
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #61
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Twitter-Facebook Phishing...

    FYI...

    Twitter-Facebook Phishing...
    - http://isc.sans.org/diary.html?storyid=5623
    Last Updated: 2009-01-04 15:45:09 UTC - "Several readers have sent us information about a phishing attempt based on Twitter and possibly Facebook. It looks like the twitter folks have it well under control*, but as always with your Internet experience, vigilance and skepticism are your friends..."
    * http://blog.twitter.com/2009/01/gone-phishing.html
    January 03, 2009

    - http://preview.tinyurl.com/73gm9n
    01/05/2009 cgisecurity.net - "Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone... The Fox tweet was deleted an hour after it was posted, so the password may not have been changed... This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web."
    - readwrite web
    From Twitter's blog: http://blog.twitter.com/2009/01/mond...g-madness.html
    "...The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure..."

    - http://blog.trendmicro.com/so-is-it-...r-or-facebook/
    Jan. 5, 2009

    Last edited by AplusWebMaster; 2009-01-06 at 17:05.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #62
    Adviser Team AplusWebMaster's Avatar

    HMRC phishing email and website

    FYI...

    HMRC phishing email and website
    - http://securitylabs.websense.com/con...erts/3276.aspx
    01.06.2009 - "Websense... has discovered a phishing site emulating the Web site belonging to HM Revenue & Customs (HMRC), the UK government's taxation authority. The fake site is hosted in Denmark and uses the same stylesheet and graphics as the real HMRC Web site. Recipients first receive an email advising them that they are due a tax refund. This email contains a link to the phishing Web site. The phishing site aims to collect personal information such as name, address, and credit card information. Upon submitting the data, the user is redirected to the real HMRC site. The sending of the email is very timely with certain HMRC deadlines for online applications of tax returns imminent (31st January 2009). Websense has advised HMRC of this threat..."

    (Screenshot of the phishing email available at the Websense URL above.)


  3. #63
    Adviser Team AplusWebMaster's Avatar

    LinkedIn - bogus profiles lead to malware...

    FYI...

    - http://blog.trendmicro.com/bogus-lin...cious-content/
    Jan. 5, 2009 - "The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes is not lost on LinkedIn’s users. The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices... found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:
    * Beyoncé Knowles
    * Victoria Beckham
    * Christina Ricci
    * Kirsten Dunst
    * Salma Hayek
    * Kate Hudson
    ... and several others. Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware. Note that there are several routes this infection path may take..."

    (Screenshot available at the URL above.)

    Last edited by AplusWebMaster; 2009-01-06 at 17:08.

  4. #64
    Adviser Team AplusWebMaster's Avatar

    MLB.com pushing malware...

    FYI...

    MLB.com pushing malware
    - http://sunbeltblog.blogspot.com/2009...g-malware.html
    January 06, 2009 - "... stay away from this site until they get it cleaned up. We are seeing various mlb sites redirecting to fake antivirus scan. These are almost certainly being done by malicious flash advertisements. Not the first time* it’s happened (courtesy of Innovative Marketing**)."
    (Screenshot available at the URL above.)

    * http://www.security-forums.com/viewtopic.php?p=272589

    ** http://sunbeltblog.blogspot.com/2008...continues.html

    - http://www.theregister.co.uk/2009/01...seball_threat/
    8 January 2009 - "... Update: MLB spokesman Matthew Gould said the tainted ads were the result of an individual who claimed to sell ads through a company the website has done business with before. After the scam came to light, MLB officials discovered this individual had no affiliation with the company, which Gould declined to name because he says MLB is pursuing legal action. Gould said MLB officials believe the ads were taken down on Monday, less than 24 hours after going live. "As soon as we were made aware of the problem we removed the ad in all instances across our network," he said..." (Pop-up image for "Antivirus2009" shown at the URL above.)

    Last edited by AplusWebMaster; 2009-01-09 at 14:48.

  5. #65
    Adviser Team AplusWebMaster's Avatar

    Waledac trojans - update...

    FYI...

    - http://www.shadowserver.org/wiki/pmw...endar.20090109
    9 January 2009 - "...we have a bunch of new and interesting information on the trojan, much of which has come from a number of security researchers out there. However, we are just going to touch on the last item and give you an updated list of domains associated with Waledac. You are bound to see all kinds of great research and interesting findings from others on this soon. In the meantime, please use this information to protect your networks and proactively (and retroactively) block these hosts. The following are a list of domains known to be associated with Waledac. Most of these domains have been seen in the wild and may be posted elsewhere. However, we want to provide our research that we have collected ourselves in a central spot for anyone to see and share.
    Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.
    Waledac Domain Listing (several new ones since our 12-31 post):

    Related Exploit Domains (no new ones listed):
    seocom .name
    seocom .mobi
    seofon .net
    Please feel free to distribute the above list as you see fit..."


  6. #66
    Adviser Team AplusWebMaster's Avatar

    Gaza conflict malicious SPAM e-mails...

    FYI...

    - http://www.us-cert.gov/current/#malw...email_messages
    January 9, 2009 - "US-CERT is aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza. These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body. If users click on this link, they are redirected to a bogus CNN website that appears to contain a video. Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is -not- a legitimate Adobe Flash Player update; it is malicious code. If users download this executable file, malicious code may be installed on their systems..."

    - http://www.rsa.com/blog/blog_entry.aspx?id=1416
    (Screenshot at the RSA URL above.)

    Last edited by AplusWebMaster; 2009-01-09 at 23:37. Reason: Added link to RSA screenshot...

  7. #67
    Adviser Team AplusWebMaster's Avatar

    Yandex used in SPAM redirects

    FYI...

    Yandex used in SPAM redirects
    - http://sunbeltblog.blogspot.com/2009...redirects.html
    January 11, 2009 - "We’re seeing a fair number of pages on Narod (a service that provides free web hosting, from Yandex, the Russian search engine). These are used for both redirects to malware, as well as redirects in spam... Administrators would be well advised to simply block any email or web traffic with narod .ru ."


  8. #68
    Adviser Team AplusWebMaster's Avatar

    Malware directed at Classmates Online...

    FYI...

    Malware directed at Classmates Online...
    - http://securitylabs.websense.com/con...logs/3279.aspx
    01.14.2009 - "Websense... noticed that a campaign against Classmates Online, Inc had broken out. We observed that thousands of URLs were registered in one day to spread the worm. The newly-registered URLs were unusually long, had several subdomains, and always contained some specific words such as process, multipart and so on... The new campaign was spread by email. The malicious email contained a link to a video invitation to reunite high school classmates and celebrate Classmates Day 2009. When the email recipient viewed the invitation, they downloaded a worm named Adobe_Player10.exe. This could fool a user into thinking they needed the latest version of the Adobe Player, prompting them to run the executable... the main purpose of this worm was to steal user information and send it to a server located in the Ukraine. The address of the server was hardcoded in the worm. The worm did a lot of work, including dropping a driver file to hide itself, injecting itself into every process, downloads and so on. It collected several kinds of information, including details about POP3, IMAP, ICQ, FTP, and certification from the user's MY certificate store, which is used to store trusted sites and personal certificates... The worm injected itself in every process. The injected code would enum a module of the process, and then hook some APIs into the module..."

    (Screenshots available at the Websense URL above.)


  9. #69
    Adviser Team AplusWebMaster's Avatar

    Presidential spam, phishing, and malware...

    FYI...

    Spam, Phishing, and Malware related to Presidential Inauguration
    - http://www.us-cert.gov/current/#spam...alware_related
    January 15, 2009 - "US-CERT has received reports of an increased number of phishing sites and spam related to the upcoming Presidential Inauguration. US-CERT reminds users that phishing and spamming campaigns often coincide with highly publicized events...
    US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
    • Install antivirus software, and keep the virus signatures up to date.
    • Do not follow unsolicited links and do not open unsolicited email messages.
    • Use caution when visiting untrusted websites..."

    - http://blog.trendmicro.com/fake-obam...-sites-abound/
    Jan 18, 2009

    - http://www.f-secure.com/weblog/archives/00001585.html
    January 17, 2009 - "...All the links point to a file called speech.exe, which is a Waledac malware variant..."

    - http://blog.trendmicro.com/dont-be-f...uration-scams/
    January 16, 2009

    Last edited by AplusWebMaster; 2009-01-19 at 14:33. Reason: SSDD links...

  10. #70
    Adviser Team AplusWebMaster's Avatar

    3322 .org peddling malware - again

    FYI...

    3322 .org
    - http://isc.sans.org/diary.html?storyid=5710
    Last Updated: 2009-01-19 12:01:36 UTC - "...adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary* that we published in 2007, it is by far not the first time that this domain shows up on our malware radar ..."
    * http://isc.sans.org/diary.html?storyid=3266

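Added example, not part of the original posts or the quoted sources: a retroactive sweep of proxy logs against the domains the posts above recommend blocking (the Shadowserver exploit domains in #65, narod .ru in #67, 3322 .org in #70). The log layout, client addresses and requested URLs are constructed for illustration; matching is on whole DNS labels, so subdomains of free-hosting and dynamic-DNS zones are caught without flagging look-alike names.

```python
import re
from urllib.parse import urlsplit

# Entries in the defanged forms the posts use ("name .tld", "3322-dot-org").
DEFANGED = ["seocom .name", "seocom .mobi", "seofon .net", "narod .ru", "3322-dot-org"]

# Constructed proxy log lines (timestamp, client, URL); not real traffic.
SAMPLE_LOG = """\
2009-01-12T09:14:02Z 10.0.0.21 http://somepage.narod.ru/index.html
2009-01-12T09:15:40Z 10.0.0.34 http://notnarod.ru/
2009-01-12T09:17:11Z 10.0.0.21 http://UPDATE.Example.3322.ORG.:8080/a.exe
2009-01-12T09:20:55Z 10.0.0.57 http://narod.ru.example.com/login
2009-01-12T09:22:03Z 10.0.0.8 http://seocom.name/
"""

def refang(entry):
    """Normalise 'narod .ru', 'narod[.]ru' or '3322-dot-org' to a plain domain."""
    d = entry.strip().lower().replace("[.]", ".").replace("-dot-", ".")
    return re.sub(r"\s*\.\s*", ".", d).strip(".")

def host_of(url):
    """Hostname of a URL or bare host: lowercased, no port, no trailing dot."""
    url = url.strip()
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")

def matched_domain(host, blocklist):
    """Blocklisted domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    # Compare whole-label suffixes only, so 'notnarod.ru' never matches 'narod.ru'.
    candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((c for c in candidates if c in blocklist), None)

def sweep(log_text, blocklist):
    """Retroactive check: (client, host, blocklisted domain) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than guess at their layout
        host = host_of(fields[2])
        domain = matched_domain(host, blocklist)
        if domain:
            hits.append((fields[1], host, domain))
    return hits

BLOCKLIST = {refang(e) for e in DEFANGED}

if __name__ == "__main__":
    print(*sweep(SAMPLE_LOG, BLOCKLIST), sep="\n")
```

The same `matched_domain` check can back a proactive block decision at a proxy or mail gateway; only the input source changes.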
