Page 65 of 70 (results 641 to 650 of 694)

Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #641 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    CareerBuilder fake SPAM serves exploits and malware

    FYI...

    CareerBuilder fake SPAM serves exploits and malware
    - http://blog.webroot.com/2012/05/30/s...s-and-malware/
    May 30, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on client-side exploits serving links... they’re spamvertising a binary that’s largely detected by the security community...
    Spamvertised URL: hxxp ://karigar .in/car.html
    Client-side exploits served: CVE-2010-0188 and CVE-2010-1885
    Malicious client-side exploitation chain: hxxp ://karigar .in/car.html -> hxxp ://masterisland .net/main.php?page=975982764ed58ec3 -> hxxp ://masterisland .net/data/ap2.php -sometimes- hxxp ://strazdini.net/main.php?page=c6c26a0d2a755294 is also included in the redirection.
    Upon successful exploitation drops the following MD5: 518648694d3cb7000db916d930adeaaf
    Upon execution it phones back to the following URLs/domains:
    zorberzorberzu .ru/mev/in/ (146.185.218.122)
    prakticalcex .ru – 91.201.4.142
    nalezivmordu .in
    internetsexcuritee4dummies .ru
    Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable, crypt it and spamvertise it once again this time successfully slipping it through signatures-based antivirus scanning solutions..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #642 - AplusWebMaster

    Pharma SPAM on Dropbox

    FYI...

    Pharma SPAM on Dropbox
    - http://www.gfi.com/blog/pharmacy-spam-lurks-on-dropbox/
    May 31, 2012 - "Pharma Spam pages sometimes pop up on Dropbox accounts (along with more dubious content*, if you’re really unlucky), and it seems we have another one lining up to sell you some pills.
    > http://www.gfi.com/blog/wp-content/u...pillspam11.jpg
    Clicking through will take the end-user to a typically generic pills website:
    > http://www.gfi.com/blog/wp-content/u...xpillspam2.jpg
    ... the best advice would be “don’t bother” (especially if it involves random spam in your mailbox)..."
    * http://www.gfi.com/blog/dont-cash-this-cheque/


  3. #643 - AplusWebMaster

    Small 20K trojan does damage

    FYI...

    Small 20K trojan does damage
    - http://h-online.com/-1588948
    1 June 2012 - "Security experts at CSIS* say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files. Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Tinba is a bot in the classical sense; it uses an encoded connection to deliver data it has collected to a command and control server, which in turn gives the bot new orders. According to CSIS, Tinba has only been used on a very small number of banking web sites so far, but its modular structure means that the perpetrators should not have any problems adding other sites to that list."
    * https://www.csis.dk/en/csis/news/3566/


  4. #644 - AplusWebMaster

    Fake Facebook SPAM e-mails ...

    FYI...

    Fake Facebook SPAM e-mails...
    - http://blog.commtouch.com/cafe/anti-...-wikipharmacy/
    June 4, 2012 - "Using phony Facebook emails to draw recipients to pharmacy websites is not a new trick... this is no ordinary Viagra shop – it’s the WikiPharmacy! The phony Facebook emails and the pharmacy destination are shown below...
    > http://blog.commtouch.com/cafe/wp-co...acy-images.jpg
    ... the links in the emails above lead to compromised websites. These unknowingly host -redirects- to the WikiPharmacy...
    Email text:
    'You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 3 ago. This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
    If you have any other questions, please visit our Help Center.
    Thanks,
    The Facebook Team
    ...' "
    ___

    Facebook privacy notice chain letter - hoax
    - http://nakedsecurity.sophos.com/2012...ter-is-a-hoax/
    June 5, 2012 - "... messages are simply another chain letter type hoax pinned upon wishful thinking. If you are uncomfortable with Facebook monetizing your content or making your content available to the US government you either need to avoid posting the content to Facebook, or more carefully control your privacy settings and hope the authorities don't seek a court order for your information. If you receive one of these messages from a friend, kindly notify them that it is not legally valid. You might also suggest they check with Snopes* or the Naked Security Facebook page** before propagating myths."
    * http://www.snopes.com/computer/facebook/privacy.asp

    ** http://www.facebook.com/SophosSecurity

    Last edited by AplusWebMaster; 2012-06-05 at 17:21.

  5. #645 - AplusWebMaster

    284,000 WordPress sites hacked? ...

    FYI...

    284,000 WordPress sites hacked? Probably not.
    - http://blog.commtouch.com/cafe/malwa...-probably-not/
    June 6, 2012 - "This Amazon order confirmation email is a fake:
    > http://blog.commtouch.com/cafe/wp-co...hony-email.jpg
    Every link leads to malware. Every link leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directory – check out the links:
    http ://maximconsulting .us/wp-content/themes/twentyten/—e.html
    http ://hampsteadelectrician .com/wp-content/themes/twentyten/—e.html
    http ://mormonwomenvoices .com/wp-content/themes/twentyten/—e.html
    http ://steppingstones-online .co.uk/wp-content/themes/twentyten/—e.html ... etc.
    Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure:
    > http://blog.commtouch.com/cafe/wp-co...ess-themes.jpg
    ... this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it. The malware targets known Adobe Reader and Acrobat exploits."


  6. #646 - AplusWebMaster

    Flame self-destruct cmd sent...

    FYI...

    Flame self-destruct cmd sent ...
    - http://www.symantec.com/connect/blog...urgent-suicide
    6 Jun 2012 - "Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider. Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
    The browse32.ocx module has two exports:
    1. EnableBrowser — This is the initializer, which sets up the environment (mutex, events, shared memory, etc.) before any actions can be taken.
    2. StartBrowse — This is the part of the code that does the actual removal of the Flamer components.
    The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection..."


  7. #647 - AplusWebMaster

    Spoofed Xanga malicious emails...

    FYI...

    Spoofed Xanga malicious emails ...
    - http://community.websense.com/blogs/...-campaign.aspx
    7 Jun 2012 - "Hot on the trail of yesterday's spoofed Craigslist malicious emails* comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal... a sample:
    Subject: New Weblog comment on your post!
    > http://community.websense.com/cfs-fi...2D00_550x0.jpg
    ... the "Click here to reply" link goes to this URL:
    hxxp ://www.1000sovetov .kiev.ua/wp-content/themes/esp/wp-local.htm
    The target site contains obfuscated JavaScript that redirects to URLs like:
    hxxp ://pushkidamki .ru:8080/forum/showthread .php?page=5fa58bce769e5c2c
    Those are the sites that host the exploit kit.
    Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base..."
    * http://community.websense.com/blogs/...st-emails.aspx

    Last edited by AplusWebMaster; 2012-06-10 at 09:23.
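    Posts #645 and #647 both place the attacker's landing page as a stray .htm/.html file inside a WordPress theme directory (twentyten/—e.html in the Commtouch write-up, esp/wp-local.htm in the Websense one). The Python triage scan below is an added example; it is not code from either post or from the vendors quoted. Its heuristics are this example's own assumptions, not something the posts state: stock themes ship PHP, CSS, JS and images but no .htm/.html files, and a redirect page tends to carry a meta refresh or obfuscated JavaScript. The site tree it walks is constructed inline in a temporary directory.

```python
"""Triage scan for stray redirect pages in WordPress theme directories (posts #645 and #647).

The heuristics are this example's own assumptions, not claims from the posts:
stock themes carry no .htm/.html, and a redirect page usually shows a meta
refresh or obfuscation calls. The site tree is constructed, not a real site.
"""
import tempfile
from pathlib import Path
from typing import List, Tuple

SUSPECT_SUFFIXES = {".htm", ".html"}

# label -> substring that marks a redirect/obfuscation technique (matched case-insensitively)
REDIRECT_MARKERS = {
    "meta-refresh": 'http-equiv="refresh"',
    "js-location": "location",
    "eval(": "eval(",
    "unescape(": "unescape(",
    "document.write(": "document.write(",
}


def has_non_ascii(name: str) -> bool:
    """True for file names with non-ASCII characters, e.g. the U+2014 dash in the #645 file name."""
    return any(ord(ch) > 127 for ch in name)


def redirect_markers(path: Path) -> List[str]:
    """Labels of the redirect/obfuscation markers found in a file's content."""
    text = path.read_text(encoding="utf-8", errors="ignore").lower()
    return [label for label, needle in REDIRECT_MARKERS.items() if needle in text]


def find_rogue_theme_files(wp_root: str) -> List[Tuple[str, List[str]]]:
    """Return (path relative to wp_root, reasons) for suspect files under wp-content/themes, sorted by path."""
    themes = Path(wp_root) / "wp-content" / "themes"
    findings = []
    for path in themes.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SUSPECT_SUFFIXES:
            reasons.append("html-in-theme")
            reasons.extend(redirect_markers(path))
        if has_non_ascii(path.name):
            reasons.append("non-ascii-name")
        if reasons:
            findings.append((path.relative_to(wp_root).as_posix(), reasons))
    return sorted(findings)


def build_constructed_site(root: str) -> None:
    """Write a small constructed WordPress-like tree: two themes, each with one rogue file as in the posts."""
    files = {
        "wp-content/themes/twentyten/style.css": "/* Theme Name: Twenty Ten */",
        "wp-content/themes/twentyten/index.php": "<?php get_header(); ?>",
        # file name from #645 (U+2014 dash + "e.html"); body is a constructed stand-in for obfuscated JS
        "wp-content/themes/twentyten/\u2014e.html":
            '<html><script>eval(unescape("%77%69%6e%64%6f%77"));</script></html>',
        "wp-content/themes/esp/functions.php": "<?php // theme functions",
        # file name from #647; body is a constructed meta-refresh redirect
        "wp-content/themes/esp/wp-local.htm":
            '<html><meta http-equiv="refresh" content="0;url=http://example.invalid/"></html>',
        "wp-content/uploads/2012/06/photo.jpg": "not really a jpeg",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def scan_constructed_site() -> List[Tuple[str, List[str]]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_site(root)
        return find_rogue_theme_files(root)


if __name__ == "__main__":
    for rel, reasons in scan_constructed_site():
        print(f"{rel}: {', '.join(reasons)}")
```

    Run it against a real install as find_rogue_theme_files("/var/www/html") and review every hit by hand; a legitimate theme can ship an HTML file, so the output is a lead list, not a verdict. As the Commtouch post says, the theme directory is only where the file was dropped, so finding and removing it does not close the plugin or CMS hole the attackers used to write it.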

  8. #648 - AplusWebMaster

    SPAM: Pharmacy / Facebook/Digg app || FAKE Classmates.com email

    FYI...

    Pharmacy SPAM - Facebook/Digg app
    - http://blog.commtouch.com/cafe/anti-...cebook-social/
    June 14th, 2012 - "... a “Facebook Social Reader” for Digg – but “Facebook Social” is a neatly confusing invention of pharmacy spammers... The email welcomes users to the new service and invites them to “view profile details”:
    > http://blog.commtouch.com/cafe/wp-co...ial-email1.jpg
    The links in the email lead to compromised websites ... Scripts hidden on these sites redirect users to the destination pharmacy site – the “Toronto Drug Store” which apparently is an “essential part of the Canadian RX Network”:
    > http://blog.commtouch.com/cafe/wp-co...am-website.jpg
    Email text:
    Thank you for registering with us at Facebook Social. We look forward to seeing you around the site.
    Your profile has two different views reachable through clickable tabs:
    • View My Profile: see your profile as your network does
    • Edit My Profile: edit the different elements of your profile
    View profile details.
    What is Facebook Social Share?
    Enable Facebook social sharing, and share your Digg experience with your Facebook friends. Let your friends see what you’re reading as you discover the best news around the web. Click the Social button to turn this off.

    ___

    FAKE Classmates.com email
    - http://blog.commtouch.com/cafe/malwa...tes-com-email/
    June 13th, 2012 - "Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:
    • Linking to multiple compromised sites which then redirect to the malware hosting sites
    • Favoring WordPress sites (that can be exploited)
    • Hosting the malware on various .ru domains
    • Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
    • Using the same Flash exploits in the malware
    Previous attacks use well known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless. The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections:
    > http://blog.commtouch.com/cafe/wp-co...hony-email.jpg
    Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks:
    > http://blog.commtouch.com/cafe/wp-co...lware-site.jpg
    The malware on the final site checks for PDF and Flash versions on the target PC.
    • If an appropriate version is found it then redirects to a malicious SWF flash file.
    • If not it redirects to google .de"


  9. #649 - AplusWebMaster

    LinkedIn SPAM serving Adobe and Java exploits...

    FYI...

    LinkedIn SPAM serving Adobe and Java exploits
    - http://pandalabs.pandasecurity.com/l...java-exploits/
    06/14/12 - "... email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn Inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack... If we verify the “To” and “CC” fields of this email, we see about -100- other recipients.... email in question:
    >> http://pandalabs.pandasecurity.com/w...2012/06/ss.jpg
    Subjects of this email might be: 'Relationship LinkedIn Mail', 'Communication LinkedIn Mail', 'Link LinkedIn Mail' or 'Urgent LinkedIn Mail'. No doubt the subjects of this email will vary, and are not limited to these four.
    - Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
    - Suppose someone clicks on the link. What will happen exactly? This depends on the version of these programs that may be installed on your computer: Adobe Reader / Java
    In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens... the exploit will begin doing its work... seems to spawn a .dll file, which in turn spawns another file... Your machine is executing malware and is in the process of being infected... a malicious executable which will start every time the computer boots. The exploits’ source is probably the Blackhole exploit kit. The exploits in question are: CVE-2006-0003 / CVE-2010-0840
    Unknown (at this point) Adobe Reader exploit
    - Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. The malware will try to phone home or connect to the following IP addresses: 188.40.248.150 / 46.105.125.7 . The IPs (188.40.248.150 in particular) are part of a known botnet. The IPs are used to receive new instructions from the botherder or to download additional malware... lesson is a very important one and is one of the basics of security... Keep ALL of your software up-to-date! This means Adobe, Java, but don’t forget other software, for example VLC, Windows Media Player...This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed..."
    ___

    > http://centralops.net/co/DomainDossier.aspx
    - 188.40.248.150
    Registrant-Name:Felix Preuss
    Registrant-Organisation:netcup GmbH
    Registrant-Street:Griesbachstrasse 5
    Registrant-City:Karlsruhe
    Registrant-State/Province:Germany
    Registrant-Postal-Code:76185
    Registrant-Country:DE ...
    - 46.105.125.7
    person: Octave Klaba
    address: OVH SAS
    address: 2 rue Kellermann
    address: 59100 Roubaix
    address: France ...

    Last edited by AplusWebMaster; 2012-06-15 at 19:20.
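    Posts #641, #647 and #649 each list network indicators: redirect and exploit-kit domains, phone-home domains and IPs, and one MD5 for the dropped binary. The Python script below is an added example, not code from the posts or from Webroot, Websense or PandaLabs; it sweeps proxy and DNS log lines for those indicators. The indicators are copied from the posts with the defanging spaces removed; the log lines are constructed for the example (squid-style access lines and dnsmasq-style query lines) and are not real traffic.

```python
"""Sweep proxy and DNS log lines for the network indicators quoted in posts #641, #647 and #649.

Indicators are copied from the write-ups quoted above (defanging spaces
removed). The log lines below are constructed for this example.
"""
import hashlib
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "karigar.in", "masterisland.net", "strazdini.net",            # #641 exploit chain
    "zorberzorberzu.ru", "prakticalcex.ru", "nalezivmordu.in",     # #641 phone-home
    "internetsexcuritee4dummies.ru",                               # #641 phone-home
    "1000sovetov.kiev.ua", "pushkidamki.ru",                       # #647 lure / exploit kit
}
IOC_IPS = {
    "146.185.218.122", "91.201.4.142",                             # #641
    "188.40.248.150", "46.105.125.7",                              # #649
}
IOC_MD5 = {"518648694d3cb7000db916d930adeaaf"}                     # #641 dropped binary

# Constructed sample: squid-style access log lines followed by dnsmasq-style query lines.
SAMPLE_LOG = """\
1338400000.123   1203 10.0.0.17 TCP_MISS/302 512 GET http://karigar.in/car.html - DIRECT/203.0.113.9 text/html
1338400001.456    845 10.0.0.17 TCP_MISS/200 9231 GET http://masterisland.net/main.php?page=975982764ed58ec3 - DIRECT/203.0.113.10 text/html
1338400003.001    220 10.0.0.17 TCP_MISS/200 1800 POST http://zorberzorberzu.ru/mev/in/ - DIRECT/146.185.218.122 text/plain
1338400004.777    130 10.0.0.23 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html
1338400005.500    300 10.0.0.31 TCP_MISS/200 2100 GET http://pushkidamki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c - DIRECT/198.51.100.4 text/html
1338400006.010    410 10.0.0.31 TCP_MISS/200 640 CONNECT 188.40.248.150:443 - DIRECT/188.40.248.150 -
Jun 14 10:02:11 dnsmasq[812]: query[A] www.prakticalcex.ru from 10.0.0.31
Jun 14 10:02:12 dnsmasq[812]: query[A] example.org from 10.0.0.23
"""

HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?::\d+)?")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


def hosts_in_line(line: str) -> Iterable[str]:
    """Yield every hostname or IP in a log line, lower-cased with any :port stripped.

    Covers full URLs (GET), bare host:port targets (CONNECT), squid's
    "DIRECT/ip" peer field and dnsmasq query lines.
    """
    for token in line.split():
        if "://" in token:
            host = urlsplit(token).hostname
            if host:
                yield host.lower()
            continue
        for part in token.split("/"):
            if HOST_RE.fullmatch(part) or IP_RE.fullmatch(part):
                yield part.rsplit(":", 1)[0].lower()


def match_indicator(host: str) -> Optional[Tuple[str, str]]:
    """Return ("ip", ip) or ("domain", apex) when host hits an indicator, else None.

    Domains match on the apex or any subdomain of it (www.prakticalcex.ru hits
    prakticalcex.ru); IPs must match exactly.
    """
    try:
        ipaddress.ip_address(host)
    except ValueError:
        for dom in IOC_DOMAINS:
            if host == dom or host.endswith("." + dom):
                return ("domain", dom)
        return None
    return ("ip", host) if host in IOC_IPS else None


def sweep(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, kind, indicator, observed_host) for every hit, one per host per line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        seen = set()
        for host in hosts_in_line(line):
            found = match_indicator(host)
            if found and (found, host) not in seen:
                seen.add((found, host))
                hits.append((line_no, found[0], found[1], host))
    return hits


def md5_matches_ioc(data: bytes) -> bool:
    """True if the MD5 of a file's bytes equals the dropper hash listed in #641."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


if __name__ == "__main__":
    for line_no, kind, indicator, host in sweep(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {kind} {indicator} (seen as {host})")
```

    Domain hits are the stronger signal: the whois the post reproduces for 188.40.248.150 and 46.105.125.7 points at hosting providers (netcup, OVH), and hosting addresses get reassigned, so treat an IP hit as a lead to confirm against the time of the campaign rather than as proof. The MD5 check is only as good as the sample it was taken from; the Webroot post itself expects the binary to be re-crypted, which changes the hash while the phone-home destinations tend to survive.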

  10. #650 - AplusWebMaster

    9500 malicious sites a day found by Google

    FYI...

    9500 malicious sites a day found by Google
    - http://h-online.com/-1621670
    20 June 2012 - "Google's Safe Browsing programme, which searches for malicious sites and warns browser users when they attempt to visit them, is now five years old, and the problem of malicious sites is still as bad as ever with the system finding more than nine thousand dangerous sites a day. In a post* marking the five year anniversary, Google shared statistics on how effective the system has been... the problem of malicious sites is still growing. Google's own statistics show they are currently discovering over 300,000 phishing sites a month, the highest detection rate ever. These sites may be online for only an hour as they attempt to avoid being detected by services like Safe Browsing, and they have become more targeted both through spear phishing attacks which target particular groups of individuals and through attacks aimed at companies and banks. Phishing sites are also likely to try and get the user to install some malware. Malware distribution through compromised innocent sites is still commonplace, but according to Google, attack web sites built specifically to deliver malware to victims are being used in increasing numbers. While these attacks have used drive-by downloads and other technical mechanisms to deploy the malware, Google notes that social engineering attacks, while still behind drive-by attacks in frequency, are a rapidly growing category. Google asks that people don't ignore their warnings when they see them in the browser..."
    * http://googleonlinesecurity.blogspot...users-for.html
    (Charted)

