Page 62 of 70 FirstFirst ... 1252585960616263646566 ... LastLast
Results 611 to 620 of 694

Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #611
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down SPAM Scams spoof Social Networking sites - peddle Malicious sites...

    FYI...

    SPAM Scams spoof Social Networking sites - peddle Malicious sites
    - http://blog.trendmicro.com/email-sca...licious-sites/
    Appr 25, 2012 - "... email messages disguised as notifications from popular networking sites, in particular LinkedIn, foursquare, MySpace, and Pinterest. These spam contain links that direct users to -bogus- pharmaceutical or -fraud- sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these sites are effective in luring users to the scheme as this gives credence to an otherwise obvious scam... We uncovered spammed messages masked as notifications from Foursquare, a popular location-based social networking site... The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification... Both messages use the address noreply @foursquare .com in the ‘From’ field and bear a legitimate-looking MessageID. Similar to previous spam campaign using popular social networking sites, attackers here also disguised the -malicious- URLs... also spotted sample messages that are purportedly from LinkedIn and Myspace... we have identified that the senders’ info were forged. We also did not find any pertinent details that could identify these messages as legitimate LinkedIn and MySpace email notifications. These mails also used cloaked URLs that redirect to the fake site 'Wiki Pharmacy'... we found fake Pinterest email notifications that contain a URL, a purported online article on weight-loss. Users who click this link are instead lead to sites that were previously found to engage in fraud activities... Users are advised to always be cautious of dubious-looking messages and avoid clicking links or downloading the attachment included in these."

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #612
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down Blackhole obfuscated JavaScript...

    FYI...

    Blackhole obfuscated JavaScript
    - https://isc.sans.edu/diary.html?storyid=13051
    Last Updated: 2012-04-25 11:44:21 UTC - "... Most of the current obfuscation methods make heavy use of objects and functions that are only present in the web browser or Adobe reader. Since it is unlikely that a JavaScript analysis engine on, for example, a web proxy anti-virus solution can duplicate the entire object model of Internet Explorer, the bad guys are hoping that automated analysis will fail, and their JavaScript -will- make it past the virus defenses to the user's browser, where it will run just fine. Often, this actually works. The current wave of Blackhole (Blacole) exploit kits are a good example - it took Anti-Virus a looong time to catch on to these infected web sites. Even today, the raw malicious JavaScript block full of exploit attempts comes back with only 14/41 on Virustotal*..."
    * https://www.virustotal.com/file/e1ab...is/1335349187/
    File name: b.js
    Detection ratio: 14/41
    Analysis date: 2012-04-25 10:19:47 UTC

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #613
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down Yahoo phishing via compromised WordPress sites

    FYI...

    Yahoo phishing via compromised WordPress sites
    - http://blog.commtouch.com/cafe/email...ress-websites/
    April 25, 2012 - "Yahoo users have been targeted in a phishing attack that starts with an “avoid account deactivation” email. Mousing over the link shows the non-Yahoo link – an easy way to know that something is amiss*...
    * http://blog.commtouch.com/cafe/wp-co...hing-email.jpg
    ... The phishing pages are very authentic looking. Once users have entered their login details (which are collected by the phisher), they are redirected to Yahoo Mail. A large number of compromised sites have been used to hide the phishing pages – all the samples collected by Commtouch Labs were based on WordPress**. In such cases the phishers seek out a particular plugin with a known vulnerability that can be repeatedly exploited on many sites..."
    ** https://wordpress.org/download/
    April 20, 2012 - WordPress v3.3.2 released

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #614
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down Brazilian banking malware...

    FYI...

    Brazilian banking malware ...
    - http://blog.spiderlabs.com/2012/04/b...-slacker-.html
    26 April 2012 - "... part of a Brazilian phishing attack... VirusTotal reports... the sample as being detected by 5/42*... the malware is a straightforward PE executable that is made to look like a word document. In addition to being named boleto.doc.exe, the file also comes with a Microsoft Word icon
    > http://npercoco.typepad.com/.a/6a013...6348970b-800wi
    ... This was actually one of the few instances where Google Translate failed... knowing the file size (1.5 MB) alone told me it was going to be packed with "goodies"... the malware is ensuring persistence by setting itself in the 'Run' registry key. This will cause the malware the run every time that user logs into their machine... look forward to the (hopefully) increased detection by antivirus in the coming days."
    * https://www.virustotal.com/file/1884...c5be/analysis/
    File name: 188477e8f2a9523b0a001040982942ff9c5ba13c88b823d3b6a0b9f1d8b0c5be
    Detection ratio: 5/42
    Analysis date: 2012-04-26 15:31:50 UTC

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #615
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down BlackHole SPAM runs underway...

    FYI...

    BlackHole SPAM runs underway
    - http://blog.trendmicro.com/persisten...runs-underway/
    Apr 30, 2012 - "... high-volume spam runs that sent users to websites compromised with the BlackHole exploit kit... spam runs that were part of this investigation used the name of Facebook, and US Airways. Other spam runs involved LinkedIn, as well as USPS. The most recent campaign we’ve seen that was part of this wave of attacks used the name of CareerBuilder:
    > http://blog.trendmicro.com/wp-conten...ckhatspam1.jpg
    > http://blog.trendmicro.com/wp-conten...khatspam2a.jpg
    ... conclusions about these each of these attacks are broadly similar:
    • Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails were practically indistinguishable from legitimate messages.
    • Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
    • Users were eventually directed to sites containing the Black Hole exploit kit.
    ... more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages... The goal of these attacks is to install ZeuS variants onto user systems..."

