the redirection, the APWG said. "The fraudulent server replies with 'good' answers for most domains; however, when they want to direct you to a fraudulent one, they simply modify their name server responses," the report said. Phishers are also employing malware that modifies an internal PC file called the hosts, which is used to match domain names of Web sites with IP addresses. When a person visits a Web site, the browser checks the hosts to see if it has an IP address for a particular domain name. If the hosts file is corrupted or hijacked, the browser can be directed to fetch a different Web page than the one the user intended to go to. Both attacks -- also known as pharming -- are dangerous, since a user may be typing in the correct URL but be directed to the phishing site..."
    * PDF file: http://www.antiphishing.org/reports/...t_nov_2007.pdf

    Also see:
    > http://forums.spybot.info/showpost.p...15&postcount=8

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
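The APWG report quoted in this post describes two pharming techniques: a rogue DNS server that answers honestly for most names and lies for a few, and a Trojan-edited hosts file that short-circuits DNS for chosen domains. The hosts-file variant is the one a user can audit directly. The Python below is an added example, not code from the post, the APWG or Infoworld: it parses a constructed hosts file (the bank and anti-virus domains and the RFC 5737 addresses are made up) and flags any entry that touches a hypothetical watch list of domains that should only ever be resolved by DNS, distinguishing a redirect to an attacker address from a loopback entry that blocks updates.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a pharming Trojan has
# appended its own mappings. Domain names and addresses are made up
# (RFC 5737 documentation ranges); nothing here comes from the APWG report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.examplebank.com examplebank.com
198.51.100.23   login.examplebank.com
203.0.113.9     update.example-av.com   # site now served by the attacker
127.0.0.1       update.example-av.com   # earlier entry: updates blocked
"""

# Hypothetical list of domains whose resolution the owner wants to protect
# (bank, webmail, anti-virus update host). A real deployment would fill this
# from its own inventory.
WATCHED_DOMAINS = ("examplebank.com", "example-av.com", "mail.example.net")


def parse_hosts(text):
    """Return a list of (line_no, ip, hostname) for every mapping, skipping comments.

    A single hosts line may map one address to several names, so one line
    can produce several tuples.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, ip, verdict) for each suspicious mapping.

    Any hosts-file entry for a watched domain is suspicious: legitimate
    installs leave those names to DNS. The verdict distinguishes a redirect
    (to an attacker-chosen address) from a block (loopback/unspecified,
    typically used to stop AV or OS updates).
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            verdict = "blocked: pointed at loopback"
        else:
            verdict = "redirected: resolves to %s instead of DNS" % ip
        findings.append((line_no, name, ip, verdict))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, verdict in find_pharming_entries(SAMPLE_HOSTS):
        print("line %d: %-25s -> %-15s %s" % (line_no, name, ip, verdict))
```

On a real machine the text would come from `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`); the check deliberately treats any mapping for a watched domain as a finding, because the post's point is that a user typing the correct name cannot tell from the browser that the answer came from the file rather than from DNS. The rogue-DNS-server variant needs a different check (comparing the resolver the adapter is configured to use against the one the network operator hands out), which this example does not attempt.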

  2. #2

    Malicious SPAM...

    FYI...

    Speed up your PC! for FREE!
    - http://www.sophos.com/security/blog/2008/03/1072.html
    27 March 2008 - "What’s the easiest (and cheapest) way to get a faster computer?... numerous tools and applications insist on clogging up their system drive with poorly written uninstallers, gigabytes of temporary files and those annoying startup agents that load with Windows and sit resident in memory just in case they’re needed. It’s common then, for these users to turn to third party tools to clean up their computers. For the most part, these tools work pretty well. However, these programs are not always what they seem... To the unsuspecting computer users, this software looks like the perfect thing to clean up their computer. It appears simple, easy to use, small and free. Just the sort of things we’re looking for right? Wrong! This tool will “optimise” your computer by deleting a lot of critical system files. The end result is that your computer is rendered un-bootable and you’re left hoping that you have made a full system backup recently... this malicious program is detected by Sophos as Troj/Sysdel-B..."

    Fake shooting scam used in Trojan attack
    - http://www.sophos.com/security/blog/2008/03/1238.html
    29 March 2008 - "... SophosLabs noticed a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a spy Trojan. We saw several spam messages alerting users to the supposed shooting of the e-Gold founder... A variety of domains have been used in the scam. Browsing to each of the domains redirects to a malicious page on another server... The script attempts to exploit several client-side vulnerabilities in order to download and install a Trojan... Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ. This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims..."

    Swim in $$$ = Swim with Sharks!
    - http://www.sophos.com/security/blog/2008/03/1237.html
    28 March 2008 - “Im ************, i swim in money $$$
    I want you to swim with me!!! send this file to all friends and join me!!”
    If you are swimming with Troj/Nymod-A and looking at what appears to be the random picture of some person, you are definitely swimming with the sharks. Troj/Nymod-A drops a file called ^^^^^.exe (proactively detected by Sophos as Mal/Basine-C) and sets it to autostart every time you reboot your computer. File ^^^^^.exe has process monitoring which just respawns itself if you kill the handle running ^^^^^.exe. Finally it tunnels through your firewall and contacts a remote server whose domain ends in “.ru”! This has opened your computer to the $$$ sharks who might steal information from you, or steal your computer’s resources = $$$ for them."

    (Screenshots available at each URL above.)


  3. #3

    SPAM, SPAM, and more SPAM... w/malware

    FYI...

    More fake "Hallmark ecards"...
    - http://blog.trendmicro.com/greeting-...read-no-cheer/
    June 9, 2008 - "Thinking that someone just remembered you and sent you a Hallmark greeting card? Think again, before you open the email attachment. Today, we received a spam allegedly from Hallmark. Once you run the file named postcard.exe, it will automatically open Notepad with some garbage characters to distract users while the malware is being installed... Trend Micro detects this malware as TROJ_INJECTOR.DD... The malware drops copies of itself and creates registry entries to ensure its automatic execution at every system startup. This is not the first time malware authors tried to trick users by exploiting their curiosity and desire to receive good tidings via greeting cards: Storm started out much the same way, including the use of eCards, and well into 2007."

    ---------------------------------

    Phishers drop MySpace bait
    - http://blog.trendmicro.com/phishers-drop-myspace-bait/
    June 9, 2008 - "...new phishing attack that leads to the download of malware. However, unlike most instances where phishing baits are usually banks, credit unions or other financial institutions, this time it uses the popular social networking Web site MySpace.com. The phishing URL may be contained in spammed email messages. Once recipients of said messages click or visit the URL, it displays a spoofed MySpace login page. It also uses a popup window declaring a supposed MySpace profile object error and requires that the user download the new version of a new MySpace profile object. Therein lies the trick: When the user clicks the “continue” button, malicious files are not only downloaded but also automatically installed. The said malicious files are detected as TROJ_ZLOB.GUZ and BKDR_IRCBOT.BGY... And if the user tries to exit the page, it will not close until the said file is downloaded. To exit, a user needs to terminate the program using Task Manager... phishing URL hxxp ://{BLOCKED}ce404-error.farvista.net/myspace.php ..."

    (Screenshot available at the TrendMicro URL above.)


  4. #4

    Malicious spam - news on Osama...

    FYI...

    - http://securitylabs.websense.com/con...erts/3130.aspx
    07.04.2008 - "Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software... The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign... We have seen the same malicious executable used throughout different spam campaigns bearing the following email subject lines:
    Jennifer Aniston Interesting mp3!!!
    Clara Morgane Shocking photo!!!
    Kylie Minogue Interesting video without cowards!!!
    Demi Moore New sexy songs!!!
    Avril Lavigne Shocking porno dvd!!!
    Nicole Richie Kick-up cd!!!
    Beyonce Shocking sexy songs!!!
    Keira Knightley Gallery photo!!!
    Britney Spears Interesting cd!!! ..."

    (Screenshots available at the URL above.)


  5. #5

    Airlines - infected ticket invoices...

    FYI...

    Attachment contains same Trojan horse that stole 1.6M records from Monster.com last year
    - http://preview.tinyurl.com/66ayhz
    July 28, 2008 (Computerworld) - "Several airlines, including Delta Air Lines Inc. and Northwest Airlines Corp., have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. A researcher at McAfee Inc. confirmed the campaign in a post to the company's blog*. The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge..."
    * http://www.avertlabs.com/research/bl...-takes-flight/


  6. #6

    Airlines - infected ticket invoices... SPAM

    More of same...

    - http://www.f-secure.com/weblog/archives/00001477.html
    July 30, 2008 - "... Today when we saw a large spam run sending out fake JetBlue etickets... The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks..."
    (Screenshot available at the F-secure URL above.)

    - http://www.us-cert.gov/current/#airl...t_email_attack
    July 31, 2008

    Last edited by AplusWebMaster; 2008-08-01 at 01:17. Reason: Added US-CERT link...

  7. #7

    Phishers play the Olympics

    FYI...

    Phishers play the Olympics
    - http://blog.trendmicro.com/phishers-play-the-olympics/
    08.04.2008 - "Olympic tickets anyone? They are available on the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympics approaches... fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports* that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but actually are stealing credit card numbers and other confidential information..."
    * http://www.latimes.com/technology/la...,7568966.story

    - http://securitylabs.websense.com/con...erts/3152.aspx
    08.05.2008 - "Websense... has discovered a rogue Beijing Olympics ticket lottery Web site. The Web site uses the hostname beij***2008.cn, a clear typo-squat to the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers as callers would then be charged a premium rate for making that phone call. Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD). This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users..."

    (Screenshots available at the TrendMicro and Websense URLs above.)


  8. #8

    FAKE Adobe Flash Player

    FYI...

    FAKE Adobe Flash Player
    - http://www.us-cert.gov/current/#malw...e_flash_player
    August 5, 2008 - "Adobe has issued a Security Bulletin* warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that a worm is making fraudulent posts on social networking sites. These posts include links that lead to fake sites that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems..."
    * http://blogs.adobe.com/psirt/2008/08...nstallers.html
    "...do -not- download Flash Player from a site other than adobe.com... If the download is from an unfamiliar URL or an IP address, you should be suspicious..."


  9. #9

    FAKE Adobe Flash Player - more...

    More...

    Compromised Web Servers Serving Fake Flash Players
    - http://ddanchev.blogspot.com/2008/08...ving-fake.html
    August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owners are concerned, it appears that some of them are already seeing the malware page popping up on the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advantage of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts which serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
    Sample detection rate : flashupdate.exe
    Scanners Result: 35/36 (97.23%)
    Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
    File size: 78848 bytes
    MD5...: c81b29a3662b6083e3590939b6793bb8
    SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

    The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider...
    Sample detection rate : antispyspider.msi
    Scanners Result: 11/35 (31.43%)
    FraudTool.Win32.AntiSpySpider.b;
    File size: 1851904 bytes
    MD5...: 2f1389e445f65e8a9c1a648b42a23827
    SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

    The bottom line - over a thousand domains are participating, with many others apparently joining the party proportionally with the web site owners' actions to get rid of the malware campaign hosted on their servers."

    ---

    * http://www.adobe.com/go/getflashplayer
    Current Adobe Flash Player version 9.0.124.0

    Last edited by AplusWebMaster; 2008-08-07 at 20:50. Reason: Added link to current Adobe Flash Player...

  10. #10

    Bogus CNN custom alerts...

    FYI...

    Bogus CNN Custom Alerts
    - http://securitylabs.websense.com/con...erts/3154.aspx
    08.08.2008 - "Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."

    (Screenshots available at the URL above.)

