#171
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Koobface abuses Google Reader pages
- http://blog.trendmicro.com/koobface-...-reader-pages/
Nov. 9, 2009 - "We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter. The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component... This sharing of content to the public is what the cybercriminals abused to use the Google Reader domain in spamming malicious links. We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack..."
(Screenshots available at the URL above.)

Malicious Google AppEngine Used as a CnC
- http://asert.arbornetworks.com/2009/...used-as-a-cnc/
November 9, 2009

- http://www.f-secure.com/weblog/archives/00001815.html
November 9, 2009 - "... there are these apparent MySpace phishing e-mails going around ("...please be informed that you are required to update your MySpace account, Please update your MySpace account by clicking here..."). When you follow the link, you end up to this MySpace look-a-like page, hosted on various .uk domains... Why do they want them? So they can pose as you on MySpace and send malicious links to your friends — who will surely follow them, as they know you and trust you. But in this case, this is not the only thing they are after. After logging on, you get this prompt... A New MySpace Update Tool? Really? As an executable file? Hmm… and of course it's not. The file (md5: 4c7693219eaa304e38f5f989a8346e51) turns out to be yet another Zeus / Zbot banking trojan variant..."
(Screenshots available at the F-secure URL above.)

Zeus Malware Moves to Myspace
- http://garwarner.blogspot.com/2009/1...o-myspace.html
November 09, 2009 - "... The newest campaign follows the model of last week's Facebook UpdateTool*, only now targeting MySpace users..."
* http://garwarner.blogspot.com/2009/1...rs-beware.html
October 28, 2009
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~
Last edited by AplusWebMaster; 2009-11-11 at 15:23.

#172
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Conficker patch via email - NOT
- http://isc.sans.org/diary.html?storyid=7591
Last Updated: 2009-11-13 20:16:53 UTC - "Microsoft does -not- send patches, updates, anti-virus, or anti-spyware via email (hopefully ever)... in my inbox this aft. The subject was: Conflicker.B Infection Alert

"Dear Microsoft Customer,
Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus. Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division"

* https://www.virustotal.com/analisis/...ae5-1258134283
File 3YMH6JJY.zip received on 2009.11.13 17:44:43 (UTC)
Result: 11/41 (26.83%)
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~

#173
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Bogus ‘Balance Checker’ tool carries malware
- http://blog.trendmicro.com/bogus-bal...rries-malware/
Nov. 14, 2009 - "... received samples of spammed messages that purport to come from mobile phone companies, Vodafone and Verizon Wireless. The email messages carry the subject, “Your credit balance is over its limits” and inform users that their credit balance is due. To be able to review the payments, users should employ the balance checker tool attached in the email... When users opened the attached .ZIP file, they won’t find any balance checker tool and instead will get a malicious file (balancechecker.exe) detected by Trend Micro as TSPY_ZBOT.SMP. TSPY_ZBOT.SMP steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities for difficult detection and removal. Users are strongly advised not to open any suspicious-looking emails even if it comes from a known source. It is also good to verify first any email coming from your mobile services provider just to be sure if it is legitimate or not..."
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~

#174
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Online criminals cash in on swine flu
- http://www.sophos.com/blogs/gc/g/200...ssian-hackers/
November 16, 2009 - "As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet. Research published by Sophos* exposes the profit model of the Russian cybercriminals making millions of pounds from counterfeit Tamiflu. Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes... The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet..."
* http://www.sophos.com/sophos/docs/en...2009-paper.pdf
"... The ‘Canadian Pharmacy’ group now holds the number one position in the Spamhaus Top 10 spammers list... Searching for GlavMed’s support number reveals over 120,000 online pharmacy sites..."
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~
Last edited by AplusWebMaster; 2009-11-16 at 21:24.

#175
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Payment Request SPAM contains malware
- http://blog.trendmicro.com/payment-r...tains-malware/
Nov. 18, 2009 - "TrendLabs researchers received spammed messages purporting to have come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bore the subject, “Payment request from,” and informs users about a certain recorded payment request... The spammed message even gave users two options—to either ignore the email if the payment request has been made or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user does not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA. Users are advised to be wary before opening -any- attached files even if they come from known sources. It is also best to verify emails you receive from any company first just to be sure it is legitimate..."
(Screenshots available at the URL above.)
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~

#176
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
FDA targets online pharmacy counterfeits
- http://www.theregister.co.uk/2009/11...armacy_action/
20 November 2009 - "The US Food and Drug Administration said it has completed a sweep of illegal online pharmacies that targeted 136 websites that appeared to be illegally selling drugs to American consumers... Websites peddling Viagra, steroids and other pharmaceuticals have emerged as a major source of spam over the past few years. In addition to clogging inboxes, the sites can put customers' health at risk because the drugs are frequently counterfeits. According to a study released in August, almost 90 percent of online drugstores advertised on Microsoft's Bing search engine violated federal and state laws... The FDA said the notices* sent to service providers and registrars may give them grounds to terminate service to their customers."
* http://www.fda.gov/NewsEvents/Newsro.../ucm191330.htm
> http://www.fda.gov/ForConsumers/Cons.../ucm048396.htm
- http://forums.spybot.info/showpost.p...&postcount=174
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~
Last edited by AplusWebMaster; Today at 14:23.