Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Worm on Facebook steals 45,000 logins ...

    FYI...

    Worm on Facebook steals 45,000 logins ...
    - http://blog.seculert.com/2012/01/ram...es-social.html
    January 5, 2012 - "... Seculert's research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France... Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users* in the United Kingdom and France...
    * http://1.bp.blogspot.com/-F2YMFY8HB-...tbycountry.png
    ... We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks... With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2

    MS11-100 exploit released

    FYI...

    MS11-100 exploit released
    - https://threatpost.com/en_us/blogs/e...et-flaw-010912
    Jan 9, 2012 - "A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability. The proof-of-concept exploit code was posted to the Full Disclosure mailing list.. the code is designed to exploit a recently discovered vulnerability in ASP.NET that's related to the way that the software handles certain HTTP post requests... The problem isn't actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch* for the flaw on Dec. 29, recommending that users install it as quickly as possible... The base cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it will need to perform a huge amount of computations that could consume all of the server's resources."
    * https://technet.microsoft.com/en-us/.../ms11-100.mspx

    - https://isc.sans.edu/diary.html?storyid=12355
    Last Updated: 2012-01-09 19:21:27 UTC

    Last edited by AplusWebMaster; 2012-01-10 at 10:39.

  3. #3

    BBB SPAM leads to 'Blackhole' ...

    FYI...

    BBB SPAM leads to 'Blackhole'...
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    12 Jan 2012 - "... BBB is aware of the spam and posted an alert on their site, and also offer the following suggestions:
    'To verify the legitimacy of BBB complaints, contact Better Business Bureau locally. Consumers or businesses who have received the fraudulent emails are asked to report them to http://bbb.org/scam/report-a-scam ...'
    The hyperlink in the message labeled "click here" pointed to an HTML page "index.html" on a compromised domain. I retrieved the index HTML page and its content was very minimal, yet suspicious, with links to a JavaScript file named "ajaxam.js"... The domains referenced in the script appear to have been compromised for this attack. Two of the links for the "ajaxam.js" script were dead but a third was not. That .JS file contained a simple one line document location instruction to yet another domain and server-side PHP script... This request results in the delivery of an obfuscated script file that, when run, attempts to exploit CVE-2010-1885. This particular vulnerability is also known as the "Help Center URL Validation Vulnerability", mitigated by Microsoft Security Bulletin MS10-042. On a vulnerable computer, this script exploit would have dropped and executed malware... This scheme of redirection and executing obfuscated script with these certain exploits was none other than the "Blackhole" exploit pack..."


  4. #4

    NY banks and Online Theft ...

    FYI...

    NY banks and Online Theft ...
    - http://online.wsj.com/article/SB1000...598919896.html
    Jan. 10, 2012 - "... initiatives are designed to encourage banks to work together to better protect against hackers, whose efforts to shut down electronic operations and steal money or customer data pose a growing concern for the industry... Online attacks have increased sharply over the past two years and financial institutions are among the most likely targets, according to a new survey by PricewaterhouseCoopers LLP, the consulting firm. Avivah Litan, an analyst with Gartner Research, expects financial companies to increase spending on fraud detection and customer authentication systems by as much as 12%, to $1 billion, over the next two years — a record... While many bank officials agree with the information-sharing in principle, some are concerned that doing so could provide rivals with too much insight into their operations... Sharing might be discouraged in other parts of banking, because of possible antitrust implications...
    the chief technology officer of a large bank said "phishing" attacks used by cyber criminals to extract personal information were not a threat... 'If they are -not- a threat, why are you spending $2 million on software to protect against them?'... The executive's answer: "We don't want to talk about fraud in front of anyone."

    Search: online bank frauds
    - https://encrypted.google.com/
    ... about 109,000,000 results.

    Last edited by AplusWebMaster; 2012-01-14 at 14:34.

  5. #5

    IP's to block 2012.01.14...

    FYI...

    IP's to block...
    - https://isc.sans.edu/diary.html?storyid=12400
    Last Updated: 2012-01-14 21:40:30 UTC - "Antony Elmar owns quite a few domain names... lives in a lovely city called "Kansas, US"... with a phone number that is a tad odd for "Kansas, US" and has a dial prefix that looks more like Italy... Registrant Phone:+3.976639877...
    His new domains currently point to 89.187.53.237, in Moldova... The IP used seems to change about once per week, until past Thursday, Antony's virtual HQ was at the neighboring IP, 89.187.53.238.
    His latest new domains include:
    cyberendbaj .in
    cyberevorm .in
    endbaj .in
    endbajcomp .in
    evorm .in
    evormhost .in
    evormcorp .in
    ... and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages..."


  6. #6

    Zbot spreads thru fake email...

    FYI...

    Zbot spreads thru fake email ...
    - http://labs.m86security.com/2012/01/...ication-email/
    January 13, 2012 - "... malicious SPAM campaign that is actively sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>” and the attachment uses the filename format Billing-Summary-ConEdison-<random numbers>-<Date>.zip... The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise. It uses no fake icons of Adobe Reader or Microsoft Word, no double file extensions, or excessive use of space in the file name to hide the .EXE extension... bill notifications do -not- usually arrive with an executable file - so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email..."

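An added example, not part of the quoted M86 write-up or of this thread: one way a mail gateway could inspect a zip attachment like the one described in the post above, flagging members that begin with the PE "MZ" magic or that use the filename disguises the article mentions (double extensions, space padding). The function names, extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import re
import zipfile

# Extensions Windows runs directly on double-click (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Document-looking extensions used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def inspect_zip_attachment(data: bytes) -> list[tuple[str, list[str]]]:
    """Return (member name, reasons) for each suspicious member of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.flag_bits & 0x1:
                # Password-protected member: content cannot be inspected.
                reasons.append("encrypted")
            else:
                with archive.open(info) as member:
                    if member.read(2) == b"MZ":  # DOS/PE header magic
                        reasons.append("pe-header")
            root, ext = posixpath.splitext(info.filename)
            if ext.lower() in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
                if posixpath.splitext(root.rstrip())[1].lower() in DECOY_EXTS:
                    reasons.append("double-extension")
                if re.search(r"\s{5,}", root):
                    reasons.append("space-padding")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: harmless bytes, only the 2-byte MZ magic is real."""
    stub = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Billing-Summary-ConEdison-0000-SAMPLE.exe", stub)
        archive.writestr("statement.pdf" + " " * 20 + ".exe", stub)
        archive.writestr("notes.txt", b"plain text")
        archive.writestr("photo.jpg", stub)  # PE content behind an image name
    return buf.getvalue()
```

Checking content as well as the name catches the undisguised case from the article and also a member whose extension was simply changed.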

  7. #7

    Zappos breach - 24M affected...

    FYI...

    Zappos breach - 24M affected...
    - https://www.computerworld.com/s/arti...er_data_breach
    January 16, 2012 - "... Zappos.com is advising over 24 million customers to change their passwords following a data breach... Zappos employees received an email from CEO Tony Hsieh on Sunday*, alerting them about a security breach that involved the online shop's customer database... Even though he assured everyone that no credit card details had been compromised, Hsieh revealed that the attacker had accessed customer records including names; email, billing and shipping addresses; phone numbers, and the last four digits of their credit card numbers. The hacker also gained access to password hashes for the accounts registered on the website, prompting the company to reset everyone's access codes. Zappos is currently in the process of emailing its 24 million customers in order to notify them about the security breach and advise them to change their passwords..."
    * http://blogs.zappos.com/securityemail

    - https://isc.sans.edu/diary.html?storyid=12406
    Last Updated: 2012-01-16 16:56:49 UTC

    > http://www.reuters.com/article/2012/...80F1BD20120117
    Jan 17, 2012 - "... hackers had not been able to access servers that held customers' critical credit card and other payment data... Zappos... was recommending that customers change their passwords including on any other website where they use the same or similar password..."

    - http://blog.eset.com/2012/01/17/zapp...essons-learned
    Jan 17, 2012 - "... Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident..."
    ___

    (Yet -another- hAcK...) T-Mobile USA hacked
    - http://h-online.com/-1414307
    17 January 2012

    Last edited by AplusWebMaster; 2012-01-18 at 03:15.
