
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #501
    Adviser Team AplusWebMaster | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    JBoss worm-in-the-wild

    FYI...

    JBoss worm-in-the-wild
    - https://isc.sans.edu/diary.html?storyid=11860
    Last Updated: 2011-10-21 02:06:15 UTC ...(Version: 2) - "A worm is making the rounds infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. The worm exploits an older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem was fixed last year, but there are apparently still a number of vulnerable installs out there. If you do run JBoss, please make sure to read the instructions posted by RedHat here:
    - http://community.jboss.org/blogs/mjc...ication-server
    Analysis of the worm: http://pastebin.com/U7fPMxet "
    ___

    - http://www.theregister.co.uk/2011/10/26/jboss_worm/
    26 October 2011 - "... The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – in order to attack new machines. The worm's payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines... exploits with a patch available for over a year accounted for 3.2 per cent of compromises..."

    Last edited by AplusWebMaster; 2011-10-26 at 17:24.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
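The configuration problem the ISC diary describes (a role check that only lists GET and POST, so every other HTTP method reaches the resource unauthenticated) can be audited mechanically. Added example, not code from the diary or from Red Hat's advisory: it parses a constructed web.xml fragment, flags role-protected constraints that are limited to an explicit verb list, and shows the hardened form with the verb list removed. The element names HtmlAdaptor and JBossAdmin are illustrative.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name) so real web.xml
    files, which usually declare the Java EE namespace, parse the same way."""
    return tag.rsplit("}", 1)[-1]

def audit_security_constraints(web_xml_text):
    """List (url-pattern, verbs) for every role-protected constraint that is
    limited to an explicit verb list. Per the Servlet spec, listing
    <http-method> elements restricts the constraint to those verbs only, so
    any other verb reaches the resource without authentication."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # a constraint without <auth-constraint> demands no role; skip it
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            verbs = sorted(c.text.strip().upper() for c in wrc
                           if _local(c.tag) == "http-method")
            if not verbs:
                continue  # no verb list: the constraint covers every method
            for c in wrc:
                if _local(c.tag) == "url-pattern":
                    findings.append((c.text.strip(), verbs))
    return findings

# Constructed fragment in the shape of the misconfiguration the diary
# describes: only GET and POST are put behind the role check.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened form: no <http-method> elements, so the same constraint applies
# to every HTTP method.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")
```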

  2. #502
    Adviser Team AplusWebMaster

    Fake jobs: jobbworld .com, yourjobb .com, canada-newjob .com, netherlandjobb .com...

    FYI...

    Fake jobs: jobbworld .com and yourjobb .com
    - http://blog.dynamoo.com/2011/10/fake...urjobbcom.html
    23 October 2011 - "Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.
    jobbworld .com
    yourjobb .com
    This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address..."

    Fake jobs: canada-newjob .com, netherlandjobb .com and newjobrecruit .com
    - http://blog.dynamoo.com/2011/10/fake...newjobcom.html
    20 October 2011 - "Another bunch of domains being used to peddle fake jobs:
    canada-newjob .com
    netherlandjobb .com
    newjobrecruit .com
    These domains form part of this long running scam. You may find that the emails appear to come from your own email address..."


  3. #503
    Adviser Team AplusWebMaster

    Mass SQL Injection attack hits 1 million sites

    FYI...

    Mass SQL Injection attack hits 1 million sites
    - http://www.darkreading.com/taxonomy/...e/id/231901236
    Oct 19, 2011 - "A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said*... According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon's infiltration. "This is very similar to LizaMoon," says Wayne Huang, CEO of Armorize, who, with his team, first reported an injected script dropped on ASP.NET websites that loads an iFrame to initiate browser-based drive-by download exploits on visitor browsers to the site. Initial reports by Armorize showed that 180,000 Web pages had been hit* by the offending script, but Huang told Dark Reading that a Google search resulted in returns for more than 1 million Web pages containing the injected code..."
    * http://blog.armorize.com/2011/10/htt...infection.html
    "... The script causes the visiting browser to load an iframe first from www3 .strongdefenseiz .in and then from www 2.safetosecurity .rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser... if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc). This wave of mass injection incidents is targeting ASP ASP.NET websites..."
    > https://www.virustotal.com/file-scan...7aa-1319203779
    File name: file-2979089_
    Submission date: 2011-10-21 13:29:39 (UTC)
    Result: 30/42 (71.4%)
    ___

    Dissecting the Ongoing Mass SQL Injection Attack
    - http://ddanchev.blogspot.com/2011/10...injection.html
    Oct 20, 2011

    - https://encrypted.google.com/ ...
    Oct. 25, 2011 - "... about 1,610,000 results..."

    Last edited by AplusWebMaster; 2011-10-26 at 19:41.

  4. #504
    Adviser Team AplusWebMaster

    Targeted malware attack shows how Fast Fingerprinting works

    FYI...

    Targeted malware attack shows how Fast Fingerprinting works
    - http://nakedsecurity.sophos.com/2011...rinting-works/
    October 24, 2011 - "... technology is helping anti-virus researchers detect malicious Microsoft Office files, by examining if they fail to conform to the OLE2 file format specification... two differences between the new malware sample and previous ones are:
    - The case of the Workbook stream had been changed to workbook...
    - Previous incarnations had contained the Unicode string "HP LaserJet" at offset 0x638 and the new version has had the first four characters "HP L" overwritten with nulls.
    At the time of analysis, detection of this malware by other vendors wasn't very good... according to VirusTotal, detection has improved*. If your computer wasn't updated with Microsoft's MS09-067** security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC."
    * https://www.virustotal.com/file-scan...241-1319198077
    File name: e6d3bf9d5ba93ec6444612f819029e52942100f7.bin
    Submission date: 2011-10-21 11:54:37 (UTC)
    Result: 17/43 (39.5%)

    Microsoft Office Excel ...
    ** http://www.microsoft.com/technet/sec.../MS09-067.mspx

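The two indicators the Sophos post lists (a directory entry named "workbook" instead of "Workbook", and the "HP L" prefix of the Unicode "HP LaserJet" string at offset 0x638 overwritten with nulls) can be checked against the raw bytes of an OLE2 compound file. Added example, not Sophos' Fast Fingerprinting code: a minimal OLE2 directory reader plus the two checks, run over a constructed image. Assumption: only the first directory sector is read; a production scanner follows the FAT chain to reach the rest of the directory.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# UTF-16LE remains of "HP LaserJet" once the first four characters are nulled
NULLED_MARKER = b"\x00" * 8 + "aserJet".encode("utf-16-le")

def directory_names(data):
    """Names of the entries in the first directory sector of an OLE2 file.
    Simplification (assumption): only that one sector is read; a real
    scanner walks the FAT chain for the remaining directory sectors."""
    if data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # sector shift
    first_dir = struct.unpack_from("<I", data, 0x30)[0]          # first dir sector
    base = (first_dir + 1) * sector_size      # sector 0 starts right after header
    names = []
    for i in range(sector_size // 128):       # directory entries are 128 bytes
        entry = data[base + i * 128: base + (i + 1) * 128]
        if len(entry) < 128:
            break
        name_len, obj_type = struct.unpack_from("<HB", entry, 64)
        if obj_type == 0 or name_len < 2:     # unused entry
            continue
        names.append(entry[:name_len - 2].decode("utf-16-le"))  # drop NUL terminator
    return names

def fingerprint(data):
    """Return the anomalies described in the post, if present."""
    findings = []
    for name in directory_names(data):
        if name.lower() == "workbook" and name != "Workbook":
            findings.append("stream name case anomaly: %r" % name)
    if data[0x638:0x638 + len(NULLED_MARKER)] == NULLED_MARKER:
        findings.append("printer string at 0x638 has 'HP L' overwritten with NULs")
    return findings

def build_sample(stream_name, marker):
    """Constructed minimal OLE2 image: 512-byte header, one directory entry in
    sector 0, `marker` at offset 0x638. Not a real workbook; enough for the checks."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)       # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)       # directory starts in sector 0
    entry = bytearray(128)
    encoded = stream_name.encode("utf-16-le") + b"\x00\x00"
    entry[:len(encoded)] = encoded
    struct.pack_into("<HB", entry, 64, len(encoded), 2)   # type 2 = stream
    image = bytearray(header + entry + bytes(512 - 128))  # header + sector 0
    image += bytes(1536)                                  # sectors 1-3
    image[0x638:0x638 + len(marker)] = marker
    return bytes(image)
```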

  5. #505
    Adviser Team AplusWebMaster

    Facebook spam evolves...

    FYI...

    Facebook spams evolved
    - http://techblog.avira.com/2011/10/25...ms-evolved/en/
    October 25, 2011 - "... links usually redirect in two steps to a Canadian Pharmacy website where various (fake) meds are offered at unbelievable prices. We have noticed a new type of mail which at first glance seems to be from the mentioned category. This time, there is a text:
    “Please call +7 951 xyzq”.
    According to its prefix, the number is from Russia... if we consider that the number starts with “9" then I think I can assume that it is a very expensive number... Can it be that the Canadian Pharmacy spam doesn’t bring enough money to the spammers anymore and they are searching for new methods of getting some easy money? Fortunately for us, the spam is malformed and it is quite easy to detect it as spam. But this opens a new chapter in Facebook related spam – now those who are not aware of such scams can lose some serious money. Facebook will never ask you to call any number. They will also never send you such a notification and definitely your Facebook Inbox will never get full. We strongly advise all users to never call any number present in such emails."


  6. #506
    Adviser Team AplusWebMaster

    URL shorteners actively circumvent spam filters

    FYI...

    URL shorteners actively circumvent spam filters

    Bulk Registrars, URL Shorteners, Dynamic DNS Providers
    - http://www.malwaredomains.com/wordpress/?p=2147
    October 27th, 2011 - "We’ve been maintaining lists of Bulk Registrars, Dynamic DNS Providers, and URL Shorteners...
    http://www.malwaredomains.com/wordpress/?p=1991
    We just added a new list of “unverified” URL Shorteners here: http://mirror1.malwaredomains.com/fi...unverified.txt
    We’ll be going through the URLs and adding them to the main list once they have been verified. If anyone wishes to help in this effort, please let us know."

    - http://www.digitaltrends.com/web/spa...to-hide-links/
    October 25, 2011 - "According to new information from researchers at Symantec, a group of spammers have created a group of 87 spam-friendly, public URL shortening services and are actively using them to circumvent spam filters on popular sites. Using URL shortening scripts that are free and open source, the spammers are churning spam through the service..."


  7. #507
    Adviser Team AplusWebMaster

    “ce.ms” free domains... host malicious code

    FYI...

    “ce.ms” free domains... host malicious code
    * http://research.zscaler.com/2011/10/...g-used-to.html
    October 27, 2011 - "...it appears that attackers are leveraging free “.ce.ms” domains. Likewise, we have identified a number of .ce.ms domains exploiting various known client side vulnerabilities. Here are a few of the URLs being used:
    hxxp ://27glshegbslijels .ce.ms/main.php?page=66c6ce3c7bc4b20c
    hxxp ://hhhjjjjj111111 .ce.ms/main.php?page=423b262d0a1a9f70
    hxxp ://00000000000000 .ce.ms/main.php?page=423b262d0a1a9f70
    hxxp ://24sjegohmjosee .ce.ms/main.php?page=66c6ce3c7bc4b20c
    hxxp ://44444444444444444 .ce.ms/main.php?page=423b262d0a1a9f70
    The aforementioned domains suggest that random domain names are being registered to host these attacks. Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such a way as to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of the HTML file becomes huge and the total code spans 29K lines... Attackers keep registering different random domains to spread their attacks, often targeting free registration services. Due to the obfuscation used by the attackers, security solutions relying on regular expressions designed to match known patterns can often be evaded due to the code being spread over numerous lines..."

    - http://sunbeltblog.blogspot.com/2011...-now-cems.html
    October 30, 2011 - "... Late last week, our friends at Zscaler* discovered that cybercriminals have now moved to hosting their wares on "ce.ms" domains (.ms being the top-level domain for Montserrat, an island in the West Indies). A simple Google search led me to several forums and personal blog posts as early as June of this year complaining about getting fake AVs from such sites, with the Zscaler discovery looking much more complex..."

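The evasion the Zscaler post describes (numeric arrays spread one element per line so a line-oriented regex never sees the whole pattern) is defeated by normalizing whitespace before matching, and the same normalized form lets an analyst decode what the array spells out. Added example, not code from Zscaler or from the malicious pages: a constructed sample in that style, a signature that misses it line by line but matches after normalization, and a decoder. The decoded text is a harmless placeholder pointing at the reserved example.invalid host.

```python
import re

# Constructed sample in the style the post describes: every element of the
# numeric array sits on its own line. The decoded text is a placeholder.
HIDDEN = '<iframe src="http://example.invalid/main.php" width=1 height=1>'
SPREAD_JS = ("var z=[\n" + ",\n".join(str(ord(c)) for c in HIDDEN) + "\n];\n"
             "document.write(String.fromCharCode.apply(null,z));\n")

# A line-oriented signature: a variable assigned a long numeric array.
# It is correct on compact code and evaded by the spread-out form.
ARRAY_SIG = re.compile(r"var \w+=\[(?:\d+,){16,}\d+\];")

def naive_match(js):
    """Apply the signature line by line, as many regex-based rules do."""
    return any(ARRAY_SIG.search(line) for line in js.splitlines())

def normalize_js(js):
    """Drop whitespace and newlines next to brackets, commas and semicolons.
    This undoes the line-spreading for matching purposes (it may also alter
    whitespace inside string literals, which does not matter here)."""
    return re.sub(r"\s*([\[\],;])\s*", r"\1", js)

def normalized_match(js):
    """Same signature, applied after normalization."""
    return ARRAY_SIG.search(normalize_js(js)) is not None

NUM_ARRAY = re.compile(r"var (\w+)=\[((?:\d+,)+\d+)\];")

def decode_charcode_arrays(js):
    """Map each numeric array name to the text it spells out, i.e. what
    String.fromCharCode would have produced at run time."""
    decoded = {}
    for name, body in NUM_ARRAY.findall(normalize_js(js)):
        decoded[name] = "".join(chr(int(n)) for n in body.split(","))
    return decoded
```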

  8. #508
    Adviser Team AplusWebMaster

    The Market for stolen credit cards data...

    FYI...

    The Market for stolen credit cards data...
    - http://ddanchev.blogspot.com/2011/10...dit-cards.html
    October 31, 2011 - "What's the average price for a stolen credit card? How are prices shaped within the cybercrime ecosystem? Can we talk about price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards, known as dumps or full dumps, nowadays?... the market for stolen credit cards data... 20 currently active and responding gateways for processing of fraudulently obtained financial data.
    Key summary points:
    • Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale in a DIY market fashion
    • The majority of the carding sites are hosted in the Ukraine and the Netherlands...
    • Four domains are using Yahoo accounts and one using a Live.com account for domain registration...
    • Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals to hide their real IPs by using the malware infected hosts as stepping stones.
    The dynamics of the cybercrime ecosystem share the same similarities with that of a legitimate marketplace. From sellers and buyers, to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing. With massive dumps of credit card details in the hands of cybercriminals, obtained through ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details..."
    (More detail at the ddanchev URL above.)

    More here:
    - https://krebsonsecurity.com/2011/10/...nto-hot-stuff/
    October 31st, 2011
    ___

    - http://www.businessinsider.com/bewar...-score-2011-11
    Nov. 1, 2011

    Last edited by AplusWebMaster; 2011-11-01 at 22:33.

  9. #509
    Adviser Team AplusWebMaster

    New cyber attack targets chemical firms: Symantec

    FYI...

    New cyber attack targets chemical firms: Symantec
    - http://www.reuters.com/article/2011/...79U4K920111031
    Oct 31, 2011 - "At least 48 chemical and defense companies were victims of a coordinated cyber attack that has been traced to a man in China, according to a new report from security firm Symantec... Computers belonging to these companies were infected with malicious software known as "PoisonIvy", which was used to steal information such as design documents, formulas and details on manufacturing processes... The cyber campaign ran from late July through mid-September..."

    "Nitro" attacks
    - http://www.symantec.com/content/en/u...ro_attacks.pdf

    > http://www.h-online.com/security/new...ew=zoom;zoom=1

    Last edited by AplusWebMaster; 2011-11-01 at 20:02.

  10. #510
    Adviser Team AplusWebMaster

    Duqu: status - 0-Day Exploit

    FYI...

    Duqu: status - 0-Day Exploit
    - http://www.symantec.com/connect/w32-...ro-day-exploit
    Nov. 1, 2011 - "... an installer has recently been recovered due to the great work done by the team at CrySyS. The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries...
    Key updates...
    • An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
    • Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
    • Six possible organizations in eight countries have confirmed infections
    • A new C&C server (77.241.93.160) hosted in Belgium was discovered and has been shut down..."
    (More detail at the symantec URL above.)

    Graphic:
    - http://www.symantec.com/connect/site.../duqu_flow.png

