FYI...
Malvertising found on Dating Site Match[dot]com
- https://blog.malwarebytes.org/malver...e-matchdotcom/
Sep 3, 2015 - "In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match .com was caught serving malvertising. Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.
Infection flow:
Initial URL: uk.match .com/search/advanced_search.php
Malvertising: tags.mathtag .com/notify/js?exch={redacted}&price=0.361
Malvertising: newimageschool .com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
Malicious Redirector: goo .gl/QU2x0w
Exploit Kit (Angler): med.chiro582help .com/carry.shtm?{redacted}
> https://blog.malwarebytes.org/wp-con...15/09/math.png
The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:
> https://blog.malwarebytes.org/wp-con.../09/google.png
Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware. The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $500 per victim. We alerted Match .com and the related advertisers but the malvertising campaign is still ongoing via other routes."
chiro582help .com: 74.207.227.69: https://www.virustotal.com/en/ip-add...9/information/
___
Fake 'chat history' SPAM – PDF malware
- http://myonlinesecurity.co.uk/you-ne...e-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You need to read this chat history' coming from random senders and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
Good day!
You should know this. View the chat history that I’ve attached. Remember
it’s strongly confidential, so please don’t show it to anyone.
Mrs. Edmund Schultz | (859) 913-2400
Toys | Hackett-Kiehn
And hundreds of other random names, email addresses, phone numbers and companies. Other subjects in this series include:
You should view this correspondence
Please view this correspondence
You need to view it
Please see it
You need to review this information
You need to review this chat history
Please see this messages
You need to read this chat history
You should read this messages
You should view this correspondence
And hundreds of other similar variations on the theme of messages and chat history...
3 September 2015: history Ward LockUG.zip: Extracts to: history Chelsea VillagePY.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1441271691/
___
Fake 'Invoice / credit note' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
3 Sep 2015 - "The latest set of -Upatre- downloader emails are 'Invoice' or 'credit note' from random companies. An email with the subject of 'Invoice INV-91659 from [random company]' for [Your web domain] (random numbers) or 'Credit Note CN-85402 from [random company]' for [Your web domain] (random numbers) pretending to come from Accounts with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...4-1024x493.png
3 September 2015: Invoice INV-91659.zip: Extracts to: Invoice.scr
Current Virus total detections 1/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1441279729/
___
Fake 'Lloyds Bank' SPAM – PDF malware
- http://myonlinesecurity.co.uk/custom...e-pdf-malware/
3 Sep 2015 - "An email with the subject of 'Customer Account Correspondence' pretending to come from Lloyds Bank Commercial Finance <customermail@ lloydsbankcommercialfinance .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x490.png
3 September 2015: Lloyds-Commercial_Documents.zip: Extracts to: Lloyds-Commercial_Documents.scr
Current Virus total detections 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1441281692/
___
Fake 'overdue balance' SPAM – PDF malware
- http://myonlinesecurity.co.uk/overdu...e-pdf-malware/
3 Sep 2015 - "Following on from the earlier -Upatre- downloaders, the latest set of emails are about an overdue balance from random companies. An email with the subject of 'Urgent' e-mail letter of 'overdue balance' or 'Important reminder notice about outstanding balance' or very similar wording with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x314.png
Some of the subjects so far seen include:
Important reminder letter about outstanding remittances
Urgent e-mail letter of overdue balance
Important reminder letter about outstanding remittances
Urgent letter of past due balance
Urgent reminder about your delinquent balance
Important reminder notice of delinquent remittances
Urgent reminder about outstanding balance ...
3 September 2015: documents Heidenreich MillsDE.zip: Extracts to: documents Stark LodgeFR.exe
Current Virus total detections 2/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1441291670/
___
Fake 'Canadian Bank' SPAM - PDF malware
- http://myonlinesecurity.co.uk/you-ha...e-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You have received a secure e-mail / Vous avez reçu un courriel protégé' pretending to come from Canadian Imperial Bank of Commerce <noreply@ cibc .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x580.png
3 September 2015: SecureMail.zip: Extracts to: SecureMail.scr
Current Virus total detections 6/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1441298777/
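All five of the spam runs above share one trick: a zip whose member is a .exe or .scr carrying a PDF icon, so that a mail gateway or user trusting the icon (or a hidden extension) lets it through. The following is an added example, not code from myonlinesecurity.co.uk, of a mail-gateway style check that judges zip members by their real last extension and by their content (a PE file starts with the bytes "MZ" whatever its name or icon). The sample zip it builds is constructed here, with a harmless "MZ" stub standing in for the real payload; the member names mirror the ones reported above.

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click. A .scr is just a renamed .exe, and
# Explorer hides the final extension when "show known file extensions" is off.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def suspicious_zip_members(zip_bytes):
    """Return a list of (member name, [reasons]) for members that should be held.

    Two independent checks: the file name's real (last) extension, and the
    content's first two bytes, so a PE renamed to .pdf is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":  # DOS/PE header, whatever the icon or name claims
                reasons.append("PE header (MZ) in content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed stand-in for the 'Invoice INV-91659.zip' style attachments."""
    fake_pe = b"MZ" + b"\x90" * 62  # constructed PE-like stub, not real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.scr", fake_pe)
        zf.writestr("history Chelsea VillagePY.exe", fake_pe)
        zf.writestr("Statement.pdf", fake_pe)  # PE renamed to look like a document
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n%% constructed benign document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_zip_members(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

The content check is what matters at the gateway: the icon a PE resource carries is never consulted, and the renamed Statement.pdf is held on its "MZ" header alone.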
___
Skype Spam...
- https://blog.malwarebytes.org/fraud-...is-skype-spam/
Sep 3, 2015 - "Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:
> Scammers use an automated technique to break old/weak Skype passwords (this has been contested by Skype users in that forum thread*).
* http://community.skype.com/t5/Securi...4038620#M47813
> They then use these accounts to send spam messages to contacts.
> The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
> The websites the “masked” URLs lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.
Here’s an example of the spam currently going around:
>> https://blog.malwarebytes.org/wp-con...skypespam0.jpg
“Hi [username] | baidu(dot)com/[URL string] advise”
Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:
> https://blog.malwarebytes.org/wp-con...skypespam3.jpg
...
> https://blog.malwarebytes.org/wp-con...pam2.jpg?w=564
If your Skype password is in need of a spring clean... feel free to check out the list of hints and tips on the Skype Security page**."
** https://www.skype.com/en/security/