SPAM frauds, fakes, and other MALWARE deliveries - archive

[AplusWebMaster]

FYI...

Spam from Hotmail compromised accounts
- http://isc.sans.org/diary.html?storyid=11026
Last Updated: 2011-06-08 13:47:30 UTC - "We keep getting ongoing reports from readers about SPAM being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted to be able to send spam from "trusted" sources. If an e-mail is received from a friend or relative, you are much more likely to open and read it. These accounts are compromised via many ways, most commonly these days via phishing. The question always is if it is actually a compromised account, or just someone spoofing the "From" address. Hotmail adds some characteristic headers that can be used to identify the source as hotmail. While they may be faked of course, they allow you to narrow down the chances of the account being compromised. You should see a "Received" header from a hotmail.com host, using Microsoft SMTSVC. If the e-mail was posted via the web interface, you should also see an "X-Oritinating-IP" header, with the IP address of the sender... Next question we get: What to do if you find out your friends hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, -all- sites he uses the same password with). Worse case: Your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a real good friend, help with the cleanup."

Hotmail and Windows Live Hotmail
To see the full, unmangled headers in Hotmail: http://spamcop.net/fom-serve/cache/22.html

[AplusWebMaster]

FYI...

PPI svcs - badness on the Web ...
- https://krebsonsecurity.com/2011/06/...ce-of-badness/
June 9, 2011 - "... Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims. The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install..."
> Continued here: http://www.technologyreview.com/computing/37705/page1/

[AplusWebMaster]

FYI...

SPAM Fake UPS e-mails - spread fake anti-virus
- http://nakedsecurity.sophos.com/2011...ke-anti-virus/
June 9, 2011 - "Email inboxes around the world are being spammed today with a malicious attack designed to infect Windows computers with a fake anti-virus attack. The emails claim to be notification from United Parcel Service (UPS) that a package is winging its way to your address. The cybercriminals behind the scheme hope that recipients will be intrigued enough to open the attached file, which can infect their computer with malware..."
(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

SpyEye targets airline - Bank Debit Cards...
- http://www.trusteer.com/blog/spyeye-...-card-payments
June 16, 2011 - "... a SpyEye configuration that targets users of two leading European airline travel Web sites: Air Berlin, the second largest airline in Germany (after Lufthansa) and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud. The attack subjects are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users... criminals targeting an Air Berlin traveller from these countries stand a good chance of obtaining the personal details of the user - including their date of birth, which is mandatory on the airline's site – as well as their bank account details... SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated... SpyEye injects code into the users' Web browser that claims to be an anti-fraud enhancement... In reality, of course, this is a cleverly-disguised attempt to -phish- user credentials from the unsuspecting customer of the AirPlus Web portal... traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with SpyEye as it uses targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside computers..."
(More detail available at the trusteer URL above.)

[AplusWebMaster]

FYI...

Exploit kit use on the rise
- http://research.zscaler.com/2011/06/...ploit-kit.html
June 14, 2011 - "Exploit kits are becoming an increasingly popular means of spreading attacks... usage of the Blackhole exploit kit... targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls... noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that stands out to differentiate among these exploit kits is the URL patterns used. Most of the time, the URL pattern remains same within a given exploit kit. A quick look at malwaredomainlist shows the usage of common patterns used in URLs associated with Incognito*... multi-level attacks targeted by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits, provides attackers with the opportunity to launch campaigns on a frequent basis, with limited technical knowledge."
(More detail at the zscaler URL above.)

Incognito exploit kit
* http://www.malwaredomainlist.com/mdl...ll&quantity=50

Blackhole exploit kit
- http://www.malwaredomainlist.com/mdl...ll&quantity=50

Phoenix exploit kit
- http://www.malwaredomainlist.com/mdl...ll&quantity=50

[AplusWebMaster]

FYI...

Fake job site SCAMS...
- http://blog.dynamoo.com/2011/06/fake...job-eucom.html
17 June 2011 - "... fake job domain used for contacting potential money laundering mules, this time totaljob-eu .com which is a part of this long-running scam*..."
* http://blog.dynamoo.com/search/label/Lapatasker

- http://blog.dynamoo.com/2011/06/fake...nd-espana.html
17 June 2011 - "... more fake domains in the long-running "Lapatasker" series... The registration details have changed... but otherwise this is the same old attempt to recruit people for money laundering. Avoid..."

[AplusWebMaster]

FYI...

Outlook phishing SPAM...
- http://nakedsecurity.sophos.com/2011...ing-form-spam/
June 20, 2011 - "... Have you received a message telling you that your account needs to be reconfigured, and requesting that you enter your username and password?... If you do make the mistake of opening the attached file, you will be presented with a form which asks you for all the information a remote hacker would need to access your email account... Don't make it easy for the phishers, the spammers, the identity thieves and hackers to break into your online accounts..."

[AplusWebMaster]

FYI...

11 new exploit modules "for your pwning pleasure"
- http://h-online.com/-1265361
22 June 2011 - "The Metasploit Project has released version 3.7.2 of its exploit framework. According to the developers, the latest release of the open source penetration testing tool includes "eleven new exploit modules and fifteen post modules for your pwning pleasure"... Metasploit's hashdump capabilities now allow users to easily steal password hashes... developers note that they should also be "considerably easier to crack". A new cachedump module that allows users to steal Windows cached password hashes has also been added. Other changes include remote registry commands for Meterpreter and updates to the egghunter payload to help it bypass data execution prevention (DEP)..."

... of course, the "whitehats" won't be the only ones using it.

[AplusWebMaster]

FYI...

Facebook likejacking SCAMS
- http://techblog.avira.com/2011/06/27...king-scams/en/
June 27, 2011 - "A new series of likejacking scam are making large waves on Facebook. “Dad walks on Daughter… Embarrassing” is being sent in large numbers on Facebook... As soon as you click on the link, you must “LIKE” it and then you are -redirected- to a page where you have to repeat the experience. As unbelievable as it seems, I have seen people clicking more than once on the Like button with the hope that they will get to see the video... Another scam being sent is about an Italian TV star who seems to have problems with her dress... So, you clicked, now how to get rid of this embarrassing episode? You have to remove from your Wall the post, by clicking on the top right corner... nothing is free in the Internet, even if it seems so. Please think twice before clicking on some “interesting” pictures or videos."

[AplusWebMaster]

FYI...

XSS Attack on Sina MicroBlog
- http://community.websense.com/blogs/...microblog.aspx
29 Jun 2011 - "... Sina Weibo is the most popular microblog service in China, with more than 100 million registered customers. Just yesterday (28 June), Sina Weibo was attacked through an XSS exploit: more than 30,000 high profile customers were affected and sent out messages containing a malicious link... Followers who click the malicious link are redirected to a page hosted on "weibo .com/pub/star", which contains an XSS exploit to allow the execution of malicious JavaScript from www .2kt .cn... Although no malicious software was installed in this campaign, Websense reminds customers to do a simple check before you click on any suspicious URL, even it comes from your best friends."

- http://nakedsecurity.sophos.com/2011...e-hit-by-worm/
June 30, 2011

- https://www.computerworld.com/s/arti...r_like_service
June 30, 2011 - "... Affected posts displayed a malicious link with enticing messages like "Move a woman's heart with 100 lines of poetry" or "Software to listen to other people's phones." When the link was clicked, the user's own account would re-post and send out private messages circulating the malicious link again..."