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #616
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Exclamation Service automates boobytrapping of Hacked Sites

    FYI...

    Service automates boobytrapping of Hacked Sites
    - https://krebsonsecurity.com/2012/05/...-hacked-sites/
    May 1, 2012 - "Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware... one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites... another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits... A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials... Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site... the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password...)."

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #617
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down Ransomware - Fake G-Men attack Hijacks computers...

    FYI...

    Ransomware - Fake G-Men attack Hijacks computers ...
    - https://www.trusteer.com/blog/fake-g...mputers-ransom
    May 01, 2012 - "... new use of the Citadel malware platform (a descendent of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and highjacks victims’ computers. This ransomware, named Reveton, freezes the compromised machine’s operating system and demands a $100 payment to unlock it. Reveton was observed a few weeks ago being used as a standalone attack, but has now been coupled with the Citadel platform... Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution. The attack begins with the victim being lured to a drive-by download website. Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server. Once installed on the victim’s computer, the ransomware locks-up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen* claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content.
    * https://www.trusteer.com/sites/defau...men%20blog.png
    In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard... Independent of the Reveton ransomware secondary payload, Citadel continues to operate on the compromised machine on its own. Therefore it can be used by fraudsters to commit online banking and credit card fraud by enabling the platform’s man-in-the-browser, key-logging and other malicious techniques. It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack. Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information... cyber-crime and cyber-security protection begins with the endpoint now more than ever."

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #618
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Unhappy Multi-Layer malware attack uses same exploit as Flashback - Atlas

    FYI...

    Multi-Layer malware attack uses same exploit as Flashback
    - http://atlas.arbor.net/briefs/index#1402527155
    Severity: Elevated Severity
    Published: Monday, April 30, 2012 16:24
    Yet another malware is using the recent Java flaw to exploit both OSX and Windows systems.
    Analysis: The malware determines which OS is being attacked and then delivers the proper payload... case in point that there are many copycat attacks that take place when a serious flaw emerges and organizations must anticipate multiple threats rather than the threats that get the most media attention.
    Source: http://nakedsecurity.sophos.com/2012...n-malware-mac/
    > Python-based malware attack targets Macs - Windows PCs also under fire
    April 27, 2012 - "... there may still be some users whose computers are not patched against the Java vulnerability - and are at risk of attack. The malicious Java code downloads further code onto the victim's computer - depending on what operating system they are using... The downloaded programs will then install further malicious code... This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user's knowledge... The backdoor Python script allows remote hackers to steal information... We have a free Mac anti-virus for home users*, if you think it's time to take your computer's security more seriously..."
    * http://www.sophos.com/freemacav
    > https://www.avira.com/en/avira-free-mac-security

    OSX.Flashback.K – motivation behind the malware - $$$
    - http://www.symantec.com/connect/blog...behind-malware
    Apr 30, 2012

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #619
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Thumbs down Bogus invoices set virus trap...

    FYI...

    Bogus invoices set virus trap
    - http://h-online.com/-1567059
    3 May 2012 - "Criminals are currently sending out a large number of bogus order confirmations that are designed to make recipients open the attached malware. The attackers appear to be using stolen online store customer data to address email recipients by their real names. The criminals pretend that the email recipient has placed an order worth several hundred euros at an online store. To make things difficult for spam filters, they vary the store names... Users who receive an order confirmation or invoice that they can't associate with a purchase should -not- open these file attachments under any circumstances. Unfortunately, virus scanners don't offer reliable protection in this case... it isn't just invoices in ZIP or EXE format that should make users suspicious: attackers have also been circulating bogus Deutsche Telekom and Vodafone invoices as PDF attachments that try to infect computers via an old security hole in Adobe Reader. This attack scenario is also possible using Office documents."
    * https://www.virustotal.com/file/6e9c...e294/analysis/
    File name: Rechnungsdaten.zip
    Detection ratio: 9/42
    Analysis date: 2012-05-03 10:55:17 UTC

    Last edited by AplusWebMaster; 2012-05-03 at 16:44.
    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #620
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    5,168

    Lightbulb Mapping cybercrime by country

    FYI...

    Mapping cybercrime by country
    - http://hostexploit.com/blog/14-repor...y-country.html
    3 May 2012 - "All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem. How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian Group-IB1 and CSIS2 in Denmark. The Global Security Map* displays global hot spots for cybercriminal activities based on geographic location... The Global Security Map* is the outcome of extensive research on Autonomous Systems (ASNs) – servers, ISPs, and networks routed publically via their respective IP (Internet Protocol) addresses. It has been the long-held vision of HostExploit, heading a group of respected independent community researchers, to be able to provide a tool to aid hosts, registrars, Internet Service Providers (ISPs), researchers, law enforcement, academics and other parties, interested in tracking Internet security-related issues worldwide. HostExploit established a method of rating levels of malicious activity on all ASes worldwide (currently 40,909), known as the HE Index, which is used to compile data for its widely respected quarterly reports. The statistics used for the ‘Top 50 Bad Hosts & Networks’ reports and tables are applied now to countries as a whole (based on registration information and routing locations) to create a ranking order by level of malicious activity (1,000 = highest). At the time of the report, Lithuania ranks at #1 with the highest levels of malicious activities in the world while Finland at #219 has the cleanest servers and networks. With this information in place, the next step is to consider realistic mitigation methods or plans that can help reduce levels of malicious activity..."
    (More info at the hostexploit URL above.)

    * http://globalsecuritymap.com/

    > English report (PDF) here: http://hostexploit.com/downloads/vie...pril-2012.html

    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •