
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #461
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    'Work from home' SPAM scam floods Twitter

    FYI...

    'Work from home' SPAM scam floods Twitter
    - http://nakedsecurity.sophos.com/2011...aking-adverts/
    August 1, 2011 - "Compromised Twitter accounts are once again being used by criminals to spam out adverts to unsuspecting users. In the latest attack, Direct Messages (DMs) have been sent between Twitter users promoting a "make money fast" website... Clicking on the link takes the unsuspecting recipient to a website which claims, in breathless tones, to help single mothers and teenagers to make "thousands of dollars" every day... The likelihood is, however, that all that will happen is that you end up out of pocket if you invest in the site's Home Wealth Formula. Interestingly, the website tries to attempt to customise its content to appear more attractive to you. For instance, I visited the site from Sophos's British HQ in Abingdon, Oxfordshire, and the website duly described itself as the "Abingdon Business Journal" (no such publication really exists)... there will no doubt be Twitter users who trust DMs sent to them by their friends and may click on the link, and some of them may be tempted to sign-up for the scheme...
    Update: ... SPAM messages are also being sent as classic messages, not just DMs..."
    (Screenshots available at the Sophos URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #462
    Adviser Team AplusWebMaster's Avatar

    Cisco 2Q11 Global Threat Report

    FYI...

    Cisco 2Q11 Global Threat Report
    - http://blogs.cisco.com/security/cisc...threat-report/
    August 1, 2011 - "... highlights from the Cisco 2Q11 Global Threat Report* include:
    • A more than double increase in unique Web malware in the second quarter;
    • Average encounter rates per enterprise peaked in March (455) and April (453);
    • Companies with 5,001-10,000 employees and companies with 25,000+ employees experienced significantly higher Web malware encounters compared to other size segments;
    • Brute force SQL login attempts increased significantly during the second quarter, coinciding with increased reports of SQL injection attacks throughout the period;
    • Denial of Service attempts also increased during the second quarter and were observable in IPS logs;
    • Global spam volumes remained fairly steady throughout the first half of 2011, while phishing increased in 2Q11, peaking at 4% of total volume in May 2011..."
    * http://www.cisco.com/go/securityreport


  3. #463
    Adviser Team AplusWebMaster's Avatar

    willysy osCommerce Mass Injection now over 6M infected pages ...

    FYI...

    Rapid relief for osCommerce administrators...
    - http://h-online.com/-1324235
    17 August 2011
    ___

    willysy osCommerce now over 6M infected pages - Mass Injection ongoing...
    - http://blog.armorize.com/2011/08/wil...on-over-6.html
    8.03.2011 - "... With the number of infected pages now over 6 million, we've again updated our initial report on this willysy mass injection incident*..."
    * http://blog.armorize.com/2011/07/wil...n-ongoing.html

    - http://www.youtube.com/watch?v=1Jh_H4qQzqo
    Uploaded by ArmorizeTech on Aug 3, 2011
    "... recorded when infection number reached 6 million pages..."
    ___

    Is That a Virus in Your Shopping Cart?
    - https://krebsonsecurity.com/2011/08/...shopping-cart/
    August 5, 2011
    ___

    - http://h-online.com/-1317410
    3 August 2011
    - http://h-online.com/-1323427
    16 August 2011

    - http://www.usatoday.com/money/indust...-hacking_n.htm
    "... A single criminal gang using computer servers located in the Ukraine is responsible for the latest twist in converting legit web sites into delivery mechanisms for 'driveby downloads'..."

    Last edited by AplusWebMaster; 2011-08-18 at 16:25.

  4. #464
    Adviser Team AplusWebMaster's Avatar

    HTran and APT ...

    FYI...

    HTran and APT ...
    - http://www.secureworks.com/research/threats/htran/
    August 3, 2011 - "... 'not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.
    Conclusion: Over the past ten years, we have seen dozens of families of trojans that have been implicated in the theft of documents, email and computer source code from governments, industry and activists. Typically when hacking or malware traffic is reported on the Internet, the location of the source IP is not a reliable indicator of the true origin of the activity, due to the wide variety of programs designed to tunnel IP traffic through other computers. However, occasionally we get a chance to peek behind the curtain, either by advanced analysis of the traffic and/or its contents, or due to simple programmer/user error. This is one of those cases where we were lucky enough to observe a transient event that showed a deliberate attempt to hide the true origin of an APT. This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes."
    (More detail at the secureworks URL above.)

    - https://www.computerworld.com/s/arti...trail_to_China
    August 4, 2011 - "... attackers gained access to RSA's network by convincing a small number of the company's employees to open malware-infected Excel spreadsheets. The spreadsheets included an exploit for a then-unpatched vulnerability in Adobe's Flash Player. Later attacks on the defense contractor Lockheed reportedly utilized information obtained in the RSA hack... Joe Stewart uncovered the location of the malware's command servers by using error messages displayed by a popular tool called "HTran," which Chinese hackers often bundle with their code. HTran bounces traffic between multiple IP addresses to mask the real identity of the order-giving servers, making it appear, for instance, that the C&C servers are in the U.S. when they are not... more than 60 malware families he's found that were custom-made for RSA-style attacks..."

    Last edited by AplusWebMaster; 2011-08-04 at 22:10.

  5. #465
    Adviser Team AplusWebMaster's Avatar

    Malware variants turn UAC off ...

    FYI...

    Malware variants turn UAC off ...
    - https://blogs.technet.com/b/mmpc/arc...t-malware.aspx
    3 Aug 2011 - "... more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now uses behavior monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly. The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate. Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity... UAC is not intended as malware protection, but it's another layer of security to help improve the safety of Windows. If you've been attacked from malware, please check the UAC setting in the control panel to see if it's been tampered*..."
    * http://windows.microsoft.com/en-US/w...trol-on-or-off


  6. #466
    Adviser Team AplusWebMaster's Avatar

    Fake Firefox update e-mail...

    FYI...

    Fake Firefox update email...
    - http://nakedsecurity.sophos.com/2011...email-malware/
    August 8, 2011 - "... email which was spammed out this weekend pretending to be an advisory about a new update to the popular Firefox web browser... no surprises here. The link downloads an executable file, which bundles together an installer for Mozilla Firefox 5.0.1 -and- a password-stealing Trojan horse. Sophos already detected the Trojan horse as Troj/PWS-BSF... Firefox automatically updates itself - so you should never have to act upon an email like this. If you want to manually look for the latest update, simply open Firefox and go to the Help menu and select About Firefox..."


  7. #467
    Adviser Team AplusWebMaster's Avatar

    LinkedIn box to Uncheck...

    FYI...

    LinkedIn box to Uncheck...
    - https://brandimpact.wordpress.com/20...k-on-linkedin/
    August 10, 2011 - "Apparently, LinkedIn has recently done us the “favor” of having a default setting whereby our names and photos can be used for third-party advertising. A friend forwarded me this alert (from a friend, from a friend…) this morning. Devious. And I expect that you, like me, don’t want to participate... graphic shows you how to Uncheck The Box*... Nice try, LinkedIn. But, no thanks!
    *UPDATE: After you finish with Account, check the new default settings under E-mail Preferences (such as Partner InMails); and Groups, Companies & Applications (such as Data Sharing with 3rd-party applications). It’s a Facebook deja vu!"
    * https://brandimpact.files.wordpress....din_social.png

    > http://www.theregister.co.uk/2011/08...vacy_stuff_up/


  8. #468
    Adviser Team AplusWebMaster's Avatar

    Zeus SPAM campaign ...

    FYI...

    Zeus SPAM campaign...
    - http://blogs.appriver.com/blog/digit...-the-tax-angle
    August 10, 2011 - "The past couple of days we have been seeing a fairly large Zeus-laden campaign hitting our filters. These emails are also taking on a few different personas, the majority of which being the Internal Revenue Service. The other two, to a lesser extent, are the Federal Reserve, and the Nacha Electronic Payments Association which is a non-profit group that provides the rules and regulations for electronic transactions such as insurance premiums and mortgage loans. The group claims to have one of the largest and safest payment systems in the world. This may be true, but these imposters are anything but... Zeus is currently the most frequently seen pieces of malware circulating through interwebs. It works its way onto victim machines, and installs malicious software that siphons off bank account credentials. In this campaign in particular we have seen over 1 million pieces of these caught in our filters, at an average rate of around 1 every 2 seconds. Each of the emails contain a link to a remotely hosted file. The domains on which they're hosted are: irs-report-file .com, nacha-transactions .com, irs-tax-reports .com, federal-taxes .us, irs-alerts-report .com, federalresrve .com, files-irs-pdf .com, nacha-files .com, and nacha-security .com. The filenames vary depending on the facade being used. These include: wire-report.pdf.exe, your-tax-report.pdf.exe, 00000700955060US.pdf.exe, alert-report.pdf.exe, tax_00077034772.pdf.exe, transaction_report.pdf.exe, and 3029230818209.pdf.exe..."
    (Screenshots available at the appriver URL above.)

    .
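The double-extension file names in the report quoted above (`your-tax-report.pdf.exe` and similar) are something a mail or web gateway can flag. The following is an added example, not part of the original post or of the AppRiver report; the extension sets, the function names and the `example.invalid` URL are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows runs or interprets on double-click (assumed, not exhaustive).
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}
# Extensions a recipient reads as "just a document": the decoy part of the name.
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def leaf_name(ref):
    """Last path component of a download URL or of a bare attachment name."""
    path = urlsplit(ref).path if "://" in ref else ref
    # Decode %2E and friends before looking at the dots.
    return re.split(r"[\\/]", unquote(path))[-1]


def masquerading_extension(ref):
    """Return (decoy, real) when the name ends in <decoy>.<executable>, else None."""
    # Windows drops trailing dots and spaces when it resolves a file name,
    # so "report.pdf.exe. " still launches as an executable.
    name = leaf_name(ref).rstrip(". ").lower()
    # Padding spaces between the decoy and the real extension hide the latter
    # in narrow file dialogs; strip them from each component.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:
        return None  # need stem + decoy + real extension
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE and decoy in DECOY:
        return decoy, real
    return None


def triage(refs):
    """Subset of refs whose file name hides an executable behind a document."""
    return [r for r in refs if masquerading_extension(r)]


# First two names are quoted in the report above; the rest are constructed.
SAMPLES = [
    "wire-report.pdf.exe",
    "00000700955060US.pdf.exe",
    "http://example.invalid/files/tax_00077034772.pdf%2Eexe?id=7",
    "Alert-Report.PDF   .EXE. ",
    "quarterly.report.pdf",
    "setup.exe",
    "http://example.invalid/get.exe/readme.pdf",
]

if __name__ == "__main__":
    for ref in triage(SAMPLES):
        print("flag:", repr(ref), masquerading_extension(ref))
```

A plain `setup.exe` is deliberately not flagged here: the check targets the disguise, and blocking executables outright is a separate gateway policy.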

  9. #469
    Adviser Team AplusWebMaster's Avatar

    SPAM - virus Outbreak In Progress

    FYI...

    SPAM - Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    August 15, 2011

    > http://tools.cisco.com/security/cent...o=1&sortType=d

    Website Profile Inquiry E-mail Msg...
    - http://tools.cisco.com/security/cent...?alertId=23906
    Misleading Tourism E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23905
    Fake Personal Photo Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23881
    Fake Blocked Credit Card Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23820


  10. #470
    Adviser Team AplusWebMaster's Avatar

    SPAM - Virus Outbreak In Progress - 2011.08.17

    FYI...

    SPAM - Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    August 17, 2011

    - http://tools.cisco.com/security/cent...o=1&sortType=d

    Fake Parcel Delivery Failure Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23917
    Fake Digital Telegram Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23946
    Fake Invoice Payment Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23915
    Fake Mobile Communication E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23916
    Fake Traffic Ticket E-mail Msgs... *
    - http://tools.cisco.com/security/cent...?alertId=23945
    Fake Personal Photo Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23881
    Fake Antivirus Update E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23931
    Malicious Changelog Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23588
    ___

    - http://nakedsecurity.sophos.com/2011...ke-dhl-emails/
    August 18, 2011

    * http://sunbeltblog.blogspot.com/2011...-speeding.html
    August 18, 2011

    * http://nakedsecurity.sophos.com/2011...y-spammed-out/
    August 17, 2011

    - http://nakedsecurity.sophos.com/2011...d-credit-card/
    August 15, 2011

    Malicious SPAM volume chart - last 28 days
    - http://community.websense.com/cfs-fi...bs/5226.S4.png
    18 Aug 2011

    Last edited by AplusWebMaster; 2011-08-19 at 13:16.
