
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #581
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    US SEC SPAM leads to exploit and stealer

    FYI...

    US SEC SPAM leads to exploit and stealer
    - http://www.gfi.com/blog/us-securitie...t-and-stealer/
    March 2, 2012 - "... received an email** in his GMail inbox that purports to originate from the U.S. Securities and Exchange Commission (SEC)... Clicking the link leads users to ftp(dot)psimpresores(dot)com(dot)ar/QH1r1tTd/index(dot)html, which then -redirects- them to trucktumble(dot)com/search(dot)php?page=d44175c6da768b70... This page contains a Blackhole exploit kit that targets the following vulnerabilities:
    CVE-2010-0188, an old Adobe Reader and Acrobat vulnerability (patch already available)
    CVE-2010-1885, an old Microsoft Windows Help and Support vulnerability (patch already available)
    Based on the deobfuscated script, this exploit can also target other vulnerabilities on Java, Adobe Flash, and Windows Media Player. Once vulnerabilities of these software were successfully exploited, users are then led to the website, trucktumble(dot)com/content/ap2(dot)php?f=e0c3a, where the file about.exe can be downloaded... about.exe was found to be a variant of ZBOT, that infamous information stealer, and we detect it as Win32.Malware!Drop. Only 12 AV vendors* detect the variant as of this writing..."
    * https://www.virustotal.com/file/bc43...7c4a/analysis/
    File name: about.vxe
    Detection ratio: 12/43
    Analysis date: 2012-03-02 05:19:43 UTC

    ** http://www.gfi.com/blog/wp-content/u...03/email01.png

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #582

    Flashback Mac -malware- using Twitter as C&C center

    FYI...

    Flashback Mac -malware- using Twitter as C&C center
    - http://blog.intego.com/flashback-mac...ontrol-center/
    Mar 5, 2012 - "... Flashback... uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags aren’t as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego’s malware research team cracked the 128-bit RC4 encryption used for Flashback’s code and discovered the keys to this system. The hashtags are made up of twelve characters. There are four characters for the day, four characters for the month, and four characters for the year... In addition, in order to ensure that people checking logs don’t spot the malware, it uses a number of different user agents... It’s worth noting that the people behind the Flashback malware most likely do not send commands every day, and certainly delete their tweets, as Intego has found no past tweets in its searches. However, the malware clearly sends these HTTP requests, looking for such tweets..."


  3. #583

    Ransomware attacks...

    FYI...

    Ransomware attacks...
    - http://blog.trendmicro.com/ransomwar...across-europe/
    Mar 8, 2012 - "Ransomware attacks are growing in popularity these days. French users were a recent target of an attack that impersonated the Gendarmerie nationale. A few months ago, Japanese users were also hit by ransomware in a one-click billing fraud scheme targeted for Android smartphones... the more recent ransomware variants appear to be targeting other European countries. They are disguised as notifications from country-specific law enforcement agencies such as eCops of Belgium and Bundespolizei of Germany... a majority of the top eight countries infected with ransomware are from Europe:
    - http://blog.trendmicro.com/wp-conten..._countries.jpg
    ... While ransomware is also being distributed through affiliate networks like FAKEAVs, these attacks operate using payments outside of traditional credit card payments, specifically via Ukash and Paysafecard vouchers. Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business... based on feedback taken from the past 30 days."

    - https://www.f-secure.com/weblog/archives/00002325.html
    March 9, 2012 - "... reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police..."

    Police Themed Ransomware continues
    - https://www.f-secure.com/weblog/archives/00002344.html
    April 4, 2012 - "Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer... easiest way to manually disable it is as follows:
    1 – Press Ctrl-O (that's the letter O, not the number zero).
    2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
    3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
    4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but let's not get started on that…).
    > https://www.f-secure.com/weblog/arch...re_startup.png
    5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.
    6 – Reboot the computer.
    After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.
    The steps may vary slightly depending on the variant... Microsoft provides information in their description*.
    * http://www.microsoft.com/security/po...#recovery_link
    Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions."
    ** http://www.f-secure.com/v-descs/troj..._reveton.shtml

    Last edited by AplusWebMaster; 2012-04-07 at 13:56.

  4. #584

    Bogus prescription drug trade...

    FYI...

    Bogus prescription drug trade...
    - https://krebsonsecurity.com/2012/03/...wo-registrars/
    Mar 12, 2012 - "Half of all “rogue” online pharmacies - sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars... but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript*, a verification and monitoring service for online pharmacies... Anti-spam and registrar watchdog Knujon (“nojunk” spelled backwards) also released a report (PDF**) on rogue Internet pharmacies today, calling attention to Internet.bs, AB Systems and a host of other registrars with large volumes of pharma sites..."
    * http://legitscriptblog.com/2012/03/r...on-drug-trade/

    ** http://krebsonsecurity.com/wp-conten...2012_DRAFT.pdf

    > https://krebsonsecurity.com/wp-conte...registrars.png


  5. #585

    Mobile phones - weak link in Online Bank Fraud scheme

    FYI...

    Mobile phones - weak link in Online Bank Fraud scheme
    - https://www.trusteer.com/blog/sim-pl...g-fraud-scheme
    March 13, 2012 - "... two online banking fraud schemes designed to defeat one time password (OTP) authorization systems used by many banks... in these -new- scams the criminals are stealing the actual mobile device SIM (subscriber identity module) card...
    > In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they login to their online banking application. The bank is using an OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device...
    > The second attack combines online and physical fraud to achieve the same goal. We discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc. Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen. The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets. The SIM card reported as lost or stolen is -deactivated- by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster to authorize the fraudulent transactions he/she executes...
    Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them. The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves."

    - https://en.wikipedia.org/wiki/Man_in_the_Browser


  6. #586

    Unsolicited support calls - iYogi ...

    FYI...

    Unsolicited support calls - iYogi ...
    - https://krebsonsecurity.com/2012/03/...iyogi-support/
    March 14, 2012 - "The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast's customer support. A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support... Unfortunately, Avast is not the only security and antivirus firm that has outsourced its support to this company. iYogi also is the support service for AVG, probably Avast’s closest competitor."

    - https://blog.avast.com/2012/03/12/yo...ited-call-you/
    Mar 12, 2012 - "... we -never- phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either..."

    - https://encrypted.google.com/
    Unsolicited support calls
    ... About 7,230,000 results...
    ___

    Avast Antivirus drops iYogi support
    - https://krebsonsecurity.com/2012/03/...iyogi-support/
    March 15, 2012

    - https://blog.avast.com/2012/03/15/iy...rvice-removed/
    March 15, 2012 - "... we have removed the iYogi support service from our website and shortly it will be removed from our products... users can receive support via the other support options provided on our website. We will also work to ensure that any users that feel they have been misled into purchasing a premium support receive a full refund..."

    Last edited by AplusWebMaster; 2012-03-16 at 01:25.

  7. #587

    Brute force attacks - WordPress sites

    FYI...

    Brute force attacks - WordPress sites...
    - http://blog.sucuri.net/2012/03/brute...ess-sites.html
    Mar 15, 2012 - "... Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and -never- changes it... There is a technique known as brute-force attack... access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..)... the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware... in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:
    146.0.74.234 – 32 attempts
    212.67.25.66 – 47 attempts
    176.31.253.139 – 211 attempts
    91.226.165.164 – 39 attempts
    95.79.221.169 – 105 attempts
    91.217.178.235 – 40 attempts
    And many more IP addresses. We will be adding all of them to our IP blacklist* and Global Malware view**..."
    * http://sucuri.net/sucuri-blacklist

    ** http://sucuri.net/global
    ___

    WordPress Page is Loading... an Exploit
    - https://www.f-secure.com/weblog/archives/00002328.html
    March 15, 2012 - "... Spam appears to be the driver of these campaigns. Various websites have already been identified to be redirecting to Blackhole exploit kit... Currently, these sites redirect to the following domains that host Blackhole exploit kit:
    • georgekinsman.net
    • icemed.net
    • mynourigen.net
    • synergyledlighting.net
    • themeparkoupons.net ..."

    Last edited by AplusWebMaster; 2012-03-16 at 16:17.
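    As an added defender-side example (not code from the Sucuri post or from this forum), the pattern the post describes, many POSTs to wp-login.php from one IP in a short burst, can be flagged straight from a web server's combined-format access log. The IP addresses, the 20-attempt threshold and the 10-minute window are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx; timestamp in the standard CLF form.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One combined-format access log line -> (ip, timestamp, method, path) or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]          # drop any query string
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method"), path


def login_posts_per_ip(lines):
    """Timestamps of every POST to wp-login.php, grouped by client IP.
    Only POSTs count as guesses; a GET merely displays the login form."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            per_ip[rec[0]].append(rec[1])
    return per_ip


def max_in_window(timestamps, window):
    """Largest number of events inside any interval of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_bruteforce(lines, threshold=20, window=timedelta(minutes=10)):
    """{ip: peak guesses} for IPs that POSTed to wp-login.php at least `threshold`
    times within `window`. The threshold is an assumption: Sucuri saw 30 to 300
    guesses per IP per burst, so 20 catches even the low end."""
    per_ip = login_posts_per_ip(lines)
    peaks = {ip: max_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def sample_log():
    """Constructed log lines (RFC 5737 documentation addresses, not real attackers)."""
    base = datetime(2012, 3, 15, 10, 0, tzinfo=timezone.utc)
    def line(ip, method, path, status, offset_s):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    log = [line("203.0.113.7", "GET", "/wp-login.php", 200, 0)]
    # one bot: 32 guesses inside a minute, then a spam comment (as Sucuri described)
    log += [line("203.0.113.7", "POST", "/wp-login.php", 200, 1 + i) for i in range(32)]
    log.append(line("203.0.113.7", "POST", "/wp-comments-post.php", 302, 40))
    # a real admin: one typo (200, form re-shown), then a successful login (302)
    log.append(line("198.51.100.2", "POST", "/wp-login.php", 200, 300))
    log.append(line("198.51.100.2", "POST", "/wp-login.php", 302, 330))
    return log
```

    Running `flag_bruteforce(sample_log())` flags only the bot address; on a live server, feed it the real access log and pair the result with a rate limit or IP block on wp-login.php.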

  8. #588

    Mobile malware - ATLAS briefs...

    FYI...

    iPhone malware - CrossTalk ...
    - http://atlas.arbor.net/briefs/index#1608668149
    Tue, 13 Mar 2012 18:54:02 +0000
    Those tasked with the defense of smartphones could benefit from this detailed document.
    Source: http://secniche.blogspot.com/2012/03...-paradigm.html

    Attempts to Spread Mobile Malware in Tweets ...
    - http://atlas.arbor.net/briefs/index#-815968668
    Tue, 13 Mar 2012 18:54:02 +0000
    Yet more attempts to spread mobile malware are being seen, this time Twitter is the spreading platform of choice.
    Source: http://www.symantec.com/connect/blog...malware-tweets

    Android Malware Stealing Online Banking Credentials
    - http://atlas.arbor.net/briefs/index#-1589555277
    Friday, March 16, 2012 01:36
    ... Android malware continues with multi-factor financial credential theft and remote update capabilities.
    Analysis: As mobile devices proliferate, cybercrime goes where the money is. While the style of this attack is not new, extra capabilities are being seen and it is likely just a matter of time before very sophisticated malware targeted towards mobile devices becomes a larger problem. Additionally, malware awareness and safe browsing on handhelds may not be as common as on desktop or notebook systems in enterprises with security policies. If mobile devices are not yet part of the organizational security policy, such threats may quicken this change.
    Source: https://threatpost.com/en_us/blogs/a...entials-031512

    Last edited by AplusWebMaster; 2012-03-18 at 03:18.

  9. #589

    Fake Linkedin e-mails lead To Cridex

    FYI...

    Fake Linkedin e-mails lead To Cridex
    - http://www.gfi.com/blog/fake-linkedi...ead-to-cridex/
    March 16, 2012 - "... there are fake Linkedin invitation reminders in circulation sending users to a BlackHole exploit which attempts to drop Cridex* onto the PC. Cridex is a rather nasty piece of work that does everything from target banks and social networking accounts to a little bit of CAPTCHA cracking... This particular run shares the IP address 41(dot)64(dot)21(dot)71 with various BBB and Intuit spam runs from recent weeks. If in doubt, go directly to Linkedin and check your invites from there."
    * http://community.websense.com/blogs/...ity-issue.aspx

    > http://www.gfi.com/blog/wp-content/u...In_exploit.png

    - http://labs.m86security.com/2012/03/...ons-in-one-go/
    March 1, 2012

    Last edited by AplusWebMaster; 2012-03-19 at 13:06.

  10. #590

    2012 Data Breach Investigations Report - Verizon

    FYI...

    2012 Data Breach Investigations Report - Verizon
    - http://www.wired.com/threatlevel/201...ybercriminals/
    March 22, 2012 - "... The report combines data from 855 incidents that involved more than 174 million compromised records, an explosion of data loss compared to last year’s 4 million records stolen. The increase is due largely to the massive breaches perpetrated by activists... Most breaches Verizon tracked were opportunistic intrusions rather than targeted ones, occurring simply because the victim had an easily exploitable weakness rather than because they were specifically chosen by the attacker. And, as with previous years, most breaches — 96 percent — were not difficult to accomplish, suggesting they would have been avoidable if companies had implemented basic security measures. Verizon noticed a difference between how large and small organizations are breached. Smaller organizations tend to be breached through active hacking, involving vulnerabilities in websites and other systems and brute force attacks. Larger companies are more often breached through social engineering and phishing attacks — sending e-mail to employees to trick them into clicking on malicious attachments and links so that the intruders can install malware that steals employee credentials. Verizon surmises that this is because larger organizations tend to have better perimeter protections, forcing intruders to use human vulnerabilities to breach these networks instead."
    Charted: http://www.wired.com/images_blogs/th...eport-2012.jpg

    PDF: http://www.wired.com/images_blogs/th...eport-2012.pdf

